The DCB ESP appliance is an add-in device used as a front end to legacy equipment requiring modern security features. The ESP provides encryption, authentication, and audit trail logging to protect against electronic security intrusions, meets new NERC-CIP requirements, new corporate security standards, and HIPPA regulations, etc.
Interfaces include three RS-232 serial ports (two implemented via USB) and three 10/100BaseT Ethernet ports. This allows a “lump in the cord” installation for Ethernet as well as RS-232 serial connections. Logging and authentication are provided either locally within the unit or via remote RADIUS and rsyslog servers.
This new appliance allows utilities to meet NERC-CIP Electronic Security Perimeter requirements without costly equipment replacement.
In an ethernet protection application, the ESP is installed between the local ethernet network (typically connected to Eth3) and the equipment to be protected (typically connected to Eth1). It’s then configured as a transparent firewall containing black-hole features, as a RADIUS enabled front-end authentication box, or as a SSH front end to the protected equipment’s telnet port. Authentication and logging may be local or remote.
For a serial protection application, the ESP is installed between the equipment to be protected and the incoming serial line. It provides logging, authentication, and serial “firewalling” to protect the RS-232 serial interface.
In both of those typical installations, the ESP uses a remote RADIUS server for centralized authentication or an optional local authentication database. In all installations, the ESP can be configured for remote syslog logging of an audit trail or maintenance of a temporary local log.
The ESP can also be configured to allow SSH access to the legacy equipment’s serial interface via ethernet. In many cases, this option will allow the removal of vulnerable telephone modem lines since more secure ethernet is often being installed in CIPS locations.
- Up to three asynchronous serial ports:
- One DE-9P DTE (PC-9 pin) connector
- Two USB based serial DTE or DCE ports
- Speeds to 115.2 Kbps
- Three 10/100/1000 Ethernet ports. (Unused ports may be disabled)
- The upstream network is typically connected to“ETH3
- Protected devices are typically connected to “ETH1” and “ETH2”
- Password policy enforcement
- Syslog support
- Radius support
- Transparent Firewall
- SSH to Telnet conversion
- Limit access through device
- Logging of events
- ARP rules
- IPv4 Rules
- Low level ethernet rules
- Optional logging of firewall events
- Serial to Serial “lump-in-the-cable”
- Ethernet to Ethernet “lump-in-the-cable”
- User authentication challenge via Radius
- Local user authentication
- HTTPS Web management
- SSH to serial
- SSH to telnet
- Power
- Status
- Serial port activity
- LAN connection, LAN activity (per port)
- Dual core Gigabit X86 processor
- Near wirespeed (gigabit) Ethernet
- Standalone or DIN mounting
- Power requirements: 12 VDC, 12 watts
- Supplied with 100-240 VAC external power supply
- 48 and 125 VDC options are available
- 168mm x 157mm x 30mm or 6.61″ x 6.18″ x 1.18″
- One pound
- Operating Temperature: 0 to +50 C
- Humidity: Non-condensing
- Power Supply Options may affect temperature specifications