MOXA AIG-302 Series Industrial IoT Gateways Instructions

MOXA AIG-302 Series Industrial IoT Gateways

Product Information

Specifications

• Model: AIG-302 Series
• Operating System: Linux Debian 11
• Firmware: v1.0

Product Usage Instructions

General System Information
The AIG-302 Series is a robust device that runs on the Linux Debian 11 operating system with firmware version 1.0. It is designed to provide secure and reliable performance in various applications.

Physical Security Measures
To ensure the security of your AIG-302 device, it is recommended to implement the following physical security measures:

• CCTV surveillance for monitoring
• Security guards for on-site protection
• Protective barriers to restrict access
• Locks for securing the device
• Access control mechanisms
• Perimeter intrusion detection systems

FAQ

Q: What should I do if I forget my password?
A: If you forget your password, you can follow the password recovery process outlined in the user manual or contact Moxa Technical Support for assistance.

Q: How often should I update the firmware of the AIG-302 Series?
A: It is recommended to regularly check for firmware updates and apply them as needed to ensure optimal performance and security of your device.

Introduction

This document provides guidelines on how to configure and secure the AIG-302 Series. You should consider the recommendations in this document as best practices for securing the AIG-302 in most applications. It is highly recommended that you review and test the configurations thoroughly before implementing them in your production system to ensure that your applications are not negatively impacted.

 General System Information

Basic Information About the Device

Physical Security Measures
The AIG-302 should be safeguarded with physical security measures such as CCTV surveillance, security guards, protective barriers, locks, access control, and perimeter intrusion detection. The appropriate type of physical security should be determined based on the environment and the level of risk of physical attacks.

Anti-tamper Features

• The AIG-302 is equipped with anti-tamper labels on its enclosures, enabling the administrator to detect any tampering with the device.
• Additionally, security screws are used on the enclosures as a physical tamper-resistance measure, enhancing the difficulty of accessing the internal components in the event of a physical security breach.

Usage Limitations
The AIG-302 should not be utilized to control mission-critical components. Failure to maintain control of such a device could pose threats to human safety, and the environment, or lead to significant financial losses.

Network Security

• If the AIG-302 needs to be connected to an untrusted network (e.g., Internet) through Ethernet or Wi-Fi, we recommend avoiding direct connections to the network. Set up a firewall between the Ethernet and Wi-Fi connections of the AIG-302 and the untrusted network.
• For security-critical applications, it is highly recommended to use a private APN for cellular networks.

Configuration and Hardening Information

TCP/UDP Port Status and Suggested Settings
For security reasons, consider disabling unused services and using a higher security level for data-communication services. Refer to the table below for recommended settings.

Process

Name

| Suggested

Settings

| Type| Port

Number

| Description| Security Remark
---|---|---|---|---|---
SSH Server| Enable| TCP| 22| SSH console| Encrypted data channel

with trusted certificate

HTTP

Service

|

Disable

|

TCP

|

80

|

Web console

| Disable HTTP service for transmissions involving

plain text

HTTPS

Service

| Enable| TCP| 8443| Secured web

console

| Encrypted data channel

with trusted certificate

Discovery Service

|

Disable

|

UDP

|

5353

| For communicating with Moxa

utilities

|

Disable the service if it is not in use

Modbus

TCP Server

| Disable| TCP| 502| For Modbus

communication

| Disable service if it is

not in use

DHCP

Server

|

Disable

|

UDP

|

67, 68

| For assigning a

system IP to DHCP clients

| Disable service if it is not in use

Forcing a Password Change After First Login

For security reasons, account and password protection is enabled by default. Users must provide the correct user account and password to unlock the device to gain access to the web console of the gateway. The default account and password are admin and admin@123 (both in lowercase letters), respectively After the first login, we force a password change to comply with general security policies and practices and to enhance the security of your device.

Security Dashboard
Once device provisioning is completed, you can log in to the AIG web console, go to Security Dashboard , and press Scan to check the security status of the device. You can utilize the Security Dashboard results to fix security issues to enhance the security of your AIG gateway as per the following guidelines:

Account Settings

| Password should be changed within

the preset interval.

| Go to Account Management >

Accounts to change the password.

An account should only have one

active session at any given time.

|

Go to Security > Session Management monitor and manage concurrent sessions.

An account should not have abnormal connections (E.g., more than one session per account from

different source IPs).

Application

Networking

| The system should not have open

network ports.

| Go to Security > Firewall and

check the allowed list.

Application Resource Usage

| IoT Edge modules should not utilize

system disk’s configurable space.

|

Ensure the IoT Edge modules are deployed in the system storage paths /var/run/ and /tmp/.

IoT Edge modules should not utilize

the system disk’s non-configurable space.

IoT Edge modules should not be granted direct privileges.

| To grant permissions to the IoT Edge modules, go to Cloud Connectivity > Azure IoT Edge > Module Permission , create a service account, and grant the required permissions to the IoT.

Edge module.

Product Certificate

Deployment

| Production certificate should be configured as an Azure IoT Edge

downstream certificate.

| For enhanced security robustness, we recommend using your own

certificate instead of the default

Azure IoT Edge > Downstream Certificate to upload a certificate.

Azure IoT Edge should not use a connection string for provisioning.| For enhanced security robustness, we recommend using a TPM or a

X.509 certificate.

All certificates should not expire

within the next three months.

| Go to Security > Certificate Center to check the status of each certificate.

If you find that a certificate will expire soon or has already expired, go to Cloud Connectivity > Azure IoT Edge/Azure IoT Device/MQTT Client or Security

HTTPS to check and replace the

certificates.

All certificates should have expired.

Service Settings

| Discovery Service should not be

enabled.

| Go to Maintenance > Service to

disable Discovery Service.

SSH Service should not be enabled.| Go to Maintenance > Service to

disable the Debug Mode.

Serial Console Service should not be

enabled.

| Go to Security > Service to

disable the local console.

Account Lock Service should be enabled.| Go to Security > Login Lockout

to enable the Login Failure Lockout option.

System Use Notification Service should be enabled.| Go to Security > System Use Notification to enable System Use

Notification Service.

System Status Check

|

The product software package should be up to date.

| Go to Maintenance > Software Upgrade and click Check for Upgrade to retrieve the latest

upgrade pack information.

System backup should be performed at least once a year.| Go to Maintenance

Backup & Restore and click Manage to back

up the system.

Account Settings

• Security Check Criteria: Password should be changed within the preset Go to Account Management > Accounts to change the password. We recommend changing the password within the preset interval. To configure a preset interval for changing the password, go to Account Management > Password Policy > Reminder Threshold.
• Security Check Criteria: An account should have only one active session at any given Go to Security > Session Management to identify and manage accounts with more than one session. We recommend deleting connections that you are unaware of, especially in cases where an account has more than one active session.
• An account should not have abnormal Go to Security > Session Management to identify and manage abnormal sessions, such as more than one session per account from different source IPs. We recommend deleting the connections of which you are not aware.

Application Networking

Security Check Criteria: The system should not have open network ports. Understanding which network ports are open is crucial for improving security, preventing vulnerabilities, safeguarding data, staying compliant, and optimizing system resources. We advise minimizing open network ports to reduce cybersecurity risks. To check for open ports in the system, navigate to Security > Firewall. If there are open ports that are not in use, we strongly recommend disabling them. For the essential open ports, we recommend adding rules to limit access.

Application Resource Usage

• Security Check Criteria: IoT Edge modules should not utilize the system disk’s configurable space. Our recommendation is for the IoT Edge modules to be deployed only in specific system storage directories/paths such as /var/run/ and /tmp/.

• Security Check Criteria: IoT Edge modules should not utilize the system disk’s non-configurable space. Our recommendation is for the IoT Edge modules to be deployed only in specific system storage directories/paths such as /var/run/ and /tmp/.

• Security Check Criteria: IoT Edge modules should not granted directly Granting permissions to IoT Edge modules in a controlled manner is important for cybersecurity because it reduces the risk of unauthorized access, protects sensitive data, and ensures that each module has access only to what it needs to function properly. To grant permissions to IoT Edges, go to Cloud Connectivity > Azure IoT Edge > Module Permission

, create a service account, and grant permission to the IoT Edge module.

Product Certificate Deployment

• Security Check Criteria: The production Certificate should be configured as an Azure IoT Edge downstream certificate. For enhanced security robustness, we recommend using your certificate instead of the default one. Go to Cloud Connectivity > Azure IoT Edge > Downstream Certificate to upload a certificate.
• Security Check Criteria: Azure IoT Edge should not use a connection string We recommend an attestation method, which uses a TPM or an X.509 certificate, instead of a manual confirmation using a connection string. You can configure this at Cloud Connectivity > Provisioning Settings > DPS.
• Security Check Criteria: All certificates should not expire within the next three You can check the status of all the certificates being used by the AIG at Security > Certificate Center. We recommend regular inspection of the status of the certificates and importing new certificates to replace the ones that are about to expire.
• Security Check Criteria: All certificates should not have You can check the status of all the certificates being used by the AIG at Security > Certificate Center. We recommend regular inspection of the status of the certificates and importing new certificates to replace the ones that are about to expire.

 Service Setting

• Security Check Criteria: Discovery Service should not be We recommend disabling the Discovery Service in the commissioning stage. Go to Maintenance > Service to disable the service.
• Security Check Criteria: SSH Service should not be We recommend disabling the SSH Service in the commissioning stage. Go to Maintenance > Service to disable Debug Mode.
• Security Check Criteria: Serial Console Service should not be We recommend disabling Serial Console Service in the commissioning stage. Go to Maintenance > Service to disable the Local Console.
• Security Check Criteria: Account Lock Service should be To thwart brute-force attacks, we recommend activating the Account Lock Service. When AIG detects multiple failed login attempts surpassing the set threshold, it will automatically lock the account for the specified duration. Go to Security > Login Lockout to enable  and configure parameters for this service.
• Security Check Criteria: System Use Notification Service should be It is important to display system usage notifications before the login page so users know the rules and risks involved in using the system. This helps meet legal requirements, reduces risks, and holds users accountable for their actions. Go to Security > System Usage Notification to enable this function.

System Status Check

• Security Check Criteria: The product software package should be up to The importance of security cannot be overstated when it comes to keeping your product software up to date. Regular updates help patch vulnerabilities, reduce the risk of cyberattacks, and protect sensitive data, safeguarding your system and users from potential security threats. Go to Maintenance > Software Upgrades to retrieve up-to-date software for your AIG.

• Security Check Criteria: System backup should be performed at least once Performing a system backup annually is important to protect your data in case of system failures, cyberattacks, or disasters. It ensures you can quickly recover your information, stay compliant with regulations, and maintain business continuity. Go to Maintenance > Backup & Restore to back up your system.

Account Management

You can maintain user accounts and assign a role with specific permissions to each account. These functions allow you to track and control the access to the device.

Accounts
You can View , Create , Edit , Deactivate , and Delete user accounts. In the main menu, go to Account Management > Accounts to manage user accounts.

Creating a New User Account

Click + Create to create a new user account. In the dialogue box that is displayed, fill in the fields and click SAVE.
Note: To comply with security policy and best practices, specify a strong password that is at least eight characters long, consisting of at least one number and at least one special character.

Managing Existing User Accounts
To manage an account, click on the pop-up menu icon for the account.

( NOTE: This operation is irreversible.)

Note : You cannot Deactivate or Delete the last remaining account with an Administrator role. This is to prevent an unauthorized account from fully managing the system. When the system detects only one active account when selecting the Administrator role, all items in the pop-up menu are grayed out.

Roles
You can View , Create , Edit , and Delete user roles for your AIG device here.

Click + Create to set up a new user role. Specify a unique name for the role assign the appropriate permissions and click Save to create the role in the system.

You can edit the settings or delete an existing role by clicking on the pop-up menu icon next to the role.

When the role has been set up, it is available for selection by accounts.

Password Policy

Password Strength

Policy

|  | To define how the AIG checks the password

strength

Password Change

Reminders

| 10 to 360 days| Notify the user to change the password

About Moxa

Moxa is a leading provider of edge connectivity, industrial computing, and network infrastructure solutions for enabling connectivity for the Industrial Internet of Things. With 35 years of industry experience, Moxa has connected more than 82 million devices worldwide and has a distribution and service network that reaches customers in more than 80 countries. Moxa delivers lasting business value by empowering the industry with reliable networks and sincere service for industrial communications infrastructures. Information about Moxa’s solutions is available at www.moxa.com.
How to Contact Moxa
Tel: 1-714-528-6777
Fax: 1-714-528-6778

References

• Moxa - Your Trusted Partner in Automation

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>