Company Network Security; Connectivity - AutomationDirect StrideLinx SE-SL30011 User Manual

Industrial VPN Router with StrideLinx Cloud 2.0
Appendix E: StrideLinx Network Security

Company Network Security

Connectivity

The StrideLinx router uses an outgoing port to establish a secure connection to our StrideLinx
Cloud. This means there is no need to open any incoming ports in your firewall. Via this
outgoing port, the StrideLinx router connects to different servers: REST API, MQTT
and OpenVPN servers. The IP addresses of these servers, as well as the number of servers,
may change over time and are thus not pre-defined. What is pre-defined is the domain of
these servers. This is why the StrideLinx router needs to be able to perform DNS requests;
otherwise, the StrideLinx router can't connect to our servers.
Below is an overview of the outgoing ports and protocols that the StrideLinx router utilizes.

Outgoing Ports and Protocols

Port   Protocol    Application
443    TCP         HTTPS, MQTT/TLS, OpenVPN
53     TCP & UDP   DNS
Port 443 is normally open and is also used by other services to set up secure
connections (e.g., internet banking).
If necessary, the local (plant) IT department can choose to allow internet access based on
the MAC address or IP address of the StrideLinx router. On the wired router, the WAN IP
address can be set to a static IP address in the router configuration; the WiFi router uses the
default setting. By default, however, the WAN IP address is obtained automatically via DHCP.
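The allowlisting described above only works if the router's egress really is limited to the documented ports. The audit below is an added example (not AutomationDirect's code) that checks constructed egress flow records for a router at an assumed static WAN address against the manual's outbound set (TCP/443, TCP and UDP/53) and reports anything else the router tried to reach:

```python
"""Audit egress flow records for a StrideLinx router against the manual's
outbound allowlist (TCP/443 and TCP+UDP/53). Example code written for this
page, not AutomationDirect's; log format and addresses are constructed."""
from dataclasses import dataclass

# Hypothetical router WAN address, statically assigned as the manual allows.
ROUTER_IP = "192.0.2.50"

# Outbound (protocol, port) pairs the manual lists for the StrideLinx router.
ALLOWED = {("tcp", 443), ("tcp", 53), ("udp", 53)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def is_permitted(flow: Flow) -> bool:
    """A router-originated flow is permitted only if it matches the documented set."""
    return (flow.proto, flow.dport) in ALLOWED

def audit(lines):
    """Return flows originating from the router that fall outside the allowlist.
    Flows from other hosts are ignored; they belong to a different policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.src == ROUTER_IP and not is_permitted(flow):
            violations.append(flow)
    return violations

SAMPLE_LOG = """
# constructed egress records: src dst proto dport
192.0.2.50 198.51.100.10 tcp 443
192.0.2.50 198.51.100.53 udp 53
192.0.2.50 198.51.100.53 tcp 53
192.0.2.50 198.51.100.20 tcp 1194
192.0.2.50 198.51.100.30 udp 123
192.0.2.77 198.51.100.40 tcp 22
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG.splitlines()):
        print(f"unexpected egress from router: {v.proto}/{v.dport} to {v.dst}")
```

In the constructed sample, the TCP/1194 and UDP/123 flows are flagged because the manual routes OpenVPN over 443 and lists no NTP port; a hit like this in real logs means either the firewall policy is wider than intended or something other than the documented agent is talking out.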
To communicate with the StrideLinx Cloud, the StrideLinx router firmware uses the proven
encryption standard SSL/TLS. The required TLS key exchange, crucial for security, is done
in accordance with the industry standard 2048-bit RSA with SHA-256. During the RSA
handshake the public server keys are shared, and the server's identity is verified against
built-in Certificate Authorities. The StrideLinx agent does not use third-party Certificate
Authorities, which ensures up-to-date security for embedded devices. When setting up a VPN
tunnel, the necessary security licenses are downloaded and the Blowfish/AES encrypted VPN
tunnel is set up. Attacks such as man-in-the-middle, ARP spoofing and DNS hijacking will be
detected immediately.
The StrideLinx router remains permanently connected to the Cloud and sends out 'keep-alive
heartbeats' at a regular interval. The remote connection between the StrideLinx router
and the StrideLinx Cloud can be managed by the local operator. A digital input allows the user
to enable/disable the VPN connection at the flick of a switch, literally. For instance, this
input can be used by plant personnel to grant outside personnel access to the router only
on an as-needed basis. Alternatively, the connection can be terminated by powering off the
StrideLinx router. Once it is powered on again, the StrideLinx router automatically re-establishes
the connection with the StrideLinx Cloud.
E-5
StrideLinx™ Cloud 2.0 Industrial VPN Routers User Manual
1st Edition Rev. C