Icsp Support - AMX Epica DGX 16 Instruction Manual

Set Security Profile Settings table w/DoD
The three security profile terminal command settings are described in the table below.
Set Security Profile Settings
Setting
None (default)
Secure
DoD

ICSP Support

When using ICSP protocol, connect to Port 2 of the NXB-AP-1000 interface through the NetLinx
Controller for SEND_COMMANDs that include standard BCS commands and connect to Port 3 for any
SEND_COMMANDs that include diagnostic or auxiliary BCS commands. Port 1 is reserved for future
functionality. For Epica DGX 16/32 NetLinx Programming information, see page 105.
Epica DGX 16 and Epica DGX 32 Instruction Manual
Description
• No security is enabled and all interfaces are available, including HTTP, HTTPS, Telnet,
SSH, and FTP.
• Logins are not required on the NXB-AP-1000 interface or Telnet.
• This is the default from-the-factory configuration.
• Unsecured interface ports are disabled including HTTP, Telnet, and FTP. Only HTTPS and
SSH ports are available.
• All user access requires a username/password login including HTTPS and SSH.
• Passwords must conform to a stricter set of requirements. They must be at least
8 characters long and contain at least one upper and one lower case alpha and one
numeric and one special character (excluding the blankspace ' ').
• Passwords cannot contain back-to-back duplicate characters.
• To make sure all account passwords conform to the new standard, all existing user
accounts are deleted and the built-in 'administrator' and account passwords are set to the
secure default of "Amx1234!".
• Failed login attempts will force a 4 second delay before a subsequent login attempt can
occur.
• Three consecutive login failures from any location will cause a 15 minute lockout for the
specified user account.
• All user account access will be timed out after at most 15 minutes of inactivity by the user.
Any activity after the time out will cause the login prompt to be displayed and login will be
required to regain access.
The inactivity timer on an SSH session will be disabled if extended diagnostic logging is
active (enable with "msg on" command).
• All account access including successful and failed logins and logouts will be recorded in
persistent storage. Audit records will be retained for 90 days. The current audit logs can be
viewed via SSH sessions using the "show audit log" command. The audit log can be
manually cleared from SSH using the "clear audit log" command.
DoD security profile has all of the security specifications of "secure" profile along with the
following additional features:
• HTTPS is disabled.
• The SSH interface will display the following banner after a successful login: "DOD use only!
Subject to monitoring, reporting, prosecution, and penalties."
Secure and DoD profile configuration can be tailored with more or less security features by
manually altering the system's configuration following the secure profile selection.
For example, the system can be put into "secure" profile and then the HTTP and Telnet
interfaces can be manually re-enabled via their existing configuration mechanism. This would
enable all of the new security features provided by the "secure" profile but still allow system
access via HTTP and Telnet.
Note: When transitioning from secure or DoD profile to the "none" profile, user accounts are
not wiped and the "administrator" account retains its secure password.
NXB-AP-1000 Interface – Initial Setup by Network Admin
93