Preface

4i Edge X is an Open Source Unified Threat Management (UTM) appliance software. This document is both a User Manual and a Guide to the configuration of the various parts of the 4i Edge X web interface and its functionalities.

The latest updates and corrections to this manual, which refer to the latest release of the 4i Edge X, will be available online at http://docs.endian.com/6.1/4i/. If you think that you have found any errors, either simple typos or content errors, feel free to send us feedback using Endian's bug tracker.

Security Certifications Awarded

New in version 6.1.0: BSI, OWASP Top 10, and IEC 62443 certifications.

In November 2020, the following security certifications were awarded to Endian for its products Switchboard and Edge X:

  • BSI-Grundschutzkatalog, granted by the German Federal Office for Information Security. Official documentation is available (in German) on the BSI web site.

  • OWASP Top 10. The list of the 10 most exploited vulnerabilities in the wild is also available on the OWASP web site.

  • IEC 62443-4-2 SL2 for Switchboard and 4i Edge X as single products

  • IEC 62443-3-3 SL2 for the combination of Switchboard and 4i Edge X as a complete solution

    Note

    IEC 62443 was initially defined to reduce the threats and attacks against the security of Industrial Automation and Control Systems (IACS), and has later evolved into the industrial cybersecurity standard for all industrial networks. More information about the IEC 62443 certification can be found in the IEC’s official publication (PDF table of contents available).

In order to comply with the certifications, a few improvements have been developed and included in release 6.1.0; all of them affect the Switchboard, all the clients connecting to it, and all the devices it manages, be they Gateways (i.e., 4i Edge X) or Endpoints.

Note

The new functionalities can be configured on the Switchboard by an Administrator.

Session Lock

Two new options have been introduced to lock sessions after a period of inactivity by the user (soft lockout and hard lockout, see the box below).

  • The first option is called Session lock timeout, and can be configured under Switchboard ‣ Settings ‣ Portal and defaults to five minutes.

    In other words, after five minutes of inactivity, the user is required to log in again to continue their activities. This option concerns HTTP/HTTPS connections only.

  • The second option is available on the CLI only and defines the hard lockout for all connections besides HTTP/HTTPS, including for example SSH, VNC, RDP, and so on. The option is called SESSION_TERMINATION_TIMEOUT and its value can be controlled with the following commands.

    root@switchboard:~ # datasource emi.settings.SESSION_TERMINATION_TIMEOUT
    Value EMI.SETTINGS.SESSION_TERMINATION_TIMEOUT

    5
    root@switchboard:~ # datasource emi.settings.SESSION_TERMINATION_TIMEOUT=10
    Value EMI.SETTINGS.SESSION_TERMINATION_TIMEOUT

    10

    The first command returns the current value of the variable (5 minutes, which is the default), while the second command sets the value to 10 minutes.

Soft and hard lockout

There is a slight but important difference between soft and hard lockout in network connections. They both concern a period of inactivity by a (client) user and define how the server reacts to it.

Soft lockout

After the inactivity period, the user is logged out and their next HTTP request will require a new login.

Hard lockout

After the inactivity period, the user is logged out and the connection/socket is terminated as well.

In terms of Endian devices, soft lockout only implies that the user will need to provide username and password to continue accessing the appliance, while the hard lockout also triggers a disconnection event, i.e., the user’s connection to the Gateway or Endpoint is forcibly terminated.

To prevent hard lockouts, the client routinely sends a ping to the Switchboard: a hard lockout is triggered by the Switchboard only after the session timeout is reached and the pings from the client are no longer received.
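The soft and hard lockout rules described above can be modelled over a timeline of events. This is an added example, not Endian's code: the function names, the event format and the ping_grace_s parameter (how long without a ping counts as "pings no longer received") are assumptions, and the timelines used with it are constructed.

```python
def soft_lockout_login_required(last_request_s, now_s, lock_timeout_s):
    """Soft lockout (HTTP/HTTPS): the next request needs a new login once
    the inactivity period has elapsed; no socket is closed."""
    return now_s - last_request_s >= lock_timeout_s


def hard_lockout_time(events, timeout_s, ping_grace_s):
    """Return the second at which the server terminates the connection.

    events: time-ordered (t, kind) pairs with kind "activity" or "ping";
    the connection opens at t=0. Termination needs BOTH conditions from the
    text: the session timeout has been reached AND pings have stopped
    (modelled here as no ping for ping_grace_s seconds, an assumption).
    """
    last_activity = last_ping = 0
    for t, kind in events:
        deadline = max(last_activity + timeout_s, last_ping + ping_grace_s)
        if t > deadline:
            return deadline  # socket was already closed; this event never arrives
        if kind == "activity":
            last_activity = t
        elif kind == "ping":
            last_ping = t
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return max(last_activity + timeout_s, last_ping + ping_grace_s)


# Constructed timelines; 5 minutes is the default timeout named in the text.
TIMEOUT_S = 5 * 60
PING_GRACE_S = 30  # assumed value

# User idle from t=0 but the client keeps pinging every 20 s until t=600.
IDLE_WITH_PINGS = [(0, "activity")] + [(t, "ping") for t in range(20, 601, 20)]
# User idle and the client vanished right after connecting.
IDLE_NO_PINGS = [(0, "activity")]
# A ping that shows up only after the connection was already terminated.
LATE_PING = [(0, "activity"), (400, "ping")]

if __name__ == "__main__":
    for name, tl in [("pings", IDLE_WITH_PINGS), ("silent", IDLE_NO_PINGS),
                     ("late", LATE_PING)]:
        print(name, hard_lockout_time(tl, TIMEOUT_S, PING_GRACE_S))
```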

Account Lockout

To mitigate the effects of brute force attacks, an account lockout policy has been implemented. Configuration is available under VPN ‣ Authentication ‣ Lockout.

System use notification

The default value of the existing option Welcome message under Switchboard ‣ Settings ‣ Portal has been changed to "Welcome to the Switchboard, access to the system is monitored".

Limit access for web crawlers

Access by web crawlers is prevented by configuring the Switchboard's web server with the directive Header set X-Robots-Tag "noindex, nofollow". This is a much more robust approach than using a robots.txt file in the web server root directory, as noted in this article.

Note

Among the new improvements described in this section, this functionality is the only one that cannot be configured by the user.
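To confirm from the outside that the X-Robots-Tag directive above is actually being served, the response headers can be checked as in the following added example. It is not part of the Endian software: the function names are hypothetical and the sample responses are constructed. It goes slightly beyond the text by also handling crawler-scoped values and the "none" shorthand.

```python
import re

# Directives that carry a value after a colon, so "name:" is not a crawler name.
VALUED = {"max-snippet", "max-image-preview", "max-video-preview",
          "unavailable_after"}
REQUIRED = {"noindex", "nofollow"}


def global_directives(raw_response: str) -> set:
    """Return the X-Robots-Tag directives that apply to every crawler."""
    found = set()
    for line in raw_response.splitlines():
        if not line.strip():
            break  # blank line ends the header block; ignore the body
        name, _, value = line.partition(":")
        if name.strip().lower() != "x-robots-tag":
            continue
        value = value.strip().lower()
        scope = re.match(r"([a-z0-9_-]+)\s*:", value)
        if scope and scope.group(1) not in VALUED:
            continue  # e.g. "googlebot: noindex" restricts one crawler only
        for directive in value.split(","):
            directive = directive.strip()
            if directive == "none":  # shorthand for noindex + nofollow
                found |= REQUIRED
            elif directive:
                found.add(directive)
    return found


def blocks_all_crawlers(raw_response: str) -> bool:
    """True when both noindex and nofollow are set for all crawlers."""
    return REQUIRED <= global_directives(raw_response)


# Constructed sample responses (not captured from a real Switchboard).
GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-Robots-Tag: noindex, nofollow\r\n\r\n<html></html>")
SPLIT = ("HTTP/1.1 200 OK\r\nX-Robots-Tag: noindex\r\n"
         "X-Robots-Tag: nofollow\r\n\r\n")
SCOPED = "HTTP/1.1 200 OK\r\nX-Robots-Tag: googlebot: noindex, nofollow\r\n\r\n"
PARTIAL = "HTTP/1.1 200 OK\r\nX-Robots-Tag: noindex\r\n\r\n"
IN_BODY = "HTTP/1.1 200 OK\r\n\r\nX-Robots-Tag: noindex, nofollow"

if __name__ == "__main__":
    for label, resp in [("good", GOOD), ("split", SPLIT), ("scoped", SCOPED),
                        ("partial", PARTIAL), ("in body", IN_BODY)]:
        print(f"{label:8} blocks all crawlers: {blocks_all_crawlers(resp)}")
```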

Acknowledgements

Without the great work of the Smoothwall and then of the IPCop team, neither 4i Edge X nor this document would exist. Therefore we would like to thank them all for their hard work.

Thanks to Sourceforge for the hosting. Without Sourceforge we would not have the possibility to gain such a huge worldwide visibility. You are really helping us very much!

Endian web sites

For more information about Endian S.r.l., Italy and its products, please visit Endian web site at https://www.endian.com/.

Many resources (tutorials, how-tos, examples) in this manual are taken from these web sites:

  • https://help.endian.com/hc/en-us/ The new support center for the Endian products, which should become the reference site to support customers and users. Several links to how-tos on this site are provided in this documentation at the end of the various subsections.

  • http://kb.endian.com/ The old knowledge base of Endian, now discontinued. Its content, including configuration examples, has been incorporated either in the reference manual or in the help.endian.com site.

  • https://jira.endian.com/ Endian’s bug tracker, the place in which to search for existing bugs and their resolution or workarounds and to report new issues. It replaces the older bug tracker located at http://bugs.endian.com/, which is still accessible but not maintained anymore.