Preface¶
The Connect Switchboard is the heart of the Secure Digital Platform, Endian solution that links the IT Security with the Internet of Things. The latest updates and corrections to this manual, referred to the latest release of the Connect Switchboard, will be available online at http://docs.endian.com/6.1/sb/. If you think that you have found any errors, either simple typos or even content errors, feel free to provide us feedback using the Endian's bug tracker.
Legal notice¶
The Connect Switchboard Reference Manual 6.1 (“this document”) is copyright 2011-2020, Endian S.r.l. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the GNU Free Documentation License.
This document has been written by the Endian Team and its layout resembles the GUI of the 6.0 product line.
Reference manuals written for older Endian products can be found in the Documentation archive.
The information contained within this document may change from one version to the next and may also change over time without notice to improve the content, to correct any error or mistake, or to describe new or changed features. The date of the last update is always present at the bottom of every HTML page or on the cover of the PDF version.
All programs and details contained within this document have been created to the best of our knowledge and tested carefully. However, errors cannot be completely ruled out. Therefore Endian does not express or imply any guarantees for errors within this document or a consequent damage arising from the availability, performance, or use of this or related material.
Endian and the Endian logo are trademarks of Endian S.r.l., Italy.
The use of names in general use, names of firms, trade names, etc. in this document, even without special notation, does not imply that such names can be considered as free in terms of trademark legislation and that they can be used by anyone. All trade names are used without a guarantee of free usage and might be registered trademarks. As a general rule, Endian adheres to the notation of the manufacturer. Other products mentioned here could be trademarks owned by the respective manufacturer.
Security Certifications Awarded¶
New in version 6.1.0: BSI, OWASP Top 10, and IEC 62443 certifications.
In November 2020, the following security certifications have been awarded to Endian for its products Switchboard and Edge X:
BSI-Grundschutzkatalog, granted by the German’s Federal Office for Information Security. Official documentation is available (in German) on the BSI web site.
OWASP Top 10, the list of the 10 most exploited vulnerabilities in the wild is also available on the OWASP web site
IEC 62443-4-2 SL2 for Switchboard and 4i Edge X as single products
IEC 62443-3-3 SL2 for the combination of Switchboard and 4i Edge X as a complete solution
Note
IEC 62443 was initially defined to reduce the threats and attacks against the security of Industrial Automation and Control Systems (IACS), and has later evolved into the industrial cybersecurity standards for all the industrial networks. More information about the IEC 62443 certification can be found in the IEC’s official publication (PDF Table of content available).
In order to comply with the certifications, a few improvements have been developed and included in release 6.1.0; all of them affect both the Switchboard all the clients connecting to it and to all the devices managed, be them either Gateways (i.e., 4i Edge X) or Endpoints.
Note
The new functionalities can be configured on the Switchboard by an Administrator.
Session Lock
Two new options have been introduced to lock sessions after a period of inactivity by the user (soft lockout and hard lockout, see the box below).
The first option is called Session lock timeout, and can be configured under
and defaults to five minutes.In other words, after five minutes of inactivity, the user is required to log in again to continue their activities. This option concerns HTTP/HTTPS connections only.
The second option is available on CLI only and defines the hard lockout for all connection besides HTTP/HTTPS, including for example SSH, VNC, RDP, and so on. The option is called SESSION_TERMINATION_TIMEOUT and its value can be controlled with the following commands.
1 2 3 4 5 6 7 8
root@switchboard:~ # datasource emi.settings.SESSION_TERMINATION_TIMEOUT Value EMI.SETTINGS.SESSION_TERMINATION_TIMEOUT 5 root@switchboard:~ # datasource emi.settings.SESSION_TERMINATION_TIMEOUT=10 Value EMI.SETTINGS.SESSION_TERMINATION_TIMEOUT 10
The command on line 1 returns the current value of the variable (5 minutes, which is the default), while the command on line 5 sets the value to 10 minutes.
Soft and hard lockout
There is a slight but important difference between soft and hard lockout in network connections. They both concern a period of inactivity by a (client) user and define how the server reacts to it.
- Soft lockout
After the inactivity period, the user is logged out and their next HTTP request will require a new login.
- Hard lockout
After the inactivity period, the user is logged out and the connection/socket is terminated as well.
In terms of Endian devices, soft lockout only implies that the user will need to provide username and password to continue the access to the appliance, while the hard lockout also triggers a disconnection event, i.e., the user’s connection to the Gateway or Endpoint is forcibly terminated.
To prevent hard lockouts, the client sends routinely a ping to the Switchboard: a hard lockout is triggered from the Switchboard only after the session timeout is reached and the pings from the client are not received anymore.
Account Lockout
To mitigate the effects of brute force attacks, an account lockout policy has been implemented. Configuration is available under
.System use notification
The default value of existent option Welcome message under
Welcome to the Switchboard, access to the system is
monitored
.
Limit access for web crawler
Access to web crawler is prevented by appropriately configuring the
Switchboard's web server with the directive Header set
X-Robots-Tag "noindex, nofollow"
. This is a much more robust approach
than using a robots.txt file in the web server root directory, as
noted in this article.
Note
Among the new improvements described in this section, this functionality is the only one that can not be configured by the user.
Endian web sites¶
For more information about Endian S.r.l., Italy and its products, please visit Endian web site at https://www.endian.com/.
Many resources (tutorials, how-tos, examples) in this manual are taken from those web sites:
https://help.endian.com/hc/en-us/ The new support center for the Endian products, that should become the reference site to support customers and users. Several links to howtos on this site are provided on this documentation at the end of the various subsections.
Within the support center, Section https://help.endian.com/hc/en-us/categories/202695877-Switchboard contains useful resources (tutorials and how-tos) for the Switchboard.
https://jira.endian.com/ Endian’s bug tracker, the place in which to search for existing bugs and their resolution or workarounds and to report new issues. It replaces the older bug tracker located at http://bugs.endian.com/, which is still accessible but not maintained anymore.