Preface
4i Edge X is an Open Source Unified Threat Management (UTM) appliance software. This document is both a User Manual and a Guide to the configuration of the various parts of the 4i Edge X web interface and its functionalities.
The latest updates and corrections to this manual, which refer to the latest release of the 4i Edge X, will be available online at http://docs.endian.com/6.6/4i/. If you think that you have found any errors, either simple typos or even content errors, feel free to provide us feedback using Endian's bug tracker.
Legal notice
The 4i Edge X Reference Manual 6.6 (“this document”) is copyright 2011-2023, Endian S.r.l. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the GNU Free Documentation License.
This document has been written by the Endian Team, building on the previous versions (5.1, 5.0, 3.0.5), and features improved content and a completely reworked layout, which resembles the new GUI of the 6.0 product line.
Older versions
Version 2.4 was written by (in alphabetical order) Andreas Ender, Diego Gagliardo, Luca Giovenzana, Christian Graffer, Raphael Lechner, Chris Mair, Raphael Vallazza, and Peter Warasin. Some parts of the 2.4 documentation were based on the IPCop Administrative Guide by Chris Clancey, Harry Goldschmitt, John Kastner, Eric Oberlander, Peter Walker and on the IPCop Advanced Proxy Administrative Guide by Marco Sondermann.
Reference manuals written for older releases can be found in the Documentation archive.
The information contained within this document may change from one version to the next and may also change over time without notice to improve the content, to correct any error or mistake, or to describe new or changed features. The date of the last update is always present at the bottom of every page.
All programs and details contained within this document have been created to the best of our knowledge and tested carefully. However, errors cannot be completely ruled out. Therefore Endian does not express or imply any guarantees for errors within this document or consequent damage arising from the availability, performance, or use of this or related material.
Endian and the Endian logo are trademarks of Endian S.r.l., Italy.
The use of names in general use, names of firms, trade names, etc. in this document, even without special notation, does not imply that such names can be considered as free in terms of trademark legislation and that they can be used by anyone. All trade names are used without a guarantee of free usage and might be registered trademarks. As a general rule, Endian adheres to the notation of the manufacturer. Other products mentioned here could be trademarks owned by the respective manufacturer.
Security Certifications Awarded
New in version 6.1.0: BSI, OWASP Top 10, and IEC 62443 certifications.
In November 2020, the following security certifications were awarded to Endian for its products Switchboard and Edge X:
- BSI-Grundschutzkatalog, granted by the German Federal Office for Information Security. Official documentation is available (in German) on the BSI web site.
- OWASP Top 10; the list of the 10 most exploited vulnerabilities in the wild is also available on the OWASP web site.
- IEC 62443-4-2 SL2 for Switchboard and 4i Edge X as single products.
- IEC 62443-3-3 SL2 for the combination of Switchboard and 4i Edge X as a complete solution.
Note
IEC 62443 was initially defined to reduce the threats and attacks against the security of Industrial Automation and Control Systems (IACS), and has since evolved into the industrial cybersecurity standard for all industrial networks. More information about the IEC 62443 certification can be found in the IEC’s official publication (PDF table of contents available).
To comply with the certifications, a few improvements have been developed and included in release 6.1.0; all of them affect the Switchboard, all the clients connecting to it, and all the managed devices, be they Gateways (i.e., 4i Edge X) or Endpoints.
Note
The new functionalities can be configured on the Switchboard by an Administrator.
Session Lock
Two new options have been introduced to lock sessions after a period of inactivity by the user (soft lockout and hard lockout, see the box below).
The first option is called Session lock timeout, and can be configured under
and defaults to five minutes. In other words, after five minutes of inactivity, the user is required to log in again to continue their activities. This option concerns HTTP/HTTPS connections only.
The second option is available on the CLI only and defines the hard lockout for all connections other than HTTP/HTTPS, including for example SSH, VNC, RDP, and so on. The option is called SESSION_TERMINATION_TIMEOUT and its value can be controlled with the following commands.
    1 root@switchboard:~ # datasource emi.settings.SESSION_TERMINATION_TIMEOUT
    2 Value EMI.SETTINGS.SESSION_TERMINATION_TIMEOUT
    3
    4 5
    5 root@switchboard:~ # datasource emi.settings.SESSION_TERMINATION_TIMEOUT=10
    6 Value EMI.SETTINGS.SESSION_TERMINATION_TIMEOUT
    7
    8 10
The command on line 1 returns the current value of the variable (5 minutes, which is the default), while the command on line 5 sets the value to 10 minutes.
Soft and hard lockout
There is a slight but important difference between soft and hard lockout in network connections. They both concern a period of inactivity by a (client) user and define how the server reacts to it.
- Soft lockout
After the inactivity period, the user is logged out and their next HTTP request will require a new login.
- Hard lockout
After the inactivity period, the user is logged out and the connection/socket is terminated as well.
In terms of Endian devices, soft lockout only implies that the user will need to provide username and password to continue accessing the appliance, while the hard lockout also triggers a disconnection event, i.e., the user’s connection to the Gateway or Endpoint is forcibly terminated.
To prevent hard lockouts, the client routinely sends a ping to the Switchboard: a hard lockout is triggered by the Switchboard only after the session timeout is reached and the pings from the client are no longer received.
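The interplay of the two timeouts and the client ping can be replayed against a timeline. This is an added model for illustration, not Endian's code: the `Session` class, `replay` function and the `PING_GRACE` value are assumptions, since the manual does not state how long the Switchboard waits before it treats pings as stopped.

```python
from dataclasses import dataclass

# Timeouts in seconds. Five minutes is the default the page gives for both
# options; PING_GRACE is an assumed value (the page does not state how long
# the Switchboard waits before it considers the client's pings stopped).
SOFT_TIMEOUT = 5 * 60
HARD_TIMEOUT = 5 * 60
PING_GRACE = 30


@dataclass
class Session:
    protocol: str                # "https", "ssh", "vnc", "rdp", ...
    last_activity: float = 0.0   # last user action
    last_ping: float = 0.0       # last keep-alive ping from the client
    terminated: bool = False     # a hard lockout is final for this connection

    def state(self, now: float) -> str:
        idle = now - self.last_activity
        if self.protocol in ("http", "https"):
            # Soft lockout: the connection stays, the next request needs a login.
            return "login_required" if idle >= SOFT_TIMEOUT else "active"
        # Hard lockout: timeout reached AND pings no longer arriving.
        if idle >= HARD_TIMEOUT and now - self.last_ping > PING_GRACE:
            self.terminated = True
        return "terminated" if self.terminated else "active"


def replay(protocol, events, checkpoints):
    """Replay (time, kind) events, kind "activity" or "ping"; return {time: state}."""
    session = Session(protocol)
    pending = sorted(events)
    states = {}
    for now in sorted(checkpoints):
        while pending and pending[0][0] <= now:
            ts, kind = pending.pop(0)
            session.state(ts)  # evaluate before the event: late pings cannot revive
            if kind == "activity":
                session.last_activity = ts
            else:
                session.last_ping = ts
        states[now] = session.state(now)
    return states


# Constructed timeline: user acts at t=0, client pings every 20 s until t=600,
# then one late ping arrives at t=700.
PINGS = [(t, "ping") for t in range(0, 601, 20)]
SSH_EVENTS = [(0, "activity")] + PINGS + [(700, "ping")]
```

With this timeline, an idle SSH session survives as long as the client keeps pinging and is terminated only once the pings stop, while an HTTPS session is only asked to log in again.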
Account Lockout
To mitigate the effects of brute force attacks, an account lockout policy has been implemented. Configuration is available under
.
System use notification
The default value of the existing option Welcome message under
Welcome to the Switchboard, access to the system is monitored.
Limit access for web crawlers
Access by web crawlers is prevented by appropriately configuring the Switchboard's web server with the directive Header set X-Robots-Tag "noindex, nofollow". This is a much more robust approach than using a robots.txt file in the web server root directory, as noted in this article.
Note
Among the new improvements described in this section, this functionality is the only one that cannot be configured by the user.
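Since the crawler restriction is fixed in the web server configuration, the practical check is to confirm that responses actually carry the header. The following is an added example, not part of the Endian documentation: the function names and the sample responses are constructed, and the treatment of crawler-specific prefixes and of `none` follows the directive syntax published by search engines.

```python
# Directives that carry a value after a colon, so "name:" is not a crawler name.
VALUED = {"max-snippet", "max-image-preview", "max-video-preview", "unavailable_after"}


def robots_directives(raw_head: str) -> set:
    """Collect the X-Robots-Tag directives that apply to every crawler."""
    found = set()
    for line in raw_head.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                                # end of the header block
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "x-robots-tag":
            continue
        value = value.strip().lower()
        scope, sep, _ = value.partition(":")
        if sep and "," not in scope and scope.strip() not in VALUED:
            continue                             # "googlebot: ..." binds one crawler only
        found.update(token.strip() for token in value.split(","))
    if "none" in found:                          # "none" is shorthand for both
        found |= {"noindex", "nofollow"}
    return found


def blocks_all_crawlers(raw_head: str) -> bool:
    """True when both noindex and nofollow are set for all crawlers."""
    return {"noindex", "nofollow"} <= robots_directives(raw_head)


# Constructed sample response heads.
GOOD = "HTTP/1.1 200 OK\r\nServer: example\r\nX-Robots-Tag: noindex, nofollow\r\n\r\n"
SPLIT = "HTTP/1.1 200 OK\r\nX-Robots-Tag: noindex\r\nx-robots-tag: NOFOLLOW\r\n\r\n"
SCOPED = "HTTP/1.1 200 OK\r\nX-Robots-Tag: googlebot: noindex, nofollow\r\n\r\n"
PARTIAL = "HTTP/1.1 200 OK\r\nX-Robots-Tag: noindex\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

The input is the response head as printed by a tool such as `curl -sI` against the appliance's own URL.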
Acknowledgements
Without the great work of the Smoothwall and then of the IPCop team, neither 4i Edge X nor this document would exist. Therefore we would like to thank them all for their hard work.
Thanks to Sourceforge for the hosting. Without Sourceforge we would not have the possibility to gain such a huge worldwide visibility. You are really helping us very much!
Endian web sites
For more information about Endian S.r.l., Italy and its products, please visit the Endian web site at https://www.endian.com/.
Many resources (tutorials, how-tos, examples) in this manual are taken from these web sites:
- https://help.endian.com/hc/en-us/ The new support center for the Endian products, which should become the reference site to support customers and users. Several links to how-tos on this site are provided in this documentation at the end of the various subsections.
- http://kb.endian.com/ The old knowledge base of Endian, now discontinued. Its content, including configuration examples, has been incorporated either in the reference manual or in the help.endian.com site.
- https://jira.endian.com/ Endian’s bug tracker, the place in which to search for existing bugs and their resolution or workarounds and to report new issues. It replaces the older bug tracker located at http://bugs.endian.com/, which is still accessible but not maintained anymore.