Dell Validated Design for Manufacturing Edge - Design Guide with 5 Independent Software Vendors: Cybersecurity for Telit Cinterion
An existing local user to delete
To maintain proper access control, users that no longer require access should be deleted. This test case confirms that users can be deleted, and that those credentials can no longer be used to access a node.
Attempt to log in as the deleted user:
A second instance of Workbench
It is imperative to change the default logins on each deviceWISE Edge node. Since all nodes ship with the same preconfigured users, the default credentials can be considered public knowledge. Also, when a Workbench instance connects to a node, it tries the default admin login automatically, so a person does not even need to know the default credentials to connect to a node. Furthermore, the admin user is given unrestricted access to the node by default, and this cannot be changed. It is vital to change the default logins to prevent both malicious and unwitting unauthorized access.
Non-default login credentials, per Test case: Change default logins.
When interacting with a deviceWISE Edge node, a user’s session is managed by the Workbench instance they are using. Sessions are separate per node, so a user requires valid credentials for each node, although it is not a requirement that they be the same credentials. Sessions are maintained by the Workbench instance and last until Workbench is closed or a new user is logged in.
As described in Test case: Change default logins, Workbench attempts to use the default credentials when it starts, so the default credentials must be changed before closing Workbench can effectively prevent access by an unauthorized person. This test case explores closing Workbench as a way to end a user session, given that the default node credentials have already been changed.
LDAP (Lightweight Directory Access Protocol) is a protocol used to interact with directory servers. In this test case, the deviceWISE Edge LDAP integration is used with a Microsoft AD (Active Directory) server for user management and Role-Based Access Control (RBAC).
Log in with the AD credentials:
An audit log is an important tool to track actions, which can be used to find the source of additions, changes, or deletions for a node’s configuration, whether intentional or unintentional. For each event, the following is captured: Date, Time, User, Component (action category), and Message (action description). This test case examines the capture of a selection of actions.
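The following Python is an added example, not part of the Dell guide or of deviceWISE Edge, showing how the five captured fields (Date, Time, User, Component, Message) can be parsed and queried to answer "who changed what". The line layout and the sample entries are constructed for illustration; the real deviceWISE audit-log format is not shown on this page. It also performs one check a reviewer of the Delete user test case would want: any activity recorded for a user after that user was deleted indicates that the credentials were not actually revoked.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    when: datetime      # Date + Time
    user: str           # User who performed the action
    component: str      # Component (action category)
    message: str        # Message (action description)


# Constructed sample log; field layout is an assumption, not the product's own format.
SAMPLE_LOG = """\
2024-03-04 08:15:02 | admin | User | Changed password for user 'admin'
2024-03-04 08:16:40 | admin | User | Created user 'operator1' with role 'Operator'
2024-03-04 09:02:11 | operator1 | Trigger | Modified trigger 'PressLineTelemetry'
2024-03-04 09:05:33 | operator1 | Device | Deleted device 'PLC-Line3'
2024-03-04 09:30:00 | admin | User | Deleted user 'operator1'
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<user>[^|]+?) \| (?P<component>[^|]+?) \| (?P<message>.+)$"
)
DELETED_USER_RE = re.compile(r"^Deleted user '([^']+)'")
CREATED_USER_RE = re.compile(r"^Created user '([^']+)'")


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse log text into events sorted by time; reject malformed lines loudly."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a valid audit entry: {line!r}")
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(AuditEvent(when, m["user"], m["component"], m["message"]))
    return sorted(events, key=lambda e: e.when)


def who_did(events: list[AuditEvent], verb: str) -> list[AuditEvent]:
    """Return the events whose message starts with the given verb (e.g. 'Deleted')."""
    return [e for e in events if e.message.startswith(verb)]


def activity_after_deletion(events: list[AuditEvent]) -> list[AuditEvent]:
    """Flag events performed by a user at or after the time that user was deleted.

    A user that is re-created later is no longer considered deleted from that point on.
    """
    deleted_at: dict[str, datetime] = {}
    flagged = []
    for e in events:
        if e.user in deleted_at and e.when >= deleted_at[e.user]:
            flagged.append(e)
        if m := DELETED_USER_RE.match(e.message):
            deleted_at[m.group(1)] = e.when
        elif m := CREATED_USER_RE.match(e.message):
            deleted_at.pop(m.group(1), None)
    return flagged


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for e in who_did(evs, "Deleted"):
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.user:<10} {e.component:<8} {e.message}")
    print("activity after deletion:", activity_after_deletion(evs))
```

Sorting by timestamp before the deletion check matters: if the export is not in chronological order, a post-deletion event could be evaluated before the deletion itself was seen.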
Over time, it may become necessary, or at least advantageous, to update the deviceWISE Edge software. It is important that security settings remain in place after an update. This test case reviews select security settings before and after a minor version update.
To configure, perform the update as described in Updating deviceWISE Edge software.
In this case, the IDMZ proxy function can be served by deploying a deviceWISE Edge node in the IDMZ network, which receives data from the far edge deviceWISE Edge node and sends it onward to SDP to make it available for further analysis and visualization.
The test cases outlined below will explore the details of this IDMZ architecture further.
Traffic across the IDMZ boundaries should be encrypted for maximum security benefits. This test case examines the traffic moving from the far edge control network to the IDMZ proxy using deviceWISE Edge’s PeerLink connection type. In deviceWISE Edge v22.03, this proprietary protocol uses TCP with custom encryption. deviceWISE Edge v22.04 has an option to use TLS instead of the custom encryption, but this was not tested here.
The first part of this task is to create user credentials on the IDMZ node to allow the far edge node to establish communication. Alternatively, an AD (Active Directory) user can be used if LDAP (Lightweight Directory Access Protocol) is configured on the node, and this step can be skipped. See Test case: Integrate with AD over LDAP for more information about configuring LDAP.
The following firewall rules were implemented and validated on the Telit Cinterion IDMZ architecture.
Description | Source Network | Source Device | Destination Network | Destination Device | Port | Application¹ |
--- | --- | --- | --- | --- | --- | --- |
Allow the far edge deviceWISE Edge node on the OT network to connect and send OT data to the IDMZ proxy deviceWISE Edge node in the IDMZ network. | OT | Far edge deviceWISE Edge node | IDMZ | IDMZ proxy deviceWISE Edge node | TCP 4012 | Unknown-TCP² |
Allow the IDMZ proxy deviceWISE Edge node in the IDMZ network to connect to the SDP MQTT broker in the IT network. | IDMZ | IDMZ proxy deviceWISE Edge node | IT | SDP MQTT broker | TCP 8883 | SSL/TLS |
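As an added example that is not part of the Dell guide or of any firewall vendor's tooling, the Python below encodes the two validated rules as a deny-by-default policy and evaluates constructed flows against it, including the flows the IDMZ design is meant to block: direct OT-to-IT traffic, reverse-direction connections, unexpected ports, and unlisted source devices. Network and device names come from the table; the Application column is not modelled, and the flow tuples are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    description: str
    src_net: str
    src_dev: str
    dst_net: str
    dst_dev: str
    proto: str
    port: int


@dataclass(frozen=True)
class Flow:
    src_net: str
    src_dev: str
    dst_net: str
    dst_dev: str
    proto: str
    port: int


FAR_EDGE = "Far edge deviceWISE Edge node"
PROXY = "IDMZ proxy deviceWISE Edge node"
BROKER = "SDP MQTT broker"

# The two rules from the table above, in order.
RULES = [
    Rule("OT far edge node -> IDMZ proxy (PeerLink)", "OT", FAR_EDGE, "IDMZ", PROXY, "TCP", 4012),
    Rule("IDMZ proxy -> IT SDP MQTT broker (TLS)", "IDMZ", PROXY, "IT", BROKER, "TCP", 8883),
]


def matching_rule(flow: Flow, rules: list[Rule]) -> Rule | None:
    """Return the first rule that permits the flow, or None (implicit deny)."""
    for r in rules:
        if (r.src_net, r.src_dev, r.dst_net, r.dst_dev, r.proto, r.port) == (
            flow.src_net, flow.src_dev, flow.dst_net, flow.dst_dev, flow.proto, flow.port
        ):
            return r
    return None


def is_allowed(flow: Flow, rules: list[Rule] = RULES) -> bool:
    return matching_rule(flow, rules) is not None


def direct_ot_to_it(rules: list[Rule]) -> list[Rule]:
    """Policy lint: any rule that lets OT talk to IT without passing the IDMZ."""
    return [r for r in rules if r.src_net == "OT" and r.dst_net == "IT"]


# Constructed flows: the two intended paths plus four that the design must reject.
SAMPLE_FLOWS = {
    "far edge to proxy on 4012": Flow("OT", FAR_EDGE, "IDMZ", PROXY, "TCP", 4012),
    "proxy to broker on 8883": Flow("IDMZ", PROXY, "IT", BROKER, "TCP", 8883),
    "far edge straight to broker": Flow("OT", FAR_EDGE, "IT", BROKER, "TCP", 8883),
    "broker back into proxy": Flow("IT", BROKER, "IDMZ", PROXY, "TCP", 4012),
    "far edge to proxy on 22": Flow("OT", FAR_EDGE, "IDMZ", PROXY, "TCP", 22),
    "unlisted OT host to proxy": Flow("OT", "HMI workstation", "IDMZ", PROXY, "TCP", 4012),
}


def evaluate_all(flows: dict[str, Flow] = SAMPLE_FLOWS) -> dict[str, bool]:
    return {name: is_allowed(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
    print("rules bypassing the IDMZ:", direct_ot_to_it(RULES))
```

The `direct_ot_to_it` check is the property worth re-running whenever the rule set changes: the value of the IDMZ proxy disappears the moment a single rule lets the control network reach IT directly.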