Frequently Asked Question

ProTAACS Ethernet Sensor Gateway 3.0 Security Overview
Last Updated 3 years ago

Overview

The ProTAACS Ethernet Sensor Gateway 3.0 was built with security in mind. By design, the Ethernet Gateway (EGW) is a single-purpose piece of hardware that does not run a standard embedded operating system. This removes the possibility of someone gaining access to the gateway and running a malicious application. The vulnerabilities of more complex gateways are avoided by supporting only a very specific set of functions. The key security features of the gateway are outlined below.

ProTAACS added several features to ensure the gateway's security is not compromised. First, the gateway has no active listeners on any ports; all communication is initiated from the gateway to the iProTAACS Server.

The communication between the gateway and the server is secured with 128-bit encryption to make sure no one watching packets can manipulate the requests or responses.

The gateway can be configured to use either DHCP or static IP addressing. All communication is sent to the servers using the TCP protocol on port 3000, which allows traffic usage and patterns to be monitored easily if desired.

Network Security

Network security addresses factors that affect the local network into which the gateway is installed.

Addressing

The ProTAACS Ethernet Sensor Gateway 3.0 uses standard DHCP to obtain a dynamic IP address from the local network, which lets most users of the gateway enjoy zero-configuration setup. During DHCP setup the gateway announces itself so the network administrator can easily locate the IP address assigned to it.

If desired, the gateway can be assigned a static IP Address by the network administrator. There are several methods which can be used to configure the gateway to receive this address. It can be done by the monitoring software if a temporary DHCP address can be used. If there is not a DHCP server available to issue a temporary address, there is a local web based interface that can be accessed for configuration. Physical access to the gateway is required to temporarily enable this interface.

Operating System

Because of the single-use nature of the ProTAACS Ethernet Sensor Gateway 3.0, there is no embedded operating system on the hardware. This means there is no system that could be used to run any third-party code, so anyone attempting to break into the gateway in order to run their own code will be unsuccessful.

Network Ports

The ProTAACS Ethernet Sensor Gateway 3.0 sends its data to the monitoring software over port 3000. The gateway creates a standard TCP connection to the software and then communicates the data. The monitoring software responds as needed to the gateway. This enables network administrators to easily monitor traffic to and from the device without having to separate it from other protocols using common ports. If needed, the gateway can be configured to communicate over any port on which the monitoring software has also been configured to listen for gateway communication.

The iProTAACS online portal has several alternative ports already configured for use. Any of the iProTAACS monitoring solutions can be configured to listen on specific or multiple ports.

Listeners

There are no listeners on the gateway responding to any TCP or UDP network traffic. The gateway will respond to an ICMP ping to assist network administrators with network troubleshooting. All other traffic on the network is ignored unless it is part of a TCP connection that was initiated by the Ethernet Gateway.

Because all traffic is initiated from the gateway, in most networks no firewall configuration is needed, as all traffic originates from within. No ProTAACS monitoring solution will initiate communication from the server and try to reach the gateway; the monitoring solutions only respond to communications they receive from a gateway.

Advanced users can configure one or more of the local interfaces to respond to communication from within the network. The interfaces available are:

  • Proprietary TCP based binary protocol that enables a status application to communicate with the gateway.
  • Modbus over TCP protocol that enables a PLC or other Modbus enabled device to poll for data from the sensors that has been delivered to the gateway.
  • SNMP, a UDP based protocol that enables any SNMP enabled device or software to poll for data from the sensors that has been delivered to the gateway.
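As an added example (not code from the vendor's page), the following Python check applies the traffic model described above to flow-log lines: the gateway should only originate TCP connections to the monitoring server on port 3000 (plus its own DHCP traffic), should answer ICMP, and should accept inbound TCP or UDP only on an optional interface an administrator has enabled (for instance TCP 502, the standard Modbus/TCP port). The log format, addresses and sample flows are constructed for this example.

```python
import re

# Placeholder addresses chosen for this example (not from the vendor page).
GATEWAY_IP = "192.0.2.50"
SERVER_IP = "198.51.100.10"
SERVER_PORT = 3000  # default gateway-to-server port stated in the overview

# Constructed, simplified flow-log format: "proto src[:port] > dst[:port]".
FLOW_RE = re.compile(r"^(tcp|udp|icmp)\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?"
                     r"\s+>\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s*$")

SAMPLE_FLOWS = [  # constructed; the last two deviate from the documented model
    "tcp 192.0.2.50:49152 > 198.51.100.10:3000",  # gateway -> server, expected
    "udp 192.0.2.50:68 > 255.255.255.255:67",     # DHCP request, expected
    "icmp 192.0.2.7 > 192.0.2.50",                # ping to gateway, expected
    "tcp 192.0.2.7:51000 > 192.0.2.50:80",        # inbound TCP: nothing should listen
    "udp 192.0.2.50:40000 > 192.0.2.1:53",        # outbound to a port other than 3000
]

def parse_flow(line):
    """Return (proto, src, sport, dst, dport) or None if the line does not parse."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return proto, src, int(sport) if sport else None, dst, int(dport) if dport else None

def classify(flow, enabled_listeners=frozenset()):
    """Model: the gateway only opens TCP to the server on port 3000 (plus DHCP), answers
    ICMP, and takes inbound TCP/UDP only on enabled optional interfaces, e.g. {("tcp", 502)}."""
    proto, src, _sport, dst, dport = flow
    if src == GATEWAY_IP:
        if proto == "tcp" and dst == SERVER_IP and dport == SERVER_PORT:
            return "ok"
        if proto == "udp" and dport == 67:  # DHCP lease traffic
            return "ok"
        return "unexpected-outbound"
    if dst == GATEWAY_IP:
        if proto == "icmp" or (proto, dport) in enabled_listeners:
            return "ok"
        return "unexpected-inbound"
    return "unrelated"

def audit(lines, enabled_listeners=frozenset()):
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict = "unparsed" if flow is None else classify(flow, enabled_listeners)
        if verdict not in ("ok", "unrelated"):
            findings.append((verdict, line))
    return findings
```

Any "unexpected-inbound" finding means something on the local network is trying to reach the gateway directly, which the overview says it will not answer; "unexpected-outbound" means the gateway is not talking only to the configured server and port.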

Configuration

The ProTAACS Ethernet Sensor Gateway 3.0 can be configured from multiple interfaces. The simplest is through a ProTAACS enabled monitoring platform that can respond to the gateway with new configurations as needed. In the event configuration needs to take place before the gateway is able to communicate with the monitoring software, there is also a local web server that can be activated so the gateway can be configured with nothing more than a standard web browser.

To enable the hosted web server and access the configurations, you must first have physical access to the device. During the boot of the device you must hold the reset button down to enter the configuration mode. Once complete, the gateway will reboot and this interface is no longer available. Because physical access is required, there is no way for anyone to gain access to the configurations over the network.

  • Do ProTAACS gateways support HTTP proxies?
    • The Ethernet Gateways won't be affected by many HTTP proxies, but if they are affected, the Ethernet Gateways will need to be whitelisted. Likewise, if a proxy works at the socket level, the gateways will also have to be whitelisted.

Data Security

The wireless communication technology developed by ProTAACS provides several features to help protect your data in transit. Our proprietary sensor protocol uses very low transmit power and requires specialized radio equipment to operate. Typical wireless devices that use non-proprietary communication protocols (Wi-Fi, Bluetooth, Zigbee) operate in different frequency bands, so they can't be used to eavesdrop on the radio communications of the ProTAACS family of sensors. ProTAACS also uses a robust packet tampering evaluation routine to ensure traffic wasn't altered between sensors and gateways. This lets us check for well-formed data packets that originated only from ProTAACS enabled devices. To further protect data, we use algorithms to protect against spoofing and re-transmission of wireless data packets. This comes together with best-in-class range and the power consumption protocol developed for ProTAACS wireless sensor systems.

Data security is important for multiple reasons. First, it is always important to keep the data sent from inside your network protected during transmission. Second, it is important to protect responses from the monitoring software from being compromised.

Protocols

ProTAACS Link Gateways use a proprietary protocol that enables sensor data to be sent with minimal overhead. This also prevents casual observers from capturing the traffic and being able to interpret it. Unlike many text-based protocols (e.g. HTML/XML/JSON), the data is encoded in a binary form that is not directly convertible to human-readable values. This ProTAACS Gateway Protocol is the basis for all communication between the gateway and the monitoring software.

When enabled there are other protocols that allow the gateway to be used by other systems that implement those protocols. The two currently supported are Modbus over TCP and SNMP. These are for convenience and utility by certain users and are not enabled by default.

Encryption

In addition to using binary protocols and rejecting unrequested network traffic, the ProTAACS Ethernet Sensor Gateway 3.0 also applies 128-bit AES encryption when sending and receiving data from the iProTAACS servers. This means that the transmitted data, which would already be difficult for someone to read in its binary form, is also encrypted. The encryption is bi-directional, so both the data being sent and the responses being returned are encrypted.
