An introduction to Hirschmann Eagle20 Firewall

Hirschmann

Hirschmann is a German brand that specializes in manufacturing layer 2/layer 3 switches, access points and firewalls for industrial networks. It merged with Belden and is now a Belden brand. Industrial Ethernet equipment is robust and has to be certified to operate in harsh environments: ruggedized not in appearance, but with certification that proves the claim.

Eagle20
Eagle20 is one of the Eagle series firewalls that Hirschmann manufactures. Eagle20 is a fanless two-port firewall that comes with a factory-configured trusted and untrusted interface. Eagle20 comes in several flavours; you can check the varieties from this link. Recently Hirschmann also launched Eagle30, which comes with 6 ports and offers more granularity in firewall zoning.

Eagle20 can act as a firewall in either transparent mode or routed mode. The default is transparent mode, which comes with the default IP address 192.168.1.1 for management purposes. Below is the command line interface as seen from the console port. The Eagle20 console port is a V.24 (serial) interface with an RJ11 connector, which is rather unusual if you are used to commercial firewalls.

  Copyright (c) 2007-2012 Hirschmann Automation and Control GmbH

                             All rights reserved

                           EAGLE Release SDV-05.2.00

                         (Build date 2012-02-28 17:15)



                       System Name:  EAGLE-81090F
                       Netw. Mode :  transparent
                       Mgmt-IP    :  192.168.1.1
                       Base-MAC   :  00:80:63:81:09:0F
                       System Time:  SUN JAN 01 01:42:25 2012






User:admin
Password:*******



NOTE: Enter '?' for Command Help.  Command help displays all options
      that are valid for the particular mode.
      For the syntax of a particular command form, please
      consult the documentation.

!(Hirschmann Eagle) >

Another variant of Eagle20 is Eagle20 Tofino. This variant uses Tofino Security's software to configure the firewall and operates in transparent mode only; there is no IP address for management. To manage the Eagle20 Tofino you need software known as CMP, and the management IP address is "borrowed" from a host connected to the untrusted interface of the Eagle20 Tofino. Tofino Security specializes in firewalls for control systems in industrial networks.

Eagle20 can be configured from the CLI or the web interface; the web interface is the recommended one. However, some initial setup is easier to execute in the CLI.

All Eagle series firewalls are stateful: you do not need to define rules in both directions (trusted to untrusted and untrusted to trusted) to allow two-way communication, you only need to provide rules on the trusted interface.

As of software version 5.2, Eagle20 only supports static routes. No dynamic routing protocol is supported yet.

Routed mode
As mentioned earlier, the default is transparent mode. You can easily change to routed mode using the command line interface:

!(Hirschmann Eagle) >enable

!(Hirschmann Eagle) #network mode router
Are you sure (Y/N) ?y

!(Hirschmann Eagle) #save
[====================]

OK.

!(Hirschmann Eagle) #

When you log out, the login banner now lists two interfaces:

!(Hirschmann Eagle) #logout
Are you sure (Y/N) ?y


         Copyright (c) 2007-2012 Hirschmann Automation and Control GmbH

                             All rights reserved

                           EAGLE Release SDV-05.2.00

                         (Build date 2012-02-28 17:15)



                       System Name:  EAGLE-81090F
                       Netw. Mode :  router
                       Internal-IP:  192.168.3.1
                       External-IP:  10.0.0.10
                       Base-MAC   :  00:80:63:81:09:0F
                       System Time:  SUN JAN 01 01:52:50 2012






User:

Configure IP addresses for trusted and untrusted interfaces
In routed mode the firewall behaves like a router, so you need to assign an IP address to each of the trusted and untrusted interfaces if the default IP addresses are not suitable for your environment.

!(Hirschmann Eagle) #network router param int ip-address 10.0.0.1

!(Hirschmann Eagle) #network router param int netmask 255.255.255.0

!*(Hirschmann Eagle) #network router param ext ip-address 192.168.1.1

!*(Hirschmann Eagle) #network router param ext netmask 255.255.255.0

!*(Hirschmann Eagle) #save
[====================]

OK.

!(Hirschmann Eagle) #

To verify the IP addresses of the interfaces either use:

!(Hirschmann Eagle) #show network router params

Index IP-Addr         Netmask         use VLAN VLAN   protocol
----- --------------- --------------- -------- ------ --------
int   10.0.0.1        255.255.255.0   disable  1      none
ext   192.168.1.1     255.255.255.0   disable  1      none


!(Hirschmann Eagle) #

or simply log out.

!(Hirschmann Eagle) #logout
Are you sure (Y/N) ?y


         Copyright (c) 2007-2012 Hirschmann Automation and Control GmbH

                             All rights reserved

                           EAGLE Release SDV-05.2.00

                         (Build date 2012-02-28 17:15)



                       System Name:  EAGLE-81090F
                       Netw. Mode :  router
                       Internal-IP:  10.0.0.1
                       External-IP:  192.168.1.1
                       Base-MAC   :  00:80:63:81:09:0F
                       System Time:  SUN JAN 01 01:58:54 2012






User:

add user
There are two default users, admin and user. You can add another customized user; this example adds a user cyruslab with readonly privilege. As of version 5.2 there are only two privileges, readonly and readwrite; the only SNMPv3 encryption option is DES and the only authentication hash is MD5. The user account is also used for SNMPv3 polling by your network management system:

!(Hirschmann Eagle) (config)#users name cyruslab add
!(Hirschmann Eagle) (config)#users name cyruslab passwd

Enter OLD password:

Enter NEW password:   ******

Confirm NEW password: ******
Password changed

!(Hirschmann Eagle) (config)#users name cyruslab snmpv3 encryption des
!(Hirschmann Eagle) (config)#users name cyruslab snmpv3 accessmode readonly
!(Hirschmann Eagle) (config)#users name cyruslab snmpv3 authentication md5
!(Hirschmann Eagle) (config)#users name cyruslab enable
!(Hirschmann Eagle) (config)#save
[====================]

OK.

!(Hirschmann Eagle) (config)#

Before enabling the new user account, you need to specify its SNMPv3 settings first. To delete a user you first need to disable the user. It is easier to do this in the web interface.

DHCP server for trusted interface

!(Hirschmann Eagle) #network router proto int dhcp
!*(Hirschmann Eagle) (config)#dhcp-server pool dynamic add 1 interface int first-address 10.0.0.10 last-address 10.0.0.20 netmask 255.255.255.0 gw 10.0.0.1 lease-time 32768
!*(Hirschmann Eagle) (config)#dhcp-server pool dynamic status 1 enable
!*(Hirschmann Eagle) (config)#dhcp-server operation int enable

!*(Hirschmann Eagle) (config)#exit
!*(Hirschmann Eagle) #network router proto int none
!*(Hirschmann Eagle) (config)#save
[====================]

OK.

!(Hirschmann Eagle) (config)#

You may be slightly intimidated by the long string of parameters needed just to add the pool. You can enter them line by line instead of writing every parameter at once; however, the start is always an add command and you need to specify which interface the DHCP pool is for: int for trusted and ext for untrusted. It is easier to do this configuration in the web interface, but it is good to know the command line interface commands as well.

As you can see, a new entry is disabled by default; you need to enable the entry first, otherwise even if dhcp-server operation is set to enable your host will never get a DHCPOFFER message from the Eagle20. The same principle applies to entries you add for the packet filtering rules.

To verify the DHCP configuration you can either specify a specific entry number or show all entries you have created:

!(Hirschmann Eagle) (config)#show dhcp-server pool 1

DHCP Server Pool
----------------
Index...................................1
Interface...............................int
First Address...........................10.0.0.10
Last Address............................10.0.0.20
Net Mask................................255.255.255.0
Default Gateway.........................10.0.0.1
DNS Server..............................0.0.0.0
WINS Server.............................0.0.0.0
Lease Time..............................32768
MAC Address.............................00:00:00:00:00:00
Configuration URL.......................
Host Name...............................
Hirschmann Client.......................[ ]
Status..................................[x]

!(Hirschmann Eagle) (config)#
!(Hirschmann Eagle) (config)#show dhcp-server pool

No.  Itf  First Address    Last Address     MAC Address        L. Time    Active
---  ---  ---------------  ---------------  -----------------  ---------  ------
  1  int  10.0.0.10        10.0.0.20        00:00:00:00:00:00      32768  [x]

!(Hirschmann Eagle) (config)#

To show the DHCP server leases:

!(Hirschmann Eagle) #show dhcp-server lease

Itf  IP Address       MAC Address         Rem. Time   State
---  ---------------  ------------------  ----------  ---------
int  10.0.0.10        e8:11:32:41:88:9d       32742   bound


!(Hirschmann Eagle) #

Show configuration

!(Hirschmann Eagle) #show running-config
          CONFIG_HEADER = {
    hdr_fileVersion = "1"
    hdr_deviceID = "EAGLE20"
    hdr_softwareVersion = "SDV-05.2.00"
    hdr_configSecret = ":v1:81449548fb49a99b1de6f913cca6889993b69fdb17e9cd2631782fc78f696a5a:"
}
DEVICE_CONFIGURATION = {
  MIB2 = {
    MIB2_SYSTEM = {
      sysContact = "Hirschmann Automation and Control GmbH"
      sysName = "EAGLE-81090F"
      sysLocation = "Hirschmann EAGLE"
    }
    MIB2_IF = {
      MIB2_IFENTRY = {
          {
          INDEX = 1
          ifAdminStatus = "1"
          ifLinkUpDownTrapEnable = "1"
          ifAlias = ""
          }
          {
--More-- or (q)uit

If you want to see more configuration parameters, just press any key except q. The show running-config command lacks filtering; sometimes I just want to see certain sections and not the entire configuration.
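Since the device offers no filtering of its own, a practical workaround is to capture the full show running-config output over the console and filter it offline. The Python script below is an added example, not Hirschmann's code or part of the original post: it parses the nested block syntax shown above (named blocks, unnamed { ... } rows as in MIB2_IFENTRY, and the --More-- pager line) into dictionaries, extracts one section by path, and redacts the hdr_configSecret value before the capture is shared or checked into a repository. The sample capture is constructed in the same shape as the output above; the header secret in it is a placeholder, and the second interface entry is invented for illustration.

```python
import copy
import re

# Constructed sample in the shape of the "show running-config" output above.
# The header secret is a placeholder, not a real device value.
SAMPLE_RUNNING_CONFIG = """\
!(Hirschmann Eagle) #show running-config
CONFIG_HEADER = {
    hdr_fileVersion = "1"
    hdr_deviceID = "EAGLE20"
    hdr_softwareVersion = "SDV-05.2.00"
    hdr_configSecret = ":v1:<placeholder-hash>:"
}
DEVICE_CONFIGURATION = {
  MIB2 = {
    MIB2_SYSTEM = {
      sysContact = "Hirschmann Automation and Control GmbH"
      sysName = "EAGLE-81090F"
      sysLocation = "Hirschmann EAGLE"
    }
    MIB2_IF = {
      MIB2_IFENTRY = {
          {
          INDEX = 1
          ifAdminStatus = "1"
          ifAlias = ""
          }
          {
          INDEX = 2
          ifAdminStatus = "1"
          ifAlias = "untrusted"
          }
      }
    }
  }
}
"""

SECTION_RE = re.compile(r"^(\w+)\s*=\s*\{$")
VALUE_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
ITEMS = "*"  # key under which unnamed { ... } blocks are collected as a list


def parse_config(text: str) -> dict:
    """Parse 'NAME = { key = "value" ... }' blocks into nested dicts.

    Named blocks become nested dicts; unnamed blocks (table rows such as the
    MIB2_IFENTRY members) are appended to a list under the ITEMS key. CLI
    prompt lines and the --More-- pager line are skipped.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("--More--"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("closing brace without an open block")
            stack.pop()
        elif line == "{":
            item: dict = {}
            stack[-1].setdefault(ITEMS, []).append(item)
            stack.append(item)
        elif (m := SECTION_RE.match(line)):
            section: dict = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
        elif (m := VALUE_RE.match(line)):
            key, val = m.groups()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            stack[-1][key] = val
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if len(stack) != 1:
        # A capture that stopped at the pager ends inside an open block.
        raise ValueError("config ended inside an open block (truncated capture?)")
    return root


def get_section(cfg: dict, path: str) -> dict:
    """Return the sub-tree at a slash-separated path such as
    'DEVICE_CONFIGURATION/MIB2/MIB2_SYSTEM'."""
    node = cfg
    for part in path.split("/"):
        node = node[part]
    return node


def redact(cfg: dict, pattern: str = r"secret|passw") -> dict:
    """Deep-copy the tree and mask values whose key looks sensitive."""
    rx = re.compile(pattern, re.IGNORECASE)
    out = copy.deepcopy(cfg)

    def walk(node: dict) -> None:
        for key, val in node.items():
            if key == ITEMS:
                for item in val:
                    walk(item)
            elif isinstance(val, dict):
                walk(val)
            elif rx.search(key):
                node[key] = "<redacted>"

    walk(out)
    return out


def dump(node: dict, indent: int = 0) -> str:
    """Render a tree back into the device's own block syntax."""
    pad = "  " * indent
    lines = []
    for key, val in node.items():
        if key == ITEMS:
            for item in val:
                lines += [f"{pad}{{", dump(item, indent + 1), f"{pad}}}"]
        elif isinstance(val, dict):
            lines += [f"{pad}{key} = {{", dump(val, indent + 1), f"{pad}}}"]
        else:
            lines.append(f'{pad}{key} = "{val}"')
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_RUNNING_CONFIG)
    print(dump(get_section(redact(cfg), "CONFIG_HEADER")))
```

Redirect the console session to a file, paging through until the prompt returns, and feed the file to parse_config; a capture that was cut off at --More-- is rejected rather than silently parsed as a partial configuration.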

Show system info

show system info is the command you use to see the entire firewall's settings and status at a glance.

!(Hirschmann Eagle) #show system info

System information
------------------
System Description......................Hirschmann EAGLE Security Device
System Name.............................EAGLE-81090F
System Location.........................Hirschmann EAGLE
System Contact..........................Hirschmann Automation and Control GmbH
System Uptime...........................0 days 1 hours 30 minutes 28 seconds
System Date and Time (local time zone)..SUN JAN 01 02:30:29 2012
OS Software Release.....................SDV-05.2.00 2012-02-28 17:15
OS Software Release (ROM)...............SDV-05.2.00 2012-02-28 17:15
OS Software Release (BAK)...............SDV-05.0.00 2010-11-25 16:54
Device Hardware Revision................1.13
Device Hardware Description.............EAGLE 20 TX/TX
Serial Number...........................943987001000101054
Network Operation Mode..................Router Mode
IP address (internal)...................0.0.0.0
MAC address (internal)..................00:80:63:81:09:0f
IP address (external)...................192.168.1.1
MAC address (external)..................00:80:63:81:09:10
Configuration state (running to NV).....ok
Configuration state (NV to ACA).........absent
--More-- or (q)uit
Auto Configuration Adapter, Serial Num..
Power Supply P1, State..................ok
Power Supply P2, State..................failed
Temperature (°C)........................48

Last Alarm..............................Failure of Power Supply 2

!(Hirschmann Eagle) #
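The dotted-leader layout of show system info is easy to parse, which makes it a convenient source for a periodic health check when the device is polled over its console or a terminal server. The script below is an added example, not part of the original post or of Hirschmann's software: it turns the output into a key/value map and flags conditions visible in the capture above, namely a power supply not reporting ok and a router-mode device whose interface reports 0.0.0.0. The temperature threshold and the reading of "Configuration state (running to NV)" as an in-sync indicator are the author's assumptions, not documented device semantics. The sample capture is constructed from the fields shown above.

```python
import re

# Constructed capture in the shape of the "show system info" output above
# (values are illustrative, taken from the post's example, not a live unit).
SAMPLE_SYSTEM_INFO = """\
!(Hirschmann Eagle) #show system info

System information
------------------
System Description......................Hirschmann EAGLE Security Device
System Name.............................EAGLE-81090F
System Uptime...........................0 days 1 hours 30 minutes 28 seconds
OS Software Release.....................SDV-05.2.00 2012-02-28 17:15
OS Software Release (BAK)...............SDV-05.0.00 2010-11-25 16:54
Network Operation Mode..................Router Mode
IP address (internal)...................0.0.0.0
IP address (external)...................192.168.1.1
Configuration state (running to NV).....ok
Configuration state (NV to ACA).........absent
--More-- or (q)uit
Auto Configuration Adapter, Serial Num..
Power Supply P1, State..................ok
Power Supply P2, State..................failed
Temperature (°C)........................48

Last Alarm..............................Failure of Power Supply 2
"""

# A field is a label, a leader of at least two dots, then the value.
# Non-greedy label matching keeps dots inside values (e.g. "SDV-05.2.00")
# out of the label.
FIELD_RE = re.compile(r"^(.+?)\.{2,}(.*)$")


def parse_system_info(text: str) -> dict:
    """Map each dotted-leader line to {label: value}; other lines are ignored."""
    info = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.rstrip())
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def health_findings(info: dict, max_temp_c: int = 60) -> list:
    """Return a list of human-readable findings; empty means nothing to report.

    max_temp_c is an assumed operational threshold, not a vendor limit.
    """
    findings = []
    # Any power supply whose state is not "ok" (the capture shows P2 failed).
    for key, val in info.items():
        if key.startswith("Power Supply") and val.lower() != "ok":
            findings.append(f"{key}: {val}")
    # In router mode both interfaces should carry an address.
    if info.get("Network Operation Mode", "").lower().startswith("router"):
        for side in ("internal", "external"):
            if info.get(f"IP address ({side})", "0.0.0.0") == "0.0.0.0":
                findings.append(f"router mode but no {side} IP address configured")
    # Assumption: anything other than "ok" here means the running
    # configuration has not been saved to non-volatile memory.
    state = info.get("Configuration state (running to NV)")
    if state is not None and state != "ok":
        findings.append("running configuration not in sync with saved (NV) configuration")
    temp = info.get("Temperature (°C)", "")
    if temp.isdigit() and int(temp) > max_temp_c:
        findings.append(f"temperature {temp} C exceeds {max_temp_c} C")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_system_info(SAMPLE_SYSTEM_INFO)):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports the failed second power supply and the missing internal address; feeding it a fresh capture from each device on a schedule gives a simple console-based health check that does not depend on SNMP being enabled.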