![6bee20ebff918abb11c70b4840dd3684.png 6bee20ebff918abb11c70b4840dd3684.png](/upload/medialibrary/8d4/v53rn5709pkqez0w526ou0v45clsiyrl.png)
Some critical tasks require secure data transfer from serial devices over an Ethernet network. This applies, for example, to the banking sector, telecommunications, and remote access and control systems.
To address these tasks, MOXA has launched the NPort 6000 series of RS-232/422/485-to-Ethernet converters.
The main feature of the NPort 6000 series is the ability to encrypt traffic using the SSL v2 encryption protocol and to protect access to the device itself.
Operation modes of NPort 6000 with traffic encryption
This article describes only those operation modes that support data encryption.
Secure Real COM mode (or virtual COM port mode with data encryption).
Secure Real COM mode ensures secure data exchange between a PC and an NPort in an Ethernet network using the SSL v2 protocol. In other respects, this mode works the same way as Real COM mode.
Starting with firmware v.1.14, the level of security provided by NPort 6000 meets the requirements of the IEC 62443-4-2 level 2 industrial standard: it supports more secure encryption protocols, access control, advanced encryption complexity, etc.
Let us consider how data is transferred without encryption:
![7c1f626318a798caa7e00645246c8344.jpg 7c1f626318a798caa7e00645246c8344.jpg](/upload/medialibrary/c57/mgyzkhdspy63jd531qg39p43ywepgw1k.jpg)
A hacker can intercept a TCP/IP packet and access the data.
Once the encryption is on, all data is encrypted and no one can read it using network analysis software.
![5d51b67e76de01171cdb1239bf5b85c0.jpg 5d51b67e76de01171cdb1239bf5b85c0.jpg](/upload/medialibrary/ec3/gpairbjgeuha0mxv83pkpkknz3i9w2rf.jpg)
To get started, enable encryption support both in the driver settings on the PC (tick the Enable Data Encryption box) and in the NPort settings (select Yes in the Secure field).
The encryption key exchange process is shown in the figure:
![05a0d19ab852fd32a3ccdd6e2950b8db.jpg 05a0d19ab852fd32a3ccdd6e2950b8db.jpg](/upload/medialibrary/e82/ijjk3b35yv88kbjuu6j060yjl1p21hgi.jpg)
Secure TCP Server mode
As in Secure Real COM mode, both the PC software and the NPort must support encryption. In Secure Real COM mode, the encryption function is already built into the driver, whereas in Secure TCP Server mode it must be added manually to the software that communicates with the NPort.
In other respects, this mode works exactly like TCP Server mode.
There are two ways of adding encryption support to a PC (in this case, the PC that is used as a TCP Client):
- Use MOXA SSDK examples with functions that should be applied for NPort connection.
- Use OpenSSL commands in the code of your program to establish the communication with NPort.
The NPort will be a TCP Server, so to switch on Secure TCP Server mode, just enable the Secure function in the NPort settings, then save and reboot the device.
![5d80bbfe8ae4312a6bdf2acbd0450c17.jpg 5d80bbfe8ae4312a6bdf2acbd0450c17.jpg](/upload/medialibrary/294/x14qcv42k36uy8oxcns745dqzzagng7z0.jpg.pagespeed.ic.jrCj6Tye-q.jpg)
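A sketch of the second option for the PC acting as a TCP Client, added here as an example and not taken from MOXA's SSDK or this article. It uses Python's `ssl` module (which wraps OpenSSL), refuses legacy SSL versions, and pins the device certificate by SHA-256 fingerprint; the address, port, self-signed device certificate and all function names are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Assumed values for illustration; not taken from the article.
NPORT_HOST = "192.0.2.10"   # placeholder address (TEST-NET-1)
NPORT_PORT = 4001           # assumed TCP port configured on the NPort


def make_nport_context() -> ssl.SSLContext:
    """Client context that rejects SSLv2/SSLv3 and TLS 1.0/1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumption: the device presents a self-signed certificate, so CA
    # chain validation is replaced by the fingerprint pin checked below.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare against a pin given as hex, with or without colons."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def open_serial_tunnel(host: str, port: int, pinned_hex: str,
                       timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to the NPort and return the TLS socket only if the
    certificate it presented matches the pinned fingerprint."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = make_nport_context().wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_hex):
        tls.close()
        raise ssl.SSLError("NPort certificate does not match the pin")
    return tls  # send()/recv() now carry the serial data encrypted
```

Record the pin once over a trusted link (for example, a direct cable to the device) and store it with the client configuration; a mismatch on a later connection means the certificate changed or the session is being intercepted.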
Secure TCP Client mode
It is a secure version of TCP Client mode.
The concept is similar to that of Secure TCP Server mode.
Software acting as a TCP Server must support the encryption functions. There are two ways of adding them to a program:
- Use MOXA SSDK examples with functions that should be applied for NPort connection.
- Use OpenSSL commands in the code of your program to establish the communication with NPort.
The NPort will be a TCP Client, so to switch on Secure TCP Client mode, just enable the Secure function in the NPort settings, then save and reboot the device.
![43da5f805ffefff1aca4259c49a68d75.jpg 43da5f805ffefff1aca4259c49a68d75.jpg](/upload/medialibrary/5d9/xvfdl850yk6rz2ukmbh8h2nmcfmrgffjx.jpg.pagespeed.ic.rPuQFNQ5hA.jpg)
Secure Pair Connection mode
This mode is used to extend the transmission distance of a serial communication line via Ethernet. In Secure Pair Connection mode, the data is transferred in encrypted form.
![b3b6d1986b302802f7b8f029fb85fbfc.jpg b3b6d1986b302802f7b8f029fb85fbfc.jpg](/upload/medialibrary/e1a/xl3mfxa57n5odjl7qz2dt6oa5nm5r6xjp.jpg.pagespeed.ic.-ELTrBS4GN.jpg)
NPort 6000 access protection
Secure authorization
To protect NPort 6000 from unauthorized access, in addition to a password you can use the TACACS+ or RADIUS protocols.
To enable these functions, you just need to specify the server IP address and the password.
![cfc509b78bbb8a41d74e025d014eaa15.jpg cfc509b78bbb8a41d74e025d014eaa15.jpg](/upload/medialibrary/e95/x7oc5kioaeehn1hffn0qcj36v43llt432.jpg.pagespeed.ic.2_0h03XfLM.jpg)
You also need to create the same user accounts as those on the server.
![8f93036849aa86930a1f428c71460701.jpg 8f93036849aa86930a1f428c71460701.jpg](/upload/medialibrary/193/xgo0shxul9jjhiyn50kiuo7eydks13p2v.jpg.pagespeed.ic.jWZTruk4D0.jpg)
Now you can enable access to NPort 6000 via TACACS+ or RADIUS server.
![374a2ffb6e8980444861e606ff3e8efa.jpg 374a2ffb6e8980444861e606ff3e8efa.jpg](/upload/medialibrary/cb1/xg4wt21nrpb7s8eb58h2te8ca05ev9s65.jpg.pagespeed.ic.uHpRrRz9de.jpg)
You can also disable the insecure access to the console.
When setting a password for NPort 6000, you can enable a check that the password contains various kinds of symbols and enable protection against password guessing.
![934e686d32600a94dc34b6422e0f3e30.jpg 934e686d32600a94dc34b6422e0f3e30.jpg](/upload/medialibrary/808/x9ad5gkdg5213xwawh06vsn4hn4owdsba.jpg.pagespeed.ic.3gkBwmpZbj.jpg)
Secure monitoring
The NPort 6000 series supports the SNMP protocol, which allows you to monitor equipment activity, and the SNMP Trap function, which sends information about event changes to the server. SNMP protocol data can be encrypted with DES CBC, and the password can be encrypted with MD5 or SHA.
![5e557d70795749f00273468455914ab6.jpg 5e557d70795749f00273468455914ab6.jpg](/upload/medialibrary/02e/on8uogkh8g6spzid4e6u9iiee59taxzj.jpg)