MOXA EDR-G9004 Series

The EDR-G9004 Series is a set of highly integrated industrial multi-port secure routers with firewall/NAT/VPN functions. These devices are designed for Ethernet-based security applications in critical remote control or monitoring networks. These secure routers provide an electronic security perimeter to protect critical cyber assets including substations in power applications, pump-and-treat systems in water stations, distributed control systems in oil and gas applications, and PLC/SCADA systems in factory automation. Furthermore, with the addition of IDS/IPS, the EDR-G9004 Series is an industrial next-generation firewall, equipped with threat detection and prevention capabilities to further protect critical infrastructure from cybersecurity attacks.

The EDR-G9004 Series' embedded firewall uses policy rules to control network traffic between trusted zones while Network Address Translation (NAT) shields the internal network from unauthorized access by outside hosts. The Virtual Private Networking (VPN) functionality further provides users with secure communication tunnels when accessing the private network from the public Internet. To help protect your OT assets from cyberattacks, the EDR-G9004 Series supports Deep Packet Inspection (DPI) to examine the data portion of network packets for various OT-specific protocols.

The EDR-G9004 Series' Setup Wizard provides an easy way for users to set up DMZ ports to create a secure network buffer zone in just three steps. In addition, the object-based firewall management feature gives engineers a simple way to configure and maintain firewall filtering for IP addresses and subnets, network services, industrial application services, and user-defined services.

The EDR-G9004 Series' rugged hardware makes these secure routers ideal for harsh industrial environments, featuring wide-temperature models that are built to operate reliably in hazardous conditions and extreme temperatures of -40 up to 75°C. Moreover, the EDR-G9004 Series supports WAN, Layer 3 redundancy mechanisms, and Gen3 LAN Bypass fault tolerance to ensure that your network stays connected at all times.

Patching remains a major challenge in OT environments because OT applications cannot afford interrupting operations by shutting down systems to apply patches. Virtual patching technology can help complement existing patch management processes by shielding known and unknown vulnerabilities. In addition, the EDR-G9004 features intelligent IPS functionality for continuous protection against cyberthreats which uses pattern-based detection to identify and block known attacks.

Moxa's MX-ROS (https://www.moxa.com/en/spotlight/portfolio/mx-ros/index) is a software platform for industrial security routers and firewalls. The platform supports the robust security and user-friendly operation of secure routers through simplified web and CLI interfaces. In addition to adhering to IEC 62443-4-2, MX-ROS devices offer a wealth of the latest cross-industry Operational Technology (OT) network management features with each release to safeguard hardware and software.

Specifications

Input/Output Interface


Alarm Contact Channels
Resistive load: 1 A @ 24 VDC

Buttons
Reset button

Digital Input Channels
+13 to +30 V for state 1
-30 to +3 V for state 0
Max. input current: 8 mA



Ethernet Interface


10/100/1000BaseT(X) Ports (RJ45 connector)
2 (with Gen3 LAN Bypass)

Combo Ports (10/100/1000BaseT(X) or 1000/2500BaseSFP)
2

DMZ Supports
DMZ port

Standards
IEEE 802.3 for 10BaseT
IEEE 802.3u for 100BaseT(X)
IEEE 802.3ab for 1000BaseT(X)
IEEE 802.3z for 1000BaseSX/LX/LHX/ZX
IEEE 802.3x for flow control



Ethernet Software Features


Management
Back Pressure Flow Control
DDNS
DHCP Server/Client
Web Console (HTTP/HTTPS)
LLDP
SNMPv1/v2c/v3
Telnet
TFTP
HTTPS
SSH

Routing Throughput
Max. 350K packets per second / 2 Gbps (based on RFC 2544)

Routing Table
Max. 4K routing rules

Concurrent Connections
Max. 400K (based on RFC 3511)

Connections Per Second
Max. 20K (based on RFC 3511)

Routing Redundancy
VRRP

Security
Secure Boot
IPsec
L2TP (server)
RADIUS
TACACS+
Trust access control
SCP
SFTP
NTP authentication
Syslog Authentication

Time Management
NTP Server/Client
SNTP

Multicast Routing
Static Route

Unicast Routing
OSPF
RIPV1/V2
Static Route



LED Interface


LED Indicators
PWR1, PWR2, STATE, BYPASS, WAN/DMZ, VRRP/HA, VPN, USB



DoS and DDoS Protection


Technology
ARP-Flood
FIN Scan
ICMP Flood
TCP Sessions Without SYN
NMAP-ID Scan
NMAP-Xmas Scan
Null Scan
SYN/FIN Scan
SYN/RST Scan
SYN-Flood
Xmas Scan



Firewall


Filter
DDoS
Ethernet protocols
ICMP
IP address
MAC address
Ports

Stateful Inspection
Router firewall
Transparent (bridge) firewall

Deep Packet Inspection
Modbus TCP
Modbus UDP
DNP3
IEC 60870-5-104
IEC 61850 MMS
EtherNet/IP
MELSEC
Omron FINS
OPC UA
Siemens S7 Comm.
Siemens S7 Comm. Plus
Additional protocols will be supported through future firmware updates.

Intrusion Prevention System
Requires an additional license.

Throughput
Firewall:
Max. 350K packets per second / 2 Gbps (based on RFC 2544)
IPS:
Max. 200K packets per second / 2 Gbps (based on RFC 2544)



IPsec VPN


Authentication
MD5 and SHA (SHA-512)
RSA (key size: 1024-bit, 2048-bit)
X.509 v3 certificate

Concurrent
VPN Tunnels Max. 250 IPsec VPN tunnels

Encryption
DES
3DES
AES-128
AES-192
AES-256
AES-256-GCM

Protocols
IPsec
L2TP (server)
PPTP (client)

Throughput
Conditions: AES-256, SHA-256
Max. 100K packets per second / 800 Mbps (based on RFC 2544)



NAT


Features
1-to-1
N-to-1
NAT loopback
Port forwarding



Real-Time Firewall / VPN Event Log


Event Type
Firewall event
VPN event

Media
Local storage
SNMP Trap
Syslog server



Serial Interface


Console Port
RS-232 (TxD, RxD, GND), 3-pin (115200, n, 8, 1)

Connector
USB Type-C



Power Parameters


Connection
Removable terminal block

Input Voltage
12/24/48 VDC, redundant dual inputs

Operating Voltage
9.6 to 60 VDC

Input Current
1.01 A @ 12 VDC
0.51 A @ 24 VDC
0.27 A @ 48 VDC

Reverse Polarity Protection
Supported



Physical Characteristics


Housing
Metal

IP Rating
IP40

Dimensions
45 x 135 x 105 mm (1.77 x 5.31 x 4.13 in)

Weight
800 g (1.76 lb)

Installation
DIN-rail mounting
Wall mounting (with optional kit)



Environmental Limits


Operating Temperature
Standard Models: -10 to 60°C (14 to 140°F)
Wide Temp. Models: -40 to 75°C (-40 to 167°F)

Storage Temperature (package included)
-40 to 85°C (-40 to 185°F)

Ambient Relative Humidity
5 to 95% (non-condensing)



Standards and Certifications


Safety
IEC 62368-1
UL 62368-1

EMC
EN 55032/35

EMI
CISPR 32, FCC Part 15B Class A

EMS
IEC 61000-4-2 ESD: Contact: 8 kV; Air: 15 kV
IEC 61000-4-3 RS: 80 MHz to 1 GHz: 20 V/m
IEC 61000-4-4 EFT: Power: 4 kV; Signal: 4 kV
IEC 61000-4-5 Surge: Power: 2 kV; Signal: 4 kV
IEC 61000-4-6 CS: 10 V
IEC 61000-4-8 PFMF

Railway
EN 50121-4

Shock
IEC 60068-2-27

Freefall
IEC 60068-2-32

Vibration
IEC 60068-2-6



MTBF


Time
1,876,185 hrs

Standards
Telcordia (Bellcore), GB



Package Contents


Device
1 x EDR-G9004 Series secure router

Cable
1 x DB9 female to USB Type-C

Documentation
1 x quick installation guide
1 x warranty card

Note
SFP modules need to be purchased separately for use with this product.

Ordering Information

• MOXA EDR-G9004 Series Datasheet (1586.1 kB)