Introduction
MetaDefender OT Access™ is a remote access tool that provides a platform for facilitating and monitoring connections between remote users and industrial assets. The software contains built-in tools for security and manageability.
MetaDefender OT Access features include:
- The ability to deploy in the Cloud or onsite
- The Cloud deployment has no required hardware and can be set up in one day or less.
- The onsite Management Console is easy to install. This deployment can also be set up in one day.
- Integrates with your Active Directory server for user and Security Group authorization
- Enables Policy Enforcement per user and per session
- Outbound-only connection from endpoint gateway to MetaDefender OT Access cloud or on-prem instance, with no inbound firewall exceptions required
- Inexpensive and flexible pricing model on annual or monthly subscription
- Cloud components are hosted on Amazon Web Services (AWS) for maximum reliability and performance
MetaDefender OT Access deployments
MetaDefender OT Access has two possible deployments:
- Cloud: OPSWAT manages some aspects of MetaDefender OT Access configuration, including uploading performing software updates at the customers request, and setting Management IPs.
- Onsite: The customer manages all MetaDefender OT Access configuration tasks. All traffic inspection and policy enforcement are performed in the onsite server, making it suitable for offline deployments with no internet access.
Except for the Management Console, both deployments have the same functionality. You will receive the equipment, software, etc. appropriate to your deployment.
Supported protocols
Both MetaDefender OT Access deployments support various IT and OT protocols. Refer to Appendix 1 for a table of protocols and their associated policies.
IT protocols
The following IT protocols support both client-based client-less access:
- RDP
- SSH
The following IT protocols support client-based access only:
- HTTP
- HTTPS
- RDP
- SSH
- Telnet
- Generic TCP
OT protocols
OT protocols support client-based access only:
- EtherNet/IP
- FINS
- MODBUS
- OPCUA
- S7Comm
- SLMP
MetaDefender OT Access components
MetaDefender OT Access components differ, depending on the deployment:
- System Configuration Console (on-prem only): Used to perform internal configuration tasks the MetaDefender OT Access instance, such as license activation and static IP configuration. Refer to the Management Console Guide for more information.
- Management Console (on-prem or cloud): Used to for everyday manage tasks such as provisioning users, configuring services, and monitoring connections between remote users the OT assets / services to which they have been granted access.
- Windows Client / MetaDefender Endpoint: Connects the remote user's computer to the cloud or on-prem MetaDefender OT Access instance, and ultimately to their OT assets.
- Windows Service Client: Windows system-level service that can be used as an alternative to the Windows Client. The service launches automatically when the system boots.
Appendix 1: Protocols and Policies
| Protocol | Policy | Description |
|---|---|---|
| Ethernet IP | None | N/A |
| FINS | Read Only | Read:
|
| FINS | Full Access | Unrestricted access |
| HTTP | Full Access | Protect against SQL injection and cross-site scripting |
| HTTPS | None | N/A |
| Modbus | Read Only | Read registers or coils |
| Modbus | Standard_Ops | Allow the following Modbus operation codes:
|
| Modbus | Full Access | Unrestricted access |
| OPCUA | Read Only | Deny the following OPCUA operation codes:
|
| OPCUA | All Access | Unrestricted access |
| RDP | None | N/A |
| S7COMM | Read Only | Read
|
| S7COMM | Full Access | Unrestricted access |
| SLMP | Read Only | Read:
|
| SLMP | Full Access | Unrestricted access |
| SSH | None | N/A |
| Telnet | None | N/A |
| VNC | None | N/A |