S1 Routers

Secure boot, integrity checks, compliance with the most up-to-date cryptographic and security recommendations… S1 Routers represent an entirely new standard in security and resistance to cybersecurity threats for Advantech Cellular Routers.

Combining hardware capabilities (CPU OTP memory) with the hardened Linux ICR-OS, S1 Routers provide the simplicity of web-based configuration. The flexibility known from our standard open-platform products is limited in exchange for the higher security level applied to S1 devices.

S1 Routers fit applications where compliance with IEC 62443-4-2 SL1 (level 1), FirstNet, BSI IT Security label rules and others is required. For currently available formal certifications, see the datasheets of the relevant router models or contact Advantech support.

S1 Routers Differentiation

 Selected differences between S1 Routers and standard routers
| Feature | S1 Routers | Standard products (standard FW ICR-OS) |
|---|---|---|
| Compliance with IEC 62443-4-2 SL1, FirstNet, BSI IT Security label rules and requirements* | Yes | No |
| Secure boot | Yes | No |
| Read-only filesystem with integrity checks | Yes | No |
| Default username | admin | root |
| Router App format | .raw | .tgz |
| Min password requirements** | 12 chars, 3 classes | 6 chars, 1 class |
| Mandatory account lock | Yes | No |
| Available cryptographic algorithms** | strong only | both weak and strong |
| Web Admin | HTTPS only | HTTP and/or HTTPS |
| OpenVPN Security Level | 2 (medium) .. 5 (very high) | 0 (weak) .. 5 (very high) |
| FTP, Telnet | No | Yes |
| FW Support End indicator | Yes | No |
| Advanced Intrusion Detection Environment (AIDE) | Yes | No |
| Encrypted firmware image | Yes | No |
| Using scripts*** | No | Yes |
| Root access (sudo) | limited set of commands | full |
| Wi-Fi AP/Station "Extra Options" | No | Yes |
| HTTP Content-Security-Policy | strict | permissive |
| Persistent syslog | mandatory | optional |
| IPsec aggressive mode | No | Yes |
| Persistent data storage | combined (/var) | router apps (/opt), user data (/var/data) |

* Compliance does not mean formal approval; for the scope of available formal approvals, contact the producer.

** Weak algorithms: strength < 128 bits (e.g. DES, 3DES, MD5, SHA-1, RSA-1024/2048)

Strong algorithms: strength ≥ 128 bits (e.g. SHA-256+, RSA-3072+, ED25519)

More info: Strength criteria explained in Security Guidelines, Section 1.2

*** The only way to use scripts is to convert the required scripts into S1 Router Apps.

 

The differences listed above outline the general use and suitability for different customer applications. Standard products provide great flexibility to configure the router for almost any application. The limits of S1 Routers need to be reviewed more carefully against the application requirements to decide whether they are suitable.

S1 Routers GUI

What we keep the same is the familiar look of the S1 Routers web interface for configuration, so the customer can operate a familiar interface with logical segmentation into categories. A functionality overview follows.

*unified table of functions for ICR-OS / ICR-OS S1 or link to table in ICR-OS*

S1 Routers availability and production

S1 Routers are available only as selected router models. You can easily identify them by the “-S1” extension at the end of the PN name (e.g. ICR-2734-S1). The list can be extended to other PNs after agreement, depending on project volume and technical fit (not all routers within our production range can be modified to be S1 Routers). A new PN then needs to be created for ordering.

During their lifecycle, S1 Routers can benefit from the regular updates we provide for this product group through a dedicated firmware branch called ICR-OS S1, available at the website. As said above, uploading it to standard units is not possible: the ICR-OS S1 firmware branch is developed to work only with S1 Routers.

S1 Routers compatibility

 

Unlike standard products, S1 Routers do not allow scripting natively, for security reasons. However, it is possible to extend the standard firmware functionality with the well-known Router Apps. These Router Apps differ from the ones used for standard ICR-OS firmware, so it is necessary to use dedicated S1 Router Apps, which end with the extension .raw. Customers can also produce their own S1 Router Apps in .raw format; in this case the developer bears responsibility for the security of the software developed.

Check the list of available Router Apps here*link to S1 router Router Apps*

 

It is also possible to use S1 Routers in combination with other routers and various monitoring or management systems when the communication scenario in the application allows it (see the chapter S1 Routers Differentiation above).

FAQ

Are there any differences in GUI between standard routers and S1 Routers?
The GUI looks the same, so it will be very familiar to any user of our current routers. For standard users who configure the router through the GUI there is virtually no difference between a standard router and an S1 Router. You can tell that you are configuring an S1 Router by the “S1” indication in the router model name in the web GUI and by the green color of the S1 Routers GUI, which differs from the standard production web GUI (blue).

Is it possible to make an S1 Router from any cellular router in the Advantech portfolio?
No, this is not possible. S1 Routers require the OTP part of the memory, which is not available in all Advantech routers. If you need a product other than those currently available as S1 Routers, contact the producer.

I have Advantech routers already in the network. Is it possible to update them to be S1 Routers?
No, this is not possible. Routers need to be ordered as S1 Routers and produced as S1 Routers directly in Advantech production. See the list here. *S1 router app link*

I am currently operating scripts on standard Advantech routers – can I operate the scripts with S1 Routers?
Scripts are not available on S1 Routers for security reasons. If you need to customize router behavior with additional scripts, you can produce a Router App for S1 Routers in .raw format and upload it to the router or routers.

Can I use Router Apps for standard Advantech routers on S1 Routers?
No, it is not possible. Only Router Apps developed directly for S1 Routers, ending with the .raw extension, can be used.

Is IEC 62443-4-2 SL1 (level 1), FirstNet, BSI IT Security label certification available for S1 Routers?
S1 Routers are produced in line with the recommendations of the above-mentioned certifications. However, formal certification is not available for all of them. For currently available or planned formal certification of a selected PN, consult the datasheet or Advantech specialists, who will provide the required information.

Is firmware for S1 Routers regularly updated?
Yes, the firmware is continually developed to react to the latest security recommendations while also aiming to improve the customer experience. The firmware update is done in the same way as on standard products, using the dedicated ICR-OS S1 firmware branch.