A100K12107-Exigo PAGA System - Network Guideline
Network Guideline
1 Introduction
1.1 Document Scope
1.2 Publication Log
1.3 Related Documentation
1.4 Terminology
2 System Overview
The Exigo PA/GA system is an advanced IP PA/GA system, capable of delivering critical communication
in demanding environments, and is certified for the most stringent safety standards for Public
Address and General Alarm.
This guide describes network setup, configuration and best practices for critical communication.
This guide assumes that the reader is familiar with the setup of Exigo, network terminology and
topology.
1.4 Terminology
Acronym  Description
AMP      Amplifier
DIP      Display-data over IP, the control protocol used between devices and central equipment
ESC      Exigo System Controller
GA       General Alarm
▪ Operate for 30 minutes after a mains power failure, using the ship's 24 VDC emergency supply
or a UPS (230 VAC) with battery backup.
▪ Remain viable and be able to complete calls when part of the network infrastructure is down.
▪ Systems providing integrated PA/GA shall have no single point of failure for broadcasting
PA/GA in cabins and public areas.
▪ Always have sufficient bandwidth to provide emergency services.
▪ Be protected from unauthorized use and interference.
▪ Use cabling infrastructure approved for marine use.
In addition to the general requirements for PA/GA systems, DNV has defined a new class notation,
Cyber Secure. The notation includes cyber security requirements for a vessel, intended to protect
the safety of the vessel, crew and passengers.
The class notation considers the critical systems which collectively make up a vessel's functions
subject to cyber security assessment. The following functions are considered:
It is recommended that network layout and network control should be planned for all new buildings:
Physical layout
It is important to consider the physical location of essential network devices, including servers,
switches, firewalls and cabling.
▪ Always have a clear understanding of the entire network’s infrastructure, for instance the
vendor/model, location, and basic configuration.
▪ Control of removable physical media like hard drives or USBs.
Network management
The network design will need to include an infrastructure for administering the IT and a clear
guideline for IT management.
▪ Only a few trained individuals should have access to network devices, and their activities on
the devices should be authorized and logged.
▪ Use managed switches. These provide key network services such as segmentation,
prioritization, time synchronization, multicast management and security.
▪ Network devices must not retain any default manufacturer passwords.
▪ Change passwords regularly.
▪ Only secure protocols (for example SSH rather than Telnet) may be used to access network devices
for management.
▪ Logs from network devices should be collected, analyzed and correlated in a central location,
both for preventive measures and for incident response.
Network segmentation
Onboard networks must accommodate the necessary communication between OT equipment, the
onboard administrative and business tasks (IT networks) and recreational internet access for crew
and/or passengers/visitors. For this reason, onboard networks shall be segmented.
▪ Use virtual networks (VLANs) to assign separate subnets to critical departments. An attacker
who gains a foothold on the local network then cannot reach a critical subnet without passing
the routing and filtering point between the VLANs, which is where access is controlled.
▪ Logical access to the critical networks should be protected by a barrier, either air-gapping or
a firewall router.
For reference see DNV Doc. “Rules for Classification Ships. July 2018 Pt. 6 Ch. 5 Sec. 21”
Chapter 11 of NORSOK T101 “Telecom Systems” outlines specific requirements for the data network
equipment. It is stated that “Critical data networks should be segregated into several networks (e.g.
office data network, technical network and critical/PCSS data network) and integrated as part of the
LAN/WAN infrastructure”.
On the aspect of cyber security, chapter 6 of NORSOK T101 refers to DNVGL-RP-G108, NOG 104,
NEK IEC 27001, and NEK IEC 27002, for the minimum requirements, and in addition outlines some
specific requirements for data networks.
Even though the Exigo system is not directly connected to the internet or to remote networks, it is
good practice to do a cyber security risk assessment. The objective of the risk assessment is to
reduce cyber risk to a level acceptable for the company and the vessels.
The figure above gives a high-level view of how the Exigo system can be used for doing a risk
assessment. Mitigation of threats is about minimizing the attack surface, to minimize the likelihood
of successful attacks. You typically minimize the attack surface in the following dimensions:
The objective of risk assessment is establishing a starting point and a strategy for the management
of cyber threats. This evaluation can have common aspects for all ships of a company, but it must
be individualized in each case since it can depend on several factors.
Both maritime and offshore regulations require the establishment of barriers between main systems to
prevent, mitigate and respond to unintended network issues as well as intentional cyber attacks.
For a PA/GA solution the following main systems must be considered:
▪ PA/GA system
▪ IT management system
▪ Automation / SCADA
▪ Other external systems
The table below provides recommended settings for the internal firewall and router.
▪ X: Mandatory protocol
▪ (X): Optional protocol
The 2nd column shows the recommended settings for the internal firewall, while the last 3 columns
show the recommended settings for the router.
▪ SNMP
▪ SNMP trap
▪ MODBUS
IT management might want more hands-on control of the PA/GA system. This may include:
▪ PBX systems
▪ Other SIP systems
This will require that the SIP and VoIP ports are enabled in the router between the subnets.
Figure 5 shows the layer 2 network setup for the Exigo system. The network solution for a single-site
A-B system is a redundant network based on 2 Cisco switches. The switches are interconnected
directly, and the call panels have redundant connections to each switch.
The switches use Rapid Spanning Tree Protocol (RSTP) to protect against network loops; redundant
links stay in blocking mode unless there is a failure in the network. In addition to using a modern
and robust protocol, the proposed solution uses a set of additional switch features, discussed in
chapter 4.3, to decrease risk even further.
The solution provides the required redundancy for the network and for the control plane of the
network: there is no single point of failure in the hardware or software, and the potential negative
failure modes of STP are mitigated by using the relevant features.
It is important to note that a call panel only uses one link at a time, because RSTP blocks the loop
through the panel. Messages from ESC-A to AMP-B need to travel over the redundant links between
the switches and cannot be passed through the call panel.
• Public Address
Public address service is initiated by a person using a call panel, and the live speech is sent
to both A and B controller as illustrated in Figure 6.
1. Step 1 Call panels to system controller
a. When call is initiated, the call panel signals to both controllers as DIP data
messages
b. Media is sent to both controllers as RTP/UDP unicast data
2. Step 2 System controller to amplifiers
a. Both controllers accept the RTP/UDP audio stream from the call panel
b. Both controllers then send separate RTP/UDP multicast streams to the
amplifiers of both the A and B system. The A-system stream will have priority
over B-controllers stream.
3. Step 3 Amplifier to speakers
a. The amplifier receives both RTP/UDP streams, from the A controller and from the B
controller. By default, the amplifier listens to the A controller's stream, but in
case of an A-system failure, the B stream is used instead.
• General Alarm
General Alarm audio will follow the same path as in Figure 6, with the exception of step 1
since the sound is generated in the controller.
1. Step 1 Event to system controller
Different event can trigger an alarm, such as a relay closing, a push button sending
a DIP message to the Exigo system, or a third-party integration causing a software
triggered event. The exact cause of a triggered alarm, and the protocol it propagates
by, depends on the system design.
2. Step 2 System controller to amplifiers
a. The signal (analog, DIP, SIP etc.) for activating the alarm is received by both
controllers
b. Behaves in the same manner as for live speech
Flowire must be used together with EX panels instead of Ethernet cables with PoE.
Figure 7 shows an example system where Flowire is used in an EX and industrial system.
The Flowire system has some special requirements for the switch configuration and setup. For a more
technical view of the Flowire system, please refer to A100K11422 "Flowire Configuration Manual"
and A100K11706 "Flowire Guidelines for Exigo".
In case of ExigoNet, both controllers have a SIP connection to all other controllers in the system.
• Public Address
In the case of live announcement, audio will be sent from the call panel to both controllers on
the same site. The controllers will then distribute the message by SIP to all other controllers,
who in turn will route the audio to the required zones, as illustrated in Figure 8.
1. Step 1 Call panel to system controller
a. When call is initiated, the call panel signals as DIP data messages
b. Media is sent to both controllers on the same network as RTP/UDP unicast
data
2. Step 2 The call panel will have dual data cabling, where one interface is connected
to A-System and the other is connected to B-System (Ref. Figure 5)
a. Both controllers accept the RTP/UDP audio stream from the call panel
b. SIP session is set up between the local controllers and all other controllers on
the ExigoNet
3. Step 3 System controller to amplifiers
a. Receives the SIP RTP/UDP packets
b. Both controllers then send separate RTP/UDP streams to the amplifiers of
both the A and B system. The A-system stream will have priority over B-
controllers stream.
Note! Please see chapter 3.2 “High Level Network View” for information for setting up internal firewall
and router.
The Exigo System Controller (ESC1) must be set up with a static IP address. The other Exigo
equipment supports both dynamic (DHCP) and static address assignment.
It is good practice to keep an overview of the different Exigo IP equipment and the associated IP
addresses. Zenitel has also found it useful to allocate sub-ranges of IP addresses to different
equipment types. This makes analysis of Wireshark traces easier should network traffic need to be
analysed.
To have type approval it is required that the network switches are bought via Zenitel.
A redundant network will need switches for routing traffic and provide proper segregation of systems.
There exist several methods to improve robustness and stability for a redundant data network.
▪ Rapid Spanning Tree Protocol (RSTP) is a link management protocol for bridged networks,
introduced in IEEE 802.1w and since incorporated into IEEE 802.1D. RSTP provides path
redundancy while preventing undesirable loops in networks consisting of multiple active paths.
RSTP uses the Bridge Protocol Data Unit (BPDU), a data message, to detect loops in network
topologies.
▪ STP Loop Guard – This feature blocks a local switch-to-switch port if BPDUs stop arriving on it,
which happens when the remote switch experiences an STP protocol failure or the link is
unidirectional (A common failure in fiber
▪ Storm Control – This feature is implemented on all ports, limiting the amount of allowed
broadcast/multicast packets, to protect the control-plane of the network and applications
running over the network. This feature protects the network from external sources of errors,
like failing NIC, failing protocol stacks or processes creating erroneous traffic.
▪ STP Portfast – This feature prevents STP TCN BPDU flooding when an end-host port flaps,
protecting the control plane of the network from extra processing of unneeded change
notifications.
▪ BPDU Guard – This feature is configured on all ports except inter-switch ports and will shut
down a port if it receives a STP BPDU, typically from a mis-cabling. This feature protects
against mis-cabling in case of maintenance or work in cabinets where the equipment is
located.
These features can be configured in the switches and should be considered when designing the
system to ensure security and robustness.
The following picture will be used as an example to illustrate and explain the network configuration
needed for an Exigo A-B system:
IP table for this network setup. This is an example; IP addresses and Fast Ethernet ports (Fa) can
be changed and modified as needed:
Once we have a clear idea of the network setup and a list of the desired IPs, we can start configuring
the system.
The Table 5 below contains the general switch configuration needed to achieve the functionality and
security requirements for an Exigo A-B system, which are mainly:
The configuration marked in red should be changed according to preferences and which switch is
being configured.
There are different ways to configure the switches; the configuration above is just one of multiple
choices available. For example:
Management options:
▪ SSH v2 enabled, Telnet disabled:
▪ All SSH and Telnet disabled. The only way to connect to the switch is with direct console
access:
▪ To avoid brute-force password attacks on the devices, you can configure a maximum number of
failed login attempts so that a user is locked out after this threshold, using the command
aaa local authentication attempts max-fail {value}
It is also possible to configure an external AAA server for authentication, making it easy to
change/enable/disable account passwords, enforce strong password policies, and monitor account
usage and user access.
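The management options above are easy to state and easy to lose again after a maintenance visit, so it pays to audit the running configuration rather than trust the commissioning record. The script below is an added example (not from the page or from Zenitel): it reads an IOS-style running-config excerpt and reports whether Telnet is still allowed on the vty lines, whether SSH v2 is enforced, whether the failed-login lockout is set, and whether a reversible `enable password` is used instead of `enable secret`. Both configurations are constructed for the example; the hash in the hardened one is a placeholder.

```python
"""Audit an IOS-style running-config excerpt for the management-hardening points above:
Telnet disabled on the vty lines, SSH v2 enforced, lockout after failed logins, and no
reversible 'enable password'. The two configs below are constructed for the example."""
import re

# Constructed "before" config: Telnet still open, SSH v1, no lockout, plaintext enable password.
WEAK_CONFIG = """\
hostname SW-A
enable password cisco
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 login local
line con 0
 login local
"""

# Constructed "after" config matching the options listed above (hash value is a placeholder).
HARDENED_CONFIG = """\
hostname SW-A
enable secret 9 $9$PLACEHOLDERHASH
aaa new-model
aaa local authentication attempts max-fail 3
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
line con 0
 login local
"""


def parse_sections(config):
    """Split an IOS-style config into global lines and {section header: [child lines]}.
    Children of 'line ...' and 'interface ...' blocks are indented by one space."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_management(config):
    """Return a list of findings; an empty list means all checked points pass."""
    global_lines, sections = parse_sections(config)
    findings = []
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no 'transport input' statement, Telnet not explicitly disabled")
        for t in transports:
            if {"telnet", "all"} & set(t.split()):
                findings.append(f"{header}: '{t}' still allows Telnet")
    if "ip ssh version 2" not in global_lines:
        findings.append("SSH v2 not enforced ('ip ssh version 2' missing)")
    if not any(l.startswith("aaa local authentication attempts max-fail") for l in global_lines):
        findings.append("no lockout after failed logins ('aaa local authentication attempts max-fail' missing)")
    if any(l.startswith("enable password") for l in global_lines):
        findings.append("'enable password' (reversible) used instead of 'enable secret'")
    if any(re.match(r"username \S+ password ", l) for l in global_lines):
        findings.append("local user(s) defined with 'password' instead of 'secret'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management(cfg) or ["OK"])
```

Run it against `show running-config` output saved from each switch after commissioning and after every service visit; a vty line without an explicit `transport input` statement is reported because the platform default cannot be assumed to exclude Telnet.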
Table 7 below shows the configuration for the different port profiles to be used in our network
example of an A-B system, when a network component or an Exigo central device is connected
to the switches.
It includes the port security and ACL configuration needed on each port depending on the device
connected to it, in order to protect the network and prevent unauthorized access.
The configuration marked in red can be changed according to preferences and which port is being
configured.
Table 8 below is a list of Call Panels that can be connected to the IP network:
Table 9 below shows the configuration for the different port profiles to be used in our network
example of an A-B system, when an Exigo call panel is connected to the switches.
It includes the port security and ACL configuration needed on each port depending on the device
connected to it, in order to protect the network and prevent unauthorized access.
The configuration marked in red can be changed according to preferences and which port is being
configured.
Table 10 below shows the configuration for the different port profiles to be used if Flowire units are
connected to our A-B system. It includes the port security and ACL configuration needed on each
port, in order to protect the network and prevent unauthorized access.
The configuration marked in red can be changed according to preferences and which port is being
configured.
All Flowire units report two MAC addresses to the switch, so this must be taken into account in
all scenarios using Flowire, especially in the port security configuration (the maximum number of
secure MAC addresses allowed on the port).
▪ If one central Flowire feeds several Flowire units connected to Turbine stations, the port sees
(number of Flowire units × 2 MACs) + (number of Turbine stations × 1 MAC). In this case,
4 Flowire units × 2 MACs + 3 call panels × 1 MAC = 4 × 2 + 3 = 11 MAC addresses.
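The port profile tables (7, 9 and 10) combine the switch features from chapter 4.3 with a port-security limit that depends on what hangs off the port. The script below is an added example, not one of Zenitel's profiles: it sizes the port-security maximum with the Flowire formula above and renders a host-facing access-port profile (port security, PortFast, BPDU Guard, storm control) next to an inter-switch profile (Loop Guard, no BPDU Guard). The VLAN numbers, the storm-control threshold and the use of sticky MAC learning are assumptions.

```python
"""Render the access-port and inter-switch port profiles for an Exigo A-B switch from the
switch features discussed above (port security with an explicit MAC limit, PortFast, BPDU Guard,
Loop Guard, storm control). Example code, not a Zenitel port profile; the VLAN numbers, the
storm-control threshold and the use of sticky MAC learning are assumptions."""

MACS_PER_FLOWIRE = 2        # every Flowire unit presents two MAC addresses to the switch
MACS_PER_STATION = 1        # Turbine station / call panel / amplifier / controller


def required_mac_count(flowires, stations):
    """Secure MAC addresses the port must allow: Flowires x 2 + stations x 1."""
    return flowires * MACS_PER_FLOWIRE + stations * MACS_PER_STATION


def access_port_profile(interface, vlan, flowires=0, stations=1, storm_level=10):
    """Host-facing port: BPDU Guard and PortFast on, port security sized to the attached devices."""
    max_macs = required_mac_count(flowires, stations)
    lines = [
        f"interface {interface}",
        " switchport mode access",
        f" switchport access vlan {vlan}",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation shutdown",   # unknown host err-disables the port
        " switchport port-security mac-address sticky",   # assumption: learn and pin the first MACs
        " spanning-tree portfast",                        # no TCN flood when the panel reboots
        " spanning-tree bpduguard enable",                # a switch plugged in here gets shut down
        f" storm-control broadcast level {storm_level}",
        f" storm-control multicast level {storm_level}",  # must stay above the legitimate RTP multicast load
    ]
    return "\n".join(lines)


def inter_switch_profile(interface, vlans, storm_level=10):
    """Switch-to-switch link: Loop Guard instead of BPDU Guard, no PortFast, no port security."""
    allowed = ",".join(str(v) for v in vlans)
    lines = [
        f"interface {interface}",
        " switchport mode trunk",
        f" switchport trunk allowed vlan {allowed}",
        " spanning-tree guard loop",                      # block if BPDUs stop (unidirectional link)
        f" storm-control broadcast level {storm_level}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # The case from the text: 4 Flowire units and 3 Turbine call panels behind one port.
    print(access_port_profile("FastEthernet0/4", vlan=10, flowires=4, stations=3))
    print(inter_switch_profile("GigabitEthernet0/1", vlans=[10, 20]))
```

Two points worth checking before applying such a profile: the PA audio reaches the amplifiers as RTP multicast, so the multicast storm-control level on amplifier ports must be set above the real audio load or the feature will silence the very traffic it is meant to protect; and BPDU Guard belongs only on host-facing ports, since on the inter-switch links it would shut down the redundant path the A-B design depends on.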
▪ Static routes are not advertised over the network, resulting in better security.
▪ Static routes use less bandwidth than dynamic routing protocols, as routers do not exchange
routes.
▪ No CPU cycles are used to calculate and communicate routes.
▪ The path a static route uses to send data is known.
Often an Exigo Call Panel or an Exigo accessory needs to be installed and connected in a different
part of the building or ship that belongs to a different IP network than Exigo. In order to solve this
situation and to allow the communication between Exigo system and these end devices or call
panels, we will need a router with a proper routing configuration.
The following examples illustrate an end device connected to the network in different ways. These
are only examples and the configuration and routing protocols will most likely need to be adapted to
your environment and platform.
▪ For example, if one or several end devices in the same IP network range are installed in a
different part of the network than Exigo and need to communicate with it, we would need the
following configuration if we choose the dynamic routing protocol RIP v2:
The configuration marked in red can be changed according to preferences and which port is being
configured.
If several end devices in different IP network ranges, installed in different parts of the network
than Exigo, need to communicate with it, we would need the following configuration:
Table 14 shows the routing configuration needed in Router 1, Router 2 and Router 3, using static
routes. This is an example, routing can be done using several static routes or different dynamic
routing protocols.
The configuration marked in red can be changed according to preferences and which port is being
configured.
The more we open the Exigo network, and the more access we give to it from other network
segments, the more efficient and precise the security mechanisms need to be in order to prevent
unauthorized access or attacks.
First, in order to simplify the access list, the IP addresses of the different kinds of equipment are
placed in object groups:
▪ Controllers: IP addresses of the PSC (AMC-IP card) in the Exigo controller(s) in the system.
▪ EquipmentIn: addresses of the equipment on the "inside" (Exigo system network).
▪ MngmtIn: address(es) of the management computer placed on the "inside".
▪ MngmtOut: address(es) of the management computer placed on the "outside" (not directly on the
Exigo broadcast domain).
▪ StationOut: address(es) of Exigo equipment on the "outside".
The configuration marked in red can be changed according to preferences and which port is being
configured.
Line# Description
1 Permit the management PC web access to the components in the system (configuration and upgrade
via IMT)
2 Permit outside equipment normal communication with the controllers
3 Permit outside equipment normal communication with the controllers
4 Permit the outside management computer to communicate with the controllers for EMT monitoring
5 Permit TFTP traffic for upgrade of stations
6 Permit TFTP traffic for upgrade of stations
7 Permit inside management PC to access outside Exigo equipment.
8 Permit PING from remote stations
9 Permit management PC to ping local stations (this has any destination so the management computer
can ping any device in the network)
10 Permit management PC to have telnet access to the Exigo equipment (not necessary for normal
operation)
11 Permit management PC to have ssh access to the Exigo equipment (not necessary for normal
operation)
12 Permit the management PC web access to the components in the system (configuration and upgrade)
13 Permit an inside management PC to upgrade outside stations via VS-IMT
14 Ping from outside station to inside management PC
Table 17: Explanation of lines in ACL
And now, we can apply the access-list called “Router-out”, to the router interfaces.
The configuration marked in red shall be changed according to preferences and which port is being
configured:
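Before the "Router-out" ACL goes onto a live router it is worth checking a few sample flows against it, because an access list is evaluated top-down with a first match and ends in an implicit deny, so one misplaced line silently blocks upgrade or monitoring traffic. The script below is an added example, not the router configuration from the page: it models the five object groups above and the Table 17 lines whose protocol has a well-known port (HTTP, TFTP, Telnet, SSH, ICMP). The DIP and EMT lines (2, 3, 4, 13) are left out because the page does not state their ports, and all addresses and the TFTP direction are assumptions.

```python
"""Model the object groups above and the first-match, implicit-deny semantics of the
"Router-out" ACL, so a rule set can be checked against sample flows before it is applied.
Example code, not the router configuration from the page. Only the ACL lines whose protocol
is a well-known port (HTTP, TFTP, Telnet, SSH, ICMP) are modelled; the DIP/EMT lines are left
out because the page does not state their ports. All addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed object groups (assumed addresses, mirroring the five groups named above).
GROUPS = {
    "Controllers": ["10.0.0.10/32", "10.0.0.11/32"],
    "EquipmentIn": ["10.0.0.0/24"],
    "MngmtIn": ["10.0.0.200/32"],
    "MngmtOut": ["10.1.200.50/32"],
    "StationOut": ["10.2.0.0/24"],
    "any": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    line: int          # ACL line number as in Table 17
    src: str           # object-group name (or "any")
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None: any port (used for icmp)
    note: str = ""


# Subset of Table 17 (permit statements only; everything else hits the implicit deny).
ROUTER_OUT = [
    Rule(1, "MngmtOut", "EquipmentIn", "tcp", 80, "outside management PC: web access (IMT)"),
    Rule(5, "StationOut", "MngmtIn", "udp", 69, "TFTP for upgrade of stations (assumed direction)"),
    Rule(7, "MngmtIn", "StationOut", "tcp", 80, "inside management PC to outside equipment"),
    Rule(8, "StationOut", "EquipmentIn", "icmp", None, "ping from remote stations"),
    Rule(9, "MngmtIn", "any", "icmp", None, "management PC may ping anything"),
    Rule(10, "MngmtIn", "StationOut", "tcp", 23, "telnet (not needed in normal operation)"),
    Rule(11, "MngmtIn", "StationOut", "tcp", 22, "ssh (not needed in normal operation)"),
    Rule(14, "StationOut", "MngmtIn", "icmp", None, "ping from outside station to inside PC"),
]


def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])


def evaluate(acl, src, dst, proto, dport=None):
    """Return the first matching permit rule, or None for the implicit deny at the end."""
    for rule in acl:
        if rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if in_group(src, rule.src) and in_group(dst, rule.dst):
            return rule
    return None


def explain(acl, src, dst, proto, dport=None):
    rule = evaluate(acl, src, dst, proto, dport)
    flow = f"{src} -> {dst} {proto}" + (f"/{dport}" if dport else "")
    if rule is None:
        return f"{flow}: DENIED (implicit deny)"
    return f"{flow}: permitted by line {rule.line} ({rule.note})"


if __name__ == "__main__":
    print(explain(ROUTER_OUT, "10.2.0.15", "10.0.0.10", "icmp"))        # line 8
    print(explain(ROUTER_OUT, "10.2.0.15", "10.0.0.10", "tcp", 80))     # implicit deny
    print(explain(ROUTER_OUT, "10.1.200.50", "10.0.0.10", "tcp", 80))   # line 1
    print(explain(ROUTER_OUT, "10.1.200.50", "10.0.0.10", "tcp", 22))   # implicit deny
```

The last two flows show the intended asymmetry: the outside management PC may reach the web interface of the Exigo equipment but not SSH into it, while an outside station is limited to ping and the application traffic on the lines not modelled here. Lines 10 and 11 are marked "not necessary for normal operation" in Table 17; a reasonable hardening is to leave them out of the deployed ACL and add them only for a maintenance window.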
In the following example, the external NTP server will have IP address 10.1.200.90. The
configuration marked in red shall be changed according to preferences:
▪ emergencies
▪ alerts
▪ critical
▪ errors
▪ warnings
▪ notifications
▪ informational (default level)
▪ debugging
In the following example, our external syslog server will have IP address 10.1.200.80. The
configuration marked in red can be changed according to preferences:
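Once the switches forward their messages to the syslog server at 10.1.200.80, the useful part is turning the severity levels above into something an operator acts on. The script below is an added example with constructed log lines (not output from a real Exigo installation): it parses IOS-style syslog messages as the central server receives them, maps the numeric severity in the `%FACILITY-SEVERITY-MNEMONIC` field onto the level names listed above, checks which messages a given `logging trap` level would even forward, and raises alerts for a port-security violation, a call panel losing its link, and a configuration change. The port numbers of the call panels are an assumption; the message mnemonics are the standard Cisco IOS ones for link state, port security and configuration events.

```python
"""Parse IOS-style syslog lines as a central syslog server would receive them, map the
%FACILITY-SEVERITY-MNEMONIC field onto the severity list above, and raise alerts for the
events a PA/GA operator needs to see. Example code with constructed log lines; the message
mnemonics used are the standard Cisco IOS ones for link state, port security and config changes."""
import re

# Severity names in IOS order; the list index is the numeric level (0 = emergencies).
SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]

# Ports where a call panel is connected (assumed for the example).
CALL_PANEL_PORTS = {"FastEthernet0/23"}

# Constructed sample as forwarded by a switch configured with 'logging host <server>'.
SAMPLE_LOG = """\
<187>123: SW-A: Jan  5 10:14:02.113: %LINK-3-UPDOWN: Interface FastEthernet0/23, changed state to down
<189>124: SW-A: Jan  5 10:14:03.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
<186>125: SW-A: Jan  5 10:16:40.001: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/4.
<189>126: SW-A: Jan  5 10:17:00.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.200.50)
<187>127: SW-A: Jan  5 10:18:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
"""

MSG_RE = re.compile(
    r"<(?P<pri>\d+)>\d+: (?P<host>\S+): (?P<ts>.*?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")


def parse(line):
    """Return the fields of one syslog line, or None if it is not an IOS-style message."""
    m = MSG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY[d["severity"]]
    d["pri_severity"] = int(d["pri"]) % 8   # severity is also encoded in the <PRI> header
    return d


def forwarded(trap_level_name, severity):
    """True if a message of this severity passes 'logging trap <level>' on the switch."""
    return severity <= SEVERITY.index(trap_level_name)


def alerts(log_text):
    """Turn raw lines into (kind, detail) alerts a bridge or SOC operator should see."""
    out = []
    for line in log_text.splitlines():
        msg = parse(line)
        if msg is None:
            continue
        key = f"{msg['facility']}-{msg['mnemonic']}"
        if key == "PORT_SECURITY-PSECURE_VIOLATION":
            mm = re.search(r"MAC address (\S+) on port (\S+)\.", msg["text"])
            out.append(("port_security_violation", f"unknown host {mm.group(1)} on {mm.group(2)}"))
        elif key == "LINK-UPDOWN" and msg["text"].endswith("to down"):
            port = re.search(r"Interface (\S+),", msg["text"]).group(1)
            if port in CALL_PANEL_PORTS:
                out.append(("call_panel_link_down", port))
        elif key == "SYS-CONFIG_I":
            out.append(("config_change", msg["text"]))
    return out


if __name__ == "__main__":
    for kind, detail in alerts(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Note the interaction with the trap level: the configuration-change message is severity 5 (notifications), so a switch set to `logging trap warnings` would never forward it and the change would be invisible to the central log. Keeping the default informational level, or at least notifications, is what makes the accounting requirement in the network management section hold.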
▪ The "Link Up" and "Link Down" SNMP traps monitor the operating status of the switch ports. If an
Ethernet cable is plugged into a port, or a cable is removed, the SNMP agent on the switch sends
a corresponding "Link Up" or "Link Down" notification to a network management station
(SNMP manager).
The following example, shows how to enable link down and link up traps. The configuration marked
in red can be changed according preferences:
When a call panel disconnects from the port on a switch, it sends a notification to the SNMP Manager
(IP address 10.0.0.61 in this example), indicating that the Operational status of FastEthernet0/23 is
down as shown in the following screenshot.
The following example shows how to enable port security traps. The switch will send a trap for every
port-security violation it detects. The configuration marked in red can be changed according to
preferences:
If we disconnect the authorized host from the port FastEthernet0/4 and connect an unknown host,
the port security violation forces the interface into the shutdown state and the switch sends a trap to
inform about this event.
The Exigo Management Tool (EMT) is a modern and easy to use configuration tool, which enables
configuration of the system with drag and drop features. Through EMT it is possible to:
The following example shows how to back up or restore a project database to/from the hard disk.
▪ Select Projects
Backup Now
This will back up the project database to the hard disk under: \Documents\Exigo\1.4\Projects\
Restore
This will restore the project database from the hard disk under: \Documents\Exigo\1.4\Projects\
The system controller project database will now be downloaded as a new Exigo project file.
Onboard networks have often grown gradually as needs grew, in some cases without order or a clear
infrastructure. The different network cells or zones, originally without communication between
each other, have been joined together without taking much account of the priorities, requirements
and security levels of each of these layers and the related processes.
In addition, the increasing interconnection of OT and IT systems has not helped adequate growth
either, with simple connections established as information needs arose.
Over the years, the most common configuration errors and bad practices that we can find in a ship’s
network are:
▪ No management interfaces
▪ Default passwords.
▪ No isolation between IT and OT networks.
▪ A flat network, without any type of segmentation and/or VLAN segregation that separates the
equipment by levels of criticality or functionality.
▪ Poorly configured firewalls
▪ Direct connection to the Internet, which exposes the onboard network system to unwanted
access and attacks.
With the constant increase of cyber attacks on ships, it is vitally important to secure the onboard
networks and systems. To protect environments where IT (Information Technologies) and OT
(Operational Technologies) are combined, at least the following list of good practices at network
level should be applied:
Each environment is based on its own topology, with no shared network components such as switches
or routers. All incoming and outgoing communication between the IT network and the OT networks
then passes through a single point of connection, and traffic is subject to the rules configured
there.
Network Segmentation
Once the OT and IT environments are separated, the next step is to apply the concept of
segmentation. Segmentation consists of subdividing the network or networks of the OT and IT
environments into what are called "zones".
We define "zones" as sets of devices, applications, services and other assets grouped
according to their functionality, assigned security level, operational function, physical location,
network connection and system access. This is done by introducing a perimeter security
element or security enforcement point, normally a firewall, whose mission is to filter all
communication to, from or between the different zones. In this way, on the one hand we reduce
the degree of exposure a zone has, and on the other, in case of a security event, it remains
confined to its zone.
Remote access possibilities for the vessel shall be grouped into a separate zone, providing the asset
owner/asset operator full control of any cyber related access external to the vessel.
Depending on the level of criticality of the system or the level of security to be achieved, different
strategies and/or tools that can be used to carry out a correct segmentation:
▪ Air Gap: The air gap consists of physically separating the connections of two networks.
▪ IPS: Allows blocking certain information packets according to certain predefined rules.
▪ Virtual networks (VLANs); Separate systems and devices into logical networks within the
same physical network.
▪ Firewalls: Firewalls are the most common elements to carry out segmentation. Its operation
is based on allowing or denying traffic between different networks based on filtering rules.
▪ Data diodes or unidirectional gateways: unlike a firewall, a data diode has no channel in one of
the two directions. They are used when information only needs to flow out of a network (for
example, monitoring data) and nothing may flow in, protecting the availability and integrity of
the source network.
Network Management
Any network design will need to include an infrastructure for administering and managing the
network. This may include installing network management software on dedicated workstations and
servers providing file sharing, log and event management, and other services.
On network devices, management communication can be in-band, through the networked data
ports, or out-of-band (OOBM), through a dedicated management port separated from the data
▪ If the network switches on your network have out-of-band networked management ports, use
them as only point of access for Management.
▪ You can also use only the Console port as access for Management and leave the networked
ports only for data traffic.
▪ You can also configure VLANs to separate management and data traffic. In this case, enable
only one port for management, with port security/MAC filtering and the other security features
properly configured.
▪ Make sure that the auxiliary port on the switch is disabled
Authentication, Authorization and Accounting: ideally, the network device should be configured to use
802.1X authentication on host-facing access switch ports, and centralized AAA (for example RADIUS
or TACACS+) for administrative local and remote access to the switch.
Remote Access
A VPN is a service that allows remote access to the ship's internal network and resources, creating an
encrypted tunnel through the internet.
Most organizations that use VPNs implement a multi-layer line of defense to protect their network
and assets through a combination of endpoint security measures, user authentication, and network
security policy enforcement.
Advantages of implementing a VPN:
Centralized logs
In the event of a security breach, centralized logs play a crucial role:
▪ Collecting information and logs from various sources across the network ecosystem, including
audit, authentication, intrusion detection system (IDS), and intrusion prevention system (IPS)
logs.
▪ Correlating events/logs in real time: the relationship defined between two or more events or
operations generated on the same or different devices within a time interval, used to detect
actions.
▪ Compressing and retaining the events in a way that protects them from modification.
The WEEE Directive does not legislate that Zenitel, as a ‘producer’, shall collect ‘end
of life’ WEEE.
This ‘end of life’ WEEE should be recycled appropriately by the owner who should use proper
treatment and recycling measures. It should not be disposed to landfill.
Many electrical items that we throw away can be repaired or recycled. Recycling items helps to save
our natural finite resources and also reduces the environmental and health risks associated with
sending electrical goods to landfill.
Under the WEEE Regulations, all new electrical goods should now be marked with
the crossed-out wheeled bin symbol shown.
Goods are marked with this symbol to show that they were produced after 13th August
2005, and should be disposed of separately from normal household waste so that they
can be recycled.
DOC NO.
A100K12107 customer.service@zenitel.com
Zenitel and its subsidiaries assume no responsibility for any errors that may appear in this publication, or for damages arising from the information therein. Vingtor-Stentofon products are developed and
marketed by Zenitel. The company’s Quality Assurance System is certified to meet the requirements in NS-EN ISO 9001. Zenitel reserves the right to modify designs and alter specifications without notice.
ZENITEL PROPRIETARY. This document and its supplementing elements, contain Zenitel or third party information which is proprietary and confidential. Any disclosure, copying, distribution or use is
prohibited, if not otherwise explicitly agreed in writing with Zenitel. Any authorized reproduction, in part or in whole, must include this legend: Zenitel – All rights reserved.