€448.00
Secure Network Communication with the Microwall VPN from Wiesemann & Theis
In modern industry and automation, secure communication between machines and systems is crucial for protecting critical infrastructure and ensuring stable operations. The Microwall VPN from Wiesemann & Theis is an advanced firewall solution that isolates sensitive components or subnetworks into a separate island network and protects them from unauthorized access through strict firewall rules. With support for WireGuard VPN for secure remote access, a Discover Mode for assisted commissioning, and flexible operating modes like NAT router and standard router, it is ideal for Industry 4.0, remote maintenance, and network control. This article highlights the technical features, application scenarios, and benefits of this innovative solution.
Secure Communication for Critical Systems
The Microwall VPN protects critical machines and systems using a strictly whitelist-based firewall concept that limits both incoming and outgoing communications to what is operationally necessary. All inter-network connections require explicit approval based on source/destination IP and TCP/UDP port numbers, with support for hostnames in outbound connections.
This significantly reduces the attack surface and prevents disruptive events such as load spikes or broadcast storms, which remain locally contained without impacting other network segments. The Microwall VPN is therefore an essential solution for companies looking to ensure secure communication and operation of their systems.
Secure Commissioning with Discover Mode
Unlike conventional routers that often permit outgoing traffic by default, the Microwall VPN initially blocks all inter-network traffic. In Discover Mode, outbound communication attempts from devices within the island network are recorded and documented, including associated hostnames.
Approval rules can be created with a single click for desired connections, while unknown or unwanted ones remain blocked. This approach enables secure commissioning of new or unfamiliar devices by only permitting authorized communication, which is especially beneficial in complex networks with many devices.
Secure Remote Access with WireGuard VPN
The Microwall VPN offers a WireGuard VPN endpoint that can operate as either a VPN client or server. This enables secure remote access for maintenance and support by granting selected VPN clients firewall-protected access to the island network. WireGuard stands out for its high data throughput (up to 300 MBit/s in VPN mode), ease of management, and strong security compared to other VPN solutions like OpenVPN or IPsec. External clients (Windows, Linux, Android, macOS, iOS) can connect to the island network, or the Microwall VPN can act as a client in a service network, such as a manufacturer’s network. Additionally, box-to-box VPN tunnels between two Microwall devices allow secure interconnection of island networks via intranet or internet.
Flexible Operating Modes: NAT Router and Standard Router
The Microwall VPN supports two operating modes to suit various network requirements:
- NAT Router Mode: The entire island network is integrated into the corporate network via a single intranet IP address, similar to a traditional DSL connection. This requires no changes to the intranet routing setup and allows multiple island networks with identical IP ranges to operate in parallel. This is beneficial for machine and system manufacturers using standardized serial IP configurations without having to adapt to customer infrastructures.
- Standard Router Mode: The Microwall VPN functions as a conventional router, with the island network made known in the intranet via static routes. With static NAT, 1:1 mapping of intranet addresses to fixed IPs in the island network is possible, making island hosts appear as local intranet participants while still being protected by firewall rules.
This flexibility makes the Microwall VPN ideal for complex network environments that require both security and easy integration.
High-Performance Network Connectivity
The Microwall VPN features two Gigabit Ethernet interfaces (100/1000BaseT) with autosensing and auto-MDIX, offering high data throughput of up to 900 MBit/s in router mode and 300 MBit/s in VPN mode. Its powerful hardware platform ensures low latency, essential for time-critical industrial applications. Support for static NAT enables 1:1 mapping from intranet IPs to island hosts, while Discover Mode facilitates secure commissioning. These features ensure reliable and efficient network control in demanding environments.
Management and Security
The Microwall VPN offers a secure management concept with the following features:
- Secure Boot: Prevents uploading of manipulated or foreign firmware.
- HTTPS Configuration: Configuration exclusively via HTTPS with support for individual certificates.
- Password Enforcement: No default login, increasing security.
- Port Management: All local services are configurable or can be disabled.
- Whitelist-Based Firewall: Filtering rules based on IPv4 addresses, TCP/UDP port numbers, and hostnames (via integrated DNS proxy).
- Logging: Identification and logging of unauthorized communication attempts.
- SNMP Support: Optional support for SNMPv2c/3 (read-only) for network management systems.
Quick setup is possible via WuTility or DHCP, simplifying installation. These features make the Microwall VPN a secure and user-friendly solution for network administrators.
Versatile Applications
The Microwall VPN is designed for a wide range of applications. In Industry 4.0 environments, it protects sensitive machines and systems from unauthorized access and enables secure remote maintenance and support. In system control, it allows secure integration of devices into the corporate network without IP address conflicts. Manufacturers can operate internal networks with uniform IP configurations, simplifying on-site installations. For remote maintenance, WireGuard VPN ensures secure access to remote devices, while Discover Mode simplifies commissioning. Additional use cases include network segmentation, securing IoT devices, and logging network events.
Flexible Power Supply and Standards Compliance
The Microwall VPN can be powered via Power over Ethernet (PoE) or through an external power source (24V–48V DC) via screw terminal. This flexibility facilitates installation in various environments. The device complies with standards for office and industrial settings, offering high interference immunity per EN 61000-6-2 and low emissions per EN 55032:2015 + A1 Class B, EN 61000-3-2, and EN 61000-3-3. These features ensure reliable and interference-free operation, even in demanding conditions.
Please note: No power supply is included.
Durability and Reliability
The Microwall VPN is designed for continuous operation and comes with a five-year warranty. Its robust design and DIN rail mounting capability make it ideal for industrial environments. The internal battery-buffered clock ensures precise timestamps, and synchronization with a time server improves their accuracy further. These features underline the device’s durability and reliability, even under demanding conditions.
A Future-Proof Solution for Network Communication
The Microwall VPN from Wiesemann & Theis is a powerful and secure solution for network control and remote maintenance of machines and systems. With its whitelist-based firewall concept, WireGuard VPN technology, and flexible operating modes like NAT router and standard router, it offers a robust platform for Industry 4.0, network segmentation, and secure communication. Discover Mode simplifies commissioning, while support for Gigabit Ethernet and low latency ensures high performance. Whether for securing IoT devices, remote maintenance of systems, or integration into complex networks – the Microwall VPN is an indispensable tool for professional users.
Connections and Indicators:
- Network: 2x 100/1000BaseT autosensing/auto-MDIX, RJ45, IPv6 on request
- Data throughput router mode: max. 900 MBit/s (unidirectional TCP)
- Data throughput VPN tunnel: max. 300 MBit/s (unidirectional TCP)
- Galvanic isolation: network connections min. 1500 volts
- Supply voltage: Power-over-Ethernet (PoE) or DC 24V-48V (+/-10%)
- Power connection: pluggable screw terminal, 5.08mm pitch, labeled "L+" and "M"
- Current consumption: PoE Class 2 (3.84W to 6.49W) or with external supply typ. 150mA @ 24V DC, max. 200mA @ 24V DC
- Indicators: 2x LEDs network status, 1x LED error
Housing and Other Data:
- Housing: plastic small housing for DIN rail mounting
- Dimensions: 105x22x75mm (L×W×H)
- Protection class: IP20
- Weight: approx. 120g
- Storage ambient temperature: -40°C to +85°C
- Operating ambient temperature: 0°C to +50°C (in non-daisy-chained installation)
- Permissible humidity: 5-95% relative humidity, non-condensing
Scope of Delivery:
- 1x Microwall VPN
- 1x Quick start guide
Manufacturer Information:
Wiesemann & Theis GmbH
Porschestr. 12
42279 Wuppertal
Germany
Phone: +49 202/2680-0
Email: info@wut.de
Responsible person:
Didactum® Security GmbH
Marsweg 17
48163 Münster
Germany
Phone: +49 - 2501 - 9 78 58 80
Email: info@didactum-security.de