€558.00
Secure Network Communication and Control with the Microwall IO from Wiesemann & Theis
In modern industry and automation technology, secure communication between machines and systems, as well as the integration of control and signaling functions, is critical to protecting sensitive systems and optimizing processes. The Microwall IO from Wiesemann & Theis is an advanced firewall solution with digital inputs and outputs that offloads sensitive components into a separate island network and protects them from unauthorized access through strict firewall rules. With WireGuard VPN for secure remote access, a Discover Mode for assisted commissioning, and two digital inputs/outputs for event-driven actions, it is ideal for Industry 4.0, remote maintenance, and network control. This article highlights the technical features, applications, and benefits of this versatile solution.
Secure Communication for Critical Systems
The Microwall IO protects critical machines and systems through a consistently whitelist-based firewall concept that limits both incoming and outgoing communication to the operationally necessary level. All connections between networks require explicit approval based on source/destination IP and TCP/UDP port numbers, with hostnames also being usable for outgoing connections. This significantly reduces the attack surface and keeps harmful events such as traffic spikes or broadcast storms local, so they have no impact on other network segments. The two digital inputs allow event-driven control of VPN access, firewall rules, or network interfaces, while the two digital outputs externally visualize messages such as an activated VPN access. This combination makes the Microwall IO ideal for secure communication and reliable operation in automation and process environments.
Secure Commissioning with Discover Mode
Unlike conventional routers that often allow outgoing traffic without restriction, the Microwall IO initially blocks all inter-network traffic. In Discover Mode, outgoing communication attempts from devices within the island network are recorded and documented, including their associated hostnames. For desired connections, an approval rule can be created with a single click, while unknown or unwanted connections remain blocked. This approach enables secure commissioning of new or unknown devices by only allowing authorized communication, which is especially useful in complex networks with many devices.
Secure Remote Access with WireGuard VPN
The Microwall IO offers a WireGuard VPN endpoint that can operate both as a VPN client and as a VPN server. This enables secure remote access for maintenance and support by giving selected VPN clients protected access to the island network through its own firewall. The WireGuard platform is known for its high data throughput (up to 300 Mbit/s in VPN mode), easy management, and strong security compared to other VPN solutions like OpenVPN or IPsec. External clients (Windows, Linux, Android, macOS, iOS) can connect to the island network, or the Microwall IO can connect as a client to a service network, such as one from a manufacturer. The Box-to-Box function supports VPN tunnels between two Microwall devices to securely link island networks over intranet or the internet. The digital inputs can trigger activation of the VPN tunnel on an event, while the outputs signal the VPN status.
Flexible Operating Modes: NAT Router and Standard Router
The Microwall IO supports two operating modes that adapt to different network requirements:
- NAT Router Mode: The entire island network is integrated into the company network via a single intranet IP address, similar to a traditional DSL connection. This does not require changes to the intranet routing concept and allows the operation of multiple island networks with identical IP ranges. Manufacturers of machines and systems benefit from this, as they can use uniform serial IP configurations without having to adapt to the customer infrastructure.
- Standard Router Mode: The Microwall IO operates as a classic router, and the island network is made known in the intranet through static routes. With Static NAT, 1:1 mapping of intranet addresses to fixed IPs in the island network is possible, allowing island hosts to appear as local participants in the intranet but still remain protected through firewall rules.
This flexibility makes the Microwall IO ideal for complex network environments where both security and easy integration are required.
Digital Inputs/Outputs for Automation Processes
The Microwall IO features two digital inputs and two digital outputs in 24V technology, specifically designed for automation and process environments. The inputs enable event-driven control of actions such as activating a VPN connection, switching firewall rule groups, or changing the status of network interfaces. For example, in case of a plant failure, a switch contact from the controller or an operator can activate the VPN connection to the manufacturer. The outputs (current-driving up to 500 mA) are used for external visualization of events, such as the status of an active VPN connection, and can be connected to PLCs, indicator lights, or other devices. These functions seamlessly integrate the Microwall IO into automation processes and process control.
High-Performance Network Connectivity
The Microwall IO features two Gigabit Ethernet interfaces (100/1000BaseT) with autosensing and Auto-MDIX, offering high data throughput of up to 900 Mbit/s in router mode and 300 Mbit/s in VPN mode. The powerful hardware platform ensures low latency, which is crucial for time-critical applications in industry. Support for Static NAT allows 1:1 mapping of intranet IPs to island hosts, while Discover Mode supports secure commissioning. These features ensure reliable and efficient network control in demanding environments.
Management and Security
The Microwall IO offers a secure management concept with the following features:
- Secure-Boot: Prevents the upload of manipulated or unauthorized firmware.
- HTTPS Configuration: Configuration is only possible via HTTPS with support for individual certificates.
- Password Requirement: No default login, enhancing security.
- Port Management: All local services can be configured or disabled.
- Whitelist-Based Firewall: Filter rules based on IPv4 addresses, TCP/UDP port numbers, and hostnames (via integrated DNS proxy), controllable via digital inputs.
- Logging: Identification and logging of unauthorized communication attempts.
- SNMP Support: Optional SNMPv2c/3 (read-only) support for network management systems.
Fast commissioning is possible via WuTility or DHCP, making setup easier. These features make the Microwall IO a secure and user-friendly solution for network administrators.
Versatile Applications
The Microwall IO is designed for a wide range of applications. In Industry 4.0, it protects sensitive machines and systems from unauthorized access and enables secure remote access for maintenance and support. In plant control, it ensures secure integration of devices into the company network without conflicts due to IP address ranges. The digital inputs/outputs enable integration into automation processes, such as event-driven VPN activation during failures or visualizing network status via outputs. Machine and system manufacturers can operate internal networks with uniform IP configurations, making installation easier for customers. Other applications include network segmentation, securing IoT devices, and logging network events.
Flexible Power Supply and Compliance
The Microwall IO is powered either via Power-over-Ethernet (PoE) or via an external supply (24V-48V DC) through a screw terminal. This flexibility makes installation easier in various environments. The device complies with office and industrial environment standards and offers high interference resistance according to EN 61000-6-2, as well as low electromagnetic emissions according to EN 55032:2015 + A1 Class B, EN 61000-3-2, and EN 61000-3-3. These properties ensure reliable and interference-free operation, even in demanding environments.
Please Note: Power supply is NOT included in the delivery.
Durability and Reliability
The Microwall IO is designed for continuous operation and comes with a five-year warranty. The robust construction and the option for DIN rail mounting make it ideal for use in industrial environments. The internal, battery-buffered clock ensures precise timestamps, optimized through synchronization with a time server. These features highlight the device's durability and reliability, even under challenging conditions.
A Future-Proof Solution for Network Communication and Automation
The Microwall IO from Wiesemann & Theis is a powerful and secure solution for network control, remote maintenance, and automation processes for machines and systems. With its whitelist-based firewall concept, WireGuard VPN technology, digital inputs/outputs, and flexible operating modes such as NAT router and standard router, it provides a robust platform for Industry 4.0, network segmentation, and secure communication. The Discover Mode simplifies commissioning, while the digital inputs/outputs enable integration into process environments. Whether for securing IoT devices, remote maintenance of systems, or controlling network actions – the Microwall IO is an essential tool for professional users.
Connections and Indicators:
- Network: 2x 100/1000BaseT autosensing/auto-MDIX, RJ45
- IPv6 on request
- Digital outputs: 2 x Digital Out 6V-30V, 500mA
- Short-circuit proof
- Digital inputs: 2 x Digital In, max. input voltage +/-30V
- Reverse polarity protected within this range
- Switching threshold 8V +/- 1.5V, "On" current = 2.2 mA
- Connections: 1 x 6-position screw terminal (pluggable, IOs, RM 3.5mm), 1 x 2-position screw terminal (pluggable, external power supply, RM 5.08mm), 2 x RJ45 for network
- Indicators: 2x LED system and service, 4x LED IO status
Data Throughput:
- Router mode (unidirectional TCP): max. 900 MBit/s
- VPN tunnel (unidirectional TCP): max. 300 MBit/s
Power Supply:
- Power-over-Ethernet (PoE) or DC 24V .. 48V (+/-10%)
- Current consumption: PoE Class 2 (3.84W to 6.49W) or with external supply typ. 160mA @ 24V DC, max. 200mA @ 24V DC
Galvanic Isolation:
- Network connections min. 1500 volts
Housing and Environmental Conditions:
- Housing: plastic small housing for DIN rail mounting
- Dimensions: 105x45x75mm (L×W×H)
- Protection class: IP20
- Weight: approx. 180g
- Ambient temperature: storage -40..+85°C, operation 0..+50°C (in non-daisy-chained installation)
- Permissible humidity: 5..95% relative humidity, non-condensing
Scope of Delivery:
- 1x Microwall IO
- 1x Quick start guide
Manufacturer Information:
Wiesemann & Theis GmbH
Porschestr. 12
42279 Wuppertal
Germany
Phone: +49 202/2680-0
Email: info@wut.de
Responsible person:
Didactum® Security GmbH
Marsweg 17
48163 Münster
Germany
Phone: +49 - 2501 - 9 78 58 80
Email: info@didactum-security.de