Confidential and Proprietary Information. This document contains confidential information belonging to Forward Edge-AI, Inc. and shall not be published, reproduced, modified, copied, disclosed, or used for other than its intended purpose without the express written consent of duly authorized representatives of Forward Edge-AI, Inc.

Forward Edge-AI is committed to enhancing the security of critical infrastructure, including both in- facility systems and remote access via cloud-based storage. This is achieved using our cost-effective, post-quantum encryption devices. These devices are designed to protect against advanced cyber threats and safeguard the confidentiality and integrity of sensitive data.

Our sophisticated data-driven analytics algorithm is housed within the Isidore Quantum device, which is crafted for straightforward integration into existing controller chassis. This integration facilitates a seamless connection, allowing the Isidore Quantum device to efficiently adapt to and understand the specific applications managed by the controller.

By leveraging Artificial Intelligence and innovative physics-based modeling, the Isidore Quantum device comprehensively learns the operational dynamics of the system it monitors. This capability enables it to provide continuous monitoring and deliver precise insights, enhancing system management and security.

As cybersecurity threats evolve, the Isidore Quantum device is engineered to update and respond to new challenges both efficiently and effectively, ensuring ongoing protection against both current and future threats. This adaptability and advanced protection make Forward Edge-AI's solutions crucial for any modern critical infrastructure, providing robust security and positive reassurance in a digitally connected environment.

The first Industrial IX Type A Ethernet port on the device and the second USB-C port on the device are assigned as the "red side," representing the trusted zone. This zone is intended for secure connections to end-user devices or internal network enclaves that require a high level of trust and protection.

To establish a connection:

Use an Ethernet cable: Connect your secure “Red side” end-user device or network enclave router/switch to the Isidore device’s “Red side” using an Use an Ethernet cable: Connect your secure “Red side” end-user device or network enclave router/switch to the Isidore Quantum device’s “Red side” using an ethernet cable. This setup ensures that data transmitted through this port remains secure and confined to the trusted internal network.

The second Industrial IX Type A Ethernet port on the device and the first USB-C port on the device are assigned as the "Black side" of the device, representing the untrusted zone. This zone is intended for connections to external networks or devices that may not be fully secure.

To establish a connection:

Use an Ethernet cable: To link the black side of the device to your switch or router. This configuration helps manage data flow from less secure or external sources without compromising the integrity of the trusted zone.

Maintaining a clear distinction between these zones is critical for network security. The trusted zone (Red side) should only connect with secure, verified devices, while the untrusted zone (Black side) handles all external connections. This setup minimizes the risk of security breaches by isolating potential vulnerabilities to the untrusted zone and enhancing the overall security posture of your network.

Each Isidore Quantum® device is carefully inspected and tested by our engineering team prior to shipment. This ensures that every unit meets quality standards and is ready for deployment upon arrival.

Upon receiving your devices:

Note: All devices are pre-provisioned with unique node numbers and preloaded firmware to streamline the setup process.

Before integrating the devices into your network:

The Isidore Quantum hub and spoke devices are pre-configured and crypto-graphically linked, ensuring secure communication and seamless integration.

To easily identify paired devices, each unit is labeled with a product number, as shown in the example with "2." The product number will match between the provisioned devices, confirming they are correctly configured to work together.

To identify whether a device is Node 0, Node 1, Node 2, etc., check the label affixed to the device. Example:

Proper identification of each device’s node number is essential for correct network configuration and overall functionality. The node number determines the IP address of the black-side interface, allowing initial access to the management portal.

Maintaining the integrity of the set of devices provisioned together is crucial for proper routing and initial network setup. By keeping track of this designated set, you can efficiently manage and configure the network, ensuring all devices communicate correctly and securely with their intended counterparts.

Each Isidore device is assigned a unique 16-digit alphanumeric serial number to track product type, hardware/firmware configuration, origin, and production sequence.

IMPORTANT: Ensure proper pairing of the boards for functionality. Please verify that each board is correctly paired with its respective counterpart.

​The wired configuration of the device involves connecting to the untrusted network using an Industrial IX Type A Ethernet cable. This setup ensures a stable and reliable connection for data transmission between devices. By utilizing this Ethernet connection both the hub (Node 0) and the client (Node 1) will be able to seamlessly discover and communicate with each other over the network.

The Isidore Quantum 50 device features the capability to power the board using Power over Ethernet (PoE). This functionality allows the Isidore device to connect to the untrusted switch via the black side of the board, ensuring both power and data transmission through a single Ethernet cable. This integration simplifies the setup process and enhances the device's deployment flexibility in various network environments.

Hub (Node 0) vs. Client (Node 1):

Zone Identification:

Black Side vs. Red Side:

End User Devices / Network Enclaves:

For network communication between End User Devices (EUDs) or Network Enclaves through the Isidore device, it is essential that these devices or enclaves be routable to one another. If Isidore were removed from the network, the two enclaves or end user devices would be able to communicate over the network.

Isidore operates in a bi-directional network, with traffic flowing in both directions. To satisfy requirements where Isidore is deployed in a unidirectional network configuration. This is the typical configuration for Isidore and does not require any special configuration steps.

Certain high security requirements in a military environment require one-way network communication. In such a configuration, Isidore can function as a One-Way Diode device on the RED network side. This configuration requires a special configuration RED-side connection, allowing the RED side to only send data without the ability to receive data from the Isidore device.

With this configuration, communication on the RED side will be strictly unidirectional, whereas that on the BLACK side will still be bidirectional, as required by cryptography.

The Isidore Hub is designated as Node 0, with the default IP address 192.168.0.254, and the Isidore Client is designated as Node 1, with the default IP address 192.168.0.1. If additional nodes are added, you would simply increment the last octet of the IP address by one.

For example:

This default configuration allows for easy testing of the devices by linking them together via the Black side Ethernet interfaces using an Ethernet cable. Once the devices are powered on, they will establish a secure tunnel between each other. No unencrypted traffic will traverse the interconnect—not even a public, unencrypted handshake transaction. The Isidore Management Portal is also continually evolving to improve functionality and user experience. As such, its features and interface are subject to change.
​

You can connect to the Black Side Management Portal in multiple ways:

Node 0 Device Configuration:

Assign an IP address within the range 192.168.0.1 to 192.168.0.255 to the interface connecting to the Hub (Node 0) Isidore device (default IP: 192.168.0.254).

Node 1 Device Configuration:

Assign an IP address within the range 192.168.0.1 to 192.168.0.255 to the interface connecting to the Client (Node 1) Isidore device (default IP: 192.168.0.1).

For additional nodes, ensure each device is configured with unique IP addresses that follow the incremental pattern (e.g., 192.168.0.2, 192.168.0.3, etc.).

To access the Management Portal of your nodes, connect all the nodes you wish to manage to a switch using their Black side Ethernet interfaces. Then, connect your computer to the same switch and assign the computer an IP address, such as 192.168.0.50, ensuring this IP address is not already in use by any of the nodes.

Using your computer:

This setup allows you to efficiently manage and configure all connected nodes from a single device.

To access the Management Portal, you will need to change the IP address of your computer to match the required network configuration. This is done to ensure proper communication between your system and the encryption device. Here is how to do it:

1. Open Network and Sharing Center:

2. Open Adapter Settings:

3. Open IPv4 Settings:

4. Configure the IP Address:

Troubleshooting

By following these steps, you should be able to successfully configure dual home IP addresses on your Windows machine. This setup can enhance your network flexibility and allow for more complex networking configurations.

Test the Configuration

Once you have configured your computer with the appropriate IP addresses, you can access the management portals for both the node 0 and node 1 by typing the following URLs into your browser.

This step is crucial for directly navigating to the management interfaces, allowing you to monitor and configure settings:

For Node 0: Type http://192.168.0.254 into the browser's address bar. This will take you to the node 0's management portal, where you can adjust settings, monitor activity, and manage connections associated with the hub side of your network.

For Node 1: Enter http://192.168.0.1 in the browser. This address leads to the node 1's management portal, providing access to configure and manage the client specific settings and operations.

Using these specific URLs ensures that you are directly accessing the correct device's settings within your network's structure, making it straightforward to manage each device. This method of access is particularly effective in environments where precise control and quick adjustments to the network settings are regularly required.

The Isidore Quantum encryption platform is designed to operate flexibly across a range of network topologies to support secure, quantum-resistant communications in diverse mission environments. It can be configured for point-to-point, point-to-multipoint, and full mesh deployments, depending on the operational requirements.

Each setup leverages the Protocol-Free Encryption Device (PFED) core and channel management capabilities to ensure secure data exchange regardless of the underlying transport or routing scheme. Note that PFED and Isidore Quantum are used interchangeably, but have the same meaning.

In a point-to-point setup—also referred to as a hub-and-spoke configuration—the Isidore Quantum devices establish a direct, secure communication channel between two designated nodes: Node 0 (Hub) and Node 1 (Client/Spoke). This architecture is well-suited for environments requiring dedicated, low-latency, and high-assurance communication between two endpoints, such as secure site-to-site links or isolated ground-to-orbit transmissions.

Upon deployment, users will receive two pre-configured Isidore Quantum devices:

In a point-to-multipoint configuration, the Isidore Quantum devices are deployed in a hub-and- spoke topology where one central node (Node 0 – Hub) securely communicates with multiple remote nodes (Node 1, Node 2, Node 3, etc. – Clients). This setup is optimal for scenarios that require centralized control or data distribution, such as secure command-and-control environments, broadcast-style communications, or ground station uplinks to multiple space assets.

Upon deployment, users will receive one Isidore Quantum device configured as the hub and multiple devices configured as clients. Each client is pre-paired with the hub to establish independent encrypted channels for data exchange. Key characteristics of this configuration include:

This configuration is ideal for distributed operations requiring centralized command, secure multicast communications, or secure data collection from multiple remote endpoints.
​

In a mesh configuration, Isidore Quantum devices are deployed in a decentralized topology where each node can establish secure, encrypted communication channels with multiple peer nodes in the network. This configuration supports resilient, distributed communication and is ideal for dynamic, contested, or infrastructure-limited environments such as tactical edge operations or space-based mesh networks.

Mesh communications within the Isidore Quantum system are initiated starting from Node 1, which is pre-configured to actively seek out and establish encrypted connections with other authorized nodes (e.g., Node 2, Node 3, etc.). Each Isidore Quantum device in the mesh acts as both a sender and receiver, enabling peer-to-peer encrypted tunnels through PFED software without reliance on traditional protocols or centralized infrastructure.

Key characteristics of the mesh configuration include:

The Isidore Quantum system supports a robust multi-channel architecture, enabling each node to simultaneously manage multiple encrypted communication links. This capability is essential for mission environments requiring secure, parallel data exchange across multiple nodes using dynamic network topologies such as mesh, point-to-point, and point-to-multipoint. Each channel functions as an isolated, protocol-free tunnel using PFED software, ensuring strict confidentiality and channel-level isolation.

� Important Note: Red-side Management on the Isidore Quantum devices must currently be performed via UART console access. A graphical user interface (GUI) is in development and will be available in a future release; however, until then, it is strongly recommended that this configuration be completed by a certified Forward Edge-AI engineer. Improper configuration may result in misaligned channels, failed communication links, or compromised encryption integrity.

Each Isidore Quantum node is provisioned with a defined number of logical channels during deployment. These channels are used to establish secure connections with peer nodes. While channel numbers do not need to match numerically across nodes, they must be explicitly mapped to ensure bidirectional recognition and alignment of encryption keys.

Red-side provisioning configures the application-layer routing over each encrypted channel, assigning logical mappings and binding authentication credentials.

Again, this step must be performed through UART, and Forward Edge-AI support is recommended to ensure security and correctness.

The red-side UART console is used to perform detailed multi-channel configuration, connection validation, and ongoing monitoring.

The multi-channel system is a foundational capability of the Isidore Quantum platform, enabling encrypted, protocol-free communications across complex and mission-critical environments.

The firewall in the Isidore integration acts as a protocol break between two of the processing units. This isolation boundary consists of two stages, offering a more precise definition. It operates as a near-perfect firewall with a rule of one.

It is important to understand that Isidore has three independent processing units. These processing units are independent CPUs and do not share memory. Processing Units 1 & 2 are inside the secure network on the RED side. Processing Unit 3 is in the unsecure network on the BLACK side. A physical trust boundary separates processing units 2 & 3.

Processing Unit 2 first examines the incoming packets from Processing Unit 3 to determine if they meet the correct format, protocol, address, and other metadata criteria. This is achieved through a packet filter designed to ensure that only compliant packets are allowed through.

The filter operates at the bottom of the network stack of Processing Unit 2, immediately after the packet leaves the network interface and before it enters the network stack. Only packets with a specific Ethernet type are accepted. Processing Unit 3 translates incoming Internet packets into ones with the required Ethernet frame. This ensures that any packets not matching the specified Ethernet type are automatically rejected.

The filtering logic is embedded within the system and is not configurable by the user.

This means:

The second critical layer involves robust encryption to further secure the packets:

Direct Packet Handling: Once a packet is accepted based on the Ethernet type, it is not processed by Processing Unit 2’s network stack. Instead, it is directly passed to the application for decryption.

Decryption and Integrity Checks: The application decrypts the packet and performs integrity checks. These checks verify that the packet has not been tampered with. If these checks pass, the packet is forwarded to Processing Unit 1, where a cryptographic hash is performed to ensure further integrity and authenticity.

For an attacker to bypass the firewall, they must overcome several layers of security:

Correct Port: The packet must be sent to the correct port. Correct Format: The packet must adhere to the specified format.

Decryption Key: The attacker must possess the correct decryption key.

This multi-layered approach provides a nearly impenetrable barrier against unauthorized access, ensuring the integrity and security of the EUD.

Enter the device’s IP address in a web browser to access the management portal. If a security warning appears indicating the connection is not private, select Advanced, then select Proceed to Unsafe to continue

Enter the device’s IP address in a web browser to access the management portal. If a security warning appears indicating the connection is not private, select Proceed to Unsafe to continue.

After navigating to the portal, you will be prompted to log in.

Username: admin

Password: 123qwe

Each node has a dedicated management portal:

The dashboard serves as the central interface for managing and monitoring all black-side operations of the device.

From the dashboard, locate the Channel Number under the Action column. Select the three-dot menu and click Edit PFED Attributes. Here, you can set the Protocol, Remote Gateway, and Remote Port. In a Hub-and-Spoke configuration, spoke devices should use the Node 0 device IP as their gateway.

This view demonstrates how to configure the device to operate within your network environment.

Once the network settings are changed, you must refresh the device.

Displays real-time PFED logs for monitoring system activity, troubleshooting, and verifying operational status.

Displays the operational status of the PFED. If the system is functioning properly, the status will display as Active. This allows quick verification that the device is online and communicating correctly.

Provides direct command-line access to the device for advanced configuration, diagnostics, and troubleshooting.

Note: Terminal is best displayed in the Microsoft Edge browser.

Allows the device to be restored to its factory default state, clearing configurations and returning it to its original setup.

Warning: Safety Guidelines for Isidore Devices

Please read the following warnings, precautions, and safety guidelines carefully before using this device. Failure to adhere to these instructions may result in damage to the device, personal injury, or property damage.

To maintain your Isidore devices and ensure their longevity, please follow these guidelines:

By following these care instructions, you can help ensure the optimal performance and durability of your Isidore devices.

Avoid Submersion: Do not submerge this device in water under any circumstances. Exposure to water beyond the specified resistance level can cause severe damage to internal components, rendering the device inoperable.

Liquid Ingress Warning: Prevent any form of liquid ingress to safeguard the integrity and functionality of the device. Liquid exposure, including water, can lead to corrosion, short circuits, and other detrimental effects, potentially voiding the warranty.

Moisture Management: Minimize exposure to moisture to ensure optimal performance and longevity of the device. Avoid operating or storing the device in high humidity environments and take necessary precautions to shield it from moisture accumulation.

Fire Hazard Awareness: Exercise caution to mitigate the risk of fire hazards associated with the use of this device. Avoid placing the device near open flames, sparks, or sources of intense heat, as combustible materials within the device may pose a fire risk when exposed to elevated temperatures.

Ventilation Requirements: Ensure adequate ventilation during device operation to prevent overheating, which may increase the likelihood of fire incidents. Avoid obstructing ventilation ports, as thermal buildup could lead to fire hazards.

Emergency Preparedness: In the event of a fire involving the device, prioritize personal safety above all else. Immediately disconnect the device from power sources if it's safe to do so and evacuate the vicinity. Utilize appropriate fire extinguishing methods suitable for electronic fires, such as Class C fire extinguishers.

Make sure to read and understand the user manual and all safety guidelines before using the device.

Keep Out of Reach of Children: This device may contain small parts and components that pose a choking hazard to young children. Keep out of reach of children and pets.

Avoid Extreme Temperatures: Do not expose the device to extreme temperatures, both hot and cold, as it may affect its performance and lifespan.

Use Manufacturer Accessories: Only use manufacturer recommended accessories and replacement parts recommended by the manufacturer to prevent damage to the device and ensure safe operation.

Regular Maintenance: Perform regular maintenance as outlined in the user manual to keep the device in optimal condition and prevent safety hazards.

Proper Handling: Handle the device with care to avoid drops, impacts, and other physical damage that may compromise its integrity and safety.

Unplug During Maintenance: Always unplug the device from power sources before performing any maintenance or cleaning to prevent electrical shock.

Authorized Service Centers: In case of malfunction or damage, seek assistance from authorized service centers or qualified professionals for repairs and servicing.

Report Safety Concerns: If you encounter any safety concerns or abnormalities with the device, cease use immediately and report the issue to the manufacturer or authorized service center for investigation and resolution.

Note: These warnings and safety precautions are provided to promote safe usage and handling of the device. Ignoring these instructions may void the warranty and result in damage to the device or personal harm.

If you need any help or have any questions, our support team is here to assist you. Please use any of the following methods to reach out to us:

For all support inquiries contact Isidore helpdesk via email: [email protected].

Website: https://forwardedge.ai/

Visit our website for more information, including product documentation and for a live chat with a support representative.

Our support team is available during the following hours:

Monday to Friday: 9 AM to 6 PM (EST)

Saturday and Sunday: Closed

Stay connected and get support through our social media channels:

For immediate assistance, use our live chat feature on our support website. Maven, our support bot, is ready to help you in real-time during support hours. Just ask Maven!

THE INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE.
​