Administrator Manual
Security Manual
Int-Ref: FL1601
CONTENTS
1 INTRODUCTION ................................................................................................. 6
1.1 Purpose of the document ............................................................................................................. 6
2 GENERAL TERMS.............................................................................................. 7
3.2 Components of SPPA-T3000 (Thin Client, Application Server, Automation Server S7,
Automation Server CM, Time Server, Firewalls, Router for Multi-Unit, Switches) ........... 10
3.2.1 User interfaces - Thin Clients ................................................................................................ 11
3.2.2 Power server – Application Server ........................................................................................ 11
3.2.3 Power server – Automation Server S7.................................................................................. 12
3.2.4 Power server – Automation Server CM104 .......................................................................... 13
3.2.5 Time server ............................................................................................................................. 13
3.2.6 Process interfaces .................................................................................................................. 13
3.2.7 Network components.............................................................................................................. 14
3.5 Software......................................................................................................................................... 28
3.5.1 Software architecture ............................................................................................................. 28
4.4 Thin Clients outside the security cell "Control system" ...................................................... 34
6 ACCOUNT MANAGEMENT.............................................................................. 44
6.1 Access control ............................................................................................................................. 44
6.1.1 Password ................................................................................................................................ 44
7 HARDENING ..................................................................................................... 47
9 ANNEXES ......................................................................................................... 80
9.1 VPN details for remote service access via cRSP................................................................... 80
9.1.1 IPSec details on establishing a VPN tunnel via the Internet to the cRSP .......................... 81
9.1.2 Configuration of the Cisco VPN client software ................................................................... 82
10 GLOSSARY....................................................................................................... 84
1 Introduction
It describes standards of a binding nature which ensure a high degree of security for the T3000 systems
and the related plant operation.
Some exemplary typical scenarios of the connection of external clients to T3000 systems are illustrated
and dealt with in detail.
The aim is to establish a common basis for the cooperation of network administrators of company
networks and of automation networks.
2 General Terms
The security manual covers the complete lifecycle of a plant including FAT, commissioning phase, SAT
and operating phase. The configuration of SPPA-T3000, network topology as well as hardware and
software configuration, described in this document are the only setups authorized by Siemens E F IE. For
a secure operation of SPPA-T3000 it is obligatory to follow all instructions thoroughly. Exceptions are not
allowed.
Passwords:
All passwords of SPPA-T3000 are initally set by Siemens in accordance with the password policy
explained below. Siemens stores the passwords in a secure manner for remote service access. If a
customer does not agree to this he has to change the passwords.
All account passwords mentioned in this document – including operating system accounts (Windows XP
Professional and Windows Server 2003) as well as SPPA-T3000 user accounts - must meet the following
password complexity rules:
1. The password should not contain all or part of the account name of the user.
2. It should not match with the last used 4 passwords, if any.
3. It should be at least 8 characters.
4. It should contain at least one uppercase character (A to Z).
5. It should contain at least one lowercase character (a to z).
6. It should contain at least one numeric character (0 to 9).
7. It should contain at least one special character (! @ # $ % & ...etc).
8. Passwords must be changed periodically:
i. Minimum password age: 5 days
ii. Maximum password age: 90 days
Third-party systems:
It is strictly forbidden to connect third-party systems to SPPA-T3000 apart from systems used at the
commissioning phase. These can exclusively be connected to the Application Highway under the
constraint that they comply to security standard of Siemens E F IE (so-called CAT clients). Their security
standard must be tested and it is emphasised that these systems can only be connected to the
Application Highway and nowhere else.
All other access of third-party systems to SPPA-T3000 must be authorized by Siemens E F IE.
Firmware updates:
It is the responsibility of the customer to install new firmware on the following components of SPPA-
T3000:
• Hirschmann mGuard Eagle Firewall (http://www.hirschmann-ac.de)
• OSM/ESM- , Scalance switches
• Etc.
3 SPPA-T3000 introduction
The SPPA-T3000 standard architecture is formed from 3 functional levels connected via networks.
• Presentation tier
• Processing tier
• Data tier
Overview
User Interfaces
Power server
• Application Server
o ft server
o non tf server
• Automation Servers
o S7
o CM104
Process Interfaces
• I/O modules
• Special I/O modules
switch switch
Thin Clients form the interface between users and the functions of SPPA-T3000. In principle every
computer with a web browser can access the web applications via the local network, an intranet or via the
Internet. No particular applications need to be installed on the desktop system for this purpose.
Benefit
Scalable controllers
Scalable automation performance to project
needs
Time server
Distribution of time information via the network
• Redundant use
• Highest precision using GPS time
Standard I/Os
• ET200M
• ET200M fail-safe
Special I/Os
• Functional modules FUM
• Front-end modules AddFEM
• Layer 2 switching
• 10/100 Mbit/s
• Ring topology
• Up to 150 km, 50 OSM per network
• Max. 3000 m between two OSMs
• High availability through fast redundancy
switching (complete transfer in 0.3)
3.2.7.2 Profibus
Process integration withProfibus DP
Flexible and fast fieldbus
Profibus OLM
External firewall
Customer access gateway
Fast and safe service access
Connection via or
• ISDN
• Analog
• DSL
• LAN
The networks for T3000 are based on Ethernet standards and are used to connect the various SPPA-
T3000 system components. They are divided into:
• Application Highway
• Automation Highway
• Backbones (application and automation backbone)
• DMZ network
The standard topology of SPPA-T3000 consists of separate application and Automation Highways, a
DMZ network for remote access and an optional backbone for multi-unit systems. In small SPPA-T3000
systems the application and Automation Highway can be combined into a network.
The ring offers a 1 failure tolerance, i.e. if a network component in the ring fails or the ring cabling is
interrupted, all connected system components remain accessible. (Exceptions are single systems e.g.
Thin Clients, printers or gateways in case of a network component failure.)
R edundan cy -
m anager
Test
Telegrams
Test
Telegrams
R edundan cy -
m anager
An interruption in the ring exists if at least one of the two ring test telegram currents is interrupted. The
RM then re-activates its port 8 for user data and the 2 bus segments resulting from the interruptions are
reconnected. A ring interruption is rectified for <= 50 switch modules in the ring within 0.3 sec in the
manner described above.
Interruption
Test
Activating
Telegrams
Port 8
Test
Telegrams
R edundan cy -
m anager
Figure 3: RM activation
The ring test telegram currents remain interrupted until the ring structure has been restored. When both
ring test telegram currents are received the RM re-"opens" the closed ring structure and the standard
topology is restored.
Inside
Firew all
L
G
A
E
x
1 2
P LT
U
A
F
A
/D
LS U
A
T
S
IP ADDRESS
1 2 V
.24
R
MAC-Adresse
k
1
Aufkleber
0 VF A U L T
g
2
+ 2 4 V
+24V*
0 V
.24
V
Application
Application
Server 2
Server 1
C onnection 1 to (optional ) C onnection 2 to
Application Backbone Application Backbone
(optional ) (optional )
C onnection 1 to C onnection 2 to
Automation Backbone Automation Backbone
(optional ) (optional )
Application Application
Server 1 Server 2
(optional )
*)
*)
switch switch
C M 104 C M 104
Automat ion Automat ion Automat ion
Server C M Server S 7 Server S 7
This requires a connection of the individual system networks via 2 backbone highways.
• Application backbone
• Automation backbone
The backbone highways consist of a virtually divided redundant router to which the individual system
networks are connected also with redundancy.
L
G
A
E
x
1 2
P LT
U
A
F
A
/D
LS U
A
T
S
ADDRESS
1 2 V
.24
R
Inside
MAC-Adresse
k
IP
1
Firew all
2
Aufkleber
0 VF A U L T
g
2
+ 2 4 V
+24V*
0 V
.24
V
*
*
* switch switch switch
**
**
Router
**
Router
Unit 1 Unit 2 Unit 10
* switch
* switch switch
**
**
Redundant Router
Connection
Tim e Tim e
Server Server
* Master connection
** Standby connection
Inside
H irschmann R outer 1
Firew all
L
G
A
E
x
E
T
U
O
-R
M P
8
T
S
A
-F
M P
8
T
S
A
-F
M P
8
T
S
A
-F
M
1 2
P F
LT
U
A
U
A
T
S
ADDRESS
A
/D
LS
1 3 5 7 1 3 5 7 1 2 V
.24
1 3 5 7 R
A
/D
S
L A
/D
S
L
A
/D
S
L
7 8 7 8 7 8
k
IP
MAC-Adresse
5 6 5 6
5 6 1
3 4 3 4 3 4
1 2 1 2 1 2
2
0 VF A U L T
2 4 6 8 2 4 6 8 2 4 6 8 g
Aufkleber
2
+ 2 4 V
+24V*
.24
V
U nit 1 U nit 2
R e du n da n t Ro u ter C o u pl in g
Application H ighw ay Application H ighw ay
Automation H ighw ay
Automation H ighw ay
E
T
U
O
-R
M P
8
T
S
A
-F
M P
8
T
S
A
-F
M P
8
T
S
A
-F
M
1 3 5 7 1 3 5 7 1 3 5 7
A
/D
S
L A
/D
S
L A
/D
S
L
7 8 7 8 7 8
5 6 5 6 5 6
3 4 3 4 3 4
1 2 1 2 1 2
2 4 6 8 2 4 6 8 2 4 6 8
H irschmann R outer 2
The DMZ network is a network segment which must be used for external access to the SPPA T3000
system. External access, e.g. remote service or the connection to an office network, are protected by a 1
or 2 stage firewall (inside and outside firewall) and, if necessary, decoupled via proxy systems.
When using proxies there is no direct access to the SPPA-T3000 system.
Only remote service access via Customer Access Gateway (CAG) via Terminal Server
SPPA-T3000
DMZ-Net CAG mit
Control System
Firewall Firewall
inside outside
WAN
Application
Server
Terminal Server
Automation-
Server
SPPA-T3000 DMZ-Net
Control System CAG mit
Firewall Firewall
inside outside
WAN
Application
Server Terminal Server
OPC Server/Client
(optional)
WIN TS
Automation- (optional)
Server
Client Intranet
SPPA-T3000 DMZ-Net
Control System Firewall CAG mit
inside Firewall
outside
WAN
Application
Server
Terminal Server
OPC Server/Client
(optional)
WIN TS
Automation- (optional)
Server
Figure 10: DMZ-Net with remote service access, intranet and optional systems
Inside Firewall
• Hirschmann Eagle mGuard
Due to the universal scalability of SPPA-T3000 the system can be used for diverse system sizes.
From the "small" HKW via the "standard" GuD system to the multi-unit large power station.
SPPA-T3000 - one System fits all!
With this system size the network is designed as a combined application/Automation Highway. A 1-fault
tolerant ring is implemented which can be adapted ideally to the system size of the SPPA-T3000. This
allows for the hardware costs of the network to be kept to a minimum.
Printer 1
P 1 2 LT
U
FA
ADDRESS
U
TA
S
A
/D
LS
1 2 V
.24
R
MAC-Adresse
k
IP
1
switch switch
2
Aufkleber
0 FV A U L T
g
2
+ 2 4 V
+24V*
0 V
.24
V
switch switch
• up to 2 Application Servers
• up to 2 parallel message printers
• a number of network printers in accordance with theSIMATIC network limit
• up to 25 Automation Servers
• up to 10,000 3rd party I/Os (OPC or M/90) *
• *or up to 20 Automation Servers and up to 22,5000 3rd party I/Os
• up to 15% network load
The SPPA-T3000 standard system has one separate application and Automation Highway each. These
are each designed as 1-fault tolerant ring.
inside
Firew all
switch switch x
1 2
L
G
A
E
P S
LT
U
A
F
ADDRESS
A
/D
LS
1 2 V
.24
R
MAC-Adresse
k
IP
1
Application
2
Application
0 VF A U L T
Aufkleber
g
2
+ 2 4 V
+24V*
Server 1 Server 2
.24
V
Time
Server
switch switch
Modbus
C M 104
C S275 Automat ion Automat ion
C M104 Server 1 Server 25
Several SPPA-T3000 standard systems with separate application and Automation Highways connected
via an additional backbone network. The system networks are always connected redundantly to both
backbone routers. This ensures the accessibility of the system networks even where one (1) hardware
fault is present.
Inside
L
G
A
E
x
1 2
P S
LT
U
A
F
ADDRESS
A
/D
LS
Firewall
1 2 V
.24
R
MAC-Adresse
k
IP
1
Backbone 2
0 VF A U L T
Aufkleber
g
2
Router 1
+ 2 4 V
+24V*
0 V
.24
V
Time E
T
U
O
-R
M
A
/D
S
L
P
8
T
S
A
-F
M
1 3 5 7
A
/D
S
L
P
8
T
S
A
-F
M
1 3 5 7
A
/D
S
L
P
8
T
S
A
-F
M
1 3 5 7
Server
7 8 7 8 7 8
5 6 5 6
5 6
3 4 3 4 3 4
1 2 1 2
1 2
2 4 6 8 2 4 6 8
2 4 6 8
P
8
T
S
A
-F
M P
8
T
S
A
-F
M
Time
E
T
U
O
-R
M P
8
T
S
A
-F
M
1 3 5 7 1 3 5 7
1 3 5 7 A
/D
S
L A
/D
S
L
A
/D
S
L 7 8 7 8
7 8
Server
5 6 5 6 5 6
3 4 3 4
3 4
1 2 1 2 1 2
Backbone
Router 2
3.5 Software
During the development of SPPA-T3000 the following user requirements were considered from the
outset:
• Ease of use
• Flexibility in application
• Reliability during operation
• Scalability
• Openness
• Security
The SPPA-T3000 software architecture is based on software components The functional modules for
automation are represented by individual components providing standardized interfaces. These
components not only represent the standard AS (automation system) functions but also functionalities for
control/monitoring alarms, engineering and diagnosis. The traditional division into AS, HMI, ES and DS
thus becomes obsolete.
HMI, engineering, diagnosis etc. are merely different views of the system.
Project Container
Central data manager for engineering and
process data
Runtime container
Management and execution
Automation functions
Components with standardized interfaces
Hardware proxy
Represents an I/O module
Management proxy
Coordination of all software components and
services
• Server components
• Network communication
• Field device communication
As already described in the previous chapters the SPPA-T3000 system includes 3 functional levels:
• Presentation Tier
• Processing Tier
• Data Tier
Combined the systems of these levels form the control system.
Access by external systems to the control system is subject to strict rules which are described in more
detail in the following chapters.
"External" or "outside world" includes all systems which are not part of the control system but are to have
access to it. Access by these systems can be via:
Client Intranet
SPPA-T3000
Control System
Firewall
Dial-in
or
Internet
Application
Server
Terminal Server
(optional)
OPC Server/Client
(optional)
Automation- WIN TS
Server (optional)
Access to the security cell "Control system" from outside always takes place via at least one firewall
system. If a DMZ network is present the crossover to the outside is implemented via additional firewalls
and router/firewall combinations.
Client Intranet
SPPA-T3000 DMZ-Net
Control System
Firewall Firewall
inside outside
Dial-in
or
Internet
Application
Server
Terminal Server
OPC Server/Client
(optional)
WIN TS
Automation- (optional)
Server
The framework conditions necessary for the DMZ network could be: e.g.
• Project requirements
• Client security policy
The inner cells consist of the application and Automation Servers; the next cell includes the Thin Clients.
Together they then form the security cell of the "Control system".
All other cells outside the control systems are considered as less secure.
External Thin
C lient
D MZ N et Intranet
C ontrol System
Application
Internet
Automation
Field
The optional security cell DMZ Net is switched between the security cell Control system and the non-
secure cell intranet/Internet. All access to the security cell Control system is then directed via the security
cell DMZ Net. The DMZ Net contains systems which communicate externally and internally.
For access to the security cells Control system and optional DMZ Net a restrictive basic approach is
used:
Everything is prohibited unless explicitly permitted!
In the firewalls of the optional DMZ Net and the Control system the source and target address and the
communication port used are checked. In future, application level firewalls may also be used.
A Thin Client is "reinforced" for operation in the security cell "Control system" on 3 levels:
Hardware
• Disabling integrated drives and interfaces
• Locked installation location of the Thin Client hardware. Only monitor, keyboard and mouse are
accessible to the operator.
Firmware
• Setup of a BIOS password
Software
Strict limitation of the Thin Client functionality ("locking") for the user "operator" e.g.
• Automatic start of the web browser with login screen for the control technology application.
• No starting of other websites.
• No installation of additional software possible
• No starting of other applications
• No login possible under different user names
• No autostart of any drives present (e.g. CD ROM).
• No access to external drives and USB memories
• No icons, no start button, no task manager, no explorer
Security relevant events are monitored and subsequently logged in the security log by SPPA-T3000.
Examples are:
• Packets dropped at the firewall
• User logon and logoff (Operating system as well as application)
• Password change requests
• Etc.
For each day a security report is generated which is stored in the subdirectory “Security Logs”. The
directory is configured as a cyclic buffer which stores the reports for up to a period of 90 days. Afterwards
the oldest report is replaced by the newest report. The size of the cyclic buffer (default value 90 days) is
configurable; however the reconfiguration requires a restart of the SPPA-T3000 archive.
5.1 Introduction
In order to protect computers of SPPA-T3000 from malware, Malware Prevention System is deployed in
SPPA-T3000 system.
Malware Prevention System consists of Malware Prevention Tool (i.e. antivirus software) and a set of
ancillary components. Key features of Malware Prevention System are to:^
Trend Micro OfficeScan 8.0 will be used as malware prevention tool. OfficeScan 8.0 is responsible for
protecting all Windows based computers in SPPA-T3000.
Office Scan is a client-server application and following are the components of OfficeScan system:
• OfficeScan Server: Hosts web console and also responsible for updating OfficeScan client
software on all client computers that it manages.
• OfficeScan Client: Software component that protects all the computers with Windows
NT/2000/XP/Server 2003 from malware programs.
• OfficeScan Admin console is a Web based user interface to manage OfficeScan server and
clients.
Admin console
OfficeScan
server Manage the OfficeScan
server and clients through
Admin console
OfficeScan Clients
OfficeScan client must be updated regularly for the scanner to detect latest malware.
Customer can obtain updates from either Siemens Remote Servers via common remote service platform
(cRSP) or by other means such as email or CD.
The update process is a multi-step procedure. In case updates need to be fetched from Siemens servers,
the following actions are performed:
1. Fetch updates from Siemens remote server and store them on Terminal Server
Updates obtained by email or CD can be imported into Malware Prevention System either on Terminal
Server or OfficeScan server. In this case, step 1 above is not required. If updates are deployed directly on
OfficeScan server, then step 2 above is also not required.
Latest updates will be available on Siemens Remote Access servers. In order to download updates, the
update component of Malware Prevention System (MPS) will initiate FTP session. That is, update
component is FTP client and Siemens remote service provides an FTP Server. All communication
happens in a IPSec tunnel. The tunnel is set up between the customer’s perimeter router (Customer
Access Gateway) and cRSP’s router. The component’s name is getupdcrsp.cmd. getupdcrsp.cmd will
download updates only if newer versions (as compared to the previously downloaded versions) are
available on FTP server.
Configuration
• FTP client is authenticated by a username and password.
• FTP client will connect to cRSP’s FTP server using IP Address and not domain name.
• A dedicated Windows user account is used to run the application that fetches the updates.
getupdsftp.cmd residing on OfficeScan server is responsible for transferring updates from Terminal
Server to OfficeScan server. It uses SFTP protocol to connect to Terminal Server and download the
updates to OfficeScan server. As cygwin is installed on all computers, including OfficeScan server and
Terminal server; getupdsftp.cmd makes use of cygwin’s SFTP client to connect to cygwin’s OpenSSH
server on Terminal Server. getupdsftp.cmd will transfer updates to OfficeScan server only if the updates
are newer.
Configuration
• A dedicated Windows user account on OfficeScan server for running getupdsftp.cmd.
• A cygwin account on Terminal Server for SFTP session
• getupdsftp.cmd uses SSH-v2 RSA based authentication mechanism
• Since getupdsftp.cmd runs unattended, the RSA private must not be protected by password
• SFTP client will connect to SSH server using IP Address
Updates need to be installed (or activated) manually using a program called tmactsvr.cmd. In case an
update has a new version of Scan Engine, the computers may require a restart. A restart may be required
after the scan engine is deployed on OfficeScan clients. In case a restart is required, OfficeScan Client
displays a notification that a restart is required.
Configuration
• None
After updates are installed on OfficeScan server, administrator will need to manually deploy updates on
clients. Administrator will need to login to OfficeScan’s Admin console and initiate updates.
OfficeScan server will then notify OfficeScan clients that they need to update themselves. Then
OfficeScan clients will contact the server and download the updates.
In order to receive notifications from OfficeScan server, OfficeScan Client will be listening on TCP port
number 54000. After being notified, OfficeScan client will use HTTP protocol to download updates. Note
that the local OfficeScan client present on OfficeScan server also uses the same mechanism to download
updates. Figure 21 shows deployment of updates in a High security configuration.
There are two important types of events. These are Threat related events and Monitoring events. These
events are reported to SPPA-T3000 control system. The Threat events are generated when malware is
detected in a computer. Monitoring events are raised when Scan engine is not running or components
are out of date.
There are two types of Threat events. One is a Threat alert. This is raised when malware is detected. The
other event is an outbreak alert. This raises when five or more malware detections occur in less than one
day.
When malware is detected on a computer. OfficeScan client sends the event to OfficeScan server via
HTTP protocol. OfficeScan server logs this event in Windows event log. This in turn will generate an
SNMP trap. The SNMP trap will be received by SPPA-T3000 control system. Normally, all events are
stored in security log. Additionally, important events will be displayed in Alarm Sequence Display.
An example of a monitoring event is that a Scan engine is not running. When a Scan engine is not
running, an event is logged in the Windows event log on the computer in which the Scan engine stopped
working. This event will in turn raise an SNMP trap, sent to SPPA-T3000 on the Application Server.
Figure 22: Raising of MPS related events in ASD (High security solution)
5.4 Dependencies
The Web server used is Apache. The version must be Apache 2.0.55 or above.
5.4.1.2 cygwin
cygwin with core utilities, sed and ssh package must be installed. SSH-v2 must be enabled in the config
files.
5.4.2.1 cygwin
cygwin with core utilities, cygrunsrv, ssh package (including ssh server) must be installed. SSH-v2 must
be enabled in the config files.
SSH
2 TCP 22 OfficeScan server Terminal Server
(SFTP)
6 Account Management
SPPA-T3000 Account management feature imposes various security measures that need to be
implemented on various devices that are used in DCS and DMZ of SPPA-T3000. These security
measures will be imposed on all the devices (where ever feasible) listed below.
• Thin Client (TC)
• Application Server (AS)
• Switches (SW)
• Router
• Printers
• Customer Access Gateway (CAG)
• SPPA-T3000 Firewall
• Timer (Clock)
• Terminal Server (TS)
• SPPA-T3000 Workbench
Following security features are required to implement on all the above mentioned devices (where ever
feasible):
1. Access Control (Deny access on default)
2. Passwords
3. Login Banners
4. Monitoring
5. Automatic Logout
6. Local Access
7. External Login (Login from external network)
Where ever possible, device’s built in capability will be used to implement above mentioned security
features. In case, if a device that does not support or rather can not impose a security feature, then that
device’s administrator is responsible to implement or follow that security feature manually. For example a
router may not impose strong password requirement rule while accepting and assigning a password to a
user account. In such a case administrator of the router should choose a strong password as per
password complexity guide lines given below, while selecting / assigning a password for an account.
6.1.1 Password
Password of every account should meet following password complexity requirements.
Complexity:
Life cycle:
• All passwords (excluding exceptional accounts) should be changed once in 90 days or less.
• Device should prompt the user to change his/her account password from 14 days prior to
password expiry.
• Password should not be same as last 4 passwords assigned for that account.
• User can always decline the password change request and access the device with existing
password. However if user declines the password change for 3 consecutive times, then a
message will be logged in device's message logging system and subsequently report to SPPA-
T3000 logging system.
• Password will also have a minimum lifetime and that will be 1 day. User can change the
password as and when required provided the existing password is older than password minimum
lifetime i.e. 1 day.
Implementation:
Where ever possible, device's capability to enforce the password complexity rules will be used. However,
if the device does not have capability to enforcing password complexity rules, then device administrator
will be responsible to follow/adopt password policy manually.
A login banner will be displayed to the user through device login screen. A clear statement that describes
basic rules that a user must follow while using or accessing the device will be described in the login
banner.
6.3 Monitoring
All devices will be configured to log important events. Logged event will be forwarded to SPPA-T3000
logging system. Logged information will be used to conduct audit trails.
Auto logoff feature will be enabled (if device supports) on all the devices. After successful user login, if a
device is left idle (no input via input devices like keyboard, mouse etc) for a certain time period, then
device will automatically logoff the user.
In case of remote desktop session then the idle session will be disconnected but session will be kept
active, so that user can login again and continue with disconnected session.
Terminal server will be configured to keep disconnected session running for 2 days (configurable). That
means user can connect (login with same user account) to his/her disconnected session within 2 days
(after TS disconnected the user session when it reached idle session limit) without loosing any
information. If user did not login within 2 days, TS will logoff the user and terminates the session. In such
a case, it is possible that user might lose unsaved data if any.
(CAG) and Terminal Server in the DMZ. Common Remote Service Platform (cRSP) is the channel that
allows an authorized user from Siemens network to get connected to CAG and TS.
External user can also access the remaining devices present in SPPA-T3000 security cell indirectly,
provided user has the required credentials to access the device. For example after starting RDP session
to TS, from TS, user can further start a RDP session to AS. From AS user can access all other devices
like application backbone router or application highway switch etc.
For external login to TS, power plant shift leader/administrator authorization is required. Every time user
tries to perform an external login to TS, a permission request dialog box will appear on TS console,
external access to the user will be granted if shift leader accepts the request otherwise external access
will be rejected.
Password generator will be integrated with CAG and be used in the power plants that have un-manned
stations. Siemens cRSP can provide such solution based on a special order. However, details on this
solution are currently out of scope to this document.
7 Hardening
The default configurations of systems leave a lot of unnecessary services and protocols enabled. Not
only does this increase the attack vector but, also the chances of disruptions due to a failure in these
unnecessary services increases.
The hardening feature disables all unnecessary services and protocols on computers and devices (such
as firewalls and printers) connected to SPPA-T3000 Application Highway. The principle used to decide
whether a service is necessary is based on the security concept 'anything required will be explicitly
requested, all others will be rejected'. These necessary services and protocols are documented in
Supplementary Document "Administrator Manual - Required Services and Protocols".
Remote access is defined as access to SPPA-T3000 from outside of the security cell.
Examples are:
• Remote service access from the common Remote Service Platform of Siemens AG.
• Remote access from Thin Clients located in the client’s intranet.
• Remote access from Thin Clients located in the Internet.
• Remote access from third-party systems via mechanisms provided by OPC.
The remote access scenarios, including the specification of the corresponding firewall rule sets, are
explained in the following.
Abbreviations:
Scenario Figure 25
Scenario Figure 27
Application Protocol Source Direction Destination
Remote
RDP cRSP -> TS x x
Desktop
RDP cRSP -> TC/TS
Scenario Figure 25
Scenario Figure 27
Scenario Figure 28
Scenario Figure 29
Scenario Figure 30
Scenario Figure 31
Scenario Figure 33
Scenario Figure 35
Application Protocol Source Direction Dst.
Remote Appl.
RDP TS -> x x x x
Desktop Server
cRSP -> TC/TS x x
Appl.
Secure Shell SSH TS -> x x x x
Server
cRSP <-> TC/TS x x
Office
Scan -> TS x x
Srv
Secure File Appl.
SFTP -> TS x x x x
Transfer Server
Filer Transfer FTP TC/TS -> cRSP x x
WIN_TS <-> cRSP x
Event T3000 Appl.
Syslog -> x x x x x x
Logging Firewall Server
Workbench Appl.
HTTPS TS -> x x x x x x
via Web Server
Workbench Appl.
RMI reg TS -> x x x x x x
via RMI Server
Appl.
RMI com TS -> x x x x x x
Server
RMI to Appl.
-> TS x x x x x x
WB Server
Diagnostig http Appl.
TS -> x x x x
View 8080 Server
Virtual
Network VNC cRSP -> WIN_TS x
Client
HTTP
Web cRSP -> RSB x
HTTPs
Network Appl.
NTP TS -> x x x x
Time Server
Management SNMP Appl.
TS -> x x x x
via SNMP Trap Server
SNMP Appl.
-> TS x x x x
read Server
Office
File Transfer
HTTP TS -> Scan x x x x
via HTTP
Srv
Office
Scan
Office
Office Scan Srv -> TS x x x x
Scan
(1. Appl.
Srv.)
WIN_TS
Tunneler Appl.
OPC WIN_TS <-> x x x
Protocol Server
Tunneler
Simatic Appl.
WRA TS ! x x x x x x
Manager Server
Scenario Figure 24
Scenario Figure 26
Application Protocol Source Direction Destination
Remote
RDP cRSP -> TS
Desktop
cRSP -> TC/TS x x
Appl.
TS ->
Server
Secure Shell SSH cRSP <-> TC/TS x x
cRSP <-> TS
Event Appl.
Syslog CAG -> x x
Logging Server
WIN_TS
Tunneler Appl.
OPC WIN_TS <-> x
Protocol Server
Tunneler
File Transfer FTP TS -> cRSP
TC/TS -> cRSP x x
WIN_TS <-> cRSP x
Virtual
Network VNC cRSP -> WIN_TS x
Client
HTTP
Web cRSP -> RSB x
HTTPs
Scenario Figure 28
Scenario Figure 29
Scenario Figure 30
Scenario Figure 31
Scenario Figure 33
Scenario Figure 35
Application Protocol Source Direction Destination
Remote
RDP ext TC -> TS x x
Desktop
cRSP -> TC/TS x x
cRSP -> TS x x
Secure Shell SSH cRSP <-> TC/TS x x
SSH cRSP <-> TS x x
Event
Syslog CAG -> TC/TS
Logging
Syslog CAG -> TS
Virtual
Network VNC cRSP -> WIN_TS x x
Client
HTTP
Web cRSP -> RSB x x
HTTPs
Each site has its own cRSP infrastructure and its individual IP addresses. In case of a failure at a cRSP
site the connection is passed to one of the remaining sites. This is the reason why all three cRSP sites
must be considered when configuring a firewall.
* The access servers are the only peers of the cRSP which communicate with SPPA-T3000 components.
For external service access via WAN or Internet, the access must always be via a Terminal Server (TS)
using Microsoft Terminal Services (MS-TS).Access cannot gained direct via the Application Server(s).
The Terminal Server is either a Thin Client at the Application Highway or a server in the DMZ. In the case
of a Thin Client as Terminal Server only a remote session is possible; the local session must be logged
out.
If more than one terminal session is to be allowed at the Terminal Server, a standard server HW and
server operating system must be used.
The only exception to this rule are the applications on SSH basis Secure Shell, SFTP and SCP, which for
exclusively service purposes, may also run direct on the Application Server and Thin Clients.
File transfer is an important application between the service center and the Control system. Diagnosis
data, patches, virus pattern updates etc. are frequently transferred in both directions.
Microsoft Terminal Services (MS-TS) is one of the main service applications and also offers a file transfer
option. Resources, e.g. the client drives, are connected to the server. When using the cRSP the MS-TS
client runs on CAT clients in the intranet. When using the drive connection via MS-TS all network drives
and any inserted USB drives at the CAT client would be connected to the server. This situation cannot be
modified administratively and poses a high security risk for the server. For this reason the connection of
drives via MS-TS is prohibited.
As an alternative the file transfer via SSH is used. On Application Servers and Thin Clients an SSH
program will be installed or enabled in future.
SSH File Transfer Protocol (SFTP) permits the secure data transfer and data access on remote
systems.
Secure Copy or SCP ensures the confidentiality, integrity and authenticity of the transferred data. For
this the SSH uses.
SPPA-T3000 Service centers rely on the remote service for the fast analysis and correction of faults.
Remote Service implies a temporary data connection between the service center and the SPPA-T3000
system. The system can be connected to the service center via dial-up (ISDN or analog) or over the
Internet.
There are 2 cases:
a.) A dedicated service access for SPPA-T3000, Customer Access Gateway (CAG)
b.) A service access provided by the client, Customer Owned Gateway (COG)
In both cases a connection from the Siemens-wide Common Remote Service Platform (cRSP) to the
system is made when required. The cRSP is a centralized infrastructure permitting connections to
systems with Siemens technology globally via 3 access points.
Siemens
Intranet Service
Centre
Siemens Access
cRSP Portal
Access
Server
Data
Service
Dial in
ISDN or POTS
Internet via VPN
Customer
Site
8.3.1.1 Service access via CAG through dial-up connection (ISDN or POTS*) or
Internet
* Plain Old Telephone Service = analog connection
Dial-up connections
• For dial-up connections the service access methods are as follows
• ISDN 64kBit/s
• POTS: typically 33.6kBit/s, often less
In dial-up connections IPSec (IP Security) must be used if there are no significant reasons* against it.
*) e.g. legal reasons, country-specific reasons.
Internet connections
In an Internet connection as service access the bandwidth depends on the selected tariff.
Recommendations for minimum bandwidth:
• 192kBit/s upstream
• 2000kBit/s downstream
A connection between cRSP and the system over the Internet uses public resources; therefore
mechanisms for the security of the transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packages are encrypted using 3DES* encryption.
* In export-critical countries also only with DES
Note:
The Siemens remote service access is only intended for the service via cRSP. The specific setup of the
access does not permit any other use.
Service access via dial-up or Internet connection through combined CAG/firewall System on
TC/TS
Siemens
SPPA-T3000 cRSP Access
Control System Server
TC/TS
CAG/Firewall
Data
VPN Tunnel Service
Internet or
Dial up lines
via VPN
Application
Server
Automation-
Server
Figure 24: Service access via dial-up or Internet connection on Thin Client/Terminal Server
Service access via dial-up or Internet connection on Terminal Server in the DMZ
Siemens
cRSP Access
SPPA -T 3000 Server
DMZ -Net
Control System
CAG with
Firewall inside Firewall outside
Data
VPN Tunnel Service
Internet or
Dial up lines
via VPN
Application
Server
Terminal Server
Automation -
Server
Figure 25: Service access via dial-up or Internet connection on Terminal Server in the DMZ
The firewall rules for the CAG are defined in Chapter 8.1.1.
The firewall rules for the “inside firewall” are defined in Chapter 8.1.2.
Service access via dial-up or Internet connection through combined CAG/Firewall system on Thin
Client/Terminal Server and WIN TS
Siemens
cRSP Access
SPPA-T3000 Server
Control System
TC/TS
CAG/Firewall
Application
Server
WIN TS
(optional)
Automation-
Server
Figure 26: Service access via dial-up or Internet connection on Thin Client/Terminal Server and WIN TS
The firewall rules for the CAG/T3000 firewall are defined in Chapter 8.1.3.
Service access via dial-up or Internet connection through CAG, Terminal Server and WIN TS in the
DMZ
Siemens
cRSP Access
SPPA -T 3000 Server
DMZ -Net CAG /
Control System
T3000 Outside
Firewall Firewall
Application
Server
Terminal Server
WIN TS
Automation - (optional )
Server
Figure 27: Service access via dial-up or Internet connection, TS and WIN TS in the DMZ
The firewall rules for the CAG are defined in Chapter 8.1.1.
The firewall rules for the T3000 are defined in Chapter 8.1.2.
If the client provides a service access this is a Customer Owned Gateway (COG).
Where a COG exists, the connection is not made direct from the cRSP to the CAG and the DMZ of the
SPPA-T3000 system but to the client gateway. After authentication the data is transferred from the cRSP
over the client network to the gateway at the DMZ.
With regard to the communication relationships there is little change compared to access through a CAG.
The client must at his access gateway and in his network enable the protocols required by the service.
For external access via WAN or Internet the access may not be direct to the Application Server(s) but
must always be via a Terminal Server (TS) using Microsoft Terminal Services (MS-TS). See chapter 4.1
Optional additional systems, e.g. WIN-TS are also connected at least via the T3000 firewall or are within
the optional DMZ. This means they can also be accessed externally through the COG.
For the external access via Internet the same conditions as for dial-up connections apply.
COG
Data
Service
Dial up lines
IPSec encryption ISDN , POTS
Client
Firewall
SPPA -T 3000
Control System DMZ -Net
Firewall inside
Application
Server
Terminal Server
Automation -
Server
Figure 28: Service access through COG and client intranet on TS in the DMZ
Note:
This variant is only permitted with RDP encryption. Encryption must be enabled at the Terminal Server.
The firewall rules for the COG are defined in Chapter 8.1.4.
The firewall rules for the T3000 firewall are defined in Chapter 8.1.2.
Siemens
cRSP Access
Client Server
Intranet
COG
VPN Tunnel Data
Service
Internet or
Dial up lines
Client Firewall via VPN
SPPA -T 3000
Control System
TC/TS
Firewall
Application
Server
Automation -
Server
Figure 29: Service access via dial-up or Internet connection on Thin Client/Terminal Server
The firewall rules for the COG and the Client firewall are defined in Chapter 8.1.4.
The firewall rules for the T3000 firewall are defined in Chapter 8.1.2.
Service access through COG, Thin Client as Terminal Server and optional WIN TS
Siemens
cRSP Access
Client Server
Intranet
COG
VPN Tunnel Data
Service
Internet or
Dial up lines
Client Firewall via VPN
SPPA -T 3000
Control System
TC/ TS
Application
Server
WIN TS
(optional)
Automation -
Server
Figure 30: Service Access via dial-up or Internet connection on TC/TS and optional WIN TS
The firewall rules for the COG and Client Firewall are defined in Chapter 8.1.4.
The firewall rules for the T3000 firewall are defined in Chapter 8.1.2.
Service access through COG, Terminal Server and optional WIN TS in the DMZ
Siemens
cRSP Access
Server
Client
Intranet
COG Data
VPN Tunnel Service
Internet or
Dial up lines
via VPN
Client
Firewall
SPPA -T 3000
Control System
Router with
Firewall inside
DMZ-Net
Application
Server
Terminal Server
WIN TS
(optional)
Automation -
Server
Figure 31: Service access via dial-up or Internet connection on TS and optional WIN TS in the DMZ
The firewall rules for the COG and the Client firewall are defined in Chapter 8.1.4.
The firewall rules for the T3000 firewall are defined in Chapter 8.1.2.
Client
Intranet
COG
Client
Firewall
SPPA-T3000
Control System
Router with
Firewall inside
DMZ-Net
Application
Server
Terminal Server
WIN TS
Automation- (optional)
Server
The details for remote access through COG and client intranet have already been covered in previous
chapters (see chapter 4.1). The following describes in detail additional rules for access of Thin Clients
from within the client intranet.
The firewall rules for the Client firewall are defined in Chapter 8.1.4.
The firewall rules for the T3000 firewall are defined in Chapter 8.1.2.
The Thin Client in the client intranet must first establish a VPN connection (VPN tunnel) to the inside
firewall (router/firewall) in the DMZ. The inside firewall acts as VPN gateway.
The HTTPS and RMI connections are then channeled through this protected tunnel.
The Thin Client in the client intranet must meet the requirements in chapter 3.5.
Conditions for the establishment of a VPN tunnel between TC and inside firewall:
• TC: VPN Client Software (Cisco VPN Client) installed and configured, for
configuring the Cisco VPN Client see "appendix"
• Inside firewall: Configuration as VPN gateway
Figure 34: Connection of a Thin Client in the client intranet to SPPA-T3000 via VPN
Connection Protocol/
Application Source IP Target IP
direction target port
Establishment of
TC-> VPN VPN gateway on ISAKMP
VPN connection, TC IP
Gateway the inside firewall UDP 500
key management
IPSEC NAT TC-> VPN VPN gateway on
TC IP UDP 10000
Transparency Gateway the inside firewall
Communication relationships between TC in the client intranet and the VPN gateway in the inside
firewall
Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Application communication
Connection Protocol/
Application Source IP Target IP
direction target port
Establishment of
TC-> VPN VPN gateway on ISAKMP
VPN connection, TC IP
Gateway the inside firewall UDP 500
key management
IPSEC NAT TC-> VPN VPN gateway on
TC IP UDP 10000
Transparency Gateway the inside firewall
Re 2, application communication
Connection Protocol/
Application Source IP Target IP
direction target port
Workbench VPN-Client IP of HTTPS
TC-> Appl. server Appl.Server IP
HTTPS connection the TC* TCP 443
VPN-Client IP of RMI
RMI reg TC-> Appl. server Appl.Server IP
the TC* TCP 1099
VPN-Client IP of RMI
RMI com. TC-> Appl. server Appl.Server IP
the TC* TCP 50001-50050
RMI
RMI to VPN-Client IP of
Appl. server -> TC Appl.Server IP TCP 50000-50001
Workbench** the TC*
***
* allocated by the VPN gateway
** outgoing connection
*** Expandable up to 50009 if required (e.g. multi-unit)
The connection of SPPA-T3000 to the Internet may be required for the following reasons:
• Access for client personnel
• Access for third parties
The use of the Internet by Siemens remote service has already been covered in chapter 4.1. This also
defined that the Internet access via Customer Access Gateway CAG (the Internet is connected direct to
the DMZ Net via CAG) can only be used for service via cRSP.
The information above determines that access by client personnel and third parties to the SPPA-T3000
must be carried out via a separate Internet access.
A connection over the Internet uses public resources; therefore mechanisms for the security of the
transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packages are encrypted using 3DES* encryption.
In addition to the Remote Service via the Internet it may be necessary also to connect individual Thin
Clients over the Internet to SPPA-T3000, e.g. client personnel from home.
The client must provide the corresponding access for this purpose. This gateway forms the access point
for individual systems via Internet or dial-in.
The Internet is considered an "untrusted area". Therefore, access by TC from the Internet must be
especially secure. The TC in the Internet must first establish a VPN connection (VPN tunnel) to the client
gateway. Protected by this VPN tunnel a MS-TS connection to the Terminal Server in the DMZ can be
made. No direct access to SPPA-T3000 systems from the Internet is permitted.
The Thin Client in the Internet must meet a minimum of the following requirements:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client
Figure 35: Connection of a Thin Client in the Internet to SPPA-T3000 via VPN and TS
The firewall rules for the Client firewall are defined in Chapter 8.1.4.
The firewall rules for the T3000 firewall are defined in Chapter 8.1.2.
Wireless communication technologies (WLAN, Bluetooth or infrared) should not be used in the I&C
network and deactivated by system configuration.
If the customer is determined to use WLAN communication despite the serious security concerns, the
following concept is recommended for reasons of security and also to ensure efficient operation:
An I&C-specific WLAN network should not be built up. WLAN communication is performed exclusively via
the general WLAN network operated under the company-wide security policy.
WLAN users identify themselves in the corporate network. When accessing the I&C network, the WLAN
user is therefore subject to the same security regulations as all other users in the corporate network.
This procedure
• allows the use of WLAN access channels (also for the I&C)
• establishes a company-wide, uniform WLAN policy
• avoids the operating and administration effort for separate WLAN networks (office network,
I&C network).
Ro uter w ith
Fi rew all i nsi de Wi rele ss
Acce ss Poi nt
VP
N
Ap pli ca ti on
Ser ve r
A utoma ti on -
Ser ve r
Wi rel ess
Acc ess Po int
Plant floor
If there is no WLAN network throughout the site, or a network of this type is not possible for other
reasons, the following procedure is recommended:
The WLAN access points are connected to a separate LAN segment that is used exclusively for WLAN
coupling. The LAN segment is connected with the application highway using a firewall. A terminal server
provides the necessary SPPA-T3000 workbench sessions. Direct access to SPPA-T3000 is not
permitted. The access points must provide the security functions of the outside firewall (CAG) of a DMZ
according to the SPPA-T3000 security manual.
The wireless route must be secured using up-to-date encryption technology. Single-use passwords are
recommended for the users of the WLAN link as well as identification and monitoring of the permissible
WLAN devices.
OPC OPC
C lient /Server Server /C lient
OPC D ata
Inside
Firew all
For the communication between the applications OPC currently, mainly uses the DCOM technology
(Distributed Component Object Model).
The result of using DCOM would be:
• DCOM has to be configured
• An unpredictable number of TCP/UDP connections would be opened.
The 2nd point in particular would represent a serious security problem, because it would no longer make
a static firewall configuration possible.
The solution to the problem is in the use of an "OPC tunnelers" e.g. by Matrikon Inc., which reduces the
OPC communication between client and server to one (1) TCP connection.
The target port TCP 21379 has been defined for the tunneler.
OPC OPC
C lient /Server OPC Tunnel OPC Tunnel Server /C lient
OPC Tunnel
C lient Side OPC D ata Server Side
Inside
Firew all
If the external OPC server is located in an insecure environment, e.g. in the client intranet, a VPN
connection is required in addition between the OPC server and the VPN gateway on the inside firewall
OPC OPC
C lient /Server OPC Tunnel OPC Tunnel OPC Tunnel Server /C lient
CClient
lient Side OPC D ata Server Side
VPN Tunnel
Here a VPN tunnel between the OPC system in the client intranet and the VPN gateway in the inside
firewall is mandated.
OPC Server/Client
via OPC- and VPN Tunnel Client
Intranet
VPN Client
Connection Client
Firewall
OPC Tunnel
SPPA-T3000 with OPC
Control System Connection
Router with
Firewall inside +
VPN Gateway
DMZ-Net
Application
Server with
OPC
Terminal Server
WIN TS
Automation- (optional)
Server
Connection Protocol/
Application Source IP Target IP
direction target port
OPC-> Appl.
OPC Tunnel OPC Appl.Server IP TCP 21379
server
Connection Protocol/
Application source IP Target IP
direction target port
Establishment of
OPC-> VPN VPN gateway on ISAKMP
VPN connection, OPC IP
Gateway the inside firewall UDP 500
key management
IPSEC NAT OPC-> VPN VPN gateway on
OPC IP UDP 10000
Transparency Gateway the inside firewall
Communication relationships between OPC server/client in the client intranet and the VPN
gateway in the inside firewall
Settings in the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1 establishing the tunnel
2 communication by the application
Connection Protocol/
Application Source IP Target IP
direction target port
Establishment of
OPC-> VPN VPN gateway on ISAKMP
VPN connection, OPC IP
Gateway the inside firewall UDP 500
key management
IPSEC NAT OPC-> VPN VPN gateway on
OPC IP UDP 10000
Transparency Gateway the inside firewall
Connection Protocol/
Application Source IP Target IP
direction target port
OPC-> Appl. VPN-Client IP of
OPC Tunnel Appl.Server IP TCP 21379
server the OPC*
* allocated by the VPN gateway
8.7.2 OPC server/client system in the DMZ with access by external PI system in
the client intranet
Here the OPC system is located within the DMZ, access is e.g. via a PI system in the intranet.
Figure 41: PI server in the client intranet and OPC connection through an OPC tunnel
Connection Protocol/
Application Source IP Target IP
direction target port
PI to OPC
PI -> OPC System PI IP OPC IP TCP 5450
connection
PI to OPC RDP
PI -> OPC System PI IP OPC IP
connection TCP 3389
Connection Protocol/
Application Source IP Target IP
direction target port
OPC-> Appl.
OPC Tunnel OPC IP Appl.Server IP TCP 21379
server
WIN_TS is a diagnostic system for turbines and generators. As it is not an integral part of SPPA-T3000 it
is located in the DMZ. WIN_TS evaluates measured variabels and by doing this it assesses the state of
the running turbines and generators respectively.
The process data is gathered by the Application Server of SPPA-T3000 which in turn forwards the data to
the WIN_TS server. The communcation between Application Server and WIN_TS relies on OPC
mechanisms and uses the communication ports 6666, 6677 and 7777. Accordingly, the firewall must be
configured to allow communication over these ports.
SPPA-T3000 provides the option to control and monitor 3rd party PLC / PLS
Protocols
• MODBUS
• CS275
• IEC 60870-5
Interfaces
• Ethernet
• RS 232, 422, 482
In the present version of the SPPA-T3000 Security Manual only the Modbus connection via CM 104 is
initially described. Other connections will follow.
The Modbus CM is connected to the Automation Highway. If the access by the 3rd party Modbus system
is implemented via an unsecured network, a firewall is required for modbus communication.
sw itch sw itch
Application
Server
Terminal
Server
sw itch sw itch
WIN TS
( optional )
sw itch sw itch Firew all
(optional )
L
G
A
E
x
1 2
P S
LT
U
A
F
IP ADDRESS
A
/D
LS
1 2 V
.24
R
MAC-Adresse
k
LAN
2
0 VF A U L T
Aufkleber
g
2
+ 2 4 V
+24V*
C M 104
0 V
Automat ion Automat ion .24
V
Modbus TC P
Server 1 Server 25 C onnection
Connection Protocol/
Application Source IP Target IP
direction target port
3rd party system Modbus TCP
Modbus protocol 3rd party IP CM104 IP
-> CM104 TCP 502
9 Annexes
Fuerth (Europe)
Newark/CA (America)
Singapore (Asia)
Fuerth
dial-up IP Internet IP local DMZ access server FTP Server
169.254.0.3 194.138.39.1 194.138.39.0/27 194.138.39.24 194.138.39.19
Singapore
dial-up IP Internet IP local DMZ access server FTP Server
194.138.243.169 194.138.240.3 194.138.243.176/29 194.138.243.178 -
Newark (CA)
dial-up IP Internet IP local DMZ access server FTP Server
129.73.116.86 129.46.135.193 129.73.116.88/29 129.73.116.92 129.73.116.91
9.1.1 IPSec details on establishing a VPN tunnel via the Internet to the cRSP
MD5
Authentication SHA1
SHA1
DES
Encryption * 3DES
3DES
Diffie-Hellman 768Bit
Key exchange security Diffie-Hellman 1024 Bit Diffie-Hellman 1024 Bit
Diffie-Hellman 1536 Bit
* observe country-specific restrictions and export regulations!
none
AH Authentication MD5 none
SHA1
none
ESP Authentication MD5 SHA1
SHA1
none
ESP Encryption* DES 3DES
3DES
none
Diffie-Hellman 768Bit
PFS none
Diffie-Hellman 1024 Bit
Diffie-Hellman 1536 Bit
Shared Secret
- At least 12 a/n characters
IPSec parameters
Authentication algorithm: ESP/MD5/HMAC-128
Encryption algorithm: 3DES-168
Encapsulation mode: Tunnel
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: 10000kB
Time Lifetime: 28800sec
IKE Parameters:
Negotiation Mode: Main
Digital Certificate: none
IKE Proposal: IKE-3DES-MD5
A port is an address component to allocate data to the correct services (protocols). This concept is
implemented e.g. in TCP and UDP .
Port ranges:
• Port numbers between 0 and 1023 are permanently allocated to specific applications
• Port numbers between 1024 and 49151 are "registered ports" of specific application
manufacturers
• Port numbers between 49152 and 65535 are private ports which can be used variably
For security reasons the communication to the security cell Control system must be reduced to the
absolute necessary minimum.
Depending on the design, with or without DMZ Net, this is implemented using 1 or 2 firewalls.
Where a DMZ Net exists there is an inside firewall at the security cell Control system and an outside
firewall at the remote access point (Customer Access Gateway). If the client intranet is connected, this
access also terminates at the inside firewall of the Control system.
The following applications and communication ports are currently provided for SPPA-T3000.
* OPC Server/Client
10 Glossary
COG Customer Owned Gateway Service access point provided by the client
Terminal server
TS Computer, emulating several terminals
VLAN Virtual Local Area Network a virtual local network within a physical network
facilitates the secure transmission via an
VPN Virtual Private Network
unsecured network
WPA Wi-Fi Protected Access an encryption method for a wireless LAN
Thin Client connected via a wireless network
wTC Wireless Thin Client
infrastructure