Basics and application

Basics and application
Basics and application
___________________
Preface
1
___________________
Introduction and basics
SIMATIC NET
Industrial Ethernet Security
Basics and application
Configuring with the Security
2
___________________
Configuration Tool
Creating modules and
3
___________________
setting network parameters
4
___________________
Configure the firewall
Configuring additional
5
___________________
module properties
Configuration Manual
Secure communication in the
6
___________________
VPN via an IPsec tunnel
Router and firewall
7
___________________
redundancy
8
___________________
SOFTNET Security Client
Online functions - test,
9
___________________
diagnostics, and logging
A
___________________
Appendix
B
___________________
References
09/2013
C79000-G8976-C286-02
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Siemens AG
Industry Sector
Postfach 48 48
90026 NÜRNBERG
GERMANY
Order number: C79000-G8976-C286-02
Ⓟ 09/2013 Technical data subject to change
Copyright © Siemens AG 2012 - 2013.
All rights reserved
Preface
Preface
This manual…
... supports you during the configuration of the security functions of the following"Security
Integrated" products:
● SCALANCE S: S602 / S612 / S623 / S627-2M
● SOFTNET Security Client
● S7-CPs: CP 343-1 Advanced, CP 443-1 Advanced
● PC-CP: CP 1628
● Mobile wireless router: SCALANCE M875 and SCALANCE M874-x
General terminology "security module"
In this documentation, the term "security module" includes the following products:
SCALANCE S602 / SCALANCE S612 / SCALANCE S623 / SCALANCE S627-2M, CP 343-1
Advanced, CP 443-1 Advanced, CP 1628.
Functional differences are indicated by symbols (refer to the section "Explanation of the
symbols"). You will find hardware descriptions and installation instructions in the documents
relating to the individual modules.
Use of the terms "interface" and "port"
In this documentation, the following terms are used for the ports of SCALANCE S modules:
● "External interface": The external port of the SCALANCE S602 / S612 / S623 or an
external port of the SCALANCE S627-2M (marked red)
● "Internal interface": The internal port of the SCALANCE S602 / S612 / S623 or an internal
port of the SCALANCE S627-2M (marked green)
● "DMZ interface": The DMZ port of the SCALANCE S623 / S627-2M (marked yellow)
The term "port" itself is used when the focus of interest is a special port of an interface.
General use of the term "STEP 7"
The configuration of the security functions of CPs is possible as of STEP 7 V5.5 SP2 HF1.
For this reason, in this documentation, the term "STEP 7" stands for all versions of STEP 7
as of V5.5 SP2 HF1 and lower than STEP 7 V10. How to configure the security functions of
all security modules in STEP 7 as of V12 can be found in the information system of STEP 7
as of V12, section "Industrial Ethernet Security".
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
3
Preface
General use of the term "CP x43-1 Adv."
In this documentation, the term "CP x43-1 Adv." includes the following products: CP 343-1
Advanced / CP 443-1 Advanced
Security Configuration Tool V4.0 - New functions
With the Security Configuration Tool V4.0, the following new functions have been included:
● SCALANCE S627-2M with two media module slots
In addition to the built-in ports, the SCALANCE S627-2M is also equipped with two media
module slots in which an electrical or optical 2-port media module can be inserted. The
external and the internal interface of the SCALANCE S627-2M are therefore expanded by
two ports. The media module ports can be used to integrate the SCALANCE S627-2M in
ring topologies.
● Support of media redundancy by SCALANCE S627-2M
The SCALANCE S627-2M supports the media redundancy methods MRP and HRP, in
each case as client. As a node of an MRP/HRP ring, a SCALANCE S627-2M can protect
a lower-level automation cell or a lower-level ring. This protection can also be redundant.
The loss of a cable is detected by a separate ring manager, for example a SCALANCE
X308, and compensated by redirecting the communication path.
● Support of topology discovery with LLDP by SCALANCE S V4 modules
The security modules SCALANCE S602 V4 / S612 V4 / S623 V4 / S627-2M V4 support
the topology discovery protocol LLDP. Network management systems can therefore
include the security modules named above in the simulation of network topologies.
● Router and firewall redundancy with SCALANCE S623 V4 / SCALANCE S627-2M V4
Failures of the security modules SCALANCE S623 V4 and SCALANCE S627-2M V4 can
be automatically compensated by routers and firewall redundancy during operation. To
do this, one of the two security modules is defined as the primary module that is active in
normal operation. If the active security module fails, the passive security module
automatically takes over its function as firewall and (NAT/NAPT) router. To ensure the
identical configuration of both security modules, these are connected together via their
DMZ interfaces and their configurations are synchronized during operation.
● Address translation with NAT/NAPT in VPN tunnels
Address translations with NAT/NAPT can be performed for communications relations
established via a VPN tunnel. This is supported by SCALANCE S612 V4 / S623 V4 /
S627-2M V4.
● User authentication using a RADIUS server
Users can be authenticated by a RADIUS server on which the data of all users can be
stored centrally. Authentication by a RADIUS server is possible by activating a userspecific IP rule set.
Basics and application
4
Configuration Manual, 09/2013, C79000-G8976-C286-02
Preface
● Time synchronization "NTP (secure)" for SCALANCE S V4 modules
The time synchronization mode "NTP (secure)" can be used for SCALANCE S V4
modules.
● Expansion of the DNS functionality
The active VPN connection establishment from a SCALANCE S V4 (S612 / S623 / S6272M) to a security module using its FQDN is supported.
For configuration of routers, Syslog servers, WAN IP addresses, NTP servers and
RADIUS servers, not only IP addresses but also FQDNs are supported for SCALANCE S
V4 modules.
Validity of this manual
This manual is valid for the following SIMATIC NET modules:
Module
MLFB
Firmware version
SCALANCE S602
6GK5 602-0BA10-2AA3
As of V4
SCALANCE S612
6GK5 612-0BA10-2AA3
As of V4
SCALANCE S623
6GK5 623-0BA10-2AA3
As of V4
SCALANCE S627-2M
6GK5 627-2BA10-2AA3
As of V4
CP 343-1 Advanced
6GK7 343-1GX31-0XE0
As of V3
CP 443-1 Advanced
6GK7 443-1GX30-0XE0
As of V3
CP 1628
6GK1162-8AA00
As of V8.2.2
This manual is valid for the following SIMATIC NET configuration tools:
Configuration tool
MLFB
Version
SOFTNET Security Client
6GK1 704-1VW04-0AA0
V4.0 Hotfix 1
Security Configuration Tool (SCT)
-
V4.0
Audience
This manual is intended for persons setting up the Industrial Ethernet security functions in a
network.
SIMATIC NET Manual Collection (order no. A5E00069051)
The SIMATIC NET Manual Collection ships with SCALANCE S modules, the S7 CPs and
the PC CP 1628. This Manual Collection is regularly updated and contains the device
manuals and descriptions valid at the time it is created.
Symbols used in this manual
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
5
Preface
The chapter described / the section described / the line described is only relevant for
SCALANCE S as of V3.0.
The chapter described / the section described / the line described is only relevant for
SCALANCE S as of V4.0.
The chapter described / the section described / the line described is only relevant for
SCALANCE S.
The chapter described / the section described / the line described is relevant for all security
modules except SCALANCE S602.
The chapter described / the section described / the line described is relevant only for
SCALANCE S602 as of V3.1.
The chapter described / the section described / the line described is relevant for SCALANCE
S623 only.
The chapter described / the section described / the line described is relevant for SCALANCE
S627-2M only.
The chapter described / the section described / the line described is relevant for SCALANCE
S623 and SCALANCE S627-2M only.
The chapter described / the section described / the line described is relevant only for
SCALANCE S623 as of V4.0 and SCALANCE S627-2M as of V4.0.
The chapter described / the section described / the line described is only relevant for S7
CPs.
The chapter described / the section described / the line described is relevant for all security
modules except the S7 CPs.
The chapter described / the section described / the line described is only relevant for PC
CPs.
Basics and application
6
Configuration Manual, 09/2013, C79000-G8976-C286-02
Preface
The chapter described / the section described / the line described is relevant for all security
modules except the PC CPs.
The chapter described / the section described / the line described is relevant for all S7 CPs
and PC CPs.
The chapter described / the section described / the line described is relevant for all security
modules except the CPs.
This symbol highlights special tips in the manual.
This symbol indicates specific further reading material.
This symbol indicates that detailed help texts are available in the context help. You can call
this with the F1 key or using the "Help" button in the relevant dialog.
References /.../
References to other documentation are shown in slashes /.../. Based on these numbers, you
can find the title of the documentation in the references at the end of the manual.
See also
Customer Support pages
(http://support.automation.siemens.com/WW/view/en/18701555/130000)
SIMATIC NET glossary
Explanations of the specialist terms used in this documentation can be found in the SIMATIC
NET glossary.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
7
Preface
You will find the SIMATIC NET glossary here:
● SIMATIC NET Manual Collection
The DVD ships with certain SIMATIC NET products.
● On the Internet under the following entry ID:
50305045 (http://support.automation.siemens.com/WW/view/en/50305045)
Basics and application
8
Configuration Manual, 09/2013, C79000-G8976-C286-02
Table of contents
Preface ................................................................................................................................................... 3
1
2
Introduction and basics ......................................................................................................................... 15
1.1
Important information ...................................................................................................................15
1.2
Introduction and basics ................................................................................................................18
1.3
1.3.1
1.3.2
1.3.3
Product characteristics .................................................................................................................18
Overview of the functions .............................................................................................................18
Configuration limits ......................................................................................................................20
Replacing a module .....................................................................................................................22
1.4
Using the SOFTNET Security Client ............................................................................................24
1.5
Use of SCALANCE S602 .............................................................................................................24
1.6
Use of SCALANCE S612, S623 and S627-2M ............................................................................27
1.7
Use of the DMZ interface of SCALANCE S623 and SCALANCE S627-2M ................................30
1.8
Use of the media module ports of a SCALANCE S627-2M .........................................................33
1.9
Use of the CP 343-1 Advanced and CP 443-1 Advanced ...........................................................34
1.10
Use of CP 1628 ............................................................................................................................37
1.11
Configuration and administration .................................................................................................39
Configuring with the Security Configuration Tool ................................................................................... 41
2.1
Overview - Range of performance and how it works ...................................................................41
2.2
2.2.1
Installation of the Security Configuration Tool .............................................................................43
Supported operating systems ......................................................................................................43
2.3
User interface and menu commands ...........................................................................................45
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
Creating and managing projects ..................................................................................................51
Security Configuration Tool (standalone variant) .........................................................................51
Security Configuration Tool in STEP 7 ........................................................................................51
Migrating STEP 7 data .................................................................................................................55
Overview ......................................................................................................................................56
Specifying default initialization values for a project .....................................................................61
Consistency checks .....................................................................................................................61
You can assign symbolic names for IP / MAC addresses. ..........................................................62
2.5
Configuration data for SCALANCE M modules ...........................................................................64
2.6
Configuration data for VPN devices .............................................................................................66
2.7
Configuration data for NCP VPN clients (Android) ......................................................................68
2.8
2.8.1
2.8.2
2.8.3
Managing users............................................................................................................................70
Overview of user management ....................................................................................................70
Create users.................................................................................................................................71
Creating roles ...............................................................................................................................73
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
9
Table of contents
3
4
2.8.4
2.8.5
2.8.6
2.8.6.1
2.8.6.2
2.8.6.3
Managing rights ........................................................................................................................... 75
Configuring password policies .................................................................................................... 79
Authentication using a RADIUS server ....................................................................................... 80
Overview ..................................................................................................................................... 80
Defining a RADIUS server .......................................................................................................... 83
Assigning a RADIUS server to a security module ...................................................................... 83
2.9
2.9.1
2.9.2
2.9.3
Managing certificates .................................................................................................................. 85
Overview ..................................................................................................................................... 85
Renewing certificates .................................................................................................................. 87
Replacing certificates .................................................................................................................. 89
Creating modules and setting network parameters ................................................................................ 91
3.1
Parameters in the content area ................................................................................................... 93
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.6.1
3.2.6.2
3.2.7
Configuring interfaces (SCALANCE S) ....................................................................................... 96
Overview of the connector options .............................................................................................. 96
Interfaces..................................................................................................................................... 99
Internet connection .................................................................................................................... 103
Dynamic DNS (DDNS) .............................................................................................................. 104
LLDP ......................................................................................................................................... 106
Media redundancy in ring topologies ........................................................................................ 107
Media redundancy with MRP or HRP ....................................................................................... 107
Configuring MRP/HRP for the security module......................................................................... 108
Special features of the ghost mode .......................................................................................... 110
Configure the firewall ...........................................................................................................................113
4.1
4.1.1
4.1.1.1
4.1.1.2
4.1.1.3
4.1.1.4
4.1.2
4.1.2.1
4.1.2.2
CPs in standard mode............................................................................................................... 115
CP x43-1 Adv. ........................................................................................................................... 115
Default firewall setting ............................................................................................................... 115
Configure the firewall ................................................................................................................ 118
Configuring the access list ........................................................................................................ 119
Adding an entry in the access list ............................................................................................. 120
CP 1628 .................................................................................................................................... 121
Default firewall setting ............................................................................................................... 121
Configure the firewall ................................................................................................................ 124
4.2
4.2.1
4.2.2
4.2.3
SCALANCE S in standard mode .............................................................................................. 126
Default firewall setting ............................................................................................................... 126
Configuring a firewall for SCALANCE S ≥ V3.0 ........................................................................ 131
Configuring a firewall for SCALANCE S < V3.0 ........................................................................ 134
4.3
4.3.1
4.3.2
4.3.2.1
4.3.2.2
4.3.3
4.3.3.1
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
Firewall in advanced mode ....................................................................................................... 136
Configuring the firewall in advanced mode ............................................................................... 136
Global firewall rule sets ............................................................................................................. 137
Global firewall rule sets - conventions ...................................................................................... 139
Creating and assigning global firewall rule sets ........................................................................ 139
User-specific IP rule sets .......................................................................................................... 140
Creating and assigning user-specific IP rule sets ..................................................................... 141
Connection-related automatic firewall rules .............................................................................. 143
Setting local IP packet filter rules .............................................................................................. 146
IP packet filter rules ................................................................................................................... 147
Defining IP services .................................................................................................................. 153
defining ICMP services ............................................................................................................. 154
Basics and application
10
Configuration Manual, 09/2013, C79000-G8976-C286-02
Table of contents
4.3.9
4.3.10
4.3.11
4.3.12
4.3.13
5
6
7
Setting MAC packet filter rules ...................................................................................................156
MAC packet filter rules ...............................................................................................................157
defining MAC services ...............................................................................................................160
Setting up service groups ..........................................................................................................162
Adjusting standard rules for IP services ....................................................................................164
Configuring additional module properties............................................................................................. 167
5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
Security module as router ..........................................................................................................167
Overview ....................................................................................................................................167
Specifying a standard router and routes ....................................................................................168
NAT/NAPT routing .....................................................................................................................169
Address translation with NAT/NAPT ..........................................................................................172
Address translation with NAT/NAPT in VPN tunnels .................................................................178
Relationship between NAT/NAPT router and firewall ................................................................179
Relationship between NAT/NAPT router and user-specific firewall ...........................................181
5.2
5.2.1
5.2.2
Security module as DHCP server ..............................................................................................182
Overview ....................................................................................................................................182
Configuring a DHCP server .......................................................................................................183
5.3
5.3.1
5.3.2
5.3.3
Time synchronization .................................................................................................................187
Overview ....................................................................................................................................187
Configuring time keeping ...........................................................................................................187
Defining an NTP server ..............................................................................................................189
5.4
5.4.1
5.4.2
SNMP .........................................................................................................................................190
Overview ....................................................................................................................................190
Enabling SNMP ..........................................................................................................................191
5.5
Proxy ARP..................................................................................................................................192
Secure communication in the VPN via an IPsec tunnel ........................................................................ 193
6.1
VPN with security modules ........................................................................................................193
6.2
Authentication method ...............................................................................................................195
6.3
6.3.1
6.3.2
6.3.3
VPN groups ................................................................................................................................197
Rules for forming VPN groups ...................................................................................................197
Supported tunnel communication relations ................................................................................198
Creating VPN groups and assigning modules ...........................................................................200
6.4
Tunnel configuration in standard mode .....................................................................................201
6.5
6.5.1
6.5.2
6.5.3
6.5.4
Tunnel configuration in advanced mode ....................................................................................202
Configuring VPN group properties .............................................................................................202
Including security module in configured VPN group ..................................................................205
Configuring module-specific VPN properties .............................................................................208
Configuring VPN properties for specific connections.................................................................211
6.6
6.6.1
6.6.2
6.6.3
Configuring internal network nodes ...........................................................................................212
Configuring other nodes and subnets for the VPN tunnel .........................................................213
How the learning mode works....................................................................................................214
Displaying the detected internal nodes ......................................................................................217
Router and firewall redundancy ........................................................................................................... 219
7.1
Overview ....................................................................................................................................219
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
11
Table of contents
8
9
A
B
7.2
Creating redundancy relationships and assigning security modules ........................................ 220
7.3
Configuring redundancy relationships ....................................................................................... 221
SOFTNET Security Client ....................................................................................................................223
8.1
Using the SOFTNET Security Client ......................................................................................... 223
8.2
8.2.1
8.2.2
Installation and commissioning of the SOFTNET Security Client ............................................. 226
Installing and starting SOFTNET Security Client ...................................................................... 226
Uninstalling SOFTNET Security Client ..................................................................................... 227
8.3
Creating a configuration file with the Security Configuration Tool ............................................ 227
8.4
Working with SOFTNET Security Client ................................................................................... 230
8.5
Setting up and editing tunnels ................................................................................................... 232
Online functions - test, diagnostics, and logging ...................................................................................241
9.1
Overview of the functions in the online dialog........................................................................... 242
9.2
9.2.1
9.2.2
9.2.3
Logging events .......................................................................................................................... 244
Local logging - settings in the configuration .............................................................................. 245
Network syslog - settings in the configuration........................................................................... 248
Configuring packet logging........................................................................................................ 251
Appendix .............................................................................................................................................253
A.1
DNS compliance ....................................................................................................................... 253
A.2
Range of values for IP address, subnet mask and address of the gateway ............................. 253
A.3
MAC address ............................................................................................................................ 254
References ..........................................................................................................................................255
B.1
Introduction - without CD/DVD .................................................................................................. 255
B.2
S7 CPs / On configuring, commissioning and using the CP ..................................................... 256
B.3
For configuration with STEP 7 / NCM S7 .................................................................................. 256
B.4
S7 CPs On installing and commissioning the CP ..................................................................... 257
B.5
On setting up and operating an Industrial Ethernet network..................................................... 258
B.6
SIMATIC and STEP 7 basics .................................................................................................... 258
B.7
Industrial Communication Volume 2 ......................................................................................... 259
B.8
On the configuration of PC stations / PGs ................................................................................ 259
B.9
On configuration of PC CPs ...................................................................................................... 259
B.10
SIMATIC NET Industrial Ethernet Security ............................................................................... 260
Index ...................................................................................................................................................261
Basics and application
12
Configuration Manual, 09/2013, C79000-G8976-C286-02
Table of contents
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
13
Introduction and basics
1
Security messages
Note
Siemens offers IT security mechanisms for its automation and drive product portfolio in order
to support the safe operation of the plant/machine. Our products are also continuously
developed further with regard to IT security. We therefore recommend that you regularly
check for updates of our products and that you only use the latest versions. You will find
information in:
(http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo2&aktprim=99&lang=
en)
Here, you can register for a product-specific newsletter.
For the safe operation of a plant/machine, however, it is also necessary to integrate the
automation components into an overall IT security concept for the entire plant/machine,
which corresponds to the state-of-the-art IT technology. You will find information on this in:
(http://www.siemens.com/industrialsecurity)
Products from other manufacturers that are being used must also be taken into account.
1.1
Important information
General
Note
Protection from unauthorized access
Make sure that the configuration computer (PC/PG) or the project are protected from
unauthorized access.
Note
Disabling the guest account
Make sure that the guest account is disabled on the configuration computer.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
15
Introduction and basics
1.1 Important information
Note
Current date and current time of day on the security modules
When using secure communication (for example HTTPS, VPN...), make sure that the
security modules involved have the current time of day and the current date. Otherwise the
certificates used will not be evaluated as valid and the secure communication will not work.
Note
Up-to-date anti-virus software
We recommend that up-to-date anti-virus software is always installed and active on all
configuration computers.
Note
FTPS
Where the term "FTPS" is used in this documentation, FTPS in the explicit mode is meant
(PTPES).
Note
No return to standard mode possible
If you switch to the advanced mode for the current project, you cannot switch back.
Remedy for SCT Standalone: Close the project without saving and open it again.
Note
Additional security measures when using the SOFTNET Security Client
The SOFTNET Security Client provides a solution for secure communication with automation
cells via VPN. For self-protection of the PC/PG and the corresponding automation cell, it is
advisable to use additional measures such as a virus scanner and the Windows firewall.
In Windows 7, the firewall of the operating system must be enabled so that VPN tunnel
establishment works.
Basics and application
16
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.2 Introduction and basics
CP x43-1 Adv.
Note
Additional security settings
To avoid unauthorized configuration data being downloaded to the CP, you will need to
make additional security settings in the firewall of the CP (e.g. blocking S7 communication or
only allowing tunneled communication) or take external security measures.
STEP 7
Note
"Save and compile" after changes
To have the security settings adopted in the corresponding (offline) system data blocks, after
making changes, select the "Station" > "Save and Compile" menu in HW Config or "Network"
> "Save and Compile" in NetPro.
Note
Opening a station with the Security Configuration Tool open
Close the Security Configuration Tool before you open another station with the SIMATIC
Manager or NetPro.
Note
No STEP 7 multiprojects in connection with security
For each STEP 7 project, a separate unique security configuration is created when security
is activated. For this reason, no STEP 7 multiprojects are supported in connection with
security.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
17
Introduction and basics
1.2 Introduction and basics
1.2
Introduction and basics
With SIMATIC NET security modules and the SIMATIC NET SOFTNET Security Client, you
have chosen the SIEMENS security concept that meets the exacting requirements of secure
communication in industrial automation engineering.
Note
Up-to-date anti-virus software
We recommend that up-to-date anti-virus software is always installed on all configuration
computers.
This chapter provides you with an overview of the security functions of the devices and
components:
● SCALANCE S
● CP x43-1 Adv.
● CP 1628
● SOFTNET Security Client
Tip:
The document "SIMATIC NET Security - Getting Started" will help you to start working with
the security modules in a short time.
1.3
Product characteristics
1.3.1
Overview of the functions
Overview of the functions of the module types
The following table shows the functions supported by the individual security modules.
Note
This manual describes all functions. Based on the following table, note which functions are
relevant for the security module you are using.
You should also note the additional information in the titles of the sections.
Basics and application
18
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.3 Product characteristics
Table 1- 1
Overview of the functions
Function
CP x43-1 Adv.
CP 1628
SCALANCE S ≥ V4.0
Security Configuration Tool
-
-
x
Security Configuration Tool integrated
in STEP 7
x
x
x
Compatibility with IP access control
lists (ACL)
x
-
-
NAT/NAPT router
x
-
x
NAT/NAPT routing in VPN connections
-
-
x
DHCP server
-
-
x
Local firewall rules
x
x
x
Global firewall rule sets
x
x
x
User-specific IP rule sets
-
-
x
x
x
x
User management
x
x
x
Migration of the current user
management
x
-
x
User authentication using a RADIUS
server
-
-
x
SNMPv3
x
x
x
HTTPS server
x
-
x
FTPS server
x
-
-
FTPS client
x
-
-
NTP client
x
x
x
NTP client (secure)
x
x
x
PPPoE client
-
-
x
DDNS client / DNS client
-
-
x
LLDP
x
-
x
MRP/HRP client
-
-
x
Logging system events
x
x
x
Logging audit events
x
x
x
Logging packet filter events
x
x
x
Configuration using
General
Firewall
IPsec
Establishment of IPsec tunnels
User management
Supported protocols
Logging
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
19
Introduction and basics
1.3 Product characteristics
Function
CP x43-1 Adv.
CP 1628
SCALANCE S ≥ V4.0
Audit messages in the diagnostics
buffers of the security module
x
x
-
Access to the log buffer of the security
module using the Security
Configuration Tool
x
x
x
Diagnostics with the Security
Configuration Tool
x
x
x
Sending messages to Syslog server
x
x
x
Web diagnostics
x
-
-
-
-
x
-
-
x
-
-
x
Ghost mode
Obtaining the IP address of the
internal node during runtime and
adopting the IP address for the
external port of the security module
Demilitarized zone (DMZ)
Setting up a DMZ for separating the
secure network from the non-secure
network
Router and firewall redundancy
Redundant security modules for
maintaining the router and firewall
functionality if a security module fails
x Function supported
- Function not supported
1.3.2
Configuration limits
Note
You will find a complete overview of the permitted configuration limits on the Internet at the
following address: (http://support.automation.siemens.com/WW/view/en/58217657).
Basics and application
20
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.3 Product characteristics
Configuration limits
Function
CP x43-1 Adv.
CP 1628
SCALANCE S ≥ V4.0
Max. 32
Max. 64
Max. 128
VPN tunnels per security module
Firewall rules per security module
Max. 256
NTP servers that can be created throughout
the project (assignable NTP servers per
security module)
32 (4)
Which rules apply to user names, role names and passwords?
When creating or modifying a user, a role or a password, remember the following rules:
Permitted characters
The following characters from the US-ASCII character set are
permitted:
0123456789
A...Z a...z
!#$%&()*+,-./:;<=>[email protected] [\]_{|}~¦^`
Characters not allowed
"'
Length of the user name (authentication method
"password")
1 ... 32 characters
Length of the user name (authentication method
"RADIUS")
1 ... 255 characters
Length of the password
8 ... 32 characters
Length of the role name
1 ... 32 characters
Maximum number of users per project
Maximum number of users on one security module
Maximum number of roles per project
Maximum number of roles on one security module
128
32 + 1 administrator when creating the project
128 (122 user-defined + 6 system-defined)
37 (31 user-defined + 6 system-defined)
Note
User names and passwords
As an important measure for increasing security, always make sure that user names and
passwords are as long as possible and include special characters, upper and lowercase
letters and numerals.
Using password policies, you can further narrow down the restrictions listed above for
passwords. How to define password policies is described in the section:
Configuring password policies (Page 79)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
21
Introduction and basics
1.3 Product characteristics
Password strength
When a new password is entered, its password strength is checked. The following levels are
distinguished for the password strength:
● Very weak
● Weak
● Medium
● Good
● Strong
● Very strong
Note
Checking the password strength of existing users
Check the password strength
• of users already in the project,
• of the first user created in STEP 7,
• of migrated users,
by selecting the relevant user in the "User" tab of the user management and clicking the
"Edit..." button.
1.3.3
Replacing a module
How to access this function
1. Select the security module or the SOFTNET Security Client to be edited.
2. Select the "Edit" > "Replace module…" menu command.
3. Depending on the product type and the firmware release of the selected module, you can
adapt the module type and/or the firmware release in the dialog.
Based on a following table, you can see which modules you can replace without data loss
and which could involve a possible data loss.
Note
Replacing CPs
You will find information about replacing CPs in the relevant device manual.
Basics and application
22
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.3 Product characteristics
Output module
Possible module replacement
S602
V2
S602
V3
S602
V4
S612
V1
S612
V2
S612
V3
S612
V4
S613
V1
S613
V2
S623
V3
S623
V4
S6272M V4
S602 V2
-
x
x
!
x
x
x
!
x
x
x
x
S602 V3
!
-
x
!
!
!
!
!
!
!
!
!
S602 V4
!
!
-
!
!
!
!
!
!
!
!
!
S612 V1
!
!
!
-
x
x
x
x
x
x
x
x
S612 V2
!
!
!
!
-
x
x
!
x
x
x
x
S612 V3
!
!
!
!
!
-
x
!
!
x
x
x
S612 V4
!
!
!
!
!
!
-
!
!
x
x
x
S613 V1
!
!
!
!
!
x
x
-
x
x
x
x
S613 V2
!
!
!
!
!
x
x
!
-
x
x
x
S623 V3
!
!
!
!
!
!
!
!
!
-
x
x
S623 V4
!
!
!
!
!
!
!
!
!
!
-
x
S627-2M V4
!
!
!
!
!
!
!
!
!
!
!
-
x Without losses
! Possibly with losses
- The module type is not changed.
Initial configuration
Possible replacement
SOFTNET Security
Client 2005
SOFTNET Security
Client 2008
SOFTNET Security
Client V3.0
SOFTNET Security
Client V4.0
SOFTNET Security
Client 2005
-
x
x
x
SOFTNET Security
Client 2008
x*
-
x
x
SOFTNET Security
Client V3.0
x* **
x**
-
x
SOFTNET Security
Client V4.0
x* **
x**
x
-
* If the SOFTNET Security Client is not in a routing group.
** If the SOFTNET Security Client is not in a VPN group along with a SCALANCE M module.
See also
User interface and menu commands (Page 45)
/2/ (Page 256)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
23
Introduction and basics
1.4 Using the SOFTNET Security Client
1.4
Using the SOFTNET Security Client
PG/PC communication in the VPN - job of the SOFTNET Security Client
With the SOFTNET Security Client PC software, secure remote access is possible from
PGs/PCs to automation systems protected by security modules via public networks.
With the SOFTNET Security Client, a PG/PC is configured automatically so that it can
establish secure IPsec tunnel communication in the VPN (Virtual Private Network) with one
or more security modules.
PG/PC applications such as NCM Diagnostics or STEP 7 can then access devices or
networks in an internal network protected by security modules over a secure tunnel
connection.
The SOFTNET Security Client PC software is also configured with the Security Configuration
Tool ensuring fully integrated configuration.
1.5
Use of SCALANCE S602
Firewall and router - the job of the SCALANCE S602
With a combination of different security measures such as firewall and NAT/NAPT routers,
the SCALANCE S602 module protects individual devices or even entire automation cells
from:
● Data espionage
● Unwanted access
SCALANCE S602 allows this protection flexibly and without complicated handling.
SCALANCE S602 is configured with the Security Configuration Tool.
Figure 1-1
Network configuration with SCALANCE S602
Basics and application
24
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.5 Use of SCALANCE S602
Security functions
● Firewall
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3
(Layer 2 frames: does not apply to S602 if router mode is used);
– Bandwidth limitation
– Global firewall rule sets
– User-specific IP rule sets
All network nodes located in the internal network segment of a SCALANCE S are
protected by its firewall.
● Router mode
By operating the SCALANCE S as a router, you separate the internal network from the
external network. The internal network connected over SCALANCE S therefore becomes
a separate subnet; SCALANCE S must be addressed explicitly as a router using its IP
address.
● Protection for devices and network segments
The firewall protective function can be applied to the operation of single devices, several
devices, or entire network segments.
● No repercussions when included in flat networks (bridge mode)
This means that when a SCALANCE S602 is installed in an existing network
infrastructure, the settings of end devices do not need to be made again.
● Security module and internal node as one unit (ghost mode)
When communicating with external stations, the security module uses the IP address of
the internal node and the MAC address of the security module.
● NTP (secure)
For secure time-of-day synchronization and transmission.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
25
Introduction and basics
1.5 Use of SCALANCE S602
Internal and external network nodes
SCALANCE S602 divides networks into two areas:
● Internal network: Protected areas with the "internal nodes"
Internal nodes are all the nodes secured by a SCALANCE S.
● External network: Unprotected areas with the "external nodes"
External nodes are all the nodes located outside the protected areas.
Note
The internal network is considered to be secure (trustworthy).
Connect an internal network segment to the external network segments only over
SCALANCE S.
There must be no other paths connecting the internal and external network!
Basics and application
26
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.6 Use of SCALANCE S612, S623 and S627-2M
1.6
Use of SCALANCE S612, S623 and S627-2M
All-round protection - the job of SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M
With a combination of different security measures such as firewall, NAT/NAPT routers and
VPN (Virtual Private Network) via IPsec tunnels, the security modules SCALANCE S612,
SCALANCE S623 and SCALANCE S627-2M protect individual devices or even entire
automation cells from:
● Data espionage
● Data manipulation
● Unwanted access
SCALANCE S allows this protection flexibly, without repercussions, protocol-independent (as
of Layer 2 according to IEEE 802.3) and without complicated handling.
SCALANCE S and SOFTNET Security Client are configured with the Security Configuration
Tool.
Figure 1-2
Network configuration with SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
27
Introduction and basics
1.6 Use of SCALANCE S612, S623 and S627-2M
Security functions
● Firewall
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3
(Layer 2 frames; not available if router mode is used)
– Bandwidth limitation
– Global firewall rule sets
– User-specific IP rule sets
All network nodes located in the internal network segment of a SCALANCE S are
protected by its firewall.
● Communication made secure by IPsec tunnels
SCALANCE S can be grouped together with other security modules during configuration.
IPsec tunnels are created between all security modules of a group (VPN, Virtual Private
Network). All internal nodes of these security modules can communicate securely with
each other through these tunnels.
● Protocol-independent
Tunneling also includes Ethernet frames according to IEEE 802.3 (layer 2 frames; does
not apply if router mode is used).
Both IP and non-IP packets are transferred through the IPsec tunnel.
● PPPoE
Point-to-Point Protocol over the Ethernet (RFC 2516) for obtaining IP addresses
automatically from the provider so that the use of a separate DSL router is not necessary.
● Client for dynamic DNS (DDNS client)
Dynamic Domain Name Service for the use of dynamic IP addresses when a SCALANCE
S is used as a VPN server in remote maintenance scenarios in conjunction with the
SOFTNET Security Client, SCALANCE M modules, SCALANCE S modules or other VPN
clients.
● SNMPv3
For secure transmission of network analysis information safe from eavesdropping.
● Router mode
By operating the SCALANCE S as a router, you connect the internal network with the
external network. The internal network connected by SCALANCE S therefore becomes a
separate subnet.
● Protection for devices and network segments
The firewall and VPN protective function can be applied to the operation of single
devices, several devices, or entire network segments.
Basics and application
28
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.6 Use of SCALANCE S612, S623 and S627-2M
● Additional DMZ interface
In a demilitarized zone (DMZ), servers can be placed for which access to other networks
(non-secure external network, secure internal network) can be controlled and restricted.
This means that the two networks can have services and data made available securely
without the two networks having direct communication between them.
● No repercussions when included in flat networks (bridge mode)
Internal network nodes can be found without configuration. This means that when a
SCALANCE S is installed in an existing network infrastructure, the end devices do not
need to be reconfigured.
The security module attempts to find internal nodes; internal nodes that cannot be found
in this way must nevertheless be configured.
● User authentication using a RADIUS server
User names, passwords and roles of users can be stored centrally on a RADIUS server.
These users are then authenticated by a RADIUS server.
● NTP (secure)
For secure time-of-day synchronization and transmission.
Internal network nodes, external network nodes, DMZ network nodes
SCALANCE S divides networks into several areas:
● Internal network: Protected areas with the "internal nodes"
Internal nodes are all nodes secured by a SCALANCE S.
● External network: Unprotected areas with the "external nodes"
External nodes are all the nodes located outside the protected areas.
● DMZ network: Protected areas with the "DMZ nodes"
DMZ nodes are all nodes located in the DMZ and secured by a
SCALANCE S.
Note
The networks connected to the internal interface are considered as being secure
(trustworthy).
Connect an internal network segment with network segments with a different security
level (external network, DMZ network) only via SCALANCE S.
There must be no other connection paths between the internal network and a network
with a different security level.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
29
Introduction and basics
1.7 Use of the DMZ interface of SCALANCE S623 and SCALANCE S627-2M
1.7
Use of the DMZ interface of SCALANCE S623 and SCALANCE
S627-2M
Scenarios for the use of the DMZ interface
In addition to the functions of the SCALANCE S612, the SCALANCE S623 and SCALANCE
S627-2M are equipped with a third interface (DMZ) to which a additional network can be
connected.
Depending on the various scenarios for its use, the interface can provide a variety of
functions (not at the same time):
● Setting up a DMZ
● Endpoint for VPN tunnel connection
● Synchronization interface for router and firewall redundancy
● ...
Setting up a DMZ
With the SCALANCE S623 and the SCALANCE S627-2M, a DMZ (Demilitarized Zone) can
be set up on the additional interface. The DMZ is often used when services for an insecure
network need to be available and the secure network that supplies data for these services
needs to remain separated from the insecure network.
The DMZ, for example, can include terminal servers with installed maintenance and
diagnostic software which can be used by authorized users from the external network.
In typical DMZ applications, the user should configure the firewall rules so that (external)
access from the Internet to the server in the DMZ is possible (optionally further secured by a
VPN tunnel) but not to devices in the secure area (internal).
Figure 1-3
Setting up a DMZ
Basics and application
30
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.7 Use of the DMZ interface of SCALANCE S623 and SCALANCE S627-2M
An example of a configuration in which the DMZ interface is used to set up a DMZ can be
found in section "4.2 SCALANCE S as firewall between external network and DMZ" of the
"SIMATIC NET Industrial Ethernet Security - Getting started" manual.
Endpoint for VPN tunnel connection
The DMZ interface can be used as the endpoint of a VPN tunnel. In this scenario, the DMZ
interface is connected to the Internet via a connected DSL modem and is operated using
PPPoE. The VPN tunnel allows secure communication with, for example, an automation unit
connected to the internal port of another security module.
Figure 1-4
Endpoint for VPN tunnel connection
An example of a configuration in which the DMZ interface is used as the end point of a VPN
tunnel can be found in section "5.2 VPN tunnel between SCALANCE S623 and SCALANCE
S612" of the "SIMATIC NET Industrial Ethernet Security - Getting started" manual.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
31
Introduction and basics
1.7 Use of the DMZ interface of SCALANCE S623 and SCALANCE S627-2M
Synchronization interface for router and firewall redundancy
When using two security modules of the type SCALANCE S623 or SCALANCE S627-2M,
the failure of one security module can be compensated by router and firewall redundancy.
Here, both security modules are operated in routing mode and connected to the external and
internal network but only one security module is active at one time. If the active security
module fails, the passive security module takes over its function as router or firewall. To
ensure the identical behavior of both security modules, the two security modules are
connected together via their DMZ interfaces and their configurations are synchronized during
operation.
Figure 1-5
Router and firewall redundancy
Basics and application
32
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.8 Use of the media module ports of a SCALANCE S627-2M
1.8
Use of the media module ports of a SCALANCE S627-2M
Integration in ring topologies
In addition to the functions of the SCALANCE S623, the SCALANCE S627-2M has two
media module slots in which an electrical or optical media module with two ports can be
inserted. This expands both the external and internal interface by up to two ports. In routing
mode, the additional ports of the security module can be used to link the external and
internal interface to ring topologies.
Ring redundancy with MRP or HRP
The SCALANCE S627-2M supports the MRP and HRP protocols on the media module ports
of the external and internal interface as client. As a node of an MRP/HRP ring, a SCALANCE
S627-2M can protect a lower-level automation cell or a lower-level ring. This protection can
also be redundant. The loss of cables is detected by a separate ring manager, for example a
SCALANCE X308, and compensated by redirecting the communication path.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
33
Introduction and basics
1.9 Use of the CP 343-1 Advanced and CP 443-1 Advanced
1.9
Use of the CP 343-1 Advanced and CP 443-1 Advanced
Cell protection concept - job of the CP x43-1 Adv.
With Industrial Ethernet Security, individual devices, automation cells or network segments
of an Ethernet network can be protected. In addition to this, data transmission can be
protected by a combination of different security measures such as a firewall, NAT/NAPT
routers and VPN (Virtual Private Network) via an IPsec tunnel:
● Data espionage
● Data manipulation
● Unwanted access
The security functions of the CP x43-1 Adv. are configured with the Security Configuration
Tool configuration tool integrated in STEP 7.
Figure 1-6
Network configuration with CP x43-1 Adv.
Basics and application
34
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.9 Use of the CP 343-1 Advanced and CP 443-1 Advanced
Security functions
● Firewall
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3 (layer 2)
– Bandwidth limitation
– Global firewall rule sets
All network nodes located in the internal network segment of a CP x43-1 Adv. are
protected by its firewall.
● Communication made secure by IPsec tunnels
The CP x43-1 Adv. can be grouped together with other security modules during
configuration. IPsec tunnels are created between all security modules of a VPN group. All
internal nodes of these security modules can communicate securely with each other
through these tunnels.
● Logging
To allow monitoring, events can be stored in log files that can be read out using the
configuration tool or can be sent automatically to a syslog server.
● HTTPS
For the encrypted transfer of Web pages, for example in process control.
● FTPS
For encrypted transfer of files.
● NTP (secured)
For secure time-of-day synchronization and transmission.
● SNMPv3
For secure transmission of network analysis information safe from eavesdropping.
● Protection for devices and network segments
The firewall and VPN protective function can be applied to the operation of single
devices, several devices, or entire network segments.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
35
Introduction and basics
1.9 Use of the CP 343-1 Advanced and CP 443-1 Advanced
Internal and external network nodes:
CP x43-1 Adv. divides networks into two areas:
● Internal network: Protected areas with the "internal nodes"
Internal nodes are all the nodes secured by a CP x43-1 Adv..
● External network: Unprotected areas with the "external nodes"
External nodes are all the nodes located outside the protected areas.
Note
The internal network is considered to be secure (trustworthy).
Connect an internal network segment to the external network segments only over
CP x43-1 Adv..
There must be no other paths connecting the internal and external network.
Information on the general functions of the CP x43-1 Adv.
This manual explains the security functions of the CP x43-1 Adv. For descriptions of the
general functions, refer to:
● /1/ (Page 256)
● /2/ (Page 256)
Basics and application
36
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.10 Use of CP 1628
1.10
Use of CP 1628
Cell protection concept - job of the CP 1628
The integrated security mechanisms of the CP 1628 allow computer systems to be secured
including the data communication within an automation network or secure remote access via
the Internet. The CP 1628 allows access to individual devices or even to entire automation
cells protected by security modules and it allows secure connections via non-secure network
structures.
With the combination of different security measures such as firewall and VPN (Virtual Private
Network) via an IPsec tunnel, the CP 1628 protects from the following:
● Data espionage
● Data manipulation
● Unwanted access
The security functions of the CP 1628 are configured with the Security Configuration Tool
configuration tool integrated in STEP 7.
Figure 1-7
Network configuration with CP 1628
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
37
Introduction and basics
1.10 Use of CP 1628
Security functions
● Firewall
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3 (layer 2)
– Bandwidth limitation
– Global firewall rules
● Communication made secure by IPsec tunnels
The CP 1628 can be grouped together with other security modules during configuration.
IPsec tunnels are created between all security modules of a group (VPN, Virtual Private
Network).
● Logging
To allow monitoring, events can be stored in log files that can be read out using the
configuration tool or can be sent automatically to a syslog server.
● NTP (secured)
For secure time-of-day synchronization and transmission.
● SNMPv3
For secure transmission of network analysis information safe from eavesdropping.
Information on the general functions of the CP 1628
This manual explains the security functions of the CP 1628. For descriptions of the general
functions, refer to
● /11/ (Page 259)
Basics and application
38
Configuration Manual, 09/2013, C79000-G8976-C286-02
Introduction and basics
1.11 Configuration and administration
1.11
Configuration and administration
The most important features at a glance
In conjunction with the Security Configuration Tool, you are guided to a simple and secure
application of the security modules:
● Configuration without expert IT knowledge with the Security Configuration Tool
With the Security Configuration Tool, a security module can be configured by non IT
experts. When necessary, more complex settings can be made in advanced mode.
● Secure administrative communication
The transfer of the settings is signed and encrypted and must only be performed by
authorized persons.
● Access protection in the Security Configuration Tool
The user administration of the Security Configuration Tool ensures access protection for
the security modules and the configuration data.
● C-PLUG exchangeable memory medium can be used
The C-PLUG is a plug-in memory medium on which the encrypted configuration data can
be stored. When replacing a security module, this allows configuration without a PG/PC
as long as the security module supports data management on the C-PLUG.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
39
Introduction and basics
1.11 Configuration and administration
Basics and application
40
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2
The Security Configuration Tool is the configuration tool is supplied with the security
modules.
This chapter will familiarize you with the user interface and the functionality of the
configuration tool.
You will learn how to set up, work with, and manage security projects.
Further information
How to configure modules and IPsec tunnels is described in detail in the next sections of this
manual.
You will find detailed information on the dialogs and parameter settings in the online help.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
2.1
Overview - Range of performance and how it works
Scope of performance
You use the Security Configuration Tool for the following tasks:
● Configuration of the security modules
● Configuration of SOFTNET Security Client
● Creating the VPN configuration data of the SCALANCE M
● Setting VPN configuration files for VPN devices from third-party manufacturers
● Test and diagnostic functions, status displays
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
41
Configuring with the Security Configuration Tool
2.1 Overview - Range of performance and how it works
Two modes of the Security Configuration Tool
The Security Configuration Tool can be called up in the following modes:
● Security Configuration Tool Standalone:
– Can be called up independent of STEP 7.
– No security configuration of CPs possible
● Security Configuration Tool integrated in STEP 7:
– Can only be called up from STEP 7
– There must be at least one CP in the project with the security function activated.
– The range of the Security Configuration Tool standalone is expanded by the option of
configuring security functions for CPs
Offline configuration view and online diagnostics view
The Security Configuration Tool has an offline configuration view and an online diagnostics
view:
● Offline configuration view
In offline mode, the configuration data is created for the relevant module. Prior to
downloading, there must already be a connection to this module.
● Online
The online mode is used for testing and diagnostics of a security module.
Two operating modes
The Security Configuration Tool provides two operating modes in the offline configuration
view:
● Standard mode
The standard mode is the default mode in the Security Configuration Tool. This mode
allows fast, uncomplicated configuration for operating security modules.
● Advanced mode
In Advanced mode, there are further optional settings, for example that allow individual
setting of firewall rules, log settings, NAT/NAPT rules, VPN nodes and expanded security
functionalities.
Basics and application
42
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.2 Installation of the Security Configuration Tool
How it works - security and consistency
● Access only for authorized users
Every project is protected from unauthorized access by assigning user names and
passwords. With the help of password policies, project-specific rules for password
assignment can be defined.
● Consistent project data
Consistency checks are running even while you make the entries in the dialogs. You can
also run a project-wide consistency check for all dialogs at any time.
Only consistent project data can be downloaded to the security modules.
● Protecting project data by encryption
The project and configuration data is protected by encryption both in the project file and, if
it exists, on the C-PLUG (not for the CP 1628).
2.2
Installation of the Security Configuration Tool
2.2.1
Supported operating systems
Supported operating systems
The following operating systems are supported:
● Microsoft Windows XP 32-bit + Service Pack 3
● Microsoft Windows 7 Professional 32/64-bit
● Microsoft Windows 7 Professional 32/64-bit + Service Pack 1
● Microsoft Windows 7 Ultimate 32/64-bit
● Microsoft Windows 7 Ultimate 32/64-bit + Service Pack 1
● Windows Server 2008 R2 64-bit
● Windows Server 2008 R2 64-bit + Service Pack 1
Note
Before you install the Security Configuration Tool, make sure that you read the
"README.htm" file on the DVD. This file contains important notes and any late
modifications.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
43
Configuring with the Security Configuration Tool
2.2 Installation of the Security Configuration Tool
SCALANCE S - follow the steps below
You install the Security Configuration Tool from the supplied product DVD.
● Insert the product DVD in your DVD ROM drive. If the Autorun function is enabled, the
user interface is started automatically from where you can perform the installation.
or
● Start the "start.exe" application on the supplied product S DVD.
CP x43-1 Adv. - Follow the steps below
You install the Security Configuration Tool from the STEP 7 data medium. You will find the
installation file on the STEP 7 data medium in the directory for optional software
components.
CP 1628 - Follow the steps below
You install the Security Configuration Tool from the supplied data medium containing the
driver data of the CP 1628.
● Insert the data medium in your DVD drive. If the Autorun function is enabled, the user
interface is started automatically from where you can perform the installation.
or
● Start the "start.exe" application on the supplied data medium.
Basics and application
44
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.3 User interface and menu commands
2.3
User interface and menu commands
Structure of the user interface in advanced mode
①
Navigation panel:
•
Global firewall rule sets
The object contains the configured global firewall rule sets. Other folders:
–
Firewall IP rule sets
–
Firewall MAC rule sets
•
User-specific IP rule sets
•
All modules
The object contains all the configured modules and SOFTNET configurations of the project.
•
VPN groups
The object contains all generated VPN groups.
•
②
Redundancy relationships
The object contains all generated redundancy relationships of the project.
Content area:
When you select an object in the navigation panel, you will see detailed information on this
object in the content area.
For some of the security modules, you can see and adapt excerpts of the interface
configurations in this area.
Assuming that they provide corresponding configuration options, by double-clicking on the
security modules, you open properties dialogs where you can enter further parameters.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
45
Configuring with the Security Configuration Tool
2.3 User interface and menu commands
③
Details window:
The Details window contains additional information about the selected object and allows the
configuration of VPN properties for specific connections in the relevant context of a VPN group.
④
The Details window can be hidden and shown using the "View" menu.
Status bar:
The status bar displays operating states and current status messages. This includes:
•
The current user and user type
•
The operator view - standard mode/advanced mode
•
The mode - online/offline
Toolbar
Below, you will find an overview of the icons you can select in the toolbar and their meaning.
Symbol
Meaning / remarks
Create a new project.
Open the existing project.
Save the open project in the current path and under the current project name.
Copy the selected object.
Paste object from the clipboard.
Delete the selected object.
Create new module.
The symbol is only active if you are located in the navigation panel in the "All modules"
folder.
Create new VPN group.
The symbol is only active if you are located in the navigation panel in the "VPN groups"
folder.
Create a new global IP rule set / MAC rule set or user-specific IP rule set.
The symbol is only active if you are located in the navigation panel in a subfolder of
"Global firewall rule sets" or on the "User-specific IP rule sets" folder.
Create new redundancy relationship.
The symbol is only active if you are located in the navigation panel in the "Redundancy
relationships" folder.
Download the configuration to the selected security modules or create configuration data
for SOFTNET Security Client / SCALANCE M / VPN device / NCP VPN client (Android).
Basics and application
46
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.3 User interface and menu commands
Symbol
Meaning / remarks
Switch over to offline mode.
Switch over to online mode.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
47
Configuring with the Security Configuration Tool
2.3 User interface and menu commands
Menu bar
Below, you will see an overview of the available menu commands and their meaning.
Menu command
Meaning / remarks
Project ▶…
Functions for project-specific settings and for
downloading and saving the project file.
New...
Keyboard shortcut
Create a new project.
For CPs: Projects are created as a result of STEP 7
configuration.
Open...
Open the existing project.
For CPs: Existing projects can only be opened using
STEP 7 projects.
Save
Save the open project in the current path and under
the current project name.
Save As...
Save the open project in a selectable path and under
a selectable project name.
Ctrl + S
For CPs: The project is part of the STEP 7 project.
The path name cannot be changed.
Properties...
Open dialog for project properties.
Recent Projects
Allows you to select previously opened projects
directly.
For CPs: Existing projects can only be opened using
STEP 7.
Exit
Edit ▶…
Close project.
Menu commands only in offline mode
Note
When an object is selected, you can also activate
some of the functions in the shortcut menu.
Copy
Copy the selected object.
Ctrl + C
Paste
Fetch object from the clipboard and paste.
Ctrl + V
Delete
Delete the selected object.
Del
Rename
Rename the selected object.
F2
New certificate...
Generate a new group certificate for a module
selected in the content area after selecting the
appropriate VPN group.
Replace module ...
Replace the selected security module with another.
Properties ...
Open the properties dialog for the selected object.
Online diagnostics ...
Access test and diagnostic functions.
Insert ▶…
F4
Menu commands only in offline mode
Module
Create new security module.
Ctrl + M
The menu command is enabled only when a module
object or a VPN group is selected in the navigation
panel.
Basics and application
48
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.3 User interface and menu commands
Menu command
Group
Meaning / remarks
Keyboard shortcut
Create new VPN group.
Ctrl + G
The menu command is enabled only when a group
object is selected in the navigation panel.
Firewall rule set
Create a new global firewall IP rule set, MAC rule set
or user-specific IP rule set.
Ctrl + F
The menu command is enabled only when a firewall
object is selected in the navigation panel.
The menu command is only visible in advanced
mode.
Redundancy relationship
Create new redundancy relationship.
Ctrl + R
The menu command is only active if you are located
in the navigation panel in the "Redundancy
relationships" folder.
Transfer ▶…
To module(s)...
Download the configuration to the selected security
module(s) or create configuration data for SOFTNET
Security Client / SCALANCE M / VPN devices / NCP
VPN clients (Android).
Note: Only consistent project data can be
downloaded.
For CPs: Project data can only be downloaded using
STEP 7.
To all modules...
Download configuration to all security modules.
Note: Only consistent project data can be
downloaded.
Configuration status...
The configuration status of the configured security
modules is shown in a list.
Transfer firmware ...
Download new firmware to the selected security
module.
For S7-CPs: The firmware is loaded on the CP via
the update center of Web diagnostics.
View ▶…
Advanced mode
Switch over from the standard (default) to the
advanced mode.
Ctrl + E
Note
If you switch to the advanced mode for the current
project, you cannot switch back.
Show Details window
Show and hide additional details about the selected
object.
Ctrl + Alt + D
Offline
Default. Switch over to the offline configuration view.
Ctrl + Shift + D
Online
Switch over to the online diagnostics view.
Ctrl + D
Options ▶…
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
49
Configuring with the Security Configuration Tool
2.3 User interface and menu commands
Menu command
IP services...
Meaning / remarks
Keyboard shortcut
Open a dialog for service definitions for IP firewall
rules.
The menu command is only visible in advanced
mode.
MAC services...
Open a dialog for service definitions for MAC firewall
rules.
The menu command is only visible in advanced
mode.
Network adapter...
The SCALANCE S is assigned an IP address via the
selected network adapter.
Language...
Select the language in which the SCT user interface
is displayed.
For SCT in STEP 7, the language of the SCT user
interface is specified by the language selection in
STEP 7.
Log files...
Displays stored log files.
Symbolic names...
Assign symbolic names for IP or MAC addresses.
Configuration of the NTP
servers...
Create and edit NTP servers.
Configuration of the
RADIUS servers...
Create and edit RADIUS servers.
Consistency check...
Check the consistency of the entire project. The
result is output in the results list.
User management...
Create and edit users and roles, assign rights and
define password policies.
Certificate manager...
Display or import / export certificates.
Contents...
Help on the functions and parameters in the SCT.
About...
Information on the version and revision of the SCT.
Help ▶…
F1
Basics and application
50
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
2.4
Creating and managing projects
2.4.1
Security Configuration Tool (standalone variant)
Configuration with the Security Configuration Tool standalone
The Security Configuration Tool standalone variant is used to create security projects in
which no security modules are configured that need to be created and configured in STEP 7.
With the "Project" > "New" menu command, you create a new project. This includes all the
configuration and management information for one or more SCALANCE S devices,
SOFTNET Security Clients and SCALANCE M devices, VPN devices and NCP VPN clients
(Android). For each device or for each configuration, you create a module in the project.
2.4.2
Security Configuration Tool in STEP 7
Project engineering
The Security Configuration Tool in STEP 7 is used to create security projects in which
security modules are configured that need to be created and configured in STEP 7. All
security modules of the standalone variant are also supported.
As soon as you enable the security functions for a security module in STEP 7, an SCT
project is created automatically in which the data of the security configuration is stored and
managed. All the data for the security configuration is processed internally by the SCT and
the result is returned to STEP 7.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
51
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
Interaction of STEP 7 and SCT
The interaction of STEP 7 and SCT is explained based on the following diagram:
①
If you make security settings using STEP 7, SCT is called because the data for
security is maintained and managed there.
If specified connections are configured in NetPro, firewall rules are created in SCT
automatically for these after saving and compiling.
②
You then make further security settings in SCT. SCT processes the data internally and
returns the result to STEP 7.
③
Actions such as "Save as" and "Compile" are performed in STEP 7. The security data
is stored as an SCT project under an automatically assigned name in a subfolder of
the STEP 7 project. The name and storage location must not be changed. Precisely
one SCT project can be created for a STEP 7 project. An SCT project created in
STEP 7 with the Security Configuration Tool cannot be opened with the Security
Configuration Tool in standalone mode.
④
The configured security data of the CP is downloaded to the module using STEP 7.
Which data is migrated to SCT from STEP 7 and displayed in the content area?
The following configuration data created in STEP 7 is automatically adopted by SCT but it
cannot be modified there:
● Device name
● IP address PROFINET IO
● IP address Bit
Basics and application
52
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
● Subnet mask PROFINET IO
● Subnet mask Gbit
● MAC address of the Gbit interface
● Standard router
● MAC address PROFINET IO
Which data can be migrated to SCT and modified there?
The following functions used in STEP 7 can be migrated to SCT and edited there:
● Access control lists (Page 119)
● Users (Page 70)
● NTP server (Page 187)
You will find more detailed information in the online help of SCT.
You can call this with the F1 key or using the "Help" button in the relevant SCT dialog.
Automatic firewall rules for configured connections
With specified connections configured in STEP 7, firewall rules are automatically created in
SCT that allow connection establishment. For more detailed information, refer to the
following section:
● Connection-related automatic firewall rules (Page 143).
With unspecified connections, you need to configure firewall rules that allow connection
establishment in SCT. For more detailed information, refer to the following section:
● Firewall in advanced mode (Page 136).
Making security settings in STEP 7
You can make the security settings as follows:
● Using individual tabs of the object properties
In the individual tabs, you can enable and execute CP-specific security functions. When
the function executes, the relevant SCT dialog opens in which you can make security
settings. You can make security settings in the following tabs:
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
53
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
Tab
Function
Description
Security
Enable security
•
The security functions in the individual tabs
become active.
•
The "Edit" > "Security Configuration Tool"
menu becomes active and you can then
open the Security Configuration Tool. There,
you can make further general security
module settings, such as creating VPN
groups or adding security modules that
cannot be configured in STEP 7.
•
If you have configured users for the security
module in STEP 7, the window "Data
migration of security-relevant project data"
opens in which you can migrate the STEP 7
users to the Security Configuration Tool.
Start of security
configuration
SCT opens in an overview mode in which you
can configure specific properties for this security
module.
Reloading firewall
rules online
Adapted firewall settings are generated and
downloaded to the CP without causing the CP to
stop.
Reloading firewall
Adapted firewall settings are generated and
rules online (CP 1628) downloaded to the CP.
User
Start of user
management
Starts the SCT user management in which users
and roles can be created and rights assigned.
IP access protection
Start of the firewall
configuration
When you activate security, an existing IP
access list is migrated and converted to firewall
rules in the Security Configuration Tool.
FTP
Permit access only
with FTPS
Starts the SCT user management in which you
can assign FTP rights to a role.
Start of user
management
Web
Permit access only
with HTTPS
Starts the SCT user management in which you
can assign Web rights to a role.
Start of user
management
Time-of-day synchronization
Expanded NTP
configuration
Starts SCT in the NTP configuration mode.
SNMP
Start of SNMP
configuration
Starts SCT in the SNMP configuration mode.
You can choose between SNMPv1 and
SNMPv3.
Start of user
management
Starts the SCT user management in which you
can assign SNMP rights to a role.
● Directly in SCT
Basics and application
54
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
You call SCT in STEP 7 using the "Edit" > "Security Configuration Tool" menu. In addition
to the settings in the tabs of the object properties, here you can create for example VPN
groups or add SCALANCE S modules. Although you can configure and download the
SCALANCE S modules in SCT, the data is not returned to STEP 7. When SCT is exited,
the modules are also not displayed in STEP 7.
Note
You will find more detailed information in the STEP 7 and SCT online help.
You will find general information on STEP 7 in /9/ (Page 258).
2.4.3
Migrating STEP 7 data
Migrating STEP 7 device users to the SCT user management
In the migration dialog, select how the users created in STEP 7 will be migrated to the SCT
user management. Here, you can choose from the following actions:
Action
Description
Adopt as...
The user is migrated to the SCT user management under a
different name. Enter the name in the "Migrated user name"
column. The migrated user is assigned an automatically generated
role in SCT.
Merge
If a user with the same name has already been created in the SCT
project, the two users are merged. The role of the user is expanded
by the rights selected for the migrated user.
Do not adopt
The user of the security module is not migrated to the SCT user
management. Migration at a later point in time is not possible.
Note
The following data is not migrated
• Passwords of users already created in STEP 7. For all users, you should therefore select
how they will be migrated and assign a new password using the "Assign password"
button.
• The system-defined user "everybody" available in STEP 7. This user's rights are not
adopted for migrated users.
Note
The users and their roles can be adapted after migration in the user management of the
Security Configuration Tool.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
55
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
Migrating STEP 7 device rights to the SCT user management
The following rights are migrated:
Right in STEP 7
Right after migration to SCT
To access the configured symbols Applet: Read tags using configured
symbols
Service
PLC
Applet: Write tags using configured
symbols
To read tags using absolute
addresses
Applet: Read tags using absolute
addresses
To write tags using absolute
address
Applet: Write tags using absolute
addresses
Access files on the S7 station with FTP: Read files (DBs) from the S7 CPU
FTP
FTP: Write files (DBs) to the S7 CPU
FTP: Read files from the CP file system
File system
FTP: Write files to the CP file system
Web: Format CP file system
Send a test mail using the system
page
Web: Access Web diagnostics and CP file
system
Web
Web: Send test mail
Query the status of modules
Applet: Read status of the modules in the
rack
Query order number of modules
Applet: Read order number of the modules
in the rack
PLC
See also
Time synchronization (Page 187)
Configuring the access list (Page 119)
2.4.4
Overview
General contents
Both in the standalone version of the Security Configuration Tool, as well as in the version
integrated in STEP 7, you will be prompted to assign a user name and a password when
creating a new project. The user you create here is of the type "administrator". After making
this entry, you can create the configurations in the project.
Generally, the configurations of a project contain the following:
● Valid settings throughout the project
● Module-specific settings
● Group assignments for IPsec tunnel
Basics and application
56
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
User management also handles access rights to the project data and to the security
modules.
Valid settings throughout the project
● Project properties
These include not only address and name information but also initialization values.
● Global firewall rule sets
A global firewall rule set can be assigned to several modules at the same time. In many
situations, this simplifies the configuration compared with configuring local firewall rules in
the settings for specific modules.
● User-specific IP rule sets
A user-specific IP rule set is assigned to a user and a security module. A SCALANCE S
V4 module can also be assigned a user-specific IP rule set to which a role is assigned.
User-specific IP rule sets allow the definition of highly detailed user-specific access rights.
● Redundancy relationships
A redundancy relationship is created for two security modules. If one of the two security
modules fails during operation, the other security module takes over its function as
firewall and (NAT/NAPT) router.
● MRP domains
The members of an MRP ring are specified with the help of MRP domains. The same
MRP domain must be selected for the interfaces of all modules to be connected to an
MRP ring.
● Service definitions
Using the IP service or MAC service definitions, you can define succinct and clear firewall
rules.
● NTP server
NTP servers are created throughout the project and can then be assigned to several
security modules in SCT.
● RADIUS server
RADIUS servers are created throughout the project and can then be assigned to several
security modules in SCT.
● Certificate manager
All the certificates of the project and the security modules it contains are managed in the
certificate management.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
57
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
● User management
In the user management, you can manage all users of the project and their rights and the
password policies.
● Symbolic names
In a project, you can assign symbolic names in a table that stand for IP and MAC
addresses.
Basics and application
58
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
Module-specific settings
Most of the functions are configured in the tabs of the properties dialog that can be called up
for a selected security module with the command "Edit" > "Properties...". In the properties
dialog, the individual tabs can be arranged as required by dragging them with the mouse.
The following table contains the functional descriptions of the individual tabs.
Function / tab in the properties dialog
Interfaces
Specified in mode ...
Standard
Advanced
X
X
X
X
X
X
-
X
X
X
-
X
X
X
-
X
Overview of the individual interface and port settings.
For CPs: The settings are taken from STEP 7 and cannot be
modified.
Firewall
In standard mode, you enable the firewall with simple standard
rules. You can also enable log settings.
In advanced mode, you can define detailed packet filter rules.
You can also define explicit log settings for each packet filter
rule.
For CPs: If an access control list was migrated, this is displayed
here and can be edited.
Internet connection
If you have set a connection using PPPoE, make the settings for
the Internet Service Provider here.
DNS
Settings related to dynamic DNS permitting access to
continuously changing IP addresses via fixed defined names
(FQDN). Dynamic DNS is permitted on the external interface
and on the DMZ interface.
Routing
Here, enter the data for the standard router and/or specify a
subnet-specific route.
For CPs: The specification of a default router is adopted from
STEP 7 and can only be changed there. This is displayed in the
content area of SCT. The tab does not therefore exist in the
module properties.
NAT/NAPT
Enable NAT/NAPT functionality and specify the address
translation in a list.
Time synchronization
Here, you specify the type of synchronization for the date and
time.
For CPs: Time-of-day synchronization can only be configured in
SCT if the expanded NTP configuration was enabled in STEP 7.
Log settings
Here you can specify the recording and storage mode of log
events in greater detail and configure the transfer to a Syslog
server.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
59
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
Function / tab in the properties dialog
Specified in mode ...
VPN
Standard
Advanced
X
X
-
X
X
X
-
X
X
X
X
X
If the security module is in a VPN group, you can configure dead
peer detection, the type of connection establishment and, if
applicable, a WAN access point (IP address or FQDN) here.
Depending on the security module, in the "VPN nodes" dialog
area you make additional settings for subnets, IP/MAC nodes
and NDIS nodes that should also be reachable via the VPN
tunnels.
For SCALANCE S: The learning of internal nodes can be
enabled or disabled.
The "VPN nodes" dialog area is only displayed if the project is in
advanced mode.
DHCP server
For the internal network and the DMZ network (SCALANCE
S623/S627-2M only), you can use the security module as a
DHCP server.
SNMP
In this tab, set the SNMP protocol version and the
authentication/encryption method.
Proxy ARP
In this tab, make static entries for proxy ARP on the external
interface.
MRP/HRP
In this tab, select the parameters for connecting the security
module to MRP/HRP rings.
RADIUS
In this tab, assign a RADIUS server to the security module that
will authenticate users when activating user-specific IP rule sets
instead of the security module.
Group assignments for an IPsec tunnel
VPN groups specify which security modules, SOFTNET Security Clients and SCALANCE M
modules, VPN devices and NCP VPN clients (Android) communicate with each other via an
IPsec tunnel.
By assigning these network nodes to a VPN group, you can establish a VPN (Virtual Private
Network) communications tunnel.
Only modules of the same VPN group can communicate securely via tunnels, however the
modules can belong to several VPN groups at the same time.
See also
Configuring additional module properties (Page 167)
Basics and application
60
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
2.4.5
Specifying default initialization values for a project
Specifying default initialization values for a project
With the default initialization values, you specify the properties to be adopted when you
create new modules. Using the "Save selection" check box, you can also specify whether a
window for setting the properties is opened when you create a new module or whether the
module will be inserted directly.
Select the "Project" > "Properties" menu command, "Default initialization values" tab.
Protecting project data by encryption
The saved project and configuration data is protected by encryption both in the project file
and on the C-PLUG (not for the CP 1628).
2.4.6
Consistency checks
Overview
The Security Configuration Tool distinguishes between:
● Local consistency checks
● Project-wide consistency checks
The checked rules where care is required when you enter them can be found in the relevant
dialog descriptions under the keyword "Consistency check".
Local consistency checks
A consistency check is local when it can be performed directly within a dialog. Checks can
be made during the following actions:
● After exiting a box
● After exiting a row in a table
● When you close the dialog with "OK"
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
61
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
Project-wide consistency checks
Project-wide consistency checks provide you with information on correctly configured
modules. With the following actions, there is automatically a consistency check through the
entire project:
● When you save the project
● When you open the project
● Before you download a configuration
Note
You can only download configuration data when the entire project is consistent.
How to start a project-wide consistency check
Run a consistency check for an open project as follows:
Menu command: "Options" > "Consistency checks...".
The result of the check is displayed in a list that you can filter according to the message
types "Errors" or "Warnings". If the project contains inconsistent data, the status is displayed
in the status bar of the SCT window. Click on the status bar to display the check list.
2.4.7
You can assign symbolic names for IP / MAC addresses.
How to access this function
Menu command: "Options" > "Symbolic names ...".
Meaning and advantages
In a security project, you can assign symbolic names in a table that stand for IP and MAC
addresses.
This makes it simpler and more reliable when configuring the individual services.
Symbolic names within the project are taken into account by the following functions and can
be used during their configuration:
● Firewall
● NAT/NAPT router
● Syslog
● DHCP
● NTP
Basics and application
62
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.4 Creating and managing projects
Forming symbolic names
Both when defining and using symbolic names, they must be preceded by a hash character
(#). The symbolic names themselves must be DNS-compliant.
Validity and uniqueness
The validity of the symbolic names specified in the table is restricted to configuration within a
security project.
Each symbolic name must be assigned uniquely to a single IP address and/or MAC address
within the project.
Dialog for defining symbolic names
To avoid inconsistencies between an "IP address - symbolic name" assignment, and "MAC
address - symbolic name", the symbolic names are managed in a single table.
Defining symbolic names
1. Click the "Add" button to add a new symbolic name in the next free table row.
2. Enter the hash character (#) followed by the required, DNS-compliant symbolic name.
3. Add the IP address and/or the MAC address to the entry.
Using undefined symbolic names
During the configuration of security modules, you can also use symbolic names that have not
yet been defined. After entering a symbolic name that has not yet been defined and
confirming the corresponding dialog, the selected symbolic name is added to the table of
symbolic names. In this dialog, you can then specify the corresponding IP address and/or
MAC address for the symbolic name.
If you delete an entry in the table, the symbolic names used in the services remain. In this
case, the consistency check recognizes undefined symbolic names. This applies regardless
of whether or not you defined the symbolic name later.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
63
Configuring with the Security Configuration Tool
2.5 Configuration data for SCALANCE M modules
Tip:
The use of the project-wide consistency check is especially practical for the table described
here. Based on the list, you can recognize inconsistencies and correct them.
Start the consistency check for an open project using the menu command "Options" >
"Consistency checks...".
Consistency check - these rules must be adhered to
Remember the following rules when making the entries:
● Symbolic names must be preceded by a hash character (#).
● The assignment of a symbolic name to an IP or MAC address must be unique. The
symbol name and the address may only be assigned once and must not be used in
another list entry.
● The symbolic names must be DNS-compliant.
● A symbolic name must be assigned either an IP address or a MAC address or both.
● No symbolic names may be assigned to the IP addresses of the security modules.
● Symbolic names used in the project for IP or MAC addresses must be included in the
table.
Inconsistencies can occur when entries in the table are deleted and not removed or
corrected in the configuration dialogs.
See also
Consistency checks (Page 61)
DNS compliance (Page 253)
2.5
Configuration data for SCALANCE M modules
Meaning
You can generate your VPN information for the assignment of parameters to a SCALANCE
M using the Security Configuration Tool. With the generated files, you can then configure the
SCALANCE M.
The following file types are generated:
Basics and application
64
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.5 Configuration data for SCALANCE M modules
● Export file with the configuration data
– File type: *.txt file in ASCII format
– Contains the exported configuration information for the SCALANCE M including
information on the additionally generated certificates.
– Export file for SCALANCE M875 modules:
– Export file for SCALANCE M874-x modules:
● VPN group certificates for the module
– File type of the private key: *.p12 file
– The file contains the VPN group certificate of the module and the relevant key
material.
– Access is password protected.
● CA certificates of VPN groups
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
65
Configuring with the Security Configuration Tool
2.6 Configuration data for VPN devices
– File type: *.cer file
Note
Configuration files are not transferred to the module. An ASCII file is generated with which
you can configure the SCALANCE M. Fur this to be possible, the module must be in at least
one VPN group with a security module or a SOFTNET Security Client as of V3.0.
Generating configuration files
1. Select the module to be edited.
2. Select the "Transfer" > "To module(s)..." menu command.
3. In the save dialog that then opens, enter the path and file name of the configuration file
and click the "Save" button.
4. In the dialog that follows, choose whether you want to create your own password for the
two created certificate files.
If you select "No", the project name is assigned as the password (for
example SCALANCE_M_configuration1), not the project password.
If you select "Yes" (recommended), you enter a password in the next dialog.
Result: The files (and certificates) are stored in the folder you specify.
Note
You will find further information on configuration in the operating instructions for the
SCALANCE M875 or M874-x.
2.6
Configuration data for VPN devices
Meaning
You can generate your VPN information for the assignment of parameters to a VPN device
using the Security Configuration Tool. With the generated files, you can then configure the
VPN device.
The following files are generated:
Basics and application
66
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.6 Configuration data for VPN devices
● Export file with the configuration data
– File type: *.txt file in ASCII format
– Contains the exported configuration information for the VPN device including
information on the additionally generated certificates.
Figure 2-1
Export file for a VPN device
● VPN group certificates of the VPN device
● VPN group certificates of partner modules
● Private keys
● CA certificates of VPN groups
Configuring file types
For VPN devices, you can specify the file types in which the generated data is saved.
To do this, select the VPN device you want to edit and then select the menu command "Edit"
> "Properties...".
● VPN group certificates of the VPN device
– *.crt file: Base64-coded certificate
– *.pem file: Base64-coded certificate
– *.pem file: Binary-coded certificate
● VPN group certificates of partner modules:
– *.crt file: Base64-coded certificate
– *.pem: Base64-coded certificate
– *.pem: Binary-coded certificate
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
67
Configuring with the Security Configuration Tool
2.7 Configuration data for NCP VPN clients (Android)
● Private keys:
– *.p12 file: Password-protected PKCS12 archive with private key
– *.key: Unprotected Base64-coded private key
● CA certificates of VPN groups:
– *.crt file: Base64-coded certificate
– *.pem file: Base64-coded certificate
– *.pem file: Binary-coded certificate
Note
Configuration files are not transferred to the VPN device. An ASCII file is generated with
which you can configure the VPN device. For this to be possible, the VPN device must be in
at least one VPN group with a security module or a SOFTNET Security Client as of V3.0.
Generating configuration files
1. Select the VPN device to be edited.
2. Select the "Transfer" > "To module(s)..." menu command.
3. In the save dialog that then opens, enter the path and file name of the configuration file
and click the "Save" button.
4. In the dialog that follows, choose whether you want to create your own password for the
two created certificate files.
If you select "No", the project name is assigned as the password (for
example VPN_project_02), not the project password.
If you select "Yes" (recommended), you enter a password in the next dialog.
Result: The files (and certificates) are stored in the folder you specify.
2.7
Configuration data for NCP VPN clients (Android)
NCP Secure VPN Client for Android
The NCP Secure Android Client allows a highly secure VPN connection to central data
networks of companies and organizations. Access to several different data networks is
possible using a separate VPN profile.
Based on the IPsec standard, tablets and smart phones can establish encrypted data
connections to VPN gateways of all well-known providers.
The client can be obtained in two variants from the Google Play Store:
Basics and application
68
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.7 Configuration data for NCP VPN clients (Android)
● NCP Secure VPN Client for Android (authentication with pre-shared key)
● NCP Secure VPN Client Premium for Android (authentication with pre-shared key or
certificate)
You will find further information on NCP Secure Android Clients here:
NCP Secure VPN Client for Android (http://www.ncp-e.com/en/products/ipsec-vpn-client-forandroid.html)
Meaning
You can generate the VPN information for the assignment of parameters to an NCP VPN
client (Android) using the Security Configuration Tool. With the generated files, you can then
configure the NCP VPN client software.
The following file types are generated:
● Export file with the configuration data
– File type: *.ini file in UTF-8 format
– Contains the exported configuration information for the NCP VPN client (Android)
including information on the additionally generated certificates.
● VPN group certificates for the module
– File type of the private key: *.p12 file
– The file contains the VPN group certificate of the module and the key material.
– Access is password protected.
● CA certificates of VPN groups:
– File type: *.crt file
Figure 2-2
Export file for an NCP VPN client (Android)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
69
Configuring with the Security Configuration Tool
2.8 Managing users
Note
Configuration files are not transferred to the NCP VPN client (Android). An ASCII file is
generated with which you can configure the NCP VPN client (Android). To allow this, the
NCP VPN client (Android) must be located in at least one VPN group with a security module.
Generating configuration files
1. In the content area, select the NCP VPN client (Android) you want to edit.
2. Select the "Transfer" > "To module(s)..." menu command.
3. In the save dialog that then opens, enter the path and file name of the configuration file
and click the "Save" button.
4. In the dialog that follows, choose whether you want to create your own password for the
two created certificate files.
If you select "No", the project name is assigned as the password (for
example NCP_project_02), not the project password.
If you select "Yes" (recommended), you enter a password in the next dialog.
Result: The files are stored in the folder you specify.
2.8
Managing users
2.8.1
Overview of user management
How is the user management structured?
Access to the security configuration is managed by configurable user settings. Set up users
with a password for authentication. Assign a system-defined or a user-defined role to the
user. The roles are assigned configuration- and module-specific rights. When creating users
remember the specified configuration limits (Page 20).
Migrating existing users from STEP 7 to SCT
Users already created in STEP 7 can be migrated to SCT. When doing this, new passwords
have to be assigned.
You will find more detailed information in the online help.
You can call this with the F1 key or using the "Help" button in the relevant SCT dialog.
Basics and application
70
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.8 Managing users
Order for making entries when creating users and roles
Select one of the two options for the order of the entries:
● First, create a new user, then specify a role and as the last step assign the role to the
user.
● First, define a new role and then create a user and in the last step assign the role to the
user.
Note
Make sure that you keep your user passwords safe.
If you forget your user passwords, you can no longer access the relevant project or the
security module involved.
In this case, you need to create a new project and reset to factory defaults. You will,
however, lose the configuration.
Note
If the authentication settings are changed, the configuration must be downloaded to the
security modules again before the settings (for example, new users, password changes)
become active on the security modules.
User authentication when activating user-specific IP rule sets
Users that log on to the Web page of the security module to activate a user-specific IP rule
set, can be authorized either by the security module or by a RADIUS server.
How you specify a user for the "RADIUS" authentication method is described in the next
section:
● Create users (Page 71)
You will find more detailed information on user authentication by the RADIUS server in the
following section:
● Authentication using a RADIUS server (Page 80)
2.8.2
Create users
How to access this function
Menu command SCT: "Options" > "User management...", "Users" tab, "Add..." button.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
71
Configuring with the Security Configuration Tool
2.8 Managing users
STEP 7 menu command: "Users" > "Start of user administration", "Run" button. The user
administration can also be called up from individual tabs.
Parameter
Meaning
User name
Freely selectable user name.
Authentication method
•
Password: Use this authentication method for users that edit and
download the SCT project and that are intended to run diagnostics
on the security module. The authentication of the user is performed
by the security module when user-specific IP rule sets are activated.
•
RADIUS
: The authentication of the user is performed by a
RADIUS server when user-specific IP rule sets are activated.
The password of the user is not configured in SCT when using this
authentication method but must be stored on the RADIUS server.
Only use this authentication method for users that only need to log
on to the Web page of a security module. A user with the "RADIUS"
authentication method cannot log on to SCT projects.
Password (only with the
"Password" authentication
method)
Entry of the password for the user. When it is entered, the password
strength is checked. For more detailed information on password
strength, refer to the following section:
Configuration limits (Page 20)
Repeat password (only
with the "Password"
authentication method)
Repeat the entered password.
Comment
Entry of additional comments.
Maximum time of the
session
Entry of the time after which a user logged on to the Web page for userspecific IP rule sets of SCALANCE S modules is automatically logged
off. The time entered here starts after the logon and after renewing the
session on the Web page of the security module.
•
Assigned role
Table 2- 1
Default setting: 30 minutes
•
Minimum value: 5 minutes
•
Maximum value: 480 minutes
Depending on the assignment made.
Buttons in the "Users" tab
Name
Meaning / effect
Edit...
Select an entry and then click the button. In the dialog that is displayed,
change the settings listed above.
Add...
With this button, you can add a new user.
Delete
Use the button to delete the selected entry.
Note
Within a project, there must always be one user with the "Administrator"
role. The administrator that is created automatically when you create
the project can only be deleted if at least one other user exists that has
complete configuration rights.
Basics and application
72
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.8 Managing users
2.8.3
Creating roles
Which roles are available?
You can assign a system-defined or a user-defined role to a user. Specify the module rights
of a user-defined role for each security module.
System-defined roles
The following system-defined roles are predefined. Certain rights are assigned to the roles
that are the same on all modules and that the administrator can neither change nor delete.
Managing rights (Page 75)
● administrator
Default role when creating new SCT project.
Unrestricted access rights to all configuration data.
● standard
Role with restricted access rights.
● diagnostics
Default role when creating new user.
Read-only access.
● remote access
No rights except for logging on to the Web page for user-specific firewall rule sets.
● radius
Role that can be used to activate user-specific IP rule sets with authentication using a
RADIUS server.
Read-only access.
● administrator (radius)
Role that can be used to activate user-specific IP rule sets with authentication using a
RADIUS server.
Access rights to all configuration data except SNMP MIBs.
Note
For more detailed information on user-specific IP rule sets, refer to the following section:
User-specific IP rule sets (Page 140)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
73
Configuring with the Security Configuration Tool
2.8 Managing users
Note
For more detailed information on authentication using a RADIUS server, refer to the
following section:
Authentication using a RADIUS server (Page 80)
User-defined role
In addition to the system-defined roles, you can create user-defined roles. For a user-defined
role, select the configuration or module rights and specify the appropriate rights for every
security module used in the project. You assign the user-defined roles to the relevant user
manually.
How to access this function
Menu command SCT: "Options" > "User management", "Roles" tab.
STEP 7 menu command: "Users" > "Start of user administration", "Run" button. The user
administration can also be called up from individual tabs.
Table 2- 2
Information in the "Roles" tab
Parameter
Meaning
Role name
Freely selectable role name.
Comment
Entry of additional comments.
Maximum time of the
session
Entry of the time after which a user with the assignment role is
automatically logged off from the Web page for user-specific IP rule sets
of SCALANCE S modules. The time entered here starts after the logon
and after renewing the session on the Web page of the security module.
•
Default setting: 30 minutes
•
Minimum value: 5 minutes
•
Maximum value: 480 minutes
Basics and application
74
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.8 Managing users
Table 2- 3
Buttons in the "Roles" tab
Name
Meaning / effect
Properties... / Edit...
Select a user-defined role in the list and click the button. In the dialog
that opens, change the properties of the role such as the role name, the
assignment of rights to the role and the maximum session time.
System-defined roles cannot be edited.
Add...
With this button, you can add a new user-defined role. In the dialog that
opens, enter the role name and assign the appropriate rights to the role
from the rights list. The rights of the system-defined role selected in the
rights template are displayed (default: "diagnostics").
Delete
Use the button to delete the selected entry.
Note
2.8.4
•
A user-defined role that has already been created can only be
deleted when it is not assigned to any user. If necessary, assign the
user a different role.
•
System-defined roles cannot be deleted.
Managing rights
How to access this function
Menu command SCT: "Options" > "User management", "Roles" tab, "Properties..." or
"Add..." button.
STEP 7 menu command: "Users" > "Start of user administration", "Run" button. The user
administration can also be called up from individual tabs.
Creating and assigning a user-defined role
1. Enter a role name.
2. Select a system-defined role from the rights template (default: "diagnostics"). Userdefined roles are not displayed for selection.
Result: Depending on the selected role, the rights for every security module used in the
project are displayed in the rights list. The rights of the security modules not used in the
project are grayed out.
3. For each security module, enable or disable the rights to be assigned to the user-defined
role.
4. If required, enter a comment and a maximum session time for the role to be created.
5. Click the "Apply" button to save the selection or "OK" to save and close window.
6. Assign the role to a user.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
75
Configuring with the Security Configuration Tool
2.8 Managing users
Copying the role rights of a security module
In the shortcut menu of a security module, select the "Copy rights" command and assign
these to another module using the "Paste rights" command.
Configuration rights
Depending on the role type, the following configuration rights are available for selection for
each security project:
Table 2- 4
Configuration rights for access to the security project
Configuration right
administrator
standard
diagnostics
Diagnose security
x
x
x
Configure security
x
x
-
Manage users and roles
x
-
-
x Right is enabled
- Right is disabled
Module rights
The "Service" column displays the system that is influenced by the particular right.
Depending on the role type, the following module rights are available for selection for each
security project:
Basics and application
76
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.8 Managing users
Table 2- 5
Module rights CP x43-1 Adv.
Right within the service
administrator
standard
diagnostics
Web: Format CP file system *
x
-
-
FTP: Read files from the CP file system
x
x
x
FTP: Write files to the CP file system
x
x
-
FTP: Read files (DBs) from the S7 CPU **
x
x
x
FTP: Write files (DBs) to the S7 CPU ***
x
x
-
Applet: Read tags using configured symbols *
x
x
x
Applet: Read tags using absolute addresses *
x
x
x
Applet: Write tags using absolute addresses *
x
x
-
Applet: Read status of the modules in the rack *
x
x
x
Applet: Read order number of the modules in the
rack *
x
x
x
SNMP: Read MIB-II
x
x
x
SNMP: Write MIB-II
x
x
-
SNMP: Read automation MIB
x
x
x
SNMP: Read LLDP-MIB
x
x
x
SNMP: Read SNMPv2-MIB
x
x
x
SNMP: Read MRP MIB
x
x
x
SNMP: Write MRP MIB
x
x
-
SCT: Run diagnostics of the security module ****
x
x
x
Web: Expand IP access control list *
x
-
-
Web: Access Web diagnostics and CP file system
x
x
x
Web: Send test mail *
x
x
x
Web: Update firmware *
x
x
-
Web: Load diagnostics texts later *
x
x
-
Service
File system
PLC
Applet: Write tags using configured symbols *
SNMP
Safety
Web
Maintenance
x Right is enabled
- Right is disabled
*
To be able to use the function, the module right "Web: Access Web diagnostics and CP
file system" must be enabled as well.
**
To be able to use the function, the module right "FTP: Read files from CP file system"
must be enabled as well.
***
To be able to use the function, the module right "FTP: Write files to CP file system"
must be enabled as well.
**** To use the function, the configuration right "Diagnose security" must also be enabled.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
77
Configuring with the Security Configuration Tool
2.8 Managing users
Table 2- 6
Module rights CP 1628
Right within the service
administrator
standard
diagnostics
Service
SNMP: Read MIB-II
x
x
x
SNMP
SNMP: Write MIB-II
x
x
-
SNMP: Read automation MIB
x
x
x
SNMP: Read SNMPv2-MIB
x
x
x
SCT: Run diagnostics of the security module
x
x
x
Safety
x Right is enabled
- Right is disabled
Table 2- 7
Module rights SCALANCE S ≥ V3.0
Right within the service
administrator
standard
diagnostics
Service
SNMP: Read MIB-II
x
x
x
SNMP
SNMP: Write MIB-II
x
x
-
SNMP: Read automation MIB
x
x
x
SNMP: Read SNMPv2-MIB
x
x
x
x
x
x
x
x
-
SCT: Run diagnostics of the security module
x
x
x
Download the configuration files
x
x
-
Web: Update firmware
x
x
-
SNMP: Read MRP MIB
SNMP: Write MRP MIB
Safety
Maintenanc
e
x Right is enabled
- Right is disabled
Table 2- 8
Module rights SCALANCE S < V3.0
Right within the service
administrator
standard
diagnostics
Service
Download the configuration files
x
x
-
Safety
SCT: Run diagnostics of the security module
x
x
x
x Right is enabled
- Right is disabled
Setting module rights before and after creating the security modules
Within a user-defined role, the module rights for each security module are defined
separately. If a security module was created for which module rights will be defined within a
role before the role was added, the module rights for this security module will be set
automatically according to the selected rights template and can, if necessary, be adapted. If
a security module was added after creating a role, SCT does not set any rights. In this case,
you will need to set all module rights for the security module yourself.
Basics and application
78
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.8 Managing users
You can also transfer existing module rights to another security module by copying and, if
necessary, adapting them there. To do this, select a security module in the shortcut menu in
the module rights and select the "Copy rights" or "Paste rights" menu command.
2.8.5
Configuring password policies
Meaning
Using the password policies, specifications can be defined that need to be taken into
account when assigning passwords to new users.
How to access this function
Select the "Options" > "User management..." menu command, "Password policies" tab. After
selecting a check box, the corresponding policy is active and can, if necessary, be adapted
using the relevant input box.
Parameter
Meaning
Minimum password length
Minimum number of characters that passwords are required
to contain. The corresponding check box is enabled as
default and cannot be disabled.
Minimum number of digits
Minimum number of special characters
Number of passwords blocked for further use
At least one uppercase and lowercase character
•
Minimum value: 8 characters
•
Maximum value: 32 characters
Minimum number of digits that passwords are required to
contain.
•
Minimum value: 1 digit
•
Maximum value: 32 digits
Minimum number of special characters that passwords are
required to contain. A special character is any character that
is neither a letter nor digit.
•
Minimum value: 1 special character
•
Maximum value: 32 special characters
Number of the most recently used passwords that are not
available for use as a new password if the password is
changed.
•
Minimum value: 1 password
•
Maximum value: 10 passwords
If you select this check box, passwords must contain at least
one lowercase and one uppercase letter.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
79
Configuring with the Security Configuration Tool
2.8 Managing users
2.8.6
Authentication using a RADIUS server
2.8.6.1
Overview
Meaning
RADIUS (Remote Authentication Dial-In User Service) is a protocol for authenticating users
by servers on which user data can be stored centrally. The use of RADIUS servers can
increase the protection of user names, assigned roles and passwords.
Scenario for the use of RADIUS servers
Authentication by RADIUS servers can be performed when activating user-specific IP rule
sets.
1
Entry of the user data on the Web page of the security module
2
Authentication by RADIUS server and activation of the user-specific IP rule set
3
Access to an automation cell
Basics and application
80
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.8 Managing users
The network setup shown above is simply an example. The RADIUS server can also be
located in the internal network or in the DMZ network of the security module.
For the configuration options described below, it is assumed that a RADIUS server is
configured in SCT and was assigned to the relevant security module. In addition to this, one
user or role must be configured with the "RADIUS" authentication method. For more detailed
information, refer to the following sections:
● Defining a RADIUS server (Page 83)
● Assigning a RADIUS server to a security module (Page 83)
● Create users (Page 71)
● Creating roles (Page 73)
For general information on user-specific IP rule sets, refer to the following section:
● User-specific IP rule sets (Page 140)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
81
Configuring with the Security Configuration Tool
2.8 Managing users
Configuration options
To authenticate the user using a RADIUS server, there are two configuration options
available:
● The user and the user's role are known on the security module, only the password
management for the user is performed on the RADIUS server. The user and the
password are configured on the RADIUS server.
– A user with the "RADIUS" authentication method is configured.
– The user is assigned to the user-specific IP rule set.
Result:
– When a user logs on to the Web page of the security module, the authentication query
is forwarded to the RADIUS server.
– The RADIUS server runs a password check and signals the result back to the security
module.
– If the password check is passed successfully, the user-specific IP rule set is activated.
● The role is known on the security module, user management is via the RADIUS server.
The user and the password are configured on the RADIUS server.
– A user-defined role or a system-defined role is assigned to the user-specific IP rule
set.
– In the "RADIUS" tab of the security module, the "Allow RADIUS authentication of nonconfigured users" and the "Filter ID is required for authentication" check boxes are
enabled.
Result:
– When a user logs on to the Web page of the security module, the authentication and
authorization query is forwarded to the RADIUS server.
– The RADIUS server runs a password check and signals the result back to the security
module.
– Case a: If, in addition to this, the role name is configured on the RADIUS server:
The RADIUS server returns the role name assigned to the user to the security module.
– Case b: If the role name is not configured on the RADIUS server:
The security module assigns the user the system-defined role "radius".
– If the password check is passed successfully, the user-specific IP rule set is activated.
Conventions for RADIUS servers
● The RADIUS servers can be in any network connected to the security module.
● A maximum of two RADIUS servers can be configured per security module. During
operation only one of the RADIUS servers is active.
● When defining RADIUS servers, FQDNs can also be configured instead of IP addresses.
Basics and application
82
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.8 Managing users
2.8.6.2
Defining a RADIUS server
Meaning
Before authentication by a RADIUS server is possible, this first needs to be stored in the
SCT project. Following this, you assign the defined RADIUS server to the security module for
which the RADIUS server will handle user authentication.
Procedure
1. Select the "Options" > "Configuration of the RADIUS server..." menu command.
2. Click the "Add..." button.
3. Enter the required parameters according to the following table.
Parameter
Meaning
Name
Freely selectable name for the RADIUS server.
IP address / FQDN
IP address or FQDN of the RADIUS server.
Port
UDP port via which the RADIUS server can be
reached. As default, authentication data is
received at port 1812.
Shared secret
Entry of the password that will be used when
transferring the logon data between the
RADIUS server and security modules for
encryption.
Repeat shared secret
Confirmation of the password
Authentication method
Display of the method used to check the user
data. Only the "PAP" method (Password
Authentication Protocol) is supported.
Comment
Entry of freely selectable, optional comments.
Result
You have defined a RADIUS server and can now assign this to the required security
modules.
2.8.6.3
Assigning a RADIUS server to a security module
Requirement
You have defined a RADIUS server.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
83
Configuring with the Security Configuration Tool
2.9 Managing certificates
Procedure
1. Select the security module to which you want to assign a RADIUS server.
2. Select the "Edit" > "Properties..." menu command.
3. Select the "RADIUS" tab.
4. Select the "Enable RADIUS authentication" check box.
Note
Changing the method of authentication with the Web server on the security module
If RADIUS authentication is enabled on the security module, the method for
authentication with the Web server is changed from "Digest Access Authentication" to
"Basic Access Authentication".
5. In the "RADIUS timeout" input box, enter the maximum time in seconds that the security
module will wait for a response from the RADIUS server.
6. In the "RADIUS retries" input box, enter the number of connection establishment attempts
with the RADIUS server.
7. Select the "Allow RADIUS authentication of non-configured users" check box if the userspecific IP rule to be activated was assigned a role instead of a user.
8. Select the "Filter ID is required for authentication" check box if the assigned role is a userdefined role.
9. Click the "Add" button.
Result: The RADIUS server that was configured first is assigned to the security module.
10.From the "Name" drop-down list, select the RADIUS server you want to assign to the
security module.
You will find general information on authentication by the RADIUS server in the following
section:
Authentication using a RADIUS server (Page 80)
See also
Create users (Page 71)
Basics and application
84
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.9 Managing certificates
2.9
Managing certificates
2.9.1
Overview
How do you manage certificates?
In the certificate manager, you have an overview of all the certificates / CA certificates used
in the project with information about the applicant, issuer, validity, use in SCT and the
existence of a private key.
The CA certificate is a certificate issued by a certification authority from which the device
certificates are derived. The device certificates include the SSL certificates required to
authenticate during online communication between a security module and another network
node. Further device certificates include the VPN group certificates of security modules
located in VPN groups. Certification authorities can be:
● SCT itself. If the "applicant" and "issuer" are the same, this is a self-signed certificate; in
other words, issued by SCT.
● A higher ranking (commercial) certification authority. These third-party certificates are
external to the project and are imported and stored in the certificate store of SCT.
Certificates created by one of the two certification authorities always have a private key so
that the device certificates can be derived from them.
The following functions are also available in the certificate manager:
● Modification of existing certificates (for example duration of validity).
● Import of new certificates and certification authorities.
● Importing FTPS certificates if the CP is being used as an FTP client.
● Export of the certificates and certification authorities used in the project.
● Renewal of expired certificates and certification authorities.
● Replacement of existing certification authorities with others.
Note
Downloading the project
After replacing or renewing certificates, the project must be downloaded to the relevant
security module.
After replacing or renewing CA certificates, the project must be downloaded to all security
modules.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
85
Configuring with the Security Configuration Tool
2.9 Managing certificates
Note
Current date and current time of day on the security modules
When using secure communication (for example HTTPS, VPN...), make sure that the
security modules involved have the current time of day and the current date. Otherwise the
certificates used will not be evaluated as valid and the secure communication will not work.
How to access this function
Menu command SCT: "Options" > "Certificate manager...".
In the individual tabs, you have the following buttons available:
Button
Description
Import... / Export...
Import / export of device certificates or CA certificates that were
not created in SCT. The certificates are transferred to the security
module. The following formats are permitted:
*.pem (certificate only)
*.crt (certificate only)
*.p12 (certificate and corresponding private key)
Note
•
Display...
Users with the system-defined "diagnostics" role must not use
the export function.
Opens the certificate dialog of Windows where you will see an
overview of all certificate data.
"Certification authority" tab
The certificates displayed here are created by a certification authority.
● Certification authority of a project: When you create a new SCT project, a CA certificate is
generated for the project. The SSL certificates for the individual security modules are
derived from this certificate.
● Certification authority of a VPN group: When you create a new VPN group, a CA
certificate is generated for the VPN group. The VPN group certificates of security
modules located in the VPN group are derived from this certificate.
Basics and application
86
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.9 Managing certificates
"Device certificates" tab
Display of the device-specific certificates generated by SCT for a security module. These
include:
● SSL certificate of a security module: An SSL certificate that is derived from the CA
certificate of the project is generated for each security module created. SSL certificates
are used for authentication during communication between PG/PC and security module,
when downloading the configuration (not for CPs) and when logging.
● VPN group certificate of a security module: A VPN group certificate is also generated for
each security module for each VPN group in which it is located.
"Trusted root certification authorities" tab
Display of the third-party certificates imported into SCT. Server certificates can be imported
for example from external FTP servers or project certificates from other SCT projects.
The imported third-party certificate is transferred to all the CPs managed in the SCT project.
The security module can then identify itself with this certificate, for example when accessing
an FTPS server. The SCT configuration itself does not use the imported certificate.
Display of the certification authorities required for verification of external services such as
providers of dyn. DNS by the security modules.
2.9.2
Renewing certificates
Meaning
In this dialog, you renew CA certificates and device certificates. If necessary, for example
with compromised certificates, you can import a certificate or have a new certificate
generated by the Security Configuration Tool.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
87
Configuring with the Security Configuration Tool
2.9 Managing certificates
How to access this function
1. Right-click on a list entry in the certificate manager.
2. Select the "Renew certificate ..." entry.
3. Decide whether or not the new certificate will be self-signed or signed by a certification
authority.
4. If the certificate is to be signed by a certification authority, select the certification authority
to be used with the "Select..." button. Only certification authorities stored in the certificate
store of the current SCT project can be selected.
5. Select a period during which the certificate is valid. As default, the value of the current
certificate is entered in the "Valid from:" and "Valid until:" boxes.
6. Depending on the certificate, enter the following values:
Certificate to be renewed
Parameter
Applicant
Alternative applicant name
CA certificate of the project
Name of the CA certificate
-
CA certificate of a VPN
group
Name of the CA certificate
-
SSL certificate for S7 CP
Name of the security module
IP addresses of the gigabit and
PROFINET interface separated by a
comma.
SSL certificate for PC CP
Name of the security module
IP address of the security module.
SSL certificate for
SCALANCE S,
SCALANCE M and
SOFTNET Security Client
Name of the security module
-
VPN group certificate of a
security module
Name of the VPN group
certificate
Derived from the CA.
Basics and application
88
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring with the Security Configuration Tool
2.9 Managing certificates
2.9.3
Replacing certificates
Meaning
In the dialog, replace the existing CA certificate of the project or CA certificate of a VPN
group with a new one.
How to access this function
1. Right-click on a list entry in the "Certification authorities" tab.
2. Select the "Replace certificate..." entry.
3. The "Change certification authority" dialog opens.
All the certificates listed in the "Certificates involved" box are derived again. This means that
the CA certificate of an already configured VPN group can be replaced in the SCT project by
the CA certificate of a VPN group from a different SCT project. The VPN group certificates
for the VPN group members are therefore derived from the same CA certificate in both
projects.
If an information dialog opens when you close the certificate manager, download the
changed configuration to the security module again.
Which format can the certificate have?
Other certificates are derived from the imported CA certificate in SCT. For this reason, you
can only select certificates with a private key:
● *.p12
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
89
Configuring with the Security Configuration Tool
2.9 Managing certificates
Basics and application
90
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3
This chapter familiarizes you with the procedures for creating modules and the possible
settings for the individual modules in a project.
Further information
You will find detailed information on the dialogs and parameter settings in the online help.
You can call this with the F1 key or using the "Help" button in the relevant SCT dialog.
Note
Performance features and device types
Note which functions the device type you are using supports.
See also
Online functions - test, diagnostics, and logging (Page 241)
How to access this function
1. Select the "All modules" object in the navigation panel.
2. Select the "Insert" > "Module" menu command.
3. Make the following settings.
Parameter
Meaning
Product type
Product type used when a new module is created.
SCALANCE S
SOFTNET Configuration (SOFTNET Security Client,
SCALANCE M87x/MD74x, NCP VPN client device)
Module
Depending on the selected product type, you can select the
module type here that will be used when you create a new
module.
Select the option "NCP VPN client for Android" to insert a VPN
client device as proxy for a device with NCP Secure VPN Client
for Android software installed.
Select the "VPN device" option to insert a VPN client device as
proxy for a device from another manufacturer.
Note
The checked out configuration file simply provides help on the
configuration of the VPN connection, but is no guarantee for
compatibility with products of other manufacturers.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
91
Creating modules and setting network parameters
Parameter
Meaning
Firmware release
You can specify the firmware/software versions here for the
SCALANCE S modules, the SOFTNET Security Client and for
NCP VPN client (). For SCALANCE M modules, you can choose
between SCALANCE M875/MD74x and SCALANCE M874-x
here.
Name of the module
Freely selectable name for the module.
MAC address
Entry of the MAC address of the module.
IP address (ext.)
IP address for the external interface.
The IP address consists of four decimal numbers with the range
from 0 to 255, each number separated by a period, example:
141.80.0.16
Subnet mask (ext.)
Range of values for subnet mask. Is proposed according to the
IP address entered.
The subnet mask consists of four decimal numbers with the
range from 0 to 255, each number separated by a period;
example: 255.255.0.0
Interface routing external/internal
Selecting the mode for the security module. The following
modes are available for SCALANCE S:
•
Bridge mode
• Routing mode
When selecting routing mode, you need to configure an IP
address and a subnet mask for the internal interface of the
security module.
IP address (int.)
IP address for the internal interface.
Only needs to be specified when
routing mode is enabled
The IP address consists of four decimal numbers with the range
from 0 to 255, each number separated by a period; example:
141.90.10.10
Subnet mask (int.)
Range of values for subnet mask. The subnet mask is proposed
according to the entered IP address.
Only needs to be specified when
routing mode is enabled
Save selection
The subnet mask consists of four decimal numbers with the
range from 0 to 255, each number separated by a period;
example: 255.255.0.0
If you enable this function, the currently set configuration is
adopted in the default initialization values. When you insert new
modules the "Selection of a module or software configuration"
dialog is no longer opened and a module is inserted in the
project according to the settings made.
To cancel this function again and to select a different module
type, you will need to disable this function in the following menu
path:
"Project" > "Properties" > "Default Initialization values"
Basics and application
92
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.1 Parameters in the content area
Note
Additional settings
You make further interface settings in the "Interfaces" tab of the module properties. For
information on this, refer to section:
• Configuring interfaces (SCALANCE S) (Page 96)
Creating CPs in STEP 7
CPs are created only in STEP 7. After they have been created and specified as security
modules, they appear with their STEP 7 module properties in the list of configured modules
in SCT. The address data is taken from STEP 7 and cannot be modified in SCT.
See also
Parameters in the content area (Page 93)
Range of values for IP address, subnet mask and address of the gateway (Page 253)
MAC address (Page 254)
3.1
Parameters in the content area
How to access this view
Select the "All modules" object in the navigation panel.
For CPs only the content of the "Comment" column can be edited.
The following properties of the modules are displayed in columns:
Property/column
Meaning
Comment/selection
No.
Consecutive module number
Assigned automatically
Name
Unique module name
Freely selectable
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
93
Creating modules and setting network parameters
3.1 Parameters in the content area
Property/column
Meaning
Comment/selection
Type
Device type
Note
For devices of the type "SOFTNET
Security Client" and "NCP VPN
Client for Android", there is no
properties dialog.
For SCALANCE M modules, you
can configure settings for the
external and internal interface in the
module properties.
For VPN devices, you can adapt the
file types of the configuration files to
be exported in the module
properties.
IP address ext.
IP address via which the device can
be reached in the external network,
for example for downloading the
configuration
Assigned as suitable in the network.
Subnet mask ext.
Subnet mask for the external IP
address
Assigned as suitable in the network.
IP address int.
IP address with which the device
can be reached in the internal
network when it is configured as a
router
Assigned as suitable in the network.
Subnet mask for the internal IP
address
Assigned as suitable in the network.
Standard router
IP address of the standard router
Assigned as suitable in the network.
MAC address
Hardware address of the module
The MAC address is printed on the
module housing.
Comment
Information on the module and the
subnet protected by the module
Freely selectable
Subnet mask int.
The input box can only be edited
when routing mode is enabled.
The input box can only be edited
when routing mode is enabled.
Changing address parameters for SCALANCE S
For SCALANCE S, some address parameters can be entered and modified in the content
area.
Meaning of the address parameters for CPs
For the CPs, the following addresses from STEP 7 are displayed:
Box in SCT
CP x43-1 Adv.
CP 1628
IP address ext.
IP address gigabit
IP address IE (Industrial Ethernet)
IP address int.
IP address PROFINET
Is not displayed
Subnet mask ext
Subnet mask gigabit
Subnet mask IE
Basics and application
94
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.1 Parameters in the content area
Box in SCT
CP x43-1 Adv.
CP 1628
Subnet mask int.
Subnet mask PROFINET
Is not displayed
Standard router
Standard router configured in
STEP 7
Standard router configured in STEP 7
MAC address
MAC address gigabit (if
configured)
MAC address IE (if configured)
The address data is also displayed in the "Interfaces" tab.
Dynamically assigned IP address
If the IP address has been configured in STEP 7 so that it is assigned dynamically, this is
shown in SCT as follows depending on the settings:
Table 3- 1
Gigabit interface
Mode in STEP 7
IP address ext. / Subnet mask ext. (boxes in SCT)
Obtain IP address from a DHCP
server
dynamic
Table 3- 2
PROFINET interface
Mode in STEP 7
IP address int. / Subnet mask int. (boxes in SCT)
Obtain IP address from a DHCP
server
dynamic
Set IP address in the user
program
Set IP address using a different
method
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
95
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
3.2
Configuring interfaces (SCALANCE S)
3.2.1
Overview of the connector options
Supported connector options
Each security module has a certain number of ports to which the network nodes can be
connected. Depending on the interface, the network nodes are handled differently.
Security
module
Interface
MAC address of
the interface*
SCALANCE
S602 / S612 /
S613
External
SCALANCE
S623
SCALANCE
S627-2M
Port type
MAC address of the port*
MAC address (see P1
labeling)
Built-in RJ-45 jack
(copper)
MAC address + 2
Internal
MAC address + 1
P2
Built-in RJ-45 jack
(copper)
MAC address + 3
External
MAC address (see P1
labeling)
Built-in RJ-45 jack
(copper)
MAC address + 3
Internal
MAC address + 1
P2
Built-in RJ-45 jack
(copper)
MAC address + 4
DMZ
MAC address + 2
P3
Built-in RJ-45 jack
(copper)
MAC address + 5
External
MAC address (see P1
labeling)
Built-in RJ-45 jack
(copper)
MAC address + 3
P4
Media module port
(copper/FOC)
MAC address + 4
P5
Media module port
(copper/FOC)
MAC address + 5
P2
Built-in RJ-45 jack
(copper)
MAC address + 6
P6
Media module port
(copper/FOC)
MAC address + 7
P7
Media module port
(copper/FOC)
MAC address + 8
P3
Built-in RJ-45 jack
(copper)
MAC address + 9
Internal
DMZ
MAC address + 1
MAC address + 2
Port of
the
interface
* When operating in bridge mode, the printed MAC address is valid both on the external and
on the internal interface.
The MAC addresses of the interfaces are used for all services except LLDP.
Basics and application
96
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
The MAC addresses of the ports are used for topology discovery with LLDP (only for
modules in routing mode).
Note
The Ethernet interfaces must not be confused when connecting to the communications
network:
• X1 interface - external
Red marking = unprotected network area;
• Interface X2 - internal
Green marking = network protected by SCALANCE S;
• Interface X3 - DMZ (universal network interface)
Yellow marking = unprotected network area or network area protected by SCALANCE S.
If the interfaces are swapped over, the device loses its protective function.
Functions of the DMZ interface
A demilitarized zone (DMZ) is used when services for an external network need to be
available and the internal network that supplies data for these services needs to remain
separated from the external network. The DMZ can, for example, contain terminal servers on
which maintenance and diagnostics programs are installed that allow defined access to
certain systems in the secure network. Only permitted users or clients from the non-secure
network or clients connected via VPN have access. The firewall rules can be configured so
that devices in the DMZ can be accessed from the Internet but devices in the internal
network cannot be accessed. To improve protection, it is also possible to allow access only
to VPN data traffic. An example of a configuration in which the DMZ interface is used to set
up a DMZ can be found in section "4.2 SCALANCE S as firewall between external network
and DMZ" of the "SIMATIC NET Industrial Ethernet Security - Getting started" manual.
To be able to assign a dynamic IP address to devices in the DMZ as well, A DHCP server
can enabled on the DMZ interface. However, with such a use case, it must be ensured that
the devices in the DMZ always receive the same IP address by DHCP because these IP
addresses need to be used when configuring the firewall. This means that the dynamic
address assignment cannot be used in the DHCP configuration but rather static address
assignment based on the MAC address or based on the client ID.
The DMZ interface can be used as a VPN endpoint. In conjunction with the DSL modem, the
DMZ interface is then operated in PPPoE mode or in conjunction with an upstream DSL
router with a static IP address. An example of a configuration in which the DMZ interface is
used for remote access via a VPN tunnel can be found in the section "5.2 VPN tunnel
between SCALANCE S623 and SCALANCE S612" in the "SIMATIC NET Industrial Ethernet
Security - Getting started" manual.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
97
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Media module ports of the external and internal interface
In addition to the functions of the SCALANCE S623, the SCALANCE S627-2M has two
media module slots in which an electrical or optical 2-port media module can be inserted.
This expands both the external and internal interface by up to two ports. If the media module
"MM992-2SFP" is used for an interface, you can insert up to two electrical or optical SFP
transceivers (Small Form-factor Pluggable transceiver) into the media module. The
additional ports can be used to connect the external and internal interface of the SCALANCE
S627-2M to MRP/HRP rings.
The media module ports are connected to the built-in port of the particular interface via a
switch chip. Between the ports connected via a switch chip, there is no firewall functionality
(layer 2 / layer 3). All the ports connected via a switch chip can be reached using the same
IP address.
Functions of the individual interfaces
The following functions can be used on the individual interfaces:
Function
Green (internal)
Red (external)
Yellow (DMZ)
Static IP address
x
x
x
WAN access with DSL
router
-
x
x
WAN access with DSL
modem (PPPoE,
dynamic IP address
from ISP)
-
Bridge mode
x
x
(when not on yellow
interface)
(when not on red
interface)
x
-
Routing mode
x
x
x
Ghost mode
-
x
-
DHCP server
x
-
x
Endpoint of a VPN
tunnel connection (with
DSL modem and DSL
router)
-
x
x
MRP/HRP client (in
routing mode, ring ports
on the media modules)
x
x
-
x
x
x
x
x
-
LLDP (in routing mode)
Passive listening (in
routing mode when
media modules are
plugged in)
x is supported
Basics and application
98
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
- is not supported
Duplex mode
One of the following two duplex modes can be selected for a port:
● Half duplex: At any one time, the security module can either receive or send data.
● Full duplex: At any one time, the security module can receive or send data at the same
time.
Note
Duplex method and transmission speed with optical ports
For ports with the port type "optical", the port mode is fixed by the media module used or by
the SFP transceiver used and cannot be adapted.
3.2.2
Interfaces
How to access this function:
1. Select the module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Interfaces..." tab.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
99
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Interface routing - options available
If the security module is not in a VPN group and is not in a redundancy relationship, the
interface routing can be modified in this box. The selection applies to interface routing
between the external and internal interface. The DMZ interface (SCALANCE S623 and
SCALANCE S627-2M only) is always connected in routing mode.
Bridge mode
For operation in flat networks. External and internal interface are
in the same IP subnet.
For S623 / S627-2M: External and internal interface are in the
same IP subnet, the DMZ interface is in a different IP subnet or
is deactivated.
Routing mode
All interfaces are in different IP subnets.
Note
If you have enabled the routing mode for the SCALANCE S
module, no MAC firewall rules can be defined.
Ghost mode
In operation, the security module adopts the IP address of the
node connected to the internal interface of the security module
for the external interface. The IP address data specified for the
external interface is only used for downloading the configuration.
Note
The ghost mode can only be selected in the "Interfaces" tab if
the project is in advanced mode.
Configuring the interfaces
If the external interface or the DMZ interface (SCALANCE S623/S627-2M only) of a security
module needs to be configured, it must be activated using the "Activate interface" check box.
Set the IP address information for each interface and settings for the individual ports. There
are two ways in which you can assign an IP address for the external interface and for the
DMZ interface (SCALANCE S623/S627-2M only):
● Static IP address with subnet mask
● Address assignment using PPPoE
The internal interface can only be configured using a static IP address.
If alias IP addresses were registered on an interface due to configuring a NAT/NAPT rule,
these are displayed in the "Alias IP addresses" box.
Note
External interface and DMZ interface as Internet access
The simultaneous operation of PPPoE on the external interface and on the DMZ interface
(dual ISP) is not possible.
Basics and application
100
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Meaning of the tunnel IP address
If you use the function "NAT/NAPT in the VPN tunnel", you need to assign an alias tunnel IP
address for the security module. This ensures the reachability of the security module via the
VPN tunnel and provides a configuration and diagnostics option. The configured IP address
is the first alias tunnel IP address of the security module in the VPN tunnel and can be
expanded by further alias tunnel IP addresses using suitable NAT/NAPT rules. The subnet
mask is fixed at 32 bits for the alias tunnel IP address and cannot be changed. The alias
tunnel IP address can only be configured if the following requirements are met:
● The security module is in a VPN group.
● The project is in advanced mode.
You will find further information on address translation with NAT/NAPT in VPN tunnels in the
following section:
Address translation with NAT/NAPT in VPN tunnels (Page 178)
Point to Point Protocol over Ethernet (PPPoE)
To allow Internet/WAN access directly via a DSL modem, the IP address on the external
interface or on the DMZ interface is assigned using PPPoE. PPPoE is a dial-in protocol for
obtaining IP addresses from an Internet service provider (ISP). SCALANCE S is operated
here in routing mode.
To use this IP address assignment mode, specify the ISP in the "Internet connection" tab.
The IP address, the subnet mask, the standard router and the DNS server of the interface
are specified by the ISP.
Note
A configured standard router is not taken into account when using PPPoE. This is assigned
dynamically to the module by the ISP.
Note
No network components between SCALANCE S and DSL modem
If the interface of a SCALANCE S module is operated using PPPoE, there must be no other
network components between this interface and the connected DSL modem otherwise the
dial-in data of the Internet Service Provider will be transferred unencrypted over this link due
to the protocol being used.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
101
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Port settings
Column
Meaning
Port ID
Automatically assigned ID for the port of the interface.
Port type
Physical characteristic of the port (copper/fiber)
Port mode
Autonegotiation
The transmission speed and the duplex setting are selected
automatically.
Note
A transmission speed of 1000 Mbps and the autocrossing
function are supported only if autonegotiation is selected.
10 Mbps, half and full duplex
Transmission speed of 10 Mbps
100 Mbps, half and full duplex
Transmission speed of 100 Mbps
Off (only external port or DMZ port with
SCALANCE S623 and SCALANCE S6272M)
The port is disabled.
Note
Ports of media modules using fiber-optic cables as the transmission medium always use full duplex and
operate at the maximum transmission speed. This means that the port mode of the ports of optical
media modules cannot be configured.
LLDP mode (in
routing mode)
MRP port (in
routing mode for
the media
module ports of
the external and
internal
interface)
HRP port (in
routing mode for
the media
module ports of
the external and
internal
interface)
Comment
RxTx
LLDP frames can be sent
and received.
Rx
Receive LLDP frames
For more detailed
information on LLDP, refer
to the following section:
LLDP (Page 106)
Display indicating whether the media module ports of the interface are connected to an MRP ring. If this
is the case, the character strings "RingportOne" and "RingportTwo" are displayed in the table rows of
the media module ports. For the ports with the port ID "X1 P1" and "X2 P1", the character string "None"
is displayed as default since these cannot be involved in an MRP ring.
You will find general information on media redundancy with MRP in the following section:
Media redundancy with MRP or HRP (Page 107)
You will find information on configuring MRP for the security module in the following section:
Configuring MRP/HRP for the security module (Page 108)
Display indicating whether the media module ports of the interface are connected to an HRP ring. If this
is the case, the character strings "RingportOne" and "RingportTwo" are displayed in the table rows of
the media module ports. For the ports with the port ID "X1 P1" and "X2 P1", the character string "None"
is displayed as default since these cannot be involved in an HRP ring.
You will find general information on media redundancy with HRP in the following section:
Media redundancy with MRP or HRP (Page 107)
You will find information on configuring HRP for the security module in the following section:
Configuring MRP/HRP for the security module (Page 108)
Freely selectable comment
Configuration of media modules
Click the "Configure media module..." button to call up the dialog for configuring the media
module for the corresponding interface.
The following configuration modes are available:
Basics and application
102
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
● "Automatic" (default setting): The media module you are using is detected automatically
during operation. The port mode is set to "Autonegotiation" for both ports.
● "Manual": Select the media module type being used from the "Module type" drop-down
list. If you select the media module type "MM992-2SFP", you can select the required
transceivers (SFPs) from the two "SFP type" drop-down lists.
For ports with the port type "Copper", you can specify the transmission speed and the
duplex method manually using the port mode. For ports with the port type "Optical", the
port mode is fixed by the media module used or by the SFP transceiver used and cannot
be adapted.
See also
Special features of the ghost mode (Page 110)
Overview of the connector options (Page 96)
3.2.3
Internet connection
How to access this function:
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Internet connection" tab.
Meaning
In this tab, you make settings related to the Internet Service Provider (ISP) if a connection
using PPPoE is set for one of the interfaces of the security module.
Table 3- 3
Settings for the ISP account
Function
Description
User name
Enter the name for logging on with the ISP account.
Password
Enter the password for logging on with the ISP account.
Repeat password
Enter the password for logging on with the ISP account again.
Authentication
Select none or one of the following authentication protocols:
•
PAP (Password Authentication Protocol)
• CHAP (Challenge Handshake Authentication Protocol)
Note
Both communications partners have to use the same
authentication method otherwise no connection can be
established.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
103
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Table 3- 4
Settings for the connection
Function
Description
Permanent connection
Permanent Internet connection. After the connection has been
terminated by the provider, the connection is automatically
restored even if there are currently no packets to be sent.
On-demand connection
The Internet connection is established automatically if packets
need to be sent to the Internet.
In this setting, delays in the sending of packets are possible.
3.2.4
Forced disconnection (only with
the "Permanent connection"
setting)
The provider terminates the Internet connection automatically
after a certain period. If you enter a time of day in the "Forced
disconnection" box, the security module terminates the Internet
connection itself at this time. This allows disconnection of the
Internet connection by the provider to be delayed under certain
circumstances. A self-initiated forced disconnection is only
possible with an existing permanent connection. Permitted
entries: 00:00 ... 23:59
Maximum idle time (only with the
setting "on-demand connection")
If no packets are sent during a certain time, the Internet
connection is automatically terminated. In the "Maximum idle
time" box, enter the time in seconds after which the connection
will be terminated. Permitted values: 10 … 3600.
Dynamic DNS (DDNS)
Meaning
With dynamic DNS, you can access a constantly changing IP address with a permanently
defined name (FQDN). This is necessary, for example, if you want to access a server that
can be reached via a public, IP address that changes.
How it works
The security module signals the current WAN IP address via which the security module can
be reached to a provider for dynamic DNS (for example DynDNS.org, no-ip.com). The
provider makes sure that DNS queries sent to the FQDN of the security module are replied
to with the current WAN IP address of the security module.
Dynamic DNS is permitted at the following interfaces:
● External interface
● DMZ interface
Basics and application
104
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Setting up dynamic DNS - Requirements
Requirement:
● An account has been created with a providers of dynamic DNS and an FQDN has been
registered.
Setting up dynamic DNS - Follow the steps below:
1. Select the "DNS" tab in the module properties of the security module.
2. If the security module is downstream from a DSL router or DSL modem, you specify a
valid DNS server address. To do this, two options are available:
Option
Meaning
Obtain DNS server address automatically
The address of the DNS server can be obtained
automatically using PPPoE if the security
module is connected to the Internet via a DSL
modem. Can only be set for the external
interface and the DMZ interface.
Use the following DNS server address:
Enter the address of the preferred and of the
alternative DNS server manually.
3. Activate the "Activate service" check box in the "Primary dynamic DNS service" area and
make the following settings:
Setting
Meaning
Provider
Choose the provider with which you have set up
an account for dynamic DNS.
User account with the provider
Enter the user name that you specified when
you created the account.
Password with the provider
Enter the password that you specified when you
created the account.
FQDN
Enter the host name (e.g. mysecuritydevice)
and the domain name (e.g. dyndns.org) that is
registered with the provider separated by a
period. If an FQDN is also entered in the "VPN"
tab, both must match.
Monitor IP address change on DSL router
If the security module is connected to the
Internet via a DSL router, enabling this function
activates the function of the check IP service.
The security module periodically sends queries
to determine the current IP address of the DSL
router and to detect an IP address change on
the DSL router. The IP address specified in this
way is sent to the provider with each change ID.
Period
Specify the interval at which the Check IP
service is called. Permitted values: 10 … 1440
minutes
4. In case the primary provider fails, create a second provider in the "Secondary dynamic
DNS service" tab (optional setting).
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
105
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Setting up a user-defined provider - follow the steps below:
Select the "User-defined" entry in the "Provider" drop-down list and make the following
entries:
3.2.5
Setting
Meaning
Provider update URL
With the predefined providers (DynDNS.org and No-IP.com), the
URL is already populated.
Check IP service URL
With the predefined providers (DynDNS.org and No-IP.com), the
URL is already populated.
Ignore errors when checking the
server certificate
To ensure that the authentication data is protected, the
certificate of the update server is normally checked. If the
certificate check fails, the HTTP connection is terminated and
the account data is not transferred. If you select the check box,
the function is disabled, for example if the server certificate of
the dynamic DNS service is invalid (for example expired). It is
advisable not to ignore the check and not to select the check
box.
LLDP
Meaning
LLDP (Link Layer Discovery Protocol) is a protocol used to discover network topologies. A
device capable of LLDP can send information about itself to neighboring devices at regular
intervals and at the same time receive information from neighboring devices. The received
information is stored on every device with LLDP capability in an LLDP MIB file. Network
management systems can access these LLDP MIB files using SNMP and therefore recreate
the existing network topology.
Configurable parameters
The degree of activity of the security module in terms of LLDP can be configured in the
"Interfaces" tab of the module properties as follows:
● Send and receive LLDP frames (default setting "RxTx")
● Receive LLDP frames ("Rx")
Basics and application
106
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
3.2.6
Media redundancy in ring topologies
3.2.6.1
Media redundancy with MRP or HRP
Meaning
The term "media redundancy" groups together various methods for increasing availability in
Industrial Ethernet networks in which devices can be reached over different paths. This
might be achieved by meshing networks, arranging parallel transmission paths or by closing
a linear bus topology to form a ring.
Media redundancy methods MRP and HRP
Media redundancy within a ring topology is available with SIMATIC NET products with the
methods MRP (Media Redundancy Protocol) and HRP (High Speed Redundancy Protocol).
With both these methods, one of the nodes is configured as the redundancy manager. The
other nodes are redundancy clients. SCALANCE S627-2M modules can only adopt the role
of an MRP or HRP client. Using test frames, the redundancy manager checks the ring to
make sure it is not interrupted. The redundancy clients forward the test frames. If the test
frames of the redundancy manager no longer arrive at the other ring port of the redundancy
manager due to an interruption, the redundancy manager switches through its two ring ports
and informs the redundancy clients of the change immediately.
The two media redundancy methods MRP and HRP operate according to the same
functional principle. They differ in the time the SCALANCE X switches need to switch
through their ring ports as redundancy manager.
● MRP: 200 ms
● HRP: 300 ms
Note on the use of MRP and HRP
● MRP and HRP are supported in ring topologies with up to 50 devices. Exceeding this
number of devices can lead to a loss of data traffic.
● It is recommended that you set the ring ports involved to full duplex and 100 Mbps.
Otherwise there may be a loss of data traffic.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
107
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Possible uses of MRP/HRP on media module ports
MRP/HRP are supported only on the media module ports of the SCALANCE S627-2M. The
following table shows the possible uses of MRP/HRP on the media module ports of a
SCALANCE S627-2M:
Ring ports
Media module 1
MRP client or HRP
client*
Media module 2
P4
P5
P6
P7
-
-
-
-
Ring 1
Ring 1
-
-
-
-
Ring 2
Ring 2
Ring 1
Ring 1
Ring 2
Ring 2
* The simultaneous connection of the security module to an internal and an external ring is
possible only if at least one of the interfaces is connected as an MRP client.
With two lower-layer rings per SCALANCE S module, layer 3 communication is possible
between the rings.
3.2.6.2
Configuring MRP/HRP for the security module
Requirement
The security module is in routing mode.
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "MRP/HRP" tab.
Configurable parameters
Parameter
Meaning
Possible selections
MRP/HRP interfaces
Selection of the interface to
be connected to the
MRP/HRP ring.
•
External
•
Internal
Selection of the media
redundancy protocol or
disabling of media
redundancy for the selected
interface.
•
Not a node in the ring
•
MRP client (default setting)
•
HRP Client
Media redundancy role
Basics and application
108
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Parameter
Meaning
Possible selections
Activate 'passive listening'
Enable this check box if the
selected interface will be
connected to third-party
networks in which
STP/RSTP (Spanning Tree
Protocol/Rapid Spanning
Tree Protocol) is used.
•
Activate 'passive listening' (default)
•
Deactivate 'passive listening'
The members of an MRP
ring are specified with the
help of MRP domains. The
same MRP domain must be
selected for the interfaces of
all modules to be connected
to the same MRP ring.
As default, the predefined MRP domain
"mrpdomain-1" is selected for the external
interface. Using the buttons "Add...",
"Edit..."and "Remove", you can add new
MRP domains, edit the names of existing
MRP domains and delete existing MRP
domains.
MRP domain (only if the "MRP client" media
redundancy role is selected)
Ring port 1 (only when the media
Name of the first ring port of
redundancy role "MRP client" or "HRP client" the interface selected in
is selected)
"Interface" if "MRP client" or
"HRP client" was selected.
-
Ring port 2 (only when the media
Name of the second ring port
redundancy role "MRP client" or "HRP client" of the interface selected in
is selected)
"Interface" if "MRP client" or
"HRP client" was selected.
-
MRP node (only if the "MRP client" media
redundancy role is selected)
-
Display of information on all
security modules that belong
to the same MRP domain as
the selected interface.
Result
You have connected the security module to the MRP/HRP ring via the selected interface.
The media module ports of which interface(s) are connected to the MRP/HRP ring is also
shown in the "Interfaces" tab of the module properties.
Consistency check - this rule must be kept to
Remember the following rule when making the entries:
● The names of MRP domains may only be made up of lowercase letters, digits and the "-"
character. The names must begin with a lowercase letter or a digit.
See also
Consistency checks (Page 61)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
109
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
3.2.7
Special features of the ghost mode
Meaning
In ghost mode, the security module has no IP address of its own, neither on the internal nor
on the external interface. Instead, the security module obtains the IP address for its external
interface during runtime from a node connected to the internal interface of the security
module whose IP address parameters can be unknown at the time of configuration. It is
possible to change an IP address of the internal node and a corresponding IP address at the
external interface. Since the internal node is identified based on its MAC address, IP address
changes are made only for the learnt MAC address. No IP address is configured or obtained
on the internal interface of the security module.
As regards the MAC addresses, the security module replaces the MAC address of the
internal node with the MAC address of the security module in all outgoing packets on the
external interface (responses from the internal node).
Enabling ghost mode - follow the steps below:
Requirement: The ghost mode can only be selected if the project is in advanced mode.
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command.
3. From the drop-down list "Interface routing external/internal" in the "Interfaces" tab, select
the "Ghost mode" entry.
Configurable module properties
In ghost mode, the module properties can be configured in the following tabs:
● Interfaces
● Firewall
● Time synchronization
● Log settings
● SNMP
● RADIUS
Requirement for identifying an internal node
The security module can only obtain the IP address of the internal node if the internal node
initiates data communication in the direction of the security module.
In addition to this, during the identification of the IP address, the security module does not
provide any server services. The security module can only reply to queries from external
after data packets have been sent to the security module by the internal node.
Basics and application
110
Configuration Manual, 09/2013, C79000-G8976-C286-02
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Port assignment for incoming and outgoing data connections
As the external interface of the security module and the internal node have the same IP
address, the network components must be addressed explicitly via the TCP/UDP ports. For
this reason, the ports are either assigned to the security module or the internal node. The
assignments of the ports to the corresponding devices are shown in the following tables for
incoming and outgoing data connections:
Table 3- 5
Port assignments for incoming connections (from external to security module)
Service
Port
Protocol
Comment
Web services,
configuration and
diagnostics access
443
TCP
The HTTPS port is
permanently activated for
configuration and diagnostics
access using the Security
Configuration Tool and cannot
be changed.
SNMP
161
TCP
Once SNMP is activated in the
Security Configuration Tool,
incoming SNMP queries are
transmitted via UDP port 161.
Transfer via TCP port 161 is
also possible, for example, to
be able to reach the internal
node.
UDP
Note
After activating SNMP, the
SNMP port is permanently
assigned to the security
module. If SNMP is not
activated, the internal node can
be accessed using SNMP with
the aid of a firewall rule.
Table 3- 6
Port assignments for outgoing connections (from security module to external)
Service
Port
Protocol
Comment
Syslog
514
UDP
If the syslog service is
activated in the Security
Configuration Tool, syslog
messages are transmitted via
UDP port 514 by the security
module. This port assignment
cannot be changed.
NTP
123
UDP
If NTP servers are used for
time synchronization, NTP
queries are transferred via
UDP port 123. This port
assignment cannot be
changed.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
111
Creating modules and setting network parameters
3.2 Configuring interfaces (SCALANCE S)
Recognizable IP addresses and subnet masks
The security module only recognizes internal nodes with IP addresses in the range of the
network classes A, B or C. The subnet mask is identified by the security module based on
the network class (see table "Network classes and corresponding subnet masks"). To allow
the subnet mask to be determined correctly, a standard router must be entered for the
internal node.
Nodes with IP addresses in the network classes D and E are rejected by the security
module.
Table 3- 7
Network classes and corresponding subnet masks
Network
class
IP addresses
Low limit
Subnet mask
High limit
A
0.0.0.0
127.255.255.255
255.0.0.0
B
128.0.0.0
191.255.255.255
255.255.0.0
C
192.0.0.0
223.255.255.255
255.255.255.0
D
224.0.0.0
239.255.255.255
Is rejected by the security module
I
240.0.0.0
255.255.255.255
Is rejected by the security module
Configuration limits
A maximum of one internal node is recognized by the security module. If several internal
nodes exist, the security module reacts as follows:
● The first device the security module recognizes in the internal network obtains access to
the external network segment if the firewall is suitably configured.
● The data traffic of any additional nodes in the internal network is blocked in the outgoing
direction at level 2 (MAC layer) based on the sender address.
Loading configurations and diagnostics after commissioning
After obtaining an IP address from the internal node, the security module has an IP address
on the external interface that can differ from the IP address with which the security module
was initially configured. To make a change to the configuration or for diagnostic purposes,
you need to replace the initially configured IP address for the external interface with the IP
address that the security module has obtained from the internal node during runtime in the
Security Configuration Tool.
Routing information for hierarchical networks at the external port
If there are hierarchical networks with subnet transitions on the external interface of the
security module, the security module needs to obtain the corresponding routing information
from the internal node. To achieve this, the internal node must respond to ICMP queries sent
to it. Responding to ICMP broadcasts is not necessary.
Basics and application
112
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4
Meaning
The firewall functionality of the security modules is intended to protect networks and stations
from third-party influence and interference. This means that only certain, previously specified
communications relations are permitted. Disallowed frames are discarded by the firewall
without a reply being sent.
To filter the data traffic, IP addresses, IP subnets, port numbers or MAC addresses can be
used.
The firewall functionality can be configured for the following protocol levels:
● IP firewall with stateful packet inspection (layer 3 and 4)
● Firewall also for Ethernet "non-IP" frames according to IEEE 802.3 (layer 2)
The firewall can be used for encrypted (IPsec tunnel) and unencrypted data traffic.
Firewall rules
Firewall rules describe which packets in which direction are permitted or forbidden.
Automatic firewall rules for STEP 7 connections
With connections configured in STEP 7, firewall rules are automatically created in SCT that
enable the communications partner. The connection establishment directions are taken into
account.
The rules are only visible in advanced mode and can only be modified there.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
113
Configure the firewall
Project engineering
A distinction must be made between the two operating views:
● In standard mode, simple, predefined rules are used. You can only enable servicespecific rules. The enabled services are permitted for all nodes and full access is allowed
in the specified direction.
● In advanced mode, you can make detailed firewall settings. You can allow individual
services for a single node or all services for the node for access to the station or network.
The following firewall rules or rule sets must be distinguished in advanced mode:
– Local firewall rules are assigned to one security module. They are configured in the
properties dialog of the security modules.
– Global firewall rule sets can be assigned to individual or several security modules at
the same time. They are displayed in the navigation panel in advanced mode of the
Security Configuration Tool and configured globally.
– User-specific IP rule sets can be assigned to individual or several security modules at
the same time. They are displayed in the navigation panel in advanced mode of the
Security Configuration Tool and configured globally.
SCALANCE S V4 (RADIUS): User-specific IP rule sets can be assigned individual or
multiple users as well as individual or multiple roles.
With the aid of service definitions, you can also define firewall rules clearly in a compact
form. Service definitions can be used in all the rule types listed above.
Enabling the firewall
In standard mode, the firewall is controlled by selecting the "Activate firewall" check box. If
you deselect the check box, the firewall settings you have entered remain displayed in the
list but cannot be modified. If the security module is in a VPN group, the check box is
enabled as default and cannot be deselected.
Enabling log settings
In standard mode, you can enable logging globally in the "Firewall" tab. With this, however,
not all the packets that pass the firewall are displayed.
In advanced mode, you can enable logging for each individual firewall rule. This means that
the restriction relating to displayed packets from the standard mode does not apply.
Note
Firewall of SCALANCE S627-2M
The media module ports of the SCALANCE S627-2M are connected to the built-in port of the
particular interface via a switch chip. For this reason, there is no firewall functionality (layer 2
/ layer 3) between the ports of the external interface themselves nor between the ports of the
internal interface themselves.
Basics and application
114
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.1 CPs in standard mode
4.1
CPs in standard mode
Enabling packet filter rules
If you enable the security function for the CPs in STEP 7, initially all access to and via the
CP is permitted. To enable individual packet filter rules, click the "Enable firewall" check box.
Then enable the required services. Firewall rules created automatically due to a connection
configuration have priority over the services set here. All nodes have access using the
services you have enabled.
Detailed firewall settings in advanced mode
In advanced mode, you can restrict firewall rules to individual nodes. To change to advanced
mode, select the "Advanced mode" check box.
Note
No return to standard mode possible
If you switch to the advanced mode for the current project, you cannot switch back.
Firewall configuration with VPN
If the security module is in a VPN group, the "Tunnel communication only" check box is
enabled as default. This means that no communication can miss out the tunnel via the
external interface and that only encrypted IPsec data transfer is permitted. The firewall rule
"Drop" > "Any" > "External" is created automatically.
If you deselect the check box, tunneled communication and also the types of communication
selected in the other boxes are permitted.
4.1.1
CP x43-1 Adv.
4.1.1.1
Default firewall setting
Response with defaults
The following diagrams show the standard settings in detail in each case for the IP packet
filter and the MAC packet filter when the "Enable firewall" check box is selected and there
are also no rules in advanced mode. The behavior can be modified by creating suitable
firewall rules in advanced mode.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
115
Configure the firewall
4.1 CPs in standard mode
Default setting for CP x43-1 Adv.
Figure 4-1
Default setting for the IP packet filter CP x43-1 Adv.
① All frame types from internal to external are blocked.
② All frames from internal to the security module are allowed.
③ All frames from external to internal and to the security module are blocked (including
ICMP echo request).
④ Frames of the following types from external sources (external nodes and external
security modules) to security module are permitted:
• ESP protocol (encryption)
• IKE (protocol for establishing the IPsec tunnel)
• NAT Traversal (protocol for establishing the IPsec tunnel)
⑤ IP communication over an IPsec tunnel is allowed.
⑥ Frames of the type Syslog in the direction of external are allowed by the security module
and not influenced by the firewall.
Note
Since Syslog is an unreliable protocol there is no guarantee that the log data will be
transferred reliably.
⑦ Frames from the security module to internal and external are allowed.
⑧ Responses to queries from the internal network or from the security module are allowed.
Basics and application
116
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.1 CPs in standard mode
Figure 4-2
Default setting for the MAC packet filter CP x43-1 Adv.
① All frames from internal to the security module are allowed.
② All frames from external to the security module are blocked.
③ All frames of the following type from external to the security module are allowed:
• ARP with bandwidth limitation
• PROFINET DCP with bandwidth limitation
• LLDP
④ Frames of the following type from the security module to external are allowed:
• ARP with bandwidth limitation
• PROFINET DCP with bandwidth limitation
⑤ The following protocols sent through an IPsec tunnel are permitted:
• ISO
• LLDP
Note
No communication bypasses the VPN tunnel
Communication between the VPN endpoints is also prevented from bypassing the tunnel for
all VPN partners known in the project. The behavior cannot be modified by creating suitable
firewall rules in advanced mode.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
117
Configure the firewall
4.1 CPs in standard mode
4.1.1.2
Configure the firewall
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Firewall" tab.
Table 4- 1
Available services and directions
Service
Station ⇒
External
Externa Externa External ⇔ Enabled ports
l⇒
l⇒
Station
Internal
Station
Internal ⇒
External
Meaning
Allow IP
communicat
ion
x
x
x
-
-
IP traffic for the selected communication
directions is allowed.
Allow S7
protocol
x
x
x
-
TCP port 102
Communication of the nodes using the S7
protocol is allowed.
Allow
FTP/FTPS
(explicit
mode)
x
x
x
-
TCP port 20
TCP port 21
For file management and file access between
server and client.
Allow HTTP
x
x
x
-
TCP port 80
For communication with a Web server.
Allow
HTTPS
x
x
x
-
TCP port 443
For secure communication with a Web server,
for example, for Web diagnostics.
Allow DNS
x
x
-
-
TCP port 53
Communications connection to a DNS server
is allowed.
UDP port 53
Allow
SNMP
x
x
x
-
TCP port
161/162
For monitoring nodes capable of SNMP.
UDP port
161/162
Allow SMTP
x
x
Allow NTP
x
x
Allow MAC
level
communicat
ion
-
-
Allow ISO
communicat
ion
-
-
-
Table 4- 2
-
-
TCP port 25
For the exchange of e-mails between
authenticated users via an SMTP server.
-
-
UDP port 123
For synchronization of the time of day.
-
x
-
The MAC traffic from external to the station
and vice versa is allowed.
x
-
ISO traffic from external to the station and vice
versa is allowed.
Logging for IP and MAC rule sets
Rule set
IP log settings
Log tunneled packets
Action when activated
Created rule
Action
Only active if the security module is Allow
From
To
Station
Tunnel
Basics and application
118
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.1 CPs in standard mode
Rule set
Log blocked incoming packets
Action when activated
a member of a VPN group. All IP
packets forwarded via the tunnel
are logged.
Created rule
Allow
Tunnel
Station
All incoming IP packets that were
discarded are logged.
Drop
External
Station
Action
From
To
MAC log settings
Log blocked incoming packets to station
All incoming MAC packets that
were discarded are logged.
Drop
External
Station
Log blocked outgoing packets from station
All outgoing MAC packets that
were discarded are logged.
Drop
Station
External
Note
Data traffic via configured connections is not logged.
4.1.1.3
Configuring the access list
Changing the IP access list / ACL entries
The list appears if the "Activate access protection for IP communication" check box is
selected in the IP Access Protection tab in STEP 7.
You set access protection for certain IP addresses using the IP access lists. List entries
already made in STEP 7 with the appropriate rights are displayed in SCT.
The right "Modify the access list (M)" that can be selected in STEP 7 is not transferred to the
SCT. To be able to assign the additional IP access rights, you need to assign the "Web:
Expand IP access control list" user right to the relevant user in SCT.
Note
Modified behavior following migration
• Following migration, the access protection is effective only on the external interface. To
make the access protection effective on the internal interface as well, configure suitable
firewall rules in the advanced mode of SCT.
• The security module also responds to ARP queries from IP addresses that have not been
enabled (layer 2).
• If you migrate an IP access control list without entries, the firewall is enabled and there is
no longer any access to the CP from external. To make the CP available, configure
suitable firewall rules in SCT.
How to access this function
Menu command SCT: Select the security module to be edited and then select the menu
command "Edit" > "Properties...", "Firewall" tab.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
119
Configure the firewall
4.1 CPs in standard mode
STEP 7 menu command: "IP access protection" > "Start of firewall configuration", "Run…"
button.
Table 4- 3
Parameter
Meaning
IP address
Permitted IP address or IP address range.
Rights
Depending on the assignment made. Rights that are enabled for the IP
address.
Comment
Entry of additional comments.
Logging
If you select the check box, the rules are logged in the packet filter log.
Enable advanced mode
If you select the check box, the entries in the following firewall rules are
converted.
Table 4- 4
4.1.1.4
Information
Buttons
Name
Meaning / effect
New...
Create a new IP address or a new IP address range with the
corresponding rights.
Modify...
Select an entry and click this button to edit an existing entry.
Delete
Use this button to delete the selected entry.
Adding an entry in the access list
Make the following settings
Box
Description
IP address (or start of the IP range)
Enter the IP address or the start value of an IP address
range.
End of the IP range (optional)
Enter the end value of an IP address range.
Basics and application
120
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.1 CPs in standard mode
Box
Description
Comment
Entry of an additional comment, for example to
describe the communication partner or the address
range.
This IP address is authorized for the
following accesses.
Access to station (A = access): Communications
partners with addresses in the specified range have
access to the station (CP / CPU) assigned to the CP.
This access permission is set implicitly for IP
addresses you have specified in the connection
configuration (does not apply to specified connections).
IP routing to another subnet (R = routing):
Communications partners with addresses in the
specified range have access to other subnets
connected to CP. This access permission is not set
automatically for IP addresses you have specified in
the connection configuration. Where necessary, this
access permission must be set here explicitly.
Other rules when making entries:
● There is a check to determine whether individual addresses are included more than once;
here, the following is detected: Multiple single entries; overlapping ranges.
● IP addresses specified individually can also occur within a range; the access permissions
assigned in total to an IP address then apply.
● The system does not check whether invalid addresses are included in a range (for
example, subnet broadcast addresses could be specified here although they cannot
occur as the IP address of a sender).
4.1.2
CP 1628
4.1.2.1
Default firewall setting
Response with defaults
The following diagrams show the standard settings in detail in each case for the IP packet
filter and the MAC packet filter when the "Enable firewall" check box is selected and there
are also no rules in advanced mode. The behavior can be modified by creating suitable
firewall rules in advanced mode.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
121
Configure the firewall
4.1 CPs in standard mode
Default setting for CP 1628
Figure 4-3
Default setting for the IP packet filter CP 1628
① All frames from the NDIS and IE (Industrial Ethernet) interface to external are allowed.
② All frames from external are blocked.
③ All frames of the following type from external to the security module and vice versa are
allowed:
• ESP protocol (encryption)
• IKE (protocol for establishing the IPsec tunnel)
• NAT Traversal (protocol for establishing the IPsec tunnel)
④ IP communication over an IPsec tunnel is allowed.
⑤ Frames of the type Syslog in the direction of external are allowed by the security module.
Basics and application
122
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.1 CPs in standard mode
Figure 4-4
Default setting for the MAC packet filter CP 1628
① All frames from external are blocked.
② All frames of the following type from external are allowed:
• ARP with bandwidth limitation
• PROFINET DCP with bandwidth limitation
③ Frames of the following type from the security module to external are allowed:
• PROFINET DCP with bandwidth limitation
④ MAC protocols sent through an IPsec tunnel are permitted.
Note
No communication bypasses the VPN tunnel
Communication between the VPN endpoints is also prevented from bypassing the tunnel for
all VPN partners known in the project. The behavior cannot be modified by creating suitable
firewall rules in advanced mode.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
123
Configure the firewall
4.1 CPs in standard mode
4.1.2.2
Configure the firewall
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Firewall" tab.
Table 4- 5
Available services and directions
Service
External ⇒
Station
External ⇔
Station
Enabled ports
Meaning
Allow IP communication
x
-
-
IP traffic for the selected
communication directions is
allowed.
Allow S7 protocol
x
-
TCP port 102
Communication of the nodes
using the S7 protocol is
allowed.
Allow FTP/FTPS (explicit
mode)
x
-
TCP port 20
For file management and file
access between server and
client.
Allow HTTP
x
-
TCP port 80
For communication with a Web
server.
Allow HTTPS
x
-
TCP port 443
For secure communication with
a Web server, for example, for
Web diagnostics.
Allow DNS
x
-
TCP port 53
Communications connection to
a DNS server is allowed.
Allow SNMP
x
-
TCP port 21
UDP port 53
TCP port 161/162
UDP port 161/162
For monitoring nodes capable
of SNMP.
Allow SMTP
x
-
TCP port 25
For the exchange of e-mails
between authenticated users
via an SMTP server.
Allow NTP
x
-
UDP port 123
For synchronization of the time
of day.
Allow MAC level
communication
-
x
-
The MAC traffic from external to
the station and vice versa is
allowed.
Allow ISO communication
-
x
-
ISO traffic from external to the
station and vice versa is
allowed.
Allow SiCLOCK
-
x
-
SiCLOCK time-of-day frames
from external to the station and
vice versa are allowed.
Basics and application
124
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.1 CPs in standard mode
Table 4- 6
Logging for IP and MAC rule sets
Rule set
Action when activated
IP log settings
Log tunneled packets
Log blocked incoming packets
Created rule
Action
From
To
Only active if the security
module is a member of a
VPN group. All IP packets
forwarded via the tunnel are
logged.
Allow
Station
Tunnel
Allow
Tunnel
Station
All incoming IP packets that
were discarded are logged.
Drop
External Station
Action
From
MAC log settings
To
Log blocked incoming packets
All incoming MAC packets
that were discarded are
logged.
Drop
External Station
Log blocked outgoing packets
All outgoing MAC packets
that were discarded are
logged.
Drop
Station
External
Note
Data traffic via configured connections is not logged.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
125
Configure the firewall
4.2 SCALANCE S in standard mode
4.2
SCALANCE S in standard mode
4.2.1
Default firewall setting
Response with defaults
The following diagrams show the default settings in detail for the IP packet filter and the
MAC packet filter. The behavior can be modified by creating suitable firewall rules in
advanced mode.
Default setting for SCALANCE S602/S612 as of V3
Figure 4-5
Default setting for the IP packet filter SCALANCE S S602/S612 as of V3
①
②
③
④
All frame types from internal to external are blocked.
All frames from internal to the security module are allowed.
All frames from external to internal and to the security module are blocked.
Frames of the following types from external sources (external nodes and external
security modules) to the security module are permitted:
• HTTPS (SSL)
• ESP protocol (encryption)
• IKE (protocol for establishing the IPsec tunnel)
• NAT Traversal (protocol for establishing the IPsec tunnel)
Basics and application
126
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.2 SCALANCE S in standard mode
⑤ IP communication over an IPsec tunnel is allowed.
⑥ Frames from internal to external are allowed.
⑦ Frames from external to tunnel on the external interface and vice versa are blocked.
Figure 4-6
Default setting for the MAC packet filter SCALANCE S S602/612 as of V3
① All frame types from internal to external are blocked except for the following frame types.
• ARP frames
② All frames from internal to the security module are allowed.
③ All frames from external to internal are blocked except for the following frame types.
• ARP frames with bandwidth limitation
④ Frames of the following type from external to the security module are allowed:
• ARP with bandwidth limitation
• PROFINET DCP with bandwidth limitation
• In routing mode: LLDP frames (Ethertype 0x88CC)
⑤ In bridge mode: MAC protocols sent through an IPsec tunnel are permitted.
⑥ Frames of the following type from the security module to external are allowed:
• PROFINET
• In routing mode: LLDP frames (Ethertype 0x88CC)
⑦ Multicast and broadcast frames of the following type from external to the security module
are allowed:
• PROFINET with bandwidth limitation
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
127
Configure the firewall
4.2 SCALANCE S in standard mode
Note
Automatic enabling of Ethertypes
If PPPoE is active, the Ethertypes 0x8863 and 0x8864 are automatically allowed (PPPoE
Discovery and Session Stage).
Basics and application
128
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.2 SCALANCE S in standard mode
Default setting for SCALANCE S623 as of V3 and S627-2M V4
The default firewall rules for the external and internal interfaces correspond to the rules
applying to SCALANCE S modules of the type S602 and S612. Only IP packet filter rules
relating to the DMZ interface are shown in the following two figures. MAC packet filter rules
cannot be defined for the DMZ interface because the frames are routed between the external
or internal network and DMZ interface.
Figure 4-7
Default setting for IP packet filter SCALANCE S623/S627-2M (traffic between DMZ network and internal
network or DMZ network and security module)
①All frames from internal to DMZ network are blocked.
②All frames from internal to tunnel on the DMZ interface and vice versa are allowed.
③All frames from DMZ network to internal are blocked.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
129
Configure the firewall
4.2 SCALANCE S in standard mode
④All frames from the DMZ network to tunnel on the DMZ interface and vice versa are
blocked.
⑤Frames of the following type from DMZ network (nodes in the DMZ network and security
modules in the DMZ network) to the security module are permitted:
• HTTPS (SSL)
• ESP protocol (encryption)
• IKE (protocol for establishing the IPsec tunnel)
• NAT Traversal (protocol for establishing the IPsec tunnel)
Figure 4-8
Default setting for IP packet filter SCALANCE S623/S627-2M (traffic between DMZ network and external
network)
① All frames from external to DMZ network are blocked.
② All frames from external to tunnel on the DMZ interface and vice versa are blocked.
Basics and application
130
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.2 SCALANCE S in standard mode
③ All frames from the DMZ network to tunnel on the external interface and vice versa are
blocked.
④ All frames from the DMZ network to external are blocked
Note
Automatic enabling of Ethertypes
If PPPoE is active, the Ethertypes 0x8863 and 0x8864 are automatically allowed (PPPoE
Discovery and Session Stage).
4.2.2
Configuring a firewall for SCALANCE S ≥ V3.0
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Firewall" tab.
Firewall enabled as default
The "Enable firewall" check box is enabled by default. The firewall is therefore automatically
active and all access from external to the security module is blocked. By clicking the relevant
check box in standard mode, enable the firewall for the specific directions.
Detailed firewall settings in advanced mode
In advanced mode, you can restrict firewall rules to individual nodes, refer to the following
section:
● Firewall in advanced mode (Page 136)
Firewall configuration with VPN
If the security module is in a VPN group and if the "Tunnel communication only" check box is
selected in standard mode, only encrypted IPsec data transfer is allowed via the external
interface or the DMZ interface.
If you deselect the check box, tunneled communication and also the types of communication
selected in the other boxes are permitted.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
131
Configure the firewall
4.2 SCALANCE S in standard mode
Table 4- 7
Service
Available firewall rules and directions (IP traffic)
Internal ⇒
External
External
⇒
Internal
From
internal
From
external
Allow IP
communicat
ion
x
x
x
x
-
-
Allow S7
protocol
x
x
x
x
-
-
TCP port 102
Communication
of the nodes
using the S7
protocol is
allowed.
Allow
FTP/FTPS
(explicit
mode)
x
x
x
x
-
-
TCP port 20
For file
management and
file access
between server
and client.
Allow HTTP
x
x
x
x
-
-
TCP port 80
For
communication
with a Web
server.
Allow
HTTPS
x
x
x
x
-
-
TCP port 443
For secure
communication
with a Web
server, for
example, for Web
diagnostics.
Allow DNS
x
x
x
x
-
-
TCP port 53
Communications
connection to a
DNS server is
allowed.
internal =>
DMZ =>
DMZ
Internal
Enabled ports
-
TCP port 21
UDP port 53
Allow
SNMP
x
x
x
x
-
-
TCP port
161/162
UDP port
161/162
Meaning
IP
communication
for the selected
communication
directions is
allowed.
For monitoring
nodes capable of
SNMP.
Allow SMTP
x
x
x
x
-
-
TCP port 25
For the exchange
of e-mails
between
authenticated
users via an
SMTP server.
Allow NTP
x
x
x
x
-
-
UDP port 123
For
synchronization
of the time of
day.
Allow DHCP
x
x
x
x
-
-
UDP Port 67
UDP Port 68
Communication
with a DHCP
server is allowed.
Basics and application
132
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.2 SCALANCE S in standard mode
Service
Internal ⇒
External
External
⇒
Internal
Allow MAC
level
communicat
ion
-
-
-
Allow ISO
communicat
ion
-
-
Allow
SiCLOCK
-
Allow DCP
-
Table 4- 8
From
internal
From
external
-
x
x
-
The MAC traffic
from internal to
external and vice
versa is allowed.
-
-
x
x
-
The ISO traffic
from internal to
external and vice
versa is allowed.
-
-
-
x
x
-
SiClock time
frames from
internal to
external nodes
and vice versa
are allowed.
-
-
-
x
x
-
Internal to
external or
external to
internal DCP
traffic for IP
address
assignment is
allowed.
internal =>
DMZ =>
DMZ
Internal
Enabled ports
Meaning
Logging for IP and MAC rule sets
Rule set
Action when activated
IP log settings
Log tunneled packets
Only active if the security module is a member of a VPN group. All IP packets forwarded
via the tunnel are logged.
Log blocked incoming packets
All incoming IP packets that were discarded are logged.
Log blocked outgoing packets
All outgoing IP packets that were discarded are logged.
MAC log settings
Log tunneled packets
Only active if the security module is a member of a VPN group. All MAC packets
forwarded via the tunnel are logged.
Log blocked incoming packets
All incoming MAC packets that were discarded are logged.
Log blocked outgoing packets
All outgoing MAC packets that were discarded are logged.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
133
Configure the firewall
4.2 SCALANCE S in standard mode
4.2.3
Configuring a firewall for SCALANCE S < V3.0
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Firewall" tab.
Note
Detailed firewall settings in advanced mode
In advanced mode, you can restrict firewall rules to individual nodes.
Note
No return to standard mode possible
If you switch to the advanced mode for the current project, you cannot switch back.
Remedy for SCT Standalone: Close the project without saving and open it again.
Table 4- 9
Available services and directions
Rule/option
Enabled ports
Function
Tunnel
communication only
-
This is the default setting. The option can only be selected if the security
module is in a VPN group.
With this setting, only encrypted IPsec data transfer is allowed; only nodes
protected by security modules with VPN mechanisms can communicate
with each other.
If this option is deselected, tunnel communication and the type of
communication selected in the other boxes are permitted.
Allow IP
communication from
internal to external
network
-
Allow IP traffic with
S7 protocol from the
internal to external
network
TCP port 102
Allow access to
DHCP server from
internal to external
network
UDP port 67
Internal nodes can initiate a communication connection to nodes in the
external network. Only response frames from the external network are
forwarded into the internal network.
No communication connection can be initiated from the external network
to nodes in the internal network.
Internal nodes can initiate an S7 communication connection to nodes in
the external network. Only response frames from the external network are
forwarded into the internal network.
No communication connection can be initiated from the external network
to nodes in the internal network.
UDP port 68
Internal nodes can initiate a communication connection to a DHCP server
in the external network. Only the response frames of the DHCP server are
forwarded into the internal network.
No communication connection can be initiated from the external network
to nodes in the internal network.
Basics and application
134
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.2 SCALANCE S in standard mode
Rule/option
Enabled ports
Allow access to NTP UDP port 123
server from internal to
external network
Function
Internal nodes can initiate a communication connection to an NTP
(Network Time Protocol) server in the external network. Only the response
frames of the NTP server are passed into the internal network.
No communication connection can be initiated from the external network
to nodes in the internal network.
Allow SiClock time-of- day frames from
external to internal
network
This option allows SiClock time-of-day frames from the external network to
the internal network.
Allow access to DNS TCP port 53
server from internal to UDP port 53
external network
Internal nodes can initiate a communication connection to a DNS server in
the external network. Only the response frames of the DNS server are
forwarded into the internal network.
No communication connection can be initiated from the external network
to nodes in the internal network.
Allow the
configuration of
network nodes using
DCP
-
The DCP protocol is used by the PST tool to set the IP parameters (node
initialization) of SIMATIC NET network components.
This rule allows nodes in the external network to access nodes in the
internal network using the DCP protocol.
Table 4- 10
Logging for IP and MAC rule sets
Rule set
Action when activated
IP log settings
Log tunneled packets
Only active if the security module is a member of a VPN group: All
IP packets forwarded via the tunnel are logged.
Log blocked incoming packets
All incoming IP packets that were discarded are logged.
Log blocked outgoing packets
All outgoing IP packets that were discarded are logged.
MAC log settings
Log tunneled packets
Only active if the security module is a member of a VPN group: All
MAC packets forwarded via the tunnel are logged.
Log blocked incoming packets
All incoming MAC packets that were discarded are logged.
Log blocked outgoing packets
All outgoing MAC packets that were discarded are logged.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
135
Configure the firewall
4.3 Firewall in advanced mode
4.3
Firewall in advanced mode
Advanced mode provides extended options allowing individual settings for the firewall rules
and security functionality.
Switch over to advanced mode
To use all the functions described in this section, switch over to advanced mode.
Note
No return to standard mode possible
If you switch to the advanced mode and change the configuration for the current project, you
can no longer switch back.
Remedy SCT standalone: Close the project without saving and open it again.
Symbolic names are supported
You can also enter the IP addresses or MAC addresses as symbolic names in the functions
described below. For further information on symbolic names, refer to the section:
● You can assign symbolic names for IP / MAC addresses. (Page 62)
4.3.1
Configuring the firewall in advanced mode
Meaning
In contrast to the configuration of fixed packet filter rules in standard mode, you can
configure individual packet filter rules in the Security Configuration Tool in advanced mode.
You can set the packet filter rules in selectable tabs for the following protocols:
● Layer 3, 4: IP protocol, IP services
● Layer 2: MAC protocol, MAC services
Note
No MAC rules if routing mode is enabled
If you have enabled the routing mode for the security module, MAC rules are irrelevant
(dialogs are disabled).
If you do not enter any rules in the dialogs described below, the default settings of the
firewall apply. For more detailed information, refer to the following section:
Basics and application
136
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
● Default settings for CP x43-1 Adv.: Default firewall setting (Page 115)
● Default settings for CP 1628: Default firewall setting (Page 121)
● Default settings for SCALANCE S: Default firewall setting (Page 126)
Global, user-specific and local definition possible
● Global firewall rule sets can be assigned to several security modules at the same time.
They are displayed in the navigation panel in advanced mode of the Security
Configuration Tool and configured globally.
● User-specific IP rule sets can be assigned to individual or several security modules at the
same time. They are displayed in the navigation panel in advanced mode of the Security
Configuration Tool and configured globally.
SCALANCE S V4 (RADIUS): User-specific IP rule sets can be assigned individual or
multiple users as well as individual or multiple roles.
● Local firewall rules are assigned to one security module. They are configured in the
properties dialog of the security modules.
Several local firewall rules, several global firewall rule sets and several user-specific IP rule
sets can be assigned to a security module.
4.3.2
Global firewall rule sets
Application
Global firewall rule sets are configured depending on the module at project level and are
visible in the navigation panel of the Security Configuration Tool. A global firewall rule set
consists of one or more firewall rules and is assigned to the several security modules.
In the global firewall rule sets, a distinction is made between the following:
● IP rule sets
● MAC rule sets
The following schematic illustrates the relationship between globally defined rule sets and
locally used rule sets.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
137
Configure the firewall
4.3 Firewall in advanced mode
When are global firewall rule sets useful?
Global firewall rule sets are useful if you want to define identical communication filter criteria
for several security modules.
Note
Only assign firewall rule sets that are supported by the security module
A bad assignment of firewall rule sets can lead to undesirable results. You should therefore
always check the module-specific local firewall rules in the result. A bad rule assignment is
not detected in the automatic consistency check. Only rules that are actually supported by
the security module are adopted.
See also
User-specific IP rule sets (Page 140)
Basics and application
138
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
4.3.2.1
Global firewall rule sets - conventions
Global firewall rule sets are used locally
The following conventions apply when creating a global set of firewall rules and when
assigning it to a security module:
● Configuration view
Global firewall rule sets can only be created in advanced mode.
● Priority
As default, locally defined firewall rules have a higher priority than the global firewall rule
sets that were assigned locally. Global firewall rule sets are therefore initially entered at
the bottom of the local rule list.
The priority can be changed by changing the position in the rule list.
● Entering, changing or deleting rule sets
Global firewall rule sets cannot be edited in the local rule list of the firewall rules in the
module properties. They can only be displayed there and positioned according to the
required priority.
In the local rule list, an individual firewall rule of an assigned global firewall rule set
cannot be deleted. Only the entire firewall rule set can be removed from the local list of
rules. Adaptation of the global rule set is possible at any time using the properties dialog
of the global rule set.
All devices affected by this change must then be downloaded again.
4.3.2.2
Creating and assigning global firewall rule sets
How to access this function
1. Select one of the following folders from the navigation area:
– "Global firewall rule sets" > "Firewall IP rule sets"
– "Global firewall rule sets" > "Firewall MAC rule sets"
2. Select the "Insert" > "Firewall rule set" menu command.
3. Enter the following data:
– Name: Project-wide, unique name of the rule set. The name appears in the local rule
list of the security module after the rule set is assigned.
– Description: Enter a description of the global rule set.
4. Click the "Add rule" button.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
139
Configure the firewall
4.3 Firewall in advanced mode
5. Enter the firewall rules one by one in the list. Note the parameter description in the
sections below:
For IP rule sets: IP packet filter rules (Page 147).
For MAC rule sets: MAC packet filter rules (Page 157).
6. Assign the global firewall rule set to the security modules in which you want it to be used.
To do this, select the global firewall rule set in the navigation panel and drag this to the
security modules in the navigation panel (drag and drop). As an alternative, you can
make the assignment in the local rule list of a security module using the "Add rule sets..."
button.
Result
The global firewall rule set is used by the security modules as a local rule set and
automatically appears in the module-specific lists of firewall rules.
See also
Global firewall rule sets - conventions (Page 139)
4.3.3
User-specific IP rule sets
Meaning
Initially, individual or multiple users are assigned to user-specific IP rule sets. The userspecific IP rule sets are then assigned to individual or multiple security modules. This makes
it possible, to allow user-specific access. If, for example all access to the networks
downstream from a security module is blocked, certain nodes can be allowed for a user
based on their IP addresses. This means that access is allowed for this user but access
remains blocked for other users.
User logon via the Internet
The user can log in to the external interface or the DMZ interface of the security module via a
Web page. If authentication is successful, the predefined IP rule set for this user is enabled.
The connection of the security module is via HTTPS using the IP address of the connected
port and taking into account the valid routing rules:
Example:
External interface: 192.168.10.1
Call up of the login page with: https://192.168.10.1/
Users can log on with every role as long as the user or the role is assigned to a user-specific
firewall rule set.
Basics and application
140
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Options for authenticating the user
Depending on the authentication method selected when the user who will log in to the
security module was created, the authentication is handled by different instances:
● Authentication method "Password": Authentication is handled by the security module.
● Authentication method "RADIUS": Authentication is handled by a RADIUS server.
Assignment of roles to user-specific IP rule sets
On SCALANCE S V4 modules, it is also possible to assign user-specific IP rule sets that are
assigned to roles. This makes it possible to enable a group of users for access to certain IP
addresses.
If a RADIUS server is used for user authentication and a role is assigned to the user-specific
IP rule set, users can also be authenticated by the RADIUS server although they are not
configured on the security module. These users must be stored on the RADIUS server
where they need to be assigned to the role assigned to the user-specific IP rule set in SCT.
This procedure has the advantage that all user data is stored exclusively on the RADIUS
server.
You will find more information on authentication by the RADIUS server in the following
section:
Authentication using a RADIUS server (Page 80)
User-specific IP rule sets are used locally - conventions
The same conventions as described in the following section apply:
● Global firewall rule sets - conventions (Page 139)
4.3.3.1
Creating and assigning user-specific IP rule sets
How to access this function
1. In the navigation panel, select the "User-specific IP rule sets" folder.
2. Select the "Insert" > "Firewall rule set" menu command.
3. Enter the following data:
– Name: Project-wide, unique name of the user-specific IP rule set. The name appears
in the local rule list of the security module after the rule set is assigned.
– Description: Enter a description of the user-specific IP rule set.
4. Click the "Add rule" button.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
141
Configure the firewall
4.3 Firewall in advanced mode
5. Enter the firewall rules one by one in the list.
Note the parameter description in the following section:
–
IP packet filter rules (Page 147)
Note the special features of firewall rules generated automatically by SCT for NAT/NAPT
rules:
– Relationship between NAT/NAPT router and user-specific firewall (Page 181)
6. Assign one or more users and/or one or more roles to the user-specific IP rule set. The
assignment of roles to user-specific IP rule sets is possible only for SCALANCE S V4
modules.
Note
Assignment of user-specific IP rule sets
• A security module can only be assigned one user-specific rule set per user.
• Due to the assignment, the right "User/role may log in to module" is activated implicitly
for all users or roles assigned to the IP rule set.
7. Assign the user-specific IP rule set to the security modules in which you want it to be
used. To do this, select the user-specific IP rule set in the navigation panel and drag this
to the security modules in the navigation panel (drag and drop). As an alternative, you
can make the assignment in the local rule list of a security module using the "Add rule
sets..." button.
Basics and application
142
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Result
● The user-specific rule set is used by the assigned security modules as a local rule set and
automatically appears in the module-specific list of firewall rules.
● The user can log on to the security module. Authentication of the user is performed
depending on the selected authentication method either by the security module or a
RADIUS server.
Range of values for the maximum session time
The time after which the user is automatically logged out can be specified when creating or
editing a user, the default is 30 minutes. On the Web page of the security module, the
session time can be extended to the value assigned to the user.
You will find more information creating users in the following section:
Managing users (Page 70)
4.3.4
Connection-related automatic firewall rules
Automatically created firewall rules in SCT
For the following application, the firewall rules are created automatically:
● Connections configured in STEP 7
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
143
Configure the firewall
4.3 Firewall in advanced mode
Firewall rules for configured connections
If connections have been created in STEP 7, firewall rules are automatically created for
these in SCT. To achieve this there is system synchronization between STEP 7 and SCT
during which all connections configured in the project are checked. For each
communications partner, the IP address/MAC address, the action and the interface are
synchronized automatically. Regardless of the number of connections, 2 rules result per
communications partner.
Note
Enabling UDP multicast and UDP broadcast connections manually
No automatic firewall rules are created for UDP multicast and UDP broadcast connections.
To enable the connections, add the relevant firewall rules manually in advanced mode.
Depending on how the connection establishment is configured in STEP 7, the following level
3 firewall rules are created in SCT. If the security module is in a VPN group, the direction
"External" changes to "Tunnel".
The IP address of the connection partner is entered in the "Source IP address" or
"Destination IP address" column of these firewall rules.
CP->external
Action
From
To
active
Allow
Station
External
Drop
External
Station
Drop
Station
External
Allow
External
Station
Allow
External
Station
Allow
Station
External
CP->internal
Action
From
To
active
Allow
Station
Internal
Drop
Internal
Station
Drop
Station
Internal
Allow
Internal
Station
Allow
Internal
Station
Allow
Station
Internal
passive
active and passive
passive
active and passive
For level 2 connections, "Allow" rules are created for both directions. If the security module is
in a VPN group, the direction "External" changes to "Tunnel".
The MAC address of the connection partner is entered in the "Source MAC address" or
"Destination MAC address" column of these firewall rules.
Basics and application
144
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
CP->external
Action
From
To
active, passive, active and passive
Allow
Station
External
Allow
External
Station
Conventions for automatically created firewall rules
● Priority
The rules have highest priority and are therefore inserted at the top in the local rule list.
● Deleting rules
The rule sets cannot be deleted. Logging can be enabled and services can be assigned.
You can also insert a bandwidth and a comment.
● Changing the action
In SCT, if you set the action from "Allow" to "Drop" or vice versa, this will be overwritten
again if the system synchronization is repeated. If you want to retain your changes, select
"Allow*" or "Drop*". In this case, only the IP address/MAC address is synchronized with
STEP 7 and the action and direction remain as set. Settings for logging, service,
bandwidth and comment are also retained after a renewed system synchronization even
without changing the action to "Allow*" or "Drop*". If the corresponding connection does
not exist in STEP 7, the rule is removed from the list.
Security module in VPN group
As default, the "Tunnel communication only" check box is enabled. If you deselect the check
box, in addition to tunnel communication between tunnel partners, communication is also
possible with network nodes to which there is no tunnel.
● Communication is outside the tunnel if the partner address belongs to a station known in
SCT for which no VPN tunnel is configured.
● Communication is through the tunnel if the partner address is a VPN endpoint.
● If it is not clear whether connection should bypass or run through the VPN tunnel, the
connection is assigned to the VPN tunnel and a message to this effect is displayed. The
assignment can be adapted in advanced mode, for example by changing the "From"
direction "Tunnel" to "External". To avoid this adaptation being overwritten by the next
system synchronization, the "Allow*" or "Drop*" action must be selected.
Note
If you want to ensure that only communication through the tunnel is possible, you will
need to create suitable firewall rules in advanced mode, for example for internal nodes or
NDIS addresses.
To allow only tunneled communication for a CP, add a "Drop" > "Any" > "External" rule.
For the CP 1628, add a "Drop" > "Station" > "External" rule. In addition to this, you need
to remove existing firewall rules that allow untunneled communication.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
145
Configure the firewall
4.3 Firewall in advanced mode
4.3.5
Setting local IP packet filter rules
Using the IP packet filter rules, you can filter IP packets such as UDP, TCP, ICMP packets.
Within an IP packet filter rule, you can also include service definitions and further restrict the
filter criteria. If you do not specify services, the IP packet filter rule applies to all services.
Opening the dialog for local IP packet filter rules
SCT: Select the security module to be edited and then select the menu command "Edit" >
"Properties...", "Firewall" tab.
STEP 7: In the "Security" tab, click the "Run" button beside "Start of security configuration",
"Firewall tab.
Entering IP packet filter rules
Enter the firewall rules in the list one after the other; note the following parameter description
and the examples in the following sections or in the online help.
Basics and application
146
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Using global and user-specific firewall rule sets
Global firewall rule sets and user-specific rule sets you have assigned to the module are
automatically entered in the local rule list. If the assigned rule set appears at the end of the
rule list, it is processed with the lowest priority. You can change the priority by changing the
position in the rule list.
The online help explains the meaning of the individual buttons.
4.3.6
IP packet filter rules
IP packet rules are processed based on the following evaluations:
● Parameters entered in the rule;
● Order and associated priority of the rules.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
147
Configure the firewall
4.3 Firewall in advanced mode
Parameter
The configuration of an IP rule includes the following parameters:
Name
Meaning/comment
Available options / ranges of values
Action
Allow/disallow (enable/block)
•
Allow
Allow frames according to definition.
•
Drop
Block frames according to definition.
For automatically created connection rules:
•
Allow*
• Drop*
If you select these rules, there is no synchronization with
STEP 7. Modified rules are therefore not overwritten in
SCT.
From / To
The permitted communications
directions.
Is described in the following tables.
Source IP address
Source address of the IP packets
Refer to the following section:
Destination IP
address
Destination address of the IP packets
• IP packet filter rules (Page 147)
As an alternative, you can enter symbolic names.
Note on the ghost mode
If ghost mode is activated, the IP address of the internal
node is dynamically determined by security module at
runtime. Depending on the selected direction, you cannot
make entries in the column "Source IP address" (for
direction "From internal to external) or in the column
"Target IP address" (for direction "From external to
internal"). Instead, the IP address is inserted in the firewall
rule automatically by the SCALANCE S itself.
Service
Name of the IP/ICMP service or
service group used.
The drop-down list box displays the configured services
and service groups you can select.
Using the service definitions, you can
define packet filter rules.
No entry means: No service is checked, the rule applies to
all services.
Here, you select one of the services
you defined in the IP services dialog:
Note:
•
IP services
•
ICMP services
So that the predefined IP services appear in the drop-down
list, select this first in standard mode.
Service group including IP and/or
ICMP services
If you have not yet defined any
services or want to define an
additional service, click the "IP
services…" button (in the "IP rules"
tab) or "MAC services…" button (in
the "MAC rules" tab).
•
Basics and application
148
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Name
Meaning/comment
Available options / ranges of values
Bandwidth (Mbps)
Option for setting a bandwidth
limitation. Can only be entered if the
"Allow" action is selected.
CP x43-1 Adv. and SCALANCE S < V3.0: 0.001 ... 100
A packet passes through the firewall if
the pass rule matches and the
permitted bandwidth for this rule has
not yet been exceeded.
CP 1628 and SCALANCE S ≥ V3.0: 0.001 ... 1000
For rules in global and user-specific rule sets: 0.001 ... 100
Logging
Enable or disable logging for this rule.
For more information on logging
settings, refer to the following section:
Logging events (Page 244)
No.
Automatically assigned number of the
rule for assignment of the logged
packets to a configured firewall rule.
Comment
Space for your own explanation of the If a comment is marked with "AUTO", it was created for an
rule.
automatic connection rule.
Table 4- 11
Directions with a CP
Available options / ranges
of values
From
To
Internal
External
Station
Tunnel
Any
Table 4- 12
Security module
Meaning
CP x43-1
Adv.
CP 1628
Station
x
-
Access from the internal network to the station.
Any
x
-
Access from internal to the external network, VPN tunnel partner
and the station.
Station
x
x
Access from the external network to the station.
Any
x
-
Access from external to the internal network and the station.
Internal
x
-
Access from the station to the internal network.
External
x
x
Access from the station to the external network.
Tunnel
x
x
Access from the station to the VPN tunnel partner.
Station
x
x
Access via the VPN tunnel partner to the station.
Any
x
-
Access from VPN tunnel partners to the internal network and the
station.
External
x
-
Access from the internal network and the station to the external
network.
SCALANCE S directions
Available options / ranges of values
Security module
From
To
S602
S61x
S623 / S627-2M
Internal
External
x
x
x
Tunnel
-
x
x
Any
-
x
x
DMZ
-
-
x
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
149
Configure the firewall
4.3 Firewall in advanced mode
Available options / ranges of values
External
Tunnel
Any
DMZ
Security module
Internal
x
x
x
Internal
x
x
x
Any
-
-
x
Tunnel
-
-
x
DMZ
-
-
x
Internal
-
x
x
External
-
x
x
DMZ
-
-
x
Internal
-
x
x
External
-
-
x
DMZ
-
-
x
Internal
-
-
x
External
-
-
x
Any
-
-
x
Tunnel
-
-
x
Order for rule evaluation by the security module
The packet filter rules are evaluated as follows:
● The list is evaluated from top to bottom; if rules are contradictory (e.g entries with the
same direction information but different actions), the rule higher in the list is therefore
applied.
● In rules for communication between the internal network, external network and DMZ
network, the following applies: All frames except for the frames explicitly allowed in the list
are blocked.
● In rules for communication to and from the IPsec tunnel, the following applies: All frames
except for the frames explicitly blocked in the list are allowed.
Basics and application
150
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Example
The packet filter rules shown have the following effect:
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
151
Configure the firewall
4.3 Firewall in advanced mode
①
②
③
④
⑤
⑥
All frame types from internal to external are blocked as default, except for those explicitly allowed.
All frame types from external to internal are blocked as default, except for those explicitly allowed.
IP packet filter rule 1 allows packets with the service definition "Service X1" from internal to external.
IP packet filter rule 2 allows frames from external to internal when the following conditions are met:
•
IP address of the sender: 196.65.254.2
•
IP address of the recipient: 197.54.199.4
•
Service definition: "Service X2"
IP packet filter rule 3 blocks frames with the service definition "Service X1" sent from the VPN tunnel to the internal
network.
IPsec tunnel communication is allowed as default except for the explicitly blocked frame types.
See also
MAC packet filter rules (Page 157)
Range of values for IP address, subnet mask and address of the gateway (Page 253)
IP addresses in IP packet filter rules
The IP address consists of four decimal numbers with the range from 0 to 255, each number
separated by a period; example: 141.80.0.16
In the packet filter rule, you have the following options for specifying IP addresses:
● Nothing specified
There is no check, the rule applies to all IP addresses.
● An IP address
The rule applies specifically to the specified address.
Basics and application
152
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
● Address range
The rule applies to all the IP addresses covered by the address range.
An address range is defined by specifying the number of valid bit places in the IP address
in the format: [IP address]/[number of bits to be included]
– [IP address]/24 therefore means that only the most significant 24 bits of the IP address
are included in the filter rule: These are the first three octets of the IP address.
– [IP address ]/25 means that only the first three octets and the highest bit of the fourth
octet of the IP address are included in the filter rule.
● Address area
For the source IP address, an address range can be specified separated by a hyphen:
[Start IP address]-[End IP address]
For more detailed information, refer to the following section:
● Range of values for IP address, subnet mask and address of the gateway (Page 253)
Table 4- 13
Examples of address ranges in IP addresses
Source IP address or
destination IP address
Address range
from
4.3.7
Number of
addresses
to
192.168.0.0/16
192.168.0.0
192.168.255.255
65.536
192.168.10.0/24
192.168.10.0
192.168.10.255
256
192.168.10.0/25
192.168.10.0
192.168.10.127
128
192.168.10.0/26
192.168.10.0
192.168.10.63
64
192.168.10.0/27
192.168.10.0
192.168.10.31
32
192.168.10.0/28
192.168.10.0
192.168.10.15
16
192.168.10.0/29
192.168.10.0
192.168.10.7
8
192.168.10.0/30
192.168.10.0
192.168.10.3
4
Defining IP services
How to access this function
● Using the menu command "Options" > "IP services...".
or
● From the "IP Rules" tab with the "IP services..." button.
Meaning
Using the IP service definitions, you can define succinct and clear firewall rules for specific
services. You select a name and assign the service parameters to it.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
153
Configure the firewall
4.3 Firewall in advanced mode
These services defined in this way can also be grouped together under a group name.
When you configure the global or local packet filter rules, you use this name.
Parameters for IP services
You define the IP services using the following parameters:
Table 4- 14
IP services: Parameter
Name
Meaning/comment
Available options / ranges of
values
Name
User-definable name for the service that is used as
identification in the rule definition or in the group.
Can be selected by user
Protocol
Name of the protocol type
TCP
UDP
Any
Source port
The filtering is based on the specified port number;
this defines the service access at the frame sender.
Examples:
*: Port is not checked
20 or 21: FTP service
Destination
port
The filtering is based on the specified port number;
this defines the service access at the frame
recipient.
Examples:
*: Port is not checked
80: Web HTTP service
102: S7 protocol - TCP/port
4.3.8
defining ICMP services
Using the ICMP service definitions, you can define firewall rules for specific ICMP services.
You select a name and assign the service parameters to it. The defined services can also be
grouped together under a group name. When you configure the packet filter rules, you then
use this group name.
Basics and application
154
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
How to access this function
● Using the menu command "Options" > "IP services...", "ICMP" tab.
or
● From the "IP rules" tab with the "IP services..." button, "ICMP" tab
Parameters for ICMP services
You define the ICMP services using the following parameters:
Table 4- 15
ICMP services: Parameter
Name
Meaning/comment
Available options / ranges of
values
Name
User-definable name for the service that is used as Can be selected by user
identification in the rule definition or in the group.
Type
Type of ICMP message
Refer to the dialog illustration.
Code
Codes of the ICMP type
Values depend on the selected
type.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
155
Configure the firewall
4.3 Firewall in advanced mode
4.3.9
Setting MAC packet filter rules
With MAC packet filter rules, you can filter MAC packets.
Note
No MAC rules if routing mode is enabled
If you have enabled the routing mode for the SCALANCE S module, MAC rules are
irrelevant.
Dialog / tab
Select the security module to be edited.
Select the "Edit" > "Properties..." menu command, "Firewall" > "MAC rules" tab.
Entering packet filter rules
Enter the firewall rules in the list one after the other; note the following parameter description
and the examples in the following sections or in the online help.
Basics and application
156
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Using global firewall rule sets
Global firewall rule sets you have assigned to the module are automatically entered in the
local rule list. If the assigned rule set appears at the end of the rule list, it is processed with
the lowest priority. You can change the priority by changing the position in the rule list.
The online help explains the meaning of the individual buttons.
4.3.10
MAC packet filter rules
MAC packet filter rules are processed based on the following evaluations:
● Parameters entered in the rule;
● Priority of the rule within the rule set.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
157
Configure the firewall
4.3 Firewall in advanced mode
MAC packet filter rules
The configuration of a MAC rule includes the following parameters:
Table 4- 16
MAC rules: Parameter
Name
Meaning/comment
Available options / ranges of values
Action
Allow/disallow (enable/block)
•
Allow
Allow frames according to definition.
•
Drop
Block frames according to definition.
For automatically created connection rules:
•
Allow*
• Drop*
If you select these rules, there is no synchronization with
STEP 7. Modified rules are therefore not overwritten in
SCT.
From / To
The permitted communications
directions.
Source MAC address Source address of the MAC packets
Are described in the following tables.
As an alternative, you can enter symbolic names.
Destination MAC
address
Destination address of the MAC
packets
Service
Name of the MAC service or service
group used.
The drop-down list box displays the configured services and
service groups you can select.
"Any" groups together the directions
permitted for the individual entry.
No entry means: No service is checked, the rule applies to
all services.
Note:
So that the predefined MAC services appear in the dropdown list, select this first in standard mode.
Bandwidth (Mbps)
Option for setting a bandwidth
limitation. Can only be entered if the
"Allow" action is selected.
A packet passes through the firewall
if the pass rule matches and the
permitted bandwidth for this rule has
not yet been exceeded.
Logging
Enable or disable logging for this
rule.
No.
Automatically assigned number for
assignment to a configured firewall
rule.
Comment
Space for your own explanation of
the rule
CP x43-1 Adv. and SCALANCE S ≤ V3.0: 0.001 ... 100
CP 1628 and SCALANCE S ≥ V3.0: 0.001 ... 1000
For rules in global and user-specific rule sets: 0.001 ... 100
If a comment is marked with "AUTO", it was created for an
automatic connection rule.
Permitted directions
The following directions can be set:
Basics and application
158
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Table 4- 17
Firewall directions with a CP
Available options /
ranges of values
Meaning
From
To
CP x43-1 Adv.
CP 1628
External
Station
x
x
Access from the external network to
the station.
Station
External
x
x
Access from the station to the
external network.
Tunnel
x
x
Access from the station to the VPN
tunnel partner.
Station
x
x
Access via the VPN tunnel partner to
the station.
Tunnel
Table 4- 18
Security module
Firewall directions SCALANCE S
Available options / ranges of values
From
To
Internal
External
Tunnel
Any
Security module
S602
S61x
S623 / S627-2M
External
x
x
x
Tunnel
-
x
x
Any
-
x
x
Internal
x
x
x
Any
-
-
x
Tunnel
-
-
x
Internal
-
x
x
External
-
x
x
Internal
-
x
x
External
-
-
x
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
159
Configure the firewall
4.3 Firewall in advanced mode
Rule evaluation by the security module
The packet filter rules are evaluated as follows:
● The list is evaluated from top to bottom; if rules are contradictory, the rule higher in the list
is applied.
● The following applies to all frames not explicitly listed in the rules for communication in
the direction to "External" or from "External": All frames except for the frames explicitly
allowed in the list are blocked.
● The following applies to all frames not explicitly listed in the rules for communication in
the direction to "Tunnel" or from "Tunnel": All frames except for the frames explicitly
blocked in the list are allowed.
Note
IP rules apply to IP packets, MAC rules apply to layer 2 packets
For the firewall, you can define both IP rules and MAC rules. Rules for editing in the
firewall are based on the Ethertype.
IP packets are forwarded or blocked depending on the IP rules and layer 2 packets are
forwarded or blocked depending on the MAC rules.
It is not possible to filter an IP packet using a MAC firewall rule, for example based on a
MAC address.
Examples
You can apply the example of an IP packet filter in Section 5.4.3 (Page 147) analogously to
the MAC packet filter rules.
4.3.11
defining MAC services
How to access this function
● Using the menu command "Options" > "MAC services...".
or
● From the "MAC Rules" tab with the "MAC services..." button.
Meaning
Using the MAC service definitions, you can define firewall rules for specific services. You
select a name and assign the service parameters to it. These services defined in this way
can be grouped together under a group name. When you configure the global or local packet
filter rules, you use this name.
Basics and application
160
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Parameters for MAC services
A MAC service definition includes a category of protocol-specific MAC parameters:
Table 4- 19
MAC services - parameters
Name
Meaning/comment
Available options / ranges of values
Name
User-definable name for the service that is used as
identification in the rule definition or in the group.
Can be selected by user
Protocol
Name of the protocol type:
•
•
•
ISO
ISO
•
SNAP
ISO identifies frames with the following properties:
•
PROFINET IO
Lengthfield <= 05DC (hex),
DSAP= userdefined
SSAP= userdefined
CTRL= userdefined
•
0x (code entry)
SNAP
SNAP identifies frames with the following properties:
Lengthfield <= 05DC (hex),
DSAP=AA (hex),
SSAP=AA (hex),
CTRL=03 (hex),
OUI=userdefined,
OUI-Type=userdefined
•
PROFINET IO
DSAP
Destination Service Access Point: LLC recipient address
SSAP
Source Service Access Point: LLC sender address
CTRL
LLC control field
OUI
Organizationally Unique Identifier (the first 3 bytes of the
MAC address = vendor identification)
OUI type
Protocol type/identification
*) The protocol entries 0800 (hex) and 0806 (hex) are not accepted since these values apply to IP or ARP frames.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
161
Configure the firewall
4.3 Firewall in advanced mode
Note
Processing for S7-CPs
Only settings for ISO frames with DSAP=SSAP=FE (hex) are processed. Other frame types
are not relevant for S7 CPs and are therefore discarded even before processing by the
firewall.
Special settings for SIMATIC NET services
To filter special SIMATIC NET services, please use the following SNAP settings:
● DCP (Primary Setup Tool):
PROFINET
● SiCLOCK:
OUI= 08 00 06 (hex) , OUI-Type= 01 00 (hex)
4.3.12
Setting up service groups
Forming service groups
You can put several services together by creating service groups. In this way, you can set up
more complex services that can be used in the packet filter rules simply by selecting the
name.
Basics and application
162
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Dialogs / tabs
You open the dialog with the following menu command:
"Options" > "IP services..." or "MAC services...", "Service groups" tab.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
163
Configure the firewall
4.3 Firewall in advanced mode
4.3.13
Adjusting standard rules for IP services
How to access this function:
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Firewall" tab > "Default rules for IP
services" tab.
Meaning of the advanced settings
Parameter
Meaning when activated
Use advanced status options
The permitted number of connections and firewall statuses
per time unit is limited. If a network node exceeds this limit,
its IP address is entered in the IP blacklist of the security
module. The IP blacklist of the security module can be
viewed in online mode.
Log all activated rules
Packets that are allowed according to the default rules for IP
services are logged.
Enable ICMP test for interfaces
Ping queries coming in on an interface of the security
module can be forwarded to other interfaces. This means
that, for example, ping queries can be made from the
external network to the internal interface of the security
module.
Meaning of the default firewall rules
This dialog allows you to adjust the service-specific firewall rules set as default for the
interfaces of the security module. The standard settings of the dialog correspond to the
standard firewall rules of the particular security module.
Default firewall rules for SCALANCE S
The following table lists the default firewall rules for SCALANCE S modules. In some cases,
the firewall rules are only set if the relevant service is used by the security module (e.g.
SNMP).
Service
Direction
Interface rerouting
outgoing
HTTPS
ICMP
incoming
X1 interface
(red)
Interface X2
(green)
Interface X3 Tunnel
interface
(yellow)
-
x
-
-
x
x*
x
x*
-
x
-
x
Basics and application
164
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configure the firewall
4.3 Firewall in advanced mode
Service
Direction
X1 interface
(red)
outgoing
-
x
-
-
SNMP
incoming
x
x
x
x
Syslog
outgoing
x
x
x
x
NTP
outgoing
x
x
x
x
DNS
outgoing
x
x
x
x
HTTP
outgoing
x
-
x
-
VPN (IKE)
x
-
x
-
VPN (NAT Traversal)
x
-
x
-
-
x
x
-
ICMP pathfinder
Interface X2
(green)
Interface X3 Tunnel
interface
(yellow)
BootP Server
incoming
BootP Client
outgoing
-
x
x
-
RADIUS
outgoing
x
x
x
x
outgoing
x*
x*
-
-
outgoing
-
-
x*
-
CARP
Pfsync
x enabled as default
- disabled as default
* cannot be adapted
Default firewall rules for S7 CPs
The following table lists the default firewall rules for S7 CPs. In some cases, the firewall rules
are only set if the relevant service is activated in the Security Configuration Tool.
Service
Direction
VPN (IKE)
External (Gbit)
x*
VPN (NAT traversal)
Internal (PN-IO)
-*
x*
-*
BootP Server
outgoing
x*
x*
BootP Client
incoming
x*
x*
x enabled as default
- disabled as default
* cannot be adapted
The two services "BootP Server" and "BootP Client" are both active together either on the
external interface or on the internal interface. Accordingly, either both firewall rules are active
on the external interface or they are both active on the internal interface.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
165
Configure the firewall
4.3 Firewall in advanced mode
Basics and application
166
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1
Security module as router
5.1.1
Overview
5
Meaning
By using the security module as router, the networks become separate subnets on the
internal, external and DMZ interface (SCALANCE S623/S627-2M only, see section below).
You have the following options:
● Routing - can be set in both standard and advanced mode
● NAT/NAPT routing - can be set in advanced mode
All network queries that do not belong to a subnet are forwarded by a router to a different
subnet, see following section:
● Specifying a standard router and routes (Page 168)
Enable routing mode or DMZ interface - "Interfaces" tab
If you have enabled routing mode or the DMZ interface, frames intended for an existing IP
address in the subnet (internal, external, DMZ) are forwarded. The firewall rules configured
for the direction of transmission also apply.
For this mode, you need to configure an IP address and a subnet mask for addressing the
router on the internal subnet and/or on the DMZ subnet for the internal interface and/or for
the DMZ interface. All network queries that do not belong to a subnet are forwarded by the
standard router to a different subnet.
Note
In contrast to the bridge mode of the security module, VLAN tags are lost in routing mode.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
167
Configuring additional module properties
5.1 Security module as router
Bridge and routing mode with SCALANCE S623/S627-2M
The DMZ network is always a separate subnet. The difference between bridge and routing
mode lies in the division of the external and internal network:
● "Bridge" mode: Internal and external network are in the same subnet; DMZ network is in a
separate subnet.
● "Routing" mode: Internal and external network are each in their own subnet; DMZ
network is in an additional separate subnet.
5.1.2
Specifying a standard router and routes
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Routing" tab.
3. If you enter the IP address / FQDN for the standard router, all routes are directed via this
router if no specific routes apply. You can enter specific routes in the "Routes" input area.
4. Click the "Add route" button.
5. Enter the following values:
Parameter
Function
Example of a value
Network ID
Requests to nodes of the subnet with the network ID
and the subnet mask specified here are forwarded to
the subnet via the specified router IP address.
192.168.11.0
Based on the network ID, the router recognizes
whether a target address is inside or outside the
subnet.
The specified network ID must not be located in the
same subnet as the IP address of the security module.
Subnet mask
The subnet mask determines the network structure.
Based on the network ID, the router recognizes
whether a destination address is inside or outside the
subnet. The subnet mask to be specified cannot be
restricted to a single network node (255.255.255.255).
255.255.255.0
Router IP address
IP address / FQDN of the router that connects to the
subnet.
192.168.10.2 / myrouter.dyndns.org
The IP address of the router must be in the same
subnet as the IP address of the security module.
Activate rerouting
Select this check box if the frames of the entered route
(SCALANCE S
will enter and leave on the same interface of the
V3/V4 modules only) security module (rerouting). Rerouting is only
supported on the internal interface of the security
module.
Basics and application
168
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1 Security module as router
Special features with a standard router
● If the IP assignment configured in the "Interfaces" tab is via "PPPoE", no standard router
needs to be configured because the standard route is always automatically via the
PPPoE interface.
● If the address assignment configured in the "Interfaces" tab is via a "Static address" and if
the security module is connected to the Internet via a DSL (NAPT) router, the DSL router
must be entered as the standard router.
● For security modules in ghost mode (SCALANCE S602 ≥ V3.1 only), no standard routers
can be configured since these are identified during runtime. Specific routes cannot be
configured for security modules in ghost mode.
5.1.3
NAT/NAPT routing
Requirement
● The project is in advanced mode.
● The security module is in routing mode or the DMZ interface is activated (SCALANCE
S623 / S627-2M only).
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "NAT/NAPT" tab.
3. When required, enable address translation according to NAT(Network Address
Translation) or NAPT (Network Address Port Translation).
Address translation with NAT (Network Address Translation)
NAT is a protocol for address translation between two address spaces.
The main task is to translate private addresses into public addresses; in other words into IP
addresses that are used and even routed on the Internet. As a result, the IP addresses of the
internal network are not known to the outside in the external network. The internal nodes are
only visible in the external network using the external IP addresses specified in the address
translation list (NAT table). If the external IP address is not the address of the security
module and if the internal IP address is unique, this is known as 1:1 NAT. With 1:1 NAT, the
internal address is translated to this external address without port translation. Otherwise, n:1
NAT is being used.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
169
Configuring additional module properties
5.1 Security module as router
Address translation with NAPT (Network Address Port Translation)
The address translation with NAPT changes the destination IP address and the destination
port to a communications relation (port forwarding).
Frames coming from the external network or DMZ network and intended for the IP address
of the security module are translated. If the destination port of the frame is identical to one of
the values specified in the "Source port" column, the security module replaces the
destination IP address and the destination port as specified in the corresponding row of the
NAPT table. With the reply, the security module uses the values for the destination IP
address and destination port as contained in the initial frame as the source IP address and
the source port.
The difference to NAT is that with this protocol ports can also be translated. There is no 1:1
translation of the IP address. There is now only a public IP address that is translated to a
series of private IP addresses with the addition of port numbers.
Address translation in VPN tunnels
Address translations with NAT/NAPT can also be performed for communications relations
established via a VPN tunnel. This is supported for connection partners of the type
SCALANCE M (only 1:1-NAT) and SCALANCE S612 / S623 / S627-2M V4.
You will find further information on address translations in VPN tunnels in the following
sections:
● Address translation with NAT/NAPT (Page 172)
● Address translation with NAT/NAPT in VPN tunnels (Page 178)
Conversion of NAT/NAPT rules from old projects
With SCT V4.0, the configuration mode of NAT/NAPT rules and the corresponding firewall
rules was changed. If you want to adapt or expand the NAT/NAPT rules from a project
created with SCT V3.0/V3.1 in SCT V4.0, you first need to convert the NAT/NAPT rules to
SCT V4.0. To do this, select the menu command "Convert all NAT/NAPT rules to SCT V4" or
"Convert selected NAT/NAPT rule to SCT V4" in the shortcut menu of a NAT/NAPT rule.
SCT will then automatically generate firewall rules for the converted NAT/NAPT rules that
enable communication in the configured address translation direction. Then modify or
remove the firewall rules you created manually for the NAT/NAPT rules if these contradict
the automatically generated firewall rules. Then make the required adaptations and/or
expansions to the NAT/NAPT and firewall rules.
Basics and application
170
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1 Security module as router
Consistency check - these rules must be adhered to
When assigning addresses, remember the following rules to obtain consistent entries:
● The internal IP addresses must not be identical to the IP addresses of the security
module.
● Use the part specified by the subnet mask for the IP addresses:
– IP addresses that you specify for the direction "external" must be in the same subnet
range as the external IP address of the security module in the "Interfaces" tab.
– IP addresses that you specify for the direction "internal" must be in the same subnet
range as the internal IP address of the security module in the "Interfaces" tab.
– IP addresses that you specify for the direction "DMZ" must be in the same subnet
range as the DMZ IP address of the security module in the "Interfaces" tab.
● An IP address used in the NAT/NAPT address conversion list must not be a multicast or
broadcast address.
● The external ports assigned for the NAPT translation are in the range > 0 and ≤ 65535.
Port 123 (NTP), 443 (HTTPS), 514 (Syslog), 161 (SNMP), 67+68 (DHCP) and 500+4500
(IPsec) are excluded if the relevant services are activated on the security module.
● The external IP address of the security module or the IP address of the DMZ interface
may only be used in the NAT table for the action "Source NAT".
● Checking for duplicates in the NAT table
An external IP address or an IP address in the DMZ network used in the direction
"Destination NAT" or "Source NAT +Destination NAT" may only occur once in the NAT
table for each specified direction.
● Checking for duplicates in the NAPT table
– A source port number may only be entered once for each interface.
– The port numbers or port ranges of the external ports and DMZ ports must not
overlap.
● Internal NAPT ports can be in the range > 0 and ≤ 65535.
Once you have completed your entries, run a consistency check.
Select the "Options" > "Consistency checks" menu command.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
171
Configuring additional module properties
5.1 Security module as router
5.1.4
Address translation with NAT/NAPT
Enabling NAT
The input boxes for NAT are enabled. NAT address translations only take effect with the
entries in the address translation list described below. After creating NAT rules, the
corresponding firewall rules are generated and displayed in advanced mode, see section:
Relationship between NAT/NAPT router and firewall (Page 179)
If PPPoE is activated for the external interface or the DMZ interface, the action "Destination
NAT" cannot be configured. When configuring the action "Source NAT", the IP address
cannot be entered in the "Source translation" input box because this is obtained dynamically
during runtime.
Possible address translations for NAT
The following tables show the input options for address translation with NAT.
Action "Destination-NAT" - "Redirect"
The action "Destination NAT" can be performed in the following direction:
● External to internal
If the DMZ interface of the security module (SCALANCE S623/S627-2M only) is activated,
the action "Destination NAT" can also be performed in the following directions.
● External to DMZ
● DMZ to internal
● DMZ to external
If the security module is in a VPN group (not for SCALANCE S602), the action "Destination
NAT" can also be performed in the following directions:
● Tunnel to internal
● Tunnel to external
● Tunnel to DMZ (only if the DMZ interface is activated)
The following applies, for example for the direction "external to internal": The destination IP
address of a frame coming from the external network is checked to see whether it matches
the IP address specified in the "Destination IP address" input box. If it matches, the frame is
forwarded into the internal network by replacing the destination IP address of the frame with
the IP address specified in the "Destination translation" input box. Access from external to
internal using the external address is possible.
The following table shows the input required for the action "Destination NAT".
Box
Possible entries
Meaning
Source IP address
Not relevant for this action.
-
Source translation
Not relevant for this action.
-
Basics and application
172
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1 Security module as router
Box
Possible entries
Meaning
Destination IP address
IP address in the source network
Destination IP address in the source network with
which an IP address in the destination network will be
accessed.
If the destination IP address in a frame matches the
address entered, the address is replaced by the
corresponding IP address in the destination network.
If the IP address entered here is not the IP address of
the security module, this becomes an alias address.
This means that the specified IP address is also
registered as an IP address on the selected interface.
Alias addresses are also shown in the "Interfaces"
tab of the security module. Make sure that the alias
address does not cause an IP address conflict in the
network.
Destination translation
IP address in the destination network
No.
-
The destination IP address is replaced by the IP
address specified here.
Consecutive number assigned by SCT used to
reference the firewall rule generated by SCT for the
NAT rule.
Action "Source NAT" - "Masquerading"
The action "Source NAT" can be performed in the following direction:
● Internal to external
If the DMZ interface of the security module (SCALANCE S623/S627-2M only) is activated,
the action "Source NAT" can also be performed in the following directions.
● Internal to DMZ
● External to DMZ
● DMZ to external
If the security module is in a VPN group (not for SCALANCE S602), the action "Source NAT"
can also be performed in the following directions:
● Internal to tunnel
● External to tunnel
● DMZ to tunnel (only if the DMZ interface is activated)
The following applies, for example for the direction "internal to external": The source IP
address of a frame coming from the internal network is checked to see whether it matches
the IP address specified in the "Source IP address" input box. If it matches, the frame with
the external IP address specified in the "Source translation" input box is forwarded to the
external network as a new source IP address. In the external network, the external IP
address is effective.
The following table shows the input required for the action "Source NAT".
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
173
Configuring additional module properties
5.1 Security module as router
Box
Possible entries
Meaning
Source IP address
IP address in the source network
The source IP address of the specified node is replaced
by the IP address specified in the "Source translation"
input box.
IP address range in the source
network
The IP address range is replaced by the IP address
specified in the "Source translation" input box.
IP address in the destination network
Entry of the IP address that will be used as the new
source IP address.
Source translation
If the IP address entered here is not the IP address of
the security module, this becomes an alias address.
This means that the specified address is also registered
as an IP address on the selected interface. Alias
addresses are also shown in the "Interfaces" tab of the
security module. Make sure that the alias address does
not cause an IP address conflict in the network.
Destination IP address
Not relevant for this action.
Not relevant for this action.
Destination translation
Not relevant for this action.
Not relevant for this action.
No.
-
Consecutive number assigned by SCT used to
reference the firewall rule generated by SCT for the
NAT rule.
You can configure an address translation to the module IP address in the destination
network for all frames going from a source network to a destination network. The security
module also assigns a port number for each frame. This is an n:1 NAT address translation in
which multiple IP addresses of the source network are translated to one IP address of the
destination network.
Enter, for example, the following parameters for the direction "internal to external":
● Action: "Source NAT"
● From: "Internal"
● To "External"
● Source IP address: "*"
● Source translation: External IP address of the security module
Action "Source NAT + Destination NAT" - "1:1-NAT"
The action "Source NAT + Destination NAT" can be performed in the following direction:
● Internal to external
If the DMZ interface of the security module (SCALANCE S623/S627-2M only) is activated,
the action "Source NAT + Destination" can also be performed in the following directions.
Basics and application
174
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1 Security module as router
● Internal to DMZ
● External to DMZ
● DMZ to external
If the security module is in a VPN group (not for SCALANCE S602), the action "Source NAT
+ Destination" can also be performed in the following directions:
● External to tunnel
● Internal to tunnel
● DMZ to tunnel (only if the DMZ interface is activated)
The following applies, for example for the direction "internal to external": When accessing
from internal to external, the action "Source NAT" is performed. When accessing from
external to internal, the action "Destination NAT" is performed.
The following table shows the input required for the action "Source NAT + Destination NAT":
Box
Possible entries
Meaning
Source IP address
IP address in the source network
The configuration is always specified in the source
NAT direction. The IP addresses of the destination
NAT direction are then inserted automatically by
SCT.
IP address range in the source network
Source translation
IP address in the destination network
Destination IP address
Not relevant for this action.
Destination translation
Not relevant for this action.
No.
-
Consecutive number assigned by SCT used to
reference the firewall rules generated by SCT for the
NAT rule.
Action "Double NAT"
The action "Double NAT" can be performed in the following directions:
● Internal to external
● External to internal
If the DMZ interface of the security module (SCALANCE S623/S627-2M only) is activated,
the action "Double NAT" can also be performed in the following directions.
● Internal to DMZ
● External to DMZ
● DMZ to internal
● DMZ to external
In every direction, Source and Destination NAT always take place at the same time.
The following applies, for example for the direction "external to internal": When accessing
from external to internal, the source IP address of the external node is replaced (Source
NAT). Access to the internal network also uses the external IP address specified in the
"Destination IP address" input box (Destination NAT).
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
175
Configuring additional module properties
5.1 Security module as router
You can, for example, use this action if a standard router other than the security module is
entered for a device to be accessed using Destination NAT. Response frames from this
device are then not sent to the entered standard router but to the corresponding interface of
the security module.
The following table shows the input required for the action "Double NAT".
Box
Possible entries
Meaning
Source IP address
IP address in the source network
IP address of the node in the source
network
Source translation
-
Destination IP address
The Source NAT address translation is
always to the IP address of the security
module in the destination network. For
this reason, the "Source translation"
input box cannot be configured.
IP address in the source network
Destination IP address in the source
network with which an IP address in the
destination network will be accessed.
If the destination IP address in a frame
matches the IP address entered, the IP
address is replaced by the IP address
specified in the "Destination translation"
input box.
If the IP address entered here is not the
IP address of the security module, this
becomes an alias address. This means
that the specified address is also
registered as an IP address on the
selected interface. Alias addresses are
also shown in the "Interfaces" tab of the
security module. Make sure that the
alias address does not cause an IP
address conflict in the network.
Destination translation
IP address in the destination network
No.
-
The destination IP address is replaced
by the IP address specified here.
Consecutive number assigned by SCT
used to reference the firewall rule
generated by SCT for the NAT rule.
Enabling NAPT
The input boxes for NAPT are enabled. NAPT translations only take effect with the entries in
the list described below. After creating NAPT rules, the corresponding firewall rules are
generated and displayed in advanced mode, see section:
Relationship between NAT/NAPT router and firewall (Page 179)
The IP address translation with NAPT can be performed in the following direction:
● External to internal
If the DMZ interface of the security module (SCALANCE S623/S627-2M only) is activated,
the IP address translation with NAPT can also be performed in the following directions.
Basics and application
176
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1 Security module as router
● External to DMZ
● DMZ to internal
● DMZ to external
If the security module is in a VPN group (not for SCALANCE S602), IP address translation
with NAPT can also be performed in the following directions:
● External to tunnel
● Tunnel to internal
● Tunnel to external
● DMZ to tunnel (only if the DMZ interface is activated)
● Tunnel to DMZ (only if the DMZ interface is activated)
The following applies, for example for the direction "external to internal": Frames intended for
the external IP address of the security module and for the port entered in the "Source port"
column are forwarded to the specified destination IP address in the internal network and to
the specified destination port.
The following table shows the input required for address translation with NAPT.
Box
Possible entries
Meaning
Source port
TCP/UDP port or port range
A node in the source network can send a frame to a node in
the destination network by using this port number.
Example of entering a port range: 78:99
Destination IP
address
IP address in the destination network
Frames intended for the IP address of the security module in
the source network and the TCP/UDP port specified in the
"Source port" box are forwarded to the IP address specified
here.
Destination
port
TCP/UDP port
Port number to which the frames coming from the source
network are forwarded.
Protocol
•
TCP+UDP
•
TCP
•
UDP
No.
Selection of the protocol family for the specified port numbers
-
Consecutive number assigned by SCT used to reference the
firewall rule generated by SCT for the NAPT rule.
See also
IP packet filter rules (Page 147)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
177
Configuring additional module properties
5.1 Security module as router
5.1.5
Address translation with NAT/NAPT in VPN tunnels
Meaning
Address translations with NAT/NAPT can also be performed for communications relations
established via a VPN tunnel.
Requirements
The following requirements apply generally to a SCALANCE S module that will perform an
address translation with NAT/NAPT in a VPN tunnel:
● The SCALANCE S module is in a VPN group.
● The SCALANCE S module is in routing mode and/or the DMZ interface of the
SCALANCE S module is activated.
Supported address translation directions
The address translation directions described in the following section are supported:
Address translation with NAT/NAPT (Page 172)
Supported address translation actions
With tunneled communications relations, the following address translation actions are
supported:
● Destination NAT ("Redirect")
● Source NAT ("Masquerading")
● Source and Destination NAT ("1:1-NAT")
● NAPT ("Port forwarding")
You will find basic information on these address translation actions in the following section:
Address translation with NAT/NAPT (Page 172)
Supported VPN links
In conjunction with NAT/NAPT, the following VPN links are supported:
VPN link
VPN link is initiated by
Address translation is
performed by
SCALANCE S (a)
SCALANCE S (b)
SCALANCE S (a) or SCALANCE S (b) SCALANCE S (a) and/or
SCALANCE S (b)
SCALANCE S
S7-CP / PC-CP
SCALANCE S or S7-CP / PC-CP
SCALANCE S
Basics and application
178
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1 Security module as router
VPN link
VPN link is initiated by
Address translation is
performed by
SCALANCE S
SCALANCE M
(SCALANCE S or) SCALANCE M
SCALANCE S and/or
SCALANCE M*
SOFTNET Security Client
SCALANCE S
SOFTNET Security Client
SCALANCE S and/or
SOFTNET Security Client
(action: "Source NAT",
direction: "Tunnel to
internal")
SCALANCE S
NCP VPN client
(Android)
NCP VPN client (Android)
SCALANCE S
* Only 1:1 NAT is supported.
SCALANCE S modules of the type SCALANCE S623 V4 and SCALANCE S627-2M V4 that
have a VPN endpoint on the external interface and on the DMZ interface can perform
address translations on both interfaces at the same time.
Address translation characteristics when involved in several VPN groups
If a SCALANCE S module is a member of several VPN groups, the address translation rules
configured for the tunnel interface of the SCALANCE S module apply for all VPN
connections of this SCALANCE S module.
Note:
Once you have configured a NAT address translation to or from the direction of the tunnel,
only the IP addresses involved in the NAT address translation rules can be reached via the
VPN tunnel.
5.1.6
Relationship between NAT/NAPT router and firewall
Meaning
After creating NAT/NAPT rules, SCT automatically generates firewall rules that enable
communication in the configured address translation direction. The generated firewall rules
can, if necessary, be moved and expanded (additional IP address, services, bandwidth).
Firewall parameters generated by SCT cannot be adapted. After deactivating NAT/NAPT,
the firewall rules generated by SCT are removed.
To clarify the relationship between the NAT/NAPT rules and the corresponding firewall rules,
the rules are identified by corresponding, consecutive numbers in the "NAT/NAPT" and
"Firewall" tabs.
The following table shows the system behind the firewall rules generated for NAT rules.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
179
Configuring additional module properties
5.1 Security module as router
Table 5- 1
NAT address translation and corresponding firewall rules
NAT action
Created firewall rule
Action
From
To
Source IP address
Source NAT
Allow
Source network
Destination
network
IP address of the
node specified in
the "Source IP
address" input box
Destination
NAT
Allow
Source network
Destination
network
-
Source NAT +
Destination
NAT
Allow
Source network
Destination
network
IP address of the
node specified in
the "Source IP
address" input box
Allow
Destination
network
Source network
Allow
Source network
Destination
network
Double NAT
Destination IP
address
-
IP address of the
node specified in
the "Destination
translation" input
box
-
-
IP address of the
node that was
inserted in the
"Destination
translation" input
box by SCT
IP address of the
node specified in
the "Source IP
address" input box
IP address of the
node specified in
the "Destination
translation" input
box
The following table shows the system behind the firewall rules generated for NAT rules.
Table 5- 2
NAPT translations and created firewall rules
Created firewall rule
Action
From
To
Allow
Source network
Destination
network
Source IP address
Destination IP
address
Service
-
IP address of
the node
specified in the
"Destination IP
address" input
box
[Portnumber_proto
col]
Stateful packet inspection
The firewall and NAT/NAPT router supports the "Stateful Packet Inspection" mechanism. As
a result, reply frames can pass through the NAT/NAPT router and firewall without it being
necessary for their addresses to be included extra in the firewall rule and the NAT/NAPT
address translation.
Basics and application
180
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.1 Security module as router
5.1.7
Relationship between NAT/NAPT router and user-specific firewall
Meaning
After creating NAT/NAPT rules, SCT automatically generates a user-specific IP rule set in
the user-specific firewall that enables communication in the configured address translation
direction. You can then assign this user-specific IP rule set to individual or multiple users
and/or individual or multiple roles (only for SCALANCE S V4 modules).
The generated firewall rules can, if necessary, be moved and expanded (additional IP
address, services, bandwidth). Firewall parameters generated by SCT cannot be adapted. If
the user-specific IP rule set is dragged ith the mouse to a security module with NAT/NAPT
deactivated, the NAT/NAPT rules from the user-specific firewall are also applied to this
security module.
Note
The address translation action "Double NAT" is not supported in conjunction with the userspecific firewall.
How to access this function
"NAT" or "NAPT" tab in the configuration dialog for user-specific IP rules sets, refer to the
following section:
User-specific IP rule sets (Page 140)
Supported address translation directions for the action "Source NAT"
The action "Source NAT" can be performed in the following directions:
● External to DMZ
● DMZ to external
● ...
No IP address can be entered in the "Source IP address" box. This is entered automatically
when the node logs on to the security module.
Supported address translation directions for the action "Destination NAT"
The action "Destination NAT" can be performed in the following directions:
● External to internal
● External to DMZ
● DMZ to internal
● DMZ to external
● ...
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
181
Configuring additional module properties
5.2 Security module as DHCP server
Supported address translation directions for the action "Source NAT + Destination NAT"
The action "Source NAT + Destination NAT" can be performed in the following directions:
● External to DMZ
● DMZ to external
No IP address can be entered in the "Source IP address" box. This is entered automatically
when the node logs on to the security module.
Supported address translation directions for NAPT
The address translation with NAPT can be performed in the following directions:
● External to internal
● External to DMZ
● DMZ to internal
● DMZ to external
● ...
NAT/NAPT address translation and corresponding user-specific IP rule sets
The firewall rules for user-specific IP rule sets generated based on NAT/NAPT rules are
identical to the firewall rules generated locally for individual security modules, refer to
section:
Relationship between NAT/NAPT router and firewall (Page 179)
5.2
Security module as DHCP server
5.2.1
Overview
Overview
You can operate the security module in the internal network and in the DMZ network as a
DHCP server (DHCP = Dynamic Host Configuration Protocol). This allows IP addresses to
be assigned automatically to the connected devices.
Simultaneous DHCP server operation on both interfaces is possible.
The IP addresses are either distributed dynamically from an address band you have
specified or you can select a specific IP address and assign it to a particular device. If
devices on the internal interface or on the DMZ interface should always be assigned the
same IP address for firewall configuration, the address assignment must only be static based
on the MAC address or based on the client ID.
Basics and application
182
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.2 Security module as DHCP server
Requirement
You configure the devices in the internal network or in the DMZ network so that they obtain
the IP address from a DHCP server.
Depending on the mode, the security module sends an IP address of the standard router to
the nodes in the relevant subnet or you inform the nodes in the subnet of a router IP
address.
● Router IP address will be transferred
In the following situations, the security module will inform the nodes of the router IP
address using the DHCP protocol:
– The node is connected to the DMZ interface (SCALANCE S623/S627-2M only)
In this case, the security module sends its own IP address as the router IP address.
– The node is connected to the internal interface and the security module is configured
for router mode
In this case, the security module sends its own IP address as the router IP address.
– The node is connected to the internal interface and the security module is not
configured for router mode, there is, however, a standard router specified in the
configuration of the security module.
In this case, the security module transfers the IP address of the standard router as the
router IP address.
● Router IP address will not be transferred
In the following situations, enter the router IP address manually on the node:
– The node is connected to the internal interface and the security module is not
configured for router mode. There is also no standard router specified in the
configuration of the security module.
See also
Consistency checks (Page 61)
5.2.2
Configuring a DHCP server
Requirement
The "DHCP server" tab is only displayed if the project is in advanced mode.
Note
No return to standard mode possible
If you switch to the advanced mode and change the configuration for the current project, you
can no longer switch back.
Remedy SCT standalone: You close the project without saving and open it again.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
183
Configuring additional module properties
5.2 Security module as DHCP server
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "DHCP server" tab.
3. Select the "Enable DHCP" check box.
4. Select the interface for which you want to make the DHCP settings.
5. Make the address assignment. You have the following configuration options:
Basics and application
184
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.2 Security module as DHCP server
● Static address assignments
Devices with a specific MAC address or client ID are assigned the specified IP
addresses. You specify these addresses by entering the devices in the address list in the
"Static address assignments" group box. This option makes sense with respect to firewall
rules with explicit specification of source or destination IP address.
● Dynamic address assignments
Devices whose MAC address or whose client ID was not specified specifically, are
assigned a random IP address from a specified address range. You set this address
range in the "Dynamic address assignments" group box.
Note
Dynamic address assignment - reaction after interrupting the power supply
Please note that dynamically assigned IP addresses are not saved if the power supply is
interrupted. On return of the power, you must therefore make sure that the nodes request
an IP address again.
You should therefore only use dynamic address assignment for the following nodes:
• Nodes that are used temporarily in the subnet (such as service devices);
• Nodes that have been assigned an IP address and send this as the "preferred
address" the next time they request an address from the DHCP server (for example
PC stations).
For nodes in permanent operation, use of a static address assignment by specifying a
client ID should be preferred (recommended for S7 CPs because it is simpler to replace
modules) or the MAC address.
Symbolic names are supported
You can also enter the IP or MAC addresses as symbolic names in the function described
here.
Consistency check - these rules must be adhered to
Remember the following rules when making the entries:
● The IP addresses assigned in the address list in the "Static address assignments" group
box must not be in the range of the dynamic IP addresses.
● Symbolic names must have a numeric address assignment. If you assign symbolic
names for the first time here, you must still make the address assignment in the
"Symbolic names" dialog.
● IP addresses, MAC addresses and client IDs may only occur once in the "Static address
assignments" input area (related to the security module).
● For the statically assigned IP addresses, you must specify either the MAC address or the
client ID (computer name).
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
185
Configuring additional module properties
5.2 Security module as DHCP server
● The client ID is a string with a maximum of 63 characters. Only the following characters
may be used: a-z, A-Z, 0-9 and - (dash).
Note
In SIMATIC S7, a client ID can be assigned to the devices on the Ethernet interface to
allow them to obtain an IP address using DHCP.
With PCs, the procedure depends on the operating system being used; it is advisable to
use the MAC address here for the assignment.
● For the statically assigned IP addresses, you must specify the IP address.
● The following IP addresses must not be located in the range of the dynamic address
assignments:
– All router IP addresses in the "Routing" tab
– Syslog server
– Standard router
– Address(es) of the security module
● DHCP is supported by the security module on the interface to the internal subnet and on
the interface to the DMZ network. The following additional requirements for IP addresses
in the range of the dynamic address assignments result from this operational behavior of
the security module:
– Bridge mode
The range must be within the network subnet defined by the security module.
– Routing mode
The range must be within the internal subnet defined by the security module.
Note
The DMZ network always represents a separate subnet. When using DHCP on the
DMZ interface, make sure that the free IP address range (dynamic IP addresses) is
within the DMZ subnet.
● The free IP address range must be fully specified by entering the start address and the
end address. The end address must be higher than the start address.
● The IP addresses you enter in the address list in the "Static address assignments" input
area must be in the address range of the internal subnet or in the DMZ network of the
security module.
Note the explanations in section Consistency checks (Page 61).
Basics and application
186
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.3 Time synchronization
5.3
Time synchronization
5.3.1
Overview
Meaning
The date and time are kept on the security module to check the validity (time) of a certificate
and for the time stamps of log entries.
The following alternatives can be configured:
● The module time is set automatically to the PC time when a configuration is downloaded.
● Automatic setting and periodic synchronization of the time using a Network Time Protocol
server (NTP server).
Synchronization by an NTP server
The following rules apply when creating the NTP server:
● NTP servers can be created throughout a project using the SCT menu "Options" >
"Configuration of the NTP servers...". On the properties tab "Time synchronization" assign
an NTP server to a security module. If different security modules in the SCT project use
the same NTP server, its data only needs to be entered once.
● You can create 32 NTP servers throughout the project.
● You can assign a maximum of 4 NTP servers to one security module.
● Symbolic names are supported in the definition of NTP servers.
● FQDNs are supported in the definition of NTP servers.
● The IP address and the update interval of NTP servers already created in STEP 7 are
migrated to SCT.
● If you select "Time-of-day synchronization with NTP (secure)", the security module only
accepts the time from suitably configured (secure) NTP servers. A mixed configuration of
non-secure and secure NTP servers on a security module is not possible.
5.3.2
Configuring time keeping
How to access this function
Menu command SCT:
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Time-of-day synchronization" tab.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
187
Configuring additional module properties
5.3 Time synchronization
Menu command STEP 7 (if the option " Activate NTP time-of-day synchronization" is
enabled): "Time-of-day synchronization" > " Activate NTP time-of-day synchronization",
"Run" button.
Alternatives for time synchronization
The following alternatives can be configured:
Table 5- 3
Time synchronization for CPs
Possible selection
Meaning / effect
No time synchronization
No time synchronization via a PC or an NTP server.
Time-of-day synchronization with NTP
Automatic setting and periodic synchronization of the
time using an NTP server.
Time synchronization using NTP (secured)
Automatic setting and periodic synchronization of the
time using an NTP server (secure).
Table 5- 4
Time synchronization for SCALANCE S ≥ V3.0
Possible selection
Meaning / effect
No time synchronization
No time synchronization.
Set time with each download
The module time is set automatically to the PC time
when a configuration is downloaded.
Time-of-day synchronization with NTP
Automatic setting of the time using an NTP server.
Time synchronization using NTP (secured)
Automatic setting and periodic synchronization of the
time using an NTP server (secure).
Basics and application
188
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.3 Time synchronization
Selecting the mode for synchronization
Follow these steps:
1. Select the synchronization mode.
2. For SCALANCE S < V3.0: For synchronization by an NTP server, enter the update
interval in seconds. For SCALANCE S ≥ V3.0, the time interval for querying the NTP
server is specified automatically.
Note
NTP servers created in STEP 7 are automatically migrated to SCT with the update
interval. The update interval can only be changed in STEP 7.
3. If you have selected the synchronization mode "Time synchronization with NTP" or "Time
synchronization with NTP (secure)", with the "Add" button, you assign a previously
created NTP server of the same type as in the "Synchronization mode" box to the security
module.
If no NTP servers exist yet, create an NTP server with the "Configure server..." button.
5.3.3
Defining an NTP server
How to define a new NTP server:
1. Enter a name for the NTP server.
2. Enter the IP address / FQDN of the NTP server.
3. Select the Type.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
189
Configuring additional module properties
5.4 SNMP
Settings for NTP (secure)
1. Click the "Add..." button.
2. Enter the following data:
Parameter
Meaning
Key ID
Numeric value between 1 and 65534.
Authentication
Select the authentication algorithm.
Hex/ASCII
Select the format for the NTP key.
Key
Enter the NTP key with the following lengths:
Hex: 22 ... 40 characters
ASCII: 11 ... 20 characters
Importing/exporting NTP servers
Using the "Import..." or "Export..." buttons, you can export the key list of the currently
displayed NTP server and import the file into an NTP server or vice versa.
5.4
SNMP
5.4.1
Overview
What is SNMP?
The security module supports the transfer of management information using the Simple
Network Management Protocol (SNMP). To allow this, an SNMP agent is installed on the
security module that receives and responds to SNMP queries. The information on the
properties of SNMPcompliant devices is entered in MIB files (Management Information
Base) for which the user must have the required rights (SNMPv3).
In SNMPv1, the "community string" is also sent. The "community string" is like a password
that is sent along with the SNMP query. If the community string is correct, the security
module replies with the required information. If the string is incorrect, the security module
discards the query and does not reply.
In SNMPv3, the data can be transferred encrypted.
Basics and application
190
Configuration Manual, 09/2013, C79000-G8976-C286-02
Configuring additional module properties
5.4 SNMP
5.4.2
Enabling SNMP
Requirement
HW Config: In the "SNMP" tab of the CP properties, the "Enable SNMP" check box is
selected. If it is not activated, SNMP cannot be configured in the Security Configuration Tool.
Configuring SNMP - Follow the steps below:
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "SNMP" tab.
3. Select the "Enable SNMP" check box.
4. Select one of the following SNMP protocol versions.
Note
Encrypted data transfer with SNMPv3
To increase security, you should use SNMPv3 since the data is then transferred
unencrypted.
– SNMPv1
The security module uses the following default values for the community strings to
control the access rights in the SNMP agent:
For read access: public
For read and write access: private
To enable write access using SNMP, select the "Allow write access" check box.
– SNMPv3
Select either an authentication method or an authentication and encryption method.
Authentication algorithm: none, MD5, SHA-1
Encryption algorithm: none, AES-128, DES
Note
Avoiding the use of DES
DES is not a secure encryption algorithm. It should therefore only be used where
downwards compatibility is required.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
191
Configuring additional module properties
5.5 Proxy ARP
5. In the "Advanced settings" area, configure module-specific information on the author,
location and e-mail address that overwrites the information from the project properties.
If you select the "Keep values written by SNMP set" check box, values written to the
security module with an SNMP tool using an SNMP-SET command are not overwritten
when downloading an SCT configuration again to the security module.
6. If you want to use SNMPv3, assign a user a role for which the corresponding SNMP
rights are activated so that it can reach the security module via SNMP.
For more detailed information on configuring users, rights and roles, refer to the next
section:
– Managing users (Page 70)
5.5
Proxy ARP
Overview
Proxy ARP allows routers to respond to ARP queries for hosts. The hosts are in networks
separated by routers but use the same IP address range.
If PC1 sends an ARP request to PC2, it receives an ARP response and the hardware
address of the interface (MAC address of the port of the security module) on which the query
was received from the security module located in between and not from PC2. The querying
PC1 then sends its data to the security module that then forwards it to PC2.
How to access this function
This function is only available for the internal interface of a security module that is a member
of a VPN group and is in bridge mode. The project must also be in advanced mode.
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Proxy ARP" tab.
3. If the security module is to respond to an ARP query from its own LAN as a substitute for
the specific connection partner, enter the corresponding IP address.
Basics and application
192
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec
tunnel
6
In this section, you will learn how to connect IP subnets protected by the security module to
a VPN (Virtual Private Network).
As already described in the section on module properties, you can once again use the
default settings to ensure secure communication in your internal networks.
Further information
You will find detailed information on the dialogs and parameter settings in the online help.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
See also
Online functions - test, diagnostics, and logging (Page 241)
6.1
VPN with security modules
Secure connection through an unprotected network
For security modules that protect the internal network, IPsec tunnels provide a secure data
connection through the non-secure external network.
Due to the data exchange via IPsec, the following security aspects are implemented for the
communication.
● Confidentiality
Makes sure that the data is transferred encrypted.
● Integrity
Makes sure that the data has not been changed.
● Authenticity
Makes sure that the VPN endpoints are also trustworthy.
The security module uses the IPsec protocol for tunneling (tunnel mode of IPsec).
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
193
Secure communication in the VPN via an IPsec tunnel
6.1 VPN with security modules
Tunnel connections exist between modules in the same VPN group
The properties of a VPN are put together for all IPsec tunnels for the security modules of a
VPN group.
IPsec tunnels are established automatically between all security modules and SOFTNET
Security Clients that belong to one VPN group. A security module can belong to several
different VPN groups at the same time in one project.
Basics and application
194
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.2 Authentication method
Note
If the name of a security module is changed, all the security modules of the groups to which
the changed security module belongs must be reconfigured (menu command "Transfer" >
"To all modules...").
If the name of a VPN group is changed, all security modules of this VPN group must be
reconfigured in (menu command "Transfer" > "To all modules...").
Note
Layer 2 frames are also tunneled when there is a router between two security modules. To
make this possible, however, the MAC addresses of the communications partners must be
configured statically in the Security Configuration Tool and, where necessary, static ARP
entries must be entered on the communications devices.
The following applies in general: Non-IP packets are transferred through a tunnel only when
the devices that send or receive the packets were able to communicate previously; in other
words, without using the security modules.
6.2
Authentication method
Authentication method
The authentication method is specified within a VPN group and decides the type of
authentication used.
Key-based or certificate-based authentication methods are supported:
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
195
Secure communication in the VPN via an IPsec tunnel
6.2 Authentication method
● Pre-shared keys
Authentication is achieved using a previously agreed character string that is distributed to
all modules in the VPN group.
To do this, enter a password in the "Key" box of the "VPN group properties" dialog or
generate a password using the "New..." button.
● Certificate
Certificate-based authentication "Certificate" is the default that is also enabled in standard
mode. The procedure is as follows:
– When you create a VPN group, a CA certificate is generated automatically for the VPN
group.
– Each security module in the VPN group receives a VPN group certificate signed with
the key of the certification authority of the VPN group.
All certificates are based on the ITU standard X.509v3 (ITU, International
Telecommunications Union).
The certificates are generated by a certification function in the Security Configuration
Tool.
Note
Restriction in VLAN operation
With IP packets through the VPN tunnel of the security module, no VLAN tagging is
transferred. The VLAN tags included in IP packets are lost when they pass through the
security modules because IPsec is used to transfer the IP packets.
As default, no IP broadcast or IP multicast frames can be transferred with IPsec through
a layer 3 VPN tunnel. Through a layer 2 VPN tunnel of the security module, IP broadcast
or IP multicast packets are "packaged" just like MAC packets including the Ethernet
header in UDP and transferred. With these packets, the VLAN tagging is therefore
retained.
Basics and application
196
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.3 VPN groups
6.3
VPN groups
6.3.1
Rules for forming VPN groups
Remember the following rules:
● For SCALANCE S612 / S613 / S623 / S627-2M / SCALANCE M / VPN device
The first module assigned in a VPN group decides which other modules can be added to
it.
If the first added SCALANCE S module is in routing mode or if the first security module is
a SCALANCE M module or a VPN device, then only SCALANCE S modules with
activated routing or SCALANCE M modules or VPN devices can be
added because SCALANCE M modules and VPN devices always operate in routing
mode.
If the first added SCALANCE S module is in bridge mode, then only SCALANCE S
modules in bridge mode can be added.
A CP or an SSC and an NCP VPN client (Android) can be added to a VPN group with a
SCALANCE S in bridge or routing mode.
● For CP / SSC / NCP VPN client (Android)
If a CP / SSC / NCP VPN client (Android) is the first module in a VPN group, security
modules in any mode can be added until a SCALANCE S or SCALANCE M module is
added. From this point on, the rules for SCALANCE S and SCALANCE M modules apply,
see above.
● It is not possible to add a SCALANCE M module to a VPN group that contains a
SCALANCE S module in bridge mode.
Refer to the following table to see which modules can be grouped together in a VPN group:
Table 6- 1
Rules for forming VPN groups
Module
The following can be included in a VPN group containing the
following module:
SCALANCE S in
bridge mode
SCALANCE S in
routing mode /
SCALANCE M /
VPN device / NCP
VPN client
(Android)
CP / SSC
x
-
x
SCALANCE S in routing mode
-
x
x
CP x43-1 Adv.
x
x
x
CP 1628
x
x
x
SOFTNET Security Client 2005
x
-
-
SOFTNET Security Client 2008
x
x
x
SOFTNET Security Client V3.0
x
x
x
SCALANCE S in bridge mode
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
197
Secure communication in the VPN via an IPsec tunnel
6.3 VPN groups
Module
6.3.2
The following can be included in a VPN group containing the
following module:
SCALANCE S in
bridge mode
SCALANCE S in
routing mode /
SCALANCE M /
VPN device / NCP
VPN client
(Android)
CP / SSC
SOFTNET Security Client V4.0
x
x
x
SCALANCE M / VPN device
-
x
x
NCP VPN client (Android)
-
x
x
Supported tunnel communication relations
Meaning
The following tables show which tunnel interfaces can establish a tunnel between them.
Here, a distinction is made depending on whether the SCALANCE S module is in routing or
in bridge mode.
Regardless of the interface via which the VPN tunnel is established, as default the nodes of
the internal subnets of the security modules can always communicate with each other. If
communication via the VPN tunnel should also extend to other subnets, these can be
enabled for tunnel communication in the "VPN" tab in the advanced module properties, see
following section:
● Configuring other nodes and subnets for the VPN tunnel (Page 213)
Subnets that need to be enabled for tunnel communication are as follows:
● Subnet on the external interface (if the external interface is not a VPN endpoint)
● Subnet on the DMZ interface (if the DMZ interface is not a VPN endpoint)
● Other subnets that can be reached by the router on the various interfaces (if these are not
VPN endpoints)
Basics and application
198
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.3 VPN groups
Table 6- 2
Tunnel communication between CPs, SCALANCE M modules, SOFTNET Security Clients and SCALANCE S
modules in routing mode
Responder interface
Initiator interface
External (SCALANCE
M875)
GBit, IE (CP)
External (SCALANCE
S)
DMZ (SCALANCE S623 /
S627-2M)
PC/PG
(SSC)
x
x
x
x
External
(SCALANCE M875)
x
x
x
x
Gbit, IE
(CP)
-
x
x
x
External
(SCALANCE S)
-
x
x
x
DMZ
(SCALANCE S623 /
S627-2M)
-
x
x
x
x is supported
- is not supported
Table 6- 3
Tunnel communication between CPs, SOFTNET Security Clients and SCALANCE S modules in bridge mode
Responder interface
Initiator interface
GBit, IE (CP)
External (SCALANCE S)
DMZ (SCALANCE S623 /
S627-2M)
PC/PG (SSC)
x
x
-
GBit, IE (CP)
x
x
-
External (SCALANCE S)
x
x
-
DMZ (SCALANCE S623 /
S627-2M)
-
-
-
x is supported
- is not supported
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
199
Secure communication in the VPN via an IPsec tunnel
6.3 VPN groups
6.3.3
Creating VPN groups and assigning modules
Requirement
Note
Current date and current time of day on the security modules
When using secure communication (for example HTTPS, VPN...), make sure that the
security modules involved have the current time of day and the current date. Otherwise the
certificates used will not be evaluated as valid and the secure communication will not work.
How to access this function
1. Create a VPN group with the "Insert" > "Group" menu command.
2. Assign the security modules, SOFTNET Security Clients, VPN devices and NCP VPN
clients (Android) intended for a VPN group to the group by dragging the modules to the
required VPN group with the mouse.
Configuring properties
Just as when configuring modules, the two selectable operating views in the Security
Configuration Tool have an effect on configuring VPN groups:
● Standard mode
In standard mode, you retain the defaults set by the system. Even if you are not an IT
expert, you can nevertheless configure IPsec tunnels and operate secure data
communication.
● Advanced mode
The advanced mode provides you with options for setting specific configurations for
tunnel communication.
Basics and application
200
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.4 Tunnel configuration in standard mode
Displaying all configured VPN groups and their properties
● Select the "VPN groups" object in the navigation panel.
The following properties of the groups are displayed in columns:
Property/column
Meaning
Comment/selection
Name
Group Name
Freely selectable
Authentication
Type of authentication
•
Pre-shared key
•
Certificate
Group membership until
Life of certificates
See section "Setting the lifetime
of certificates"
Comment
Comment
Freely selectable
Setting the life of certificates
Open the dialog in which you can set the expiry date of the certificate as follows:
1. In the navigation panel, select the VPN group for which you want to configure a
certificate.
2. Right-click on the security module in the content area and select the "New certificate…"
command in the shortcut menu.
Note
Expiry of a certificate
Communication through the VPN tunnel continues after the certificate has expired until
the tunnel is terminated or the SA lifetime expires. You will find more information on
certificates, in the following section:
• Managing certificates (Page 85)
6.4
Tunnel configuration in standard mode
Opening the dialog for displaying default values
1. Select the required VPN group.
2. Select the "Edit" > "Properties..." menu command.
The display of the VPN group properties is identical to the display in advanced mode; you
cannot, however, change the values in standard mode.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
201
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
6.5
Tunnel configuration in advanced mode
The advanced mode provides you with options for setting specific configurations for tunnel
communication.
Switch over to advanced mode
To use all the functions described in this section, change the project to advanced mode.
Note
No return to standard mode possible
If you switch to the advanced mode and change the configuration for the current project, you
can no longer switch back.
Remedy SCT standalone: You close the project without saving and open it again.
6.5.1
Configuring VPN group properties
VPN group properties
Note
Knowledge of IPsec necessary
To be able to set these parameters, you require IPsec experience. If you do not make or
modify any settings, the defaults of standard mode apply.
The following VPN group properties can be set in advanced mode:
● Authentication method
● IKE settings (dialog area: Advanced Settings Phase 1)
● IPsec settings (dialog area: Advanced Settings Phase 2)
Basics and application
202
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
How to access this function
1. In the navigation panel, select the VPN group you want to edit.
2. Select the "Edit" > "Properties..." menu command.
3. Select whether a pre-shared key or certificate will be used for authentication. For more
detailed information, refer to the following section:
– Authentication method (Page 195).
Parameters for advanced settings phase 1 - IKE settings
Phase 1: Key exchange (IKE = Internet Key Exchange):
Here, you set the parameters for the IKEv1 protocol of the IPsec key management. The key
exchange uses the standardized IKEv1 method for which you can set the following protocol
parameters:
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
203
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
Parameter
Description
IKE mode
Key exchange method:
•
Main mode
• Aggressive mode
The difference between the main and aggressive mode is the "identity
protection" used in the main mode. The identity is transferred encrypted in
main mode but not in aggressive mode.
Phase 1 DH group
Diffie-Hellman key agreement:
•
Group 1
•
Group 2
•
Group 5
• Group 14
Diffie-Hellman groups (selectable cryptographic algorithms in the Oakley
key exchange protocol).
SA lifetime type
Phase 1 Security Association (SA):
• Time: Time limit in minutes
The lifetime of the current key material is limited in time. When the time
expires, the key material is renegotiated.
SA lifetime
Numeric value:
Range of values for time: 1440 ... 2500000 minutes (default: 2500000)
Phase 1 encryption
Encryption algorithm:
•
Phase 1 authentication
DES*: Data Encryption Standard (56 bit key length, mode CBC)
•
3DES-168: Triple DES (168-bit key length, mode CBC)
•
AES-128, 192, 256: Advanced Encryption Standard (128-bit, 192-bit or
256-bit key length, mode CBC)
Authentication algorithm;:
•
MD5: Message Digest Algorithm 5
•
SHA1: Secure Hash Algorithm 1
* DES is not a secure encryption algorithm. It should therefore only be used where
downwards compatibility is required.
Parameters for advanced settings phase 2 - IPsec settings
Phase 2: Data exchange (ESP = Encapsulating Security Payload)
Here, you set the parameters for the protocol of the IPsec data exchange. The data
exchange is in "quick mode". The entire communication during this phase is encrypted using
the standardized security protocol ESP for which you can set the following protocol
parameters:
Basics and application
204
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
Parameter
Description
SA lifetime type
Phase 2 Security Association (SA):
SA lifetime
Phase 2 encryption
•
Time: Time limit in minutes The use of the current key material has a
time limit. When the time expires, the key material is renegotiated.
•
Limit: Limitation of the data volume in MB
Numeric value:
•
Range of values for time: 60 ... 16666666 minutes (default: 2880)
•
Range of values for limit: 2000 ... 500000 MB (default: 4000)
Encryption algorithm:
•
Phase 2 authentication
Perfect Forward
Secrecy
DES*: Data Encryption Standard (56 bit key length, mode CBC)
•
3DES-168: Triple DES (168-bit key length, mode CBC)
•
AES-128: Advanced Encryption Standard (128-bit key length, mode
CBC)
Authentication algorithm;:
•
MD5: Message Digest Algorithm 5
•
SHA1: Secure Hash Algorithm 1
Select whether or not before each time an IPsec-SA is renegotiated, the
key is negotiated again using the Diffie-Hellman method. Perfect Forward
Secrecy ensures that the new key cannot be derived from keys generated
previously.
* DES is not a secure encryption algorithm. It should therefore only be used where
downwards compatibility is required.
6.5.2
Including security module in configured VPN group
The configured group properties are adopted for security modules to be included in an
existing VPN group.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
205
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
Including active nodes in a VPN group
If an active node is added to an existing VPN group, this can reach the group members
without needing to download the project to all members of the VPN group again.
Note
If you remove an active node from an existing VPN group, this can still establish a
connection to the group members even if you have downloaded the project to all members of
the VPN group again.
If you do not want the removed active node to be able to establish the connection any
longer, renew the CA certificate of the VPN group and download the project again to the
members of the VPN group.
The CA certificate of the VPN group can be renewed in the group properties of the VPN
group or in the certificate manager, "Certification authorities" tab.
Follow the steps below
During this procedure, the following distinctions must be made:
● Case a: If you have not changed the group properties and the module to be added
establishes the connection to the already configured modules:
1. Add the new security module to the VPN group.
2. Download the configuration to the new security module.
● Case b:If you have not changed the group properties or the module to be added does not
establish the connection to the already configured modules actively:
1. Add the new security module to the VPN group.
2. Download the configuration to all security modules that belong to the VPN group.
Advantage in case a
Existing security modules that have already been commissioned do not need to be
reconfigured and downloaded. Active communication is not influenced or interrupted.
Basics and application
206
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
Settings for nodes with an unknown IP address
Nodes whose IP address is unknown at the time of configuration (unknown peers) can be
inserted in an existing VPN group. Since the nodes are usually mobile and obtain their IP
addresses dynamically (for example a SOFTNET Security Client or SCALANCE M), the VPN
tunnel can only be established if you set the parameters for Phase 1 according to one of the
following tables. If you use other settings, you cannot establish a VPN tunnel to the end
device.
Table 6- 4
Encryption parameter 1
Parameter
Setting
Phase 1 encryption
AES-256
Phase 1 DH group
Group2
Phase 1 authentication
SHA1
Authentication method
Certificate
SA lifetime
1440 … 2500000 minutes
Table 6- 5
Encryption parameter 2
Parameter
Setting
Phase 1 encryption
3DES-168
Phase 1 DH group
Group2
Phase 1 authentication
SHA1
Authentication method
Certificate
SA lifetime
1440 … 2500000 minutes
Table 6- 6
Encryption parameter 3
Parameter
Setting
Phase 1 encryption
DES
Phase 1 DH group
Group2
Phase 1 authentication
MD5
Authentication method
Certificate
SA lifetime
1440 … 2500000 minutes
Table 6- 7
Encryption parameter 4
Parameter
Setting
Phase 1 encryption
3DES-168
Phase 1 DH group
Group2
Phase 1 authentication
SHA1
Authentication method
Pre-shared key
SA lifetime
1440 … 2500000 minutes
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
207
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
Additional restrictions for the SOFTNET Security Client
For the SOFTNET Security Client, the following restrictions also apply:
6.5.3
Parameter
Setting / special feature
Phase 1 encryption
AES-256 possible only with Windows 7
Phase 1 SA lifetime
1440 to 2879 minutes
SA lifetime type
Must be selected identical for both phases
Phase 2 encryption
No AES 128 possible
Phase 2 SA lifetime
60 to 2879 minutes
Phase 2 authentication
No MD5 possible
Configuring module-specific VPN properties
Meaning
You can configure the following module-specific properties for data exchange via the IPsec
tunnel in the VPN:
● Dead peer detection
● Permission to initiate connection establishment
● WAN IP address / FQDN for communication via Internet gateways
Requirements
● You can only make settings in the "VPN" tab if the security module you are configuring is
in a VPN group.
● The "VPN nodes" dialog area in the "VPN" tab is only displayed if the project is in
advanced mode.
How to access this function
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "VPN" tab.
The settings made here are adopted as settings for the entire module for settings that can
be made for specific connections. Settings for specific connections can overwrite settings
for the entire module and can be configured in the Details window. You will find further
information on configuring settings for specific connections in the following section:
Configuring VPN properties for specific connections (Page 211)
Dead peer detection (DPD)
As default, DPD is enabled. For DPD to operate reliably, it must be activated on both
security modules involved.
Basics and application
208
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
If DPD is activated, the security modules exchange additional messages at selectable
intervals when there is currently no data traffic via the VPN tunnel. This means that it can be
recognized whether the IPsec connection is still valid or possibly needs to be re-established.
If there is no longer a connection, the security associations (SA) of phase 2 are terminated
prematurely. If DPD is disabled, the SA is ended only after the SA lifetime has expired. For
information on setting the SA lifetime, see the following section
Configuring VPN group properties (Page 202)
Permission to initiate connection establishment
You can restrict the permission for initiating the VPN connection establishment to certain
security modules in the VPN.
The decisive factor for the setting of the parameter described is the assignment of the IP
address for the gateway of the security module you are configuring. If a static IP address is
assigned, the security module can be found by the partner. If the IP address is assigned
dynamically, and therefore changes constantly, the partner cannot establish a connection as
things stand.
Mode
Meaning
Start connection to partner
(initiator/responder) (default)
If this option is selected, the security module is "active", in
other words, it attempts to establish a connection to a
partner.
This option is recommended if the security module being
configured is assigned a dynamic IP address by the ISP.
The partner is addressed using its configured WAN IP
address, its configured external module IP address or the
configured DNS name.
Wait for partner (responder)
If this option is selected, the security module is "passive",
in other words, it waits for the partner to initiate the
connection.
This option is recommended if the security module being
configured is assigned a static IP address by the ISP.
Note
Make sure that you do not set all the security modules in a VPN group to "Wait for partner"
otherwise no connection will be established.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
209
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
WAN IP address / FQDN - IP addresses of the security modules and gateways in a VPN via Internet
When operating a VPN with IPsec tunnel over the Internet, additional IP addresses are
generally required for the Internet gateways such as DSL routers. The individual security or
SCALANCE M modules must know the public IP addresses of the partner modules in the
VPN that need to be reached via the Internet.
Note
If you use a DSL router as Internet gateway, the following ports (at least) must be opened on
it and the data packets forwarded to the security module:
• Port 500 (ISAKMP)
• Port 4500 (NAT-T)
To do this, it is possible to specify a "WAN IP address" in the configuration of the security
module. When you download the module configuration, the group members are then
informed of the WAN IP addresses of the partner modules. As an alternative to a WAN IP
address, you can also enter an FQDN. If you have configured dynamic DNS on the security
module at the same time, this FQDN must match the FQDN entered in the "DNS" tab that is
registered with a provider for dynamic DNS.
Whether the external IP address, the IP address of the DMZ interface (only SCALANCE
S623 / S627-2M) or the WAN IP address / the FQDN will be used can be specified in the
VPN properties for specific connections. For more detailed information on VPN properties for
specific connections, refer to the following section:
Configuring VPN properties for specific connections (Page 211)
If you do not enter an access point here, the external IP address or the IP address of the
DMZ interface (SCALANCE S623/S627-2M only) will be used as the VPN endpoint.
Basics and application
210
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.5 Tunnel configuration in advanced mode
①
②
③
④
Internal IP address - of a security module
External IP address - of a module
IP address of an Internet gateway (for example GPRS gateway)
IP address (WAN IP address) of an Internet gateway (for example DSL router)
Configuring VPN nodes
In the "VPN nodes" dialog area, you enable the subnets or nodes for VPN tunnel
communication.
Which nodes and subnets need to be enabled and how they are enabled for VPN tunnel
communication is explained in the following sections:
Configuring other nodes and subnets for the VPN tunnel (Page 213)
Configuring internal network nodes (Page 212)
6.5.4
Configuring VPN properties for specific connections
Meaning
While module-specific VPN properties are configured for a specific security module,
connection-specific VPN properties relate to the VPN connections of a security module. If a
security module establishes several tunnel connections to other security modules, with
connection-specific VPN properties, it is possible, for example, to configure which
connections the security module initiates and which it does not.
Requirements
● The security module is a member of a VPN group.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
211
Secure communication in the VPN via an IPsec tunnel
6.6 Configuring internal network nodes
How to access this function
1. Select the VPN group in the navigation panel to which the security module you are editing
belongs.
2. In the content area, select the security module whose properties you want to configure.
In the Details window, you can now configure the connection-specific VPN properties.
The default values were taken from the module-specific VPN properties.
Parameter
Parameter
Meaning
Initiator/Responder
Specifies the permission to initiate connection establishment
Partner module
Display of the module name of the partner module.
Type of transferred packets
Display of the layer on which the packets are transferred.
Local interface
Specifies the interface that will be used as the VPN endpoint
on the selected security module. If a WAN access point (IP
address / FQDN) is configured for the security module, this
can also be selected here.
Partner interface
Specifies the interface that will be used as the VPN endpoint
on the partner module. If a WAN access point (IP address /
FQDN) is configured for the VPN partner, this can also be
selected here.
6.6
Configuring internal network nodes
Configuring internal network nodes
Each security module must know the network nodes in the entire internal network to be able
to recognize the authenticity of a frame.
The security module must know both its own internal nodes as well as the internal nodes of
the security modules in the same VPN group. This information is used on a security module
to decide which data packet will be transferred in which tunnel.
SCALANCE S
Apart from the static configuration of the network nodes, a SCALANCE S module also
provides the option of learning these automatically.
How to configure the network nodes is described in the following section:
Configuring other nodes and subnets for the VPN tunnel (Page 213)
For more information on automatic learning of internal network nodes, refer to the following
section:
How the learning mode works (Page 214)
Basics and application
212
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.6 Configuring internal network nodes
CP x43-1 Adv. and CP 1628
● CP x43-1 Adv.
Decide whether or not tunnel communication to the CP and/or to the internal subnet is
permitted for VPN connection partners in routing mode (SCALANCE S / M / VPN device /
NCP VPN client (Android)).
● CP 1628
Enter the NDIS nodes you want to be reachable through the tunnel of VPN connection
partners in routing mode (SCALANCE S / M / VPN device / NCP VPN client (Android)).
6.6.1
Configuring other nodes and subnets for the VPN tunnel
Meaning
By adding a security module to a VPN group, the local, internal network nodes/subnets of
the security module are automatically enabled for VPN tunnel communication. To allow
communication via the VPN tunnel with other subnets or nodes of another subnet, these
subnets or nodes need to be enabled for VPN tunnel communication in the configuration.
A subnet that needs to be enabled in the configuration may be as follows:
● A subnet that is reachable via the local network on the internal interface if a VPN tunnel
terminates on the external interface or on the DMZ interface.
● A subnet that can be reached via the DMZ interface if a VPN tunnel terminates at the
external interface.
● A subnet that can be reached via the external interface if a VPN tunnel terminates at the
DMZ interface.
Requirement
Before the nodes or subnets can be enabled for tunnel communication, the following
requirements must be met:
● The security module is in a VPN group.
● The "VPN nodes" dialog area in the "VPN" tab is only displayed if the project is in
advanced mode.
Note
No return to standard mode possible
If you switch to the advanced mode and change the configuration for the current project,
you can no longer switch back.
Remedy SCT standalone: You close the project without saving and open it again.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
213
Secure communication in the VPN via an IPsec tunnel
6.6 Configuring internal network nodes
How to access this function - Bridge mode
Note: If nodes or subnets connected to the DMZ interface (SCALANCE S623/S627-2M only)
need to be enabled, follow the description for the routing mode.
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "VPN" tab.
You enable nodes and subnets during configuration in the "VPN nodes" dialog area.
3. If you want to enable entire subnets for tunnel communication, enter these in the "Internal
subnets" tab. If you want to enable individual nodes for tunnel communication, enter the
nodes in the "Internal IP nodes" or Internal MAC nodes" tab.
Note: Before subnets specified here can be reached, a router must also be entered in the
"Routing" tab for them. In addition to this, the firewall must also allow communication with the
nodes.
How to access this function - Routing mode
1. Select the security module to be edited.
2. Select the "Edit" > "Properties..." menu command, "VPN" tab.
You enable subnets during configuration in the "VPN nodes" dialog area.
3. In the "Subnets to be reached through tunnel" tab, enter the network ID and the subnet
mask of the subnet to be included in tunnel communication.
Note: Before subnets specified here can be reached, a router must also be entered in the
"Routing" tab for them. In addition to this, the firewall must also allow communication with the
subnets.
6.6.2
How the learning mode works
Finding nodes for tunnel communication automatically (SCALANCE S in bridge mode only)
One great advantage of configuration and operation of tunnel communication is that
SCALANCE S modules can find nodes in the internal network automatically. This means that
you do not need to configure the internal network nodes involved in tunnel communication
manually.
New nodes are detected by the SCALANCE S module during operation. The detected nodes
are signaled to the SCALANCE S module belonging to the same group. This allows data
exchange within the tunnels of a VPN group in both directions at any time.
Basics and application
214
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.6 Configuring internal network nodes
Requirements
The following nodes are detected:
● Network nodes with IP capability
Network nodes with IP capability are found when an ICMP response to the ICMP subnet
broadcast is sent.
IP nodes downstream from routers can be found if the routers pass on ICMP broadcasts.
● ISO network nodes
Network nodes without IP capability but that can be addressed over ISO protocols can
also be learnt.
This is only possible if they reply to XID or TEST packets. TEST and XID (Exchange
Identification) are auxiliary protocols for exchanging information on layer 2. By sending
these packets with a broadcast address, these network nodes can be located.
● PROFINET nodes
Using DCP (Discovery and basic Configuration Protocol), it is possible to find PROFINET
nodes.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
215
Secure communication in the VPN via an IPsec tunnel
6.6 Configuring internal network nodes
Network nodes that do not meet these conditions must be configured statically.
Note
No learning mode for VPN tunnel on DMZ interface
The learning of internal nodes is supported only on interfaces that are connected in bridge
mode. The DMZ interface is always connected in routing mode.
How to access the function
1. Select the SCALANCE S module to be edited.
2. Select the "Edit" > "Properties..." menu command, "VPN" tab.
When is it useful to disable the automatic learning mode?
The default settings for the security module assume that internal networks are always
secure; in other words, in a normal situation, no network node is connected to the internal
network if it is not trustworthy.
Disabling the learning mode is useful if the internal network is static; in other words, when
the number of internal notes and their addresses do not change.
If the learning mode is disabled, this reduces the load on the medium and the network nodes
in the internal network resulting from the learning packets. The performance of the
SCALANCE S module is also improved since it does not need to process the learning
frames.
Basics and application
216
Configuration Manual, 09/2013, C79000-G8976-C286-02
Secure communication in the VPN via an IPsec tunnel
6.6 Configuring internal network nodes
Note: In learning mode, all network nodes in the internal network are detected. The
information relating to VPN configuration limits relates only to network nodes that
communicate over VPN in the internal network.
Note
If more than 128 internal nodes are being operated, the permitted configuration limits are
exceeded and an illegal operating status results. Due to the dynamics in the network traffic,
this causes internal nodes that have already been learned to be replaced by new previously
unknown internal nodes.
Network nodes that cannot be learnt
There are nodes in the internal network that cannot be learnt. This involves nodes of subnets
located in the local internal network of the SCALANCE S module (for example downstream
from routers). These subnets can also not be learnt. Nodes and subnets that cannot be
learnt must be configured statically in advanced mode.
Note
No return to standard mode possible
If you switch to advanced mode and change the configuration for the current project, you can
no longer switch back.
Remedy SCT standalone: You close the project without saving and open it again.
6.6.3
Displaying the detected internal nodes
All network nodes found are displayed in the Security Configuration Tool.
1. Change to "Online" mode.
2. Select the "Edit" > "Online diagnostics..." menu command, "Internal nodes" tab.
Result: The found internal network nodes are displayed.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
217
Secure communication in the VPN via an IPsec tunnel
6.6 Configuring internal network nodes
Basics and application
218
Configuration Manual, 09/2013, C79000-G8976-C286-02
Router and firewall redundancy
7.1
7
Overview
Meaning
Failures of the security modules SCALANCE S623 V4 and SCALANCE S627-2M V4 can be
automatically compensated by routers and firewall redundancy during operation. To do this,
group two security modules of the type SCALANCE S623 or SCALANCE S627-2M in a
redundancy relationship and then decide which will be the active security module of the
redundancy relationship during normal operation. If the active security module fails, the
passive security module automatically takes over its function as firewall and (NAT/NAPT)
router. To ensure the identical configuration of both security modules, these are connected
together via their DMZ interfaces and their configurations are synchronized during operation.
Address redundancy
The two security modules share a common IP address both on the external and internal
interface so that if one of the security modules fails, no modification of the IP addresses is
necessary. To do this, you need to configure an IP address for the external and for the
internal interface of the redundancy relationship.
Configuring redundancy relationships and the security modules involved
After the security modules have been included in a redundancy relationship, part of the
module properties is configured solely based on the redundancy relationship. This part of the
module properties is disabled for the individual security modules and only becomes active
and editable again after removing the security modules from the redundancy relationship.
The following properties are configured based on the redundancy relationship:
● Basic settings of the redundancy relationship (network parameters, primary module)
● Firewall
● Routing
● NAT/NAPT routing (not 1:1 NAT)
The settings listed below remain active for the individual security modules even after
including them in a redundancy relationship. These settings can still be adapted separately
for both security modules.
● Interface settings (it is not possible to deactivate interfaces)
● Standard rules for IP services (firewall)
● DDNS
● Time synchronization
● Log settings
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
219
Router and firewall redundancy
7.2 Creating redundancy relationships and assigning security modules
● SNMP
● MRP/HRP
● RADIUS
7.2
Creating redundancy relationships and assigning security modules
Requirements
Security modules can only be assigned to a redundancy relationship if they meet the
following requirements:
● Security module is of the type "S623 V4" or "S627-2M V4"
● The security module is in routing mode.
● All interfaces of the security module are active
● IP assignment method "static address" is configured for all interfaces
● The security module is not a member of a VPN group.
● The security module is not assigned to any other redundancy relationship
Procedure
1. Select the "Redundancy relationships" object in the navigation panel.
2. Select the menu command "Insert redundancy relationship..." in the shortcut menu (right
mouse key) of the object.
Result: The created redundancy relationship is shown in the navigation panel.
3. Assign the security modules to the redundancy relationship by selecting them in the
content area and dragging them to the created redundancy relationship in the navigation
panel.
4. in the "Configuration of the redundancy relationship" dialog, you have the following
options for configuring the redundancy relationship:
– Adoption of the configuration from the "Firewall", "Routing" and "NAT/NAPT" tabs of a
security module for the redundancy relationship. From the drop-down list, you can
select the security module whose configuration you want to use for the redundancy
relationship. This overwrites an existing configuration of the redundancy relationship.
– Creation of the assigned security module within the redundancy relationship. This is
possible only when only one security module is assigned to a created redundancy
relationship.
As an alternative, you can configure the redundancy relationship later using the
properties of the redundancy relationship, see section:
Configuring redundancy relationships (Page 221)
Result: You have created a redundancy relationship and assigned the required security
modules to it.
Basics and application
220
Configuration Manual, 09/2013, C79000-G8976-C286-02
Router and firewall redundancy
7.3 Configuring redundancy relationships
7.3
Configuring redundancy relationships
How to access this function
Select the redundancy relationship in the navigation panel and select the "Edit" >
"Properties..." menu command.
Configuring network parameters of the redundancy relationship
Table 7- 1
Parameters in the "Basic settings" tab
Configurable parameter
Meaning
Primary module
Selection of the security module that will be the active
security module in normal operation.
IP address
Virtual IP address of the external or internal interface of the
redundancy relationship
Subnet mask
Subnet mask of the virtual external or internal interface of
the redundancy relationship
Comment
Optional comment
For general information on configuring network parameters, refer to the following section:
Creating modules and setting network parameters (Page 91)
Configuring the firewall
The configuration of IP packet filter rules for redundancy relationships is basically the same
as when configuring IP packet filter rules for individual security modules. The
communications directions "From external to internal" and "From internal to external" are
available.
For general information on configuring IP packet filter rules in advanced mode, refer to the
following section:
IP packet filter rules (Page 147)
Configuring address translation with NAT/NAPT
The configuration of address translation with NAT/NAPT for the redundancy relationship is
basically the same as configuring the address translation with NAT/NAPT for individual
security modules. For redundancy relationships, only Source NAT and NAPT can be
configured. With Source NAT, source IP addresses in the internal subnet can only be
replaced with the virtual external IP address of the redundancy relationship. No alias IP
addresses can be registered on the external interface of the redundancy relationship. With
NAPT, only the "External to internal" address translation direction can be configured.
For general information on configuring address translations with NAT/NAPT, refer to the
following section:
Address translation with NAT/NAPT (Page 172)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
221
Router and firewall redundancy
7.3 Configuring redundancy relationships
Configuring routing
The configuration of routes for the redundancy relationship is basically the same as when
configuring routes for individual security modules.
For general information on configuring routing, refer to the following section:
Specifying a standard router and routes (Page 168)
See also
MAC packet filter rules (Page 157)
Basics and application
222
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8
With the SOFTNET Security Client PC software, secure remote access is possible from
PCs/PGs to automation systems protected by security modules via public networks.
This chapter describes how to configure the SOFTNET Security Client in the Security
Configuration Tool and then commission it on the PC/PG.
Further information
You will also find detailed information on the dialogs and parameter settings in the online
help of the SOFTNET Security Client.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
See also
Secure communication in the VPN via an IPsec tunnel (Page 193)
8.1
Using the SOFTNET Security Client
Area of application - access over VPN
With the SOFTNET Security Client, you configure a PC/PG so that it can automatically
establish a secure IPsec tunnel connection in the VPN (Virtual Private Network) to one or
more security modules.
PG/PC applications such as NCM Diagnostics or STEP 7 can access devices or networks in
an internal network protected by the security module via a secure tunnel connection.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
223
SOFTNET Security Client
8.1 Using the SOFTNET Security Client
Automatic communication over VPN
For your application, it is important that the SOFTNET Security Client detects access to the
IP address of a VPN node. You address the node using the IP address as if it was located in
the local subnet to which the PC/PG with the application is attached.
Note
Via the IPsec tunnel, IP-based communication is possible only between SSC and the
security modules as well the internal nodes behind the security modules. Layer 2
communication is not possible with the SSC.
Operation
The SOFTNET Security Client PC software is used for configuration of the security
properties required for communication with devices protected by security modules. Following
configuration, the SOFTNET Security Client runs in the background - visible as an icon in the
symbol bar on the PG/PC.
Details in the online help
You will find detailed information on the dialogs and input boxes in the online help of the
SOFTNET Security Client user interface.
You can open the online help with the "Help" button or the F1 key.
Basics and application
224
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.1 Using the SOFTNET Security Client
How does the SOFTNET Security Client work?
The SOFTNET Security Client reads in the configuration created with the Security
Configuration Tool and, if applicable, obtains the required information on the certificates to
be imported from the file. The root certificate and the private keys are imported and stored
on the local PG/PC.
Following this, security settings are made based on the data from the configuration so that
applications can access services on and downstream from the security modules using IP
addresses.
If the learning mode for the internal nodes or programmable controllers is enabled, the
configuration module first sets a security policy for the secure access to the security
modules. Afterwards, the SOFTNET Security Client identifies the IP addresses of the internal
nodes and enters these in special filter lists of the security policy.
Result: Applications such as STEP 7 communicate with the programmable controllers via
VPN.
Note
On a Windows system, the IP security policies are stored separately for specific users. Only
one IP security policy can ever be valid at one time for a user.
If you do not want an existing IP security policy to be overwritten by installing the SOFTNET
Security Client, you should install and use the SOFTNET Security Client under a user
specifically set up for it.
Supported operating systems
The SOFTNET Security Client is suitable for use with the following operating systems:
● Microsoft Windows XP 32-bit + Service Pack 3
● Microsoft Windows 7 Professional 32/64-bit
● Microsoft Windows 7 Professional 32/64-bit + Service Pack 1
● Microsoft Windows 7 Ultimate 32/64-bit
● Microsoft Windows 7 Ultimate 32/64-bit + Service Pack 1
Response to problems
If problems occur on your PG/PC, SOFTNET Security Client reacts as follows:
● Established security policies are retained when you turn your PG/PC off and on again;
● Messages are displayed if a configuration is not found.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
225
SOFTNET Security Client
8.2 Installation and commissioning of the SOFTNET Security Client
8.2
Installation and commissioning of the SOFTNET Security Client
8.2.1
Installing and starting SOFTNET Security Client
You install the SOFTNET Security Client PC software from the product DVD.
1. First read the information in the README file of your SCALANCE S DVD and follow any
additional installation instructions it contains.
2. Run the Setup program;
The simplest way is to open the overview of the contents of your SCALANCE S DVD →
this is started automatically when you insert the DVD or can be opened from the start.exe
file. You can then select the entry "Installation SOFTNET Security Client" directly
Following installation and startup of the SOFTNET Security Client, the symbol of the
SOFTNET Security Client appears in the Windows taskbar:
NOTICE
Incompatibility with other VPN client software
If other VPN client software is installed on your PC in addition to the SOFTNET Security
Client, it may no longer be possible to establish VPN tunnels using the SOFTNET Security
Client. You should therefore uninstall this VPN client software before using the SOFTNET
Security Client.
Setting up the SOFTNET Security Client
Once activated, the most important functions run in the background on your PG/PC.
The SOFTNET Security Client is configured as follows:
● Export of a security configuration from the Security Configuration Tool.
● Import of the security configuration in its own user interface as described in the next
section.
Basics and application
226
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.3 Creating a configuration file with the Security Configuration Tool
Startup behavior
Downloading the security rules can take some time. The CPU of the PG/PC is utilized up to
100% during this time.
Exiting SOFTNET Security Client
You exit SOFTNET Security Client as follows:
● Right-click on the SOFTNET Security Client symbol and select the option "Exit SOFTNET
Security Client".
● Click the "Exit" button in the open user interface.
Result: If SOFTNET Security Client is exited and the security policy is deactivated.
8.2.2
Uninstalling SOFTNET Security Client
When you uninstall, the security properties set by the SOFTNET Security Client are reset.
8.3
Creating a configuration file with the Security Configuration Tool
Configuring SOFTNET Security Client in the SCT project
The SOFTNET Security Client is created as a module in the SCT project. In contrast to the
other security modules, you do not need to configure any further properties.
Assign the created SOFTNET Security Client to the VPN group or groups in which an IPsec
tunnel is to be set up to the PG/PC. The group properties you configured for these VPN
groups are adopted.
Note
Refer to the information on parameters in the following section:
• Including security module in configured VPN group (Page 205)
Note
If you create several SOFTNET Security Clients within a group, no tunnels are set up
between these clients but only from the relevant client to the security modules.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
227
SOFTNET Security Client
8.3 Creating a configuration file with the Security Configuration Tool
Configuration files for the SOFTNET Security Client
The interface between the Security Configuration Tool and the SOFTNET Security Client is
controlled by configuration files.
The configuration is stored in the following file types:
● *.dat
● *.p12
● *.cer
Basics and application
228
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.3 Creating a configuration file with the Security Configuration Tool
Procedure
To generate the configuration files, perform the following steps in SCT:
1. Create a module of the type SOFTNET Security Client in SCT.
2. Assign the SSC module to the VPN groups in which the PG/PC will communicate over
IPsec tunnels.
3. Select the "Project" > "Save" menu command.
4. Select the module of the type "SOFTNET Security Client" and select the menu command
"Transfer" > "To module(s)...".
5. Select the storage location for the configuration files.
6. If you selected certificate as the authentication method, specify a password for the
certificate of the VPN configuration. If you do not assign a password, the project name
(not the password of the logged on user) is used as the password.
Result: Export of the configuration files is completed.
7. Transfer the files of the type *.dat, *.p12, *.cer to the PG/PC on which you want to operate
the SOFTNET Security Client.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
229
SOFTNET Security Client
8.4 Working with SOFTNET Security Client
8.4
Working with SOFTNET Security Client
Configurable properties
You can use the following individual services:
● Setting up secure IPsec tunnel communication (VPN) between the PC/PG and all security
modules or individual security modules of a project or several projects. The PC/PG can
access the security module and the internal nodes of the security module via this IPsec
tunnel.
● Enabling and disabling existing secure connections.
● Setting up connections after adding end devices later. The learning mode must be
enabled for this.
● Check a configuration; in other words, which connections are set up or possible.
How to open SOFTNET Security Client for configuration
Double-click on the symbol in the Windows taskbar or select the menu command "Maximize
SOFTNET Security Client" from the shortcut menu.
Basics and application
230
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.4 Working with SOFTNET Security Client
With the buttons, you can activate the following functions:
Button
Load Configuration
Meaning
Dialog for selecting a configuration file for import
Select a file and click the "Open" button.
Result: The configuration is read in.
In the dialog, you are asked whether you want to set up the tunnels for all security modules
immediately. For the IP addresses of the security modules entered in the configuration, the
tunnels for these addresses are set up immediately. This procedure is fast and efficient
particularly with larger configurations.
As an option, you can set up all tunnels in the "Tunnel Overview" dialog using the shortcut
menu.
Note: You can import the configuration files from several projects created with SCT one
after the other (see also the explanation of the procedure below).
Tunnel Overview
Dialog for setting up and editing the tunnels and diagnostics of the tunnel status
This is the dialog in which you actually configure the SOFTNET Security Client.
A list of secure tunnels along with the IP addresses of the security modules is displayed.
Based on the icons of each list entry, you can identify the tunnel status of the relevant
security modules. Using the shortcut menu, you can activate / deactivate or test the tunnels
and also remove the entry from the list.
If you have more than one network adapter on your PG/PC, the SOFTNET Security Client
automatically selects one adapter via which an attempt is made to set up a tunnel. In some
cases, the SOFTNET Security Client does not find an adapter to suit your node and then
enters any one of the adapters. In this case, you will need to change the network adapter
setting manually in the "Network adapter" dialog. You can call this dialog in the shortcut
menu of the nodes and security modules with the "Select Network Device…" entry.
Disable
All secure tunnels are deactivated.
Minimize
The user interface of the SOFTNET Security Client is closed.
The symbol for the SOFTNET Security Client remains displayed in the Windows taskbar.
Exit
The SOFTNET Security Client is closed and all tunnels disabled.
Help
Open online help
Info
Information on the version of the SOFTNET Security Client
Details: List of all the files required for the SOFTNET Security Client to function with
feedback as to whether these could be found on the system.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
231
SOFTNET Security Client
8.5 Setting up and editing tunnels
8.5
Setting up and editing tunnels
Setting up secure connections to all security modules
In the dialog for importing the configuration, select whether or not the tunnel connection will
be set up for all internal nodes of the security module immediately. This results in the
following possibilities:
● "Yes" - Enable tunnels automatically
For the IP addresses of the security modules entered in the configuration, the tunnels for
these addresses are set up.
● "No" - Read in tunnel configuration only
As an option, you can simply read in the configured tunnels and then set them up
individually in the "Tunnel Overview" dialog.
Basics and application
232
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.5 Setting up and editing tunnels
How to set up tunnel connections
1. With the "Download configuration" button, open the dialog for importing the configuration
file.
2. Select the configuration file created with SCT (file format ".dat").
You can read in configuration data from several projects at the same time. If there is
already configuration data in the SOFTNET Security client, select one of the following
options:
– "deleted": Only the last downloaded configuration data is available.
– "imported and replaced": This is useful if you have modified configuration data, for
example, you have only changed the configuration in project a, project b and c remain
unchanged and the modified configuration data is replaced in project a.
– "not imported": is useful if a security module has been added to a project. The existing
SCC configuration with previously imported security modules is not modified, learnt
internal nodes of these modules would be lost with a different option.
3. If you have selected "certificate" as the authentication method in SCT, enter the
password. If you selected certificate as the authentication method, specify a password for
the certificate of the VPN configuration. If you have not assigned a password in SCT, the
project name (not the project password of the logged-on user) is adopted as the
password.
4. If you have configured a SCALANCE M87x, SCALANCE M874-x module or an S7 CP
with DHCP activated on the Gbit interface in the Security Configuration Tool, the "IP/DNS
settings" dialog opens. Follow the steps below depending on the configured module type:
– For SCALANCE M87x modules and SCALANCE M874-x modules: Decide whether or
not the tunnel to the module will be established using the IP address obtained from the
ISP at runtime or alternatively using a DNS name.
– For S7 CPUs with DHCP activated on the Gbit interface: Enter the IP address
assigned using DHCP to be deleted.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
233
SOFTNET Security Client
8.5 Setting up and editing tunnels
5. Decide whether or not to enable the tunnel connections for the internal nodes of the
security module.
If you do not enable the tunnel connections here, you can do this at any time in the
"Tunnel Overview" dialog described below.
If you have decided to enable the tunnel connections, the tunnel connections between the
SOFTNET Security Client and the security modules are now established.
This may take some time.
6. Open the "Tunnel Overview" dialog.
The table displays the security modules and internal nodes with status information about
the tunnel connections.
Basics and application
234
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.5 Setting up and editing tunnels
7. If nodes are not displayed in the table, use the command line to send a ping command to
the missing nodes.
Result: The node is learned by the security module and passed on to the SOFTNET
Security Client. If it is nevertheless not learned, you should configure the node statically
in the VPN tab.
Note:
If the dialog is not open while a node is detected, the dialog is displayed automatically.
This function can be disabled with "Options" > "Settings…".
Note
Statically configured nodes and subnets
If you configure nodes or subnets statically at a later point in time, you will also need to
download the configuration for a SOFTNET Security Client used in the VPN again.
8. Enable the nodes for which no tunnel connection has yet been established.
After successful establishment of the connection, start the application that will establish a
communication connection to one of the nodes, for example STEP 7.
Note
If there are several network adapters in the PG/PC, SSC automatically selects the
network adapter to establish a tunnel. It is possible that this is not the required network
adapter. If there is no network adapter suitable for the project, SSC automatically enters
one. In this case, adapt the setting for the network adapter using the shortcut menu of the
nodes and security modules in the "Tunnel Overview" dialog.
Meaning of the parameters
Table 8- 1
Meaning of the parameters in the "Tunnel Overview" dialog box
Parameter
Meaning / range of values
Status
You will find the meaning of the status displays in the following
table.
Name
Name of the module or node adopted from the SCT configuration.
IP address int. / subnet
If there are internal nodes / subnets, the IP address of the internal
node or the network ID of the internal subnet is displayed.
Tunnel endpoint IP
IP address of the assigned security module.
Tunnel over...
If the PC is operated with more than one network adapter, the
assigned IP address via which the VPN tunnel is established is
displayed.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
235
SOFTNET Security Client
8.5 Setting up and editing tunnels
Table 8- 2
Symbol
Status displays*
Meaning
There is no connection to the security module or node.
There are more nodes that are not displayed. Double-click on the symbol to display further
nodes.
Tunnel to node is disabled. There is no IP security policy set up in the system. You
communicate with this node without encryption.
Tunnel to node is enabled. There is an IP security policy set up in the system. You
communicate with encryption and therefore securely with this node.
Tunnel to SCALANCE S module is disabled. There is no IP security policy set up in the
system. You communicate with this security module without encryption.
Tunnel to SCALANCE S module is enabled. There is an IP security policy set up in the
system. You communicate with encryption and therefore securely with this security
module.
Tunnel to SCALANCE M module is disabled. There is no IP security policy set up in the
system. You communicate with this security module without encryption.
Tunnel to SCALANCE M module is enabled. There is an IP security policy set up in the
system. You communicate with encryption and therefore securely with this security
module.
Tunnel to CP343-1 Advanced is disabled. There is no IP security policy set up in the
system. You communicate with this CP without encryption.
Tunnel to CP 343-1 Advanced is enabled. There is an IP security policy set up in the
system. You communicate with encryption and therefore securely with this CP.
Tunnel to CP 443-1 Advanced is disabled. There is no IP security policy set up in the
system. You communicate with this CP without encryption.
Tunnel to CP 443-1 Advanced is enabled. There is an IP security policy set up in the
system. You communicate with encryption and therefore securely with this CP.
Tunnel to CP 1628 is disabled. There is no IP security policy set up in the system. You
communicate with this CP without encryption.
Tunnel to CP 1628 is enabled. There is an IP security policy set up in the system. You
communicate with encryption and therefore securely with this CP.
Tunnel to internal subnet is disabled. There is no IP security policy set up in the system.
You communicate with this subnet without encryption.
Tunnel to internal subnet is enabled. There is an IP security policy set up in the system.
You communicate with encryption and therefore securely with this subnet.
Module / node cannot be reached.
Module / node can be reached, tunnel to module / node is, however, disabled. There is no
IP security policy set up in the system. You communicate with this module / node without
encryption.
Module / node can be reached, tunnel to module / node is, enabled.
Reachability test disabled. No statement can be made as to whether the module / node
can be reached.
* The table is valid for Windows XP. In Windows 7, the table is valid if the Windows firewall is
activated.
Basics and application
236
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.5 Setting up and editing tunnels
Operator controls in the "Tunnel Overview" dialog
Operator element
Meaning
"enable active learning" check box
If the learning mode is enabled in the configuration of the
security modules, this can also be enabled for the
SOFTNET Security Client. This automatically provides you
with the information about the internal nodes of the security
modules in the tunnel overview. Otherwise the list box
"Learn internal nodes" is disabled and no information about
the internal nodes of the security modules will be shown in
the tunnel overview.
"Delete All" button
The IP security policies of the entries set up using SSC are
deleted.
"Clear" button
Deletes all entries in the logging console.
Selecting and working with a tunnel entry - options in the shortcut menu
Select an entry in the "Tunnel Overview" dialog and open further options using the shortcut
menu.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
237
SOFTNET Security Client
8.5 Setting up and editing tunnels
Menu command
Meaning
Enable all Members / Disable all members
You can disable set-up secure connections with the "Disable
all Members" entry. Result: The security policy is disabled
on the PC. To undo the change and to reactivate the tunnel,
click the "Enable all Members" entry.
Select Network Device...
For each security module, you can select a network adapter
with the "Select Network Device" menu command in the
shortcut menu via which the tunnel will be set up.
Test Tunnel
Test the tunnel connection.
Extended Diagnostics
Opens the "Extended Diagnostics" dialog.
Change IP Address/DNS Name (for SCALANCE M only)
Changes the IP address or DNS name of the selected entry.
Delete Entry
The IP security policy of the selected entry is deleted.
Note
Extension of the policy when activating internal nodes
Please note that the policy in the system is extended each time the internal nodes are
activated individually. Deactivation of the overall system (via the dropdown menu of the
upstream SCALANCE S) does not result in the adjustment of the policy but only to
deactivation of the policy. This means that the deactivated overall policy plus the additional
internal node are activated upon activation of an internal node. If you want to make sure that
the established policy completely refers to the nodes you activated, close the SOFTNET
Security Client and reopen it.
Expanded module diagnostics
To call extended module diagnostics, select the "Extended Diagnostics" menu command in
the shortcut menu of an entry. As an alternative, you can open the dialog using the "Options"
> "Advanced Module Diagnostics" menu command in the main window of the SOFTNET
Security Client.
The view is used only for diagnostics of the system status relating to the configured security
modules and can be useful when contacting Customer Support for help.
● SCALANCE S / MD74x module / CP
Here, select the security module for which the current system status will be diagnosed.
Note: All the security modules read in using the configuration can be selected.
● Routing settings (module-specific parameters)
Shows the settings for interfaces and internal nodes/subnets detected in the
configuration.
● Active main modes / active quick modes
If you have set up main modes or quick modes for the selected module on the PG/PC,
the details are displayed here. This also includes the total number of main modes or
quick modes found on the system for the selected module.
Basics and application
238
Configuration Manual, 09/2013, C79000-G8976-C286-02
SOFTNET Security Client
8.5 Setting up and editing tunnels
● Routing settings (network settings of the computer)
Shows the current routing settings of the computer.
You can obtain additional routing information with the "Show all routing settings" option.
● Assigned IP addresses
List of the network interfaces known to the computer in conjunction with the configured or
assigned IP addresses.
Logging Console
In the "Settings" dialog, you can select which entries are displayed in the logging console.
You can open this dialog with the menu command "Options" > "Settings" in the main dialog
of the SOFTNET Security Client.
The following information is shown:
● Diagnostics information about connection establishment with the configured security
modules and internal nodes / subnets.
● Date and time stamp at the time of the events
● Establishment and termination of a security association
● Negative reachability test (test ping) to the configured nodes
● Download configuration files
● Learn / unlearn internal nodes/subnets
Global settings for the SOFTNET Security Client
1. Select the menu command "Options" > "Settings" in the main dialog of the SOFTNET
Security Client.
2. Make the global settings that will be retained after closing and opening the SOFTNET
Security Client.
You will find the functions in the following table:
Function
Description / options
Log file size
Size of the file containing the messages output in
the logging console of the tunnel overview. Since
the log data is saved in the file via a ring buffer,
use the size of the file to select how long the log
data remains saved in the file.
Number of messages to be displayed in the
logging console of the tunnel overview.
Number of messages that will be extracted from
the log file and displayed in the logging console
of the tunnel overview.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
239
SOFTNET Security Client
8.5 Setting up and editing tunnels
Function
Description / options
Output the following log messages in the logging
console of the tunnel overview:
Selection of the types of messages displayed in
the logging console of the tunnel overview.
•
Display of the negative reachability test (ping)
•
Creation/deletion of security associations
(quick modes)
•
Creation / deletion of main modes
•
Download configuration files
•
Learn internal nodes
Log file size (debug log files)
Log file size of the source files for debug
messages of the SOFTNET Security Client (can
be requested from Customer Support to make
analyses easier)
Reachability test, wait time for reply
Selectable wait time for a ping that will establish
whether a tunnel partner can be reached. It is
important to make this setting especially for
tunnels with slow transmission paths (UMTS,
GPRS, etc.) on which the delay of the data
packets is significantly higher.
This therefore directly influences the display of
the reachability in the tunnel overview.
Disable reachability test globally
If you enable this function, the reachability test is
disabled globally for all the configurations
contained in the SOFTNET Security Client.
Advantage: No additional data volume is created.
Disadvantage: In the tunnel overview, there is no
feedback message to indicate whether a tunnel
partner can be reached or not.
Show Tunnel Overview window in the foreground
when a new internal member is learned
If you enable this function, the "Tunnel Overview"
dialog is displayed if a new internal node has
been detected.
Basics and application
240
Configuration Manual, 09/2013, C79000-G8976-C286-02
Online functions - test, diagnostics, and logging
9
For test and monitoring purposes, the security module has diagnostics and logging functions.
● Diagnostic functions
These include various system and status functions that you can use in online mode.
● Logging functions
This involves the recording of system and security events.
The events are logged in the buffer areas of the security module or on a Syslog server.
These functions can only be assigned parameters and evaluated when there is a network
connection to the selected security module.
Recording events with logging functions
You select the events to be logged in the log settings for the relevant security module.
You can configure the following variants for logging:
● Local logging
In this variant, you log events in local buffers of the security module. You can then access
these logs, display them and archive them on the service station in the online dialog of
the Security Configuration Tool.
● Network Syslog
With Network Syslog, you use a Syslog server in the network to which the events are
sent. You specify the events that can be sent in the log settings of the relevant security
module.
Archiving log data and reading in from a file
You can save the logged events for archiving in a log file and open this in offline mode. To
do this, select the menu command "Options" > "Log files..." and select the log file to be
opened using the "Open..." button. For more detailed information, refer to the following
section:
● Overview of the functions in the online dialog (Page 242)
Diagnostics in ghost mode
After obtaining an IP address from the internal node, the security module has an IP address
on the external interface that can differ from the IP address with which the security module
was initially configured. Before you can run diagnostics via the external interface, you first
need to replace the IP address initially configured for the external interface with the IP
address obtained by the security module during runtime from the internal node in the
Security Configuration Tool.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
241
Online functions - test, diagnostics, and logging
9.1 Overview of the functions in the online dialog
9.1
Overview of the functions in the online dialog
In the Security Configuration Tool, the security module provides the following functions in the
online dialog:
Table 9- 1
Functions and logging in online diagnostics
Function / tab in the online dialog
Meaning
System and status functions
Status
Display of the device status of the security module selected
in the project.
Date and time of day
Date and time setting.
Interface settings
Overview of the settings of the individual interfaces.
Dynamic DNS
Overview of the settings for dynamic DNS
ARP table
Display of the ARP table of the security module.
Logged-on users
Shows the users logged on to the Internet page for userspecific IP rule sets.
Communications status
Display of the communication status and the internal
network nodes of security modules located in the same
VPN group as the selected security module.
Internal nodes
Display of the internal network nodes of the security
module.
Dynamically updated
firewall rules
Display of the IP addresses enabled dynamically by HTTP
or HTTPS or downloaded later by a user. The IP addresses
in this tab can be updated by the following events:
•
Expansion/modification of the IP access control list
•
Updating he firewall rules
Dynamic expansions entered by the CP during runtime,
for example PROFINET IO devices
Since this tab only shows the dynamically updated firewall
rules, to gain an overall view of the current firewall status of
the module, the firewall rules that were configured offline
must also be included.
•
Ghost mode
Dialog for the ghost mode of the SCALANCE S602 with
information on the IP address of the internal node (identical
to the external IP address of the security module) and on IP
address changes at the internal node.
IP blacklist
Display of the IP addresses that were entered in the
blacklist of the firewall.
Logging functions
System log
Display of logged system events as well as starting and
stopping the display.
Audit log
Display of logged security events as well as starting and
stopping the display.
Basics and application
242
Configuration Manual, 09/2013, C79000-G8976-C286-02
Online functions - test, diagnostics, and logging
9.1 Overview of the functions in the online dialog
Function / tab in the online dialog
Packet filter log
Meaning
Display of logged data packets as well as starting and
stopping the display.
For more detailed information on the possible settings, in the individual tabs, refer to the
online help.
Requirements for access
To be able to use the online functions with a security module, the following requirements
must be met:
● There is a network connection to the selected module
● The project with which the module was configured is open
● The online mode is active in the Security Configuration Tool or the module-specific online
diagnostics was opened using the shortcut menu.
Note
Requirement for online diagnostics in ghost mode
Online diagnostics is only available in ghost mode if the security module has learnt the IP
address of the internal node and has adopted this as its external interface. After this, the
security module can be reached via the IP address of the external interface.
Warning if the configuration is not up-to-date or the wrong project has been selected
When you open the online dialog, the program checks whether the current configuration on
the security module matches the configuration of the loaded project. If there are differences
between the two configurations, a warning is displayed. This signals that you have either not
yet updated the configuration or have selected the wrong project.
Display of the logging status
The current logging status results from the loaded configuration or from the reconfiguration in
the online dialog. Possible buffer settings are ring buffers or linear buffers. You can see
which setting is currently active as follows:
1. Change the mode using the "View" > "Online" menu command.
2. Select the security module to be edited.
3. Select the "Edit" > "Online diagnostics..." menu command.
When you open one of the tabs for logging functions, you will see the current status of the
buffer setting of the selected security module in the lower part of the tab:
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
243
Online functions - test, diagnostics, and logging
9.2 Logging events
Online settings are not saved in the configuration
Settings that you make in online mode (for example buffer settings for logging functions) are
not stored in the configuration on the security module. Following a module restart, the
settings from the offline configuration are therefore always effective.
9.2
Logging events
Overview
Events on the security module can be logged. Depending on the event type, they are stored
in volatile or non-volatile buffers. As an alternative, you can also record on a network server.
Configuration in standard mode and in advanced mode
The options that can be selected in the Security Configuration Tool depend on the selected
view:
● Standard mode
"Local logging" is enabled as default in standard mode; packet filter events can be
enabled globally in the "Firewall" tab. "Network Syslog" is not possible in this view.
● Advanced mode
All the logging functions can be enabled or disabled in the "Log settings" tab of a selected
module; packet filter events must also be selected and activated in the "Firewall" tab
(local or global rules).
Logging procedures and event classes
During configuration, you can specify which data should be logged. As a result, you enable
logging as soon as you download the configuration to the security module.
During configuration, you also select one or both of the possible logging procedures:
● Local logging
● Network Syslog
The security module recognizes the following events for both logging methods:
Basics and application
244
Configuration Manual, 09/2013, C79000-G8976-C286-02
Online functions - test, diagnostics, and logging
9.2 Logging events
Function
How it works
Packet filter events (firewall)
The packet filter log records certain packets of the data traffic. Data packets are only
logged if they match a configured packet filter rule (firewall) or to which the basic
protection reacts (corrupt or invalid packets). This is only possible when logging is
enabled for the packet filter rule.
Audit events
The audit log automatically records security-relevant events, for example user actions
such as activating or deactivating packet logging.
System events
The system log automatically records system events, for example the start of a
process or actions for which a user has not been authenticated correctly using a
password. The logging can be scaled based on event classes.
Line diagnostics: Line diagnostics can also be configured. Line diagnostics returns
messages as soon as the number of bad packets exceeds a selectable limit.
Storage of logged data in local logging
There are two options for storage of recorded data:
● Ring buffer
At the end of the buffer, the recording continues at the start of the buffer and overwrites the
oldest entries.
● One-shot buffer
Recording stops when the buffer is full.
Enabling or disabling logging
In "Offline" mode in advanced mode, you can enable local logging for the event classes in
the log settings in the module properties and can select the storage mode. These log
settings are loaded on the module with the configuration and take effect when the security
module starts up.
When required, you can also enable or disable local logging of packet filter events and
system events in the online functions. This does not change the settings in the project
configuration.
Display of the logging status
Online settings are not saved in the configuration.
9.2.1
Local logging - settings in the configuration
In "offline" mode, you can enable the event classes in the log settings and can select the
storage mode. These log settings are loaded on the module with the configuration and take
effect when the security module starts up.
If necessary, you can modify these configured log settings in the online functions. This does
not change the settings in the project configuration.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
245
Online functions - test, diagnostics, and logging
9.2 Logging events
Log settings in standard mode
The log settings in standard mode correspond to the defaults in advanced mode. In standard
mode, however, you cannot change the settings.
Log settings in advanced mode
1. Select the module to be edited.
2. Select the "Edit" > "Properties..." menu command, "Log settings" tab.
The following dialog shows the default settings for the security module; the dialog for
configuration of the logging of system events is also opened:
Basics and application
246
Configuration Manual, 09/2013, C79000-G8976-C286-02
Online functions - test, diagnostics, and logging
9.2 Logging events
Configuring event classes
Table 9- 2
Local log - overview of the functions
Function / tab in the online dialog
Project engineering
Remarks
Packet filter events (firewall)
You enable options using the
check boxes.
Packet filter log data is not retentive
You select the storage mode
using the check boxes.
In the "Packets to be logged"
drop-down list, you can specify
the data packets to be logged:
Audit events (always enabled)
•
"All packets": The data
packets that are logged are
those to which a configured
firewall rule (standard mode
or advanced mode) applies.
In addition to this, all the
response packets to such
packets are recorded that
have passed the firewall
according to a configured
allow rule.
•
"Status generating packets":
The only data packets that
are logged are those to which
a configured firewall rule
(standard mode or advanced
mode) applies.
The data is stored in volatile memory on the
security module and is therefore no longer
available after the power supply has been
turned off.
Logging is always enabled.
Audit log data is retentive
The logged information is always
stored in the ring buffer.
The data is stored in a retentive memory of
the security module and is therefore still
available after turning off the power supply.
Note on CPs:
The audit log data is not retentive on CPs. A
syslog server should therefore be used to
back up the data.
System events
You enable options using the
check boxes.
You select the storage mode
using the check boxes.
To configure the event filter and
line diagnostics, open a further
dialog with the "Configure..."
button.
System log data is not retentive
The data is stored in volatile memory on the
security module and is therefore no longer
available after the power supply has been
turned off.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
247
Online functions - test, diagnostics, and logging
9.2 Logging events
Function / tab in the online dialog
Project engineering
Filtering of the system events
In this sub-dialog, set a filter level Select "Error" as the filter level or a higher
for the system events. As default, value to stop logging of general, uncritical
the following values are set:
events.
SCALANCE S: Level 3
•
CP: Level 3
Note on CPs
For a CP, select only level 3 or level 6.
Line diagnostics generates a
special system event. Set the
percentage of bad frames as of
which a system event is
generated. Assign a facility and a
severity to the system event.
Line diagnostics
9.2.2
•
Remarks
•
If you select level 3, the error messages
of levels 0 to 3 are output.
•
If you select level 6, the error messages
of levels 0 to 6 are output.
Using the severity, you weight the system
events of line diagnostics relative to the
severity of the other system events.
Note
Assign the system events of line diagnostics
a lower severity than the filtering of system
events. Otherwise, these events will not pass
through the filter and are not logged.
Network syslog - settings in the configuration
You can configure the security module as a client that sends logging information to a Syslog
server. The Syslog server can be in the local internal or external subnet. The implementation
corresponds to RFC 3164.
Note
Firewall - Syslog server not active in the external network
If the Syslog server is not enabled on the addressed computer, this computer generally
returns ICMP responses "port not reachable". If these reply frames are logged due to the
firewall configuration and sent to the Syslog server, the procedure can become never ending
(storm of events).
Remedies:
• Start the Syslog server;
• Change the firewall rules;
• Take the computer with the disabled Syslog server out of the network.
Basics and application
248
Configuration Manual, 09/2013, C79000-G8976-C286-02
Online functions - test, diagnostics, and logging
9.2 Logging events
Making the log settings
1. Change the mode with the menu command "View" > "Advanced mode".
Note
No return to standard mode possible
If you switch to the advanced mode and change the configuration for the current project,
you can no longer switch back.
Remedy SCT standalone: You close the project without saving and open it again.
2. Select the security module to be edited.
3. Select the "Edit" > "Properties..." menu command, "Log settings" tab.
The following dialog shows the standard settings for the security module when logging is
enabled for the network syslog:
Establishing a connection to the Syslog server
For SCALANCE S: The security module uses the configured module name as the hostname
to identify itself to the Syslog server.
For CPs: The security module uses its own IP address as the hostname to identify itself to
the Syslog server.
Enter the IP address / FQDN of the Syslog server in the "Syslog server" box. You can enter
the IP address either as a symbolic name or as a numeric name.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
249
Online functions - test, diagnostics, and logging
9.2 Logging events
The Syslog server must be reachable from the security module using the specified IP
address, if necessary using the router configuration in the "Routing" tab. If the Syslog server
cannot be reached, the sending of Syslog information is disabled. You can recognize this
operating situation based on the system messages. To enable the sending of Syslog
information again, you may need to update the routing information and restart the security
module.
Use symbolic names in log
If you enable the "Use symbolic name in logging" option, the address information of the log
frames transferred to the Syslog server is replaced by symbolic names. The security module
checks whether corresponding symbolic names have been configured and enters these in
the log frames.
Note
Longer a processing time when using symbolic names
If the "Use symbolic name in logging" check box is selected, the processing time on the
security module is increased.
The module names are automatically used as symbolic names for the IP addresses of the
security modules. In routing mode, these names have a port name added to them as follows:
"Modulename-P1", "Modulename-P2" etc.
Configuring event classes
Table 9- 3
Network Syslog - overview of the functions
Function / tab in the online dialog
Packet filter events (firewall)
Project engineering
Remarks
You enable this using the check box.
Which value you select here, depends on
the evaluation in the Syslog server. This
allows you to adapt to the requirements
in the Syslog server.
By setting facility and severity, Syslog
messages can be classified
according to their origin and their
severity. The assignment is made in
drop-down lists. Each event is
assigned the severity and facility you
set here.
Audit events
You enable this using the check box.
The severity and facility are assigned
in drop-down lists. Each event is
assigned the severity and facility you
set here.
If you leave the default setting, the
security module specifies which
combination of facility and severity is
displayed for the event.
The value you select here for the severity
and facility, depends on the evaluation in
the Syslog server. This allows you to
adapt to the requirements in the Syslog
server.
If you leave the default setting, the
security module specifies which
combination of facility and severity is
displayed for the event.
Basics and application
250
Configuration Manual, 09/2013, C79000-G8976-C286-02
Online functions - test, diagnostics, and logging
9.2 Logging events
Function / tab in the online dialog
Project engineering
Remarks
System events
You enable this using the check box.
To configure the event filter and line
diagnostics, open a further dialog with
the "Configure..." button.
Filtering of the system events
In this dialog, set a filter level for the
system events. As default, the
following values are set:
Select "Error" as the filter level or a
higher value to stop logging of general,
uncritical events.
•
SCALANCE S: Level 3
•
CP: Level 3
Line diagnostics generates a special
system event. Set the percentage of
bad frames as of which a system
event is generated. Assign a facility
and a severity to the system event.
Line diagnostics
Note on CPs
For a CP, select only level 3 or level 6.
•
If you select level 3, the error
messages of levels 0 to 3 are output.
•
If you select level 6, the error
messages of levels 0 to 6 are output.
Using the severity, you weight the
system events of line diagnostics relative
to the severity of the other system
events.
Note
Assign the system events of line
diagnostics a lower severity than the
filtering of system events. Otherwise,
these events will not pass through the
filter and are not recorded by the Syslog
server.
9.2.3
Configuring packet logging
Configuring logging in standard mode
You will find information on logging IP and MAC rule sets in the following sections:
● SCALANCE S in standard mode (Page 126)
● CPs in standard mode (Page 115)
Note
Relationship between log settings in standard mode and firewall rules
Log settings in standard mode do not affect firewall rules generated automatically during
connection configuration. This means, for example, that tunneled frames of a configured
connection cannot be logged. In advanced mode, logging can be extended to the
automatically generated firewall rules of connections.
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
251
Online functions - test, diagnostics, and logging
9.2 Logging events
Configuring logging in advanced mode
Enabling logging is identical for both rule types (IP or MAC) and all rules. To log data
packets of specific packet filter rules, put a check mark in the "Logging" column in the
"Firewall" tab.
Basics and application
252
Configuration Manual, 09/2013, C79000-G8976-C286-02
A
Appendix
A.1
DNS compliance
DNS-compliance according to RFC1035 involves the following rules:
● Restriction to 255 characters in total (letters, numbers, dash or period);
● The name must begin with a letter;
● The must end with a letter or a number;
● A separate name within the name, in other words a string between two periods may be a
maximum of 63 characters long:
● No special characters such as umlauts, brackets, underscores, slashes or spaces etc.
A.2
Range of values for IP address, subnet mask and address of the
gateway
Range of values for IP address
The IP address consists of four decimal numbers with the range from 0 to 255, each number
separated by a period; example: 141.80.0.16
Range of values for subnet mask
The subnet mask consists of four decimal numbers with the range from 0 to 255, each
number separated by a period; example: 255.255.0.0
The binary representation of the 4 subnet mask decimal numbers must contain a series of
consecutive 1s from the left and a series of consecutive 0s from the right.
The 1s specify the network number within the IP address. The 0s specify the host address
within the IP address.
Example:
Correct values:
255.255.0.0 decimal = 11111111.11111111.00000000.00000000 binary
255.255.128.0 decimal = 11111111.11111111.10000000.00000000 binary
255.254.0.0 decimal = 11111111.11111110.00000000.00000000 binary
Incorrect value:
255.255.1.0 decimal = 11111111.11111111.00000001.00000000 binary
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
253
Appendix
A.3 MAC address
Relationship between the IP address and subnet mask
The first decimal number of the IP address (from the left) determines the structure of the
subnet mask with regard to the number of "1" values (binary) as follows (where "x" is the
host address):
First decimal number of the IP address
Subnet mask
0 to 127
255.x.x.x
128 to 191
255.255.x.x
192 to 223
255.255.255.x
Note:
You can also enter a value between 224 and 255 for the first decimal number of the IP
address. This is, however, not advisable since this address range is reserved for other tasks
and with some configuration tools (e.g. STEP 7), there is no check of these values.
Value range for gateway address
The address consists of four decimal numbers taken from the range 0 to 255, each number
being separated by a period; example: 141.80.0.1
Range of values for IP address and gateway address
The only parts of the IP address and network transition address that may differ are those in
which "0" appears in the subnet mask.
Example:
You have entered the following: 255.255.255.0 for the subnet mask; 141.30.0.5 for the IP
address and 141.30.128.254 for the gateway address. Only the fourth decimal number of the
IP address and gateway address may be different. In the example, however, the 3rd position
is different.
You must, therefore, change one of the following in the example:
The subnet mask to: 255.255.0.0 or
the IP address to 141.30.128.5 or
the gateway address to: 141.30.0.254
A.3
MAC address
Note on the structure of the MAC address:
MAC addresses are hardware addresses for identifying network nodes. A MAC address
consists of six byes separated by hyphens in hexadecimal notation.
The MAC address consists of a fixed and a variable part. The fixed part ("basic MAC
address") identifies the manufacturer (Siemens, 3COM, ...). The variable part of the MAC
address distinguishes the various Ethernet nodes.
Basics and application
254
Configuration Manual, 09/2013, C79000-G8976-C286-02
B
References
B.1
Introduction - without CD/DVD
Finding the SIMATIC NET documentation
● Catalogs
You will find the order numbers for the Siemens products of relevance here in the
following catalogs:
– SIMATIC NET Industrial Communication / Industrial Identification, catalog IK PI
– SIMATIC Products for Totally Integrated Automation and Micro Automation, catalog
ST 70
You can request the catalogs and additional information from your Siemens
representative.
You can go to the Industry Mall on the Internet at the following address:
Link to Siemens Industry Mall (http://www.siemens.com/industrymall)
● Documentation on the Internet
You will find SIMATIC NET manuals on the Internet pages of Siemens Automation
Customer Support:
Link to Customer Support (http://support.automation.siemens.com/WW/view/en)
Go to the required product group and make the following settings:
"Entry list" tab, Entry type "Manuals / Operating Instructions"
● Documentation from the STEP 7 installation
Manuals that are included in the online documentation of the STEP 7 installation on your
PG/PC can be found in the start menu ("Start" > "All Programs" > "Siemens Automation"
> "Documentation").
See also
Link to the documentation:
(http://www.automation.siemens.com/simatic/portal/html_00/techdoku.htm)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
255
References
B.2 S7 CPs / On configuring, commissioning and using the CP
B.2
S7 CPs / On configuring, commissioning and using the CP
B.2.1
/1/
SIMATIC NET
S7 CPs for Industrial Ethernet
Configuring and Commissioning
Manual Part - General Application
Configuration Manual
Siemens AG
(SIMATIC NET Manual Collection)
On the Internet under the following entry ID:
30374198 (http://support.automation.siemens.com/WW/view/en/30374198)
B.2.2
/2/
SIMATIC NET
S7CPs for Industrial Ethernet
Manual Part B
Manual
Siemens AG
(SIMATIC NET Manual Collection)
You will find the manuals for the individual CPs under the following entry IDs:
CP 343-1 Advanced (GX31): 28017299
(http://support.automation.siemens.com/WW/view/en/28017299)
CP 443-1 Advanced (GX30): 59187252
(http://support.automation.siemens.com/WW/view/en/59187252)
B.3
For configuration with STEP 7 / NCM S7
B.3.1
/3/
SIMATIC NET
NCM S7 for Industrial Ethernet
Primer
Siemens AG
(part of the online documentation in STEP 7)
Basics and application
256
Configuration Manual, 09/2013, C79000-G8976-C286-02
References
B.4 S7 CPs On installing and commissioning the CP
B.3.2
/4/
SIMATIC NET
Commissioning PC Stations - instructions and getting started
Configuration manual
Siemens AG
(SIMATIC NET Manual Collection)
On the Internet under following entry ID:
13542666 (http://support.automation.siemens.com/WW/view/en/13542666)
B.3.3
/5/
SIMATIC
Configuring Hardware and Connections with STEP 7
Siemens AG
Part of the documentation package "STEP 7 Basic Knowledge"
(Part of the online documentation in STEP 7)
B.4
S7 CPs On installing and commissioning the CP
B.4.1
/6/
SIMATIC S7
Automation System S7-300
● CPU 31xC and 31x Installation: Operating instructions
Entry ID: 13008499 (http://support.automation.siemens.com/WW/view/en/13008499)
● Module Data: Reference manual
Entry ID: 8859629 (http://support.automation.siemens.com/WW/view/en/8859629)
Siemens AG
and
SIMATIC S7
Automation System S7-400, M7-400
● Installation: Installation manual
Entry ID: 1117849 (http://support.automation.siemens.com/WW/view/en/1117849)
● Module Data: Reference manual
Entry ID: 1117740 (http://support.automation.siemens.com/WW/view/en/1117740)
Siemens AG
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
257
References
B.5 On setting up and operating an Industrial Ethernet network
B.5
On setting up and operating an Industrial Ethernet network
B.5.1
/7/
SIMATIC NET
Twisted-Pair and Fiber-Optic Networks Manual
Siemens AG
(SIMATIC NET Manual Collection)
B.6
SIMATIC and STEP 7 basics
B.6.1
/8/
SIMATIC
Communication with SIMATIC
system manual
Siemens AG
Entry ID:
25074283 (http://support.automation.siemens.com/WW/view/en/25074283)
B.6.2
/9/
Documentation package "STEP 7 Basic Knowledge"
● Working with STEP 7 Getting Started (ID: 18652511
(http://support.automation.siemens.com/WW/view/en/18652511))
● Programming with STEP 7 (ID: 18652056
(http://support.automation.siemens.com/WW/view/en/18652056))
● Configuring Hardware and Connections with STEP 7 (ID: 18652631
(http://support.automation.siemens.com/WW/view/en/18652631))
● From S5 to S7, Converter Manual (ID: 1118413
(http://support.automation.siemens.com/WW/view/en/1118413))
Siemens AG
Order number 6ES7 810-4CA08-8AW0
(part of the online documentation in STEP 7)
Basics and application
258
Configuration Manual, 09/2013, C79000-G8976-C286-02
References
B.7 Industrial Communication Volume 2
B.7
Industrial Communication Volume 2
B.7.1
/10/
SIMATIC NET
Industrial Ethernet Network Manual
Siemens AG
(SIMATIC NET Manual Collection)
On the Internet under the following entry ID: 27069465
(http://support.automation.siemens.com/WW/view/en/27069465)
B.8
On the configuration of PC stations / PGs
B.8.1
/11/
SIMATIC NET
Commissioning PC Stations - Manual and Quick Start
Configuration Manual
Siemens AG
entry ID: 13542666 (http://support.automation.siemens.com/WW/view/en/13542666)
B.9
On configuration of PC CPs
B.9.1
/12/
SIMATIC NET Industrial Ethernet CP 1628
Compact Operating Instructions
Siemens AG
(SIMATIC NET Manual Collection)
On the Internet under the following entry ID: 56714413
(http://support.automation.siemens.com/WW/view/en/56714413)
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
259
References
B.10 SIMATIC NET Industrial Ethernet Security
B.10
SIMATIC NET Industrial Ethernet Security
B.10.1
/13/
SIMATIC NET Industrial Ethernet Security
SCALANCE S as of V3.0
Commissioning and installation manual
Siemens AG
(SIMATIC NET Manual Collection)
On the Internet under the following entry ID: 56576669
(http://support.automation.siemens.com/WW/view/en/56576669)
B.10.2
/14/
SIMATIC NET Industrial Remote Communication
SCALANCE M874
Configuration Manual
Siemens AG
(SIMATIC NET Manual Collection)
On the Internet under the following entry ID: 78389151
See also
78389151 (http://support.automation.siemens.com/WW/view/en/78389151)
B.10.3
/15/
SIMATIC NET
Telecontrol SCALANCE M875
Operating Instructions
Siemens AG
(SIMATIC NET Manual Collection)
On the Internet under the following entry ID: 58122394
(http://support.automation.siemens.com/WW/view/en/58122394)
Basics and application
260
Configuration Manual, 09/2013, C79000-G8976-C286-02
Index
*
C
*.cer, 66, 228
*.dat, 228
*.p12, 65, 89, 228
CA certificate, 85, 88, 89
CA group certificate, 89
Certificate, 86, 196
Exporting, 85
Importing, 85
Renewing, 87
Replace, 89
Replacing, 89
self-signed, 88
signed by certification authority, 88
Certificate manager, 86
Certification authority, 85, 86
CHAP, 103
Configuration limits, 21
Configuration rights, 76
Configuring time keeping, 187
Connection rules, 144
Consistency check, 64, 109, 185
local, 61
project-wide, 62
Content area, 45, 93
CP 1628
Purpose, 37
CP x43-1 Adv.
Purpose, 34
C-PLUG, 39, 61
Creating a route, 168
3
3DES, 204
A
Access protection, 39
Active nodes, 206
Address of the gateway, 254
Address parameters, 94
Address range, 153
Administrator, 73
Advanced Encryption Standard (AES), 204
Advanced mode, 42
DHCP server, 183
Firewall rules, 136
Global firewall rules, 137
Local logging, 244, 246
Logging, 252
Network Syslog, 244
User-specific firewall rules, 140
AES, 191, 204
Aggressive mode, 204
Applet, 77
ARP, 195
ARP proxy, 192
Audit events, 245
Authentication, 71
Authentication method, 195, 202
Autocrossover, 102
Automatic firewall rules, 143
Autonegotiation, 102
B
Bandwidth, 149, 158
Bridge mode, 100
Broadcast, 171
Buffer, 245
D
Data Encryption Standard (DES), 205
Data espionage, 27
DCP, 135
DCP (Primary Setup Tool), 162
Dead peer detection (DPD), 208
Default firewall setting
CP 1628, 121
CP x43 Adv., 115
SCALANCE S < V3.0, 126
Default initialization values, 61
Dependencies of rights, 77
DES, 191, 205
Details window, 46
Device rights, 76
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
261
Index
DHCP
Server, 134
Server configuration, 182
Symbolic names, 62
DHCP server, 184
Diagnostics, 241
Diagnostics user, 73
Diffie-Hellman key agreement, 204
DNS
Server, 135
DNS conformity, 253
E
Enabling the firewall
CP 1628, 115
CP x43-1 Adv., 115
SCALANCE S < V3.0, 134
SCALANCE S V3, 131
Enabling tunneled communication
CP x43-1 Adv., 115
SCALANCE S < V3.0, 134
SCALANCE S V3, 131
Encryption, 43, 61
ESP protocol, 116, 122, 204
Ethernet non IP frames, 113
Exporting an NTP server, 190
External network nodes
CP x43-1 Adv., 36
SCALANCE 602, 26
SCALANCE S612 / S623 / S627-2M, 29
F
Facility, 250
Firewall, 28
Advanced mode, 136
Firewall rules, 113
Symbolic names, 62
Firewall rule sets
Global, 57
User-defined, 140
Firmware version, 5
Flat network, 100
FTP, 77
FTP/FTPS, 54
FTPS certificates, 85
Full duplex, 99
G
Ghost mode, 100
Gigabit address, 88
Global firewall rule sets, 157
Global firewall rules, 137
Assigning, 139
Global packet filter rules, 139
Glossary, 7
Group assignments, 56
Group name, 154, 160
Group properties, 202
H
Half duplex, 99
HTTP, 154
I
ICMP, 146
ICMP services, 155
IEEE 802.3, 28, 113
IKE, 116, 122
IKE settings, 202
Installation
SCALANCE S, 43
Interface routing, 92, 100
Interfaces, 167
Internal network nodes
Configuring, 212
CP x43-1 Adv., 36
SCALANCE 602, 26
SCALANCE S612 / S623 / S627-2M, 29
Internet Key Exchange (IKE), 203
IP access control list, 77
IP access protection, 54
IP address, 152, 253
IP blacklist, 242
IP communication
From internal to external network, 134
With S7 protocol, 134
IP packet filter
local, 146
IP packet filter rules, 147
CP 1628, 149
CP x43-1 Adv., 149
SCALANCE S, 149
IP protocol, 136
IP rule sets, 137
User-specific, 140
IP services, 153
Basics and application
262
Configuration Manual, 09/2013, C79000-G8976-C286-02
Index
IPsec settings, 202
IPsec tunnel, 193
ISAKMP, 210
ISO protocol, 215
ISP account, 103
L
Layer 2, 113, 136, 195
Layer 3, 113, 136
Layer 4, 113
Learning mode, 214
Life of certificates, 201
Line Diagnostics, 245, 248, 251
LLDP, 77
Local firewall rules, 114, 137
Local logging, 241, 244, 247
Audit events, 247
Packet filter events, 247
System events, 247
Logging, 114, 241
CP x43-1 Adv., 115
Event classes, 250
SCALANCE S < V3.0, 134
SCALANCE S V3, 131
M
M874-x, 3, 66
MAC address, 254
MAC packet filter rules, 156, 158
MAC protocol, 136
MAC rule sets, 137
MAC services, 160
Main mode, 204
Maximum time of the session, 72, 74
MD5, 191, 205
Meaning of the symbols, 5
Menu bar, 48
Menu commands, 48
MIB, 77
Module properties, 91
Multicast, 171
N
NAT/NAPT
Routing, 169
NAT/NAPT router
Symbolic names, 62
Navigation panel, 45
NCP VPN client, 91
CA group certificate, 69
Creating a configuration file, 66, 69
Group certificate, 69
Network ID, 168
Network Syslog, 241, 244
No repercussions, 29
Nodes with an unknown IP address, 207
Non IP packets, 195
NTP
Symbolic names, 62
NTP (secure), 188
NTP server, 135, 188
O
Offline configuration view, 42
One-shot buffer, 245
Online diagnostics, 243
Online diagnostics view, 42
Overview of the functions
Module types, 18
P
Packet filter events, 245
PAP, 103
PC-CP, 3
Perfect Forward Secrecy, 205
Port
102 (S7 protocol - TCP), 154
123 (NTP), 171
20/21 (FTP), 154
443 (HTTPS), 171
4500 (IPsec), 171
500 (IPsec), 171
500 (ISAKMP), 210
514 (Syslog), 171
80 (HTTP), 154
Predefined firewall rules
CP x43-1 Adv., 115
SCALANCE S < V3.0, 134
SCALANCE S V3, 131
Pre-shared keys, 196
Product from other manufacturer, 91
PROFINET, 215
PROFINET address, 88
Project
Initialization values, 61
Properties of the VPN group, 202
Protocol, 154
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
263
Index
R
Range of values for IP address, 253
Remote access user, 73
Renewing the CA group certificate, 206
Ring buffer, 245
Role name, 74
Roles, 73
System-defined, 73
User-defined, 74
Root certification authorities, 87
Router IP address, 168
Routing mode, 100, 167
Enable, 167
S
S7-CP, 3
SA lifetime, 205
SCALANCE M, 3
Certification authority, 65
Creating a configuration file, 64
Group certificate, 65
SCALANCE M875, 3
SCALANCE M87x, 66
SCALANCE S, 3
Creating a module, 91
Operating systems supported, 43
SCALANCE S product DVD, 44
SCALANCE S602
Purpose, 24
SCALANCE S612
Purpose, 27
SCALANCE S623
Purpose, 27
SCALANCE S627-2M
Purpose, 27
Security Configuration Tool, 39, 41, 42
in STEP 7, 42
Installation, 44
Installation of CP x34-1 Adv., 44
Installation of the CP 1628, 44
Menu bar, 48
Operating modes, 42
Standalone, 42, 51
Security module, 3
Security settings, 225
Service group, 162
Settings
Project wide, 57
Severity, 250
SHA1, 191, 205
SiClock, 162
SiClock time-of-day frames, 135
SIMATIC NET glossary, 7
SNMP, 77
SNMPv1, 191
SNMPv3, 191
SOFTNET Security Client, 3
Configuring in the project, 227
Creating a configuration file, 227
Database, 228
Enable active learning, 237
Operating systems supported, 225
Purpose, 24
Startup behavior, 227
Uninstalling, 227
Specified connections, 53, 113
SSL certificate, 88
Standard mode, 42
Firewall, 114
Local logging, 244
Logging, 251
Standard router, 94, 168
Standard user, 73
Stateful packet inspection, 113
Status bar, 46
STEP 7, 51
Migrated data, 52
Object properties, 52
User migration, 70
Subnet mask, 94, 253
Supported operating systems
SCALANCE S, 43
SOFTNET Security Client, 225
Symbolic names, 62, 250
Symbols, 5
Syslog
Audit events, 250
Packet filter events, 250
Symbolic names, 62
Syslog server, 59, 241, 248
System events, 251
System events, 245
System-defined role
Administrator, 73
diagnostics, 73
Remote access, 73
standard, 73
T
TCP, 146, 154
Time synchronization, 187
Basics and application
264
Configuration Manual, 09/2013, C79000-G8976-C286-02
Index
Tunnel, 193
Tunnel functionality, 193
U
UDP, 146, 154
Unknown peers, 207
Unspecified connections, 53
Update firmware, 78
User
Assigning roles, 75
Creating roles, 73
Setting up, 71
User management, 57, 70
User name, 72
User permissions, 76
User-defined roles, 74
User-specific firewall rules, 140
Remote access user, 73
Timeout parameters, 143
User-specific IP rule sets, 141
V
VLAN operation, 196
VLAN tagging, 196
VPN, 24, 193
Module-specific properties, 208
SOFTNET Security Client, 223
VPN device, 91
Module certificate, 67
VPN group, 200
W
WAN IP address
Specifying, 210
Basics and application
Configuration Manual, 09/2013, C79000-G8976-C286-02
265
Index
Basics and application
266
Configuration Manual, 09/2013, C79000-G8976-C286-02
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement