Siemens Network Router Version: 1.2 - Manuals

Page 2 - Index

Index Index 1 Introduction........................................................................................................ 4 2 Security Services............................................................................................... 6 2.1 Assumptions .....................................

Page 3 - Executive Summary; the industrialization engineering branch).

Executive Summary Executive Summary The Scalance S 612/S 613 is a security module to protect the communication between automation networks and to avoid attacks to the networks. The security module provides the functionality of a firewall and a virtual private network (VPN). The system is based on th...

Page 4 - Introduction; The Siemens Scalance S 613 is a security module which protects the

1. Introduction 1 Introduction The Siemens Scalance S 613 is a security module which protects the communication between automation networks. It provides authentication, data integrity and confidentiality and protects against data theft and data manipulation. In automation engineering more and more c...

Page 6 - Security; implemented in software.

2. Security Services 2 Security Services The security module has two Ethernet interfaces, one to the internal network which is protected, and the other one to the external network. The interfaces are easily recognizable by a color marker in green and red color. The processor is an Intel IXP425, it s...

Page 7 - Figure 2: Firewall function of the security module; attacks and cache flooding.

2. Security Services and 3 on the security module. The packet filter controls the communication between the internal network and the external network (see Figure 2). Figure 2: Firewall function of the security module The firewall offers a packet filter adapted from OpenBSD for IP-packets with statef...

Page 8 - implementation was adapted from OpenBSD.

2. Security Services Figure 3: VPN-function of the Security-module For the communication over a VPN the security modules are collected in groups. For each VPN there is a so called network certificate with corresponding private key that identifies the VPN. Each security module that belongs to the VPN...

Page 9 - Firmware Update; Management; sent to the modules via HTTPs.

2. Security Services 2.2.4 Firmware Update The firmware of the security device can be updated. For this purpose, Siemens supplies an encrypted and digitally signed firmware. The user has to authenticate to the security module before loading new firmware. The new firmware is transferred to the securi...

Page 10 - First Initiation

2. Security Services 2.3.1 First Initiation At first initialization an IP address is assigned to the Scalance S moduls. After the IP configuration the modules can also be configured over the network. The first user to take the module in operation enters a user name and password which puts him in the...

Page 11 - Firmware

2. Security Services • Exchange of addresses of the internal networks between security modules • Signalizing that a packet was rejected because it was not received via an IPsec tunnel. The learning is always initiated if a node wants to communicate with another node and devices located in the same s...

Page 12 - Security; VPN

3. Security Analysis 3 Security Analysis The security module is designed for the use in automation networks. For automation networks availability and robustness are of first priority since the network must be protected against any failure so that the production never stops. For instance, in the chem...

Page 13 - and MD5 is no longer necessary.

3. Security Analysis The implementation of the IKE protocol does not show any known security weaknesses. No known security weaknesses of the OpenBSD-Isakmpd daemon were found. Additionally, the system incorporates a VPN bridge to transport non- IP-packets through the IPsec-tunnel Broadcast and multi...

Page 15 - Time Synchronization and Logging

3. Security Analysis The MiniWeb server is well implemented. The SSL implementation does not show any failures. The only security weakness is the long life span of the certificate and the use of MD5 for the generation of the certificates. The key length of 1024 bits is sufficient for the next three ...

Page 16 - Configuration Files

3. Security Analysis 3.2.1 Configuration Files The configuration tool transfers the configuration data via SSL. Hence, eavesdropping of the connection and determination of the data is not possible. The analysis of the configuration files gives only information about the default settings of the firew...

Page 17 - Summary; These basic assumptions are reflected in the standard settings.

4. Summary 4 Summary The security module is designed for using it in an automation network in order to protect the network from data theft and manipulation as well as attacks from the external network. The reliability of the network is of first priority, the aspect of security follows right after. F...

Page 18 - References

5. References 5 References Functional Specification, Version 1.0, 7.10.2003 Security Target, Version 0.2, 31.10.2003 Instruction Handbook, 1/2005 Design Specification, 19.1.2004 19-Aug-05 escrypt GmbH 18