Caution
The functions and solutions described in this entry predominantly confine
themselves to the realization of the automation task. Please also take into account
that corresponding protective measures have to be taken in the context of
Industrial Security when connecting your equipment to other parts of the plant, the
enterprise network or the Internet. For more information, please refer to Entry ID
50203404.
http://support.automation.siemens.com/WW/view/en/50203404
Please also actively use our technical forum in the Siemens Industry Online
Support regarding this subject. Share your questions, suggestions or problems and
discuss them with our strong forum community:
http://www.siemens.com/forum-applications
Copyright Siemens AG 2012. All rights reserved.
S602 V3 Firewall, V3.0, Entry ID: 22376747
SIMATIC Industrial Security
Firewall with SCALANCE S602 V3
Chapters of this application example:
1 Problem
2 Automation Solution
3 Minimizing Risk through Security
4 SCALANCE S Product Overview
5 Installation
6 Commissioning in Bridge Mode
7 Commissioning in Routing Mode
8 Operation of the Application
9 References
10 History
Warranty and Liability
Note The application examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The application
examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are correctly used. These application examples do not
relieve you of the responsibility of safely and professionally using, installing,
operating and servicing equipment. When using these application examples, you
recognize that Siemens cannot be made liable for any damage/claims beyond
the liability clause described. We reserve the right to make changes to these
application examples at any time without prior notice. If there are any deviations
between the recommendations provided in these application examples and other
Siemens publications, e.g. catalogs, then the contents of the other documents
have priority.
We do not accept any liability for the information contained in this document.
Any claims against us based on whatever legal reason resulting from the use of
the examples, information, programs, engineering and performance data etc.
described in this application example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Table of Contents
Warranty and Liability ..............................................................................................4
1 Problem...........................................................................................................7
1.1 Introduction .......................................................................................7
1.2 Overview ...........................................................................................7
2 Automation Solution ......................................................................................9
2.1 Overview of the overall solution .........................................................9
2.2 Description of the core functionality..................................................11
2.3 Hardware and software components used ....................................... 12
2.4 Alternative solution: VPN tunnel....................................................... 13
3 Minimizing Risk through Security ............................................................... 14
3.1 Conditions and requirements ........................................................... 14
3.2 The SIEMENS protection concept: Defense in depth........................ 15
3.3 Security mechanism: Firewall .......................................................... 15
3.3.1 Firewall classification ....................................................................... 15
3.3.2 Stateful packet inspection ................................................................ 16
3.4 Security mechanism: Address translation with NA(P)T ..................... 17
3.4.1 Address translation with NAT........................................................... 18
3.4.2 Address translation with NAPT......................................................... 20
3.4.3 FTP via a NAPT router..................................................................... 22
1 Problem
1.1 Introduction
In industrial automation, security of networks in production has top priority.
In the past, automation islands were frequently physically separated and used the
integrated security of the field busses.
With the advance of industrial Ethernet solutions, increased networking with the
office world and a large number of unsecured interfaces at the field level, security
is of greatest importance.
Due to this progress, industrial communication faces the same threats that are
known from the office and IT environment, such as hackers, viruses, worms and
Trojans, but also excessive communication load (broadcasts).
The existing security concepts and the use of standard components from the office
world require continuous maintenance and special expert knowledge. Normally,
they are not suitable for the special requirements of industrial communication.
1.2 Overview
Overview of the automation problem
Figure 1-1 (image not reproduced; the diagram shows the automation cells with PC 1 to PC 4).
Requirements
The implemented access control is to be easy and cost-effective, and it is also to be possible for the automation personnel to create and maintain it.
Integrated diagnostics of field devices and network components is to be possible from the control level.
The structure of the automation cells can be identical (same IP bands) (see Figure 1-1).
2 Automation Solution
2.1 Overview of the overall solution
Diagrammatic representation
The diagrammatic representation below shows the most important components of
the solution:
Figure 2-1 (image not reproduced): the SCALANCE X208, the service PC with STEP 7 and the Syslog server used for data logging.
Configuration
The protected automation cell contains two SIMATIC S7-300 stations that are
connected to the internal interface of the S602 V3 via a SCALANCE X208 as
follows:
S7-300 station 1 with a CPU317-2 PN/DP via a CP343-1 Advanced.
S7-300 station 2 via the integrated interface of the CPU319-3 PN/DP.
Via a SCALANCE X208, the following devices are connected to the external
interface of the SCALANCE S602 V3:
A PC in the control room via an integrated Ethernet interface.
A PC of a service employee via an integrated Ethernet interface.
A PC for recording log files.
An external PC for demonstrating unauthorized access.
Hardware components
Table 2-2 (columns: Component, Qty., MLFB/order number, Note; rows not reproduced)
Required tools
This application uses software components that can be downloaded as freeware
from the Internet. The individual software components are listed in the following:
Web server
FTP client
Syslog server
Primary Setup Tool (for address setting of SIMATIC NET products; see /3/ in
chapter 9 (References)).
More information
For more information on VPN, please refer to the following applications and FAQs:
Table 2-6
Title | Link
Secure Remote Access to SIMATIC Stations with the SCALANCE S612 V3 via Internet and UMTS | http://support.automation.siemens.com/WW/view/en/24960449
Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS | (link not reproduced)
Security with SCALANCE S612 V3 Modules Over IPSec VPN Tunnels | http://support.automation.siemens.com/WW/view/en/22056713
Remote Control Concept with SCALANCE S Modules Over IPSec-Secured VPN Tunnels | (link not reproduced)
How do you configure a VPN tunnel between a PC station with Windows XP SP2 and SCALANCE S61x V2.1 via the Internet with the Microsoft Management Console? | http://support.automation.siemens.com/WW/view/en/26098355
How do you configure a VPN tunnel between a PC station and SCALANCE S61x V2.1 via the Internet with the SOFTNET Security Client Edition 2005 HF1? | http://support.automation.siemens.com/WW/view/en/24953807
How is a VPN tunnel between two SCALANCE S 61x modules configured in Routing mode via the Internet? | http://support.automation.siemens.com/WW/view/en/24968211
3 Minimizing Risk through Security
Note No one can guarantee one hundred percent protection. However, there are
numerous options to minimize the risk.
A firewall is part of a security concept in the private and corporate sector that
prevents or restricts unauthorized access to networks or devices.
Firewalls are offered as a hardware- or software-based component.
Types of firewalls
There are three different types of firewalls. Their names are derived from the
highest OSI layer that is evaluated:
Packet filter (evaluation of packets up to OSI layer 3 (network layer)).
Circuit-level gateway (evaluation of packets up to OSI layer 4 (transport layer)).
Application-level gateway or proxy (evaluation of packets up to OSI layer 7
(application layer)).
Packet filters analyze the IP data packets and, based on defined criteria, either
forward or filter them.
Circuit-level gateways access the transport layer and thus have the option to
analyze correlations between the network connections and the packets. Aside from
the term circuit-level gateway, there are also a number of other terms. This
includes the term stateful packet inspection.
Selection criteria
The firewall to be used in a company or privately depends on several criteria:
The desired and achievable security.
The necessary overhead (hardware- or software-based firewall).
The achievable data throughput.
The costs.
Description
Stateful packet inspection is a firewall technology and operates at the network
layer, transport layer and optionally at the application layer of the OSI reference
model. Stateful inspection stands for state-controlled filtering and is an extension of
the packet filter. Access to various communication protocols enables stateful
packet inspection to create a status table of all network connections, to detect
correlations between data packets and to determine relations between existing
communication relationships.
Principle of operation
Due to this insight into the communication, stateful packet inspection allows, for
example, only data packets from external sources into the internal network that are
used as a response to a request started previously by an internal node.
If the external node sends data that was not requested, the firewall will block the
transfer even if a connection exists between internal and external nodes.
An important property of stateful packet inspection is the dynamic generation and
deletion of filter rules. If an internal node sends data to an external target device,
the firewall, after the first data packet has passed, must define a rule for a limited
period of time that accepts the response packet and forwards it to the sender of
the request (internal node). After the time window has expired, the rule must be
deleted.
Classification of IP addresses
IP addresses are used for logical addressing of devices in IP networks. IPv4
addresses consist of four numbers from 0 to 255 that are separated by dots.
There are different address categories for IP addresses that are managed and
assigned by the national organization, NIC (network information center).
The table below shows the assignment of IP addresses:
Table 3-1
Class | Max. number of networks | Start address | End address | Private address range
A | 126 | 1.0.0.0 | 126.0.0.0 | 10.0.0.0 to 10.255.255.255
B | 16382 | 128.0.0.0 | 191.255.0.0 | 172.16.0.0 to 172.31.255.255
C | 2097150 | 192.0.0.0 | 223.255.255.0 | 192.168.0.0 to 192.168.255.255
Addresses starting with 224.0.0.0 are reserved for future applications; however,
they will no longer be used due to the upcoming implementation of IPv6.
Due to the shortage of IP addresses on the Internet, certain address ranges were
introduced that are not routed on the Internet and are used for private networks.
Such a private address range is only visible within one's own network and cannot be
reached from the Internet. Therefore, the same ranges can also be used multiple
times in other private networks.
Description
NAT is a protocol for address translation between two address spaces. The main
task is the translation of private addresses to public addresses, i.e. to IP addresses
used and also routed on the Internet.
This method ensures that the addresses of the internal network are not visible
in the external network. In the external network, the internal nodes are
only reachable via the external IP address defined in the address translation list (NAT
table).
The classical NAT is a one-to-one translation, i.e. a private IP address is translated
to a public one.
Therefore, the access address for the internal nodes is again an IP address.
NAT table
The NAT table contains the assignment of private and public IP addresses and is
configured and managed in the gateway or router. The following screen shot shows
the NAT table of the SCALANCE S602 V3:
Figure 3-1
Table 3-2
Option | Meaning
NAT active | The input area for NAT is activated. NAT address translations only become effective with the option described below and entries in the address translation list. In addition, the firewall must be configured appropriately.
Allow all internal nodes access to the outside | When this option is checked, the internal IP address (source IP address) is translated to the external module IP address and a port number additionally assigned by the module for all frames from internal to external. This behavior is visible in the additionally shown bottom row of the NAT table. A * symbol in the internal IP address column indicates that all frames from internal to external are translated. Note: This translation corresponds to an n:1 translation, i.e. several internal nodes are redirected to one external address. This is done by an additional assignment of a port number. Despite the addition of a port, this option is assigned to the NAT input area.
Table 3-3 (contents not reproduced)
Sequence
If a device from the external network wants to send a packet to an internal device
(Dst-NAT), it uses a public address as the destination address. This IP address is
translated to a private IP address by the router.
As the source address in the IP header of the data packet, the public IP address of
the external device remains unchanged.
The response of the internal device is sent to the IP address that is stored as the
source address in the IP header. Due to the fact that its own address and the
source address are in different subnets, the internal device sends the packet to its
router, which forwards it to the external device.
Description
NAPT is a variant of NAT and often used synonymously with it. The difference to
NAT is that this protocol also allows the translation of ports.
A one-to-one translation of the IP address no longer exists. Instead, only one
public IP address exists, which is translated to a number of private IP addresses by
adding port numbers.
Therefore, the access address for the internal nodes is an IP address with a port
number.
NAPT table
The NAPT table contains the assignment of private IP addresses to the ports of the
public IP address and is configured and managed in the gateway or router. The
following screen shot shows the NAPT table of the SCALANCE S602 V3:
Figure 3-2
Table 3-4
Option | Meaning
NAPT active | The input area for NAPT is activated. NAPT translations only become effective with the option described below and entries in the list. In addition, the firewall must be configured appropriately.
Table 3-5
Parameter | Meaning | Range of values
External port | A node in the external network can respond to a node in the internal subnet or send a frame by using this port number. | Port or port ranges. Example of the entry of a port range: 78:99
Internal IP address | IP address of the addressed node on the internal subnet. |
Internal port | Port number of a service for the node addressed on the internal subnet. | Port (no port range)
Sequence
If a device from the external network wants to send a packet to an internal device,
it uses its public address with the specified port as the destination address. This IP
address is translated to a private IP address with port address by the router.
As the source address in the IP header of the data packet, the public IP of the
external device remains unchanged.
The response of the internal device is sent to the IP address that is stored as the
source address in the IP header. Due to the fact that its own address and the
source address are in different subnets, the internal device sends the packet to its
Due to the one-to-one translation of IP addresses, FTP data transfer via NAT does
not involve any difficulties.
Via a NAPT router such as the SCALANCE S602 V3, however, it is no longer trivial.
Aside from the default ports 20 (data channel) and 21 (control channel), FTP also
uses dynamic ports beyond 1023 for data transmission, which are not known prior
to transmission.
For the address translation, NAPT uses ports that are entered in the NAPT table
during configuration. An extension of the NAPT table during runtime is not possible.
The dynamic port during FTP data transfer can thus not be applied to the NAPT
table.
As a result, all data packets sent from external to internal with a port unknown to
the NAPT table are not translated and therefore discarded. FTP data transfer
cannot take place.
Problem description
The figure below illustrates the problem:
Figure 3-3 (image not reproduced): the FTP client at 192.168.2.3 is reached through the NAPT router at 172.158.2.2 with the NAPT entries 172.158.2.2:20 -> 192.168.2.3:20 and 172.158.2.2:21 -> 192.168.2.3:21. Steps 1 to 3 run over port 21 (the client sends the user name, the server requests the password, the client sends the password, the server acknowledges, the client sends the PORT command with its data port, e.g. port 1027); in step 4 the server establishes the data connection to the desired port 1027.
Table 3-6
Step | Sequence | Response
1. | The client sends the user ID to the server via the control port. | Port 21 is allowed by the NAPT router. The server requests the password.
2. | The client sends the password via port 21. | Port 21 is allowed by the NAPT router. The server confirms the password.
3. | Via the PORT command, the client transmits the ports on which it listens for the data connection. | Port 21 is allowed by the NAPT router.
4. | Via these ports, the server attempts to make contact with the FTP client. | As these ports are not configured in the NAPT table, the data packets are discarded by the NAPT router. The FTP connection is not established.
Solution
To allow the data packets of the FTP server into the internal network despite
dynamic ports, it is necessary to generate a NAT entry in addition to the NAPT
entry. All data packets from the FTP server must be rewritten to the IP address of
the NAPT router.
This allows all data packets into the internal network, irrespective of the port.
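As an added illustration of the FTP problem in Table 3-6 and of the NAT entry proposed as its solution (example code written for this page, not Siemens code or the module's firmware), the following Python model replays the sequence against a simplified NAT/NAPT router with stateful inspection. The router address 172.158.2.2 and the client address 192.168.2.3 are taken from Figure 3-3; the FTP server address 172.158.2.9, the public client address 172.158.2.3 used for the 1:1 NAT entry and the source ports assigned by Src-NAT are constructed.

```python
"""Simplified model of the NAT/NAPT router and stateful firewall of the SCALANCE
S602 V3 as described in chapter 3 (added example, not Siemens code). It replays
the FTP sequence of Table 3-6 and the 1:1 NAT entry proposed as the solution."""
from dataclasses import dataclass, field

ROUTER_EXT_IP = "172.158.2.2"   # external address of the NAPT router (Figure 3-3)
CLIENT_INT_IP = "192.168.2.3"   # internal FTP client (Figure 3-3)
CLIENT_PUB_IP = "172.158.2.3"   # constructed public address used for the 1:1 NAT entry
FTP_SERVER_IP = "172.158.2.9"   # constructed address of the external FTP server
ANY = "*"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class S602Model:
    # NAPT table (Table 3-5): external port -> (internal IP, internal port);
    # static only, it cannot be extended at runtime
    napt: dict = field(default_factory=dict)
    # Dst-NAT table (Table 3-2): public IP -> private IP; one-to-one, so every port passes
    dst_nat: dict = field(default_factory=dict)
    # firewall rules external -> internal, checked after translation:
    # (source IP or ANY, destination IP, destination port or ANY); no match means drop
    rules: list = field(default_factory=list)
    # stateful table: expected reply (src_ip, src_port, dst_ip, dst_port) as seen from
    # external -> (internal IP, internal port) of the node that started the connection
    state: dict = field(default_factory=dict)
    next_src_port: int = 49152  # constructed start of the ports assigned by Src-NAT "*"

    def internal_to_external(self, pkt):
        """Src-NAT '*' (Table 3-2): the internal source becomes the router IP plus an
        assigned port; the firewall allows all internal -> external traffic here."""
        out = Packet(ROUTER_EXT_IP, self.next_src_port, pkt.dst_ip, pkt.dst_port)
        self.next_src_port += 1
        self.state[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = (pkt.src_ip, pkt.src_port)
        return out

    def external_to_internal(self, pkt):
        """Returns (forwarded packet or None, reason). Order of checks: reply to an
        internal request (stateful inspection), static NAPT entry, 1:1 Dst-NAT entry,
        otherwise the packet is discarded."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.state:
            int_ip, int_port = self.state[key]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port), "reply to internal request"
        if pkt.dst_ip == ROUTER_EXT_IP and pkt.dst_port in self.napt:
            int_ip, int_port = self.napt[pkt.dst_port]
            inner = Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        elif pkt.dst_ip in self.dst_nat:
            inner = Packet(pkt.src_ip, pkt.src_port, self.dst_nat[pkt.dst_ip], pkt.dst_port)
        else:
            return None, "no NAT/NAPT entry: discarded by the NAT/NAPT router"
        if self._firewall_allows(inner):
            return inner, "translated and allowed by a firewall rule"
        return None, "translated, but no firewall rule applies: discarded"

    def _firewall_allows(self, pkt):
        for src, dst, port in self.rules:  # top to bottom, first match; default is deny
            if src in (ANY, pkt.src_ip) and dst == pkt.dst_ip and port in (ANY, pkt.dst_port):
                return True
        return False


def ftp_active_scenario(with_nat_entry):
    """Replays Table 3-6: the internal client opens the control connection (steps 1-3);
    the server then opens the data connection to the port announced via PORT (step 4)."""
    fw = S602Model(napt={20: (CLIENT_INT_IP, 20), 21: (CLIENT_INT_IP, 21)})
    if with_nat_entry:
        fw.dst_nat[CLIENT_PUB_IP] = CLIENT_INT_IP             # 1:1 NAT entry for the client
        fw.rules.append((FTP_SERVER_IP, CLIENT_INT_IP, ANY))  # allow the FTP server on any port
    ctrl = fw.internal_to_external(Packet(CLIENT_INT_IP, 1026, FTP_SERVER_IP, 21))
    reply, _ = fw.external_to_internal(Packet(FTP_SERVER_IP, 21, ctrl.src_ip, ctrl.src_port))
    # step 4: with the NAT entry the server addresses the client's public address;
    # without it only the router address is reachable (assumption of this model)
    target = CLIENT_PUB_IP if with_nat_entry else ROUTER_EXT_IP
    data, data_reason = fw.external_to_internal(Packet(FTP_SERVER_IP, 20, target, 1027))
    return {
        "control_reply_forwarded": reply is not None,
        "data_connection_forwarded": data is not None,
        "data_reason": data_reason,
        "data_destination": (data.dst_ip, data.dst_port) if data else None,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("with 1:1 NAT entry:" if flag else "NAPT entries only:", ftp_active_scenario(flag))
```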
Figure (image not reproduced): in the SCALANCE S602 V3, IP frames between the external and the internal network pass the NAT/NAPT router (Dst-NAT for frames from external to internal, Src-NAT for frames from internal to external) and the firewall.
Note The firewall in the SCALANCE S602 V3 is preset so that IP data traffic between
the networks is not possible. Before communication can take place, the firewall
must first be configured.
Firewall and NAT/NAPT router support the stateful packet inspection mechanism.
If IP data traffic is enabled from internal to external, internal nodes can initiate a
communication connection to the external network. The response frames from the
external network can pass through the NAT/NAPT router and the firewall without
requiring their addresses to be additionally added to the firewall rule and the
NAT/NAPT address translation.
Frames that are not a response to a request from the internal network will be
discarded if there is no applicable firewall rule.
NAT table and firewall rules of this application:
NAT table | Firewall rules (action, direction, source, destination, service) | Meaning
172.158.2.3 -> CP343-1 Advanced (Dst-NAT) | Allow, External -> Internal, Service PC, CP343-1 Advanced, S7; Allow, External -> Internal, PG, CP343-1 Advanced, HTTP; Allow, External -> Internal, PG, CP343-1 Advanced, FTP | All data packets from external to the CP343-1 Advanced are allowed that reach the firewall with the IP address of the PG via port 80 (HTTP) or port 21 (FTP) and with the IP address of the service PG via port 102 (S7).
172.158.2.5 -> PN-CPU (Dst-NAT) | Allow, External -> Internal, Service PC, PN-CPU, S7 | All data packets from external to the PN-CPU are allowed that reach the firewall with the IP address of the service PG via port 102 (S7).
172.158.2.2 <- * (Src-NAT) | Allow, Internal -> External, all | All data packets from internal to external are allowed.
Figure (image not reproduced): a data packet addressed to 172.158.2.3 (HTTP) is translated by the NAT table to 192.168.2.3 (HTTP) and then checked by the firewall.
Table 3-8
Step Meaning
1. A device from the external network wants to send a data packet to IP address
172.158.2.3 (HTTP application).
2. The NAT router translates this address to the private IP address 192.168.2.3
(here symbolically as CP343-1Advanced) using the NAT table.
3. The firewall checks how it should handle the data packet. The entry Allow, External
-> Internal, PG -> CP343-1 Advanced, HTTP allows all data packets coming
from the PG via port 80 that are addressed to the CP343-1 Advanced to pass.
4. The data packet is directed to the internal network.
Figure 3-7 (image not reproduced): NAT table and firewall rules.
During data communication between the external and internal network, the
following happens:
Figure 3-8 (image not reproduced): a data packet addressed to 172.158.2.5 (S7) is translated by the NAT table to 192.168.2.5 (S7) and then checked by the firewall.
Table 3-9
Step Meaning
1. A device from the external network wants to send a data packet to IP address
172.158.2.5 (S7 application).
2. The NAT router translates this address to the private IP address 192.168.2.5
(here symbolically as PN-CPU) using the NAT table.
3. The firewall checks how it should handle the data packet. As no rule exists,
the data packet is discarded.
4 SCALANCE S Product Overview
Figure (image not reproduced): automation network with S602 V3 modules.
Description
The SCALANCE S602 V3 is a product from the SIMATIC NET SCALANCE S
family. Like the other modules, the S602 V3 is optimized for use in the automation
environment and meets the special requirements of automation engineering.
The SCALANCE S602 V3 belongs to the category of circuit-level gateways and is a
stateful inspection firewall to protect all devices of an Ethernet network.
Properties
Interfaces
The SCALANCE S602 V3 has two interfaces:
Port 1 (red), recognizable by the lock symbol.
Port 2 (green)
The unsecured, external network is connected to the red port, the internal network
to be secured is connected to the green port.
Figure 4-2 (image not reproduced): port 1 connects to the external network, port 2 to the internal network.
Note The Ethernet connections on port 1 and port 2 are handled differently by the
SCALANCE S and must therefore not be mixed up when connecting to the
communication network. If the ports are swapped over, the device will lose its
protective function.
Properties
The Security Configuration Tool has the following properties:
In the Security Configuration Tool, symbolic names can be assigned in place of the
IP addresses of the nodes. These are limited to the configuration within a project,
i.e. they cannot be used on a cross-project basis.
A single unique IP or MAC address must be assigned to each symbolic name.
The advantage of symbolic names is that the configuration of the services and
rules is easier and more secure. For the following functions and their configuration,
symbolic names are accepted:
Firewall
NAT/NAPT
Syslog
DHCP
The following screen shot shows the symbolic addressing with the associated IP
addresses of this application:
Figure 4-4 (image not reproduced): symbolic names with the associated IP addresses of this application.
Overview
In the user management of the Security Configuration Tool, you can create new
users and assign them system- or user-defined roles. You define the module rights
per security module.
Figure 4-5 (image not reproduced): user management of the Security Configuration Tool.
System-defined roles
The following system-defined roles are predefined:
administrator
standard
diagnostics
remote access
The roles are assigned certain rights that are identical on all modules and that
cannot be changed or deleted by the administrator.
For more information, please refer to the security manual listed in /2/, chapter 9
(References).
User-defined roles
In addition to the system-defined roles, you can also create user-defined roles. For
each security module used in the project, you individually define the respective
rights and manually assign the role to the users.
In the Security Configuration Tool, you can define rules globally, locally and user-
specifically.
Note The Security Configuration Tool allows max. 256 IP/MAC rule sets.
The occurrence of the rules in the rule list also corresponds to their order of
processing.
The packet filter rules are evaluated as follows:
The list is evaluated from top to bottom; for opposing rules, the higher entry
applies.
For rules for communication between the internal and external network, the
final rule applies: All frames except the frames explicitly allowed in the list are
blocked.
For rules for communication between the internal network and the IPSec tunnel,
the final rule applies: All frames except the frames explicitly blocked in the list
are allowed.
Note All frame types from internal -> external or vice versa are blocked with the
factory settings and must be explicitly allowed.
Note Global firewall rules are particularly useful if several security modules are
managed in a project.
In this application, only one S602 V3 is configured and managed. In this case,
the use of global firewall rules has no advantage over local rules. However, they
are nevertheless used to demonstrate the application and creation of global
rules.
To log off the SCALANCE S602 V3, three options are available:
The Log off button on the Web page.
Automatically after the timer has elapsed.
The User check online function by selecting the user and the Log off button.
The following conventions apply to creating the global and user-specific firewall
rule sets:
They can only be created in advanced mode of the Security Configuration
Tool.
By default, locally defined rules have higher priority; if new global and/or user-
specific firewall rules are assigned to a security module, these rules will
therefore be initially added to the bottom of the local rule list. The priority can
be changed by changing the position in the rule list.
Global and user-specific firewall rules can only be assigned to a security
module as an entire rule set.
They cannot be edited in the local rule list of firewall rules in the module
properties; they can only be displayed there and positioned according to the
desired priority. It is not possible to delete a single rule from an assigned rule
set. It is only possible to take the complete rule set from the local rule list; this
does not change the definition in the global rule list.
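The following Python model, an added example rather than code of the Security Configuration Tool, shows the rule evaluation described in this chapter together with the handling of assigned rule sets: first match from top to bottom, the final rules for internal/external and tunnel traffic, and global rule sets that are appended as a whole block and can only be moved or removed as a whole. The rules are those of this application (chapter 3); the rule set name cell_access and the node names are constructed symbolic names.

```python
"""Model of the packet filter rule evaluation of the Security Configuration Tool as
described in chapter 4 (added example, not Siemens code): first match from top to
bottom, default block between internal and external, default allow between internal
network and IPSec tunnel, and global/user-specific rule sets assigned only as a whole
block that is appended to the bottom of the local rule list."""
from dataclasses import dataclass, replace

ANY = "*"
LOCAL = "local"
MAX_RULE_SETS = 256  # limit stated in the note of this chapter


@dataclass(frozen=True)
class Rule:
    action: str        # "Allow" or "Drop"
    direction: str     # "External->Internal", "Internal->External", "Tunnel->Internal", ...
    src: str           # symbolic name of the source node, or ANY
    dst: str           # symbolic name of the destination node, or ANY
    service: str       # service name such as "HTTP", "S7", "FTP", or ANY
    rule_set: str = LOCAL  # LOCAL or the name of the assigned global/user-specific set


class ModuleRuleList:
    """Local rule list of one security module; list position equals processing order."""

    def __init__(self):
        self.rules = []

    def add_local(self, action, direction, src, dst, service):
        self.rules.append(Rule(action, direction, src, dst, service))

    def assign_rule_set(self, name, rules):
        """An assigned set goes to the bottom as a whole block, so local rules keep
        the higher priority by default."""
        assigned = {r.rule_set for r in self.rules} - {LOCAL}
        if name not in assigned and len(assigned) >= MAX_RULE_SETS:
            raise ValueError("the Security Configuration Tool allows max. 256 rule sets")
        self.rules.extend(replace(r, rule_set=name) for r in rules)

    def move_rule_set(self, name, position):
        """Priority is changed only by moving the whole block to another position."""
        block = [r for r in self.rules if r.rule_set == name]
        rest = [r for r in self.rules if r.rule_set != name]
        self.rules = rest[:position] + block + rest[position:]

    def remove_rule(self, rule):
        if rule.rule_set != LOCAL:
            raise ValueError("a single rule of an assigned set cannot be deleted; "
                             "take the complete set out of the local list instead")
        self.rules.remove(rule)

    def remove_rule_set(self, name):
        """Removes the set from this module only; the global definition is untouched."""
        self.rules = [r for r in self.rules if r.rule_set != name]

    def decide(self, direction, src, dst, service):
        """First matching entry from the top wins; the final rule depends on the path:
        internal <-> external blocks, internal <-> IPSec tunnel allows."""
        for r in self.rules:
            if (r.direction == direction and r.src in (ANY, src)
                    and r.dst in (ANY, dst) and r.service in (ANY, service)):
                return r.action, r
        return ("Allow" if "Tunnel" in direction else "Drop"), None


def application_rules():
    """Local rules of this application (firewall rules listed in chapter 3)."""
    m = ModuleRuleList()
    m.add_local("Allow", "External->Internal", "Service PC", "CP343-1 Advanced", "S7")
    m.add_local("Allow", "External->Internal", "PG", "CP343-1 Advanced", "HTTP")
    m.add_local("Allow", "External->Internal", "PG", "CP343-1 Advanced", "FTP")
    m.add_local("Allow", "Internal->External", ANY, ANY, ANY)
    return m


def priority_demo():
    """Opposing rules: a local Drop above an assigned Allow wins until the set is
    moved up. Returns the decisions before and after moving the set to the top."""
    m = application_rules()
    m.add_local("Drop", "External->Internal", "Service PC", "PN-CPU", "S7")
    m.assign_rule_set("cell_access",  # constructed name of a global rule set
                      [Rule("Allow", "External->Internal", "Service PC", "PN-CPU", "S7")])
    before = m.decide("External->Internal", "Service PC", "PN-CPU", "S7")[0]
    m.move_rule_set("cell_access", 0)
    after = m.decide("External->Internal", "Service PC", "PN-CPU", "S7")[0]
    return before, after


if __name__ == "__main__":
    print("PG -> CP343-1 Advanced HTTP:",
          application_rules().decide("External->Internal", "PG", "CP343-1 Advanced", "HTTP")[0])
    print("priority before/after moving the global set:", priority_demo())
```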
4.5.2 Logging
The events to be logged can be defined in the properties dialog of the SCALANCE
S602 V3. Two variants are available for logging:
Local log: Logs the messages in the local buffer of the S602 V3. Data recording can be stored according to two selectable methods:
Ring buffer: Once the buffer is full, recording starts at the start of the buffer and thus overwrites the oldest entries.
One-shot buffer: Recording stops when the buffer is full.
The Security Configuration Tool enables you to access, visualize and archive these logs.
Network Syslog: Instead of the local buffer, the messages are sent to an external Syslog server.
Settings
The following screen shot shows the possible logging settings for the S602 V3:
Figure 4-10 (image not reproduced): logging settings dialog of the S602 V3.
Event | Meaning
Packet filter events | Refers to data packets to which a configured packet filter rule (firewall) applies or to which basic protection reacts.
Audit events | Refers to security-relevant events such as enabling or disabling packet logging or entering an incorrect password during authentication.
System events | System events are, e.g., the start of a process.
Aside from selecting events, this dialog also allows you to enable or disable logging
and to define the storage of data.
Logging functions
The following logging functions are available in online mode:
Table 4-4
Function | Meaning | Screen shot
System log | Display of logged system events. | (screen shot not reproduced)
5 Installation
This chapter describes which hardware and software components have to be
installed. The descriptions and manuals as well as delivery information included in
the delivery of the respective products should be observed in any case.
(Figure: hardware setup of the application, showing the SCALANCE X208, the service PC, the Syslog server, the S602 V3 and the external network; the figure itself is not reproduced here.)
Note To make sure that no old configuration is saved in the S602 V3, reset the module
to factory settings. For help, see /2/ in chapter 9 (References).
6 Commissioning in Bridge Mode
Overview
Figure 6-1 (bridge mode): control room PG 192.168.2.1, external PC 192.168.2.7, service PC 192.168.2.6 (connected via the X208), Syslog server 192.168.2.4
IP addresses used
Table 6-1
Module | IP address
PG in the control room | 192.168.2.1
External network |
Service PC | 192.168.2.6
The following table now describes the necessary configurations for the scenarios.
Table 6-2
No. | Application | Description | Chapter
1. | Parameterization | IP configuration of all cell-internal devices through node initialization in STEP 7 (via DCP) | Enabling the DCP protocol (chapter 6.4)
2. | Configuration/diagnostics/visualization (STEP 7) | Enabling the full PG functionality for the PC of the service employee. | IP service definition (chapter 6.8.1); Creating the local firewall rules (chapter 6.8.4)
3. | Bandwidth limitation | Restricting the data communication for the PC of the service employee. | Creating the local firewall rules (chapter 6.8.4)
4. | Productive data transfer, visualization | Enabling access to the FTP and Web server of the cell-internal Advanced CP for the control room PG. | IP service definition (chapter 6.8.1); Creating the local firewall rules (chapter 6.8.4); Creating the global firewall rule (chapter 6.8.3)
5. | Logging the data traffic | Enabling data traffic logging for an external Syslog server. | Creating the local firewall rules (chapter 6.8.4); Configuring Syslog logging (chapter 6.7)
6. | User-defined firewall rules | Enabling access to the FTP and Web server of the cell-internal Advanced CP for selected | Defining users for the SCT (chapter 6.8.2); Creating user-specific
Note: For routing mode, you additionally require a gateway address. For this
case, enter the IP address of the associated router as well.
6. | Proceed in this way to assign the respective IP addresses to CP and CPU. | Loading the SCT project assigns the SCALANCE its IP address.
7. | Connect the service PC again to port 7 of the second SCALANCE X208. |
Router mode:
NOTICE: Once you have switched to advanced mode for the current project, this
action cannot be undone.
Table 6-8
No. | Action | Remark
1. | An individual configuration of the firewall is only possible in advanced mode. Select View > Advanced Mode to activate it. | with Yes.
IP service definitions allow the compact and clear definition of firewall rules that are
applied to certain services. Each service parameter is assigned a name.
When configuring the global or local packet filter rules, these names are used
once.
Table 6-10
No. | Action | Remark
1. | Select Options > IP Services |
OK.
Table 6-11
No. | Action | Remark
1. | Select Options > User Management to open the user
For this application, the firewall rule for the FTP server is created as a global rule.
Table 6-12
No. | Action | Remark
1. | In Global firewall rule sets, select Firewall IP rule sets and use the right mouse button > Insert rule set to insert a new rule set. |
The S7 protocol and HTTP communication are enabled as local firewall rules.
Table 6-13
No. | Action | Remark
1. | Select the S602 V3 and use the right mouse button -> Properties to open the properties. Go to the Firewall Setting and IP Rules tab. | The global firewall rule that has
Action: Allow
From/To: External -> Internal
Source IP: PG
Destination IP: CP343-1Advanced
Service: HTTP
Enable Logging.

Action: Allow
From/To: Internal -> External
Source IP: *
Destination IP: *

Close the dialog with OK.
Note The Security Configuration Tool automatically assigns a unique label to each
firewall rule.
To determine which firewall rule was active when logging system and security
events, the log row displays the associated label.
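As an added illustration (not code from the document, from Siemens or from the SCT), the following Python model evaluates the two local rules listed above against constructed packets and produces the log row with the rule label, as the note describes. The labels L1 and L2, the CP address 192.168.2.3 (taken from the FTP notice in chapter 8), the service port numbers and the drop fallback for unmatched packets are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    label: str        # unique label per rule; the SCT assigns its own, L1/L2 are assumed here
    action: str       # "Allow" or "Drop"
    direction: str    # "External->Internal" or "Internal->External"
    src: str          # symbolic name from the SCT, or "*"
    dst: str
    service: str      # IP service definition name, or "*"
    logging: bool

# The two local rules shown above (Table 6-13).
RULES = [
    Rule("L1", "Allow", "External->Internal", "PG", "CP343-1Advanced", "HTTP", True),
    Rule("L2", "Allow", "Internal->External", "*", "*", "*", False),
]
# Symbolic addressing: PG from Figure 6-1, CP address from the chapter 8 notice.
HOSTS = {"PG": "192.168.2.1", "CP343-1Advanced": "192.168.2.3"}
# IP service definitions: port numbers are an assumption of this example.
SERVICE_PORTS = {"HTTP": 80, "FTP": 21, "S7": 102}

def evaluate(rules, direction, src, dst, dport):
    """First matching rule decides. Returns (action, label, log_row); the
    log_row carries the rule label only when that rule has logging enabled.
    A packet that matches no rule is dropped without a label (assumed fallback;
    the excerpt does not state what the S602 V3 does in that case)."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.src != "*" and HOSTS[r.src] != src:
            continue
        if r.dst != "*" and HOSTS[r.dst] != dst:
            continue
        if r.service != "*" and SERVICE_PORTS[r.service] != dport:
            continue
        row = None
        if r.logging:
            row = f"{r.action} {direction} {src}->{dst}:{dport} rule={r.label}"
        return r.action, r.label, row
    return "Drop", None, None

if __name__ == "__main__":
    # Constructed packets: PG browsing the CP web server, and the external PC trying the same.
    print(evaluate(RULES, "External->Internal", "192.168.2.1", "192.168.2.3", 80))
    print(evaluate(RULES, "External->Internal", "192.168.2.7", "192.168.2.3", 80))
```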
Table 6-14
No. | Action | Remark
1. | Select User-specific firewall rules and use the right mouse button > Insert rule set to insert a new rule set. |
Action: Allow
From/To: External -> Internal
Source IP:
Destination IP: CP343-1Advanced
Service: FTP
Logging: Enabled
5. | Select the configured user and use Add to assign this rule set to the user. |
Note: The following rules apply to the assignment of user-specific firewall rules:
A module can only be assigned one user-specific rule set per user. The
assignment enables the "User can log on with module" role for all roles of the
users defined in the rule set.
7 Commissioning in Routing Mode
Note This chapter discusses only the additional configuration steps that go beyond the
necessary configurations in bridge mode.
Overview
Figure 7-1 (routing mode): control room PG 172.158.2.1, external PC 172.158.2.7, service PC 172.158.2.6 (connected via the X208), Syslog server 172.158.2.4, S602 V3 external 172.158.2.2, S602 V3 internal 192.168.2.2
IP addresses used
Table 7-1
Module | IP address | Router
PG of the control room | 172.158.2.1 | 172.158.2.2
Service PC | 172.158.2.6 | 172.158.2.2
External network | |
Table 7-2
No. | Chapter | Remark
1. | Assigning the IP addresses (chapter 6.2) | Use the IP address from Table 7-1. Make sure to also configure a router address in the devices.
2. | Creating a project in the SCT (chapter 6.3) |
3. | Symbolic addressing in the SCT (chapter 6.5) | Use the IP address from Table 7-1.
4. | Advanced mode (chapter 6.6) |
5. | Configuring Syslog logging (chapter 6.7) |
6. | Configuring the firewall rules (chapter 6.8) | Requirements for configuring the firewall are: an SCT project was created with an S602 V3; the S602 V3 module was provided with the MAC address of the real S602 V3 module; in routing mode, 172.158.2.2 has been entered as the external IP address; advanced mode is activated.
address.
Close the dialog with OK.
2. Activate NAPT.
Note An external port number must only be entered once. As the IP address of the
SCALANCE S is always used as the external IP address, there would be no
uniqueness if it was used multiple times.
For this reason, only one CPU (here: PN-CPU) can be accessed.
8 Operation of the Application
The figure below shows the configuration and the associated IP addresses of the
application in bridge mode:
Figure 8-1 (bridge mode): control room PG 192.168.2.1, external PC 192.168.2.7, service PC 192.168.2.6 (connected via the X208), Syslog server 192.168.2.4
CP is displayed.
(Figure, routing mode: service PC 172.158.2.6 (connected via the X208), Syslog server 172.158.2.4, S602 V3 external 172.158.2.2, S602 V3 internal 192.168.2.2)
configured connections.
Table 8-11
No. | Action | Remark
1. | On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 172.158.2.3, Port: 21, User: ftp_user, Password: ftp_user, Transfer: Active. Connect to the FTP server. |
allowed as well.
NOTICE: Make sure that you are using active FTP and that the client sends a
random listen port to the server.
For passive FTP, the server opens a new port and sends it to the client.
However, it sends it with its own IP address (here: 192.168.2.3) and not with
the translated address (172.158.2.2). It is thus not possible to establish a
connection.
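The NAPT uniqueness rule from chapter 7 and the active/passive FTP behaviour of this notice, modelled as an added Python example (not code from the document or from Siemens). The addresses are the document's own; the external subnet 172.158.2.0/24, the table format and the function names are assumptions of this example.

```python
import re
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "172.158.2.2"                    # S602 V3 external address (Figure 7-1)
EXTERNAL_NET = ip_network("172.158.2.0/24")    # assumed from the figure's addresses

def duplicate_external_ports(entries):
    """entries: (external_port, internal_ip, internal_port) tuples.
    Returns the external ports that were entered more than once. The S602 V3
    always presents its own IP as the external address, so a reused port
    would no longer identify a unique internal target."""
    seen, dup = set(), set()
    for ext_port, _, _ in entries:
        (dup if ext_port in seen else seen).add(ext_port)
    return sorted(dup)

def build_napt_table(entries):
    """Return {external_port: (internal_ip, internal_port)}; reject reused ports."""
    dup = duplicate_external_ports(entries)
    if dup:
        raise ValueError(f"external port(s) entered twice: {dup}")
    return {ext: (ip, port) for ext, ip, port in entries}

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by the PORT command and the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple found")
    h = [int(x) for x in m.groups()]
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]

def passive_data_channel_ok(reply_227, napt_table):
    """Passive FTP: the server advertises its own (internal) address. From the
    external network only the translated address with a mapped port is reachable,
    which is why the notice requires active FTP."""
    ip, port = parse_hostport(reply_227)
    return ip == EXTERNAL_IP and port in napt_table

def active_data_channel_ok(port_cmd):
    """Active FTP: the client advertises its own external address in PORT and the
    server connects back to it, so the advertised address needs no translation."""
    ip, _ = parse_hostport(port_cmd)
    return ip_address(ip) in EXTERNAL_NET

if __name__ == "__main__":
    table = build_napt_table([(21, "192.168.2.3", 21)])     # constructed NAPT entry
    print(passive_data_channel_ok("227 Entering Passive Mode (192,168,2,3,4,1)", table))
    print(active_data_channel_ok("PORT 172,158,2,1,4,1"))    # constructed PORT from the PG
```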
Table 8-17
No. | Action | Remark
1. | On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 172.158.2.2, Port: 21, User: ftp_user, Password: ftp_user, Transfer: Active FTP. Connect to the FTP server. |
2. | The file structure of the Advanced CP is displayed. |
allowed as well.
9 References
These lists are by no means complete and only present a selection of related
references.
References
Table 9-1
Topic | Title
/1/ STEP7 | Automating with STEP7 in STL and SCL, Hans Berger, Publicis Corporate Publishing, ISBN 978-3-89578-412-5
/2/ SIMATIC NET security | SIMATIC NET Industrial Ethernet Security, Basics and application, Configuration Manual, http://support.automation.siemens.com/WW/view/en/56577508
/3/ Getting Started | SIMATIC NET Industrial Ethernet Security, Setting up security, Getting Started, http://support.automation.siemens.com/WW/view/en/61630590
/4/ Installation manual for the SCALANCE S602 V3 | SIMATIC NET Industrial Ethernet Security, SCALANCE S V3.0 Commissioning and Hardware Installation Manual, http://support.automation.siemens.com/WW/view/en/56576669
Internet links
Table 9-2
Topic | Title
\1\ Reference to the document | http://support.automation.siemens.com/WW/view/en/22376747
10 History
Table 10-1
Version | Date | Modification
V1.0 | 03/02/06 | First edition
V2.0 | 09/01/09 | S612 replaced by S602; configuration in bridge and routing mode
V3.0 | 07/20/12 | SCALANCE S602 V3 hardware update; user-specific firewall rules; chapters revised