Instruction/ maintenance manual of the product Version: 1.2 Siemens
Go to page of 18
LISE-M EITNER-ALLEE 4 D - 44801 Boc hum TELEFON +49 (0) 234/43 87 02-09 TELE FAX +49 (0) 234/43 87 02-11 E-Mail info@e scrypt.com INTE RN ET www.e scrypt com Security Evaluation of the Siemens Scalance S 612/613 Security Module escrypt GmbH – Embedded Security http://www.
Index Index 1 Introducti on........................................................................................................ 4 2 Security Se rvices............................................................................................... 6 2.
Executive Summary Executive Summary The Scalance S 612/S 613 is a security module to protect the communication between automation networks and to avoid a ttacks to the networks. The security module provides the functionality of a fire wall and a virtual priv ate network (VPN).
1. Introduction 1 Introduction The Siemens Scalance S 613 is a security module which protects the communication between automat ion networks. It provides authentication, data integrity and confidentiality and protects against data theft and data manipulation.
1. Introduction Automation networks demand fo r a variety of security goals such that only basic default-rules are preset. Nonetheless, these default rules provide a secure configuration. The security modules are supposed to be easy to configure and handle, also by non IT-experts.
2. Security Services 2 Security Services The security module has two Ethernet inte rfaces, one to the internal network which is protected, and the other one to the external network. The interfaces are easily recognizable by a color marker in green an d red color.
2. Security Services and 3 on the security module. The packe t filter controls the communication between the internal network and the external network (see Figure 2 ). Figure 2: Firewall function of the security module The firewall offers a packet filter adapt ed from OpenBSD for IP-packets with stateful packet inspection.
2. Security Services Figure 3: VPN-function of the Security -module For the communication over a VPN the se curity modules are collected in groups. For each VPN there is a so called network certificate with corresponding private key that identifies the VPN.
2. Security Services 2.2.4 Firmware Update The firmware of the security device can be updated. For this purpose, Siemens supplies an encrypted and digitally signed firmware. The user has to authenticate to the security module before loadin g new firmware.
2. Security Services 2.3.1 First Initiation At first initialization an IP address is as signed to the Scalance S moduls. After the IP configuration the modules can also be configured over the network. The first user to take the module in operation ent ers a user name and pass word which puts him in the position of administrator.
2. Security Services • Exchange of addresses of the internal networks between security modules • Signalizing that a packet was reject ed because it was not received via an IPsec tunnel. The learning is always initiated if a node wants to communicate with another node and devices located in the same subnet actively scan by ICMP messages.
3. Security Analysis 3 Security Analysis The security module is designed for the use in automation networks. For automation networks availability and robust ness are of first priority since the network must be protected against any failure so that the production never stops.
3. Security Analysis The implementation of the IKE protocol does not show any known security weaknesses. No known security weak nesses of the OpenBSD-Isakmpd daemon were found.
3. Security Analysis The pf-packet filter of O penBSD does not include any know n weaknesses. A test of the filter rules set by t he configuration tool does not identify any implement ation failures. Also a test of the Layer-2 filt er e2f revealed no security weaknesses.
3. Security Analysis The MiniWeb server is well implemented. The SSL implementation does not show any failures. The only security weakness is the long life span of the certificate and the use of MD5 for the generat ion of the certificates. The key length of 1024 bits is sufficient for the next three to five years.
3. Security Analysis 3.2.1 Configuration Files The configuration tool transfers t he configuration data via SSL. Hence, eavesdropping of the connecti on and determination of the data is not possible. The analysis of the configurat ion files gives only information about the default settings of the firewall.
4. Summary 4 Summary The security module is designed for using it in an automation network in order to protect the network from data theft and m anipulation as well as attacks from the external network. The reliabili ty of the network is of first priority, the aspect of security follows right after.
5. References 5 References Functional Specification, Version 1.0, 7.10.2003 Security Target, Version 0.2, 31.10.2003 Instruction Handbook, 1/2005 Design Specification, 19.
An important point after buying a device Siemens Version: 1.2 (or even before the purchase) is to read its user manual. We should do this for several simple reasons:
If you have not bought Siemens Version: 1.2 yet, this is a good time to familiarize yourself with the basic data on the product. First of all view first pages of the manual, you can find above. You should find there the most important technical data Siemens Version: 1.2 - thus you can check whether the hardware meets your expectations. When delving into next pages of the user manual, Siemens Version: 1.2 you will learn all the available features of the product, as well as information on its operation. The information that you get Siemens Version: 1.2 will certainly help you make a decision on the purchase.
If you already are a holder of Siemens Version: 1.2, but have not read the manual yet, you should do it for the reasons described above. You will learn then if you properly used the available features, and whether you have not made any mistakes, which can shorten the lifetime Siemens Version: 1.2.
However, one of the most important roles played by the user manual is to help in solving problems with Siemens Version: 1.2. Almost always you will find there Troubleshooting, which are the most frequently occurring failures and malfunctions of the device Siemens Version: 1.2 along with tips on how to solve them. Even if you fail to solve the problem, the manual will show you a further procedure – contact to the customer service center or the nearest service center
