Applications & Tools
Answers for industry.
Cover
Protection of an Automation Cell Using the SCALANCE S602 V3 Security Module via a Firewall (Bridge/Routing)
SCALANCE S602 V3
Application Description August 2012
S602 V3 Firewall, V3.0, Entry ID: 22376747
Copyright © Siemens AG 2012. All rights reserved.
Siemens Industry Online Support
This document is taken from the Siemens Industry Online Support. The following link takes you directly to the download page of this document:
http://support.automation.siemens.com/WW/view/en/22376747

Caution
The functions and solutions described in this entry predominantly confine themselves to the realization of the automation task. Please also take into account that corresponding protective measures have to be taken in the context of Industrial Security when connecting your equipment to other parts of the plant, the enterprise network or the Internet. For more information, please refer to Entry ID 50203404:
http://support.automation.siemens.com/WW/view/en/50203404

Please also actively use our technical forum in the Siemens Industry Online Support regarding this subject. Share your questions, suggestions or problems and discuss them with our strong forum community:
http://www.siemens.com/forum-applications
SIMATIC
Firewall with SCALANCE S602 V3
Industrial Security

1 Problem
2 Automation Solution
3 Minimizing Risk through Security
4 SCALANCE S Product Overview
5 Installation
6 Commissioning in Bridge Mode
7 Commissioning in Routing Mode
8 Operation of the Application
9 References
10 History
Warranty and Liability
Warranty and Liability
Note The application examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are correctly used. These application examples do not relieve you of the responsibility of safely and professionally using, installing, operating and servicing equipment. When using these application examples, you recognize that Siemens cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications – e.g. Catalogs – then the contents of the other documents have priority.
We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc. described in this application example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). However, claims arising from a breach of a condition which goes to the root of the contract shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for injury of life, body or health. The above provisions do not imply a change in the burden of proof to your detriment. It is not permissible to transfer or copy these application examples or excerpts of them without first having prior authorization from Siemens Industry Sector in writing.
Table of Contents
Warranty and Liability ... 4
1 Problem ... 7
1.1 Introduction ... 7
1.2 Overview ... 7
2 Automation Solution ... 9
2.1 Overview of the overall solution ... 9
2.2 Description of the core functionality ... 11
2.3 Hardware and software components used ... 12
2.4 Alternative solution: VPN tunnel ... 13
3 Minimizing Risk through Security ... 14
3.1 Conditions and requirements ... 14
3.2 The SIEMENS protection concept: Defense in depth ... 15
3.3 Security mechanism: Firewall ... 15
3.3.1 Firewall classification ... 15
3.3.2 Stateful packet inspection ... 16
3.4 Security mechanism: Address translation with NA(P)T ... 17
3.4.1 Address translation with NAT ... 18
3.4.2 Address translation with NAPT ... 20
3.4.3 FTP via a NAPT router ... 22
3.5 Correlation between NA(P)T and firewall ... 24
4 SCALANCE S Product Overview ... 29
4.1 The idea of the cell protection concept ... 29
4.2 SCALANCE S602 V3 ... 30
4.3 Security Configuration Tool ... 32
4.3.1 Symbolic addressing ... 33
4.3.2 User management ... 34
4.4 Firewall rules ... 35
4.4.1 Precedence of rules ... 36
4.4.2 The different firewall rule sets ... 37
4.4.3 Conventions for the firewall rule sets ... 39
4.5 Logging and diagnostics options in the SCT ... 40
4.5.1 Online functions ... 40
4.5.2 Logging ... 41
5 Installation ... 44
5.1 Installing the hardware ... 44
5.2 Installing the software ... 46
6 Commissioning in Bridge Mode ... 47
6.1 Overview of the configuration mode ... 47
6.2 Assigning the IP addresses ... 49
6.3 Creating a project in the SCT ... 52
6.4 Enabling the DCP protocol ... 53
6.5 Symbolic addressing in the SCT ... 54
6.6 Advanced mode ... 55
6.7 Configuring Syslog logging ... 55
6.8 Configuring the firewall rules ... 56
6.8.1 IP service definition ... 56
6.8.2 Defining users for the SCT ... 57
6.8.3 Creating the global firewall rule ... 59
6.8.4 Creating the local firewall rules ... 60
6.8.5 Creating user-specific firewall rules ... 62
6.9 Downloading the firewall rules to the S602 V3 ... 64
7 Commissioning in Routing Mode ... 65
7.1 Overview of configuration mode ... 65
7.2 Basic configurations from bridge mode ... 66
7.3 Changing the operating mode to routing ... 67
7.4 Configuring NA(P)T ... 68
7.4.1 Configuring the NAT table ... 68
7.4.2 Configuring the NAPT table ... 69
7.5 Downloading the SCALANCE S602 V3 configuration ... 70
8 Operation of the Application ... 71
8.1 Operation in bridge mode ... 71
8.2 Operation in router mode ... 78
8.2.1 Routing via NAT ... 79
8.2.2 Routing via NAPT ... 86
9 References ... 92
10 History ... 92
1 Problem

1.1 Introduction
In industrial automation, the security of production networks has top priority. In the past, automation islands were frequently physically separated and relied on the integrated security of the fieldbuses. With the advance of Industrial Ethernet solutions, increased networking with the office world and a large number of unsecured interfaces at the field level, security is of the greatest importance. As a result, industrial communication faces the same threats that are known from the office and IT environment, such as hackers, viruses, worms and trojans, but also excessive communication load (broadcasts). The existing security concepts and the use of standard components from the office world require continuous maintenance and special expert knowledge; normally they are not suited to the special requirements of industrial communication.
1.2 Overview
Overview of the automation problem
The figure below provides an overview of the automation problem.
Figure 1-1 (diagram not reproduced): automation cells 1, 2 ... N connected to the company network, on which PC 1, PC 2, PC 3 and PC 4 are located.
Description of the automation problem
An automation cell is to be connected to the company network so that, via access control, only certain devices or communication services have access to the internal nodes. The following user scenarios are released for selected partners:
Table 1-1
User scenario | Partner
Configuration / diagnostics with STEP 7 | PC 1
Node initialization of internal nodes | PC 1
Logging the data packets for the S7 communication | PC 2
Access to cell-internal Web and FTP servers | PC 3
Blocking unauthorized access attempts | PC 4

Requirements
- The implemented access control is to be easy and cost-effective, and it must also be possible for the automation personnel to create and maintain it.
- Integrated diagnostics of field devices and network components is to be possible from the control level.
- The structure of the automation cells can be identical (same IP bands) (see Figure 1-1).
2 Automation Solution

2.1 Overview of the overall solution
Diagrammatic representation
The diagrammatic representation below shows the most important components of the solution.
Figure 2-1 (diagram not reproduced; components shown):
- Automation cell protected by firewall: SCALANCE S602 V3 (security component, firewall, router), SCALANCE X208, PN-CPU, and CPU+CP with STEP 7 program, simulation, Web server and FTP server.
- Control room: PC with Web browser and FTP client; Service PC with STEP 7; Syslog server with data logging.
- External PC with STEP 7, Web browser and FTP client.
Configuration
The protected automation cell contains two SIMATIC S7-300 stations that are connected to the internal interface of the S602 V3 via a SCALANCE X208 as follows:
- S7-300 station 1 with a CPU317-2 PN/DP via a CP343-1 Advanced.
- S7-300 station 2 via the integrated interface of the CPU319-3 PN/DP.

Via a SCALANCE X208, the following devices are connected to the external interface of the SCALANCE S602 V3:
- A PC in the control room via an integrated Ethernet interface.
- A PC of a service employee via an integrated Ethernet interface.
- A PC for recording log files.
- An external PC for demonstrating unauthorized access.
2.2 Description of the core functionality
SCALANCE S602 V3
The core of this application is the SCALANCE S602 V3 Security Module. This module is part of the Siemens security concept and was developed specifically for industrial automation engineering. It can be configured as a firewall and thus be used to protect automation cells/components. This makes it easy to ensure that individual devices within the protected automation cell can only be accessed from certain PCs. To meet the requirements of the automation problem, the SCALANCE S602 V3 can be used both for cross-subnet communication (routing mode) and in the flat network (bridge mode).
Description of the user scenarios
The following table shows the scenarios presented in this application that are implemented in the SCALANCE S module with the respective firewall rules. These scenarios are demonstrated for both routing and bridge mode.
Table 2-1
No. | Application | Description
1 | Parameterization | IP configuration of all cell-internal devices through node initialization in STEP 7 (via DCP).
2 | Configuration / diagnostics / visualization | Enabling the full PG functionality (STEP 7) for the PC of the service employee.
3 | Bandwidth limitation | Restricting the data communication for the PC of the service employee.
4 | Productive data transfer, visualization | Enabling access to the FTP and Web server of the cell-internal Advanced CP for the control room PC.
5 | Logging the data traffic | Enabling data traffic logging for an external Syslog server.
Advantages of this solution
- Protection against data espionage and data manipulation.
- Protection against overload of the communications system.
- User-friendly and easy configuration and administration without special knowledge of IT security.
- Reaction-free installation of SCALANCE S in existing automation networks.
- Scalable security functionality.
- SCALANCE S configuration without expert knowledge of IT security by means of a uniform configuration tool, the "Security Configuration Tool", and the standard mode settings.
- Remote diagnostics: Log files can be evaluated using a Syslog server.
2.3 Hardware and software components used
The application was created with the following components:
Hardware components
Table 2-2
Component | Qty. | MLFB/order number | Note
SCALANCE S602 V3 | 1 | 6GK5602-0BA10-2AA3 |
PS307 2A power supply | 2 | 6ES7 307-1BA00-0AA0 |
CPU319-3 PN/DP | 1 | 6AG1318-3EL00-2AB0 | Alternatively, any other CPU can also be used.
CPU317-2 PN/DP | 1 | 6ES73157-2EK14-0AB0 | Alternatively, any other CPU can also be used.
CP343-1 Advanced | 1 | 6GK7343-1GX31-0XE0 | Alternatively, any other IT-CP can also be used.
SCALANCE X208 | 2 | 6GK5208-0BA10-2AA3 |
PC | 4 | |
Ethernet cable | 8 | |
Standard software components
Table 2-3
Component | Qty. | MLFB/order number | Note
SIMATIC MANAGER V5.5 SP2 | 1 | 6ES7810-4CC08-0YA5 |
Security Configuration Tool V3 or higher | 1 | | Comes with the SCALANCE S.
Required tools
This application uses software components that can be downloaded as freeware from the Internet. The individual software components are:
- Web server
- FTP client
- Syslog server
- Primary Setup Tool (for address setting of SIMATIC NET products; see \3\ in chapter 9, References).
Sample files and projects
The following list contains all files and projects that are used in this example.
Table 2-4
Component | Note
22376747_Firewall_S602_CODE_v30.zip | This zip file contains the STEP 7 projects.
22376747_Firewall_S602_DOKU_v30_e.pdf | This document.
2.4 Alternative solution: VPN tunnel
As an alternative to protecting a network via a firewall, you can also use a VPN tunnel. A VPN tunnel is a “virtual private network” (comparable to a LAN) over an unsecured network (the Internet). Encryption of data packets and authentication of nodes make these secure networks possible.
Firewall vs. VPN
The following table shows the differences and the advantages/disadvantages of a VPN tunnel compared to a firewall:
Table 2-5
VPN tunnel | Firewall
Peer-to-peer connection; at least two devices are necessary to establish a VPN connection (gateway to gateway; gateway to host). | Only one device necessary; a firewall can be hardware- or software-based.
Protection across the entire VPN connection. | Security measures focused on one point.
Data encryption and authentication (proof of one's own identity and verification of the partner's identity) via a password (pre-shared key) or certificates (X.509v3 certificates). | Data traffic controlled and filtered at OSI reference model layers 2-7. Data packets can be allowed or discarded.
More information
For more information on VPN, please refer to the following applications and FAQs:
Table 2-6
Title | Link
Secure Remote Access to SIMATIC Stations with the SCALANCE S612 V3 via Internet and UMTS; Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS | http://support.automation.siemens.com/WW/view/en/24960449
Security with SCALANCE S612 V3 Modules Over IPSec VPN Tunnels; Remote Control Concept with SCALANCE S Modules Over IPSec-Secured VPN Tunnels | http://support.automation.siemens.com/WW/view/en/22056713
How do you configure a VPN tunnel between a PC station with Windows XP SP2 and SCALANCE S61x V2.1 via the Internet with the Microsoft Management Console? | http://support.automation.siemens.com/WW/view/en/26098355
How do you configure a VPN tunnel between a PC station and SCALANCE S61x V2.1 via the Internet with the SOFTNET Security Client Edition 2005 HF1? | http://support.automation.siemens.com/WW/view/en/24953807
How is a VPN tunnel between two SCALANCE S 61x modules configured in Routing mode via the Internet? | http://support.automation.siemens.com/WW/view/en/24968211
3 Minimizing Risk through Security
Ethernet-based communication plays a key role in the automation environment, and its use of open and standardized IT technologies offers many advantages. However, the increasing openness and integration also increase the risk of unwanted manipulation. Therefore, a security concept is required that, on the one hand, reliably protects industrial communication and, on the other hand, also considers the special requirements of automation engineering.
Note No one can guarantee one hundred percent protection. However, there are numerous options to minimize the risk.
3.1 Conditions and requirements
Requirements
The requirements for security include:
- Node authorization: Only defined nodes may participate in the data communication. Authentication is required.
- Packet identification: It must be ensured that the data packets arrive unchanged at their destination address.
- Confidentiality: Networks behind the security modules are to be hidden from third parties.

Automation engineering conditions
The special requirements of automation engineering are:
- Consideration of effectiveness and economic efficiency by using the existing infrastructure.
- Reaction-free integration: The existing infrastructure must not be changed and existing components must not be reconfigured.
- Preservation of data security through protection against unauthorized access.
3.2 The SIEMENS protection concept: Defense in depth
Multi-level security concept
Increasing networking and the use of proven technologies from the "office world" in automation systems create an increased demand for security. It is not sufficient to offer only limited protection that is not in depth, since attacks from external sources can involve multiple levels. Optimum protection requires strong security awareness. To achieve the required security objectives, Siemens uses the defense in depth strategy. This strategy is based on a security model with multiple layers: plant security, network security and system integrity.
The advantage is that an attacker first has to overcome several security mechanisms and that the security requirements of the individual layers can be considered separately.

Tools of the defense in depth strategy
To implement this protection concept, two security tools from the field of network security should be mentioned as examples: firewall and VPN tunnel. A firewall is used to control the data traffic. Filtering makes it possible to discard packets, analyze packet contents and block or grant network access. The tunneling method is frequently used to secure communication.
3.3 Security mechanism: Firewall
Description A firewall is part of a security concept in the private and corporate sector that prevents or restricts unauthorized access to networks or devices. Firewalls are offered as a hardware- or software-based component.
3.3.1 Firewall classification
Types of firewalls
There are three different types of firewalls, each named after the highest OSI layer it evaluates:
- Packet filter (evaluation of packets up to OSI layer 3, the network layer).
- Circuit-level gateway (evaluation of packets up to OSI layer 4, the transport layer).
- Application-level gateway or proxy (evaluation of packets up to OSI layer 7, the application layer).
Packet filters analyze IP data packets and, based on defined criteria, either forward or discard them. Circuit-level gateways access the transport layer and can therefore analyze the correlation between network connections and individual packets. Aside from the term circuit-level gateway, a number of other terms are in use, including stateful packet inspection.
An application-level gateway is a proxy server. It handles the entire communication between the network to be protected and the unsecured network. Security proxies are set up for each service (WWW, e-mail, Telnet, FTP, etc.). This means that the computers of the LAN do not access a server on the Internet directly; instead, they identify and authenticate themselves to the proxy and send the request to it. The proxy, in turn, establishes the connection to the server with its own sender address and forwards the request. The application-level gateway makes it possible to control and filter the contents of the transmitted data. In companies, such a proxy server is also used to block certain Web sites for the internal network or to filter services such as ActiveX and JavaScript out of Web sites.

Selection criteria
The firewall to be used in a company or privately depends on several criteria:
- The desired and achievable security.
- The necessary overhead (hardware- or software-based firewall).
- The achievable data throughput.
- The costs.
3.3.2 Stateful packet inspection
Description
Stateful packet inspection is a firewall technology that operates at the network layer, the transport layer and optionally at the application layer of the OSI reference model. Stateful inspection stands for state-controlled filtering and is an extension of the packet filter. Access to the various communication protocols enables stateful packet inspection to create a status table of all network connections, to detect correlations between data packets and to determine relations between existing communication relationships.

Principle of operation
Due to this insight into the communication, stateful packet inspection allows, for example, only those data packets from external sources into the internal network that are a response to a request previously started by an internal node. If the external node sends data that was not requested, the firewall blocks the transfer, even if a connection exists between the internal and external nodes. An important property of stateful packet inspection is the dynamic generation and deletion of filter rules. If an internal node sends data to an external target device, the firewall, after the first data packet has passed, must define a rule for a limited period of time that accepts the "response packet" and forwards it to the sender of the request (internal node). After the time window has expired, the rule must be deleted.
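The principle of operation described above, reduced to its essentials, as an added example that is not Siemens code and does not model the S602 V3's own state handling: outbound requests from the internal subnet create a time-limited rule, inbound frames are only accepted when they match such a rule, and rules whose time window has expired are deleted before each decision. The internal subnet (192.168.10.0/24), the rule lifetime and the sample frames are constructed values.

```python
"""Toy stateful packet inspection: dynamic reply rules with a time window.

Added example, not Siemens code. Subnet, timeout and sample frames are
constructed; the S602 V3's real state table is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Connection key seen from the internal side:
# (proto, internal ip, internal port, external ip, external port)
ConnKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Allows outbound requests and only those inbound frames that answer a tracked request."""

    def __init__(self, internal_net: str, rule_ttl: float):
        self.internal_net = ipaddress.ip_network(internal_net)
        self.rule_ttl = rule_ttl                 # lifetime of a dynamic rule in seconds
        self.state: Dict[ConnKey, float] = {}    # dynamic rule -> expiry timestamp

    def _is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal_net

    def _expire(self, now: float) -> None:
        """Delete every dynamic rule whose time window has passed."""
        for key in [k for k, expiry in self.state.items() if expiry <= now]:
            del self.state[key]

    def handle(self, pkt: Packet, now: float) -> Tuple[bool, str]:
        """Decide on one frame at time `now`; returns (allowed, reason)."""
        self._expire(now)
        src_int = self._is_internal(pkt.src_ip)
        dst_int = self._is_internal(pkt.dst_ip)
        if src_int and not dst_int:
            # Request from inside: create (or refresh) the rule that will accept the reply.
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.state[key] = now + self.rule_ttl
            return True, "outbound request, reply rule created"
        if dst_int and not src_int:
            # Frame from outside: only accepted if it answers a tracked request.
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.state:
                self.state[key] = now + self.rule_ttl   # keep the window open while traffic flows
                return True, "reply to a tracked request"
            return False, "unsolicited inbound frame"
        return False, "frame does not cross the internal/external boundary"


def run_demo() -> List[bool]:
    """Constructed sequence: request, its reply, an unsolicited frame, a reply after expiry."""
    fw = StatefulFilter("192.168.10.0/24", rule_ttl=30)
    request = Packet("tcp", "192.168.10.5", 40000, "10.0.0.20", 80)
    reply = Packet("tcp", "10.0.0.20", 80, "192.168.10.5", 40000)
    unsolicited = Packet("tcp", "10.0.0.21", 4444, "192.168.10.5", 102)
    return [
        fw.handle(request, 0.0)[0],      # allowed, rule created (expires at 30)
        fw.handle(reply, 5.0)[0],        # allowed, rule refreshed (expires at 35)
        fw.handle(unsolicited, 6.0)[0],  # dropped, no matching rule
        fw.handle(reply, 100.0)[0],      # dropped, rule expired at 35
    ]


if __name__ == "__main__":
    print(run_demo())
```

The decisive detail is the refresh in the reply branch: a rule created at time 0 with a 30 s window stays alive as long as matching traffic flows, and the last reply in the demo is rejected only because no frame of that connection was seen for longer than the window.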
3.4 Security mechanism: Address translation with NA(P)T
Description
Network address translation (NAT) and network address port translation (NAPT) are methods for translating private IP addresses to public IP addresses.

Classification of IP addresses
IP addresses are used for the logical addressing of devices in IP networks. IPv4 addresses consist of four numbers from 0 to 255 that are separated by dots. There are different address categories for IP addresses, which are managed and assigned by the national organization, the NIC (network information center). The table below shows the assignment of IP addresses:
Table 3-1
Class | Max. number of networks | Start address | End address | Private address range
A | 126 | 1.0.0.0 | 126.0.0.0 | 10.0.0.0 to 10.255.255.255
B | 16382 | 128.0.0.0 | 191.255.0.0 | 172.16.0.0 to 172.31.255.255
C | 2097150 | 192.0.0.0 | 223.255.255.0 | 192.168.0.0 to 192.168.255.255
Addresses starting with 224.0.0.0 are reserved for future applications; however, they will no longer be used due to the upcoming implementation of IPv6. Due to the shortage of IP addresses on the Internet, certain address ranges were introduced that are not routed on the Internet and used for the private network. This private address range is only visible within one’s own network and cannot be accessed by the Internet. Therefore, the same ranges can also be used multiple times in other private networks.
3.4.1 Address translation with NAT
Description
NAT is a protocol for address translation between two address spaces. Its main task is the translation of private addresses to public addresses, i.e. to IP addresses that are used and also routed on the Internet. This method ensures that the addresses of the internal network are not visible in the external network. In the external network, the internal nodes are only visible via the external IP address defined in the address translation list (NAT table). Classical NAT is a one-to-one translation, i.e. one private IP address is translated to one public address. Therefore, the access address for an internal node is again an IP address.

NAT table
The NAT table contains the assignment of private to public IP addresses and is configured and managed in the gateway or router. The following screenshot shows the NAT table of the SCALANCE S602 V3.
Figure 3-1 (screenshot of the NAT table in the Security Configuration Tool; not reproduced)
Table 3-2
Option | Meaning
NAT active | The input area for NAT is activated. NAT address translations only become effective together with the option described below and entries in the address translation list. In addition, the firewall must be configured appropriately.
Allow all internal nodes access to the outside | When this option is checked, the internal IP address (source IP address) of all frames from internal to external is translated to the external module IP address plus a port number additionally assigned by the module. This behavior is visible in the additional bottom row of the NAT table: a "*" symbol in the "internal IP address" column indicates that all frames from internal to external are translated. Note: This translation corresponds to an n:1 translation, i.e. several internal nodes are mapped to one external address by the additional assignment of a port number. Despite the addition of a port, this option belongs to the NAT input area.

Table 3-3
Parameter | Meaning | Comment
External IP address | For frame direction internal -> external: newly assigned IP address. For frame direction external -> internal: detected IP address. | Alternatively, you can enter a symbolic name.
Internal IP address | For frame direction external -> internal: newly assigned IP address. For frame direction internal -> external: detected IP address. |
Direction | Assign the frame direction: Src-NAT (to external), Dst-NAT (from external), Src-NAT + Dst-NAT (external). |

Example, Src-NAT: Frames from the internal subnet are checked for the specified internal IP address and forwarded to the external network with the specified external IP address.
Sequence
If a device from the external network wants to send a packet to an internal device (Dst-NAT), it uses a public address as the destination address. This IP address is translated to a private IP address by the router. The source address in the IP header of the data packet, the public IP address of the external device, remains unchanged. The response of the internal device is sent to the IP address that is stored as the source address in the IP header. Because its own address and the source address are in different subnets, the internal device sends the packet to its router, which forwards it to the external device.
3.4.2 Address translation with NAPT
Description NAPT is a variant of NAT and is often used synonymously with it. The difference to NAT is that this protocol also allows the translation of ports. There is no longer a one-to-one translation of the IP address. Instead, only one public IP address exists, which is translated to a number of private IP addresses by adding port numbers. Therefore, the access address for the internal nodes is an IP address with a port number.
NAPT table The NAPT table contains the assignment of private IP addresses to the ports of the public IP address and is configured and managed in the gateway or router. The following screen shot shows the NAPT table of the SCALANCE S602 V3:
Figure 3-2
Table 3-4
Option | Meaning
NAPT active | The input area for NAPT is activated. NAPT translations only become effective with the option described below and entries in the list. In addition, the firewall must be configured appropriately.
Table 3-5
Parameter | Meaning | Range of values
External port | A node in the external network can respond to a node in the internal subnet or send a frame by using this port number. | Port or port ranges. Example of the entry of a port range: 78:99
Internal IP address | IP address of the addressed node on the internal subnet. |
Internal port | Port number of a service for the node addressed on the internal subnet. | Port (no port range)
Sequence If a device from the external network wants to send a packet to an internal device, it uses its public address with the specified port as the destination address. This IP address is translated to a private IP address with port address by the router. As the source address in the IP header of the data packet, the public IP of the external device remains unchanged. The response of the internal device is sent to the IP address that is stored as the source address in the IP header. Due to the fact that its own address and the source address are in different subnets, the internal device sends the packet to its router, which forwards it to the external device.
3.4.3 FTP via a NAPT router
Due to the one-to-one translation of IP addresses, FTP data transfer via NAT does not involve any difficulties. Via a NAPT router such as the SCALANCE S602 V3, it is not that trivial anymore. Aside from the default ports 20 (data channel) and 21 (control channel), FTP also uses dynamic ports beyond 1023 for data transmission, which are not known prior to transmission. For the address translation, NAPT uses ports that are entered in the NAPT table during configuration. An extension of the NAPT table during runtime is not possible. The dynamic port during FTP data transfer can thus not be applied to the NAPT table. As a result, all data packets sent from external to internal with a port unknown to the NAPT table are not translated and therefore discarded. FTP data transfer cannot take place.
Problem description The figure below illustrates the problem:
Figure 3-3: FTP via a NAPT router. Client and server communicate across the NAPT router (external network / internal network); the NAPT table entries shown are 172.158.2.2:21 -> 192.168.2.3:21 and 172.158.2.2:20 -> 192.168.2.3:20. Messages shown, numbered 1 to 4 as in Table 3-6: port 21: sends user name; port 21: requests password; port 21: sends password; port 21: command PORT with data port, e.g. port 1027; port 21: acknowledgement; port 1027: establishes data connection to desired port.
Table 3-6
Step | Sequence | Response
1. | The client sends the user ID to the server via the control port. | Port 21 is allowed by the NAPT router. The server requests the password.
2. | The client sends the password via port 21. | Port 21 is allowed by the NAPT router. The server confirms the password.
3. | Via the PORT command, the client transmits the ports on which it listens for the data connection. | Port 21 is allowed by the NAPT router.
4. | Via these ports, the server attempts to make contact with the FTP client. | As these ports are not configured in the NAPT table, the data packets are discarded by the NAPT router. The FTP connection is not established.
Solution To allow the data packets of the FTP server into the internal network despite dynamic ports, it is necessary to generate a NAT entry in addition to the NAPT entry. All data packets from the FTP server must be rewritten to the IP address of the NAPT router. This allows all data packets into the internal network, irrespective of the port.
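The following Python model is an added example, not code of the SCALANCE S602 V3 or from Siemens. It reproduces the translation behavior described in sections 3.4.1 to 3.4.3: 1:1 NAT is independent of the port, NAPT translates only the ports entered in its table, Src-NAT (n:1) assigns a port number per connection, and the FTP data connection of Table 3-6 is discarded until the additional NAT entry proposed above exists. The addresses 172.158.2.2 (external side of the router) and 192.168.2.3 (internal node) are taken from Figure 3-3; the external peer 172.158.2.20, the source ports and the Src-NAT port pool starting at 49152 are assumptions.

```python
"""Model of the NAT/NAPT translation described in sections 3.4.1 to 3.4.3.

Added example, not SCALANCE S602 V3 code. Addresses 172.158.2.2 and
192.168.2.3 are from Figure 3-3; the external peer 172.158.2.20, the source
ports and the Src-NAT port pool starting at 49152 are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NaptRouter:
    external_ip: str
    # NAPT table (Table 3-5): external port range -> (internal IP, internal port).
    # The external side may be a range such as 78:99, the internal side is one port.
    napt: List[Tuple[int, int, str, int]] = field(default_factory=list)
    # 1:1 NAT table (Table 3-3, Dst-NAT): external IP -> internal IP, any port.
    nat: Dict[str, str] = field(default_factory=dict)
    # Src-NAT state (section 3.4.1, n:1): assigned external port -> (internal IP, port).
    src_nat: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 49152  # constructed port pool for Src-NAT

    def add_napt(self, ext_ports: str, int_ip: str, int_port: int) -> None:
        """ext_ports is a single port ("21") or a range written as in the SCT ("78:99")."""
        lo, _, hi = ext_ports.partition(":")
        self.napt.append((int(lo), int(hi or lo), int_ip, int_port))

    def add_nat(self, ext_ip: str, int_ip: str) -> None:
        self.nat[ext_ip] = int_ip

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> internal: the translated frame, or None if it is discarded."""
        if pkt.dst_ip == self.external_ip:
            # Response to a connection that an internal node opened (reverse Src-NAT).
            if pkt.dst_port in self.src_nat:
                int_ip, int_port = self.src_nat[pkt.dst_port]
                return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
            # NAPT: only ports entered in the table are translated.
            for lo, hi, int_ip, int_port in self.napt:
                if lo <= pkt.dst_port <= hi:
                    return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        # 1:1 NAT: the address is translated whatever the port.
        if pkt.dst_ip in self.nat:
            return Packet(pkt.src_ip, pkt.src_port, self.nat[pkt.dst_ip], pkt.dst_port)
        return None  # port unknown to the NAPT table: frame is discarded

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> external Src-NAT: source becomes the external IP plus an assigned port."""
        port = self.next_port
        self.next_port += 1
        self.src_nat[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)


def ftp_scenario() -> Dict[str, Optional[Packet]]:
    """Steps 1 to 4 of Table 3-6, then the additional NAT entry of the Solution."""
    router = NaptRouter(external_ip="172.158.2.2")
    router.add_napt("21", "192.168.2.3", 21)  # control channel, Figure 3-3
    router.add_napt("20", "192.168.2.3", 20)  # data channel, Figure 3-3
    server = "172.158.2.20"                     # constructed external FTP peer
    result: Dict[str, Optional[Packet]] = {}
    # Steps 1 to 3: port 21 is in the NAPT table and is allowed.
    result["control"] = router.inbound(Packet(server, 40000, "172.158.2.2", 21))
    # Step 4: data connection to the dynamic port announced with PORT (e.g. 1027).
    result["data_before"] = router.inbound(Packet(server, 20, "172.158.2.2", 1027))
    # Solution: an additional 1:1 NAT entry admits frames irrespective of the port.
    router.add_nat("172.158.2.2", "192.168.2.3")
    result["data_after"] = router.inbound(Packet(server, 20, "172.158.2.2", 1027))
    return result
```

The model makes the trade-off of the proposed solution visible: once the 1:1 entry exists, the NAT stage forwards every destination port to the internal node, so the restriction to the ports actually needed has to come from the firewall rules, which section 3.5 requires to be coordinated with the NAT table in any case.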
3.5 Correlation between NA(P)T and firewall
Customizing the firewall The following applies to both directions Src-NAT (to external) and Dst-NAT (from external): Frames must first pass through the address translation in the NAT/NAPT router and then through the firewall. The settings for the NAT/NAPT router and the firewall rules must be coordinated so that frames with a translated address can pass through the firewall.
Figure 3-4: SCALANCE S602 V3 between the external and the internal network: IP frames (Src-NAT and Dst-NAT) pass through the NAT/NAPT router first and then through the firewall.
Note The firewall in the SCALANCE S602 V3 is preset so that IP data traffic between the networks is not possible. Before communication can take place, the firewall must first be configured.
Stateful packet inspection Firewall and NAT/NAPT router support the “stateful packet inspection” mechanism. If IP data traffic is enabled from internal to external, internal nodes can initiate a communication connection to the external network. The response frames from the external network can pass through the NAT/NAPT router and the firewall without requiring their addresses to be additionally added to the firewall rule and the NAT/NAPT address translation. Frames that are not a response to a request from the internal network will be discarded if there is no applicable firewall rule.
Translation in this application using the example of NAT The following screen shots show the NAT table and the associated firewall rules of this application. The different colors indicate the correlations.
Figure 3-5: Firewall rules and NAT table of this application (screen shots).
The table compares the correlations:
Table 3-7
Firewall rules (Action | From/to | Source -> Destination | Service) and the NAT entry they enable

NAT entry: 172.158.2.3 -> CP343-1 Advanced (Dst-NAT)
Allow | External -> internal | Service PC -> CP343-1 Advanced | S7
Allow | External -> internal | PG -> CP343-1 Advanced | HTTP
Allow | External -> internal | PG -> CP343-1 Advanced | FTP
Description: All data packets from external to the CP343-1 Advanced are allowed that reach the firewall with the IP address of the PG via port 80 (HTTP) or port 21 (FTP) and with the IP address of the service PC via port 102 (S7).

NAT entry: 172.158.2.5 -> PN-CPU (Dst-NAT)
Allow | External -> internal | Service PC -> PN-CPU | S7
Description: All data packets from external to the PN-CPU are allowed that reach the firewall with the IP address of the service PC via port 102 (S7).

NAT entry: 172.158.2.2 <- * (Src-NAT)
Allow | Internal -> external | all
Description: All data packets from internal to external are allowed.
In a diagrammatic representation, this process can be described as follows:
Figure 3-6: A frame from the external network addressed to 172.158.2.3 (HTTP) passes the NAT router, where the NAT table translates 172.158.2.3 to 192.168.2.3, then the firewall, and reaches 192.168.2.3 (HTTP) in the internal network.
Table 3-8
Step | Meaning
1. | A device from the external network wants to send a data packet to IP address 172.158.2.3 (HTTP application).
2. | The NAT router translates this address to the private IP address 192.168.2.3 (here symbolically as CP343-1 Advanced) using the NAT table.
3. | The firewall checks how it should handle the data packet. The “Allow External -> Internal PG -> CP343-1 Advanced HTTP” entry allows all data packets coming from the PG via port 80 that are addressed to the CP343-1 Advanced to pass.
4. | The data packet is directed to the internal network.
Behavior if the assignment is incorrect If NA(P)T entries and firewall rules do not match, the S602 V3 will block the data packets not listed in the rule. In the following sample configuration, no rule was created in the firewall for the translation of IP address 172.158.2.5 to the PN-CPU (symbolic for 192.168.2.5):
Figure 3-7: Firewall rules and NAT table of the sample configuration without a rule for the 172.158.2.5 -> PN-CPU translation (screen shots).
During data communication between the external and internal network, the following happens:
Figure 3-8: A frame from the external network addressed to 172.158.2.5 (S7) passes the NAT router, where the NAT table translates 172.158.2.5 to 192.168.2.5; the firewall only has a rule for 192.168.2.3 (HTTP), so no rule exists and the packet is discarded.
Table 3-9
Step | Meaning
1. | A device from the external network wants to send a data packet to IP address 172.158.2.5 (S7 application).
2. | The NAT router translates this address to the private IP address 192.168.2.5 (here symbolically as PN-CPU) using the NAT table.
3. | The firewall checks how it should handle the data packet. As no rule exists, the data packet is discarded.
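The following Python model is an added example, not SCALANCE S602 V3 code or a Siemens artifact. It implements the order of processing section 3.5 describes (address translation first, then the firewall, evaluated from the top with the first matching rule deciding and an implicit final drop for external/internal traffic, plus stateful packet inspection for response frames) and replays Table 3-8 and Table 3-9 against the rules of Table 3-7. The Dst-NAT entries, the rules and the internal addresses are those of Table 3-7; the external addresses of the PG (172.158.2.10) and of the service PC (172.158.2.11) and all port numbers are assumptions, and Src-NAT rewriting of outgoing frames is left out so that the firewall is shown working on the internal addresses.

```python
"""NA(P)T -> firewall pipeline of section 3.5 (Tables 3-7 to 3-9).

Added example, not SCALANCE S602 V3 code. Dst-NAT entries, rules and internal
addresses are those of Table 3-7; the external addresses of the PG
(172.158.2.10) and the service PC (172.158.2.11) and all ports are constructed.
Src-NAT rewriting of outgoing frames is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EXT_TO_INT = "External -> internal"
INT_TO_EXT = "Internal -> external"

# Symbolic names as configured in the Security Configuration Tool (section 4.3.1).
SYMBOLS: Dict[str, str] = {
    "PG": "172.158.2.10",          # constructed
    "Service PC": "172.158.2.11",  # constructed
    "CP343-1 Advanced": "192.168.2.3",
    "PN-CPU": "192.168.2.5",
}
# IP services as the SCT stores them: protocol and destination port; "all" checks nothing.
SERVICES: Dict[str, Optional[Tuple[str, int]]] = {
    "S7": ("tcp", 102), "HTTP": ("tcp", 80), "FTP": ("tcp", 21), "all": None,
}
# Dst-NAT entries of Table 3-7: public address -> internal address.
NAT_TABLE: Dict[str, str] = {"172.158.2.3": "192.168.2.3", "172.158.2.5": "192.168.2.5"}


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str       # "Allow" or "Drop"
    direction: str    # EXT_TO_INT or INT_TO_EXT
    source: str       # symbolic name or "all"
    destination: str  # symbolic name or "all"
    service: str      # key of SERVICES


class S602Model:
    def __init__(self, nat: Dict[str, str], rules: List[Rule]) -> None:
        self.nat = nat
        self.rules = rules                    # list order is the processing order
        self.connections: Set[Tuple] = set()  # state for stateful packet inspection
        self.log: List[str] = []

    def _matches(self, rule: Rule, frame: Frame, direction: str) -> bool:
        if rule.direction != direction:
            return False
        if rule.source != "all" and SYMBOLS[rule.source] != frame.src:
            return False
        if rule.destination != "all" and SYMBOLS[rule.destination] != frame.dst:
            return False
        service = SERVICES[rule.service]
        return service is None or service == (frame.proto, frame.dport)

    def process(self, frame: Frame, direction: str) -> Tuple[bool, Frame]:
        """Return (passed, frame as it leaves the module)."""
        if direction == EXT_TO_INT:
            # Step 1: address translation comes first (Figure 3-4).
            if frame.dst in self.nat:
                frame = Frame(frame.src, self.nat[frame.dst], frame.proto, frame.sport, frame.dport)
            # A response to a connection opened from inside passes without its own rule.
            if (frame.dst, frame.dport, frame.src, frame.sport, frame.proto) in self.connections:
                self.log.append("response frame: passed by stateful packet inspection")
                return True, frame
        # Step 2: the firewall, evaluated from top to bottom; the first match applies.
        for no, rule in enumerate(self.rules, 1):
            if self._matches(rule, frame, direction):
                allowed = rule.action == "Allow"
                if allowed and direction == INT_TO_EXT:
                    self.connections.add((frame.src, frame.sport, frame.dst, frame.dport, frame.proto))
                self.log.append(f"rule {no} ({rule.action}) applies")
                return allowed, frame
        # Final rule for internal <-> external: everything not explicitly allowed is blocked.
        self.log.append("no rule exists; packet will be discarded")
        return False, frame


def table_3_7_rules() -> List[Rule]:
    return [
        Rule("Allow", EXT_TO_INT, "Service PC", "CP343-1 Advanced", "S7"),
        Rule("Allow", EXT_TO_INT, "PG", "CP343-1 Advanced", "HTTP"),
        Rule("Allow", EXT_TO_INT, "PG", "CP343-1 Advanced", "FTP"),
        Rule("Allow", EXT_TO_INT, "Service PC", "PN-CPU", "S7"),
        Rule("Allow", INT_TO_EXT, "all", "all", "all"),
    ]


def walkthrough() -> Dict[str, bool]:
    """Table 3-8, a service not in the list, Table 3-9 and a stateful response."""
    pg, service_pc = SYMBOLS["PG"], SYMBOLS["Service PC"]
    full = S602Model(NAT_TABLE, table_3_7_rules())
    # Table 3-8: HTTP from the PG to 172.158.2.3 -> 192.168.2.3 -> rule 2 allows it.
    http_ok, _ = full.process(Frame(pg, "172.158.2.3", "tcp", 50000, 80), EXT_TO_INT)
    # S7 from the PG to the same address: no rule lists it, the NAT entry alone opens nothing.
    s7_pg_ok, _ = full.process(Frame(pg, "172.158.2.3", "tcp", 50001, 102), EXT_TO_INT)
    # Table 3-9: the rule for the 172.158.2.5 -> PN-CPU translation was not created.
    rules = table_3_7_rules()
    missing = S602Model(NAT_TABLE, rules[:3] + rules[4:])
    s7_ok, _ = missing.process(Frame(service_pc, "172.158.2.5", "tcp", 50002, 102), EXT_TO_INT)
    # Stateful inspection: an internal node opens a connection outwards (rule 5);
    # the reply passes although no External -> internal rule exists for it.
    full.process(Frame("192.168.2.3", pg, "tcp", 40000, 8080), INT_TO_EXT)
    reply_ok, _ = full.process(Frame(pg, "192.168.2.3", "tcp", 8080, 40000), EXT_TO_INT)
    return {"table_3_8_http": http_ok, "s7_from_pg": s7_pg_ok,
            "table_3_9_s7": s7_ok, "stateful_reply": reply_ok}
```

The `log` list records which rule decided each frame, which is the check worth running after every change to the NAT table: each Dst-NAT address should be reached by at least one matching rule, otherwise the translation is configured but the frames end in “no rule exists; packet will be discarded”, exactly the failure mode of Table 3-9.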
4 SCALANCE S Product Overview
4.1 The idea of the cell protection concept
Motivation If controllers or other intelligent devices with no or only minimum self-protection are located in a network segment, the only remaining option is to create a secure network environment for these devices. The easiest way to achieve this is to use special routers or gateways. They provide IT security through integrated industrial quality firewalls and are themselves protected.
The cell protection concept The security concept designed by Siemens was tailored specifically to the requirements in the automation environment to meet the increasing demand for network security. The core of this concept is to segment the automation network in terms of security and to create protected automation cells. Therefore, cells are network segments separated in terms of security. The network nodes within a cell are protected by special security modules to control the data traffic from and to the cell and to check for rights. Only authorized frames are allowed to pass.
Figure 4-1: Office network, automation network and several robot cells; each robot cell is separated from the automation network by an S602 V3.
Advantages of the cell concept The main purpose of the cell protection concept is to protect all devices that cannot protect themselves. Mostly, these are devices for which an upgrade with security functions is not viable or too costly. Another reason is the technical feasibility. Especially smaller programmable controllers do not have the necessary hardware requirements. The security module that protects the entire cell protects several devices simultaneously, which results in lower costs and also reduces the configuration overhead. The integration of the security module into existing networks is reaction-free.
Real time and security Basically, real-time communication and security are two opposing requirements. Checking the frames against the rules or configurations costs time and performance. The cell protection concept makes it possible to meet both requirements simultaneously. Within a cell, real-time communication can take place entirely unaffected by any security mechanisms. The security module controls data only at the cell entrance.
4.2 SCALANCE S602 V3
Description The SCALANCE S602 V3 is a product from the SIMATIC NET SCALANCE S family. Like the other modules, the S602 V3 is optimized for use in the automation environment and meets the special requirements of automation engineering. The SCALANCE S602 V3 belongs to the category of circuit-level gateways and is a stateful inspection firewall to protect all devices of an Ethernet network.
Properties The SCALANCE S602 V3 features the following security functions:
- Protection of devices with or without independent security functions by the integrated firewall:
  – Analysis of data packets based on the source and destination address
  – Support of Ethernet “non-IP” frames
  – Bandwidth limitation
  – Global and local firewall rules
  – User-defined firewall rules
- Simultaneous protection of several devices: The integration of the SCALANCE S as a link between two networks automatically protects the devices behind it.
- Router mode: In router mode, the SCALANCE S separates the internal network from the external network. The internal network appears as a separate subnet.
- Reaction-free integration of the SCALANCE S602 V3 into an existing infrastructure with flat networks (bridge mode).
In addition, the SCALANCE S602 V3 supports the following network functions:
- Address translation with NAT/NAPT.
- DHCP server for IP address assignment in the internal network.
- Logging and evaluation of log files via an external server.
- SNMP for analysis and evaluation of network information.
Interfaces The SCALANCE S602 V3 has two interfaces:
- Port 1 (red); recognizable by the lock symbol.
- Port 2 (green)
The unsecured, external network is connected to the red port, the internal network to be secured is connected to the green port.
Figure 4-2: S602 V3 with the external network on the red port and the internal network on the green port.
Note The Ethernet connections on port 1 and port 2 are handled differently by the SCALANCE S and must therefore not be mixed up when connecting to the communication network. If the ports are swapped over, the device will lose its protective function.
4.3 Security Configuration Tool
Configuring the S602 V3 The SCALANCE S602 V3 is configured using the Security Configuration Tool (SCT). Its handling is very simple and, in the minimum configuration, requires no special knowledge of security. The following screen shot shows the user interface of the Security Configuration Tool:
Figure 4-3
Properties The Security Configuration Tool has the following properties:
- Configuration of the SCALANCE and SINAUT Security Modules possible in the SCT.
- Test and diagnostic displays.
- Status displays.
- Standard mode for fast and easy configuration of the security modules, even without security knowledge.
- Advanced mode for the individual configuration of the security modules.
- Access for authorized users only through password assignment when creating a project.
- Consistency checks even during the configuration.
- Encryption of the saved project and configuration data.
- Symbolic addressing of nodes.
- Creation of global, local and user-specific firewall rules.
4.3.1 Symbolic addressing
In the Security Configuration Tool, symbolic names can be assigned in place of the IP addresses of the nodes. These are limited to the configuration within a project, i.e. they cannot be used on a cross-project basis. A single unique IP or MAC address must be assigned to each symbolic name. The advantage of symbolic names is that the configuration of the services and rules is easier and more secure. For the following functions and their configuration, symbolic names are accepted:
- Firewall
- NAT/NAPT
- Syslog
- DHCP
The following screen shot shows the symbolic addressing with the associated IP addresses of this application: Figure 4-4
4.3.2 User management
Overview In the user management of the Security Configuration Tool, you can create new users and assign them system- or user-defined roles. You define the module rights per security module. Figure 4-5
System-defined roles The following system-defined roles are predefined:
- administrator
- standard
- diagnostics
- remote access
The roles are assigned certain rights that are identical on all modules and that cannot be changed or deleted by the administrator. For more information, please refer to the security manual listed in /2/, chapter 9 (References).
User-defined roles In addition to the system-defined roles, you can also create user-defined roles. For each security module used in the project, you individually define the respective rights and manually assign the role to the users.
4.4 Firewall rules
Firewall rules are predefined or specifically configured rules for the data traffic and are created using the Security Configuration Tool. Depending on sender, address, protocol and send operation, the data packets may pass or are discarded. The following screen shot shows a sample configuration of rule sets:
Figure 4-6
A firewall rule is composed of several components:
Table 4-1
Name | Meaning | Option
Action | Allow rule (allow/drop) | Allow: Allow frames as defined. Drop: Block frames as defined.
From/To | Allowed communication directions | Internal -> External, External -> Internal, Tunnel -> Internal, Internal -> Tunnel
Source IP address | Sender’s address | Alternatively, you can enter a symbolic name.
Destination IP address | Destination address | Alternatively, you can enter a symbolic name.
Table 4-1 (continued)
Name | Meaning | Option
Service | Name of the IP/ICMP service or service group used. The services are defined previously and stored with information such as protocol, source and destination port. | The drop-down list offers the configured services and service groups for selection. When “all” is selected, no service is checked; the rule applies to all services.
Bandwidth | Setting option for bandwidth limitation. A packet passes through the firewall if the pass rule applies and the allowed bandwidth for this rule has not yet been exceeded. | Range of values: 0..100 Mbps
Logging | Enabling or disabling logging for this rule. |
No. | Serial number assigned by the Security Configuration Tool to identify the firewall rule in the log table. |
Comment | Here you can enter your own explanations of the rule. |
In the Security Configuration Tool, you can define rules globally, locally and user-specifically.
Note The Security Configuration Tool allows max. 256 IP/MAC rule sets.
4.4.1 Precedence of rules
The occurrence of the rules in the rule list also corresponds to their order of processing. The packet filter rules are evaluated as follows:
- The list is evaluated from top to bottom; for opposing rules, the higher entry applies.
- For rules for communication between the internal and external network, the final rule applies: All frames except the frames explicitly allowed in the list are blocked.
- For rules for communication between the internal network and IPSec tunnel, the final rule applies: All frames except the frames explicitly blocked in the list are allowed.
Note All frame types from internal -> external or vice versa are blocked with the factory settings and must be explicitly allowed.
4.4.2 The different firewall rule sets
Local rule sets Each local rule set is assigned to one module and directly defined in the properties dialog of a module.
Global firewall rules Global firewall rules are defined outside the modules at the project level. The advantage is that rules that apply to several modules must only be configured once. Using drag and drop, the global firewall rules are simply moved to the module to which these firewall rules are to apply. This global firewall rule set appears automatically in the module-specific list of firewall rules. Global firewall rules can be defined for:
- IP rule sets
- MAC rule sets
Figure 4-7: Global rule set 1 (Rule 1, Rule 2, Rule 3) and Global rule set 2 (Rule 1, Rule 2, Rule 3) are defined at project level; the local rule set of the module contains Local rule 1, Local rule 2 and the assigned Global rule set 1 and Global rule set 2.
Note Global firewall rules are particularly useful if several security modules are managed in a project.
In this application, only one S602 V3 is configured and managed. In this case, the use of global firewall rules has no advantage over local rules. However, they are nevertheless used to demonstrate the application and creation of global rules.
User-specific firewall rules For the user-specific firewall, the rule sets can be assigned to one or several users and then to the individual security modules. This makes access dependent on the user and not (only) on IP or MAC addresses. For this purpose, the user logs on to the SCALANCE S602 V3 on a Web page. If logon was successful, the firewall rule set intended for this user is enabled. Users can log on with the following roles:
- administrator
- diagnostics
- remote access
After logon, a 30-minute timer is started. After this time has elapsed, the user is automatically logged off the SCALANCE S602 V3. In online mode of the Security Configuration Tool, an overview table is offered for the user check. It lists all users currently logged on to the SCALANCE S602 V3. Figure 4-8
To log off the SCALANCE S602 V3, three options are available:
- The “Log off” button on the Web page.
- Automatically after the timer has elapsed.
- The User check online function by selecting the user and the “Log off” button.
4.4.3 Conventions for the firewall rule sets
The following conventions apply to creating the global and user-specific firewall rule sets:
- They can only be created in advanced mode of the Security Configuration Tool.
- By default, locally defined rules have higher priority; if new global and/or user-specific firewall rules are assigned to a security module, these rules will therefore be initially added to the bottom of the local rule list. The priority can be changed by changing the position in the rule list.
- Global and user-specific firewall rules can only be assigned to a security module as an entire rule set.
- They cannot be edited in the local rule list of firewall rules in the module properties; they can only be displayed there and positioned according to the desired priority. It is not possible to delete a single rule from an assigned rule set. It is only possible to take the complete rule set from the local rule list; this does not change the definition in the global rule list.
4.5 Logging and diagnostics options in the SCT
For test and monitoring purposes, the online view of the Security Configuration Tool provides various diagnostics and logging options.
Requirements for the online view To obtain access to the online view, please note the following:
- Online mode in the Security Configuration Tool is enabled (“View > Online”).
- A network connection to the selected module exists.
4.5.1 Online functions
The following screen shot shows the online dialog: Figure 4-9
It offers the following functions:
Table 4-2
Function | Meaning
Status | Display of the device status of the SCALANCE S module selected in the project.
Date and time of day | Setting of date and time of day.
Cache tables | ARP table of the security module.
User check | Overview of logged in users for the user-defined firewall rules.
Internal nodes | Display of the internal network nodes of the SCALANCE S module.
Interface settings | Status display of the selected interface (PPPoE, DynDNS).
System log | Display of logged system events.
Audit log | Display of logged security events.
Packet filter log | Display of logged data packets and start and stop of packet logging.
4.5.2 Logging
The events to be logged can be defined in the properties dialog of the SCALANCE S602 V3. Two variants are available for logging:
- Local log: Logs the messages in the local buffer of the S602 V3. Data recording can be stored according to two selectable methods:
  – Ring buffer: Once the buffer is full, recording starts at the start of the buffer and thus overwrites the oldest entries.
  – One-shot buffer: Recording stops when the buffer is full.
  The Security Configuration Tool enables you to access, visualize and archive these logs.
- Network Syslog: Instead of the local buffer, the messages are sent to an external Syslog server.
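The following Python model is an added example, not SCALANCE S602 V3 code or a Siemens artifact. It implements the two recording methods of the local log named above so that the difference in which events survive becomes visible; the buffer capacity, the event texts and the event sequence are constructed.

```python
"""Local log buffer of section 4.5.2: ring buffer versus one-shot buffer.

Added example, not SCALANCE S602 V3 code. Capacity, event texts and the
event sequence are constructed.
"""
from collections import deque
from typing import Dict, List


class LocalLogBuffer:
    """Fixed-size local log with the two recording methods described for the S602 V3."""

    def __init__(self, capacity: int, method: str) -> None:
        if method not in ("ring", "one-shot"):
            raise ValueError("method must be 'ring' or 'one-shot'")
        self.method = method
        self.capacity = capacity
        self.entries: deque = deque(maxlen=capacity)  # a bounded deque drops the oldest entry
        self.lost = 0          # events that are not in the buffer any more
        self.stopped = False   # one-shot: recording has stopped

    def record(self, event: str) -> bool:
        """Store an event; returns False if it was not kept."""
        if self.method == "one-shot":
            if len(self.entries) == self.capacity:
                self.stopped = True  # recording stops when the buffer is full
                self.lost += 1
                return False
            self.entries.append(event)
            return True
        if len(self.entries) == self.capacity:
            self.lost += 1           # ring buffer: the oldest entry is overwritten
        self.entries.append(event)
        return True

    def contents(self) -> List[str]:
        return list(self.entries)


# Constructed event sequence: packet filter events followed by the audit
# events of Table 4-3 that a defender would not want to lose.
EVENTS: List[str] = [f"packet filter: rule 2 allowed frame {i}" for i in range(1, 7)] + [
    "audit: incorrect password during authentication",
    "audit: packet logging disabled",
]


def compare(capacity: int = 4) -> Dict[str, object]:
    """Feed the same events to both buffer types and report what each retains."""
    ring = LocalLogBuffer(capacity, "ring")
    one_shot = LocalLogBuffer(capacity, "one-shot")
    for event in EVENTS:
        ring.record(event)
        one_shot.record(event)
    return {
        "ring": ring.contents(), "ring_lost": ring.lost,
        "one_shot": one_shot.contents(), "one_shot_lost": one_shot.lost,
        "one_shot_stopped": one_shot.stopped,
    }
```

With eight events and a capacity of four, both methods lose four entries, but different ones: the ring buffer keeps the most recent events, so the two audit events are still present, while the one-shot buffer keeps the first four and silently stops. Neither limit applies to the Network Syslog variant, which is why an external Syslog server is the option when events must not be lost.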
Settings The following screen shot shows the possible logging settings for the S602 V3:
Figure 4-10
The following events can be logged:
Table 4-3
Event | Meaning
Packet filter events | Refers to data packets to which a configured packet filter rule (firewall) applies or to which basic protection reacts.
Audit events | Refers to security-relevant events such as enabling or disabling packet logging or entering an incorrect password during authentication.
System events | System events are, e.g., the start of a process.
Aside from selecting events, this dialog also allows you to enable or disable logging and to define the storage of data.
Logging functions The following logging functions are available in online mode:
Table 4-4
Function | Meaning | Screen shot
System log | Display of logged system events. |
Audit log | Display of logged security events. |
Packet filter log | Display of logged data packets and start and stop of packet logging. |
5 Installation
This chapter describes which hardware and software components have to be installed. The descriptions and manuals as well as delivery information included in the delivery of the respective products should be observed in any case.
5.1 Installing the hardware
For the hardware components, please refer to chapter 2.3.
Figure 5-1: Hardware setup: the control room (service PC, Syslog server, external PC, X208) is connected to the S602 V3, behind which the automation cell protected by the firewall (X208, CPU 317-2 PN/DP + CP343-1 Advanced, CPU 319-3 PN/DP) is located.
To install the hardware, follow the instructions in the table below:
Table 5-1
No. | Action | Remark
Internal network:
1. | Mount all modules on a DIN rail. | CPU319-3 PN/DP, CPU317-2 PN/DP, CP343-1 Advanced, S602 V3, X208
2. | Connect the CPU317-2 PN/DP and the CP343-1 Advanced via a backplane bus. |
3. | Connect all components to a 24 V power supply. | To be able to connect all modules, use either terminal strips or several power supply units.
4. | Connect the modules via Ethernet as follows: CPU319-3 PN/DP to port 6 of the first SCALANCE X208; CP343-1 Advanced to port 1 of the first SCALANCE X208; internal interface (green) of the S602 V3 to port 5 of the first SCALANCE X208. |
External network:
5. | Connect the second SCALANCE X208 to a 24 V power supply. |
6. | Connect the modules in the external network via Ethernet as follows: PC of the control room to port 2 of the second SCALANCE X208; Service PC to port 2 of the second SCALANCE X208; Syslog server to port 7 of the second SCALANCE X208; External PC to port 6 of the second SCALANCE X208; the external interface (red) of the S602 V3 to port 8 of the second SCALANCE X208. |
Note Always follow the installation guidelines for the components.
Note To make sure that no old configuration is saved in the S602 V3, reset the module to factory settings. For help, see /2/ in chapter 9 (References).
5.2 Installing the software
Installing the standard tools
Table 5-2
No. | Action | Remark
1. | Install STEP 7 V5.5 SP2 on the service PC and the external PC. | Follow the instructions of the installation program.
2. | Install the Security Configuration Tool on the PG. | Follow the instructions of the installation program.
3. | Install the FTP client on the PG and the external PC. | Follow the instructions of the installation program.
4. | Install a Syslog program on the Syslog server. | Follow the instructions of the installation program.
Installing the application software Extract the 22376747_Firewall_S602_V30_CODE code folder. It contains two STEP 7 projects:
- Bridge.zip: project for setup in bridge mode.
- NAT_NAPT.zip: project for setup in router mode.
On the service PC, open the SIMATIC MANAGER and select “File > Retrieve” to unzip the required STEP 7 project. For bridge mode, use Bridge.zip; in router mode, use NAT_NAPT.zip.
6 Commissioning in Bridge Mode
6.1 Overview of the configuration mode
Bridge mode is a flat network. The external and internal network are in the same subnet.
Overview
Figure 6-1: Bridge mode setup with the addresses of Table 6-1: control room 192.168.2.1, service PC 192.168.2.6, Syslog 192.168.2.4 and external PC 192.168.2.7 on the external X208; S602 V3 192.168.2.2; CP 192.168.2.3 and CPU 192.168.2.5 on the X208 of the automation cell protected by the firewall.
IP addresses used
Table 6-1
Module | IP address
External network:
PG in the control room | 192.168.2.1
Service PC | 192.168.2.6
Syslog server | 192.168.2.4
External PC | 192.168.2.7
S602 V3 | 192.168.2.2
Internal network:
CP343-1 Advanced | 192.168.2.3
PN-CPU | 192.168.2.5
The following table now describes the necessary configurations for the scenarios.
Table 6-2
No. | Application | Description | Chapter
1. | Parameterization | IP configuration of all cell-internal devices through node initialization in STEP 7 (via DCP) | Enabling the DCP protocol (chapter 6.4)
2. | Configuration/diagnostics/visualization | Enabling the full PG functionality (STEP 7) for the PC of the service employee. | IP service definition (chapter 6.8.1); Creating the local firewall rules (chapter 6.8.4)
3. | Bandwidth limitation | Restricting the data communication for the PC of the service employee. | Creating the local firewall rules (chapter 6.8.4)
4. | Productive data transfer, visualization | Enabling access to the FTP and Web server of the cell-internal Advanced CP for the control room PG. | IP service definition (chapter 6.8.1); Creating the local firewall rules (chapter 6.8.4); Creating the global firewall rule (chapter 6.8.3)
5. | Logging the data traffic | Enabling data traffic logging for an external Syslog server. | Creating the local firewall rules (chapter 6.8.4); Configuring Syslog logging (chapter 6.7)
6. | User-defined firewall rules | Enabling access to the FTP and Web server of the cell-internal Advanced CP for selected users. | Defining users for the SCT (chapter 6.8.2); Creating user-specific firewall rules (chapter 6.8.5)
6.2 Assigning the IP addresses
Assigning IP addresses of the PCs/PGs
In the following, the PCs/PGs are configured with the necessary IP addresses.
Table 6-3
No. Action Remark
1. To change the network address, select “Start > Settings > Network Connection > Local Connections” and open Internet Protocol (TCP/IP). Change the IP address of the PG in the control room, the service PC, the Syslog server and the external PC in this way, as shown in Table 6-1. Note: For routing mode, you additionally require a gateway address. In this case, also enter the IP address of the associated router.
Assigning the IP addresses of the modules
To be able to load the STEP 7 project to the CPU, first change the IP address of the module via which the project is loaded. This can be the CPU itself or a CP.
Table 6-4
No. Action Note
1. Connect the service PC to the internal network via the first SCALANCE X208. In the default mode, the S602 V3 does not allow node initialization of the cell-internal devices by an external PG with STEP 7. For this reason, the PG must be located directly in the internal network for node initialization.
2. On the service PC, open the SIMATIC MANAGER and the STEP 7 project. In the “PLC” menu, select the “Edit Ethernet Node…” option.
3. Click on the Browse… button.
4. Select the desired module and click on OK to confirm the selection.
5. In the Set IP configurations window that appears, enter the IP address as shown in Table 6-1. Note: For routing mode, you additionally require a gateway address. In this case, check Use router and enter the IP address of the associated router. Click on the Assign IP Configuration button.
6. Proceed in this way to assign the respective IP addresses to CP and CPU. Loading the SCT project assigns the SCALANCE its IP address.
7. Connect the service PC again to port 7 of the second SCALANCE X208.
6.3 Creating a project in the SCT
The SCALANCE S module is configured with the aid of the Security Configuration Tool (SCT).
Table 6-5
No. Action Remark
1. Select “Start > SIMATIC > Security” to open the Security Configuration Tool. Select “Project -> New” to create a new project.
2. You are prompted to assign an authentication for the new project. Enter a user name and password. Confirm with OK.
3. Select the S602 module and version V3. Select any name and apply the MAC address of the module that can be found on the housing. As the external IP address, assign 192.168.2.2 with subnet mask 255.255.255.0. Confirm the entries with OK.
6.4 Enabling the DCP protocol
Enabling the DCP protocol allows node initialization of all cell-internal devices using an external PG with STEP 7.
Table 6-6
No. Action Remark
1. Select the module and use the “right mouse button -> Properties” to open the module properties. Go to the Firewall tab.
2. Check the Allow DCP option in both directions. This allows setting IP addresses or device names (node initialization) by means of the Primary Setup Tool (PST) integrated in STEP 7. Confirm the change with OK.
3. Save the configuration with a meaningful name (e.g., S602 V3_FW).
4. Now transfer the configuration to the module. Select the row with the module and select “Transfer > To module…”. The F LED changes from yellow orange to green. Wait until the “Transfer finished successfully” message appears.
5. You can now use a network scan to detect the internal nodes.
6.5 Symbolic addressing in the SCT
Symbolic addressing of nodes facilitates the configuration of the individual services.
Table 6-7
No. Action Remark
1. Select “Options > Symbolic Names…” to open the table for symbolic addressing.
2. Use Add to enter all nodes with their IP address and MAC address in the table. Use the IP addresses from Table 6-1. Close the dialog with OK.
Bridge mode: IP addresses from Table 6-1.
Router mode: IP addresses from Table 7-1.
6.6 Advanced mode
In addition to the default settings, advanced mode offers more configuration options.
NOTICE Once you have switched to advanced mode for the current project, this action cannot be undone.
Table 6-8
No. Action Remark
1. An individual configuration of the firewall is only possible in advanced mode. Select “View > Advanced Mode” to activate it.
2. Confirm the warning message with Yes.
6.7 Configuring Syslog logging
Data packets are to be logged on a Syslog server. Table 6-9
No. Action Remark
1. Select the S602 V3 module in the Security Configuration Tool and use the “right mouse button -> Properties” to open the properties dialog. Go to the Log Settings tab. Enable logging to a Syslog server and select that the symbolic names of the internal nodes are displayed instead of IP addresses. Enter the symbolic name “Syslog-Server” as the IP address. Enable the messages to be transferred to the Syslog server. Close the dialog with OK.
6.8 Configuring the firewall rules
Requirements
Requirements for configuring the firewall are: an SCT project was created with an S602 V3; the S602 V3 module was configured with the MAC address of the real S602 V3 module; in bridge mode, 192.168.2.2 has been entered as the external IP address; advanced mode is activated.
6.8.1 IP service definition
IP service definitions allow the compact and clear definition of firewall rules that are applied to certain services. Each service parameter set is assigned a name. When configuring the global or local packet filter rules, these names are then used instead of the individual parameters.
Table 6-10
No. Action Remark
1. Select “Options > IP Services…” to open the required table.
2. Use Add IP Service to add new IP services.
3. Enter the following services:
   For S7 communication: Name: S7; Protocol: TCP; Source Port: *; Target Port: 102
   For HTTP communication: Name: HTTP; Protocol: TCP; Source Port: *; Target Port: 80
   For FTP access: Name: FTP; Protocol: TCP; Source Port: *; Target Port: 21
   Once you have entered all services, close the dialog with OK.
6.8.2 Defining users for the SCT
Table 6-11
No. Action Remark
1. Select “Options > User Management” to open the user management in the Security Configuration Tool.
2. The start screen lists all users that have already been configured with their names and roles. You can use Add to create more users.
3. Define a name and password. From the drop-down list, select the remote access role. The user with the remote access role has no rights except logon to the Web page for user-specific firewall rules. Close the window with OK.
4. The new user is displayed in the overview table. Close the window with OK.
5. Confirm the warning message with OK.
6.8.3 Creating the global firewall rule
For this application, the firewall rule for the FTP server is created as a global rule.
Table 6-12
No. Action Remark
1. In Global firewall rule sets, select Firewall IP rule sets and use the “right mouse button > Insert rule set” to insert a new rule set.
2. To better identify the global firewall rule, you can enter a name and a description.
3. Use Add Rule to create a new global firewall rule. Enter the following values:
   Action: Allow; From/To: External -> Internal; Source IP: PG; Destination IP: CP343-1Advanced; Service: FTP; Logging: Enabled
   Close the dialog with OK.
4. A new global firewall rule was created.
5. Select this rule and use drag and drop to move it to the S602 V3 module.
6.8.4 Creating the local firewall rules
The S7 protocol and HTTP communication are enabled as local firewall rules.
Table 6-13
No. Action Remark
1. Select the S602 V3 and use the “right mouse button -> Properties” to open the properties. Go to the Firewall Setting and IP Rules tab. The global firewall rule that has just been moved to the module using drag and drop now also appears in the local firewall settings.
2. Click on Add Rule to create a new local firewall rule.
3. Enter the following values:
   Action: Allow; From/To: External -> Internal; Source IP: Service-PC; Destination IP: PN-CPU; Service: S7; Bandwidth: 10 (Mbps); Logging: Enabled
4. You can use Add Rule to add more rules. For S7 communication and HTTP communication, enter the following rows:
   Action: Allow; From/To: External -> Internal; Source IP: Service-PC; Destination IP: CP343-1Advanced; Service: S7; Bandwidth: 10 (Mbps); Logging: Enabled
   Action: Allow; From/To: External -> Internal; Source IP: PG; Destination IP: CP343-1Advanced; Service: HTTP; Logging: Enabled
   Action: Allow; From/To: Internal -> External; Source IP: *; Destination IP: *
   Close the dialog with OK.
Note The Security Configuration Tool automatically assigns a unique label to each firewall rule.
When system and security events are logged, each log row displays this label, so you can determine which firewall rule was applied to the logged packet.
6.8.5 Creating user-specific firewall rules
Table 6-14
No. Action Remark
1. Select User-specific firewall rules and use the “right mouse button > Insert rule set” to insert a new rule set.
2. To better identify the user-specific firewall rule, you can assign a name and a description. The bottom part displays all configured users.
3. Use Add Rule to create a new firewall rule.
4. Enter the following values:
   Action: Allow; From/To: External -> Internal; Source IP: (empty); Destination IP: CP343-1Advanced; Service: HTTP; Logging: Enabled
   Action: Allow; From/To: External -> Internal; Source IP: (empty); Destination IP: CP343-1Advanced; Service: FTP; Logging: Enabled
5. Select the configured user and use Add to assign this rule set to the user.
6. Close this dialog with OK.
7. A new user-specific firewall rule was created.
8. Select this rule and use drag and drop to move it to the SCALANCE S602 V3.
Note The following rules apply to the assignment of user-specific firewall rules:
A module can only be assigned one user-specific rule set per user. The assignment enables the “User can log on with module” role for all roles of the users defined in the rule set.
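The following model ties together the IP service definitions (chapter 6.8.1), the global rule (6.8.3), the local rules (6.8.4) and the user-specific rule set (6.8.5) so that the scenarios can be checked offline. It is an added example and not Security Configuration Tool code: symbolic names and addresses are those of Table 6-1, services those of Table 6-10, rules those of Tables 6-12 to 6-14; the rule labels ("G1", "L1", ...), the user name "remote_user" and the log line format are constructed. A user-specific rule set becomes active only after the user's HTTPS logon and is deactivated again by the 30-minute automatic logoff described in chapter 8. DCP is a layer-2 protocol and is outside this IP packet model; bandwidth limits are recorded but not enforced.

```python
"""Model of the S602 V3 packet filter configured in chapter 6.8 (added example,
not Security Configuration Tool code). Symbolic names follow Table 6-1, IP
services Table 6-10, rules Tables 6-12 to 6-14. Rule labels ("G1", "L1", ...)
and the user name are constructed placeholders; the SCT assigns its own labels.
DCP (layer 2) is outside this model and bandwidth limits are only recorded."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

NODES: Dict[str, str] = {
    "PG": "192.168.2.1", "CP343-1Advanced": "192.168.2.3",
    "Syslog-Server": "192.168.2.4", "PN-CPU": "192.168.2.5",
    "Service-PC": "192.168.2.6", "External-PC": "192.168.2.7",
}
# IP service definitions: name -> (protocol, target port); the source port is "*"
SERVICES: Dict[str, Tuple[str, int]] = {"S7": ("tcp", 102), "HTTP": ("tcp", 80), "FTP": ("tcp", 21)}
SESSION_TIMEOUT_S = 30 * 60  # automatic logoff after 30 minutes (chapter 8)


@dataclass(frozen=True)
class Rule:
    label: str
    direction: str                  # "ext->int" or "int->ext"
    src: str                        # symbolic name, IP address or "*"
    dst: str
    service: Optional[str] = None   # key of SERVICES; None = any IP traffic
    logging: bool = False
    bandwidth_mbps: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Global rule (Table 6-12) followed by the local rules (Table 6-13).
STATIC_RULES: List[Rule] = [
    Rule("G1", "ext->int", "PG", "CP343-1Advanced", "FTP", logging=True),
    Rule("L1", "ext->int", "Service-PC", "PN-CPU", "S7", logging=True, bandwidth_mbps=10),
    Rule("L2", "ext->int", "Service-PC", "CP343-1Advanced", "S7", logging=True, bandwidth_mbps=10),
    Rule("L3", "ext->int", "PG", "CP343-1Advanced", "HTTP", logging=True),
    Rule("L4", "int->ext", "*", "*"),
]
# User-specific rule set (Table 6-14): the source IP is left empty and is
# bound to the address the user logs on from.
USER_RULE_SET: List[Rule] = [
    Rule("U1", "ext->int", "", "CP343-1Advanced", "HTTP", logging=True),
    Rule("U2", "ext->int", "", "CP343-1Advanced", "FTP", logging=True),
]


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == "*" or NODES.get(spec, spec) == ip


def _service_matches(name: Optional[str], pkt: Packet) -> bool:
    if name is None:
        return True
    proto, port = SERVICES[name]
    return pkt.proto == proto and pkt.dst_port == port


class Firewall:
    def __init__(self, rules: Iterable[Rule], user_rule_set: Iterable[Rule], users: Iterable[str]):
        self.rules = list(rules)
        self.user_rule_set = list(user_rule_set)
        self.users = set(users)                            # users with the remote access role
        self.sessions: Dict[str, Tuple[str, float]] = {}   # user -> (source IP, expiry time)
        self.log: List[str] = []                           # each log row carries the rule label

    def logon(self, user: str, src_ip: str, now: float) -> bool:
        """HTTPS logon on the module's Web page activates the user's rule set for src_ip."""
        if user not in self.users:
            return False
        self.sessions[user] = (src_ip, now + SESSION_TIMEOUT_S)
        return True

    def _user_rules(self, now: float) -> List[Rule]:
        active: List[Rule] = []
        for user, (ip, expires) in list(self.sessions.items()):
            if now >= expires:                             # timed out: rule set inactive again
                del self.sessions[user]
                continue
            for r in self.user_rule_set:
                active.append(Rule(f"{r.label}/{user}", r.direction, ip, r.dst, r.service, r.logging))
        return active

    def evaluate(self, pkt: Packet, now: float = 0.0) -> str:
        """Return "allow" for the first matching rule, otherwise "deny" (implicit default)."""
        for rule in self.rules + self._user_rules(now):
            if (rule.direction == pkt.direction and _addr_matches(rule.src, pkt.src_ip)
                    and _addr_matches(rule.dst, pkt.dst_ip) and _service_matches(rule.service, pkt)):
                if rule.logging:
                    self.log.append(f"{rule.label} allow {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
                return "allow"
        self.log.append(f"default deny {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
        return "deny"


def build_firewall() -> Firewall:
    """Firewall as loaded in chapter 6.9, with one remote-access user (name constructed)."""
    return Firewall(STATIC_RULES, USER_RULE_SET, users=["remote_user"])
```

Calling `build_firewall().evaluate(Packet("ext->int", "192.168.2.7", "192.168.2.3", "tcp", 21))` reproduces the "Blocking unauthorized access" scenario of chapter 8 (result "deny"); after `logon("remote_user", "192.168.2.7", now=0)` the same packet is allowed until `now` reaches 1800 seconds. Rules are evaluated in order and everything not matched is denied, which is why the internal-to-external catch-all rule is listed last.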
6.9 Downloading the firewall rules to the S602 V3
Once all firewall rules have been configured, the project can be downloaded to the SCALANCE S602 V3.
Table 6-15
No. Action Remark
1. Save the configuration with a meaningful name (e.g., S602 V3_FW).
2. Now transfer the configuration to the module. Select the row with the module and select: “Transfer > To module…”. The F LED changes from yellow orange to green. Wait until the Transfer completed successfully message appears.
3. The module has now been configured with the current firewall configuration.
7 Commissioning in Routing Mode
Note This chapter discusses only the additional configuration steps that go beyond the necessary configurations in bridge mode.
7.1 Overview of configuration mode
Routing mode connects networks across subnets: the external and internal networks are located in different subnets, and the S602 V3 routes between them.
Overview Figure 7-1 (figure not reproduced): automation cell protected by the firewall; S602 V3 internal 192.168.2.2, external 172.158.2.2; CP 192.168.2.3, CPU 192.168.2.5, two SCALANCE X208 switches; service PC 172.158.2.6, control room 172.158.2.1, Syslog 172.158.2.4, external PC 172.158.2.7.
IP addresses used Table 7-1
Network           Module                        IP address    Router
External network  PG of the control room        172.158.2.1   172.158.2.2
External network  Service PC                    172.158.2.6   172.158.2.2
External network  Syslog server                 172.158.2.4   172.158.2.2
External network  External PC                   172.158.2.7   172.158.2.2
External network  S602 V3 (external interface)  172.158.2.2
Internal network  S602 V3 (internal interface)  192.168.2.2
Internal network  CP343-1 Advanced              192.168.2.3   192.168.2.2
Internal network  PN-CPU                        192.168.2.5   192.168.2.2
255.255.255.0 is always used as the subnet mask.
7.2 Basic configurations from bridge mode
Most configuration steps from bridge mode are also the basis for routing mode. The following configuration steps are required for routing mode: Table 7-2
No. Chapter Remark
1. Assigning the IP addresses (chapter 6.2)
   Remark: Use the IP addresses from Table 7-1. Make sure to also configure a router address in the devices.
2. Creating a project in the SCT (chapter 6.3)
3. Symbolic addressing in the SCT (chapter 6.5)
   Remark: Use the IP addresses from Table 7-1.
4. Advanced mode (chapter 6.6)
5. Configuring Syslog logging (chapter 6.7)
6. Configuring the firewall rules (chapter 6.8)
   Remark: Requirements for configuring the firewall are: an SCT project was created with an S602 V3; the S602 V3 module was provided with the MAC address of the real S602 V3 module; in routing mode, 172.158.2.2 has been entered as the external IP address; advanced mode is activated.
7.3 Changing the operating mode to routing
Table 7-3
No. Action Remark
1. Open the Security Configuration Tool project.
2. Select the SCALANCE S602 V3 and double-click to open the Properties. In the Interface tab, set the module to routing mode. Change the external IP address to 172.158.2.2 and enter 192.168.2.2 with subnet mask 255.255.255.0 as the internal IP address. Close the dialog with OK.
7.4 Configuring NA(P)T
This chapter shows the configuration steps necessary to implement NAT or NAPT in the SCALANCE S602 V3. In this application, you have the option to operate the scenarios either with NAT or with NAPT: for operation with NAT, follow the steps of chapter 7.4.1 (Configuring the NAT table); for operation with NAPT, follow the steps of chapter 7.4.2 (Configuring the NAPT table).
7.4.1 Configuring the NAT table
NAT is a one-to-one translation. This means that one IP address is translated to another, internal IP address.
Table 7-4
No. Action Remark
1. Go to the NAT tab. The left part of the dialog includes the NAT table.
2. Activate NAT and allow all nodes to communicate from internal to external. The 172.158.2.2 * SrcNat (to external) entry is inserted automatically.
3. The Add button enables you to insert a new entry. Enter the following address translations in the table:
   External IP address: 172.158.2.3; Internal IP address: CP343-1Advanced; Direction: Dst-NAT (from external)
   External IP address: 172.158.2.5; Internal IP address: PN-CPU; Direction: Dst-NAT (from external)
   Close the dialog with OK.
7.4.2 Configuring the NAPT table
With NAPT, a single public IP address is translated to a number of private IP addresses; the individual internal nodes are distinguished by port numbers.
Table 7-5
No. Action Remark
1. Select the S602 V3 module in the Security Configuration Tool and use the “right mouse button -> Properties” to open the properties. Go to the NAT tab. The right part of the dialog includes the NAPT table.
2. Activate NAPT.
3. The Add button enables you to insert a new entry. Enter the following address translations in the table:
   External port: 8000; Internal IP address: CP343-1 Advanced; Internal port: 80
   External port: 21; Internal IP address: CP343-1 Advanced; Internal port: 21
   External port: 102; Internal IP address: PN-CPU; Internal port: 102
Note An external port number may only be entered once. Since the IP address of the SCALANCE S is always used as the external IP address, the external port is the only distinguishing key; entering it multiple times would make the translation ambiguous.
For this reason, only one CPU (here: PN-CPU) can be accessed via the S7 port 102.
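The two translation tables of chapters 7.4.1 and 7.4.2, as an added model that is not Security Configuration Tool code. Addresses follow Table 7-1 and the entries follow Tables 7-4 and 7-5; class and function names are constructed for the example. The NAT table maps one external address to one internal node, so a node is reachable on every port; the NAPT table keys on the external port alone, which is why the model refuses a second entry for port 102 and why only one S7 CPU can be reached in NAPT mode.

```python
"""Model of the NAT and NAPT tables from chapter 7.4 (added example, not SCT
code). Addresses follow Table 7-1, the translations Tables 7-4 and 7-5.
Modelled: destination translation of packets arriving at the external
interface and the automatic source translation of outgoing packets."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

NODES = {"CP343-1Advanced": "192.168.2.3", "PN-CPU": "192.168.2.5"}
S602_EXTERNAL = "172.158.2.2"    # external interface of the S602 V3 (Table 7-1)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


class NatTable:
    """One-to-one address translation (chapter 7.4.1)."""

    def __init__(self) -> None:
        self.dst_nat: Dict[str, str] = {}   # external IP -> internal IP

    def add_dst_nat(self, external_ip: str, internal_node: str) -> None:
        if external_ip in self.dst_nat:
            raise ValueError(f"external address {external_ip} already translated")
        self.dst_nat[external_ip] = NODES[internal_node]

    def from_external(self, pkt: Packet) -> Optional[Packet]:
        """Dst-NAT: rewrite the destination; None if no entry exists (not forwarded)."""
        internal = self.dst_nat.get(pkt.dst_ip)
        return None if internal is None else replace(pkt, dst_ip=internal)

    def to_external(self, pkt: Packet) -> Packet:
        """SrcNat (to external): internal nodes appear with the module's external address."""
        return replace(pkt, src_ip=S602_EXTERNAL)


class NaptTable:
    """Port-based translation (chapter 7.4.2): one public address, several nodes."""

    def __init__(self) -> None:
        self.entries: Dict[int, Tuple[str, int]] = {}   # external port -> (internal IP, port)

    def add(self, external_port: int, internal_node: str, internal_port: int) -> None:
        # An external port may be entered only once (note in chapter 7.4.2): the
        # external address is always the module's own, so the port is the only key.
        if external_port in self.entries:
            raise ValueError(f"external port {external_port} already used")
        self.entries[external_port] = (NODES[internal_node], internal_port)

    def from_external(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != S602_EXTERNAL:
            return None
        entry = self.entries.get(pkt.dst_port)
        if entry is None:
            return None
        ip, port = entry
        return replace(pkt, dst_ip=ip, dst_port=port)


def build_nat_table() -> NatTable:
    table = NatTable()
    table.add_dst_nat("172.158.2.3", "CP343-1Advanced")   # Table 7-4
    table.add_dst_nat("172.158.2.5", "PN-CPU")
    return table


def build_napt_table() -> NaptTable:
    table = NaptTable()
    table.add(8000, "CP343-1Advanced", 80)    # Table 7-5
    table.add(21, "CP343-1Advanced", 21)
    table.add(102, "PN-CPU", 102)
    return table


def napt_port_conflict() -> bool:
    """True if a second S7 entry (port 102 for the CP) is rejected: the port is taken."""
    try:
        build_napt_table().add(102, "CP343-1Advanced", 102)
    except ValueError:
        return True
    return False
```

With the NAT table, `from_external(Packet("172.158.2.1", "172.158.2.3", 80))` yields the CP's real address and the unchanged port; with the NAPT table the control room reaches the same Web server only as 172.158.2.2:8000, which is the address form used in Table 8-16.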
7.5 Downloading the SCALANCE S602 V3 configuration
To download the configuration, proceed as described in chapter 6.9 (Downloading the firewall rules to the S602 V3). Figure 7-2
8 Operation of the Application
Access rights
By means of the firewall rules, the scenarios were only enabled for certain PCs. An attempt to test the scenarios with a PC other than the one specified will be unsuccessful. The following table provides an overview: Table 8-1
User scenario                                       Access right
Node initialization of internal nodes               Service PC
Configuration / diagnostics with STEP 7             Service PC
Access to cell-internal Web and FTP servers         PG of the control room
Logging the data packets for the S7 communication   Syslog server
Blocking unauthorized access attempts               External PC
8.1 Operation in bridge mode
Configuration
The figure below shows the configuration and the associated IP addresses of the application in bridge mode: Figure 8-1 (figure not reproduced): automation cell protected by the firewall; S602 V3 192.168.2.2, CP 192.168.2.3, CPU 192.168.2.5, two SCALANCE X208 switches; control room 192.168.2.1, service PC 192.168.2.6, Syslog 192.168.2.4, external PC 192.168.2.7.
Node initialization via the DCP protocol Table 8-2
No. Action Remark
1. On the service PC, open the SIMATIC MANAGER and the Bridge STEP 7 project. In the PLC menu, select the Edit Ethernet Node… option. Start the network scan. Enabling the DCP protocol now allows node initialization of the internal nodes.
Downloading and monitoring the STEP 7 project Table 8-3
No. Action Remark
1. On the service PC, open the SIMATIC MANAGER and the associated Bridge project.
2. Successively select the S7-300 stations and download them to the CPU.
3. Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select “View > Monitor” to monitor the variables.
Access to the Web server
Access to the Web and FTP server of the CP343-1 Advanced is permitted only for the control room. In the firewall rules, HTTP and FTP were explicitly allowed for the following IP address: 192.168.2.1.
Table 8-4
No. Action Remark
1. On the PG of the control room, open a Web browser and in the address bar enter the IP address of the CP343-1 Advanced (http://192.168.2.3). The standard HTML page opens.
2. The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections.
Access to the FTP server Table 8-5
No. Action Remark
1. On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 192.168.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server. Note: Do not use a Web browser as an FTP client but an FTP client program.
2. The file structure of the Advanced CP is displayed.
Logging the data traffic Table 8-6
No. Action Remark
1. On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here.
2. In the Security Configuration Tool, select the S602 V3 module and select “View -> Online” to go to online mode.
3. Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration…).
4. The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is directly displayed. The Start reading button activates the display in the dialog.
Blocking unauthorized access Table 8-7
No. Action Remark
1. On the external PC, open an FTP client. Create a new server with the following data: Server: 192.168.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server.
2. The CP’s file system cannot be accessed.
3. Try to open the Web page of the CP using a Web browser. Here, too, access is not possible.
4. On the external PC, open the SIMATIC MANAGER and the Bridge STEP 7 project.
5. Select an S7-300 station and try to download it to the CPU.
6. Downloading is not possible.
Access via user-defined firewall rule sets
To activate this user-specific firewall rule set, you first have to log on to the Web page of the SCALANCE S602 V3. The connection to the security module is established via HTTPS using the IP address of the external port.
Table 8-8
No. Action Remark
1. On the external PC, use a Web browser to open the Web page of the S602 V3: https://192.168.2.2.
2. Log on with the user name and password configured in chapter 6.8.2.
3. After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer.
4. On the external PC, open an FTP client. Create a new server with the following data: Server: 192.168.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server.
5. The file structure of the Advanced CP is displayed.
6. Due to the user-specific rule, access to the Web page of the CP is now allowed as well.
8.2 Operation in router mode
Configuration
The figure below shows the configuration and the associated IP addresses of the application in router mode: Figure 8-2 (figure not reproduced): automation cell protected by the firewall; S602 V3 internal 192.168.2.2, external 172.158.2.2; CP 192.168.2.3, CPU 192.168.2.5, two SCALANCE X208 switches; service PC 172.158.2.6, control room 172.158.2.1, Syslog 172.158.2.4, external PC 172.158.2.7.
8.2.1 Routing via NAT
Downloading and monitoring the STEP 7 project Table 8-9
No. Action Remark
1. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.
2. Successively select the S7-300 stations and download them to the CPU.
3. When asked for an access address for the SIMATIC CPU station, select the PROFINET interface of the CP343-1 Advanced.
4. Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select “View > Monitor” to monitor the variables.
Access to the Web server Table 8-10
No. Action Remark
1. On the PG of the control room, open a Web browser and in the address bar enter the IP address of the CP343-1 Advanced (http://172.158.2.3). The standard HTML page opens.
2. The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections.
Access to the FTP server Table 8-11
No. Action Remark
1. On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 172.158.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server.
2. The file structure of the Advanced CP is displayed.
Logging the data traffic Table 8-12
No. Action Remark
1. On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here.
2. In the Security Configuration Tool, select the S602 V3 module and select “View -> Online” to go to online mode.
3. Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration…).
4. The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is directly displayed. The Start reading button activates the display in the dialog.
Blocking unauthorized access Table 8-13
No. Action Remark
1. On the external PC, open an FTP client. Create a new server with the following data: Server: 172.158.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server.
2. The CP’s file system cannot be accessed.
3. Try to open the Web page of the CP using a Web browser (http://172.158.2.3). Here, too, access is not possible.
4. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.
5. Successively select the S7-300 stations and download them to the CPU.
6. When asked for an access address for the SIMATIC CPU station, select the PROFINET interface of the CP343-1 Advanced.
7. Downloading is not possible.
Access via user-defined firewall rule sets
To activate this user-specific firewall rule set, you first have to log on to the Web page of the SCALANCE S602 V3. The connection to the security module is established via HTTPS using the IP address of the external port.
Table 8-14
No. Action Remark
1. On the external PC, use a Web browser to open the Web page of the S602 V3: https://172.158.2.2.
2. Log on with the user name and password configured in chapter 6.8.2.
3. After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer.
4. On the external PC, open an FTP client. Create a new server with the following data: Server: 172.158.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server.
5. The file structure of the Advanced CP is displayed.
6. Due to the user-specific rule, access to the Web page of the CP (http://172.158.2.3) is now allowed as well.
8.2.2 Routing via NAPT
Downloading and monitoring the STEP 7 project Table 8-15
No. Action Remark
1. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.
2. Select the SIMATIC PN-CPU S7-300 station and download it to the CPU.
3. Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select “View > Monitor” to monitor the variables.
Access to the Web server Table 8-16
No. Action Remark
1. On the PG of the control room, open a Web browser and in the address bar enter the external IP address of the S602 V3 with the NAPT port assigned to the Web server of the CP343-1 Advanced (http://172.158.2.2:8000/). The standard HTML page opens.
2. The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections.
Access to the FTP server
NOTICE Make sure that you are using active FTP, so that the client sends a random listen port to the server and the server opens the data connection to the client.
With passive FTP, the server opens a new port and sends it to the client. However, it sends it together with its own IP address (here: 192.168.2.3) and not with the translated address (172.158.2.2). The client therefore cannot establish the data connection.
Table 8-17
No. Action Remark
1. On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 172.158.2.2; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active FTP. Connect to the FTP server.
2. The file structure of the Advanced CP is displayed.
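The failure described in the NOTICE above can be made visible on the control connection itself, because the server's reply to the PASV command carries the address it expects the data connection on. The check below is an added example, not Siemens code: it parses the 227 reply in the RFC 959 format and compares the advertised address and port with the external address of the S602 V3 and the NAPT entries of Table 7-5. Both 227 lines used in the usage note and the test are constructed; the CP's real reply may differ in wording, but the address tuple format is fixed by the standard.

```python
"""Check for the passive-FTP problem behind NAPT (added example, not Siemens
code). An FTP server answers PASV with a 227 reply carrying its address and a
data port as six comma-separated numbers (RFC 959). Behind NAPT the client
reached the server via 172.158.2.2, but the CP replies with 192.168.2.3, which
the client cannot reach and which has no NAPT entry for the random data port."""
import re
from typing import FrozenSet, Optional, Tuple

S602_EXTERNAL = "172.158.2.2"                                        # Table 7-1
NAPT_EXTERNAL_PORTS: FrozenSet[int] = frozenset({8000, 21, 102})     # Table 7-5

_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) advertised in a 227 reply; the port is p1 * 256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 Entering Passive Mode reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_data_reachable(
    reply: str,
    connected_to: str = S602_EXTERNAL,
    napt_ports: Optional[FrozenSet[int]] = NAPT_EXTERNAL_PORTS,
) -> Tuple[bool, str]:
    """Decide whether the client's passive data connection can succeed.

    connected_to: the address the client used for the control connection.
    napt_ports: external ports that have a NAPT entry (None = no NAPT in the path).
    """
    host, port = parse_pasv(reply)
    if host != connected_to:
        # Untranslated private address in the reply: this is the case of the NOTICE.
        return False, f"server advertises {host}:{port}, client connected to {connected_to}"
    if napt_ports is not None and port not in napt_ports:
        return False, f"port {port} has no NAPT entry"
    return True, f"data connection to {host}:{port}"
```

For the constructed reply `227 Entering Passive Mode (192,168,2,3,195,80).` the function reports the untranslated address 192.168.2.3:50000; a reply that already carried the external address and a NAPT-mapped port would pass, which is what an FTP-aware translator would have to produce. With active FTP the client announces its own address and listen port instead, and the server connects back to it, so no untranslated server address is ever exposed to the client.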
Logging the data traffic Table 8-18
No. Action Remark
1. On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here.
2. In the Security Configuration Tool, select the S602 V3 module and select “View -> Online” to go to online mode.
3. Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration…).
4. The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is directly displayed. The Start reading button activates the display in the dialog.
Blocking unauthorized access
Table 8-19
No. Action Remark
1. On the external PC, open an FTP client. Create a new server with the following data: Server: 172.158.2.2; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server.
2. The CP’s file system cannot be accessed.
3. Try to open the Web page of the CP using a Web browser (http://172.158.2.2:8000/). Here, too, access is not possible.
4. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.
5. Select the SIMATIC PN-CPU S7-300 station and download it to the CPU.
6. Downloading is not possible.
Access via user-defined firewall rule sets
To activate this specific firewall rule set, you first have to log on to the Web page of the SCALANCE S602 V3. The connection to the security module is established via HTTPS using the IP address of the external port.
Table 8-20
No. Action Remark
1. On the external PC, use a Web browser to open the Web page of the S602 V3: https://172.158.2.2
2. Log on with the user name and password configured in chapter 6.8.2.
3. After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer.
4. On the external PC, open an FTP client. Create a new server with the following data: Server: 172.158.2.2; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server.
5. The file structure of the Advanced CP is displayed.
6. Due to the user-specific rule, access to the Web page of the CP (http://172.158.2.2:8000/) is now allowed as well.
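The behaviour of Tables 8-19 and 8-20, as an added example that is not part of the Siemens document and not the device's implementation: a Python model of a packet filter with static rules plus a user-specific rule set that only applies while the user's Web logon is valid, expires after 30 minutes and can be extended by restarting the timer. The source addresses 172.158.2.20 (control-room PG) and 172.158.2.50 (external PC) are assumed here.

```python
from dataclasses import dataclass

# Services from the application example: the CP is reached under the
# translated address 172.158.2.2 on port 21 (FTP) and port 8000 (Web page).
CP_NAT = "172.158.2.2"
SESSION_TIMEOUT = 30 * 60  # the S602 V3 logs a Web user off after 30 minutes


@dataclass
class UserRuleSet:
    """User-specific rule set, valid only while the HTTPS logon is active."""
    allowed_dports: set
    logged_on_at: float  # time of the Web logon (seconds)

    def restart_timer(self, now):
        """Corresponds to the user restarting the timer on the Web page."""
        self.logged_on_at = now

    def is_active(self, now):
        return now - self.logged_on_at < SESSION_TIMEOUT


class PacketFilter:
    def __init__(self):
        self.static_allow = set()  # (src_ip, dst_ip, dport) tuples
        self.user_rules = {}       # src_ip -> UserRuleSet

    def allow_static(self, src, dst, dport):
        self.static_allow.add((src, dst, dport))

    def web_logon(self, src, allowed_dports, now):
        """Successful logon on the S602 V3 Web page binds the rule set to the
        source address the user logged on from."""
        self.user_rules[src] = UserRuleSet(set(allowed_dports), now)

    def decide(self, src, dst, dport, now):
        """Default deny: only static rules or an active user rule set allow."""
        if (src, dst, dport) in self.static_allow:
            return "ALLOW(static)"
        rules = self.user_rules.get(src)
        if rules and rules.is_active(now) and dst == CP_NAT \
                and dport in rules.allowed_dports:
            return "ALLOW(user rule)"
        return "DROP"
```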
10 History
Table 10-1
Version Date Modification
V1.0 03/02/06 First edition
V2.0 09/01/09 S612 replaced by S602; configuration in bridge and routing mode
V3.0 07/20/12 SCALANCE S602 V3 hardware update; user-specific firewall rules; chapters revised