
Simatic Net: Industrial Ethernet Security Setting up security in STEP 7 Professional



Document information: 130 pages, 6.72 MB.

Contents

User interface and menu commands, firewall in advanced mode and VPN for network linking are the main topics of the document "SIMATIC NET Industrial Ethernet Security: Setting up security in STEP 7 Professional". Refer to the document for further study and reference.


Setting up security in STEP 7 Professional

SIMATIC NET

Industrial Ethernet Security

Setting up security in STEP 7 Professional

Firewall in advanced mode 4

VPN for network linking 5


Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

DANGER

indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING

indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION

indicates that minor personal injury can result if proper precautions are not taken.

NOTICE

indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING

Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.


Table of contents

1 Preface 5

2 User interface and menu commands 9

2.1 User interface and menu commands 9

3 Basic configuration 15

3.1 Configuring IP addresses for SCALANCE S 15

3.1.1 Overview 15

3.1.2 Set up SCALANCE S and the network 16

3.1.3 Making IP settings for the PC 17

3.1.4 Creating a project and security module 18

3.1.5 Creating the security project 19

3.1.6 Assigning IP addresses 19

3.1.7 Downloading the configuration to SCALANCE S 21

3.2 Configuring IP addresses for a CP 22

3.2.1 Overview 22

3.2.2 Making IP settings for the PC 23

3.2.3 Creating a project and security module 24

3.2.4 Creating the security project 25

3.2.5 Assigning IP addresses 26

3.2.6 Downloading the configuration to the security module 26

4 Firewall in advanced mode 29

4.1 Global rule sets 29

4.1.1 Overview 29

4.1.2 Make the IP settings for the PCs 32

4.1.3 Configuring the local firewall 33

4.1.4 Configuring global firewall rule sets 35

4.1.5 Downloading the configuration to the security module 37

4.1.6 Testing firewall function 39

4.2 Firewall rules for connections 45

4.2.1 Overview 45

4.2.2 Make the IP settings for the PCs 47

4.2.3 Configuring the local firewall 49

4.2.4 Configuring connection firewall rules 50

4.2.5 Downloading the configuration to the security module 51

4.2.6 Testing firewall function 52

4.3 User-specific firewall 58

4.3.1 Overview 58

4.3.2 Make the IP settings for the PCs 59

4.3.3 Configuring the local firewall 61

4.3.4 Creating remote access users 61

4.3.5 Configuring user-specific firewall rule sets 62

4.3.6 Downloading the configuration to the security module 65


4.3.8 Testing firewall function 67

4.4 NAT 71

4.4.1 Overview 71

4.4.2 Making IP settings for the PC 73

4.4.3 Configuring destination NAT and local firewall 75

4.4.4 Downloading the configuration to the security module 77

4.4.5 Testing NAT function 78

5 VPN for network linking 87

5.1 VPN tunnel in the LAN between all security products 87

5.1.1 Overview 87

5.1.2 Make the IP settings for the PCs 89

5.1.3 Creating SOFTNET Security Client module 91

5.1.4 Configuring a VPN group 91

5.1.5 Saving the SOFTNET Security Client configuration 93

5.1.6 Downloading the configuration to the security module 93

5.1.7 Set up a tunnel with the SOFTNET Security Client 95

5.1.8 Testing the tunnel 96

5.2 VPN tunnel SOFTNET Security Client and CPs or SCALANCE S 99

5.2.1 Overview 99

5.2.2 Make the IP settings for the PCs 101

5.2.3 Creating SOFTNET Security Client module 103

5.2.4 Configuring a VPN group 103

5.2.5 Configuring VPN properties of the security module 105

5.2.6 Saving the SOFTNET Security Client configuration 105

5.2.7 Downloading the configuration to the security module 105

5.2.8 Set up a tunnel with the SOFTNET Security Client 107

5.2.9 Testing the tunnel 108

5.3 VPN with SOFTNET Security Client and SCALANCE S as user-specific firewall 111

5.3.1 Overview 111

5.3.2 Make the IP settings for the PCs 113

5.3.3 Creating SOFTNET Security Client module 115

5.3.4 Configuring a VPN group 115

5.3.5 Configuring VPN properties of the security module 117

5.3.6 Configuring the local firewall 117

5.3.7 Creating remote access users 118

5.3.8 Configuring user-specific firewall rule sets 119

5.3.9 Saving the SOFTNET Security Client configuration 122

5.3.10 Downloading the configuration to the security module 122

5.3.11 Set up a tunnel with the SOFTNET Security Client 124


Preface 1

Getting results fast with Getting Started

Based on simple test networks, you will learn how to handle the security modules and the STEP 7 Professional configuration tool. You will soon see that you can implement the security functions of security modules in the network without any great project engineering effort.

Based on a variety of security examples, you will be able to implement the basic functions of the security modules and the SOFTNET Security Client.

IP settings for the examples

Note: The IP settings in the examples are freely selected and do not cause any conflicts in the isolated test network. In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Validity of this Getting Started

Configuration software:

● STEP 7 Professional V13

Products:

● SCALANCE S
– SCALANCE S602, order number: 6GK5 602-0BA10-2AA3
– SCALANCE S612, order number: 6GK5 612-0BA10-2AA3
– SCALANCE S623, order number: 6GK5 623-0BA10-2AA3
– SCALANCE S627-2M, order number: 6GK5 627-2BA10-2AA3

● CPs
– CP 343-1 Advanced GX31 as of V3.0, order number: 6GK7 343-1GX31-0XE0
– CP 443-1 Advanced GX30 as of V3.0, order number: 6GK7 443-1GX30-0XE0
– CP 1543-1 as of V1.1, order number: 6GK7 543-1AX00-0XE0
– CP 1243-1, order number: 6GK7 243-1BX30-0XE0

● VPN client software


Windows:

● All the examples are implemented with Windows 7. For this reason, the path information of Windows 7 is also described.

General terminology "security modules"

In this documentation, the following products are grouped together under the term "security module":

SCALANCE S602 / SCALANCE S612 / SCALANCE S623 / SCALANCE S627-2M / CP 343-1 Advanced GX31 / CP 443-1 Advanced GX30 / CP 1243-1 / CP 1543-1

The CPs 343-1 Advanced GX31 and 443-1 Advanced GX30 are called "CP x43-1 Adv.". The CPs 1243-1 and 1543-1 are called "CP 1x43-1".

General use of the term "STEP 7"

The configuration of the security functions used in this manual is supported as of STEP 7 Professional V13. In the rest of the document this is simply called "STEP 7".

Use of the terms "interface" and "port"

In this documentation, the ports of security modules are named as follows:

● "External interface": The external port of the SCALANCE S602 / S612 / S623 or an external port of the SCALANCE S627-2M

● "Ethernet interface": The external port of the CP x43-1 Adv. / CP 1x43-1

● "Internal interface": The internal port of the SCALANCE S602 / S612 / S623 or an internal port of the SCALANCE S627-2M

● "PROFINET interface": The internal port of the CP x43-1 Adv.

● "DMZ interface": The DMZ port of the SCALANCE S623 / S627-2M

The term "port" itself is used when the focus of interest is a special port of an interface.

IP addresses of the security modules in the configuration examples

When downloading a configuration to a security module, the IP address via which the interface can currently be reached must always be specified. In the configuration examples in this manual, it is assumed that the IP addresses of the configuration are identical to the


Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit

http://www.siemens.com/industrialsecurity

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com


User interface and menu commands 2

2.1 User interface and menu commands

User interface for security functions in STEP 7


① Global security settings

The global security settings are located in the project navigation. These security settings can be configured independently of the module and subsequently assigned to individual security modules as required.

If the first security module to be configured is a CP, the global security settings are only displayed when the security functions have been enabled in the local security settings of the CP.

If the first security module to be configured is a SCALANCE S module, the global security settings are displayed after logging in to the security project. The following main folders and entries are available in the global security settings:

• User login

For the security configuration within a project, there is a separate user management. Log in to the security configuration using the "User login" entry. The first time that there is a login to the security configuration, a user with the system-defined role "Administrator" is created automatically. You can create further users in the security configuration in the user management.

• VPN groups

All created VPN groups are contained in this folder. You can create new VPN groups here and assign security modules to these VPN groups. You can also adapt VPN group properties of VPN groups that have already been created.


② Working area with security module

Once you have selected a security module in the working area, you can configure its local security settings in "Properties" > "General". If the selected security module is in a VPN group, related information is displayed in the VPN tab.

③ VPN tab

This tab displays information about all the VPN groups to which the security module that was selected in the working area belongs. Information about the respective participants of a VPN group can be displayed and hidden.

④ Local security settings

Local security settings are configured for a specific security module. After a security module has been selected in the working area, its local security settings are available in the Inspector window under "Properties" > "General".

Note for CPs:

Before local security settings can be configured for CPs, these must first be enabled.

To do this, log in to your security project and then, in the Inspector window, select the "Activate security features" check box in the "Properties" > "General" tab, "Security" entry. The local security settings are then displayed below the "Security" entry. When the check box is selected, the following settings (assuming they were enabled) are migrated automatically to the local security settings:


authorized in the user management even if the project is accessible to a wider circle of people.

Functions from the non-secure areas, on the other hand, can be configured without logging in to the security configuration. The correctness of the settings must be checked before downloading the project to the plant components if a wider circle of people can make modifications to the project.

Below, you will find a list of the configuration areas of the user interface showing which areas are secure and which are non-secure. To some extent, this depends on the security module for which the configuration is created.

● All settings from the global security settings are secure.

● Secure and non-secure configuration areas for SCALANCE S modules:

– All the settings for the interfaces and ports, in particular IP addresses, are non-secure.
– The settings under the entry "General" in the local security settings are non-secure.
– Higher-level settings (e.g. MRP settings such as MRP manager etc.) that are not configured on the security module itself but may affect the security module are not secure. This does not relate to the global security settings.
– The other settings are protected.

● Secure and non-secure configuration areas for CP 343-1 Advanced, CP 443-1 Advanced, CP 1543-1, CP 1243-1 BX30:

– All settings outside the "Security" entry are non-secure.
– Higher-level settings (e.g. MRP settings such as MRP manager, PROFINET settings, connections etc.) that are not configured on the security module itself but may affect the security module are non-secure. This does not relate to the global security settings.
– All the settings for the interfaces and ports, in particular IP addresses, are non-secure.
– All settings below the "Security" entry are secure.


Required devices/components:

Use the following components to set up the network:

● 1 x SCALANCE S (additional option: a suitably installed DIN rail with fittings)

● 1 x 24 V power supply with cable connector and terminal block plug

● 1 x PC on which the STEP 7 configuration tool is installed

● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Requirement

To be able to work through this example, the following requirements must be met:

● The SCALANCE S module has the factory settings. You can restore this status by pressing the Reset button on the SCALANCE S and holding it down for at least 5 seconds. For further information on the Reset button of the SCALANCE S, refer to the section "4.3 Reset button - resetting the configuration to the factory settings" in the manual "SIMATIC NET Industrial Ethernet Security - SCALANCE S V4".


Overview of the next steps:

3.1.2 Set up SCALANCE S and the network

Follow the steps outlined below:

1 First unpack the SCALANCE S and check that it is undamaged.

2 Connect the power supply to the SCALANCE S.

Result: After connecting the power, the Fault LED (F) is lit yellow.

WARNING

Use safety extra-low voltage only. The SCALANCE S device is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/VDE0805 can be connected to the power supply terminals.

The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range 18 - 32 V, current requirement approx. 250 mA).


3 Establish the physical network connection by connecting the external interface of the SCALANCE S to the PC.

4 Turn on the PC.

Note: The Ethernet interfaces are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network:

• Interface X1 - external network. Red marking = unprotected network area.

• Interface X2 - internal network. Green marking = network protected by SCALANCE S.

• Only for SCALANCE S623 and SCALANCE S627-2M: Interface X3 - DMZ port (universal network interface). Yellow marking = unprotected network area or network area protected by SCALANCE S.

If the interfaces are swapped over, the device loses its protective function.

3.1.3 Making IP settings for the PC

The following IP address settings are made for the PC:

PC     IP address       Subnet mask
PC1    192.168.10.100   255.255.255.0

Follow the steps outlined below:

1 On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2 Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3 Double-click on the required network connection.

4 In the "Status of [network]" dialog, click the "Properties" button.

5 Confirm the Windows prompt with "Yes".

6 Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7 In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8 Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.

9 Close the dialogs with "OK" and close the Control Panel.

3.1.4 Creating a project and security module


Creating a new security module

1 Change to the project view with the "Open the project view" menu item.

2 In the Project tree, double-click on the "Devices & networks" menu item.

Result: The network view opens.

3 Open the "Hardware catalog" and drag the relevant security module to add it to the network view. Make sure that the firmware version is correct; this can be adapted in the "Information" area.

You will find the security module by navigating as follows in the "Hardware catalog":

Security module   Navigation in the hardware catalog
SCALANCE S        "Network components" > "Industrial Security" > "SCALANCE S"

3.1.5 Creating the security project

Follow the steps below:

1 Change to the device view.

2 Select the security module so that you can configure the properties.

3 In the Inspector window, "General" tab, select the menu item "Security properties".

4 In the dialog that follows, click "User login".

5 Create a new user with user name and the corresponding password. The "administrator" role is assigned to the user automatically.

6 Confirm your entries with "Log in".

Result: The security project has been created. All the security settings you make from now on will be stored in the project encrypted and can only be edited or viewed with the user and password you have created.

3.1.6 Assigning IP addresses

Assigning the external IP address:

1 Select the menu "Online" > "Accessible devices".

2 From the "Type of the PG/PC interface" drop-down list, select the entry "PN/IE".

3 Select the network adapter via which you are connected to the security module.

4 If the MAC address of the SCALANCE S is displayed, select the corresponding entry in the table and click the "Show" button.

Result: The SCALANCE S is displayed in the project tree in the "Online access" menu below the selected network adapter.

5 Double-click on "Online & Diagnostics".

6 In the window that follows, select the "Functions" > "Assign IP address" menu.

7 Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0).

8 Click the "Assign IP address" button.

Configuring IP addresses for the internal interface and the DMZ interface:

1 In the Inspector window, "General" tab, check whether "Routing mode" is enabled under "Mode".

2 Enter the following IP addresses:


3.1.7 Downloading the configuration to SCALANCE S

Follow the steps below:

1 Select the security module in the project tree.

2 Select the menu command "Online" > "Download to device".

3 In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4 In the "Connection to interface/subnet" drop-down list, select the entry "Try all interfaces". With SCALANCE S modules, the HTTPS protocol is used for the download.

5 Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6 Select the security module in the list and click the "Load" button.

7 After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8 If the download was completed free of error, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.

Result: SCALANCE S in productive operation

The SCALANCE S is now in productive operation. This mode is indicated by the Fault LED being lit green. You can now download configurations via all interfaces. The basic configuration is completed.

3.2 Configuring IP addresses for a CP

Overview

In this example, IP addresses are configured in STEP 7 for one of the following CPs. Following this, the configuration is downloaded to the station via the security module.

To be able to work through this example, the following requirements must be met:

● The STEP 7 configuration tool is installed on a PC and a station with a CPU has already been created.

● The memory card of the CPU is empty.

● The CPU memory has been reset.

● The CPU has a valid time of day and forwards this via the backplane bus.


Overview of the next steps:

3.2.2 Making IP settings for the PC

The following IP address settings are made for the PC:

PC     IP address       Subnet mask
PC1    192.168.10.100   255.255.255.0

Follow the steps outlined below:

1 On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2 Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3 Double-click on the required network connection.

4 In the "Status of [network]" dialog, click the "Properties" button.

5 Confirm the Windows prompt with "Yes".

6 Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7 In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8 Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.

9 Close the dialogs with "OK" and close the Control Panel.

3.2.3 Creating a project and security module


Creating a new security module

1 Change to the project view with the "Open the project view" menu item.

2 In the Project tree, double-click on the "Devices & networks" menu item.

Result: The network view opens.

3 Open the "Hardware catalog" and drag the relevant security module to add it to the network view. Make sure that the firmware version is correct; this can be adapted in the "Information" area.

You will find the security module by navigating as follows in the "Hardware catalog":

Security module     Navigation in the hardware catalog
CP 343-1 Advanced   "Controller" > "SIMATIC S7-300" > "Communications modules" > "PROFINET/Ethernet" >

3.2.4 Creating the security project

Follow the steps below:

1 Change to the device view.

2 Select the security module so that you can configure the properties.

3 In the Inspector window, "General" tab, select the menu item "Security" > "Security properties".

4 In the dialog that follows, click "User login".

5 Create a new user with user name and the corresponding password. The "administrator" role is assigned to the user automatically.

6 Confirm your entries with "Log in".

7 Change to the network view and select the security module.

8 Under "Security", select the "Activate security features" check box.

Result: The security project has been created. All the security settings you make from now on will be stored in the project encrypted and can only be edited or viewed with the user and password you have created.


3.2.5 Assigning IP addresses

Assigning the external IP address:

1 Select the menu "Online" > "Accessible devices".

2 From the "Type of the PG/PC interface" drop-down list, select the entry "PN/IE".

3 Select the network adapter via which you are connected to the security module.

4 If the MAC address of the CP is displayed, select the corresponding entry in the table and click the "Show" button.

Result: The CP is displayed in the project tree in the "Online access" menu below the selected network adapter.

5 Click on "Online & Diagnostics".

6 In the window that follows, select the "Functions" > "Assign IP address" menu.

7 Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0).

8 Click the "Assign IP address" button.

9 For each address, click the "Add new subnet" button in the "Interface networked with" box.

Result: The IP addresses have been assigned and the interfaces networked.

Configuring IP addresses for the internal interface:

1 Enter the following IP addresses in the Inspector window, "General" tab:

Security module   IP address   Subnet mask


4 In the "Connection to interface/subnet" drop-down list, select the entry "Try all interfaces". For CPs, the S7 protocol is used for the download.

5 Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6 Select the security module in the list and click the "Load" button.

7 After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8 If the download was completed free of error, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The security module is now in productive operation. You can now download configurations via all interfaces. The basic configuration is complete.


Firewall in advanced mode 4

4.1 Global rule sets

In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules or, depending on the test setup, communication with Web servers in the internal network.

With the global rule sets, denied access attempts to the security module or the internal network are logged.

Setting up the test network for SCALANCE S, CP x43-1 Adv.


● Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.

Station1: Represents a node in the internal network

● Security module - A security module for protection of the internal network can be:

– SCALANCE S
– CP 343-1 Advanced in a SIMATIC S7-300 station
– CP 443-1 Advanced in a SIMATIC S7-400 station

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

PC1: PC with configuration software STEP 7

Setup of the test network CP 1x43-1

● Station - one of the following stations with security module:

– CP 1243-1 in a SIMATIC S7-1200 station


Requirement:

To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software is installed on PC1.

● Only for CP x43-1 Adv. and SCALANCE S: A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

Controller   IP address     Subnet mask     Default gateway
Controller   192.168.9.10   255.255.255.0   192.168.9.1

● A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module   Interface                        IP address     Subnet mask
SCALANCE S        External interface [P1] red      192.168.10.1   255.255.255.0
                  Internal interface [P2] green    192.168.9.1    255.255.255.0
CP 1x43-1         Ethernet interface [X1]          192.168.10.1   255.255.255.0
CP x43-1 Adv.     Ethernet interface [X1]          192.168.10.1   255.255.255.0
                  PROFINET interface [X2]          192.168.9.1    255.255.255.0

● The project with the "basic configuration" of the security module is open on PC1.

Figure 4-1 IP settings of the basic configuration

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.


Overview of the next steps:

4.1.2 Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC     IP address       Subnet mask     Default gateway
PC1    192.168.10.100   255.255.255.0   192.168.10.1

Follow the steps below for PC1:

1 On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2 Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3 Double-click on the required network connection.

4 In the "Status of [network]" dialog, click the "Properties" button.

5 Confirm the Windows prompt with "Yes".

6 Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7 In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8 Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.

9 Close the dialogs with "OK" and close the Control Panel.

4.1.3 Configuring the local firewall

Follow the steps below:

1 Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2 For a CP: Select the "Security" menu item and then the "Activate security features" check box.

Result: The security functions of the module are shown below the "Security" entry and can be configured.

3 Select the "Firewall" menu item.

4 In the "General" box, enable the "Activate firewall" option.

5 Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".

Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.

6 Select the "IP rules" menu and add the following firewall rules depending on the security module you are using:

Security module   Action   From       To 1)      Source IP address   Destination IP address   Service
SCALANCE S        Allow    External   Internal   192.168.10.100      -                        S7
                  Allow    External   Internal   -                   -                        HTTPS
CP 1x43-1         Allow    External   Station    192.168.10.100      -                        S7
                  Allow    External   Station    -                   -                        Security diagnostics
CP x43-1          Allow    External   Any        192.168.10.100      -                        S7
                  Allow    External   Any        -                   -                        HTTPS

1) Due to the "Stateful inspection" function of the firewall, the response frames are allowed automatically and do not need to be allowed specifically.

Result: The local firewall rules are displayed in the list:

Figure 4-2 Local IP rules in advanced firewall mode


4.1.4 Configuring global firewall rule sets

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Add new IP rule set".

Result: A global IP rule set is created.

2. Enter any name and a description for the IP rule set. In this example:

– Name: IP rule set 1
– Description: Logging denied accesses

3. Add the following firewall rules to the list:

Action   From       To         Source IP address   Destination IP address   Service   Logging
Drop     External   Internal   -                   -                        All       ☑
Drop     External   Station    -                   -                        All       ☑
Drop     External   Any        -                   -                        All       ☑

Result: A new global firewall rule set is created. You can assign the global firewall rule set to every security module without needing to create these rules separately for each security module.

Figure 4-3 Global IP rule set

4. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Assign module to a firewall rule set".

5. Select the created rule set from the "Rule set" drop-down list.

6. Select the security module being used in the "Available modules" list.


7. With the "<<" button, move it to the "Assigned modules" list.

Figure 4-4 Assigning a global rule set

Result: The global firewall rule set has been inserted in the local firewall of the security module.

8. To check this, go to the Inspector window and open the menu "Properties" > "Firewall" > "IP rules".

Figure 4-5 Displaying a global rule set


Result: The global firewall rule set has been added to the list after the last local firewall rule. Depending on the security module you are using, only those rules of the global firewall rule set that are valid for that security module are adopted. You can see the resulting firewall rules in the following table:

Security module      Action   From       To         Source IP address   Destination IP address   Service   Logging
CP 1x43-1            Drop     External   Station    -                   -                        All       ☑
CP x43-1 Adv.        Drop     External   Station    -                   -                        All       ☑
                     Drop     External   Any        -                   -                        All       ☑
SCALANCE S602/S612   Drop     External   Internal   -                   -                        All       ☑
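The rule tables in 4.1.3 and 4.1.4 only give the intended policy together with the evaluation order: the global rule set lands after the last local rule, the first matching rule decides, and, as footnote 1) says, stateful inspection admits the response frames of an allowed connection without a rule of their own. The following Python model is an added example and not Siemens code or part of this manual; it re-creates the SCALANCE S rules from both tables and runs constructed sample frames through them so the effective policy (S7 only from PC1, HTTPS from any external node, everything else dropped and logged) can be checked before the download in 4.1.5. The service-to-port mapping (S7 on TCP/102, HTTPS on TCP/443), the Station1 address, the second external address and the unlogged implicit drop when no rule matches are assumptions of the model.

```python
"""First-match packet-filter model for the local rules (4.1.3) and the global
rule set (4.1.4). Added example, not Siemens code; port mapping, the internal
station address and the second external address are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Assumed mapping of the named services to transport ports (not from the manual).
SERVICE_PORTS = {"S7": ("tcp", 102), "HTTPS": ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    action: str               # "Allow" or "Drop"
    src_zone: str             # "External" or "Internal"
    dst_zone: str
    src_ip: Optional[str]     # None stands for "-" (any address) in the table
    dst_ip: Optional[str]
    service: Optional[str]    # None stands for "All"
    logging: bool = False


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every filled column of the rule must match; an empty column matches anything."""
    if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if rule.src_ip is not None and ip_address(rule.src_ip) != ip_address(pkt.src_ip):
        return False
    if rule.dst_ip is not None and ip_address(rule.dst_ip) != ip_address(pkt.dst_ip):
        return False
    if rule.service is not None and SERVICE_PORTS[rule.service] != (pkt.proto, pkt.dport):
        return False
    return True


@dataclass
class Firewall:
    rules: List[Rule]                               # local rules first, then the global set
    flows: Set[Tuple] = field(default_factory=set)  # connections admitted so far
    log: List[str] = field(default_factory=list)    # entries written by rules with logging on

    def evaluate(self, pkt: Packet) -> str:
        """Return "Allow" or "Drop" for one frame; the first matching rule wins."""
        # Stateful inspection: a frame travelling back along an admitted flow needs no rule.
        reverse = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return "Allow"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.logging:
                    self.log.append(f"{rule.action} {pkt.src_ip}:{pkt.sport} -> "
                                    f"{pkt.dst_ip}:{pkt.dport}/{pkt.proto}")
                if rule.action == "Allow":
                    self.flows.add((pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport, pkt.proto))
                return rule.action
        return "Drop"  # model assumption: no matching rule means an unlogged drop


def scalance_s_rules() -> Tuple[List[Rule], List[Rule]]:
    """Local rules from the 4.1.3 table and the global rule set from 4.1.4 for SCALANCE S."""
    local = [
        Rule("Allow", "External", "Internal", "192.168.10.100", None, "S7"),
        Rule("Allow", "External", "Internal", None, None, "HTTPS"),
    ]
    global_set = [Rule("Drop", "External", "Internal", None, None, None, logging=True)]
    return local, global_set


def check_policy(first: List[Rule], second: List[Rule]) -> Dict[str, object]:
    """Run constructed sample frames through the rules in the given order."""
    fw = Firewall(list(first) + list(second))
    station = "192.168.10.10"                        # constructed address for Station1
    pc1, other = "192.168.10.100", "192.168.10.200"  # PC1 from the table; 'other' constructed
    verdicts = {
        "pc1_s7": fw.evaluate(Packet("External", "Internal", pc1, station, "tcp", 50000, 102)),
        "other_s7": fw.evaluate(Packet("External", "Internal", other, station, "tcp", 50001, 102)),
        "other_https": fw.evaluate(Packet("External", "Internal", other, station, "tcp", 50002, 443)),
        "pc1_ssh": fw.evaluate(Packet("External", "Internal", pc1, station, "tcp", 50003, 22)),
        # response frame of the S7 connection: admitted by state, not by a rule (footnote 1)
        "s7_reply": fw.evaluate(Packet("Internal", "External", station, pc1, "tcp", 102, 50000)),
    }
    return {"verdicts": verdicts, "logged": len(fw.log), "log": list(fw.log)}


if __name__ == "__main__":
    local_rules, global_rules = scalance_s_rules()
    for name, verdict in check_policy(local_rules, global_rules)["verdicts"].items():
        print(f"{name:12s} {verdict}")
```

Calling `check_policy(global_set, local)` instead, with the logging drop rule in front of the local rules, returns "Drop" for every frame; that is the ordering mistake which the appended position of the global rule set (step 8 above) avoids.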

4.1.5 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".


4. Select the "Connection to interface/subnet" via which you are connected to the security module.

For CPs, the S7 protocol is used for the download; for SCALANCE S, the HTTPS protocol.

Figure 4-6 Downloading to the security module

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

Result: Security module in productive mode.

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists). Incoming S7 data traffic is permitted only from PC1, and HTTPS communication for diagnostics of the security module is allowed for every node from the external network. Every blocked access attempt is logged.

4.1.6 Testing firewall function

How can you test the configured function?

The function tests are performed with PC1, on which a Web browser is installed.

So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external:

1. Open the project for configuration and diagnostics of the station:

– for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network
– for CP 1x43-1 (as an alternative also possible for Station1 with CP x43-1 Adv.): the project for the station in which the security module is located

2. Select the station in the project tree.

3. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are possible using the S7 protocol.


Figure 4-7 S7 diagnostics and configuration of the station

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as

Date posted: 12/02/2020, 20:51
