
Applications & Tools

Answers for industry.

Cover

Protection of an Automation Cell Using the SCALANCE S602 V3 Security Module via a Firewall (Bridge/Routing)

SCALANCE S602 V3

Application Description August 2012

S602 V3 Firewall, V3.0, Entry ID: 22376747

Copyright Siemens AG 2012. All rights reserved.

Siemens Industry Online Support

This document is taken from the Siemens Industry Online Support. The following link takes you directly to the download page of this document:
http://support.automation.siemens.com/WW/view/en/22376747

Caution: The functions and solutions described in this entry predominantly confine themselves to the realization of the automation task. Please also take into account that corresponding protective measures have to be taken in the context of Industrial Security when connecting your equipment to other parts of the plant, the enterprise network or the Internet. For more information, please refer to Entry ID 50203404:
http://support.automation.siemens.com/WW/view/en/50203404

Please also actively use our technical forum in the Siemens Industry Online Support regarding this subject. Share your questions, suggestions or problems and discuss them with our strong forum community:
http://www.siemens.com/forum-applications


SIMATIC Industrial Security: Firewall with SCALANCE S602 V3

1 Problem
2 Automation Solution
3 Minimizing Risk through Security
4 SCALANCE S Product Overview
5 Installation
6 Commissioning in Bridge Mode
7 Commissioning in Routing Mode
8 Operation of the Application
9 References
10 History


Warranty and Liability

Note: The application examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are correctly used. These application examples do not relieve you of the responsibility of safely and professionally using, installing, operating and servicing equipment. When using these application examples, you recognize that Siemens cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications – e.g. Catalogs – then the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc. described in this application example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). However, claims arising from a breach of a condition which goes to the root of the contract shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for injury of life, body or health. The above provisions do not imply a change in the burden of proof to your detriment. It is not permissible to transfer or copy these application examples or excerpts of them without first having prior authorization from Siemens Industry Sector in writing.


Table of Contents

Warranty and Liability
1 Problem
1.1 Introduction
1.2 Overview
2 Automation Solution
2.1 Overview of the overall solution
2.2 Description of the core functionality
2.3 Hardware and software components used
2.4 Alternative solution: VPN tunnel
3 Minimizing Risk through Security
3.1 Conditions and requirements
3.2 The SIEMENS protection concept: Defense in depth
3.3 Security mechanism: Firewall
3.3.1 Firewall classification
3.3.2 Stateful packet inspection
3.4 Security mechanism: Address translation with NA(P)T
3.4.1 Address translation with NAT
3.4.2 Address translation with NAPT
3.4.3 FTP via a NAPT router
3.5 Correlation between NA(P)T and firewall
4 SCALANCE S Product Overview
4.1 The idea of the cell protection concept
4.2 SCALANCE S602 V3
4.3 Security Configuration Tool
4.3.1 Symbolic addressing
4.3.2 User management
4.4 Firewall rules
4.4.1 Precedence of rules
4.4.2 The different firewall rule sets
4.4.3 Conventions for the firewall rule sets
4.5 Logging and diagnostics options in the SCT
4.5.1 Online functions
4.5.2 Logging
5 Installation
5.1 Installing the hardware
5.2 Installing the software
6 Commissioning in Bridge Mode
6.1 Overview of the configuration mode
6.2 Assigning the IP addresses
6.3 Creating a project in the SCT
6.4 Enabling the DCP protocol
6.5 Symbolic addressing in the SCT
6.6 Advanced mode
6.7 Configuring Syslog logging
6.8 Configuring the firewall rules
6.8.1 IP service definition
6.8.2 Defining users for the SCT
6.8.3 Creating the global firewall rule
6.8.4 Creating the local firewall rules
6.8.5 Creating user-specific firewall rules


6.9 Downloading the firewall rules to the S602 V3
7 Commissioning in Routing Mode
7.1 Overview of configuration mode
7.2 Basic configurations from bridge mode
7.3 Changing the operating mode to routing
7.4 Configuring NA(P)T
7.4.1 Configuring the NAT table
7.4.2 Configuring the NAPT table
7.5 Downloading the SCALANCE S602 V3 configuration
8 Operation of the Application
8.1 Operation in bridge mode
8.2 Operation in router mode
8.2.1 Routing via NAT
8.2.2 Routing via NAPT
9 References
10 History


1 Problem

1.1 Introduction

In industrial automation, the security of production networks has top priority. In the past, automation islands were frequently physically separated and relied on the integrated security of the fieldbuses. With the advance of Industrial Ethernet, increased networking with the office world and a large number of unsecured interfaces at the field level, security has become critically important. Industrial communication now faces the same threats that are known from the office and IT environment, such as hackers, viruses, worms and trojans, but also excessive communication load (e.g. broadcast storms). The existing security concepts and the standard components from the office world require continuous maintenance and specialist knowledge, and they are normally not suitable for the special requirements of industrial communication.

1.2 Overview

Overview of the automation problem

The figure below provides an overview of the automation problem.

Figure 1-1: Automation cell 1, automation cell 2 … automation cell N, each to be connected to the company network on which PC 1 to PC 4 are located.


Description of the automation problem

An automation cell is to be connected to the company network so that, via access control, only certain devices or communication services have access to the internal nodes. The following user scenarios are released for selected partners:

Table 1-1: User scenarios and partners

  User scenario                                        Partner
  Configuration / diagnostics with STEP 7              PC 1
  Node initialization of internal nodes                PC 1
  Logging the data packets for the S7 communication    PC 2
  Access to cell-internal Web and FTP servers          PC 3
  Blocking unauthorized access attempts                PC 4

Requirements

- The implemented access control is to be easy and cost-effective, and it must be possible for the automation personnel to create and maintain it.
- Integrated diagnostics of field devices and network components is to be possible from the control level.
- The structure of the automation cells can be identical (same IP address ranges) (see Figure 1-1).


2 Automation Solution

2.1 Overview of the overall solution

Diagrammatic representation

The diagrammatic representation below shows the most important components of the solution:

Figure 2-1: Automation cell protected by firewall. Components shown: S602 V3 (security component, firewall, router); CPU+CP (STEP 7 program, simulation, Web server, FTP server); PN-CPU; two SCALANCE X208 switches; service PC (STEP 7); control room PC (Web browser, FTP client); Syslog server (Syslog server, data logging); external PC (STEP 7, Web browser, FTP client).


Configuration

The protected automation cell contains two SIMATIC S7-300 stations that are connected to the internal interface of the S602 V3 via a SCALANCE X208 as follows:
- S7-300 station 1 with a CPU317-2 PN/DP, via a CP343-1 Advanced.
- S7-300 station 2, via the integrated interface of the CPU319-3 PN/DP.

Via a second SCALANCE X208, the following devices are connected to the external interface of the SCALANCE S602 V3:
- A PC in the control room, via its integrated Ethernet interface.
- The PC of a service employee, via its integrated Ethernet interface.
- A PC for recording log files.
- An external PC for demonstrating unauthorized access.


2.2 Description of the core functionality

SCALANCE S602 V3

The core of this application is the SCALANCE S602 V3 Security Module. This module is part of the Siemens security concept and was developed specifically for industrial automation. Configured as a firewall, it protects automation cells and components: with little effort, individual devices within the protected automation cell can be made accessible from certain PCs only. To meet the requirements of the automation problem, the SCALANCE S602 V3 can be used both for cross-subnet communication (routing mode) and in a flat network (bridge mode).

Description of the user scenarios

The following table shows the scenarios presented in this application that are implemented in the SCALANCE S module with the respective firewall rules. These scenarios are demonstrated for both routing and bridge mode.

Table 2-1: User scenarios

  No.  Application                                   Description
  1    Parameterization                              IP configuration of all cell-internal devices through node initialization in STEP 7 (via DCP).
  2    Configuration / diagnostics / visualization   Enabling the full PG functionality (STEP 7) for the PC of the service employee.
  3    Bandwidth limitation                          Restricting the data communication for the PC of the service employee.
  4    Productive data transfer, visualization       Enabling access to the FTP and Web server of the cell-internal Advanced CP for the control room PC.
  5    Logging the data traffic                      Enabling data traffic logging to an external Syslog server.

Advantages of this solution

- Protection against data espionage and data manipulation.
- Protection against overload of the communications system.
- User-friendly and easy configuration and administration without special knowledge of IT security.
- Reaction-free installation of SCALANCE S in existing automation networks.
- Scalable security functionality.
- SCALANCE S configuration without expert knowledge of IT security by means of a uniform configuration tool, the “Security Configuration Tool”, and the standard mode settings.
- Remote diagnostics: log files can be evaluated using a Syslog server.


2.3 Hardware and software components used

The application was created with the following components:

Hardware components

Table 2-2: Hardware components

  Component               Qty.  MLFB/order number      Note
  SCALANCE S602 V3        1     6GK5602-0BA10-2AA3
  PS307 2A power supply   2     6ES7 307-1BA00-0AA0
  CPU319-3 PN/DP          1     6AG1318-3EL00-2AB0     Alternatively, any other CPU can also be used.
  CPU317-2 PN/DP          1     6ES73157-2EK14-0AB0    Alternatively, any other CPU can also be used.
  CP343-1 Advanced        1     6GK7343-1GX31-0XE0     Alternatively, any other IT-CP can also be used.
  SCALANCE X208           2     6GK5208-0BA10-2AA3
  PC                      4
  Ethernet cable          8

Standard software components

Table 2-3: Software components

  Component                                   Qty.  MLFB/order number     Note
  SIMATIC MANAGER V5.5 SP2                    1     6ES7810-4CC08-0YA5
  Security Configuration Tool V3 or higher    1                           Comes with the SCALANCE S.

Required tools

This application uses software components that can be downloaded as freeware from the Internet:
- Web server
- FTP client
- Syslog server
- Primary Setup Tool (for address setting of SIMATIC NET products; see \3\ in chapter 9, References)

Sample files and projects

The following list contains all files and projects that are used in this example.

Table 2-4: Sample files and projects

  Component                                Note
  22376747_Firewall_S602_CODE_v30.zip      This zip file contains the STEP 7 projects.
  22376747_Firewall_S602_DOKU_v30_e.pdf    This document.


2.4 Alternative solution: VPN tunnel

As an alternative to protecting a network with a firewall, you can also use a VPN tunnel. A VPN tunnel creates a “virtual private network” (comparable to a LAN) across an unsecured network such as the Internet; the encryption of the data packets and the authentication of the nodes are what make such a network secure.

Firewall vs. VPN

The following table shows the differences and the respective advantages and disadvantages of a VPN tunnel compared to a firewall:

Table 2-5: VPN tunnel vs. firewall

VPN tunnel:
- Peer-to-peer connection; at least two devices are necessary to establish a VPN connection (gateway – gateway, gateway – host).
- Protection across the entire VPN connection.
- Data encryption and mutual authentication (proving one's own identity and verifying the partner's identity) via a pre-shared key or X.509v3 certificates.

Firewall:
- Only one device necessary; a firewall can be hardware- or software-based.
- Security measures concentrated at one point.
- Data traffic controlled and filtered at OSI reference model layers 2 to 7; data packets are allowed or discarded.

More information

For more information on VPN, please refer to the following applications and FAQs:

Table 2-6: Further reading on VPN

- Secure Remote Access to SIMATIC Stations with the SCALANCE S612 V3 via Internet and UMTS / Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS
  http://support.automation.siemens.com/WW/view/en/24960449
- Security with SCALANCE S612 V3 Modules Over IPSec VPN Tunnels / Remote Control Concept with SCALANCE S Modules Over IPSec-Secured VPN Tunnels
  http://support.automation.siemens.com/WW/view/en/22056713
- How do you configure a VPN tunnel between a PC station with Windows XP SP2 and SCALANCE S61x V2.1 via the Internet with the Microsoft Management Console?
  http://support.automation.siemens.com/WW/view/en/26098355
- How do you configure a VPN tunnel between a PC station and SCALANCE S61x V2.1 via the Internet with the SOFTNET Security Client Edition 2005 HF1?
  http://support.automation.siemens.com/WW/view/en/24953807
- How is a VPN tunnel between two SCALANCE S 61x modules configured in Routing mode via the Internet?
  http://support.automation.siemens.com/WW/view/en/24968211


3 Minimizing Risk through Security

Ethernet-based communication plays a key role in the automation environment and its use of open and standardized IT technologies offers many advantages. However, the increasing openness and integration also increase the risk of unwanted manipulation. Therefore, a security concept is required that, on the one hand, reliably protects industrial communication and, on the other hand, also considers the special requirements of automation engineering.

Note: No one can guarantee one hundred percent protection. However, there are numerous options to minimize the risk.

3.1 Conditions and requirements

Requirements

The requirements for security include:
- Node authorization: only defined nodes may participate in the data communication; authentication is required.
- Packet integrity: it must be ensured that the data packets arrive unchanged at their destination address.
- Confidentiality: networks behind the security modules are to be hidden from third parties.

Automation engineering conditions

The special requirements of automation engineering are:
- Effectiveness and economic efficiency, by using the existing infrastructure.
- Reaction-free integration: the existing infrastructure must not be changed and existing components must not be reconfigured.
- Preservation of data security through protection against unauthorized access.


3.2 The SIEMENS protection concept: Defense in depth

Multi-level security concept

Increasing networking and the use of proven technologies from the “office world” in automation systems raise the demand for security. Limited protection at a single point is not sufficient, because attacks from external sources can involve multiple levels. Optimum protection requires strong security awareness. To achieve the required security objectives, Siemens uses the defense-in-depth strategy. This strategy is based on a security model with multiple layers: plant security, network security and system integrity.

The advantage is that an attacker first has to crack several security mechanisms and that the security requirements of the individual layers can be considered separately.

Tools of the defense in depth strategy

Two security tools from the field of network security serve as examples of how this protection concept is implemented: the firewall and the VPN tunnel. A firewall is used to control the data traffic: filtering allows packets to be discarded, packet contents to be analyzed, and network access to be blocked or granted. The tunneling method (VPN) is frequently used to secure the communication itself.

3.3 Security mechanism: Firewall

Description A firewall is part of a security concept in the private and corporate sector that prevents or restricts unauthorized access to networks or devices. Firewalls are offered as a hardware- or software-based component.

3.3.1 Firewall classification

Types of firewalls

There are three types of firewalls, named after the highest OSI layer they evaluate:
- Packet filter (evaluation of packets up to OSI layer 3, the network layer).
- Circuit-level gateway (evaluation of packets up to OSI layer 4, the transport layer).
- Application-level gateway or proxy (evaluation of packets up to OSI layer 7, the application layer).

Packet filters analyze the IP data packets and, based on defined criteria, either forward or discard them. Circuit-level gateways have access to the transport layer and can therefore analyze the relationships between network connections and packets. Besides “circuit-level gateway”, a number of other terms are used for this class; one of them is stateful packet inspection.


An application-level gateway is a proxy server. It handles the entire communication between the network to be protected and the unsecured network. Security proxies are set up for each service (WWW, e-mail, Telnet, FTP, etc.). The computers of the LAN therefore do not access a server on the Internet directly; they identify and authenticate themselves to the proxy and send the request to it. The proxy, in turn, establishes the connection to the server with its own sender address and forwards the request. Because it sees the application data, an application-level gateway can control and filter the contents of the transmitted data. In companies, such a proxy server is also used to block certain Web sites for the internal network or to filter active content such as ActiveX and JavaScript out of Web pages.

Selection criteria

The firewall to be used in a company or privately depends on several criteria:
- The desired and achievable security.
- The necessary overhead (hardware- or software-based firewall).
- The achievable data throughput.
- The costs.

3.3.2 Stateful packet inspection

Description

Stateful packet inspection is a firewall technology that operates at the network layer and the transport layer and optionally at the application layer of the OSI reference model. Stateful inspection stands for state-controlled filtering and is an extension of the packet filter. Because it understands the various communication protocols, a stateful packet inspection firewall can keep a state table of all network connections, recognize which data packets belong together and determine the relationships between existing communication relationships.

Principle of operation

With this insight into the communication, stateful packet inspection allows, for example, only those data packets from external sources into the internal network that are responses to a request previously started by an internal node. If the external node sends data that was not requested, the firewall blocks the transfer, even if a connection already exists between the internal and the external node. An important property of stateful packet inspection is the dynamic generation and deletion of filter rules: if an internal node sends data to an external target device, the firewall, after the first data packet has passed, must create a rule for a limited period of time that accepts the “response packet” and forwards it to the sender of the request (the internal node). After the time window has expired, the rule must be deleted again.
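The following Python model illustrates the principle of operation described above and the difference between a plain packet filter (section 3.3.1) and stateful inspection. It is an added example written for this page, not code of the SCALANCE S602 V3 or of the Security Configuration Tool; the subnet 192.168.10.0/24, the hosts, the two static rules and the 30-second time window are constructed assumptions for the demo.

```python
"""Stateful packet inspection reduced to its essentials (added example).

Static rules only decide whether a *new* flow may be opened. Every
accepted flow is recorded in a state table; reply packets are passed
because they match a recorded flow, not because a static rule allows
them. Entries expire after `timeout` seconds and are deleted again,
which is the "dynamic rule for a limited period of time" from the text.
All addresses, ports and rules below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INTERNAL_NET = "192.168.10."   # constructed: cell-internal subnet
SERVICE_PC = "10.0.0.20"       # constructed: external service PC


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    t: float = 0.0             # arrival time on a simulated clock (seconds)


Flow = Tuple[str, str, int, str, int]          # proto, src, sport, dst, dport
Rule = Callable[[Packet], bool]


def forward_key(p: Packet) -> Flow:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> Flow:
    # The flow a reply to p would belong to.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFirewall:
    def __init__(self, rules: List[Rule], timeout: float = 30.0) -> None:
        self.rules = rules
        self.timeout = timeout
        self.state: Dict[Flow, float] = {}      # flow -> expiry time

    def _expire(self, now: float) -> None:
        # Delete dynamic entries whose time window has passed.
        for flow in [f for f, exp in self.state.items() if exp <= now]:
            del self.state[flow]

    def filter(self, p: Packet) -> str:
        self._expire(p.t)
        for key in (forward_key(p), reverse_key(p)):
            if key in self.state:               # packet belongs to a known flow
                self.state[key] = p.t + self.timeout   # refresh the window
                return "PASS established"
        if any(rule(p) for rule in self.rules):  # a static rule opens a new flow
            self.state[forward_key(p)] = p.t + self.timeout
            return "PASS new"
        return "DROP"


# Static rules of the demo cell (constructed):
#  - any internal node may open connections to the outside,
#  - the service PC may open S7 connections (ISO-on-TCP, port 102) inward.
RULES: List[Rule] = [
    lambda p: p.src.startswith(INTERNAL_NET) and not p.dst.startswith(INTERNAL_NET),
    lambda p: p.src == SERVICE_PC and p.dst.startswith(INTERNAL_NET) and p.dport == 102,
]


def run_demo() -> List[str]:
    fw = StatefulFirewall(RULES, timeout=30.0)
    cp, ext = "192.168.10.5", "10.0.0.7"
    trace = [
        Packet(cp, 40000, ext, 123, "udp", t=0.0),         # CP asks an external NTP server
        Packet(ext, 123, cp, 40000, "udp", t=0.5),         # reply: matches the recorded flow
        Packet(ext, 4444, cp, 445, "tcp", t=1.0),          # unsolicited, same hosts: dropped
        Packet(SERVICE_PC, 50000, cp, 102, "tcp", t=2.0),  # S7 connection, allowed by rule 2
        Packet(cp, 102, SERVICE_PC, 50000, "tcp", t=2.1),  # its reply
        Packet(ext, 123, cp, 40000, "udp", t=31.0),        # late reply: window expired
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third packet is the case the text singles out: the external host 10.0.0.7 already has a flow with the CP, but a packet on a different port pair matches no state entry and no static rule, so it is dropped. The last packet shows why the time window matters: once the entry is deleted, even a genuine reply is treated as unsolicited.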


3.4 Security mechanism: Address translation with NA(P)T

Description

Network address translation (NAT) and network address port translation (NAPT) are methods for translating between two IP address spaces, typically private IP addresses to public IP addresses.

Classification of IP addresses

IP addresses are used for logical addressing of devices in IP networks. IPv4 addresses consist of four numbers from 0 to 255 that are separated by dots. IP addresses are divided into address classes; public addresses are managed and assigned by the Internet registries (IANA and the regional and national NICs, network information centers). The table below shows the assignment of IP addresses:

Table 3-1: IPv4 address classes and private address ranges

  Class  Max. number of networks  Start address  End address    Private address range
  A      126                      1.0.0.0        126.0.0.0      10.0.0.0 – 10.255.255.255
  B      16382                    128.0.0.0      191.255.0.0    172.16.0.0 – 172.31.255.255
  C      2097150                  192.0.0.0      223.255.255.0  192.168.0.0 – 192.168.255.255

Addresses from 224.0.0.0 upwards are not assigned to individual hosts: 224.0.0.0 – 239.255.255.255 (class D) is reserved for multicast and 240.0.0.0 upwards (class E) is reserved. Due to the shortage of IP addresses on the Internet, certain address ranges (the private ranges in the table, defined in RFC 1918) were introduced that are not routed on the Internet and are used for private networks. A private address range is only visible within one's own network and cannot be reached from the Internet. Therefore, the same ranges can be used again in other private networks.


3.4.1 Address translation with NAT

Description NAT is a protocol for address translation between two address spaces. Its main task is the translation of private addresses to public addresses, i.e. to IP addresses that are used and also routed on the Internet. This method ensures that the addresses of the internal network are not visible in the external network. In the external network, the internal nodes are only visible via the external IP address defined in the address translation list (NAT table). Classical NAT is a one-to-one translation, i.e. one private IP address is translated to one public IP address. Therefore, the access address for an internal node is again a plain IP address.

NAT table The NAT table contains the assignment of private and public IP addresses and is configured and managed in the gateway or router. The following screen shot shows the NAT table of the SCALANCE S602 V3: Figure 3-1


Table 3-2

NAT active
  Meaning: The input area for NAT is activated. NAT address translations only become effective with the option described below and entries in the address translation list. In addition, the firewall must be configured appropriately.

Allow all internal nodes access to the outside
  Meaning: When this option is checked, the internal IP address (source IP address) is translated to the external module IP address and a port number additionally assigned by the module for all frames from internal to external. This behavior is visible in the additionally shown bottom row of the NAT table. A “*” symbol in the “internal IP address” column indicates that all frames from internal to external are translated. Note: This translation corresponds to an n:1 translation, i.e. several internal nodes are mapped to one external address. This is done by the additional assignment of a port number. Despite the addition of a port, this option is assigned to the NAT input area.

Table 3-3

External IP address
  Meaning: For frame direction “internal -> external”: newly assigned IP address. For frame direction “external -> internal”: detected IP address.
  Comment: Alternatively, you can enter a symbolic name.

Internal IP address
  Meaning: For frame direction “external -> internal”: newly assigned IP address. For frame direction “internal -> external”: detected IP address.

Direction
  Meaning: Assign the frame direction.
  Comment: Src-NAT (to external), Dst-NAT (from external), Src-NAT + Dst-NAT (external).

Example: Src-NAT: Frames from the internal subnet are checked for the specified internal IP address and forwarded to the external network with the specified external IP address.

Sequence If a device from the external network wants to send a packet to an internal device (Dst-NAT), it uses a public address as the destination address. This IP address is translated to a private IP address by the router. As the source address in the IP header of the data packet, the public IP address of the external device remains unchanged. The response of the internal device is sent to the IP address that is stored as the source address in the IP header. Due to the fact that its own address and the source address are in different subnets, the internal device sends the packet to its router, which forwards it to the external device.
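The 1:1 translation and the sequence just described, as an added example (not the S602 V3's own code). It checks the private ranges of Table 3-1, applies the Dst-NAT entries of this application (172.158.2.3 -> CP343-1 Advanced, 172.158.2.5 -> PN-CPU) and replays the request/response path. The external device address 172.158.2.20 is constructed, and the reverse translation of the reply is an assumption about how a 1:1 Dst-NAT entry is applied on the way back.

```python
"""Model of 1:1 NAT with a NAT table and the address classes of Table 3-1.

Added example, not the S602 V3 implementation. Addresses of the internal nodes
come from this application; the external device 172.158.2.20 is constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

# Private ranges from Table 3-1 (not routed on the Internet)
PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}


def address_class(ip: str) -> str:
    """Class A/B/C by first octet per Table 3-1; anything else is 'other'."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"      # 224.0.0.0 and above are reserved; 127.x is not in the table


def is_private(ip: str) -> bool:
    """True if ip lies in one of the non-routed private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES.values())


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatEntry:
    external_ip: str
    internal_ip: str
    direction: str          # "Src-NAT", "Dst-NAT" or "Src-NAT+Dst-NAT"


class NatRouter:
    def __init__(self, entries):
        self.entries = list(entries)
        for e in self.entries:
            # sanity check: the inside of a NAT entry should be a private address
            if not is_private(e.internal_ip):
                raise ValueError(f"internal address {e.internal_ip} is not private")

    def from_external(self, pkt: Packet):
        """Dst-NAT: rewrite the public destination to the private one; the source stays."""
        for e in self.entries:
            if e.external_ip == pkt.dst_ip and "Dst-NAT" in e.direction:
                return replace(pkt, dst_ip=e.internal_ip)
        return None         # no entry: the router does not translate the packet

    def to_external(self, pkt: Packet):
        """Src-NAT, and the reply path of a Dst-NAT entry: rewrite the private source."""
        for e in self.entries:
            if e.internal_ip == pkt.src_ip:
                return replace(pkt, src_ip=e.external_ip)
        return None


def nat_sequence():
    """Replays the 'Sequence' paragraph for a packet from an external device."""
    router = NatRouter([
        NatEntry("172.158.2.3", "192.168.2.3", "Dst-NAT"),   # CP343-1 Advanced
        NatEntry("172.158.2.5", "192.168.2.5", "Dst-NAT"),   # PN-CPU
    ])
    inbound = router.from_external(Packet("172.158.2.20", "172.158.2.3", 80))
    # the internal device answers to the unchanged source address ...
    reply = Packet(inbound.dst_ip, inbound.src_ip, 80)
    # ... and the router puts the public address back into the source field
    outbound = router.to_external(reply)
    return inbound, outbound


if __name__ == "__main__":
    print(nat_sequence())
```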


3.4.2 Address translation with NAPT

Description NAPT is a variant of NAT and often used synonymously with it. The difference to NAT is that this protocol also allows the translation of ports. A one-to-one translation of IP addresses no longer exists. Instead, only one public IP address exists, which is translated to a number of private IP addresses by adding port numbers. Therefore, the access address for an internal node is an IP address together with a port number.

NAPT table The NAPT table contains the assignment of private IP addresses to the ports of the public IP address and is configured and managed in the gateway or router. The following screen shot shows the NAPT table of the SCALANCE S602 V3: Figure 3-2

Table 3-4

NAPT active
  Meaning: The input area for NAPT is activated. NAPT translations only become effective with the option described below and entries in the list. In addition, the firewall must be configured appropriately.


Table 3-5

External port
  Meaning: A node in the external network can respond to a node in the internal subnet or send a frame by using this port number.
  Range of values: Port or port ranges. Example of the entry of a port range: 78:99

Internal IP address
  Meaning: IP address of the addressed node on the internal subnet.

Internal port
  Meaning: Port number of a service for the node addressed on the internal subnet.
  Range of values: Port (no port range)

Sequence If a device from the external network wants to send a packet to an internal device, it uses its public address with the specified port as the destination address. This IP address is translated to a private IP address with port address by the router. As the source address in the IP header of the data packet, the public IP of the external device remains unchanged. The response of the internal device is sent to the IP address that is stored as the source address in the IP header. Due to the fact that its own address and the source address are in different subnets, the internal device sends the packet to its router, which forwards it to the external device.


3.4.3 FTP via a NAPT router

Due to the one-to-one translation of IP addresses, FTP data transfer via NAT does not involve any difficulties. Via a NAPT router such as the SCALANCE S602 V3, it is less straightforward. Aside from the default ports 20 (data channel) and 21 (control channel), FTP also uses dynamic ports above 1023 for data transmission, which are not known prior to transmission. For the address translation, NAPT uses ports that are entered in the NAPT table during configuration. An extension of the NAPT table during runtime is not possible. The dynamic port used during FTP data transfer can thus not be entered in the NAPT table. As a result, all data packets sent from external to internal with a port unknown to the NAPT table are not translated and therefore discarded. FTP data transfer cannot take place.

Problem description The figure below illustrates the problem:

Figure 3-3 (diagram): Client, NAPT router and server, external network on one side and internal network on the other. NAPT table entries shown: 172.158.2.2:21 -> 192.168.2.3:21 and 172.158.2.2:20 -> 192.168.2.3:20. Exchange shown: (1) Port 21: sends user name; Port 21: requests password. (2) Port 21: sends password. (3) Port 21: command PORT with data port, e.g. port 1027; Port 21: acknowledgement. (4) Port 1027: establishes data connection to desired port.


Table 3-6

Step Sequence Response

1. The client sends the user ID to the server via the control port.

Port 21 is allowed by the NAPT router. The server requests the password.

2. The client sends the password via port 21.

Port 21 is allowed by the NAPT router. The server confirms the password.

3. Via the PORT command, the client transmits the ports on which it listens for the data connection.

Port 21 is allowed by the NAPT router.

4. Via these ports, the server attempts to make contact with the FTP client.

As these ports are not configured in the NAPT table, the data packets are discarded by the NAPT router. The FTP connection is not established.

Solution To allow the data packets of the FTP server into the internal network despite dynamic ports, it is necessary to generate a NAT entry in addition to the NAPT entry. All data packets from the FTP server must be rewritten to the IP address of the NAPT router. This allows all data packets into the internal network, irrespective of the port.
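The NAPT table of Table 3-5 and the FTP failure and fix of Table 3-6, as an added example (not code from the Siemens document): a NAPT lookup that understands port ranges such as 78:99, and a replay of the four steps that shows the server's data connection being discarded until a 1:1 NAT entry admits the server's packets irrespective of port. The router's external address 172.158.2.2 and the internal node 192.168.2.3 come from Figure 3-3; the external FTP server address 172.158.2.40, the public address 172.158.2.3 used for the NAT entry and the data port 1027 are constructed, and the way the NAT entry is keyed is a modelling assumption.

```python
"""NAPT table lookup and the FTP problem/solution described in 3.4.3.

Added example, not S602 V3 code. The NAPT router's external address and the
internal client are taken from the figure; the server address and data port are
constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NaptEntry:
    external_port: str      # "21" or a range "78:99", as in Table 3-5
    internal_ip: str
    internal_port: int      # a single port, no range


@dataclass(frozen=True)
class NatEntry:
    external_ip: str        # public address under which the internal node is reached
    internal_ip: str


def port_range(spec: str) -> range:
    """Parse a NAPT port field: '21' -> range(21, 22), '78:99' -> range(78, 100)."""
    lo, _, hi = spec.partition(":")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 < lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return range(lo_i, hi_i + 1)


class NaptRouter:
    def __init__(self, external_ip, napt, nat=()):
        self.external_ip = external_ip
        self.napt = list(napt)      # fixed at configuration time; no runtime additions
        self.nat = list(nat)        # optional 1:1 entries, all ports

    def inbound(self, src_ip, dst_ip, dst_port):
        """Translate an external -> internal packet; None means 'discarded'."""
        # a 1:1 NAT entry forwards every port of that public address
        for e in self.nat:
            if e.external_ip == dst_ip:
                return (e.internal_ip, dst_port)
        if dst_ip == self.external_ip:
            for e in self.napt:
                if dst_port in port_range(e.external_port):
                    return (e.internal_ip, e.internal_port)
        return None


def ftp_active_session(router, server_ip, data_target_ip, data_port):
    """Steps 1-4 of Table 3-6: control channel on port 21, then the server's data connection."""
    log = []
    for step in ("user name", "password", "PORT command"):
        # the server's answers on the control channel arrive at the router's port 21
        reply = router.inbound(server_ip, router.external_ip, 21)
        log.append((step, "forwarded" if reply else "discarded"))
    # step 4: the server opens the data connection to the port announced via PORT
    data = router.inbound(server_ip, data_target_ip, data_port)
    log.append(("data connection", "forwarded" if data else "discarded"))
    return log


NAPT_TABLE = [NaptEntry("21", "192.168.2.3", 21), NaptEntry("20", "192.168.2.3", 20)]

if __name__ == "__main__":
    plain = NaptRouter("172.158.2.2", NAPT_TABLE)
    print(ftp_active_session(plain, "172.158.2.40", "172.158.2.2", 1027))
    fixed = NaptRouter("172.158.2.2", NAPT_TABLE, nat=[NatEntry("172.158.2.3", "192.168.2.3")])
    print(ftp_active_session(fixed, "172.158.2.40", "172.158.2.3", 1027))
```

Because the NAPT table cannot grow at runtime, the lookup for port 1027 has nothing to match; the NAT entry is what turns "unknown port" into "translate anyway", which is exactly the widening the solution paragraph asks for and the firewall rules must then account for.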


3.5 Correlation between NA(P)T and firewall

Customizing the firewall The following applies to both directions Src-NAT (to external) and Dst-NAT (from external): Frames must first pass through the address translation in the NAT/NAPT router and then through the firewall. The settings for the NAT/NAPT router and the firewall rules must be coordinated so that frames with a translated address can pass through the firewall.

Figure 3-4 (diagram): SCALANCE S602 V3 between the external and the internal network; IP frames pass the NAT/NAPT router first and then the firewall, for Src-NAT as well as for Dst-NAT.

Note The firewall in the SCALANCE S602 V3 is preset so that IP data traffic between the networks is not possible. Before communication can take place, the firewall must first be configured.

Stateful packet inspection Firewall and NAT/NAPT router support the “stateful packet inspection” mechanism. If IP data traffic is enabled from internal to external, internal nodes can initiate a communication connection to the external network. The response frames from the external network can pass through the NAT/NAPT router and the firewall without requiring their addresses to be additionally added to the firewall rule and the NAT/NAPT address translation. Frames that are not a response to a request from the internal network will be discarded if there is no applicable firewall rule.


Translation in this application using the example of NAT The following screen shots show the NAT table and the associated firewall rules of this application. The different colors indicate the correlations.

Figure 3-5 (screen shots): firewall rules and NAT table of this application.

The table compares the correlations:

Table 3-7

NAT entry: 172.158.2.3 -> CP343-1 Advanced (Dst-NAT)
Firewall rules:
  Allow | External -> internal | Source: Service PC | Destination: CP343-1 Advanced | Service: S7
  Allow | External -> internal | Source: PG | Destination: CP343-1 Advanced | Service: HTTP
  Allow | External -> internal | Source: PG | Destination: CP343-1 Advanced | Service: FTP
Description: All data packets from external to the CP343-1 Advanced are allowed that reach the firewall with the IP address of the PG via port 80 (HTTP) or port 21 (FTP) and with the IP address of the service PG via port 102 (S7).

NAT entry: 172.158.2.5 -> PN-CPU (Dst-NAT)
Firewall rule:
  Allow | External -> internal | Source: Service PC | Destination: PN-CPU | Service: S7
Description: All data packets from external to the PN-CPU are allowed that reach the firewall with the IP address of the service PG via port 102 (S7).

NAT entry: 172.158.2.2 <- * (Src-NAT)
Firewall rule:
  Allow | Internal -> external | all
Description: All data packets from internal to external are allowed.


In a diagrammatic representation, this process can be described as follows:

Figure 3-6 (diagram): External network -> NAT router (NAT table: 172.158.2.3 -> 192.168.2.3) -> Firewall -> Internal network. The packet for 172.158.2.3 (HTTP) is translated to 192.168.2.3 (HTTP) and passes the firewall.

Table 3-8

Step Meaning

1. A device from the external network wants to send a data packet to IP address 172.158.2.3 (HTTP application).

2. The NAT router translates this address to the private IP address 192.168.2.3 (here symbolically as CP343-1Advanced) using the NAT table.

3. The firewall checks how it should handle the data packet. The “Allow External ->Internal PG -> CP343-1Advanced http” entry allows all data packets coming from the PG via port 80 that are addressed to the CP343-1 Advanced to pass.

4. The data packet is directed to the internal network.

Behavior if the assignment is incorrect If NA(P)T entries and firewall rules do not match, the S602 V3 will block the data packets not listed in the rule. In the following sample configuration, no rule was created in the firewall for the translation of IP address 172.158.2.5 to the PN-CPU (symbolic for 192.168.2.5):


Figure 3-7 (screen shots): firewall rules and NAT table of the sample configuration.

During data communication between the external and internal network, the following happens:

Figure 3-8 (diagram): External network -> NAT router (NAT table: 172.158.2.5 -> 192.168.2.5) -> Firewall -> Internal network. The packet for 172.158.2.5 (S7) is translated to 192.168.2.5 (S7); the firewall only holds a rule for 192.168.2.3 (http). No rule exists; the packet will be discarded.


Table 3-9

Step Meaning

1. A device from the external network wants to send a data packet to IP address 172.158.2.5 (S7 application).

2. The NAT router translates this address to the private IP address 192.168.2.5 (here symbolically as PN-CPU) using the NAT table.

3. The firewall checks how it should handle the data packet. As no rule exists, the data packet is discarded.
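The NAT-then-firewall order of Figure 3-4 and the mismatch of Figures 3-7/3-8, as an added example that is not the S602 V3's implementation. It walks a packet through the Dst-NAT table and the rules of Table 3-7 using the SCT's symbolic names, and adds the check a practitioner wants before loading a configuration: which Dst-NAT targets have no "External -> internal" allow rule at all. The NAT entries and rules come from Table 3-7; the IP addresses assumed for PG (172.158.2.10) and Service PC (172.158.2.11) are constructed placeholders, not values from the page.

```python
"""NAT table and firewall rules applied in sequence, plus a consistency check.

Added example, not the S602 V3 implementation. Symbolic names, NAT entries and
rules follow Table 3-7; the PG and Service PC addresses are assumed placeholders.
"""
from dataclasses import dataclass, replace

SYMBOLS = {                         # symbolic addressing, as in the SCT
    "CP343-1 Advanced": "192.168.2.3",
    "PN-CPU": "192.168.2.5",
    "PG": "172.158.2.10",           # assumed placeholder
    "Service PC": "172.158.2.11",   # assumed placeholder
}
SERVICES = {"HTTP": 80, "FTP": 21, "S7": 102}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str          # "Allow" / "Drop"
    direction: str       # "External -> internal" / "Internal -> external"
    source: str          # symbolic name or "any"
    destination: str
    service: str         # service name or "all"


NAT_TABLE = [                       # (external address, internal node, direction)
    ("172.158.2.3", "CP343-1 Advanced", "Dst-NAT"),
    ("172.158.2.5", "PN-CPU", "Dst-NAT"),
]

FIREWALL_RULES = [
    Rule("Allow", "External -> internal", "Service PC", "CP343-1 Advanced", "S7"),
    Rule("Allow", "External -> internal", "PG", "CP343-1 Advanced", "HTTP"),
    Rule("Allow", "External -> internal", "PG", "CP343-1 Advanced", "FTP"),
    Rule("Allow", "External -> internal", "Service PC", "PN-CPU", "S7"),
    Rule("Allow", "Internal -> external", "any", "any", "all"),
]


def resolve(name):
    return SYMBOLS.get(name, name)


def nat_translate(pkt):
    """Step 1 of Figure 3-4: a Dst-NAT entry rewrites the public destination."""
    for ext, internal, direction in NAT_TABLE:
        if direction == "Dst-NAT" and ext == pkt.dst_ip:
            return replace(pkt, dst_ip=resolve(internal))
    return pkt


def firewall_decision(pkt, rules, direction="External -> internal"):
    """Step 2: first matching rule wins; without a rule the packet is dropped."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.source != "any" and resolve(r.source) != pkt.src_ip:
            continue
        if r.destination != "any" and resolve(r.destination) != pkt.dst_ip:
            continue
        if r.service != "all" and SERVICES[r.service] != pkt.dst_port:
            continue
        return r.action.lower()
    return "drop"


def process_from_external(pkt, rules):
    """Returns (translated destination, decision) for an external -> internal packet."""
    translated = nat_translate(pkt)
    return translated.dst_ip, firewall_decision(translated, rules)


def dst_nat_without_rule(nat_table, rules):
    """Dst-NAT targets that no 'External -> internal' allow rule addresses.

    This is the configuration error of Figure 3-7: traffic is translated, then discarded.
    """
    covered = {resolve(r.destination) for r in rules
               if r.action == "Allow" and r.direction == "External -> internal"}
    if "any" in covered:
        return []
    return [internal for _, internal, d in nat_table
            if d == "Dst-NAT" and resolve(internal) not in covered]


if __name__ == "__main__":
    print(process_from_external(Packet("172.158.2.10", "172.158.2.3", 80), FIREWALL_RULES))
    without_pn_cpu = [r for r in FIREWALL_RULES if r.destination != "PN-CPU"]
    print(dst_nat_without_rule(NAT_TABLE, without_pn_cpu))
```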


4 SCALANCE S Product Overview

4.1 The idea of the cell protection concept

Motivation If controllers or other intelligent devices with no or only minimum self-protection are located in a network segment, the only remaining option is to create a secure network environment for these devices. The easiest way to achieve this is to use special routers or gateways. They provide IT security through integrated industrial quality firewalls and are themselves protected.

The cell protection concept The security concept designed by Siemens was tailored specifically to the requirements in the automation environment to meet the increasing demand for network security. The core of this concept is to segment the automation network in terms of security and to create protected automation cells. Therefore, cells are network segments separated in terms of security. The network nodes within a cell are protected by special security modules to control the data traffic from and to the cell and to check for rights. Only authorized frames are allowed to pass.

Figure 4-1 (diagram): Office network, automation network and several robot cells; the robot cells are connected to the automation network via S602 V3 modules.


Advantages of the cell concept The main purpose of the cell protection concept is to protect all devices that cannot protect themselves. Mostly, these are devices for which an upgrade with security functions is not viable or too costly. Another reason is the technical feasibility. Especially smaller programmable controllers do not have the necessary hardware requirements. The security module that protects the entire cell protects several devices simultaneously, which results in lower costs and also reduces the configuration overhead. The integration of the security module into existing networks is reaction-free.

Real time and security Basically, real-time communication and security are two opposing requirements. Checking the frames against the rules or configurations costs time and performance. The cell protection concept makes it possible to meet both requirements simultaneously. Within a cell, real-time communication can take place entirely unaffected by any security mechanisms. The security module controls data only at the cell entrance.

4.2 SCALANCE S602 V3

Description The SCALANCE S602 V3 is a product from the SIMATIC NET SCALANCE S family. Like the other modules, the S602 V3 is optimized for use in the automation environment and meets the special requirements of automation engineering. The SCALANCE S602 V3 belongs to the category of circuit-level gateways and is a stateful inspection firewall to protect all devices of an Ethernet network.

Properties The SCALANCE S602 V3 features the following security functions:
– Protection of devices with or without independent security functions by the integrated firewall:
  – Analysis of data packets based on the source and destination address
  – Support of Ethernet “non-IP” frames
  – Bandwidth limitation
  – Global and local firewall rules
  – User-defined firewall rules
– Simultaneous protection of several devices: The integration of the SCALANCE S as a link between two networks automatically protects the devices behind it.
– Router mode: In router mode, the SCALANCE S separates the internal network from the external network. The internal network appears as a separate subnet.
– Reaction-free integration of the SCALANCE S602 V3 into an existing infrastructure with flat networks (bridge mode).

In addition, the SCALANCE S602 V3 supports the following network functions:
– Address translation with NAT/NAPT.
– DHCP server for IP address assignment in the internal network.
– Logging and evaluation of log files via an external server.
– SNMP for analysis and evaluation of network information.


Interfaces The SCALANCE S602 V3 has two interfaces:
– Port 1 (red); recognizable by the lock symbol.
– Port 2 (green)

The unsecured, external network is connected to the red port, the internal network to be secured is connected to the green port.

Figure 4-2 (diagram): external network on the red port, internal network on the green port.

Note The Ethernet connections on port 1 and port 2 are handled differently by the SCALANCE S and must therefore not be mixed up when connecting to the communication network. If the ports are swapped over, the device will lose its protective function.


4.3 Security Configuration Tool

Configuring the S602 V3 The SCALANCE S602 V3 is configured using the Security Configuration Tool (SCT). Its handling is very simple and, in the minimum configuration, requires no special knowledge of security. The following screen shot shows the user interface of the Security Configuration Tool:

Figure 4-3

Properties The Security Configuration Tool has the following properties:
– Configuration of the SCALANCE and SINAUT security modules possible in the SCT.
– Test and diagnostic displays.
– Status displays.
– Standard mode for fast and easy configuration of the security modules, even without security knowledge.
– Advanced mode for the individual configuration of the security modules.
– Access for authorized users only through password assignment when creating a project.
– Consistency checks even during the configuration.
– Encryption of the saved project and configuration data.
– Symbolic addressing of nodes.
– Creation of global, local and user-specific firewall rules.


4.3.1 Symbolic addressing

In the Security Configuration Tool, symbolic names can be assigned in place of the IP addresses of the nodes. These are limited to the configuration within a project, i.e. they cannot be used on a cross-project basis. A single unique IP or MAC address must be assigned to each symbolic name. The advantage of symbolic names is that the configuration of the services and rules is easier and more secure. For the following functions and their configuration, symbolic names are accepted:
– Firewall
– NAT/NAPT
– Syslog
– DHCP

The following screen shot shows the symbolic addressing with the associated IP addresses of this application: Figure 4-4


4.3.2 User management

Overview In the user management of the Security Configuration Tool, you can create new users and assign them system- or user-defined roles. You define the module rights per security module. Figure 4-5

System-defined roles The following system-defined roles are predefined:
– administrator
– standard
– diagnostics
– remote access

The roles are assigned certain rights that are identical on all modules and that cannot be changed or deleted by the administrator. For more information, please refer to the security manual listed in /2/, chapter 9 (References).


User-defined roles In addition to the system-defined roles, you can also create user-defined roles. For each security module used in the project, you individually define the respective rights and manually assign the role to the users.

4.4 Firewall rules

Firewall rules are predefined or specifically configured rules for the data traffic and are created using the Security Configuration Tool. Depending on sender, address, protocol and send operation, the data packets may pass or are discarded. The following screen shot shows a sample configuration of rule sets:

Figure 4-6

A firewall rule is composed of several components:

Table 4-1

Action
  Meaning: Allow rule (allow/drop)
  Option: Allow: allow frames as defined. Drop: block frames as defined.

From/To
  Meaning: Allowed communication directions.
  Option: Internal -> External, External -> Internal, Tunnel -> Internal, Internal -> Tunnel

Source IP address
  Meaning: Sender’s address
  Option: Alternatively, you can enter a symbolic name.

Destination IP address
  Meaning: Destination address
  Option: Alternatively, you can enter a symbolic name.


Service
  Meaning: Name of the IP/ICMP service or service group used. The services are defined previously and stored with information such as protocol, source and destination port.
  Option: The drop-down list offers the configured services and service groups for selection. When “all” is selected, no service is checked; the rule applies to all services.

Bandwidth
  Meaning: Setting option for bandwidth limitation. A packet passes through the firewall if the pass rule applies and the allowed bandwidth for this rule has not yet been exceeded.
  Option: Range of values: 0..100 Mbps

Logging
  Meaning: Enabling or disabling logging for this rule.

No.
  Meaning: Serial number assigned by the Security Configuration Tool to identify the firewall rule in the log table.

Comment
  Meaning: Here you can enter your own explanations of the rule.

In the Security Configuration Tool, you can define rules globally, locally and user-specifically.

Note The Security Configuration Tool allows max. 256 IP/MAC rule sets.

4.4.1 Precedence of rules

The occurrence of the rules in the rule list also corresponds to their order of processing. The packet filter rules are evaluated as follows:
– The list is evaluated from top to bottom; for opposing rules, the higher entry applies.
– For rules for communication between the internal and external network, the final rule applies: all frames except the frames explicitly allowed in the list are blocked.
– For rules for communication between the internal network and IPSec tunnel, the final rule applies: all frames except the frames explicitly blocked in the list are allowed.

Note All frame types from internal -> external or vice versa are blocked with the factory settings and must be explicitly allowed.


4.4.2 The different firewall rule sets

Local rule sets Each local rule set is assigned to one module and directly defined in the properties dialog of a module.

Global firewall rules Global firewall rules are defined outside the modules at the project level. The advantage is that rules that apply to several modules must only be configured once. Using drag and drop, the global firewall rules are simply moved to the module to which these firewall rules are to apply. This global firewall rule set appears automatically in the module-specific list of firewall rules. Global firewall rules can be defined for:
– IP rule sets
– MAC rule sets

Figure 4-7 (diagram): Global rule set 1 (Rule 1, Rule 2, Rule 3) and Global rule set 2 (Rule 1, Rule 2, Rule 3) are assigned to a module; its local rule set then lists Local rule 1, Local rule 2, Global rule set 1 and Global rule set 2.

Note Global firewall rules are particularly useful if several security modules are managed in a project.

In this application, only one S602 V3 is configured and managed. In this case, the use of global firewall rules has no advantage over local rules. However, they are nevertheless used to demonstrate the application and creation of global rules.


User-specific firewall rules For the user-specific firewall, the rule sets can be assigned to one or several users and then to the individual security modules. This makes access dependent on the user and not (only) on IP or MAC addresses. For this purpose, the user can log on to the SCALANCE S602 V3 on a Web page. If logon was successful, the firewall rule set intended for this user will be enabled. Users can log on with the following roles:
– administrator
– diagnostics
– remote access

After logon, a 30-minute timer is started. After this time has elapsed, the user is automatically logged off the SCALANCE S602 V3. In online mode of the Security Configuration Tool, an overview table is offered for the user check. It lists all users currently logged on to the SCALANCE S602 V3. Figure 4-8

To log off the SCALANCE S602 V3, three options are available:
– The “Log off” button on the Web page.
– Automatically after the timer has elapsed.
– The User check online function by selecting the user and the “Log off” button.


4.4.3 Conventions for the firewall rule sets

The following conventions apply to creating the global and user-specific firewall rule sets:
– They can only be created in advanced mode of the Security Configuration Tool.
– By default, locally defined rules have higher priority; if new global and/or user-specific firewall rules are assigned to a security module, these rules will therefore initially be added to the bottom of the local rule list. The priority can be changed by changing the position in the rule list.
– Global and user-specific firewall rules can only be assigned to a security module as an entire rule set.
– They cannot be edited in the local rule list of firewall rules in the module properties; they can only be displayed there and positioned according to the desired priority. It is not possible to delete a single rule from an assigned rule set. It is only possible to remove the complete rule set from the local rule list; this does not change the definition in the global rule list.
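The precedence rules of 4.4.1 and the rule-set conventions of 4.4.3, as an added example that is not SCT code: a module rule list that is evaluated top to bottom with the higher of two opposing entries winning, applies the implicit final rule per direction (block between internal and external, allow towards the tunnel), and treats an assigned global rule set as one unit that is appended at the bottom and can only be moved or removed whole. The rule contents and the set name "global-1" are constructed.

```python
"""Rule precedence and rule-set composition as described in 4.4.1 and 4.4.3.

Added example, not the Security Configuration Tool's implementation. Rule
contents are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "Allow" or "Drop"
    direction: str     # e.g. "External -> Internal", "Internal -> Tunnel"
    source: str = "any"
    destination: str = "any"
    service: str = "all"

    def matches(self, direction, src, dst, service):
        return (self.direction == direction
                and self.source in ("any", src)
                and self.destination in ("any", dst)
                and self.service in ("all", service))


def final_rule(direction):
    """Implicit last entry: block between internal and external, allow towards the tunnel."""
    return "Allow" if "Tunnel" in direction else "Drop"


class ModuleRuleList:
    """The local rule list of one security module, including assigned rule sets."""

    def __init__(self, local_rules):
        # each item is (set_name, rules); local rules are single entries
        self.items = [("local", [r]) for r in local_rules]

    def assign_rule_set(self, name, rules):
        # a global/user-specific set is added whole, at the bottom (lowest priority)
        self.items.append((name, list(rules)))

    def move_rule_set(self, name, position):
        # priority is changed only by moving the entire set within the list
        idx = next(i for i, (n, _) in enumerate(self.items) if n == name)
        item = self.items.pop(idx)
        self.items.insert(position, item)

    def remove_rule_set(self, name):
        # single rules of an assigned set cannot be deleted; the set goes as a whole
        self.items = [it for it in self.items if it[0] != name]

    def flattened(self):
        """The effective rule list in processing order."""
        return [r for _, rules in self.items for r in rules]

    def decide(self, direction, src, dst, service):
        for rule in self.flattened():
            if rule.matches(direction, src, dst, service):
                return rule.action        # first (highest) match wins
        return final_rule(direction)


if __name__ == "__main__":
    m = ModuleRuleList([Rule("Drop", "External -> Internal", "PG", "PN-CPU", "S7")])
    m.assign_rule_set("global-1", [Rule("Allow", "External -> Internal", "PG", "any", "S7")])
    print(m.decide("External -> Internal", "PG", "PN-CPU", "S7"))   # local Drop is higher
    m.move_rule_set("global-1", 0)
    print(m.decide("External -> Internal", "PG", "PN-CPU", "S7"))   # now the global Allow wins
```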


4.5 Logging and diagnostics options in the SCT

For test and monitoring purposes, the online view of the Security Configuration Tool provides various diagnostics and logging options.

Requirements for the online view To obtain access to the online view, please note the following:
– Online mode in the Security Configuration Tool is enabled (“View > Online”).
– A network connection to the selected module exists.

4.5.1 Online functions

The following screen shot shows the online dialog: Figure 4-9


It offers the following functions:

Table 4-2

Function | Meaning
Status | Display of the device status of the SCALANCE S module selected in the project.
Date and time of day | Setting of date and time of day.
Cache tables | ARP table of the security module.
User check | Overview of logged in users for the user-defined firewall rules.
Internal nodes | Display of the internal network nodes of the SCALANCE S module.
Interface settings | Status display of the selected interface (PPPoE, DynDNS).
System log | Display of logged system events.
Audit log | Display of logged security events.
Packet filter log | Display of logged data packets and start and stop of packet logging.

4.5.2 Logging

The events to be logged can be defined in the properties dialog of the SCALANCE S602 V3. Two variants are available for logging:

– Local log: Logs the messages in the local buffer of the S602 V3. Data recording can be stored according to two selectable methods:
  – Ring buffer: Once the buffer is full, recording starts at the start of the buffer and thus overwrites the oldest entries.
  – One-shot buffer: Recording stops when the buffer is full.
  The Security Configuration Tool enables you to access, visualize and archive these logs.

– Network Syslog: Instead of the local buffer, the messages are sent to an external Syslog server.
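The choice between the two local-log methods decides which events survive when the buffer overruns: the ring buffer keeps the most recent entries, the one-shot buffer the earliest. The following Python model is an added example, not Siemens code or part of this document; the 8-entry capacity and the event names are constructed.

```python
from collections import deque


class LocalLog:
    """Fixed-size local log with the two recording methods of 4.5.2."""

    def __init__(self, capacity, mode):
        if mode not in ("ring", "one-shot"):
            raise ValueError(f"unknown buffer mode: {mode}")
        self.capacity = capacity
        self.mode = mode
        self._entries = deque()
        self.dropped = 0        # events that are no longer in the buffer
        self.stopped = False    # one-shot only: recording has halted

    def record(self, event):
        """Return True if the event is in the buffer afterwards."""
        if self.mode == "ring":
            if len(self._entries) == self.capacity:
                self._entries.popleft()     # overwrite the oldest entry
                self.dropped += 1
            self._entries.append(event)
            return True
        if len(self._entries) == self.capacity:
            self.stopped = True             # buffer full: recording stops
            self.dropped += 1
            return False
        self._entries.append(event)
        return True

    def entries(self):
        return list(self._entries)


def replay(mode, events, capacity=8):
    """Feed a sequence of events into a fresh buffer and return it."""
    log = LocalLog(capacity, mode)
    for event in events:
        log.record(event)
    return log


# Constructed sequence of 14 packet-filter events; the buffer holds 8 (assumed size).
EVENTS = [f"pkt-{i:02d}" for i in range(1, 15)]

if __name__ == "__main__":
    for mode in ("ring", "one-shot"):
        log = replay(mode, EVENTS)
        print(mode, log.entries(), "dropped:", log.dropped, "stopped:", log.stopped)
```

With 14 events and 8 slots, the ring buffer ends up holding pkt-07 to pkt-14, the one-shot buffer pkt-01 to pkt-08; both have lost six events, which is why the Syslog variant is the one to use when a complete record is needed.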


Settings

The following screen shot shows the possible logging settings for the S602 V3:

Figure 4-10

The following events can be logged:

Table 4-3

Event | Meaning
Packet filter events | Refers to data packets to which a configured packet filter rule (firewall) applies or to which basic protection reacts.
Audit events | Refers to security-relevant events such as enabling or disabling packet logging or entering an incorrect password during authentication.
System events | System events are, e.g., the start of a process.

Aside from selecting events, this dialog also allows you to enable or disable logging and to define the storage of data.


Logging functions

The following logging functions are available in online mode:

Table 4-4

Function | Meaning | Screen shot
System log | Display of logged system events. | –
Audit log | Display of logged security events. | –
Packet filter log | Display of logged data packets and start and stop of packet logging. | –


5 Installation

This chapter describes which hardware and software components have to be installed. The descriptions and manuals as well as delivery information included in the delivery of the respective products should be observed in any case.

5.1 Installing the hardware

For the hardware components, please refer to chapter 2.3.

Figure 5-1: Hardware setup. Automation cell protected by firewall: CPU 317-2 PN/DP + CP343-1 Advanced, CPU 319-3 PN/DP, SCALANCE X208, S602 V3. External side: SCALANCE X208, control room, service PC, Syslog server, external PC.


To install the hardware, follow the instructions in the table below:

Table 5-1

No. | Action | Remark

Internal network:

1. | Mount all modules on a DIN rail. | CPU319-3 PN/DP, CPU317-2 PN/DP, CP343-1 Advanced, S602 V3, X208
2. | Connect the CPU317-2 PN/DP and the CP343-1 Advanced via a backplane bus. |
3. | Connect all components to a 24 V power supply. | To be able to connect all modules, use either terminal strips or several power supply units.
4. | Connect the modules via Ethernet as follows: CPU319-3 PN/DP to port 6 of the first SCALANCE X208; CP343-1 Advanced to port 1 of the first SCALANCE X208; internal interface (green) of the S602 V3 to port 5 of the first SCALANCE X208. |

External network:

5. | Connect the second SCALANCE X208 to a 24 V power supply. |
6. | Connect the modules in the external network via Ethernet as follows: PC of the control room to port 2 of the second SCALANCE X208; service PC to port 2 of the second SCALANCE X208; Syslog server to port 7 of the second SCALANCE X208; external PC to port 6 of the second SCALANCE X208; external interface (red) of the S602 V3 to port 8 of the second SCALANCE X208. |

Note: Always follow the installation guidelines for the components.

Note: To make sure that no old configuration is saved in the S602 V3, reset the module to factory settings. For help, see /2/ in chapter 9 (References).


5.2 Installing the software

Installing the standard tools

Table 5-2

No. | Action | Remark
1. | Install STEP 7 V5.5 SP2 on the service PC and the external PC. | Follow the instructions of the installation program.
2. | Install the Security Configuration Tool on the PG. | Follow the instructions of the installation program.
3. | Install the FTP client on the PG and the external PC. | Follow the instructions of the installation program.
4. | Install a Syslog program on the Syslog server. | Follow the instructions of the installation program.

Installing the application software

Extract the 22376747_Firewall_S602_V30_CODE code folder. It contains two STEP 7 projects:

– Bridge.zip: project for setup in bridge mode.
– NAT_NAPT.zip: project for setup in router mode.

On the service PC, open the SIMATIC MANAGER and select “File > Retrieve” to unzip the required STEP 7 project. For bridge mode, use Bridge.zip; in router mode, use NAT_NAPT.zip.


6 Commissioning in Bridge Mode

6.1 Overview of the configuration mode

Bridge mode is a flat network. The external and internal network are in the same subnet.

Overview

Figure 6-1: Bridge mode setup. Automation cell protected by firewall: CPU 192.168.2.5, CP 192.168.2.3, X208, S602 V3 192.168.2.2. External side: X208, control room 192.168.2.1, service PC 192.168.2.6, Syslog 192.168.2.4, external PC 192.168.2.7.

IP addresses used

Table 6-1

Module | IP address

External network:
PG in the control room | 192.168.2.1
Service PC | 192.168.2.6
Syslog server | 192.168.2.4
External PC | 192.168.2.7

S602 V3 | 192.168.2.2

Internal network:
CP343-1 Advanced | 192.168.2.3
PN-CPU | 192.168.2.5


The following table now describes the necessary configurations for the scenarios.

Table 6-2

No. | Application | Description | Chapter
1. | Parameterization | IP configuration of all cell-internal devices through node initialization in STEP 7 (via DCP) | Enabling the DCP protocol (chapter 6.4)
2. | Configuration/diagnostics/visualization | Enabling the full PG functionality (STEP 7) for the PC of the service employee. | IP service definition (chapter 6.8.1); Creating the local firewall rules (chapter 6.8.4)
3. | Bandwidth limitation | Restricting the data communication for the PC of the service employee. | Creating the local firewall rules (chapter 6.8.4)
4. | Productive data transfer, visualization | Enabling access to the FTP and Web server of the cell-internal Advanced CP for the control room PG. | IP service definition (chapter 6.8.1); Creating the local firewall rules (chapter 6.8.4); Creating the global firewall rule (chapter 6.8.3)
5. | Logging the data traffic | Enabling data traffic logging for an external Syslog server. | Creating the local firewall rules (chapter 6.8.4); Configuring Syslog logging (chapter 6.7)
6. | User-defined firewall rules | Enabling access to the FTP and Web server of the cell-internal Advanced CP for selected users. | Defining users for the SCT (chapter 6.8.2); Creating user-specific firewall rules (chapter 6.8.5)


6.2 Assigning the IP addresses

Assigning IP addresses of the PCs/PGs

In the following, the PCs/PGs are configured with the necessary IP addresses.

Table 6-3

No. | Action | Remark
1. | To change the network address, select “Start > Settings > Network Connection > Local Connections” to open Internet Protocol (TCP/IP). Change the IP address for the PG in the control room, the service PC, the Syslog server and the external PC in this way as shown in Table 6-1. | Note: For routing mode, you additionally require a gateway address. For this case, enter the IP address of the associated router as well.


Assigning the IP addresses of the modules

To load the STEP 7 project to the CPU, change the IP address of the module via which the project is loaded. This can be the CPU itself or a CP.

Table 6-4

No. | Action | Note
1. | Connect the service PC to the internal network via the first SCALANCE X208. | In the default mode, the S602 V3 does not allow node initialization of all cell-internal devices by an external PG with STEP 7. For this reason, the PG must be directly in the internal network for node initialization.
2. | On the service PC, open the SIMATIC MANAGER and the STEP 7 project. In the “PLC” menu, select the “Edit Ethernet Node…” option. |
3. | Click on the Browse… button. |


4. | Select the desired module and click on OK to confirm the selection. |
5. | In the Set IP configuration window that appears, enter the IP address as shown in Table 6-1. Click on the Assign IP Configuration button. | Note: For routing mode, you additionally require a gateway address. For this case, check Use router and enter the IP address of the associated router.
6. | Proceed in this way to assign the respective IP addresses to CP and CPU. | Loading the SCT project assigns the SCALANCE its IP address.
7. | Connect the service PC again to port 7 of the second SCALANCE X208. |


6.3 Creating a project in the SCT

The SCALANCE S module is configured with the aid of the Security Configuration Tool (SCT).

Table 6-5

No. | Action | Remark
1. | Select “Start > SIMATIC > Security” to open the Security Configuration Tool. Select “Project -> New” to create a new project. |
2. | You are prompted to assign an authentication for the new project. Enter a user name and password. Confirm with OK. |
3. | Select the S602 module and version V3. Select any name and apply the MAC address of the module that can be found on the housing. As the external IP address, assign 192.168.2.2 with subnet mask 255.255.255.0. Confirm the entries with OK. |


6.4 Enabling the DCP protocol

Enabling the DCP protocol allows node initialization of all cell-internal devices using an external PG with STEP 7.

Table 6-6

No. | Action | Remark
1. | Select the module and use the “right mouse button -> Properties” to open the module properties. Go to the Firewall tab. |
2. | Check the Allow DCP option in both directions. Confirm the change with OK. | This allows setting IP addresses or device names (node initialization) by means of the Primary Setup Tool (PST) integrated in STEP 7.
3. | Save the configuration with a meaningful name (e.g., S602 V3_FW). |
4. | Now transfer the configuration to the module. Select the row with the module and select: “Transfer > To module…”. | The F LED changes from yellow orange to green. Wait until the “Transfer finished successfully” message appears.
5. | You can now use a network scan to detect the internal nodes. |


6.5 Symbolic addressing in the SCT

Symbolic addressing of nodes facilitates the configuration of the individual services.

Table 6-7

No. | Action | Remark
1. | Select “Options > Symbolic Names…” to open the table for symbolic addressing. |
2. | Use Add to enter all nodes and their IP address and MAC address in the table. Use the IP addresses from Table 6-1. Close the dialog with OK. | Screen shots: bridge mode; router mode.


6.6 Advanced mode

In addition to the default settings, advanced mode offers more configuration options.

NOTICE: Once you have switched to advanced mode for the current project, this action cannot be undone.

Table 6-8

No. | Action | Remark
1. | An individual configuration of the firewall is only possible in advanced mode. Select “View > Advanced Mode” to activate it. |
2. | Confirm the warning message with Yes. |

6.7 Configuring Syslog logging

Data packets are to be logged on a Syslog server.

Table 6-9

No. | Action | Remark
1. | Select the S602 V3 module in the Security Configuration Tool and use the “right mouse button -> Properties” to open the properties dialog. Go to the Log Settings tab. Enable logging with a Syslog server and select the option that the symbolic names of the internal nodes are displayed instead of IP addresses. Enter the symbolic name “Syslog-Server” as the IP address. Enable the messages to be transferred to the Syslog server. Close the dialog with OK. |


6.8 Configuring the firewall rules

Requirements

Requirements for configuring the firewall are:

– An SCT project was created with an S602 V3.
– The S602 V3 module was configured with the MAC address of the real S602 V3 module.
– In bridge mode: 192.168.2.2 has been entered as the external IP address.
– Advanced mode is activated.

6.8.1 IP service definition

IP service definitions allow the compact and clear definition of firewall rules that are applied to certain services. Each set of service parameters is assigned a name. When configuring the global or local packet filter rules, these names are then used.

Table 6-10

No. | Action | Remark
1. | Select “Options > IP Services…” to open the required table. |
2. | Use Add IP Service to add new IP services. |


3. | Enter the following services. Once you have entered all services, close the dialog with OK. |
   For S7 communication: Name: S7 / Protocol: TCP / Source Port: * / Target Port: 102
   For HTTP communication: Name: HTTP / Protocol: TCP / Source Port: * / Target Port: 80
   For FTP access: Name: FTP / Protocol: TCP / Source Port: * / Target Port: 21

6.8.2 Defining users for the SCT

Table 6-11

No. | Action | Remark
1. | Select “Options > User Management” to open the user management in the Security Configuration Tool. |


2. | The start screen lists all users that have already been configured with their names and roles. You can use Add to create more users. |
3. | Define a name and password. From the drop-down list, select the remote access role. Close the window with OK. | The user with the remote access role has no rights except logon to the Web page for user-specific firewall rules.
4. | The new user is displayed in the overview table. Close the window with OK. |
5. | Confirm the warning message with OK. |


6.8.3 Creating the global firewall rule

For this application, the firewall rule for the FTP server is created as a global rule.

Table 6-12

No. | Action | Remark
1. | In Global firewall rule sets, select Firewall IP rule sets and use the “right mouse button > Insert rule set” to insert a new rule set. |
2. | To better identify the global firewall rule, you can enter a name and a description. |
3. | Use Add Rule to create a new global firewall rule. Enter the following values, then close the dialog with OK: |
   Action: Allow / From/To: External -> Internal / Source IP: PG / Destination IP: CP343-1Advanced / Service: FTP / Logging: Enabled
4. | A new global firewall rule was created. |


5. | Select this rule and use drag and drop to move it to the S602 V3 module. |

6.8.4 Creating the local firewall rules

The S7 protocol and HTTP communication are enabled as local firewall rules.

Table 6-13

No. | Action | Remark
1. | Select the S602 V3 and use the “right mouse button -> Properties” to open the properties. Go to the Firewall Setting and IP Rules tab. | The global firewall rule that has just been moved to the module using drag and drop now also appears in the local firewall settings.
2. | Click on Add Rule to create a new local firewall rule. |
3. | Enter the following values: |
   Action: Allow / From/To: External -> Internal / Source IP: Service-PC / Destination IP: PN-CPU / Service: S7 / Bandwidth: 10 (Mbps) / Enable Logging.


4. | You can use Add Rule to add more rules. For S7 communication and HTTP communication, enter the following rows, then close the dialog with OK: |
   Action: Allow / From/To: External -> Internal / Source IP: Service-PC / Destination IP: CP343-1Advanced / Service: S7 / Bandwidth: 10 (Mbps) / Enable Logging.
   Action: Allow / From/To: External -> Internal / Source IP: PG / Destination IP: CP343-1Advanced / Service: HTTP / Enable Logging.
   Action: Allow / From/To: Internal -> External / Source IP: * / Destination IP: *

Note: The Security Configuration Tool automatically assigns a unique label to each firewall rule. To determine which firewall rule was active when logging system and security events, the log row displays the associated label.
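The rule list that the module ends up with, assembled from the local rules of Table 6-13 and the global FTP rule set of Table 6-12 according to the priority conventions of 4.4.3, can be checked before download by evaluating it against the traffic each scenario of Table 6-2 needs. The following Python model is an added example, not Siemens code or part of this document; the top-down first-match order, the drop of unmatched packets, the "R1…R5" labels and the log line format are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Symbolic names from Table 6-1 (bridge mode) and IP services from Table 6-10.
NODES = {
    "PG": "192.168.2.1",
    "Service-PC": "192.168.2.6",
    "Syslog-Server": "192.168.2.4",
    "External-PC": "192.168.2.7",
    "CP343-1Advanced": "192.168.2.3",
    "PN-CPU": "192.168.2.5",
}
SERVICES = {"S7": 102, "HTTP": 80, "FTP": 21}   # name -> TCP destination port


@dataclass
class Rule:
    action: str                       # "Allow" or "Drop"
    direction: str                    # "External->Internal" or "Internal->External"
    src: str                          # symbolic name or "*"
    dst: str                          # symbolic name or "*"
    service: Optional[str] = None     # None = any service
    bandwidth_mbps: Optional[int] = None
    logging: bool = False
    origin: str = "local"             # "local" or "global:<rule set>"
    label: str = ""                   # constructed label, filled in by build_rule_list


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    ingress: str                      # "external" (red port) or "internal" (green port)


# Local rules of Table 6-13, in the order they were entered.
LOCAL_RULES = [
    Rule("Allow", "External->Internal", "Service-PC", "PN-CPU", "S7", 10, True),
    Rule("Allow", "External->Internal", "Service-PC", "CP343-1Advanced", "S7", 10, True),
    Rule("Allow", "External->Internal", "PG", "CP343-1Advanced", "HTTP", None, True),
    Rule("Allow", "Internal->External", "*", "*"),
]
# Global rule set of Table 6-12, assigned to the module by drag and drop.
GLOBAL_SETS = {
    "FTP-access": [Rule("Allow", "External->Internal", "PG", "CP343-1Advanced", "FTP", None, True)],
}


def build_rule_list(local_rules, global_sets):
    """Effective list as 4.4.3 describes: local rules keep the higher priority and
    each assigned global set is appended at the bottom (until moved by hand).
    Labels follow a constructed scheme; the SCT's own labels look different."""
    rules = list(local_rules)
    for set_name, set_rules in global_sets.items():
        for r in set_rules:
            r.origin = f"global:{set_name}"
            rules.append(r)
    for i, r in enumerate(rules, start=1):
        r.label = f"R{i}"
    return rules


def matches(rule, pkt):
    want = "External->Internal" if pkt.ingress == "external" else "Internal->External"
    if rule.direction != want:
        return False
    if rule.src != "*" and NODES.get(rule.src) != pkt.src_ip:
        return False
    if rule.dst != "*" and NODES.get(rule.dst) != pkt.dst_ip:
        return False
    if rule.service is not None and SERVICES[rule.service] != pkt.dst_port:
        return False
    return True


def evaluate(rules, pkt):
    """Top-down first match (assumed); anything unmatched is dropped (assumed
    default).  Returns (verdict, label, log line or None)."""
    for r in rules:
        if matches(r, pkt):
            log = None
            if r.logging:   # the log row carries the rule label, as the Note says
                extra = f", {r.bandwidth_mbps} Mbps" if r.bandwidth_mbps else ""
                log = f"{r.label} {r.action} {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port} ({r.origin}{extra})"
            return r.action, r.label, log
    return "Drop", None, f"default Drop {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}"


RULES = build_rule_list(LOCAL_RULES, GLOBAL_SETS)

if __name__ == "__main__":
    samples = [  # constructed traffic; ingress tells which S602 port saw the frame
        Packet("192.168.2.6", "192.168.2.5", 102, "external"),   # service PC -> PN-CPU, S7
        Packet("192.168.2.1", "192.168.2.3", 21, "external"),    # control room PG -> CP, FTP
        Packet("192.168.2.7", "192.168.2.3", 80, "external"),    # external PC -> CP, HTTP
        Packet("192.168.2.3", "192.168.2.4", 514, "internal"),   # CP -> Syslog server
    ]
    for p in samples:
        print(evaluate(RULES, p))
```

The run shows the service PC's S7 access hitting local rule R1, the control room's FTP access only reaching the appended global rule R5, and the external PC's HTTP attempt falling through to the drop; the CP's reply traffic to the Syslog server passes the unlogged Internal -> External rule.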


6.8.5 Creating user-specific firewall rules

Table 6-14

No. | Action | Remark
1. | Select User-specific firewall rules and use the “right mouse button > Insert rule set” to insert a new rule set. |
2. | To better identify the user-specific firewall rule, you can assign a name and a description. | The bottom part displays all configured users.
3. | Use Add Rule to create a new firewall rule. |


4. | Enter the following values: |
   Action: Allow / From/To: External -> Internal / Source IP: / Destination IP: CP343-1Advanced / Service: HTTP / Logging: Enabled
   Action: Allow / From/To: External -> Internal / Source IP: / Destination IP: CP343-1Advanced / Service: FTP / Logging: Enabled
5. | Select the configured user and use Add to assign this rule set to the user. |
6. | Close this dialog with OK. |
7. | A new user-specific firewall rule was created. |
8. | Select this rule and use drag and drop to move it to the SCALANCE S602 V3. |


Note: The following rules apply to the assignment of user-specific firewall rules:

– A module can only be assigned one user-specific rule set per user.
– The assignment enables the “User can log on with module” role for all roles of the users defined in the rule set.

6.9 Downloading the firewall rules to the S602 V3

Once all firewall rules have been configured, the project can be downloaded to the SCALANCE S602 V3.

Table 6-15

No. | Action | Remark
1. | Save the configuration with a meaningful name (e.g., S602 V3_FW). |
2. | Now transfer the configuration to the module. Select the row with the module and select: “Transfer > To module…”. | The F LED changes from yellow orange to green. Wait until the Transfer completed successfully message appears.
3. | The module has now been configured with the current firewall configuration. |


7 Commissioning in Routing Mode

Note: This chapter discusses only the additional configuration steps that go beyond the necessary configurations in bridge mode.

7.1 Overview of configuration mode

The router mode is a cross-subnet network. The external and internal networks are located in different subnets.

Overview

Figure 7-1: Routing mode setup. Automation cell protected by firewall: CPU 192.168.2.5, CP 192.168.2.3, X208, S602 V3 internal 192.168.2.2. External side: S602 V3 external 172.158.2.2, X208, control room 172.158.2.1, service PC 172.158.2.6, Syslog 172.158.2.4, external PC 172.158.2.7.


IP addresses used

Table 7-1

Module | IP address | Router

External network:
PG of the control room | 172.158.2.1 | 172.158.2.2
Service PC | 172.158.2.6 | 172.158.2.2
Syslog server | 172.158.2.4 | 172.158.2.2
External PC | 172.158.2.7 | 172.158.2.2
S602 V3 (external interface) | 172.158.2.2 |

Internal network:
S602 V3 (internal interface) | 192.168.2.2 |
CP343-1 Advanced | 192.168.2.3 | 192.168.2.2
PN-CPU | 192.168.2.5 | 192.168.2.2

255.255.255.0 is always used as the subnet mask.

7.2 Basic configurations from bridge mode

Most configuration steps from bridge mode are the basis for routing mode. The following configuration steps are required for routing mode:

Table 7-2

No. | Chapter | Remark
1. | Assigning the IP addresses (chapter 6.2) | Use the IP addresses from Table 7-1. Make sure to also configure a router address in the devices.
2. | Creating a project in the SCT (chapter 6.3) |
3. | Symbolic addressing in the SCT (chapter 6.5) | Use the IP addresses from Table 7-1.
4. | Advanced mode (chapter 6.6) |
5. | Configuring Syslog logging (chapter 6.7) |
6. | Configuring the firewall rules (chapter 6.8) | Requirements for configuring the firewall are: an SCT project was created with an S602 V3; the S602 V3 module was provided with the MAC address of the real S602 V3 module; in routing mode, 172.158.2.2 has been entered as the external IP address; advanced mode is activated.


7.3 Changing the operating mode to routing

Table 7-3

No. | Action | Remark
1. | Open the Security Configuration Tool project. |
2. | Select the SCALANCE S602 V3 and double-click to open the Properties. In the Interface tab, set the module to routing mode. Change the external IP address to 172.158.2.2 and enter 192.168.2.2 with subnet mask 255.255.255.0 as the internal IP address. Close the dialog with OK. |


7.4 Configuring NA(P)T

The following sections show the configuration steps necessary to implement NAT or NAPT in the SCALANCE S602 V3. In this application, you have the option to operate the scenarios either with NAT or with NAPT:

– For operation with NAT, follow the steps of chapter 7.4.1 (Configuring the NAT table).
– For operation with NAPT, follow the steps of chapter 7.4.2 (Configuring the NAPT table).

7.4.1 Configuring the NAT table

NAT is a one-to-one translation. This means that one IP address is translated to another, internal IP address.

Table 7-4

No. | Action | Remark
1. | Go to the NAT tab. | The left part of the dialog includes the NAT table.
2. | Activate NAT and allow all nodes to communicate from internal to external. | The 172.158.2.2 * SrcNat (to external) entry is inserted automatically.


3. | The Add button enables you to insert a new entry. Enter the following address translations in the table, then close the dialog with OK: |
   External IP address: 172.158.2.3 / Internal IP address: CP343-1Advanced / Direction: Dst-NAT (from external)
   External IP address: 172.158.2.5 / Internal IP address: PN-CPU / Direction: Dst-NAT (from external)

7.4.2 Configuring the NAPT table

For NAPT, a single public IP address is translated to a number of private IP addresses by adding port numbers.

Table 7-5

No. | Action | Remark
1. | Select the S602 V3 module in the Security Configuration Tool and use the “right mouse button -> Properties” to open the properties. Go to the NAT tab. | The right part of the dialog includes the NAPT table.
2. | Activate NAPT. |


3. | The Add button enables you to insert a new entry. Enter the following address translations in the table: |
   External port: 8000 / Internal IP address: CP343-1 Advanced / Internal port: 80
   External port: 21 / Internal IP address: CP343-1 Advanced / Internal port: 21
   External port: 102 / Internal IP address: PN-CPU / Internal port: 102

Note: An external port number must only be entered once. As the IP address of the SCALANCE S is always used as the external IP address, there would be no uniqueness if it was used multiple times. For this reason, only one CPU (here: PN-CPU) can be accessed.
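The two translation tables of 7.4.1 and 7.4.2 behave differently for the same cell: 1:1 NAT gives every internal node its own external address, while NAPT multiplexes all of them behind the module's external interface, which is exactly why the external port must be unique. The following Python model is an added example, not Siemens code or part of this document; the lookup functions and the validation error type are assumptions, and the second CPU address used to trigger the conflict is constructed.

```python
from dataclasses import dataclass

EXTERNAL_IF = "172.158.2.2"                 # S602 V3 external interface (Table 7-1)
NODES = {"CP343-1Advanced": "192.168.2.3", "PN-CPU": "192.168.2.5"}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


# Table 7-4 (1:1 NAT).  Dst-NAT entries rewrite the destination of traffic that
# arrives from the external network; the SrcNat entry, inserted automatically when
# internal-to-external communication is allowed, hides every internal sender behind
# the external interface address.
NAT_TABLE = [
    {"external": "172.158.2.3", "internal": NODES["CP343-1Advanced"], "direction": "Dst-NAT"},
    {"external": "172.158.2.5", "internal": NODES["PN-CPU"], "direction": "Dst-NAT"},
    {"external": EXTERNAL_IF, "internal": "*", "direction": "SrcNat"},
]

# Table 7-5 (NAPT): external port on EXTERNAL_IF -> (internal node, internal port).
NAPT_TABLE = [
    (8000, NODES["CP343-1Advanced"], 80),
    (21, NODES["CP343-1Advanced"], 21),
    (102, NODES["PN-CPU"], 102),
]


class NaptConfigError(ValueError):
    """Raised when an external port would be used by more than one entry."""


def validate_napt(table):
    """Check the uniqueness rule from the Note in 7.4.2: all NAPT entries share the
    module's external IP, so an external port may be entered only once."""
    seen = {}
    for ext_port, int_ip, int_port in table:
        if ext_port in seen:
            raise NaptConfigError(
                f"external port {ext_port} already maps to {seen[ext_port]}")
        seen[ext_port] = f"{int_ip}:{int_port}"
    return seen


def nat_inbound(dst):
    """Destination rewrite for a packet coming from the external network."""
    for entry in NAT_TABLE:
        if entry["direction"] == "Dst-NAT" and entry["external"] == dst.ip:
            return Endpoint(entry["internal"], dst.port)   # port untouched in 1:1 NAT
    return None   # no public address configured for this target


def nat_outbound(src):
    """Source rewrite for a packet leaving the cell."""
    for entry in NAT_TABLE:
        if entry["direction"] == "SrcNat" and entry["internal"] in ("*", src.ip):
            return Endpoint(entry["external"], src.port)
    return src


def napt_inbound(dst, table=NAPT_TABLE):
    """Port-based rewrite: only the external interface address is reachable."""
    if dst.ip != EXTERNAL_IF:
        return None
    for ext_port, int_ip, int_port in table:
        if ext_port == dst.port:
            return Endpoint(int_ip, int_port)
    return None


if __name__ == "__main__":
    validate_napt(NAPT_TABLE)
    print(nat_inbound(Endpoint("172.158.2.3", 80)))     # -> CP343-1 Advanced web server
    print(napt_inbound(Endpoint(EXTERNAL_IF, 8000)))    # -> CP343-1 Advanced port 80
    # A second CPU on port 102 cannot be added: the external port is already taken.
    try:
        validate_napt(NAPT_TABLE + [(102, "192.168.2.8", 102)])   # constructed second CPU
    except NaptConfigError as err:
        print("rejected:", err)
```

The last call reproduces the limitation stated in the Note: because every NAPT entry is reached via 172.158.2.2, a second CPU would need a second external port for S7, and port 102 is already assigned to PN-CPU.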

7.5 Downloading the SCALANCE S602 V3 configuration

To download the configuration, proceed as described in chapter 6.9 (Downloading the firewall rules to the S602 V3). Figure 7-2


8 Operation of the Application

Access rights

By means of the firewall rules, the scenarios were only enabled for certain PCs. An attempt to test the scenarios with a PC other than the one specified will be unsuccessful. The following table provides an overview:

Table 8-1

User scenarios                                       Access right
Node initialization of internal nodes                Service PC
Configuration / diagnostics with STEP 7              Service PC
Access to cell-internal Web and FTP servers          PG of the control room
Logging the data packets for the S7 communication    Syslog server
Blocking unauthorized access attempts                External PC

8.1 Operation in bridge mode

Configuration
The figure below shows the configuration and the associated IP addresses of the application in bridge mode:

Figure 8-1 (automation cell protected by firewall, two X208 switches)
  S602 V3: 192.168.2.2
  CP: 192.168.2.3
  CPU: 192.168.2.5
  Service PC: 192.168.2.6
  Control room: 192.168.2.1
  Syslog: 192.168.2.4
  External PC: 192.168.2.7


Node initialization via the DCP protocol

Table 8-2

No. Action Remark

1. On the service PC, open the SIMATIC MANAGER and the Bridge STEP 7 project. In the PLC menu, select the Edit Ethernet Node… option. Start the network scan. Enabling the DCP protocol now allows node initialization of the internal nodes.

Downloading and monitoring the STEP 7 project

Table 8-3

No. Action Remark

1. On the service PC, open the SIMATIC MANAGER and the associated Bridge project.

2. Successively select the S7-300 stations and download them to the CPU.

3. Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select “View > Monitor” to monitor the variables.


Access to the Web server

Access to the Web and FTP server of the CP343-1 Advanced is permitted only for the control room. In the firewall rules, HTTP and FTP were explicitly allowed for the following IP address: 192.168.2.1.

Table 8-4

No. Action Remark

1. On the PG of the control room, open a Web browser and in the address bar enter the IP address of the CP343-1 Advanced (http://192.168.2.3). The standard HTML page opens.

2. The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections.

Access to the FTP server

Table 8-5

No. Action Remark

1. On the PG of the control room, open an FTP client. Create a new server with the following data:
   Server: 192.168.2.3
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.
   Note: Do not use a Web browser as an FTP client but an FTP client program.


2. The file structure of the Advanced CP is displayed.

Logging the data traffic

Table 8-6

No. Action Remark

1. On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here.

2. In the Security Configuration Tool, select the S602 V3 module and select “View -> Online” to go to online mode.

3. Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration…).


4. The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is directly displayed. The Start reading button activates the display in the dialog.

Blocking unauthorized access

Table 8-7

No. Action Remark

1. On the external PC, open an FTP client. Create a new server with the following data:
   Server: 192.168.2.3
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.

2. The CP’s file system cannot be accessed.

3. Try to open the Web page of the CP using a Web browser. Here, too, access is not possible.

4. On the external PC, open the SIMATIC MANAGER and the Bridge STEP 7 project.


5. Select an S7-300 station and try to download it to the CPU.

6. Downloading is not possible.

Access via user-defined firewall rule sets

To activate this user-specific firewall rule set, you first have to log on to the Web page of the SCALANCE S602 V3. The connection to the security module is established via HTTPS using the IP address of the external port.

Table 8-8

No. Action Remark

1. On the external PC, use a Web browser to open the Web page of the S602 V3 (https://192.168.2.2).

2. Log on with the user name and password configured in chapter 6.8.2.


3. After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer.

4. On the external PC, open an FTP client. Create a new server with the following data:
   Server: 192.168.2.3
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.

5. The file structure of the Advanced CP is displayed.

6. Due to the user-specific rule, access to the Web page of the CP is now allowed as well.


8.2 Operation in router mode

Configuration
The figure below shows the configuration and the associated IP addresses of the application in router mode:

Figure 8-2 (automation cell protected by firewall, two X208 switches)
  S602 V3 internal: 192.168.2.2
  S602 V3 external: 172.158.2.2
  CP: 192.168.2.3
  CPU: 192.168.2.5
  Service PC: 172.158.2.6
  Control room: 172.158.2.1
  Syslog: 172.158.2.4
  External PC: 172.158.2.7


8.2.1 Routing via NAT

Downloading and monitoring the STEP 7 project

Table 8-9

No. Action Remark

1. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.

2. Successively select the S7-300 stations and download them to the CPU.

3. When asked for an access address for the SIMATIC CPU station, select the PROFINET interface of the CP343-1 Advanced.

4. Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select “View > Monitor” to monitor the variables.


Access to the Web server

Table 8-10

No. Action Remark

1. On the PG of the control room, open a Web browser and in the address bar enter the IP address of the CP343-1 Advanced (http://172.158.2.3). The standard HTML page opens.

2. The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections.

Access to the FTP server

Table 8-11

No. Action Remark

1. On the PG of the control room, open an FTP client. Create a new server with the following data:
   Server: 172.158.2.3
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.


2. The file structure of the Advanced CP is displayed.

Logging the data traffic

Table 8-12

No. Action Remark

1. On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here.

2. In the Security Configuration Tool, select the S602 V3 module and select “View -> Online” to go to online mode.

3. Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration…).


4. The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is directly displayed. The Start reading button activates the display in the dialog.

Blocking unauthorized access

Table 8-13

No. Action Remark

1. On the external PC, open an FTP client. Create a new server with the following data:
   Server: 172.158.2.3
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.

2. The CP’s file system cannot be accessed.

3. Try to open the Web page of the CP using a Web browser (http://172.158.2.3). Here, too, access is not possible.

4. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.


5. Successively select the S7-300 stations and download them to the CPU.

6. When asked for an access address for the SIMATIC CPU station, select the PROFINET interface of the CP343-1 Advanced.

7. Downloading is not possible.


Access via user-defined firewall rule sets

To activate this user-specific firewall rule set, you first have to log on to the Web page of the SCALANCE S602 V3. The connection to the security module is established via HTTPS using the IP address of the external port.

Table 8-14

No. Action Remark

1. On the external PC, use a Web browser to open the Web page of the S602 V3 (https://172.158.2.2).

2. Log on with the user name and password configured in chapter 6.8.2.

3. After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer.

4. On the external PC, open an FTP client. Create a new server with the following data:
   Server: 172.158.2.3
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.


5. The file structure of the Advanced CP is displayed.

6. Due to the user-specific rule, access to the Web page of the CP (http://172.158.2.3) is now allowed as well.


8.2.2 Routing via NAPT

Downloading and monitoring the STEP 7 project

Table 8-15

No. Action Remark

1. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.

2. Select the SIMATIC PN-CPU S7-300 station and download it to the CPU.

3. Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select “View > Monitor” to monitor the variables.

Access to the Web server

Table 8-16

No. Action Remark

1. On the PG of the control room, open a Web browser and in the address bar enter the translated address of the CP343-1 Advanced (http://172.158.2.2:8000/). The standard HTML page opens.


2. The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections.

Access to the FTP server

NOTICE Make sure that you are using active FTP, so that the client sends a random listen port to the server.

For passive FTP, the server opens a new port and sends it to the client. However, it sends it with its own IP address (here: 192.168.2.3) and not with the translated address (172.158.2.2). It is thus not possible to establish a connection.

Table 8-17

No. Action Remark

1. On the PG of the control room, open an FTP client. Create a new server with the following data:
   Server: 172.158.2.2
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active FTP
   Connect to the FTP server.

2. The file structure of the Advanced CP is displayed.
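To make the NOTICE above concrete, here is an added example (not code from the Siemens document) that parses the server's reply to PASV as defined in RFC 959 and checks whether the advertised host matches the address the client actually connected to; the addresses are the document's, the reply string is constructed, and the function names are assumptions.

```python
"""PASV/PORT address check for FTP through the S602 NAPT (added example).

Not code from the Siemens document. Behind the NAPT of Table 7-5 the
CP343-1 Advanced (192.168.2.3) is reached as 172.158.2.2:21, but its
reply to PASV still names 192.168.2.3, so a passive data connection
cannot be established. In active mode the client announces its own
listen port with PORT, so the server never has to advertise an address.
"""
import re

# Document addresses; the reply and command strings below are constructed.
S602_EXTERNAL = "172.158.2.2"
CP_INTERNAL = "192.168.2.3"

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 Entering Passive Mode reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in PASV reply")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_data_connection(reply, control_peer):
    """Decide whether the passive data connection can reach the server.

    control_peer is the address the client connected to on port 21
    (172.158.2.2 when going through the NAPT). The data connection is
    only usable when the server advertised that same address; an
    internal address such as 192.168.2.3 is unreachable from outside.
    """
    host, port = parse_pasv(reply)
    return {"host": host, "port": port, "reachable": host == control_peer}


def build_port_command(client_ip, listen_port):
    """PORT command for active FTP: the client announces its own address
    and listen port, so the server's internal address is never involved."""
    if not 0 < listen_port < 65536:
        raise ValueError("listen port out of range")
    p1, p2 = divmod(listen_port, 256)
    return f"PORT {client_ip.replace('.', ',')},{p1},{p2}"


# Constructed PASV reply as the CP would send it (its own internal address).
SAMPLE_PASV = "227 Entering Passive Mode (192,168,2,3,4,1)"
```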


Logging the data traffic

Table 8-18

No. Action Remark

1. On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here.

2. In the Security Configuration Tool, select the S602 V3 module and select “View -> Online” to go to online mode.

3. Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration…).

4. The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is directly displayed. The Start reading button activates the display in the dialog.


Blocking unauthorized access

Table 8-19

No. Action Remark

1. On the external PC, open an FTP client. Create a new server with the following data:
   Server: 172.158.2.2
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.

2. The CP’s file system cannot be accessed.

3. Try to open the Web page of the CP using a Web browser (http://172.158.2.2:8000/). Here, too, access is not possible.

4. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.

5. Select the SIMATIC PN-CPU S7-300 station and download it to the CPU.

6. Downloading is not possible.


Access via user-defined firewall rule sets

To activate this user-specific firewall rule set, you first have to log on to the Web page of the SCALANCE S602 V3. The connection to the security module is established via HTTPS using the IP address of the external port.

Table 8-20

No. Action Remark

1. On the external PC, use a Web browser to open the Web page of the S602 V3 (https://172.158.2.2).

2. Log on with the user name and password configured in chapter 6.8.2.

3. After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer.

4. On the external PC, open an FTP client. Create a new server with the following data:
   Server: 172.158.2.2
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.


5. The file structure of the Advanced CP is displayed.

6. Due to the user-specific rule, access to the Web page of the CP (http://172.158.2.2:8000/) is now allowed as well.


9 References

These lists are by no means complete and only present a selection of related references.

References

Table 9-1

Topic / Title

/1/ STEP 7: Automating with STEP 7 in STL and SCL, Hans Berger, Publicis Corporate Publishing, ISBN 978-3-89578-412-5

/2/ SIMATIC NET security: SIMATIC NET Industrial Ethernet Security, Basics and application, Configuration Manual, http://support.automation.siemens.com/WW/view/en/56577508

/3/ Getting Started: SIMATIC NET Industrial Ethernet Security, Setting up security, Getting Started, http://support.automation.siemens.com/WW/view/en/61630590

/4/ Installation manual for the SCALANCE S602 V3: SIMATIC NET Industrial Ethernet Security, SCALANCE S V3.0, Commissioning and Hardware Installation Manual, http://support.automation.siemens.com/WW/view/en/56576669

Internet links

Table 9-2

Topic / Title

\1\ Reference to the document: http://support.automation.siemens.com/WW/view/en/22376747

\2\ Siemens Industry Online Support: http://support.automation.siemens.com

\3\ Primary Setup Tool: http://support.automation.siemens.com/WW/view/en/19440762

10 History

Table 10-1

Version   Date       Modification
V1.0      03/02/06   First edition
V2.0      09/01/09   S612 replaced by S602; configuration in bridge and routing mode
V3.0      07/20/12   SCALANCE S602 V3 hardware update; user-specific firewall rules; chapters revised