Applications & Tools

Answers for industry.

Configuring Secure Remote Maintenance Access with the Aid of the SCALANCE S623

SCALANCE S623

Application Description, March 2013

VPN S623, V1.0, Entry ID: 22056713

Copyright Siemens AG 2013 All rights reserved

Siemens Industry Online Support

This entry is taken from Siemens Industry Online Support. The following link takes you directly to the download page of this document: http://support.automation.siemens.com/WW/view/en/22056713

Caution

The functions and solutions described in this entry predominantly confine themselves to the realization of the automation task. Please also take into account that corresponding protective measures have to be taken in the context of Industrial Security when connecting your equipment to other parts of the plant, the enterprise network or the Internet. For more information, please refer to Entry ID 50203404. http://support.automation.siemens.com/WW/view/en/50203404

Please also actively use our Technical Forum in Siemens Industry Online Support regarding this subject. Share your questions, suggestions or problems and discuss them with our strong forum community: http://www.siemens.com/forum-applications


SIMATIC NET
Remote Maintenance with the SCALANCE S623
Industrial Security

1 Task
2 Solution
3 Setting up Remote Maintenance in the SCALANCE S623
4 Function Mechanisms of the Scenarios
5 Installation
6 Startup of the Application
7 Operation of the Application
8 References
9 History
Warranty and Liability


Warranty and Liability

Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.


Table of Contents

Warranty and Liability
1 Task
  1.1 Introduction
  1.2 Overview of the automation task
2 Solution
  2.1 Overview of the overall solution
  2.2 Description of the core functionality
  2.3 Hardware and software components used
  2.4 Alternative solution
3 Setting up Remote Maintenance in the SCALANCE S623
  3.1 SCALANCE S623 product description
  3.2 The remote maintenance application in the SCALANCE S623
4 Function Mechanisms of the Scenarios
  4.1 Functionality of the FTP scenario
  4.2 Functionality of the OPC scenario
5 Installation
  5.1 Installing the hardware
  5.2 Installing the software
6 Startup of the Application
  6.1 Assigning the IP addresses
  6.2 Configuring with the Security Configuration Tool
    6.2.1 Creating a project with the security modules
    6.2.2 Activating the third port of the S623
    6.2.3 Symbolic addressing in the Security Configuration Tool
    6.2.4 Advanced mode
    6.2.5 Configuring the VPN connection
    6.2.6 Configuring the firewall rules
    6.2.7 Loading and exporting the configuration files
  6.3 Configuring the DSL router
  6.4 Configuring the FTP scenario
  6.5 Configuring the OPC scenario
  6.6 Activating the VPN tunnel with the SOFTNET Security Client
  6.7 Loading the controller
7 Operation of the Application
  7.1 Overview
  7.2 Demonstration of the scenarios
8 References
9 History

1 Task

1.1 Introduction

More and more often, Ethernet connections extend all the way to the field level. For plant automation, this offers many advantages such as remote diagnostics and remote maintenance. Efficiency regarding the time required and associated costs is significantly higher than sending service staff to plants around the world. Faults can be detected and eliminated much more quickly. This reduces machine downtimes and increases their availability. At the same time, however, production processes that were secure in the past are now open to attack from both the outside and inside. Only an approach that combines security mechanisms and a comprehensive understanding of automation can provide reliable protection. To maintain security in automation, it is therefore necessary to use a security concept that is specifically tailored to the requirements of automation. For remote access, the security components from Siemens and today’s Internet access mechanisms (radio, broadband) make a successful combination.


1.2 Overview of the automation task

If an automation cell signals a maintenance / error alarm (e.g., failure of a module, values above or below a limit, cable break), it is necessary to quickly detect and eliminate the cause of the error. On the one hand, this can be done from a control center at the management level or, on the other hand, by an external service station. The figure below provides an overview of the automation task.

Figure 1-1 (labels: Internet, automation cell, management level, service station, company network; legend: allowed communication, forbidden communication)

Description of the automation task

An automation cell with devices accessible via Ethernet (S7 CPUs, Ethernet CPs) is to be connected to the management level of the automation plant via the company network. The aim is to enable a PG/PC from the management level to communicate with the automation cell and to execute all STEP 7 and office functions. In addition, a service station is to be given the option of connecting to the automation cell externally via the Internet. For this service station, however, access to the management level is to be completely blocked and access to the automation cell is to be restricted.

2 Solution

2.1 Overview of the overall solution

Diagrammatic representation

The diagrammatic representation below shows the most important components of the solution:

Figure 2-1 (labels: SCALANCE S623; automation cell with PN CPU with CP343-1 Advanced V3 and FTP server; management level with PC running STEP 7, OPC server/client and FTP client; service station with service PG running STEP 7, VPN client and FTP client; VPN tunnel; access points)

Configuration

The SCALANCE S623 is the core of the overall solution. The module has three ports that are connected as follows:

- The non-secure port – recognizable by the lock symbol and the red marking – of the SCALANCE S623 is connected to the management level. Here this is represented by a PC with installed STEP 7, SIMATIC NET for the OPC application and the FTP client.
- The automation cell contains a SIMATIC S7-300 station with a CPU317-2 PN/DP and a CP343-1 Advanced V3. Via the PROFINET interface of the CP, the station is connected to the secure port – recognizable by the green marking – of the SCALANCE S623.
- The third port of the SCALANCE S623 is a DMZ port – recognizable by the lock symbol and the yellow marking. This interface is the access for the service station for remote maintenance purposes. The service PG is equipped with the STEP 7 software, a VPN client (SOFTNET Security Client) and an FTP client.

Scope

This application does not include
- basic information on Industrial Ethernet
- explanations of the basic terms in the context of Industrial Security
- detailed information on firewall and VPN technology.

Basic knowledge of these topics is required.

2.2 Description of the core functionality

SCALANCE S623

The core of this application is the SCALANCE S623 Security Module. This module is part of the Siemens security concept and was developed specifically for industrial automation. It can be configured as a firewall and / or VPN end point and thus be used to protect automation cells and components. With its three network ports, the module additionally offers the option to set up a demilitarized zone or use the additional port for remote maintenance purposes.

SOFTNET Security Client

The SOFTNET Security Client is a software-based Industrial Security component. It allows PGs / PCs to establish a secure connection to the installed SCALANCE S modules.

Industrial Security with VPN

For remote maintenance or diagnostics via a public, unsecured network, reliable security has the highest priority when transferring data. Confidential and sensitive information must not be sent through the Internet as plain text, where it could be read and / or manipulated by unauthorized third parties. To ensure secure and reliable data transfer, this application uses a VPN solution. VPN is the abbreviation for virtual private network. It combines two separate networks into one closed logical network. A firewall is used for controlled communication between the networks. Appropriate firewall rules allow you to grant the service station access only to the automation cell but not to the management level. This solution is configured using the Security Configuration Tool.

Description of the user scenarios

The table below shows the scenarios presented in this application. Appropriate firewall rules in the SCALANCE S module ensure that only scenarios for defined networks are enabled.

Table 2-1

| No. | Application | Description | Enabled for ... |
|---|---|---|---|
| 1. | Productive data transfer | An FTP client can regularly request production data from the FTP server of the automation cell. | Management level |
| 2. | Production monitoring | An OPC application allows you to monitor and modify CPU variables. | Management level |
| 3. | Diagnostics | The STEP 7 (online) functions allow you to diagnose, monitor and load the automation cell. | Management level and service station |

The figure below shows the applications in combination with the yellow remote maintenance port of the SCALANCE S623.

Figure 2-2 (labels: SCALANCE S623; automation cell with PN CPU with CP343-1 Advanced V3 and FTP server; management level with PC running OPC server / client, FTP client and STEP 7; service station with service PC running STEP 7, VPN client and FTP client; access point; connections: STEP 7 function, FTP data, OPC variables)


Advantages of this solution

- Flexible, reaction-free and protocol-independent (layer 2 and higher, according to IEEE 802.3) protection against data espionage and data manipulation.
- User-friendly and easy configuration and administration without special security knowledge.
- Scalable security functionality.
- Access protection for any devices in Ethernet networks.
- Secure remote access via the Internet (e.g., with a DSL modem) can be implemented.

2.3 Hardware and software components used

The application was created with the following components:

Standard components

Table 2-2

| Component | Qty. | MLFB/order number | Note |
|---|---|---|---|
| CPU 317-2 PN/DP | 1 | 6ES7 317-2EH14-0AB0 | |
| PS307 5A power supply | 2 | 6ES7 307-1EA00-0AA0 | |
| Micro Memory Card | 1 | 6ES7 953-8LF11-0AA0 | At least 1 MB |
| PG | 2 | 6ES7 712-XXXXX-XXXX | Configurator |
| IE FC TP STANDARD CABLE | 3 | 6XV1840-2AH10 | IE connecting cable |
| RJ45 plug connector | 6 | 6GK1901-1BB10-2AA0 | Can be integrally molded |
| DSL router + modem with port forwarding | 1 | | DSL must be accessible via a static IP address. |

Security

Table 2-3

| Component | Qty. | MLFB/order number | Note |
|---|---|---|---|
| SCALANCE S623 | 1 | 6GK5 623-0BA10-2AA3 | |
| Security Configuration Tool V3.1 | 1 | - | SCT is included in the scope of delivery of the SCALANCE S623. |
| CP343-1 Advanced V3 | 1 | 6GK7 343-1GX31-0XE0 | Another S7-300 IT-CP can also be used. |
| SOFTNET Security Client V4 | | 6GK1704-1VW04-0AA0 | |

Software

Table 2-4

| Component | Qty. | MLFB/order number | Note |
|---|---|---|---|
| STEP 7 V5.5 SP2 HF1 | 1 | 6ES7810-4CC08-0YA5 | Or higher |
| HSP1058 | 1 | | Hardware support package for CP343-1 Advanced V3; included in the scope of delivery of the module. |
| SIMATIC Net PC Software Edition 2008 + SP2 | 1 | 6GK1704-5C.. | Or higher. The CD contains the OPC server and the “OPC Scout” OPC client. |
| FTP client software | 1 | | |
| FTP server software | 1 | | |


Sample files and projects

The following list contains all files and projects that are used in this example.

Table 2-5

| Component | Note |
|---|---|
| 22056713_VPN_S623_DOKU_V10_e.pdf | This document. |
| 22056713_VPN_S623_CODE_V10.zip | This zip file contains the STEP 7 project. |

2.4 Alternative solution

Instead of the SOFTNET Security Client VPN software, a PC with the CP1628 can also be used in the service station. The CP1628 is part of the SIMATIC NET security range and designed for industrial PCs. Computers equipped with this module can communicate via a secure VPN connection. In addition, the firewall integrated in the CP1628 protects the computer from unauthorized access.

Figure 2-3

Note For information on configuring the CP1628, please refer to the security manual in /1/, Chapter 8 (References).

3 Setting up Remote Maintenance in the SCALANCE S623

This chapter provides information on the SCALANCE S623 module and describes the remote maintenance application and its use. It highlights the additional product features of the SCALANCE S623 compared to the other SCALANCE S6xx modules and explains the advanced setting options in the Security Configuration Tool when using a SCALANCE S623. For basic descriptions of the general functions of the SCALANCE S623 and the Security Configuration Tool, please refer to the document “Industrial Security with SCALANCE S Modules Over IPSec VPN Tunnels” that can be found on the HTML page of this document and to the Industrial Security configuration manual in /9/ in Chapter 8.

3.1 SCALANCE S623 product description

Description

The SCALANCE S623 is part of the SCALANCE S family of SIMATIC NET. Like the other modules, the SCALANCE S623 is optimized for use in the automation environment and meets the special requirements of automation. Through the combination of different security mechanisms, the SCALANCE S623 protects individual devices or entire automation cells from unauthorized access.

Properties

The SCALANCE S623 features the following security functions:

- Protection of devices or entire automation cells with or without independent security functions by the integrated firewall:
  - Inspection of data packets based on the source and destination address (stateful packet inspection)
  - Support of Ethernet “non-IP” frames
  - Bandwidth limitation
  - Global and local firewall rules
  - User-defined firewall rules
  - Logging
- Router mode: In router mode, the SCALANCE S separates the internal network from the external network. The internal network appears as a separate subnet.
- Reaction-free integration of the SCALANCE S623 into an existing infrastructure with flat networks (bridge mode).
- Establishment of secure communication connections over unsecured networks through VPN (virtual private network) via IPsec tunnels.
- Additional third port to connect another network.


In addition, the SCALANCE S623 supports the following network functions:

- Address translation with NAT / NAPT
- DHCP server for IP address assignment in the internal network and / or DMZ network.
- Logging and evaluation of log files via an external server
- SNMP for analysis and evaluation of network information
- Dynamic DNS support
- PPPoE client
- Time synchronization / NTP

Interfaces

The SCALANCE S623 has three permanently installed interfaces:

- Port 1; red, with lock symbol
- Port 2; green
- Port 3; yellow, with lock symbol

The networks described in the previous chapters are connected as follows:

- The unsecured external network to the red port (management level)
- The internal network to be secured to the green port (automation network)
- The unsecured public network (Internet), as remote maintenance access, to the yellow port

Figure 3-1 (labels: internal network, external network, remote maintenance access)

Note The Ethernet connections on the ports are handled differently by the SCALANCE S and must therefore not be swapped over when connecting to the communication network. If the ports are swapped over, the protective function is no longer ensured.


Configuring the SCALANCE S623

The SCALANCE S623 is configured using the Security Configuration Tool (SCT). Its handling is very easy and, in standard mode, it can also be done by non-IT experts. The following screenshot shows the user interface of the Security Configuration Tool:

Figure 3-2

3.2 The remote maintenance application in the SCALANCE S623

Remote maintenance via VPN

A VPN is a private network that uses a public network (e.g., the Internet) as a transit network for transmitting private data to a private destination network. The networks do not have to be compatible with one another. VPN routers are required to set up a VPN. Although VPN uses the addressing mechanisms of the carrier network, it nevertheless uses its own network packets to separate the transport of private IP data packets from the others. Due to this fact, the private networks appear as a shared logical (virtual) network.

Yellow port of the SCALANCE S623

Aside from the usual two ports of the SCALANCE S modules, the SCALANCE S623 has an additional third port marked in yellow. The SCALANCE S623 and especially its firewall handle the three ports as independent interfaces. Data transfer from / to and between the ports can be controlled with the aid of the Security Configuration Tool and appropriate firewall rules. Depending on the use, the additional yellow port can serve one of three use cases: as a DMZ port, as a remote maintenance port or as a local port.

If the yellow port acts as a DMZ port, the SCALANCE S623 allows another network to be connected. Through appropriate firewall rules, direct access from the external to the internal network can therefore be prevented. Like the red port, the yellow port can also be configured as a remote maintenance port. This provides the option to terminate a VPN IPsec tunnel and use this port for remote maintenance purposes.


Furthermore, the yellow port can be used as a local port. For example, this is useful when the SCALANCE S623 is installed in a control cabinet and only the yellow port is to be made externally accessible for controlled service technician access to the networks. Due to the fact that both the DMZ function and the remote maintenance function expect the connection of a separate subnet, the yellow port is intended only for routing mode.

Note This application example covers only the VPN function of the yellow port. For more information on the different application options, please refer to the security manual in /1/ or the document “Setting up a Demilitarized Zone (DMZ) with the Aid of the SCALANCE S623” in /7/ in Chapter 8 (References).

Data communication control

As is common for the SCALANCE S modules, a firewall concept is also implemented in the SCALANCE S623. The firewall rules are configured using the Security Configuration Tool. These rules define which data packets can pass or which ones are discarded. Sender, address, protocol, send operation and, if necessary, bandwidth can be used for filtering. The following screenshot shows a sample configuration of IP firewall rules:

Figure 3-3

The configuration and structure of the firewall rules correspond to the definitions commonly used for SCALANCE S modules. For more information, please refer to the document “Protection of an Automation Cell Using the SCALANCE S602 V3 Security Module via a Firewall (Bridge/Routing)” in /7/ and to the Industrial Security configuration manual in /9/ in Chapter 8 (References). The additional third port of the SCALANCE S623 expands the options for specifying the direction of the data packets. “DMZ” was added to the already known directions “Internal”, “External”, “Tunnel” and “Any”.


The possible directions for the IP rule sets have been expanded as follows:

Table 3-1

| From | To |
|---|---|
| Any | Internal, External, DMZ |
| External | Internal, Tunnel, DMZ, Any |
| Internal | Internal, External, Tunnel, DMZ, Any |
| Tunnel | Internal, External, DMZ |
| DMZ | Internal, External, Tunnel, Any |

The rule sets can be defined globally and locally.
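A rule list can be reviewed against the direction pairs of Table 3-1 and against the requirement from Chapter 1.2 (no access from the service station to the management level, restricted access to the automation cell) before it is loaded. The following Python sketch is an added example, not Siemens code and not an SCT file format; the rule tuples and service labels are constructed, and treating "Any" as matching every direction and taking "Tunnel" and "DMZ" as the remote side are assumptions.

```python
from dataclasses import dataclass

# Table 3-1: direction pairs selectable for IP rule sets (From -> To).
ALLOWED_DIRECTIONS = {
    "Any":      {"Internal", "External", "DMZ"},
    "External": {"Internal", "Tunnel", "DMZ", "Any"},
    "Internal": {"Internal", "External", "Tunnel", "DMZ", "Any"},
    "Tunnel":   {"Internal", "External", "DMZ"},
    "DMZ":      {"Internal", "External", "Tunnel", "Any"},
}

# Assumption: the service station arrives via the VPN tunnel on the
# yellow (DMZ) port, so both directions count as the remote side.
REMOTE_SIDES = ("Tunnel", "DMZ")

BAD_PAIR = "direction pair not listed in Table 3-1"
REACHES_MGMT = "remote side can reach the management level"
UNRESTRICTED = "remote access to the automation cell is not restricted"


@dataclass(frozen=True)
class Rule:
    action: str   # "Allow" or "Drop"
    src: str      # "From" direction
    dst: str      # "To" direction
    service: str  # hypothetical service label; "all" means unrestricted


def covers(direction: str, target: str) -> bool:
    """Assumption: 'Any' matches every direction."""
    return direction == "Any" or direction == target


def audit(rules):
    """Return (rule number, finding) for every rule that needs review."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        if rule.dst not in ALLOWED_DIRECTIONS.get(rule.src, set()):
            findings.append((number, BAD_PAIR))
            continue
        if rule.action != "Allow":
            continue
        from_remote = any(covers(rule.src, side) for side in REMOTE_SIDES)
        if not from_remote:
            continue
        if covers(rule.dst, "External"):
            findings.append((number, REACHES_MGMT))
        elif covers(rule.dst, "Internal") and rule.service == "all":
            findings.append((number, UNRESTRICTED))
    return findings


# Constructed rule list for illustration.
SAMPLE_RULES = [
    Rule("Allow", "External", "Internal", "ftp"),  # 1: FTP scenario
    Rule("Allow", "External", "Internal", "all"),  # 2: management level
    Rule("Allow", "Tunnel", "Internal", "s7"),     # 3: STEP 7 diagnostics
    Rule("Allow", "Tunnel", "External", "all"),    # 4: violates Chapter 1.2
    Rule("Allow", "Tunnel", "Tunnel", "all"),      # 5: pair not in Table 3-1
    Rule("Allow", "DMZ", "Any", "all"),            # 6: "Any" includes External
    Rule("Drop", "Tunnel", "External", "all"),     # 7: explicit block
    Rule("Allow", "Tunnel", "Internal", "all"),    # 8: no service restriction
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```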

4 Function Mechanisms of the Scenarios

4.1 Functionality of the FTP scenario

Description

This scenario shows the data transfer between a PC (FTP client) from the management level and an FTP server (CP). As an example, process data from the CPU is to be saved in DB format on the FTP client.

Procedure

The following steps are necessary to transfer data between the FTP client and the FTP server:

- Establishment of a control connection to exchange the FTP commands
- Authentication
- Establishment of a data connection for the data transfer
- Data transfer

For FTP access, there are two different modes: Active and passive FTP. For active FTP, the control connection is initiated by the FTP client, but the data connection is initiated by the FTP server. For passive FTP, both connections are initiated by the FTP client. This application uses passive FTP.

Figure 4-1 (labels: FTP client, FTP server, FTP control connection, FTP data connection)
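Which side opens the data connection decides in which direction the firewall sees a new connection. The following Python sketch is an added example (not part of the Siemens document or of any Siemens tool): it reads constructed control-channel transcripts, decodes the data endpoint announced by the standard FTP `PORT` command or `227` reply, and lists the directions in which connections are opened. The addresses are those of Table 6-1; routing without address translation, the zone names as function defaults and the file name are assumptions.

```python
import re
from typing import NamedTuple

# Addresses from Table 6-1; routing mode without NAT is an assumption.
CLIENT_IP = "140.80.0.100"   # management-level PC (FTP client)
SERVER_IP = "192.168.0.2"    # CP343-1 Advanced V3 (FTP server)

# Constructed control-channel transcripts ("C:" client, "S:" server).
# The file name below /cpu1 is hypothetical.
PASSIVE_SESSION = [
    "S: 220 FTP server ready",
    "C: USER operator",
    "S: 331 Password required",
    "C: PASS ********",
    "S: 230 User logged in",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,168,0,2,19,137)",
    "C: RETR /cpu1/db_data.dat",
    "S: 150 Opening data connection",
    "S: 226 Transfer complete",
]
ACTIVE_SESSION = [
    "S: 220 FTP server ready",
    "C: USER operator",
    "S: 331 Password required",
    "C: PASS ********",
    "S: 230 User logged in",
    "C: PORT 140,80,0,100,195,80",
    "S: 200 PORT command successful",
    "C: RETR /cpu1/db_data.dat",
    "S: 150 Opening data connection",
    "S: 226 Transfer complete",
]


class Flow(NamedTuple):
    kind: str        # "control" or "data"
    initiator: str   # "client" or "server"
    dst_ip: str
    dst_port: int


_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1 * 256 + p2."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError(f"no host/port field in {text!r}")
    parts = [int(p) for p in match.groups()]
    if any(p > 255 for p in parts):
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def flows_from_transcript(lines):
    """List the TCP connections one FTP session needs, in order."""
    flows = [Flow("control", "client", SERVER_IP, 21)]
    awaiting_pasv_reply = False
    for line in lines:
        sender, _, message = line.partition(" ")
        message = message.strip()
        if sender == "C:" and message.upper().startswith("PORT "):
            # Active FTP: the server connects to the endpoint the client names.
            flows.append(Flow("data", "server", *_decode(message)))
        elif sender == "C:" and message.upper() == "PASV":
            awaiting_pasv_reply = True
        elif sender == "S:" and awaiting_pasv_reply and message.startswith("227"):
            # Passive FTP: the client connects to the endpoint the server names.
            flows.append(Flow("data", "client", *_decode(message)))
            awaiting_pasv_reply = False
    return flows


def new_connection_directions(flows, client_zone="External", server_zone="Internal"):
    """Directions (from, to) in which a new connection is opened."""
    directions = set()
    for flow in flows:
        if flow.initiator == "client":
            directions.add((client_zone, server_zone))
        else:
            directions.add((server_zone, client_zone))
    return directions


if __name__ == "__main__":
    for name, session in (("passive", PASSIVE_SESSION), ("active", ACTIVE_SESSION)):
        flows = flows_from_transcript(session)
        print(name, flows, sorted(new_connection_directions(flows)))
```

For the passive session both connections are opened from the management level toward the automation cell; the active session adds a connection opened from the automation cell toward the management level.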

Transferring the production data to the FTP client

In this scenario, the process data from the CPU is saved in DB format on the FTP client.

Figure 4-2 (labels: FTP server, FTP client, process data)

When activating the FTP server in the CP343-1 Advanced V3, the option exists to use the CP as an FTP server for the CPU data. A file allocation table is used to define how the data blocks used for the file transfer in the S7 station are to be mapped to files. This table contains two areas where the assignments are stored on a row-oriented basis as shown in the example below:

- Rack/slot assignment of the CPU
- DB assignment


Figure 4-3

When loading the configuration data to the CP, the “file_db.txt” file is generated from the configured file allocation table and stored in the /config directory of the CP’s file system. After the “file_db.txt” file has been transferred to the CP, a file with the data block contents is stored in the /cpuX (X=1…4) directory on the CP’s file system according to the allocation table. A STEP 7 program is not required for this procedure. Using FTP mechanisms, the FTP client (PC) can now connect to the FTP server (CP) and load the desired file by appropriate FTP commands.


4.2 Functionality of the OPC scenario

Description

OPC (OLE for Process Control) is a vendor-independent software interface that allows data exchange between hardware and software. The OPC interface is part of the software that runs on a PC as a platform for operator control and monitoring systems or other applications. This scenario shows how an OPC client can monitor and modify CPU variables from the external network via a local OPC server.

Procedure

OPC is based on a server / client architecture. An OPC server connects to a device such as a controller and converts the data to a standardized OPC format. Now OPC clients can establish communication with the OPC server and read and write the device data. In this application example, the SIMATIC NET OPC Server is used as an OPC server:

Figure 4-4

The OPC Scout is used as an OPC client:

Figure 4-5

5 Installation

This chapter describes which hardware and software components have to be installed. The descriptions and manuals as well as delivery information included in the delivery of the respective products must be observed in any case.

5.1 Installing the hardware

For the description of the hardware components, please refer to Chapter 2.3 (Hardware and software components used).

Figure 5-1 (labels: SCALANCE S623; automation cell with PN CPU with CP343-1 Advanced V3; management level with PC; service station with service PC; access points)


To install the hardware, follow the instructions in the table below:

Table 5-1

| | No. | Action | Remark |
|---|---|---|---|
| Automation cell | 1. | Mount all modules on a DIN rail. Connect the CPU317-2 PN/DP and the CP343-1 Advanced V3 via a backplane bus. | CPU317-2 PN/DP, CP343-1 Advanced V3 |
| Automation cell | 2. | Via the PROFINET interface, connect the CP343-1 Advanced V3 to the internal interface (green) of the SCALANCE S623. | |
| Management level | 3. | Connect the PC from the management level to the external port (red with lock symbol) of the SCALANCE S623. | |
| Service station | 4. | Connect the DSL router to the remote maintenance port (yellow with lock symbol) of the SCALANCE S623. | |
| Service station | 5. | Connect the service PG to the Internet. This can be done via another DSL router or also via the cellular network. | |

Connect all components to a 24 V power supply. For this purpose, use either terminal strips or multiple power supply units.

Note Always follow the installation guidelines for the components.

Note To make sure that no old configuration is saved in the SCALANCE S623, reset the module to factory settings. For help, please refer to the security manual in /1/, Chapter 8 (References).


5.2 Installing the software

Installing the software packages on the PC of the management level

This configuration requires the following software packages:
- Security Configuration Tool
- FTP client
- SIMATIC NET
- STEP 7

Follow the instructions of the installation programs.

Installing the software packages on the service station PG

This configuration requires the following software packages:
- Security Configuration Tool
- FTP client
- SIMATIC NET
- STEP 7
- SOFTNET Security Client

Follow the instructions of the installation programs.

Installing the hardware support package

This application uses the CP343-1 Advanced V3. To use this module, the module catalog must be updated in the hardware configuration of STEP 7 using HSP 1058. Install HSP on the management level PC. For instructions to install HSP 1058, please refer to /5/ in Chapter 8 (References).

Installing the sample project

On the PC, start STEP 7 and select “File > Retrieve” to retrieve the 22056713_VPN_S623_CODE_V10.zip file. Repeat this step also on the service PG.


6 Startup of the Application

6.1 Assigning the IP addresses

IP addresses used

To come closer to a real application, IP addresses from the public range were used.

Table 6-1

| Network | Module | IP address | Subnet |
|---|---|---|---|
| External network | PC | 140.80.0.100 | 255.255.255.0 |
| External network | External port S623 | 140.80.0.1 | 255.255.255.0 |
| Internal network | CP343-1 Advanced V3 | 192.168.0.2 | 255.255.255.0 |
| Internal network | Internal port S623 | 192.168.0.1 | 255.255.255.0 |
| Remote maintenance | DSL router | 172.16.0.1 | 255.255.0.0 |
| Remote maintenance | Remote maintenance port S623 | 172.16.41.2 | 255.255.0.0 |

Assigning the IP address for the PC

The following table shows you how to adjust the IP address for the PC from the management level.

Table 6-2

1. To change the network address, select “Start > Settings > Network Connection > Local Connections” to open the Internet Protocol (TCP/IP) Properties dialog box. Change the IP address and the default router for the PC from the management level as shown in Table 6-1.


Assigning the IP address for the CP343-1 Advanced V3

The IP address of the CP343-1 Advanced V3 is set using STEP 7.

Table 6-3

1. Connect the PC from the management level to an unused PROFINET interface of the CP343-1 Advanced V3.
2. Open the SIMATIC MANAGER and the STEP 7 project. In the “PLC” menu, select the “Edit Ethernet Node…” option.
3. Click on the Browse… button.
4. Select the desired module and click on OK to confirm the selection.


5. In the Set IP configurations section, enter IP address 192.168.0.2 with subnet mask 255.255.255.0 and as the router, enter 192.168.0.1. Click on the Assign IP Configuration button. Select Close to close the dialog box.
6. Reconnect the PC to the external port of the SCALANCE S623.
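A consistency check of the addressing plan, as an added example that is not part of the Siemens document. It uses the values of Table 6-1 together with the router entries from Table 6-3 and section 6.2.1; the default router of the PC (140.80.0.1, the external port of the S623) and the `check_plan` helper are assumptions of this example.

```python
from ipaddress import ip_address, ip_interface
from itertools import combinations

# name -> (address/mask from Table 6-1, router entered for that node or None)
PLAN = {
    # Router of the PC is an assumption: the external port of the S623.
    "PC": ("140.80.0.100/255.255.255.0", "140.80.0.1"),
    "CP343-1 Advanced V3": ("192.168.0.2/255.255.255.0", "192.168.0.1"),
    "S623 external port": ("140.80.0.1/255.255.255.0", None),
    "S623 internal port": ("192.168.0.1/255.255.255.0", None),
    # Standard router of the S623 is the DSL router (section 6.2.1).
    "S623 remote maintenance port": ("172.16.41.2/255.255.0.0", "172.16.0.1"),
    "DSL router": ("172.16.0.1/255.255.0.0", None),
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    ifaces = {name: ip_interface(addr) for name, (addr, _) in plan.items()}

    # 1. A router must be on-link, i.e. inside the node's own subnet.
    for name, (_, router) in plan.items():
        if router and ip_address(router) not in ifaces[name].network:
            findings.append(
                f"{name}: router {router} is outside {ifaces[name].network}")

    # 2. A routing device needs a distinct subnet on each of its ports.
    s623_ports = [name for name in plan if name.startswith("S623")]
    for a, b in combinations(s623_ports, 2):
        if ifaces[a].network.overlaps(ifaces[b].network):
            findings.append(f"{a} and {b} overlap in {ifaces[a].network}")

    # 3. No address may be assigned to two nodes.
    owner = {}
    for name, iface in ifaces.items():
        if iface.ip in owner:
            findings.append(f"{iface.ip} used by {owner[iface.ip]} and {name}")
        owner[iface.ip] = name
    return findings


if __name__ == "__main__":
    print("plan as documented:", check_plan(PLAN) or "consistent")
    # Typical slip: a /24 mask on the remote maintenance port puts the
    # DSL router (172.16.0.1) outside the port's subnet.
    wrong = dict(PLAN)
    wrong["S623 remote maintenance port"] = ("172.16.41.2/255.255.255.0",
                                             "172.16.0.1")
    for finding in check_plan(wrong):
        print("finding:", finding)
```

The remote maintenance port and the DSL router only share a subnet because of the 255.255.0.0 mask, which is why the second run reports the router as unreachable.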


6.2 Configuring with the Security Configuration Tool

6.2.1 Creating a project with the security modules

The SCALANCE S623 and SOFTNET Security Client V4 are integrated into the SCT project.

Table 6-4

1. On the management level PC, select “Start > SIMATIC > Security” to open the Security Configuration Tool. Select “Project > New…” to create a new project.
2. You are prompted to assign a user login for the new project. Enter a user name and password. Confirm with OK.
3. The dialog box for the first module opens automatically. In Module, select S623. Assign any name and apply the MAC address of the module that can be identified on the housing. As the external IP address, use 140.80.0.1 with subnet mask 255.255.255.0. Select Routing mode and as the internal IP address, assign 192.168.0.1 with subnet mask 255.255.255.0. Confirm the entries with OK.


4. In the content area in the row of the SCALANCE S623, click on the Standard router column and enter the LAN IP address of the DSL router (172.16.0.1).
5. Use the context menu or the relevant icon to add another module.
6. As the module, select the SOFTNET Security Client with Firmware release 4. Assign any name and confirm the selection with OK.


6.2.2 Activating the third port of the S623

The Security Configuration Tool is used to activate and configure the “Remote maintenance” application for the third port on the SCALANCE S623.

Table 6-5

1. Select the S623 module and double-click to open the properties.
2. In the Interface tab, activate the third port (DMZ port (P3)). As the IP assignment, select static address and assign IP address 172.16.41.2 with subnet mask 255.255.0.0 to this port. Close the dialog with OK.


6.2.3 Symbolic addressing in the Security Configuration Tool

Symbolic addressing of nodes facilitates configuring the individual services.

Table 6-6

1. Select “Options > Symbolic Names…” to open the table for symbolic addressing.
2. Use Add to enter all nodes and their IP address in the table. Use the IP addresses from Table 6-1. Close the dialog with OK.


6.2.4 Advanced mode

In addition to the default settings, Advanced mode of the Security Configuration Tool offers more configuration options.

NOTICE Once you have changed to Advanced mode for the current project, you cannot return to standard mode.

Table 6-7

1. The firewall can be individually configured only in Advanced mode. Activate it by selecting “View > Advanced Mode”.
2. Confirm the warning message with Yes.

6.2.5 Configuring the VPN connection

Security modules can establish an IPsec tunnel for secure communication if they are assigned to the same group in the project.

Table 6-8

1. In the navigation area, select VPN groups and use the context menu (“right mouse button > Insert group”) or the appropriate button to create a new group.
2. For a VPN connection between the SCALANCE S623 and the SOFTNET Security Client, the Security Configuration Tool automatically adjusts the VPN group parameters.


3. Now select All modules in the navigation area and use drag and drop to move one module at a time from the content area to the group. Once a module has been assigned to a group, the color of the key icon will change from gray to blue.
4. In All modules, select the S623 module and double-click to open the properties. In the VPN tab, enter the static WAN IP address of your static DSL access in WAN IP address. Close the dialog box with OK.

Note The yellow port is only compatible with VPN groups in Routing mode (see also Chapter 3 Setting up Remote Maintenance in the SCALANCE S623).


6.2.6 Configuring the firewall rules

Note By default, the firewall of the SCALANCE S623 V3 is set so that only tunneled data traffic is possible between the networks. Before communication can take place outside a tunnel, the firewall must first be configured.

IP service definition

IP service definitions allow the compact and clear definition of firewall rules that are applied to certain services. Each service parameter is assigned a name. When configuring the packet filter rules, these names are used once.

Table 6-9

1. Select “Options > IP services…” to open the Definitions of the IP services dialog box.
2. Select Add IP service to add a new IP service. For S7 communication:
   - Name: S7
   - Protocol: TCP
   - Source Port: *
   - Target Port: 102
   Close the dialog box with OK.


Creating the local firewall rules

The Internal, External and DMZ networks are separated with the aid of firewall rules. In this application, the data packets are filtered by specifying allowed ports and the IP addresses of the allowed communication partners. For this application, data traffic between the networks is to take place as follows:

Figure 6-1 (image not reproduced). Labels: automation cell (PN CPU with CP343-1 Advanced V3, FTP server), SCALANCE S623, management level (PC: OPC server / client, FTP client, STEP 7), service station (service PC: STEP 7, VPN client, FTP client), access point. Data flows shown: STEP 7 function, FTP data, OPC variables, STEP 7 function.


Table 6-10

1. Select the SCALANCE S623 and double-click to open the properties. Go to the Firewall and IP Rules tab. Click on Add rule to create new local firewall rules.
2. Insert the following rules into the list:

| Action | From/To | Source IP | Destination IP | Service |
|---|---|---|---|---|
| Allow | External -> Internal | PC | CP343-1Adv | all |
| Allow | Internal -> External | CP343-1Adv | PC | all |
| Drop | Tunnel -> External | (empty) | PC | all |
| Allow | Tunnel -> Internal | (empty) | CP343-1Adv | S7 |
| Drop | Tunnel -> Internal | (empty) | CP343-1Adv | all |

In each case, enable Logging. Close the dialog box with OK.

Note The Security Configuration Tool automatically assigns a unique number to each firewall rule that has been created. When logging system and security events, the log row displays the associated number to better understand data communication.
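The rule list of Table 6-10 and the S7 service of Table 6-9, modelled as an added example that is not part of the Siemens document. It assumes the list is evaluated top to bottom with the first matching rule deciding, which is what the order Allow S7 before Drop all implies; the rule numbers, the service PG address 203.0.113.10 and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Symbolic names (section 6.2.3) with the addresses from Table 6-1.
SYMBOLIC = {"PC": "140.80.0.100", "CP343-1Adv": "192.168.0.2"}
# IP service definitions (Table 6-9): name -> (protocol, target port).
SERVICES = {"S7": ("TCP", 102)}


@dataclass(frozen=True)
class Rule:
    number: int              # constructed; SCT assigns its own rule numbers
    action: str              # "Allow" or "Drop"
    zones: Tuple[str, str]   # (from, to)
    src: Optional[str]       # symbolic name; None = field left empty
    dst: Optional[str]
    service: str             # "all" or a key of SERVICES


# Table 6-10, in the order given on the page.
RULES = [
    Rule(1, "Allow", ("External", "Internal"), "PC", "CP343-1Adv", "all"),
    Rule(2, "Allow", ("Internal", "External"), "CP343-1Adv", "PC", "all"),
    Rule(3, "Drop", ("Tunnel", "External"), None, "PC", "all"),
    Rule(4, "Allow", ("Tunnel", "Internal"), None, "CP343-1Adv", "S7"),
    Rule(5, "Drop", ("Tunnel", "Internal"), None, "CP343-1Adv", "all"),
]


@dataclass(frozen=True)
class Packet:
    zones: Tuple[str, str]
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if zone pair, both addresses and the service all fit the rule."""
    if rule.zones != pkt.zones:
        return False
    if rule.src is not None and SYMBOLIC[rule.src] != pkt.src_ip:
        return False
    if rule.dst is not None and SYMBOLIC[rule.dst] != pkt.dst_ip:
        return False
    return rule.service == "all" or SERVICES[rule.service] == (pkt.proto, pkt.dst_port)


def evaluate(pkt: Packet, rules=RULES):
    """Assumed first-match evaluation; returns (action, rule number)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return None, None        # no local rule matched; the device default applies


def shadowed(rules) -> List[int]:
    """Numbers of rules made unreachable by an earlier, broader rule."""
    hidden = []
    for i, later in enumerate(rules):
        if any(e.zones == later.zones and e.src in (None, later.src)
               and e.dst in (None, later.dst) and e.service in ("all", later.service)
               for e in rules[:i]):
            hidden.append(later.number)
    return hidden


SERVICE_PG = "203.0.113.10"  # constructed address for the service PG
CP = SYMBOLIC["CP343-1Adv"]
TRAFFIC = {                  # constructed packets for the scenarios
    "PC FTP": Packet(("External", "Internal"), SYMBOLIC["PC"], CP, "TCP", 21),
    "PG FTP": Packet(("Tunnel", "Internal"), SERVICE_PG, CP, "TCP", 21),
    "PG S7": Packet(("Tunnel", "Internal"), SERVICE_PG, CP, "TCP", 102),
    "PG to PC": Packet(("Tunnel", "External"), SERVICE_PG, SYMBOLIC["PC"], "TCP", 102),
}

if __name__ == "__main__":
    for name, pkt in TRAFFIC.items():
        print(f"{name:9} -> {evaluate(pkt)}")
    swapped = RULES[:3] + [RULES[4], RULES[3]]   # Drop all placed before Allow S7
    print("shadowed as configured:", shadowed(RULES))
    print("shadowed when swapped: ", shadowed(swapped))
```

With the two Tunnel -> Internal rules swapped, the Allow S7 rule can never match and the service PG loses STEP 7 access, so the order in the list is part of the policy.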


6.2.7 Loading and exporting the configuration files

Loading the configuration data differs depending on the security module. The following sections explain this step by step. To load the configuration data to the SCALANCE S623, proceed as follows:

Table 6-11

1. Save the configuration with any name (e.g., VPN_S623).
2. In the content area, select the SCALANCE S623 and select “Transfer > To module(s)…” or the appropriate button. Select Start to start loading. Wait until the “Transfer completed successfully” message appears.
3. The F LED changes from yellow orange to green. The SCALANCE S623 is now ready.

To export the configuration data of the SOFTNET Security Client, proceed as follows:

Table 6-12

1. In the content area, select the SOFTNET Security Client and select “Transfer > To module(s)…” or the appropriate button.
2. Select a storage location for the export files. The directory can be freely selected.
3. Assign a password to protect the private key of the certificate.


4. In the input box, enter the password and repeat it. Close the window with OK.
5. The following files are saved to the selected directory:
   - VPN_S623.SSC.dat
   - VPN_S623.<character>.SSC.p12
   - VPN_S623.Group1.cer

6.3 Configuring the DSL router

In this application, the SCALANCE S623 is a VPN server and, as a passive node, waits for connection establishment of the VPN client (SOFTNET Security Client). To ensure that the required data packets reach the SCALANCE S623, the DSL router – connected to the remote maintenance port (yellow) of the S623 – must be configured accordingly. For the configuration, no specific router is discussed as the screen forms differ from router to router. Most routers have a Web page for the configuration.

Table 6-13

| No. | Action | Remark/note |
|---|---|---|
| 1. | Open the configuration user interface of the router. | This can be additional software, “Telnet” or a Web page. |
| 2. | Enter the connection data for your Internet connection. | Login, password, etc. you received from your provider. |
| 3. | Disable dynamic DNS. | Your Internet access has a static IP address. |
| 4. | Enter your DNS server. | The address is generally provided together with the login data. |
| 5. | Assign an internal IP address to the router. | 172.16.0.1 |
| 6. | Turn off the DHCP server of the router. | A static IP address is assigned to the SCALANCE S and the PC. |
| 7. | Forward TCP/UDP ports 500 and 4500 to the same ports of the SCALANCE S. | TCP/UDP port 500 to TCP/UDP port 500 of 172.16.41.2 (IP address of the remote maintenance port). TCP/UDP port 4500 to TCP/UDP port 4500 of 172.16.41.2 (IP address of the remote maintenance port). |

Note Some routers feature the “IPsec Pass through” function. Enable this function (if it explicitly exists in your router) to support IPsec.


6.4 Configuring the FTP scenario

To operate the FTP scenario, the following components are necessary:
- In the internal network: CP343-1 Advanced V3 as an FTP server
- At the management level: FTP client software tool

Setting for the FTP clients (software-based)

This section does not provide step-by-step instructions as the configuration screen forms differ for the numerous FTP software tools available on the market. The following section lists the settings you have to make in your FTP client to access the FTP servers:
- The IP address of the FTP server is 192.168.0.2 (IP address of the CP343-1 Advanced V3 in the internal network).
- Passive mode is always used for the transfer setting.
- In this application, the login for the FTP servers is defined as follows:
  – User name: ftp_user
  – Password: ftp_user

Settings for the FTP server (CP343-1 Advanced V3)

All the information required for using FTP such as the login data for the FTP client is stored in the hardware configuration of the CP343-1 Advanced V3 in STEP 7.

Note If you want to use different data to log in to the FTP server, you can also change the login data.


6.5 Configuring the OPC scenario

Parameterizing the PC station

The OPC server is required for the “Production monitoring” scenario. In the supplied STEP 7 project, the PC station with the OPC server has already been configured accordingly. This configuration data is now loaded to the PC from the management level.

Table 6-14

1. On the PC, select “Start > Component Configurator” or the appropriate icon in the notification area of the Windows taskbar to open the Station Configuration Editor. Use the Import Station… button to load the configuration data of the PC station from STEP 7.
2. Navigate to the installation directory of the supplied STEP 7 project. In the XDBs folder, you will find the pcst_1.xdb file. Select this file and use the appropriate button to open it.


3. Confirm the PC station import with OK.
4. The configuration data of the PC station is loaded.
5. If the import is completed without error, the OPC server and the network adapter will be displayed with the RUN symbol. If the OPC server and / or the network adapter are in STOP mode, the Diagnostics tab will provide more information on the cause. Close the dialog box with OK.


6.6 Activating the VPN tunnel with the SOFTNET Security Client

Note It is assumed that the service PG has a configured Internet connection and access to the Internet.

Table 6-15

1. On the service PG, open the SOFTNET Security Client. Use Load Configuration to parameterize the SOFTNET Security Client.
2. Navigate to the configuration file and open the *.dat file you have previously created with the Security Configuration Tool.
3. Enter the password you assigned when exporting the configuration.
4. Activate the statically configured members.


5. The SOFTNET Security Client now attempts to establish a VPN tunnel to the SCALANCE S623. Use Tunnel Overview to view the current status.
6. If the tunnel has been established, the status changes from red to green.

6.7 Loading the controller

Table 6-16

1. On the management level PC, open the SIMATIC Manager and the STEP 7 project. Select the CPU and use the appropriate button to load the project to the controller.


7 Operation of the Application

7.1 Overview

The figure below shows the scenarios presented in this application:

Figure (image not reproduced). Labels: automation cell (PN CPU with CP343-1 Advanced V3, FTP server), SCALANCE S623, management level (PC: OPC server / client, FTP client, STEP 7), service station (service PC: STEP 7, VPN client, FTP client), access point. Data flows shown: STEP 7 function, FTP data, OPC variables, STEP 7 function.

Table 7-1

| No. | Application | Description | Enabled for ... |
|---|---|---|---|
| 1. | Productive data transfer | An FTP client can regularly request production data from the FTP server of the automation cell. | Management level |
| 2. | Production monitoring | An OPC application allows you to monitor and modify CPU variables. | Management level |
| 3. | Diagnostics | The STEP 7 (online) functions allow you to diagnose, monitor and load the automation cell. | Management level and service station |


7.2 Demonstration of the scenarios

Scenario 1: Productive data transfer

For productive data transfer, the management unit PC can access the CP343-1 Advanced V3 and read the DB184 data block mapped in a binary file. For the service PG, this function is blocked by the firewall.

Table 7-2

1. On the management level PC, open the FTP client.
2. Connect to the CP343-1 Advanced V3 (192.168.0.2). As login details, the user ftp_user and the password ftp_user were stored in the supplied STEP 7 project in the hardware configuration of the CP.
3. The file is stored on the file system of the CP343-1 Advanced V3 in the cpu1 folder.
4. Now you can access the file system and, for example, load the file to the FTP client.

Table 7-3

1. On the service PG, open your FTP client.
2. Try to connect to the CP343-1 Advanced V3.
3. The connection attempt is blocked by the firewall in the SCALANCE S623.


Scenario 2: Production monitoring

To monitor production, the OPC server from the management level regularly queries defined variables from the CPU in the internal network. Appropriate firewall rules in the SCALANCE S623 block this function for the service PG.

Table 7-4

1. On the PC, open the OPC Scout.
2. In Server Explorer, navigate to “Local COM server > OPC.SimaticNET”.
3. Open the local OPC server and navigate to “\SYM\Station1\CPU317-2 PN/DP”. Here you will find all data blocks from the STEP 7 project. Open, for example, the PROCESS_DATA data block. Select your desired variables and use drag and drop to move them to the Views area.
4. Use the Monitoring ON button to read the current variable values from the OPC server.


Scenario 3: Diagnostics

The application example is configured so that the service PG can connect to the internal network via a secure VPN tunnel. By enabling S7 communication (port 102) in the firewall, all respective data packets can pass. Therefore, the service PG user has the option to
- load STEP 7 projects to or from the controller.
- monitor and modify variables.
- perform online diagnostics.
- locate errors online and eliminate them if possible.

Table 7-5

1. On the service PG, open the SIMATIC MANAGER and the associated project.
2. Select the S7-300 station and load it to the CPU.
3. Select Station1 > CPU317-2 PN/DP > S7 Program > Blocks to open the variable table. Simulated process variables are stored in the variable table. Use the glasses icon or select “View > Monitor” to monitor the variables.


4. Open HW Config. Select the appropriate button to go to Online view.
5. In Online view, you will find the current status of the modules. Double-click on a module to be provided with more information.


8 References

This list is by no means complete and only presents a selection of related references.

References

Table 8-1

/1/ SIMATIC NET security: SIMATIC NET Industrial Ethernet Security Basics and application Configuration Manual. http://support.automation.siemens.com/WW/view/en/56577508
/2/ Getting Started: SIMATIC NET Industrial Ethernet Security Setting up security Getting Started. http://support.automation.siemens.com/WW/view/en/60166939
/3/ SCALANCE S V3: SIMATIC NET Industrial Ethernet Security SCALANCE S V3.0 Commissioning and Hardware Installation Manual. http://support.automation.siemens.com/WW/view/en/56576669
/4/ Siemens Industry Online Support. http://support.automation.siemens.com
/5/ What can you do if required modules are missing in the module catalog of the STEP 7 hardware configuration? http://support.automation.siemens.com/WW/view/en/29594775
/6/ Security with SIMATIC NET. http://support.automation.siemens.com/WW/view/en/27043887
/7/ Setting up a Demilitarized Zone (DMZ) with the Aid of the SCALANCE S623. http://support.automation.siemens.com/WW/view/en/22376747
Protection of an Automation Cell Using the SCALANCE S602 V3 Security Module via a Firewall (Bridge/Routing)
/8/ Security with SCALANCE S Modules over IPSec-secured VPN tunnels. http://support.automation.siemens.com/WW/view/en/22056713
/9/ Information on SIMATIC NET security. http://support.automation.siemens.com/WW/view/en/50203404
/10/ Manuals for SIMATIC NET security. http://support.automation.siemens.com/WW/view/en/18701555/130000

9 History

Table 9-1

| Version | Date | Modifications |
|---|---|---|
| V1.0 | 02/2013 | First version |