
Simatic Net: Industrial Ethernet Security Setting up security in STEP 7 Professional


DOCUMENT INFORMATION

Basic information

Format
Pages: 130
Size: 6.72 MB

Content

User interface and menu commands, firewall in advanced mode, and VPN for network linking are the main topics of the document "Simatic Net Industrial Ethernet Security: Setting up security in STEP 7 Professional". Readers are invited to consult the document as a source of further learning and research material.

SIMATIC NET
Industrial Ethernet Security
Setting up security in STEP 7 Professional
Getting Started
09/2014
C79000-G8976-C379-01

Chapters: Preface; User interface and menu commands; Basic configuration; Firewall in advanced mode; VPN for network linking

Legal information

Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION indicates that minor personal injury can result if proper precautions are not taken.
NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING: Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Industry Sector, Postfach 48 48, 90026 NÜRNBERG, GERMANY
C79000-G8976-C379-01 Ⓟ 09/2014 Subject to change
Copyright © Siemens AG 2014. All rights reserved.

Table of contents

Preface
2 User interface and menu commands
  2.1 User interface and menu commands
3 Basic configuration ... 15
  3.1 Configuring IP addresses for SCALANCE S ... 15
    3.1.1 Overview ... 15
    3.1.2 Set up SCALANCE S and the network ... 16
    3.1.3 Making IP settings for the PC ... 17
    3.1.4 Creating a project and security module ... 18
    3.1.5 Creating the security project ... 19
    3.1.6 Assigning IP addresses ... 19
    3.1.7 Downloading the configuration to SCALANCE S ... 21
  3.2 Configuring IP addresses for a CP ... 22
    3.2.1 Overview ... 22
    3.2.2 Making IP settings for the PC ... 23
    3.2.3 Creating a project and security module ... 24
    3.2.4 Creating the security project ... 25
    3.2.5 Assigning IP addresses ... 26
    3.2.6 Downloading the configuration to the security module ... 26
4 Firewall in advanced mode ... 29
  4.1 Global rule sets ... 29
    4.1.1 Overview ... 29
    4.1.2 Make the IP settings for the PCs ... 32
    4.1.3 Configuring the local firewall ... 33
    4.1.4 Configuring global firewall rule sets ... 35
    4.1.5 Downloading the configuration to the security module ... 37
    4.1.6 Testing firewall function ... 39
  4.2 Firewall rules for connections ... 45
    4.2.1 Overview ... 45
    4.2.2 Make the IP settings for the PCs ... 47
    4.2.3 Configuring the local firewall ... 49
    4.2.4 Configuring connection firewall rules ... 50
    4.2.5 Downloading the configuration to the security module ... 51
    4.2.6 Testing firewall function ... 52
  4.3 User-specific firewall ... 58
    4.3.1 Overview ... 58
    4.3.2 Make the IP settings for the PCs ... 59
    4.3.3 Configuring the local firewall ... 61
    4.3.4 Creating remote access users ... 61
    4.3.5 Configuring user-specific firewall rule sets ... 62
    4.3.6 Downloading the configuration to the security module ... 65
    4.3.7 Activating a user-specific firewall rule set ... 66
    4.3.8 Testing firewall function ... 67
  4.4 NAT ... 71
    4.4.1 Overview ... 71
    4.4.2 Making IP settings for the PC ... 73
    4.4.3 Configuring destination NAT and local firewall ... 75
    4.4.4 Downloading the configuration to the security module ... 77
    4.4.5 Testing NAT function ... 78
5 VPN for network linking ... 87
  5.1 VPN tunnel in the LAN between all security products ... 87
    5.1.1 Overview ... 87
    5.1.2 Make the IP settings for the PCs ... 89
    5.1.3 Creating SOFTNET Security Client module ... 91
    5.1.4 Configuring a VPN group ... 91
    5.1.5 Saving the SOFTNET Security Client configuration ... 93
    5.1.6 Downloading the configuration to the security module ... 93
    5.1.7 Set up a tunnel with the SOFTNET Security Client ... 95
    5.1.8 Testing the tunnel ... 96
  5.2 VPN tunnel SOFTNET Security Client and CPs or SCALANCE S ... 99
    5.2.1 Overview ... 99
    5.2.2 Make the IP settings for the PCs ... 101
    5.2.3 Creating SOFTNET Security Client module ... 103
    5.2.4 Configuring a VPN group ... 103
    5.2.5 Configuring VPN properties of the security module ... 105
    5.2.6 Saving the SOFTNET Security Client configuration ... 105
    5.2.7 Downloading the configuration to the security module ... 105
    5.2.8 Set up a tunnel with the SOFTNET Security Client ... 107
    5.2.9 Testing the tunnel ... 108
  5.3 VPN with SOFTNET Security Client and SCALANCE S as user-specific firewall ... 111
    5.3.1 Overview ... 111
    5.3.2 Make the IP settings for the PCs ... 113
    5.3.3 Creating SOFTNET Security Client module ... 115
    5.3.4 Configuring a VPN group ... 115
    5.3.5 Configuring VPN properties of the security module ... 117
    5.3.6 Configuring the local firewall ... 117
    5.3.7 Creating remote access users ... 118
    5.3.8 Configuring user-specific firewall rule sets ... 119
    5.3.9 Saving the SOFTNET Security Client configuration ... 122
    5.3.10 Downloading the configuration to the security module ... 122
    5.3.11 Set up a tunnel with the SOFTNET Security Client ... 124
    5.3.12 Activating a user-specific firewall rule set ... 126
    5.3.13 Testing the tunnel and firewall function ... 127

Preface

Getting results fast with Getting Started
Based on simple test networks, you will learn how to handle the security modules and the STEP 7 Professional configuration tool. You will soon see that you can implement the security functions of security modules in the network without any great project engineering effort. Based on a variety of security examples, you will be able to implement the basic functions of the security modules and the SOFTNET Security Client.

IP settings for the examples
Note: The IP settings in the examples are freely selected and do not cause any conflicts in the isolated test network. In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Validity of this Getting Started
Configuration software:
● STEP 7 Professional V13
Products:
● SCALANCE S
  – SCALANCE S602, order number: 6GK5 602-0BA10-2AA3
  – SCALANCE S612, order number: 6GK5 612-0BA10-2AA3
  – SCALANCE S623, order number: 6GK5 623-0BA10-2AA3
  – SCALANCE S627-2M, order number: 6GK5 627-2BA10-2AA3
● CPs
  – CP 343-1 Advanced GX31 as of V3.0, order number: 6GK7 343-1GX31-0XE0
  – CP 443-1 Advanced GX30 as of V3.0, order number: 6GK7 443-1GX30-0XE0
  – CP 1543-1 as of V1.1, order number: 6GK7 543-1AX00-0XE0
  – CP 1243-1, order number: 6GK7 243-1BX30-0XE0
● VPN client software
  – SOFTNET Security Client as of V4.0, order number: 6GK1 704-1VW04-0AA0
Windows:
● All the examples are implemented with Windows. For this reason, the path information of Windows is also described.

General terminology "security modules"
In this documentation, the following products are grouped together under the term "security module": SCALANCE S602 / SCALANCE S612 / SCALANCE S623 / SCALANCE S627-2M / CP 343-1 Advanced GX31 / CP 443-1 Advanced GX30 / CP 1243-1 / CP 1543-1. The CPs 343-1 Advanced GX31 and 443-1 Advanced GX30 are called "CP x43-1 Adv.". The CPs 1243-1 and 1543-1 are called "CP 1x43-1".

General use of the term "STEP 7"
The configuration of the security functions used in this manual is supported as of STEP 7 Professional V13. In the rest of the document this is simply called "STEP 7".

Use of the terms "interface" and "port"
In this documentation, the ports of security modules are named as follows:
● "External interface": The external port of the SCALANCE S602 / S612 / S623 or an external port of the SCALANCE S627-2M
● "Ethernet interface": The external port of the CP x43-1 Adv. / CP 1x43-1
● "Internal interface": The internal port of the SCALANCE S602 / S612 / S623 or an internal port of the SCALANCE S627-2M
● "PROFINET interface": The internal port of the CP x43-1 Adv.
● "DMZ interface": The DMZ port of the SCALANCE S623 / S627-2M
The term "port" itself is used when the focus of interest is a specific port of an interface.

IP addresses of the security modules in the configuration examples
When downloading a configuration to a security module, the IP address via which the interface can currently be reached must always be specified. In the configuration examples in this manual, it is assumed that the IP addresses of the configuration are identical to the current IP addresses of the security modules.

If you want to know more
You will find further information on the topic of "Industrial Ethernet Security" in the information system of STEP 7 (online help). The information system of STEP 7 also supports you during configuration and programming of your automation system. You will find hardware descriptions and installation instructions in the documents relating to the individual modules.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens strongly recommends that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity. To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

2 User interface and menu commands

2.1 User interface and menu commands

User interface for security functions in STEP 7

① Global security settings
The global security settings are located in the project navigation. These security settings can be configured independently of the module and subsequently assigned to individual security modules as required. If the first security module to be configured is a CP, the global security settings are only displayed when the security functions have been enabled in the local security settings of the CP. If the first security module to be configured is a SCALANCE S module, the global security settings are displayed after logging in to the security project. The following main folders and entries are available in the global security settings:
• User login: For the security configuration within a project, there is a separate user management. Log in to the security configuration using the "User login" entry. The first time that there is a login to the security configuration, a user with the system-defined role "Administrator" is created automatically. You can create further users in the security configuration in the user management.
• User administration: In user administration, you can create users, define rights for roles and assign these roles to users.
• Certificate manager: In the certificate manager, you see an overview of all the certificates used in the project. You can, for example, import new certificates as well as export, modify or replace existing certificates.
• Firewall: Under the "Firewall" entry, you can define global IP and MAC firewall rule sets and user-specific IP rule sets (SCALANCE S modules only) and assign them to security modules. IP and MAC service definitions are used to define the IP and MAC firewall rules compactly and clearly.
• VPN groups: All created VPN groups are contained in this folder. You can create new VPN groups here and assign security modules to these VPN groups. You can also adapt the properties of VPN groups that have already been created.
• NTP: Here, you can create NTP servers and assign them to one or more security modules. This ensures that time synchronization is performed through the assigned NTP server. Unsecured NTP servers can only be configured in the local security settings.

5.3 VPN with SOFTNET Security Client and SCALANCE S as user-specific firewall

In the "Packet filter log" menu, click the "Start reading" button.
Result: The unauthorized connection attempts from the test phase were recorded in the packet filter log and will be displayed as follows:
Figure 5-15 Display of the unauthorized connection attempts

Posted: 12/02/2020, 20:51
