Siemens Version: 1.2 manual Security Services, Assumptions, System, Firewall

Page 6

2. Security Services

2 Security Services

The security module has two Ethernet interfaces, one to the internal network which is protected, and the other one to the external network. The interfaces are easily recognizable by a color marker in green and red color. The processor is an Intel IXP425, it supports AES, SHA-1, MD5, DES and 3DES in hardware. RSA is implemented in software.

2.1Assumptions

Assumptions were made for the security module in a way to suffice the special needs of automation networks. The internal network is assumed to be confidential. It is assumed that the authorized users are trustworthy and are trained in order to operate the module correctly. However, the configuration is supposed to be as simple as possibly.

Furthermore, it is assumed that the module is physically secure. The module only provides a basic protection if an attacker has physical hand on the device and can exchange the device with a manipulated device or exchange the removable media.

There is no content filter available in the security module. For the protection against malicious contents such as viruses and Trojan horses, etc. a virus scanner and/or content filter must be added.

To keep the automation network running the reliability and robustness are at first place even before the security aspects. Hence, with respect to security restrictions were accepted in some default settings.

2.2System

The security module is based on a firewall and a virtual private network (VPN). The firewall works as a packet filter and the VPN is based on IPsec. SSL is only used to protect the communication for configuration of the Scalance devices. The device incorporates a bridge that enables installing the security device without having to change any settings in the existing network regarding the IP addresses, subnet masks, and routers.

2.2.1 Firewall

In order to protect the internal network, only communication channels between devices from the external network and the internal network that are defined in advance are allowed. This task is carried out by a packet filter working on layer 2

19-Aug-05

escrypt GmbH

6

Image 6
Contents Version Date 19-Aug-05 Index VPNExecutive Summary Introduction External network internal networkIntroduction System Security ServicesAssumptions Firewall2 VPN Firewall function of the security moduleRemovable Media C-Plug VPN-function of the Security-moduleFirmware Update Configuration ManagementFirst Initiation User ManagementLearning Key Management Security Analysis 1 VPNFirewall Operating System Web ServerConfiguration Time Synchronization and LoggingConfiguration Files BridgeSummary References