2. Security Services
2 Security Services
The security module has two Ethernet interfaces, one to the internal network which is protected, and the other one to the external network. The interfaces are easily recognizable by a color marker in green and red color. The processor is an Intel IXP425, it supports AES,
2.1Assumptions
Assumptions were made for the security module in a way to suffice the special needs of automation networks. The internal network is assumed to be confidential. It is assumed that the authorized users are trustworthy and are trained in order to operate the module correctly. However, the configuration is supposed to be as simple as possibly.
Furthermore, it is assumed that the module is physically secure. The module only provides a basic protection if an attacker has physical hand on the device and can exchange the device with a manipulated device or exchange the removable media.
There is no content filter available in the security module. For the protection against malicious contents such as viruses and Trojan horses, etc. a virus scanner and/or content filter must be added.
To keep the automation network running the reliability and robustness are at first place even before the security aspects. Hence, with respect to security restrictions were accepted in some default settings.
2.2System
The security module is based on a firewall and a virtual private network (VPN). The firewall works as a packet filter and the VPN is based on IPsec. SSL is only used to protect the communication for configuration of the Scalance devices. The device incorporates a bridge that enables installing the security device without having to change any settings in the existing network regarding the IP addresses, subnet masks, and routers.
2.2.1 Firewall
In order to protect the internal network, only communication channels between devices from the external network and the internal network that are defined in advance are allowed. This task is carried out by a packet filter working on layer 2
escrypt GmbH | 6 |
