
Siemens AG

SPPA-T3000 Security Manual

T3000 Security Manual V1.0.3 1-1 24.01.2008

© Siemens AG 2007 All Rights Reserved

Contents

1 Introduction ... 1-4
1.1 Purpose of the document ... 1-4
1.2 Target group ... 1-4
1.3 Required knowledge ... 1-4
2 T3000 introduction; approx. 10 pages ... 2-5
2.1 Standard architecture ... 2-5
2.2 Components of SPPA-T3000 (Thin Client, Application Server, Automation Server S7, Automation Server CM, Time Server, Firewalls, Router for Multi-Unit, Switches) ... 2-6
2.2.1 User interfaces - Thin Clients ... 2-7
2.2.2 Power server – Application Server ... 2-7
2.2.3 Power server – Automation Server S7 ... 2-8
2.2.4 Power server – Automation Server CM104 ... 2-9
2.2.5 Time server ... 2-9
2.2.6 Process interfaces ... 2-9
2.2.7 Network components ... 2-10
2.2.7.1 Ethernet components ... 2-10
2.2.7.2 Profibus ... 2-10
2.2.7.3 Routers and firewalls ... 2-11
2.3 Networks (Application Highway, Automation Highway, Backbone Highway, DMZ) ... 2-12
2.3.1 Standard network topology for Application and Automation Highways ... 2-12
2.3.1.1 Redundancy manager (RM) ... 2-13
2.3.1.2 Observer (for OSM/ESM) ... 2-14
2.3.2 Application Highway ... 2-15
2.3.3 Automation Highway ... 2-16
2.3.4 Backbone highways ... 2-17
2.3.5 The DMZ network ... 2-18
2.3.5.1 DMZ sample variants in detail ... 2-19
2.4 Variants (small, standard, multi-unit configuration) ... 2-21
2.4.1 Small system ... 2-21
2.4.2 Standard system ... 2-21
2.4.3 Multi-unit system ... 2-23
2.5 Software ... 2-24
2.5.1 Software architecture ... 2-24
2.5.1.1 Software component categories ... 2-24
2.6 Crossover to the "outside world" ... 2-26
3 Coarse/overriding security concept ... 3-27
3.1 Security cells ... 3-27
3.2 Communication rule: Everything is prohibited unless explicitly permitted ... 3-28
3.3 "Reinforcing" the Thin Clients of the Control system ... 3-28
3.4 Thin Clients outside the security cell "Control system" ... 3-29
4 Scenarios for Remote Service Access ... 4-30
4.1 General observations on Remote Service ... 4-30
4.1.1 Comparison of external Terminal Servers and combined Thin Clients / terminal servers ... 4-30
4.1.2 File transfer using RDP and SSH ... 4-30
4.2 Service access to SPPA-T3000 ... 4-31
4.2.1 Service access to SPPA-T3000 via Customer Access Gateway (CAG) ... 4-32
4.2.1.1 Service access via CAG through dial-up connection (ISDN or POTS*) or internet ... 4-32
4.2.2 Service access via Customer Owned Gateway (COG) ... 4-38
4.2.2.1 Service access through COG via dial-up connection (ISDN) ... 4-38
4.2.2.2 Service access through COG via internet VPN connection ... 4-38
4.3 Connection of SPPA-T3000 to an intranet ... 4-44
4.3.1 Thin Client in the intranet with access to SPPA-T3000 ... 4-45
4.4 SPPA-T3000 connection to the internet ... 4-49
4.4.1 Thin Client in the internet ... 4-49
4.5 Wireless Thin Clients in the control station and power station ... 4-51
4.5.1 Administration of the wireless Access Point ... 4-53
4.6 Third party system connection via OPC ... 4-54
4.6.1 OPC server/client system in the client intranet ... 4-55
4.6.2 OPC server/client system in the DMZ with access by external PI system in the client intranet ... 4-57
4.7 Third party system connection via Modbus ... 4-58
4.7.1 Modbus TCP connection via CM104 ... 4-58
5 Annexes ... 5-60
5.1 VPN details for Remote Service Access via cRSP ... 5-60
5.1.1 IPSec details on establishing a VPN tunnel via the internet to the cRSP ... 5-61
5.1.2 Configuration of the Cisco VPN client software ... 5-62
5.2 Applications and ports for the communication with SPPA-T3000 ... 5-63
5.3 Sample loading times for a workbench via DSL ... 5-64
6 Glossary ... 6-65


1 Introduction
1.1 Purpose of the document
The T3000 Security Manual contains information, notes and guidelines for the planning and implementation of external access to T3000 systems.

It describes standards of a binding nature which ensure a high degree of security for the T3000 systems and the related plant operation.

Some typical scenarios for the connection of external clients to T3000 systems are illustrated and dealt with in detail.

The T3000 Security Manual serves as:

• the information source for distributors and clients who want to know "how security is implemented in the T3000"
• guide for planning and project design
• reference for implementation
• instruction for the network administration

The aim is to establish a common basis for the cooperation of network administrators of company networks and of automation networks.

1.2 Target group

The T3000 Security Manual is aimed at
• Clients
• Distributors
• Planners
• Network administrators

1.3 Required knowledge

The information contained in the T3000 Security Manual is at times very specific. Therefore, some knowledge of network administration would be an advantage.


2 T3000 introduction; approx. 10 pages

2.1 Standard architecture

The SPPA-T3000 standard architecture is formed from 3 functional levels connected via networks.

• Presentation Tier
• Processing Tier
• Data Tier

Figure 1: SPPA-T3000 levels (functional levels and hardware)


2.2 Components of SPPA-T3000 (Thin Client, Application Server, Automation Server S7, Automation Server CM, Time Server, Firewalls, Router for Multi-Unit, Switches)

Overview

User interfaces
• Thin Clients with web browser
• Standard PCs, workstations, notebooks

Power server
• Application Server
  o ft server
  o non-ft server
• Automation Servers
  o S7
  o CM104

Process interfaces
• I/O modules
• Special I/O modules

Networks
• Ethernet network with TCP/IP (switches)
• PROFIBUS DP fieldbus

Additional systems
• Time server
• Router
• Firewalls


2.2.1 User interfaces - Thin Clients

Thin Clients form the interface between users and the functions of SPPA-T3000. In principle every computer with a web browser can access the web applications via the local network, an intranet or via the internet. No particular applications need to be installed on the desktop system for this purpose.

Benefit
• Existing IT infrastructure can be used
• Easy workstation configuration for process control applications
• No engineering or process data are stored on the Thin Client
• Only a single input device (mouse, keyboard) for up to four monitors

2.2.2 Power server – Application Server

Stratus ft Application Server 4300 (Aria)

Highly available, online-maintainable Application Server
• Standard operating system (Microsoft Windows Server)
• High-performance server (dual Intel Xeon processor)
• Dual module redundancy (DMR)


Figure 2: Ring structure

2.3.1.1 Redundancy manager (RM)

Networks on Ethernet basis usually have a bus, tree or star topology.
For the ring structure used here a redundancy manager is required. The redundancy manager is a specially configured switch module which converts the physically closed ring structure into a virtual bus structure and monitors the ring for interruptions. For this purpose port 8 of the RM is deactivated for sending and receiving user data; at the RM the ring structure is thus "open".
For every separate ring a separate RM is mandatory.
The ring is monitored via ring test telegrams which the redundancy manager sends into the ring in both directions, including via port 8.

Figure 3: Test telegram flow in the ring

Bild 3 Test telegram flow in the ring


An interruption in the ring exists if at least one of the two ring test telegram streams is interrupted. The RM then re-activates its port 8 for user data, and the 2 bus segments resulting from the interruption are reconnected. For <= 50 switch modules in the ring, a ring interruption is bridged in this way within 0.3 s.

Figure 4: RM activation

The ring test telegram streams remain interrupted until the ring structure has been restored. When both ring test telegram streams are received again, the RM re-"opens" the closed ring structure and the standard topology is restored.

2.3.1.2 Observer (for OSM/ESM)

The redundancy manager is a vital ring component. An RM malfunction, e.g. activating port 8 without an interruption in the ring structure, would close the ring into a loop and result in a significant increase in the bus load in the ring. The performance of the affected network would be reduced considerably.
For this reason a monitoring function for the redundancy manager is provided: the observer.
The observer monitors the function of the RM and can open the ring on its behalf during a malfunction causing the improper closing of the ring.
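The RM and observer behaviour described in 2.3.1.1 and 2.3.1.2 can be checked with a small simulation. The following is an added example for this manual, not Siemens code: it models a ring of switches, an RM that blocks its port 8 for user data while both test-telegram streams arrive, and the observer's "ring closed without a fault" check. The switch count, the RM position and the failure scenarios are constructed for illustration.

```python
"""Ring redundancy as a small simulation (added example, not Siemens code).

Switch 0 is the redundancy manager (RM).  Link i joins switch i and switch
(i + 1) % n, so link n-1 is the one that closes the ring back onto the RM's
port 8.  The scenarios below are constructed for illustration.
"""
from collections import deque


class Ring:
    def __init__(self, n_switches: int):
        self.n = n_switches
        self.failed_links: set[int] = set()   # physically interrupted links
        self.port8_active = False             # RM blocks port 8 for user data

    @property
    def port8_link(self) -> int:
        return self.n - 1

    def test_telegrams_ok(self) -> bool:
        """The RM sends test telegrams in both directions (including via
        port 8); both streams return only if no link is interrupted."""
        return not self.failed_links

    def rm_update(self) -> None:
        """RM rule from the manual: activate port 8 for user data as soon as
        one test-telegram stream is interrupted; block it again once both
        streams are received."""
        self.port8_active = not self.test_telegrams_ok()

    def user_links(self) -> set[int]:
        """Links that currently carry user data."""
        links = set(range(self.n)) - self.failed_links
        if not self.port8_active:
            links.discard(self.port8_link)  # blocked port: the ring is "open"
        return links

    def _components(self, links: set[int]) -> int:
        adj = {s: [] for s in range(self.n)}
        for link in links:
            a, b = link, (link + 1) % self.n
            adj[a].append(b)
            adj[b].append(a)
        seen, comps = set(), 0
        for start in range(self.n):
            if start in seen:
                continue
            comps += 1
            queue, _ = deque([start]), seen.add(start)
            while queue:
                u = queue.popleft()
                for v in adj[u]:
                    if v not in seen:
                        seen.add(v)
                        queue.append(v)
        return comps

    def connected(self) -> bool:
        """All switches can still exchange user data (virtual bus intact)."""
        return self._components(self.user_links()) == 1

    def has_loop(self) -> bool:
        """A graph with c components needs only n-c edges to be a forest;
        any more edges means a closed loop in which frames circulate."""
        links = self.user_links()
        return len(links) > self.n - self._components(links)

    def observer_alarm(self) -> bool:
        """Observer check: the RM has activated port 8 although no link is
        interrupted, i.e. it has improperly closed the ring."""
        return self.port8_active and self.test_telegrams_ok()


def scenario(n: int, failed: set[int], rm_broken: bool = False) -> dict:
    """Run one scenario and report what the RM did and what resulted."""
    ring = Ring(n)
    ring.failed_links = set(failed)
    ring.rm_update()
    if rm_broken:
        ring.port8_active = True  # simulated RM malfunction
    return {
        "port8_active": ring.port8_active,
        "connected": ring.connected(),
        "loop": ring.has_loop(),
        "observer_alarm": ring.observer_alarm(),
    }


if __name__ == "__main__":
    for name, kw in [
        ("healthy ring", dict(failed=set())),
        ("one link down", dict(failed={3})),
        ("port-8 link down", dict(failed={7})),
        ("two links down", dict(failed={3, 5})),
        ("RM malfunction", dict(failed=set(), rm_broken=True)),
    ]:
        print(f"{name:16s} {scenario(8, **kw)}")
```

Running the scenarios shows why the ring is called 1-fault tolerant: a single interrupted link, including the one on port 8, leaves all switches connected once the RM activates port 8, while two interruptions partition the ring. The RM-malfunction case produces a loop without any physical fault, which is exactly the condition the observer raises an alarm on.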


2.3.2 Application Highway

The Application Highway connects the components of the display level. It enables the communication between the Thin Clients, network printers, Application Servers, backbone (for multi-unit) and internal firewall.
The Application Highway is designed as a 1-fault tolerant ring.
All operationally relevant components are designed redundant in their communication interfaces and CPUs, or exist in multiples. Connection to the Application Highway is made in such a way that no two components of a system redundancy are connected to the same network component. This ensures that communication can continue via the remaining connection even when a network component fails. Multiple non-redundant systems (e.g. Thin Clients) are distributed over different network components for connection purposes. Non-redundant systems which exist only once (e.g. internal firewall) can be plugged over onto a different network component should a component fail.

Systems at the Application Highway

System                            | Redundant design | Notes
Application Server                | yes              |
Thin Clients                      | no               | multiple existence
Printer                           | no               | multiple existence
internal firewall                 | no               |
Connection to the backbone router | yes              | optional for multi-unit

Figure 5: System connection to the Application Highway


2.3.3 Automation Highway

The Automation Highway connects the components of the processing level. It enables the communication between Automation Servers, Application Servers, time servers and backbone (for multi-unit).
The Automation Highway is designed as a 1-fault tolerant ring.
All operationally relevant components are designed redundant in their communication interfaces and CPUs. Connection to the Automation Highway is made in such a way that no two components of a system redundancy are connected to the same network component. This ensures that communication can continue via the remaining connection even when a network component fails. Multiple non-redundant systems (e.g. the 2 time servers) are connected, like the redundant systems, to different network components. Non-redundant systems which exist only once (e.g. CM104) can be plugged over onto a different network component should a component fail.

Systems at the Automation Highway

System                            | Redundant design | Notes
Application Server                | yes              |
Automation Server S7              | yes              |
Automation Server CM104           | yes/no           |
Time server *                     | no               | exists twice
Connection to the backbone router | yes              | optional for multi-unit

* For multi-unit systems with backbone the time servers are connected to the automation backbone

Figure 6: System connection to the Automation Highway


Runtime container
Management and execution
• Automation functions including processing functions
• Hardware proxies
• Management proxies
• Connections between the two
• Scheduling
• Deterministic cycle time
• Execution management

Process automation functions run on Automation Servers (CPU); the non-real-time information functions are realized on Application Servers.

Automation functions
Components with standardized interfaces

Offers the following main functions
• Automating tasks, e.g. drives, controls, adjustments, calculations and processing functions
• User interface
• Message management
• Diagnosis interface
• Engineering interface
• Execution management

Connection to other automation functions via LT input and output (LT IN/OUT)

Hardware proxy
Represents an I/O module
• Ensures the integration of the raw input data to/from the LT interface (LT IN/OUT)
• Monitors field devices
• Collects diagnosis information about field devices
• Integration and data conversion between raw data and LT interface configurable by the user
• Implements communication protocol with a field device

Management proxy
Coordination of all software components and services

Provides the following main functions
• SPPA-T3000 system services
• Operating system
• Server components
• Network communication
• Field device communication

Connects to other automation functions or proxies via I&C input and output

2.6 Crossover to the "outside world"

As already described in the previous chapters, the SPPA-T3000 system includes 3 functional levels:
• Presentation Tier
• Processing Tier
• Data Tier
Combined, the systems of these levels form the control system.
Access by external systems to the control system is subject to strict rules which are described in more detail in the following chapters.
"External" or "outside world" includes all systems which are not part of the control system but are to have access to it. Access by these systems can be via:

• DMZ network (optional)
• Client intranet
• Internet
• Dial-in

Figure 15: Crossover to "external" (client intranet, dial-in or internet, firewall, SPPA-T3000 control system with Application Server, optional Terminal Server, optional OPC server/client, optional WIN TS and Automation Server)


Access to the security cell "Control system" from outside always takes place via at least one firewall system. If a DMZ network is present, the crossover to the outside is implemented via additional firewalls and router/firewall combinations.

Figure 16: Crossover to "external" with DMZ network (client intranet, dial-in or internet, outside firewall, DMZ net, inside firewall, SPPA-T3000 control system; Application Server, Terminal Server, optional OPC server/client, optional WIN TS, Automation Server)

The framework conditions necessary for the DMZ network could be, e.g.:
• Project requirements
• Client security policy

3 Coarse/overriding security concept

The SPPA-T3000 security concept includes the following sub-areas:

• Security cells and access points
• Secured network access to the security cells
• Network management
• Computer, user and access right management
• Time synchronization

3.1 Security cells
A basic idea of the SPPA-T3000 security concept is based on security cells with different security levels. The cells can be structured hierarchically and the security levels can be reduced from the inside to the outside from "secure" to "not secure".

Rules for the division into security cells

• Partial systems which can be operated for some time without being connected to the remainder of the system
• Direct connection of all components (e.g. no leased lines)
• Separation in space
• Defined access to or from

• Access only after check, logging and monitoring
• Access only for trusted individuals with appropriate training

The inner cells consist of the Application and Automation Servers; the next cell includes the Thin Clients. Together they then form the security cell "Control system".
All other cells outside the control system are considered less secure.

(Figure: security cells Field, Automation, Application, Control System, DMZ Net, Intranet, Internet and External Thin Client)

The optional security cell DMZ Net is switched between the security cell Control system and the non-secure cell intranet/internet. All access to the security cell Control system is then directed via the security cell DMZ Net. The DMZ Net contains systems which communicate externally and internally.

3.2 Communication rule: Everything is prohibited unless explicitly permitted

For access to the security cells Control system and optional DMZ Net a restrictive basic approach is used:
Everything is prohibited unless explicitly permitted!

In the firewalls of the optional DMZ Net and the Control system the source and target address and the communication port used are checked; a connection that matches none of the explicitly permitted source/target/port combinations is dropped. In future, application level firewalls may also be used.

3.3 "Reinforcing" the Thin Clients of the Control system
The Thin Clients in the security cell "Control system" provide the operator workstations. This "physical contact" between man and system implies an increased security risk. For this reason the Thin Clients are specifically configured and locked for functions which are not required for normal control operation. This ensures that the Thin Client is not modified in a way which could affect the Thin Client itself or other systems in the Control system.
Only "reinforced" Thin Clients may be used in the security cell "Control system".

A Thin Client is "reinforced" for operation in the security cell "Control system" on 3 levels:

Hardware
• Disabling integrated drives and interfaces
• Locked installation location of the Thin Client hardware. Only monitor, keyboard and mouse are accessible to the operator.

Firmware
• Setup of a BIOS password

Software
Strict limitation of the Thin Client functionality ("locking") for the user "operator", e.g.

• Automatic start of the web browser with login screen for the control technology application
• No starting of other websites
• No installation of additional software possible
• No starting of other applications
• No login possible under different user names
• No autostart of any drives present (e.g. CD-ROM)
• No access to external drives and USB memories
• No icons, no start button, no task manager, no explorer

Note: The above limitations do not apply to the user "administrator".

3.4 Thin Clients outside the security cell "Control system"
Thin Clients outside the security cell "Control system", e.g. in the client intranet, pose a security risk. In addition to the access restrictions to the security cell "Control system", external Thin Clients must meet the minimum requirements below:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client


4 Scenarios for Remote Service Access

The following chapters describe various typical connection scenarios with SPPA-T3000.

4.1 General observations on Remote Service

For external service access via WAN or internet, the access must always be via a Terminal Server (TS) using Microsoft Terminal Services (MS-TS). Access cannot be gained directly via the Application Server(s).
The Terminal Server is either a Thin Client at the Application Highway or a server in the DMZ. In the case of a Thin Client as Terminal Server only a remote session is possible; the local session must be logged out.
If more than one terminal session is to be allowed at the Terminal Server, standard server hardware and a server operating system must be used.
The only exception to this rule are the SSH-based applications (Secure Shell, SFTP and SCP), which, exclusively for service purposes, may also run directly on the Application Server and Thin Clients.

4.1.1 Comparison of external Terminal Servers and combined Thin Clients / terminal servers

Property                              | External Terminal Server                                            | Combined TC / TS
Location                              | outside the security cell Control System                            | inside the security cell Control System
Security                              | more secure, because it is outside the security cell Control System | less secure, because it is inside the security cell Control System
Number of sessions                    | several; dependent on computing power                               | 1 session, either local or remote
Number of workbenches to be connected | several; dependent on computing power                               | 1

4.1.2 File transfer using RDP and SSH

File transfer is an important application between the service center and the Control system. Diagnosis data, patches, virus pattern updates etc. are frequently transferred in both directions.
Microsoft Terminal Services (MS-TS) is one of the main service applications and also offers a file transfer option: resources, e.g. the client drives, are connected to the server. When using the cRSP the MS-TS client runs on CAT clients in the intranet. When using the drive connection via MS-TS, all network drives and any inserted USB drives at the CAT client would be connected to the server. This situation cannot be modified administratively and poses a high security risk for the server. For this reason the connection of drives via MS-TS is prohibited.

As an alternative, file transfer via SSH is used. On Application Servers and Thin Clients an SSH program will be installed or enabled in future.

SSH File Transfer Protocol (SFTP) permits secure data transfer and data access on remote systems.
Secure Copy (SCP) ensures the confidentiality, integrity and authenticity of the transferred data; for this it relies on SSH.

T3000 Security Manual V1.0.3 4-30 24.01.2008


© Siemens AG 2007 All Rights Reserved
Siemens AG

4.3.1 Thin Client in the intranet with access to SPPA-T3000

The client intranet is considered an "untrusted area". Access by Thin Clients from within the client intranet
must therefore be secured separately.
A Thin Client can have access to the SPPA-T3000 Application Server via a Terminal Server in the DMZ.

Figure 27 Connection of a Thin Client in the intranet to SPPA-T3000


Communication relationships via the client firewall

Permissions required in the client firewall

Application             Connection direction    Source IP   Target IP   Protocol / target port
Terminal session MS-TS  TC -> Terminal Server   TC IP       TS IP       RDP, TCP 3389

Communication relationships between TS in the DMZ and Control System

Permissions required at the "inside firewall", the access to the security cell "Control System"

Application            Connection direction             Source IP        Target IP        Protocol / target port
Workbench connection   Terminal Server -> Appl. server  TS IP            Appl. Server IP  HTTPS, TCP 443
RMI registry           Terminal Server -> Appl. server  TS IP            Appl. Server IP  RMI, TCP 1099
RMI communication      Terminal Server -> Appl. server  TS IP            Appl. Server IP  RMI, TCP 50000-50050
RMI to Workbench*      Appl. Server -> Terminal Server  Appl. Server IP  TS IP            RMI, TCP 50000-50009
* outgoing connection


Option: Thin Client access via VPN Client Connection

The Thin Client in the client intranet must first establish a VPN connection (VPN tunnel) to the inside
firewall (router/firewall) in the DMZ. The inside firewall acts as VPN gateway.
The HTTPS and RMI connections are then channeled through this protected tunnel.
The Thin Client in the client intranet must meet the requirements in chapter 3.5.

Conditions for the establishment of a VPN tunnel between TC and inside firewall:
• TC: VPN Client Software (Cisco VPN Client) installed and configured, for
configuring the Cisco VPN Client see "appendix"
• Inside firewall: Configuration as VPN gateway

Figure 28 Connection of a Thin Client in the client intranet to SPPA-T3000 via VPN Client Connection


Communication relationships via the client firewall

Permissions required in the client firewall

Application                                      Connection direction  Source IP  Target IP                           Protocol / target port
Establishment of VPN connection, key management  TC -> VPN Gateway     TC IP      VPN gateway on the inside firewall  ISAKMP, UDP 500
IPSEC NAT Transparency                           TC -> VPN Gateway     TC IP      VPN gateway on the inside firewall  UDP 10000
IPSEC Tunnel Encapsulation                       TC -> VPN Gateway     TC IP      VPN gateway on the inside firewall  ESP

Communication relationships between TC in the client intranet and the VPN gateway in the inside
firewall

Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Application communication

Re 1, establishing the tunnel

Application                                      Connection direction  Source IP  Target IP                           Protocol / target port
Establishment of VPN connection, key management  TC -> VPN Gateway     TC IP      VPN gateway on the inside firewall  ISAKMP, UDP 500
IPSEC NAT Transparency                           TC -> VPN Gateway     TC IP      VPN gateway on the inside firewall  UDP 10000
IPSEC Tunnel Encapsulation                       TC -> VPN Gateway     TC IP      VPN gateway on the inside firewall  ESP

Re 2, application communication

Application                 Connection direction  Source IP                 Target IP                 Protocol / target port
Workbench HTTPS connection  TC -> Appl. server    VPN-Client IP of the TC*  Appl. Server IP           HTTPS, TCP 443
RMI reg                     TC -> Appl. server    VPN-Client IP of the TC*  Appl. Server IP           RMI, TCP 1099
RMI com.                    TC -> Appl. server    VPN-Client IP of the TC*  Appl. Server IP           RMI, TCP 50001-50050
RMI to Workbench**          Appl. server -> TC    Appl. Server IP           VPN-Client IP of the TC*  RMI, TCP 50000-50001***
* allocated by the VPN gateway
** outgoing connection
*** Expandable up to 50009 if required (e.g. multi-unit)


4.4 SPPA-T3000 connection to the internet

The connection of SPPA-T3000 to the internet may be required for the following reasons:
• Access for client personnel
• Access for third parties

The use of the internet by Siemens remote service has already been covered in chapter 4.1. That chapter
also defined that the internet access via the Customer Access Gateway CAG (the internet is connected
directly to the DMZ Net via the CAG) may only be used for service via cRSP.
It follows that access by client personnel and third parties to SPPA-T3000 must be carried out via a
separate internet access.

A connection over the internet uses public resources; therefore mechanisms for the security of the
transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packets are encrypted using 3DES* encryption.

4.4.1 Thin Client in the internet

In addition to the Remote Service via the internet it may also be necessary to connect individual Thin
Clients over the internet to SPPA-T3000, e.g. client personnel working from home.
The client must provide the corresponding access for this purpose. This gateway forms the access point
for individual systems via internet or dial-in.
The internet is considered an "untrusted area". Therefore, access by a TC from the internet must be
especially secure. The TC in the internet must first establish a VPN connection (VPN tunnel) to the client
gateway. Protected by this VPN tunnel, an MS-TS connection to the Terminal Server in the DMZ can be
made. No direct access to SPPA-T3000 systems from the internet is permitted.

The Thin Client in the internet must meet at least the following requirements:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client


Figure 30 Connection of wireless Thin Clients to SPPA-T3000 via WLAN and VPN tunnel

Communication relationships between wireless Thin Client (wTC) and the VPN gateway in the
inside firewall
Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Communication by the application(s)

Re 1, establishing the tunnel

Application                                      Connection direction  Source IP  Target IP                           Protocol / target port
Establishment of VPN connection, key management  wTC -> VPN Gateway    wTC IP     VPN gateway on the inside firewall  ISAKMP, UDP 500
IPSEC NAT Transparency                           wTC -> VPN Gateway    wTC IP     VPN gateway on the inside firewall  UDP 10000
IPSEC Tunnel Encapsulation                       wTC -> VPN Gateway    wTC IP     VPN gateway on the inside firewall  ESP


Re 2, application communication

Application                 Connection direction             Source IP                 Target IP        Protocol / target port
Terminal session            wTC -> Terminal Server           VPN-Client IP of the TC*  TS IP            RDP, TCP 3389
Workbench HTTPS connection  Terminal Server -> Appl. server  TS IP                     Appl. Server IP  HTTPS, TCP 443
RMI reg                     Terminal Server -> Appl. server  TS IP                     Appl. Server IP  RMI, TCP 1099
RMI com.                    Terminal Server -> Appl. server  TS IP                     Appl. Server IP  RMI, TCP 50001-50050
RMI to Workbench**          Appl. server -> Terminal Server  Appl. Server IP           TS IP            TCP 50000+50009
* allocated by the VPN gateway
** outgoing connection
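The permission tables in 4.3.1 (Terminal Server in the DMZ, and the VPN Client Connection option) and in the wireless scenario above all have the same shape: a short, static allow-list with a default deny, in which the Control System cell is reachable only from the Terminal Server in the DMZ or from a VPN-Client IP allocated by the gateway. The following Python model is an added example for this manual; it is not Siemens software and not a configuration for any real firewall product. All addresses are constructed (documentation and private ranges), and the `requires_tunnel` flag is a modelling assumption for "VPN-Client IP allocated by the VPN gateway": such a source is only accepted once the gateway has decapsulated the packet. The audit function checks the "no direct access to SPPA-T3000 systems" requirement against a rule set.

```python
"""Static allow-list model of the remote-access firewall tables above.

Added example for this chapter; it is not Siemens software and not a
configuration for any real firewall product. Addresses are constructed
(documentation and private ranges), and `requires_tunnel` is a modelling
assumption for "VPN-Client IP allocated by the VPN gateway".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str                     # "tcp", "udp" or "esp"
    ports: Optional[range]         # destination ports; None for ESP, which has none
    requires_tunnel: bool = False  # source must be a decapsulated VPN client (assumption)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: Optional[int] = None
    via_tunnel: bool = False       # True once the VPN gateway has decapsulated it


# Constructed addresses for the zones named in the tables.
TC_INTRANET = ip_network("10.10.1.0/24")   # Thin Clients in the client intranet
TS_DMZ = ip_network("192.0.2.10/32")       # Terminal Server in the DMZ
VPN_GW = ip_network("192.0.2.1/32")        # VPN gateway on the inside firewall
VPN_POOL = ip_network("10.20.0.0/24")      # VPN-Client IPs allocated by the gateway
CELL = ip_network("172.16.0.0/16")         # security cell "Control System"
APP_SERVER = ip_network("172.16.0.10/32")  # Application Server inside the cell


def ports(lo: int, hi: Optional[int] = None) -> range:
    """Inclusive destination-port range, as the tables print it."""
    return range(lo, (lo if hi is None else hi) + 1)


CLIENT_FIREWALL: List[Rule] = [
    Rule("MS-TS terminal session", TC_INTRANET, TS_DMZ, "tcp", ports(3389)),
    Rule("ISAKMP key management", TC_INTRANET, VPN_GW, "udp", ports(500)),
    Rule("IPsec NAT transparency", TC_INTRANET, VPN_GW, "udp", ports(10000)),
    Rule("IPsec ESP encapsulation", TC_INTRANET, VPN_GW, "esp", None),
]

INSIDE_FIREWALL: List[Rule] = [
    # Terminal Server in the DMZ <-> Application Server
    Rule("Workbench HTTPS", TS_DMZ, APP_SERVER, "tcp", ports(443)),
    Rule("RMI registry", TS_DMZ, APP_SERVER, "tcp", ports(1099)),
    Rule("RMI communication", TS_DMZ, APP_SERVER, "tcp", ports(50000, 50050)),
    Rule("RMI to Workbench (outgoing)", APP_SERVER, TS_DMZ, "tcp", ports(50000, 50009)),
    # VPN clients <-> Application Server, valid only inside an established tunnel
    Rule("VPN Workbench HTTPS", VPN_POOL, APP_SERVER, "tcp", ports(443), True),
    Rule("VPN RMI registry", VPN_POOL, APP_SERVER, "tcp", ports(1099), True),
    Rule("VPN RMI communication", VPN_POOL, APP_SERVER, "tcp", ports(50001, 50050), True),
    Rule("VPN RMI to Workbench (outgoing)", APP_SERVER, VPN_POOL, "tcp", ports(50000, 50001), True),
]


def permitted(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Name of the first rule that allows pkt, or None: unlisted traffic is denied."""
    for r in rules:
        if pkt.src not in r.src or pkt.dst not in r.dst or pkt.proto != r.proto:
            continue
        if r.ports is not None and (pkt.dport is None or pkt.dport not in r.ports):
            continue
        if r.requires_tunnel and not pkt.via_tunnel:
            continue
        return r.name
    return None


def check(rules: List[Rule], src: str, dst: str, proto: str,
          dport: Optional[int] = None, via_tunnel: bool = False) -> Optional[str]:
    """String-argument wrapper around permitted() for quick lookups."""
    return permitted(rules, Packet(ip_address(src), ip_address(dst), proto, dport, via_tunnel))


def audit_direct_access(rules: List[Rule], cell: IPv4Network,
                        allowed_peers: List[IPv4Network]) -> List[str]:
    """Rules that let anything other than an allowed peer (DMZ Terminal Server,
    VPN client pool) exchange traffic with the cell, i.e. violations of the
    manual's "no direct access to SPPA-T3000 systems" requirement."""
    violations = []
    for r in rules:
        src_in, dst_in = r.src.subnet_of(cell), r.dst.subnet_of(cell)
        if not (src_in or dst_in):
            continue
        peer = r.dst if src_in else r.src
        if not any(peer.subnet_of(p) for p in allowed_peers):
            violations.append(r.name)
    return violations


if __name__ == "__main__":
    print(check(CLIENT_FIREWALL, "10.10.1.5", "192.0.2.10", "tcp", 3389))  # MS-TS terminal session
    print(check(INSIDE_FIREWALL, "10.10.1.5", "172.16.0.10", "tcp", 443))  # None: no direct access
    print(audit_direct_access(INSIDE_FIREWALL, CELL, [TS_DMZ, VPN_POOL]))  # []
```

A packet from a Thin Client in the intranet straight to the Application Server matches nothing at the inside firewall, which is the intended result: the only paths into the cell go through the Terminal Server or through an established VPN tunnel. The audit catches a rule that would open such a direct path, so it can be run against a proposed rule set before it is deployed.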

4.5.1 Administration of the wireless Access Point

Access rights to the wireless Access Point:

Define, by MAC address, the systems which may have access to the wireless Access Point (e.g. for
administration) from within the LAN. The wireless Thin Clients must not have access to the wireless
Access Points.


4.6 Third party system connection via OPC

OPC: Openness, Productivity, Collaboration (formerly: OLE for Process Control)

OPC is a standardized software interface which enables applications by different manufacturers to
exchange data based on the client/server principle.

Figure 31 Principle of the OPC connection

For the communication between the applications, OPC currently mainly uses the DCOM technology
(Distributed Component Object Model).
The consequences of using DCOM would be:
• DCOM has to be configured
• An unpredictable number of TCP/UDP connections would be opened.

The 2nd point in particular would represent a serious security problem, because it would no longer make
a static firewall configuration possible.

The solution to the problem is the use of an "OPC tunneler", e.g. by Matrikon Inc., which reduces the
OPC communication between client and server to one (1) TCP connection.

The target port TCP 21379 has been defined for the tunneler.

Figure 32 OPC connection via an OPC tunnel


5.3 Sample loading times for a workbench via DSL

Connecting a workbench (approx. 20 MB transfer) to a TC takes approx.:

Loading times (download only), approx., for 20 megabyte

Connection                        Loading time
Modem (28.8 Kbps)                 1 hour   32 min. 35 sec.
Modem (56 Kbps)                   0 hours  47 min. 37 sec.
1 channel ISDN (64 Kbps)          0 hours  41 min. 40 sec.
2 channel ISDN (128 Kbps)         0 hours  20 min. 49 sec.
DSL-768 (768 Kbps, outdated)      0 hours   3 min. 28 sec.
DSL 1000 (1024 kbps)              0 hours   2 min. 36 sec.
DSL-1500 (1536 Kbps, outdated)    0 hours   1 min. 44 sec.
DSL 2000 (2048 kbps)              0 hours   1 min. 18 sec.
DSL 3000 (3072 kbps)              0 hours   0 min. 52 sec.
DSL 6000 (6016 kbps)              0 hours   0 min. 26 sec.
DSL 16,000 (16000 kbps)           0 hours   0 min. 10 sec.

Approx. 15% must be added to the times due to IPSec.
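The table above is plain arithmetic: transfer size in bits divided by the link rate, truncated to whole seconds, plus the 15% IPsec allowance. The following Python script is an added worked example (not part of the manual) that reproduces the table from the stated inputs and then applies the IPsec allowance, so the same estimate can be made for any link speed. It assumes the convention the table's figures imply, namely 20 megabyte = 20 × 10^6 bytes and 1 kbps = 1000 bit/s.

```python
"""Worked calculation behind the loading-time table above.

Added example; not part of the manual. It reproduces the table from the
stated workbench size (approx. 20 MB) and the nominal link rate, then applies
the manual's 15 % IPsec allowance. Convention assumed: 20 megabyte = 20 * 10**6
bytes and 1 kbps = 1000 bit/s, which is what the table's figures imply.
"""
from typing import List, Tuple

WORKBENCH_MB = 20.0     # approx. transfer size of a workbench, from the manual
IPSEC_OVERHEAD = 0.15   # approx. 15 % extra for IPsec, from the manual

# (link name, nominal downstream rate in kbit/s) as listed in the table
LINKS = [
    ("Modem (28.8 Kbps)", 28.8),
    ("Modem (56 Kbps)", 56),
    ("1 channel ISDN (64 Kbps)", 64),
    ("2 channel ISDN (128 Kbps)", 128),
    ("DSL-768 (768 Kbps)", 768),
    ("DSL 1000 (1024 kbps)", 1024),
    ("DSL-1500 (1536 Kbps)", 1536),
    ("DSL 2000 (2048 kbps)", 2048),
    ("DSL 3000 (3072 kbps)", 3072),
    ("DSL 6000 (6016 kbps)", 6016),
    ("DSL 16,000 (16000 kbps)", 16000),
]


def download_seconds(megabytes: float, kbps: float) -> float:
    """Raw transfer time ignoring protocol overhead: bits / (bits per second)."""
    return megabytes * 1_000_000 * 8 / (kbps * 1000)


def with_ipsec(seconds: float, overhead: float = IPSEC_OVERHEAD) -> float:
    """Apply the flat percentage the manual adds for IPsec encapsulation."""
    return seconds * (1 + overhead)


def hms(seconds: float) -> Tuple[int, int, int]:
    """Split whole seconds into (hours, minutes, seconds), truncating like the table."""
    total = int(seconds)
    hours, rest = divmod(total, 3600)
    minutes, secs = divmod(rest, 60)
    return hours, minutes, secs


def loading_table(megabytes: float = WORKBENCH_MB
                  ) -> List[Tuple[str, Tuple[int, int, int], Tuple[int, int, int]]]:
    """(link, plain time, time with IPsec) for every link in LINKS."""
    rows = []
    for name, kbps in LINKS:
        plain = download_seconds(megabytes, kbps)
        rows.append((name, hms(plain), hms(with_ipsec(plain))))
    return rows


if __name__ == "__main__":
    for name, plain, secured in loading_table():
        print(f"{name:26s} {plain[0]}h {plain[1]:2d}m {plain[2]:2d}s"
              f"   with IPsec: {secured[0]}h {secured[1]:2d}m {secured[2]:2d}s")
```

With the 15% allowance the 28.8 kbps modem case grows from 1 h 32 min 35 s to 1 h 46 min 28 s. Exact arithmetic gives 20 min 50 s for the 128 kbps row, one second more than the table prints; all other rows agree with the table to the second.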


6 Glossary

AES    Advanced Encryption Standard            Encryption based on the Rijndael algorithm
AH     Authentication Header                   AH authentication authenticates the whole IP packet including the outer (gateway) IP address
cRSP   Common Remote Service Platform          Siemens-wide Remote Service Platform
CAG    Customer Access Gateway                 Service access point in accordance with the cRSP standard
COG    Customer Owned Gateway                  Service access point provided by the client
DCOM   Distributed Component Object Model      A protocol defined by Microsoft to allow program components to communicate via a network
DMZ    Demilitarized Zone                      Computer network with access options controlled by security technology
ESP    Encapsulating Security Payload          ESP authentication authenticates the inner IP header (e.g. of the external system) but not the outer IP header
https  Hyper Text Transfer Protocol (Secure)   Encryption and authentication of the communication between Web server and Browser
IP     Internet Protocol                       Prevalent network protocol
IPSec  Internet Protocol Security              Provides a security architecture for communication via IP networks
MAC    Media Access Control                    The hardware address of each individual network adapter
NAT    Network Address Translation             Method to replace address information in data packets in an automated and transparent fashion
OPC    Openness, Productivity, Collaboration (in the past: OLE for Process Control)   A standardized interface which permits the data exchange between applications of different manufacturers
PFS    Perfect Forward Secrecy                 It is impossible to deduce keys used earlier or later from an exposed key
PSK    Preshared Key                           Encryption method in which the keys must be known to both nodes prior to communication
RT     Run Time                                Runtime describes the time period during which a program is executed by a computer
SSID   Service Set Identifier                  Identification of a wireless network
TC     Thin Client                             End device or terminal of a network whose functionality is limited to input and output
TKIP   Temporal Key Integrity Protocol         Method for the cyclical replacement of keys in WLAN
TS     Terminal Server                         Computer emulating several terminals


VLAN   Virtual Local Area Network              A virtual local network within a physical network
VPN    Virtual Private Network                 Facilitates secure transmission via an unsecured network
WPA    Wi-Fi Protected Access                  An encryption method for a wireless LAN
wTC    Wireless Thin Client                    Thin Client connected via a wireless network infrastructure
