Protection of an Automation Cell Using the SCALANCE S602 V3 Security Module via a Firewall (Bridge/Routing)

SCALANCE S602 V3
Application Description, August 2012
Applications & Tools

Siemens Industry Online Support
This document is taken from the Siemens Industry Online Support. The following
link takes you directly to the download page of this document:
http://support.automation.siemens.com/WW/view/en/22376747

Caution
The functions and solutions described in this entry predominantly confine
themselves to the realization of the automation task. Please also take into account
that corresponding protective measures have to be taken in the context of
Industrial Security when connecting your equipment to other parts of the plant, the
enterprise network or the Internet. For more information, please refer to Entry ID
50203404.
http://support.automation.siemens.com/WW/view/en/50203404

Please also actively use our technical forum in the Siemens Industry Online
Support regarding this subject. Share your questions, suggestions or problems and
discuss them with our strong forum community:
http://www.siemens.com/forum-applications
Copyright Siemens AG 2012. All rights reserved.

S602 V3 Firewall, V3.0, Entry ID: 22376747
Warranty and Liability

Note The application examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The application
examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are correctly used. These application examples do not
relieve you of the responsibility of safely and professionally using, installing,
operating and servicing equipment. When using these application examples, you
recognize that Siemens cannot be made liable for any damage/claims beyond
the liability clause described. We reserve the right to make changes to these
application examples at any time without prior notice. If there are any deviations
between the recommendations provided in these application examples and other
Siemens publications e.g. Catalogs then the contents of the other documents
have priority.

We do not accept any liability for the information contained in this document.
Any claims against us based on whatever legal reason resulting from the use of
the examples, information, programs, engineering and performance data etc.
described in this application example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
(wesentliche Vertragspflichten). However, claims arising from a breach of a
condition which goes to the root of the contract shall be limited to the foreseeable
damage which is intrinsic to the contract, unless caused by intent or gross
negligence or based on mandatory liability for injury of life, body or health. The
above provisions do not imply a change in the burden of proof to your detriment.
It is not permissible to transfer or copy these application examples or excerpts of
them without first having prior authorization from Siemens Industry Sector in
writing.

Table of Contents
Warranty and Liability ... 4
1 Problem ... 7
1.1 Introduction ... 7
1.2 Overview ... 7
2 Automation Solution ... 9
2.1 Overview of the overall solution ... 9
2.2 Description of the core functionality ... 11
2.3 Hardware and software components used ... 12
2.4 Alternative solution: VPN tunnel ... 13
3 Minimizing Risk through Security ... 14
3.1 Conditions and requirements ... 14
3.2 The SIEMENS protection concept: Defense in depth ... 15
3.3 Security mechanism: Firewall ... 15
3.3.1 Firewall classification ... 15
3.3.2 Stateful packet inspection ... 16
3.4 Security mechanism: Address translation with NA(P)T ... 17
3.4.1 Address translation with NAT ... 18
3.4.2 Address translation with NAPT ... 20
3.4.3 FTP via a NAPT router ... 22
3.5 Correlation between NA(P)T and firewall ... 24
4 SCALANCE S Product Overview ... 29
4.1 The idea of the cell protection concept ... 29
4.2 SCALANCE S602 V3 ... 30
4.3 Security Configuration Tool ... 32
4.3.1 Symbolic addressing ... 33
4.3.2 User management ... 34
4.4 Firewall rules ... 35
4.4.1 Precedence of rules ... 36
4.4.2 The different firewall rule sets ... 37
4.4.3 Conventions for the firewall rule sets ... 39
4.5 Logging and diagnostics options in the SCT ... 40
4.5.1 Online functions ... 40
4.5.2 Logging ... 41
5 Installation ... 44
5.1 Installing the hardware ... 44
5.2 Installing the software ... 46
6 Commissioning in Bridge Mode ... 47
6.1 Overview of the configuration mode ... 47
6.2 Assigning the IP addresses ... 49
6.3 Creating a project in the SCT ... 52
6.4 Enabling the DCP protocol ... 53
6.5 Symbolic addressing in the SCT ... 54
6.6 Advanced mode ... 55
6.7 Configuring Syslog logging ... 55
6.8 Configuring the firewall rules ... 56
6.8.1 IP service definition ... 56
6.8.2 Defining users for the SCT ... 57
6.8.3 Creating the global firewall rule ... 59
6.8.4 Creating the local firewall rules ... 60
6.8.5 Creating user-specific firewall rules ... 62
6.9 Downloading the firewall rules to the S602 V3 ... 64
7 Commissioning in Routing Mode ... 65
7.1 Overview of configuration mode ... 65
7.2 Basic configurations from bridge mode ... 66
7.3 Changing the operating mode to routing ... 67
7.4 Configuring NA(P)T ... 68
7.4.1 Configuring the NAT table ... 68
7.4.2 Configuring the NAPT table ... 69
7.5 Downloading the SCALANCE S602 V3 configuration ... 70
8 Operation of the Application ... 71
8.1 Operation in bridge mode ... 71
8.2 Operation in router mode ... 78
8.2.1 Routing via NAT ... 79
8.2.2 Routing via NAPT ... 86
9 References ... 92
10 History ... 92
1 Problem
1.1 Introduction
In industrial automation, the security of production networks has top priority.
In the past, automation islands were usually physically separated and relied on the
isolation inherent in their fieldbuses.
With the spread of Industrial Ethernet, the growing connection to the office network
and the large number of unsecured interfaces at the field level, security is now of
the greatest importance.
As a result, industrial communication faces the same threats known from the office
and IT environment, such as hackers, viruses, worms and trojans, but also excessive
communication load (for example broadcast storms).
Existing security concepts built from standard office IT components require
continuous maintenance and specialist knowledge, and they are normally not suited
to the special requirements of industrial communication.

1.2 Overview
Overview of the automation problem
The figure below provides an overview of the automation problem.

Figure 1-1: Company network with PC 1, PC 2, PC 3 and PC 4; automation cells 1 to N,
each of which is to be connected to the company network via access control.

Description of the automation problem
An automation cell is to be connected to the company network so that, via access
control, only certain devices or communication services have access to the internal
nodes.
The following user scenarios are released for selected partners:
Table 1-1
User scenario | Partner
Configuration / diagnostics with STEP 7 | PC 1
Node initialization of internal nodes | PC 1
Logging the data packets of the S7 communication | PC 2
Access to cell-internal Web and FTP servers | PC 3
Blocking unauthorized access attempts | PC 4

Requirements
- The implemented access control is to be easy and cost-effective, and the
  automation personnel must be able to create and maintain it themselves.
- Integrated diagnostics of field devices and network components must be possible
  from the control level.
- The automation cells may have an identical structure, including identical IP
  address ranges (see Figure 1-1).

2 Automation Solution
2.1 Overview of the overall solution
Diagrammatic representation
The diagrammatic representation below shows the most important components of
the solution:

Figure 2-1: Overall solution. On the external side, connected via a SCALANCE X208:
control room PC (web browser, FTP client), service PC (STEP 7), Syslog server PC
(Syslog server, data logging) and an external PC (web browser, FTP client). In
between: SCALANCE S602 V3 (security component: firewall, router). In the automation
cell protected by the firewall, connected via a second SCALANCE X208: CPU + CP
(web server, FTP server, STEP 7 program, simulation) and a PN-CPU.

Configuration
The protected automation cell contains two SIMATIC S7-300 stations that are
connected to the internal interface of the S602 V3 via a SCALANCE X208:
- S7-300 station 1 with a CPU317-2 PN/DP, connected via a CP343-1 Advanced.
- S7-300 station 2, connected via the integrated PROFINET interface of the
  CPU319-3 PN/DP.
Via a second SCALANCE X208, the following devices are connected to the external
interface of the SCALANCE S602 V3:
- A PC in the control room via its integrated Ethernet interface.
- A PC of a service employee via its integrated Ethernet interface.
- A PC for recording log files (Syslog server).
- An external PC for demonstrating unauthorized access.

2.2 Description of the core functionality

SCALANCE S602 V3
The core of this application is the SCALANCE S602 V3 Security Module. This
module is part of the Siemens security concept and was developed specifically for
industrial automation. It can be configured as a firewall and thus used to protect
automation cells and components.
This makes it easy to ensure that individual devices within the protected
automation cell can only be accessed from specific PCs. To meet the requirements
of the automation problem, the SCALANCE S602 V3 can be used both for
cross-subnet communication (routing mode) and in a flat network (bridge mode).

Description of the user scenarios
The following table shows the scenarios presented in this application that are
implemented in the SCALANCE S module with the respective firewall rules.
These scenarios are demonstrated for both routing and bridge mode.
Table 2-1
No. | Application | Description
1 | Parameterization | IP configuration of all cell-internal devices through node initialization in STEP 7 (via DCP).
2 | Configuration / diagnostics / visualization | Enabling the full PG functionality (STEP 7) for the PC of the service employee.
3 | Bandwidth limitation | Restricting the data communication for the PC of the service employee.
4 | Productive data transfer, visualization | Enabling access to the FTP and Web server of the cell-internal Advanced CP for the control room PC.
5 | Logging the data traffic | Enabling data traffic logging to an external Syslog server.

Advantages of this solution
- Protection against data espionage and data manipulation.
- Protection against overload of the communications system.
- User-friendly and easy configuration and administration without special
  knowledge of IT security.
- Reaction-free installation of SCALANCE S in existing automation networks.
- Scalable security functionality.
- SCALANCE S configuration without expert knowledge of IT security by means
  of a uniform configuration tool, the Security Configuration Tool, and its
  standard mode settings.
- Remote diagnostics: log files can be evaluated using a Syslog server.

2.3 Hardware and software components used
The application was created with the following components:

Hardware components
Table 2-2
Component | Qty. | MLFB/order number | Note
SCALANCE S602 V3 | 1 | 6GK5602-0BA10-2AA3 |
PS307 2A power supply | 2 | 6ES7 307-1BA00-0AA0 |
CPU319-3 PN/DP | 1 | 6AG1318-3EL00-2AB0 | Alternatively, any other CPU can also be used.
CPU317-2 PN/DP | 1 | 6ES7317-2EK14-0AB0 |
CP343-1 Advanced | 1 | 6GK7343-1GX31-0XE0 | Alternatively, any other IT-CP can also be used.
SCALANCE X208 | 2 | 6GK5208-0BA10-2AA3 |
PC | 4 | |
Ethernet cable | 8 | |

Standard software components
Table 2-3
Component | Qty. | MLFB/order number | Note
SIMATIC MANAGER V5.5 SP2 | 1 | 6ES7810-4CC08-0YA5 |
Security Configuration Tool V3 or higher | 1 | | Comes with the SCALANCE S.

Required tools
This application uses software components that can be downloaded as freeware
from the Internet:
- Web server
- FTP client
- Syslog server
- Primary Setup Tool (for address setting of SIMATIC NET products; see \3\ in
  chapter 9 (References)).

Sample files and projects
The following list contains all files and projects used in this example.
Table 2-4
Component | Note
22376747_Firewall_S602_CODE_v30.zip | This zip file contains the STEP 7 projects.
22376747_Firewall_S602_DOKU_v30_e.pdf | This document.

2.4 Alternative solution: VPN tunnel
As an alternative to protecting a network with a firewall, you can also use a VPN
tunnel. A VPN (virtual private network) tunnel creates a private network
(comparable to a LAN) over an unsecured network such as the Internet. Encryption
of the data packets and authentication of the nodes are what make such a network
secure.

Firewall vs. VPN
The following table shows the differences, advantages and disadvantages of the
two mechanisms:
Table 2-5
VPN tunnel | Firewall
Peer-to-peer connection: at least two devices are necessary to establish a VPN connection (gateway to gateway, gateway to host). | Only one device is necessary; a firewall can be hardware- or software-based.
Protection across the entire VPN connection. | Security measures concentrated at one point.
Data encryption, authentication (proof of one's own identity) and verification of the partner's identity via a password (pre-shared key) or certificates (X.509v3). | Data traffic is controlled and filtered at OSI reference model layers 2 to 7. Data packets can be allowed or discarded.

More information
For more information on VPN, refer to the following applications and FAQs:
Table 2-6
Title | Link
Secure Remote Access to SIMATIC Stations with the SCALANCE S612 V3 via Internet and UMTS; Secure Remote Access to SIMATIC Stations with the SOFTNET Security Client via Internet and UMTS | http://support.automation.siemens.com/WW/view/en/24960449
Security with SCALANCE S612 V3 Modules Over IPSec VPN Tunnels; Remote Control Concept with SCALANCE S Modules Over IPSec-Secured VPN Tunnels | http://support.automation.siemens.com/WW/view/en/22056713
How do you configure a VPN tunnel between a PC station with Windows XP SP2 and SCALANCE S61x V2.1 via the Internet with the Microsoft Management Console? | http://support.automation.siemens.com/WW/view/en/26098355
How do you configure a VPN tunnel between a PC station and SCALANCE S61x V2.1 via the Internet with the SOFTNET Security Client Edition 2005 HF1? | http://support.automation.siemens.com/WW/view/en/24953807
How is a VPN tunnel between two SCALANCE S 61x modules configured in Routing mode via the Internet? | http://support.automation.siemens.com/WW/view/en/24968211

3 Minimizing Risk through Security


Ethernet-based communication plays a key role in the automation environment and
its use of open and standardized IT technologies offers many advantages.
However, the increasing openness and integration also increase the risk of
unwanted manipulation.
Therefore, a security concept is required that, on the one hand, reliably protects
industrial communication and, on the other hand, also considers the special
requirements of automation engineering.

Note No one can guarantee one hundred percent protection. However, there are
numerous options to minimize the risk.

3.1 Conditions and requirements

Requirements
The requirements for security include:
- Node authorization: only defined nodes may participate in the data
  communication; this requires authentication.
- Packet integrity: it must be ensured that data packets arrive unchanged at their
  destination address.
- Confidentiality: networks behind the security modules are to be hidden from
  third parties.

Automation engineering conditions
The special requirements of automation engineering are:
- Effectiveness and economic efficiency by using the existing infrastructure.
- Reaction-free integration: the existing infrastructure must not be changed and
  existing components must not be reconfigured.
- Preservation of data security through protection against unauthorized access.

3.2 The SIEMENS protection concept: Defense in depth

Multi-level security concept
Increasing networking and the use of proven office-world technologies in
automation systems raise the demand for security. Limited protection at a single
point is not sufficient, because attacks from external sources can involve multiple
levels. Optimum protection requires strong security awareness.
To achieve the required security objectives, Siemens uses the defense in depth
strategy. It is based on a security model with multiple layers:
- plant security,
- network security and
- system integrity.
The advantage is that an attacker first has to overcome several security
mechanisms, and that the security requirements of the individual layers can be
considered separately.

Tools of the defense in depth strategy
As examples of how this protection concept is implemented, two security tools from
the field of network security should be mentioned: the firewall and the VPN tunnel.
A firewall is used to control the data traffic. Filtering allows packets to be
discarded, packet contents to be analyzed, and network access to be blocked or
granted.
Tunneling (VPN) is frequently used to secure the communication itself.

3.3 Security mechanism: Firewall

Description
A firewall is part of a security concept in the private and corporate sector that
prevents or restricts unauthorized access to networks or devices.
Firewalls are offered as hardware- or software-based components.

3.3.1 Firewall classification

Types of firewalls
There are three types of firewalls, named after the highest OSI layer they
evaluate:
- Packet filter (evaluation of packets up to OSI layer 3, the network layer).
- Circuit-level gateway (evaluation of packets up to OSI layer 4, the transport
  layer).
- Application-level gateway or proxy (evaluation of packets up to OSI layer 7, the
  application layer).
Packet filters analyze the IP data packets and forward or discard them based on
defined criteria.
Circuit-level gateways have access to the transport layer and can therefore analyze
the relationship between network connections and packets. Besides the term
circuit-level gateway, a number of other terms are used, including stateful packet
inspection.

An application-level gateway is a proxy server. It handles the entire
communication between the network to be protected and the unsecured network.
Security proxies are set up for each service (WWW, e-mail, Telnet, FTP, etc.).
This means that the computers of the LAN do not directly access a server on the
Internet; they identify and authenticate themselves to the proxy and send the
request to it. The proxy, in turn, establishes the connection to the server with its
own address as sender and forwards the request.
The application-level gateway makes it possible to control and filter the contents of
the transmitted data. In companies, such a proxy server is also used to block certain
Web sites in the internal network or to filter active content such as ActiveX and
JavaScript out of Web pages.

Selection criteria
The firewall to be used in a company or privately depends on several criteria:
The desired and achievable security.
The necessary overhead (hardware- or software-based firewall).
The achievable data throughput.
The costs.

3.3.2 Stateful packet inspection

Description
Stateful packet inspection is a firewall technology that operates at the network
layer and transport layer and optionally at the application layer of the OSI
reference model. Stateful inspection means state-controlled filtering and is an
extension of the plain packet filter. Because it understands the communication
protocols, a stateful packet inspection firewall keeps a state table of all network
connections, detects correlations between data packets and tracks the existing
communication relationships.

Principle of operation
With this insight into the communication, stateful packet inspection can, for
example, admit data packets from external sources into the internal network only
if they are the response to a request previously started by an internal node.
If the external node sends data that was not requested, the firewall blocks the
transfer even if a connection between the internal and the external node exists.
An important property of stateful packet inspection is the dynamic creation and
deletion of filter rules. If an internal node sends data to an external target device,
the firewall, after the first data packet has passed, creates a rule for a limited
period of time that accepts the response packets and forwards them to the sender
of the request (the internal node). After the time window has expired, the rule is
deleted.
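The following Python model illustrates the dynamic rule handling described above: an internal request creates a temporary reverse rule, a matching response is admitted and refreshes it, an unsolicited frame from the same external peer is dropped, and the rule disappears once the time window has expired. It is an added example for this page, not Siemens code and not the S602 V3's own implementation; the internal subnet, the 30 s timeout and the packet values are assumptions chosen for the demonstration, and TCP flags and ICMP, which a real implementation must also track, are left out.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; the sample values below are constructed for the demo."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Stateful packet inspection at an internal/external boundary (added example).

    Frames from the internal subnet to the outside are allowed and create a
    temporary rule; frames from the outside are only allowed if they match the
    reverse of such a rule; the rule is deleted when its timeout expires.
    """

    def __init__(self, internal_net, timeout=30.0, clock=time.monotonic):
        self.internal_net = ipaddress.ip_network(internal_net)
        self.timeout = timeout          # lifetime of a dynamic rule (assumed value)
        self.clock = clock              # injectable so the demo is deterministic
        self.table = {}                 # outbound 5-tuple -> expiry time

    def _internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal_net

    def _purge(self, now):
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]         # time window expired: rule deleted

    def filter(self, pkt):
        now = self.clock()
        self._purge(now)
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._internal(pkt.src) and not self._internal(pkt.dst):
            self.table[forward] = now + self.timeout   # internal request: create/refresh rule
            return "ALLOW"
        if reverse in self.table:
            self.table[reverse] = now + self.timeout   # matching response: allowed, rule refreshed
            return "ALLOW"
        return "DROP"                                  # unsolicited external frame


def run_demo():
    """Replay constructed traffic against a fake clock; returns (label, verdict) pairs."""
    now = [0.0]
    fw = StatefulFilter("192.168.10.0/24", timeout=30.0, clock=lambda: now[0])
    request = Packet("tcp", "192.168.10.5", 40000, "172.16.0.50", 80)
    response = Packet("tcp", "172.16.0.50", 80, "192.168.10.5", 40000)
    unsolicited = Packet("tcp", "172.16.0.50", 80, "192.168.10.5", 102)  # same peer, other flow
    decisions = [
        ("response before request", fw.filter(response)),
        ("internal request", fw.filter(request)),
        ("matching response", fw.filter(response)),
        ("unsolicited from same peer", fw.filter(unsolicited)),
    ]
    now[0] = 31.0                                       # beyond the 30 s window
    decisions.append(("response after timeout", fw.filter(response)))
    return decisions


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{label:28s} {verdict}")
```

The state key is the full 5-tuple, which is why the frame from 172.16.0.50 to port 102 (the S7 port) is dropped although a flow with that peer exists: stateful inspection matches responses to requests, not hosts to hosts.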

3.4 Security mechanism: Address translation with NA(P)T

Description
Network address translation (NAT) and network address port translation (NAPT)
are methods for translating private IP addresses to public IP addresses.

Classification of IP addresses
IP addresses are used for logical addressing of devices in IP networks. IPv4
addresses consist of four numbers from 0 to 255 separated by dots.
The public address space is managed and assigned by the IANA and the regional
Internet registries (historically by a network information center, NIC). The table
below shows the classic address classes and the private address range within each:
Table 3-1
Class | Max. number of networks | Start address | End address | Private address range
A | 126 | 1.0.0.0 | 126.0.0.0 | 10.0.0.0 to 10.255.255.255
B | 16382 | 128.0.0.0 | 191.255.0.0 | 172.16.0.0 to 172.31.255.255
C | 2097150 | 192.0.0.0 | 223.255.255.0 | 192.168.0.0 to 192.168.255.255

Addresses from 224.0.0.0 to 239.255.255.255 (class D) are reserved for multicast,
and 240.0.0.0 and above (class E) are reserved; neither range is assigned to hosts
as unicast addresses.
Because of the shortage of IPv4 addresses on the Internet, the private address
ranges shown above were introduced (RFC 1918). They are not routed on the
Internet and are used for private networks. A private address is only visible within
its own network and cannot be reached from the Internet; therefore the same
ranges can be reused in any number of other private networks.
Copyright

3.4.1 Address translation with NAT

Description
NAT is a method for address translation between two address spaces. Its main
task is the translation of private addresses to public addresses, i.e. to IP addresses
that are used and routed on the Internet.
This method hides the addresses of the internal network from the external network.
In the external network, the internal nodes are only visible via the external IP
addresses defined in the address translation list (NAT table).
Classical NAT is a one-to-one translation, i.e. one private IP address is translated
to one public IP address.
The access address for an internal node is therefore again a plain IP address.

NAT table
The NAT table contains the assignment of private and public IP addresses and is
configured and managed in the gateway or router. The following screen shot shows
the NAT table of the SCALANCE S602 V3:
Figure 3-1: NAT table dialog in the Security Configuration Tool (screen shot not
reproduced)

Table 3-2
Option | Meaning
NAT active | Enables the NAT input area. NAT address translations only take effect together with the option described below and with entries in the address translation list. In addition, the firewall must be configured appropriately.
Allow all internal nodes access to the outside | When this option is checked, the internal IP address (source IP address) of all frames from internal to external is translated to the external module IP address plus a port number additionally assigned by the module. This is visible in the additional bottom row of the NAT table: a * in the internal IP address column indicates that all frames from internal to external are translated. Note: this is an n:1 translation, i.e. several internal nodes are mapped to one external address and distinguished by the additionally assigned port number. Despite the added port, this option belongs to the NAT input area.

Table 3-3
Parameter | Meaning | Comment
External IP address | For frame direction internal -> external: the newly assigned (source) IP address. For frame direction external -> internal: the IP address matched in the incoming frame. | Alternatively, you can enter a symbolic name.
Internal IP address | For frame direction external -> internal: the newly assigned (destination) IP address. For frame direction internal -> external: the IP address matched in the incoming frame. |
Direction | Frame direction of the entry: Src-NAT (to external), Dst-NAT (from external), Src-NAT + Dst-NAT (both directions). | Example, Src-NAT: frames from the internal subnet are checked for the specified internal IP address and forwarded to the external network with the specified external IP address.

Sequence
If a device from the external network wants to send a packet to an internal device
(Dst-NAT), it uses a public address as the destination address. This IP address is
translated to a private IP address by the router.
As the source address in the IP header of the data packet, the public IP address of
the external device remains unchanged.
The response of the internal device is sent to the IP address that is stored as the
source address in the IP header. Due to the fact that its own address and the
source address are in different subnets, the internal device sends the packet to its
router, which forwards it to the external device.

3.4.2 Address translation with NAPT

Description
NAPT is a variant of NAT, and the two terms are often used synonymously. The
difference from NAT is that NAPT also translates port numbers.
There is no longer a one-to-one translation of IP addresses. Instead, a single public
IP address is mapped to a number of private IP addresses by distinguishing them
through port numbers.
The access address for an internal node is therefore an IP address combined with
a port number.

NAPT table
The NAPT table contains the assignment of private IP addresses to the ports of the
public IP address and is configured and managed in the gateway or router. The
following screen shot shows the NAPT table of the SCALANCE S602 V3:
Figure 3-2

Table 3-4
Option Meaning
NAPT active The input area for NAPT is activated. NAPT translations only
become effective with the option described below and entries
in the list. In addition, the firewall must be configured
appropriately.


Table 3-5

Parameter            Meaning                                                    Range of values
External port        A node in the external network reaches a node in the      Port or port range. Example
                     internal subnet (or responds to it) by using this port    of a port range: 78:99
                     number.
Internal IP address  IP address of the addressed node in the internal subnet.
Internal port        Port number of the service on the addressed internal      Single port (no port range)
                     node.

Sequence
If a device from the external network wants to send a packet to an internal device,
it uses its public address with the specified port as the destination address. This IP
address is translated to a private IP address with port address by the router.
As the source address in the IP header of the data packet, the public IP of the
external device remains unchanged.
The response of the internal device is sent to the IP address that is stored as the
source address in the IP header. Because its own address and the source address
are in different subnets, the internal device sends the packet to its router,
which forwards it to the external device.


3.4.3 FTP via a NAPT router

Thanks to the one-to-one translation of IP addresses, FTP data transfer via NAT
causes no difficulties.
Via a NAPT router such as the SCALANCE S602 V3, it is no longer that trivial.
Aside from the default ports 21 (control channel) and 20 (data channel), FTP also
uses dynamic ports above 1023 for data transmission, which are not known before
the transfer starts.
For the address translation, NAPT uses only the ports that were entered in the
NAPT table during configuration. The NAPT table cannot be extended at runtime,
so the dynamic port negotiated during an FTP data transfer cannot be added to it.
As a result, all data packets sent from external to internal with a port unknown
to the NAPT table are not translated and are therefore discarded. The FTP data
transfer cannot take place.

Problem description
The following figure illustrates the problem:
Figure 3-3: FTP via a NAPT router. The NAPT router sits between the external and the internal network; its NAPT table contains only the entries 192.168.2.3:20 <-> 172.158.2.2:20 and 192.168.2.3:21 <-> 172.158.2.2:21. The numbered exchanges between client and server are: (1) port 21, the client sends the user name and the server requests the password; (2) port 21, the client sends the password and the server acknowledges it; (3) port 21, the client sends the PORT command with its data port, e.g. port 1027; (4) port 1027, the server tries to establish the data connection to the announced port.


Table 3-6

Step  Sequence                                             Response
1.    The client sends the user ID to the server via the   Port 21 is allowed by the NAPT router.
      control port.                                        The server requests the password.
2.    The client sends the password via port 21.           Port 21 is allowed by the NAPT router.
                                                           The server confirms the password.
3.    Via the PORT command, the client transmits the       Port 21 is allowed by the NAPT router.
      port on which it listens for the data connection.
4.    Via this port, the server attempts to contact the    As this port is not configured in the
      FTP client.                                          NAPT table, the data packets are
                                                           discarded by the NAPT router. The FTP
                                                           data connection is not established.

Solution
To let the data packets of the FTP server into the internal network despite the
dynamic ports, a NAT entry must be created in addition to the NAPT entries. All
data packets from the FTP server must be rewritten to the IP address of the NAPT
router.
This lets all of these data packets into the internal network, irrespective of
the port.
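As an added example that is not part of the original document, the following Python script models the lookup behavior described above: a NAPT table whose entries (external port or port range, internal address, internal port) are fixed at configuration time, a Dst-NAT entry that translates an address for every port, the decoding of the FTP PORT command, and the four steps of Table 3-6. The router address 172.158.2.2 and the internal node 192.168.2.3 are taken from Figure 3-3; the external FTP peer 172.158.2.7 and its ephemeral source port are assumptions made for this example.

```python
"""NAPT lookup with a static table, and the FTP data-channel problem of section 3.4.3.

Added example, not Siemens code. The NAPT table and the addresses 172.158.2.2
(router, external side) and 192.168.2.3 (internal FTP node) follow Figure 3-3.
The address of the external FTP peer (172.158.2.7) and its ephemeral source
port are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NaptEntry:
    external_ports: range  # "78:99" in the SCT becomes range(78, 100); a single port is a range of one
    internal_ip: str
    internal_port: int     # single port only, no range (Table 3-5)


def parse_port_spec(spec: str) -> range:
    """'21' -> range(21, 22); '78:99' -> range(78, 100) (both ends inclusive in the SCT)."""
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)


@dataclass
class NaptRouter:
    external_ip: str
    napt: List[NaptEntry] = field(default_factory=list)
    # Dst-NAT entries (section 3.4.1): external IP -> internal IP, valid for every port.
    nat: Dict[str, str] = field(default_factory=dict)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an external -> internal packet. None means: no entry, packet discarded."""
        if pkt.dst_ip == self.external_ip:
            for entry in self.napt:
                if pkt.dst_port in entry.external_ports:
                    return Packet(pkt.src_ip, pkt.src_port, entry.internal_ip, entry.internal_port)
        if pkt.dst_ip in self.nat:  # 1:1 NAT translates the address, the port is kept
            return Packet(pkt.src_ip, pkt.src_port, self.nat[pkt.dst_ip], pkt.dst_port)
        return None


_PORT_CMD = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959): address h1.h2.h3.h4, port p1*256 + p2."""
    m = _PORT_CMD.match(line.strip())
    if m is None:
        raise ValueError(f"not a PORT command: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range: {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def replay_table_3_6(router: NaptRouter, peer_ip: str, port_line: str) -> Dict[str, bool]:
    """Steps 1-3 of Table 3-6 use the control channel (port 21); step 4 is the data
    connection to the port announced with PORT. True = translated and forwarded."""
    _, data_port = parse_port_command(port_line)
    control = Packet(peer_ip, 40001, router.external_ip, 21)   # steps 1-3 (assumed source port)
    data = Packet(peer_ip, 20, router.external_ip, data_port)   # step 4
    return {
        "control_channel": router.translate_inbound(control) is not None,
        "data_channel": router.translate_inbound(data) is not None,
    }


def add_ftp_nat_entry(router: NaptRouter, internal_ip: str) -> None:
    """Solution of section 3.4.3: a NAT entry so that packets addressed to the
    NAPT router's external address are translated 1:1 whatever their port."""
    router.nat[router.external_ip] = internal_ip


if __name__ == "__main__":
    router = NaptRouter("172.158.2.2", napt=[
        NaptEntry(parse_port_spec("20"), "192.168.2.3", 20),
        NaptEntry(parse_port_spec("21"), "192.168.2.3", 21),
    ])
    port_cmd = "PORT 192,168,2,3,4,3"  # announces port 4*256 + 3 = 1027 as in Figure 3-3
    print("NAPT only:", replay_table_3_6(router, "172.158.2.7", port_cmd))
    add_ftp_nat_entry(router, "192.168.2.3")
    print("NAPT + NAT:", replay_table_3_6(router, "172.158.2.7", port_cmd))
```

Running the script shows the data channel being discarded with the NAPT table alone and passing once the NAT entry exists. The model is deliberately simple: the NAT entry is attached to the router's own external address, as the Solution paragraph describes, and no firewall is involved yet; the interaction with the firewall rules is the subject of section 3.5.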

3.5 Correlation between NA(P)T and firewall


Customizing the firewall
The following applies to both directions Src-NAT (to external) and Dst-NAT (from
external): Frames must first pass through the address translation in the NAT/NAPT
router and then through the firewall.
The settings for the NAT/NAPT router and the firewall rules must be coordinated so
that frames with a translated address can pass through the firewall.
Figure 3-4: Processing order in the SCALANCE S602 V3. IP frames from the external network pass through the NAT/NAPT router (Dst-NAT) and then the firewall on their way to the internal network; IP frames from the internal network pass through the NAT/NAPT router (Src-NAT) and then the firewall on their way to the external network.

Note The firewall in the SCALANCE S602 V3 is preset so that IP data traffic between
the networks is not possible. Before communication can take place, the firewall
must first be configured.

Stateful packet inspection

Firewall and NAT/NAPT router support the stateful packet inspection mechanism.
If IP data traffic is enabled from internal to external, internal nodes can initiate a
communication connection to the external network. The response frames from the
external network can pass through the NAT/NAPT router and the firewall without
requiring their addresses to be additionally added to the firewall rule and the
NAT/NAPT address translation.
Frames that are not a response to a request from the internal network will be
discarded if there is no applicable firewall rule.


Translation in this application using the example of NAT

The following screen shots show the NAT table and the associated firewall rules of
this application. The different colors indicate the correlations.
Figure 3-5: NAT table and firewall rules of this application (screen shots)

The following table lists the correlations:

Table 3-7

NAT entry          Firewall rule                                           Description
                   (Action / From-To / Source / Destination / Service)
172.158.2.3 ->     Allow / External -> Internal / Service PC /             All data packets from external to the
CP343-1 Advanced   CP343-1 Advanced / S7                                   CP343-1 Advanced are allowed that reach
(Dst-NAT)          Allow / External -> Internal / PG /                     the firewall with the IP address of the
                   CP343-1 Advanced / HTTP                                 PG via port 80 (HTTP) or port 21 (FTP),
                   Allow / External -> Internal / PG /                     or with the IP address of the service PC
                   CP343-1 Advanced / FTP                                  via port 102 (S7).
172.158.2.5 ->     Allow / External -> Internal / Service PC /             All data packets from external to the
PN-CPU (Dst-NAT)   PN-CPU / S7                                             PN-CPU are allowed that reach the
                                                                           firewall with the IP address of the
                                                                           service PC via port 102 (S7).
172.158.2.2 <- *   Allow / Internal -> External / all / all / all          All data packets from internal to
(Src-NAT)                                                                  external are allowed.


In a diagrammatic representation, this process can be described as follows:

Figure 3-6: A data packet for 172.158.2.3 (HTTP) arrives from the external network. The NAT router looks up 172.158.2.3 in the NAT table and rewrites the destination to 192.168.2.3 (HTTP). The firewall then checks the packet for 192.168.2.3 (HTTP) and passes it to the internal network.

Table 3-8

Step  Meaning
1.    A device in the external network wants to send a data packet to IP address
      172.158.2.3 (HTTP application).
2.    The NAT router translates this address to the private IP address 192.168.2.3
      (symbolic name CP343-1 Advanced) using the NAT table.
3.    The firewall checks how it should handle the data packet. The entry "Allow,
      External -> Internal, PG -> CP343-1 Advanced, HTTP" allows all data packets
      coming from the PG via port 80 that are addressed to the CP343-1 Advanced to pass.
4.    The data packet is forwarded to the internal network.

Behavior if the assignment is incorrect

If NA(P)T entries and firewall rules do not match, the S602 V3 blocks every data
packet that is not covered by a rule.
In the following sample configuration, no firewall rule was created for the
translation of IP address 172.158.2.5 to the PN-CPU (symbolic name for 192.168.2.5):


Figure 3-7: NAT table and firewall rules of the sample configuration without a rule for the PN-CPU (screen shots)

During data communication between the external and internal network, the
following happens:

Figure 3-8: A data packet for 172.158.2.5 (S7) arrives from the external network. The NAT router rewrites the destination to 192.168.2.5 (S7) using the NAT table. The firewall finds no rule for this packet and discards it.


Table 3-9

Step  Meaning
1.    A device in the external network wants to send a data packet to IP address
      172.158.2.5 (S7 application).
2.    The NAT router translates this address to the private IP address 192.168.2.5
      (symbolic name PN-CPU) using the NAT table.
3.    The firewall checks how it should handle the data packet. As no rule exists,
      the data packet is discarded.


4 SCALANCE S Product Overview


4.1 The idea of the cell protection concept
Motivation
If controllers or other intelligent devices with no or only minimal self-protection
are located in a network segment, the only remaining option is to create a secure
network environment for these devices. The easiest way to achieve this is to use
special routers or gateways. They provide IT security through integrated
industrial-grade firewalls and are themselves protected.

The cell protection concept


The security concept designed by Siemens was tailored specifically to the
requirements in the automation environment to meet the increasing demand for
network security.
The core of this concept is to segment the automation network in terms of security
and to create protected automation cells. Therefore, cells are network segments
separated in terms of security.
The network nodes within a cell are protected by special security modules that
control the data traffic from and to the cell and check the access rights. Only
authorized frames are allowed to pass.


Figure 4-1: Cell protection concept. Below the office network lies the automation network; the robot cells are separated from the automation network by S602 V3 modules, so that each cell forms its own protected segment.


Advantages of the cell concept

The main purpose of the cell protection concept is to protect all devices that cannot
protect themselves. Mostly, these are devices for which an upgrade with security
functions is not viable or too costly. Another reason is technical feasibility:
smaller programmable controllers in particular lack the necessary hardware resources.
The security module that protects the entire cell protects several devices
simultaneously, which lowers costs and also reduces the configuration overhead.
The security module can be integrated into existing networks without side effects
on the existing communication (reaction-free).

Real time and security
Real-time communication and security are fundamentally opposing requirements.
Checking frames against the rules or configurations costs time and performance.
The cell protection concept allows both requirements to be met at the same time:
within a cell, real-time communication takes place entirely unaffected by any
security mechanisms, because the security module checks data only at the cell
entrance.

4.2 SCALANCE S602 V3

Description
The SCALANCE S602 V3 is a product from the SIMATIC NET SCALANCE S family. Like
the other modules, the S602 V3 is optimized for use in the automation environment
and meets the special requirements of automation engineering.
The SCALANCE S602 V3 belongs to the category of circuit-level gateways and is a
stateful inspection firewall that protects all devices of an Ethernet network.
Properties

The SCALANCE S602 V3 features the following security functions:
- Protection of devices with or without independent security functions by the
  integrated firewall:
  - Analysis of data packets based on the source and destination address
  - Support of Ethernet non-IP frames
  - Bandwidth limitation
  - Global and local firewall rules
  - User-defined firewall rules
- Simultaneous protection of several devices: integrating the SCALANCE S as the
  link between two networks automatically protects the devices behind it.
- Router mode: in router mode, the SCALANCE S separates the internal network from
  the external network. The internal network appears as a separate subnet.
- Reaction-free integration of the SCALANCE S602 V3 into an existing infrastructure
  with flat networks (bridge mode).
In addition, the SCALANCE S602 V3 supports the following network functions:
- Address translation with NAT/NAPT
- DHCP server for IP address assignment in the internal network
- Logging and evaluation of log files via an external server
- SNMP for analysis and evaluation of network information


Interfaces
The SCALANCE S602 V3 has two interfaces:
- Port 1 (red), recognizable by the lock symbol
- Port 2 (green)
The unsecured, external network is connected to the red port; the internal network
to be secured is connected to the green port.
Figure 4-2: SCALANCE S602 V3 with the external network on port 1 (red) and the internal network on port 2 (green)

Note The Ethernet connections on port 1 and port 2 are handled differently by the
SCALANCE S and must therefore not be mixed up when connecting to the
communication network. If the ports are swapped over, the device will lose its
protective function.

4.3 Security Configuration Tool


Configuring the S602 V3
The SCALANCE S602 V3 is configured using the Security Configuration Tool
(SCT). Its handling is very simple and, in the minimum configuration, requires no
special knowledge of security.
The following screen shot shows the user interface of the Security Configuration
Tool:
Figure 4-3: User interface of the Security Configuration Tool (screen shot)

Properties
The Security Configuration Tool has the following properties:
- Configuration of the SCALANCE and SINAUT security modules in the SCT.
- Test and diagnostic displays.
- Status displays.
- Standard mode for fast and easy configuration of the security modules, even
  without security knowledge.
- Advanced mode for the individual configuration of the security modules.
- Access for authorized users only through password assignment when creating
  a project.
- Consistency checks already during configuration.
- Encryption of the saved project and configuration data.
- Symbolic addressing of nodes.
- Creation of global, local and user-specific firewall rules.


4.3.1 Symbolic addressing

In the Security Configuration Tool, symbolic names can be assigned in place of the
IP addresses of the nodes. They are limited to the configuration within a project,
i.e. they cannot be used across projects.
Exactly one unique IP or MAC address must be assigned to each symbolic name.
The advantage of symbolic names is that configuring services and rules becomes
easier and less error-prone. Symbolic names are accepted in the configuration of
the following functions:
- Firewall
- NAT/NAPT
- Syslog
- DHCP
The following screen shot shows the symbolic addressing with the associated IP
addresses of this application:
Figure 4-4: Symbolic names and the associated IP addresses of this application (screen shot)


4.3.2 User management

Overview
In the user management of the Security Configuration Tool, you can create new
users and assign them system- or user-defined roles. You define the module rights
per security module.
Figure 4-5: User management in the Security Configuration Tool (screen shot)

System-defined roles
The following system-defined roles are predefined:
- administrator
- standard
- diagnostics
- remote access

The roles are assigned certain rights that are identical on all modules and that
cannot be changed or deleted by the administrator.
For more information, please refer to the security manual listed in /2/, chapter 9
(References).


User-defined roles
In addition to the system-defined roles, you can also create user-defined roles. For
each security module used in the project, you individually define the respective
rights and manually assign the role to the users.

4.4 Firewall rules

Firewall rules are predefined or specifically configured rules for the data traffic
and are created using the Security Configuration Tool. Depending on direction,
source and destination address and protocol (service), data packets either pass
or are discarded.
The following screen shot shows a sample configuration of rule sets:
Figure 4-6: Sample configuration of firewall rule sets in the Security Configuration Tool (screen shot)


A firewall rule is composed of several components:

Table 4-1

Name                    Meaning                                              Option
Action                  Allow or drop rule.                                  Allow: allow frames as defined.
                                                                             Drop: block frames as defined.
From/To                 Communication direction the rule applies to.         Internal -> External
                                                                             External -> Internal
                                                                             Tunnel -> Internal
                                                                             Internal -> Tunnel
Source IP address       Sender address.                                      Alternatively, you can enter a
                                                                             symbolic name.
Destination IP address  Destination address.                                 Alternatively, you can enter a
                                                                             symbolic name.
Service                 Name of the IP/ICMP service or service group used.   The drop-down list offers the
                        Services are defined beforehand and stored with      configured services and service
                        information such as protocol, source port and        groups for selection. When "all" is
                        destination port.                                    selected, no service is checked; the
                                                                             rule applies to all services.
Bandwidth               Bandwidth limitation. A packet passes through the    Range of values: 0..100 Mbps
                        firewall if the allow rule applies and the allowed
                        bandwidth for this rule has not yet been exceeded.
Logging                 Enables or disables logging for this rule.
No.                     Serial number assigned by the Security Configuration
                        Tool to identify the firewall rule in the log table.
Comment                 Your own explanation of the rule.

In the Security Configuration Tool, you can define rules globally, locally and user-
specifically.

Note The Security Configuration Tool allows max. 256 IP/MAC rule sets.

4.4.1 Precedence of rules

The position of a rule in the rule list is also its order of processing.
The packet filter rules are evaluated as follows:
- The list is evaluated from top to bottom; for contradicting rules, the higher
  entry applies.
- For rules for communication between the internal and external network, the
  final (implicit) rule applies: all frames except those explicitly allowed in
  the list are blocked.
- For rules for communication between the internal network and an IPsec tunnel,
  the final rule applies: all frames except those explicitly blocked in the list
  are allowed.

Note All frame types from internal -> external or vice versa are blocked with the
factory settings and must be explicitly allowed.
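The following Python example, added here and not part of the original document, combines the processing order of section 3.5 (address translation first, then the firewall) with the precedence rules above: the Dst-NAT entries and firewall rules of Table 3-7 are evaluated top to bottom with an implicit final block rule, responses to connections opened from the internal network pass without a rule (stateful packet inspection), and the n:1 Src-NAT assigns a port so that the response can be mapped back. The addresses of the PG (172.158.2.1) and the service PC (172.158.2.6) in the external network, the external host 172.158.2.9 and the Src-NAT port pool are assumptions; only the NAT entries and the rules follow the document.

```python
"""Address translation followed by firewall evaluation, as in Figure 3-4 and section 4.4.1.

Added example, not Siemens code. The Dst-NAT entries and the firewall rules are
those of Table 3-7; the external addresses 172.158.2.1 (PG) and 172.158.2.6
(service PC), the external host 172.158.2.9 and the Src-NAT port pool are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Service definitions as configured in the SCT (name -> destination port)
SERVICES: Dict[str, int] = {"HTTP": 80, "FTP": 21, "S7": 102}

EXT_TO_INT = "External -> Internal"
INT_TO_EXT = "Internal -> External"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str     # "Allow" or "Drop"
    direction: str  # EXT_TO_INT or INT_TO_EXT
    source: str     # IP address or "all"
    destination: str
    service: str    # key of SERVICES or "all"

    def matches(self, direction: str, pkt: Packet) -> bool:
        return (self.direction == direction
                and self.source in ("all", pkt.src_ip)
                and self.destination in ("all", pkt.dst_ip)
                and (self.service == "all" or SERVICES[self.service] == pkt.dst_port))


class SecurityModule:
    """NAT/NAPT router in front of a stateful packet filter (Figure 3-4)."""

    def __init__(self, external_ip: str, dst_nat: Dict[str, str], rules: List[Rule],
                 port_pool: range = range(60000, 60010)):
        self.external_ip = external_ip
        self.dst_nat = dst_nat                   # external IP -> internal IP
        self.rules = rules                       # evaluated top to bottom, first match wins
        self._free_ports = list(port_pool)       # ports handed out by the n:1 Src-NAT (assumed pool)
        self._src_nat: Dict[int, Tuple[str, int]] = {}              # external port -> (internal IP, port)
        self._established: Set[Tuple[str, int, str, int]] = set()   # (peer IP, peer port, ext IP, ext port)

    def _firewall(self, direction: str, pkt: Packet) -> bool:
        for rule in self.rules:                  # the first matching rule decides ...
            if rule.matches(direction, pkt):
                return rule.action == "Allow"
        return False                             # ... otherwise the implicit final rule blocks

    def from_external(self, pkt: Packet) -> Optional[Packet]:
        """Return the frame delivered to the internal network, or None if discarded."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self._established:             # response to a connection opened from internal:
            int_ip, int_port = self._src_nat[pkt.dst_port]   # reverse Src-NAT, no rule needed
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        if pkt.dst_ip not in self.dst_nat:       # no NAT entry: nothing to translate
            return None
        translated = Packet(pkt.src_ip, pkt.src_port, self.dst_nat[pkt.dst_ip], pkt.dst_port)
        return translated if self._firewall(EXT_TO_INT, translated) else None

    def from_internal(self, pkt: Packet) -> Optional[Packet]:
        """Return the frame sent to the external network, or None if discarded."""
        ext_port = self._free_ports[0]
        translated = Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)  # n:1 Src-NAT
        if not self._firewall(INT_TO_EXT, translated):     # translation first, then the firewall
            return None
        self._free_ports.pop(0)
        self._src_nat[ext_port] = (pkt.src_ip, pkt.src_port)
        self._established.add((pkt.dst_ip, pkt.dst_port, self.external_ip, ext_port))
        return translated


def build_module(with_pn_cpu_rule: bool = True) -> SecurityModule:
    """NAT table and firewall rules of Table 3-7 (Figure 3-7 omits the PN-CPU rule)."""
    cp, cpu = "192.168.2.3", "192.168.2.5"          # CP343-1 Advanced, PN-CPU
    pg, service_pc = "172.158.2.1", "172.158.2.6"   # assumed external addresses
    rules = [
        Rule("Allow", EXT_TO_INT, service_pc, cp, "S7"),
        Rule("Allow", EXT_TO_INT, pg, cp, "HTTP"),
        Rule("Allow", EXT_TO_INT, pg, cp, "FTP"),
        Rule("Allow", INT_TO_EXT, "all", "all", "all"),
    ]
    if with_pn_cpu_rule:
        rules.insert(3, Rule("Allow", EXT_TO_INT, service_pc, cpu, "S7"))
    return SecurityModule("172.158.2.2", {"172.158.2.3": cp, "172.158.2.5": cpu}, rules)


if __name__ == "__main__":
    m = build_module()
    print(m.from_external(Packet("172.158.2.1", 50000, "172.158.2.3", 80)))   # Figure 3-6: passes
    print(build_module(False).from_external(Packet("172.158.2.6", 50000, "172.158.2.5", 102)))  # Figure 3-8
    out = m.from_internal(Packet("192.168.2.3", 4444, "172.158.2.9", 80))
    print(out, m.from_external(Packet("172.158.2.9", 80, "172.158.2.2", 60000)))  # reply mapped back
```

Inserting a Drop rule for PG -> CP343-1 Advanced (HTTP) at the top of the list blocks the packet of Figure 3-6, because the higher entry applies; building the module without the PN-CPU rule reproduces Figure 3-8, where the packet is translated and then discarded by the firewall. An unsolicited packet from a different external host to the port handed out by the Src-NAT is not a response and is discarded as well.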


4.4.2 The different firewall rule sets

Local rule sets


Each local rule set is assigned to one module and directly defined in the properties
dialog of a module.

Global firewall rules


Global firewall rules are defined outside the modules at the project level.
The advantage is that rules that apply to several modules must only be configured
once. Using drag and drop, the global firewall rules are simply moved to the
module to which these firewall rules are to apply. This global firewall rule set
appears automatically in the module-specific list of firewall rules.
Global firewall rules can be defined for:
- IP rule sets
- MAC rule sets

Figure 4-7: Rule list of a module, composed of its local rules (Local rule 1, Local rule 2) and the assigned global rule sets (Global rule set 1 and Global rule set 2, each with its own rules 1 to 3)

Note Global firewall rules are particularly useful if several security modules are
managed in a project.
In this application, only one S602 V3 is configured and managed. In this case,
the use of global firewall rules has no advantage over local rules. However, they
are nevertheless used to demonstrate the application and creation of global
rules.


User-specific firewall rules

For the user-specific firewall, rule sets can be assigned to one or several users
and then to the individual security modules. This makes access dependent on the
user and not (only) on IP or MAC addresses.
For this purpose, the user logs on to the SCALANCE S602 V3 on a Web page. If logon
is successful, the firewall rule set intended for this user is enabled.
Users can log on with the following roles:
- administrator
- diagnostics
- remote access
After logon, a 30-minute timer is started. When this time has elapsed, the user is
automatically logged off the SCALANCE S602 V3.
In online mode of the Security Configuration Tool, an overview table is offered for
the user check. It lists all users currently logged on to the SCALANCE S602 V3.
Figure 4-8: Overview table of logged-on users (user check) in online mode (screen shot)

To log off from the SCALANCE S602 V3, three options are available:
- The Log off button on the Web page.
- Automatically after the timer has elapsed.
- The User check online function: select the user and click the Log off button.
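As an added example (not Siemens code), the following Python class models the logon-controlled rule sets described above: a user with one of the permitted roles logs on from a node, the rule sets assigned to that user become active for that node, and the session ends by the Log off button, by logoff in the user check, or automatically when the 30-minute timer has elapsed. The user names, the rule-set names and the choice to key a session by the source address the user logged on from are assumptions made for this example.

```python
"""Logon-activated rule sets with automatic logoff, as described for the user-specific firewall.

Added example, not Siemens code. The user names, the rule-set names and the
idea of keying a session by the address the user logged on from are assumptions
made for this example; the permitted roles, the 30-minute timer and the three
logoff paths follow the text.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

LOGON_TIMEOUT_S = 30 * 60                                        # timer started at logon
LOGON_ROLES = {"administrator", "diagnostics", "remote access"}  # "standard" may not log on


@dataclass(frozen=True)
class Session:
    user: str
    source_ip: str    # node the user logged on from; its frames get the user's rule sets
    logon_time: float


class UserSpecificFirewall:
    def __init__(self, roles: Dict[str, str], rule_sets: Dict[str, Set[str]]):
        self.roles = roles              # user -> system- or user-defined role
        self.rule_sets = rule_sets      # user -> names of the rule sets assigned to this user
        self._sessions: Dict[str, Session] = {}   # source IP -> session

    def logon(self, user: str, password_ok: bool, source_ip: str, now: float) -> bool:
        """Web-page logon: only authenticated users with a permitted role get a session."""
        if not password_ok or self.roles.get(user) not in LOGON_ROLES:
            return False
        self._sessions[source_ip] = Session(user, source_ip, now)
        return True

    def logoff(self, source_ip: str) -> bool:
        """Log off button on the Web page, or Log off in the SCT user check."""
        return self._sessions.pop(source_ip, None) is not None

    def _expire(self, now: float) -> None:
        """Automatic logoff once the 30-minute timer has elapsed."""
        for ip, session in list(self._sessions.items()):
            if now - session.logon_time >= LOGON_TIMEOUT_S:
                del self._sessions[ip]

    def active_rule_sets(self, source_ip: str, now: float) -> Set[str]:
        """Rule sets the packet filter applies to frames from source_ip right now."""
        self._expire(now)
        session = self._sessions.get(source_ip)
        return set(self.rule_sets.get(session.user, ())) if session else set()

    def logged_on_users(self, now: float) -> List[str]:
        """Content of the User check overview table in online mode."""
        self._expire(now)
        return sorted(session.user for session in self._sessions.values())


if __name__ == "__main__":
    fw = UserSpecificFirewall(
        roles={"service": "remote access", "operator": "standard"},   # assumed users
        rule_sets={"service": {"CP_FTP_HTTP"}},                        # assumed rule-set name
    )
    print(fw.logon("operator", True, "192.168.2.1", 0.0))    # False: role may not log on
    print(fw.logon("service", True, "192.168.2.1", 0.0))     # True
    print(fw.active_rule_sets("192.168.2.1", 10 * 60.0))     # rule set active after 10 minutes
    print(fw.active_rule_sets("192.168.2.1", 30 * 60.0))     # empty: timer elapsed
```

The timer is absolute from the moment of logon, as the text describes; it is not extended by traffic. A node that never logged on, or one whose user was logged off through the user check, gets no user-specific rule set, so only the local, global and default rules apply to its frames.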


4.4.3 Conventions for the firewall rule sets

The following conventions apply to creating global and user-specific firewall
rule sets:
- They can only be created in advanced mode of the Security Configuration Tool.
- By default, locally defined rules have higher priority; if new global and/or
  user-specific firewall rules are assigned to a security module, these rules
  are therefore initially added to the bottom of the local rule list. The
  priority can be changed by changing the position in the rule list.
- Global and user-specific firewall rules can only be assigned to a security
  module as an entire rule set.
- They cannot be edited in the local rule list of the module properties; they
  can only be displayed there and positioned according to the desired priority.
  It is not possible to delete a single rule from an assigned rule set. Only the
  complete rule set can be removed from the local rule list; this does not change
  its definition in the global rule list.

4.5 Logging and diagnostics options in the SCT


For test and monitoring purposes, the online view of the Security Configuration
Tool provides various diagnostics and logging options.

Requirements for the online view

To obtain access to the online view, the following must apply:
- Online mode is enabled in the Security Configuration Tool (View > Online).
- A network connection to the selected module exists.

4.5.1 Online functions

The following screen shot shows the online dialog:
Figure 4-9: Online dialog of the Security Configuration Tool (screen shot)


It offers the following functions:


Table 4-2

Function              Meaning
Status                Display of the device status of the SCALANCE S module selected in the project.
Date and time of day  Setting of date and time of day.
Cache tables          ARP table of the security module.
User check            Overview of logged-on users for the user-specific firewall rules.
Internal nodes        Display of the internal network nodes of the SCALANCE S module.
Interface settings    Status display of the selected interface (PPPoE, DynDNS).
System log            Display of logged system events.
Audit log             Display of logged security events.
Packet filter log     Display of logged data packets; start and stop of packet logging.

4.5.2 Logging

The events to be logged are defined in the properties dialog of the SCALANCE
S602 V3. Two variants are available for logging:
- Local log: logs the messages in the local buffer of the S602 V3. The recording
  can be stored according to two selectable methods:
  - Ring buffer: once the buffer is full, recording starts again at the beginning
    of the buffer and thus overwrites the oldest entries.
  - One-shot buffer: recording stops when the buffer is full.
  The Security Configuration Tool enables you to access, visualize and archive
  these logs.
- Network Syslog: instead of the local buffer, the messages are sent to an
  external Syslog server.


Settings
The following screen shot shows the possible logging settings for the S602 V3:
Figure 4-10: Logging settings of the S602 V3 in the Security Configuration Tool (screen shot)

The following events can be logged:

Table 4-3

Event                 Meaning
Packet filter events  Data packets to which a configured packet filter rule (firewall)
                      applies or to which the basic protection reacts.
Audit events          Security-relevant events such as enabling or disabling packet
                      logging or entering an incorrect password during authentication.
System events         System events such as the start of a process.

Aside from selecting events, this dialog also allows you to enable or disable logging
and to define the storage of data.


Logging functions
The following logging functions are available in online mode (the original
document shows a screen shot for each):

Table 4-4

Function           Meaning
System log         Display of logged system events.
Audit log          Display of logged security events.
Packet filter log  Display of logged data packets; start and stop of packet logging.


5 Installation
This chapter describes which hardware and software components have to be
installed. The descriptions and manuals as well as delivery information included in
the delivery of the respective products should be observed in any case.

5.1 Installing the hardware

For the hardware components, please refer to chapter 2.3.
Figure 5-1: Hardware setup. In the external network, the control room PC, the service PC, the external PC and the Syslog server are connected to a SCALANCE X208. The S602 V3 separates this network from the automation cell protected by the firewall, whose SCALANCE X208 connects the CPU 317-2 PN/DP with CP343-1 Advanced and the CPU 319-3 PN/DP.


To install the hardware, follow the instructions in the table below:

Table 5-1

No.  Action                                                          Remark
Internal network
1.   Mount all modules on a DIN rail.                                CPU 319-3 PN/DP, CPU 317-2 PN/DP,
                                                                     CP343-1 Advanced, S602 V3, X208
2.   Connect the CPU 317-2 PN/DP and the CP343-1 Advanced via the
     backplane bus.
3.   Connect all components to a 24 V power supply.                  To be able to connect all modules, use
                                                                     either terminal strips or several power
                                                                     supply units.
4.   Connect the modules via Ethernet as follows:
     - CPU 319-3 PN/DP to port 6 of the first SCALANCE X208
     - CP343-1 Advanced to port 1 of the first SCALANCE X208
     - Internal interface (green) of the S602 V3 to port 5 of the
       first SCALANCE X208
External network
5.   Connect the second SCALANCE X208 to a 24 V power supply.
6.   Connect the modules in the external network via Ethernet as
     follows:
     - PC of the control room to port 2 of the second SCALANCE X208
     - Service PC to port 2 of the second SCALANCE X208
     - Syslog server to port 7 of the second SCALANCE X208
     - External PC to port 6 of the second SCALANCE X208
     - External interface (red) of the S602 V3 to port 8 of the
       second SCALANCE X208

Note Always follow the installation guidelines for the components.

Note To make sure that no old configuration is saved in the S602 V3, reset the module
to factory settings. For help, see /2/ in chapter 9 (References).


5.2 Installing the software

Installing the standard tools
Table 5-2

No.  Action                                                    Remark
1.   Install STEP 7 V5.5 SP2 on the service PC and the         Follow the instructions of the
     external PC.                                              installation program.
2.   Install the Security Configuration Tool on the PG.        Follow the instructions of the
                                                               installation program.
3.   Install the FTP client on the PG and the external PC.     Follow the instructions of the
                                                               installation program.
4.   Install a Syslog program on the Syslog server.            Follow the instructions of the
                                                               installation program.

Installing the application software

Extract the code folder 22376747_Firewall_S602_V30_CODE. It contains two STEP 7
projects:
- Bridge.zip: project for setup in bridge mode.
- NAT_NAPT.zip: project for setup in router mode.
On the service PC, open the SIMATIC Manager and select File > Retrieve to unzip
the required STEP 7 project: for bridge mode use Bridge.zip, for router mode use
NAT_NAPT.zip.


6 Commissioning in Bridge Mode


6.1 Overview of the configuration mode
Bridge mode is a flat network. The external and internal network are in the same
subnet.

Overview
Figure 6-1: Bridge mode setup. External network: control room PG 192.168.2.1, service PC 192.168.2.6, Syslog server 192.168.2.4 and external PC 192.168.2.7 on a SCALANCE X208. S602 V3: 192.168.2.2. Automation cell protected by the firewall: CP343-1 Advanced 192.168.2.3 and PN-CPU 192.168.2.5 on a second SCALANCE X208.

IP addresses used
Table 6-1

Network           Module                  IP address
External network  PG in the control room  192.168.2.1
                  Service PC              192.168.2.6
                  Syslog server           192.168.2.4
                  External PC             192.168.2.7
                  S602 V3                 192.168.2.2
Internal network  CP343-1 Advanced        192.168.2.3
                  PN-CPU                  192.168.2.5


The following table describes the configurations required for the scenarios.

Table 6-2

No.  Application                   Description                                    Chapter
1.   Parameterization              IP configuration of all cell-internal          Enabling the DCP protocol (chapter 6.4)
                                   devices through node initialization in
                                   STEP 7 (via DCP)
2.   Configuration/diagnostics/    Enabling the full PG functionality (STEP 7)    IP service definition (chapter 6.8.1)
     visualization                 for the PC of the service employee.            Creating the local firewall rules (chapter 6.8.4)
3.   Bandwidth limitation          Restricting the data communication for the     Creating the local firewall rules (chapter 6.8.4)
                                   PC of the service employee.
4.   Productive data transfer,     Enabling access to the FTP and Web server      IP service definition (chapter 6.8.1)
     visualization                 of the cell-internal Advanced CP for the       Creating the local firewall rules (chapter 6.8.4)
                                   control room PG.                               Creating the global firewall rule (chapter 6.8.3)
5.   Logging the data traffic      Enabling data traffic logging to an            Creating the local firewall rules (chapter 6.8.4)
                                   external Syslog server.                        Configuring Syslog logging (chapter 6.7)
6.   User-defined firewall rules   Enabling access to the FTP and Web server      Defining users in the SCT (chapter 6.8.2)
                                   of the cell-internal Advanced CP for           Creating user-specific firewall rules (chapter 6.8.5)
                                   selected users.


6.2 Assigning the IP addresses

Assigning the IP addresses of the PCs/PGs
In the following, the PCs/PGs are configured with the necessary IP addresses.

Table 6-3

No.  Action                                                             Remark
1.   To change the network address, select Start > Settings > Network   Note: for routing mode, you additionally
     Connection > Local Connections and open Internet Protocol          require a gateway address. In that case,
     (TCP/IP). Change the IP address of the PG in the control room,     also enter the IP address of the
     the service PC, the Syslog server and the external PC in this      associated router.
     way as shown in Table 6-1.

S602 V3 Firewall
V3.0, Entry ID: 22376747 49
6 Commissioning in Bridge Mode

Assigning the IP addresses of the modules
To load the STEP 7 project to the CPU, change the IP address of the module via which the project is loaded. This can be the CPU itself or a CP.
Table 6-4
No. | Action | Note
1. | Connect the service PC to the internal network via the first SCALANCE X208. | In the default mode, the S602 V3 does not allow node initialization of all cell-internal devices by an external PG with STEP 7. For this reason, the PG must be directly in the internal network for node initialization.
2. | On the service PC, open the SIMATIC MANAGER and the STEP 7 project. In the PLC menu, select the Edit Ethernet Node option. |
3. | Click on the Browse button. |
4. | Select the desired module and click on OK to confirm the selection. |
5. | In the Set IP configurations window that appears, enter the IP address as shown in Table 6-1. Note: For routing mode, you additionally require a gateway address. In this case, check Use router and enter the IP address of the associated router. Click on the Assign IP Configuration button. |
6. | Proceed in this way to assign the respective IP addresses to CP and CPU. | Loading the SCT project assigns the SCALANCE its IP address.
7. | Connect the service PC again to port 7 of the second SCALANCE X208. |

6.3 Creating a project in the SCT

The SCALANCE S module is configured with the aid of the Security Configuration Tool (SCT).
Table 6-5
No. | Action | Remark
1. | Select Start > SIMATIC > Security to open the Security Configuration Tool. Select Project -> New to create a new project. |
2. | You are prompted to assign an authentication for the new project. Enter a user name and password. Confirm with OK. |
3. | Select the S602 module and version V3. Select any name and apply the MAC address of the module that can be found on the housing. As the external IP address, assign 192.168.2.2 with subnet mask 255.255.255.0. Confirm the entries with OK. |

6.4 Enabling the DCP protocol

Enabling the DCP protocol allows node initialization of all cell-internal devices using an external PG with STEP 7.
Table 6-6
No. | Action | Remark
1. | Select the module and use the right mouse button -> Properties to open the module properties. Go to the Firewall tab. |
2. | Check the Allow DCP option in both directions. This allows setting IP addresses or device names (node initialization) by means of the Primary Setup Tool (PST) integrated in STEP 7. Confirm the change with OK. |
3. | Save the configuration with a meaningful name (e.g., S602 V3_FW). |
4. | Now transfer the configuration to the module. Select the row with the module and select Transfer > To module. The F LED changes from yellow-orange to green. Wait until the Transfer finished successfully message appears. |
5. | You can now use a network scan to detect the internal nodes. |

6.5 Symbolic addressing in the SCT

Symbolic addressing of nodes facilitates the configuration of the individual services.
Table 6-7
No. | Action | Remark
1. | Select Options > Symbolic Names to open the table for symbolic addressing. |
2. | Use Add to enter all nodes with their IP address and MAC address in the table. Use the IP addresses from Table 6-1. Close the dialog with OK. | Bridge mode: addresses from Table 6-1. Router mode: addresses from Table 7-1.

6.6 Advanced mode

In addition to the default settings, advanced mode offers more configuration options.

NOTICE Once you have switched to advanced mode for the current project, this action cannot be undone.

Table 6-8
No. | Action | Remark
1. | An individual configuration of the firewall is only possible in advanced mode. Select View > Advanced Mode to activate it. |
2. | Confirm the warning message with Yes. |

6.7 Configuring Syslog logging

Data packets are to be logged on a Syslog server.
Table 6-9
No. | Action | Remark
1. | Select the S602 V3 module in the Security Configuration Tool and use the right mouse button -> Properties to open the properties dialog. Go to the Log Settings tab. Enable logging with a Syslog server and select that the symbolic names of the internal nodes are displayed instead of IP addresses. Enter the symbolic name Syslog-Server as the IP address. Enable the messages to be transferred to the Syslog server. Close the dialog with OK. |

6.8 Configuring the firewall rules

Requirements
Requirements for configuring the firewall are:
- An SCT project was created with an S602 V3.
- The S602 V3 module was configured with the MAC address of the real S602 V3 module.
- In bridge mode: 192.168.2.2 has been entered as the external IP address.
- Advanced mode is activated.

6.8.1 IP service definition

IP service definitions allow the compact and clear definition of firewall rules that are applied to certain services. Each set of service parameters is assigned a name. When configuring the global or local packet filter rules, these names are then used instead of the individual parameters.
Table 6-10
No. | Action | Remark
1. | Select Options > IP Services to open the required table. |
2. | Use Add IP Service to add new IP services. |
3. | For S7 communication: Name: S7; Protocol: TCP; Source Port: *; Target Port: 102. For HTTP communication: Name: HTTP; Protocol: TCP; Source Port: *; Target Port: 80. For FTP access: Name: FTP; Protocol: TCP; Source Port: *; Target Port: 21. Once you have entered all services, close the dialog with OK. |

6.8.2 Defining users for the SCT

Table 6-11
No. | Action | Remark
1. | Select Options > User Management to open the user management in the Security Configuration Tool. |
2. | The start screen lists all users that have already been configured with their names and roles. You can use Add to create more users. |
3. | Define a name and password. From the drop-down list, select the remote access role. The user with the remote access role has no rights except logon to the Web page for user-specific firewall rules. Close the window with OK. |
4. | The new user is displayed in the overview table. Close the window with OK. |
5. | Confirm the warning message with OK. |

6.8.3 Creating the global firewall rule

For this application, the firewall rule for the FTP server is created as a global rule.
Table 6-12
No. | Action | Remark
1. | In Global firewall rule sets, select Firewall IP rule sets and use the right mouse button > Insert rule set to insert a new rule set. |
2. | To better identify the global firewall rule, you can enter a name and a description. |
3. | Use Add Rule to create a new global firewall rule. Enter the following values: Action: Allow; From/To: External -> Internal; Source IP: PG; Destination IP: CP343-1Advanced; Service: FTP; Logging: Enabled. Close the dialog with OK. |
4. | A new global firewall rule was created. |
5. | Select this rule and use drag and drop to move it to the S602 V3 module. |

6.8.4 Creating the local firewall rules

The S7 protocol and HTTP communication are enabled as local firewall rules.
Table 6-13
No. | Action | Remark
1. | Select the S602 V3 and use the right mouse button -> Properties to open the properties. Go to the Firewall Setting and IP Rules tab. The global firewall rule that has just been moved to the module using drag and drop now also appears in the local firewall settings. |
2. | Click on Add Rule to create a new local firewall rule. |
3. | Enter the following values: Action: Allow; From/To: External -> Internal; Source IP: Service-PC; Destination IP: PN-CPU; Service: S7; Bandwidth: 10 (Mbps); Enable Logging. |
4. | You can use Add Rule to add more rules. For S7 communication and HTTP communication, enter the following rows: (a) Action: Allow; From/To: External -> Internal; Source IP: Service-PC; Destination IP: CP343-1Advanced; Service: S7; Bandwidth: 10 (Mbps); Enable Logging. (b) Action: Allow; From/To: External -> Internal; Source IP: PG; Destination IP: CP343-1Advanced; Service: HTTP; Enable Logging. (c) Action: Allow; From/To: Internal -> External; Source IP: *; Destination IP: *. Close the dialog with OK. |

Note The Security Configuration Tool automatically assigns a unique label to each firewall rule. To determine which firewall rule was active when logging system and security events, the log row displays the associated label.

6.8.5 Creating user-specific firewall rules

Table 6-14
No. | Action | Remark
1. | Select User-specific firewall rules and use the right mouse button > Insert rule set to insert a new rule set. |
2. | To better identify the user-specific firewall rule, you can assign a name and a description. The bottom part displays all configured users. |
3. | Use Add Rule to create a new firewall rule. |
4. | Enter the following values: (a) Action: Allow; From/To: External -> Internal; Source IP: (left empty); Destination IP: CP343-1Advanced; Service: HTTP; Logging: Enabled. (b) Action: Allow; From/To: External -> Internal; Source IP: (left empty); Destination IP: CP343-1Advanced; Service: FTP; Logging: Enabled. |
5. | Select the configured user and use Add to assign this rule set to the user. |
6. | Close this dialog with OK. |
7. | A new user-specific firewall rule was created. |
8. | Select this rule and use drag and drop to move it to the SCALANCE S602 V3. |

Note The following rules apply to the assignment of user-specific firewall rules: A module can only be assigned one user-specific rule set per user. The assignment enables the "User can log on with module" role for all roles of the users defined in the rule set.
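The rule set of chapters 6.8.1 to 6.8.5, as an added example that is not part of the Siemens application description: a Python model of the configured IP services, symbolic names and firewall rules, used to check the access rights of Table 8-1 against the rules before the project is downloaded. The model assumes that a packet matching no Allow rule is dropped, that rules are checked top-down, that the labels G1/L1/U1 stand in for the labels the SCT assigns automatically, and that a user-specific rule takes the address of the logged-on user as its source; these assumptions and all function names are the example's own.

```python
"""Model of the S602 V3 packet-filter rules from chapters 6.8.1 to 6.8.5.

Added example, not part of the Siemens application description. It rebuilds
the IP services, symbolic names and firewall rules in Python so that the
access rights of Table 8-1 can be checked against the rule set. Assumptions
of this model: a packet that matches no Allow rule is dropped, rules are
evaluated top-down, the labels (G1, L1, U1, ...) stand in for the labels the
Security Configuration Tool assigns automatically, and a user-specific rule
takes the address of the logged-on user as its source.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Symbolic names and addresses from Table 6-1 (bridge mode).
HOSTS = {
    "PG": "192.168.2.1",
    "CP343-1Advanced": "192.168.2.3",
    "Syslog-Server": "192.168.2.4",
    "PN-CPU": "192.168.2.5",
    "Service-PC": "192.168.2.6",
    "External-PC": "192.168.2.7",
}
INTERNAL = {"CP343-1Advanced", "PN-CPU"}   # nodes inside the automation cell

# IP service definitions from Table 6-10: name -> (protocol, destination port).
SERVICES = {"S7": ("tcp", 102), "HTTP": ("tcp", 80), "FTP": ("tcp", 21)}


@dataclass(frozen=True)
class Rule:
    label: str
    direction: str                      # "ext->int" or "int->ext"
    src: str                            # symbolic name or "*"
    dst: str
    service: str                        # service name or "*"
    bandwidth_mbps: Optional[int] = None
    logging: bool = False


# Global rule (Table 6-12) followed by the local rules (Table 6-13).
RULES: List[Rule] = [
    Rule("G1", "ext->int", "PG", "CP343-1Advanced", "FTP", logging=True),
    Rule("L1", "ext->int", "Service-PC", "PN-CPU", "S7", 10, True),
    Rule("L2", "ext->int", "Service-PC", "CP343-1Advanced", "S7", 10, True),
    Rule("L3", "ext->int", "PG", "CP343-1Advanced", "HTTP", logging=True),
    Rule("L4", "int->ext", "*", "*", "*"),
]

# User-specific rule set (Table 6-14): destination and service only; the
# source becomes the address of the user logged on at the module's Web page.
USER_RULES = [("CP343-1Advanced", "HTTP"), ("CP343-1Advanced", "FTP")]


def active_rules(logged_on_ip: Optional[str]) -> List[Rule]:
    """Static rules plus the user-specific rules for a logged-on user, if any."""
    rules = list(RULES)
    user = next((n for n, ip in HOSTS.items() if ip == logged_on_ip), None)
    if user is not None:
        rules += [Rule(f"U{i}", "ext->int", user, dst, svc, logging=True)
                  for i, (dst, svc) in enumerate(USER_RULES, start=1)]
    return rules


def evaluate(src: str, dst: str, proto: str, dport: int,
             logged_on_ip: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return ("allow", label) for the first matching rule, else ("drop", None)."""
    direction = "int->ext" if src in INTERNAL else "ext->int"
    for r in active_rules(logged_on_ip):
        if r.direction != direction:
            continue
        if r.src != "*" and r.src != src:
            continue
        if r.dst != "*" and r.dst != dst:
            continue
        if r.service != "*" and SERVICES[r.service] != (proto, dport):
            continue
        return ("allow", r.label)
    return ("drop", None)


def check_table_8_1() -> dict:
    """The user scenarios of Table 8-1 expressed as packets through the firewall."""
    return {
        "service PC: STEP 7 to PN-CPU": evaluate("Service-PC", "PN-CPU", "tcp", 102),
        "control room PG: HTTP to CP": evaluate("PG", "CP343-1Advanced", "tcp", 80),
        "control room PG: FTP to CP": evaluate("PG", "CP343-1Advanced", "tcp", 21),
        "external PC: FTP to CP": evaluate("External-PC", "CP343-1Advanced", "tcp", 21),
        "external PC: FTP to CP after logon":
            evaluate("External-PC", "CP343-1Advanced", "tcp", 21, "192.168.2.7"),
    }
```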

6.9 Downloading the firewall rules to the S602 V3

Once all firewall rules have been configured, the project can be downloaded to the SCALANCE S602 V3.
Table 6-15
No. | Action | Remark
1. | Save the configuration with a meaningful name (e.g., S602 V3_FW). |
2. | Now transfer the configuration to the module. Select the row with the module and select Transfer > To module. The F LED changes from yellow-orange to green. Wait until the Transfer completed successfully message appears. |
3. | The module has now been configured with the current firewall configuration. |

7 Commissioning in Routing Mode

Note This chapter discusses only the additional configuration steps that go beyond the necessary configurations in bridge mode.

7.1 Overview of configuration mode

In router mode the network spans two subnets: the external and internal networks are located in different subnets.

Overview
Figure 7-1 (network overview in routing mode): control room PG 172.158.2.1, external PC 172.158.2.7, service PC 172.158.2.6 and Syslog server 172.158.2.4 on the external SCALANCE X208; S602 V3 external interface 172.158.2.2, internal interface 192.168.2.2; CP 192.168.2.3 and CPU 192.168.2.5 on the internal X208 in the automation cell protected by the firewall.

IP addresses used
Table 7-1
Network | Module | IP address | Router
External network | PG of the control room | 172.158.2.1 | 172.158.2.2
External network | Service PC | 172.158.2.6 | 172.158.2.2
External network | Syslog server | 172.158.2.4 | 172.158.2.2
External network | External PC | 172.158.2.7 | 172.158.2.2
External network | S602 V3 (external interface) | 172.158.2.2 |
Internal network | S602 V3 (internal interface) | 192.168.2.2 |
Internal network | CP343-1 Advanced | 192.168.2.3 | 192.168.2.2
Internal network | PN-CPU | 192.168.2.5 | 192.168.2.2

255.255.255.0 is always used as the subnet mask.

7.2 Basic configurations from bridge mode

Most configuration steps from bridge mode are the basis for routing mode.
The following configuration steps are required for routing mode:

Table 7-2
No. | Chapter | Remark
1. | Assigning the IP addresses (chapter 6.2) | Use the IP addresses from Table 7-1. Make sure to also configure a router address in the devices.
2. | Creating a project in the SCT (chapter 6.3) |
3. | Symbolic addressing in the SCT (chapter 6.5) | Use the IP addresses from Table 7-1.
4. | Advanced mode (chapter 6.6) |
5. | Configuring Syslog logging (chapter 6.7) |
6. | Configuring the firewall rules (chapter 6.8) | Requirements for configuring the firewall are: an SCT project was created with an S602 V3; the S602 V3 module was provided with the MAC address of the real S602 V3 module; in routing mode: 172.158.2.2 has been entered as the external IP address; advanced mode is activated.

7.3 Changing the operating mode to routing

Table 7-3
No. | Action | Remark
1. | Open the Security Configuration Tool project. |
2. | Select the SCALANCE S602 V3 and double-click to open the Properties. In the Interface tab, set the module to routing mode. Change the external IP address to 172.158.2.2 and enter 192.168.2.2 with subnet mask 255.255.255.0 as the internal IP address. Close the dialog with OK. |

7.4 Configuring NA(P)T

This chapter shows the configuration steps necessary to implement NAT or NAPT in the SCALANCE S602 V3.
In this application, you have the option to operate the scenarios either with NAT or with NAPT:
- For operation with NAT, follow the steps of chapter 7.4.1 (Configuring the NAT table).
- For operation with NAPT, follow the steps of chapter 7.4.2 (Configuring the NAPT table).

7.4.1 Configuring the NAT table

NAT is a one-to-one translation. This means that one IP address is translated to another, internal IP address.
Table 7-4
No. | Action | Remark
1. | Go to the NAT tab. The left part of the dialog includes the NAT table. |
2. | Activate NAT and allow all nodes to communicate from internal to external. The 172.158.2.2 * SrcNat (to external) entry is inserted automatically. |
3. | The Add button enables you to insert a new entry. Enter the following address translations in the table: (a) External IP address: 172.158.2.3; Internal IP address: CP343-1Advanced; Direction: Dst-NAT (from external). (b) External IP address: 172.158.2.5; Internal IP address: PN-CPU; Direction: Dst-NAT (from external). Close the dialog with OK. |

7.4.2 Configuring the NAPT table

For NAPT, a single public IP address exists that is translated to a number of private IP addresses by adding port numbers.
Table 7-5
No. | Action | Remark
1. | Select the S602 V3 module in the Security Configuration Tool and use the right mouse button -> Properties to open the properties. Go to the NAT tab. The right part of the dialog includes the NAPT table. |
2. | Activate NAPT. |
3. | The Add button enables you to insert a new entry. Enter the following address translations in the table: (a) External port: 8000; Internal IP address: CP343-1 Advanced; Internal port: 80. (b) External port: 21; Internal IP address: CP343-1 Advanced; Internal port: 21. (c) External port: 102; Internal IP address: PN-CPU; Internal port: 102. |

Note An external port number must only be entered once. As the IP address of the SCALANCE S is always used as the external IP address, the entries would no longer be unique if the same port were used multiple times. For this reason, only one CPU (here: PN-CPU) can be accessed via port 102.
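The two translation tables of chapters 7.4.1 and 7.4.2 and the uniqueness rule from the note above, as an added example in Python that is not part of the Siemens application description: it builds both tables with the entries of Tables 7-4 and 7-5 (the application uses one or the other; both are built here for illustration), looks up where a packet arriving from the external network ends up, and shows that a second entry for external port 102 is rejected. The table classes and function names are this example's own, not the module's internal data structures.

```python
"""NAT and NAPT tables of the SCALANCE S602 V3 in routing mode (chapter 7.4).

Added example, not part of the Siemens application description. It models the
two translation tables with the entries from Tables 7-4 and 7-5 so that the
address a client must use can be worked out, and it enforces the rule from
the note in chapter 7.4.2 that each external port may be entered only once.
Addresses and symbolic names are those of Table 7-1; the class layout is an
assumption of this example.
"""
from typing import Dict, Optional, Tuple

S602_EXTERNAL = "172.158.2.2"    # external interface of the module, Table 7-1
HOSTS = {"CP343-1Advanced": "192.168.2.3", "PN-CPU": "192.168.2.5"}


class NatTable:
    """One-to-one NAT (chapter 7.4.1): one external address per internal node."""

    def __init__(self) -> None:
        self.dst_nat: Dict[str, str] = {}    # external IP -> internal IP
        self.src_nat_enabled = False         # the automatic "SrcNat (to external)" entry

    def allow_internal_to_external(self) -> None:
        self.src_nat_enabled = True

    def add_dst_nat(self, external_ip: str, internal_name: str) -> None:
        if external_ip in self.dst_nat:
            raise ValueError(f"external address {external_ip} already translated")
        self.dst_nat[external_ip] = HOSTS[internal_name]


class NaptTable:
    """NAPT (chapter 7.4.2): the module's external address plus one port per service."""

    def __init__(self) -> None:
        self.entries: Dict[int, Tuple[str, int]] = {}   # ext port -> (int IP, int port)

    def add(self, external_port: int, internal_name: str, internal_port: int) -> None:
        # An external port number must only be entered once (note, chapter 7.4.2).
        if external_port in self.entries:
            raise ValueError(f"external port {external_port} already in use")
        self.entries[external_port] = (HOSTS[internal_name], internal_port)


def build_tables() -> Tuple[NatTable, NaptTable]:
    """The entries of Table 7-4 (NAT) and Table 7-5 (NAPT)."""
    nat = NatTable()
    nat.allow_internal_to_external()
    nat.add_dst_nat("172.158.2.3", "CP343-1Advanced")
    nat.add_dst_nat("172.158.2.5", "PN-CPU")
    napt = NaptTable()
    napt.add(8000, "CP343-1Advanced", 80)
    napt.add(21, "CP343-1Advanced", 21)
    napt.add(102, "PN-CPU", 102)
    return nat, napt


def translate_inbound(nat: NatTable, napt: NaptTable,
                      dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Where a packet from the external network to dst_ip:dst_port is delivered."""
    if dst_ip in nat.dst_nat:                       # 1:1 NAT keeps the port
        return (nat.dst_nat[dst_ip], dst_port)
    if dst_ip == S602_EXTERNAL and dst_port in napt.entries:
        return napt.entries[dst_port]               # NAPT rewrites address and port
    return None                                     # no translation: not reachable


def translate_outbound(nat: NatTable, src_ip: str) -> Optional[str]:
    """Source address an internal node shows in the external network."""
    if not nat.src_nat_enabled:
        return None
    return S602_EXTERNAL


def second_cpu_on_port_102_possible(napt: NaptTable) -> bool:
    """Illustrates the note: a second node cannot be published on port 102."""
    try:
        napt.add(102, "CP343-1Advanced", 102)
        return True
    except ValueError:
        return False
```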

7.5 Downloading the SCALANCE S602 V3 configuration

To download the configuration, proceed as described in chapter 6.9 (Downloading the firewall rules to the S602 V3).
Figure 7-2

8 Operation of the Application


Access rights
By means of the firewall rules, the scenarios were only enabled for certain PCs. An attempt to test the scenarios with a PC other than the one specified will be unsuccessful.
The following table provides an overview:
Table 8-1
User scenario | Access right
Node initialization of internal nodes | Service PC
Configuration / diagnostics with STEP 7 | Service PC
Access to cell-internal Web and FTP servers | PG of the control room
Logging the data packets for the S7 communication | Syslog server
Blocking unauthorized access attempts | External PC

8.1 Operation in bridge mode

Configuration
The figure below shows the configuration and the associated IP addresses of the application in bridge mode:
Figure 8-1 (configuration in bridge mode): control room PG 192.168.2.1, external PC 192.168.2.7, service PC 192.168.2.6 and Syslog server 192.168.2.4 on the external SCALANCE X208; S602 V3 192.168.2.2; CP 192.168.2.3 and CPU 192.168.2.5 on the internal X208 in the automation cell protected by the firewall.

Node initialization via the DCP protocol

Table 8-2
No. | Action | Remark
1. | On the service PC, open the SIMATIC MANAGER and the Bridge STEP 7 project. In the PLC menu, select the Edit Ethernet Node option. Start the network scan. Enabling the DCP protocol now allows node initialization of the internal nodes. |

Downloading and monitoring the STEP 7 project

Table 8-3
No. | Action | Remark
1. | On the service PC, open the SIMATIC MANAGER and the associated Bridge project. |
2. | Successively select the S7-300 stations and download them to the CPU. |
3. | Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select View > Monitor to monitor the variables. |

Access to the Web server

Access to the Web and FTP server of the CP343-1 Advanced is permitted only for the control room. In the firewall rules, HTTP and FTP were explicitly allowed for the following IP address: 192.168.2.1.
Table 8-4
No. | Action | Remark
1. | On the PG of the control room, open a Web browser and in the address bar enter the IP address of the CP343-1 Advanced (http://192.168.2.3). The standard HTML page opens. |
2. | The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections. |

Access to the FTP server

Table 8-5
No. | Action | Remark
1. | On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 192.168.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server. | Note: Do not use a Web browser as an FTP client but an FTP client program.
2. | The file structure of the Advanced CP is displayed. |

Logging the data traffic

Table 8-6
No. | Action | Remark
1. | On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here. |
2. | In the Security Configuration Tool, select the S602 V3 module and select View -> Online to go to online mode. |
3. | Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration). |
4. | The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is displayed directly. The Start reading button activates the display in the dialog. |

Blocking unauthorized access

Table 8-7
No. | Action | Remark
1. | On the external PC, open an FTP client. Create a new server with the following data: Server: 192.168.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server. |
2. | The CP's file system cannot be accessed. |
3. | Try to open the Web page of the CP using a Web browser. Here, too, access is not possible. |
4. | On the external PC, open the SIMATIC MANAGER and the Bridge STEP 7 project. |
5. | Select an S7-300 station and try to download it to the CPU. |
6. | Downloading is not possible. |

Access via user-defined firewall rule sets

To activate this specific firewall rule set, you first have to log on at the Web page of the SCALANCE S602 V3.
The connection to the security module is established via HTTPS using the IP address of the external port.
Table 8-8
No. | Action | Remark
1. | On the external PC, use a Web browser to open the Web page of the S602 V3: https://192.168.2.2. |
2. | Log on with the user name and password configured in chapter 6.8.2. |
3. | After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer. |
4. | On the external PC, open an FTP client. Create a new server with the following data: Server: 192.168.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server. |
5. | The file structure of the Advanced CP is displayed. |
6. | Due to the user-specific rule, access to the Web page of the CP is now allowed as well. |

8.2 Operation in router mode

Configuration
The figure below shows the configuration and the associated IP addresses of the application in router mode:
Figure 8-2 (configuration in router mode): control room PG 172.158.2.1, external PC 172.158.2.7, service PC 172.158.2.6 and Syslog server 172.158.2.4 on the external SCALANCE X208; S602 V3 external interface 172.158.2.2, internal interface 192.168.2.2; CP 192.168.2.3 and CPU 192.168.2.5 on the internal X208 in the automation cell protected by the firewall.

8.2.1 Routing via NAT

Downloading and monitoring the STEP 7 project

Table 8-9
No. | Action | Remark
1. | On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project. |
2. | Successively select the S7-300 stations and download them to the CPU. |
3. | When asked for an access address for the SIMATIC CPU station, select the PROFINET interface of the CP343-1 Advanced. |
4. | Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select View > Monitor to monitor the variables. |

Access to the Web server

Table 8-10
No. | Action | Remark
1. | On the PG of the control room, open a Web browser and in the address bar enter the IP address of the CP343-1 Advanced (http://172.158.2.3). The standard HTML page opens. |
2. | The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections. |

Access to the FTP server

Table 8-11
No. | Action | Remark
1. | On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 172.158.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server. |
2. | The file structure of the Advanced CP is displayed. |

Logging the data traffic

Table 8-12
No. | Action | Remark
1. | On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here. |
2. | In the Security Configuration Tool, select the S602 V3 module and select View -> Online to go to online mode. |
3. | Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration). |
4. | The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is displayed directly. The Start reading button activates the display in the dialog. |

Blocking unauthorized access

Table 8-13
No. | Action | Remark
1. | On the external PC, open an FTP client. Create a new server with the following data: Server: 172.158.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server. |
2. | The CP's file system cannot be accessed. |
3. | Try to open the Web page of the CP using a Web browser (http://172.158.2.3). Here, too, access is not possible. |
4. | On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project. |
5. | Successively select the S7-300 stations and download them to the CPU. |
6. | When asked for an access address for the SIMATIC CPU station, select the PROFINET interface of the CP343-1 Advanced. |
7. | Downloading is not possible. |

Access via user-defined firewall rule sets

To activate this specific firewall rule set, you first have to log on at the Web page of the SCALANCE S602 V3.
The connection to the security module is established via HTTPS using the IP address of the external port.
Table 8-14
No. | Action | Remark
1. | On the external PC, use a Web browser to open the Web page of the S602 V3: https://172.158.2.2. |
2. | Log on with the user name and password configured in chapter 6.8.2. |
3. | After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer. |
4. | On the external PC, open an FTP client. Create a new server with the following data: Server: 172.158.2.3; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active. Connect to the FTP server. |
5. | The file structure of the Advanced CP is displayed. |
6. | Due to the user-specific rule, access to the Web page of the CP (http://172.158.2.3) is now allowed as well. |

8.2.2 Routing via NAPT

Downloading and monitoring the STEP 7 project

Table 8-15
No. | Action | Remark
1. | On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project. |
2. | Select the SIMATIC PN-CPU S7-300 station and download it to the CPU. |
3. | Open the variable table in the Blocks folder. The clock bit memories of the CPU are stored in the variable table. Use the glasses icon or select View > Monitor to monitor the variables. |

Access to the Web server

Table 8-16
No. | Action | Remark
1. | On the PG of the control room, open a Web browser and in the address bar enter the NAPT address of the CP343-1 Advanced (http://172.158.2.2:8000/). The standard HTML page opens. |
2. | The HTML page of the CP can be used, for example, to view the diagnostics buffer of the CPU, to retrieve module information, to check the ring redundancy status and to obtain information on the configured connections. |

Access to the FTP server

NOTICE Make sure that you are using active FTP and that the client sends a random listen port to the server.
For passive FTP, the server opens a new port and sends it to the client. However, it sends it with its own IP address (here: 192.168.2.3) and not with the translated address (172.158.2.2). It is thus not possible to establish a connection.
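The failure mode described in the NOTICE above, as an added example in Python that is not part of the Siemens application description: it parses the server's PASV reply and checks whether the advertised data-connection address is the one the client actually connected to, and builds the PORT command a client sends in active mode. The PASV reply and the client address are constructed for this example; the function names are the example's own.

```python
"""Why passive FTP fails through the NAPT of chapter 7.4.2 and active FTP works.

Added example, not part of the Siemens application description. The FTP
reply and commands below are constructed for this example; the addresses
are those of Table 7-1 (CP343-1 Advanced 192.168.2.3 reached through the
S602 V3 external address 172.158.2.2, client PG 172.158.2.1).
"""
import re
from typing import Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (ip, port) that the server advertises for the data connection."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def passive_data_connection_reachable(control_server_ip: str, reply: str) -> bool:
    """The data connection reaches the server only if the advertised address is
    the one the client used for the control connection. Behind NAPT the CP
    advertises its untranslated internal address, so this returns False."""
    advertised_ip, _ = parse_pasv_reply(reply)
    return advertised_ip == control_server_ip


def build_port_command(client_ip: str, listen_port: int) -> str:
    """Active mode: the client tells the server its own address and a listen
    port (chosen at random by the client), so no server-side address leaks."""
    if not 1024 <= listen_port <= 65535:
        raise ValueError("listen port must be an unprivileged port")
    octets = client_ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    return "PORT " + ",".join(octets + [str(listen_port // 256), str(listen_port % 256)])


def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Server side: where to open the data connection from port 20."""
    parts = cmd.split(" ", 1)[1].split(",")
    if len(parts) != 6:
        raise ValueError(f"malformed PORT command: {cmd!r}")
    return (".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5]))


# Constructed reply the CP would send on "PASV" when reached via NAPT:
# its own address 192.168.2.3, port 195*256+80 = 50000.
PASV_REPLY_VIA_NAPT = "227 Entering Passive Mode (192,168,2,3,195,80)"
```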

Table 8-17
No. | Action | Remark
1. | On the PG of the control room, open an FTP client. Create a new server with the following data: Server: 172.158.2.2; Port: 21; User: ftp_user; Password: ftp_user; Transfer mode: Active FTP. Connect to the FTP server. |
2. | The file structure of the Advanced CP is displayed. |

Logging the data traffic

Table 8-18
No. | Action | Remark
1. | On the Syslog server, open the Syslog program. The messages of the S602 V3 are displayed here. |
2. | In the Security Configuration Tool, select the S602 V3 module and select View -> Online to go to online mode. |
3. | Double-click on the module. The online dialog opens. The first Status tab shows all information (hardware, IP/MAC address, change date of the configuration). |
4. | The System log, Audit log and Packet filter log tabs show the local logs. In the Packet filter log tab, you can start the logs either in a ring buffer or a one-shot buffer using the Start logging button. The selection is displayed directly. The Start reading button activates the display in the dialog. |

Blocking unauthorized access

Table 8-19
No. Action Remark
1. On the external PC, open an FTP client.
   Create a new server with the following data:
   Server: 172.158.2.2
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.
2. The CP's file system cannot be accessed.
3. Try to open the Web page of the CP using a Web browser (http://172.158.2.2:8000/). Here, too, access is not possible.
4. On the service PC, open the SIMATIC MANAGER and the NAT_NAPT project.
5. Select the SIMATIC PN-CPU S7-300 station and download it to the CPU.
6. Downloading is not possible.

Access via user-defined firewall rule sets

To activate this specific firewall, you first have to log on to the Web page of the SCALANCE S602 V3.
The connection to the security module is established via HTTPS using the IP address of the external port.
Table 8-20
No. Action Remark
1. On the external PC, use a Web browser to open the Web page of the S602 V3.
   https://172.158.2.2
2. Log on with the user name and password configured in chapter 6.8.2.
3. After 30 minutes, the user is automatically logged off the SCALANCE. If you need more time, you can restart the timer.
4. On the external PC, open an FTP client.
   Create a new server with the following data:
   Server: 172.158.2.2
   Port: 21
   User: ftp_user
   Password: ftp_user
   Transfer mode: Active
   Connect to the FTP server.

5. The file structure of the Advanced CP is displayed.
6. Due to the user-specific rule, access to the Web page of the CP (http://172.158.2.2:8000/) is now allowed as well.
9 References
These lists are by no means complete and only present a selection of related
references.

Internet links
Table 9-2
Topic Title
\1\ Reference to the document http://support.automation.siemens.com/WW/view/en/22376747
\2\ Siemens Industry Online Support http://support.automation.siemens.com
\3\ Primary Setup Tool http://support.automation.siemens.com/WW/view/en/19440762

10 History
Table 10-1
Version Date Modification
V1.0 03/02/06 First edition
V2.0 09/01/09 S612 replaced by S602; configuration in bridge and routing mode
V3.0 07/20/12 SCALANCE S602 V3 hardware update; user-specific firewall rules; chapters revised