
Page 1

Setting up security in STEP 7 Professional

SIMATIC NET

Industrial Ethernet Security
Setting up security in STEP 7 Professional

Getting Started

09/2014 C79000-G8976-C379-01

Preface 1
User interface and menu commands 2
Basic configuration 3
Firewall in advanced mode 4
VPN for network linking 5


Siemens AG Industry Sector Postfach 48 48 90026 NÜRNBERG GERMANY

C79000-G8976-C379-01 Ⓟ 09/2014 Subject to change

Copyright © Siemens AG 2014. All rights reserved

Legal information Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION indicates that minor personal injury can result if proper precautions are not taken.

NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products Note the following:

WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.


Setting up security in STEP 7 Professional Getting Started, 09/2014, C79000-G8976-C379-01 3

Table of contents

1 Preface ..... 5
2 User interface and menu commands ..... 9
2.1 User interface and menu commands ..... 9
3 Basic configuration ..... 15
3.1 Configuring IP addresses for SCALANCE S ..... 15
3.1.1 Overview ..... 15
3.1.2 Set up SCALANCE S and the network ..... 16
3.1.3 Making IP settings for the PC ..... 17
3.1.4 Creating a project and security module ..... 18
3.1.5 Creating the security project ..... 19
3.1.6 Assigning IP addresses ..... 19
3.1.7 Downloading the configuration to SCALANCE S ..... 21
3.2 Configuring IP addresses for a CP ..... 22
3.2.1 Overview ..... 22
3.2.2 Making IP settings for the PC ..... 23
3.2.3 Creating a project and security module ..... 24
3.2.4 Creating the security project ..... 25
3.2.5 Assigning IP addresses ..... 26
3.2.6 Downloading the configuration to the security module ..... 26
4 Firewall in advanced mode ..... 29
4.1 Global rule sets ..... 29
4.1.1 Overview ..... 29
4.1.2 Make the IP settings for the PCs ..... 32
4.1.3 Configuring the local firewall ..... 33
4.1.4 Configuring global firewall rule sets ..... 35
4.1.5 Downloading the configuration to the security module ..... 37
4.1.6 Testing firewall function ..... 39
4.2 Firewall rules for connections ..... 45
4.2.1 Overview ..... 45
4.2.2 Make the IP settings for the PCs ..... 47
4.2.3 Configuring the local firewall ..... 49
4.2.4 Configuring connection firewall rules ..... 50
4.2.5 Downloading the configuration to the security module ..... 51
4.2.6 Testing firewall function ..... 52
4.3 User-specific firewall ..... 58
4.3.1 Overview ..... 58
4.3.2 Make the IP settings for the PCs ..... 59
4.3.3 Configuring the local firewall ..... 61
4.3.4 Creating remote access users ..... 61
4.3.5 Configuring user-specific firewall rule sets ..... 62
4.3.6 Downloading the configuration to the security module ..... 65
4.3.7 Activating a user-specific firewall rule set ..... 66
4.3.8 Testing firewall function ..... 67
4.4 NAT ..... 71
4.4.1 Overview ..... 71
4.4.2 Making IP settings for the PC ..... 73
4.4.3 Configuring destination NAT and local firewall ..... 75
4.4.4 Downloading the configuration to the security module ..... 77
4.4.5 Testing NAT function ..... 78
5 VPN for network linking ..... 87
5.1 VPN tunnel in the LAN between all security products ..... 87
5.1.1 Overview ..... 87
5.1.2 Make the IP settings for the PCs ..... 89
5.1.3 Creating SOFTNET Security Client module ..... 91
5.1.4 Configuring a VPN group ..... 91
5.1.5 Saving the SOFTNET Security Client configuration ..... 93
5.1.6 Downloading the configuration to the security module ..... 93
5.1.7 Set up a tunnel with the SOFTNET Security Client ..... 95
5.1.8 Testing the tunnel ..... 96
5.2 VPN tunnel SOFTNET Security Client and CPs or SCALANCE S ..... 99
5.2.1 Overview ..... 99
5.2.2 Make the IP settings for the PCs ..... 101
5.2.3 Creating SOFTNET Security Client module ..... 103
5.2.4 Configuring a VPN group ..... 103
5.2.5 Configuring VPN properties of the security module ..... 105
5.2.6 Saving the SOFTNET Security Client configuration ..... 105
5.2.7 Downloading the configuration to the security module ..... 105
5.2.8 Set up a tunnel with the SOFTNET Security Client ..... 107
5.2.9 Testing the tunnel ..... 108
5.3 VPN with SOFTNET Security Client and SCALANCE S as user-specific firewall ..... 111
5.3.1 Overview ..... 111
5.3.2 Make the IP settings for the PCs ..... 113
5.3.3 Creating SOFTNET Security Client module ..... 115
5.3.4 Configuring a VPN group ..... 115
5.3.5 Configuring VPN properties of the security module ..... 117
5.3.6 Configuring the local firewall ..... 117
5.3.7 Creating remote access users ..... 118
5.3.8 Configuring user-specific firewall rule sets ..... 119
5.3.9 Saving the SOFTNET Security Client configuration ..... 122
5.3.10 Downloading the configuration to the security module ..... 122
5.3.11 Set up a tunnel with the SOFTNET Security Client ..... 124
5.3.12 Activating a user-specific firewall rule set ..... 126
5.3.13 Testing the tunnel and firewall function ..... 127


Preface 1

Getting results fast with Getting Started

Based on simple test networks, you will learn how to handle the security modules and the STEP 7 Professional configuration tool. You will soon see that you can implement the security functions of security modules in the network without any great project engineering effort.

Based on a variety of security examples, you will be able to implement the basic functions of the security modules and the SOFTNET Security Client.

IP settings for the Examples

Note

The IP settings in the examples are freely selected and do not cause any conflicts in the isolated test network.

In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Validity of this Getting Started

Configuration software:

● STEP 7 Professional V13

Products:

● SCALANCE S

– SCALANCE S602, order number: 6GK5 602-0BA10-2AA3

– SCALANCE S612, order number: 6GK5 612-0BA10-2AA3

– SCALANCE S623, order number: 6GK5 623-0BA10-2AA3

– SCALANCE S627-2M, order number: 6GK5 627-2BA10-2AA3

● CPs

– CP 343-1 Advanced GX31 as of V3.0, order number: 6GK7 343-1GX31-0XE0

– CP 443-1 Advanced GX30 as of V3.0, order number: 6GK7 443-1GX30-0XE0

– CP 1543-1 as of V1.1, order number: 6GK7 543-1AX00-0XE0

– CP 1243-1, order number: 6GK7 243-1BX30-0XE0

● VPN client software

– SOFTNET Security Client as of V4.0, order number: 6GK1 704-1VW04-0AA0


Windows:

● All the examples are implemented with Windows 7. For this reason, the path information of Windows 7 is also described.

General terminology "security modules" In this documentation, the following products are grouped together under the term "security module": SCALANCE S602 / SCALANCE S612 / SCALANCE S623 / SCALANCE S627-2M / CP 343-1 Advanced GX31 / CP 443-1 Advanced GX30 / CP 1243-1 / CP 1543-1.

The CPs 343-1 Advanced GX31 and 443-1 Advanced GX30 are called "CP x43-1 Adv.".

The CPs 1243-1 and 1543-1 are called "CP 1x43-1".

General use of the term "STEP 7" The configuration of the security functions used in this manual is supported as of STEP 7 Professional V13. In the rest of the document this is simply called "STEP 7".

Use of the terms "interface" and "port" In this documentation, the ports of security modules are named as follows:

● "External interface": The external port of the SCALANCE S602 / S612 / S623 or an external port of the SCALANCE S627-2M

● "Ethernet interface": The external port of the CP x43-1 Adv. / CP 1x43-1

● "Internal interface": The internal port of the SCALANCE S602 / S612 / S623 or an internal port of the SCALANCE S627-2M

● "PROFINET interface": The internal port of the CP x43-1 Adv.

● "DMZ interface": The DMZ port of the SCALANCE S623 / S627-2M

The term "port" itself is used when the focus of interest is a special port of an interface.

IP addresses of the security modules in the configuration examples When downloading a configuration to a security module, the IP address via which the interface can currently be reached must always be specified. In the configuration examples in this manual, it is assumed that the IP addresses of the configuration are identical to the current IP addresses of the security modules.

If you want to know more You will find further information on the topic of "Industrial Ethernet Security" in the information system of STEP 7 (online help). The information system of STEP 7 also supports you during configuration and programming of your automation system.

You will find hardware descriptions and installation instructions in the documents relating to the individual modules.


Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.


2 User interface and menu commands

2.1 User interface and menu commands

User interface for security functions in STEP 7


① Global security settings

The global security settings are located in the project navigation. These security settings can be configured independently of the module and subsequently assigned to individual security modules as required. If the first security module to be configured is a CP, the global security settings are only displayed when the security functions have been enabled in the local security settings of the CP. If the first security module to be configured is a SCALANCE S module, the global security settings are displayed after logging in to the security project. The following main folders and entries are available in the global security settings:

• User login
For the security configuration within a project, there is a separate user management. Log in to the security configuration using the "User login" entry. The first time that there is a login to the security configuration, a user with the system-defined role "Administrator" is created automatically. You can create further users in the security configuration in the user management.

• User administration
In user administration, you can create users, define rights for roles and assign these roles to users.

• Certificate manager
In the certificate manager, you see an overview of all the certificates used in the project. You can, for example, import new certificates as well as export, modify or replace existing certificates.

• Firewall
Under the "Firewall" entry, you can define global IP and MAC firewall rule sets and user-specific IP rule sets (SCALANCE S modules only) and assign security modules. IP and MAC service definitions are used to define the IP and MAC firewall rules compactly and clearly.

• VPN groups
All created VPN groups are contained in this folder. You can create new VPN groups here and assign security modules to these VPN groups. You can also adapt VPN group properties of VPN groups that have already been created.

• NTP
Here, you can create NTP servers and assign them to one or more security modules. This ensures that time synchronization is performed through the assigned NTP server. Unsecured NTP servers can only be configured in the local security settings.
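The "Firewall" entry above introduces two ideas that are easy to lose in a screenshot: service definitions are written once and referenced by name, and a global rule set is defined once and then assigned to any number of security modules. The following Python model is an added example, not code from the Siemens manual or from STEP 7, and it models only those two concepts. The field names, the first-match evaluation order, the "drop unless allowed" fallback, the module and rule set names and the sample traffic are assumptions of this model, not the SCALANCE S rule syntax or the module's packet-processing semantics. What it is meant to show is why a service definition changed in one place takes effect for every module the rule set is assigned to, and why a module without an assignment falls back to the default action.

```python
"""Model of global firewall rule sets built from IP service definitions.

Added example, not code from the Siemens manual or the SCALANCE S firewall. It models
only the concepts the text names: IP service definitions, global rule sets, and the
assignment of one rule set to several security modules. Field names, first-match
evaluation, the "drop unless allowed" fallback and the sample traffic are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IPService:
    """Service definition: protocol plus destination ports; empty range = any port (ICMP)."""
    name: str
    protocol: str
    dst_ports: range = range(0)


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "drop"
    direction: str  # assumed naming: "external->internal" or "internal->external"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: str    # name of an IPService


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None


def _net_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


class GlobalRuleSets:
    """Service definitions and rule sets shared by every assigned security module."""

    def __init__(self, services: List[IPService], default_action: str = "drop"):
        self.services: Dict[str, IPService] = {s.name: s for s in services}
        self.rule_sets: Dict[str, List[Rule]] = {}
        self.assigned: Dict[str, List[str]] = {}  # module name -> assigned rule set names
        self.default_action = default_action      # assumption: unmatched traffic is dropped

    def define(self, name: str, rules: List[Rule]) -> None:
        """Create a global rule set; every rule must refer to a defined service."""
        unknown = [r.service for r in rules if r.service not in self.services]
        if unknown:
            raise ValueError(f"rule set {name!r} uses undefined services: {unknown}")
        self.rule_sets[name] = list(rules)

    def assign(self, module: str, rule_set: str) -> None:
        self.assigned.setdefault(module, []).append(rule_set)

    def effective_rules(self, module: str) -> List[Rule]:
        """Rules a module enforces: its assigned global rule sets, in assignment order."""
        return [r for rs in self.assigned.get(module, []) for r in self.rule_sets[rs]]

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        svc = self.services[rule.service]
        if rule.direction != pkt.direction or svc.protocol != pkt.protocol:
            return False
        if svc.dst_ports and pkt.dst_port not in svc.dst_ports:
            return False
        return _net_match(rule.src, pkt.src_ip) and _net_match(rule.dst, pkt.dst_ip)

    def decide(self, module: str, pkt: Packet) -> str:
        """First matching rule wins; with no match the default action applies."""
        for rule in self.effective_rules(module):
            if self._matches(rule, pkt):
                return rule.action
        return self.default_action


def build_example() -> GlobalRuleSets:
    """Constructed sample configuration (not taken from the manual)."""
    fw = GlobalRuleSets([
        IPService("S7", "tcp", range(102, 103)),  # S7 communication over ISO-on-TCP, port 102
        IPService("PING", "icmp"),
    ])
    # One global rule set: engineering PCs in 192.168.10.0/24 may use S7 and ping into the cell.
    fw.define("EngineeringAccess", [
        Rule("allow", "external->internal", "192.168.10.0/24", "any", "S7"),
        Rule("allow", "external->internal", "192.168.10.0/24", "any", "PING"),
    ])
    # Assigned to two modules: both enforce the same rules without a second copy.
    fw.assign("S612_cell1", "EngineeringAccess")
    fw.assign("S623_cell2", "EngineeringAccess")
    return fw
```

Read top to bottom, the model follows the order of the STEP 7 entries: define services, define a rule set against them, assign the rule set to modules. `build_example().decide("S612_cell1", Packet("external->internal", "192.168.10.100", "192.168.1.10", "tcp", 102))` returns "allow" for both assigned modules, the same packet on port 80 or from a host outside 192.168.10.0/24 is dropped, and a module that has no rule set assigned drops everything, which is the case to verify whenever a module is added to an existing project.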


② Working area with security module

Once you have selected a security module in the work area, you can configure its local security settings in "Properties" > "General". If the selected security module is in a VPN group, related information is displayed in the VPN tab.

③ VPN tab

This tab displays information about all the VPN groups to which the security module that was selected in the working area belongs. Information about the respective participants of a VPN group can be displayed and hidden.


④ Local security settings

Local security settings are configured for a specific security module. After a security module has been selected in the working area, its local security settings are available in the inspector window under "Properties" > "General".

Note for CPs: Before local security settings can be configured for CPs, these must first be enabled. To do this, log in to your security project and then, in the Inspector window, select the "Activate security features" check box in the "Properties" > "General" tab, "Security" entry. The local security settings are then displayed below the "Security" entry. When the check box is selected, the following settings (assuming they were enabled) are migrated automatically to the local security settings:

CP x43-1 Adv.:
• SNMP
• FTP configuration
• Time-of-day synchronization
• Web server
• Entries of IP access lists

CP 1543-1:
• SNMP
• FTP configuration
• Time-of-day synchronization

CP 1243-1:
• SNMP
• Time-of-day synchronization

Additional security functions are also available, such as NTP (secure), SNMPv3 and FTPS. In addition, firewall rules that enable a connection to be established are created automatically for configured connections. Log settings are available to record blocked packets.

Secure and non-secure configuration areas

The user interface can be divided into secure and non-secure configuration areas.

The secure areas are areas in which configuration is possible only after logging in to the security configuration. These areas are encrypted and therefore only accessible to persons authorized in the user management even if the project is accessible to a wider circle of people.

Functions from the non-secure areas, on the other hand, can be configured without logging in to the security configuration. The correctness of the settings must be checked before downloading the project to the plant components if a wider circle of people can make modifications to the project.

Below, you will find a list of the configuration areas of the user interface showing which areas are secure and which are non-secure. To some extent, this depends on the security module for which the configuration is created.

● All settings from the global security settings are secure.

● Secure and non-secure configuration areas for SCALANCE S modules:

– All the settings for the interfaces and ports, in particular IP addresses, are non-secure.

– The settings under the entry "General" in the local security settings are non-secure.

– Higher-level settings (e.g. MRP settings such as MRP manager etc.) that are not configured on the security module itself but may affect the security module are non-secure. This does not relate to the global security settings.

– The other settings are protected.

● Secure and non-secure configuration areas for CP 343-1 Advanced, CP 443-1 Advanced, CP 1543-1, CP 1243-1 BX30:

– All settings outside the "Security" entry are non-secure.

– Higher-level settings (e.g. MRP settings such as MRP manager, PROFINET settings, connections etc.) that are not configured on the security module itself but may affect the security module are non-secure. This does not relate to the global security settings.

– All the settings for the interfaces and ports, in particular IP addresses, are non-secure.

– All settings below the "Security" entry are secure.
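The practical consequence of this split is that a changed IP address, interface setting or connection partner in a non-secure area is not stopped by the security login, so the manual's advice to check those settings before downloading has to be done by other means. The following Python script is an added example, not part of the Siemens manual or of STEP 7. It encodes the classification given above (for SCALANCE S, interface/port settings and the "General" entry are non-secure; for the CPs, everything outside the "Security" entry is non-secure) and compares the non-secure settings of each module in a project against an approved baseline, skipping differences inside the secure areas because the login protects them. The manual documents no project export format, so the script works on a constructed dict whose layout (keys such as "type", "settings", "interfaces", "general", "connections", "security") and whose addresses and module names are this example's own assumptions.

```python
"""Pre-download check of the non-secure configuration areas.

Added example; not code from the Siemens manual or from STEP 7. No project export
format is documented here, so this operates on a constructed, hypothetical export (a
plain dict) whose layout is an assumption of this example. Taken from the text: for
SCALANCE S, interface/port settings (incl. IP addresses) and the "General" entry are
non-secure; for the CPs, everything outside the "Security" entry is non-secure;
settings in the secure areas are login-protected and are left out of the comparison.
"""
import copy
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, Any, Any]  # (module, dotted setting path, approved value, project value)


def _flatten(tree: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into {"a.b.c": leaf} so settings can be compared path by path."""
    flat: Dict[str, Any] = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(_flatten(value, path))
        else:
            flat[path] = value
    return flat


def non_secure_part(module: Dict[str, Any]) -> Dict[str, Any]:
    """Select the settings of one module that the security login does not protect.

    Key names ("type", "settings", "interfaces", "general", "security") are this
    example's own layout, not STEP 7's.
    """
    settings = module["settings"]
    if module["type"] == "SCALANCE S":
        # Interfaces/ports (incl. IP addresses) and the "General" entry are non-secure.
        return {k: v for k, v in settings.items() if k in ("interfaces", "general")}
    if module["type"] == "CP":
        # Everything outside the "Security" entry is non-secure.
        return {k: v for k, v in settings.items() if k != "security"}
    raise ValueError(f"unknown module type {module['type']!r}")


def check_before_download(project: Dict[str, Dict], approved: Dict[str, Dict]) -> List[Finding]:
    """Return every non-secure setting that differs from the approved baseline."""
    findings: List[Finding] = []
    for name, module in project.items():
        if name not in approved:
            findings.append((name, "<module>", None, "not in approved baseline"))
            continue
        current = _flatten(non_secure_part(module))
        wanted = _flatten(non_secure_part(approved[name]))
        for path in sorted(set(current) | set(wanted)):
            if current.get(path) != wanted.get(path):
                findings.append((name, path, wanted.get(path), current.get(path)))
    return findings


# Constructed sample data (addresses freely chosen, as in the manual's test networks).
APPROVED: Dict[str, Dict] = {
    "S612_cell1": {
        "type": "SCALANCE S",
        "settings": {
            "interfaces": {
                "external": {"ip": "192.168.10.1", "mask": "255.255.255.0"},
                "internal": {"ip": "192.168.1.1", "mask": "255.255.255.0"},
            },
            "general": {"name": "S612_cell1"},
            "security": {"firewall": {"global_rule_sets": ["EngineeringAccess"]}},
        },
    },
    "CP1543_plc2": {
        "type": "CP",
        "settings": {
            "ethernet_interface": {"ip": "192.168.10.20", "mask": "255.255.255.0"},
            "connections": {"conn_1": {"partner": "192.168.10.100"}},
            "security": {"firewall": {"log_blocked_packets": True}},
        },
    },
}

# A project copy with three edits: two in non-secure areas (reported) and one inside
# "Security" (login-protected, therefore not the job of this check).
PROJECT = copy.deepcopy(APPROVED)
PROJECT["S612_cell1"]["settings"]["interfaces"]["internal"]["ip"] = "192.168.1.2"
PROJECT["CP1543_plc2"]["settings"]["connections"]["conn_1"]["partner"] = "10.0.0.5"
PROJECT["CP1543_plc2"]["settings"]["security"]["firewall"]["log_blocked_packets"] = False

if __name__ == "__main__":
    for module, path, approved_value, project_value in check_before_download(PROJECT, APPROVED):
        print(f"{module}: {path} approved={approved_value!r} project={project_value!r}")
```

Run against the constructed data, the check reports the changed internal IP address of the SCALANCE S and the changed connection partner of the CP, and says nothing about the changed firewall logging flag: that one sits below the "Security" entry and is covered by the user login rather than by this review. The baseline itself has to be kept where the wider circle of project editors cannot change it, otherwise the comparison proves nothing.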


3 Basic configuration

3.1 Configuring IP addresses for SCALANCE S

3.1.1 Overview

In this example, IP addresses are configured in STEP 7 for a SCALANCE S module that has the factory settings. Then, the configuration is downloaded to the security module via the external interface.

Required devices/components: Use the following components to set up the network:

● 1 x SCALANCE S (additional option: a suitably installed DIN rail with fittings)

● 1 x 24 V power supply with cable connector and terminal block plug

● 1 x PC on which the STEP 7 configuration tool is installed

● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Requirement To be able to work through this example, the following requirements must be met:

● The SCALANCE S module has the factory-settings. You can restore this status by pressing the Reset button on the SCALANCE S and holding it down for at least 5 seconds. For further information on the Reset button of the SCALANCE S, refer to the section "4.3 Reset button - resetting the configuration to the factory settings" in the manual "SIMATIC NET Industrial Ethernet Security - SCALANCE S V4".


Overview of the next steps:

3.1.2 Set up SCALANCE S and the network

Follow the steps outlined below:

1. First unpack the SCALANCE S and check that it is undamaged.

2. Connect the power supply to the SCALANCE S.

Result: After connecting the power, the Fault LED (F) is lit yellow.

WARNING

Use safety extra-low voltage only

The SCALANCE S device is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/VDE0805 can be connected to the power supply terminals.

The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range 18 - 32 V, current requirement approx. 250 mA).


3. Establish the physical network connection by connecting the external interface of the SCALANCE S to the PC.

4. Turn on the PC.

Note

The Ethernet interfaces are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network:

• Interface X1 - external network
  Red marking = unprotected network area

• Interface X2 - internal network
  Green marking = network protected by SCALANCE S

• Only for SCALANCE S623 and SCALANCE S627-2M: Interface X3 - DMZ port (universal network interface)
  Yellow marking = unprotected network area or network area protected by SCALANCE S

If the interfaces are swapped over, the device loses its protective function.

3.1.3 Making IP settings for the PC

The following IP address settings are made for the PC:

PC     IP address       Subnet mask
PC1    192.168.10.100   255.255.255.0

Follow the steps outlined below:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.


7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.

3.1.4 Creating a project and security module

Creating a new project:

1. Install and start the STEP 7 configuration tool on PC1.

2. Select the menu item "Create new project".

3. In the dialog that follows, assign a project name for your project, if necessary change the storage path and confirm the dialog with "Create".

Result: A new STEP 7 project is created and opened in the Portal view.


Creating a new security module:

1. Change to the project view with the "Open the project view" menu item.

2. In the Project tree, double-click on the "Devices & networks" menu item.

Result: The network view opens.

3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view. Make sure that the firmware version is correct; this can be adapted in the "Information" area.

You will find the security module by navigating as follows in the "Hardware catalog":

Security module   Navigation in the hardware catalog
SCALANCE S        "Network components" > "Industrial Security" > "SCALANCE S"

3.1.5 Creating the security project

Follow the steps below:

1. Change to the device view.

2. Select the security module so that you can configure the properties.

3. In the Inspector window, "General" tab, select the menu item "Security properties".

4. In the dialog that follows click "User login".

5. Create a new user with user name and the corresponding password. The "administrator" role is assigned to the user automatically.

6. Confirm your entries with "Log in".

Result: The security project has been created. All the security settings you make from now on will be stored in the project encrypted and can only be edited or viewed with the user and password you have created.

3.1.6 Assigning IP addresses

Assigning the external IP address:

1. Select the menu "Online" > "Accessible devices".

2. From the "Type of the PG/PC interface" drop-down list, select the entry "PN/IE".

3. Select the network adapter via which you are connected to the security module.

4. If the MAC address of the SCALANCE S is displayed, select the corresponding entry in the table and click the "Show" button.

Result: The SCALANCE S is displayed in the project tree in the "Online access" menu below the selected network adapter:


5. Double-click on "Online & Diagnostics".

6. In the window that follows, select the "Functions" > "Assign IP address" menu.

7. Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0).

8. Click the "Assign IP address" button.

Configuring IP addresses for the internal interface and the DMZ interface:

1. In the Inspector window, "General" tab, check whether "Routing mode" is enabled under "Mode".

2. Enter the following IP addresses:

Interface                          IP address     Subnet mask
External interface [P1] red        192.168.10.1   255.255.255.0
Internal interface [P2] green      192.168.9.1    255.255.255.0
Only for S623 or S627-2M:
DMZ interface [P3] yellow          192.168.8.1    255.255.255.0

3. For each address, click the "Add new subnet" button in the "Interface networked with" box.

Result: The IP addresses have been assigned and the interfaces networked.


3.1.7 Downloading the configuration to SCALANCE S

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. In the "Connection to interface/subnet" drop-down list, select the entry "Try all interfaces".

With SCALANCE S modules, the HTTPS protocol is used for the download.

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download was completed free of error, click the "Finish" button.


Result: The security module restarts automatically and the downloaded configuration is activated.

Result: SCALANCE S in productive operation

The SCALANCE S is now in productive operation. This mode is indicated by the Fault display being lit green. You can now download configurations via all interfaces. The basic configuration is completed.

3.2 Configuring IP addresses for a CP

3.2.1 Overview

Overview

In this example, IP addresses are configured in STEP 7 for one of the following CPs. Following this, the configuration is downloaded to the station via the security module.

● CP 1243-1

● CP 1543-1

● CP 343-1 Advanced

● CP 443-1 Advanced

Requirement

To be able to work through this example, the following requirements must be met:

● The STEP 7 configuration tool is installed on a PC and a station with a CPU has already been created.

● The memory card of the CPU is empty.

● The CPU memory has been reset.

● The CPU has a valid time of day and forwards this via the backplane bus.

You will find more detailed information on the precise procedure in the relevant device manual and in the information system (online help) of STEP 7.


Overview of the next steps:

3.2.2 Making IP settings for the PC

The following IP address settings are made for the PC:

PC     IP address       Subnet mask
PC1    192.168.10.100   255.255.255.0

Follow the steps outlined below:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.


7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.

3.2.3 Creating a project and security module

Creating a new project:

1. Install and start the STEP 7 configuration tool on PC1.

2. Select the menu item "Create new project".

3. In the dialog that follows, assign a project name for your project, if necessary change the storage path and confirm the dialog with "Create".

Result: A new STEP 7 project is created and opened in the Portal view.


Creating a new security module:

1. Change to the project view with the "Open the project view" menu item.

2. In the Project tree, double-click on the "Devices & networks" menu item.

Result: The network view opens.

3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view. Make sure that the firmware version is correct; this can be adapted in the "Information" area.

You will find the security module by navigating as follows in the "Hardware catalog":

Security module      Navigation in the hardware catalog
CP 343-1 Advanced    "Controller" > "SIMATIC S7-300" > "Communications modules" > "PROFINET/Ethernet" > "CP 343-1 Advanced-IT"
CP 443-1 Advanced    "Controller" > "SIMATIC S7-400" > "Communications modules" > "PROFINET/Ethernet" > "CP 443-1 Advanced-IT"
CP 1243-1            "Controller" > "SIMATIC S7-1200" > "Communications modules" > "Industrial Remote Control" > "CP 1243-1"
CP 1543-1            "Controller" > "SIMATIC S7-1500" > "Communications modules" > "PROFINET/Ethernet" > "CP 1543-1"

3.2.4 Creating the security project

Follow the steps below:

1. Change to the device view.

2. Select the security module so that you can configure the properties.

3. In the Inspector window, "General" tab, select the menu item "Security > Security properties".

4. In the dialog that follows click "User login".

5. Create a new user with user name and the corresponding password. The "administrator" role is assigned to the user automatically.

6. Confirm your entries with "Log in".

7. Change to the network view and select the security module.

8. Under "Security", select the "Activate security features" check box.

Result: The security project has been created. All the security settings you make from now on will be stored in the project encrypted and can only be edited or viewed with the user and password you have created.


3.2.5 Assigning IP addresses

Assigning the external IP address:

1. Select the menu "Online" > "Accessible devices".

2. From the "Type of the PG/PC interface" drop-down list, select the entry "PN/IE".

3. Select the network adapter via which you are connected to the security module.

4. If the MAC address of the CP is displayed, select the corresponding entry in the table and click the "Show" button.

Result: The CP is displayed in the project tree in the "Online access" menu below the selected network adapter.

5. Click on "Online & Diagnostics".

6. In the window that follows, select the "Functions" > "Assign IP address" menu.

7. Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0).

8. Click the "Assign IP address" button.

9. For each address, click the "Add new subnet" button in the "Interface networked with" box.

Result: The IP addresses have been assigned and the interfaces networked.

Configuring IP addresses for the internal interface:

1. Enter the following IP addresses in the Inspector window, "General" tab:

Security module   Interface                  IP address     Subnet mask
CP 1x43-1         Ethernet interface [X1]    192.168.10.1   255.255.255.0
CP x43-1 Adv.     Ethernet interface [X1]    192.168.10.1   255.255.255.0
                  PROFINET interface [X2]    192.168.9.1    255.255.255.0

2. For each address, click the "Add new subnet" button in the "Interface networked with" box.

Result: The IP addresses have been assigned and the interfaces networked.

3.2.6 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".


4. In the "Connection to interface/subnet" drop-down list, select the entry "Try all interfaces".

For CPs, the S7 protocol is used for the download.

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download was completed free of error, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The security module is now in productive operation. You can now download configurations via all interfaces. The basic configuration is complete.


4 Firewall in advanced mode

4.1 Global rule sets

4.1.1 Overview

In this example you configure the advanced firewall and use the function of the global rule sets.

By making the settings in the firewall of the security module, you restrict configuration and diagnostics of the controllers using the S7 protocol to the IP address of PC1 and therefore make this possible from the external network.

In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules or, depending on the test setup, communication with Web servers in the internal network.

With the global rule sets, denied access attempts to the security module or the internal network are logged.

Setting up the test network for SCALANCE S, CP x43-1 Adv.


● Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.

Station1: Represents a node in the internal network

● Security module - A security module for protection of the internal network can be:

– SCALANCE S

– CP 343-1 Advanced in a SIMATIC S7-300 station

– CP 443-1 Advanced in a SIMATIC S7-400 station

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

PC1: PC with configuration software STEP 7

Setup of the test network CP 1x43-1

● Station - one of the following stations with security module:

– CP 1243-1 in a SIMATIC S7-1200 station

– CP 1543-1 in a SIMATIC S7-1500 station

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

PC1: PC with configuration software STEP 7


Requirement

To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software is installed on PC1.

● Only for CP x43-1 Adv. and SCALANCE S: A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

Controller   IP address     Subnet mask     Default gateway
Controller   192.168.9.10   255.255.255.0   192.168.9.1

● A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module   Interface                        IP address     Subnet mask
SCALANCE S        External interface [P1] red      192.168.10.1   255.255.255.0
                  Internal interface [P2] green    192.168.9.1    255.255.255.0
CP 1x43-1         Ethernet interface [X1]          192.168.10.1   255.255.255.0
CP x43-1 Adv.     Ethernet interface [X1]          192.168.10.1   255.255.255.0
                  PROFINET interface [X2]          192.168.9.1    255.255.255.0

● The project with the "basic configuration" of the security module is open on PC1.

Figure 4-1 IP settings of the basic configuration

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.


Overview of the next steps:

4.1.2 Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC     IP address       Subnet mask     Default gateway
PC1    192.168.10.100   255.255.255.0   192.168.10.1

Follow the steps below for PC1:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.


7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.

4.1.3 Configuring the local firewall

Follow the steps below:

1. Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2. For a CP: Select the "Security" menu item and then the "Activate security features" check box.

Result: The security functions of the module are shown below the "Security" entry and can be configured.


3. Select the "Firewall" menu item.

4. In the "General" box, enable the "Activate firewall" option.

5. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".

Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.

6. Select the "IP rules" menu and add the following firewall rules depending on the security module you are using:

Security module   Action   From       To 1)      Source IP address   Destination IP address   Service
SCALANCE S        Allow    External   Internal   192.168.10.100      -                        S7
                  Allow    External   Internal   -                   -                        HTTPS
CP 1x43-1         Allow    External   Station    192.168.10.100      -                        S7
                  Allow    External   Station    -                   -                        Security diagnostics
CP x43-1          Allow    External   Any        192.168.10.100      -                        S7
                  Allow    External   Any        -                   -                        HTTPS

1) Due to the "Stateful inspection" function of the firewall, the response frames are allowed automatically and do not need to be allowed specifically.

Result: The local firewall rules are displayed in the list:

Figure 4-2 Local IP rules in advanced firewall mode


4.1.4 Configuring global firewall rule sets

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Add new IP rule set".

Result: A global IP rule set is created.

2. Enter any name and a description for the IP rule set. In this example:

– Name: IP rule set 1

– Description: Logging denied accesses

3. Add the following firewall rules to the list:

Action   From       To         Source IP address   Destination IP address   Service   Logging
Drop     External   Internal   -                   -                        All       ☑
Drop     External   Station    -                   -                        All       ☑
Drop     External   Any        -                   -                        All       ☑

Result: A new global firewall rule set is created. You can assign the global firewall rule set to every security module without needing to create these rules separately for each security module.

Figure 4-3 Global IP rule set

4. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Assign module to a firewall rule set".

5. Select the created rule set from the "Rule set " drop-down list.

6. Select the security module being used in the Available modules list.


7. With the "<<" button, move it to the "Assigned modules" list.

Figure 4-4 Assigning a global rule set

Result: The global firewall rule set has been inserted in the local firewall of the security module.

8. To check this, go to the Inspector window and open the menu "Properties" > "Firewall" > "IP rules".

Figure 4-5 Displaying a global rule set


Result: The global firewall rule set has been added to the list after the last local firewall rule. Depending on the security module you are using, only the firewall rules from the global firewall rule set will be adopted if these are valid for the security module. You can see the resulting firewall rules in the following table:

Security module       Action   From       To         Source IP address   Destination IP address   Service   Logging
CP 1x43-1             Drop     External   Station    -                   -                        All       ☑
CP x43-1 Adv.         Drop     External   Station    -                   -                        All       ☑
                      Drop     External   Any        -                   -                        All       ☑
SCALANCE S602/S612    Drop     External   Internal   -                   -                        All       ☑

4.1.5 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".


4. Select the "Connection to interface/subnet" via which you are connected to the security module.

For CPs, the S7 protocol is used for the download, for SCALANCE S the HTTPS protocol.

Figure 4-6 Downloading to the security module

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download was completed free of error, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.


Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists).

Incoming S7 data traffic is permitted only from PC1 and HTTPS communication for diagnostics of the security module is allowed for every node from the external network. Every blocked access attempt is logged.
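The rule evaluation that sections 4.1.3 to 4.1.6 describe, as an added example that is not code from this Getting Started, from STEP 7 or from the security modules: it appends the global rule set after the local rules (keeping only the rules valid for the module type, as in the 4.1.4 result table), evaluates connection attempts first-match with stateful handling of response frames, and replays the test phases of 4.1.6 for a SCALANCE S. The TCP ports for S7 (102) and HTTPS (443), the first-match order and the sample packets are assumptions constructed for the example.

```python
"""Rule-evaluation model of the advanced-mode firewall from section 4.1.
Constructed example, not part of the Siemens Getting Started and not STEP 7 or
SCALANCE S code. Rules are copied from the tables in 4.1.3 and 4.1.4. Assumed:
first matching rule wins, global rule set appended after the last local rule,
S7 = TCP port 102, HTTPS = TCP port 443."""
from dataclasses import dataclass
from typing import Optional

# Service names as they appear in the STEP 7 rule table -> assumed TCP ports.
SERVICES = {"S7": 102, "HTTPS": 443}
# Zones each module type has; decides which global rules it adopts (4.1.4).
MODULE_ZONES = {
    "SCALANCE S": {"External", "Internal"},
    "CP 1x43-1": {"External", "Station"},
    "CP x43-1 Adv.": {"External", "Station", "Any"},
}

@dataclass(frozen=True)
class Rule:
    action: str             # "Allow" or "Drop"
    src_zone: str           # "External", "Internal", "Station" or "Any"
    dst_zone: str
    src_ip: Optional[str]   # None stands for "-" (any address)
    dst_ip: Optional[str]
    service: Optional[str]  # None stands for "All"
    logging: bool = False   # the "Logging" check box of the rule

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int

# Local rules for SCALANCE S from the 4.1.3 table.
LOCAL_RULES_SCALANCE_S = [
    Rule("Allow", "External", "Internal", "192.168.10.100", None, "S7"),
    Rule("Allow", "External", "Internal", None, None, "HTTPS"),
]
# Global "IP rule set 1" from 4.1.4: drop and log everything else.
GLOBAL_RULE_SET = [
    Rule("Drop", "External", "Internal", None, None, None, logging=True),
    Rule("Drop", "External", "Station", None, None, None, logging=True),
    Rule("Drop", "External", "Any", None, None, None, logging=True),
]

def adopt_global_rules(module, rule_set):
    """Keep only the global rules whose zones exist on this module type, as in
    the 4.1.4 result table (SCALANCE S: Internal; CP 1x43-1: Station;
    CP x43-1 Adv.: Station and Any)."""
    zones = MODULE_ZONES[module]
    return [r for r in rule_set if r.src_zone in zones and r.dst_zone in zones]

def rule_matches(rule, pkt):
    """A rule matches when every non-wildcard field equals the packet's field."""
    return (rule.src_zone == pkt.src_zone
            and rule.dst_zone in ("Any", pkt.dst_zone)
            and rule.src_ip in (None, pkt.src_ip)
            and rule.dst_ip in (None, pkt.dst_ip)
            and (rule.service is None or SERVICES[rule.service] == pkt.dst_port))

class Firewall:
    def __init__(self, module, local_rules, global_rule_set):
        # The global rule set is added after the last local rule (4.1.4, step 8).
        self.rules = list(local_rules) + adopt_global_rules(module, global_rule_set)
        self.log = []             # denied attempts recorded by logging rules
        self.established = set()  # (src_ip, dst_ip, dst_port) of allowed flows

    def evaluate(self, pkt):
        """Return the action of the first matching rule; "Drop" if none matches."""
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "Allow":
                    self.established.add((pkt.src_ip, pkt.dst_ip, pkt.dst_port))
                elif rule.logging:
                    self.log.append(pkt)
                return rule.action
        return "Drop"

    def evaluate_reply(self, src_ip, src_port, dst_ip):
        """Stateful inspection (footnote 1 of the 4.1.3 table): the response
        frame of an allowed flow passes without needing a rule of its own."""
        return "Allow" if (dst_ip, src_ip, src_port) in self.established else "Drop"

def run_test_phases():
    """Replay the 4.1.6 test phases against the SCALANCE S rule table."""
    fw = Firewall("SCALANCE S", LOCAL_RULES_SCALANCE_S, GLOBAL_RULE_SET)
    pc1, pc1_changed, station1 = "192.168.10.100", "192.168.10.101", "192.168.9.10"

    def ext_to_int(src, port):  # constructed packet from the external network
        return Packet("External", "Internal", src, station1, port)

    results = {
        "phase1_s7_from_pc1": fw.evaluate(ext_to_int(pc1, 102)),                    # Allow
        "phase2_https_from_pc1": fw.evaluate(ext_to_int(pc1, 443)),                 # Allow
        "phase3_s7_from_changed_ip": fw.evaluate(ext_to_int(pc1_changed, 102)),     # Drop, logged
        "phase4_https_from_changed_ip": fw.evaluate(ext_to_int(pc1_changed, 443)),  # Allow
        "reply_station1_to_pc1": fw.evaluate_reply(station1, 102, pc1),             # Allow
    }
    return results, fw.log
```

The logged entry for phase 3 is what the packet filter log of the module records for the denied S7 attempt from the changed address.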

4.1.6 Testing firewall function

How can you test the configured function?

The function tests are performed with PC1 on which a Web browser is installed.

So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external:

1. Open the project for configuration and diagnostics of the station:

– for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network

– for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located

2. Select the station in the project tree.

3. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are possible using the S7 protocol.


Figure 4-7 S7 diagnostics and configuration of the station

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

Open a standard Web browser on PC1 and enter the following URL:

● for CP x43-1 Adv. and SCALANCE S: "https://192.168.9.10"

● for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): "https://192.168.10.1"

Result: Access to the Web server using the HTTPS protocol is possible.


Figure 4-8 HTTPS access to the Web server of the station

Test phase 3 – PC1 with modified IP address: S7 diagnostics and configuration of the station

By changing the IP address of PC1 in this test phase, an unauthorized access attempt will be simulated. To do this, change the IP address from "192.168.10.100" to "192.168.10.101" as explained in the section "Make the IP settings for the PCs (Page 32)".

Now test the function of the S7 firewall rule for PC1 from external with the modified IP address as follows:

1. Open the project for configuration and diagnostics of the station:

– for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network

– for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located

2. Select the station in the project tree.

3. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.


Figure 4-9 S7 diagnostics and configuration of the station

Test phase 4 – PC1 with modified IP address: HTTPS access to the Web server of the station

By changing the IP address of PC1 in this test phase, an access attempt by another PC will be simulated. In keeping with test phase 3, here instead of the IP address "192.168.10.100", PC1 has the IP address "192.168.10.101".

Open a standard Web browser on PC1 and enter the following URL:

● for CP x43-1 Adv. and SCALANCE S: "https://192.168.9.10"

● for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): "https://192.168.10.1"

Result: Access to the Web server using the HTTPS protocol is possible.

Figure 4-10 HTTPS access to the Web server of the security module

Test phase 5 - PC1: S7 diagnostics and configuration of the station

As explained in the section "Make the IP settings for the PCs (Page 32)", change the IP address of PC1 from "192.168.10.101" back to "192.168.10.100".


Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:

1. Open the project for configuration and diagnostics of the station.

2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".

3. Select the security module in the project tree.

4. Select the menu command "Online" > "Online & Diagnostics".

5. For CPs: In the "Diagnostics" > "Security" > "Status" menu, click the "Connect online" button.

Figure 4-11 Connecting to the security module online

Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.

6. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.


7. Click the "Connect online" button.

Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.

Figure 4-12 Running security diagnostics with HTTPS

8. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.

Result: The unauthorized connection attempts from test phase 3 were recorded in the packet filter log and will be displayed as follows:

Figure 4-13 Display of the unauthorized connection attempts


4.2 Firewall rules for connections

4.2.1 Overview

In this example, you configure the advanced firewall.

With the settings made in the firewall of the security module, the connections configured via the CPs are allowed in the firewall and restricted to the services used.

The configuration and diagnostics of the controllers using the S7 protocol are restricted in the firewall to the IP address of PC1 and are therefore allowed from the external network only for PC1.

In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules.

Denied attempts to access the security module or the station are logged.

Setting up the test network


● Station1 - one of the following stations with security module:

– SIMATIC S7-300 with CP 343-1 Advanced

– SIMATIC S7-400 with CP 443-1 Advanced

– SIMATIC S7-1200 with CP 1243-1

– SIMATIC S7-1500 with CP 1543-1

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

Switch: Networks the connection partners and PC1 with each other.

PC1: PC with configuration software STEP 7

Active partner station (Station2): Partner station that actively establishes the connections to Station1

Passive partner station (Station3): Partner station that accepts active connections from Station1

Requirement: To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software is installed on PC1.

● A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module   IP address                                  Subnet mask
CP 1x43-1         Ethernet interface [X1]: 192.168.10.1       255.255.255.0
CP x43-1 Adv.     Ethernet interface [X1]: 192.168.10.1       255.255.255.0
                  PROFINET interface [X2]: 192.168.9.1        255.255.255.0

● In the STEP 7 project, communications connections were configured via the CP. The type and number of communications connections are irrelevant. In this example, the following communications connections of the CP to the partner stations were configured:

Connection type   Connection establishment   Partner station           Partner address
S7 connection     passive                    active_partner_station    192.168.10.2
S7 connection     active                     passive_partner_station   192.168.10.3


● The project with the "basic configuration" of the security module is open on PC1.

Figure 4-14 IP settings of the basic configuration

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

4.2.2 Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC    IP address       Subnet mask     Default gateway
PC1   192.168.10.100   255.255.255.0   192.168.10.1


Follow the steps below for PC1:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.


4.2.3 Configuring the local firewall

Follow the steps below:

1. Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2. Select the "Security" menu item and then the "Activate security features" check box.

Result: The security functions of the module are shown below the "Security" entry and can be configured.

3. Select the "Firewall" menu item.

4. In the "General" box, enable the "Activate firewall" option.

5. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".

Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode firewall is not possible.

6. Select the "IP rules" menu and add the following firewall rules depending on the security module you are using:

Security module   Action   From       To        Source IP address   Destination IP address   Service                Logging
CP 1x43-1         Allow    External   Station   192.168.10.100      -                        S7
                  Allow    External   Station   -                   -                        Security diagnostics
                  Drop     External   Station   -                   -                        All                    ☑
CP x43-1 Adv.     Allow    External   Station   192.168.10.100      -                        S7
                  Allow    External   Station   -                   -                        HTTPS
                  Drop     External   Station   -                   -                        All                    ☑

Result: The local firewall rules are displayed in the list:

Figure 4-15 Local IP rules in advanced firewall mode


4.2.4 Configuring connection firewall rules

Follow the steps below:

1. Click the "Update connection rules" button.

Result: The firewall rules for the active and passive connection to the station are automatically added at the start of the list of IP rules.

Figure 4-16 Configuring connection firewall rules

Depending on the configured connection establishment, only the direction in which the connection is established is opened in the firewall. Due to the "Stateful inspection" function of the firewall, the response frames are allowed automatically and do not need to be allowed specifically. The additional Drop firewall rule prevents connections being established in the opposite direction.

In the following table, you will find the firewall rules that result for connection establishment depending on the configured direction:

Connection establishment   Action   From       To         Source IP address   Destination IP address
passive                    Allow    External   Station    192.168.10.2        192.168.10.1
                           Drop     Station    External   192.168.10.1        192.168.10.2
active                     Drop     External   Station    192.168.10.3        192.168.10.1
                           Allow    Station    External   192.168.10.1        192.168.10.3

2. Restrict the connection firewall rules to the protocol being used. In this example, S7 connections were configured; the S7 protocol therefore needs to be used.

Result: Only S7 connections to the partner station can pass through the firewall.

Result: The firewall is now completely configured. Connection firewall rules are automatically inserted at the start of the firewall list and cannot be moved. Settings such as service, bandwidth or logging can be adapted. The "Source IP address" and "Destination IP address" boxes have default values and cannot be changed since the information is taken from the connection configuration.

The configuration of the firewall is completed.
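The rule list built in 4.2.3 and 4.2.4 can be checked on paper before it is downloaded. The following Python model is an added example, not code from this manual and not the CP's own firmware logic: it holds the connection firewall rules and the local rules of the CP x43-1 Adv. variant in the order the module evaluates them, applies first-match semantics with a simplified stateful inspection, and replays the traffic of test phases 1 to 3 (section 4.2.6) plus both configured connections. The `Rule` and `Packet` classes, the log line format, the `is_response` flag standing in for connection tracking, and the implicit final drop for unmatched traffic are this example's own assumptions; the addresses, zones and rule order are the manual's.

```python
# Added example (not from the Siemens manual, not the CP's own firmware logic):
# a model of the advanced-mode rule list built in 4.2.3 and 4.2.4 for the
# CP x43-1 Adv. variant, evaluated first match wins with a simplified stateful
# inspection. Addresses, zones and rule order are the manual's; the data
# layout, the log format and the implicit final drop are this example's own.
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # the "-" in the manual's rule tables: matches every address/service
STATION_IP = "192.168.10.1"  # Ethernet interface [X1] of the security module


@dataclass(frozen=True)
class Rule:
    action: str                # "Allow" or "Drop"
    src_zone: str              # "External" or "Station"
    dst_zone: str
    src_ip: Optional[str]      # None = any
    dst_ip: Optional[str]
    service: Optional[str]     # "S7", "HTTPS", None = all services
    logging: bool = False

    def matches(self, pkt: "Packet") -> bool:
        return (self.src_zone == pkt.src_zone
                and self.dst_zone == pkt.dst_zone
                and self.src_ip in (ANY, pkt.src_ip)
                and self.dst_ip in (ANY, pkt.dst_ip)
                and self.service in (ANY, pkt.service))


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str
    is_response: bool = False  # True for a reply frame of an existing connection


# Connection firewall rules (4.2.4): generated from the connection configuration,
# placed at the start of the list and restricted to the S7 service in step 2.
CONNECTION_RULES = [
    # passive connection: active_partner_station (192.168.10.2) establishes it
    Rule("Allow", "External", "Station", "192.168.10.2", STATION_IP, "S7"),
    Rule("Drop", "Station", "External", STATION_IP, "192.168.10.2", "S7"),
    # active connection: Station1 establishes it to passive_partner_station (192.168.10.3)
    Rule("Drop", "External", "Station", "192.168.10.3", STATION_IP, "S7"),
    Rule("Allow", "Station", "External", STATION_IP, "192.168.10.3", "S7"),
]

# Local IP rules for the CP x43-1 Adv. (4.2.3)
LOCAL_RULES = [
    Rule("Allow", "External", "Station", "192.168.10.100", ANY, "S7"),
    Rule("Allow", "External", "Station", ANY, ANY, "HTTPS"),
    Rule("Drop", "External", "Station", ANY, ANY, ANY, logging=True),
]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.packet_filter_log: List[str] = []
        self._established = set()  # (src_ip, dst_ip, service) of allowed connections

    def filter(self, pkt: Packet) -> str:
        # Stateful inspection: the reply to an allowed connection passes without
        # needing its own Allow rule in the opposite direction.
        if pkt.is_response and (pkt.dst_ip, pkt.src_ip, pkt.service) in self._established:
            return "Allow"
        for rule in self.rules:  # first matching rule decides
            if rule.matches(pkt):
                if rule.logging:
                    self.packet_filter_log.append(
                        f"{rule.action} {pkt.service} {pkt.src_ip} -> {pkt.dst_ip}")
                if rule.action == "Allow":
                    self._established.add((pkt.src_ip, pkt.dst_ip, pkt.service))
                return rule.action
        return "Drop"  # assumption: traffic without a matching rule is dropped


def run_test_phases() -> dict:
    """Replay the traffic of test phases 1-3 (4.2.6) and the two configured connections."""
    fw = Firewall(CONNECTION_RULES + LOCAL_RULES)
    pc1, pc1_changed = "192.168.10.100", "192.168.10.101"
    ext, st = "External", "Station"
    results = {
        "phase1_pc1_s7": fw.filter(Packet(ext, st, pc1, STATION_IP, "S7")),
        "phase2_https_any_node": fw.filter(Packet(ext, st, pc1_changed, STATION_IP, "HTTPS")),
        "phase3_changed_ip_s7": fw.filter(Packet(ext, st, pc1_changed, STATION_IP, "S7")),
        "active_partner_connects": fw.filter(Packet(ext, st, "192.168.10.2", STATION_IP, "S7")),
        "station_connects_active_partner": fw.filter(Packet(st, ext, STATION_IP, "192.168.10.2", "S7")),
        "passive_partner_connects": fw.filter(Packet(ext, st, "192.168.10.3", STATION_IP, "S7")),
        "station_connects_passive_partner": fw.filter(Packet(st, ext, STATION_IP, "192.168.10.3", "S7")),
        "passive_partner_reply": fw.filter(Packet(ext, st, "192.168.10.3", STATION_IP, "S7", is_response=True)),
    }
    results["log"] = list(fw.packet_filter_log)
    return results


if __name__ == "__main__":
    for name, value in run_test_phases().items():
        print(f"{name}: {value}")
```

Running the model reproduces the expected outcomes: S7 from PC1 and HTTPS from any external node pass, S7 from the changed address 192.168.10.101 is dropped and is the only entry in the packet filter log, each connection is open only in its configured direction, and the partner's reply on the active connection passes through the stateful inspection although the static rule for that direction says Drop.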


4.2.5 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. Select the "Connection to interface/subnet" via which you are connected to the security module.

For CPs, the S7 protocol is used for the download.

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download was completed free of error, click the "Finish" button.


Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located.

S7 connections to the partner stations are allowed.

Incoming S7 data traffic is permitted only from PC1 and HTTPS communication for diagnostics of the security module is allowed for every node from the external network.

Every blocked access attempt is logged.

4.2.6 Testing firewall function

How can you test the configured function? The function tests are performed with PC1 on which a Web browser is installed.

So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external:

1. Open the project for configuration and diagnostics of the station.

2. Select the station in the project tree.


3. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are possible using the S7 protocol.

Figure 4-17 Uploading S7 diagnostics

4. Select the security module in the project tree.

5. Select the menu command "Online" > "Connect online".

6. Start special diagnostics in the "Functions" > "Special diagnostics" menu.

Result: NCM S7 diagnostics for CPs starts and sets up a connection to the CP.

7. In the "Connections" > "S7 connections" menu, you can check the connection status for the connections that have been set up.

Result: The S7 connections are established and ready for communication.


Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

● Open a standard Web browser on PC1 and enter the following URL: "https://192.168.10.1".

Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 3 – PC1 with modified IP address: S7 diagnostics and configuration of the station

By changing the IP address of PC1 in this test phase, an unauthorized access attempt will be simulated. To do this, change the IP address from "192.168.10.100" to "192.168.10.101" as explained in the section "Make the IP settings for the PCs (Page 47)".

Now test the function of the S7 firewall rule for PC1 from external with the modified IP address as follows:

1. Open the project for configuration and diagnostics of the station.

2. Select the station in the project tree.

3. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.


Figure 4-18 S7 diagnostics and configuration of the station

Test phase 4 – PC1 with modified IP address: HTTPS access to the Web server of the station

By changing the IP address of PC1 in this test phase, an access attempt by another PC will be simulated. In keeping with test phase 3, here instead of the IP address "192.168.10.100", PC1 has the IP address "192.168.10.101".

● Open a standard Web browser on PC1 and enter the following URL: "https://192.168.10.1".

Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 5 - PC1: S7 diagnostics and configuration of the station

As explained in the section "Make the IP settings for the PCs (Page 47)", change the IP address of PC1 from "192.168.10.101" back to "192.168.10.100".

Now test the packet filter logging function of the firewall rules for which you activated logging, as follows:

1. Open the project for configuration and diagnostics of the station.

2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".


3. Select the security module in the project tree.

4. Select the menu command "Online" > "Online & Diagnostics".

5. In the "Diagnostics" > "Security" > "Status" menu, click the "Connect online" button.

Figure 4-19 Connecting to the security module online

Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.

6. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.


7. Click the "Connect online" button.

Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.

8. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.

Result: The unauthorized connection attempts from test phase 3 were recorded in the packet filter log and will be displayed as follows:


4.3 User-specific firewall

4.3.1 Overview

In this example you configure the advanced firewall and use the function of the user-specific rule sets.

By making these settings in the firewall of the security module, you restrict configuration and diagnostics of the station in the internal network using the S7 protocol to one user, making the station accessible from the external network only for this one user.

In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules and communication with Web servers in the internal network.

Denied attempts to access the security module or the station are logged.

Setting up the test network

● Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.

Station1: Represents a node in the internal network

● Security module - A security module for protection of the internal network can be:

– SCALANCE S


● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

● PC1: PC with configuration software STEP 7

Requirement: To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software is installed on PC1.

● A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

Controller   IP address     Subnet mask     Default gateway
Controller   192.168.9.10   255.255.255.0   192.168.9.1

● A STEP 7 project has already been created with the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module   IP address                                     Subnet mask
SCALANCE S        External interface [P1] red: 192.168.10.1      255.255.255.0
                  Internal interface [P2] green: 192.168.9.1     255.255.255.0

● The project with the "basic configuration" of the security module is open on PC1.

Figure 4-20 IP settings

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

4.3.2 Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC    IP address       Subnet mask     Default gateway
PC1   192.168.10.100   255.255.255.0   192.168.10.1


Follow the steps below for PC1:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.


4.3.3 Configuring the local firewall

Follow the steps below:

1. Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2. Select the "Firewall" menu item.

3. In the "General" box, enable the "Activate firewall" option.

4. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".

Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode firewall is not possible.

5. Select the "IP rules" menu and add the following firewall rules:

Action   From       To         Source IP address   Destination IP address   Service   Logging
Allow    External   Internal   -                   -                        HTTPS
Drop     External   Internal   -                   -                        All       ☑

Result: The local firewall rules are displayed in the list:

4.3.4 Creating remote access users

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "User management".

2. Create a new user and password with the following settings:

– User name: remote

– Role: Remote access

– Password: <freely selectable>


Figure 4-21 Creating remote access users

4.3.5 Configuring user-specific firewall rule sets

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Add new IP rule set".

Result: A global IP rule set is created.

2. Enter any name and a description for the IP rule set. In this example:

– Name: User-specific IP rule set 1

– Description: Access using S7 protocol

3. Add the following firewall rules to the list:

Action   From       To         Source IP address   Destination IP address   Service   Logging
Allow    External   Internal   -                   192.168.9.10             S7        ☑

Result: A user-specific IP rule set is created:

Figure 4-22 User-specific IP rule set

4. Change from the "User-specific IP rule set" view to the "User" view. Assign a user to the rule set who will have the right to activate the rule set.

5. Select the remote user in the "Available users" list.


6. With the "<<" button, move the user to the "Assigned users" list.

Figure 4-23 Assigning remote access user

7. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "User-specific IP rule sets" > "Assign user-specific IP rule set".

8. Select the created rule set from the "Rule set" drop-down list.

9. Select the security module being used in the "Available modules" list.


10. With the "<<" button, move it to the "Assigned modules" list.

Result: The user-specific firewall rule set has been inserted in the local firewall of the security module.

Figure 4-24 Assigning a user-specific IP rule set to a module

11. To check this, go to the Inspector window and open the menu "Properties" > "Firewall" > "IP rules".

Result: The user-specific firewall rule set has been added to the list before the local firewall rules. The firewall configuration is complete.

Figure 4-25 Displaying a user-specific rule set


4.3.6 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. Select the "Connection to interface/subnet" via which you are connected to the security module.

With SCALANCE S, the HTTPS protocol is used for the download.

Figure 4-26 Downloading to the security module

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.


7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download completed without errors, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in the internal network.

S7 communication for configuration and diagnostics of the station in the internal network is only possible after successful authentication with the user-specific firewall of the security module.

HTTPS communication for diagnostics of the station in the internal network is allowed for every node from the external network.

Every blocked access attempt is logged.

4.3.7 Activating a user-specific firewall rule set

1. Open a standard Web browser on PC1 and enter the following URL: "https://192.168.10.1"

2. In the following window, enter the user name "remote" and the corresponding password.

3. Click the "Login" button.

Result: The defined firewall rule set is enabled for the "remote" user. Access to the station in the internal network of the security module using the S7 protocol of PC1 in the external network is permitted for 30 minutes.


4.3.8 Testing firewall function

How can you test the configured function?

The function tests are performed with PC1, on which a Web browser is installed.

So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external as follows:

1. Activate the user-specific firewall rule set as described in the section "Activating a user-specific firewall rule set (Page 66)".

2. Open the project for configuration and diagnostics of the station in the internal network.

3. Select the station in the project tree.


4. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are possible using the S7 protocol.

Figure 4-27 S7 diagnostics and configuration of the station

5. Deactivate the user-specific firewall rule set by clicking the "Logout" button in the Web browser.

6. As described in points 2-4, try to reach the station again using the S7 protocol.

Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.


Figure 4-28 S7 diagnostics and configuration of the station
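The behaviour exercised in sections 4.3.7 and 4.3.8 (Web login activates the "remote" user's rule set for a limited time, "Logout" or expiry deactivates it, denied S7 attempts end up in the packet filter log) can be modelled in a few lines. The following is an added example written for this page, not Siemens code and not the SCALANCE S implementation. Its assumptions: the credential store is a constructed dictionary, the activated rule set is bound to the source IP address that performed the login, the 30 minute timeout comes from section 4.3.7, and the log line format is invented.

```python
"""Model of a login-activated, time-limited user-specific firewall rule set.

Added example for sections 4.3.7 / 4.3.8, not Siemens code.  Assumptions:
constructed credential store, rule set bound to the login's source IP,
invented log format.
"""
import hmac
import time
from typing import Callable, Dict, List, Optional

RULE_SET_TIMEOUT_S = 30 * 60  # "permitted for 30 minutes" (section 4.3.7)


class UserSpecificFirewall:
    """External -> internal filter with a login-activated S7 rule set."""

    def __init__(self, users: Dict[str, str],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._users = users                   # constructed {user: password} store
        self._clock = clock                   # injectable so expiry can be simulated
        self._active: Dict[str, float] = {}   # src IP -> expiry time of the rule set
        self.packet_filter_log: List[str] = []

    def login(self, src_ip: str, user: str, password: str) -> bool:
        """Web login on the module's external address activates the rule set."""
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            self.packet_filter_log.append(f"login denied user={user} src={src_ip}")
            return False
        self._active[src_ip] = self._clock() + RULE_SET_TIMEOUT_S
        return True

    def logout(self, src_ip: str) -> None:
        """The "Logout" button deactivates the rule set immediately."""
        self._active.pop(src_ip, None)

    def seconds_remaining(self, src_ip: str) -> Optional[float]:
        """Remaining validity of the rule set for src_ip, None if not active."""
        expiry = self._active.get(src_ip)
        if expiry is None:
            return None
        return max(0.0, expiry - self._clock())

    def s7_allowed(self, src_ip: str) -> bool:
        """S7 to the internal station passes only while the rule set is active."""
        expiry = self._active.get(src_ip)
        if expiry is not None and self._clock() < expiry:
            return True
        self._active.pop(src_ip, None)   # expired entries are dropped lazily
        self.packet_filter_log.append(f"drop S7 src={src_ip} (no active rule set)")
        return False

    @staticmethod
    def https_allowed(src_ip: str) -> bool:
        """HTTPS for diagnostics is allowed for every external node (section 4.3.6)."""
        return True


if __name__ == "__main__":
    fw = UserSpecificFirewall({"remote": "example-only-password"})  # constructed
    pc1 = "192.168.10.100"                                            # PC1 on the page
    print("S7 before login:", fw.s7_allowed(pc1))
    print("login:", fw.login(pc1, "remote", "example-only-password"))
    print("S7 after login:", fw.s7_allowed(pc1), "remaining s:", fw.seconds_remaining(pc1))
    fw.logout(pc1)
    print("S7 after logout:", fw.s7_allowed(pc1))
    print(*fw.packet_filter_log, sep="\n")
```

The injectable clock is what makes the 30 minute window testable without waiting; the same pattern (explicit expiry stored per client, checked on every packet, removed lazily) is the one a practitioner would want to verify on the real device with test phase 1 above: access works after login, fails after logout, and the failed attempts are visible in the packet filter log.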

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

● Open a standard Web browser on PC1 and enter the following URL: "https://192.168.9.10".

Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 3 - diagnostics of denied access attempts with packet filter logging

Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:

1. Open the project for configuration and diagnostics of the station.

2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".

3. Select the security module in the project tree.


4. Select the menu command "Online" > "Online & Diagnostics".

Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.

5. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.

6. Click the "Connect online" button.

Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.

7. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.

Result: The unauthorized connection attempts from test phase 1 were recorded in the packet filter log and will be displayed as follows:

Figure 4-29 Display of the unauthorized connection attempts


4.4 NAT

4.4.1 Overview

In this example, you configure the NAT function and the advanced firewall.

With this configuration, Station1 is reachable via a NAT IP address that belongs to the external subnet. Only Station1 from the internal network will be reachable for PC1 from the external network. Other nodes from the internal subnet cannot be reached.

With the firewall settings of the security module, you restrict configuration of the controller Station1 using the S7 protocol to the IP address of PC1, so that it is possible from the external network only from PC1.

In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules or also communication with Web servers in the internal network.

Denied attempts to access the security module or the station are logged.

Setting up the test network


● Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol.

Station1: Represents a node in the internal network

● Security module - A security module for protection of the internal network can be:

– SCALANCE S

– CP 343-1 Advanced in a SIMATIC S7-300 station

– CP 443-1 Advanced in a SIMATIC S7-400 station

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

PC1: PC with configuration software STEP 7

Requirement: To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software is installed on PC1.

● A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

Controller    IP address      Subnet mask      Default gateway
Controller    192.168.9.10    255.255.255.0    192.168.9.1

● A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module    Interface                         IP address      Subnet mask
SCALANCE S         External interface [P1] red:      192.168.10.1    255.255.255.0
                   Internal interface [P2] green:    192.168.9.1     255.255.255.0
CP x43-1 Adv.      Ethernet interface [X1]:          192.168.10.1    255.255.255.0
                   PROFINET interface [X2]:          192.168.9.1     255.255.255.0


● The project with the "basic configuration" of the security module is open on PC1.

Figure 4-30 IP settings of the basic configuration

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

4.4.2 Making IP settings for the PC

The following IP address settings are made for the PC:

PC     IP address        Subnet mask
PC1    192.168.10.100    255.255.255.0

Follow the steps outlined below:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".


6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.


4.4.3 Configuring destination NAT and local firewall

Follow the steps below:

1. Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2. For a CP: Select the "Security" menu item and then the "Activate security features" check box.

Result: The security functions of the module are shown below the "Security" entry and can be configured.

3. Select the "NAT/NAPT" menu item.

4. Select the "Activate NAT" function and add the following NAT rules:

Action             From        To          Source IP address    Source translation    Destination IP address    Destination translation
Destination NAT    External    Internal    -                    -                     192.168.10.10             192.168.9.10
Destination NAT    External    Internal    -                    -                     192.168.10.11             192.168.9.10

Result: The following NAT rule sets will be created:

Figure 4-31 NAT rules

5. In the "General" box, enable the "Activate firewall" option.


6. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".

Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.

7. Select the "IP rules" menu.

Result: The previously inserted NAT rules have automatically generated two firewall rules to which you can now add additional IP addresses and services. The expanded firewall rules then filter based on the specified IP addresses and services.

Expand the two NAT firewall rules and add a logging rule at the end according to the following table:

Security module    Rule     Action    From        To          Source IP address    Destination IP address    Service    Logging
SCALANCE S         NAT_1    Allow     External    Internal    192.168.10.100       192.168.10.10             S7
                   NAT_2    Allow     External    Internal    -                    192.168.10.11             HTTPS
                            Drop      External    Internal    -                    -                         All        ☑
CP x43-1 Adv.      NAT_1    Drop      External    Station     -                    192.168.10.1              S7
                            Allow     External    Any         192.168.10.100       192.168.9.10              S7
                   NAT_2    Drop      External    Station     -                    192.168.10.1              HTTPS
                            Allow     External    Any         -                    192.168.9.10              HTTPS
                            Drop      External    Any         -                    -                         All        ☑

Result: The local firewall rules are displayed in the list:

Figure 4-32 Local IP rules in advanced firewall mode
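To see how the destination NAT rules and the expanded IP rules of section 4.4.3 act together, the following added example (written for this page, not Siemens code and not the SCALANCE S implementation) models the SCALANCE S rows of the table above and runs constructed packets through it that correspond to the test phases of section 4.4.5. Assumptions of the model: rules are evaluated top-down and the first match decides; for SCALANCE S the rules are matched against the external NAT address before translation, as the destination column of its rows shows (the CP x43-1 Adv. rows reference the translated address instead and are not modelled); the `Packet`, `Rule` and `Verdict` types and the log line format are inventions of the example.

```python
"""Model of destination NAT plus advanced-mode IP rules (SCALANCE S rows, 4.4.3).

Added example, not Siemens code.  Assumptions: first-match rule evaluation,
rules matched on the NAT address before translation, invented log format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Destination NAT rules from section 4.4.3: external NAT IP -> internal station
DESTINATION_NAT: Dict[str, str] = {
    "192.168.10.10": "192.168.9.10",
    "192.168.10.11": "192.168.9.10",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "Allow" or "Drop"
    src: Optional[str] = None       # None stands for "-" (any source) in the table
    dst: Optional[str] = None       # None stands for "-" (any destination)
    service: Optional[str] = None   # None stands for "All"
    log: bool = False               # the "Logging" check mark


# Local IP rules for SCALANCE S, direction External -> Internal, in table order
IP_RULES: List[Rule] = [
    Rule("NAT_1", "Allow", src="192.168.10.100", dst="192.168.10.10", service="S7"),
    Rule("NAT_2", "Allow", dst="192.168.10.11", service="HTTPS"),
    Rule("final", "Drop", log=True),   # the closing "Drop ... All" row with logging
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str   # "S7" or "HTTPS", the two services the example uses


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: str
    forwarded_to: Optional[str]   # internal address after NAT, None when dropped


class ScalanceSModel:
    """Firewall + destination NAT of the security module, external -> internal."""

    def __init__(self, rules: List[Rule] = IP_RULES,
                 nat: Dict[str, str] = DESTINATION_NAT) -> None:
        self.rules = list(rules)
        self.nat = dict(nat)
        self.packet_filter_log: List[str] = []

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return ((rule.src is None or rule.src == pkt.src)
                and (rule.dst is None or rule.dst == pkt.dst)
                and (rule.service is None or rule.service == pkt.service))

    def process(self, pkt: Packet) -> Verdict:
        for rule in self.rules:                  # first matching rule decides
            if not self._matches(rule, pkt):
                continue
            if rule.log:
                self.packet_filter_log.append(
                    f"{rule.action} {pkt.service} {pkt.src} -> {pkt.dst} ({rule.name})")
            if rule.action != "Allow":
                return Verdict(rule.action, rule.name, None)
            # Allowed: translate the NAT address to the internal station
            return Verdict("Allow", rule.name, self.nat.get(pkt.dst, pkt.dst))
        return Verdict("Drop", "implicit", None)   # not reached with the table above


if __name__ == "__main__":
    fw = ScalanceSModel()
    # Constructed packets mirroring test phases 1 to 3 of section 4.4.5
    samples = [
        Packet("192.168.10.100", "192.168.10.10", "S7"),     # PC1, S7 via NAT IP
        Packet("192.168.10.101", "192.168.10.11", "HTTPS"),  # any node, HTTPS via NAT IP
        Packet("192.168.10.101", "192.168.10.10", "S7"),     # changed PC1 address, S7
    ]
    for pkt in samples:
        print(pkt, "->", fw.process(pkt))
    print("packet filter log:", fw.packet_filter_log)
```

Running the model reproduces the results the manual describes: S7 from 192.168.10.100 to the NAT address 192.168.10.10 is allowed and forwarded to 192.168.9.10, HTTPS to 192.168.10.11 is allowed for any external source, and S7 from the changed address 192.168.10.101 hits the final Drop rule and produces the log entry that test phase 5 later reads out. A packet the page does not exercise, S7 from PC1 to the HTTPS NAT address 192.168.10.11, is also dropped, because NAT_2 filters on the HTTPS service.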


4.4.4 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. Select the "Connection to interface/subnet" via which you are connected to the security module.

For CPs, the S7 protocol is used for the download; for SCALANCE S, the HTTPS protocol.

Figure 4-33 Downloading to the security module

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.


7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download completed without errors, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists).

Incoming S7 data traffic to Station1 is only permitted from PC1 and uses the NAT IP address 192.168.10.10 of the security module.

The HTTPS communication for diagnostics of Station1 is permitted for every node from the external network via the NAT IP address 192.168.10.11. Every blocked access attempt is logged.

4.4.5 Testing NAT function

How can you test the configured function?

The function tests are performed with PC1, on which a Web browser is installed.

So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 NAT firewall rule for PC1 from external as follows:

1. Open the project for configuration and diagnostics of the station in the internal network.

2. Select the station in the project tree.

3. Select the menu command "Online" > "Download to device".


4. In the "Compatible devices in target subnet" list, enter the NAT IP address "192.168.10.10" in the Access address box. Confirm the input by clicking on a point outside the row.

Result: The NAT IP address is defined as the access address to Station1.

5. Click the "Load" button.

6. In the "Load preview" dialog, click the "Load" button.

Result: The configuration is downloaded to the security module.

7. Click the "Finish" button to complete the download and to restart Station1.

Result: Diagnostics and downloading configuration data via the NAT IP address are possible using the S7 protocol.

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

● Open a standard Web browser on PC1 and enter the following URL: "https://192.168.10.11".

Result: Access to the Web server via the NAT IP address using the HTTPS protocol is possible.


Test phase 3 - PC1 with modified IP address: S7 diagnostics and configuration of the station

By changing the IP address of PC1 in this test phase, an unauthorized access attempt will be simulated. To do this, change the IP address from "192.168.10.100" to "192.168.10.101" as explained in the section "Making IP settings for the PC (Page 73)".

Now test the function of the S7 NAT firewall rule for PC1 from external with the modified IP address as follows:

1. Open the project for configuration and diagnostics of the station.

2. Select the station in the project tree.

3. Select the menu command "Online" > "Download to device".

4. In the "Compatible devices in target subnet" list, enter the NAT IP address "192.168.10.10" in the Access address box. Confirm the input by clicking on a point outside the row.

Result: The NAT IP address cannot be reached. Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.


Figure 4-34 S7 diagnostics and configuration of the station


Test phase 4 - PC1 with modified IP address: HTTPS access to the Web server of the station

By changing the IP address of PC1 in this test phase, an access attempt by another PC will be simulated. In keeping with test phase 3, here instead of the IP address "192.168.10.100", PC1 has the IP address "192.168.10.101".

● Open a standard Web browser on PC1 and enter the following URL: "https://192.168.10.11".

Result: Access to the Web server via the NAT IP address using the HTTPS protocol is possible.

Test phase 5 - PC1: S7 diagnostics and configuration of the station

As explained in the section "Making IP settings for the PC (Page 73)", change the IP address of PC1 from "192.168.10.101" back to "192.168.10.100".

Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:

1. Open the project for configuration and diagnostics of the station.

2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".

3. Select the security module in the project tree.

4. Select the menu command "Online" > "Online & Diagnostics".


5. For CPs: In the "Diagnostics" > "Security" > "Status" menu, click the "Connect online" button.

Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.

Figure 4-35 Connecting to the security module online

6. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.


7. Click the "Connect online" button.

Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.

Figure 4-36 Running security diagnostics with HTTPS

8. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.

Result: The unauthorized connection attempts from test phase 3 were recorded in the packet filter log and will be displayed as follows:


Figure 4-37 Display of the unauthorized connection attempts


5 VPN for network linking

5.1 VPN tunnel in the LAN between all security products

5.1.1 Overview

In this example, the VPN tunnel function is configured; the security modules form the tunnel endpoints via a local network.

With this configuration, IP traffic is possible only over the established VPN tunnel connections between the authorized partners.

Setting up the test network


● Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.

Station1: Represents a node in the internal network

PC2: Is used to test the tunnel function with S7 diagnostics and for configuration of Station1.

● Security module 1 - A security module for protection of the internal network can be:

– SCALANCE S (not S602)

– CP 343-1 Advanced in a SIMATIC S7-300 station

– CP 443-1 Advanced in a SIMATIC S7-400 station

● Station2 with security module 2 - One of the following stations with security module:

– CP 1243-1 in a SIMATIC S7-1200 station

– CP 1543-1 in a SIMATIC S7-1500 station

● External network - attachment to the external interface of the security module

The external network is represented by a switch to which the external interfaces of all security modules are connected. If there are only two security modules to connect, these can also be connected directly via the external interface.

PC1: PC with configuration software STEP 7 and SOFTNET Security Client

Requirement: To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software and the SOFTNET Security Client are installed on PC1.

● Only for CP x43-1 Adv. and SCALANCE S: A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

Controller    IP address      Subnet mask      Default gateway
Controller    192.168.9.10    255.255.255.0    192.168.9.1

● A STEP 7 project has already been created with the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module    Interface                         IP address      Subnet mask
SCALANCE S         External interface [P1] red:      192.168.10.1    255.255.255.0
                   Internal interface [P2] green:    192.168.9.1     255.255.255.0
CP 1x43-1          Ethernet interface [X1]:          192.168.10.2    255.255.255.0
CP x43-1 Adv.      Ethernet interface [X1]:          192.168.10.3    255.255.255.0
                   PROFINET interface [X2]:          192.168.8.3     255.255.255.0


● The project with the "basic configuration" of the security module is open on PC1.

Figure 5-1 IP settings of the basic configuration

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

5.1.2 Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC     IP address        Subnet mask      Default gateway
PC1    192.168.10.100    255.255.255.0    192.168.10.1


Follow these steps:

1. On PC1, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Now enter the values assigned to the PC from the table "Making the IP settings for the PCs" in the relevant boxes.


9. Close the dialogs with "OK" and close the Control Panel.

10. Repeat the steps listed above on PC2 and assign the following network parameters:

– IP address: 192.168.8.100

– Subnet mask: 255.255.255.0

– Default gateway: 192.168.8.3

Note

To be able to communicate within the various internal networks of the security modules, you need to set explicit routes on the PC.

To do this, use the "route add" function in the command prompt.

5.1.3 Creating SOFTNET Security Client module

Creating a new security module

1. Change to the project view with the "Open the project view" menu item.

2. In the Project tree, double-click on the "Devices & networks" menu item.

Result: The network view opens.

3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view.

You will find the security module by navigating as follows in the "Hardware catalog":

Security module            Navigation in the hardware catalog
SOFTNET Security Client    "PC systems" > "Softnet Security Client"

5.1.4 Configuring a VPN group

The SOFTNET Security Client and the security modules can establish a VPN tunnel for secure communication if they are assigned to the same group in the project.

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Add new VPN group".

Result: A VPN group is created.

2. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Assign module to a VPN group".

3. Select the created VPN group from the "VPN" drop-down list.


4. Select the SOFTNET Security Client module and the security module being used in the Available modules list.

5. With the "<<" button, move this to the "Assigned modules" list.

Result: The security modules were added to the VPN group.

Figure 5-2 VPN assignment

6. To check this, open the "VPN" tab in the network view.

Figure 5-3 Displaying VPN membership

7. Double-click on the newly created VPN group in the project tree.

8. In the Inspector window, select the "Advanced settings phase 1" menu item and change the "SA lifetime" to the value "2879".

9. In the Inspector window, select the "Advanced settings phase 2" menu item and change the "SA lifetime" to the value "2879".


5.1.5 Saving the SOFTNET Security Client configuration

Follow the steps below:

1. Select the SOFTNET Security Client in the project tree.

2. Select the "Edit" > "Compile" menu command and assign a password for the private key of the certificate.

Result: The configuration file "Projectname.SSC-Modulename.dat" and the certificates are stored in the "Path to the SSC configuration files". You can adapt the path in the properties of the SOFTNET Security Client module.

5.1.6 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".


4. Select the "Connection to interface/subnet" via which you are connected to the security module.

For CPs, the S7 protocol is used for the download, for SCALANCE S the HTTPS protocol.

Figure 5-4 Downloading to the security module

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download was completed free of error, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated. Perform the steps listed above for all existing security modules.


Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists).

Communication with that station, or with the station in the internal network, is now possible only encrypted and via the VPN tunnel.

5.1.7 Set up a tunnel with the SOFTNET Security Client

Follow the steps outlined below:

1. Start the SOFTNET Security Client on PC1.

2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-Modulename.dat" configuration file.

3. Enter the password for the private key of the certificate and confirm with "Next".

4. You will now be asked whether the tunnel connections for all internal nodes should be activated. Click the "Yes" button in this dialog.

5. Click the "Tunnel Overview" button.

Result: Active tunnel connection

The tunnel between the security module and the SOFTNET Security Client has been established. This status is indicated by the green circle beside the "S612" entry.

The Logging Console of the Tunnel Overview displays, among other things, the sequence of connection attempts that were made.


The configuration is complete. The security module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network.

5.1.8 Testing the tunnel

How can you test the configured function? The function tests are performed with PC1. Test phase 1 can also be performed analogously with PC2.


Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external:

1. Open the project for configuration and diagnostics of the station:

– for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network

– for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located

2. Select the station in the project tree.

3. Select the menu command "Online" > "Connect online".

Figure 5-5 S7 diagnostics and configuration of the station


Result: Diagnostics and downloading of a configuration are possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets must have been transported through the VPN tunnel.

Test phase 2 - PC1: S7 diagnostics and configuration of the station

Now repeat the test for the function with the terminated tunnel connection for PC1 from external as follows:

1. Close the tunnel overview in the SOFTNET Security Client.

2. Click the "Enable" button.

3. Confirm the next dialog with "OK".

Result: The tunnel connection to the security module is terminated.

4. Open the project for configuration and diagnostics of the station:

– for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network

– for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located

5. Select the station in the project tree.

6. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets cannot reach the station without a VPN tunnel.


5.2 VPN tunnel SOFTNET Security Client and CPs or SCALANCE S

5.2.1 Overview

In this example, you configure the VPN tunnel function: the SOFTNET Security Client and a security module form the two tunnel endpoints for the secure tunnel connection via a public network.

With this configuration, IP traffic is possible only over the established VPN tunnel connection between the two authorized partners.

Setting up the test network for SCALANCE S, CP x43-1 Adv.

● Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7-Station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.

Station1: Represents a node in the internal network

● Security module - A security module for protection of the internal network can be:

– SCALANCE S (not S602)

– CP 343-1 Advanced in a SIMATIC S7-300 station

– CP 443-1 Advanced in a SIMATIC S7-400 station

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

PC1: PC with configuration software STEP 7 and SOFTNET Security Client


Setup of the test network CP 1x43-1

● Station - one of the following stations with security module:

– CP 1243-1 in a SIMATIC S7-1200 station

– CP 1543-1 in a SIMATIC S7-1500 station

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

PC1: PC with configuration software STEP 7 and SOFTNET Security Client software

Requirement: To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software is installed on PC1.

● Only for CP x43-1 Adv. and SCALANCE S: A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

Controller    IP address      Subnet mask      Default gateway
Controller    192.168.9.10    255.255.255.0    192.168.9.1

● A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module                   IP address      Subnet mask
SCALANCE S
  External interface [P1] red:    192.168.10.1    255.255.255.0
  Internal interface [P2] green:  192.168.9.1     255.255.255.0


Security module                   IP address      Subnet mask
CP 1x43-1
  Ethernet interface [X1]:        192.168.10.1    255.255.255.0
CP x43-1 Adv.
  Ethernet interface [X1]:        192.168.10.1    255.255.255.0
  PROFINET interface [X2]:        192.168.9.1     255.255.255.0

● The project with the "basic configuration" of the security module is open on PC1.

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

5.2.2 Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC     IP address        Subnet mask      Default gateway
PC1    192.168.10.100    255.255.255.0    192.168.10.1


Follow the steps below for PC1:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.


5.2.3 Creating SOFTNET Security Client module

Creating a new security module

1. Change to the project view with the "Open the project view" menu item.

2. In the Project tree, double-click on the "Devices & networks" menu item.

Result: The network view opens.

3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view.

You will find the security module by navigating as follows in the "Hardware catalog":

Security module            Navigation in the hardware catalog
SOFTNET Security Client    "PC systems" > "Softnet Security Client"

5.2.4 Configuring a VPN group

The SOFTNET Security Client and a security module can establish a VPN tunnel for secure communication when they are assigned to the same VPN group in the project.

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Add new VPN group".

Result: A VPN group is created.

2. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Assign module to a VPN group".

3. Select the created VPN group from the "VPN " drop-down list.

4. Select the created SOFTNET Security Client module and the security module being used in the "Available modules" list.


5. With the "<<" button, move these to the "Assigned modules" list.

Result: The security modules were added to the VPN group.

6. To check this, open the "VPN" tab in the network view.

Figure 5-6 Displaying VPN membership

7. Double-click on the newly created VPN group in the project tree.

8. In the Inspector window, select the "Advanced settings phase 1" menu item and change the "SA lifetime" to the value "2879".

9. In the Inspector window, select the "Advanced settings phase 2" menu item and change the "SA lifetime" to the value "2879".


5.2.5 Configuring VPN properties of the security module

Follow the steps below:

1. Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2. Select the "VPN" menu item.

3. Change the entry from "Permission to initiate connection establishment" to "Waiting for partner (responder)".

Result: The security module waits for a VPN connection to be established by the client (SSC).

Note

If a WAN is used as the external public network, enter an IP address from the internal subnet of your DSL router as "IP address ext.". Enter the internal IP address of the DSL router as the standard router (default gateway). Enter the public IP address assigned by the provider in the "VPN" tab of the module properties under "WAN IP address / FQDN".

If you use a DSL router as Internet gateway, the following ports of the router must be forwarded to the external IP address of the security module:

• Port 500 (ISAKMP)

• Port 4500 (NAT-T)

5.2.6 Saving the SOFTNET Security Client configuration

Follow the steps below:

1. Select the SOFTNET Security Client in the project tree.

2. Select the "Edit" > "Compile" menu command and assign a password for the private key of the certificate.

Result: The configuration file "Projectname.SSC-Modulename.dat" and the certificates are stored in the "Path to the SSC configuration files". You can adapt the path in the properties of the SOFTNET Security Client module.

5.2.7 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".


3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. Select the "Connection to interface/subnet" via which you are connected to the security module.

For CPs, the S7 protocol is used for the download, for SCALANCE S the HTTPS protocol.

Figure 5-7 Downloading to the security module

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download was completed free of error, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.


Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists).

Communication with that station, or with the station in the internal network, is now possible only encrypted and via the VPN tunnel.

5.2.8 Set up a tunnel with the SOFTNET Security Client

Follow the steps outlined below:

1. Start the SOFTNET Security Client on PC1.

2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-Modulename.dat" configuration file.

3. Enter the password for the private key of the certificate and confirm with "Next".

4. You will now be asked whether the tunnel connections for all internal nodes should be activated. Click the "Yes" button in this dialog.

5. Click the "Tunnel Overview" button.

Result: Active tunnel connection

The tunnel between the security module and the SOFTNET Security Client has been established. This status is indicated by the green circle beside the "S612" entry.

The Logging Console of the Tunnel Overview displays, among other things, the sequence of connection attempts that were made.


The configuration is complete. The security module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network.

5.2.9 Testing the tunnel

How can you test the configured function? The function tests are performed with PC1.


Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external as follows:

1. Open the project for configuration and diagnostics of the station:

– for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network

– for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located

2. Select the station in the project tree.

3. Select the menu command "Online" > "Connect online".

Figure 5-8 S7 diagnostics and configuration of the station


Result: Diagnostics and downloading of a configuration are possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets must have been transported through the VPN tunnel.

Test phase 2 - PC1: S7 diagnostics and configuration of the station

Now repeat the test for the function with the terminated tunnel connection for PC1 from external as follows:

1. Close the tunnel overview in the SOFTNET Security Client.

2. Click the "Enable" button.

3. Confirm the next dialog with "OK".

Result: The tunnel connection to the security module is terminated.

4. Open the project for configuration and diagnostics of the station:

– for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network

– for CP 1x43-1 (also possible as an alternative to Station 1 with CP x43-1 Adv.): the project for the station in which the security module is located

5. Select the station in the project tree.

6. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets cannot reach the station without a VPN tunnel.


5.3 VPN with SOFTNET Security Client and SCALANCE S as user-specific firewall

5.3.1 Overview

In this example, you configure the VPN tunnel function: the SOFTNET Security Client and a security module form the two tunnel endpoints for the secure tunnel connection via a public network.

With this configuration, IP traffic is possible only over the established VPN tunnel connection between the two authorized partners.

In this example you also configure the advanced firewall and use the function of the user-specific rule sets.

By making these settings in the firewall of the security module, you restrict configuration and diagnostics of the station in the internal network using the S7 protocol to one user; the station is then accessible for this one user only, and only via the VPN tunnel connection that has been set up.

In addition to this, all nodes can use the HTTPS protocol for communication via the tunnel connection. This allows security diagnostics of the security modules and communication with Web servers in the internal network.

Denied attempts to access the security module or the station are logged.

Setting up the test network


● Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a device with an integrated Web server that supports the HTTPS protocol. The device is connected to the internal interface of the security module.

Station1: Represents a node in the internal network

● Security module - A security module for protection of the internal network can be:

– SCALANCE S (not S602)

● External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

PC1: PC with configuration software STEP 7 and SOFTNET Security Client

Requirement: To be able to work through the example, the following requirements must be met:

● The STEP 7 configuration software is installed on PC1.

● A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

Controller    IP address      Subnet mask      Default gateway
Controller    192.168.9.10    255.255.255.0    192.168.9.1

● A STEP 7 project has already been created with the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

Security module                   IP address      Subnet mask
SCALANCE S
  External interface [P1] red:    192.168.10.1    255.255.255.0
  Internal interface [P2] green:  192.168.9.1     255.255.255.0

● The project with the "basic configuration" of the security module is open on PC1.

Figure 5-9 IP settings of the basic configuration

● You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.


Overview of the next steps:

5.3.2 Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC     IP address        Subnet mask      Default gateway
PC1    192.168.10.100    255.255.255.0    192.168.10.1

Follow the steps below for PC1:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".

2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.

3. Double-click on the required network connection.

4. In the "Status of [network]" dialog, click the "Properties" button.

5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.


7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.

8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.


5.3.3 Creating SOFTNET Security Client module

Creating a new security module

1. Change to the project view with the "Open the project view" menu item.

2. In the Project tree, double-click on the "Devices & networks" menu item.

Result: The network view opens.

3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view.

You will find the security module by navigating as follows in the "Hardware catalog":

Security module            Navigation in the hardware catalog
SOFTNET Security Client    "PC systems" > "Softnet Security Client"

5.3.4 Configuring a VPN group

The SOFTNET Security Client and a SCALANCE S can establish a VPN tunnel for secure communication if they are assigned to the same VPN group in the project.

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Add new VPN group".

Result: A VPN group is created.

2. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Assign module to a VPN group".

3. Select the created VPN group from the "VPN " drop-down list.

4. Select the SOFTNET Security Client module and the security module being used in the "Available modules" list.


5. With the "<<" button, move these to the "Assigned modules" list.

Result: The security modules were added to the VPN group.

6. To check this, open the "VPN" tab in the network view.

7. Double-click on the newly created VPN group in the project tree.

8. In the Inspector window, select the "Advanced settings phase 1" menu item and change the "SA lifetime" to the value "2879".

9. In the Inspector window, select the "Advanced settings phase 2" menu item and change the "SA lifetime" to the value "2879".


5.3.5 Configuring VPN properties of the security module

Follow the steps below:

1. Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2. Select the "VPN" menu item.

3. Change the entry from "Permission to initiate connection establishment" to "Waiting for partner (responder)".

Result: The security module waits for a VPN connection to be established by the client (SSC).

Note

If a WAN is used as the external public network, enter an IP address from the internal subnet of your DSL router as "IP address ext.". Enter the internal IP address of the DSL router as the standard router (default gateway). Enter the public IP address assigned by the provider in the "VPN" tab of the module properties under "WAN IP address / FQDN".

If you use a DSL router as Internet gateway, the following ports of the router must be forwarded to the external IP address of the security module:

• Port 500 (ISAKMP)

• Port 4500 (NAT-T)

5.3.6 Configuring the local firewall

Follow the steps below:

1. Change to the device view and select the security module.

Result: The properties of the security module become configurable.

2. Select the "Firewall" menu item.

3. In the "General" box, enable the "Activate firewall" option.


4. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".

Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.

5. Select the "IP rules" menu and add the following firewall rules depending on the security module you are using:

Action | From   | To       | Source IP address | Destination IP address | Service | Logging
Allow  | Tunnel | Internal | -                 | -                      | HTTPS   | ☐
Drop   | Tunnel | Internal | -                 | -                      | All     | ☑

Result: The local firewall rules are displayed in the list:

Figure 5-10 Local IP rules in advanced firewall mode

5.3.7 Creating remote access users

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "User management".

2. Create a new user and password with the following settings:

– User name: remote

– Role: Remote access

– Password: <freely selectable>


Figure 5-11 Creating remote access users

5.3.8 Configuring user-specific firewall rule sets

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Add new IP rule set".

Result: A global IP rule set is created.

2. Enter any name and a description for the IP rule set. In this example:

– Name: User-specific IP rule set 1

– Description: Access using S7 protocol

3. Add the following firewall rule to the list:

Action | From   | To       | Source IP address | Destination IP address | Service | Logging
Allow  | Tunnel | Internal | -                 | 192.168.9.10           | S7      | ☑

Result: A user-specific IP rule set is created.

Figure 5-12 User-specific IP rule set

4. Change from the "User-specific IP rule set" view to the "User" view. Assign a user to the rule set who will have the right to activate the rule set.

5. Select the remote user in the "Available users" list.


6. With the "<<" button, move the user to the "Assigned users" list.

7. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "User-specific IP rule sets" > "Assign user-specific IP rule set".

8. Select the created rule set from the "Rule set" drop-down list.

9. Select the security module being used in the "Available modules" list.


10. With the "<<" button, move it to the "Assigned modules" list.

Result: The user-specific firewall rule set has been inserted in the local firewall of the security module.

Figure 5-13 Assigning a user-specific IP rule set to a module

11. To check this, go to the Inspector window and open the menu "Properties" > "Firewall" > "IP rules".

Result: The user-specific firewall rule set has been added to the list before the local firewall rules. The firewall configuration is therefore complete.

Figure 5-14 Displaying a user-specific rule set


5.3.9 Saving the SOFTNET Security Client configuration

Follow the steps below:

1. Select the SOFTNET Security Client in the project tree.

2. Select the "Edit" > "Compile" menu command and assign a password for the private key of the certificate.

Result: The configuration file "Projectname.SSC-Modulename.dat" and the certificates are stored in the "Path to the SSC configuration files". You can adapt the path in the properties of the SOFTNET Security Client module.

5.3.10 Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.

2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".


4. Select the "Connection to interface/subnet" via which you are connected to the security module.

With SCALANCE S, the HTTPS protocol is used for the download.

5. Click the "Start search" button.

Result: The security module is displayed in the "Compatible devices in target subnet" list.

6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.

Result: The configuration is downloaded to the security module.

8. If the download was completed free of error, click the "Finish" button.

Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects Station1 in the internal network of the security module (if this exists).


Communication with the station in the internal network is now possible only in encrypted form via the VPN tunnel.

5.3.11 Set up a tunnel with the SOFTNET Security Client

Follow the steps outlined below:

1. Start the SOFTNET Security Client on PC1.

2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-Modulename.dat" configuration file.

3. Enter the password for the private key of the certificate and confirm with "Next".

4. You will now be asked whether the tunnel connections for all internal nodes should be activated. Click the "Yes" button in this dialog.

5. Click the "Tunnel Overview" button.

Result: Active tunnel connection

The tunnel between the security module and the SOFTNET Security Client was established. This status is indicated by the green circle beside the "S612" entry.

The Logging Console of the Tunnel Overview displays, among other things, the sequence of connection attempts that were executed.


The configuration is complete. The security module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network.


5.3.12 Activating a user-specific firewall rule set

1. Open a standard Web browser on PC1 and enter the following URL:

"https://192.168.10.1"

2. In the following window, enter the user name "remote" and the corresponding password.

3. Click the "Login" button.

Result: The defined firewall rule set is enabled for the "remote" user. S7 protocol access from PC1 in the external network to the station in the internal network of the security module is permitted for 30 minutes.


5.3.13 Testing the tunnel and firewall function

How can you test the configured function? The function tests are performed with PC1 on which a Web browser is installed.

So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external:

1. Activate the user-specific firewall rule set as described in the section "Activating a user-specific firewall rule set (Page 126)".

2. Open the project for configuration and diagnostics of the station in the internal network.

3. Select the station in the project tree.


4. Select the menu command "Online" > "Connect online".

Result: Diagnostics and downloading of a configuration are possible using the S7 protocol. Since the firewall explicitly permits no communication other than via the VPN tunnel, these packets must have been transported through the VPN tunnel.

5. Deactivate the user-specific firewall rule set by clicking the "Logout" button in the Web browser.

6. As described in points 2-4, try to reach the station again using the S7 protocol.

Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.


Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

● Open a standard Web browser on PC1 and enter the following URL: "https://192.168.9.10".

Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 3 - diagnostics of denied access attempts with packet filter logging

Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:

1. Open the project for configuration and diagnostics of the station.

2. Enter your login in the project tree with "Global security settings" > "User login" to log in to the project.

3. Select the security module in the project tree.

4. Select the menu command "Online" > "Online & Diagnostics".

Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.


5. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.

6. Click the "Connect online" button.

Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.

7. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.

Result: The unauthorized connection attempts from test phase 1 were recorded in the packet filter log and will be displayed as follows:

Figure 5-15 Display of the unauthorized connection attempts
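The behaviour verified in test phases 1 to 3 follows from the rule order the firewall uses: an activated user-specific IP rule set (section 5.3.8, enabled by the Web login of section 5.3.12) is evaluated before the local IP rules of section 5.3.6, the first matching rule decides, and only rules with the "Logging" box checked write to the packet filter log. The following Python model replays those rule tables and the three test phases; it is an added example, not code from the Siemens manual or from the SCALANCE S firmware. Assumptions made here and not stated on the page: the service "S7" is mapped to TCP port 102 and "HTTPS" to TCP port 443, packets that match no rule are dropped, PC1's address inside the tunnel is the constructed value 192.168.10.100, and the password of the "remote" user is a constructed value.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Services used in the rule tables, mapped to the ports they cover.
# Assumption of this example: S7 communication is ISO-on-TCP (TCP/102), HTTPS is TCP/443.
SERVICES: Dict[str, set] = {"HTTPS": {("tcp", 443)}, "S7": {("tcp", 102)}}

ACTIVATION_SECONDS = 30 * 60  # a user-specific rule set stays active 30 minutes after login


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "Tunnel" or "External"
    dst_zone: str   # "Internal"
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "Allow" or "Drop"
    src_zone: str           # "From" column
    dst_zone: str           # "To" column
    src_ip: Optional[str]   # None stands for "-" (any address)
    dst_ip: Optional[str]
    service: str            # "HTTPS", "S7" or "All"
    logging: bool           # "Logging" check box

    def matches(self, pkt: Packet) -> bool:
        if (self.src_zone, self.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            return False
        if self.src_ip is not None and self.src_ip != pkt.src_ip:
            return False
        if self.dst_ip is not None and self.dst_ip != pkt.dst_ip:
            return False
        return self.service == "All" or (pkt.proto, pkt.dport) in SERVICES[self.service]


# Local IP rules from section 5.3.6; order matters, the first match wins.
LOCAL_RULES: List[Rule] = [
    Rule("Allow", "Tunnel", "Internal", None, None, "HTTPS", False),
    Rule("Drop", "Tunnel", "Internal", None, None, "All", True),
]

# User-specific IP rule set from section 5.3.8, assigned to the user "remote".
USER_RULE_SETS: Dict[str, List[Rule]] = {
    "remote": [Rule("Allow", "Tunnel", "Internal", None, "192.168.9.10", "S7", True)],
}


class Firewall:
    """Advanced-mode packet filter: active user-specific rule sets are placed
    before the local rules; a packet matching no rule is dropped (assumption)."""

    def __init__(self, credentials: Dict[str, str]) -> None:
        self.credentials = credentials              # user name -> password (constructed values)
        self.active_until: Dict[str, float] = {}    # user name -> expiry timestamp (seconds)
        self.log: List[Tuple[float, str, Packet]] = []  # packet filter log

    def login(self, user: str, password: str, now: float) -> bool:
        """Web login of section 5.3.12: activates the user's rule set for 30 minutes."""
        if self.credentials.get(user) != password or user not in USER_RULE_SETS:
            return False
        self.active_until[user] = now + ACTIVATION_SECONDS
        return True

    def logout(self, user: str) -> None:
        """Web logout: the user's rule set is removed immediately."""
        self.active_until.pop(user, None)

    def _rules(self, now: float) -> List[Rule]:
        active = [r for u, t in self.active_until.items() if now < t for r in USER_RULE_SETS[u]]
        return active + LOCAL_RULES

    def filter(self, pkt: Packet, now: float) -> str:
        for rule in self._rules(now):
            if rule.matches(pkt):
                if rule.logging:
                    self.log.append((now, rule.action, pkt))
                return rule.action
        return "Drop"


def run_test_phases() -> dict:
    """Replays test phases 1-3 of section 5.3.13 and returns what the firewall decided."""
    fw = Firewall({"remote": "constructed-password"})
    s7 = Packet("Tunnel", "Internal", "192.168.10.100", "192.168.9.10", "tcp", 102)
    https = Packet("Tunnel", "Internal", "192.168.10.100", "192.168.9.10", "tcp", 443)
    other = Packet("Tunnel", "Internal", "192.168.10.100", "192.168.9.11", "tcp", 102)
    results = {}
    results["login_ok"] = fw.login("remote", "constructed-password", now=0.0)
    results["s7_logged_in"] = fw.filter(s7, now=60.0)             # phase 1, steps 1-4
    results["s7_other_station"] = fw.filter(other, now=60.0)      # rule set is bound to 192.168.9.10
    fw.logout("remote")
    results["s7_logged_out"] = fw.filter(s7, now=120.0)           # phase 1, steps 5-6
    fw.login("remote", "constructed-password", now=200.0)
    results["s7_after_expiry"] = fw.filter(s7, now=200.0 + ACTIVATION_SECONDS)
    results["https_any_time"] = fw.filter(https, now=5000.0)      # phase 2
    results["dropped_logged"] = [(a, p.dport) for _, a, p in fw.log if a == "Drop"]  # phase 3
    return results
```

Reading `run_test_phases()` against the manual: the S7 connection succeeds only while the "remote" login is active, the HTTPS rule works independently of any login because it is a local rule, and every denied S7 attempt appears in the packet filter log because the local "Drop ... All" rule has logging enabled, while the allowed HTTPS packets leave no log entry.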