SIEMENS
8/10
Siemens IK PI · 2015
Industrial Security
Security Integrated
SCALANCE S
■ Design
SCALANCE S602
• Checking of data traffic and protection against unauthorized access by means of a stateful inspection firewall.
• Simple and fast configuration of the firewall through global firewall rules and symbolic names for IP addresses.
• Specific access privileges for users in accordance with user-specific firewall rules.
• 10/100/1000 Mbit/s ports for the connection and operation of SCALANCE S in Gigabit networks as well.
• In addition to bridge mode, can also be operated in router mode and can therefore also be used directly at IP subnet boundaries.
• Address translation:
  - NAT (Network Address Translation) permits the use of private IP addresses in the internal network in that public IP addresses are converted to private ones.
  - NAPT (Network Address and Port Translation) permits the use of private IP addresses in the internal network in that frames are converted to private IP addresses depending on the communications port used.
• Internal network nodes can receive their IP addresses from the integral DHCP server.
• Log files can also be evaluated by a Syslog server.
• Enhanced integration in IT infrastructures and network management systems by means of SNMP.
• Protection of individual, even alternating, devices by dynamically taking over the IP address (ghost mode).
SCALANCE S612
As SCALANCE S602; additionally:
• Encryption of data transmission with VPN (IPsec):
  - Protection against espionage
  - Protection against unauthorized manipulation
• Secure remote access over the Internet, e.g. in conjunction with the SOFTNET Security Client and the SCALANCE M UMTS router (with IPsec VPN function).
SCALANCE S623
As SCALANCE S612; additionally:
• DMZ port with which a protected zone (DMZ = demilitarized zone) can be set up between two networks. The DMZ is used to provide data for other networks without granting direct access to the automation network, thus increasing security. The DMZ port can also be used to protect remote maintenance access where, for example, only access to lower-level automation cells is possible and no access to the plant network is required.
• Secure, redundant connection of automation cells through router and firewall redundancy.
SCALANCE S627-2M
As SCALANCE S623; additionally:
• Two media module slots for two additional switched red or green ports each:
  - Direct integration in line or ring topologies is possible
  - Integration into redundant rings (MRP, HRP) is possible
  - Secure, redundant connection of automation cells or rings
  - Direct integration in FO networks is possible through the use of FO media modules
  - Bridging of longer cable runs or use of existing 2-wire cables (e.g. PROFIBUS) by deploying the MM992-2VD media modules (variable distance).
■ Function
Security functions
VPN (Virtual Private Network)
(only for SCALANCE S612, S623 and SCALANCE S627-2M); for reliable authentication (identification) of the network stations, for encrypting data and for checking data integrity.
• Authentication:
All incoming data traffic is monitored and checked. As IP addresses can be falsified (IP spoofing), checking the IP address (of the client access) is not sufficient. In addition, client PCs may have changing IP addresses. For this reason the authentication is performed by means of tried and tested VPN mechanisms.
• Data encryption:
Secure encryption is necessary in order to protect data communication from espionage and unauthorized manipulation. This means that the data traffic remains incomprehensible to any eavesdropper in the network. The SCALANCE Security Module establishes VPN tunnels to other Security Modules for this purpose.
The firewall
can be used as an alternative to VPN or to supplement it with flexible access control.
The firewall filters data packets and disables or enables communication links in accordance with the filter list and stateful inspection. Both incoming and outgoing communication can be filtered, either according to IP and MAC addresses and communication protocols (ports) or on a user-specific basis.
• Logging:
Access data are saved by the Security Module in a log file. Detecting how, when and by whom the network has been accessed is as important as detecting access attempts, so that appropriate preventive measures can be taken.
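As an added illustration (not Siemens code and not the SCALANCE S configuration format), the following Python sketch shows how global rules with symbolic names, a stateful connection table and an access log interact: the reply direction of an established connection is passed by state without re-checking the rules, an unsolicited inbound request falls through to the default deny, and every decision is logged. All names, addresses and the rule set are constructed sample values.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# Symbolic names for IP addresses (constructed sample values)
SYMBOLIC = {"PLC1": "192.168.10.11", "HMI": "192.168.10.20", "ENG": "10.0.0.5"}
# Global rules: (source, destination, protocol, destination port, action);
# "*"/None are wildcards and the last rule is the default deny.
RULES = [
    ("HMI", "PLC1", "tcp", 102, "allow"),
    ("ENG", "PLC1", "tcp", 102, "allow"),
    ("*", "*", "*", None, "drop"),
]
# syn=True marks a connection request, False a later segment of a flow
Packet = namedtuple("Packet", "src dst proto sport dport syn", defaults=[True])

@dataclass
class StatefulFirewall:
    rules: list
    names: dict
    state: set = field(default_factory=set)   # established flows
    log: list = field(default_factory=list)   # access log (cf. Logging above)

    def _ip(self, name):
        return None if name == "*" else self.names[name]

    def filter(self, pkt):
        # Stateful inspection: the reply direction of an established flow is
        # passed without consulting the rule list again.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            action = "allow"
        elif not pkt.syn:
            action = "drop"   # segment that belongs to no known flow
        else:
            action = "drop"
            for src, dst, proto, dport, act in self.rules:
                if (self._ip(src) in (None, pkt.src) and self._ip(dst) in (None, pkt.dst)
                        and proto in ("*", pkt.proto) and dport in (None, pkt.dport)):
                    action = act
                    break
            if action == "allow":
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        self.log.append(f"{action} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
        return action

def demo():
    fw = StatefulFirewall(RULES, SYMBOLIC)
    request = Packet(SYMBOLIC["HMI"], SYMBOLIC["PLC1"], "tcp", 40001, 102)
    reply = Packet(SYMBOLIC["PLC1"], SYMBOLIC["HMI"], "tcp", 102, 40001, syn=False)
    stray = Packet("203.0.113.7", SYMBOLIC["PLC1"], "tcp", 5555, 102)  # unsolicited
    return [fw.filter(p) for p in (request, reply, stray)], fw.log
```

Without the state table the reply from PLC1 would match no allow rule and be dropped; with it, only the initiating direction needs a rule.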
Configuration
Configuration is carried out using the Security Configuration Tool (SCT), so all SIMATIC NET security products can be configured and diagnosed from a central position. All the configuration data can be saved on the optional C-PLUG swap medium (not included in the scope of supply) so that the Security Module can be replaced quickly in the event of a fault and without the need for a programming device.
© Siemens AG 2014