Practical information 3
SIMATIC
Commissioning Manual
12/2011
A5E02657550-02
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.
CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.
NOTICE
indicates that an unintended result or situation can occur if the relevant information is not taken into account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
1 Preface ...................................................................................................................................................... 5
1.1 Structure and organization of the document..................................................................................5
1.2 Special Notes .................................................................................................................................6
2 Managing the MS ISA Server/MS TMG as Access Point ........................................................................... 7
2.1 Managing the MS ISA Server/MS TMG as Access Point ..............................................................7
2.2 Network positions...........................................................................................................................9
2.2.1 Front firewall.................................................................................................................................10
2.2.2 Back firewall .................................................................................................................................11
2.2.3 Three-homed firewall ...................................................................................................................12
2.3 Technologies and configurations .................................................................................................13
2.3.1 General information .....................................................................................................................13
2.3.2 Web publication............................................................................................................................14
2.3.3 VPN server...................................................................................................................................16
2.3.4 Device direct dialing.....................................................................................................................20
2.3.5 IPSec connection .........................................................................................................................21
2.3.6 User-specific rules .......................................................................................................................21
2.4 Special case: Trust function between ERP and perimeter network.............................................22
3 Practical information ................................................................................................................................ 23
3.1 General information .....................................................................................................................23
3.1.1 Further information and instructions ............................................................................................26
● The basic document provides a central overview and guidance through Security
Concept PCS 7 & WinCC. It systematically describes the basic principles and security
strategies of the security concept. All additional detail documents assume the reader has
read the basic document.
● The detail documents (this is one such detail document) explain the individual
principles, solutions and configurations recommended there in detail, and each focuses
on a particular issue. The detail documents are supplemented, updated and published
independently of one another to ensure that they are always up-to-date.
Required Knowledge
This documentation is aimed at anyone who is involved in configuring, commissioning and
operating automated systems based on SIMATIC. It is assumed that readers have
appropriate management knowledge of office IT.
Validity
Security Concept PCS 7 & WinCC incrementally replaces the following previous documents
and recommendations: "Security Concept PCS 7" and "Security Concept WinCC", and is
valid as of WinCC V6.2 and PCS 7 V7.0.
4. "As the ISA/TMG is Windows-based it cannot be used without a local virus scanner."
In spite of its modern and secure design, the ISA Server\TMG can be penetrated if it is
improperly configured or used incorrectly. The use of a local virus scanner represents a
potential risk to the security of the ISA Server\TMG. Currently there are no virus scan
clients that have been developed and approved for the ISA Server\TMG. A virus scanner
is in any case not necessary, as firewalls should in general not carry out local data
exchange, execute third-party programs, have local logins, etc.
5. There are a number of modules by well-known virus scanner manufacturers that allow the
ISA Server\TMG to scan incoming network data traffic for viruses. Scanning and
forwarding, however, take place in layers 2-5, whereas a local virus scan client generally
only works in layers 6-7 and requires local execution and login.
6. "Microsoft products are insecure and have to be patched too often."
Since the publication of ISA Server 2004, in contrast to other firewall manufacturers, no
security vulnerabilities have been found. Except for two service packs that have improved
the functionality and range of functions, no security-related patches have been issued for
ISA Server 2004 and the more recent ISA Server 2006.
7. "The ISA Server\TMG is an office firewall and is not suitable for industry."
Yes, it is correct that the ISA Server\TMG provides a lot of options and interfaces that
have been designed specifically for Web servers, mail servers and other office
applications. However, this does not equate to any restrictions whatsoever on industrial
use and operation of this firewall solution. On the contrary, these interfaces are being
used more and more frequently in industrial applications, for example to implement more
secure web-based operating and monitoring solutions. Appliance manufacturers
(manufacturers of ISA Server\TMG / hardware bundle systems) are also increasingly
offering ISA Server\TMG in industrial-grade housings, i.e. protected from dust and
splash- and explosion-proof. The high performance and the large number of potential
standard configurations are also of interest to industry.
Figure: Front firewall / back firewall topology. ECN (office network) with Support Station; WAN/Intranet (extern); Firewall ISA Server (front firewall); Perimeter Network; Firewall ISA Server (back firewall, intern); Router ISDN / ISDN 2; Process Control Network.
Adequate security can be provided for small systems with a "single firewall strategy" or a
three-homed firewall, which avoids the cost and administrative effort of the solution above.
Figure (labels recovered from the graphic): Two-firewall topology. Firewall protecting the Domain Controller; WinCC Web Client, OS Web Client, Historian Web Client, office network, Support Station; WAN/Intranet (extern); Dial In; Virus scan Server and WSUS Server; Firewall ISA Server (Front Firewall); Perimeter Network with Domain Controllers, DMZ, MES and Support Station; Firewall ISA Server (intern, Back Firewall); Router ISDN; Process Control Network with WinCC Client, OS Client, Domain Controllers, SCALANCE X based redundant Ring.
Figure (labels recovered from the graphic): Three-homed firewall topology. Enterprise Control Network with Firewall, Domain Controller, WinCC Web Client, OS Web Client, DataMonitor Web Client, Historian Web Client, Support Station; WAN/Intranet; Firewall ISA Server (Three-homed Firewall); Perimeter Network with WebNavigator Client, OS Web Server, Historian Web Server, SIMATIC IT Server; Manufacturing Operations Network with WinCC Client, OS Client; Process Control Network (SCALANCE X based redundant Ring); Control System Network (SCALANCE X based redundant Ring).
Figure (labels recovered from the graphic): Web publication. OS Web Client and ERP in the WAN; Firewall ISA Server GATEFRONT; Perimeter Network with Infrastructure Server INFRA and OS Web Server PRM; OS Web Client MES and Infrastructure Server INFRA in the Manufacturing Operations Network; Firewall ISA Server GATEBACK; OS Web Server PRM.
The greatest advantage of Web bridging is that direct access to the target network from the
outside is not possible. The connection of the Web clients always ends at the external
interface of the ISA Server\TMG. The ISA Server\TMG checks these access attempts with
various application filters and can thus prevent "harmful" queries.
When Web tunneling is used, the Web server has to recognize "harmful" queries by itself
and its functionality can therefore be impaired.
A further advantage provided by Web bridging is that it allows public names to be used
externally. This means that in the perimeter network the Web server is called, for example,
PRM29.prm.plant.com but is accessed in the external network by the name
www.plant.com/Plant1. Special consideration needs to be given to such Web publication in
combination with the SIMATIC WebNavigator Server, see Chapter Practical information
(Page 23).
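To make the difference between Web bridging and tunneling concrete, here is an added example (not Siemens or Microsoft code) that models what a publishing rule on the front firewall does: the client's request ends at the firewall, is parsed and checked by an application filter, and only if it matches a publishing rule is a new request built towards the internal name. The public name www.plant.com/Plant1 and the internal name PRM29.prm.plant.com come from the text; the internal path "/WebNavigator", the allowed methods and the size limits are assumptions for illustration.

```python
"""Minimal model of a web-publishing ("web bridging") application filter.

Added example, not Siemens or Microsoft ISA/TMG code. Only the public and
internal host names come from the document; everything else is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote

# Publishing rules: (public host, public path prefix) -> (internal host, internal path prefix).
# Anything that matches no rule ends at the firewall and never reaches the target network.
PUBLISHING_RULES = {
    ("www.plant.com", "/Plant1"): ("PRM29.prm.plant.com", "/WebNavigator"),  # internal path assumed
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # assumption: what the published application needs
MAX_REQUEST_LINE = 2048                     # assumption: reject oversized request lines
MAX_HEADER_COUNT = 64                       # assumption


@dataclass
class Decision:
    accepted: bool
    reason: str
    internal_target: str = ""   # "host/path" the firewall itself connects to


def _parse(raw: bytes):
    """Strict parse of the request head; any deviation raises and is rejected."""
    text = raw.decode("ascii", errors="strict")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def filter_request(raw: bytes) -> Decision:
    """Terminate the client's request at the firewall and decide whether a
    *new* request may be sent to the published server."""
    if len(raw.split(b"\r\n", 1)[0]) > MAX_REQUEST_LINE:
        return Decision(False, "request line too long")
    try:
        method, target, version, headers = _parse(raw)
    except (UnicodeDecodeError, ValueError, IndexError):
        return Decision(False, "malformed request")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return Decision(False, "unsupported protocol version")
    if method not in ALLOWED_METHODS:
        return Decision(False, f"method {method} not allowed")
    if len(headers) > MAX_HEADER_COUNT:
        return Decision(False, "too many headers")
    host = headers.get("host", "").split(":")[0].lower()
    # Decode percent-encoding before checking, so "%2e%2e" cannot slip past the check.
    path = unquote(target.split("?")[0])
    if "/../" in path + "/" or "\\" in path or "\x00" in path:
        return Decision(False, "path traversal attempt")
    for (pub_host, pub_prefix), (int_host, int_prefix) in PUBLISHING_RULES.items():
        if host == pub_host and (path == pub_prefix or path.startswith(pub_prefix + "/")):
            internal_path = int_prefix + path[len(pub_prefix):]
            return Decision(True, "matched publishing rule", f"{int_host}{internal_path}")
    return Decision(False, "no publishing rule for host/path")


if __name__ == "__main__":
    # Constructed sample requests, as a client in the external network would send them.
    for sample in (b"GET /Plant1/index.htm HTTP/1.1\r\nHost: www.plant.com\r\n\r\n",
                   b"GET /Plant1/../secret HTTP/1.1\r\nHost: www.plant.com\r\n\r\n",
                   b"DELETE /Plant1/x HTTP/1.1\r\nHost: www.plant.com\r\n\r\n"):
        print(filter_request(sample))
```

The point of the model is the fail-closed structure: the internal name is never visible to the client, and a request that does not match a rule is answered by the firewall rather than forwarded. With tunneling, by contrast, every one of these checks would have to live on the Web server itself.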
Figure (labels recovered from the graphic): VPN server on the front firewall. Support Station (DMZ) in the WAN; Firewall ISA Server GATEFRONT with Quarantine Network; Perimeter Network with WinCC Client MES, OS Client MES, Terminal Server TERMINAL, Infrastructure Server INFRA; Manufacturing Operations Network; Firewall ISA Server GATEBACK.
If direct access to computers in the MON or PCN is required, i.e. access without Remote
Desktop, NetMeeting or a similar function, the VPN server has to be positioned at the back
firewall (see following graphic) and published at the front firewall. This is necessary because,
for security reasons, the front firewall does not "know" the PCN and CSN and should not have
any routing information to the PCN and CSN. If an attacker were able to "take over" the front
firewall, he would have access to the perimeter network, but still not to the system itself. The
system continues to be reliably protected by the back firewall.
Figure (labels recovered from the graphic): VPN server on the back firewall. Support Station (DMZ) in the WAN; Firewall ISA Server GATEFRONT; Perimeter Network with WinCC Client MES, OS Client MES, Terminal Server TERMINAL, Infrastructure Server INFRA; Manufacturing Operations Network; Firewall ISA Server GATEBACK with Quarantine Network; Process Control Network with WinCC Client MCS, OS Client MCS, WinCC Server MCS, OS Server MCS.
The VPN client (see previous graphic) establishes a connection to the front firewall (1.). This
query is passed on to the back firewall by the VPN publishing (2.). After successful
authentication and confirmation by the back and front firewalls (3.) (4.), the VPN client
establishes a tunnel through the front firewall into the VPN network of the back firewall (see
following graphic) (5.) and obtains defined access to the networks (see following graphic)
(6.).
Figure (labels recovered from the graphic): VPN tunnel through the front firewall into the VPN network of the back firewall. Support Station (DMZ) in the WAN; Firewall ISA Server GATEFRONT; Perimeter Network with WinCC Client MES, OS Client MES, Terminal Server TERMINAL, Infrastructure Server INFRA; Manufacturing Operations Network; Firewall ISA Server GATEBACK with Quarantine Network; Process Control Network with WinCC Client MCS, OS Client MCS, WinCC Server MCS, OS Server MCS.
A certificate-based L2TP connection should always be used for every VPN dialup.
The use of PPTP is only adequate for connections that are additionally protected via VPN.
For authentication of the VPN user we recommend the use of a RADIUS server positioned
either in the perimeter network or, if the VPN server was set up on the back firewall, installed
directly on the domain controllers in the PCN network. In addition, the quarantine function of
the ISA Server\TMG should be used for every VPN connection, as it allows the dialing client
to be checked to ensure, for example, that all security updates have been installed and that
a virus scanner is installed on the client and is up-to-date, etc.
Figure (labels recovered from the graphic): Device direct dialing. Perimeter Network with WinCC Client MES, OS Client MES; Manufacturing Operations Network with Terminal Server TERMINAL, Infrastructure Server INFRA; Firewall ISA Server GATEBACK connected to Router ISDN and Router ISDN (ISDN, ISDN) with Support Station (DMZ); Process Control Network with WinCC Client MCS, OS Client MCS, WinCC Server MCS, OS Server MCS; Control System Network.
When using direct dialup for devices, always ensure that the dialup device is not connected
directly to the ISA Server\TMG. If the device, e.g. an ISDN card, were installed directly in the
ISA Server\TMG, the ISA Server\TMG could not protect itself against potential attacks via this
device. An external device, e.g. an ISDN router, should therefore always be used for dialup.
The router is connected to the ISA Server\TMG and integrated there as a separate network.
The ISA Server\TMG can therefore control all traffic with its built-in firewall mechanisms.
2.4 Special case: Trust function between ERP and perimeter network
A trust function between the ECN, i.e. the corporate or office network, which is also
protected by its own firewall (GateCorp, see following graphic), and the system's perimeter
network is not recommended from the perspective of maximum protection of the front
firewall. However, it is often necessary for economic reasons and in order to avoid duplicate
user account maintenance.
The purpose of such a trust function is that user accounts from the ERP domains in the
office network can, for example, access resources in the perimeter network. However, this
requires several configuration changes, which is exactly what the recommendation above
seeks to avoid. The ECN (office network) must be made known to the front firewall, and the
back firewall needs its own routing information in order to reach this network. Normally the
ECN, like all other external networks, is not known to the firewalls: it is covered by the ISA
Server\TMG-specific standard "external" network and is therefore checked with the strictest
rules. In addition, a separate production domain must be established. If user-dependent
rules also have to be created for office user accounts, the front firewall ISA Server\TMG has
to become a member of the production domain or be able to query this information from the
production domain via the RADIUS protocol. At least a one-way trust function then has to be
established between the production domain and the ERP domain (see "Management of
Computers and Users" detail document). Users of the ERP domain can now be
authenticated by the production domain (1.) and access can be granted to the specified
resources in the system (2.).
Figure (labels recovered from the graphic): Trust function between ERP and perimeter network. Enterprise Control Network with Company Firewall GATECORP, Company Domain Controller, Historian Web Client, ERP; WAN; TRUST relation; Firewall ISA Server GATEFRONT; Perimeter Network with PRM, Terminal Server TERMINAL, Infrastructure Server INFRA.
Background networks
If the network structures are more complex and there are, for example, reasons for dividing
the load, several stepped networks must also be configured on the ISA Server\TMG. As the
ISA Server\TMG has no physical connection to these networks and therefore does not
"recognize" them, the address ranges of these networks must be added to the known
networks of the ISA Server\TMG.
Routes must also be configured so that the ISA Server\TMG can reach these networks.
In the example shown in the graphic below, the address range 192.168.35.x of network
MCS 2 must be added to the ISA Server\TMG in addition to the known network MCS 1 with
address range 192.168.25.x. A route must also be created on the ISA Server\TMG that
defines 192.168.25.201 as the gateway for the MCS 2 network.
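The two steps above (add the address range to the known networks, then add a route via the gateway) are easy to get half right. The following added example (not ISA/TMG code) models both on a firewall host: an address outside every known network falls into "external", and an address with no matching route is unreachable even if it is "known". The MCS 1 and MCS 2 ranges and the gateway 192.168.25.201 come from the text; the network names and the longest-prefix lookup are assumptions of the example.

```python
"""Known-network classification and static-route lookup for a firewall host.

Added example, not ISA/TMG code. Address ranges and the gateway are from the
document; the lookup logic is the example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class KnownNetwork:
    name: str
    prefix: IPNet


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    gateway: ipaddress.IPv4Address | None   # None: directly attached interface


# Networks the firewall knows about. Anything not listed falls into the
# standard "external" network and is checked with the strictest rules.
KNOWN_NETWORKS = [
    KnownNetwork("MCS 1", IPNet("192.168.25.0/24")),
]
ROUTES = [
    Route(IPNet("192.168.25.0/24"), None),   # MCS 1 is an attached interface
]


def classify(ip: str, known=None) -> str:
    """Name of the known network containing ip, or 'external'."""
    addr = ipaddress.IPv4Address(ip)
    known = KNOWN_NETWORKS if known is None else known
    # Longest prefix wins if networks are nested.
    best = max((n for n in known if addr in n.prefix),
               key=lambda n: n.prefix.prefixlen, default=None)
    return best.name if best else "external"


def next_hop(ip: str, routes=None) -> str | None:
    """Gateway for ip by longest-prefix match: 'direct' for attached
    networks, the gateway address for routed ones, None if unreachable."""
    addr = ipaddress.IPv4Address(ip)
    routes = ROUTES if routes is None else routes
    best = max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    if best is None:
        return None
    return "direct" if best.gateway is None else str(best.gateway)


def add_background_network(name: str, cidr: str, via: str, known: list, routes: list) -> None:
    """Register a stepped network behind an attached one. Both the known
    network entry and the route via its gateway are needed; the gateway
    itself must already be reachable, otherwise the route is useless."""
    gw = ipaddress.IPv4Address(via)
    if next_hop(str(gw), routes) is None:
        raise ValueError(f"gateway {gw} is not reachable from any existing route")
    known.append(KnownNetwork(name, IPNet(cidr)))
    routes.append(Route(IPNet(cidr), gw))


if __name__ == "__main__":
    known, routes = list(KNOWN_NETWORKS), list(ROUTES)
    print("before:", classify("192.168.35.10", known), next_hop("192.168.35.10", routes))
    add_background_network("MCS 2", "192.168.35.0/24", "192.168.25.201", known, routes)
    print("after: ", classify("192.168.35.10", known), next_hop("192.168.35.10", routes))
```

Before the second step, a host in 192.168.35.x is treated as "external" and has no next hop; after it, it is classified as MCS 2 and reached via 192.168.25.201.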
Ping
ICMP (Internet Control Message Protocol), often informally referred to simply as ping, is
used to check the availability of network devices and computers. Many devices and
programs use it before the actual communication to check whether the partner is reachable
at all. We therefore recommend permitting "pinging" between all networks on the ISA
Server\TMG as a "network diagnosis tool", as long as this creates no security risk.
Pinging must always be allowed between a PCS 7/WinCC Engineering Station and all the
computers to be loaded from it.
● A separate publishing rule with its own link compilation, etc. has to be created for both the
"WebNavigator" web page and for the virtual directory "SCSWebBridge".
The following graphic shows an implementation with split DNS. In the external network, all
the external DNS names point to the external IP address of the front firewall. In the local
network they point to the real IP address of the relevant WebNavigator server.
Figure (labels recovered from the graphic): Web publication with split DNS. OS Web Client in the Internet/Intranet resolves WebServer.ent.com via the external DNS Server; Firewall ISA Server (Front Firewall); DNS Server in the Perimeter Network resolves WebServer.ent.com to the OS Web Server PRM; Firewall ISA Server (Back Firewall).
ISA:
http://www.microsoft.com/technet/isa/2006/security_guide.mspx
http://www.microsoft.com/technet/isa/2004/plan/securityhardeningguide.mspx
The second link refers to the ISA Server 2004. However, the described settings are also
valid for the ISA Server 2006.
TMG: included in the standard documentation:
http://technet.microsoft.com/en-us/library/ff355324.aspx
The Security Configuration Wizard can also be used to harden the ISA Server\TMG.
ISA:
http://www.microsoft.com/downloads/details.aspx?familyid=2748a927-bd3c-4d87-80fa-8687d5e2ab35&displaylang=en
TMG: TMGRolesForSCW.exe, part of the Microsoft® Forefront Threat Management Gateway
(TMG) 2010 Tools & Software Development Kit:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11183
Deactivate the "IP routing" option in order to further increase the security of the ISA
Server\TMG (for TMG this option is set by default and can no longer be changed). It is
activated automatically as soon as a network rule with the "Route" relation is created. It is
often claimed that this option is required for routing rules, but this is not correct. If the option
is enabled, the ISA Server\TMG passes packets directly on to the target. If it is disabled,
the ISA Server\TMG generates a new packet and copies the data block of the incoming
packet into the new packet. This eliminates the danger that the target devices may be
attacked via corrupt header information. The data throughput of the ISA Server\TMG is
slightly lower if IP routing is disabled. However, as protection and not throughput has top
priority for industrial usage as a front firewall, this option should be disabled.
This option can be found under "Configuration > General > Configure IP protection > IP
routing" (see the following graphic).
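To illustrate why regenerating the packet removes the risk from corrupt header information, here is an added example (not ISA/TMG code) that models both forwarding modes on a constructed IPv4 packet. With IP routing enabled the packet leaves exactly as it arrived; with it disabled only the data block is copied into a freshly built header, so IP options, a bogus IHL or a wrong length never reach the target. That the real product drops options and rewrites the length and TTL in this way is an assumption of the example; the text only states that a new packet is generated and the data block copied.

```python
"""Forwarding an IPv4 packet with and without "IP routing".

Added example, not ISA/TMG code. Sample packets are constructed inline.
"""
import struct


def ip_checksum(header: bytes) -> int:
    """Standard ones' complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, options: bytes = b"") -> bytes:
    """Build an IPv4 packet with a correct length and checksum.
    Options must be a multiple of 4 bytes (the IHL unit)."""
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                      ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr += options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract only the fields a regenerated packet needs. The declared
    total length is not trusted; the data block is whatever actually arrived."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    first, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = first >> 4, first & 0x0F
    if version != 4 or ihl < 5 or ihl * 4 > len(pkt):
        raise ValueError("bad version/IHL")
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "proto": proto, "ttl": ttl, "ihl": ihl, "total_len": total_len,
        "options": pkt[20:ihl * 4],
        "payload": pkt[ihl * 4:],
    }


def forward_with_ip_routing(pkt: bytes) -> bytes:
    """IP routing enabled: the packet leaves as it came in, header included."""
    return pkt


def forward_regenerated(pkt: bytes) -> bytes:
    """IP routing disabled: a new packet with a clean 20-byte header carries
    the original data block; options and any inconsistent length are gone."""
    f = parse_ipv4(pkt)
    if f["ttl"] <= 1:
        raise ValueError("TTL expired")
    return build_ipv4(f["src"], f["dst"], f["proto"], f["payload"], ttl=f["ttl"] - 1)


if __name__ == "__main__":
    # Constructed sample: TCP packet from MCS 1 to MCS 2 carrying 4 NOP option bytes.
    crafted = build_ipv4("192.168.25.10", "192.168.35.10", 6, b"hello", ttl=9,
                         options=b"\x01\x01\x01\x01")
    print("routed:     ", forward_with_ip_routing(crafted).hex())
    print("regenerated:", forward_regenerated(crafted).hex())
```

Running the script shows the regenerated packet is five bytes shorter: the option bytes are gone, the IHL is back to 5 and the checksum has been recomputed over the new header, while the source, destination, protocol and payload are unchanged.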