User Manual

3 Network Security Controls
Siemens Application Note
Smart Infrastructure
3.1.1 Zone Boundary Protection
The Desigo CC Backbone Level and DMZ Level are security zones that are
physically protected (e.g. locked in a rack in a server room) and that use
separated networks that permit only restricted access to their components.
A separate VLAN alone does not meet the requirements for zone boundary
protection. A firewall is required, too.
Allowed components in the Desigo CC Backbone Level protection zone are:
Desigo CC Server, Desigo CC computer with Secure Global Desktop and
Samba server, related clients and printers. If one of the allowed
components is remote, physically protected and secured communication is
also required.
Allowed components in the Desigo CC DMZ Level protection zone are: Desigo
CC as well as an optional computer with OPC Clients or Secure Global Desktop.
The zone boundary protection must be implemented via firewall to limit the
inbound and outbound communication among network zones.
[Figure: network diagram of the zones Customer IT – Server Backbone, Customer IT – Local Office, Customer IT – DMZ, DCC – Control Room, DCC – Server Backbone and the DCC subsystem zones (Subsystem n, Subsystem m, FS20, System One, Sipass, Desigo PX, SPC), with firewalls between the zones. Labelled components: DCC Server, DCC FEP, DCC Client, HTML5, DCC WSI, WinCC OA, MS SQL, Tomcat, BIRT, IIS, VMS, Cameras.]
Figure 2: Zone Boundary Protection.
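
The rules in this section can be checked mechanically against a site inventory. The following is an added example, not part of the Siemens application note: the type names, field names and sample inventory are constructed assumptions that map the allowed-component lists, the firewall requirement and the remote-component requirement onto a simple data model.

```python
# Added example: audit a zone inventory against the rules of section 3.1.1.
# Type names, field names and the sample inventory are constructed assumptions.
ALLOWED = {  # allowed component types per protection zone, as listed in the text
    "backbone": {"desigo_cc_server", "desigo_cc_sgd_samba", "client", "printer"},
    "dmz": {"desigo_cc", "opc_client_computer", "sgd_computer"},
}

def audit(components, links):
    """Return a sorted list of (rule, subject) findings."""
    findings = []
    zone_of = {c["name"]: c["zone"] for c in components}
    for c in components:
        allowed = ALLOWED.get(c["zone"])  # zones without a list are not checked
        if allowed is not None and c["type"] not in allowed:
            findings.append(("component-not-allowed", c["name"]))
        # A remote component needs physically protected and secured communication.
        if c.get("remote") and not (c.get("comm_physically_protected")
                                    and c.get("comm_secured")):
            findings.append(("remote-unprotected", c["name"]))
    for link in links:
        path = f'{link["src"]}->{link["dst"]}'
        a, b = zone_of.get(link["src"]), zone_of.get(link["dst"])
        if a is None or b is None:
            findings.append(("unknown-endpoint", path))
        elif a != b and "firewall" not in link["controls"]:
            # VLAN separation alone does not meet zone boundary protection.
            findings.append(("boundary-without-firewall", path))
    return sorted(findings)

# Constructed sample inventory (hypothetical host names).
SAMPLE_COMPONENTS = [
    {"name": "dcc-srv-1", "zone": "backbone", "type": "desigo_cc_server"},
    {"name": "dcc-web-1", "zone": "dmz", "type": "desigo_cc"},
    {"name": "hist-db", "zone": "backbone", "type": "historian"},  # not listed
    {"name": "dcc-cl-9", "zone": "backbone", "type": "client", "remote": True,
     "comm_physically_protected": True, "comm_secured": False},
    {"name": "office-pc", "zone": "office", "type": "workstation"},
]
SAMPLE_LINKS = [
    {"src": "dcc-web-1", "dst": "dcc-srv-1", "controls": {"vlan", "firewall"}},
    {"src": "office-pc", "dst": "dcc-web-1", "controls": {"vlan"}},  # VLAN only
    {"src": "dcc-cl-9", "dst": "dcc-srv-1", "controls": {"vlan"}},  # same zone
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_COMPONENTS, SAMPLE_LINKS):
        print(finding)
```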