System Security Guidelines, User Guide
3 Protected System Configuration
14 | 26
A6V11979523_en_b
3.2.2 Access Through Untrusted Networks
Communication over untrusted networks between remote clients and the Protected
Zone must be protected with a highly secure communication channel.
● The Protected Zone must always be protected by a firewall.
● Use VPN technology for the communication channel.
VPN technology does not need to be integrated into every component. It is
sufficient that a single firewall configured as a VPN endpoint is placed at the
Protected Zone boundary, in front of a non-protected trusted network.
If an authorized user or device uses a non-trusted network to communicate with
Protected Zone devices, a VPN connection must be created with the firewall at the
Protected Zone boundary.
If the use of VPN is not possible, the plant operator must create an equally
secure connection.
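The rules above, as an added example that is not part of the Siemens guide: a small Python policy checker that models remote-access paths (the network segments crossed and the device at the Protected Zone boundary) and reports any path that crosses an untrusted network without a VPN endpoint at the boundary, or whose boundary device is not a firewall. The topology, device names and the `equally_secured` flag (the operator-provided substitute for VPN) are constructed assumptions.

```python
# Constructed example; names, topology and flags are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    name: str
    trusted: bool                  # False = untrusted network (UTNW)

@dataclass(frozen=True)
class Boundary:
    name: str
    firewall: bool = True          # zone boundary protection (ZBP) present
    vpn_endpoint: bool = False     # VPN-EP terminating the secure channel (SC)
    equally_secured: bool = False  # operator-provided substitute when VPN is impossible

@dataclass
class AccessPath:
    client: str
    segments: list                 # Segments traversed, client side first
    boundary: Boundary             # device at the Protected Zone boundary

def check_path(path: AccessPath) -> list:
    """Return the violations for one path; an empty list means compliant."""
    issues = []
    if not path.boundary.firewall:
        issues.append(f"{path.client}: {path.boundary.name} at the zone boundary is not a firewall")
    if any(not seg.trusted for seg in path.segments) and not (
        path.boundary.vpn_endpoint or path.boundary.equally_secured
    ):
        issues.append(f"{path.client}: untrusted network crossed without a VPN endpoint at {path.boundary.name}")
    return issues

def audit(paths: list) -> dict:
    """Map each client to its violations, keeping only non-compliant paths."""
    return {p.client: v for p in paths if (v := check_path(p))}

# Constructed topology mirroring Fig. 4 plus two deliberately weak variants.
INTERNET = Segment("internet", trusted=False)
PLANT_LAN = Segment("plant office LAN", trusted=True)
ZBP_VPN = Boundary("fw-zone-a", firewall=True, vpn_endpoint=True)
PLAIN_FW = Boundary("fw-zone-b", firewall=True)
ROUTER = Boundary("router-zone-c", firewall=False)

SAMPLE_PATHS = [
    AccessPath("remote maintenance client", [INTERNET], ZBP_VPN),      # compliant
    AccessPath("remote MMS", [PLANT_LAN], PLAIN_FW),                   # trusted only: no VPN needed
    AccessPath("contractor laptop", [INTERNET, PLANT_LAN], PLAIN_FW),  # VPN missing at boundary
    AccessPath("vendor portal", [INTERNET], ROUTER),                   # no firewall and no VPN
]
```

Calling `audit(SAMPLE_PATHS)` returns only the two non-compliant clients with the reasons for each.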
Fig. 4: Access Through Untrusted Networks
[Figure: a Remote Client with Remote Maintenance Tool and a Remote MMS reach the Protected Zones over an untrusted network through a highly secure communication channel; each Protected Zone boundary is a firewall with ZBP + VPN-EP.]
● SC: Highly secure communication channel
● MMS: Management station
● FW: Firewall
● UTNW: Untrusted network
● ZBP: Zone Boundary Protection
● VPN EP: VPN endpoint