User Manual
Intended Operation Environment (Including Deployment Options)
Tunneled Network Deployment
A6V11917735_en_b_41
UTNW: Untrusted network
ZBP: Zone Boundary Protection. It is the VPN endpoint.
VPN-EP: VPN endpoint
MMS: Management station
PACE PC: Computer with PACE-Design
Unauthorized Access and Manipulation of the Security-relevant PACE Zone
In case of alarm, limited or no evacuation and personal injury due to a corrupted system.
● Create the communication from the MMS to the Cerberus PACE installation using a secure network connection, for example with VPN.
The following requirements must be met for the components:
● It must not be part of the PACE zone.
● It must be connected to an untrusted network at the same time.
● A direct connection is established between the PACE zone and the component in the protection zone.
● It initiates a VPN connection to the zone boundary protection component.
Novigo/Cerberus PACE – Plant
● Physically separated network or standalone station.
● Forms a PACE zone.
Zone Boundary Protection
● Use a firewall to protect the PACE zone.
● A direct connection to the PACE zone is established with a dedicated cable.
NOTICE
Split tunneling must be disabled.
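One way to verify the NOTICE above on the station that initiates the VPN connection, as an added example that is not part of the manual: the Python check below reads a routing table and reports any address space that would leave through a non-tunnel interface. It assumes Linux `ip -4 route show` text as input; the interface names, addresses and the function names are constructed for illustration.

```python
import ipaddress
# Constructed `ip -4 route show` samples. Assumed names: tun0 = VPN interface,
# eth0 = untrusted network, 203.0.113.10 = VPN endpoint (documentation range).
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.20.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Return (network, device, on_link) for each route line."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if "dev" in f:
            net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
            routes.append((net, f[f.index("dev") + 1], "via" not in f))
    return routes

def effective(net, routes):
    """Parts of net that no more specific route overrides (longest prefix wins)."""
    pieces = [net]
    for other, _, _ in routes:
        if other != net and other.subnet_of(net):
            # Drop pieces that other covers; carve other out of a piece containing it.
            pieces = [q for p in pieces if not p.subnet_of(other) for q in
                      (p.address_exclude(other) if other.subnet_of(p) else [p])]
    return pieces

def split_tunnel_findings(text, tunnel_dev, vpn_endpoint):
    """Return (route, device, address count) for traffic that bypasses the tunnel."""
    routes, endpoint = parse_routes(text), ipaddress.ip_network(vpn_endpoint)
    findings = []
    for net, dev, on_link in routes:
        # Tolerated (assumption): tunnel routes, on-link subnets, VPN endpoint host route.
        if dev == tunnel_dev or on_link or net == endpoint:
            continue
        if (leaked := sum(p.num_addresses for p in effective(net, routes))):
            findings.append((str(net), dev, leaked))
    return findings
```

An empty result means every routed destination other than the tolerated exceptions goes through the tunnel. A stricter policy would also flag the directly connected subnet on the untrusted interface.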
Novigo/Cerberus PACE – Plant
● Physically separated network or standalone station.
● Forms a PACE zone.
● Access to the PACE zone only through an external firewall.
● Configure the computer with PACE-Design as the access point to the Cerberus PACE – Plant.
● Configure a single route to the MMS using the computer with PACE-Design in all the Ethernet subscribers of the Cerberus PACE installation for one extended network.
Computer with PACE-Design
● It must be part of the PACE zone.
● It must not have a connection to other networks or systems.
● A direct connection is established between the PACE zone and the component in the protection zone.
● Can be connected to any PN2005.
Direct means that both devices and their cable connection are visible at the same time and thus a potential manipulation might be recognizable.