User's Manual
2 Security Services
The security module has two Ethernet interfaces, one to the internal network which
is protected, and the other one to the external network. The interfaces are easily
recognizable by a color marker in green and red. The processor is an Intel
IXP425, which supports AES, SHA-1, MD5, DES and 3DES in hardware; RSA is
implemented in software.
2.1 Assumptions
Assumptions were made for the security module to meet the special
needs of automation networks. The internal network is assumed to be confidential.
It is assumed that the authorized users are trustworthy and are trained to
operate the module correctly. However, the configuration is supposed to be as
simple as possible.
Furthermore, it is assumed that the module is physically secure. The module only
provides basic protection if an attacker has physical access to the device and can
replace it with a manipulated device or exchange the removable media.
There is no content filter available in the security module. For protection
against malicious content such as viruses, Trojan horses, etc., a virus scanner
and/or content filter must be added.
To keep the automation network running, reliability and robustness take first
place, even before the security aspects. Hence, some default settings accept
restrictions with respect to security.
2.2 System
The security module is based on a firewall and a virtual private network (VPN). The
firewall works as a packet filter and the VPN is based on IPsec. SSL is only used to
protect the communication for configuration of the Scalance devices. The device
incorporates a bridge that enables installing the security device without having to
change any settings in the existing network regarding the IP addresses, subnet
masks, and routers.
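The packet filter described in this section passes only communication channels that were defined in advance and drops everything else. The following default-deny filter is an added illustration of that policy, not the module's own implementation (which the manual does not detail); the hosts, ports and packets are constructed for the example, and the bridge mode means all addresses sit in one subnet.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    """A communication channel defined in advance (constructed example)."""
    external: str   # host on the external (red) interface
    internal: str   # host on the internal (green) interface
    proto: str      # "tcp" or "udp"
    port: int       # service port on the internal host

@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as seen by the bridge filter."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def matches(ch: Channel, pkt: Packet) -> bool:
    """True if pkt belongs to channel ch in either direction."""
    if pkt.proto != ch.proto:
        return False
    # Request direction: external -> internal, to the defined service port.
    if pkt.src == ch.external and pkt.dst == ch.internal and pkt.dport == ch.port:
        return True
    # Reply direction: internal -> external, from the defined service port.
    if pkt.src == ch.internal and pkt.dst == ch.external and pkt.sport == ch.port:
        return True
    return False

def filter_packet(channels, pkt: Packet) -> str:
    """Default deny: PASS only packets of a predefined channel, DROP the rest."""
    return "PASS" if any(matches(ch, pkt) for ch in channels) else "DROP"

# Constructed policy: one engineering station may reach one controller on TCP/102.
CHANNELS = [Channel("192.0.2.10", "192.0.2.50", "tcp", 102)]

if __name__ == "__main__":
    samples = [
        Packet("192.0.2.10", "192.0.2.50", "tcp", 51000, 102),  # defined request
        Packet("192.0.2.50", "192.0.2.10", "tcp", 102, 51000),  # its reply
        Packet("192.0.2.99", "192.0.2.50", "tcp", 51000, 102),  # unknown external host
        Packet("192.0.2.10", "192.0.2.50", "tcp", 51000, 80),   # port not defined
        Packet("192.0.2.50", "192.0.2.10", "tcp", 40000, 80),   # internal-initiated, not defined
    ]
    for p in samples:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}: {filter_packet(CHANNELS, p)}")
```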
2.2.1 Firewall
In order to protect the internal network, only communication channels between
devices from the external network and the internal network that are defined in
advance are allowed. This task is carried out by a packet filter working on layer 2
19-Aug-05 escrypt GmbH 6