4.5 Wireless Thin Clients in the control station and power station 4-51
4.5.1 Administration of the wireless Access Point 4-53
4.6 Third party system connection via OPC 4-54
4.6.1 OPC server/client system in the client intranet 4-55
4.6.2 OPC server/client system in the DMZ with access by external PI system in the client intranet 4-57
4.7 Third party system connection via Modbus 4-58
4.7.1 Modbus TCP connection via CM104 4-58
5 Annexes 5-60
5.1 VPN details for Remote Service Access via cRSP 5-60
5.1.1 IPSec details on establishing a VPN tunnel via the internet to the cRSP 5-61
5.1.2 Configuration of the Cisco VPN client software 5-62
5.2 Applications and ports for the communication with SPPA-T3000 5-63
5.3 Sample loading times for a workbench via DSL 5-64
6 Glossary 6-65
1 Introduction
1.1 Purpose of the document
The T3000 Security Manual contains information, notes and guidelines for the planning and
implementation of external access to T3000 systems.
It describes standards of a binding nature which ensure a high degree of security for the T3000 systems
and the related plant operation.
Some typical scenarios for the connection of external clients to T3000 systems are illustrated and dealt
with in detail.
The aim is to establish a common basis for the cooperation of network administrators of company
networks and of automation networks.
The SPPA-T3000 standard architecture is formed from 3 functional levels connected via networks.
• Presentation Tier
• Processing Tier
• Data Tier
[Figure: system overview]
User Interfaces
Power server: Application Servers (ft server, non-ft server); Automation Servers (S7, CM104)
Process Interfaces: I/O modules, special I/O modules
Thin Clients form the interface between users and the functions of SPPA-T3000. In principle every
computer with a web browser can access the web applications via the local network, an intranet or via the
internet. No particular applications need to be installed on the desktop system for this purpose.
[Figure: system components and their benefits]
Scalable controllers: scalable automation performance to project needs
Time server: distribution of time information via the network
• Redundant use
• Highest precision using GPS time
Standard I/Os
• ET200M
• ET200M fail-safe
Special I/Os
• Functional modules FUM
• Front-end modules AddFEM
Network (OSM ring)
• Layer 2 switching
• 10/100 Mbit/s
• Ring topology
• Up to 150 km, 50 OSM per network
• Max. 3000 m between two OSMs
• High availability through fast redundancy switching (complete transfer in 0.3 s)
2.2.7.2 Profibus
Process integration with Profibus DP: flexible and fast fieldbus; Profibus OLM
External firewall / Customer access gateway: fast and safe service access; connection via
• ISDN
• Analog
• DSL
• LAN
The networks for T3000 are based on Ethernet standards and are used to connect the various SPPA-
T3000 system components. They are divided into:
• Application Highway
• Automation Highway
• Backbones (application and automation backbone)
• DMZ network
The standard topology of SPPA-T3000 consists of separate Application and Automation Highways, a
DMZ network for remote access and an optional backbone for multi-unit systems. In small SPPA-T3000
systems the Application and Automation Highway can be combined into one network.
The ring tolerates one failure, i.e. if a network component in the ring fails or the ring cabling is
interrupted, all connected system components remain accessible. (Exceptions are single systems, e.g.
Thin Clients, printers or gateways, in case of a network component failure.)
An interruption in the ring exists if at least one of the two ring test telegram streams is interrupted. The
RM then re-activates its port 8 for user data, and the two bus segments resulting from the interruption are
reconnected. For <= 50 switch modules in the ring, a ring interruption is rectified within 0.3 sec in the
manner described above.
Figure 4: RM activation
The ring test telegram streams remain interrupted until the ring structure has been restored. When both
ring test telegram streams are received again, the RM re-"opens" the closed ring structure and the
standard topology is restored.
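The behaviour described above (RM blocks its redundant port while both test telegram streams arrive, activates it on the first interruption, and re-opens the ring after repair) can be checked with a small simulation. This is an added example for this manual, not code from Siemens or from the SPPA-T3000 product; the module numbering, the choice of which cable sits on the RM's redundant port, and the RedundantRing class are assumptions, and the 0.3 sec switch-over time is not modelled.

```python
"""Simulation of the 1-fault-tolerant ring with a redundancy manager (RM).

Added example, not from the manual. The ring of switch modules is an undirected
graph. The RM injects a ring test telegram stream at each of its two ring ports;
both streams arrive only while every cable of the ring is intact. While that
holds, the RM keeps its redundant port blocked for user data (loop-free
topology). Once a stream is missing, the RM activates the port and reconnects
the two segments. Module numbering and the RM cable are assumptions.
"""
from collections import deque


class RedundantRing:
    """Ring of n switch modules wired i -- i+1 (mod n); module `rm` is the RM."""

    def __init__(self, n_modules, rm=0):
        if n_modules < 3:
            raise ValueError("a ring needs at least three modules")
        self.n = n_modules
        self.rm = rm % n_modules
        # physical ring cabling
        self.links = {frozenset((i, (i + 1) % n_modules)) for i in range(n_modules)}
        self.failed = set()           # interrupted cables
        self.rm_port_active = False   # RM's redundant port blocked for user data
        self.events = []              # what the RM did, for inspection

    def _rm_link(self):
        # cable on the RM's redundant port (assumed: towards its lower neighbour)
        return frozenset(((self.rm - 1) % self.n, self.rm))

    def _rm_update(self):
        # Test telegrams travel the whole physical ring, so both streams are
        # received exactly when no cable is interrupted.
        both_streams_received = not self.failed
        was_active = self.rm_port_active
        self.rm_port_active = not both_streams_received
        if self.rm_port_active != was_active:
            self.events.append("port activated" if self.rm_port_active else "ring re-opened")

    def interrupt(self, a, b):
        """Interrupt the cable between modules a and b (one ring fault)."""
        link = frozenset((a, b))
        if link not in self.links:
            raise ValueError(f"{a}-{b} is not a ring cable")
        self.failed.add(link)
        self._rm_update()

    def restore(self, a, b):
        """Repair the cable between a and b."""
        self.failed.discard(frozenset((a, b)))
        self._rm_update()

    def user_data_links(self):
        """Cables currently carrying user data."""
        active = self.links - self.failed
        if not self.rm_port_active:
            active = active - {self._rm_link()}
        return active

    def reachable_from(self, start):
        """Modules reachable from `start` over user-data links (BFS)."""
        adj = {i: set() for i in range(self.n)}
        for link in self.user_data_links():
            a, b = tuple(link)
            adj[a].add(b)
            adj[b].add(a)
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def all_reachable(self):
        return len(self.reachable_from(self.rm)) == self.n

    def loop_free(self):
        # a connected topology on n modules is loop-free iff it has n-1 links
        return self.all_reachable() and len(self.user_data_links()) == self.n - 1


def walkthrough(n_modules=6):
    """Normal state, one fault, a second fault, then repair; returns the states."""
    ring = RedundantRing(n_modules)
    states = [("normal", ring.all_reachable(), ring.loop_free())]
    ring.interrupt(2, 3)
    states.append(("one fault", ring.all_reachable(), ring.loop_free()))
    ring.interrupt(4, 5)
    states.append(("two faults", ring.all_reachable(), ring.loop_free()))
    ring.restore(2, 3)
    ring.restore(4, 5)
    states.append(("repaired", ring.all_reachable(), ring.loop_free()))
    return states


if __name__ == "__main__":
    for name, reachable, loop_free in walkthrough():
        print(f"{name:10s} all reachable={reachable} loop-free={loop_free}")
```

The walkthrough shows the point the text makes: one interrupted cable leaves every module reachable and the topology still loop-free, a second interruption partitions the ring, and repairing both returns the RM to its blocking state.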
* For multi-unit systems with backbone the time servers are connected to the automation backbone
This requires a connection of the individual system networks via 2 backbone highways.
• Application backbone
• Automation backbone
The backbone highways consist of a virtually divided redundant router to which the individual system
networks are connected also with redundancy.
[Figure: backbone of a multi-unit system; Unit 1 and Unit 2 are each connected redundantly to the two backbone routers (Hirschmann). * Master connection, ** Standby connection]
The DMZ network is a network segment which must be used for external access to the SPPA-T3000
system. External access, e.g. remote service or the connection to an office network, is protected by a one-
or two-stage firewall (inside and outside firewall) and, if necessary, decoupled via proxy systems.
When proxies are used there is no direct access to the SPPA-T3000 system.
[Figure: only remote service access via Customer Access Gateway (CAG) via Terminal Server. SPPA-T3000 Control System (Application Server, Automation Server), DMZ-Net with Terminal Server, CAG with inside and outside firewall, WAN]
Figure 11: DMZ-Net with remote service access, intranet and optional systems
[Figure: as above, with optional OPC Server/Client and optional WIN TS in the DMZ-Net]
Inside Firewall
• Hirschmann Eagle mGuard
Due to the universal scalability of SPPA-T3000 the system can be used for diverse system sizes, from
the "small" HKW (combined heat and power plant) via the "standard" GuD (combined-cycle) system to
the multi-unit large power station. SPPA-T3000: one system fits all!
With this system size the network is designed as a combined application/Automation Highway. A 1-fault
tolerant ring is implemented which can be adapted ideally to the system size of the SPPA-T3000. This
allows for the hardware costs of the network to be kept to a minimum.
[Figure: small system with a combined Application/Automation Highway ring]
The SPPA-T3000 standard system has one separate application and Automation Highway each. These
are each designed as 1-fault tolerant ring.
[Figure: standard system with separate Application Highway and Automation Highway rings]
In a multi-unit system, several SPPA-T3000 standard systems with separate Application and Automation
Highways are connected via an additional backbone network. The system networks are always connected
redundantly to both backbone routers. This ensures the accessibility of the system networks even when
one (1) hardware fault is present.
[Figure: multi-unit system; the Application and Automation Highways of each unit are connected redundantly to the two backbone routers]
2.5 Software
During the development of SPPA-T3000 the following user requirements were considered from the
outset:
• Ease of use
• Flexibility in application
• Reliability during operation
• Scalability
• Openness
• Security
The SPPA-T3000 software architecture is based on software components. The functional modules for
automation are represented by individual components providing standardized interfaces. These
components represent not only the standard AS (automation system) functions but also the functionalities
for control/monitoring, alarms, engineering and diagnosis. The traditional division into AS, HMI, ES and
DS thus becomes obsolete.
HMI, engineering, diagnosis etc. are merely different views of the system.
• Project Container: central data manager for engineering and process data
• Runtime container: management and execution
• Automation functions: components with standardized interfaces
• Hardware proxy: represents an I/O module
• Management proxy: coordination of all software components and services
• Operating System
• Server components
• Network communication
• Field device communication
As already described in the previous chapters the SPPA-T3000 system includes 3 functional levels:
• Presentation Tier
• Processing Tier
• Data Tier
Combined, the systems of these levels form the control system.
Access by external systems to the control system is subject to strict rules which are described in more
detail in the following chapters.
"External" or "outside world" includes all systems which are not part of the control system but are to have
access to it. Access by these systems can be via:
[Figure: external access to the SPPA-T3000 Control System (Application Server, Automation Server, optional Terminal Server, optional OPC Server/Client, optional WIN TS) via a firewall from the client intranet, dial-in or the internet]
Access to the security cell "Control system" from outside always takes place via at least one firewall
system. If a DMZ network is present the crossover to the outside is implemented via additional firewalls
and router/firewall combinations.
[Figure: external access via a DMZ-Net with inside and outside firewall; the DMZ-Net contains the Terminal Server and the optional OPC Server/Client and WIN TS]
The framework conditions necessitating the DMZ network may be, for example:
• Project requirements
• Client security policy
The inner cells consist of the application and Automation Servers; the next cell includes the Thin Clients.
Together they then form the security cell of the "Control system".
All other cells outside the control systems are considered as less secure.
[Figure: security cells, from inside to outside: Field, Automation, Application (together the Control System), DMZ Net, Intranet / Internet with External Thin Client]
The optional security cell DMZ Net is placed between the security cell Control system and the non-
secure cell intranet/internet. All access to the security cell Control system is then directed via the security
cell DMZ Net. The DMZ Net contains the systems which communicate both externally and internally.
For access to the security cells Control system and optional DMZ Net a restrictive basic approach is
used:
Everything is prohibited unless explicitly permitted!
In the firewalls of the optional DMZ Net and of the Control system the source and target addresses and
the communication port used are checked. In future, application level firewalls may also be used.
A Thin Client is "reinforced" for operation in the security cell "Control system" on 3 levels:
Hardware
T3000 Security Manual V1.0.3 3-28 24.01.2008
© Siemens AG 2007 All Rights Reserved
Siemens AG
Firmware
• Setup of a BIOS password
Software
Strict limitation of the Thin Client functionality ("locking") for the user "operator", e.g.:
• Automatic start of the web browser with login screen for the control technology application.
• No starting of other websites.
• No installation of additional software possible
• No starting of other applications
• No login possible under different user names
• No autostart of any drives present (e.g. CD ROM).
• No access to external drives and USB memories
• No icons, no start button, no task manager, no explorer
For external service access via WAN or internet, the access must always go via a Terminal Server (TS)
using Microsoft Terminal Services (MS-TS). Access cannot be gained directly via the Application Server(s).
The Terminal Server is either a Thin Client at the Application Highway or a server in the DMZ. In the case
of a Thin Client as Terminal Server only a remote session is possible; the local session must be logged
out.
If more than one terminal session is to be allowed at the Terminal Server, standard server hardware and
a server operating system must be used.
The only exception to this rule are the SSH-based applications Secure Shell, SFTP and SCP, which,
exclusively for service purposes, may also run directly on the Application Servers and Thin Clients.
File transfer is an important application between the service center and the Control system. Diagnosis
data, patches, virus pattern updates etc. are frequently transferred in both directions.
Microsoft Terminal Services (MS-TS) is one of the main service applications and also offers a file transfer
option. Resources, e.g. the client drives, are connected to the server. When using the cRSP the MS-TS
client runs on CAT clients in the intranet. When using the drive connection via MS-TS all network drives
and any inserted USB drives at the CAT client would be connected to the server. This situation cannot be
modified administratively and poses a high security risk for the server. For this reason the connection of
drives via MS-TS is prohibited.
As an alternative, file transfer via SSH is used. An SSH program will be installed or enabled on
Application Servers and Thin Clients in future.
The SSH File Transfer Protocol (SFTP) permits secure data transfer and data access on remote
systems.
Secure Copy or SCP ensures the confidentiality, integrity and authenticity of the transferred data. For
this the SSH uses.
SPPA-T3000 Service centers rely on the remote service for the fast analysis and correction of faults.
Remote Service implies a temporary data connection between the service center and the SPPA-T3000
system. The system can be connected to the service center via dial-up (ISDN or analog) or over the
internet.
There are 2 cases:
a) A dedicated service access for SPPA-T3000: Customer Access Gateway (CAG)
b) A service access provided by the client: Customer Owned Gateway (COG)
In both cases a connection from the Siemens-wide Common Remote Service Platform (cRSP) to the
system is made when required. The cRSP is a centralized infrastructure permitting connections to
systems with Siemens technology globally via 3 access points.
4.2.1.1 Service access via CAG through dial-up connection (ISDN or POTS*) or internet
* Plain Old Telephone Service = analog connection
Dial-up connections
For dial-up connections the service access methods are as follows:
• ISDN: 64 kbit/s
• POTS: typically 33.6 kbit/s, often less
In dial-up connections IPSec (IP Security) must be used unless there are significant reasons* against it.
*) e.g. legal reasons, country-specific reasons.
Internet connections
In an internet connection as service access the bandwidth depends on the selected tariff.
Recommendations for minimum bandwidth:
• 192 kbit/s upstream
• 2000 kbit/s downstream
A connection between cRSP and the system over the internet uses public resources; therefore
mechanisms for the security of the transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packages are encrypted using 3DES* encryption.
* In export-critical countries also only with DES
Note:
The Siemens remote service access is only intended for the service via cRSP. The specific setup of the
access does not permit any other use.
Service Access via dial-up or internet connection through combined CAG/firewall system on TC/TS
Figure 18: Service Access via dial-up or internet connection on Thin Client/Terminal Server
TC/TS: combined Thin Client / Terminal Server
Service Access via dial-up or internet connection on Terminal Server in the DMZ
Figure 19: Service access via dial-up or internet connection on Terminal Server in the DMZ
| Application | Connection direction | Source IP | Target IP | Protocol / target port |
|---|---|---|---|---|
| Terminal session MS-TS | Terminal Server -> Thin Clients | Terminal Server IP | Thin Client IPs | RDP, TCP 3389 |
| Workbench connection | Terminal Server -> Appl. Servers | Terminal Server IP | Appl. server IP | HTTPS, TCP 443 |
| Remote Diagnostic View HTTP | Terminal Server -> Appl. server | Terminal Server IP | Appl. server IP | HTTP, TCP 8080 |
| Secure Shell SSH | Terminal Server -> Appl. server | Terminal Server IP | Appl. server IP | SSH, TCP 22 |
| | cRSP -> Appl. server | 194.138.39.24, 194.138.243.178 | Appl. server IP | |
| | cRSP -> TCs | 129.73.116.92 | TC IPs | |
Service Access via dial-up or internet connection through combined CAG/Firewall system on Thin
Client/Terminal Server and WIN TS
Figure 20: Service Access via dial-up or internet connection on TC/TS and WIN TS
Communication relationships between cRSP, TC/TS, WIN TS, and Control System
Permissions required in the CAG/Firewall System
Service Access via dial-up or internet connection through CAG, Terminal Server and WIN TS in
the DMZ
[Figure: Siemens cRSP access to SPPA-T3000; CAG with inside and outside firewall, DMZ-Net with Terminal Server and optional WIN TS, Control System with Application Server and Automation Server]
Figure 21: Service Access via dial-up or internet connection, TS and WIN TS in the DMZ
Communication relationships between cRSP, TS, and WIN TS in the DMZ and Control System
Permissions required in the CAG "outside firewall"
Communication relationships between TS and WIN TS in the DMZ, cRSP, and Control System
Permissions required at the "inside firewall", the access to the security cell "Control System"
| Application | Connection direction | Source IP | Target IP | Protocol / target port |
|---|---|---|---|---|
| Terminal session MS-TS | Terminal Server -> Thin Clients | Terminal Server IP | Thin Client IPs | RDP, TCP 3389 |
| Workbench connection | Terminal Server -> Appl. server | Terminal Server IP | Appl. server IP | TCP 443 |
| Diagnostic View HTTP connection | Terminal Server -> Appl. Servers | Terminal Server IP | Appl. server IP | HTTP, TCP 8080 |
| Secure Shell SSH | Terminal Server -> Appl. server | Terminal Server IP | Appl. server IP | SSH, TCP 22 |
| | cRSP -> Appl. Servers | 194.138.39.24, 194.138.243.178 | Appl. server IP | |
| | cRSP -> TCs | 129.73.116.92 | TC IPs | |
| WIN TS OPC connection via OPC Tunnel | WIN TS <-> Appl. Server | WIN-TS IP | Appl. server IP | OPC Tunneler, TCP 21379 |
If the client provides a service access, this is a Customer Owned Gateway (COG).
Where a COG exists, the connection is not made directly from the cRSP to the CAG and the DMZ of the
SPPA-T3000 system but to the client gateway. After authentication the data is transferred from the cRSP
over the client network to the gateway at the DMZ.
With regard to the communication relationships there is little change compared to access through a CAG.
The client must enable the protocols required by the service at the client's access gateway and in the
client network.
For external access via WAN or internet the access must not go directly to the Application Server(s) but
must always be via a Terminal Server (TS) using Microsoft Terminal Services (MS-TS); see chapter 4.1.
Optional additional systems, e.g. WIN-TS, are also connected at least via the T3000 firewall or are within
the optional DMZ. This means they can also be accessed externally through the COG.
For the external access via internet the same conditions as for dial-up connections apply.
Figure 22: Service Access through COG and client intranet on TS in the DMZ
Note:
This variant is only permitted with RDP encryption. Encryption must be enabled at the Terminal Server.
[Figure: Siemens cRSP access via VPN tunnel over internet or dial-up lines to the Customer Owned Gateway (COG) in the client intranet, then through the client firewall and the T3000 firewall to the TC/TS in the SPPA-T3000 Control System (Application Server, Automation Server)]
Figure 23: Service Access via dial-up or internet connection on Thin Client/Terminal Server
Service Access through COG, Thin Client as Terminal Server and optional WIN TS
Figure 24: Service Access via dial-up or internet connection on TC/TS and optional WIN TS
Communication relationships between cRSP, COG, Thin Client/Terminal Server, and optional WIN TS
Permissions required in the firewall of the Customer Owned Gateway, in the client intranet and in the
T3000 firewall
Service Access through COG, Terminal Server and optional WIN TS in the DMZ
Figure 25: Service Access via dial-up or internet connection on TS and optional WIN TS in the DMZ
Communication relationships between cRSP and COG and the DMZ Net
Permissions required in the firewall of the Customer Owned Gateway and the inside firewall in the DMZ
Net
[Figure: access through the COG and the client firewall to the router with inside firewall; DMZ-Net with Terminal Server and optional WIN TS; SPPA-T3000 Control System with Application Server and Automation Server]
The details for remote access through COG and client intranet have already been covered in previous
chapters (see chapter 4.1). The following describes in detail additional rules for access of Thin Clients
from within the client intranet.
The Thin Client in the client intranet must first establish a VPN connection (VPN tunnel) to the inside
firewall (router/firewall) in the DMZ. The inside firewall acts as VPN gateway.
The HTTPS and RMI connections are then channeled through this protected tunnel.
The Thin Client in the client intranet must meet the requirements in chapter 3.5.
Conditions for the establishment of a VPN tunnel between TC and inside firewall:
• TC: VPN client software (Cisco VPN Client) installed and configured; for configuring the Cisco VPN
Client see the appendix
• Inside firewall: configured as VPN gateway
Figure 28: Connection of a Thin Client in the client intranet to SPPA-T3000 via VPN Client Connection
Communication relationships between TC in the client intranet and the VPN gateway in the inside
firewall
Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Application communication
Re 2, application communication
The connection of SPPA-T3000 to the internet may be required for the following reasons:
• Access for client personnel
• Access for third parties
The use of the internet by Siemens remote service has already been covered in chapter 4.1. This also
defined that the internet access via Customer Access Gateway CAG (the internet is connected direct to
the DMZ Net via CAG) can only be used for service via cRSP.
It follows from the above that access by client personnel and third parties to the SPPA-T3000 must be
carried out via a separate internet access.
A connection over the internet uses public resources; therefore mechanisms for the security of the
transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packages are encrypted using 3DES* encryption.
In addition to the Remote Service via the internet it may be necessary also to connect individual Thin
Clients over the internet to SPPA-T3000, e.g. client personnel from home.
The client must provide the corresponding access for this purpose. This gateway forms the access point
for individual systems via internet or dial-in.
The internet is considered an "untrusted area". Therefore, access by TC from the internet must be
especially secure. The TC in the internet must first establish a VPN connection (VPN tunnel) to the client
gateway. Protected by this VPN tunnel a MS-TS connection to the Terminal Server in the DMZ can be
made. No direct access to SPPA-T3000 systems from the internet is permitted.
The Thin Client in the internet must meet a minimum of the following requirements:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client
4.5 Wireless Thin Clients in the control station and power station
Wireless networks in power stations permit greater independence and flexibility during commissioning,
service and operation of the plant.
Via wireless Thin Clients the SPPA-T3000 control and monitoring interface is available at any location
within wireless reach.
The wireless connection is considered an "untrusted area". Therefore, access by wireless Thin Clients
must be specially secured.
Note: For the security mechanisms described the export and country-specific restrictions on encryption
methods and the length of keys must be taken into account.
1. Security mechanisms in the wireless route, i.e. between wireless access point and wireless
client through:
2. Securing the complete communication path between the wireless Thin Client and the inside
firewall through a VPN connection.
For the communication between a wireless Thin Client and SPPA-T3000 a VPN connection (VPN tunnel)
to the inside firewall (router/firewall) in the DMZ must be established. The inside firewall acts as VPN
gateway.
The HTTPS and potentially RMI connections are then channeled through this protected tunnel.
Conditions for the establishment of a VPN tunnel between wireless Thin Client and inside firewall:
• Wireless Thin Client: VPN client software (Cisco VPN Client) installed and configured; for configuring
the Cisco VPN Client see the appendix
• Inside firewall: configured as VPN gateway
Figure 30: Connection of wireless Thin Clients to SPPA-T3000 via WLAN and VPN tunnel
Communication relationships between wireless Thin Client (wTC) and the VPN gateway in the
inside firewall
Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Communication by the application(s)
Re 2, application communication
| Application | Connection direction | Source IP | Target IP | Protocol / target port |
|---|---|---|---|---|
| Terminal session | wTC -> Terminal Server | VPN-Client IP of the TC* | TS IP | RDP, TCP 3389 |
| Workbench HTTPS connection | Terminal Server -> Appl. server | TS IP | Appl. Server IP | HTTPS, TCP 443 |
| RMI reg | Terminal Server -> Appl. server | TS IP | Appl. Server IP | RMI, TCP 1099 |
| RMI com. | Terminal Server -> Appl. server | TS IP | Appl. Server IP | RMI, TCP 50001-50050 |
| RMI to Workbench** | Appl. server -> Terminal Server | Appl. Server IP | TS IP | TCP 50000+50009 |
* allocated by the VPN gateway
** outgoing connection
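The "everything is prohibited unless explicitly permitted" rule for the inside firewall, applied to the communication relationships in the table above (and to the OPC tunneler port TCP 21379 from the DMZ tables in chapter 4.2), can be expressed as a small default-deny evaluator. This is an added example, not code from Siemens or from the manual: the addresses, the VPN client pool and the rule names are constructed, and "TCP 50000+50009" is read here as the two ports 50000 and 50009.

```python
"""Default-deny check of the inside-firewall rule set.

Added example, not code from the SPPA-T3000 manual or from Siemens. It encodes
the communication relationships of the wireless Thin Client table (RDP from the
VPN client address to the Terminal Server; HTTPS, RMI registry and RMI
communication from the Terminal Server to the Application Server; the RMI
callback to the workbench) plus the OPC tunneler port from the DMZ tables, and
evaluates connection attempts against them. All addresses are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str          # "tcp" or "udp"
    ports: frozenset    # permitted target ports


def rule(name, src, dst, proto, ports):
    return Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, frozenset(ports))


# Constructed sample addressing (assumption; the manual names roles, not addresses).
VPN_CLIENT_POOL = "10.200.0.0/24"   # addresses the VPN gateway allocates to wTCs
TERMINAL_SERVER = "10.10.1.10/32"
APPL_SERVER = "10.10.2.20/32"
WIN_TS = "10.10.1.30/32"

INSIDE_FIREWALL_RULES = [
    rule("Terminal session (RDP)", VPN_CLIENT_POOL, TERMINAL_SERVER, "tcp", [3389]),
    rule("Workbench HTTPS", TERMINAL_SERVER, APPL_SERVER, "tcp", [443]),
    rule("RMI registry", TERMINAL_SERVER, APPL_SERVER, "tcp", [1099]),
    rule("RMI communication", TERMINAL_SERVER, APPL_SERVER, "tcp", range(50001, 50051)),
    rule("RMI to workbench (outgoing)", APPL_SERVER, TERMINAL_SERVER, "tcp", [50000, 50009]),
    rule("OPC tunnel (WIN TS)", WIN_TS, APPL_SERVER, "tcp", [21379]),
]


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; no match means the connection is dropped."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and proto == r.proto and dport in r.ports:
            return True, r.name
    return False, None


def overly_broad(rules, max_ports=100):
    """Rules that are not a static, minimal permission: any-source, any-target
    or a large port range (what an unpredictable DCOM port set would need)."""
    return [r.name for r in rules
            if r.src.prefixlen == 0 or r.dst.prefixlen == 0 or len(r.ports) > max_ports]


# Constructed connection attempts: (source, target, protocol, target port)
ATTEMPTS = [
    ("10.200.0.5", "10.10.1.10", "tcp", 3389),    # wTC to Terminal Server
    ("10.200.0.5", "10.10.2.20", "tcp", 443),     # wTC straight to Appl. Server
    ("10.10.1.10", "10.10.2.20", "tcp", 50025),   # RMI communication
    ("10.10.2.20", "10.10.1.10", "tcp", 50009),   # RMI callback to workbench
    ("10.10.2.20", "10.10.1.10", "tcp", 50005),   # port outside the callback pair
    ("10.10.1.30", "10.10.2.20", "tcp", 21379),   # OPC tunneler
    ("10.10.1.10", "10.10.2.20", "udp", 443),     # wrong protocol
]


def audit(rules=INSIDE_FIREWALL_RULES, attempts=ATTEMPTS):
    """Evaluate every attempt; returns a list of (allowed, matched rule name)."""
    return [evaluate(rules, *attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, (allowed, name) in zip(ATTEMPTS, audit()):
        print(attempt, "ALLOW" if allowed else "DENY", name or "(default deny)")
```

The second attempt (a wireless Thin Client opening HTTPS to the Application Server without going through the Terminal Server) is dropped because no rule names that pair, which is exactly what the restrictive approach is meant to achieve; `overly_broad` flags the kind of any-source or wide-port-range rule that a DCOM-based OPC connection would force into the firewall.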
For the communication between the applications OPC currently mainly uses the DCOM technology
(Distributed Component Object Model).
The consequences of using DCOM would be:
• DCOM has to be configured
• An unpredictable number of TCP/UDP connections would be opened.
The second point in particular would represent a serious security problem, because it would no longer
make a static firewall configuration possible.
The solution to the problem is the use of an "OPC tunneler", e.g. by Matrikon Inc., which reduces the
OPC communication between client and server to one (1) TCP connection.
The target port TCP 21379 has been defined for the tunneler.
If the external OPC server is located in an insecure environment, e.g. in the client intranet, a VPN
connection between the OPC server and the VPN gateway on the inside firewall is additionally required.
A VPN tunnel between the OPC system in the client intranet and the VPN gateway in the inside firewall
is mandated here.
[Figure: OPC Server/Client in the client intranet with VPN client, connected via OPC tunnel and VPN tunnel through the client firewall to the router with inside firewall and VPN gateway; DMZ-Net with Terminal Server and optional WIN TS; SPPA-T3000 Control System with Application Server with OPC and Automation Server]
Communication relationships between OPC server/client in the client intranet and the VPN
gateway in the inside firewall
Settings in the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Communication by the application
4.6.2 OPC server/client system in the DMZ with access by external PI system in
the client intranet
Here the OPC system is located within the DMZ, access is e.g. via a PI system in the intranet.
[Figure: OPC system in the DMZ-Net, accessed through the client firewall and the router with inside firewall and VPN gateway; DMZ-Net with OPC, Terminal Server and optional WIN TS; SPPA-T3000 Control System with Application Server with OPC and Automation Server]
Figure 35: PI server in the client intranet and OPC connection through an OPC tunnel
SPPA-T3000 provides the option to control and monitor 3rd party PLC / PLS (DCS) systems.
Protocols
• MODBUS
• CS275
• IEC 60870-5
Interfaces
• Ethernet
• RS 232, 422, 482
In the present version of the SPPA-T3000 Security Manual only the Modbus connection via CM104 is
described initially. Other connections will follow.
The Modbus CM is connected to the Automation Highway. If the access by the 3rd party Modbus system
is implemented via an unsecured network, a firewall is required for the Modbus communication.
[Figure: Modbus TCP connection via CM104. SPPA-T3000 Control System with router/firewall inside and DMZ-Net (Application Server, Terminal Server, optional WIN TS); CM104 on the Automation Highway; 3rd Party Plant Area with Modbus TCP Server 1 to Server 25, connected via an optional firewall]
5 Annexes
5.1 VPN details for Remote Service Access via cRSP
The cRSP has three access points: Fuerth (Europe), Newark/CA (America) and Singapore (Asia).

| Access point | dial-up IP | internet IP | local DMZ | access server | FTP Server |
|---|---|---|---|---|---|
| Fuerth (Europe) | 169.254.0.3 | 194.138.39.1 | 194.138.39.0/27 | 194.138.39.24 | 194.138.39.19 |
| Singapore (Asia) | 194.138.243.169 | 194.138.240.3 | 194.138.243.176/29 | 194.138.243.178 | - |
| Newark/CA (America) | 129.73.116.86 | 129.46.135.193 | 129.73.116.88/29 | 129.73.116.92 | 129.73.116.91 |
5.1.1 IPSec details on establishing a VPN tunnel via the internet to the cRSP
Note: The current version of cRSP only supports Shared Secret, not certificates.
IPSec parameters:
• Authentication algorithm: ESP/MD5/HMAC-128
• Encryption algorithm: 3DES-168
• Encapsulation mode: Tunnel
• Perfect Forward Secrecy: Disabled
• Lifetime Measurement: Time
• Data Lifetime: 10000 kB
• Time Lifetime: 28800 sec
IKE parameters:
• Negotiation Mode: Main
• Digital Certificate: none
• IKE Proposal: IKE-3DES-MD5
A port is an address component used to allocate data to the correct service (protocol). This concept is
implemented e.g. in TCP and UDP.
Port ranges:
• Port numbers between 0 and 1023 are permanently allocated to specific applications
• Port numbers between 1024 and 49151 are "registered ports" of specific application manufacturers
• Port numbers between 49152 and 65535 are private ports which can be used freely
For security reasons the communication to the security cell Control system must be reduced to the
absolutely necessary minimum.
Depending on the design, with or without DMZ Net, this is implemented using 1 or 2 firewalls.
Where a DMZ Net exists there is an inside firewall at the security cell Control system and an outside
firewall at the remote access point (Customer Access Gateway). If the client intranet is connected, this
access also terminates at the inside firewall of the Control system.
The following applications and communication ports are currently provided for SPPA-T3000.
* OPC Server/Client
5.3 Sample loading times for a workbench via DSL

| Connection | Loading time for approx. 20 megabyte |
|---|---|
| Modem (28.8 Kbps) | 1 h 32 min 35 s |
| Modem (56 Kbps) | 0 h 47 min 37 s |
| 1 channel ISDN (64 Kbps) | 0 h 41 min 40 s |
| 2 channel ISDN (128 Kbps) | 0 h 20 min 49 s |
| DSL-768 (768 Kbps, outdated) | 0 h 3 min 28 s |
| DSL 1000 (1024 kbps) | 0 h 2 min 36 s |
| DSL-1500 (1536 Kbps, outdated) | 0 h 1 min 44 s |
| DSL 2000 (2048 kbps) | 0 h 1 min 18 s |
| DSL 3000 (3072 kbps) | 0 h 0 min 52 s |
| DSL 6000 (6016 kbps) | 0 h 0 min 26 s |
| DSL 16,000 (16000 kbps) | 0 h 0 min 10 s |
6 Glossary
| Abbreviation | Term | Explanation |
|---|---|---|
| AES | Advanced Encryption Standard | Encryption based on the Rijndael algorithm |
| CAG | Customer Access Gateway | Service access point in accordance with the cRSP standard |
| COG | Customer Owned Gateway | Service access point provided by the client |
| DCOM | Distributed Component Object Model | A protocol defined by Microsoft to allow program components to communicate via a network |
| DMZ | Demilitarized Zone | Computer network with access options controlled by security technology |
| ESP | Encapsulating Security Payload | ESP authentication authenticates the inner IP header (e.g. of the external system) but not the outer IP header |
| https | Hyper Text Transfer Protocol (Secure) | Encryption and authentication of the communication between web server and browser |
| IP | Internet Protocol | Prevalent network protocol |
| VLAN | Virtual Local Area Network | A virtual local network within a physical network |
| VPN | Virtual Private Network | Facilitates secure transmission via an unsecured network |
| WPA | Wi-Fi Protected Access | An encryption method for a wireless LAN |
| wTC | Wireless Thin Client | Thin Client connected via a wireless network infrastructure |