
Siemens AG

SPPA-T3000 Security Manual

T3000 Security Manual V1.0.3 1-1 24.01.2008


© Siemens AG 2007 All Rights Reserved

1 Introduction ...................................................................................................................................... 1-4


1.1 Purpose of the document........................................................................................................ 1-4
1.2 Target group ........................................................................................................................... 1-4
1.3 Required knowledge ............................................................................................................... 1-4
2 T3000 introduction; approx. 10 pages .............................................................................................. 2-5
2.1 Standard architecture.............................................................................................................. 2-5
2.2 Components of SPPA-T3000 (Thin Client, Application Server, Automation Server S7,
Automation Server CM, Time Server, Firewalls, Router for Multi-Unit, Switches) ................... 2-6
2.2.1 User interfaces - Thin Clients ..................................................................................... 2-7
2.2.2 Power server – Application Server ............................................................................. 2-7
2.2.3 Power server – Automation Server S7 ....................................................................... 2-8
2.2.4 Power server – Automation Server CM104 ................................................................ 2-9
2.2.5 Time server ................................................................................................................ 2-9
2.2.6 Process interfaces ..................................................................................................... 2-9
2.2.7 Network components ............................................................................................... 2-10
2.2.7.1 Ethernet components ............................................................................... 2-10
2.2.7.2 Profibus.................................................................................................... 2-10
2.2.7.3 Routers and firewalls................................................................................ 2-11
2.3 Networks (Application Highway, Automation Highway, Backbone Highway, DMZ)............... 2-12
2.3.1 Standard network topology for application and Automation Highways ..................... 2-12
2.3.1.1 Redundancy manager (RM) ..................................................................... 2-13
2.3.1.2 Observer (for OSM/ESM)......................................................................... 2-14
2.3.2 Application Highway................................................................................................. 2-15
2.3.3 Automation Highway ................................................................................................ 2-16
2.3.4 Backbone highways ................................................................................................. 2-17
2.3.5 The DMZ network .................................................................................................... 2-18
2.3.5.1 DMZ sample variants in detail .................................................................. 2-19
2.4 Variants (small, standard, multi-unit configuration) ............................................................... 2-21
2.4.1 Small system............................................................................................................ 2-21
2.4.2 Standard system ...................................................................................................... 2-21
2.4.3 multi-unit system ...................................................................................................... 2-23
2.5 Software ............................................................................................................................... 2-24
2.5.1 Software architecture ............................................................................................... 2-24
2.5.1.1 Software component categories............................................................... 2-24
2.6 Crossover to the "outside world" ........................................................................................... 2-26
3 Coarse/overriding security concept ................................................................................................ 3-27
3.1 Security cells......................................................................................................................... 3-27
3.2 Communication rule: Everything is prohibited unless explicitly permitted.............................. 3-28
3.3 "Reinforcing" the Thin Clients of the Control systems ........................................................... 3-28
3.4 Thin Clients outside the security cell "Control system".......................................................... 3-29
4 Scenarios for Remote Service Access ........................................................................................... 4-30
4.1 General observations on Remote Service............................................................................. 4-30
4.1.1 Comparison of external Terminal Servers and combined Thin Clients / terminal
servers ..................................................................................................................... 4-30
4.1.2 File transfer using RDP and SSH............................................................................. 4-30
4.2 Service access to SPPA-T3000 ............................................................................................ 4-31
4.2.1 Service access to SPPA-T3000 via Customer Access Gateway (CAG) ................... 4-32
4.2.1.1 Service access via CAG through dial-up connection (ISDN or POTS*)
or internet................................................................................................. 4-32
4.2.2 Service access via Customer Owned Gateway (COG) ............................................ 4-38
4.2.2.1 Service access through COG via dial-up connection (ISDN).................... 4-38
4.2.2.2 Service access through COG via internet VPN connection ...................... 4-38
4.3 Connection of SPPA-T3000 to an intranet ............................................................................ 4-44
4.3.1 Thin Client in the intranet with access to SPPA-T3000 ............................................ 4-45
4.4 SPPA-T3000 connection to the internet ................................................................................ 4-49
4.4.1 Thin Client in the internet ......................................................................................... 4-49

4.5 Wireless Thin Clients in the control station and power station .............................................. 4-51
4.5.1 Administration of the wireless Access Point ............................................................. 4-53
4.6 Third party system connection via OPC ................................................................................ 4-54
4.6.1 OPC server/client system in the client intranet ......................................................... 4-55
4.6.2 OPC server/client system in the DMZ with access by external PI system in the
client intranet............................................................................................................ 4-57
4.7 Third party system connection via Modbus ........................................................................... 4-58
4.7.1 Modbus TCP connection via CM104........................................................................ 4-58
5 Annexes ......................................................................................................................................... 5-60
5.1 VPN details for Remote Service Access via cRSP................................................................ 5-60
5.1.1 IPSec details on establishing a VPN tunnel via the internet to the cRSP ................. 5-61
5.1.2 Configuration of the Cisco VPN client software ........................................................ 5-62
5.2 Applications and ports for the communication with SPPA-T3000.......................................... 5-63
5.3 Sample loading times for a workbench via DSL.................................................................... 5-64
6 Glossary ......................................................................................................................................... 6-65


1 Introduction
1.1 Purpose of the document
The T3000 Security Manual contains information, notes and guidelines for the planning and
implementation of external access to T3000 systems.

It describes standards of a binding nature which ensure a high degree of security for the T3000 systems
and the related plant operation.

Some typical example scenarios for connecting external clients to T3000 systems are illustrated and
dealt with in detail.

The T3000 Security Manual serves as:

• the information source for distributors and clients who want to know "how security is implemented
in the T3000"
• a guide for planning and project design
• a reference for implementation
• an instruction for network administration

The aim is to establish a common basis for the cooperation of network administrators of company
networks and of automation networks.

1.2 Target group


The T3000 Security Manual is aimed at:

• Clients
• Distributors
• Planners
• Network administrators

1.3 Required knowledge


The information contained in the T3000 Security Manual is at times very specific. Therefore, some
knowledge of network administration would be an advantage.


2 T3000 introduction; approx. 10 pages

2.1 Standard architecture

The SPPA-T3000 standard architecture is formed from 3 functional levels connected via networks.

• Presentation Tier
• Processing Tier
• Data Tier

Figure 1 SPPA-T3000 levels (functional levels and the corresponding hardware; figure not reproduced)


2.2 Components of SPPA-T3000 (Thin Client, Application Server, Automation Server S7, Automation Server CM, Time Server, Firewalls, Router for Multi-Unit, Switches)

Overview

User Interfaces

• Thin Clients with web browser


• Standard PCs, workstations, notebooks

Power server

• Application Server
  o ft server
  o non-ft server
• Automation Servers
  o S7
  o CM104

Process Interfaces

• I/O modules
• Special I/O modules

Networks

• Ethernet network with TCP/IP


• PROFIBUS DP fieldbus

Additional systems

• Time server
• Router
• Firewalls


2.2.1 User interfaces - Thin Clients

Thin Clients form the interface between users and the functions of SPPA-T3000. In principle every
computer with a web browser can access the web applications via the local network, an intranet or via the
internet. No particular applications need to be installed on the desktop system for this purpose.

Benefit

• Existing IT infrastructure can be used
• Easy workstation configuration for process control applications
• No engineering or process data are stored on the Thin Client
• Only a single input device (mouse, keyboard) for up to four monitors

2.2.2 Power server – Application Server

Stratus ft Application Server 4300 (Aria)

Highly available, online-maintainable Application Server

• Standard operating system (Microsoft Windows Server)
• High-performance server (dual Intel Xeon processor)
• Dual module redundancy (DMR)


non-ft Application Server

Cost-effective standard server solution

• New 64-bit Intel® Dual Xeon™ EM64T and up to 2 MB SLC for highest performance capability
• High data availability due to its fast, fail-safe RAID1 system and other redundant components
• e.g. Fujitsu Siemens PRIMERGY TX300 S2 Server

2.2.3 Power server – Automation Server S7

Scalable controllers
Scalable automation performance according to project needs

• CPU 414 / 414H (1.4 MB RAM)
• CPU 416 (5.6 MB RAM)
• CPU 417 / 417H / 417FH (20 MB RAM)

• Robust (fan-free operation, replaceable online, designed for demanding industrial environments)
• Reliable, stable, high availability (even without redundancy)

Automation Server (CPU 417) for fail-safe and non-fail-safe applications
Reduced spare part diversity and simple maintenance

• Redundant master systems S7-400H in divided sub-rack with redundancy connection


2.2.4 Power server – Automation Server CM104

Automation Server CM104

Data exchange between SPPA-T3000 and 3rd party systems

• Scalable in performance and signal number (500 to 5000 signals)
• Various physical interfaces (RS232, RS..., Ethernet...)
• One-channel and redundant connection of 3rd party PLC/PLS to SPPA-T3000

2.2.5 Time server

Time server
Distribution of time information via the network

• Redundant use
• Highest precision using GPS time

2.2.6 Process interfaces

Standard I/Os
• ET200M
• ET200M fail-safe

Special I/Os
• Functional modules FUM
• Front-end modules AddFEM


2.2.7 Network components

2.2.7.1 Ethernet components

Application and Automation Highway

Redundant rings with fast 1-failure tolerance

Optical and electrical switch modules (OSM/ESM)

• Layer 2 switching
• 10/100 Mbit/s
• Ring topology
• Up to 150 km, 50 OSM per network
• Max. 3000 m between two OSMs
• High availability through fast redundancy switching (complete switchover within 0.3 s)

SCALANCE (from release 4)

• Layer 2 (X20x) or Layer 3 switching (X-4xx)
• 10/100 Mbit/s
• Ring topology
• Modular/non-modular

2.2.7.2 Profibus

Process integration with Profibus DP
Flexible and fast fieldbus
Profibus OLM

• Redundant design possible
• Transmission rate up to 12 Mbit/s


2.2.7.3 Routers and firewalls

These components are differentiated as:

• Router to connect SPPA-T3000 multi-unit systems
• Internal firewall
• External firewall

Connections in multi-unit systems

Operation of several units via a single interface
Hirschmann Mach 3001
• 10/100 Mbit/s
• Combined routing and switching
• Modular design

Internal firewalls for access to the T3000 security cell
The gatekeepers to the world of SPPA-T3000
Hirschmann Eagle
• Compact LAN-to-LAN firewall
• Stateful inspection firewall
• Packet filtering
• Multipoint VPN
• Virus protection

Cisco Router Series 2800

• Multiple-port router with firewall
• Connection of third party networks, e.g. office LAN
• Stateful inspection firewall
• Packet filtering
• Multipoint VPN


External firewall
Customer access gateway
Fast and secure service access

Cisco Router Series 1800 and 800

• Stateful inspection firewall
• Packet filtering
• Multipoint VPN

Connection via:
• ISDN
• Analog
• DSL
• LAN

2.3 Networks (Application Highway, Automation Highway, Backbone Highway, DMZ)

The networks for T3000 are based on Ethernet standards and are used to connect the various SPPA-T3000
system components. They are divided into:

• Application Highway
• Automation Highway
• Backbones (application and automation backbone)
• DMZ network

The standard topology of SPPA-T3000 consists of separate Application and Automation Highways, a
DMZ network for remote access and an optional backbone for multi-unit systems. In small SPPA-T3000
systems the Application and Automation Highway can be combined into one network.

2.3.1 Standard network topology for application and Automation Highways

The networks of the Application Highway and the Automation Highway are designed as 1-fault-tolerant rings.
For the ring installation the proven Layer 2 switch modules from the industrial Ethernet product range of
the Siemens division A&D are used.
The switch modules were developed specifically for industrial use and have the corresponding
characteristics for flexible network structures, high data throughput and availability.

The ring offers a 1-failure tolerance, i.e. if a network component in the ring fails or the ring cabling is
interrupted, all connected system components remain accessible. (Exceptions are single systems, e.g.
Thin Clients, printers or gateways, when the network component they are attached to fails.)


Figure 2 Ring structure

2.3.1.1 Redundancy manager (RM)

Networks on an Ethernet basis usually have a bus, tree or star topology.
For the ring structure used here a redundancy manager is required. The redundancy manager is a specially
configured switch module which converts the physically closed ring structure into a virtual bus structure
and monitors the ring for interruptions. For this purpose port 8 of the RM is deactivated for sending and
receiving user data, so that at the RM the ring structure is "open".
For every separate ring a separate RM is mandatory.
The ring is monitored via ring test telegrams which the redundancy manager sends into the ring in
both directions, including via port 8.

Figure 3 Test telegram flow in the ring


An interruption in the ring exists if at least one of the two ring test telegram streams is interrupted. The
RM then re-activates its port 8 for user data and the 2 bus segments resulting from the interruption are
reconnected. For <= 50 switch modules in the ring, a ring interruption is rectified in the manner described
above within 0.3 sec.

Figure 4 RM activation

The ring test telegram streams remain interrupted until the ring structure has been restored. When both
ring test telegram streams are received again, the RM re-"opens" the closed ring structure and the standard
topology is restored.

2.3.1.2 Observer (for OSM/ESM)

The redundancy manager is a vital ring component. An RM malfunction, e.g. activating port 8 without an
interruption in the ring structure, would result in a significant increase in the bus load in the ring. The
performance of the affected network would be reduced considerably.
For this reason a monitoring function for the redundancy manager is provided: the observer.
The observer monitors the function of the RM and can open the ring on its behalf if a malfunction
causes the ring to be closed improperly.
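The behaviour of the redundancy manager and the observer described in 2.3.1.1 and 2.3.1.2 can be followed step by step in a small simulation. The following code is an added illustration and not Siemens code: the class and method names (Segment, RedundancyManager, Observer, poll, check) are invented here, and the four-segment ring with one cable fault is a constructed scenario. What it reproduces from the text is the state machine: test telegrams circulate in both directions, port 8 is activated for user data as soon as at least one telegram stream is lost, it is deactivated again once both streams return, and the observer opens the ring if the RM keeps it closed although both streams pass.

```python
"""Simulation of the ring redundancy manager (RM) and its observer.  Added
example, not Siemens code: names and the fault scenario are invented here; the
behaviour follows the description in sections 2.3.1.1 and 2.3.1.2."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One ring cable segment.  Each direction can fail independently, so a
    one-sided fault interrupts only one of the two telegram streams."""
    name: str
    cw_up: bool = True
    ccw_up: bool = True


@dataclass
class RedundancyManager:
    segments: list
    port8_active: bool = False          # False = ring logically "open" at the RM (normal state)
    log: list = field(default_factory=list)

    def telegram_streams(self):
        """Returns (clockwise_ok, counterclockwise_ok): a test telegram leaves one
        RM port, passes every segment and must arrive at the other RM port."""
        cw = all(s.cw_up for s in self.segments)
        ccw = all(s.ccw_up for s in self.segments)
        return cw, ccw

    def poll(self):
        """One monitoring cycle of the RM; returns the resulting port 8 state."""
        cw, ccw = self.telegram_streams()
        if not (cw and ccw) and not self.port8_active:
            # At least one stream lost: reconnect the two bus segments via port 8.
            self.port8_active = True
            self.log.append("fault: port 8 activated")
        elif cw and ccw and self.port8_active:
            # Both streams back: re-open the ring, standard topology restored.
            self.port8_active = False
            self.log.append("restored: port 8 deactivated")
        return self.port8_active


@dataclass
class Observer:
    """Monitors the RM: a closed ring without a fault would loop user traffic and
    raise the bus load, so the observer opens the ring on the RM's behalf."""
    interventions: int = 0

    def check(self, rm):
        cw, ccw = rm.telegram_streams()
        if rm.port8_active and cw and ccw:
            rm.port8_active = False
            self.interventions += 1
            rm.log.append("observer: ring opened, RM malfunction")
            return True
        return False


def run_scenario():
    """Constructed scenario: a one-sided cable break, its repair, then an
    injected RM malfunction that the observer has to correct."""
    ring = [Segment(f"seg{i}") for i in range(4)]
    rm = RedundancyManager(ring)
    obs = Observer()
    states = []

    states.append(rm.poll())              # healthy ring: port 8 stays off
    ring[2].cw_up = False                 # one-sided break in segment 2
    states.append(rm.poll())              # RM closes port 8
    ring[2].cw_up = True                  # repair
    states.append(rm.poll())              # RM re-opens the ring
    rm.port8_active = True                # fault injection: RM closes ring without a break
    obs.check(rm)                         # observer opens it again
    states.append(rm.port8_active)
    return states, obs.interventions, rm.log


if __name__ == "__main__":
    print(run_scenario())
```

The scenario returns the port 8 state after each step, the number of observer interventions and the event log, so the two monitoring roles (RM reacting to a lost stream, observer reacting to the RM itself) can be compared directly.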


2.3.2 Application Highway

The Application Highway connects the components of the display level. It enables the communication
between the Thin Clients, network printers, Application Servers, backbone (for multi-unit) and internal
firewall.
The Application Highway is designed as a 1-fault-tolerant ring.
All operationally relevant components have redundant communication interfaces and CPUs or exist in
multiples. Connection to the Application Highway is made in such a way that the two halves of a system
redundancy are never connected to the same network component. This ensures that the communication
can continue via the remaining connection even when a network component fails.
Multiple non-redundant systems (e.g. Thin Clients) are distributed over different network components for
connection purposes. Non-redundant systems which exist only once (e.g. internal firewall) can be
plugged over onto a different network component should that component fail.

Systems at the Application Highway

System                              Redundant design   Notes
Application Server                  yes
Thin Clients                        no                 multiple existence
Printer                             no                 multiple existence
Internal firewall                   no
Connection to the backbone router   yes                optional for multi-unit

Figure 5 System connection to the Application Highway (figure not reproduced; only device panel labels survived extraction)


2.3.3 Automation Highway

The Automation Highway connects the components of the processing level. It enables the communication
between Automation Servers, Application Servers, time servers and backbone (for multi-unit).
The Automation Highway is designed as a 1-fault-tolerant ring.
All operationally relevant components have redundant communication interfaces and CPUs. Connection
to the Automation Highway is made in such a way that the two halves of a system redundancy are never
connected to the same network component. This ensures that the communication can continue via the
remaining connection even when a network component fails. Multiple non-redundant systems (e.g. the 2
time servers) are connected to different network components in the same way as redundant systems.
Non-redundant systems which exist only once (e.g. CM104) can be plugged over onto a different network
component should that component fail.

Systems at the Automation Highway

System                              Redundant design   Notes
Application Server                  yes
Automation Server S7                yes
Automation Server CM104             yes/no
Time server *                       no                 exists twice
Connection to the backbone router   yes                optional for multi-unit

* For multi-unit systems with backbone the time servers are connected to the automation backbone

Figure 6 System connection to the Automation Highway
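Sections 2.3.2 and 2.3.3 state the same two connection rules for both highways: the two interfaces of a redundant system must never share a switch module, and several non-redundant systems of one kind must be spread over different switch modules. A connection plan can be checked against these rules mechanically before commissioning. The following check is an added example and not part of the manual: the data model (Attachment), the function name check_highway and the sample plan are invented here; only the rules come from the text. A non-redundant system that exists once is reported as a note rather than an error, because the manual's remedy for it is re-plugging after a failure.

```python
"""Design-rule check for connecting systems to the Application or Automation
Highway.  Added example, not from the manual: data model and names are
invented; the two rules are those stated in sections 2.3.2 and 2.3.3."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    system: str       # e.g. "AS-1"
    kind: str         # e.g. "Application Server", "Thin Client"
    redundant: bool   # True: system has two network interfaces (redundant design)
    switch: str       # switch module (OSM/ESM) this interface is plugged into


def check_highway(attachments):
    """Returns (errors, notes) as lists of strings; an empty error list means
    the connection plan satisfies both rules."""
    errors, notes = [], []
    by_system = defaultdict(list)
    for a in attachments:
        by_system[a.system].append(a)

    singles_by_kind = defaultdict(list)   # non-redundant systems grouped by kind
    for system, ifaces in by_system.items():
        if ifaces[0].redundant:
            # Rule 1: a redundant system needs two interfaces on two different modules.
            if len(ifaces) < 2:
                errors.append(f"{system}: redundant system has only one connection")
            elif len({a.switch for a in ifaces}) < len(ifaces):
                errors.append(f"{system}: both redundant interfaces on switch "
                              f"{ifaces[0].switch}; a module failure cuts off the system")
        else:
            if len(ifaces) > 1:
                errors.append(f"{system}: non-redundant system with several connections")
            singles_by_kind[ifaces[0].kind].append(ifaces[0])

    for kind, items in singles_by_kind.items():
        # Rule 2: multiple non-redundant systems of one kind are distributed.
        switches = {a.switch for a in items}
        if len(items) > 1 and len(switches) == 1:
            errors.append(f"{kind}: all {len(items)} units on switch "
                          f"{switches.pop()}; distribute them over several modules")
        elif len(items) == 1:
            notes.append(f"{items[0].system}: single non-redundant {kind} on "
                         f"{items[0].switch}; re-plug to another module if it fails")
    return errors, notes


# Constructed connection plan for an Application Highway ring of four modules.
SAMPLE_PLAN = [
    Attachment("AS-1", "Application Server", True, "OSM-1"),
    Attachment("AS-1", "Application Server", True, "OSM-2"),    # correct: split over two modules
    Attachment("AS-2", "Application Server", True, "OSM-3"),
    Attachment("AS-2", "Application Server", True, "OSM-3"),    # violates rule 1
    Attachment("TC-1", "Thin Client", False, "OSM-1"),
    Attachment("TC-2", "Thin Client", False, "OSM-1"),
    Attachment("TC-3", "Thin Client", False, "OSM-1"),          # violates rule 2: all on OSM-1
    Attachment("PRN-1", "Printer", False, "OSM-2"),
    Attachment("PRN-2", "Printer", False, "OSM-4"),             # correct: distributed
    Attachment("FW-int", "Internal firewall", False, "OSM-4"),  # exists once: note only
]

if __name__ == "__main__":
    errs, nts = check_highway(SAMPLE_PLAN)
    print("\n".join(errs + nts))
</```

The same function serves the Automation Highway plan of 2.3.3; there the two time servers are the non-redundant pair that rule 2 applies to, and a single CM104 is what produces the re-plug note.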


2.3.4 Backbone highways

The multi-unit design of SPPA-T3000 allows for the operation of multiple units via the same interface.
Joint system screens, message overviews and homogeneous engineering via the workbench can be
implemented for up to 10 units.

This requires a connection of the individual system networks via 2 backbone highways:
• Application backbone
• Automation backbone
The backbone highways consist of a virtually divided redundant router to which the individual system
networks are connected, also with redundancy.

Figure 7 Basic structure of the backbone highway (figure not reproduced; only device panel labels survived extraction)

* Master connection
** Standby connection


Figure 8 Cabling of e.g. 2 units (figure not reproduced; labels: Hirschmann Router 1 and Hirschmann Router 2 as redundant router coupling, inside firewall, Application Highway and Automation Highway of Unit 1 and Unit 2)

2.3.5 The DMZ network

The DMZ network is a network segment which must be used for external access to the SPPA-T3000
system. External access, e.g. remote service or the connection to an office network, is protected by a 1-
or 2-stage firewall (inside and outside firewall) and, if necessary, decoupled via proxy systems.
When proxies are used there is no direct access to the SPPA-T3000 system.

The following might be present in the DMZ network:

• Terminal server; access for remote service and/or office users to SPPA-T3000

Future additions to the system will include e.g.

• OPC server/client; connection/disconnection of process data
• WIN TS; turbine diagnosis
• .......


2.3.5.1 DMZ sample variants in detail

Only remote service access via Customer Access Gateway (CAG) via Terminal Server

Figure 9 DMZ-Net with remote service access via TS (figure not reproduced; labels: SPPA-T3000 Control System with Application Server and Automation Server, firewall inside, DMZ-Net with Terminal Server, CAG with firewall outside, WAN)

Figure 10 DMZ-Net with remote service access and optional systems (figure not reproduced; labels: SPPA-T3000 Control System with Application Server and Automation Server, firewall inside, DMZ-Net with Terminal Server, OPC Server/Client (optional) and WIN TS (optional), CAG with firewall outside, WAN)


Figure 11 DMZ-Net with remote service access, intranet and optional systems

The following firewall HW is used:

Customer Access Gateway (Outside Firewall)
• Cisco 1800 Series

Inside Firewall
• Hirschmann Eagle mGuard


2.4 Variants (small, standard, multi-unit configuration)

Due to the universal scalability of SPPA-T3000 the system can be used for diverse system sizes, from the
"small" combined heat and power plant (HKW) via the "standard" combined-cycle (GuD) plant to the multi-unit
large power station.
SPPA-T3000 - one system fits all!

2.4.1 Small system

Application and Automation Highway

An SPPA-T3000 small system typically includes

• up to 5 Thin Clients
• 1 Application Server
• 2 parallel message printers
• a number of network printers in accordance with the SIMATIC network limit
• up to 3 Automation Servers
• up to 2500 3rd party I/Os (OPC or M/90) *
• * or up to 2 Automation Servers and up to 5000 3rd party I/Os
• * or 1 Automation Server and up to 7500 3rd party I/Os
• up to 15% network load

With this system size the network is designed as a combined application/Automation Highway. A 1-fault-
tolerant ring is implemented which can be adapted ideally to the system size of the SPPA-T3000. This
allows the hardware costs of the network to be kept to a minimum.

Figure 12 Typical SPPA-T3000 small system (figure not reproduced; only device panel labels survived extraction)

However, the disadvantages of this structure should also be mentioned:

• A conversion of the joint network structure into a separate one requires at least a partial switching-
off of systems and thus a temporary loss of redundancy.
• The load on the joint network can temporarily be higher than that of a separate network and
thereby cause an increase in response times.

2.4.2 Standard system


Separate application and Automation Highway


An SPPA-T3000 standard system typically includes

• up to 5 Thin Clients
• up to 2 Application Servers
• up to 2 parallel message printers
• a number of network printers in accordance with the SIMATIC network limit
• up to 25 Automation Servers
• up to 10,000 3rd party I/Os (OPC or M/90) *
• * or up to 20 Automation Servers and up to 22,500 3rd party I/Os
• up to 15% network load

The SPPA-T3000 standard system has one separate Application Highway and one separate Automation
Highway. These are each designed as a 1-fault-tolerant ring.

Figure 13 Typical SPPA-T3000 standard system (figure not reproduced; only device panel labels survived extraction)


2.4.3 Multi-unit system

An SPPA-T3000 multi-unit system typically includes

• up to 10 units, with a unit representing an SPPA-T3000 standard system without the 2 time servers
• up to 200 Thin Clients, up to 20 per unit
• up to 20 Application Servers, up to 2 per unit
• up to 2 parallel message printers
• a number of network printers in accordance with the SIMATIC network limit
• up to 250 Automation Servers, up to 25 per unit
• up to 10,000 3rd party I/Os (OPC or M/90)
• up to 15% network load

Several SPPA-T3000 standard systems with separate application and Automation Highways are connected
via an additional backbone network. The system networks are always connected redundantly to both
backbone routers. This ensures the accessibility of the system networks even where one (1) hardware
fault is present.

Figure 14 3 units connected via backbones (figure not reproduced; only device panel labels survived extraction)


2.5 Software
During the development of SPPA-T3000 the following user requirements were considered from the
outset:

• Ease of use
• Flexibility in application
• Reliability during operation
• Scalability
• Openness
• Security

2.5.1 Software architecture

The SPPA-T3000 software architecture is based on software components. The functional modules for
automation are represented by individual components providing standardized interfaces. These
components not only represent the standard AS (automation system) functions but also functionalities for
control/monitoring, alarms, engineering and diagnosis. The traditional division into AS, HMI, ES and DS
thus becomes obsolete.
HMI, engineering, diagnosis etc. are merely different views of the system.

2.5.1.1 Software component categories

SPPA-T3000 implements different software component categories.

Project Container
Central data manager for engineering and process data

Saves and organizes

• Project structure
• Hardware topology
• System screens
• Engineering views
• Complete documentation

Manages and guarantees

• Storage
• ECS (Embedded Component Services) types and instances
• Change management


Runtime container
Management and execution

• Automation functions including processing functions
• Hardware proxies
• Management proxies
• Connections between the two
• Scheduling
• Deterministic cycle time
• Execution management

Process automation functions run on Automation Servers (CPU); the non-real-time information functions
are realized on Application Servers.

Automation functions
Components with standardized interfaces

Offers the following main functions

• Automating tasks, e.g. drives, controls, adjustments, calculations and processing functions
• User interface
• Message management
• Diagnosis interface
• Engineering interface
• Execution management

Connection to other automation functions via LT input and output (LT IN/OUT)

Hardware proxy
Represents an I/O module

• Ensures the integration of the raw input data to/from the LT interface (LT IN/OUT)
• Monitors field devices
• Collects diagnosis information about field devices
• Integration and data conversion between raw data and LT interface configurable by the user
• Implements communication protocol with a field device

Management proxy
Coordination of all software components and services

Provides the following main functions

• SPPA-T3000 system services
• Operating System
• Server components
• Network communication
• Field device communication

Connects to other automation functions or proxies via I&C input and output

2.6 Crossover to the "outside world"

As already described in the previous chapters, the SPPA-T3000 system includes 3 functional levels:
• Presentation Tier
• Processing Tier
• Data Tier
Together, the systems of these levels form the control system.
Access by external systems to the control system is subject to strict rules, which are described in more
detail in the following chapters.
"External" or "outside world" means all systems which are not part of the control system but are to have
access to it. Access by these systems can be via:
• DMZ network (optional)
• Client intranet
• Internet
• Dial-in

[Figure: Client intranet, dial-in or internet -> Firewall -> SPPA-T3000 Control System (Application Server, Automation Server, Terminal Server (optional), OPC Server/Client (optional), WIN TS (optional))]

Bild 15 Crossover to "external"


Access to the security cell "Control system" from outside always takes place via at least one firewall
system. If a DMZ network is present the crossover to the outside is implemented via additional firewalls
and router/firewall combinations.

[Figure: Client intranet, dial-in or internet -> Firewall outside -> DMZ-Net (Terminal Server, OPC Server/Client (optional), WIN TS (optional)) -> Firewall inside -> SPPA-T3000 Control System (Application Server, Automation Server)]

Bild 16 Crossover to "external" with DMZ network

Whether a DMZ network is required depends on framework conditions such as:
• Project requirements
• Client security policy

3 Coarse/overriding security concept


The SPPA-T3000 security concept includes the following sub-areas
• Security cells and access points
• Secured network access to the security cells
• Network management
• Computer, user and access right management
• Time synchronization

3.1 Security cells


The SPPA-T3000 security concept is based on security cells with different security levels. The cells can be
nested hierarchically, and the security level decreases from the inside ("secure") to the outside ("not
secure").

Rules for the division into security cells:
• Partial systems which can be operated for some time without being connected to the remainder
of the system
• Direct connection of all components (e.g. no leased lines)
• Separation in space
• Defined access paths in and out
• Access only after check, logging and monitoring
• Access only for trusted individuals with appropriate training

The inner cells consist of the Application and Automation Servers; the next cell includes the Thin Clients.
Together they form the security cell "Control system".
All other cells outside the control system are considered less secure.

[Figure: nested security cells, from the inside outwards: Field, Automation, Application, Thin Client (together the Control System), DMZ Net, External (Intranet, Internet)]
The optional security cell DMZ Net is placed between the security cell Control system and the non-secure
cell intranet/internet. All access to the security cell Control system is then directed via the security cell
DMZ Net. The DMZ Net contains the systems which communicate both externally and internally.

3.2 Communication rule: Everything is prohibited unless explicitly permitted

For access to the security cells Control system and optional DMZ Net a restrictive basic approach is
used:
Everything is prohibited unless explicitly permitted!

In the firewalls of the optional DMZ Net and the Control system the source and target address and the
communication port used are checked. In future, application level firewalls may also be used.

3.3 "Reinforcing" (hardening) the Thin Clients of the Control system

The Thin Clients in the security cell "Control system" provide the operator workstations. This "physical
contact" between man and system implies an increased security risk. For this reason the Thin Clients are
specifically configured and locked down: functions which are not required for normal control operation are
disabled. This ensures that the Thin Client cannot be modified in a way which could affect the Thin Client
itself or other systems in the Control system.
Only "reinforced" Thin Clients may be used in the security cell "Control system".

A Thin Client is "reinforced" for operation in the security cell "Control system" on 3 levels:

Hardware
• Disabling integrated drives and interfaces
• Locked installation location of the Thin Client hardware. Only monitor, keyboard and mouse are
accessible to the operator.

Firmware
• Setup of a BIOS password

Software
Strict limitation of the Thin Client functionality ("locking") for the user "operator", e.g.:
• Automatic start of the web browser with the login screen for the control technology application
• No starting of other websites
• No installation of additional software possible
• No starting of other applications
• No login possible under different user names
• No autostart of any drives present (e.g. CD ROM)
• No access to external drives and USB memory
• No icons, no start button, no task manager, no explorer

Note: The above limitations do not apply to the user "administrator". The administrator account therefore
needs a strong password and must not be used for normal control operation.

3.4 Thin Clients outside the security cell "Control system"

Thin Clients outside the security cell "Control system", e.g. in the client intranet, pose a security risk. In
addition to the access restrictions of the security cell "Control system", external Thin Clients must meet
the following minimum requirements:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client


4 Scenarios for Remote Service Access


The following chapters describe various typical connection scenarios with SPPA-T3000.

4.1 General observations on Remote Service

For external service access via WAN or internet, the access must always be via a Terminal Server (TS)
using Microsoft Terminal Services (MS-TS). Direct access to the Application Server(s) is not possible.
The Terminal Server is either a Thin Client at the Application Highway or a server in the DMZ. With a
Thin Client as Terminal Server only one remote session is possible; the local session must be logged
out first.
If more than one terminal session is to be allowed at the Terminal Server, standard server hardware and
a server operating system must be used.
The only exception to this rule are the SSH-based applications (Secure Shell, SFTP and SCP), which,
exclusively for service purposes, may also run directly on the Application Server and the Thin Clients.

4.1.1 Comparison of external Terminal Servers and combined Thin Clients / Terminal Servers

Property                              | External Terminal Server                                     | Combined TC / TS
Location                              | outside the security cell Control System                     | inside the security cell Control System
Security                              | more secure, because it is outside the security cell Control System | less secure, because it is inside the security cell Control System
Number of sessions                    | several; dependent on computing power                        | 1 session, either local or remote
Number of workbenches to be connected | several; dependent on computing power                        | 1

4.1.2 File transfer using RDP and SSH

File transfer is an important application between the service center and the Control system. Diagnosis
data, patches, virus pattern updates etc. are frequently transferred in both directions.
Microsoft Terminal Services (MS-TS) is one of the main service applications and also offers a file transfer
option: resources of the client, e.g. its drives, are redirected to the server. When using the cRSP, the MS-TS
client runs on CAT clients in the intranet. With drive redirection via MS-TS, all network drives and any
inserted USB drives of the CAT client would be connected to the server. This situation cannot be changed
administratively and poses a high security risk for the server. For this reason the redirection of drives via
MS-TS is prohibited.

As an alternative, file transfer via SSH is used. On Application Servers and Thin Clients an SSH
program will be installed or enabled in future.

SSH File Transfer Protocol (SFTP) permits secure data transfer and data access on remote systems.
Secure Copy (SCP) ensures the confidentiality, integrity and authenticity of the transferred data. For this,
SSH is used.
Note that the protection offered by SSH depends on the client verifying the host key of the remote system:
the fingerprint of the Application Server or Thin Client key must be known beforehand, otherwise a session
can be redirected to another system without this being noticed.
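The host-key check that SFTP and SCP depend on, as an added example that is not part of this manual: it reads a known_hosts entry for the Application Server, computes the OpenSSH-style SHA-256 fingerprint of the stored key and compares it with the fingerprint the service center communicated out of band. The host name "appserver", the dummy key (32 bytes of 0x01, not a real key) and the known_hosts lines are constructed for the demo; hashed host names (lines starting with "|1|") are not handled.

```python
"""Verify an SSH host key from a known_hosts line against an out-of-band
fingerprint before the first SFTP/SCP session (added example, not from the
SPPA-T3000 manual). All key material below is a constructed dummy."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_key_blob(key_type: str, raw_key: bytes) -> bytes:
    """Build the public-key blob that known_hosts stores base64-encoded."""
    return ssh_string(key_type.encode()) + ssh_string(raw_key)


def parse_known_hosts_line(line: str):
    """Return (host, key_type, blob) for a plain 'host type base64' entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    host, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64)
    # The blob names its own algorithm; it must agree with the text field.
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode()
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {embedded}")
    return host, key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line: str, expected_host: str, expected_fp: str) -> bool:
    """True only if host and fingerprint both match; any parse error is a fail."""
    try:
        host, _, blob = parse_known_hosts_line(line)
    except (ValueError, struct.error):
        return False
    return host == expected_host and fingerprint_sha256(blob) == expected_fp


# Constructed demo data (assumption): host "appserver", dummy ed25519 key.
DEMO_BLOB = build_key_blob("ssh-ed25519", bytes([0x01]) * 32)
DEMO_LINE = "appserver ssh-ed25519 " + base64.b64encode(DEMO_BLOB).decode()
# In practice this value arrives out of band (phone, signed mail), not over the link.
DEMO_EXPECTED_FP = fingerprint_sha256(DEMO_BLOB)
# Tampered entry: same host name, different key (what a redirected session presents).
TAMPERED_BLOB = build_key_blob("ssh-ed25519", bytes([0x02]) * 32)
TAMPERED_LINE = "appserver ssh-ed25519 " + base64.b64encode(TAMPERED_BLOB).decode()
# Entry whose text field disagrees with the blob's own algorithm name.
MISMATCH_LINE = "appserver ssh-rsa " + base64.b64encode(DEMO_BLOB).decode()

if __name__ == "__main__":
    print("expected:", DEMO_EXPECTED_FP)
    print("genuine entry ok:", host_key_matches(DEMO_LINE, "appserver", DEMO_EXPECTED_FP))
    print("tampered entry ok:", host_key_matches(TAMPERED_LINE, "appserver", DEMO_EXPECTED_FP))
```

The fingerprint computed here is the same value that `ssh-keygen -l -f known_hosts` prints for the entry, so the service engineer can compare it with the value the plant has on record before the first transfer.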


4.2 Service access to SPPA-T3000

SPPA-T3000 Service centers rely on the remote service for the fast analysis and correction of faults.
Remote Service implies a temporary data connection between the service center and the SPPA-T3000
system. The system can be connected to the service center via dial-up (ISDN or analog) or over the
internet.
There are 2 cases:
a.) A dedicated service access for SPPA-T3000, Customer Access Gateway (CAG)
b.) A service access provided by the client, Customer Owned Gateway (COG)

In both cases a connection from the Siemens-wide Common Remote Service Platform (cRSP) to the
system is made when required. The cRSP is a centralized infrastructure permitting connections to
systems with Siemens technology globally via 3 access points.

Bild 17 cRSP structure


4.2.1 Service access to SPPA-T3000 via Customer Access Gateway (CAG)


A CAG is a router with firewall, security features and at least one WAN and one LAN interface. The WAN
access can be configured for dial-up or internet connection.

4.2.1.1 Service access via CAG through dial-up connection (ISDN or POTS*) or internet
* Plain Old Telephone Service = analog connection

Dial-up connections
For dial-up connections the service access methods are as follows:
• ISDN: 64 kbit/s
• POTS: typically 33.6 kbit/s, often less

In dial-up connections IPSec (IP Security) must be used if there are no significant reasons* against it.
*) e.g. legal reasons, country-specific reasons.

Internet connections
In an internet connection as service access the bandwidth depends on the selected tariff.
Recommendations for minimum bandwidth:
• 192 kbit/s upstream
• 2000 kbit/s downstream

The internet access should preferably be available via a fixed IP address.
In future dynamic IP addresses should also be supported.

A connection between cRSP and the system over the internet uses public resources; therefore
mechanisms for the security of the transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packets are encrypted using 3DES* encryption.
* In export-critical countries possibly only with DES. Note that single DES has a 56-bit key and can be
broken by brute force with modest resources; a tunnel limited to DES protects against casual eavesdropping
only and must not be relied on for confidentiality.

Note:
The Siemens remote service access is only intended for the service via cRSP. The specific setup of the
access does not permit any other use.


Service access via dial-up or internet connection through a combined CAG/firewall system on TC/TS

Bild 18 Service Access via dial-up or internet connection on Thin Client/Terminal Server

Communication relationships between cRSP, TC/TS and Appl. Server
Permissions required in the CAG/Firewall System:

Application            | Direction            | Source IP                                     | Target IP       | Protocol / target port
Terminal session MS-TS | cRSP -> TC/TS        | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP        | RDP, TCP 3389
Secure Shell SSH       | cRSP -> TC/TS        | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP        | SSH, TCP 22
Secure Shell SSH       | cRSP -> TCs          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs          | SSH, TCP 22
Secure Shell SSH       | cRSP -> Appl. Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP | SSH, TCP 22


TC/TS: combined Thin Client / Terminal Server

Service access via dial-up or internet connection on a Terminal Server in the DMZ

Bild 19 Service access via dial-up or internet connection on terminal server in the DMZ

Communication relationships between cRSP, TS in the DMZ, and Control System
Permissions required in the CAG "outside firewall":

Application            | Direction               | Source IP                                     | Target IP          | Protocol / target port
Terminal session MS-TS | cRSP -> Terminal Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Terminal Server IP | RDP, TCP 3389
Secure Shell SSH       | cRSP -> Terminal Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Terminal Server IP | SSH, TCP 22
Secure Shell SSH       | cRSP -> Appl. Server    | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP    | SSH, TCP 22
Secure Shell SSH       | cRSP -> TCs             | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs             | SSH, TCP 22

Communication relationships between TS in the DMZ, cRSP, and Control System
Permissions required at the "inside firewall", the access to the security cell "Control System":

Application            | Direction                        | Source IP                                     | Target IP       | Protocol / target port
Terminal session MS-TS | Terminal Server -> Appl. Server  | Terminal Server IP                            | Appl. Server IP | RDP, TCP 3389
Terminal session MS-TS | Terminal Server -> Thin Clients  | Terminal Server IP                            | Thin Client IPs | RDP, TCP 3389
Workbench connection   | Terminal Server -> Appl. Servers | Terminal Server IP                            | Appl. Server IP | HTTPS, TCP 443
Remote Diagnostic View | Terminal Server -> Appl. Server  | Terminal Server IP                            | Appl. Server IP | HTTP, TCP 8080
Secure Shell SSH       | Terminal Server -> Appl. Server  | Terminal Server IP                            | Appl. Server IP | SSH, TCP 22
Secure Shell SSH       | cRSP -> Appl. Server             | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP | SSH, TCP 22
Secure Shell SSH       | cRSP -> TCs                      | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs          | SSH, TCP 22

Service access via dial-up or internet connection through a combined CAG/firewall system on Thin
Client/Terminal Server and WIN TS

Bild 20 Service Access via dial-up or internet connection on TC/TS and WIN TS

Communication relationships between cRSP, TC/TS, WIN TS, and Control System
Permissions required in the CAG/Firewall System:

Application                          | Direction               | Source IP                                     | Target IP                    | Protocol / target port
Terminal session MS-TS               | cRSP -> TC/TS           | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP                     | RDP, TCP 3389
Secure Shell SSH                     | cRSP -> TC/TS           | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP                     | SSH, TCP 22
Secure Shell SSH                     | cRSP -> TCs             | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs                       | SSH, TCP 22
Secure Shell SSH                     | cRSP -> Appl. Server    | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP              | SSH, TCP 22
Remote Service Board RSB             | cRSP -> WIN-TS          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | WIN-TS RSB IP                | HTTP, TCP 80; HTTPS, TCP 443
File Transfer FTP                    | WIN-TS <-> cRSP         | WIN-TS IP                                     | 194.138.39.19, 129.73.116.91 | FTP, TCP 20 + 21
WIN TS OPC connection via OPC tunnel | WIN TS <-> Appl. Server | WIN-TS IP                                     | Appl. Server IP              | OPC Tunneler, TCP 21379

TC/TS: combined Thin Client / Terminal Server


Service access via dial-up or internet connection through CAG, Terminal Server and WIN TS in the DMZ

[Figure: Siemens cRSP Access Server -> VPN tunnel (service data over internet or dial-up lines) -> CAG with Firewall outside -> DMZ-Net (Terminal Server, WIN TS (optional)) -> Firewall inside -> SPPA-T3000 Control System (Application Server, Automation Server)]

Bild 21 Service Access via dial-up or internet connection, TS and WIN TS in the DMZ

Communication relationships between cRSP, TS, and WIN TS in the DMZ and Control System
Permissions required in the CAG "outside firewall":

Application              | Direction               | Source IP                                     | Target IP                    | Protocol / target port
Terminal session MS-TS   | cRSP -> Terminal Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Terminal Server IP           | RDP, TCP 3389
Secure Shell SSH         | cRSP -> Terminal Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Terminal Server IP           | SSH, TCP 22
Secure Shell SSH         | cRSP -> Appl. Server    | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP              | SSH, TCP 22
Secure Shell SSH         | cRSP -> TCs             | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs                       | SSH, TCP 22
Remote Control VNC       | cRSP -> WIN-TS          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | WIN-TS IP                    | VNC, TCP 5800
Remote Service Board RSB | cRSP -> WIN-TS          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | WIN-TS RSB IP                | HTTP, TCP 80; HTTPS, TCP 443
File Transfer FTP        | WIN-TS <-> cRSP         | WIN-TS IP                                     | 194.138.39.19, 129.73.116.91 | FTP, TCP 20 + 21


Communication relationships between TS and WIN TS in the DMZ, cRSP, and Control System
Permissions required at the "inside firewall", the access to the security cell "Control System":

Application                          | Direction                        | Source IP                                     | Target IP       | Protocol / target port
Terminal session MS-TS               | Terminal Server -> Appl. Server  | Terminal Server IP                            | Appl. Server IP | RDP, TCP 3389
Terminal session MS-TS               | Terminal Server -> Thin Clients  | Terminal Server IP                            | Thin Client IPs | RDP, TCP 3389
Workbench connection                 | Terminal Server -> Appl. Server  | Terminal Server IP                            | Appl. Server IP | HTTPS, TCP 443
Diagnostic View HTTP connection      | Terminal Server -> Appl. Servers | Terminal Server IP                            | Appl. Server IP | HTTP, TCP 8080
Secure Shell SSH                     | Terminal Server -> Appl. Server  | Terminal Server IP                            | Appl. Server IP | SSH, TCP 22
Secure Shell SSH                     | cRSP -> Appl. Servers            | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP | SSH, TCP 22
Secure Shell SSH                     | cRSP -> TCs                      | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs          | SSH, TCP 22
WIN TS OPC connection via OPC tunnel | WIN TS <-> Appl. Server          | WIN-TS IP                                     | Appl. Server IP | OPC Tunneler, TCP 21379


4.2.2 Service access via Customer Owned Gateway (COG)

If the client provides a service access, this is a Customer Owned Gateway (COG).
Where a COG exists, the connection is not made directly from the cRSP to the CAG and the DMZ of the
SPPA-T3000 system but to the client gateway. After authentication the data is transferred from the cRSP
over the client network to the gateway at the DMZ.
With regard to the communication relationships there is little change compared to access through a CAG.
The client must enable the protocols required by the service at the access gateway and in the client network.

4.2.2.1 Service access through COG via dial-up connection (ISDN)


For a COG with ISDN Dial-in the security policy of the client usually determines whether IPSec encryption
is to be applied to the dial-up connection or not. As far as the standard for SPPA-T3000 is concerned,
IPSec (IP Security) must be used unless there are significant reasons* against it.
*) e.g. legal reasons, country-specific reasons.
However, technical reasons at the COG may also prevent the use of IPSec. In this case the use of
alternatives must be checked.

For external access via WAN or internet the access may not be direct to the Application Server(s) but
must always be via a Terminal Server (TS) using Microsoft Terminal Services (MS-TS). See chapter 4.1

Optional additional systems, e.g. WIN-TS are also connected at least via the T3000 firewall or are within
the optional DMZ. This means they can also be accessed externally through the COG.

4.2.2.2 Service access through COG via internet VPN connection


If the client provides an internet access as service access point, establishing a VPN tunnel is mandatory.
A connection between cRSP and the system over the internet uses public resources; therefore
mechanisms for the security of the transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packets are encrypted using 3DES* encryption.
* In export-critical countries possibly only with DES

For the external access via internet the same conditions as for dial-up connections apply.


Service access through COG, TS in the DMZ (only permitted with RDP encryption)

Bild 22 Service Access through COG and client intranet on TS in the DMZ

Note:
This variant is only permitted with RDP encryption. Encryption must be enabled at the Terminal Server.
The built-in RDP encryption does not authenticate the Terminal Server to the client; where the Terminal
Server supports it, use the SSL/TLS security layer with a server certificate so that a session crossing the
client intranet cannot be redirected to another host unnoticed.

Communication relationships between cRSP, COG, and TS
Permissions required in the firewall of the Customer Owned Gateway, in the client intranet and in the
SPPA-T3000 firewall:

Application                      | Direction                       | Source IP                                     | Target IP       | Protocol / target port
Terminal session MS-TS encrypted | cRSP -> TS                      | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TS IP           | RDP, TCP 3389
Workbench connection             | Terminal Server -> Appl. Server | Terminal Server IP                            | Appl. Server IP | HTTPS, TCP 443
Secure Shell SSH                 | cRSP -> TS                      | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TS IP           | SSH, TCP 22
Secure Shell SSH                 | cRSP -> TCs                     | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs          | SSH, TCP 22
Secure Shell SSH                 | cRSP -> Appl. Server            | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP | SSH, TCP 22


Service access through COG, Thin Client as Terminal Server

[Figure: Siemens cRSP Access Server -> VPN tunnel (service data over internet or dial-up lines) -> COG / client firewall -> client intranet -> Firewall -> SPPA-T3000 Control System (TC/TS, Application Server, Automation Server)]

Bild 23 Service Access via dial-up or internet connection on Thin Client/Terminal Server

Communication relationships between cRSP, COG, and TC/TS
Permissions required in the firewall of the Customer Owned Gateway, in the client intranet and in the
SPPA-T3000 firewall:

Application            | Direction            | Source IP                                     | Target IP       | Protocol / target port
Terminal session MS-TS | cRSP -> TC/TS        | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP        | RDP, TCP 3389
Secure Shell SSH       | cRSP -> TC/TS        | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP        | SSH, TCP 22
Secure Shell SSH       | cRSP -> TCs          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs          | SSH, TCP 22
Secure Shell SSH       | cRSP -> Appl. Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP | SSH, TCP 22


Service access through COG, Thin Client as Terminal Server and optional WIN TS

Bild 24 Service Access via dial-up or internet connection on TC/TS and optional WIN TS

Communication relationships between cRSP, COG, Thin Client/Terminal Server, and optional WIN TS
Permissions required in the firewall of the Customer Owned Gateway, in the client intranet and in the
T3000 firewall:

Application              | Direction            | Source IP                                     | Target IP                    | Protocol / target port
Terminal session MS-TS   | cRSP -> TC/TS        | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP                     | RDP, TCP 3389
Secure Shell SSH         | cRSP -> TC/TS        | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC/TS IP                     | SSH, TCP 22
Secure Shell SSH         | cRSP -> TCs          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs                       | SSH, TCP 22
Secure Shell SSH         | cRSP -> Appl. Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP              | SSH, TCP 22
Remote Control VNC       | cRSP -> WIN-TS       | 194.138.39.24, 194.138.243.178, 129.73.116.92 | WIN-TS IP                    | VNC, TCP 5800
Remote Service Board RSB | cRSP -> WIN-TS       | 194.138.39.24, 194.138.243.178, 129.73.116.92 | WIN-TS RSB IP                | HTTP, TCP 80; HTTPS, TCP 443
File Transfer FTP        | WIN-TS <-> cRSP      | WIN-TS IP                                     | 194.138.39.19, 129.73.116.91 | FTP, TCP 20 + 21


Communication relationships between SPPA-T3000 Application Server and optional WIN TS
Permissions required in the T3000 firewall:

Application                          | Direction              | Source IP | Target IP       | Protocol / target port
WIN TS OPC connection via OPC tunnel | WIN TS -> Appl. Server | WIN-TS IP | Appl. Server IP | OPC Tunneler, TCP 21379

Service access through COG, Terminal Server and optional WIN TS in the DMZ

Bild 25 Service Access via dial-up or internet connection on TS and optional WIN TS in the DMZ


Communication relationships between cRSP and COG and the DMZ Net
Permissions required in the firewall of the Customer Owned Gateway and the inside firewall in the DMZ Net:

Application              | Direction               | Source IP                                     | Target IP                    | Protocol / target port
Terminal session MS-TS   | cRSP -> Terminal Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TS IP                        | RDP, TCP 3389
Secure Shell SSH         | cRSP -> Terminal Server | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TS IP                        | SSH, TCP 22
Secure Shell SSH         | cRSP -> TCs             | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs                       | SSH, TCP 22
Secure Shell SSH         | cRSP -> Appl. Server    | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP              | SSH, TCP 22
Remote Control VNC       | cRSP -> WIN-TS          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | WIN-TS IP                    | VNC, TCP 5800
Remote Service Board RSB | cRSP -> WIN-TS          | 194.138.39.24, 194.138.243.178, 129.73.116.92 | WIN-TS RSB IP                | HTTP, TCP 80; HTTPS, TCP 443
File Transfer FTP        | WIN-TS <-> cRSP         | WIN-TS IP                                     | 194.138.39.19, 129.73.116.91 | FTP, TCP 20 + 21

Communication relationships between DMZ systems and Control System
Permissions required at the "inside firewall", the access to the security cell "Control System":

Application                          | Direction                        | Source IP                                     | Target IP       | Protocol / target port
Workbench HTTPS connection           | Terminal Server -> Appl. Server  | TS IP                                         | Appl. Server IP | HTTPS, TCP 443
Diagnostic View HTTP connection      | Terminal Server -> Appl. Servers | TS IP                                         | Appl. Server IP | HTTP, TCP 8080
Secure Shell SSH                     | Terminal Server -> Appl. Server  | TS IP                                         | Appl. Server IP | SSH, TCP 22
Secure Shell SSH                     | cRSP -> TCs                      | 194.138.39.24, 194.138.243.178, 129.73.116.92 | TC IPs          | SSH, TCP 22
Secure Shell SSH                     | cRSP -> Appl. Server             | 194.138.39.24, 194.138.243.178, 129.73.116.92 | Appl. Server IP | SSH, TCP 22
WIN TS OPC connection via OPC tunnel | WIN TS -> Appl. Server           | WIN-TS IP                                     | Appl. Server IP | OPC Tunneler, TCP 21379


4.3 Connection of SPPA-T3000 to an intranet


The connection to an existing client intranet must always be via the inside firewall. In this case it is
designed as a router/firewall. On the inside firewall the rules for limiting the data traffic from the client
intranet are parameterized. Access from the client intranet directly, e.g. by Thin Clients (TC), by Remote
Service through a COG, or a combination of both is possible. Besides the firewall function the router also
enables the resolution of address conflicts between the client intranet and SPPA-T3000 through NAT
(Network Address Translation).

[Figure: Client intranet with COG and client firewall -> Router with Firewall inside -> DMZ-Net (Terminal Server, WIN TS (optional)) -> SPPA-T3000 Control System (Application Server, Automation Server)]

Bild 26 Connection of SPPA-T3000 to a client intranet

The details for remote access through COG and client intranet have already been covered in previous
chapters (see chapter 4.2.2). The following describes in detail additional rules for access of Thin Clients
from within the client intranet.


4.3.1 Thin Client in the intranet with access to SPPA-T3000


The client intranet is considered an "untrusted area". Access by Thin Clients from within the client intranet
must therefore be secured separately.
A Thin Client can have access to the SPPA-T3000 Application Server via a Terminal Server in the DMZ.

Bild 27 Connection of a Thin Client in the intranet to SPPA-T3000


Communication relationships via the client firewall
Permissions required in the client firewall:

Application            | Direction             | Source IP | Target IP | Protocol / target port
Terminal session MS-TS | TC -> Terminal Server | TC IP     | TS IP     | RDP, TCP 3389

Communication relationships between TS in the DMZ and Control System
Permissions required at the "inside firewall", the access to the security cell "Control System":

Application          | Direction                       | Source IP       | Target IP       | Protocol / target port
Workbench connection | Terminal Server -> Appl. Server | TS IP           | Appl. Server IP | HTTPS, TCP 443
RMI registry         | Terminal Server -> Appl. Server | TS IP           | Appl. Server IP | RMI, TCP 1099
RMI communication    | Terminal Server -> Appl. Server | TS IP           | Appl. Server IP | RMI, TCP 50000-50050
RMI to Workbench*    | Appl. Server -> Terminal Server | Appl. Server IP | TS IP           | RMI, TCP 50000-50009
* outgoing connection (initiated by the Application Server)


Option: Thin Client access via VPN Client Connection

The Thin Client in the client intranet must first establish a VPN connection (VPN tunnel) to the inside
firewall (router/firewall) in the DMZ. The inside firewall acts as VPN gateway.
The HTTPS and RMI connections are then channeled through this protected tunnel.
The Thin Client in the client intranet must meet the requirements in chapter 3.4.

Conditions for the establishment of a VPN tunnel between TC and inside firewall:
• TC: VPN client software (Cisco VPN Client) installed and configured; for configuring the Cisco VPN
Client see "appendix"
• Inside firewall: configuration as VPN gateway

Bild 28 Connection of a Thin Client in the client intranet to SPPA-T3000 via VPN Client Connection


Communication relationships via the client firewall
Permissions required in the client firewall:

Application                                     | Direction         | Source IP | Target IP                          | Protocol / target port
Establishment of VPN connection, key management | TC -> VPN gateway | TC IP     | VPN gateway on the inside firewall | ISAKMP, UDP 500
IPSec NAT transparency                          | TC -> VPN gateway | TC IP     | VPN gateway on the inside firewall | UDP 10000
IPSec tunnel encapsulation                      | TC -> VPN gateway | TC IP     | VPN gateway on the inside firewall | ESP

Communication relationships between TC in the client intranet and the VPN gateway in the inside
firewall
Permissions required at the inside firewall, the access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Application communication

Re 1, establishing the tunnel:

Application                                     | Direction         | Source IP | Target IP                          | Protocol / target port
Establishment of VPN connection, key management | TC -> VPN gateway | TC IP     | VPN gateway on the inside firewall | ISAKMP, UDP 500
IPSec NAT transparency                          | TC -> VPN gateway | TC IP     | VPN gateway on the inside firewall | UDP 10000
IPSec tunnel encapsulation                      | TC -> VPN gateway | TC IP     | VPN gateway on the inside firewall | ESP

Re 2, application communication:

Application                | Direction          | Source IP                | Target IP                | Protocol / target port
Workbench HTTPS connection | TC -> Appl. Server | VPN-Client IP of the TC* | Appl. Server IP          | HTTPS, TCP 443
RMI registry               | TC -> Appl. Server | VPN-Client IP of the TC* | Appl. Server IP          | RMI, TCP 1099
RMI communication          | TC -> Appl. Server | VPN-Client IP of the TC* | Appl. Server IP          | RMI, TCP 50001-50050
RMI to Workbench**         | Appl. Server -> TC | Appl. Server IP          | VPN-Client IP of the TC* | RMI, TCP 50000-50001***
* allocated by the VPN gateway
** outgoing connection (initiated by the Application Server)
*** expandable up to 50009 if required (e.g. multi-unit)
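A default-deny matcher for the permission tables, as an added example that is not part of this manual: it encodes rows from the "inside firewall" tables of chapter 4.2.1.1 and the VPN tunnel tables above as a pure permit list and answers whether a given flow is allowed, as the rule of chapter 3.2 ("everything is prohibited unless explicitly permitted") requires. Anything not listed, including the reverse direction of a permitted flow or a port the tables do not mention, is denied. It checks only source address, target address, protocol and target port, which is what chapter 3.2 says the firewalls check. The three cRSP addresses are the ones listed in the tables; every other address (Terminal Server, Application Server, Thin Client subnet, VPN gateway) is an assumed demo value.

```python
"""Default-deny flow check over the SPPA-T3000 permission tables (added
example, not from the manual). Addresses other than the three cRSP access
servers are assumed demo values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Role -> addresses/networks. cRSP values are taken from the manual's tables;
# the others are assumptions for the demo.
ROLES = {
    "cRSP": ["194.138.39.24", "194.138.243.178", "129.73.116.92"],
    "Terminal Server": ["10.10.1.10"],
    "Appl. Server": ["10.10.0.10"],
    "TC": ["10.10.2.0/24"],
    "VPN gateway": ["10.10.1.1"],
}


@dataclass(frozen=True)
class Rule:
    src: str                    # role name of the source
    dst: str                    # role name of the target
    proto: str                  # "tcp", "udp" or "esp"
    port: Optional[int] = None  # target port; None for ESP, which has no ports
    label: str = "permit"


# Permit list transcribed from the tables; everything else is implicitly denied.
INSIDE_FIREWALL = [
    Rule("Terminal Server", "Appl. Server", "tcp", 3389, "MS-TS"),
    Rule("Terminal Server", "TC", "tcp", 3389, "MS-TS"),
    Rule("Terminal Server", "Appl. Server", "tcp", 443, "Workbench HTTPS"),
    Rule("Terminal Server", "Appl. Server", "tcp", 8080, "Diagnostic View"),
    Rule("Terminal Server", "Appl. Server", "tcp", 22, "SSH"),
    Rule("cRSP", "Appl. Server", "tcp", 22, "SSH"),
    Rule("cRSP", "TC", "tcp", 22, "SSH"),
    Rule("TC", "VPN gateway", "udp", 500, "ISAKMP"),
    Rule("TC", "VPN gateway", "udp", 10000, "IPsec NAT transparency"),
    Rule("TC", "VPN gateway", "esp", None, "IPsec ESP"),
]


def in_role(ip: str, role: str) -> bool:
    """True if ip belongs to one of the addresses/networks of the role."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ROLES[role])


def permitted(rules, src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None):
    """Return the label of the first permit rule matching the flow, else None (deny)."""
    proto = proto.lower()
    for r in rules:
        if r.proto != proto:
            continue
        if r.port is not None and r.port != dport:
            continue
        if in_role(src_ip, r.src) and in_role(dst_ip, r.dst):
            return r.label
    return None  # implicit deny: no explicit permission exists for this flow


if __name__ == "__main__":
    flows = [
        ("10.10.1.10", "10.10.0.10", "tcp", 3389),     # TS -> Appl. Server, RDP
        ("194.138.39.24", "10.10.0.10", "tcp", 3389),  # cRSP -> Appl. Server, RDP: must go via the TS
        ("10.10.0.10", "10.10.1.10", "tcp", 3389),     # reverse direction of a permitted flow
        ("10.10.2.5", "10.10.1.1", "esp", None),       # TC -> VPN gateway, ESP
        ("10.10.2.5", "10.10.0.10", "tcp", 443),       # TC intranet address, no tunnel -> Appl. Server
    ]
    for f in flows:
        print(f, "->", permitted(INSIDE_FIREWALL, *f) or "DENY")
```

Rule order is irrelevant because the list contains permits only; the first thing to add when translating such a table into a real firewall is the explicit final deny, and the second is a reject line for each direction the tables leave out (for example Application Server to Terminal Server on 3389), so that a later "temporary" permit cannot silently widen the cell boundary.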


4.4 SPPA-T3000 connection to the internet

The connection of SPPA-T3000 to the internet may be required for the following reasons:
• Access for client personnel
• Access for third parties

The use of the internet by Siemens remote service has already been covered in chapter 4.2. There it was
also defined that the internet access via the Customer Access Gateway CAG (the internet is connected
directly to the DMZ Net via the CAG) may only be used for service via cRSP.
It follows that access by client personnel and third parties to SPPA-T3000 must be carried out via a
separate internet access.

A connection over the internet uses public resources; therefore mechanisms for the security of the
transferred data are mandatory:
• A VPN tunnel is only established after successful authentication.
• Authentication is encrypted.
• In the VPN tunnel the data packets are encrypted using 3DES* encryption.
* In export-critical countries possibly only with DES

4.4.1 Thin Client in the internet

In addition to the Remote Service via the internet it may be necessary to connect individual Thin
Clients to SPPA-T3000 over the internet, e.g. client personnel working from home.
The client must provide the corresponding access for this purpose. This gateway forms the access point
for individual systems via internet or dial-in.
The internet is considered an "untrusted area". Therefore, access by TCs from the internet must be
specially secured. The TC in the internet must first establish a VPN connection (VPN tunnel) to the client
gateway. Protected by this VPN tunnel, an MS-TS connection to the Terminal Server in the DMZ can be
made. No direct access to SPPA-T3000 systems from the internet is permitted.

The Thin Client in the internet must meet a minimum of the following requirements:
• Recognized anti-virus program with current signatures installed
• All relevant security updates of the manufacturers have been installed
• Only trusted standard software has been installed on this Thin Client


Figure 29 Connection of TC in the internet to SPPA-T3000 via VPN tunnel and TS

The communication is divided into 2 parts:

1. Establishment of the VPN tunnel (client responsibility)
2. Establishment of the MS-TS connection to the Terminal Server in the DMZ Net of SPPA-T3000;
   RDP encryption must be enabled at the Terminal Server

Communication relationships between TC in the internet and TS in the DMZ Net
Permissions required in the VPN gateway/firewall of the client and in the inside firewall of the DMZ Net

Application                       | Connection direction  | Source IP                | Target IP | Protocol/target port
Terminal session MS-TS, encrypted | TC -> Terminal Server | VPN-Client IP of the TC* | TS IP     | RDP, TCP 3389

Communication relationships between TS in the DMZ Net and Control System
Permissions required at the inside firewall, which controls access to the security cell "Control System"

Application                | Connection direction            | Source IP | Target IP       | Protocol/target port
Workbench connection HTTPS | Terminal Server -> Appl. server | TS IP     | Appl. Server IP | HTTPS, TCP 443

* allocated by the VPN gateway


4.5 Wireless Thin Clients in the control station and power station

Wireless networks in power stations permit greater independence and flexibility during commissioning,
service and operation of the plant.
Via wireless Thin Clients the SPPA-T3000 control and monitoring interface is available at any location
within wireless reach.
The wireless connection is considered an "untrusted area". Therefore, access by wireless Thin Clients
must be specially secured.
Note: For the security mechanisms described the export and country-specific restrictions on encryption
methods and the length of keys must be taken into account.

Protection takes place in 2 stages:

1. Security mechanisms on the wireless route, i.e. between wireless access point and wireless
   client, through:

   Hidden SSID (Service Set Identifier, wireless network identifier)
   The SSID is then not visible to other devices. Only wireless Thin Clients which have the same network
   name configured as the access point can connect to the wireless network.

   Authentication and encryption
   Recommendation: WPA-PSK
   Here a fixed key (Pre-Shared Key) is stored in each client and access point and used for authentication
   and for the subsequent encryption. AES or TKIP should be used as the encryption method.
   Note: The key should have the maximum possible length. It should be complex (e.g. consisting of random
   numbers, upper- and lower-case letters and special characters, with few repetitions). If a device is lost
   or the key becomes public, the key must be changed on all devices for security reasons.

   Definition of permitted wireless Thin Clients
   The wireless Thin Clients with access permission must be entered at the wireless access point by their
   MAC addresses.

2. Securing the complete communication path between the wireless Thin Client and the inside
   firewall through a VPN connection.

   For the communication between a wireless Thin Client and SPPA-T3000 a VPN connection (VPN tunnel)
   to the inside firewall (router/firewall) in the DMZ must be established. The inside firewall acts as the
   VPN gateway.
   The HTTPS and, where used, RMI connections are then channeled through this protected tunnel.

Conditions for the establishment of a VPN tunnel between wireless Thin Client and inside firewall:
• Wireless Thin Client: VPN client software (Cisco VPN Client) installed and configured; for configuring
  the Cisco VPN Client see the appendix
• Inside firewall: configured as VPN gateway
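The following Python script is an added example and is not part of the manual or of any Siemens tooling. It turns the key guidance above (maximum possible length, mixed character classes, few repetitions, change the key everywhere once it leaks) into checks that can be run before a key is rolled out, and it derives the actual WPA-PSK from passphrase and SSID with the standard PBKDF2-HMAC-SHA1 construction. The 8 to 63 character range and the derivation are from the WPA standard; the concrete repetition thresholds are my own interpretation of "few repetitions" and are marked as such in the code.

```python
import hashlib
import secrets
import string
from typing import List

# Constructed example: WPA-PSK passphrase checks and PSK derivation.
PSK_MIN_LEN = 8    # WPA standard: ASCII passphrase is 8 to 63 characters
PSK_MAX_LEN = 63
SPECIALS = string.punctuation


def assess_passphrase(passphrase: str) -> List[str]:
    """Return a list of findings; an empty list means the passphrase meets the
    manual's guidance. Every finding should be fixed, none is optional."""
    findings = []
    n = len(passphrase)
    if n < PSK_MIN_LEN or n > PSK_MAX_LEN:
        findings.append(f"length {n} outside the valid WPA-PSK range {PSK_MIN_LEN}-{PSK_MAX_LEN}")
        return findings
    if n < PSK_MAX_LEN:
        findings.append(f"length {n} is below the maximum possible length {PSK_MAX_LEN}")
    if not any(c.isdigit() for c in passphrase):
        findings.append("no digits")
    if not any(c.islower() for c in passphrase):
        findings.append("no lower-case letters")
    if not any(c.isupper() for c in passphrase):
        findings.append("no upper-case letters")
    if not any(c in SPECIALS for c in passphrase):
        findings.append("no special characters")
    # Repetition checks (thresholds are my own assumption): no character three
    # times in a row, and no single character dominating the passphrase.
    for i in range(n - 2):
        if passphrase[i] == passphrase[i + 1] == passphrase[i + 2]:
            findings.append(f"character {passphrase[i]!r} repeated three times in a row")
            break
    most_common = max(passphrase.count(c) for c in set(passphrase))
    if most_common > max(2, n // 6):
        findings.append("a single character makes up a large share of the passphrase")
    return findings


def generate_passphrase(length: int = PSK_MAX_LEN) -> str:
    """Draw a passphrase from a CSPRNG and retry until it passes every check."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not assess_passphrase(candidate):
            return candidate


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    The PSK depends only on passphrase and SSID, so every client and the access
    point hold the identical key: one lost device exposes the key of all of them.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32)


if __name__ == "__main__":
    for candidate in ("short", "OnlyLettersHere!", generate_passphrase()):
        print(f"{candidate[:20]:<20} -> {assess_passphrase(candidate) or 'OK'}")
    # Constructed SSID; the derived key is what the access point actually stores.
    print(derive_psk(generate_passphrase(), "PLANT-WLAN").hex())
```

The derivation is checked against the published test vector for passphrase "password" and SSID "IEEE"; the generated 63-character key passes all checks, and the same passphrase yields the same PSK regardless of which device derives it.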


Figure 30 Connection of wireless Thin Clients to SPPA-T3000 via WLAN and VPN tunnel

Communication relationships between wireless Thin Client (wTC) and the VPN gateway in the inside firewall
Permissions required at the inside firewall, which controls access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Communication by the application(s)

Re 1, establishing the tunnel

Application                                     | Connection direction | Source IP | Target IP                          | Protocol/target port
Establishment of VPN connection, key management | wTC -> VPN Gateway   | wTC IP    | VPN gateway on the inside firewall | ISAKMP, UDP 500
IPsec NAT Transparency                          | wTC -> VPN Gateway   | wTC IP    | VPN gateway on the inside firewall | UDP 10000
IPsec Tunnel Encapsulation                      | wTC -> VPN Gateway   | wTC IP    | VPN gateway on the inside firewall | ESP


Re 2, application communication

Application        | Connection direction            | Source IP                | Target IP       | Protocol/target port
Terminal session   | wTC -> Terminal Server          | VPN-Client IP of the TC* | TS IP           | RDP, TCP 3389
Workbench HTTPS    | Terminal Server -> Appl. server | TS IP                    | Appl. Server IP | HTTPS, TCP 443
RMI reg            | Terminal Server -> Appl. server | TS IP                    | Appl. Server IP | RMI, TCP 1099
RMI com.           | Terminal Server -> Appl. server | TS IP                    | Appl. Server IP | RMI, TCP 50001-50050
RMI to Workbench** | Appl. server -> Terminal Server | Appl. Server IP          | TS IP           | TCP 50000-50009
* allocated by the VPN gateway
** outgoing connection

4.5.1 Administration of the wireless Access Point

Access rights to the wireless Access Point:
The systems which may access the wireless Access Point (e.g. for administration) from within the LAN are
defined by MAC address. The wireless Thin Clients must not have access to the wireless Access Points.


4.6 Third party system connection via OPC

OPC: Openness, Productivity, Collaboration (formerly: OLE for Process Control)

OPC is a standardized software interface which enables applications by different manufacturers to
exchange data based on the client/server principle.

Figure 31 Principle of the OPC connection

For the communication between the applications, OPC currently mainly uses DCOM technology
(Distributed Component Object Model).
Using DCOM directly would mean:
• DCOM has to be configured
• An unpredictable number of TCP/UDP connections would be opened.

The 2nd point in particular would represent a serious security problem, because it would no longer make
a static firewall configuration possible.

The solution to the problem is the use of an OPC tunneler, e.g. the one by Matrikon Inc., which reduces the
OPC communication between client and server to one (1) TCP connection.

The target port TCP 21379 has been defined for the tunneler.

Figure 32 OPC connection via an OPC tunnel


If the external OPC server is located in an insecure environment, e.g. in the client intranet, a VPN
connection between the OPC server and the VPN gateway on the inside firewall is additionally required.

Figure 33 OPC connection via OPC and VPN tunnel

4.6.1 OPC server/client system in the client intranet

Here a VPN tunnel between the OPC system in the client intranet and the VPN gateway in the inside
firewall is mandatory.

[Figure: OPC server/client with VPN client in the client intranet; client firewall; router with inside firewall
and VPN gateway; DMZ-Net with Terminal Server and optional WIN TS; SPPA-T3000 Control System with
Application Server (with OPC) and Automation Server; the OPC tunnel runs inside the VPN tunnel from the
OPC system to the Application Server]
Figure 34 OPC connection via OPC and VPN tunnel


Communication relationships in the client firewall
Permissions required in the client firewall

Application                                     | Connection direction | Source IP | Target IP                          | Protocol/target port
Establishment of VPN connection, key management | OPC -> VPN Gateway   | OPC IP    | VPN gateway on the inside firewall | ISAKMP, UDP 500
IPsec NAT Transparency                          | OPC -> VPN Gateway   | OPC IP    | VPN gateway on the inside firewall | UDP 10000
IPsec Tunnel Encapsulation                      | OPC -> VPN Gateway   | OPC IP    | VPN gateway on the inside firewall | ESP

Communication relationships between OPC server/client in the client intranet and the VPN gateway in the
inside firewall
Settings in the inside firewall, which controls access to the security cell "Control System"
The communication here is divided into 2 parts:
1. Establishing the tunnel
2. Communication by the application

Re 1, establishing the tunnel

Application                                     | Connection direction | Source IP | Target IP                          | Protocol/target port
Establishment of VPN connection, key management | OPC -> VPN Gateway   | OPC IP    | VPN gateway on the inside firewall | ISAKMP, UDP 500
IPsec NAT Transparency                          | OPC -> VPN Gateway   | OPC IP    | VPN gateway on the inside firewall | UDP 10000
IPsec Tunnel Encapsulation                      | OPC -> VPN Gateway   | OPC IP    | VPN gateway on the inside firewall | ESP

Re 2, communication in the OPC tunnel

Application | Connection direction | Source IP                 | Target IP       | Protocol/target port
OPC Tunnel  | OPC -> Appl. server  | VPN-Client IP of the OPC* | Appl. Server IP | TCP 21379
* allocated by the VPN gateway


4.6.2 OPC server/client system in the DMZ with access by external PI system in the client intranet

Here the OPC system is located within the DMZ; access is e.g. via a PI system in the intranet.

[Figure: client system (e.g. PI Server) in the client intranet; client firewall; router with inside firewall
and VPN gateway; DMZ-Net with OPC system, Terminal Server and optional WIN TS; SPPA-T3000 Control System
with Application Server (with OPC) and Automation Server]
Figure 35 PI server in the client intranet and OPC connection through an OPC tunnel

Communication relationships via the client firewall
Permissions required in the client firewall

Application          | Connection direction | Source IP | Target IP | Protocol/target port
PI to OPC connection | PI -> OPC System     | PI IP     | OPC IP    | TCP 5450
PI to OPC connection | PI -> OPC System     | PI IP     | OPC IP    | RDP, TCP 3389


Communication relationships via the inside firewall
Permissions required in the inside firewall

Application | Connection direction | Source IP | Target IP       | Protocol/target port
OPC Tunnel  | OPC -> Appl. server  | OPC IP    | Appl. Server IP | TCP 21379

4.7 Third party system connection via Modbus

SPPA-T3000 provides the option to control and monitor 3rd party PLC / PLS systems.

Various protocols and interfaces have been implemented.

Protocols
• MODBUS
• CS275
• IEC 60870-5

Interfaces
• Ethernet
• RS 232, 422, 482

In the present version of the SPPA-T3000 Security Manual only the Modbus connection via CM104 is
described. Other connections will follow.

4.7.1 Modbus TCP connection via CM104

A CM104 can be used as a Modbus gateway. The advantages are:
• high availability (redundant configuration of CM104 possible)
• decentralized structure

The Modbus CM is connected to the Automation Highway. If the access by the 3rd party Modbus system
is implemented via an unsecured network, a firewall is required for the Modbus communication.

[Figure: SPPA-T3000 Control System (Application Server, Terminal Server, optional WIN TS) with switches;
router with inside firewall and DMZ-Net; CM104 Modbus gateway on the Automation Highway; optional
Modbus firewall (EAGLE) towards the 3rd party plant area with Modbus TCP servers 1 to 25]

Communication relationships via the optional Modbus firewall *
* mandatory for the connection via an unsecured network to the 3rd party Modbus system

Permissions required in the Modbus firewall

Application     | Connection direction      | Source IP    | Target IP | Protocol/target port
Modbus protocol | 3rd party system -> CM104 | 3rd party IP | CM104 IP  | Modbus TCP, TCP 502


5 Annexes

5.1 VPN details for Remote Service Access via cRSP

cRSP is based on 3 locations distributed globally:

Fuerth (Europe)
Newark/CA (America)
Singapore (Asia)

Each location has a cRSP infrastructure and specific IP addresses.

Location    | dial-up IP      | internet IP    | local DMZ          | access server   | FTP Server
Fuerth      | 169.254.0.3     | 194.138.39.1   | 194.138.39.0/27    | 194.138.39.24   | 194.138.39.19
Singapore   | 194.138.243.169 | 194.138.240.3  | 194.138.243.176/29 | 194.138.243.178 | -
Newark (CA) | 129.73.116.86   | 129.46.135.193 | 129.73.116.88/29   | 129.73.116.92   | 129.73.116.91


5.1.1 IPSec details on establishing a VPN tunnel via the internet to the cRSP

Internet IPs cRSP side                      | Internet IP plant side
194.138.39.1, 194.138.240.3, 129.46.135.193 | fixed IP for COG; fixed or dynamic IP for CAG

Parameters for establishing the tunnel and

IKE parameters        | Options                                                                  | Recommendation for cRSP
Authentication        | MD5, SHA1                                                                | SHA1
Encryption *          | DES, 3DES                                                                | 3DES
Key exchange security | Diffie-Hellman 768 Bit, Diffie-Hellman 1024 Bit, Diffie-Hellman 1536 Bit | Diffie-Hellman 1024 Bit
* observe country-specific restrictions and export regulations!

Tunnel parameters  | Options                                                                        | Recommendation for cRSP
AH Authentication  | none, MD5, SHA1                                                                | none
ESP Authentication | none, MD5, SHA1                                                                | SHA1
ESP Encryption *   | none, DES, 3DES                                                                | 3DES
PFS                | none, Diffie-Hellman 768 Bit, Diffie-Hellman 1024 Bit, Diffie-Hellman 1536 Bit | none
Shared Secret      | -                                                                              | At least 12 alphanumeric characters

* observe country-specific restrictions and export regulations!

Note: The current version of cRSP only supports Shared Secret, not certificates.
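The following Python script is an added example, not part of the manual or of the cRSP platform. It encodes the option sets and the cRSP recommendations from the two tables above and checks a proposed IKE/IPsec configuration against them, distinguishing a value the cRSP side does not offer at all (negotiation would fail) from a value that is merely weaker than recommended (worth catching before the tunnel goes into service). The parameter names, the dict layout and the "DH-768" style labels are my own; the "at least 12 alphanumeric characters" rule is the manual's Shared Secret row.

```python
from typing import Dict, List

# Constructed example: validate an IKE/IPsec proposal against section 5.1.1.
# Options are listed as the manual gives them, ordered weakest to strongest,
# so a lower index means a weaker choice.
OPTIONS: Dict[str, List[str]] = {
    "ike_authentication": ["MD5", "SHA1"],
    "ike_encryption": ["DES", "3DES"],
    "ike_dh_group": ["DH-768", "DH-1024", "DH-1536"],
    "ah_authentication": ["none", "MD5", "SHA1"],
    "esp_authentication": ["none", "MD5", "SHA1"],
    "esp_encryption": ["none", "DES", "3DES"],
    "pfs": ["none", "DH-768", "DH-1024", "DH-1536"],
}

RECOMMENDED: Dict[str, str] = {
    "ike_authentication": "SHA1",
    "ike_encryption": "3DES",
    "ike_dh_group": "DH-1024",
    "ah_authentication": "none",
    "esp_authentication": "SHA1",
    "esp_encryption": "3DES",
    "pfs": "none",
}

SHARED_SECRET_MIN_ALNUM = 12


def check_proposal(proposal: Dict[str, str], shared_secret: str) -> List[str]:
    """Return findings; an empty list means the proposal matches the cRSP recommendation.

    A value outside the offered options is a hard error (IKE negotiation fails).
    A value weaker than the recommendation is reported so that a misconfigured
    or downgraded proposal is visible before the tunnel is used for service.
    """
    findings = []
    for name, options in OPTIONS.items():
        value = proposal.get(name)
        if value not in options:
            findings.append(f"{name}: {value!r} is not an offered option {options}")
            continue
        rec = RECOMMENDED[name]
        # For AH and PFS "none" is itself the recommendation, so only values that
        # rank below the recommended one are flagged; stronger choices are not.
        if options.index(value) < options.index(rec):
            findings.append(f"{name}: {value} is weaker than the recommended {rec}")
    if sum(c.isalnum() for c in shared_secret) < SHARED_SECRET_MIN_ALNUM:
        findings.append(f"shared secret: at least {SHARED_SECRET_MIN_ALNUM} alphanumeric characters required")
    return findings


if __name__ == "__main__":
    # Constructed proposals: the recommended one and a downgraded one.
    downgraded = dict(RECOMMENDED, ike_encryption="DES", esp_authentication="none", pfs="DH-768")
    for label, prop, secret in (("recommended", RECOMMENDED, "Kx7Qm2Lp9Rt4"),
                                ("downgraded", downgraded, "short1")):
        print(label, "->", check_proposal(prop, secret) or "OK")
```

Run stand-alone, the script prints "OK" for the recommended proposal and three findings for the downgraded one (DES, ESP authentication "none" and a too-short shared secret); the PFS value DH-768 is stronger than the recommended "none" and is therefore not flagged.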


5.1.2 Configuration of the Cisco VPN client software

IPSec parameters in the Cisco VPN gateway

IPSec parameters
Authentication algorithm: ESP/MD5/HMAC-128
Encryption algorithm: 3DES-168
Encapsulation mode: Tunnel
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: 10000kB
Time Lifetime: 28800sec

IKE Parameters:
Negotiation Mode: Main
Digital Certificate: none
IKE Proposal: IKE-3DES-MD5

The following table shows the required ports and protocols.

Service                     | Protocol Number | Source Port     | Destination Port
ISAKMP/IPSEC Key Management | 17 (UDP)        | 500             | 500
IPSEC Tunnel Encapsulation  | 50 (ESP)        | N/A             | N/A
IPSEC NAT Transparency      | 17 (UDP)        | 10000 (default) | 10000 (default)


5.2 Applications and ports for the communication with SPPA-T3000

A port is an address component used to allocate data to the correct service (protocol). This concept is
implemented e.g. in TCP and UDP.
Port ranges:
• Port numbers between 0 and 1023 are permanently allocated to specific applications
• Port numbers between 1024 and 49151 are "registered ports" of specific application manufacturers
• Port numbers between 49152 and 65535 are private ports which can be used freely

For security reasons the communication to the security cell Control System must be reduced to the
absolutely necessary minimum.
Depending on the design, with or without DMZ Net, this is implemented using 1 or 2 firewalls.
Where a DMZ Net exists there is an inside firewall at the security cell Control System and an outside
firewall at the remote access point (Customer Access Gateway). If the client intranet is connected, this
access also terminates at the inside firewall of the Control System.

The following applications and communication ports are currently provided for SPPA-T3000.

Application            | Connection direction                                                                      | Target port(s)       | Comments
HTTPS                  | TC -> Appl. server; TS -> Appl. server                                                    | TCP 443              |
Remote Diagnostic View | TC -> Appl. server; TS -> Appl. server                                                    | TCP 8080             |
SSH                    | TC -> Appl. server; TS -> Appl. server; cRSP -> Appl. server; cRSP -> TC/TS; cRSP -> TC   | TCP 22               |
OPC Tunnel             | OPC* <-> OPC*                                                                             | TCP 21379            | *Client/server connection
MS-TS RDP              | TC -> Terminal Server                                                                     | TCP 3389             |
RMI reg                | TC -> App. Server; TS -> App. Server                                                      | TCP 1099             |
RMI com.               | TC -> App. Server; TS -> App. Server                                                      | TCP 50001-50050      |
RMI to Workbench       | App. Server -> external TC                                                                | TCP 50000 – 50001    | expandable if required
RMI to Workbench       | App. Server -> external TS                                                                | TCP 50000 – 50009    | expandable if required
SMTP                   | App. Server -> Mailserver                                                                 | TCP 25 and TCP 587   | optional

* OPC Server/Client

TC: Thin Client
TS: Terminal Server
TC/TS: Combined Thin Client / Terminal Server

All other ports must be blocked.
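The following Python script is an added example, not part of the manual or of the SPPA-T3000 product. It models the allow-list that the communication tables in sections 4.4.1, 4.5, 4.6 and 4.7 and the summary table above describe as a default-deny rule set, and evaluates sample flows against it, including flows the tables do not list (direct RDP into the Control System cell, a port one past the RMI range, an unknown host), which must all come back blocked. The host roles, rule names and the address plan are my own constructions; ports and connection directions are taken from the tables. The port-range classification at the end follows the three ranges listed at the start of this section.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example: default-deny evaluation of the firewall allow-lists.


@dataclass(frozen=True)
class Rule:
    name: str
    src_role: str
    dst_role: str
    proto: str                       # "tcp", "udp" or "esp"
    ports: Tuple[int, int] = (0, 0)  # inclusive destination port range, unused for esp


RULES = (
    # 4.4.1 / 4.5: Thin Client (VPN-client address) to the Terminal Server in the DMZ Net
    Rule("MS-TS terminal session", "tc", "ts", "tcp", (3389, 3389)),
    # 4.4.1 / 4.5 / 5.2: Terminal Server or Thin Client into the Control System cell
    Rule("Workbench HTTPS", "ts", "appserver", "tcp", (443, 443)),
    Rule("Workbench HTTPS", "tc", "appserver", "tcp", (443, 443)),
    Rule("RMI registry", "ts", "appserver", "tcp", (1099, 1099)),
    Rule("RMI communication", "ts", "appserver", "tcp", (50001, 50050)),
    Rule("RMI to Workbench (outgoing)", "appserver", "ts", "tcp", (50000, 50009)),
    # 4.5: wireless Thin Client establishing the IPsec tunnel to the VPN gateway
    Rule("ISAKMP key management", "wtc", "vpngw", "udp", (500, 500)),
    Rule("IPsec NAT transparency", "wtc", "vpngw", "udp", (10000, 10000)),
    Rule("IPsec ESP", "wtc", "vpngw", "esp"),
    # 4.6: OPC tunneler, one static TCP port instead of DCOM's unpredictable ports
    Rule("OPC tunnel", "opc", "appserver", "tcp", (21379, 21379)),
    # 4.7.1: 3rd party Modbus system to the CM104 gateway through the Modbus firewall
    Rule("Modbus TCP", "thirdparty", "cm104", "tcp", (502, 502)),
)

# Constructed address plan mapping sample IPs to the roles used in the rules.
ROLES: Dict[str, str] = {
    "192.168.77.5": "tc",         # VPN-client address allocated to a Thin Client
    "172.16.5.9": "wtc",          # wireless Thin Client on the WLAN segment
    "10.10.1.1": "vpngw",         # VPN gateway on the inside firewall
    "10.10.1.20": "ts",           # Terminal Server in the DMZ Net
    "10.10.1.30": "opc",          # OPC server/client in the DMZ
    "10.10.0.10": "appserver",    # Application Server in the Control System cell
    "10.10.0.50": "cm104",        # CM104 Modbus gateway
    "172.16.9.40": "thirdparty",  # 3rd party Modbus system
}


def decide(src_ip: str, dst_ip: str, proto: str, dport: int = 0) -> Optional[str]:
    """Return the name of the first matching allow rule, or None when blocked.

    Anything not listed is denied, unknown hosts included: the manual requires
    all other ports to be blocked.
    """
    src_role, dst_role = ROLES.get(src_ip), ROLES.get(dst_ip)
    if src_role is None or dst_role is None:
        return None
    for rule in RULES:
        if (rule.src_role, rule.dst_role, rule.proto) != (src_role, dst_role, proto.lower()):
            continue
        if rule.proto == "esp" or rule.ports[0] <= dport <= rule.ports[1]:
            return rule.name
    return None


def port_class(port: int) -> str:
    """Port range classification as listed at the start of section 5.2."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "private"
    raise ValueError(f"not a valid port number: {port}")


if __name__ == "__main__":
    # Constructed sample flows, including ones the tables do not cover.
    samples = [
        ("192.168.77.5", "10.10.1.20", "tcp", 3389),  # TC -> TS RDP: allowed
        ("192.168.77.5", "10.10.0.10", "tcp", 3389),  # TC -> Appl. server RDP: blocked
        ("10.10.1.20", "10.10.0.10", "tcp", 50051),   # one port past the RMI com. range: blocked
        ("172.16.5.9", "10.10.1.1", "esp", 0),        # wTC ESP to the VPN gateway: allowed
        ("172.16.9.40", "10.10.0.50", "tcp", 502),    # 3rd party Modbus -> CM104: allowed
    ]
    for src, dst, proto, port in samples:
        verdict = decide(src, dst, proto, port) or "BLOCKED"
        print(f"{src:>14} -> {dst:<12} {proto}/{port:<5} ({port_class(port)}): {verdict}")
```

Rules are matched on the role of both endpoints, not only on the port: TCP 3389 is allowed from a Thin Client to the Terminal Server but not from the same Thin Client to the Application Server, which is exactly the "no direct access" requirement of section 4.4.1.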


5.3 Sample loading times for a workbench via DSL

Connecting a workbench (approx. 20 MB transfer) to a TC takes approx.:

Loading times (download only), for 20 megabytes, approx.

Connection                     | Loading time
Modem (28.8 Kbps)              | 1 hours 32 min. 35 sec.
Modem (56 Kbps)                | 0 hours 47 min. 37 sec.
1 channel ISDN (64 Kbps)       | 0 hours 41 min. 40 sec.
2 channel ISDN (128 Kbps)      | 0 hours 20 min. 49 sec.
DSL-768 (768 Kbps, outdated)   | 0 hours 3 min. 28 sec.
DSL 1000 (1024 kbps)           | 0 hours 2 min. 36 sec.
DSL-1500 (1536 Kbps, outdated) | 0 hours 1 min. 44 sec.
DSL 2000 (2048 kbps)           | 0 hours 1 min. 18 sec.
DSL 3000 (3072 kbps)           | 0 hours 0 min. 52 sec.
DSL 6000 (6016 kbps)           | 0 hours 0 min. 26 sec.
DSL 16,000 (16000 kbps)        | 0 hours 0 min. 10 sec.

Approx. 15% must be added to the times due to IPSec.


6 Glossary

AES   | Advanced Encryption Standard | Encryption based on the Rijndael algorithm
AH    | Authentication Header | AH authentication authenticates the whole IP packet including the outer (gateway) IP address
cRSP  | Common Remote Service Platform | Siemens-wide Remote Service Platform
CAG   | Customer Access Gateway | Service access point in accordance with the cRSP standard
COG   | Customer Owned Gateway | Service access point provided by the client
DCOM  | Distributed Component Object Model | A protocol defined by Microsoft to allow program components to communicate via a network
DMZ   | Demilitarized Zone | Computer network with access options controlled by security technology
ESP   | Encapsulating Security Payload | ESP authentication authenticates the inner IP header (e.g. of the external system) but not the outer IP header
https | Hyper Text Transfer Protocol (Secure) | Encryption and authentication of the communication between web server and browser
IP    | Internet Protocol | Prevalent network protocol
IPSec | Internet Protocol Security | Provides a security architecture for communication via IP networks
MAC   | Media Access Control | The hardware address of each individual network adapter
NAT   | Network Address Translation | Method to replace address information in data packets in an automated and transparent fashion
OPC   | Openness, Productivity, Collaboration (in the past: OLE for Process Control) | A standardized interface which permits data exchange between applications of different manufacturers
PFS   | Perfect Forward Secrecy | It is impossible to derive keys used earlier or later from an exposed key
PSK   | Pre-shared Key | Encryption method in which the keys must be known to both nodes prior to communication
RT    | Run Time | Runtime describes the time period during which a program is executed by a computer
SSID  | Service Set Identifier | Identification of a wireless network
TC    | Thin Client | End device or terminal of a network whose functionality is limited to input and output
TKIP  | Temporal Key Integrity Protocol | Method for the cyclical replacement of keys in a WLAN
TS    | Terminal Server | Computer emulating several terminals
VLAN  | Virtual Local Area Network | A virtual local network within a physical network
VPN   | Virtual Private Network | Facilitates secure transmission via an unsecured network
WPA   | Wi-Fi Protected Access | An encryption method for a wireless LAN
wTC   | Wireless Thin Client | Thin Client connected via a wireless network infrastructure
