Security for Network Components – Security Integrated
Industrial communication is a key factor for your corporate success – as long as the network is protected. As your partner, we therefore offer you security modules and software as well as components with “Security Integrated”: communication modules featuring special security functions such as firewall and VPN functionality in addition to their communication functions.
The following Security Integrated modules are available:
SCALANCE S security modules, e.g., S623 with an additional DMZ (demilitarized zone) port that opens a separate and, if required, restricted network access point for service purposes (e.g., for remote maintenance over the Internet).
SOFTNET Security Client software that enables access via the Internet or a company intranet to automation cells or PCs protected by SCALANCE S or a component with Security Integrated.
Protection of SIMATIC S7-300, S7-400 and S7-1500 controllers by the CP 343-1 Advanced, CP 443-1 Advanced and CP 1543-1 communications processors, which contain both firewall and VPN (virtual private network) functionality (CP 1543-1 from STEP7 V12 SP1), to protect the controllers against unauthorized access and the transmitted data against espionage and manipulation.
The CP 1628 communications processor protects industrial PCs with firewall and VPN – for secure communication without special operating system settings. In this manner, computers equipped with the module can be connected to protected cells.
SCALANCE M875 UMTS router for secure access to plant sections via the UMTS mobile network.
Security modules allow or block data communication between interconnected networks according to specified security restrictions, which are configured as firewall rules. It is thus possible, for example, to specify that only a particular PC may access a given controller.
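To make the effect of such a rule set concrete, here is an added example (not Siemens code and not the configuration format of any SCALANCE or CP module): a small stateless packet filter that evaluates rules in order, first match wins, and drops anything no rule permits. The addresses are constructed; the engineering PC at 192.168.0.10 is allowed to reach the controller at 192.168.1.5 on TCP port 102 only, with port 102 assumed here as the controller's communication port.

```python
"""Added example: first-match firewall rule evaluation with default deny.
Not Siemens code; addresses and port are constructed/assumed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # source IPv4 address
    dst: str                 # destination IPv4 address
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "drop"
    src: str = "0.0.0.0/0"   # source network, any by default
    dst: str = "0.0.0.0/0"   # destination network, any by default
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every specified field of the rule matches the packet."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; no match means drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"   # default deny: whatever is not explicitly allowed is blocked


# Constructed rule set: only the engineering PC may reach the controller,
# and only on the assumed communication port 102/tcp.
ENGINEERING_PC = "192.168.0.10/32"
CONTROLLER = "192.168.1.5/32"
RULES = [
    Rule("allow", src=ENGINEERING_PC, dst=CONTROLLER, proto="tcp", dport=102),
    Rule("drop"),   # explicit catch-all; identical to the implicit default deny
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Evaluate a list of constructed test packets and report each decision."""
    return [f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {evaluate(rules, p)}"
            for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("192.168.0.10", "192.168.1.5", "tcp", 102),   # permitted PC and port
        Packet("192.168.0.11", "192.168.1.5", "tcp", 102),   # other PC, same port
        Packet("192.168.0.10", "192.168.1.5", "tcp", 80),    # permitted PC, other port
        Packet("192.168.0.10", "192.168.1.5", "icmp"),       # ping from permitted PC
    ]
    for line in audit(RULES, samples):
        print(line)
```

Rule order matters with first-match evaluation: placing a broad `allow` above a narrow `drop` silently disables the narrow rule, so a rule set is best reviewed by running a small set of test packets through it, as `audit()` does, rather than by reading the rules alone.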
Virtual private networks (VPN)
A VPN tunnel connects two or more network nodes (e.g., security modules) and the network segments behind them. Encrypting the data within this tunnel makes it impossible for third parties to listen in on or falsify the data when it is transmitted over an insecure network (e.g., the Internet). When teamed up with IPSec, VPNs also reduce the potential threat when “outside computers” are temporarily connected for service and support purposes.
Virtual LANs (VLAN)
The special feature of a VLAN: devices can be assigned by configuration to a device group, irrespective of their spatial location. In doing so, several of these device groups share a single physical network infrastructure. The result is several "virtual networks" on the same physical network. Data communication takes place only within a VLAN.
The access control function allows individual ports to be blocked for unknown nodes. If the access control function is enabled on a port, packets arriving from unknown MAC addresses are discarded immediately. Any packets arriving from known nodes are accepted.
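The two switch functions described above, VLAN separation and per-port access control for unknown MAC addresses, can be illustrated with one added simulation (not Siemens code and not the behaviour of any specific SCALANCE switch): a minimal switch that parses an Ethernet frame, discards frames whose source MAC is not in the port's allow list, and floods the remainder only to ports in the same VLAN. The 802.1Q tag layout (EtherType 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is standard; the port-to-VLAN assignment, MAC lists and frames are constructed, and MAC learning is deliberately omitted so that every frame is flooded within its VLAN.

```python
"""Added example: VLAN-restricted forwarding plus MAC-based port access control.
Not Siemens code; topology, MAC addresses and frames are constructed."""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_VLAN = 0x8100          # 802.1Q tag protocol identifier
BROADCAST = b"\xff" * 6


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], bytes]:
    """Return (dst_mac, src_mac, vlan_id or None, remainder) of a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[18:]   # VID is the low 12 bits of the TCI
    return dst, src, None, frame[14:]


def build_frame(dst: bytes, src: bytes, vlan: Optional[int] = None,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a (possibly 802.1Q-tagged) IPv4 frame for the simulation."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return header + struct.pack("!H", 0x0800) + payload


class Switch:
    def __init__(self, port_vlan: Dict[int, int],
                 allowed_macs: Dict[int, Set[bytes]]) -> None:
        self.port_vlan = port_vlan        # port -> VLAN ID (all ports are access ports)
        self.allowed_macs = allowed_macs  # port -> permitted source MACs; absent = no list
        self.log: List[str] = []          # record of discarded frames for review

    def forward(self, ingress: int, frame: bytes) -> List[int]:
        """Return the egress ports a frame arriving on `ingress` is flooded to."""
        dst, src, tag, _ = parse_frame(frame)
        allowed = self.allowed_macs.get(ingress)
        # Access control: a port with a MAC list discards unknown sources immediately
        if allowed is not None and src not in allowed:
            self.log.append(f"port {ingress}: discarded frame from unknown {src.hex(':')}")
            return []
        vlan = self.port_vlan[ingress]
        # Assumed policy for access ports: a tag that disagrees with the port VLAN is dropped
        if tag is not None and tag != vlan:
            self.log.append(f"port {ingress}: dropped frame tagged VLAN {tag} on VLAN {vlan} port")
            return []
        # Flooding stays inside the VLAN: no path exists to ports of another VLAN
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != ingress)


# Constructed topology: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20;
# port 1 accepts only the known engineering PC MAC.
MAC_PC = bytes.fromhex("020000000001")
MAC_ROGUE = bytes.fromhex("020000000002")
MAC_HMI = bytes.fromhex("020000000003")
SWITCH = Switch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20},
                allowed_macs={1: {MAC_PC}})

if __name__ == "__main__":
    print(SWITCH.forward(1, build_frame(BROADCAST, MAC_PC)))      # [2]: same VLAN only
    print(SWITCH.forward(1, build_frame(BROADCAST, MAC_ROGUE)))   # []: unknown MAC discarded
    print(SWITCH.forward(3, build_frame(BROADCAST, MAC_HMI)))     # [4]: no MAC list on port 3
    print(SWITCH.log)
```

The discard log is the part a defender cares about: a frame from an unknown MAC on a secured port is a signal worth forwarding to monitoring, not just silently dropping, because it is exactly what an unexpected device being plugged into a plant cell looks like.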
RADIUS: Authentication over an external server
The concept of RADIUS is based on an external authentication server. An end device can only access the network after the Industrial Ethernet switch has verified the logon data of the device with the authentication server. Both the end device and the authentication server must support the EAP protocol (Extensible Authentication Protocol).