Siemens Spares. Setting up security in STEP 7. Professional SIMATIC NET. Industrial Ethernet Security Setting up security in STEP 7 Professional


SIMATIC NET
Industrial Ethernet Security
Setting up security in STEP 7 Professional
Getting Started

Preface 1
User interface and menu commands 2
Basic configuration 3
Firewall in advanced mode 4
VPN for network linking 5

Siemens Spares
09/2014
C79000-G8976-C379-01

Legal information

Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION indicates that minor personal injury can result if proper precautions are not taken.
NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG Industry Sector Postfach NÜRNBERG GERMANY
C79000-G8976-C P 09/2014 Subject to change
Copyright Siemens AG All rights reserved

Table of contents

1 Preface
2 User interface and menu commands
    User interface and menu commands
3 Basic configuration
    Configuring IP addresses for SCALANCE S
        Overview
        Set up SCALANCE S and the network
        Making IP settings for the PC
        Creating a project and security module
        Creating the security project
        Assigning IP addresses
        Downloading the configuration to SCALANCE S
    Configuring IP addresses for a CP
        Overview
        Making IP settings for the PC
        Creating a project and security module
        Creating the security project
        Assigning IP addresses
        Downloading the configuration to the security module
4 Firewall in advanced mode
    Global rule sets
        Overview
        Make the IP settings for the PCs
        Configuring the local firewall
        Configuring global firewall rule sets
        Downloading the configuration to the security module
        Testing firewall function
    Firewall rules for connections
        Overview
        Make the IP settings for the PCs
        Configuring the local firewall
        Configuring connection firewall rules
        Downloading the configuration to the security module
        Testing firewall function
    User-specific firewall
        Overview
        Make the IP settings for the PCs
        Configuring the local firewall
        Creating remote access users
        Configuring user-specific firewall rule sets
        Downloading the configuration to the security module
        Activating a user-specific firewall rule set
        Testing firewall function
    NAT
        Overview
        Making IP settings for the PC
        Configuring destination NAT and local firewall
        Downloading the configuration to the security module
        Testing NAT function
5 VPN for network linking
    VPN tunnel in the LAN between all security products
        Overview
        Make the IP settings for the PCs
        Creating SOFTNET Security Client module
        Configuring a VPN group
        Saving the SOFTNET Security Client configuration
        Downloading the configuration to the security module
        Set up a tunnel with the SOFTNET Security Client
        Testing the tunnel
    VPN tunnel SOFTNET Security Client and CPs or SCALANCE S
        Overview
        Make the IP settings for the PCs
        Creating SOFTNET Security Client module
        Configuring a VPN group
        Configuring VPN properties of the security module
        Saving the SOFTNET Security Client configuration
        Downloading the configuration to the security module
        Set up a tunnel with the SOFTNET Security Client
        Testing the tunnel
    VPN with SOFTNET Security Client and SCALANCE S as user-specific firewall
        Overview
        Make the IP settings for the PCs
        Creating SOFTNET Security Client module
        Configuring a VPN group
        Configuring VPN properties of the security module
        Configuring the local firewall
        Creating remote access users
        Configuring user-specific firewall rule sets
        Saving the SOFTNET Security Client configuration
        Downloading the configuration to the security module
        Set up a tunnel with the SOFTNET Security Client
        Activating a user-specific firewall rule set
        Testing the tunnel and firewall function

1 Preface

Getting results fast with Getting Started
Based on simple test networks, you will learn how to handle the security modules and the STEP 7 Professional configuration tool. You will soon see that you can implement the security functions of security modules in the network without any great project engineering effort. Based on a variety of security examples, you will be able to implement the basic functions of the security modules and the SOFTNET Security Client.

IP settings for the Examples
Note
The IP settings in the examples are freely selected and do not cause any conflicts in the isolated test network. In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Validity of this Getting Started
Configuration software: STEP 7 Professional V13
Products:
SCALANCE S
- SCALANCE S602, order number: 6GK BA10-2AA3
- SCALANCE S612, order number: 6GK BA10-2AA3
- SCALANCE S623, order number: 6GK BA10-2AA3
- SCALANCE S627-2M, order number: 6GK BA10-2AA3
CPs
- CP Advanced GX31 as of V3.0, order number: 6GK GX31-0XE0
- CP Advanced GX30 as of V3.0, order number: 6GK GX30-0XE0
- CP as of V1.1, order number: 6GK AX00-0XE0
- CP , order number: 6GK BX30-0XE0
VPN client software
- SOFTNET Security Client as of V4.0, order number: 6GK VW04-0AA0

Windows: All the examples are implemented with Windows 7. For this reason, the path information of Windows 7 is also described.

General terminology "security modules"
In this documentation, the following products are grouped together under the term "security module": SCALANCE S602 / SCALANCE S612 / SCALANCE S623 / SCALANCE S627-2M / CP Advanced GX31 / CP Advanced GX30 / CP / CP
The CPs Advanced GX31 and Advanced GX30 are called "CP x43-1 Adv.". The CPs and are called "CP 1x43-1".

General use of the term "STEP 7"
The configuration of the security functions used in this manual is supported as of STEP 7 Professional V13. In the rest of the document this is simply called "STEP 7".

Use of the terms "interface" and "port"
In this documentation, the ports of security modules are named as follows:
- "External interface": The external port of the SCALANCE S602 / S612 / S623 or an external port of the SCALANCE S627-2M
- "Ethernet interface": The external port of the CP x43-1 Adv. / CP 1x43-1
- "Internal interface": The internal port of the SCALANCE S602 / S612 / S623 or an internal port of the SCALANCE S627-2M
- "PROFINET interface": The internal port of the CP x43-1 Adv.
- "DMZ interface": The DMZ port of the SCALANCE S623 / S627-2M
The term "port" itself is used when the focus of interest is a special port of an interface.

IP addresses of the security modules in the configuration examples
When downloading a configuration to a security module, the IP address via which the interface can currently be reached must always be specified. In the configuration examples in this manual, it is assumed that the IP addresses of the configuration are identical to the current IP addresses of the security modules.

If you want to know more
You will find further information on the topic of "Industrial Ethernet Security" in the information system of STEP 7 (online help). The information system of STEP 7 also supports you during configuration and programming of your automation system.
You will find hardware descriptions and installation instructions in the documents relating to the individual modules.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit

2 User interface and menu commands

2.1 User interface and menu commands

User interface for security functions in STEP 7

1 Global security settings
The global security settings are located in the project navigation. These security settings can be configured independently of the module and subsequently assigned to individual security modules as required. If the first security module to be configured is a CP, the global security settings are only displayed when the security functions have been enabled in the local security settings of the CP. If the first security module to be configured is a SCALANCE S module, the global security settings are displayed after logging in to the security project.

The following main folders and entries are available in the global security settings:

User login
For the security configuration within a project, there is a separate user management. Log in to the security configuration using the "User login" entry. The first time that there is a login to the security configuration, a user with the system-defined role "Administrator" is created automatically. You can create further users in the security configuration in the user management.

User administration
In user administration, you can create users, define rights for roles and assign these roles to users.

Certificate manager
In the certificate manager, you see an overview of all the certificates used in the project. You can, for example, import new certificates as well as export, modify or replace existing certificates.

Firewall
Under the "Firewall" entry, you can define global IP and MAC firewall rule sets and user-specific IP rule sets (SCALANCE S modules only) and assign security modules. IP and MAC service definitions are used to define the IP and MAC firewall rules compactly and clearly.

VPN groups
All created VPN groups are contained in this folder. You can create new VPN groups here and assign security modules to these VPN groups. You can also adapt VPN group properties of VPN groups that have already been created.

NTP
Here, you can create NTP servers and assign them to one or more security modules. This ensures that time synchronization is performed through the assigned NTP server. Unsecured NTP servers can only be configured in the local security settings.

2 Working area with security module
Once you have selected a security module in the work area, you can configure its local security settings in "Properties" > "General". If the selected security module is in a VPN group, related information is displayed in the VPN tab.

3 VPN tab
This tab displays information about all the VPN groups to which the security module that was selected in the working area belongs. Information about the respective participants of a VPN group can be displayed and hidden.

4 Local security settings
Local security settings are configured for a specific security module. After a security module has been selected in the working area, its local security settings are available in the inspector window under "Properties" > "General".

Note for CPs: Before local security settings can be configured for CPs, these must first be enabled. To do this, log in to your security project and then in the Inspector window, select the "Activate security features" check box in the "Properties" > "General" tab, "Security" entry. The local security settings are then displayed below the "Security" entry. When the check box is selected, the following settings (assuming they were enabled) are migrated automatically to the local security settings:

CP x43-1 Adv.:
- SNMP
- FTP configuration
- Time-of-day synchronization
- Web server
- Entries of IP access lists
CP :
- SNMP
- FTP configuration
- Time-of-day synchronization
CP :
- SNMP
- Time-of-day synchronization

Additional security functions are also available such as NTP (secure), SNMPv3, FTPS. In addition, firewall rules that enable a connection to be established are created automatically for configured connections. Log settings are available to record blocked packets.

Secure and non-secure configuration areas
The user interface can be divided into secure and non-secure configuration areas. The secure areas are areas in which configuration is possible only after logging in to the security configuration. These areas are encrypted and therefore only accessible to persons authorized in the user management even if the project is accessible to a wider circle of people. Functions from the non-secure areas, on the other hand, can be configured without logging in to the security configuration. The correctness of the settings must be checked before downloading the project to the plant components if a wider circle of people can make modifications to the project.

Below, you will find a list of the configuration areas of the user interface showing which areas are secure and which are non-secure. To some extent, this depends on the security module for which the configuration is created. All settings from the global security settings are secure.

Secure and non-secure configuration areas for SCALANCE S modules:
- All the settings for the interfaces and ports, in particular IP addresses, are non-secure.
- The settings under the entry "General" in the local security settings are non-secure.
- Higher-level settings (e.g. MRP settings such as MRP manager etc.) that are not configured on the security module itself but may affect the security module are not secure. This does not relate to the global security settings.
- The other settings are protected.

Secure and non-secure configuration areas for CP Advanced, CP Advanced, CP , CP BX30:
- All settings outside the "Security" entry are non-secure.
- Higher-level settings (e.g. MRP settings such as MRP manager, PROFINET settings, connections etc.) that are not configured on the security module itself but may affect the security module are non-secure. This does not relate to the global security settings.
- All the settings for the interfaces and ports, in particular IP addresses, are non-secure.
- All settings below the "Security" entry are secure.

3 Basic configuration

3.1 Configuring IP addresses for SCALANCE S

Overview
In this example, IP addresses are configured in STEP 7 for a SCALANCE S module that has the factory settings. Then, the configuration is downloaded to the security module via the external interface.

Required devices/components:
Use the following components to set up the network:
- 1 x SCALANCE S (additional option: a suitably installed DIN rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- 1 x PC on which the STEP 7 configuration tool is installed
- The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Requirement
To be able to work through this example, the following requirements must be met:
- The SCALANCE S module has the factory settings. You can restore this status by pressing the Reset button on the SCALANCE S and holding it down for at least 5 seconds. For further information on the Reset button of the SCALANCE S, refer to the section "4.3 Reset button - resetting the configuration to the factory settings" in the manual "SIMATIC NET Industrial Ethernet Security - SCALANCE S V4".

Overview of the next steps:

Set up SCALANCE S and the network
Follow the steps outlined below:
1. First unpack the SCALANCE S and check that it is undamaged.
2. Connect the power supply to the SCALANCE S.
   Result: After connecting the power, the Fault LED (F) is lit yellow.

   WARNING
   Use safety extra-low voltage only
   The SCALANCE S device is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/VDE0805 can be connected to the power supply terminals. The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range V, current requirement approx. 250 mA).
3. Establish the physical network connection by connecting the external interface of the SCALANCE S to the PC.
4. Turn on the PC.

Note
The Ethernet interfaces are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network:
- Interface X1 - external network. Red marking = unprotected network area;
- Interface X2 - internal network. Green marking = network protected by SCALANCE S;
- Only for SCALANCE S623 and SCALANCE S627-2M: Interface X3 - DMZ port (universal network interface). Yellow marking = unprotected network area or network area protected by SCALANCE S.
If the interfaces are swapped over, the device loses its protective function.

Making IP settings for the PC
The following IP address settings are made for the PC:
PC IP address Subnet mask PC

Follow the steps outlined below:
1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.
7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Creating a project and security module
Creating a new project:
1. Install and start the STEP 7 configuration tool on PC1.
2. Select the menu item "Create new project".
3. In the dialog that follows, assign a project name for your project, if necessary change the storage path and confirm the dialog with "Create".
   Result: A new STEP 7 project is created and opened in the Portal view.

Creating a new security module
1. Change to the project view with the "Open the project view" menu item.
2. In the Project tree, double-click on the "Devices & networks" menu item.
   Result: The network view opens.
3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view. Make sure that the firmware version is correct; this can be adapted in the "Information" area. You will find the security module by navigating as follows in the "Hardware catalog":
   Security module: SCALANCE S
   Navigation in the hardware catalog: "Network components" > "Industrial Security" > "SCALANCE S"

Creating the security project
Follow the steps below:
1. Change to the device view.
2. Select the security module so that you can configure the properties.
3. In the Inspector window, "General" tab, select the menu item "Security properties".
4. In the dialog that follows click "User login".
5. Create a new user with user name and the corresponding password. The "administrator" role is assigned to the user automatically.
6. Confirm your entries with "Log in".
   Result: The security project has been created. All the security settings you make from now on will be stored in the project encrypted and can only be edited or viewed with the user and password you have created.

Assigning IP addresses
Assigning the external IP address:
1. Select the menu "Online" > "Accessible devices".
2. From the "Type of the PG/PC interface" drop-down list, select the entry "PN/IE".
3. Select the network adapter via which you are connected to the security module.
4. If the MAC address of the SCALANCE S is displayed, select the corresponding entry in the table and click the "Show" button.
   Result: The SCALANCE S is displayed in the project tree in the "Online access" menu below the selected network adapter.
5. Double-click on "Online & Diagnostics".
6. In the window that follows, select the "Functions" > "Assign IP address" menu.
7. Enter the external IP address ( ) and the external subnet mask ( ).
8. Click the "Assign IP address" button.

Configuring IP addresses for the internal interface and the DMZ interface:
1. In the Inspector window, "General" tab, check whether "Routing mode" is enabled under "Mode".
2. Enter the following IP addresses:
   Interface / IP address / Subnet mask
   External interface [P1] red
   Internal interface [P2] green
   Only for S623 or S627-2M: DMZ interface [P3] yellow
   For each address, click the "Add new subnet" button in the "Interface networked with" box.
   Result: The IP addresses have been assigned and the interfaces networked.

Downloading the configuration to SCALANCE S
Follow the steps below:
1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".
3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".
4. In the "Connection to interface/subnet" drop-down list, select the entry "Try all interfaces". With SCALANCE S modules, the HTTPS protocol is used for the download.
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.
7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: SCALANCE S in productive operation
The SCALANCE S is now in productive operation. This mode is indicated by the Fault display being lit green. You can now download configurations via all interfaces. The basic configuration is completed.

3.2 Configuring IP addresses for a CP

Overview
In this example, IP addresses are configured in STEP 7 for one of the following CPs. Following this, the configuration is downloaded to the station via the security module.
- CP
- CP
- CP Advanced
- CP Advanced

Requirement
To be able to work through this example, the following requirements must be met:
- The STEP 7 configuration tool is installed on a PC and a station with a CPU has already been created.
- The memory card of the CPU is empty.
- The CPU memory has been reset.
- The CPU has a valid time of day and forwards this via the backplane bus.
You will find more detailed information on the precise procedure in the relevant device manual and in the information system (online help) of STEP 7.

Overview of the next steps:

Making IP settings for the PC
The following IP address settings are made for the PC:
PC IP address Subnet mask PC

Follow the steps outlined below:
1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.
7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Creating a project and security module
Creating a new project:
1. Install and start the STEP 7 configuration tool on PC1.
2. Select the menu item "Create new project".
3. In the dialog that follows, assign a project name for your project, if necessary change the storage path and confirm the dialog with "Create".
   Result: A new STEP 7 project is created and opened in the Portal view.

Creating a new security module
1. Change to the project view with the "Open the project view" menu item.
2. In the Project tree, double-click on the "Devices & networks" menu item.
   Result: The network view opens.
3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view. Make sure that the firmware version is correct; this can be adapted in the "Information" area. You will find the security module by navigating as follows in the "Hardware catalog":
   Security module: Navigation in the hardware catalog
   CP Advanced: "Controller" > "SIMATIC S7-300" > "Communications modules" > "PROFINET/Ethernet" > "CP Advanced-IT"
   CP 443- Advanced: "Controller" > "SIMATIC S7-400" > "Communications modules" > "PROFINET/Ethernet" > "CP Advanced-IT"
   CP : "Controller" > "SIMATIC S7-1200" > "Communications modules" > "Industrial Remote Control" > "CP "
   CP : "Controller" > "SIMATIC S7-1500" > "Communications modules" > "PROFINET/Ethernet" > "CP "

Creating the security project
Follow the steps below:
1. Change to the device view.
2. Select the security module so that you can configure the properties.
3. In the Inspector window, "General" tab, select the menu item "Security > Security properties".
4. In the dialog that follows click "User login".
5. Create a new user with user name and the corresponding password. The "administrator" role is assigned to the user automatically.
6. Confirm your entries with "Log in".
7. Change to the network view and select the security module.
8. Under "Security", select the "Activate security features" check box.
   Result: The security project has been created. All the security settings you make from now on will be stored in the project encrypted and can only be edited or viewed with the user and password you have created.

26 Basic configuration 3.2 Configuring IP addresses for a CP Assigning IP addresses Assigning the external IP address: 1. Select the menu "Online" > "Accessible devices". 2. From the "Type of the PG/PC interface" drop-down list, select the entry "PN/IE". 3. Select the network adapter via which you are connected to the security module. 4. If the MAC address of the CP is displayed, select the corresponding entry in the table and click the "Show" button. Result: The CP is displayed in the project tree in the "Online access" menu below the selected network adapter. 5. Click on "Online & Diagnostics". 6. In the window that follows, select the "Functions" > "Assign IP address" menu. 7. Enter the external IP address ( ) and the external subnet mask ( ). 8. Click the "Assign IP address" button. 9. For each address, click the "Add new subnet" button in the "Interface networked with" box. Result: The IP addresses have been assigned and the interfaces networked. Configuring IP addresses for the internal interface: 1. Enter the following IP addresses in the Inspector window "General tab: Security module IP address Subnet mask CP 1x43-1 Ethernet interface [X1]: CP x43-1 Adv. Ethernet interface [X1]: PROFINET interface [X2]: For each address, click the "Add new subnet" button in the "Interface networked with" box. Result: The IP addresses have been assigned and the interfaces networked Downloading the configuration to the security module Follow the steps below: 1. Select the security module in the project tree. 2. Select the menu command "Online" > "Download to device". 3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface". 26 Getting Started, 09/2014, C79000-G8976-C379-01

4. In the "Connection to interface/subnet" drop-down list, select the entry "Try all interfaces". For CPs, the S7 protocol is used for the download.
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.
7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The security module is now in productive operation. You can now download configurations via all interfaces. The basic configuration is complete.


Firewall in advanced mode

4.1 Global rule sets

Overview

In this example you configure the advanced firewall and use the function of the global rule sets. By making the settings in the firewall of the security module, you restrict configuration and diagnostics of the controllers using the S7 protocol to the IP address of PC1 and therefore make this possible from the external network. In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules or, depending on the test setup, communication with Web servers in the internal network. With the global rule sets, denied access attempts to the security module or the internal network are logged.

Setting up the test network for SCALANCE S, CP x43-1 Adv.

Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.

- Station1: Represents a node in the internal network
- Security module - A security module for protection of the internal network can be:
  - SCALANCE S
  - CP Advanced in a SIMATIC S7-300 station
  - CP Advanced in a SIMATIC S7-400 station

External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

- PC1: PC with configuration software STEP 7

Setup of the test network CP 1x43-1

- Station - one of the following stations with security module:
  - CP in a SIMATIC S station
  - CP in a SIMATIC S station

External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

- PC1: PC with configuration software STEP 7

Requirement:

To be able to work through the example, the following requirements must be met:

- The STEP 7 configuration software is installed on PC1.
- Only for CP x43-1 Adv. and SCALANCE S: A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

  Controller   IP address   Subnet mask   Default gateway
  Controller

- A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

  Security module   IP address                      Subnet mask
  SCALANCE S        External interface [P1] red:
                    Internal interface [P2] green:
  CP 1x43-1         Ethernet interface [X1]:
  CP x43-1 Adv.     Ethernet interface [X1]:
                    PROFINET interface [X2]:

- The project with the "basic configuration" of the security module is open on PC1.

  Figure 4-1 IP settings of the basic configuration

- You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC   IP address   Subnet mask   Default gateway
PC

Follow the steps below for PC1:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Configuring the local firewall

Follow the steps below:

1. Change to the device view and select the security module.
   Result: The properties of the security module become configurable.
2. For a CP: Select the "Security" menu item and then the "Activate security features" check box.
   Result: The security functions of the module are shown below the "Security" entry and can be configured.

3. Select the "Firewall" menu item.
4. In the "General" box, enable the "Activate firewall" option.
5. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".
   Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.
6. Select the "IP rules" menu and add the following firewall rules depending on the security module you are using:

   Security module   Action   From       To 1)      Source IP address   Destination IP address   Service
   SCALANCE S        Allow    External   Internal                                                S7
                     Allow    External   Internal   -                   -                        HTTPS
   CP 1x43-1         Allow    External   Station                                                 S7
                     Allow    External   Station    -                   -                        Security diagnostics
   CP x43-1          Allow    External   Any                                                     S7
                     Allow    External   Any        -                   -                        HTTPS

   1) Due to the "Stateful inspection" function of the firewall, the response frames are allowed automatically and do not need to be allowed specifically.

   Result: The local firewall rules are displayed in the list:

   Figure 4-2 Local IP rules in advanced firewall mode

Configuring global firewall rule sets

Follow the steps below:

1. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Add new IP rule set".
   Result: A global IP rule set is created.
2. Enter any name and a description for the IP rule set. In this example:
   Name: IP rule set 1
   Description: Logging denied accesses
3. Add the following firewall rules to the list:

   Action   From       To         Source IP address   Destination IP address   Service   Logging
   Drop     External   Internal   -                   -                        All
   Drop     External   Station    -                   -                        All
   Drop     External   Any        -                   -                        All

   Result: A new global firewall rule set is created. You can assign the global firewall rule set to every security module without needing to create these rules separately for each security module.

   Figure 4-3 Global IP rule set

4. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Assign module to a firewall rule set".
5. Select the created rule set from the "Rule set" drop-down list.
6. Select the security module being used in the "Available modules" list.

7. With the "<<" button, move it to the "Assigned modules" list.

   Figure 4-4 Assigning a global rule set

   Result: The global firewall rule set has been inserted in the local firewall of the security module.
8. To check this, go to the Inspector window and open the menu "Properties" > "Firewall" > "IP rules".

   Figure 4-5 Displaying a global rule set

   Result: The global firewall rule set has been added to the list after the last local firewall rule. Depending on the security module you are using, only those firewall rules from the global firewall rule set that are valid for the security module are adopted. You can see the resulting firewall rules in the following table:

   Security module       Action   From       To         Source IP address   Destination IP address   Service   Logging
   CP 1x43-1             Drop     External   Station    -                   -                        All
   CP x43-1 Adv.         Drop     External   Station    -                   -                        All
                         Drop     External   Any        -                   -                        All
   SCALANCE S602/S612    Drop     External   Internal   -                   -                        All

Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".
3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. Select the "Connection to interface/subnet" via which you are connected to the security module. For CPs, the S7 protocol is used for the download, for SCALANCE S the HTTPS protocol.

   Figure 4-6 Downloading to the security module

5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.
7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists). Incoming S7 data traffic is permitted only from PC1 and HTTPS communication for diagnostics of the security module is allowed for every node from the external network. Every blocked access attempt is logged.

Testing firewall function

How can you test the configured function?

The function tests are performed with PC1 on which a Web browser is installed. So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external:

1. Open the project for configuration and diagnostics of the station:
   - for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network
   - for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located
2. Select the station in the project tree.
3. Select the menu command "Online" > "Connect online".
   Result: Diagnostics and downloading of a configuration are possible using the S7 protocol.

   Figure 4-7 S7 diagnostics and configuration of the station

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

Open a standard Web browser on PC1 and enter the following URL:
- for CP x43-1 Adv. and SCALANCE S: "
- for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): "

Result: Access to the Web server using the HTTPS protocol is possible.

Figure 4-8 HTTPS access to the Web server of the station

Test phase 3 - PC1 with modified IP address: S7 diagnostics and configuration of the station

By changing the IP address of PC1 in this test phase, an unauthorized access attempt will be simulated. To do this, change the IP address from " " to " " as explained in the section "Make the IP settings for the PCs (Page 32)".

Now test the function of the S7 firewall rule for PC1 from external with the modified IP address as follows:

1. Open the project for configuration and diagnostics of the station:
   - for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network
   - for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located
2. Select the station in the project tree.
3. Select the menu command "Online" > "Connect online".
   Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.

   Figure 4-9 S7 diagnostics and configuration of the station

Test phase 4 - PC1 with modified IP address: HTTPS access to the Web server of the station

By changing the IP address of PC1 in this test phase, an access attempt by another PC will be simulated. In keeping with test phase 3, here instead of the IP address " ", PC1 has the IP address " ".

Open a standard Web browser on PC1 and enter the following URL:
- for CP x43-1 Adv. and SCALANCE S: "
- for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): "

Result: Access to the Web server using the HTTPS protocol is possible.

Figure 4-10 HTTPS access to the Web server of the security module

Test phase 5 - PC1: S7 diagnostics and configuration of the station

As explained in the section "Make the IP settings for the PCs (Page 32)", change the IP address of PC1 from " " back to " ".

Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:

1. Open the project for configuration and diagnostics of the station.
2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".
3. Select the security module in the project tree.
4. Select the menu command "Online" > "Online & Diagnostics".
5. For CPs: In the "Diagnostics" > "Security" > "Status" menu, click the "Connect online" button.

   Figure 4-11 Connecting to the security module online

   Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.
6. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.

7. Click the "Connect online" button.
   Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.

   Figure 4-12 Running security diagnostics with HTTPS

8. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.
   Result: The unauthorized connection attempts from test phase 3 were recorded in the packet filter log and will be displayed as follows:

   Figure 4-13 Display of the unauthorized connection attempts
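The SCALANCE S rule list from section 4.1 and its test phases 1 to 4, modelled as an added Python example (not Siemens code and not part of the manual). It assumes top-down first-match evaluation with an implicit drop for unmatched traffic, TCP 102 for S7 and TCP 443 for HTTPS, logging enabled on the global Drop rule, and constructed placeholder IP addresses, since the manual's address values are not reproduced on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed service definitions: S7 over ISO-on-TCP (TCP 102), HTTPS over TCP 443.
# "All" is modelled as None and matches every protocol and port.
SERVICES = {"S7": ("tcp", 102), "HTTPS": ("tcp", 443), "All": None}

# Constructed addresses from documentation ranges (not the manual's values).
PC1 = "192.0.2.100"
PC1_MODIFIED = "192.0.2.200"
STATION1 = "198.51.100.10"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str              # "Allow" or "Drop"
    src_zone: str            # "From" column
    dst_zone: str            # "To" column
    src_ip: Optional[str]    # None corresponds to "-" (any address)
    dst_ip: Optional[str]
    service: str
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if (self.src_zone, self.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            return False
        if self.src_ip and ip_address(pkt.src_ip) not in ip_network(self.src_ip):
            return False
        if self.dst_ip and ip_address(pkt.dst_ip) not in ip_network(self.dst_ip):
            return False
        service = SERVICES[self.service]
        return service is None or service == (pkt.proto, pkt.dst_port)


# Local IP rules for SCALANCE S: S7 only from PC1, HTTPS from every external node.
LOCAL_RULES = [
    Rule("Allow", "External", "Internal", PC1, None, "S7"),
    Rule("Allow", "External", "Internal", None, None, "HTTPS"),
]
# The rule of the global rule set that is valid for SCALANCE S, with logging.
GLOBAL_RULE_SET = [Rule("Drop", "External", "Internal", None, None, "All", log=True)]


def effective_rules(local: List[Rule], global_set: List[Rule]) -> List[Rule]:
    """The global rule set is appended after the last local rule."""
    return list(local) + list(global_set)


def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """First matching rule decides (assumed); unmatched traffic is dropped unlogged."""
    for index, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            if rule.log:
                log.append(f"{rule.action} by rule {index}: {pkt.src_ip} -> "
                           f"{pkt.dst_ip} {pkt.proto}/{pkt.dst_port}")
            return rule.action
    return "Drop"


def run_test_phases() -> Tuple[Dict[int, str], List[str]]:
    """Replay test phases 1 to 4 and return the verdicts and the packet filter log."""
    rules = effective_rules(LOCAL_RULES, GLOBAL_RULE_SET)
    log: List[str] = []
    phases = {
        1: Packet("External", "Internal", PC1, STATION1, "tcp", 102),
        2: Packet("External", "Internal", PC1, STATION1, "tcp", 443),
        3: Packet("External", "Internal", PC1_MODIFIED, STATION1, "tcp", 102),
        4: Packet("External", "Internal", PC1_MODIFIED, STATION1, "tcp", 443),
    }
    return {n: evaluate(rules, p, log) for n, p in phases.items()}, log


if __name__ == "__main__":
    verdicts, packet_filter_log = run_test_phases()
    for phase, verdict in verdicts.items():
        print(f"Test phase {phase}: {verdict}")
    print("Packet filter log:", packet_filter_log)
```

Under the first-match assumption, placing the Drop rule ahead of the local Allow rules would block PC1 as well, which is why the position of the global rule set after the last local rule matters.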

4.2 Firewall rules for connections

Overview

In this example, you configure the advanced firewall. With the settings made in the firewall of the security module, the connections configured via the CPs are allowed in the firewall and restricted to the services used. The configuration and diagnostics of the controllers using the S7 protocol are restricted in the firewall to the IP address of PC1 and therefore allowed from the external network. In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules. Denied attempts to access the security module or the station are logged.

Setting up the test network

- Station1 - one of the following stations with security module:
  - SIMATIC S7-300 where CP Advanced
  - SIMATIC S7-400 where CP Advanced
  - SIMATIC S where CP
  - SIMATIC S where CP

External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

- Switch: Switch to network the connection partners and PC1 with each other.
- PC1: PC with configuration software STEP 7
- Active partner station (Station2): Partner station that actively establishes the connections to Station1
- Passive partner station (Station3): Partner station that accepts active connections from Station1

Requirement:

To be able to work through the example, the following requirements must be met:

- The STEP 7 configuration software is installed on PC1.
- A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

  Security module   IP address                 Subnet mask
  CP 1x43-1         Ethernet interface [X1]:
  CP x43-1 Adv.     Ethernet interface [X1]:
                    PROFINET interface [X2]:

- In the STEP 7 project, communications connections were configured via the CP. The type and number of communications connections are irrelevant. In this example, the following communications connections of the CP to the partner stations were configured:

  Connection type   Connection establishment   Partner station           Partner address
  S7 connection     passive                    active_partner_station
  S7 connection     active                     passive_partner_station

- The project with the "basic configuration" of the security module is open on PC1.

  Figure 4-14 IP settings of the basic configuration

- You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC   IP address   Subnet mask   Default gateway
PC

Follow the steps below for PC1:

1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.
7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Configuring the local firewall

Follow the steps below:

1. Change to the device view and select the security module.
   Result: The properties of the security module become configurable.
2. Select the "Security" menu item and then the "Activate security features" check box.
   Result: The security functions of the module are shown below the "Security" entry and can be configured.
3. Select the "Firewall" menu item.
4. In the "General" box, enable the "Activate firewall" option.
5. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".
   Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.
6. Select the "IP rules" menu and add the following firewall rules depending on the security module you are using:

   Security module   Action   From       To        Source IP address   Destination IP address   Service                Logging
   CP 1x43-1         Allow    External   Station                                                S7
                     Allow    External   Station   -                   -                        Security diagnostics
                     Drop     External   Station   -                   -                        All
   CP x43-1 Adv.     Allow    External   Station                                                S7
                     Allow    External   Station   -                   -                        HTTPS
                     Drop     External   Station   -                   -                        All

   Result: The local firewall rules are displayed in the list:

   Figure 4-15 Local IP rules in advanced firewall mode

Configuring connection firewall rules

Follow the steps below:

1. Click the "Update connection rules" button.
   Result: The firewall rules for the active and passive connection to the station are automatically added at the start of the list of IP rules.

   Figure 4-16 Configuring connection firewall rules

   According to the connection establishment, only the direction in which the connection is established is opened in the firewall. Due to the "Stateful inspection" function of the firewall, the response frames are allowed automatically and do not need to be allowed specifically. The additional Drop firewall rule prevents connections being established in the opposite direction. In the following table, you will find the firewall rules that result for connection establishment depending on the configured direction:

   Connection establishment   Action   From       To         Source IP address   Destination IP address
   passive                    Allow    External   Station
                              Drop     Station    External
   active                     Drop     External   Station
                              Allow    Station    External

2. Restrict the connection firewall rules to the protocol being used. In this example, S7 connections were configured; the S7 protocol therefore needs to be used.
   Result: Only S7 connections to the partner station can pass through the firewall.

Result: The firewall is now completely configured

Connection firewall rules are automatically inserted at the start of the firewall list and cannot be moved. Settings such as service, bandwidth or logging can be adapted. The "Source IP address" and "Destination IP address" boxes have default values and cannot be changed since the information is taken from the connection configuration. The configuration of the firewall is completed.
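How the connection rules and stateful inspection interact, as an added Python sketch (not generated by STEP 7 and not part of the manual). The addresses are constructed placeholders, S7 is assumed to be TCP 102, the rule addresses are assumed to be the station and partner addresses from the connection configuration, and both rules of a pair are assumed to carry the S7 restriction.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

S7_PORT = 102             # assumed: S7 connections use ISO-on-TCP, TCP port 102
STATION1 = "192.0.2.10"   # constructed addresses (documentation range)
STATION2 = "192.0.2.20"   # active_partner_station
STATION3 = "192.0.2.30"   # passive_partner_station


@dataclass(frozen=True)
class ConnRule:
    action: str           # "Allow" or "Drop"
    src_zone: str         # "External" or "Station"
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int         # rule restricted to the protocol in use


def connection_rules(establishment: str, partner_ip: str,
                     station_ip: str = STATION1) -> List[ConnRule]:
    """Rule pair for one configured connection, following the table above."""
    inbound = ("External", "Station", partner_ip, station_ip, S7_PORT)
    outbound = ("Station", "External", station_ip, partner_ip, S7_PORT)
    if establishment == "passive":      # the partner opens the connection
        return [ConnRule("Allow", *inbound), ConnRule("Drop", *outbound)]
    if establishment == "active":       # the station opens the connection
        return [ConnRule("Drop", *inbound), ConnRule("Allow", *outbound)]
    raise ValueError(f"unknown connection establishment: {establishment!r}")


@dataclass(frozen=True)
class Frame:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool             # True only for the frame that requests a new connection


class StatefulFirewall:
    def __init__(self, rules: List[ConnRule]) -> None:
        self.rules = rules
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def handle(self, f: Frame) -> str:
        flow = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        reverse = (f.dst_ip, f.dst_port, f.src_ip, f.src_port)
        if not f.syn:
            # Frames of a tracked session pass in both directions without a rule.
            return "Allow" if flow in self.sessions or reverse in self.sessions else "Drop"
        for rule in self.rules:         # first matching rule decides (assumed)
            if (rule.src_zone, rule.dst_zone, rule.src_ip, rule.dst_ip, rule.dst_port) == \
                    (f.src_zone, f.dst_zone, f.src_ip, f.dst_ip, f.dst_port):
                if rule.action == "Allow":
                    self.sessions.add(flow)
                return rule.action
        return "NoMatch"                # evaluation would continue with the local IP rules


def demo() -> Dict[str, str]:
    """Replay both configured connections plus attempts in the opposite direction."""
    fw = StatefulFirewall(connection_rules("passive", STATION2)
                          + connection_rules("active", STATION3))
    ext, sta = "External", "Station"
    return {
        "station2_opens": fw.handle(Frame(ext, sta, STATION2, 49152, STATION1, S7_PORT, True)),
        "station1_replies": fw.handle(Frame(sta, ext, STATION1, S7_PORT, STATION2, 49152, False)),
        "station1_opens_to_station2": fw.handle(Frame(sta, ext, STATION1, 49153, STATION2, S7_PORT, True)),
        "station1_opens_to_station3": fw.handle(Frame(sta, ext, STATION1, 49154, STATION3, S7_PORT, True)),
        "station3_replies": fw.handle(Frame(ext, sta, STATION3, S7_PORT, STATION1, 49154, False)),
        "station3_opens": fw.handle(Frame(ext, sta, STATION3, 49155, STATION1, S7_PORT, True)),
        "station3_unsolicited_frame": fw.handle(Frame(ext, sta, STATION3, S7_PORT, STATION1, 50000, False)),
        "station2_https": fw.handle(Frame(ext, sta, STATION2, 49156, STATION1, 443, True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```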

Downloading the configuration to the security module

Follow the steps below:

1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".
3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".
4. Select the "Connection to interface/subnet" via which you are connected to the security module. For CPs, the S7 protocol is used for the download.
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.
7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.

   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located. S7 connections to the partner stations are allowed. Incoming S7 data traffic is permitted only from PC1 and HTTPS communication for diagnostics of the security module is allowed for every node from the external network. Every blocked access attempt is logged.

Testing firewall function

How can you test the configured function?

The function tests are performed with PC1 on which a Web browser is installed. So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external:

1. Open the project for configuration and diagnostics of the station.
2. Select the station in the project tree.

3. Select the menu command "Online" > "Connect online".
   Result: Diagnostics and downloading of a configuration are possible using the S7 protocol.

   Figure 4-17 Uploading S7 diagnostics

4. Select the security module in the project tree.
5. Select the menu command "Online" > "Connect online".
6. Start special diagnostics in the "Functions" > "Special diagnostics" menu.
   Result: NCM S7 diagnostics for CPs starts and sets up a connection to the CP.
7. In the "Connections" > "S7 connections" menu, you can check the connection status for the connections that have been set up.
   Result: The S7 connections are established and ready for communication.

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

Open a standard Web browser on PC1 and enter the following URL: "

Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 3 - PC1 with modified IP address: S7 diagnostics and configuration of the station

By changing the IP address of PC1 in this test phase, an unauthorized access attempt will be simulated. To do this, change the IP address from " " to " " as explained in the section "Make the IP settings for the PCs (Page 47)".

Now test the function of the S7 firewall rule for PC1 from external with the modified IP address as follows:

1. Open the project for configuration and diagnostics of the station.
2. Select the station in the project tree.
3. Select the menu command "Online" > "Connect online".
   Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.

   Figure 4-18 S7 diagnostics and configuration of the station

Test phase 4 - PC1 with modified IP address: HTTPS access to the Web server of the station

By changing the IP address of PC1 in this test phase, an access attempt by another PC will be simulated. In keeping with test phase 3, here instead of the IP address " ", PC1 has the IP address " ".

Open a standard Web browser on PC1 and enter the following URL: "

Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 5 - PC1: S7 diagnostics and configuration of the station

As explained in the section "Make the IP settings for the PCs (Page 47)", change the IP address of PC1 from " " back to " ".

Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:

1. Open the project for configuration and diagnostics of the station.
2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".

3. Select the security module in the project tree.
4. Select the menu command "Online" > "Online & Diagnostics".
5. In the "Diagnostics" > "Security" > "Status" menu, click the "Connect online" button.

   Figure 4-19 Connecting to the security module online

   Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.
6. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.

7. Click the "Connect online" button.
   Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.
8. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.
   Result: The unauthorized connection attempts from test phase 3 were recorded in the packet filter log and will be displayed as follows:

4.3 User-specific firewall

Overview

In this example you configure the advanced firewall and use the function of the user-specific rule sets. By making these settings in the firewall of the security module, you restrict configuration and diagnostics of the station in the internal network using the S7 protocol to one user, making the station accessible only for this one user from the external network. In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules and communication with Web servers in the internal network. Denied attempts to access the security module or the station are logged.

Setting up the test network

Internal network - connection to the internal interface of the security module

In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.

- Station1: Represents a node in the internal network
- Security module - A security module for protection of the internal network can be:
  - SCALANCE S

External network - connection to the external interface of the security module

The public, external network is connected to the external interface of the security module.

- PC1: PC with configuration software STEP 7

Requirement:

To be able to work through the example, the following requirements must be met:

- The STEP 7 configuration software is installed on PC1.
- A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:

  Controller   IP address   Subnet mask   Default gateway
  Controller

- A STEP 7 project has already been created with the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):

  Security module   IP address                      Subnet mask
  SCALANCE S        External interface [P1] red:
                    Internal interface [P2] green:

- The project with the "basic configuration" of the security module is open on PC1.

  Figure 4-20 IP settings

- You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:

PC   IP address   Subnet mask   Default gateway
PC

Follow the steps below for PC1:
1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.
7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Configuring the local firewall

Follow the steps below:
1. Change to the device view and select the security module.
   Result: The properties of the security module become configurable.
2. Select the "Firewall" menu item.
3. In the "General" box, enable the "Activate firewall" option.
4. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".
   Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.
5. Select the "IP rules" menu and add the following firewall rules:

   Action  From      To        Source IP address  Destination IP address  Service  Logging
   Allow   External  Internal  -                  -                       HTTPS
   Drop    External  Internal  -                  -                       All

   Result: The local firewall rules are displayed in the list:

Creating remote access users

Follow the steps below:
1. In the project tree, double-click on the entry "Global security settings" > "User management".
2. Create a new user and password with the following settings:
   User name: remote
   Role: Remote access
   Password: <freely selectable>

Figure 4-21 Creating remote access users

Configuring user-specific firewall rule sets

Follow the steps below:
1. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Add new IP rule set".
   Result: A global IP rule set is created.
2. Enter any name and a description for the IP rule set. In this example:
   Name: User-specific IP rule set 1
   Description: Access using S7 protocol
3. Add the following firewall rules to the list:

   Action From To Source IP address Destination IP address Service Logging
   Allow External Internal S7

   Result: A user-specific IP rule set is created:
   Figure 4-22 User-specific IP rule set
4. Change from the "User-specific IP rule set" view to the "User" view. Assign a user to the rule set who will have the right to activate the rule set.
5. Select the remote user in the "Available users" list.

6. With the "<<" button, move the user to the "Assigned users" list.
   Figure 4-23 Assigning remote access user
7. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "User-specific IP rule sets" > "Assign user-specific IP rule set".
8. Select the created rule set from the "Rule set " drop-down list.
9. Select the security module being used in the Available modules list.

10. With the "<<" button, move it to the "Assigned modules" list.
    Result: The user-specific firewall rule set has been inserted in the local firewall of the security module.
    Figure 4-24 Assigning a user-specific IP rule set to a module
11. To check this, go to the Inspector window and open the menu "Properties" > "Firewall" > "IP rules".
    Result: The user-specific firewall rule set has been added to the list before the local firewall rules. The firewall configuration is complete.
    Figure 4-25 Displaying a user-specific rule set

Downloading the configuration to the security module

Follow the steps below:
1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".
3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".
4. Select the "Connection to interface/subnet" via which you are connected to the security module. With SCALANCE S, the HTTPS protocol is used for the download.
   Figure 4-26 Downloading to the security module
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in the internal network. S7 communication for configuration and diagnostics of the station in the internal network is only possible after successful authentication with the user-specific firewall of the security module. HTTPS communication for diagnostics of the station in the internal network is allowed for every node from the external network. Every blocked access attempt is logged.

Activating a user-specific firewall rule set

1. Open a standard Web browser on PC1 and enter the following URL: "
2. In the following window, enter the user name "remote" and the corresponding password.
3. Click the "Login" button.
   Result: The defined firewall rule set is enabled for the "remote" user. Access from PC1 in the external network to the station in the internal network of the security module using the S7 protocol is permitted for 30 minutes.

Testing firewall function

How can you test the configured function?
The function tests are performed with PC1 on which a Web browser is installed. So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 firewall rule for PC1 from external as follows:
1. Activate the user-specific firewall rule set as described in the section "Activating a user-specific firewall rule set (Page 66)".
2. Open the project for configuration and diagnostics of the station in the internal network.
3. Select the station in the project tree.

4. Select the menu command "Online" > "Connect online".
   Result: Diagnostics and downloading of a configuration are possible using the S7 protocol.
   Figure 4-27 S7 diagnostics and configuration of the station
5. Deactivate the user-specific firewall rule set by clicking the "Logout" button in the Web browser.
6. As described in points 2-4, try to reach the station again using the S7 protocol.
   Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.

Figure 4-28 S7 diagnostics and configuration of the station

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:
Open a standard Web browser on PC1 and enter the following URL: "
Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 3 - diagnostics of denied access attempts with packet filter logging

Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:
1. Open the project for configuration and diagnostics of the station.
2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".
3. Select the security module in the project tree.

4. Select the menu command "Online" > "Online & Diagnostics".
   Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.
5. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.
6. Click the "Connect online" button.
   Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.
7. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.
   Result: The unauthorized connection attempts from test phase 1 were recorded in the packet filter log and will be displayed as follows:
   Figure 4-29 Display of the unauthorized connection attempts

4.4 NAT

Overview

In this example, you configure the NAT function and the advanced firewall. With the configuration, Station1 is reachable via an NAT IP address that belongs to the external subnet. Only Station1 from the internal network will be reachable for PC1 from the external network. Other nodes from the internal subnet cannot be reached. By making the settings in the firewall of the security module, you restrict configuration of the controller Station1 using the S7 protocol to the IP address of PC1 and therefore make this possible from the external network. In addition to this, all nodes from the external network can use the HTTPS protocol for communication. This allows security diagnostics of the security modules or also communication with Web servers in the internal network. Denied attempts to access the security module or the station are logged.

Setting up the test network

Internal network - connection to the internal interface of the security module
In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol.
Station1: Represents a node in the internal network

Security module - A security module for protection of the internal network can be:
SCALANCE S
CP Advanced in a SIMATIC S7-300 station
CP Advanced in a SIMATIC S7-400 station

External network - connection to the external interface of the security module
The public, external network is connected to the external interface of the security module.
PC1: PC with configuration software STEP 7

Requirement:
To be able to work through the example, the following requirements must be met:
- The STEP 7 configuration software is installed on PC1.
- A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:
  Controller IP address Subnet mask Default gateway Controller
- A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):
  Security module  IP address  Subnet mask
  SCALANCE S  External interface [P1] red:  Internal interface [P2] green:
  CP x43-1 Adv.  Ethernet interface [X1]:  PROFINET interface [X2]:

- The project with the "basic configuration" of the security module is open on PC1.
  Figure 4-30 IP settings of the basic configuration
- You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

Making IP settings for the PC

The following IP address settings are made for the PC:
PC IP address Subnet mask PC

Follow the steps outlined below:
1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".

6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.
7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Enter the values assigned to the PC from the table "Making IP settings for the PC" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Configuring destination NAT and local firewall

Follow the steps below:
1. Change to the device view and select the security module.
   Result: The properties of the security module become configurable.
2. For a CP: Select the "Security" menu item and then the "Activate security features" check box.
   Result: The security functions of the module are shown below the "Security" entry and can be configured.
3. Select the "NAT/NAPT" menu item.
4. Select the "Activate NAT" function and add the following NAT rules:

   Action From To Source IP address Source translation Destination IP address Destination translation
   Destination NAT External Internal
   Destination NAT External Internal

   Result: The following NAT rule sets will be created:
   Figure 4-31 NAT rules
5. In the "General" box, enable the "Activate firewall" option.

6. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".
   Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.
7. Select the "IP rules" menu.
   Result: The previously inserted NAT rules have automatically generated two firewall rules to which you can now add additional IP addresses and services. The expanded firewall rules then filter based on the specified IP addresses and services.
   Expand the two NAT firewall rules and add a logging rule at the end according to the following table:

   Security module Action From To Source IP address Destination IP address Service Logging

   SCALANCE S
   NAT_1 Allow External Internal S7
   NAT_2 Allow External Internal HTTPS
   Drop External Internal - - All

   CP x43-1 Adv.
   NAT_1 Drop External Station S7
   Allow External Any S7
   NAT_2 Drop External Station HTTPS
   Allow External Any HTTPS
   Drop External Any - - All

   Result: The local firewall rules are displayed in the list:
   Figure 4-32 Local IP rules in advanced firewall mode

Downloading the configuration to the security module

Follow the steps below:
1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".
3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".
4. Select the "Connection to interface/subnet" via which you are connected to the security module. For CPs, the S7 protocol is used for the download, for SCALANCE S the HTTPS protocol.
   Figure 4-33 Downloading to the security module
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.

7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists). Incoming S7 data traffic to Station1 is only permitted from PC1 and uses the NAT IP address of the security module. The HTTPS communication for diagnostics of Station1 is permitted for every node from the external network via the NAT IP address. Every blocked access attempt is logged.

Testing NAT function

How can you test the configured function?
The function tests are performed with PC1 on which a Web browser is installed. So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station

Now test the function of the S7 NAT firewall rule for PC1 from external as follows:
1. Open the project for configuration and diagnostics of the station in the internal network.
2. Select the station in the project tree.
3. Select the menu command "Online" > "Download to device".

4. In the "Compatible devices in target subnet" list, enter the NAT IP address " " in the Access address box. Confirm the input by clicking on a point outside the row.
   Result: The NAT IP address is defined as the access address to Station1.
5. Click the "Load" button.
6. In the "Load preview" dialog, click the "Load" button.
   Result: The configuration is downloaded to the security module.
7. Click the "Finish" button to complete the download and to restart Station1.
   Result: Diagnostics and downloading configuration data via the NAT IP address are possible using the S7 protocol.

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:
Open a standard Web browser on PC1 and enter the following URL: "
Result: Access to the Web server via the NAT IP address using the HTTPS protocol is possible.

Test phase 3 - PC1 with modified IP address: S7 diagnostics and configuration of the station

By changing the IP address of PC1 in this test phase, an unauthorized access attempt will be simulated. To do this, change the IP address from " " to " " as explained in the section "Making IP settings for the PC (Page 73)".

Now test the function of the S7 NAT firewall rule for PC1 from external with the modified IP address as follows:
1. Open the project for configuration and diagnostics of the station.
2. Select the station in the project tree.
3. Select the menu command "Online" > "Download to device".
4. In the "Compatible devices in target subnet" list, enter the NAT IP address " " in the Access address box. Confirm the input by clicking on a point outside the row.
   Result: The NAT IP address cannot be reached. Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.

Figure 4-34 S7 diagnostics and configuration of the station

Test phase 4 - PC1 with modified IP address: HTTPS access to the Web server of the station

By changing the IP address of PC1 in this test phase, an access attempt by another PC will be simulated. In keeping with test phase 3, here instead of the IP address " ", PC1 has the IP address " ".
Open a standard Web browser on PC1 and enter the following URL: "
Result: Access to the Web server via the NAT IP address using the HTTPS protocol is possible.

Test phase 5 - PC1: S7 diagnostics and configuration of the station

As explained in the section "Making IP settings for the PC (Page 73)", change the IP address of PC1 from " " back to " ".

Now test the function of the packet filter logging of the firewall rules you activated in the global firewall rules as follows:
1. Open the project for configuration and diagnostics of the station.
2. To log in to the project, enter your login in the project tree using "Global security settings" > "User login".
3. Select the security module in the project tree.
4. Select the menu command "Online" > "Online & Diagnostics".

5. For CPs: In the "Diagnostics" > "Security" > "Status" menu, click the "Connect online" button.
   Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.
   Figure 4-35 Connecting to the security module online
6. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.

7. Click the "Connect online" button.
   Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.
   Figure 4-36 Running security diagnostics with HTTPS
8. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.
   Result: The unauthorized connection attempts from test phase 3 were recorded in the packet filter log and will be displayed as follows:

Figure 4-37 Display of the unauthorized connection attempts
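The outcomes of the test phases in sections 4.3 and 4.4 follow from the order of the IP rules and can be replayed in a small model. The Python below is an added example, not Siemens code or part of the original manual; first-match evaluation, the default deny when no rule matches, TCP ports 102 (S7) and 443 (HTTPS), the class and function names and all IP addresses are assumptions or constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: S7 communication uses ISO-on-TCP (TCP 102), HTTPS uses TCP 443.
SERVICE_PORTS = {"S7": 102, "HTTPS": 443}
USER_RULE_LIFETIME = 30 * 60  # seconds; the manual states 30 minutes after login

# Constructed addresses (documentation ranges), not the manual's values.
PC1, PC1_MODIFIED = "192.0.2.10", "192.0.2.99"
NAT_IP, STATION1 = "192.0.2.200", "198.51.100.5"


@dataclass(frozen=True)
class Rule:
    action: str                    # "Allow" or "Drop"
    service: Optional[str] = None  # None matches every service ("All")
    src: Optional[str] = None      # None matches every source address ("-")
    log: bool = False              # write matches to the packet filter log
    user: Optional[str] = None     # set for rules of a user-specific rule set

    def matches(self, src: str, port: int) -> bool:
        if self.service is not None and SERVICE_PORTS[self.service] != port:
            return False
        return self.src is None or self.src == src


class SecurityModule:
    """Toy model of external -> internal filtering; first match wins (assumption)."""

    def __init__(self, rules, dnat=None):
        self.rules = list(rules)
        self.dnat = dict(dnat or {})  # NAT IP -> internal IP (destination NAT)
        self.sessions = {}            # user name -> expiry time in seconds
        self.packet_filter_log = []

    def login(self, user: str, now: float) -> None:
        self.sessions[user] = now + USER_RULE_LIFETIME

    def logout(self, user: str) -> None:
        self.sessions.pop(user, None)

    def handle(self, src: str, dst: str, port: int, now: float = 0.0):
        """Return (action, destination after NAT) for one inbound connection."""
        dst = self.dnat.get(dst, dst)
        for rule in self.rules:
            # A user-specific rule takes part only while its user is logged in.
            if rule.user is not None and self.sessions.get(rule.user, 0.0) <= now:
                continue
            if rule.matches(src, port):
                if rule.log:
                    self.packet_filter_log.append((now, src, dst, port, rule.action))
                return rule.action, dst
        return "Drop", dst  # nothing matched: treated as denied (assumption)


def user_specific_firewall() -> SecurityModule:
    """Section 4.3: the rule set of user "remote" sits before the local rules."""
    return SecurityModule([
        Rule("Allow", "S7", user="remote"),
        Rule("Allow", "HTTPS"),
        Rule("Drop", log=True),
    ])


def nat_firewall() -> SecurityModule:
    """Section 4.4, SCALANCE S rows: S7 only from PC1, HTTPS from every node."""
    return SecurityModule([
        Rule("Allow", "S7", src=PC1),
        Rule("Allow", "HTTPS"),
        Rule("Drop", log=True),
    ], dnat={NAT_IP: STATION1})


def run_test_phases() -> dict:
    """Replay the manual's test phases; return the outcome seen in each."""
    seen = {}
    fw = user_specific_firewall()
    fw.login("remote", now=0)
    seen["4.3 S7, logged in"] = fw.handle(PC1, STATION1, 102, now=60)[0]
    seen["4.3 S7, after 30 min"] = fw.handle(PC1, STATION1, 102, now=1800)[0]
    fw.login("remote", now=2000)
    fw.logout("remote")
    seen["4.3 S7, logged out"] = fw.handle(PC1, STATION1, 102, now=2100)[0]
    seen["4.3 HTTPS, any node"] = fw.handle(PC1_MODIFIED, STATION1, 443, now=2100)[0]
    nat = nat_firewall()
    seen["4.4 S7 from PC1"] = nat.handle(PC1, NAT_IP, 102)
    seen["4.4 S7, modified IP"] = nat.handle(PC1_MODIFIED, NAT_IP, 102)[0]
    seen["4.4 HTTPS, modified IP"] = nat.handle(PC1_MODIFIED, NAT_IP, 443)[0]
    seen["4.4 log entries"] = len(nat.packet_filter_log)
    return seen


if __name__ == "__main__":
    for phase, outcome in run_test_phases().items():
        print(f"{phase}: {outcome}")
```

Only connections that fall through to the final Drop rule produce a log entry, which is why the packet filter log in the last test phase of each section shows the S7 attempts and not the HTTPS accesses.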


VPN for network linking

5.1 VPN tunnel in the LAN between all security products

Overview

In this example the VPN tunnel function will be configured. In this example, the security modules form the tunnel endpoints via a local network. With this configuration, IP traffic is possible only over the established VPN tunnel connections between the authorized partners.

Setting up the test network

Internal network - connection to the internal interface of the security module
In the internal network in the test setup, the network node is implemented by a SIMATIC S7 station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.
Station1: Represents a node in the internal network
PC2: Is used to test the tunnel function with S7 diagnostics and for configuration of Station1.

Security module 1 - A security module for protection of the internal network can be:
SCALANCE S (not S602)
CP Advanced in a SIMATIC S7-300 station
CP Advanced in a SIMATIC S7-400 station

Station2 with security module 2 - One of the following stations with security module:
CP in a SIMATIC S station
CP in a SIMATIC S station

External network - attachment to the external interface of the security module
The external network is represented by a switch to which the external interfaces of all security modules are connected. If there are only two security modules to connect, these can also be connected directly via the external interface.
PC1: PC with configuration software STEP 7 and SOFTNET Security Client

Requirement:
To be able to work through the example, the following requirements must be met:
- The STEP 7 configuration software and the SOFTNET Security Client are installed on PC1.
- Only for CP x43-1 Adv. and SCALANCE S: A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:
  Controller IP address Subnet mask Default gateway Controller
- A STEP 7 project has already been created with the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):
  Security module  IP address  Subnet mask
  SCALANCE S  External interface [P1] red:  Internal interface [P2] green:
  CP 1x43-1  Ethernet interface [X1]:
  CP x43-1 Adv.  Ethernet interface [X1]:  PROFINET interface [X2]:

- The project with the "basic configuration" of the security module is open on PC1.
  Figure 5-1 IP settings of the basic configuration
- You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

Make the IP settings for the PCs

For the test, PC1 is given the following IP address setting:
PC IP address Subnet mask Default gateway PC

Follow these steps:
1. On PC1, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.
7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Now enter the values assigned to the PC from the table "Making the IP settings for the PCs" in the relevant boxes.

9. Close the dialogs with "OK" and close the Control Panel.
10. Repeat the steps listed above on PC2 and assign the following network parameters:
    IP address:
    Subnet mask:
    Default gateway:

Note
To be able to communicate within the various internal networks of the security modules, you need to set explicit routes on the PC. To do this, use the "route add" function in the command prompt.

Creating SOFTNET Security Client module

Creating a new security module
1. Change to the project view with the "Open the project view" menu item.
2. In the Project tree, double-click on the "Devices & networks" menu item.
   Result: The network view opens.
3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view. You will find the security module by navigating as follows in the "Hardware catalog":
   Security module: SOFTNET Security Client
   Navigation in the hardware catalog: "PC systems" > "Softnet Security Client"

Configuring a VPN group

The SOFTNET Security Client and the security modules can establish a VPN tunnel for secure communication if they are assigned to the same group in the project.

Follow the steps below:
1. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Add new VPN group".
   Result: A VPN group is created.
2. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Assign module to a VPN group".
3. Select the created VPN group from the "VPN " drop-down list.

4. Select the SOFTNET Security Client module and the security module being used in the Available modules list.
5. With the "<<" button, move this to the "Assigned modules" list.
   Result: The security modules were added to the VPN group.
   Figure 5-2 VPN assignment
6. To check this, open the "VPN" tab in the network view.
   Figure 5-3 Displaying VPN membership
7. Double-click on the newly created VPN group in the project tree.
8. In the Inspector window, select the "Advanced settings phase 1" menu item and change the "SA lifetime" to the value "2879".
9. In the Inspector window, select the "Advanced settings phase 2" menu item and change the "SA lifetime" to the value "2879".

Saving the SOFTNET Security Client configuration

Follow the steps below:
1. Select the SOFTNET Security Client in the project tree.
2. Select the "Edit" > "Compile" menu command and assign a password for the private key of the certificate.
   Result: The configuration file "Projectname.SSC-Modulename.dat" and the certificates are stored in the "Path to the SSC configuration files". You can adapt the path in the properties of the SOFTNET Security Client module.

Downloading the configuration to the security module

Follow the steps below:
1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".
3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. Select the "Connection to interface/subnet" via which you are connected to the security module. For CPs, the S7 protocol is used for the download, for SCALANCE S the HTTPS protocol.
   Figure 5-4 Downloading to the security module
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.
7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Perform the steps listed above for all existing security modules.

Result: Security module in productive mode

The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists). Communication with the station, or with the station in the internal network, is now possible only in encrypted form via the VPN tunnel.

Set up a tunnel with the SOFTNET Security Client

Follow the steps outlined below:
1. Start the SOFTNET Security Client on PC1.
2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-Modulename.dat" configuration file.
3. Enter the password for the private key of the certificate and confirm with "Next".
4. You will now be asked whether the tunnel connections for all internal nodes should be activated. Click the "Yes" button in this dialog.
5. Click the "Tunnel Overview" button.

Result: Active tunnel connection

The tunnel between the security module and the SOFTNET Security Client was established. This status is indicated by the green circle beside the "S612" entry. The Logging Console of the Tunnel Overview displays, among other things, information on the sequence of executed connection attempts.

The configuration is complete. The security module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network.

Testing the tunnel
How can you test the configured function?
The function tests are performed with PC1. Test phase 1 can also be performed analogously with PC2.

Test phase 1 - PC1: S7 diagnostics and configuration of the station
Now test the function of the S7 firewall rule for PC1 from external:
1. Open the project for configuration and diagnostics of the station:
   - for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network
   - for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located
2. Select the station in the project tree.
3. Select the menu command "Online" > "Connect online".
Figure 5-5 S7 diagnostics and configuration of the station

Result: Diagnostics and downloading of a configuration are possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets must have been transported through the VPN tunnel.

Test phase 2 - PC1: S7 diagnostics and configuration of the station
Now repeat the test for the function with the terminated tunnel connection for PC1 from external as follows:
1. Close the tunnel overview in the SOFTNET Security Client.
2. Click the "Enable" button.
3. Confirm the next dialog with "OK".
   Result: The tunnel connection to the security module is terminated.
4. Open the project for configuration and diagnostics of the station:
   - for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network
   - for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located
5. Select the station in the project tree.
6. Select the menu command "Online" > "Connect online".
Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets cannot reach the station without a VPN tunnel.

5.2 VPN tunnel SOFTNET Security Client and CPs or SCALANCE S

Overview
In this example, you configure the VPN tunnel function. In this example, the SOFTNET Security Client and a security module form the two tunnel endpoints for the secure tunnel connection via a public network. With this configuration, IP traffic is possible only over the established VPN tunnel connection between the two authorized partners.

Setting up the test network for SCALANCE S, CP x43-1 Adv.
Internal network - connection to the internal interface of the security module
In the internal network in the test setup, the network node is implemented by a SIMATIC S7-Station with an integrated Web server that supports the HTTPS protocol. The station is connected to the internal interface of the security module.
Station1: Represents a node in the internal network
Security module - A security module for protection of the internal network can be:
- SCALANCE S (not S602)
- CP Advanced in a SIMATIC S7-300 station
- CP Advanced in a SIMATIC S7-400 station
External network - connection to the external interface of the security module
The public, external network is connected to the external interface of the security module.
PC1: PC with configuration software STEP 7 and SOFTNET Security Client

Setup of the test network CP 1x43-1
Station - one of the following stations with security module:
- CP in a SIMATIC S station
- CP in a SIMATIC S station
External network - connection to the external interface of the security module
The public, external network is connected to the external interface of the security module.
PC1: PC with configuration software STEP 7 and SOFTNET Security Client software

Requirement:
To be able to work through the example, the following requirements must be met:
- The STEP 7 configuration software is installed on PC1.
- Only for CP x43-1 Adv. and SCALANCE S: A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:
  Controller IP address Subnet mask Default gateway Controller
- A STEP 7 project has already been created with one of the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):
  Security module IP address Subnet mask SCALANCE S External interface [P1] red: Internal interface [P2] green:

  Security module IP address Subnet mask CP 1x43-1 Ethernet interface [X1]: CP x43-1 Adv. Ethernet interface [X1]: PROFINET interface [X2]:
- The project with the "basic configuration" of the security module is open on PC1.
- You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

Make the IP settings for the PCs
For the test, PC1 is given the following IP address setting:
PC IP address Subnet mask Default gateway PC

Follow the steps below for PC1:
1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.
7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Creating SOFTNET Security Client module
Creating a new security module
1. Change to the project view with the "Open the project view" menu item.
2. In the Project tree, double-click on the "Devices & networks" menu item.
   Result: The network view opens.
3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view. You will find the security module by navigating as follows in the "Hardware catalog":
   Security module | Navigation in the hardware catalog
   SOFTNET Security Client | "PC systems" > "Softnet Security Client"

Configuring a VPN group
The SOFTNET Security Client and a security module can establish a VPN tunnel for secure communication when they are assigned to the same VPN group in the project.
Follow the steps below:
1. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Add new VPN group".
   Result: A VPN group is created.
2. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Assign module to a VPN group".
3. Select the created VPN group from the "VPN " drop-down list.
4. Select the created SOFTNET Security Client module and the security module being used in the Available modules list.

5. With the "<<" button, move this to the "Assigned modules" list.
   Result: The security modules were added to the VPN group.
6. To check this, open the "VPN" tab in the network view.
   Figure 5-6 Displaying VPN membership
7. Double-click on the newly created VPN group in the project tree.
8. In the Inspector window, select the "Advanced settings phase 1" menu item and change the "SA lifetime" to the value "2879".
9. In the Inspector window, select the "Advanced settings phase 2" menu item and change the "SA lifetime" to the value "2879".

Configuring VPN properties of the security module
Follow the steps below:
1. Change to the device view and select the security module.
   Result: The properties of the security module become configurable.
2. Select the "VPN" menu item.
3. Change the entry from "Permission to initiate connection establishment" to "Waiting for partner (responder)".
   Result: The security module waits for a VPN connection to be established by the client (SSC).

Note
If a WAN is used as an external public network, enter an IP address from the internal subnet of your DSL router as "IP address ext.". As the standard router, the internal IP address of the DSL router must be entered. Enter the public IP address assigned by the provider in the "VPN" tab of the module properties in "WAN IP address / FQDN".
If you use a DSL router as Internet gateway, the following ports of the router must be forwarded to the external IP address of the security module:
- Port 500 (ISAKMP)
- Port 4500 (NAT-T)

Saving the SOFTNET Security Client configuration
Follow the steps below:
1. Select the SOFTNET Security Client in the project tree.
2. Select the "Edit" > "Compile" menu command and assign a password for the private key of the certificate.
Result: The configuration file "Projectname.SSC-Modulename.dat" and the certificates are stored in the "Path to the SSC configuration files". You can adapt the path in the properties of the SOFTNET Security Client module.

Downloading the configuration to the security module
Follow the steps below:
1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".

3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".
4. Select the "Connection to interface/subnet" via which you are connected to the security module. For CPs, the S7 protocol is used for the download, for SCALANCE S the HTTPS protocol.
   Figure 5-7 Downloading to the security module
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.
7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode
The configuration is complete. The security module protects the station in which the security module is located or Station1 in the internal network of the security module (if it exists). The communication with the station or to the station in internal network can now only be encrypted and via the VPN tunnel.

Set up a tunnel with the SOFTNET Security Client
Follow the steps outlined below:
1. Start the SOFTNET Security Client on PC1.
2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-Modulename.dat" configuration file.
3. Enter the password for the private key of the certificate and confirm with "Next".
4. You will now be asked whether the tunnel connections for all internal nodes should be activated. Click the "Yes" button in this dialog.
5. Click the "Tunnel Overview" button.
Result: Active tunnel connection
The tunnel between the security module and the SOFTNET Security Client was established. This status is indicated by the green circle beside the "S612" entry. In the Logging Console of the Tunnel Overview, among other things information on the sequence of executed connection attempts is displayed.

The configuration is complete. The security module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network.

Testing the tunnel
How can you test the configured function?
The function tests are performed with PC

Test phase 1 - PC1: S7 diagnostics and configuration of the station
Now test the function of the S7 firewall rule for PC1 from external as follows:
1. Open the project for configuration and diagnostics of the station:
   - for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network
   - for CP 1x43-1 (as an alternative also possible for station1 with CP x43-1 Adv.): the project for the station in which the security module is located
2. Select the station in the project tree.
3. Select the menu command "Online" > "Connect online".
Figure 5-8 S7 diagnostics and configuration of the station

Result: Diagnostics and downloading of a configuration are possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets must have been transported through the VPN tunnel.

Test phase 2 - PC1: S7 diagnostics and configuration of the station
Now repeat the test for the function with the terminated tunnel connection for PC1 from external as follows:
1. Close the tunnel overview in the SOFTNET Security Client.
2. Click the "Enable" button.
3. Confirm the next dialog with "OK".
   Result: The tunnel connection to the security module is terminated.
4. Open the project for configuration and diagnostics of the station:
   - for CP x43-1 Adv. and SCALANCE S: the project for Station1 from the internal network
   - for CP 1x43-1 (also possible as an alternative to Station 1 with CP x43-1 Adv.): the project for the station in which the security module is located
5. Select the station in the project tree.
6. Select the menu command "Online" > "Connect online".
Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. Since no other communication has been explicitly allowed in the firewall, these packets cannot reach the station without a VPN tunnel.

5.3 VPN with SOFTNET Security Client and SCALANCE S as user-specific firewall

Overview
In this example, you configure the VPN tunnel function. In this example, the SOFTNET Security Client and a security module form the two tunnel endpoints for the secure tunnel connection via a public network. With this configuration, IP traffic is possible only over the established VPN tunnel connection between the two authorized partners.
In this example you also configure the advanced firewall and use the function of the user-specific rule sets. By making these settings in the firewall of the security module, you restrict configuration and diagnostics of the station in the internal network using the S7 protocol to one user, making the station accessible only for this one user via the VPN tunnel connection that has been set up. In addition to this, all nodes can use the HTTPS protocol for communication via the tunnel connection. This allows security diagnostics of the security modules and communication with Web servers in the internal network. Denied attempts to access the security module or the station are logged.

Setting up the test network

Internal network - connection to the internal interface of the security module
In the internal network in the test setup, the network node is implemented by a device with an integrated Web server that supports the HTTPS protocol. The device is connected to the internal interface of the security module.
Station1: Represents a node in the internal network
Security module - A security module for protection of the internal network can be:
- SCALANCE S (not S602)
External network - connection to the external interface of the security module
The public, external network is connected to the external interface of the security module.
PC1: PC with configuration software STEP 7 and SOFTNET Security Client

Requirement:
To be able to work through the example, the following requirements must be met:
- The STEP 7 configuration software is installed on PC1.
- A SIMATIC S7 station with integrated Web server that supports the HTTPS protocol exists as a node in the internal network with the following settings:
  Controller IP address Subnet mask Default gateway Controller
- A STEP 7 project has already been created with the following settings and downloaded to the security module or the controller (for more detailed information on the precise procedure, refer to the section Basic configuration (Page 15)):
  Security module IP address Subnet mask SCALANCE S External interface [P1] red: Internal interface [P2] green:
- The project with the "basic configuration" of the security module is open on PC1.
  Figure 5-9 IP settings of the basic configuration
- You have logged in with your security login in the project tree with the "Global security settings" > "User login" menu.

Overview of the next steps:

Make the IP settings for the PCs
For the test, PC1 is given the following IP address setting:
PC IP address Subnet mask Default gateway PC
Follow the steps below for PC1:
1. On the PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click the "Network and Internet" icon > "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Double-click on the required network connection.
4. In the "Status of [network]" dialog, click the "Properties" button.
5. Confirm the Windows prompt with "Yes".
6. Make sure that the option "Internet Protocol Version 4 (TCP/IPv4)" is enabled and double-click on it.

7. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button.
8. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes.
9. Close the dialogs with "OK" and close the Control Panel.

Creating SOFTNET Security Client module
Creating a new security module
1. Change to the project view with the "Open the project view" menu item.
2. In the Project tree, double-click on the "Devices & networks" menu item.
   Result: The network view opens.
3. Open the "Hardware catalog" and drag the relevant security module to add it to the network view. You will find the security module by navigating as follows in the "Hardware catalog":
   Security module | Navigation in the hardware catalog
   SOFTNET Security Client | "PC systems" > "Softnet Security Client"

Configuring a VPN group
The SOFTNET Security Client and a SCALANCE S can establish a VPN tunnel for secure communication if they are assigned to the same VPN group in the project.
Follow the steps below:
1. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Add new VPN group".
   Result: A VPN group is created.
2. In the project tree, double-click on the entry "Global security settings" > "VPN groups" > "Assign module to a VPN group".
3. Select the created VPN group from the "VPN " drop-down list.
4. Select the SOFTNET Security Client module and the security module being used in the Available modules list.

5. With the "<<" button, move these to the "Assigned modules" list.
   Result: The security modules were added to the VPN group.
6. To check this, open the "VPN" tab in the network view.
7. Double-click on the newly created VPN group in the project tree.
8. In the Inspector window, select the "Advanced settings phase 1" menu item and change the "SA lifetime" to the value "2879".
9. In the Inspector window, select the "Advanced settings phase 2" menu item and change the "SA lifetime" to the value "2879".

Configuring VPN properties of the security module
Follow the steps below:
1. Change to the device view and select the security module.
   Result: The properties of the security module become configurable.
2. Select the "VPN" menu item.
3. Change the entry from "Permission to initiate connection establishment" to "Waiting for partner (responder)".
   Result: The security module waits for a VPN connection to be established by the client (SSC).

Note
If a WAN is used as an external public network, enter an IP address from the internal subnet of your DSL router as "IP address ext.". As the standard router, the internal IP address of the DSL router must be entered. Enter the public IP address assigned by the provider in the "VPN" tab of the module properties in "WAN IP address / FQDN".
If you use a DSL router as Internet gateway, the following ports of the router must be forwarded to the external IP address of the security module:
- Port 500 (ISAKMP)
- Port 4500 (NAT-T)

Configuring the local firewall
Follow the steps below:
1. Change to the device view and select the security module.
   Result: The properties of the security module become configurable.
2. Select the "Firewall" menu item.
3. In the "General" box, enable the "Activate firewall" option.

4. Enable the "Activate firewall in advanced mode" function. Confirm the prompt with "Yes".
   Result: The firewall of the security module is switched to the advanced mode. You can now configure firewall rules that filter for IP addresses and services. Switching back to the standard mode of the firewall is not possible.
5. Select the "IP rules" menu and add the following firewall rules depending on the security module you are using:
   Action | From | To | Source IP address | Destination IP address | Service | Logging
   Allow | Tunnel | Internal | - | - | HTTPS |
   Drop | Tunnel | Internal | - | - | All |
   Result: The local firewall rules are displayed in the list:
   Figure 5-10 Local IP rules in advanced firewall mode

Creating remote access users
Follow the steps below:
1. In the project tree, double-click on the entry "Global security settings" > "User management".
2. Create a new user and password with the following settings:
   - User name: remote
   - Role: Remote access
   - Password: <freely selectable>

   Figure 5-11 Creating remote access users

Configuring user-specific firewall rule sets
Follow the steps below:
1. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "Global firewall rule sets" > "IP rule sets" > "Add new IP rule set".
   Result: A global IP rule set is created.
2. Enter any name and a description for the IP rule set. In this example:
   - Name: User-specific IP rule set 1
   - Description: Access using S7 protocol
3. Add the following firewall rule to the list:
   Action | From | To | Source IP address | Destination IP address | Service | Logging
   Allow | Tunnel | Internal | | | S7 |
   Result: A user-specific IP rule set is created.
   Figure 5-12 User-specific IP rule set
4. Change from the "User-specific IP rule set" view to the "User" view. Assign a user to the rule set who will have the right to activate the rule set.
5. Select the remote user in the "Available users" list.

6. With the "<<" button, move the user to "Assigned users" list.
7. In the project tree, double-click on the entry "Global security settings" > "Firewall" > "User-specific IP rule sets" > "Assign user-specific IP rule set".
8. Select the created rule set from the "Rule set " drop-down list.
9. Select the security module being used in the Available modules list.

10. With the "<<" button, move it to "Assigned modules" list.
    Result: The user-specific firewall rule set has been inserted in the local firewall of the security module.
    Figure 5-13 Assigning a user-specific IP rule set to a module
11. To check this, go to the Inspector window and open the menu "Properties" > "Firewall" > "IP rules".
    Result: The user-specific firewall rule set has been added to the list before the local firewall rules. The firewall configuration is therefore complete.
    Figure 5-14 Displaying a user-specific rule set

Saving the SOFTNET Security Client configuration
Follow the steps below:
1. Select the SOFTNET Security Client in the project tree.
2. Select the "Edit" > "Compile" menu command and assign a password for the private key of the certificate.
Result: The configuration file "Projectname.SSC-Modulename.dat" and the certificates are stored in the "Path to the SSC configuration files". You can adapt the path in the properties of the SOFTNET Security Client module.

Downloading the configuration to the security module
Follow the steps below:
1. Select the security module in the project tree.
2. Select the menu command "Online" > "Download to device".
3. In the next window, select the "Type of the PG/PC interface" and the "PG/PC interface".

4. Select the "Connection to interface/subnet" via which you are connected to the security module. With SCALANCE S, the HTTPS protocol is used for the download.
5. Click the "Start search" button.
   Result: The security module is displayed in the "Compatible devices in target subnet" list.
6. Select the security module in the list and click the "Load" button.
7. After the check, click the "Load" button in the next dialog.
   Result: The configuration is downloaded to the security module.
8. If the download was completed free of error, click the "Finish" button.
   Result: The security module restarts automatically and the downloaded configuration is activated.

Result: Security module in productive mode
The configuration is complete. The security module protects Station1 in the internal network of the security module (if this exists).

The communication with the station or to the station in internal network can now only be encrypted and via the VPN tunnel.

Set up a tunnel with the SOFTNET Security Client
Follow the steps outlined below:
1. Start the SOFTNET Security Client on PC1.
2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-Modulename.dat" configuration file.
3. Enter the password for the private key of the certificate and confirm with "Next".
4. You will now be asked whether the tunnel connections for all internal nodes should be activated. Click the "Yes" button in this dialog.
5. Click the "Tunnel Overview" button.
Result: Active tunnel connection
The tunnel between the security module and the SOFTNET Security Client was established. This status is indicated by the green circle beside the "S612" entry. In the Logging Console of the Tunnel Overview, among other things information on the sequence of executed connection attempts is displayed.

The configuration is complete. The security module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network.

Activating a user-specific firewall rule set
1. Open a standard Web browser on PC1 and enter the following URL: "
2. In the following window, enter the user name "remote" and the corresponding password.
3. Click the "Login" button.
Result: The defined firewall rule set is enabled for the "remote" user. Access to the station in the internal network of the security module using the S7 protocol of PC1 in the external network is permitted for 30 minutes.

Testing the tunnel and firewall function
How can you test the configured function?
The function tests are performed with PC1 on which a Web browser is installed. So that the denied access attempts are recorded and displayed by the firewall, use the packet filter logging function.

Test phase 1 - PC1: S7 diagnostics and configuration of the station
Now test the function of the S7 firewall rule for PC1 from external:
1. Activate the user-specific firewall rule set as described in the section "Activating a user-specific firewall rule set (Page 126)".
2. Open the project for configuration and diagnostics of the station in the internal network.
3. Select the station in the project tree.

4. Select the menu command "Online" > "Connect online".
   Result: Diagnostics and downloading of a configuration are possible using the S7 protocol. Since no other communication other than via the VPN tunnel was allowed explicitly in the firewall, these packets must have been transported through the VPN tunnel.
5. Deactivate the user-specific firewall rule set by clicking the "Logout" button in the Web browser.
6. As described in points 2-4, try to reach the station again using the S7 protocol.
   Result: Diagnostics and downloading of a configuration are not possible using the S7 protocol. The time for the connection attempt expires and no connection can be established to the station.

Test phase 2 - PC1: HTTPS access to the Web server of the station

Now test the function of the HTTPS firewall rule for all nodes from the external network as follows:

Open a standard Web browser on PC1 and enter the following URL: "

Result: Access to the Web server using the HTTPS protocol is possible.

Test phase 3 - diagnostics of denied access attempts with packet filter logging

Now test the packet filter logging of the firewall rules you activated in the global firewall rules as follows:

1. Open the project for configuration and diagnostics of the station.
2. Log in to the project by entering your login in the project tree under "Global security settings" > "User login".
3. Select the security module in the project tree.
4. Select the menu command "Online" > "Online & Diagnostics".

Result: The "Online access" dialog opens. As "Type of the PG/PC interface", the "HTTPS" protocol is preset.

5. Select the "PG/PC interface" and the "Connection to interface/subnet" via which you are connected to the security module.
6. Click the "Connect online" button.

Result: The online connection to the security module is established and security diagnostics with HTTPS is possible.

7. In the "Diagnostics" > "Packet filter log" menu, click the "Start reading" button.

Result: The unauthorized connection attempts from test phase 1 were recorded in the packet filter log and are displayed as follows:

Figure 5-15 Display of the unauthorized connection attempts
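The expected results of test phases 1 and 2 can also be checked from PC1 with a short script that attempts a TCP connection to the station and compares the outcome with the results stated above. This is an added example and not part of the manual. The station address is passed on the command line; port 443 for the station's Web server, and the HTTPS rule being independent of the user login, are assumptions.

```python
"""Scripted counterpart of test phases 1 and 2 (added example, not Siemens code).

Run on PC1 with the VPN tunnel established:
    python check_rules.py logged_in  <station-ip>
    python check_rules.py logged_out <station-ip>
"""
import socket
import sys

S7_PORT = 102     # ISO-on-TCP (RFC 1006), the transport used by S7 communication
HTTPS_PORT = 443  # assumption: the station's Web server uses the HTTPS default port
PORTS = {"s7": S7_PORT, "https": HTTPS_PORT}

# Expected outcome per (rule set state, service), taken from the stated results.
EXPECTED = {
    ("logged_in", "s7"): "open",       # phase 1, steps 1-4: S7 access permitted
    ("logged_out", "s7"): "timeout",   # phase 1, steps 5-6: connection attempt expires
    ("logged_in", "https"): "open",    # phase 2: HTTPS rule for all external nodes
    ("logged_out", "https"): "open",   # assumption: rule does not depend on the login
}


def probe(host, port, timeout=5.0, connect=socket.create_connection):
    """Attempt one TCP handshake and classify how it ended."""
    try:
        conn = connect((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"   # no answer at all: the packet was dropped on the way
    except ConnectionRefusedError:
        return "refused"   # a reset came back: path is open, nothing is listening
    except OSError as exc:
        return "error:" + type(exc).__name__   # e.g. no route because the tunnel is down
    conn.close()
    return "open"


def verify(state, host, connect=socket.create_connection, timeout=5.0):
    """Probe both services and compare each result with EXPECTED for this state.

    Returns one dict per service with the keys service, port, got, expected, ok.
    A successful handshake on port 102 shows that the firewall passes the
    connection; it does not exercise S7 diagnostics itself.
    """
    if state not in ("logged_in", "logged_out"):
        raise ValueError("state must be 'logged_in' or 'logged_out'")
    findings = []
    for service, port in PORTS.items():
        got = probe(host, port, timeout=timeout, connect=connect)
        expected = EXPECTED[(state, service)]
        findings.append({"service": service, "port": port, "got": got,
                         "expected": expected, "ok": got == expected})
    return findings


def deviations(findings):
    """Return only the findings that differ from the expected result."""
    return [f for f in findings if not f["ok"]]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_rules.py logged_in|logged_out <station-ip>")
    results = verify(sys.argv[1], sys.argv[2])
    for f in results:
        mark = "OK  " if f["ok"] else "FAIL"
        print("%s %-5s tcp/%-3d got=%s expected=%s"
              % (mark, f["service"], f["port"], f["got"], f["expected"]))
    sys.exit(1 if deviations(results) else 0)
```

A "timeout" on port 102 after logout is only attributable to the rule set if the same probe returned "open" while logged in; run both states in sequence. An "open" result on port 102 after logout means the S7 rule is still in effect and should be investigated before the packet filter log is read.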


More information

SINETPLAN Siemens Network Planner

SINETPLAN Siemens Network Planner Siemens Hardware SINETPLAN Operating Manual 07/2017 A5E37575946-AB Introduction 1 Getting Started 2 Installation 3 Graphical user interface 4 Importing projects from STEP 7 5 Importing projects from STEP

More information

Industrial Controls. SIMOCODE pro SIMOCODE pro PCS 7 Library. Preface. Security information. Product specific security. information.

Industrial Controls. SIMOCODE pro SIMOCODE pro PCS 7 Library. Preface. Security information. Product specific security. information. Industrial Controls SIMOCODE pro Preface 1 Product specific security Security information 2 information 3 Introduction 4 5 References 6 List of Abbreviations 7 10/2018 A5E36558134002A/RS-AB/002 Legal information

More information

BaseUnits (6ES7193-6BP.../3RK1908-0AP00 ) SIMATIC. ET 200SP BaseUnits. Preface. Guide to the documentation 1. Product overview 2

BaseUnits (6ES7193-6BP.../3RK1908-0AP00 ) SIMATIC. ET 200SP BaseUnits. Preface. Guide to the documentation 1. Product overview 2 BaseUnits (6ES7193-6BP.../3RK1908-0AP00 ) SIMATIC ET 200SP BaseUnits (6ES7193-6BP.../3RK1908-0AP00 ) Manual Preface Guide to the documentation 1 Product overview 2 BaseUnits for I/O modules 3 BaseUnits

More information

Cycle and response times SIMATIC. S Cycle and response times. Preface. Documentation guide. Program processing 2. Cyclic program processing 3

Cycle and response times SIMATIC. S Cycle and response times. Preface. Documentation guide. Program processing 2. Cyclic program processing 3 Preface Documentation guide 1 SIMATIC S7-1500 Program processing 2 Cyclic program processing 3 Event-driven program processing 4 Function Manual 02/2014 A5E03461504-02 Legal information Warning notice

More information

SIMATIC. Process Control System PCS 7 Software update with utilization of new functions. Security information 1. Preface 2.

SIMATIC. Process Control System PCS 7 Software update with utilization of new functions. Security information 1. Preface 2. Security information 1 Preface 2 SIMATIC Process Control System PCS 7 Software update with utilization of new functions Service Manual Introduction 3 Overview of Upgrade Steps 4 Preparing for the software

More information

Block Library Motor Starter SIRIUS for SIMATIC PCS 7

Block Library Motor Starter SIRIUS for SIMATIC PCS 7 Industrial Controls Block Library Motor Starter SIRIUS for SIMATIC PCS 7 SIRIUS Motor Starter PCS 7 Library V7.1+SP2 / SIRIUS Motor Starter PCS 7 Library V8 Migration 8.0+SP1 Getting Started Edition 08/2013

More information

ET 200S distributed I/O system 4DO DC24V/2A ST digital electronic module (6ES7132-4BD32-0AA0)

ET 200S distributed I/O system 4DO DC24V/2A ST digital electronic module (6ES7132-4BD32-0AA0) 4DO DC24V/2A ST digital electronic module (6ES7132-4BD32- SIMATIC Preface 1 Properties 2 Diagnostics 3 ET 200S distributed I/O system 4DO DC24V/2A ST digital electronic module (6ES7132-4BD32- Manual 10/2015

More information

MindSphere. MindConnect IoT Extension Getting Started. Introduction to MindSphere. Prerequisites 2. Preparations 3. MindConnect IoT Extension

MindSphere. MindConnect IoT Extension Getting Started. Introduction to MindSphere. Prerequisites 2. Preparations 3. MindConnect IoT Extension Introduction to MindSphere 1 Prerequisites 2 MindSphere MindConnect IoT Extension Getting Started Preparations 3 MindConnect IoT Extension 4 Verify data in Fleet Manager 5 Getting Started 07/2018 Legal

More information

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address Configuration Example 09/2014 Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address SCALANCE S, SCALANCE M http://support.automation.siemens.com/ww/view/en/99681595

More information

Siemens Drives & PLCs

Siemens Drives & PLCs Security information 1 Overview 2 SIMATIC Process control system SIMATIC BATCH Readme V9.0 (Online) Part A, Requirements and General Instructions 3 Part B, Installation 4 Part C, Special Features and Notes

More information

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken. Preface 1 Description of the device 2 SIMATIC NET PG/PC - Industrial Ethernet Operating Instructions Software installation 3 Hardware installation 4 Configuration 5 Technical specifications 6 A Approvals

More information

COMOS. Lifecycle COMOS Walkinside Getting Started. Security information 1. Which functionalities are not covered in this manual? 2

COMOS. Lifecycle COMOS Walkinside Getting Started. Security information 1. Which functionalities are not covered in this manual? 2 Security information 1 Which functionalities are not covered in this manual? 2 COMOS Lifecycle Getting Started Open Walkinside Model 3 Navigating 4 Checking projects 5 System integration 6 05/2016 V 10.2

More information

S7-300 Getting Started - Commissioning a CPU 31xC: Closed-loop control

S7-300 Getting Started - Commissioning a CPU 31xC: Closed-loop control Getting Started - Commissioning a CPU Introduction 1 31xC: Closed-loop control Preparation 2 SIMATIC S7-300 Getting Started - Commissioning a CPU 31xC: Closed-loop control Learning units 3 Further Information

More information

Class: DocumentManager 1 COMOS. Platform Class documentation DocumentManager_dll. Programming Manual 03/2017 V10.2.

Class: DocumentManager 1 COMOS. Platform Class documentation DocumentManager_dll. Programming Manual 03/2017 V10.2. Class: DocumentManager 1 COMOS Platform Class documentation DocumentManager_dll Programming Manual 03/2017 V10.2.1 A5E39863290-AA Legal information Warning notice system This manual contains notices you

More information

SIMATIC. Industrial PC Microsoft Windows Embedded Standard 7. Safety instructions 1. Initial startup: Commissioning the operating.

SIMATIC. Industrial PC Microsoft Windows Embedded Standard 7. Safety instructions 1. Initial startup: Commissioning the operating. Safety instructions 1 Initial startup: Commissioning the operating 2 system SIMATIC Industrial PC Microsoft Windows Embedded Standard 7 Restoring the factory settings of the operating system and 3 partitions

More information

SIMATIC. Process Control System PCS 7 OS Process Control (V8.1) Preface 1. Additional documentation 2. Functions of the PCS 7 OS in process mode 3

SIMATIC. Process Control System PCS 7 OS Process Control (V8.1) Preface 1. Additional documentation 2. Functions of the PCS 7 OS in process mode 3 Preface 1 Additional documentation 2 SIMATIC Process Control System PCS 7 Operating Instructions Functions of the PCS 7 OS in process mode 3 PCS 7 OS process mode - user interface 4 System operator inputs

More information

Setting up a secure VPN Connection between CP x43-1 Adv. and M812-1 Using a static IP Address

Setting up a secure VPN Connection between CP x43-1 Adv. and M812-1 Using a static IP Address Configuration Example 02/2015 Setting up a secure VPN Connection between CP x43-1 Adv. and M812-1 Using a static IP Address CP 343-1 Advanced, CP 443-1 Advanced, SCALANCE M http://support.automation.siemens.com/ww/view/en/108910139

More information

Setting up a secure VPN Connection between SCALANCE M-800 and SSC

Setting up a secure VPN Connection between SCALANCE M-800 and SSC Configuration Example 12/2015 Setting up a secure VPN Connection between SCALANCE M-800 and SSC SCALANCE S615, SCALANCE M-800, SOFTNET Security Client https://support.industry.siemens.com/cs/ww/de/view/109481101

More information

Siemens Drives & PLCs

Siemens Drives & PLCs Automation System S7-300: Getting Started CPU 31xC: Commissioning Introduction 1 Preparation 2 SIMATIC S7-300 Automation System S7-300: Getting Started CPU 31xC: Commissioning Learning units 3 Further

More information

SIMATIC. S7-1500/ET 200MP DI 16x230VAC BA Digital Input Module (6ES7521-1FH00-0AA0) Preface. Documentation guide. Product overview.

SIMATIC. S7-1500/ET 200MP DI 16x230VAC BA Digital Input Module (6ES7521-1FH00-0AA0) Preface. Documentation guide. Product overview. Preface Documentation guide 1 SIMATIC S7-1500/ET 200MP DI 16x230VAC BA Digital Input Module (6ES7521-1FH00-0AA0) Manual Product overview 2 Wiring 3 Address space 4 Diagnostic alarms 5 Technical specifications

More information

Configuration limits for products of the SIMATIC NET PC Software V8.1 SIMATIC NET

Configuration limits for products of the SIMATIC NET PC Software V8.1 SIMATIC NET Configuration limits for products of the SIMATIC NET PC Software V8.1 SIMATIC NET Configuration limits for products of the SIMATIC NET PC Software V8.1 Application manual Communications partners and configuration

More information

SIMATIC. Communications processor CP First Steps in Commissioning. Getting Started 09/2008 A5E

SIMATIC. Communications processor CP First Steps in Commissioning. Getting Started 09/2008 A5E SIMATIC Communications processor Getting Started 09/2008 A5E02291899-01 Legal information Warning notice system This manual contains notices you have to observe in order to ensure your personal safety,

More information

Commissioning PC Stations - Manual. and Quick Start SIMATIC NET. PC software Commissioning PC Stations - Manual and Quick Start.

Commissioning PC Stations - Manual. and Quick Start SIMATIC NET. PC software Commissioning PC Stations - Manual and Quick Start. Commissioning PC Stations - Manual and Quick Start SIMATIC NET PC software Commissioning PC Stations - Manual and Quick Start Configuration Manual Preface Welcome to Advanced PC Configuration 1 Getting

More information

SIMATIC. Process Control System PCS 7 SIMATIC Management Console (V9.0 Update 1) Security information 1. Preface 2. Basics 3

SIMATIC. Process Control System PCS 7 SIMATIC Management Console (V9.0 Update 1) Security information 1. Preface 2. Basics 3 Security information 1 Preface 2 SIMATIC Process Control System PCS 7 SIMATIC Management Console (V9.0 Update 1) Operating Manual Basics 3 Installation of the Management Console 4 Operator control 5 Menus

More information

Power module PM-E DC24V HF SIMATIC. ET 200S distributed I/O Power module PM-E DC24V HF (6ES7138-4CA60-0AB0) Preface. Properties.

Power module PM-E DC24V HF SIMATIC. ET 200S distributed I/O Power module PM-E DC24V HF (6ES7138-4CA60-0AB0) Preface. Properties. Power module PM-E DC24V HF (6ES7138-4CA60-0AB0) SIMATIC ET 200S distributed I/O Power module PM-E DC24V HF (6ES7138-4CA60-0AB0) Preface Properties 1 Parameters 2 Diagnostics 3 Configuring 4 Manual 06/2010

More information

Setting up a secure VPN Connection between two M812-1 Using a static IP Address

Setting up a secure VPN Connection between two M812-1 Using a static IP Address Configuration Example 07/2015 Setting up a secure VPN Connection between two M812-1 Using a static IP Address SCALANCE M https://support.industry.siemens.com/cs/ww/en/view/109477919 Warranty and Liability

More information

Software Kit. Automatic Door Controls. SIDOOR Software Kit. Introduction 1. General safety instructions. Installation. Uninstalling the software 4

Software Kit. Automatic Door Controls. SIDOOR Software Kit. Introduction 1. General safety instructions. Installation. Uninstalling the software 4 Introduction 1 General safety instructions 2 Automatic Door Controls SIDOOR Operating Instructions Installation 3 Uninstalling the software 4 Sidoor User Software 5 HCS12 Firmware Loader 6 Sidoor Manager

More information

SIMATIC. S7-1500/ET 200MP Digital input module DI 16x24VDC BA (6ES7521-1BH10-0AA0) Preface. Documentation guide. Product overview.

SIMATIC. S7-1500/ET 200MP Digital input module DI 16x24VDC BA (6ES7521-1BH10-0AA0) Preface. Documentation guide. Product overview. Preface Documentation guide 1 SIMATIC S7-1500/ET 200MP Digital input module DI 16x24VDC BA (6ES7521-1BH10-0AA0) Manual Product overview 2 Wiring 3 Address space 4 Diagnostics alarms 5 Technical specifications

More information

Web Option for OS (V8.0) SIMATIC. Process Control System PCS 7 Web Option for OS (V8.0) Preface 1. Additional documentation

Web Option for OS (V8.0) SIMATIC. Process Control System PCS 7 Web Option for OS (V8.0) Preface 1. Additional documentation Preface 1 Additional documentation 2 SIMATIC Process Control System PCS 7 Function Manual Overview of the Web Option for OS 3 Configuration with Web Option for OS 4 Hardware and Software Requirements 5

More information

Configuration limits for products of the HARDNET-PB DP-Base 1

Configuration limits for products of the HARDNET-PB DP-Base 1 Configuration limits for products of the SIMATIC NET PC Software HARDNET-PB DP-Base 1 V8.2 software Communications partners and configuration limits for Configuration limits SOFTNET-PB DP 2 SIMATIC NET

More information