LISE-MEITNER-ALLEE 4
D - 44801 Bochum
TELEPHONE +49 (0) 234/43 87 02-09
FAX +49 (0) 234/43 87 02-11
E-Mail info@escrypt.com
INTERNET www.escrypt.com
Security Evaluation of the
Siemens Scalance S 612/613 Security Module
escrypt GmbH – Embedded Security
http://www.escrypt.com
Version: 1.2
Date: 19-Aug-05
Index
1 Introduction
2 Security Services
2.1 Assumptions
2.2 System
2.2.1 Firewall
2.2.2 VPN
2.2.3 Removable Media (C-Plug)
2.2.4 Firmware Update
2.3 Configuration Management
2.3.1 First Initiation
2.3.2 User Management
2.3.3 Learning
2.4 Key Management
3 Security Analysis
3.1 Network and Protocol Analysis
3.1.1 VPN
3.1.2 Firewall
3.1.3 Firmware Update
3.1.4 Operating System
3.1.5 Web Server
3.1.6 Time Synchronization and Logging
3.2 Configuration
3.2.1 Configuration Files
3.2.2 Bridge
4 Summary
5 References
Executive Summary
The Scalance S 612/S 613 is a security module that protects the communication
between automation networks and guards those networks against attacks. The
security module provides the functionality of a firewall and a virtual private
network (VPN). The system is based on the operating system VxWorks and uses the
firewall and VPN from OpenBSD; the web server and the packet filter for layer 2
were developed by Siemens.
Reliability and robustness are the crucial aspects of an automation network. The
network must remain running even in the case of failures. Data security follows
immediately in importance. Security and reliability sometimes pursue different
objectives and get in each other's way. These aspects were taken into account in
the standard configuration. Nonetheless, the security module allows a secure
configuration. The device can be installed without changing the existing
network.
The security module fulfils its task well and fully protects an automation network.
The simplicity of the configuration, which does not come at the expense of
security, deserves emphasis. The device is built in an extremely robust manner
and meets the special demands of automation networks in an excellent way.
Overall, the Scalance module provides a higher quality than most other security
modules (including those outside the industrial engineering sector).
1 Introduction
The Siemens Scalance S 613 is a security module that protects the
communication between automation networks. It provides authentication, data
integrity and confidentiality, and protects against data theft and data manipulation.
In automation engineering more and more components are being connected. The
connection with the office IT world makes it possible to use known technologies
from the office field in automation networks, but it also gives rise to threats
from attacks originating in the external network. The automation networks must
be protected so that they withstand malicious attacks from the external network.
Figure 1 illustrates this situation.
Unlike the office world, where standardized schemes such as SSL, TLS, and IPsec
are applied, there are no standards yet that provide data security for automation
networks. The analyzed security module protects individual components and entire
networks against data theft and manipulation by implementing a firewall and a
virtual private network (VPN).
Figure 1: External network <-> internal network
Automation networks have a variety of security goals, so only basic default
rules are preset. Nonetheless, these default rules provide a secure
configuration. The security modules are supposed to be easy to configure and
handle, even for non-IT experts. The security module can still be configured
precisely according to the user's requirements. With expert knowledge the
configuration can be set manually in advanced mode. The module can be
installed in an existing automation network without having to change the network
topology or configure new network nodes.
The configuration is set on a PC. Several security modules can be configured at
the same time over the network. For the replacement of broken devices
the configuration data can be stored on a removable medium, the so-called C-Plug.
If a broken module has to be replaced, only the removable medium needs to be
inserted into the new module, which then immediately starts working based on a
secure configuration.
The module is based on the VxWorks operating system from WindRiver. Some
components, such as the packet filter and IPsec, were taken from OpenBSD, often
quoted as the "most secure operating system". MiniWeb, a development of
Siemens, is used as an HTTPS server to provide a secure communication channel
for the configuration data between the configuration PC and the security modules.
MiniWeb is based on OpenSSL; it uses RC4 and 3DES and provides key lengths of up
to 2048 bit.
Security modules can be combined in groups so that all modules of a group can
communicate with each other through IPsec tunnels. The internal network nodes of
a module and also of other modules can be found automatically without the need to
configure them manually. The Scalance S 612 can protect a network of up to 32
internal nodes. The Scalance S 613 protects up to 64 internal nodes and has an
extended temperature range of -20° to +70°. The SOFTNET Security Client PC
software provides secure IP-based access from a PC to subnets. The
SOFTNET Security Client automatically enables a PC to communicate through a
secure tunnel with a security module. The security modules are powered by a
redundant 24 V DC voltage supply.
2 Security Services
The security module has two Ethernet interfaces, one to the internal network, which
is protected, and the other to the external network. The interfaces are easily
recognizable by green and red color markers. The processor is an Intel
IXP425, which supports AES, SHA-1, MD5, DES and 3DES in hardware. RSA is
implemented in software.
2.1 Assumptions
The assumptions made for the security module are chosen to meet the special
needs of automation networks. The internal network is assumed to be confidential.
It is assumed that the authorized users are trustworthy and trained to
operate the module correctly. However, the configuration is supposed to be as
simple as possible.
Furthermore, it is assumed that the module is physically secure. The module
provides only basic protection if an attacker has physical access to the device
and can exchange it for a manipulated device or exchange the removable media.
There is no content filter available in the security module. For protection
against malicious content such as viruses and Trojan horses, a virus scanner
and/or content filter must be added.
To keep the automation network running, reliability and robustness come first,
even before the security aspects. Hence, restrictions with respect to security
were accepted in some default settings.
2.2 System
The security module is based on a firewall and a virtual private network (VPN). The
firewall works as a packet filter and the VPN is based on IPsec. SSL is only used to
protect the communication for configuring the Scalance devices. The device
incorporates a bridge that makes it possible to install the security device
without changing any settings in the existing network regarding IP addresses,
subnet masks, and routers.
2.2.1 Firewall
In order to protect the internal network, only communication channels between
devices from the external network and the internal network that are defined in
advance are allowed. This task is carried out by a packet filter working on layer 2