manualshive.com logo in svg

Pilz 311502, Operating Manual, Page: 9 / 51

Share
Download
Pilz 311502 Operating Manual Download Page 9

Security

Operating Manual PCOM sec br2
1004534-EN-04

| 9

3

Security

3.1

General guidelines

}

Please refer to the chapter 

Operating environment [

 10]

. The product is not designed

for connecting a network to the internet.

}

Perform a risk analysis and plan the security measures carefully. If necessary, seek ad-
vice from Pilz Customer Support.

}

Please note that the product forwards ICMP Echo Request and Response packages
(ping) and ARP requests and responses between the unprotected and the protected net-
work, independent of the configuration. However, the device limits the number of pack-
ages to make flooding attacks more difficult.

}

Please report any security problems of the SecurityBridge to the following E-mail ad-
dress: [email protected]

3.2

Defense in depth

Defense in depth is a security design concept. Several different security measures to pro-
tect from attacks are arranged in series and/or in layers. An attack is made difficult because
the attacker has to circumvent different security measures one after the other. This concept
can be illustrated as follows:

Company Firewall

Production Network Firewall

SecurityBridge

PNOZmulti

PSS 4000

Fig.: DefenseInDepth

The product PCOM sec br2 secures the devices in the protected network from network-
based attacks and/or unauthorised access via the network. The product is the last layer in
the Defense in depth concept. To efficiently implement the concept, the measures de-

scribed in the chapter 

Operating environment [

 10]

 must be noted.

Summary of Contents for 311502

Page 1: ...PCOM sec br2 Operating Manual 1004534 EN 04...

Page 2: ...KG Copies may be made for internal purposes Suggestions and comments for improving this documentation will be gratefully received Pilz PIT PMI PNOZ Primo PSEN PSS PVIS SafetyBUS p SafetyEYE SafetyNET...

Page 3: ...10 3 4 Commissioning 11 3 5 User accounts 11 3 6 Operation 11 3 7 Decommissioning 12 4 Overview 13 4 1 Unit features 13 4 2 Front view 14 5 Function description 15 5 1 Block diagram 16 5 2 VPN tunnel...

Page 4: ...client 33 9 2 Create new client connection 33 9 3 Log in to client 34 9 4 Authentication procedure 34 10 Firmware update 37 11 Operation 38 11 1 LED indicators 38 11 2 Recovery 39 11 3 Error mode 40...

Page 5: ...t is particularly important is identified as follows DANGER This warning must be heeded It warns of a hazardous situation that poses an immediate threat of serious injury and death and indicates preve...

Page 6: ...s if possible Pilz can charge a fee for the data medium and for sending The request for the source code must be received 3 years at the latest after the receipt of the relevant GPL or LPGL Irrespectiv...

Page 7: ...other environments If installed in other environments measures should be taken to comply with the applicable standards and directives for the respective installation site with regard to in terference...

Page 8: ...ll be rendered invalid if The product was used contrary to the purpose for which it is intended Damage can be attributed to not having followed the guidelines in the manual Operating personnel are not...

Page 9: ...y security problems of the SecurityBridge to the following E mail ad dress security pilz de 3 2 Defense in depth Defense in depth is a security design concept Several different security measures to pr...

Page 10: ...n depth concept provided the product has to be arranged in the network as shown in the figure Network overview The chapter Network data 48 de scribes the network protocols that the product uses to com...

Page 11: ...Make sure you regularly change the passwords of the user accounts on the system and or ask the users to change their passwords themselves Retain the passwords safely and train the personnel to deal wi...

Page 12: ...Unless otherwise documented you should ensure that all the files created by the Secur ityBridge can only be used by authorised users 3 7 Decommissioning Make sure that the SecurityBridge is safely dec...

Page 13: ...face VPN server to build a VPN tunnel for safe transfer of data Forwarding rules for IP connections and fieldbuses Bypass mode temporary deactivation of security functions for diagnostic purposes Setu...

Page 14: ...XXXXXX XXXXXX XX Firmware XXXX Fig PCOM sec br2 Legend X1 Network Ethernet port for connecting the configuration PC X2 Device Ethernet port for connecting to the protected system X3 24 V 0 V Peripher...

Page 15: ...mpany network Fig Overview The SecurityBridge is used with in the company network to prevent unauthorised access to downstream devices in a protected network The access from the client PC to the devic...

Page 16: ...uration PC This enables tap proof manip ulation proof data transfer between the client PC and SecurityBridge Only the VPN client from Pilz is supported Up to 5 client connections can exist simultaneou...

Page 17: ...there is at least one VPN Client connected If there is a 0 signal at the output then no VPN Client is connected BYPASS Bypass mode is signalled via the digital output If there is a 1 signal at the ou...

Page 18: ...event of an ambient temperature of over 45 C note that the temperature of the connected USB memory could rise to over 70 C Using the USB memory An inserted USB stick can be formatted and incorporated...

Page 19: ...g rail in an upright position so that the earthing springs on the device are pressed on to the mounting rail The ambient temperature of the devices in the control cabinet must not exceed the figure st...

Page 20: ...put must be a max of 30 m The supply of the module and the supply of the SC outputs are galvanically isolated Module supply Polarity protection Overvoltage protection Protect the supply voltage as fol...

Page 21: ...X1 network port Connection to the unprotected network company network Ethernet interface X2 device port Connection to the protected network Supported Internet protocol IPv4 Supported functions Autoneg...

Page 22: ...a a standard browser The following web browsers will always be supported Internet Explorer IE from Version 9 Microsoft Edge Mozilla Firefox from Version 23 7 0 Google Chrome from Version 27 Safari fro...

Page 23: ...e password see Security 9 6 Change network settings To access the SecurityBridge PCOM sec br2 from the company network change the network settings of the SecurityBridge The settings are adapted in the...

Page 24: ...r RADIUS System permissions Administration User can perform administrative functions on the Se curityBridge However he has no access to the pro tected system PNOZmulti PSS 4000 1 User management User...

Page 25: ...owing actions can then be delegated List users Create new user Change user data 8 3 3 Create user A user account must be created for each user who wants to access the protected system via VPN client o...

Page 26: ...d in the Security Bridge for the RADIUS server are accepted INFORMATION Via the RADIUS server a user can either be assigned to a user group or be assigned one or more permissions If you attempt to ass...

Page 27: ...of 5 OPC servers can be created 4 OPC servers for the product range PSS 4000 and 1 OPC server for the product range PVIS Create Generic Devices Generic Devices are all devices with a network interface...

Page 28: ...n the protected network A maximum of 25 rules administrative rules and forward ing rules can be defined per device Administrative access rules The system allows the definition of administrative access...

Page 29: ...secure the configuration 31 Certificate download You can download the CA certificate and server certificate from the user interface to your PC You can import the CA certificate into the browser PC see...

Page 30: ...n automatically download the certificate The download is secured by a passphrase Further information on the password policy can be found in the Online Help on the SecurityBridge Generate certificates...

Page 31: ...ed The status is displayed on the user interface and on the device via a configurable LED CAUTION Loss of security when bypass mode is activated The security functions are deactivated in bypass mode M...

Page 32: ...the configuration is loaded automatic ally When you saved a configuration on the computer the configuration can be restored by uploading the backup file to the user interface If you did not generate...

Page 33: ...rsion 9 2 Create new client connection To create a connection to SecurityBridge for the first time a new client connection has to be created Proceed as follows 1 Start the VPN client by clicking All p...

Page 34: ...entials must be created on the user interface of the SecurityBridge a Open the VPN client click Connect select a connection and enter your user name and your password 9 4 Authentication procedure Duri...

Page 35: ...ind user name in the user management Found No No No No No Ye s Ye s Ye s Ye s Ye s Ye s RADIUS server configured Authentication via RADIUS server Successful Check Setup mode User permitted Check passw...

Page 36: ...ocedure via the RADIUS server Request to the primary RADIUS server Request to the secondary RADIUS server Authentication successful Check group or permissions from the response Authentication failed V...

Page 37: ...ce The firmware can only be updated by users with Administration permission The update packet is digitally signed to prevent manipulation An update packet can be downloaded to the device from the down...

Page 38: ...n Green No error present Red One or more recoverable errors on the Security Bridge for more information see event log Red One or more internal errors on the SecurityBridge for more information see eve...

Page 39: ...e Meaning No network connection Green Network connection exists 11 2 Recovery If you experience problems with the configuration a failed firmware update or any other situation in which the system is n...

Page 40: ...r interface opens in Recovery mode This interface is only available in English 7 To restore the system you can choose between the following options Firmware Recovery The firmware is reset and restored...

Page 41: ...e deleted from the device Proceed as follows Reset the configuration to the factory settings as described in the chapter Recovery 39 Switch off the SecurityBridge If you used an USB memory remove the...

Page 42: ...er net interfaces at the base unit The project is changed via this connection and transferred to the PNOZmulti This connection is protected The PNOZmulti base unit is in the protec ted network Access...

Page 43: ...pening contact of the key switch to the input I0 protected connection unprotected connection PAS4000 or PNOZmulti Configurator Key switch PNOZmulti PSS 4000 VPN tunnel Input I0 or 24 VDC SecurityBridg...

Page 44: ...tablish connection to SecurityBridge 22 2 Create user 25 3 Create device 27 4 Forwarding rules for PSS 4000 27 Here you have to configure the forwarding rule for the communication of both PSS 4000 in...

Page 45: ...5 5 W Status indicator LED Inputs Number 1 Voltage at inputs 24 V DC Input type in accordance with EN 61131 2 3 Input current at rated voltage 10 mA Semiconductor outputs Number 1 Voltage 24 V Curren...

Page 46: ...ccordance with the standard EN 61131 2 Overvoltage category II Pollution degree 2 Rated insulation voltage 30 V Protection type In accordance with the standard EN 60529 Housing IP20 Terminals IP20 Mou...

Page 47: ...r cross section with spring loaded terminals Flexible with without crimp connector 0 2 2 5 mm 24 12 AWG Spring loaded terminals Terminal points per connec tion 2 Stripping length with spring loaded te...

Page 48: ...ser name and pass word The server is au thenticated via X 509 certificate VPN Web Service HTTP In TCP 4080 Yes Def Active Critical services are only accessible via the VPN tunnel NTP Server NTP In UDP...

Page 49: ...rc 701 Device name IP address ip The device s MAC address was changed to mac 702 Device name IP address ip Device is not active 1000 The start configuration was reset and the logging events were delet...

Page 50: ...e Features Order no PCOM sec br2 Module for secure authentication and communication with PNOZmulti 2 and PSS 4000 311 502 16 2 Accessories Connection terminals Product type Features Order no Set4 Spri...

Page 51: ...XXXX en 0X 2021 01 Printed in Germany Pilz GmbH Co KG 2021 Support Technical support is available from Pilz round the clock Pilz develops environmentally friendly products using ecological materials a...

Reviews:

No comments