Safety instructions
1.4 Security recommendations
SCALANCE X-300
Operating Instructions, 05/2016, A5E01113043-20
Software (security functions)
● Keep the software up to date. Check regularly for security updates of the product. You will find information on this on the Internet pages "Industrial Security".
● Inform yourself regularly about security advisories and bulletins published by Siemens ProductCERT.
● Only activate protocols that you really require to use the device.
● Restrict access to the device with a firewall or rules in an access control list (ACL).
● Restrict access to the management of the device with rules in an access control list (ACL).
● The option of VLAN structuring provides good protection against DoS attacks and unauthorized access. Check whether this is practical or useful in your environment.
● Enable logging functions. Use the central logging function to log changes and access attempts centrally. Check the logging information regularly.
● Configure a Syslog server to forward all logs to a central location.
See also: www.siemens.com/industrialsecurity (http://www.siemens.com/industrialsecurity)
Passwords
● Define rules for the use of devices and assignment of passwords.
● Regularly update passwords and keys to increase security.
● Change all default passwords for users before you operate the device.
● Only use passwords with a high password strength. Avoid weak passwords, for example password1, 123456789, abcdefgh.
● Make sure that all passwords are protected and inaccessible to unauthorized personnel.
● Do not use the same password for different users and systems or after it has expired.
Keys and certificates
This section deals with the security keys and certificates you require to set up SSL.
● We strongly recommend that you create your own SSL certificates and make them available.
  There are preset certificates and keys on the device. The preset and automatically created SSL certificates are self-signed. We recommend that you use SSL certificates signed either by a reliable external or by an internal certification authority.
  The device has an interface via which you can import the certificates and keys.
● Use the certification authority including key revocation and management to sign the certificates.
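The following added example (not part of the original operating instructions and not Siemens code) shows the recommendation above with the OpenSSL command line: it creates an internal certification authority, issues a device certificate from it, and distinguishes a self-signed certificate from a CA-signed one. It assumes the `openssl` tool is installed; all names, such as `example-internal-ca`, are constructed, and importing the result into the device is not shown.

```shell
#!/bin/sh
# Added example: internal CA, CA-signed device certificate, and a check that
# tells self-signed certificates apart from CA-signed ones.
# All subject names and file names are constructed for illustration.

# Create a throwaway internal CA (private key + root certificate).
make_ca() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example-internal-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Create a device key and CSR, then sign the CSR with the internal CA.
issue_device_cert() {  # $1 = directory holding ca.key/ca.crt, $2 = device name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/dev.crt" 2>/dev/null
}

# Print "self-signed" when issuer and subject are identical (name comparison,
# which is how self-signed certificates normally present themselves),
# "ca-signed" when the certificate verifies against the trusted CA,
# and "untrusted" otherwise.
classify_cert() {  # $1 = certificate to check, $2 = trusted CA certificate
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then
        echo self-signed
    elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ca-signed
    else
        echo untrusted
    fi
}
```

Call `make_ca` and `issue_device_cert` with a working directory, then run `classify_cert` on any certificate exported from a device to see whether it still needs to be replaced with a CA-signed one.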