Glossary

SINAUT MD741-1
140
C79000-G8976-C236-05

CIDR

Classless Inter-Domain Routing
IP netmasks and CIDR are two notations for grouping a number of IP addresses into an address space, so that a range of contiguous addresses is treated as one network.
The CIDR method reduces, for example, the size of the routing tables stored in routers by appending a postfix (the prefix length) to the IP address. This postfix designates a network together with its subnetworks. The method is described in RFC 1518.
When specifying a range of IP addresses to the SINAUT MD741-1, for example when configuring the firewall, it may be necessary to give the address space in CIDR notation. The following table shows the IP netmask on the left, its binary form in the middle and the corresponding CIDR notation on the right.


IP netmask      binary                              CIDR

255.255.255.255 11111111 11111111 11111111 11111111 32 
255.255.255.254 11111111 11111111 11111111 11111110 31 
255.255.255.252 11111111 11111111 11111111 11111100 30 
255.255.255.248 11111111 11111111 11111111 11111000 29 
255.255.255.240 11111111 11111111 11111111 11110000 28 
255.255.255.224 11111111 11111111 11111111 11100000 27 
255.255.255.192 11111111 11111111 11111111 11000000 26 
255.255.255.128 11111111 11111111 11111111 10000000 25 
 
255.255.255.0   11111111 11111111 11111111 00000000 24 
255.255.254.0   11111111 11111111 11111110 00000000 23 
255.255.252.0   11111111 11111111 11111100 00000000 22 
255.255.248.0   11111111 11111111 11111000 00000000 21 
255.255.240.0   11111111 11111111 11110000 00000000 20 
255.255.224.0   11111111 11111111 11100000 00000000 19 
255.255.192.0   11111111 11111111 11000000 00000000 18 
255.255.128.0   11111111 11111111 10000000 00000000 17 
 
255.255.0.0     11111111 11111111 00000000 00000000 16 
255.254.0.0     11111111 11111110 00000000 00000000 15 
255.252.0.0     11111111 11111100 00000000 00000000 14 
255.248.0.0     11111111 11111000 00000000 00000000 13 
255.240.0.0     11111111 11110000 00000000 00000000 12 
255.224.0.0     11111111 11100000 00000000 00000000 11 
255.192.0.0     11111111 11000000 00000000 00000000 10 
255.128.0.0     11111111 10000000 00000000 00000000 9 
 
255.0.0.0       11111111 00000000 00000000 00000000 8 
254.0.0.0       11111110 00000000 00000000 00000000 7 
252.0.0.0       11111100 00000000 00000000 00000000 6 
248.0.0.0       11111000 00000000 00000000 00000000 5 
240.0.0.0       11110000 00000000 00000000 00000000 4 
224.0.0.0       11100000 00000000 00000000 00000000 3 
192.0.0.0       11000000 00000000 00000000 00000000 2 
128.0.0.0       10000000 00000000 00000000 00000000 1 
 
0.0.0.0         00000000 00000000 00000000 00000000 0


Example: 192.168.1.0 / 255.255.255.0 corresponds to CIDR 192.168.1.0/24

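The bit arithmetic behind the table and the example above, as an added illustration that is not part of the SINAUT MD741-1 manual: it converts a netmask to its prefix length (rejecting masks whose 1-bits are not contiguous, since no CIDR prefix can describe those), builds the CIDR form of an address/netmask pair with host bits cleared, regenerates the table, and checks whether an address falls inside a CIDR block such as the 0.0.0.0/0 used in the firewall defaults. Function names are this example's own.

```python
"""Netmask <-> CIDR prefix conversion and address-range matching (IPv4).

Added example, not the manual's own code. Shows why the table only lists
masks whose binary form is a run of 1-bits followed by 0-bits.
"""


def ip_to_int(addr: str) -> int:
    """Parse a dotted quad strictly (exactly four octets 0..255)."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet in {addr!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    """Render a 32-bit integer as a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_int(prefix: int) -> int:
    """Mask with the top `prefix` bits set: /24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_netmask(prefix: int) -> str:
    return int_to_ip(prefix_to_int(prefix))


def netmask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length of a contiguous netmask.

    Counting 1-bits alone is not enough: 255.0.255.0 also has 16 set
    bits, but they are not contiguous, so rebuilding the mask from the
    count and comparing exposes the hole.
    """
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_int(prefix) != m:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def to_cidr(addr: str, mask: str) -> str:
    """Address + netmask -> 'network/prefix', with host bits cleared.

    192.168.1.0 / 255.255.255.0 -> 192.168.1.0/24 (as in the manual);
    192.168.1.77 / 255.255.255.0 is normalised to the same network.
    """
    prefix = netmask_to_prefix(mask)
    network = ip_to_int(addr) & prefix_to_int(prefix)
    return f"{int_to_ip(network)}/{prefix}"


def cidr_contains(cidr: str, addr: str) -> bool:
    """True if addr lies inside the CIDR block; 0.0.0.0/0 matches every address."""
    net_text, prefix_text = cidr.split("/")
    mask = prefix_to_int(int(prefix_text))
    return (ip_to_int(addr) & mask) == (ip_to_int(net_text) & mask)


def netmask_table():
    """Regenerate the glossary table as (netmask, binary, prefix) rows, /32 down to /0."""
    rows = []
    for prefix in range(32, -1, -1):
        m = prefix_to_int(prefix)
        binary = " ".join(f"{(m >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))
        rows.append((int_to_ip(m), binary, prefix))
    return rows


if __name__ == "__main__":
    for mask, binary, prefix in netmask_table():
        print(f"{mask:<16}{binary} {prefix}")
    print(to_cidr("192.168.1.0", "255.255.255.0"))
```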

Summary of Contents for SINAUT MD741-1

Page 1: ...ons and functions 1 Setup 2 Configuration 3 Local interface 4 External interface 5 Security functions 6 VPN connection 7 Remote access 8 Status log and diagnosis 9 Additional functions 10 Technical Data 11 Applied Standards and Approvals 12 Glossary C79000 G8976 C236 05 Release 01 2013 ...

Page 2: ...ith the relevant documentation for the specific task in particular its warning notices and safety instructions Qualified personnel are those who based on their training and experience are capable of identifying risks and avoiding potential hazards when working with these products systems Prescribed Usage Note the following Warning Siemens products may only be used for the applications described in...

Page 3: ...e must be opened Before opening the device disconnect it from the supply voltage Static charges can damage the device when it is open Discharge the electric static of your body before opening the device To do so touch an earthed surface e g the metal casing of the switch cabinet Please pay regard to section 2 7 of this system manual Handling cables Never pull a cable connector out of a socket by i...

Page 4: ...xternal antenna Caution When installing an antenna outdoors it is essential that the antenna is fitted correctly by a qualified person When the antenna is installed outdoors it must be earthed for lightning protection The outdoor antennas shield must be reliable connective to protective earth The installation shall be done according the national installation codes For US this is the National Elect...

Page 5: ...keeping the connection alive are also subject to charge Firmware with Open Source GPL LGPL The firmware of the SINAUT MD741 1 includes open Source Software under terms of GPL LGPL According to section 3b of GPL and of section 6b of LGPL we provide you the source code Please write to s_opsource gmx net s_opsource gmx de Please enter Open Source MD741 as subject of your e mail that we can filter you...

Page 6: ...tware must display the following acknowledgement This product includes software developed by the University of California Berkeley and its contributors 4 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS A...

Page 7: ...owing product GPRS GSM Modem SINAUT MD741 1 Firmware version 1 316 Hardware product version 2 x Order number 6NH9741 1AA00 Intended purpose E GPRS VPN Router for industrial application Online Support In addition to our product documentation the comprehensive online information platform supports you in all aspects of our Service Support at any time and from any location in the world You will find t...

Page 8: ...courses we also offer a combination of various training media and sequences You can for example use self study programs on CD ROM or on the Internet as preparation or to consolidate training You will find detailed information on our training curriculum and how to contact our customer consultants at the following Internet address www siemens com sitrain Siemens documentation You will find the order...

Page 9: ...ts You will find the latest version of this documentation under the entry ID 22550242 Alternatively you will find the SIMATIC NET manuals on the Internet pages of Siemens Customer Support for automation http support automation siemens com WW view en 10805878 Browse to the designated product group and set the following filter settings Entry list Entry type Manuals ...

Page 10: ...nfiguration connection 28 3 4 Start page of the Web user interface 31 3 5 Language selection 35 3 6 Configuration procedure 36 3 7 Configuration Profiles 37 3 8 Changing the password 38 3 9 Reboot 40 3 10 Load factory settings 41 4 Local interface 43 4 1 IP addresses of the local interface 43 4 2 DHCP server to local network 45 4 3 DNS to local network 47 4 4 Local hostname 49 4 5 System Time NTP ...

Page 11: ...tatus of the VPN connections 106 8 Remote access 107 8 1 HTTPS remote access 107 8 2 SSH remote access 109 8 3 Remote access via dial in connection 111 9 Status log and diagnosis 114 9 1 Log 114 9 2 Remote logging 117 9 3 Snapshot 118 9 4 Hardware information 120 9 5 Software information 120 10 Additional functions 121 10 1 Service Center 121 10 2 Alarm SMS 121 10 3 SMS Messaging from the local ne...

Page 12: ...e stations are connected The SINAUT MD741 1 can establish a VPN Virtual Private Network between a locally connected application a network and an external network and can protect this connection against access by third parties through the use of IPsec Internet Protocol Security In order to perform these tasks in the scenarios described the device combines the following functions EDGE modem for flex...

Page 13: ...Central Station APN E GPRS INTERNET MD741 1 DSL Modem VPN Router Central Station ST7cc MD741 1 VPN Tunnel VPN Tunnel TIM Logical connection TIM CPU TIM CPU Figure 1 2 Connection between two CPUs Configuration The device can be configured via a Web user interface that can simply be displayed using a Web browser It can be accessed by means of the following the local interface EGPRS GPRS CSD Circuit ...

Page 14: ... as VPN tunnel protocol IPsec 3DES encryption with 168 bits IPsec AES encryption with 128 192 and 256 bits Packet authentication MD5 and SHA 1 Internet Key Exchange IKE with main mode and aggressive mode Authentication by pre shared key PSK X 509v3 certificate and CA Dead peer detection DPD Firewall functions The SINAUT MD741 1 provides the following firewall functions in order to protect the loca...

Page 15: ...nctions The SINAUT MD741 1 provides the following additional functions DNS cache DHCP server NTP Remote logging In Port Web user interface for configuration Sending alarm SMS SSH console for configuration DynDNS client Dial in data connection for maintenance and remote configuration ...

Page 16: ...evice EXPLOSION HAZARD DO NOT CONNECT OR DISCONNECT EQUIPMENT WHEN A FLAMMABLE OR COMBUSTIBLE ATMOSPHERE IS PRESENT Warning Replacing components EXPLOSION HAZARD SUBSTITUTION OF COMPONENTS MAY IMPAIR SUITABILITY FOR CLASS I DIVISION 2 OR ZONE 2 General notices on use in hazardous areas according to ATEX Warning Requirements for the cabinet enclosure When used in hazardous environments correspondin...

Page 17: ...741 1 in the following steps Step Chapter 1 First familiarise yourself with the preconditions for operation of the SINAUT MD741 1 2 3 2 Read the safety instructions and other instructions at the beginning of this document very carefully and be sure to follow them 3 Familiarise yourself with the control elements connections and operating state indicators of the SINAUT MD741 1 2 4 2 7 4 Connect a PC...

Page 18: ...e Chapter 2 7 Power supply A power supply with a voltage between 12 VDC and 30 VDC that can provide sufficient current See Chapter 2 7 SIM card A SIM card from the chosen GSM network operator PIN The PIN for the SIM card EGPRS GPRS activation The SIM card must be activated by your GSM network operator for the services EGPRS or GPRS The EGPRS GPRS access data must be known Access Point Name APN Use...

Page 19: ...t function 6 10 100 Base T RJ45 jack for connecting the local network 7 Operating state indicators Power LAN VPN Figure 2 1 Operating elements 2 5 Service button SET On the front side of the SINAUT MD741 1 there is a small hole see B which is SET marked and has a button behind it Use a pointed object e g a straightened out paperclip to press this button If you press the button for longer than 5 se...

Page 20: ...signal strength CSQ 18 OFF No connection Flashing quickly Service call via CSD active ON with brief interruptions GPRS connection active C Connect ON EGPRS connection active Light up in sequence quickly Booting Light up in sequence slowly Update S Q C together Flashing quickly in unison Error Meaning of the LEDs on the right hand side of the device LED State Meaning ON Device switched on operating...

Page 21: ...A antenna jack The SINAUT MD741 1 has an antenna jack of the type SMA for connecting the antenna The antenna that is used should have an impedance of about 50 ohms It must be matched for GSM 900MHz and DCS 1800MHz or GSM 850 MHz and PCS 1900 MHz depending on which frequency bands your GSM network operator uses In Europe and China GSM 900MHz and DCS 1800MHz are used in the USA GSM 850 MHz and PCS 1...

Page 22: ...w terminals for power supply Power supply Figure 2 2 Screw terminals The SINAUT MD741 1 operates with direct current of from DC 12 30 V nominally DC 24 V This power supply is connected at the screw terminals on the left hand side of the device Connect the positive supply voltage to one or both screw terminals marked 24V and the negative supply voltage to one or both screw terminals marked 0V The r...

Page 23: ... SINAUT MD741 1 completely from the power supply 2 The drawer for the SIM card is located on the back of the device Right next to the drawer for the SIM card in the housing aperture there is a small yellow button Press on this button with a pointed object for example a pencil When the button is pressed the SIM card drawer comes out of the housing 3 Place the SIM card in the drawer so that its gold...

Page 24: ...et can be found at the rear of the device Figure 2 4 Top rail mounting Installation 1 Fit the upper part of the locking mechanism of the device on to the DIN rail 2 Press the device down against the DIN rail until the spring catch locks in place Uninstalling 1 Using a screwdriver pull down the spring catch on the rear of the device 2 Remove the device from the DIN rail ...

Page 25: ...n PC that you use to carry out configuration must be either connected directly to the Ethernet jack of the SINAUT MD741 1 via a network cable or it must have direct access to the SINAUT MD741 1 via the local network The network adapter of the computer Admin PC that you use to carry out configuration must have the following TCP IP configuration IP address 192 168 1 2 Subnet mask 255 255 255 0 Inste...

Page 26: ...ties by clicking on the corresponding button The window Properties of Internet Protocol TCP IP appears see illustration below Note The path leading to the dialog box Properties of LAN Connection depends on your Windows settings If you are not able to find this dialog box search in the Windows Help function for LAN Connection or Properties of Internet Protocol TCP IP Figure 3 1 Properties of Window...

Page 27: ...or The local IP address of the SINAUT MD741 1 as long as it is configured for breaking out host names into IP addresses see Chapter 4 3 Factory settings To define the domain name server in the TCP IP configuration of your network adapter proceed as described above 3 2 Allowed characters for user name passwords and other inputs For user names passwords host names APN and PIN the following ASCII chr...

Page 28: ... launched In MS Internet Explorer make this setting as follows Menu Tools Internet Options tab Connections Under Dial up and VPN Settings make sure that Never dial a connection is activated Calling up the start page of the SINAUT MD741 1 1 In the address line of the browser enter the address of the SINAUT MD741 1 in full In the factory settings this is https 192 168 1 1 Result A security message a...

Page 29: ...IEMENS AG The Web user interface is addressed via an IP address and not using a name which is why the name specified in the security certificate is not the same as the one in the certificate Entering the user name and password 3 You will be asked to enter the user name and the password Figure 3 3 Enter user name and password The factory settings are User name admin Password sinaut Note You should ...

Page 30: ... does not appear within the specified time period check the cable the connections and the network card Make sure that the browser does not use a proxy server In MS Internet Explorer Version 7 0 make these settings as follows Menu Tools Internet Options tab Connections Under LAN Settings click on the Settings button then in the dialog box Settings for local network LAN make sure that under Proxy Se...

Page 31: ...D741 1 appears Figure 3 4 Overview Note Use the Refresh function of the Web browser to update the displayed values Current system time Shows the current system time of the SINAUT MD741 1 in the format Year Month Day Hours Minutes Connected since With the date and time of day this shows the time since the current wireless connection was established External hostname Shows the hostname e g md741 myd...

Page 32: ...hough the connection quality is not adequate to transfer data For this reason we recommend that you use the connection monitoring For more detailed information refer to the section Checking the connection Connection monitoring see Chapter 5 4 Signal strength CSQ dbm The bar display and the number above it indicate the strength of the GSM signal as a CSQ value CSQ 0 No connection to the GSM network...

Page 33: ...is not activated DynDNS Shows whether or not a DynDNS service is activated The service is activated The service is not activated You will find information indicating whether or not the logon with a DNS service was successful in the log Remote access HTTPS Shows whether remote access to the Web user interface of the SINAUT MD741 1 via the wireless network is permitted For more detailed information ...

Page 34: ...nnection to the mobile wireless network in the last 24 hours Bytes sent and bytes received on this connection These entries show the number of bytes that have been sent or received during the current connection to the mobile wireless network The counters are reset when a new connection is established Note These figures serve only as a general indication of the data volume and can differ significan...

Page 35: ...he volume supervision was set Firmware version This shows the version number of the currently installed firmware of the SINAUT MD741 1 3 5 Language selection The Web user interface of the SINAUT MD741 1 supports English and German language Figure 3 5 Language selection Automatic The SINAUT MD741 1 selects the language of the Web user interface in accordance to the selected language of the used Web...

Page 36: ...on the page concerned or use Reset to delete the current entry which has not been saved 3 Use Save to confirm the entries so that they are accepted by the device Figure 3 6 Configuration Note Depending on how you configure the SINAUT MD741 1 you may then have to adapt the network interface of the locally connected computer or network accordingly When entering IP addresses always enter the IP addre...

Page 37: ...ime Figure 3 8 Maintenance Configurations Profiles Upload Profile Loads to the SINAUT MD741 1 a configuration profile that was created before and saved on the Admin PC Files with configuration profiles have the file extension epr Browse can be used to search the Admin PC for configuration profiles Submit loads the configuration profile to the SINAUT MD741 1 It will then be shown in the table of sa...

Page 38: ...n The SINAUT MD741 1 adopts the settings from the selected configuration profile and continues to work with it Download button Dialog for saving the configuration profile of the SINAUT MD741 1 on the Admin PC Delete button The configuration profile is deleted Default configuration The Standard configuration profile contains the factory settings The profile cannot be saved or deleted 3 8 Changing t...

Page 39: ...gs are general knowledge and does not provide sufficient protection Note The user name for the SSH access is different from the user name for the Web Interface User name root cannot be changed The password for the SSH access is the same as for the Web Interface New access password with confirmation To change the password enter the new password you have selected in New access password and confirm t...

Page 40: ...AUT MD741 1 continues to work using these settings after the reboot Figure 3 10 Maintenance Reboot Reboot now A reboot will be executed immediately if you press the Reboot button Enable daily reboot The reboot is carried out automatically once a day if you switch the function on with Yes Specify the Time of the daily reboot The reboot will be carried out at the specified system time Existing conne...

Page 41: ...archived log files Service button SET The load of the factory settings can also be activated by pushing the service button see chapter 2 5 Effects of resetting to factory settings Notice Deleting data Note the following effects before you reset the device to the factory settings The device is reset to the factory settings and runs a restart This may take several minutes All the configuration data ...

Page 42: ... the entire data you have entered you can save this in a configuration profile store it externally and load it again after resetting to factory settings For information on this refer to section 3 7 As an alternative Resetting to the default configuration If you do not want to delete created configuration profiles certificates and log files instead of resetting to factory settings you also have the...

Page 43: ... applications are network components in the local network for example a programmable controller a machine with an Ethernet interface for remote monitoring or a notebook or desktop PC or the Admin PC Configure the local interface and the related functions according to the your requirements and the advices in this chapter 4 1 IP addresses of the local interface This is where the IP addresses and the...

Page 44: ...ask Figure 4 2 Local interface You can define additional addresses at which the SINAUT MD741 1 can be reached by local applications This is useful for example when the local network is subdivided into subnetworks Then multiple local applications from different subnetworks can reach the SINAUT MD741 1 under various addresses New Adds additional IP addresses and netmasks which you can then modify in...

Page 45: ... IP addresses netmasks the gateway and the DNS server This is only possible if the setting for obtaining the IP address and the configuration parameter automatically via DHCP is activated for the local applications MD741 1 PC with Web browser Local application Local application Local application IP addresses and so forth Figure 4 3 DHCP function on local interface Figure 4 4 Local Network Basic Se...

Page 46: ...he MAC addresses of the local application under Static Leases Range start Specifies the first address of the dynamic address pool Range end Specifies the last address of the dynamic address pool List of static assignments In Static Leases of the IP addresses you can assign corresponding IP addresses to the MAC addresses of local applications If a local application requests assignment of an IP addr...

Page 47: ... domain name server DNS then the SINAUT MD741 1 answers the DNS queries from its cache If it does not know the corresponding IP address for a domain address then the SINAUT MD741 1 forwards the query to an external domain name server DNS APN E GPRS INTERNET MD741 1 Local application Router Firewall Remote network DNS query by MD741 1 DNS of the network provider DNS in the Internet Private DNS DNS ...

Page 48: ...shed to EGPRS or GPRS the network operator automatically communicates one or more DNS addresses These are then used User defined As the user you select your preferred DNS The DNSes can be connected to the Internet or it can be a private DNS in your network User name server If you have selected the option User defined then enter the IP address of the selected DNS as the Server IP Address New can be...

Page 49: ...urity concept of the SINAUT MD741 1 requires the creation of an outgoing firewall rule for each local application that is to use this hostname function See Chapter6 1 If you do not use DHCP see Chapter 4 2 then identical search paths have to be entered manually in the SINAUT MD741 1 and in the local applications If you do use DHCP the local applications received the search path entered in the SINA...

Page 50: ...r all log entries and serves as a time basis for all time controlled functions Select the year month day hour and minute Local timezone region The NTP time servers communicate the UTC Universal Time Coordinated To specify the time zone select a city near the location near where the SINAUT MD741 1 will be operating The time in this time zone will then be used as the system time Activate NTP synchro...

Page 51: ...t the SINAUT MD741 1 waits until the next synchronization Notice Synchronization of the system time via NTP creates additional data traffic on the EGPRS or GPRS interfaces This may result in additional costs depending on your user agreement with the GSM network operator Serve system time to local network The SINAUT MD741 1 can serve itself as an NTP time server for the applications that are connec...

Page 52: ...To define an additional route to a subnetwork click on New Specify the following the IP address of the subnetwork network and also the IP address of the gateway via which the subnet is connected You can define any desired number of internal routes To delete an internal route click on Delete Factory settings The factory settings for the SINAUT MD741 1 are as follows Additional internal routes Defau...

Page 53: ... Admin PC and much more Configure the external interface and the related functions according to the your requirements and the advices in this chapter 5 1 Access parameters to EGPRS GPRS The SINAUT MD741 1 uses EGPRS or GPRS for communication with the external network For access to the services EGPRS and GPRS and to the underlying GSM wireless network access parameters are necessary which you will ...

Page 54: ...e Automatically PIN Enter the PIN for your SIM card here You will receive the PIN from your network operator The SINAUT MD741 1 also works with SIM cards that have no PIN in this case enter NONE In this case the input box is left empty Note If no entry is made the input box for the PIN is shown with a red outline after saving A green dot with a white check mark beside the input box indicates that ...

Page 55: ... on with a different network if the specified GSM network is unreachable Select one of the two options from the drop down list To specify an additional NTP server click the New button Yes The device automatically logs on with an available network No The device does not automatically log on with an available network Authentication method From the drop down list select a method according to which th...

Page 56: ...nly for the provider selection Automatic Here enter the identification number Net ID of the network provider Each GSM GPRS network provider has an assigned identification number that is unique worldwide known as the Public Land Mobile Network PLMN PLMN is made up of MCC and MNC You will find the Net ID in the documentation provided by your GSM GPRS network provider or on the provider s Internet pa...

Page 57: ...tings The factory settings of the SINAUT MD741 1 are as follows Provider selection mode Manual Provider selection mode manual PIN NONE APN NONE User guest Password guest Provider selection mode Automatic 1st provider T Mobile PLMN ID 26201 APN internet t mobile User name guest Password guest 2nd provider Vodafone PLMN ID 26202 APN web vodafone de User name guest Password guest 3rd provider Eplus P...

Page 58: ...ion mode This function makes it easier to test the signal strength in various antenna positions The information on the Installation Mode page is refreshed at intervals of a few seconds This provides you with fast information about the signal quality at the test positions so that you can identify the optimum position Note Reboot when enabling and disabling If you enable or disable the Installation ...

Page 59: ...eighboring wireless cells In this area of the page you will find information that relates to the neighboring available mobile wireless cells Information about the wireless cell Signal strength The bar display indicates the strength of the GSM signal The numbers above the bar display indicate the CSQ value of the signal The dBm value is shown in brackets after the CSQ value ID of the wireless cell ...

Page 60: ... under the Overview entry The SINAUT MD741 1 can send SMS messages automatically as soon as 80 and 100 of the specified data volume are reached In the factory settings the volume monitoring is deactivated Note The data volume per month calculated here can significantly differ from the billing of themobile wireless provider due to block rounding and different billing periods Figure 5 3 External Net...

Page 61: ... a warning SMS message as soon as 80 of the data volume has been reached make the following settings 1 Enable the SMS function by selecting the Yes option from the drop down list 2 Enter the call number of a subscriber that can receive the SMS messages 3 If necessary change the message text from the factory settings 4 Then click the Save button Send SMS when 100 of the max data volume is reached I...

Page 62: ...eached 5 4 EGPRS GPRS Connection Monitoring With the function Connection Check the SINAUT MD741 1 checks its connection to EGPRS or GPRS and to the connected external networks such as the Internet or an intranet To do this the SINAUT MD741 1 sends ping packets ICMPs to up to four remote stations target hosts at regular intervals This takes place independently of the user data connections If after ...

Page 63: ...g Figure 5 4 Connection Monitoring Notice Sending ping packets ICMPs increases the amount of data sent and received via EGPRS or GPRS This can lead to increased costs Figure 5 5 External Network Advanced Settings Checking the connection Enable connection check Yes activates the function Destination Hosts Host name Select up to four remote stations that the SINAUT MD741 1 can ping The remote statio...

Page 64: ... answer i e for none of four pinged remote stations to answer before the specified action is carried out Activity on faulty connection Renew Connection The SINAUT MD741 1 re establishes the connection to EGPRS or GPRS if the ping packets sent were not answered Reboot MD741 1 The SINAUT MD741 1 carries out a reboot if the ping packets sent were not answered Factory settings The factory settings for...

Page 65: ...e SINAUT MD741 1 on to a DynDNS service you also can reach the SINAUT MD741 1 from external network under a hostname e g mySINAUT dyndns org For more information on DynDNS see the Glossary APN E GPRS INTERNET MD741 1 Local application Router Firewall External network User data connection DynDNS INFO IP address hostname Question IP for the hostname Response IP Figure 5 6 DynDNS Function Figure 5 7 ...

Page 66: ...uest Password guest Host name myname dyndns org 5 6 SRS Siemens Remote Service Note Using the services provided by the SIMATIC Remote Support Services remote access to machines and plants is available To use the services additional service agreements are necessary and certain constraints must be kept to If you are interested in the Siemens Remote Service speak to your local Siemens contact If the ...

Page 67: ...ice select No Interval for updating seconds Enter the interval in seconds at which the assigned IP address of the SINAUT MD741 1 is transferred to the selected destination server Siemens Remote Service Accounts Here enter the destination address and access data of one or more destination servers Destination address Enter the IP address of the destination server Group Enter the group name User name...

Page 68: ...twork Address Translation With NAT for outgoing frames the device can change the specified sender IP addresses from its internal network to its own external address This NAT technology is used if the internal addresses cannot or should not be forwarded externally for example because a private address range such as 192 168 x x is used or because the local network structure should remain hidden This...

Page 69: ... following options are available Yes The NAT function is enabled No The NAT function is disabled Use NAT for the following networks In the input box enter the networks for which NAT will be used Enter an address range in the CIDR notation Factory settings Use NAT for the external network Yes turned on IP address range CIDR notation 0 0 0 0 0 ...

Page 70: ...rewall rules for a connection One rule for the query direction from the source to the destination and a second rule for the query direction from the destination to the source It is different for a SINAUT MD741 1 with a stateful inspection firewall Here a firewall rule is only created for the query direction from the source to the destination The firewall rule for the response direction from the de...

Page 71: ... firewall rule that you can then fill out Delete Removes firewall rules that have been created Protocol Select the protocol for which this rule will be valid The following selections are available TCP UDP ICMP If you select All the rule is valid for all three protocols From IP address Enter the IP address of the external remote station that is allowed to send IP packets to the local network Do thi...

Page 72: ...utgoing The Firewall Rules Outgoing are used to define how to handle IP packets that are received from the local network The source is an application in the local network The destination is an external remote station e g on the Internet or in a private network In the factory settings no outgoing firewall rule is set initially i e no IP packets can go through New Adds an additional firewall rule th...

Page 73: ...this by specifying the port number is only evaluated for the protocols TCP and UDP Action Select how outgoing IP packets are to be handled Accept The data packets can go through Reject The data packets are rejected and the sender receives a corresponding message Drop The data packets are discarded without any feedback to the sender Firewall Rules incoming outgoing Log For each individual firewall ...

Page 74: ...dress 0.0.0.0/0 To port Any Action Accept Log No switched off Log entries for unknown outgoing connection attempts No switched off Outgoing firewall Firewall Rules outgoing Everything blocked Protocol All From IP address 0.0.0.0/0 From port Any To IP address 0.0.0.0/0 To port Any Action Accept Log No switched off Log entries for unknown outgoing connection attempts No switched off ...

Page 75: ...rded to the internal network to a specific computer and to a specific port of that computer This means that the IP address and port number in the header of incoming data packets are modified This process is also called Destination NAT or Port Forwarding Note In order for incoming data packets to be forwarded to the defined IP address in the local network a corresponding incoming firewall rule must...

Page 76: ...work to which the incoming data packets should be forwarded Log For each port forwarding rule you can define whether the event should be logged when the rule takes effect set Log to Yes or not set Log to No factory settings The log is kept in the firewall log see Chapter 6 4 Factory settings The factory settings for the SINAUT MD741 1 are as follows Forwarding Rules Protocol All Arrives at port 80...

Page 77: ...imum number of new outgoing ping packets per second set the upper limits The settings see illustration have been selected so that they will in practice never be reached in normal use In the event of an attack however they can be reached very easily which means that the limitations constitute additional protection If your operating environment contains special requirements then you can change the v...

Page 78: ...the SINAUT MD741 1 are as follows Maximum number of new incoming TCP connections per second 25 Maximum number of new outgoing TCP connections per second 75 Maximum number of new incoming ping packets per second 3 Maximum number of new outgoing ping packets per second 5 External ICMP to the MD741 1 Drop ...

Page 79: ...6 4 Firewall Log The application of individual firewall rules is recorded in the firewall log To do this the LOG function must be activated for the various firewall functions Figure 6 4 Security Firewall Log Note The firewall log is lost in the event of a reboot ...

Page 80: ...D741 1 can accept up to 10 VPN connections from partners with an unknown address These partners can for example be mobile partners that obtain their IP address dynamically In addition to this VPN connections can also be operated in standard mode The VPN connection must be established by the partner In Roadwarrior mode the SINAUT MD741 1 can only accept VPN connections but cannot establish them act...

Page 81: ...section 7 4 With CA certificate the key is exchanged between the SINAUT MD741 1 and VPN gateway of the remote station via the data connection when the VPN connection is established Here there is no manual exchange of key files Pre shared Key PSK This method is supported in the main by older IPsec implementations Here the authentication is made with a previously agreed character string To achieve a...

Page 82: ...ocal network With the SINAUT MD741 1 the network addresses of the frames are changed For each VPN connection and for both connection directions you can specify individually whether or not the 1 1 NAT function is enabled You can make the relevant settings on the IPsec VPN Edit connection page IKE Abbreviations acronyms IKE Internet Key Exchange SA Security Association ISAKMP Internet Security Assoc...

Page 83: ...rough This means that it may be necessary to encapsulate the IPsec frames in UDP packets to be able to pass through the NAT router Dead peer detection If the remote station supports the Dead Peer Detection protocol DPD the partners can recognize whether the IPsec connection is still valid or needs to be re established Without DPD and depending on the configuration it may be necessary to wait until...

Page 84: ...s 2000 High Encryption Pack or at least service pack 2 must be installed If the remote station is downstream from a NAT router the remote station must support NAT T Or the NAT router must know the IPsec protocol IPsec VPN passthrough 7 2 VPN Roadwarrior Mode The Roadwarrior Mode makes it possible for the SINAUT MD741 1 to accept a VPN connection initiated by a remote station with an unknown IP add...

Page 85: ...certificate from the following drop down list See also section 7 4 Pre shared key With this option you enter the pre shared key that needs to be known by the communications partner With self selected keys you can enter a character string consisting of up to 30 upper and lowercase letters or numbers Partner certificate If you have selected X 509 partner certificate as the authentication method then...

Page 86: ... of the remote station which encryption method will be used for the ISAKMP SA and the IPsec SA The SINAUT MD741 1 supports the following methods 3DES 168 AES 128 AES 192 AES 256 3DES 168 is a commonly used method and is therefore set as the default The method can be defined differently for ISAKMP SA and IPsec SA Note The more bits in the encryption algorithm indicated by the appended number the mo...

Page 87: ...ed Key is used Aggressive mode must be set in Roadwarrior mode ISAKMP SA lifetime IPsec SA lifetime The keys for an IPsec connection are renewed at certain intervals in order to increase the effort required to attack an IPsec connection Specify the lifetime in seconds of the keys agreed on for the ISAKMP SA and IPsec SA The lifetime can be defined differently for ISAKMP SA and IPsec SA NAT T There...

Page 88: ...transmission of user data the SINAUT MD741 1 detects if the connection is lost in which case it waits for the connection to be re established by the remote stations No Dead peer detection is switched off Delay after DPD query seconds Time period in seconds after which DPD requests will be sent These requests test whether the remote station is still available Timeout after DPD query seconds Time pe...

Page 89: ...de Main ISAKMP SA lifetime seconds 86400 IPsec SA lifetime seconds 86400 NAT T On Enable Dead Peer Detection Yes Delay after DPD query seconds 150 Timeout after DPD query seconds 60 DPD maximum number of unsuccessful attempts 5 7 3 IPsec VPN Standard Mode The VPN connections already created are shown You can enable Enabled Yes or disable Enabled No each individual connection You can use New to add...

Page 90: ...tion a connection name here Address of VPN gateway of the partner Specify the address of the remote station here either as a hostname e g myaddress.com or as an IP address APN E GPRS INTERNET MD741 1 VPN gateway Local network Remote network Local application Admin PC Local application Admin PC External remote stations VPN tunnel Address of the remote network Figure 7 5 Address of the remote host ...

Page 91: ... enter a character string consisting of up to 30 upper and lowercase letters or numbers Partner certificate In the drop down list you will find the certificates of the remote station that have already been loaded on the SINAUT MD741 1 Select the certificate for the VPN connection ID of the partner Enter the ID of the remote station in the input box or leave the setting NONE Local ID Enter the loca...

Page 92: ...s for frames that are sent to a remote network Local net address Enter the IP address of the local network for example 123.123.123.123 in the box The local network can also be a single computer Local subnet mask Enter the subnet mask of the local network for example 255.255.255.0 in the box The local network can also be a single computer Enable 1 1 NAT for the local network Select one of the follo...

Page 93: ...ion establishment itself Firewall rules for VPN tunnel If you click the Edit button beside this entry the mask appears in which you specify firewall rules for incoming and outgoing messages You will find more information on this topic in the section 7 5 VPN Standard Mode Edit IKE Here you can define the properties of the VPN connection according to your requirements and what you have agreed with t...

Page 94: ...ber the more secure it is The method AES 256 is therefore considered the most secure However the longer the key the more time the encryption process takes and the more computing power is required ISAKMP SA hash IPsec SA hash Agree with the administrator of the remote station which method will be used for computing checksums hashes during the ISAKMP phase and the IPsec phase The following selection...

Page 95: ...r the key exchange Select one of the three following options from the drop down list DH 1 768 DH 2 1024 DH 5 1536 NAT T There may be a NAT router between the SINAUT MD741 1 and the VPN gateway of the remote network Not all NAT routers allow IPsec data packets to go through It may therefore be necessary to encapsulate the IPsec data packets in UDP packets so that they can go through the NAT router ...

Page 96: ...three input boxes appear Delay after DPD query seconds Enter a period in seconds in the input box after which DPD queries are sent These queries test whether or not the remote station is still available Timeout after DPD query seconds Enter a length of time in seconds in the input box If there is no response to the DPD queries the connection to the remote station is declared to be invalid after th...

Page 97: ...1 Local subnet subnet mask 255.255.255.0 ISAKMP SA encryption 3DES 168 IPsec SA encryption 3DES 168 ISAKMP SA hash MD5 IPsec SA hash MD5 DH PFS group DH 2 1024 ISAKMP SA mode Main ISAKMP SA lifetime seconds 86400 IPsec SA lifetime seconds 86400 NAT T On Enable Dead Peer Detection Yes Delay after DPD query seconds 150 Timeout after DPD query seconds 60 DPD maximum number of unsuccessful attempts 5 ...

Page 98: ... be saved on the Admin PC A remote certificate is only required for the authentication method with X 509 certificate Upload PKCS12 file p12 Here load the certificate file PKCS12 file with the file extension p12 into the SINAUT MD741 1 To do this the certificate file must be saved on the Admin PC Caution If there is already a certificate file in the device then it must be deleted before loading a n...

Page 99: ...le is shown here A white check mark on a green dot indicates that the corresponding component of the certificate file is present a white cross on a red dot indicates that the corresponding component is missing or that the wrong password was entered 7 5 Firewall rules for VPN tunnel The user interface for setting up the firewall rules for VPN tunnels can be found under IPsec VPN Connections Figure ...

Page 100: ...hus data traffic over this connection is not limited by default It is possible however to create firewall rules for the VPN connection To set up firewall rules for the VPN connection proceed in the same way as for setting up the packet filter function of the general firewall see Chapter 6 1 However the rules defined here apply only to the specific VPN connection Factory settings The factory settin...

Page 101: ...ns target hosts This is made independently from payload data For each VPN connection an own supervision can be configured If the SINAUT MD741 1 receives the answer for the ping packet from at least one addressed remote station the VPN connection is still operational MD 741 1 Target hosts VPN connection Ping Answer Ping Answer Client IP H ost IP Figure 7 11 VPN connection supervision Note Do not pi...

Page 102: ...r determines the time interval to send ping packets through the supervised VPN connection VPN tunnel The value shall be given in minutes Waiting time before repetition minutes This parameter determines the delay a ping packet is repeated after a failed ping check ping packet not answered The value shall be given in minutes Number of unsuccessful connection checks up to restarting the VPN client Th...

Page 103: ...checks up to restarting the VPN client 3 7 7 Advanced settings for VPN connections Setting special timeouts and intervals for VPN connections Figure 7 12 IPsec VPN Advanced Settings Keepalive interval for NAT T seconds If NAT T is enabled then keepalive data packets will be sent periodically by the SINAUT MD741 1 through the VPN connection The purpose of this is to prevent a NAT router between the...

Page 104: ...1 1 Enter the number of unsuccessful retries that are performed before the SINAUT MD741 1 restarts its VPN client and retries the connection setup Maximum number of connection establishment attempts after restarting the VPN client until the next device restart If the establishment of a VPN connection fails the connection setup will be retried by the SINAUT MD741 1 Enter the number of unsucces...

Page 105: ...sting VPN connections will be interrupted Select one of the two options Yes The device is restarted as soon as DPD is detected No The device is not restarted following DPD Factory settings The factory settings for the SINAUT MD741 1 are as follows Keepalive interval for NAT T seconds 60 Phase 1 timeout seconds 15 Phase 2 timeout seconds 10 Maximum number of connection establishment attempts up to ...

Page 106: ...nnections A white check mark on a green dot indicates that the specific Security Association SA has been successfully established A white cross on a red dot indicates that the Security Association does not exist Number of VPN connection attempts 24 h This entry shows how often in the last 24 hours there was an attempt to establish a VPN connection Download VPN protocol This function can be used to...

Page 107: ...m an external network via EGPRS GPRS or CSD Configuration of the SINAUT MD741 1 via the HTTPS remote access then takes place exactly like configuration via a Web browser via the local interface see chapter 3 Figure 8 1 Access HTTPS remote access Enable HTTPS remote access Yes Access to the Web user interface of the SINAUT MD741 1 from the external network via HTTPS is allowed No Access via HTTPS i...

Page 108: ... fill out Delete Removes a firewall rule for HTTPS remote access that has been created From IP address External Specify here the address es of the computer s for which remote access is allowed You have the following options IP address or address range 0.0.0.0/0 means all addresses To specify a range use the CIDR notation see the Glossary Action Define how access to the specified HTTPS port will be...

Page 109: ...ccess to the file system of the SINAUT MD741 1 from an external network via EGPRS GPRS or CSD To do this a connection must be established using an SSH capable program from the external remote station to the SINAUT MD741 1 Use the SSH remote access only if you are familiar with the LINUX file system In the factory settings this option is deactivated Figure 8 2 Access SSHs Caution Via SSH remote acc...

Page 110: ...2222 has been defined for the remote access then this port number must be specified in the SSH client e g PuTTY at the external remote station ssh -p 22222 192.144.112.5 Firewall rules for SSH remote access New Adds a new firewall rule for SSH remote access that you can then fill out Delete Removes a firewall rule for SSH remote access that has been created From IP address Specify here the address ...

Page 111: ...ings The factory settings for the SINAUT MD741 1 are as follows Enable SSH remote access No switched off Port for SSH remote access 22 Default for new rules From IP External 0.0.0.0/0 Action Accept Log No switched off 8 3 Remote access via dial in connection The CSD dial in access makes it possible to access the Web user interface of the SINAUT MD741 1 via a dial in data connection CSD Circuit Swi...

Page 112: ... same username and the same password must be entered in the PPP client Permitted call numbers CLIP check Specify the call number of the telephone connection from which the dial in data connection is established The telephone connection must support Calling Line Identification Presentation CLIP and this function must be activated The call number entered in the SINAUT MD741 1 must be exactly the sam...

Page 113: ... Factory settings The factory settings for the SINAUT MD741 1 are as follows Enable CSD dial in No switched off PPP user name service PPP password service Permitted call numbers ...

Page 114: ...ges to the configuration Establishing of connections Interruption of connections Signal strength and operating messages The log is saved to the log archive of the SINAUT MD741 1 when a file size 1 MByte is reached but after 24 hours at the latest Download current log Download the current log is loaded to the Admin PC You can select the directory to save the file to and can view the file there ...

Page 115: ...rectory to save the files to and can view the files there Example Entries in log Column A Time stamp Column B Product number Column C Signal quality CSQ value Column D GSM login status STAT Function not activated yet STAT 1 Logged in to home network STAT 2 Not logged in searching for network STAT 3 Login rejected STAT 5 Logged in to third party network roaming ...

Page 116: ...d operating status for Hotline Column G Category of the log report for Hotline Column H Internal source of the log report for Hotline Column I Internal report number for Hotline Column J Log report in plain text Columns K P Additional information on the plain text report such as Cell ID identification number of the active GSM cell Software version TXS RXS IP packets transmitted in the current conn...

Page 117: ...he SINAUT MD741 1 If the transfer fails the SINAUT MD741 1 tries once again to transfer the data after 24 hours Figure 9 2 Maintenance Remote Logging Enable remote logging FTP upload Yes activates the function Time Specifies the daily time when the log files will be transmitted to the FTP server FTP Server Specifies the address of the FTP server to which the log files are to be transferred The add...

Page 118: ... 3 Snapshot This function is used for support purposes The service snapshot downloads important log files and current device settings that could be important for fault diagnosis and saves them in a file If you contact our Hotline in the event of a problem with the SINAUT MD741 1 in many cases they will ask you for the snapshot file Note This file contains the access parameters for EGPRS and GPRS a...

Page 119: ...2237 tgz Advanced diagnostics Only Activate the Advanced diagnosis if asked to do so by our Hotline In operation with advanced diagnosis information is written to the diagnosis logs much more often Some additional information is also saved This is useful for systematic troubleshooting Note When advanced diagnosis is active the frequent write access to the non volatile memory of the SINAUT MD741 1 ...

Page 120: ...information is often needed in the event of queries to our Hotline Figure 9 4 Maintenance Hardware info 9 5 Software information Shows important information for software identification This information is often needed in the event of queries to our Hotline Planned updates are additionally shown See also Chapter 10 4 Figure 9 5 Maintenance Software info ...

Page 121: ... service center SMSC here If there is no entry made here the default SMSC of your network provider will be used 10 2 Alarm SMS The SINAUT MD741 1 can transmit short alarm messages using the SMS Short Message Service of the GSM network The sending of an alarm SMS message can be triggered by the following event Event 1 No GPRS connection For the event you can specify a separate call n...

Page 122: ...1 then transmits an alarm message Settings Enable With Yes the alarm message is sent if the event occurs with No it is not Call number Here enter the call number of the end device to which the alarm message will be sent using SMS The end device must support reception of SMS messages via GSM or fixed network Text Here enter the text that will be sent as an alarm message Factory settings The factory...

Page 123: ...a this TCP IP connection the application transfers the text of the SMS to the SINAUT MD741 1 that packs the text in an SMS message and sends it Frame format for the SMS message The text must be transferred in a frame via the TCP IP connection to the SINAUT MD741 1 The frame must have the following format Username Password CommandCode Seq Num Callnumber Message Example user password 105 01 00494346...

Page 124: ...itted Message SMS text with a maximum of 160 characters The following forbidden characters must not occur in the SMS text Separator for the first command level Separator for the second command level Identifies the end of the message Enable sending SMS from local network Select Yes to be able to send SMS messages from the local network Select No if you do not want to send SMS messages from the loca...

Page 125: ... by specifying the IP address or an IP range for the partner station 0.0.0.0 means all addresses To specify a range use the CIDR notation see Glossary Action The drop down list below Action relates to the TCP IP connection of the IP address shown to the left beside the drop down list The following three options are available Accept Enables the TCP IP connection for sending SMS messages Reject The ...

Page 126: ...ate function can be used to load new operating software to the SINAUT MD741 1 and activate this software In an immediate update the new software will be unzipped This process can take several minutes After that the actual update process begins which is indicated by the LEDs lighting up in sequence The settings of the SINAUT MD741 1 will be accepted insofar as the settings still have the same effec...

Page 127: ... have been loaded already Define the time for firmware update If you want to have the update carried out with time control specify the time when the new operating software is to be activated Specify the Year Month Day Hour Minute Select update file Use Browse to select the file which includes the new operating software for example MD741_v1 024 v1 027 tgz Load the firmware to the device with Open Su...

Page 128: ...chemes CS 1 CS 2 CS 3 CS 4 GSM Module EGPRS EDGE Quad band EDGE EGPRS Multislot Class 12 Mobile Station Class B Modulation and Coding Scheme MCS 1 9 GPRS Multislot Class 12 Full PBCCH support Mobile Station Class B Coding Scheme 1 4 EDGE GPRS During the data transmission via EGPRS or GPRS the device automatically selects from the following classes from EGPRS Multislot Class 12 4Tx slots to EGPRS M...

Page 129: ...C Air humidity 0 95 non condensing Housing Design Top hat rail housing Material Plastic Protection class IP20 Dimensions 114 mm x 45 mm x 99 mm Weight approx 280g DE CE Yes GSM EGPRS module Conforms to GCF PTCRB Environment The device complies with the European Directives RoHS and WEEE Input voltage 12 30 V DC 24 V DC nominal Input Current 510 230 mA DC Power input 4 4 W typical at 12 V 4 0 W typi...

Page 130: ...lity 1 Continuous data transfer with medium signal quality 2 Burst Operating mode V mA mA mA mA 12 174 315 263 1000 24 97 168 137 450 GSM CSD 30 82 137 116 360 12 174 365 282 1260 24 97 182 147 550 EGPRS GPRS 30 82 150 121 420 1 Measured at GSM900 Power Level 5 33dBm transmitting power 2 Measured at GSM900 Power Level 10 23dBm transmitting power 3 USB port not used ...

Page 131: ...ognition of their conformity Directive 2006/95/EC LVD of the European Parliament and of the Council of 12 December 2006 on the harmonization of the laws of Member States relating to electrical equipment designed for use within certain voltage limits Directive 2004/108/EC EMC of the European Parliament and of the Council of 15 December 2004 on the approximation of the laws of the Member States rela...

Page 132: ...ion of conformity Search item s name of the module Directive 1999/5/EC R&TTE Applied standards EN 301 511 V9.0.2 3GPP TS 51.010-1 V5.10.0 Classification Telecommunication equipment Radio equipment Device class 1 Directive 2006/95/EC LVD Applied standards EN 60950:2006 Directive 2004/108/EC EMC Applied standards EN 55022:2006 Limit A EN 55024:1998 A1:2001 A2:2003 EN 61000-6-2:2001 Warning The SINAUT ...

Page 133: ...ed in an Enclosure which maintains an ingress protection rating of IP54 meets the enclosure requirements of EN 60079-0 and is only accessible with the use of a tool 2 The USB X1 port shall not be used 3 On installation the SINAUT MD741 1 shall be provided with supply transient protection external to the apparatus such that the voltage at the supply terminals of the SINAUT MD741 1 shall not exceed 4...

Page 134: ...ber 3611 Classification Class I Division 2 Group A B C D Temperature class T4 Ambient temperature range 20 C 60 C Class I Zone 2 Group IIC 135 C maximum surface temperature Ambient temperature range 20 C 60 C You can download the FM marking by following the link http://support.automation.siemens.com/WW/view/en/35029750 UL CSA Certification Marking Applied standards UL 60950 1st edition CSA C22.2 No. 609...

Page 135: ...tions However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the sepa...

Page 136: ... ID QIRMC75 GSM Module This device contains GSM GPRS Class12 and EGPRS Class 10 functions in the 900 and 1800 MHz Band which are not operational in U S Territories This device is to be used only for mobile and fixed applications The antenna s used for this transmitter must be installed to provide a separation distance of at least 20cm from all persons and must not be co located or operating in con...

Page 137: ...sed the NIST short listed five the algorithms MARS RC6 Rijndael Serpent and Twofish In October 2000 the encryption algorithm chosen was Rijndael APN Access Point Name Trans network connections e g from a GPRS network to the Internet are created in the GPRS network via so called APNs E GPRS Public INTERNET MD741 1 Local application Private INTRANET APN public APN private An end device that wants to...

Page 138: ...rnal 192.168.27.254 Netmask 255.255.255.0 Network A Network address 192.168.11.0/24 Netmask 255.255.255.0 Network B Network address 192.168.15.0/24 Netmask 255.255.255.0 Network C Network address 192.168.27.0/24 Netmask 255.255.255.0 MD741 1 internal address 192.168.11.1 MD741 1 external address assigned by provider e g 80.81.192.37 Additional internal routes Network A is connected to the SINAUT M...

Page 139: ...digital signature Asymmetrical encryption methods such as RSA are however slow and vulnerable to certain attacks which is why they are often combined with a symmetrical method symmetrical encryption On the other hand concepts are also possible which avoid the complex administration of symmetrical keys Network A Computer A1 A2 A3 A4 A5 IP address 192.168.11.3 192.168.11.4 192.168.11.5 192.168.11.6 ...

Page 140: ...5.128 11111111 11111111 11111111 10000000 25 255.255.255.0 11111111 11111111 11111111 00000000 24 255.255.254.0 11111111 11111111 11111110 00000000 23 255.255.252.0 11111111 11111111 11111100 00000000 22 255.255.248.0 11111111 11111111 11111000 00000000 21 255.255.240.0 11111111 11111111 11110000 00000000 20 255.255.224.0 11111111 11111111 11100000 00000000 19 255.255.192.0 11111111 11111111 11000...

Page 141: ...ar to a telephone call over a public telephone network User 1 dials the telephone number of user 2 The network signals to user 2 that there is a call user 2 accepts the call and the network establishes the connection until one of the users terminates the connection again In a GSM network this service is called CSD and allows data transmission at 9600 bit s or 14400 bit s with transmission being ei...

Page 142: ...nology NIST as the standard for American government institutions As this was the first standardized encryption algorithm of all it quickly established itself in industry and hence outside the USA DES works with a key length of 56 bits which is no longer considered secure due to the increase in computing power since 1977 3DES is a variant of DES It works with 3 times larger keys i e 168 bits long I...

Page 143: ...ynamicDNS provider which IP address the computer has at the moment Its domain name server registers the current hostname IP address assignment and reports this to other domain name servers in the Internet If now an external computer wants to establish a connection with a local computer which is registered with the DynamicDNS provider the external computer uses the hostname of the local computer as...

Page 144: ... and in encrypted form IP address Every host or router on the Internet an intranet has a unique IP address IP Internet Protocol The IP address is 32 bits 4 bytes long and is written as 4 numbers each in the range from 0 to 255 which are separated from each other by dots An IP address has 2 parts the network address and the host address All hosts of a network have the same network address but diffe...

Page 145: ...h the tunnel i e during transmission via a public network NAT Network Address Translation In Network Address Translation NAT often also referred to as IP Masquerading an entire network is hidden behind a single device the NAT router This device is usually a router The internal computers in the local network remain hidden with their IP addresses when they communicate to the outside via the NAT rout...

Page 146: ...ossible to take the 3rd byte which was actually intended for host addressing and use it now for subnet addressing Arithmetically that means that 256 subnets with 256 hosts each could be created Port number The Port Number field is a 2 byte field in UDP and TCP headers The assignment of port numbers serves to identify various data flows that are processed simultaneously by UDP TCP The entire data e...

Page 147: ...its digital signature A certificate is created An X 509 certificate makes a connection between an identity in the form of an X 500 Distinguished Name DN and a public key This connection is authenticated by the digital signature of an X 509 Certification Authority CA The signature an encryption with the signature key can be checked with the private key issued by the CA to the certificate holder Pro...

Page 148: ...the destination to the source It is different with a stateful inspection firewall Here a firewall rule is only created for the query direction from the source to the destination The firewall rule for the response direction from the destination to the source results from analysis of the data previously sent The firewall rule for the responses is closed again after the responses are received or afte...

Page 149: ...al protocols are based on UDP and TCP such as HTTP Hyper Text Transfer Protocol HTTPS Secure Hyper Text Transfer Protocol SMTP Simple Mail Transfer Protocol POP3 Post Office Protocol Version 3 DNS Domain Name Service ICMP builds on IP and contains control messages SMTP is an e mail protocol based on TCP IKE is an IPsec protocol based on UDP ESP is IPsec protocol based on IP On a Windows PC WINSOCK...

Page 150: ...and the signature of the CA The signature is created as follows from the bit sequence of the public key the data on its owner and other data the CA creates an individual bit sequence which can be up to 160 bits long the HASH value This is encrypted by the CA using its private key and added to the certificate Encryption with the CA s private key is proof of authenticity i e the encrypted HASH chara...
