manualshive.com logo in svg

Pilz 311502, Руководство по эксплуатации, Страница: 11 / 51

Поделиться
Скачать
Pilz 311502 Скачать руководство пользователя страница 11

Security

Operating Manual PCOM sec br2
1004534-EN-04

| 11

3.4

Commissioning

}

Before commissioning, create the environment described in the chapter 

Operating

environment [

 10]

.

}

For the VPN and HTTPS protocols, the device requires an encrypted key that is created
during commissioning. To exclude an attack during commissioning, please follow the in-

structions in the chapter 

Establish connection to SecurityBridge [

 22]

.

}

Change the default password for the user account "admin".

3.5

User accounts

}

Assign only safe passwords. Criteria for a safe password:

– The password should have at least 8 characters.

– The password should contain upper and lower case characters, as well as special

characters and numbers.

– If possible, the password should not be available in dictionaries.

– The password should not be made up of standard variants and repetitions or key-

board patterns (so not: 1234abcd).

– Use a password manager for optimum management of complex passwords.

– When assigning the password, please note that language-dependent characters may

not be available in all the keyboard languages.

}

Make sure you regularly change the passwords of the user accounts on the system and/
or ask the users to change their passwords themselves.

}

Retain the passwords safely and train the personnel to deal with Phishing and Social En-
gineering attacks.

}

Strictly separate the user accounts for the product administration and the access to the
systems in the protected network.

}

Make the users aware of the responsible use of their access data.

3.6

Operation

Please note the following measures when operation the device:

}

The computers used to monitor the system must be secured to the general best practice
rules for security.

}

As soon as possible, install firmware updates that Pilz provides for the device.

}

Make sure you regularly check the event log of the product for security-relevant entries. A
list of security-relevant entries can be found in chapter 

Security-relevant log

messages [

 49]

.

}

Wherever possible, forward the entries of the event log to a log server (see chapter 

Man-

age logging [

 31]

). This ensures that the entries will be available for a longer period

of time, and that it is made more difficult for an attacker to delete entries.

}

Regular safety updates for the operating system and the installed applications must be
run on the computer that uses the VPN client.

Содержание 311502

Страница 1: ...PCOM sec br2 Operating Manual 1004534 EN 04...

Страница 2: ...KG Copies may be made for internal purposes Suggestions and comments for improving this documentation will be gratefully received Pilz PIT PMI PNOZ Primo PSEN PSS PVIS SafetyBUS p SafetyEYE SafetyNET...

Страница 3: ...10 3 4 Commissioning 11 3 5 User accounts 11 3 6 Operation 11 3 7 Decommissioning 12 4 Overview 13 4 1 Unit features 13 4 2 Front view 14 5 Function description 15 5 1 Block diagram 16 5 2 VPN tunnel...

Страница 4: ...client 33 9 2 Create new client connection 33 9 3 Log in to client 34 9 4 Authentication procedure 34 10 Firmware update 37 11 Operation 38 11 1 LED indicators 38 11 2 Recovery 39 11 3 Error mode 40...

Страница 5: ...t is particularly important is identified as follows DANGER This warning must be heeded It warns of a hazardous situation that poses an immediate threat of serious injury and death and indicates preve...

Страница 6: ...s if possible Pilz can charge a fee for the data medium and for sending The request for the source code must be received 3 years at the latest after the receipt of the relevant GPL or LPGL Irrespectiv...

Страница 7: ...other environments If installed in other environments measures should be taken to comply with the applicable standards and directives for the respective installation site with regard to in terference...

Страница 8: ...ll be rendered invalid if The product was used contrary to the purpose for which it is intended Damage can be attributed to not having followed the guidelines in the manual Operating personnel are not...

Страница 9: ...y security problems of the SecurityBridge to the following E mail ad dress security pilz de 3 2 Defense in depth Defense in depth is a security design concept Several different security measures to pr...

Страница 10: ...n depth concept provided the product has to be arranged in the network as shown in the figure Network overview The chapter Network data 48 de scribes the network protocols that the product uses to com...

Страница 11: ...Make sure you regularly change the passwords of the user accounts on the system and or ask the users to change their passwords themselves Retain the passwords safely and train the personnel to deal wi...

Страница 12: ...Unless otherwise documented you should ensure that all the files created by the Secur ityBridge can only be used by authorised users 3 7 Decommissioning Make sure that the SecurityBridge is safely dec...

Страница 13: ...face VPN server to build a VPN tunnel for safe transfer of data Forwarding rules for IP connections and fieldbuses Bypass mode temporary deactivation of security functions for diagnostic purposes Setu...

Страница 14: ...XXXXXX XXXXXX XX Firmware XXXX Fig PCOM sec br2 Legend X1 Network Ethernet port for connecting the configuration PC X2 Device Ethernet port for connecting to the protected system X3 24 V 0 V Peripher...

Страница 15: ...mpany network Fig Overview The SecurityBridge is used with in the company network to prevent unauthorised access to downstream devices in a protected network The access from the client PC to the devic...

Страница 16: ...uration PC This enables tap proof manip ulation proof data transfer between the client PC and SecurityBridge Only the VPN client from Pilz is supported Up to 5 client connections can exist simultaneou...

Страница 17: ...there is at least one VPN Client connected If there is a 0 signal at the output then no VPN Client is connected BYPASS Bypass mode is signalled via the digital output If there is a 1 signal at the ou...

Страница 18: ...event of an ambient temperature of over 45 C note that the temperature of the connected USB memory could rise to over 70 C Using the USB memory An inserted USB stick can be formatted and incorporated...

Страница 19: ...g rail in an upright position so that the earthing springs on the device are pressed on to the mounting rail The ambient temperature of the devices in the control cabinet must not exceed the figure st...

Страница 20: ...put must be a max of 30 m The supply of the module and the supply of the SC outputs are galvanically isolated Module supply Polarity protection Overvoltage protection Protect the supply voltage as fol...

Страница 21: ...X1 network port Connection to the unprotected network company network Ethernet interface X2 device port Connection to the protected network Supported Internet protocol IPv4 Supported functions Autoneg...

Страница 22: ...a a standard browser The following web browsers will always be supported Internet Explorer IE from Version 9 Microsoft Edge Mozilla Firefox from Version 23 7 0 Google Chrome from Version 27 Safari fro...

Страница 23: ...e password see Security 9 6 Change network settings To access the SecurityBridge PCOM sec br2 from the company network change the network settings of the SecurityBridge The settings are adapted in the...

Страница 24: ...r RADIUS System permissions Administration User can perform administrative functions on the Se curityBridge However he has no access to the pro tected system PNOZmulti PSS 4000 1 User management User...

Страница 25: ...owing actions can then be delegated List users Create new user Change user data 8 3 3 Create user A user account must be created for each user who wants to access the protected system via VPN client o...

Страница 26: ...d in the Security Bridge for the RADIUS server are accepted INFORMATION Via the RADIUS server a user can either be assigned to a user group or be assigned one or more permissions If you attempt to ass...

Страница 27: ...of 5 OPC servers can be created 4 OPC servers for the product range PSS 4000 and 1 OPC server for the product range PVIS Create Generic Devices Generic Devices are all devices with a network interface...

Страница 28: ...n the protected network A maximum of 25 rules administrative rules and forward ing rules can be defined per device Administrative access rules The system allows the definition of administrative access...

Страница 29: ...secure the configuration 31 Certificate download You can download the CA certificate and server certificate from the user interface to your PC You can import the CA certificate into the browser PC see...

Страница 30: ...n automatically download the certificate The download is secured by a passphrase Further information on the password policy can be found in the Online Help on the SecurityBridge Generate certificates...

Страница 31: ...ed The status is displayed on the user interface and on the device via a configurable LED CAUTION Loss of security when bypass mode is activated The security functions are deactivated in bypass mode M...

Страница 32: ...the configuration is loaded automatic ally When you saved a configuration on the computer the configuration can be restored by uploading the backup file to the user interface If you did not generate...

Страница 33: ...rsion 9 2 Create new client connection To create a connection to SecurityBridge for the first time a new client connection has to be created Proceed as follows 1 Start the VPN client by clicking All p...

Страница 34: ...entials must be created on the user interface of the SecurityBridge a Open the VPN client click Connect select a connection and enter your user name and your password 9 4 Authentication procedure Duri...

Страница 35: ...ind user name in the user management Found No No No No No Ye s Ye s Ye s Ye s Ye s Ye s RADIUS server configured Authentication via RADIUS server Successful Check Setup mode User permitted Check passw...

Страница 36: ...ocedure via the RADIUS server Request to the primary RADIUS server Request to the secondary RADIUS server Authentication successful Check group or permissions from the response Authentication failed V...

Страница 37: ...ce The firmware can only be updated by users with Administration permission The update packet is digitally signed to prevent manipulation An update packet can be downloaded to the device from the down...

Страница 38: ...n Green No error present Red One or more recoverable errors on the Security Bridge for more information see event log Red One or more internal errors on the SecurityBridge for more information see eve...

Страница 39: ...e Meaning No network connection Green Network connection exists 11 2 Recovery If you experience problems with the configuration a failed firmware update or any other situation in which the system is n...

Страница 40: ...r interface opens in Recovery mode This interface is only available in English 7 To restore the system you can choose between the following options Firmware Recovery The firmware is reset and restored...

Страница 41: ...e deleted from the device Proceed as follows Reset the configuration to the factory settings as described in the chapter Recovery 39 Switch off the SecurityBridge If you used an USB memory remove the...

Страница 42: ...er net interfaces at the base unit The project is changed via this connection and transferred to the PNOZmulti This connection is protected The PNOZmulti base unit is in the protec ted network Access...

Страница 43: ...pening contact of the key switch to the input I0 protected connection unprotected connection PAS4000 or PNOZmulti Configurator Key switch PNOZmulti PSS 4000 VPN tunnel Input I0 or 24 VDC SecurityBridg...

Страница 44: ...tablish connection to SecurityBridge 22 2 Create user 25 3 Create device 27 4 Forwarding rules for PSS 4000 27 Here you have to configure the forwarding rule for the communication of both PSS 4000 in...

Страница 45: ...5 5 W Status indicator LED Inputs Number 1 Voltage at inputs 24 V DC Input type in accordance with EN 61131 2 3 Input current at rated voltage 10 mA Semiconductor outputs Number 1 Voltage 24 V Curren...

Страница 46: ...ccordance with the standard EN 61131 2 Overvoltage category II Pollution degree 2 Rated insulation voltage 30 V Protection type In accordance with the standard EN 60529 Housing IP20 Terminals IP20 Mou...

Страница 47: ...r cross section with spring loaded terminals Flexible with without crimp connector 0 2 2 5 mm 24 12 AWG Spring loaded terminals Terminal points per connec tion 2 Stripping length with spring loaded te...

Страница 48: ...ser name and pass word The server is au thenticated via X 509 certificate VPN Web Service HTTP In TCP 4080 Yes Def Active Critical services are only accessible via the VPN tunnel NTP Server NTP In UDP...

Страница 49: ...rc 701 Device name IP address ip The device s MAC address was changed to mac 702 Device name IP address ip Device is not active 1000 The start configuration was reset and the logging events were delet...

Страница 50: ...e Features Order no PCOM sec br2 Module for secure authentication and communication with PNOZmulti 2 and PSS 4000 311 502 16 2 Accessories Connection terminals Product type Features Order no Set4 Spri...

Страница 51: ...XXXX en 0X 2021 01 Printed in Germany Pilz GmbH Co KG 2021 Support Technical support is available from Pilz round the clock Pilz develops environmentally friendly products using ecological materials a...

Отзывы:

Нет отзывов