Chapter 1
Introduction
RUGGEDCOM ROX II
CLI User Guide
Security Recommendations
• If a firewall is required, configure and start the firewall before connecting the device to a public network. Make sure the firewall is configured to accept connections from a specific domain. For more information, refer to Section 6.9, “Managing Firewalls”.
• Modbus is deactivated by default in RUGGEDCOM ROX II. If Modbus is required, make sure to follow the security
recommendations outlined in this CLI User Guide and configure the environment according to defense-in-depth
best practices.
• Configure secure remote system logging to forward all logs to a central location. For more information, refer to
• Configuration files are provided in either NETCONF or CLI format for ease of use. Make sure configuration files
are properly protected when they exist outside of the device. For instance, encrypt the files, store them in a
secure place, and do not transfer them via insecure communication channels.
• It is highly recommended that critical applications be limited to private networks, or at least be accessible only through secure services, such as IPsec. Connecting a RUGGEDCOM ROX II device to the Internet is possible. However, the utmost care should be taken to protect the device and the network behind it using secure means such as firewalls and IPsec. For more information about configuring firewalls and IPsec, refer to Section 12.8, “Managing IPsec Tunnels”.
• Management of the certificates and keys is the responsibility of the device owner. Consider using RSA key sizes of 2048 bits in length for increased cryptographic strength. Before returning the device to Siemens Canada Ltd for repair, replace the current certificates and keys with temporary throwaway certificates and keys that can be destroyed upon the device's return.
• Be aware of any non-secure protocols enabled on the device. While some protocols, such as HTTPS, SSH and 802.1x, are secure, others, such as Telnet and RSTP, were not designed for this purpose. Appropriate safeguards against non-secure protocols should be taken to prevent unauthorized access to the device or network.
• Make sure the device is fully decommissioned before taking the device out of service. For more information, refer to Section 4.7, “Decommissioning the Device”.
• Configure port security features on access ports to prevent an unauthorized third party from physically connecting to the device. For more information, refer to Section 6.6.2, “Configuring Port Security”.
Hardware/Software
CAUTION!
Configuration hazard – risk of data corruption. Maintenance mode is provided for troubleshooting purposes and should only be used by Siemens Canada Ltd technicians. As such, this mode is not fully documented. Misuse of maintenance mode commands can corrupt the operational state of the device and render it inaccessible.
• Make sure the latest firmware version is installed, including all security-related patches. For the latest information on security patches for Siemens products, visit the Siemens industrial security website [www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security.html] or the ProductCERT Security Advisories website [http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-security-advisories.htm]. Updates to Siemens Product Security Advisories can be obtained by subscribing to the RSS feed on the Siemens ProductCERT Security Advisories website, or by following @ProductCert on Twitter.
• Only enable the services that will be used on the device, including physical ports. Unused physical ports could
potentially be used to gain access to the network behind the device.
• Use the latest Web browser version compatible with RUGGEDCOM ROX II to make sure the most secure Transport Layer Security (TLS) versions and ciphers available are employed. Additionally, 1/n-1 record splitting is enabled in the latest Web browser versions of Mozilla Firefox, Google Chrome and Internet Explorer, and