
Advanced Firewall

Select the “Firewall” tab.

Expand the firewall rule created by SCT with the following:

o Destination IP address: 192.168.10.2

Select the “Logging” check box.

Confirm with “OK”.

4. Configuring the firewall

Contents: SCALANCE S623

Page 1: ...Siemens Scalance S623 ...

Page 2: ...w. Basic Configuration; Standard mode Firewall; Advanced Firewall; Password Management; Advanced Password Management; VPN with PreShared Key; VPN with Certificates; Gateway to Gateway VPN; VPN with User Authentication ...

Page 3: ...Technology Overview. User Authentication: o On device; o Connection with RADIUS server. VPN: o IPsec end to end ...

Page 4: ...Necessary Software: Siemens Security Configuration Tool; Siemens SOFTNET Security Client; Siemens Automation License Manager. Optional: Siemens Primary Setup Tool ...

Page 5: ...Basic Configuration. In this example we set the IP addresses of all 3 interfaces on the Scalance 623. This will demonstrate configuration steps that will be reused in every following example ...

Page 6: ...Basic Configuration: 1 Setting up the network; 2 Making IP settings for the PC; 3 Creating a project and security module; 4 Downloading the configuration to the security module ...

Page 7: ...ace of the Scalance to the PC. Scalance interfaces: o External network (red marking): unprotected network area; o Internal network (green marking): network protected by Scalance; o DMZ port (yellow marking): unprotected or protected network. 1 Setting up the network ...

Page 8: ...Basic Configuration. Open Control Panel (Start > Control Panel). Open Network and Sharing Center. 2 Making IP settings for the PC. Table (PC / IP address / Subnet mask): PC, 192.168.10.2, 255.255.255.0 ...

Page 9: ...on. Select Change adapter settings. Open the Local Area Connection Properties: double-click Local Area Connection, then click Properties. 2 Making IP settings for the PC. Table (PC / IP address / Subnet mask): PC, 192.168.10.2, 255.255.255.0 ...

Page 10: ...perties button. Select Use the following IP. Enter the values from the table in the relevant boxes. Close the dialogs with Ok and close Control Panel. 2 Making IP settings for the PC. Table (PC / IP address / Subnet mask): PC, 192.168.10.2, 255.255.255.0 ...

Page 11: ...Configuration. Start the Security Configuration Tool. Select the Project > New menu command. Create a new user; this user is assigned the administrator role. Confirm with OK. 3 Creating a project and security module ...

Page 12: ...sic Configuration. In the Product type, Module and Firmware release areas select the following options: o Product type: Scalance S; o Module: S623; o Firmware release: V4. 3 Creating a project and security module ...

Page 13: ...Basic Configuration. In the Configuration area enter the MAC address. The MAC address is printed on the front of the SCALANCE. 3 Creating a project and security module ...

Page 14: ...rnal IP address 192.168.10.1 and the external subnet mask 255.255.255.0. From the drop-down list select the Routing Mode. Enter the internal IP address 192.168.9.1 and the internal subnet mask 255.255.255.0. Confirm with OK. 3 Creating a project and security module ...

Page 15: ...lect the Edit > Properties menu command, Interfaces tab. Select the Activate Interface check box in the DMZ port (X3) area. Enter the IP address 192.168.8.1 and the subnet mask 255.255.255.0 for the DMZ interface. Confirm with OK. 3 Creating a project and security module ...

Page 16: ...elect the Project > Save menu command. Select the security module in the content area. Select the Transfer > To module(s) menu command. Start the download with the Start button. 4 Downloading the configuration to the security module ...

Page 17: ...the Scalance is restarted automatically and the configuration activated. The Scalance is now in productive operation. Configurations can be downloaded via all interfaces. The configured IP addresses can be modified. 4 Downloading the configuration to the security module ...

Page 18: ...Standard mode Firewall. In this example the firewall will be configured to allow IP traffic to only be initiated by the internal network ...

Page 19: ...etting up the network; 2 Making IP settings for the PCs; 3 Creating a project and security module; 6 Testing the firewall function (ping test, logging); 4 Configuring the firewall; 5 Downloading the configuration to the security module ...

Page 20: ...actory settings by pressing the Reset button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface. 1 Setting up the network ...

Page 21: ... Set the IP addresses of the PCs as in the table above. Standard mode Firewall. 2 Making IP settings for the PCs. Table (PC / IP address / Subnet mask): PC1, 192.168.10.2, 255.255.255.0; PC2, 192.168.10.3, 255.255.255.0 ...

Page 22: ...rewall. Create a new project. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Confirm with OK. 3 Creating a project and security module ...

Page 23: ...Edit > Properties menu command. Select the Firewall tab in the displayed dialog. Activate the settings shown in the picture. Result: IP traffic is only initiated from the internal network; Logging is selected to record data traffic. Close with OK. Save the project. 4 Configuring the firewall ...

Page 24: ...Standard mode Firewall. Transfer the configuration to the security module. 5 Downloading the configuration to the security module ...

Page 25: ... Firewall. Open the command prompt on PC2 (Start > All programs > Accessories > Command Prompt). Enter the ping command from PC2 to PC1: ping 192.168.10.2. All packets reach PC1. 6 Testing the firewall function (ping test, logging) ...

Page 26: ...Standard mode Firewall. Open the command prompt on PC1. Enter the ping command from PC1 to PC2: ping 192.168.10.3. All packets are blocked at Scalance. 6 Testing the firewall function (ping test, logging) ...

Page 27: ...ndard mode Firewall. In the SCT change to online mode by selecting the menu option View > Online. Select Edit > View Diagnostics. Select the Packet filter log tab. 6 Testing the firewall function (ping test, logging) ...

Page 28: ...Standard mode Firewall. Click the Start reading button. Acknowledge with OK. Log entries are read and displayed here. 6 Testing the firewall function (ping test, logging) ...

Page 29: ...figured to allow IP traffic from PC2 to PC1. The packets are forwarded to the outside with an IP address translated to the IP address of the security module and a dynamically assigned port number. Only replies to these packets can enter the internal network ...

Page 30: ...ting up the network; 2 Making IP settings for the PCs; 3 Creating a project and security module; 6 Testing the firewall function (ping test, logging); 4 Configuring the firewall; 5 Downloading the configuration to the security module ...

Page 31: ...eset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface ...

Page 32: ...tings for the PCs. Advanced Firewall. Set the IP addresses of the PCs as in the table above. Table (PC / IP address / Subnet mask / Default Gateway): PC1, 192.168.10.2, 255.255.255.0, 192.168.10.1; PC2, 192.168.9.2, 255.255.255.0, 192.168.9.1 ...

Page 33: ...ate a new project. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK ...

Page 34: ...iguration view to Advanced mode with the menu command View > Advanced Mode. Select the module in the content area. Select the Edit > Properties menu command. Go to the NAT/NAPT tab. 4 Configuring the firewall. Advanced Firewall ...

Page 35: ...box. Click the Add button in the NAT input area. Configure the NAT rule with the following parameters: o Action: Source NAT; o From: Internal; o To: External; o Source IP address; o Source translation: 192.168.10.1. Confirm with Apply. 4 Configuring the firewall ...

Page 36: ...nced Firewall. Select the Firewall tab. Expand the firewall rule created by SCT with the following: o Destination IP address: 192.168.10.2. Select the Logging check box. Confirm with OK. 4 Configuring the firewall ...

Page 37: ...Advanced Firewall. Transfer the configuration to the security module. 5 Downloading the configuration to the security module ...

Page 38: ...Advanced Firewall. Open the command prompt on PC2. Enter the ping command from PC2 to PC1: ping 192.168.10.2. All packets reach PC1. 6 Testing the firewall function (ping test, logging) ...

Page 39: ... to online mode in the SCT with the View > Online menu command. Select the module in the content area and the menu command Edit > Online diagnostics. Go to the Packet filter log tab. 6 Testing the firewall function (ping test, logging) ...

Page 40: ...Advanced Firewall. Click Start reading. Confirm the dialog with OK. 6 Testing the firewall function (ping test, logging) ...

Page 41: ...User Management. In this example only a specific user is allowed to access PC2 in the internal network from PC1 in the external network. For other users access is blocked ...

Page 42: ... for the PCs; 3 Creating a project and security module; 8 Testing the firewall function (ping test); 6 Downloading the configuration to the security module; 7 Logging in on the Web page; 4 Creating remote access users; 5 Setting and assigning a user-specific IP rule set ...

Page 43: ...set the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface ...

Page 44: ...ttings for the PCs. User Management. Set the IP addresses of the PCs as in the table above. Table (PC / IP address / Subnet mask / Default Gateway): PC1, 192.168.10.2, 255.255.255.0, 192.168.10.1; PC2, 192.168.9.2, 255.255.255.0, 192.168.9.1 ...

Page 45: ...te a new project. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK ...

Page 46: ...User Management. Select the Options > User management menu command. Click the Add button in the User tab. Create a new user with the settings in the figure. Confirm with OK. 4 Creating remote access users ...

Page 47: ...e configuration to Advanced mode via View > Advanced Mode. Select the User-specific IP rule sets object in the navigation panel. Select the Add rule set entry in the shortcut menu. 5 Setting and assigning a user-specific IP rule set ...

Page 48: ...ement. Enter a rule in the dialog as shown below. From the Available users and roles list select the Remote user entry and click the Assign button. Confirm with OK. 5 Setting and assigning a user-specific IP rule set ...

Page 49: ... module in the navigation panel and drag it to the newly created user-specific IP rule set. The assignment can be checked by opening the module properties and selecting the Firewall tab. 5 Setting and assigning a user-specific IP rule set ...

Page 50: ...User Management. 5 Setting and assigning a user-specific IP rule set ...

Page 51: ...User Management. Expand rule set shows the user-specific rule in detail. 5 Setting and assigning a user-specific IP rule set ...

Page 52: ...User Management. Transfer the configuration to the security module. 6 Downloading the configuration to the security module ...

Page 53: ...User Management. In the Web browser of PC1 enter the address https://192.168.10.1. 7 Logging in on the Web page ...

Page 54: ...User Management. If the web page does not show the login fields, try changing the language in the upper right corner. 7 Logging in on the Web page ...

Page 55: ...User Management. Enter the user name Remote and the corresponding password and click the Log in button. 7 Logging in on the Web page ...

Page 56: ...User Management. The defined IP rule set is enabled for the Remote user. 7 Logging in on the Web page ...

Page 57: ...User Management. Open the command prompt on PC1. Enter the ping command from PC1 to PC2: ping 192.168.9.2. All packets reach PC2. 8 Testing the firewall function (ping test) ...

Page 58: ...xample a RADIUS server is set up to manage user accounts. Only users that can authenticate to the RADIUS server can access the internal network from the external network. (Figure labels: Radius server, DMZ network, External network, Internal network, PC2, PC1) ...

Page 59: ...e PCs; 3 Creating a project and security module; 9 Testing the firewall function (ping test); 7 Downloading the configuration to the security module; 8 Logging in on the Web page; 4 Setting up the RADIUS server; 6 Linking the RADIUS server and security module; 5 Configuring the firewall ...

Page 60: ...button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface. Connect the Linux PC that will be used as RADIUS server to the DMZ interface. 1 Setting up the network ...

Page 61: ... above. The IP address of the Linux PC is preset to the correct value. 2 Making IP settings for the PCs. Table (PC / IP address / Subnet mask / Default Gateway): PC1, 192.168.10.2, 255.255.255.0, 192.168.10.1; PC2, 192.168.9.2, 255.255.255.0, 192.168.9.1; RADIUS, 192.168.8.2, 255.255.255.0, 192.168.8.1 ...

Page 62: ...ess. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK. Advanced User Management. 3 Creating a project and security module ...

Page 63: ...le. Select the security module created and select the Edit > Properties menu command, Interfaces tab. Select the Activate Interface check box in the DMZ port (X3) area. Enter the IP address 192.168.8.1 and the subnet mask 255.255.255.0 for the DMZ interface. Confirm with OK ...

Page 64: ...Management. On the Linux PC open the Web browser and go to http://freeradius.org/download.html. Download version 3.0.9 of the RADIUS server. Open the Terminal (open the Dash and type terminal). 4 Setting up the RADIUS server ...

Page 65: ...nced User Management. Go to the Downloads folder: cd Downloads. Unpack the RADIUS server: tar zxvf freeradius-server-3.0.9.tar.gz. Enter the newly created folder: cd freeradius-server-3.0.9. 4 Setting up the RADIUS server ...

Page 66: ...Advanced User Management. Install the server with the following commands: ./configure; make; sudo make install. The password is TBD. 4 Setting up the RADIUS server ...

Page 67: ... next step is to configure the clients of the server. Open the file explorer with gksudo nautilus. Enter the sudo password in the following prompt. Using Nautilus browse to Computer > /usr/local/etc/raddb. 4 Setting up the RADIUS server ...

Page 68: ...Advanced User Management. Open clients.conf and add a new client as in the image. Save and close the window. Open users and add the following users. Save and close the window. 4 Setting up the RADIUS server ...

Page 69: ...nstalled and configured, run sudo radiusd -X to start the server in debug mode. If this error shows up, check the OpenSSL version with openssl version -a. This command should show the following date: built on Thu Jun 11. 4 Setting up the RADIUS server ...

Page 70: ... the following commands: sudo apt-get update; sudo apt-get upgrade. If OpenSSL is correctly updated, open radius.conf and change the allow_vulnerable_openssl parameter to yes. Save and close the window. Try starting the server again with sudo radiusd -X. 4 Setting up the RADIUS server ...

Page 71: ...ed User Management. Enter Advanced mode in the Security Configuration Tool. Use the menu command Options > User Management. Create a new user with the following settings. Confirm with OK. 5 Configuring the firewall ...

Page 72: ...Advanced User Management. Select the User-specific IP rule sets in the navigation window. Select the Add rule set option in the shortcut menu. 5 Configuring the firewall ...

Page 73: ...Advanced User Management. Enter a rule in the dialog as shown below. 5 Configuring the firewall ...

Page 74: ...d User Management. From the Available users and roles list select the radius user entry and click the Assign button; then select the radius role entry and click Assign. Confirm with OK. 5 Configuring the firewall ...

Page 75: ...lect the security module in the navigation panel and drag it to the newly created user-specific IP rule set. The assignment can be checked by opening the module properties and selecting the Firewall tab. 5 Configuring the firewall ...

Page 76: ...Advanced User Management. Select the menu option Options > Configuration of the RADIUS server. Click the Add button in the dialog. 6 Linking the RADIUS server and security module ...

Page 77: ...Management. Define the server with the following values: o IP address/FQDN: 192.186.8.2; o Shared secret: SiemensSecret; o Repeat shared secret: SiemensSecret. Confirm with OK. 6 Linking the RADIUS server and security module ...

Page 78: ...ent. Open the SCALANCE S module properties and go to the RADIUS tab. Check the Enable RADIUS authentication box. Click the Add button; this adds the newly configured RADIUS server. 6 Linking the RADIUS server and security module ...

Page 79: ...Advanced User Management. In the RADIUS setting area check the Allow RADIUS authentication of non-configured users box. Confirm with OK. 6 Linking the RADIUS server and security module ...

Page 80: ...Advanced User Management. Transfer the configuration to the SCALANCE S module. 7 Downloading the configuration to the security module ...

Page 81: ...Advanced User Management. In the Web browser of PC1 enter the address https://192.168.10.1. 8 Logging in on the Web page ...

Page 82: ...Advanced User Management. If the web page does not show the login fields, try changing the language in the upper right corner. 8 Logging in on the Web page ...

Page 83: ...Advanced User Management. Enter the user name radius and the corresponding password and click the Log in button. 8 Logging in on the Web page ...

Page 84: ...Advanced User Management. The defined IP rule set is enabled for the radius user. 8 Logging in on the Web page ...

Page 85: ...Advanced User Management. Now click the Log out button. Enter the user name radius2 and the corresponding password and click the Log in button. 8 Logging in on the Web page ...

Page 86: ...Advanced User Management. The defined IP rule set for the radius role is enabled. Users that are not defined on the module can log in. 8 Logging in on the Web page ...

Page 87: ...Advanced User Management. Open the command prompt on PC1. Enter the ping command from PC1 to PC2: ping 192.168.9.2. All packets reach PC2. 9 Testing the firewall function (ping test) ...

Page 88: ... example a VPN tunnel is configured between a security module and the SOFTNET Security Client. With this configuration IP traffic is possible only over the established VPN tunnel connection between the two authorized partners. (Figure labels: PC3, PC1) ...

Page 89: ... for the PCs; 3 Creating a project and security module; 6 Setting up a tunnel with the SOFTNET Security Client; 7 Test the tunnel function; 4 Configuring a VPN group; 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 90: ...ton and holding it down for at least 5 seconds. Connect the switch to the external network interface. Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch. Connect PC3 to the internal network interface. 1 Setting up the network ...

Page 91: ...ngs for the PCs. Set the IP addresses of the PCs as in the table above. Table (PC / IP address / Subnet mask / Default Gateway): PC1, 192.168.10.2, 255.255.255.0, 192.168.10.1; PC2, 192.168.10.3, 255.255.255.0, 192.168.10.1; PC3, 192.168.9.2, 255.255.255.0, 192.168.9.1 ...

Page 92: ...ress. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK. VPN with Preshared Key. 3 Creating a project and security module ...

Page 93: ...d Key. Use the Insert > Module menu command with the following parameters: o Product type: SOFTNET configuration; o Module: SOFTNET Security Client; o Firmware release: V4. Confirm with OK. 3 Creating a project and security module ...

Page 94: ...mmand. In the navigation panel click the All modules entry. Drag the Scalance S Module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. VPN with Preshared Key. 4 Configuring a VPN group ...

Page 95: ...Drag the SOFTNET Security Client module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. Activate Advanced Mode. 4 Configuring a VPN group ...

Page 96: ...hared Key. Select the VPN group Group1 in the Navigation window and select the menu command Edit > Properties. Select the Preshared key option in the Authentication method area. Confirm with OK. 4 Configuring a VPN group ...

Page 97: ...ed Key. Save the project. Use the menu command Transfer > To all modules. Start the download with the Start button. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 98: ...red Key. Save the configuration file projectname.Module2.dat in your project folder. Confirm the popup with OK. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 99: ... Open the SOFTNET Security Client on PC2. Select Load Configuration and browse to where projectname.Module2.dat has been saved. Open the configuration with the Open button. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 100: ...ith Preshared Key. Loading a new configuration will delete any previous configurations. When the dialog above pops up, select "deleted" and confirm with Next. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 101: ...VPN with Preshared Key. The VPN tunnel can now be opened by clicking the Enable button. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 102: ...VPN with Preshared Key. Tunnel Overview shows the status of the tunnel. The green circle shows that the tunnel has been established. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 103: ...not get set up, check whether the Windows Firewall has been enabled. Open Control Panel > Windows Firewall. If the firewall is not enabled, click Turn Windows Firewall on or off and enable it. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 104: ... the Logging Console the sequence of executed connection attempts is displayed. The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 105: ...VPN with Preshared Key. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.9.2. All packets reach PC3 through the tunnel. 7 Test the tunnel function ...

Page 106: ...ared Key. Open the command prompt on PC1. Enter the ping command from PC1 to PC3: ping 192.168.9.2. The packets cannot reach PC3 since there is no tunnel communication between these two devices. 7 Test the tunnel function ...

Page 107: ...VPN with Certificates. In this example a VPN tunnel is configured between a security module and the SOFTNET Security Client. The endpoints authenticate using certificates. (Figure labels: PC3, PC1) ...

Page 108: ... for the PCs; 3 Creating a project and security module; 6 Setting up a tunnel with the SOFTNET Security Client; 7 Test the tunnel function; 4 Configuring a VPN group; 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 109: ...ton and holding it down for at least 5 seconds. Connect the switch to the external network interface. Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch. Connect PC3 to the internal network interface. 1 Setting up the network ...

Page 110: ...ngs for the PCs. Set the IP addresses of the PCs as in the table above. Table (PC / IP address / Subnet mask / Default Gateway): PC1, 192.168.10.2, 255.255.255.0, 192.168.10.1; PC2, 192.168.10.3, 255.255.255.0, 192.168.10.1; PC3, 192.168.9.2, 255.255.255.0, 192.168.9.1 ...

Page 111: ...dress. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK. VPN with Certificates. 3 Creating a project and security module ...

Page 112: ...ates. Use the Insert > Module menu command with the following parameters: o Product type: SOFTNET configuration; o Module: SOFTNET Security Client; o Firmware release: V4. Confirm with OK. 3 Creating a project and security module ...

Page 113: ...ommand. In the navigation panel click the All modules entry. Drag the Scalance S Module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. VPN with Certificates. 4 Configuring a VPN group ...

Page 114: ...Drag the SOFTNET Security Client module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. Activate Advanced Mode. 4 Configuring a VPN group ...

Page 115: ...tificates. Select the VPN group Group1 in the Navigation window and select the menu command Edit > Properties. Select the Certificate option in the Authentication method area. Confirm with OK. 4 Configuring a VPN group ...

Page 116: ...icates. Save the project. Use the menu command Transfer > To all modules. Start the download with the Start button. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 117: ...nfiguration file projectname.Module2.dat in your project folder. Assign a password to the certificate. Confirm the popup with OK. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 118: ...Open the SOFTNET Security Client on PC2. Select Load Configuration and browse to where projectname.Module2.dat has been saved. Open the configuration with the Open button. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 119: ...ith Certificates. Loading a new configuration will delete any previous configurations. When the dialog above pops up, select "deleted" and confirm with Next. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 120: ...VPN with Certificates. The VPN tunnel can now be opened by clicking the Enable button. Enter the certificate password in the dialog. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 121: ...VPN with Certificates. Tunnel Overview shows the status of the tunnel. The green circle shows that the tunnel has been established. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 122: ...ot get set up, check whether the Windows Firewall has been enabled. Open Control Panel > Windows Firewall. If the firewall is not enabled, click Turn Windows Firewall on or off and enable it. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 123: ...the Logging Console the sequence of executed connection attempts is displayed. The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 124: ...VPN with Certificates. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.9.2. All packets reach PC3 through the tunnel. 7 Test the tunnel function ...

Page 125: ...ficates. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.9.2. The packets cannot reach PC3 since there is no tunnel communication between these two devices. 7 Test the tunnel function ...

Page 126: ...o Gateway with VPN. In this example a VPN tunnel is set up between two security modules. With this configuration IP traffic is possible only over the established tunnel connections with authorized partners. (Figure labels: PC3, PC1) ...

Page 127: ... VPN. 1 Setting up the network; 2 Making IP settings for the PCs; 3 Creating a project and security module; 6 Testing the tunnel function (ping test); 4 Configuring a VPN group; 5 Downloading the configuration to the security module ...

Page 128: ...t the PC with the Security Configuration Tool (PC1) to the switch. Connect both SCALANCE S modules to the switch through their external interface. Connect PC2 and PC3 to the internal interface of a SCALANCE S module. 1 Setting up the network ...

Page 129: ...teway with VPN. Set the IP addresses of the PCs as in the table above. 2 Making IP settings for the PCs. Table (PC / IP address / Subnet mask): PC1, 192.168.10.2, 255.255.0.0; PC2, 192.168.10.3, 255.255.0.0; PC3, 192.168.10.4, 255.255.0.0 ...

Page 130: ...ct. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.201 and the external subnet mask 255.255.0.0. Confirm with OK. Gateway to Gateway with VPN. 3 Creating a project and security module ...

Page 131: ... Module. Select the same options as for the previous module but with the following address parameters: o MAC address: MAC address of the module; o IP address (ext.): 192.186.10.202; o Subnet mask (ext.): 255.255.0.0. Confirm with OK. 3 Creating a project and security module ...

Page 132: ...and. In the navigation panel click the All modules entry. Drag the SCALANCE S Module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. Gateway to Gateway with VPN. 4 Configuring a VPN group ...

Page 133: ...Gateway with VPN. Drag the second SCALANCE S module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. 4 Configuring a VPN group ...

Page 134: ...Gateway to Gateway with VPN. Save the project. Use the menu command Transfer > To all modules. Start the download with the Start button. 5 Downloading the configuration to the security module ...

Page 135: ...Gateway to Gateway with VPN. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.10.4. All packets reach PC3 through the tunnel. 6 Testing the tunnel function (ping test) ...

Page 136: ...VPN. Open the command prompt on PC1. Enter the ping command from PC1 to PC3: ping 192.168.10.4. The packets cannot reach PC3 since there is no tunnel communication between these two devices. 6 Testing the tunnel function (ping test) ...

Page 137: ...security module using the SOFTNET Security Client. The firewall is configured so that access from PC1 in the external network to PC2 in the internal network is possible only for a specific user, who needs to log in at the RADIUS server.
(Diagram labels: DMZ: RADIUS server; PC2; PC1 with SOFTNET Security Client)

Page 138: ...
4. Configuring a RADIUS server
5. Configuring the firewall
6. Linking the RADIUS server and security module
7. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration
8. Setting up a tunnel with the SOFTNET Security Client
9. Logging in on the Web page
10. Testing the firewall function (ping test)

Page 139: ...t button and holding it down for at least 5 seconds.
Connect the PC with the Security Configuration Tool (PC1) to the external network interface.
Connect PC2 to the internal network interface.
Connect the Linux PC that will be used as RADIUS server to the DMZ interface.
1. Setting up the network

Page 140: ...le above. The IP address of the Linux PC is preset to the correct value.
2. Making IP settings for the PCs
PC       IP address      Subnet mask       Default gateway
PC1      192.168.10.2    255.255.255.0     192.168.10.1
PC2      192.168.9.2     255.255.255.0     192.168.9.1
RADIUS   192.168.8.2     255.255.255.0     192.168.8.1

Page 141: ...s
Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0.
Select the "Routing" mode.
Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0.
Confirm with "OK".
VPN with User Authentication
3. Creating a project and security module

Page 142: ...dule
Select the security module created and select the "Edit" > "Properties" menu command.
"Interfaces" tab: select the "Activate interface" check box in the "DMZ port (X3)" area.
Enter the IP address 192.168.8.1 and the subnet mask 255.255.255.0 for the DMZ interface.
Confirm with "OK".

Page 143: ...tication
Use the "Insert" > "Module" menu command with the following parameters:
o Product type: SOFTNET configuration
o Module: SOFTNET Security Client
o Firmware release: V4
Confirm with "OK".
3. Creating a project and security module

Page 144: VPN with User Authentication
We'll use the previously configured RADIUS server for this example.
4. Configuring a RADIUS server

Page 145: ...the "Insert" > "Group" menu command.
In the navigation panel, click the "All modules" entry.
Drag the SCALANCE S module to the VPN group "Group1" in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue.
5. Configuring the firewall

Page 146: ...on
Drag the SOFTNET Security Client module to the VPN group "Group1" in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue.
Activate "Advanced Mode".
5. Configuring the firewall

Page 147: VPN with User Authentication
Use the menu command "Options" > "User Management".
Create a new user with the following settings.
Confirm with "OK".
5. Configuring the firewall

Page 148: VPN with User Authentication
Select "User-specific IP rule sets" in the navigation window.
Select the "Add rule set" option in the shortcut menu.
5. Configuring the firewall

Page 149: VPN with User Authentication
Enter a rule in the dialog as shown below.
5. Configuring the firewall

Page 150: ...User Authentication
From the "Available users and roles" list, select the "radius" user entry and click the "Assign" button, then select the "radius" role entry and click "Assign".
Confirm with "OK".
5. Configuring the firewall

Page 151: ...
Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set.
The assignment can be checked by opening the module properties and selecting the "Firewall" tab.
5. Configuring the firewall

Page 152: VPN with User Authentication
Open the properties of the SCALANCE module and go to the "Firewall" tab.
Add a firewall rule as in the image.
Confirm with "OK".
5. Configuring the firewall

Page 153: VPN with User Authentication
Select the menu option "Options" > "Configuration of the RADIUS server".
Click the "Add" button in the dialog.
6. Linking the RADIUS server and security module

Page 154: ...thentication
Define the server with the following values:
o IP address / FQDN: 192.168.8.2
o Shared secret: SiemensSecret
o Repeat shared secret: SiemensSecret
Confirm with "OK".
6. Linking the RADIUS server and security module

Page 155: ...ation
Open the SCALANCE S module properties and go to the "RADIUS" tab.
Check the "Enable RADIUS authentication" box.
Click the "Add" button. This adds the newly configured RADIUS server.
6. Linking the RADIUS server and security module

Page 156: VPN with User Authentication
In the "RADIUS settings" area, check the "Allow RADIUS authentication of non-configured users" box.
Confirm with "OK".
6. Linking the RADIUS server and security module
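What the shared secret entered on page 154 actually does is worth seeing on the wire. The following is an added example, not code from the page or from Siemens: a minimal RFC 2865 Access-Request/Access-Accept exchange between the security module (acting as RADIUS client, sending from its DMZ address 192.168.8.1) and the server at 192.168.8.2, using the page's shared secret SiemensSecret. The user "radius" is from the page; its password and the server's user table are constructed. The secret hides the User-Password attribute and signs the server's reply, so a reply the module cannot verify is discarded; a mismatched secret on either side therefore shows up as "unverified", not as a silent accept.

```python
import hashlib
import hmac
import secrets
import struct

# From the page: RADIUS server in the DMZ, shared secret entered in SCT, DMZ interface of the S623.
RADIUS_SERVER = "192.168.8.2"
SHARED_SECRET = b"SiemensSecret"
NAS_IP = "192.168.8.1"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed user database: the page names the user "radius" but not its password.
USER_DB = {"radius": b"Example-Pass-1"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only the holder of the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def server_handle(request: bytes, secret: bytes) -> bytes:
    """Minimal RADIUS server: parse attributes, reveal the password, answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs, pos = request[4:20], {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = request[pos], request[pos + 1]
        if attr_len < 2:  # malformed attribute: stop parsing rather than loop forever
            break
        attrs[attr_type] = request[pos + 2:pos + attr_len]
        pos += attr_len
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in USER_DB and hmac.compare_digest(USER_DB[user], supplied)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def authenticate(user: str, password: bytes, client_secret: bytes, server_secret: bytes = SHARED_SECRET) -> str:
    """One round trip as the security module (the NAS) sees it."""
    request_auth = secrets.token_bytes(16)
    request = build_access_request(7, user, password, client_secret, request_auth)
    response = server_handle(request, server_secret)
    if not verify_response(response, request_auth, client_secret):
        return "unverified"  # reply not signed with our secret: discard it, never trust it
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("radius", b"Example-Pass-1", SHARED_SECRET))   # accept
    print(authenticate("radius", b"guess", SHARED_SECRET))            # reject
    print(authenticate("radius", b"Example-Pass-1", b"OtherSecret"))  # unverified
```

The password hiding is MD5-based and the secret is the only thing binding client and server, which is why keeping the RADIUS server on the dedicated DMZ port, as the page does, matters: anyone who can read that segment and knows or guesses the secret can recover passwords and forge replies.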

Page 157: ...ntication
Save the project.
Use the menu command "Transfer" > "To all modules".
Start the download with the "Start" button.
7. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration

Page 158: ...e configuration file "projectname.Module2.dat" in your project folder.
Assign a password to the certificate.
Confirm the popup with "OK".
7. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration

Page 159: ...ion
Open the SOFTNET Security Client on PC2.
Select "Load Configuration" and browse to where "projectname.Module2.dat" has been saved.
Open the configuration with the "Open" button.
8. Setting up a tunnel with the SOFTNET Security Client

Page 160: ...User Authentication
Loading a new configuration will delete any previous configurations. When the dialog above pops up, select "deleted" and confirm with "Next".
8. Setting up a tunnel with the SOFTNET Security Client

Page 161: VPN with User Authentication
The VPN tunnel can now be opened by clicking the "Enable" button.
Enter the certificate password in the dialog.
8. Setting up a tunnel with the SOFTNET Security Client

Page 162: VPN with User Authentication
"Tunnel Overview" shows the status of the tunnel. The green circle shows that the tunnel has been established.
8. Setting up a tunnel with the SOFTNET Security Client

Page 163: ...es not get set up, check whether the Windows Firewall has been enabled.
Open the Control Panel > "Windows Firewall". If the firewall is not enabled, click "Turn Windows Firewall on or off" and enable it.
8. Setting up a tunnel with the SOFTNET Security Client

Page 164: VPN with User Authentication
In the Web browser of PC1, enter the address https://192.168.10.1
9. Logging in on the Web page

Page 165: VPN with User Authentication
If the web page does not show the login fields, try changing the language in the upper right corner.
9. Logging in on the Web page

Page 166: VPN with User Authentication
Enter the user name "radius" and the corresponding password and click the "Log in" button.
9. Logging in on the Web page

Page 167: VPN with User Authentication
The defined IP rule set is enabled for the "radius" user.
9. Logging in on the Web page

Page 168: VPN with User Authentication
Open the command prompt on PC1.
Enter the ping command from PC1 to PC2: ping 192.168.9.2
All packets reach PC2 through the tunnel.
10. Testing the firewall function (ping test)
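The behaviour that steps 5, 9 and 10 together produce, a firewall rule that exists in the configuration but is only in force while a particular user is logged in at the web page, is easy to misread as a static allow rule. The following is an added example, not code from the page or from Siemens: a small first-match packet filter model in which rules bound to a user are skipped until that user logs in. The networks and host addresses are the page's; the rule contents are assumptions, since the page's rule screenshots are not reproduced here, and the static internal-to-external rule is an assumption added for contrast.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    proto: str = "any"           # "icmp", "tcp", "udp" or "any"
    user: Optional[str] = None   # None: static rule; otherwise part of that user's rule set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


class UserAwareFirewall:
    """First-match packet filter; user-specific rules only count while their user is logged in."""

    def __init__(self, rules: Iterable[Rule], default: str = "drop"):
        self.rules = list(rules)
        self.default = default
        self.logged_in: set[str] = set()

    def login(self, user: str) -> None:
        self.logged_in.add(user)

    def logout(self, user: str) -> None:
        self.logged_in.discard(user)

    def decide(self, pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for r in self.rules:
            if r.user is not None and r.user not in self.logged_in:
                continue  # rule set not enabled: the user has not logged in at the web page
            if r.proto != "any" and r.proto != pkt.proto:
                continue
            if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst):
                continue
            return r.action
        return self.default


# Addresses from the page's table and diagram.
EXTERNAL, INTERNAL = "192.168.10.0/24", "192.168.9.0/24"
PC1, PC2 = "192.168.10.2", "192.168.9.2"


def build_firewall() -> UserAwareFirewall:
    return UserAwareFirewall([
        # Assumed user-specific rule set: only PC1, only while "radius" is logged in.
        Rule("allow", f"{PC1}/32", INTERNAL, "any", user="radius"),
        # Assumed static rule for contrast: internal network may reach the external one at any time.
        Rule("allow", INTERNAL, EXTERNAL, "any"),
    ])


def scenario() -> dict:
    """Replays the page's ping test before login, after login and after logout."""
    fw = build_firewall()
    ping = Packet(PC1, PC2, "icmp")
    other_host = Packet("192.168.10.50", PC2, "icmp")  # constructed: a second external host
    results = {"before_login": fw.decide(ping),
               "reverse_before_login": fw.decide(Packet(PC2, PC1, "icmp"))}
    fw.login("radius")
    results["after_login"] = fw.decide(ping)
    results["other_host_after_login"] = fw.decide(other_host)
    fw.logout("radius")
    results["after_logout"] = fw.decide(ping)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```

Two checks fall out of the model: the user-specific rule should be scoped to the host the user actually logs in from (here a /32 for PC1), not to the whole external network, and the allow must disappear again on logout or session expiry, which is what the "after_logout" verdict exercises.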
