ICS Security Guide to Hirschmann Switches

Contents

1. Action: Activate VRRP/HiVRRP | Default setting: Off | Recommended setting: On | Available in SW version: L2B no, L2E no, L2P no, L3E yes, L3P yes | Further information: GUI VRRP/HiVRRP Configuration, CLI ip vrrp (L3E, L3P)
Action: Activate authentication on interface in wizard | Default setting: noAuthentication | Recommended setting: simpleTextPassword | Available in SW version: L2B no, L2E no, L2P no, L3E yes, L3P yes | Further information: GUI VRRP/HiVRRP Configuration, CLI ip vrrp authentication (L3E, L3P)
Action: Enter key in wizard | Default setting: <empty> | Recommended setting: Secure password of 16 characters | Available in SW version: L2B no, L2E no, L2P no, L3E yes, L3P yes | Further information: GUI VRRP/HiVRRP Configuration, CLI ip vrrp authentication (L3E, L3P)
(ICS Security Guide, Classic Switch Software, Release 1.01 09/2015, page 107; Secure Configuration, 4.5 Service Level Management / Network Quality)

Activate RAM self test
The RAM self test tests the RAM of the switch during the booting procedure for possible errors and can thus prevent errors during operation.
Action: RAM test | Default setting: On | Recommended setting: On | Available in SW version: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: L2B: GUI Selftest, CLI selftest; L2E: GUI Selftest, CLI selftest ramtest; L2P: GUI Selftest, CLI selftest ramtest; L3E: GUI Selftest, CLI selftest ramtest; L3P: GUI Selftest, CLI
2. Set up network as ring structure
With its redundancy protocols, the ring structure provides greater reliability in high-availability networks. Therefore, set up the network as a ring.
Action: Set up the network as a ring structure | Default setting: None | Recommended setting: None | Available in SW version: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Ring Redundancy, CLI HIPER Ring (L2B, L2E, L2P, L3E, L3P)

Activate HIPER Ring protocol
The HIPER Ring protocol supports high availability in networks with a ring-shaped structure. It also offers defined switching times and comprehensive logging and alarm options when a section fails. HIPER Ring is a protocol developed by Hirschmann that has stood the test of time very well in practice over many years.
Note: Either HIPER Ring or MRP can be used.
Action: Activate HIPER Ring protocol | Default setting: On | Recommended setting: On | Available in SW version: L2B yes, L2E yes, L2P yes | Further information: L2B: GUI Configure HIPER Ring, CLI hiper-ring; L2E: GUI Configure HIPER Ring, CLI hiper-ring; L2P: GUI Configure HIPER Ring, CLI hiper
3. HIRSCHMANN, A BELDEN BRAND
ICS Security Guide to Hirschmann Switches
Be certain: Availability, Integrity and Confidentiality
E E Switch Family, Belden Classic Switch Software
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.
(c) 2015 Hirschmann Automation and Control GmbH
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine-scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD/DVD applies.
The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document.
Hirschmann can accept no responsibility for damages resulting from the use of the network com
4. Possible negative effects
Availability: When connected devices are replaced, e.g. in a service situation, the MAC address changes and the device does not get a network connection until the switch port has been reconfigured.
Known limitations: In many systems the MAC address can be changed manually to break through the protection. A maximum of 10 addresses can be configured at a time via the CLI. A total of 50 addresses are possible via individual Add/Delete commands.

Configuration of IP-based port security
To prevent undesired devices from connecting to the network, the switches allow you to permit specific devices for each port based on their IP addresses.
Action: Configuration of IP-based port security | Default setting: No IP addresses defined | Recommended setting: IP addresses that are to be permitted at the switch port | Available in SW version: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Port Security, CLI port-sec allowed-ip (L2E, L2P, L3E, L3P)
Known limitations: Filtering based on IP addresses provides little protection in most cases. A maximum of 10 IP addresses can be configured per port.
5. 4 Secure Configuration
4.1 Starting Up
4.1.1 Threats
In the state on delivery, your device is prepared for a simple start. For the secure operation of the switch, further configuration settings are also required. The installation application case involves the following threats:
- Manipulation of the configuration
- Reading out of the configuration
- Limitation of the availability
4.1.2 Security Quick Check for Starting Up
Do you require ... | If necessary | If not necessary
DHCP | Activate DHCP Client | Deactivate DHCP Client
BOOTP | Activate BOOTP | Deactivate BOOTP
PROFINET | Activate PROFINET | Deactivate PROFINET
EtherNet/IP | Activate EtherNet/IP | Deactivate EtherNet/IP
LLDP | Activate LLDP | Deactivate LLDP
AutoConfiguration Adapter (ACA) | Do not skip ACA when booting | Skip ACA when booting
Basic principle: The measures follow the minimal principle in order to reduce the system load of the switch and its area of attack. Generally, you should deactivate services not required.
General measures: Read access for HiDiscovery; Change the default access; Deactivate password sync.
4.1.3 Measures
Activate DHCP Client
The switch can dynamically receive
6. function (see "Deactivate password sync" on page 37).
Action: Set password of SNMP v3 access user | Default setting: admin: private; user: public | Recommended setting: Secure password of 16 characters | Available: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Password / SNMP v3 access, CLI users passwd (L2B, L2E, L2P, L3E, L3P)
Note: With the standard settings, the user password is synchronized with the SNMP v1/v2 community.

Deactivate password sync
In order to be able to assign different passwords for different users and SNMP access rights, deactivate the Password Sync function.
Action: Deactivate password sync | Default setting: On | Recommended setting: Off | Available: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Password / SNMP v3 access, CLI users passwd (L2B, L2E, L2P, L3E, L3P)
7. C Further Support
Technical Questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly. You will find the addresses of our partners on the Internet at http://www.hirschmann.com. Contact our support at https://hirschmann-support.belden.eu.com.
You can contact us
- in the EMEA region at Tel. +49 (0)1805 14-1538, E-mail hac.support@belden.com
- in the America region at Tel. +1 717 217-2270, E-mail inet-support.us@belden.com
- in the Asia-Pacific region at Tel. +65 6854 9860, E-mail inet-ap@belden.com
Hirschmann Competence Center
The Hirschmann Competence Center is ahead of its competitors:
- Consulting incorporates comprehensive technical advice, from system evaluation through network planning to project planning.
- Training offers you an introduction to the basics, product briefing and user training with certification. The current technology and product training courses can be found at http://www.hicomcenter.com.
- Support ranges from the first installation through the standby service to maintenance concepts.
With the Hirschmann Competence Center, you have decided against making any compromises. Our client-customized package leaves you free to choose the service components you want to use.
Internet: http://www.hicomcenter.com
8. The separation of the VLANs from each other mainly depends on the settings for the ports: "-" (not a member), T (tagged), U (untagged) and F (forbidden). In general, the default setting for every port in every VLAN should be F (forbidden). This means that when a new VLAN is created, every port in this VLAN should initially be set to F (not a member and GVRP forbidden) and be assigned to exactly one VLAN only when required.
Configure the switch so that when a frame without a VLAN tag is received at a port, this frame is not assigned to another VLAN in the switch.
Action: Set default setting of switch port to F | Default setting: "-" (not a member, but GVRP allowed) | Recommended setting: When GVRP is deactivated, "not a member" is forbidden as the default setting, and then assignment to one VLAN if required | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI VLAN Static, CLI vlan participation (L2E, L2P, L3E, L3P)
Action: Assign untagged frames to VLAN | Default setting: 1 | Recommended setting: Same VLAN as was activated for this port | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI VLAN Static, CLI vlan tagging (L2E, L2P, L3E, L3P)
9. Action: Activate ARP selective learning | Default setting: Off | Recommended setting: On | Available in SW version: L2B no, L2E no, L2P no, L3E yes, L3P yes | Further information: GUI Set ARP parameters, CLI arp selective learning (L3E, L3P)
Known limitations: When a device sets up a connection for the 1st time via the router, this can take slightly longer.

Deactivate router discovery
Router advertisement can be used for a range of attacks on the IT security. Here the problem is not the router itself but the terminal devices that react to such advertisement frames and then send the frames to fake routers. These routers can then intercept or corrupt the traffic and forward it to the real router, or discard the traffic (Denial of Service). Therefore, ICMP router advertisement (router and terminal devices) should generally be foregone.
Action: Deactivate router discovery | Default setting: Off | Recommended setting: Off | Available in SW version: L2B no, L2E no, L2P no, L3E yes, L3P yes | Further information: GUI Configuration Router Discovery, CLI ip irdp (L3E, L3P)

Use RIPv2 with authentication
When an application case requires the use of a dynamic routing protocol, use only RIP v2 with MD5 authentication. In this way you can prevent an attacker without authentication from manipulating
10. However, defects are still possible here, such as when a device is operated outside the recommended specifications. This results in the following threats:
- Limitation of the availability
- Reading out of the configuration
- Reading out of secret keys (SSL and SSH), passwords and SNMP community strings
4.8.2 Security Quick Check for Disturbance
Do you require ... | If necessary | If not necessary
Confidentiality in very sensitive areas, and you are replacing the device | Regularly check on security-relevant updates and their installation. The Help Desk can evaluate your diagnosis of the defect and start the RMA process. If, against expectations, the error is a configuration error, taking the route via the Help Desk saves time compared with sending the device in directly. As the memory cannot be deleted safely for technological reasons, no guarantee is made for the stored data. Contact the Help Desk. | Contact the Help Desk.
Basic principle: Reading out the configuration can compromise the confidentiality, because passwords can be read out, for example. In very sensitive areas this can be classified as not acceptable.
4.8.3 Measures
Contact the Help Desk
Contact the Help Desk so that your case can be processed as quickly as possible. You can reach the Help Desk via the following portal: https
11. Action: Force SNMP v3 encryption | Default setting: Off | Recommended setting: On | Available in SW version: L2B no, L2E no, L2P yes, L3E yes, L3P yes | Further information: CLI users snmpv3 encryption (L2P, L3E, L3P)
Note: If no encryption can be activated, all the messages are transferred in clear text.

Activate SSH
SSH provides integrity and confidentiality. Telnet, in contrast, cannot guarantee this, because both the login and the actual communication are transferred in clear text.
Action: Transfer SSH key | Recommended setting: Only use in trusted networks | Available in SW version: L2B no, L2E no, L2P yes, L3E yes, L3P yes | Further information: Replace faulty devices; Prepare basic SSH access
Action: Activate SSH server | Default setting: On | Recommended setting: On | Available in SW version: L2B no, L2E no, L2P yes, L3E yes, L3P yes | Further information: GUI description of SSH access, CLI network mgmt-access modify (L2P, L3E, L3P)

Timeout for Serial CLI
Use a password to improve the access protection for CLI. If CLI is not being used, the user is automatically logged out. This protects against unauthorized access.
Action: Set the timeout | Default setting: 5
12. exceptions to this may be very large rings, a lot of traffic or a high rate of lost frames.
Action: Activate faster ring configuration | Default setting: Standard | Recommended setting: activated | Available in SW version: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Configure HIPER Ring, CLI hiper-ring recovery-delay (L2B, L2E, L2P, L3E, L3P)

Deactivate Spanning Tree protocol
If the network has a completely ring-shaped structure and the formation of loops in the network can be ruled out, the Spanning Tree protocol should be deactivated. Otherwise, every status change at a switch port causes a reconfiguration of the spanning tree in the network and impedes the network traffic for several seconds, and for up to several minutes.
Action: Deactivate Spanning Tree protocol | Default setting: Off | Recommended setting: Off | Available in SW version: L2B yes, L2E yes, L2P yes, L3E yes | Further information: L2B: GUI Global, CLI spanning-tree; L2E: GUI Global, CLI spanning-tree; L2P: GUI Global, CLI spanning-tree; L3E: GUI Gl
13. hirschmann-support.belden.eu.com
The Help Desk can evaluate your diagnosis of the defect and start the RMA process. If, against expectations, the error is a configuration error, taking the route via the Help Desk saves time compared with sending the device in directly. As the memory cannot be deleted safely for technological reasons, no guarantee is made for the stored data.

Physical Destruction
If you have installed the device in a highly sensitive area, do not send in the device, but dispose of it yourself by physically destroying it.
14. Action: Set the timeout | Default setting: 5 minutes | Recommended setting: 5 minutes | Available in SW version: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: CLI serial timeout (L2B, L2E, L2P, L3E, L3P)

Deactivate HTTP and HTTPS
Known limitations: HTTP and HTTPS can only be deactivated together.
Action: Deactivate HTTP and HTTPS servers | Default setting: On | Recommended setting: If no web access is required, deactivate HTTP and HTTPS | Available in SW version: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: L2B: GUI Web access, CLI ip http server; L2E: GUI Telnet/Web access, CLI ip http server; L2P, L3E, L3P: GUI Telnet/Web/SSH access, CLI ip http server

Deactivate SNMP v1/2
With SNMP v1/v2, the community is used as the password and is transferred unencrypted. If you do not require any external access, deactivate SNMP v1/2, or at least limit SNMP v1/2 to read access.
Action: Deactivate SNMP v1/2 | Default setting: On | Recommended setting: Off | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: L2E: GUI SNMP v1/v2 access settings, CLI snmp-access version; L2P: GUI SNMP v1/v2 access settings, CLI snmp-access version; L3E: GUI SNMP v1/v2 access settings, CLI snmp-access
15. Action: Allow tagged frames only at ports configured with T (tagged) | Default setting: admitAll | Recommended setting: admitOnlyVlanTagged at ports configured with T (tagged) | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI VLAN Port, CLI vlan acceptframe (L2E, L2P, L3E, L3P)
Action: Evaluate VLAN tags (ingress filtering) | Default setting: Off | Recommended setting: On | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI VLAN Port, CLI vlan ingressfilter (L2E, L2P, L3E, L3P)
Note: The protocols IGMP (from L2E) and GMRP (from L2P) work without VLAN tags. IGMP requests are flooded to all ports, regardless of their VLAN assignment.
Note: If port-based routing has been activated, ingress filtering is also activated.

Separate Spanning Tree instance for each VLAN
The network structure can be influenced by manipulated Spanning Tree frames. Additionally, it cannot be ruled out that specific Spanning Tree frames (BPDUs) can be transported across switch and VLAN boundaries and thus open the way for an advanced attack scenario. Using a separate Spanni
16. 4.2.3 Measures
Do not use VLAN 1
Use VLAN 1 only for the HIPER Ring protocol and ring coupling. This measure makes it more difficult to manipulate the ring protocols. Therefore, make the following settings:
Action: Move the admin interface to a different VLAN | Default setting: 1 | Recommended setting: In the range 2 to 4042 | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI VLAN, CLI network mgmt_vlan (L2E, L2P, L3E, L3P)
Action: Change the time server configuration to a different VLAN | Default setting: 1 | Recommended setting: Same VLAN as for admin interface | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI SNTP Configuration, CLI sntp anycast vlan (L2E, L2P, L3E, L3P)
Action: Change all the switch ports from VLAN 1 to a different VLAN | Default setting: 1 | Recommended setting: In the range 2 to 4042 | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI VLAN Static, CLI vlan port pvid all (L2E, L2P, L3E, L3P)
Note: F
17. Action: Configure management access globally | Recommended setting: If the application requires a protocol, activate it for the management network | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: limited management access, CLI network mgmt-access modify (L2E, L2P, L3E, L3P)

Configuration of the Central User Management via RADIUS
In bigger networks, the local management of users and their passwords on the switch reaches its limitations when you want to change passwords, create new users or delete users. Therefore, central user management on RADIUS servers is recommended.
Known limitations: If the RADIUS servers can no longer be reached, it is not possible to log in to the switch with a RADIUS user. This scenario is to be considered here. It is always recommended to create an emergency access user on the switch, keep its password safe and access the switch with this user in an emergency. Afterwards, this password must be changed.
18. 4.3 Administrative Access
4.3.3 Measures
4.4 Monitoring
4.4.1 Threats
4.4.2 Security Quick Check for Monitoring
4.4.3 Measures
4.5 Service Level Management / Network Quality
4.5.1 Threats
4.5.2 Security Quick Check for Service Level Management
4.5.3 Measures
4.6 Updates
4.6.1 Threats
4.6.2 Security Quick Check
4.6.3 Measures
4.7 Decommissioning
4.7.1 Threats
4.7.2 Security Quick Check
4.7.3 Measures
4.8 Disturbance
4.8.1 Threats
4.8.2 Security Quick Check for Disturbance
4.8.3 Measures
A References
B Readers' Comments
C Further Support

1 Motivation and Goals
This document is based on a template that was created by TÜV SÜD Rail on request from Hirschmann for Hirschmann devices.
1.1 Motivation
The switch is used in industrial automation and control technology in order to connect control technology systems and office IT. This communication is requested by our customers more and more, because continuous communication speeds up production, lowers costs and can support our customers' business processes via close links. However, cyber attacks such as Stuxnet have shown that industrial automation and control technol
19. 4.2 Separating networks
4.2.1 Threats
Separating networks or network segments is an important aspect of network security. It can be used, for example, to form different confidentiality classes. The following threats exist for secure network separation:
- Incorrect configuration of port
- Incorrect configuration of VLAN
- Incorrect configuration of ACL
- Breaking through VLAN boundaries
- ARP flooding
- Faking an identity
When Layer 3 software (routing) is used, there are additional threats:
- Manipulation of VRRP/HiVRRP protocol
- Manipulation of routing via fake Router Discovery frames
- Manipulation of routing via fake RIPv1 or RIPv2 frames
- Manipulation of the routing paths via Proxy ARP frames
- Risk of incorrect configuration due to multiple IP subnetworks on the same subnetwork (multinetting)
- Network infrastructure revealed via Router Discovery frames
All of the threats named attempt to break through the separation of the networks or network segments from each other, or to manipulate the communication paths between network segments (Layer 2 and Layer 3).
4.2.2 Security Quick Check for Separation of Networks
This table helps you to identify which measures in your system environment should
20. L3E: GUI Switching GMRP, CLI set gmrp adminmode; L3P yes: GUI Switching GMRP, CLI set gmrp adminmode

Deactivate Generic Multicast Registration Protocol (GMRP)
The GMRP protocol gives a client the option to enter itself in a multicast group on Layer 2. Deactivate this protocol if you do not really require it.
Action: Deactivate GMRP | Default setting: Off (default) | Recommended setting: Off | Available in SW version: L2B no, L2E no, L2P yes, L3E yes, L3P yes | Further information: GUI Switching GMRP, CLI no set gmrp adminmode (L2P, L3E, L3P)

4.3 Administrative Access
4.3.1 Threats
Write access to a switch is required throughout the entire life cycle of the switch. This results in the following threats:
- Identity theft
- Expanding the rights
- Manipulation of the configuration
- Configuration error
You can counteract threats with the following configuration items:
- Adhere to the confidentiality and integrity of the administration access
- Use secure connections for the administration
Depending on the software version, the switching platform provides the following options for increasing the security: SNMP v3, SSH. The administration access via telnet and SNMP v1/v2 does not provide any protecti
21. IP information via a DHCP server and also a TFTP server for configurations. An attacker can misuse this service. For higher availability, select a static IP configuration for infrastructure components. Dynamic IP configurations require the existence of protocols which present a target to attackers.
Action: Activate DHCP client | Default setting: On | Recommended setting: Activate DHCP only if you require dynamic address assignment for your infrastructure components | Available: L2B yes, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Network, CLI network protocol (L2B, L2E, L2P, L3E, L3P)

Activate BOOTP
The switch can dynamically receive IP information via a BOOTP server and also a TFTP server for configurations. An attacker can misuse this service. For higher availability, select a static IP configuration for infrastructure components. Dynamic IP configurations require the existence of protocols which present a target to attackers.
Action: Activate BOOTP | Default setting: Off | Recommended setting: Activate BOOTP only if you | Available: L2B yes, L2E yes | Further information: L2B: GUI Network, CLI network protocol; L2E: GUI Network
22. Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: L2E: GUI Syslog, CLI logging host remove; L2P: GUI Syslog, CLI logging host remove; L3E: GUI Syslog, CLI logging snmp-requests set operation; L3P: GUI Syslog, CLI logging snmp-requests set operation

Central logging of SNMP write accesses via syslog
To be able to trace changes or manipulations of the configuration of the switch, log the SNMP write accesses and send the log entries to the central syslog server.
Action: Log SNMP write requests | Default setting: Off | Recommended setting: On (severity informational) | Available in SW version: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Syslog, CLI logging snmp-requests set operation (L2E, L2P, L3E, L3P)

Deactivate central logging of SNMP write accesses via syslog
If no syslog server is available, deactivate the logging of SNMP write accesses via syslog.
Action: Log SNMP write requests | Default setting: Off | Recommended setting: Off | Available in SW version: L2B no, L2E yes, L2P yes | Further information: L2E: GUI Syslog, CLI logging snmp-requests set operation; L2P: GUI Syslog, CLI
23. L3E: GUI RIP, CLI ip rip authentication; L3P yes: GUI RIP, CLI ip rip authentication

Use only static routes
If the application does not require a dynamic routing protocol, use only static routes. To prevent possible attacks via routing protocols, deactivate all functions of these protocols.
Action: Deactivate RIP | Default setting: Off (default) | Recommended setting: Off | Available in SW version: L2B no, L2E no, L2P no, L3E yes, L3P yes | Further information: GUI RIP, CLI ip rip (L3E, L3P)

Use OSPF only with encrypted authentication
When OSPF is being used as the routing protocol, the routers should authenticate themselves to each other. This makes it more difficult for attackers to change routing information in the network via fake routing frames or routing frames that they have smuggled in.
Action: Activate OSPF authentication | Default setting: none | Recommended setting: encrypt | Available in SW version: L2B no, L2E no, L2P no, L3E no, L3P yes | Further information: CLI ip ospf authentication (L3P)

Use OSPF virtual links only with authentication
If virtual links are to be used for OSPF routing, these should be a
24. ... require dynamic ... infrastructure components | Available: L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI Network, CLI network protocol (L2E, L2P, L3E, L3P)

Activate PROFINET
PROFINET can be used to read and change specific properties of the switch. Only activate this option if you require PROFINET.
Action: Activate PROFINET | Default setting: Off | Recommended setting: Activate PROFINET if the protocol is to be used | Available: L2B no, L2P yes, L3E yes, L3P yes | Further information: L2E: CLI profinetio; L2P, L3E, L3P: GUI PROFINET IO, CLI profinetio

Activate EtherNet/IP
EtherNet/IP can be used to read and change specific properties of the switch. Only activate this option if you require EtherNet/IP.
Action: Activate EtherNet/IP | Default setting: Off | Recommended setting: Activate EtherNet/IP if the protocol is to be used | Available: L2B no, L2E yes, L2P yes, L3E yes, L3P yes | Further information: GUI EtherNet/IP, CLI ethernet-ip (L2E, L2P, L3E, L3P)

Activate LLDP
The switch uses the Link Layer Discovery Protocol to send information about itself regularly to the network. T
Readers' Comments

What is your opinion of this manual? We are always striving to provide as comprehensive a description of our product as possible, as well as important information that will ensure trouble-free operation. Your comments and suggestions help us to further improve the quality of our documentation.

Your assessment of this manual (Very good / Good / Satisfactory / Mediocre / Poor):
  Precise description
  Readability
  Understandability
  Examples
  Structure
  Completeness
  Graphics
  Drawings
  Tables

Did you discover any errors in this manual? If so, on what page?

Suggestions for improvement and additional information:

General comments:

Sender: Company, Department, Name, Telephone no., Street, Zip code, City, e-mail, Date, Signature

Dear User, please fill out and return this page as a fax to the number +49 (0)7127 14-1600 or by post to:
Hirschmann Automation and Control GmbH
Department 01RD-NT
Stuttgarter Str. 45-51
72654 Neckartenzlingen

Further Support
Description of the Product (software variants)

Layer 2 Enhanced (L2E)
  Suitable for: RS20, RS30, RS40, MS20, MS30
  Basic level plus a wide range of management, filter and diagnostic functions. Also supported: fast redundancy procedures, industrial profiles and security functions. Ideal for standard industrial applications.

Layer 2 Professional (L2P)
  Suitable for: RS20, RS30, RS40, MS20, MS30, OCTOPUS, PowerMICE, RSR20, RSR30, MACH100, MACH1000, MACH4000
  Enhanced software plus enhanced diagnostic and filter properties, security functions and redundancy procedures. A software package for applications that attach great importance to the uncompromising security of the production plant and maximum availability.

Routing Layer 3 Enhanced (L3E)
  Suitable for: PowerMICE, MACH4000
  Layer 2 Professional software plus additional security, static routing, and router and connection redundancy. The Layer 3 software is intended for smaller data networks and applications with increased security requirements.

Layer 3 Professional (L3P)
  Suitable for: PowerMICE, MACH1040, MACH4000
  Layer 3 Enhanced plus a wide range of dynamic routing protocols, faster router redundancy and improved connection redundancy.

3 Framework Conditions

This document refers to software 7.1.05 for software variants L2E, L2P, L3E
Create user (table continued):
  L2P: Yes - CLI L2P "users name"
  L3E: Yes - CLI L3E "users name"
  L3P: Yes - CLI L3P "users name"

Action: Define write access for users
  Recommended setting: Readwrite
  L2B: Yes - CLI L2B "users access"
  L2E: Yes - CLI L2E "users access"
  L2P: Yes - CLI L2P "users access"
  L3E: Yes - CLI L3E "users access"
  L3P: Yes - CLI L3P "users access"

Action: Set password
  Recommended setting: Secure password of 16 characters
  L2B: Yes - CLI L2B "users passwd"
  L2E: Yes - CLI L2E "users passwd"
  L2P: Yes - CLI L2P "users passwd"
  L3E: Yes - CLI L3E "users passwd"
  L3P: Yes - CLI L3P "users passwd"

Secure Configuration - 4.3 Administrative Access

Action: Issue SNMP v3 access
  Recommended setting: Readwrite
  L2B: Yes - CLI L2B "users snmp-v3 accessmode"
  L2E: Yes - CLI L2E "users snmp-v3 accessmode"
  L2P: Yes - CLI L2P "users snmp-v3 accessmode"
  L3E: Yes - CLI L3E "users snmp-v3 accessmode"
  L3P: Yes - CLI L3P "users snmp-v3 accessmode"

Action: SNMP v3 authentication
  Recommended setting: SHA
  L2B: Yes - CLI L2B "users snmp-v3 authentication"
  L2E: Yes - CLI L2E "users snmp-v3 authentication"
  L2P: Yes - CLI L2P "users snmp-v3 authentication"
  L3E: Yes - CLI L3E "users snmp-v3 authentication"
  L3P: Yes - CLI L3P "users snmp-v3 authentication"

Action: SNMP v3 encryption
  Recommended setting: DES, key with a length of 16 characters
  L2B: No | L2E: No
  L2P: Yes - CLI L2P "users snmp-v3 encryption"
  L3E: Yes - CLI L3E "users snmp-v3 encryption"
  L3P: Yes - CLI L3P "users snmp-v3
Alarm on network load per interface (table continued):
  L2P: Yes - GUI L2P "load/network load"
  L3E: Yes - GUI L3E "load/network load"
  L3P: Yes - GUI L3P "load/network load"

Secure Configuration - 4.5 Service Level Management (Network Quality)

Configuration of rate limiter

The function of the rate limiter allows incoming or outgoing frames (broadcasts, multicasts, unicasts from MAC addresses not learned yet) to be filtered in terms of a specific bandwidth (Kbit/s) or in terms of frames (depends on the product used). This improves the protection against overloading for both the switch and the devices behind it. Only use the rate limiter if the effects on the network can be estimated and you can estimate and accept the risks of using this function.

Action: Incoming frame types
  Default setting: BC (Broadcasts) | Recommended setting: BC (default)
  L2B: No
  L2E: Yes - GUI L2E "Rate Limiter"; CLI L2E "storm-control broadcast"
  L2P: Yes - GUI L2P "Rate Limiter"; CLI L2P "storm-control broadcast"
  L3E: Yes - GUI L3E "Rate Limiter"; CLI L3E "storm-control broadcast"
  L3P: Yes - GUI L3P "Rate Limiter"; CLI L3P "storm-control broadcast"

Action: Ingress limiter
  Default setting: Off | Recommended setting: On
  L2B: No
  L2E: Yes - GUI L2E "Rate Limiter"; CLI L2E "storm-control ingress-limiting"
  L2P: Yes - GUI L2P "Rate Limiter"; CLI L2P "storm-control ingress-limiting"
  L3E: Yes - GUI L3E "Rate Limiter"; CLI L3E "storm c
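The rate limiter described above is, in effect, a token bucket applied only to the frame classes the guide names (broadcasts, multicasts, unknown unicasts). The following model is an added example written for this page, not code from the guide or from the switch firmware; the class names BC/MC/UUC, the constructed MAC addresses and the 50 frames/s / 10-frame burst parameters are assumptions chosen for illustration. It shows why the guide warns that the effects must be estimable: once the bucket is empty, legitimate broadcasts (ARP, for instance) are dropped just like the storm that emptied it.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Frame classes a storm-control / rate-limiter filter acts on (as listed in the guide):
# broadcasts (BC), multicasts (MC) and unicasts to MAC addresses not learned yet (UUC).
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def frame_class(dst_mac, learned_macs):
    """Classify a frame by destination MAC: BC, MC, UUC (unknown unicast) or UC."""
    dst = dst_mac.lower()
    if dst == BROADCAST_MAC:
        return "BC"
    if int(dst.split(":")[0], 16) & 0x01:      # I/G bit set: group (multicast) address
        return "MC"
    return "UC" if dst in learned_macs else "UUC"


@dataclass
class IngressLimiter:
    """Token bucket: `rate` tokens/s refill, at most `burst` tokens stored.
    unit="frames": one token per frame; unit="kbit": tokens are Kbit, cost = 8*len/1000.
    Only frames whose class is in `limited_classes` are subject to the bucket.
    Fractions keep the arithmetic exact so the simulation below is reproducible."""
    rate: int
    burst: int
    unit: str = "frames"
    limited_classes: tuple = ("BC",)
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self):
        self.tokens = Fraction(self.burst)

    def _cost(self, length_bytes):
        return Fraction(1) if self.unit == "frames" else Fraction(length_bytes * 8, 1000)

    def admit(self, now, dst_mac, length_bytes, learned_macs):
        """Return True if the frame is forwarded, False if the limiter drops it."""
        if frame_class(dst_mac, learned_macs) not in self.limited_classes:
            return True                           # not a limited class: always forwarded
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        cost = self._cost(length_bytes)
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True


def simulate_broadcast_storm(n_frames=100, spacing_ms=1, rate=50, burst=10):
    """Constructed input: n_frames 64-byte broadcasts arriving spacing_ms apart (a storm)
    through a limiter of `rate` frames/s with a `burst`-frame bucket, BC and UUC limited.
    Returns (forwarded, dropped)."""
    limiter = IngressLimiter(rate=rate, burst=burst, limited_classes=("BC", "UUC"))
    learned = {"00:80:63:12:34:56"}                # constructed: one learned neighbour
    forwarded = dropped = 0
    for i in range(n_frames):
        now = Fraction(i * spacing_ms, 1000)
        if limiter.admit(now, BROADCAST_MAC, 64, learned):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    print(simulate_broadcast_storm())   # (14, 86): the burst passes, then about 1 in 20
```

With the constructed parameters the first ten broadcasts pass on the stored burst and afterwards only one frame per 20 ms (the 50 frames/s refill) gets through; everything else is dropped, which is the "risk of using this function" the guide asks you to accept consciously.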
  (CLI "ethernet-ip", table continued)

Deactivate LLDP

The switch uses the Link Layer Discovery Protocol (LLDP) to send information about itself regularly to the network. This information can be an important aid for troubleshooting. However, this information also supplies an attacker with valuable data.

Action: Deactivate LLDP
  Default setting: On | Recommended setting: Off
  L2B: Yes - GUI L2B "Topology Discovery"; CLI L2B "lldp"
  L2E: Yes - GUI L2E "Topology Discovery"; CLI L2E "lldp"
  L2P: Yes - GUI L2P "Topology Discovery"; CLI L2P "lldp"
  L3E: Yes - GUI L3E "Topology Discovery"; CLI L3E "lldp"
  L3P: Yes - GUI L3P "Topology Discovery"; CLI L3P "lldp"

Action: Deactivate LLDP-MED
  Default setting: On | Recommended setting: Off
  L2B: No | L2E: No
  L2P: Yes - GUI L2P "LLDP-MED"; CLI L2P "lldp med"
  L3E: Yes - GUI L3E "LLDP-MED"; CLI L3E "lldp med"
  L3P: Yes - GUI L3P "LLDP-MED"; CLI L3P "lldp med"

Note: PROFINET requires LLDP in order to operate.

Secure Configuration - 4.1 Starting Up

Skip ACA when booting

If you are not using an ACA, you can use this to speed up the booting procedure and make unauthorized loading of a configuration during the start more difficult.

Action: Skip ACA
  Default setting: Off | Recommended setting: On
  L2B: No
  L2E: Yes - CLI L2E "skip-aca-on-boot"
  L2P: Yes - CLI L2P "skip-aca-on-boot"
  L3E: Yes - CLI L3E "skip-aca-on-boot"
  L3P: Yes - CLI L3P "skip-aca-on-boot"

Read access f
(DHCP relay, continued) on a specific switch port so that you can manage the device better. If you are not using this function, deactivate this option.

Action: Do not configure any DHCP server IP addresses
  Default setting: 0.0.0.0 / disabled for all 4 possible server entries | Recommended setting: 0.0.0.0 / disabled for all 4 possible entries
  L2B: Yes - GUI L2B "DHCP Relay Agent"; CLI L2B "dhcp-relay"
  L2E: Yes - GUI L2E "DHCP Relay Agent"; CLI L2E "dhcp-relay"
  L2P: Yes - GUI L2P "DHCP Relay Agent"; CLI L2P "dhcp-relay"
  L3E: Yes - GUI L3E "DHCP Relay Agent"; CLI L3E "dhcp-relay"
  L3P: Yes - GUI L3P "DHCP Relay Agent"; CLI L3P "dhcp-relay"

Activate routing

If the switch is to function as a router, activate the routing.

Action: Activate routing globally
  Default setting: Off | Recommended setting: On
  L2B: No | L2E: No | L2P: No
  L3E: Yes - GUI L3E "Routing Global"; CLI L3E "Routing Commands"
  L3P: Yes - GUI L3P "Routing Global"; CLI L3P "Routing Commands"

Secure Configuration - 4.2 Separating networks

Action: Activate routing on the required ports
  Default setting: Off | Recommended setting: On
  L2B: No | L2E: No | L2P: No
  L3E: Yes - GUI L3E "Router Interfaces Configure"; CLI L3E "routing"
  L3P: Yes - GUI L3P "Router Interfaces Configure"; CLI L3P "routing"

Deactiva
  (CLI "selftest ramtest", table continued)

Cold start for undefined software behavior

If undefined behavior occurs in the software of the switch during operation, the switch can restart itself. This function helps to prevent errors and problems during operation due to individual subsystems that are not working correctly any more.

Action: Cold start for undefined software behavior
  Default setting: On | Recommended setting: On
  L2B: Yes - GUI L2B "Selftest"; CLI L2B "selftest reboot-on-error"
  L2E: Yes - GUI L2E "Selftest"; CLI L2E "selftest reboot-on-error"
  L2P: Yes - GUI L2P "Selftest"; CLI L2P "selftest reboot-on-error"
  L3E: Yes - GUI L3E "Selftest"; CLI L3E "selftest reboot-on-error"
  L3P: Yes - GUI L3P "Selftest"; CLI L3P "selftest reboot-on-error"

Secure Configuration - 4.6 Updates

4.6 Updates

4.6.1 Threats

Hirschmann regularly expands and improves the software of the switch. Hirschmann makes the resulting updates available for downloading from the product page on the Internet. Implement the updates on the switch. This results in the following threats:
  Implementation of defective (damaging) software
  Interruption of the update process
  Misuse of the update function

A defective or malicious update can be implemented deliberately, and this can impair the confidentiality and integrity and even the availability of the sw
Action: Activate detection of CRC/fragment errors for each port
  Default setting: Off | Recommended setting: On
  L2B: No | L2E: No
  L2P: Yes - GUI L2P "Port Monitor"; CLI L2P "port-monitor condition crc-fragment" (Global Config)
  L3E: Yes - GUI L3E "Port Monitor"; CLI L3E "port-monitor condition crc-fragment" (Global Config)
  L3P: Yes - GUI L3P "Port Monitor"; CLI L3P "port-monitor condition crc-fragment" (Global Config)

Action: Activate sending of trap for each port
  Default setting: Deactivate | Recommended setting: Send trap
  L2B: No | L2E: No
  L2P: Yes - GUI L2P "Port Monitor"; CLI L2P "port-monitor action"
  L3E: Yes - GUI L3E "Port Monitor"; CLI L3E "port-monitor action"
  L3P: Yes - GUI L3P "Port Monitor"; CLI L3P "port-monitor action"

Secure Configuration - 4.4 Monitoring

Send SNMP traps when using VRRP/HiVRRP

When you are using router redundancy with VRRP or HiVRRP, get the switch to report important status changes to you via SNMP traps:
  When the router becomes master
  When the router receives VRRP frames with incorrect authentication

Action: Send VRRP master trap
  Default setting: Off | Recommended setting: On
  L2B: No | L2E: No | L2P: No
  L3E: Yes - GUI L3E "VRRP/HiVRRP"; CLI L3E "vrrp trap"
  L3P: Yes - GUI L3P "VRRP/HiVRRP"; CLI L3P "vrrp trap"

Action: Send VRRP authentication trap
  Default setting: Off | Recommended setting: On
  L2B: No | L2E: No | L2P: No
  L3E: Yes - GUI L3E "VRRP/HiVRRP"; CLI L3E "vrrp trap"
  L3P: Yes - GUI L3P "VRRP/HiVRRP"; CLI L3P "vrrp tra
(Deactivate net-directed broadcasts, continued) this function. RFC 2644, "Changing the Default for Directed Broadcasts in Routers", defines that the default behavior of routers should be that directed broadcasts are not forwarded. Note: All-net directed broadcasts (255.255.255.255) are discarded.

Action: Deactivate net-directed broadcasts
  Default setting: Off | Recommended setting: Off (default)
  L2B: No | L2E: No | L2P: No
  L3E: Yes - GUI L3E "Router Interfaces Configure"; CLI L3E "ip netdirbcast"
  L3P: Yes - GUI L3P "Router Interfaces Configure"; CLI L3P "ip netdirbcast"

Secure Configuration - 4.2 Separating networks

Activate ARP selective learning

In the default setting, the router learns all the MAC addresses that it sees at its ports and keeps these addresses for 1,200 seconds (20 minutes) in its memory before deleting them again. Sending fake frames with invalid or non-existent MAC addresses can cause the table on the router to overflow and thus compromise the availability or integrity (man-in-the-middle attack). Therefore, the router should only put MAC addresses that it explicitly requested into its table.

Note: If this option is activated, the first frame of a connection takes somewhat longer because of the ARP request that is then required.
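The RFC 2644 rule above is easy to state but worth seeing as a decision procedure: a limited broadcast (255.255.255.255) is never forwarded, a net-directed broadcast (the broadcast address of one of the router's own subnets) is forwarded only if the administrator turned that on, and everything else is routed normally. The function below is an added example for this page, not code from the guide or the switch; the connected networks used in the demonstration are constructed, and the `netdirbcast` flag stands in for the guide's "ip netdirbcast" setting whose default is Off.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_destination(dst, connected):
    """Classify dst relative to a router's connected networks (list of IPv4Network):
    'limited-broadcast' (255.255.255.255), 'net-directed-broadcast' (the broadcast
    address of a connected subnet), 'local' (host in a connected subnet) or 'remote'."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    for net in connected:
        # /31 and /32 links have no broadcast address (RFC 3021), so they are skipped here
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return "net-directed-broadcast"
    if any(addr in net for net in connected):
        return "local"
    return "remote"


def router_forwards(dst, connected, netdirbcast=False):
    """Forwarding decision for a packet arriving at the router.
    netdirbcast=False is the RFC 2644 default the guide recommends keeping: net-directed
    broadcasts are dropped instead of being flooded onto the destination subnet."""
    kind = classify_destination(dst, connected)
    if kind == "limited-broadcast":
        return False                 # never forwarded, regardless of the setting
    if kind == "net-directed-broadcast":
        return netdirbcast
    return True


if __name__ == "__main__":
    # Constructed router with two connected subnets (assumed values, not from the guide).
    nets = [ipaddress.IPv4Network("10.0.1.0/24"), ipaddress.IPv4Network("192.168.5.0/24")]
    for dst in ("10.0.1.7", "10.0.1.255", "192.168.5.255", "255.255.255.255", "172.16.0.9"):
        print(dst, classify_destination(dst, nets), router_forwards(dst, nets))
```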
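To make the ARP selective learning trade-off concrete, here is a small model of the router's ARP table in both modes: learn everything seen on the wire (the guide's default) versus cache only replies to requests the router itself sent. This is an added example written for this page, not code from the guide or the switch firmware; the table capacity of four entries, the IP and MAC addresses, and the scenario are constructed so the overflow is visible in a few lines. The 1,200-second age-out is the value the guide states.

```python
from collections import OrderedDict

ARP_AGE_SECONDS = 1200      # the guide's default: an entry lives 1,200 s (20 minutes)


class ArpCache:
    """Router ARP table with a capacity and an age-out, in two learning modes.
    learn_all=True  : every (IP, MAC) pair seen in an ARP packet is cached (default).
    learn_all=False : ARP selective learning; only answers to the router's own requests
                      are cached, unsolicited and gratuitous ARP is ignored."""

    def __init__(self, capacity=4, learn_all=True):
        self.capacity = capacity
        self.learn_all = learn_all
        self.entries = OrderedDict()    # ip -> (mac, expiry time)
        self.pending = set()            # IPs the router has itself asked about
        self.overflow_drops = 0         # genuine or fake entries refused because the table was full

    def _expire(self, now):
        for ip in [ip for ip, (_, expiry) in self.entries.items() if expiry <= now]:
            del self.entries[ip]

    def request(self, ip):
        """The router sends an ARP request, e.g. before forwarding the first frame to ip."""
        self.pending.add(ip)

    def observe(self, ip, mac, now, is_reply=False):
        """Process an ARP packet seen on a port. Returns True if the pair was cached."""
        self._expire(now)
        solicited = is_reply and ip in self.pending
        if not (self.learn_all or solicited):
            return False                # selective learning: not asked for, not cached
        self.pending.discard(ip)
        if ip not in self.entries and len(self.entries) >= self.capacity:
            self.overflow_drops += 1
            return False                # table full: a real neighbour can no longer be added
        self.entries[ip] = (mac, now + ARP_AGE_SECONDS)
        return True

    def lookup(self, ip, now):
        self._expire(now)
        return self.entries.get(ip, (None, None))[0]


def simulate(learn_all, n_fake=10, capacity=4):
    """Constructed scenario: n_fake unsolicited ARP replies for non-existent hosts arrive,
    then the router needs the MAC of a real neighbour 10.0.0.1. Returns
    (neighbour_cached, overflow_drops, mac_after_600s, mac_after_1201s)."""
    cache = ArpCache(capacity=capacity, learn_all=learn_all)
    for i in range(n_fake):
        cache.observe(f"10.0.0.{100 + i}", f"de:ad:be:ef:00:{i:02x}", now=0, is_reply=True)
    cache.request("10.0.0.1")
    cached = cache.observe("10.0.0.1", "00:80:63:aa:bb:cc", now=1, is_reply=True)
    return (cached, cache.overflow_drops,
            cache.lookup("10.0.0.1", now=601), cache.lookup("10.0.0.1", now=1201))


if __name__ == "__main__":
    print("learn all :", simulate(learn_all=True))    # neighbour not cached, table full
    print("selective :", simulate(learn_all=False))   # neighbour cached, fakes ignored
```

The last tuple element shows the age-out the guide mentions: even the genuine entry is gone at 1,201 s and must be re-requested, which is the "first frame takes somewhat longer" cost of the setting.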
SNMP v1/v2 access settings (table continued):
  L3P: Yes - GUI L3P "SNMP v1/v2 access settings"; CLI L3P "snmp-access version"

Secure Configuration - 4.3 Administrative Access

Deactivate Telnet

Telnet transfers the data unencrypted via the network and therefore should not be used.

Known limitation: If the Telnet service has been deactivated, the Command Line Interface (CLI) does not work in the web interface any more.

Action: Deactivate Telnet server
  Default setting: On | Recommended setting: Off
  L2B: No
  L2E: Yes - GUI L2E "Telnet/web access"; CLI L2E "telnet"
  L2P: Yes - GUI L2P "Telnet/web/SSH access"; CLI L2P "telnet"
  L3E: Yes - GUI L3E "Telnet/web/SSH access"; CLI L3E "telnet"
  L3P: Yes - GUI L3P "Telnet/web/SSH access"; CLI L3P "telnet"

Note: If a user calls up the Telnet service via the web interface with HTTP or HTTPS, the access data is still transferred as clear text.

Deactivate SSH

Action: Activate/Deactivate SSH server
  Default setting: Off | Recommended setting: Deactivate if no remote access to the console is required
  L2B: No | L2E: No
  L2P: Yes - GUI L2P "Telnet/web/SSH access"; CLI L2P "network mgmt-access modify"
  L3E: Yes - GUI L3E "Telnet/web/SSH access"; CLI L3E "network mgmt-access modify"
  L3P: Yes - GUI L3P "Telnet/web/SSH access"; CLI L3P "network mgmt-access modify"
Secure Configuration - 4.3 Administrative Access

Create a Read Access

For the following reasons you should generally avoid using the standard user "user":
  The user name is publicly known and therefore makes it significantly easier to attack by guessing the password.
  Actions on the switch cannot be assigned to any user (traceability of configuration changes).

Therefore, create a separate account for every employee.

Action: Create user
  Recommended setting: Use unique users
  L2B: No
  L2E: No - GUI L2E "password/SNMP v3 access"; CLI L2E "users name"
  L2P: Yes - GUI L2P "password/SNMP v3 access"; CLI L2P "users name"
  L3E: Yes - GUI L3E "password/SNMP v3 access"; CLI L3E "users name"
  L3P: Yes - GUI L3P "password/SNMP v3 access"; CLI L3P "users name"

Action: Define write access for users
  Recommended setting: Readonly
  L2B: No
  L2E: No - GUI L2E "password/SNMP v3 access"; CLI L2E "users access"
  L2P: Yes - GUI L2P "password/SNMP v3 access"; CLI L2P "users access"
  L3E: Yes - GUI L3E "password/SNMP v3 access"; CLI L3E "users access"
  L3P: Yes - GUI L3P "password/SNMP v3 access"; CLI L3P "users access"

Action: Set password
  Recommended setting: Secure password of 16 characters
  L2B: No
  L2E: Yes - GUI L2E "password/SNMP v3
Secure Configuration - 4.5 Service Level Management (Network Quality)

Action: Egress limiting rate (all)
  Default setting: Off | Recommended setting: Off (default)
  L2B: No
  L2E: Yes - GUI L2E "Rate Limiter"; CLI L2E "storm-control egress-limiting"
  L2P: Yes - GUI L2P "Rate Limiter"; CLI L2P "storm-control egress-limiting"
  L3E: Yes - GUI L3E "Rate Limiter"; CLI L3E "storm-control egress-limiting"
  L3P: Yes - GUI L3P "Rate Limiter"; CLI L3P "storm-control egress-limiting"

Action: Egress limiting rate (all) per port
  Default setting: 0 (off) | Recommended setting: 0 (off, default)
  L2B: No
  L2E: Yes - GUI L2E "Rate Limiter"; CLI L2E "storm-control egress-limit"
  L2P: Yes - GUI L2P "Rate Limiter"; CLI L2P "storm-control egress-limit"
  L3E: Yes - GUI L3E "Rate Limiter"; CLI L3E "storm-control egress-limit"
  L3P: Yes - GUI L3P "Rate Limiter"; CLI L3P "storm-control egress-limit"

Use redundant routers

When using the switch as a router in an environment with high availability requirements, use an additional router to increase the availability in the case of a failure (redundancy). This router communicates via the VRRP or HiVRRP protocol to determine when the other router takes over the data transmission. Here it is also possible to use fake (Hi)VRRP frames to impair the availability of the network
Further Support

For more information please visit us at www.beldensolutions.com. Be certain you stay in touch.

EUROPE / MIDDLE EAST / AFRICA
  Germany (Head Office): Phone +49 7127 14-0, inet-sales@belden.com
  France: Phone +33 1 393 501 00, reseau.france@belden.com
  Italy: Phone +39 039 5965 250, info.milano@belden.com
  Russia: Phone +7 495 287 1391, info@belden.ru
  Spain: Phone +34 91 746 17 30, madrid.salesinfo@belden.com
  Sweden: Phone +46 40 699 88 60, inet-sales@belden.com
  The Netherlands: Phone +31 773 878 555, venlo.salesinfo@belden.com
  United Arab Emirates: Phone +971 4 391 0490, dubai.salesinfo@belden.com
  United Ki

AMERICAS
  USA: Phone +1 855 400 9071, inetsalesops@belden.com

ASIA PACIFIC
  Singapore: Phone +65 6879 9800, singapore.sales@belden.com

Belden, Belden Sending All The Right Signals, Hirschmann, GarrettCom, Tofino Security and the Belden logo are trademarks or registered trademarks of Belden Inc. or its affiliated companies in the United States and other jurisdictions. Belden and other parties may also have trademark rights in other terms used herein.
Activate SNTP client (table continued):
  L3E: CLI L3E "sntp client"
  L3P: Yes - GUI L3P "SNTP configuration"; CLI L3P "sntp client"

Secure Configuration - 4.4 Monitoring

Deactivate SNTP client

If there is no time source in the network, deactivate the SNTP service. Also deactivate the SNTP client when using PTP.

Action: Deactivate SNTP client
  Default setting: Off | Recommended setting: Off (see text description above)
  L2B: Yes - GUI L2B "SNTP configuration"; CLI L2B "sntp operation"
  L2E: Yes - GUI L2E "SNTP configuration"; CLI L2E "sntp operation"
  L2P: Yes - GUI L2P "SNTP configuration"; CLI L2P "sntp operation"
  L3E: Yes - GUI L3E "SNTP configuration"; CLI L3E "sntp operation"
  L3P: Yes - GUI L3P "SNTP configuration"; CLI L3P "sntp operation"

Deactivate SNTP server

Every service running unnecessarily on the switch provides an area of attack. Therefore, also deactivate the SNTP server service when you are not operating the switch as an SNTP server.

Action: Configuration of SNTP server
  Default setting: On if SNTP has been activated | Recommended setting: Off
  L2B: Yes - GUI L2B "SNTP configuration"; CLI L2B "sntp operation"
  L2E: Yes - GUI L2E "SNTP configuration"; CLI L2E "sntp operation"
  L2P: Yes - GUI L2P "SNTP configuration"; CLI L2P "sntp operation"
  L3E: Yes - GUI L3E "SNTP configuration"; CLI L3E "sntp operation"
  L3P: Yes - GUI L3P "SNTP configuration"; CLI
Central logging of SNMP write accesses (table continued):
  L2P: CLI L2P "logging snmp-requests set operation"
  L3E: Yes - GUI L3E "Syslog"; CLI L3E "logging snmp-requests set operation"
  L3P: Yes - GUI L3P "Syslog"; CLI L3P "logging snmp-requests set operation"

Secure Configuration - 4.4 Monitoring

Configuration of switch name

During an installation with more than one switch, give the switch a name so that the switches can easily be distinguished from each other. This also makes it easier to identify the switch in a network management system, which can read out this value via SNMP.

Action: Configure switch name
  Default setting: <Product>-<part of the MAC address> | Recommended setting: <Name>
  L2B: Yes - GUI L2B "System"; CLI L2B "snmp-server sysname"
  L2E: Yes - GUI L2E "System"; CLI L2E "snmp-server sysname"
  L2P: Yes - GUI L2P "System"; CLI L2P "snmp-server sysname"
  L3E: Yes - GUI L3E "System"; CLI L3E "snmp-server sysname"
  L3P: Yes - GUI L3P "System"; CLI L3P "snmp-server sysname"

Configuration of system prompt

During an installation with more than one switch, assign a system prompt that the CLI displays so that the switches can easily be distinguished from each other. This helps avoid incorrect configurations.

Action: Configure system prompt
  Default setting: Hirschmann Rail | Recommended setting: <Name>
  L2B: Yes - CLI L2B "set prompt"
  L3P: CLI L3P "sntp operation" (table continued)

Secure Configuration - 4.4 Monitoring

Do not accept SNTP broadcasts

SNTP broadcasts can be sent from random devices within the same subnetwork. This enables the manipulation of the local time in the switch. Additionally, when the receipt of SNTP broadcasts with another service in the network is activated, the switch can be addressed. Therefore, deactivate the receipt of SNTP broadcasts.

Action: Do not accept SNTP broadcasts
  Default setting: Accept | Recommended setting: Do not accept
  L2B: Yes - GUI L2B "SNTP configuration"; CLI L2B "sntp client accept-broadcast"
  L2E: Yes - GUI L2E "SNTP configuration"; CLI L2E "sntp client accept-broadcast"
  L2P: Yes - GUI L2P "SNTP configuration"; CLI L2P "sntp client accept-broadcast"
  L3E: Yes - GUI L3E "SNTP configuration"; CLI L3E "sntp client accept-broadcast"
  L3P: Yes - GUI L3P "SNTP configuration"; CLI L3P "sntp client accept-broadcast"

Activate PTP time synchronization

For SNMP traps and log entries, the time of the message plays a major role. In particular when clearing up a security incident, it helps to have the precise, identical time on all devices. Therefore, synchronize the clock of the switch permanently with a central time source. As an alternative to SNTP, PTP is a more precise variant. Use the newer version 2 of PTP.
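Why rejecting SNTP broadcasts matters becomes clear from the packet format: the mode field in the first byte of an (S)NTP packet is 5 for a broadcast, and a client that accepts mode 5 takes time from whoever sends it. The model below is an added example written for this page, not code from the guide or the switch firmware. It builds the 48-byte packets itself (timestamps reduced to the 32-bit seconds field, which is enough for the checks), and models a client that, like the guide's recommended setting, accepts only mode 4 replies whose originate timestamp echoes its own request; the timestamp values are constructed.

```python
import struct

NTP_MODE_CLIENT, NTP_MODE_SERVER, NTP_MODE_BROADCAST = 3, 4, 5


def build_ntp_packet(mode, transmit_ts, originate_ts=0, version=4, stratum=2):
    """Build a minimal 48-byte (S)NTP packet. Only the seconds half of the originate
    (offset 24) and transmit (offset 40) timestamps is set; LI is 0."""
    pkt = bytearray(48)
    pkt[0] = (version << 3) | mode          # LI(2) VN(3) Mode(3)
    pkt[1] = stratum
    struct.pack_into("!I", pkt, 24, originate_ts)
    struct.pack_into("!I", pkt, 40, transmit_ts)
    return bytes(pkt)


def parse_ntp_packet(pkt):
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    return {
        "version": (pkt[0] >> 3) & 0x7,
        "mode": pkt[0] & 0x7,
        "stratum": pkt[1],
        "originate": struct.unpack_from("!I", pkt, 24)[0],
        "transmit": struct.unpack_from("!I", pkt, 40)[0],
    }


class SntpClient:
    """Models the switch's SNTP client. With accept_broadcast=False (the guide's
    recommendation) time is only taken from a reply to the client's own request."""

    def __init__(self, accept_broadcast=False):
        self.accept_broadcast = accept_broadcast
        self.outstanding = None     # transmit timestamp of our last request, if any
        self.clock = None           # last accepted time (NTP seconds)

    def make_request(self, local_ts):
        self.outstanding = local_ts
        return build_ntp_packet(NTP_MODE_CLIENT, transmit_ts=local_ts, stratum=0)

    def receive(self, pkt):
        """Return (accepted, reason); on acceptance the clock is set from the packet."""
        hdr = parse_ntp_packet(pkt)
        if hdr["mode"] == NTP_MODE_BROADCAST:
            if not self.accept_broadcast:
                return False, "broadcast rejected"
        elif hdr["mode"] == NTP_MODE_SERVER:
            # A genuine reply echoes our transmit timestamp in its originate field;
            # anything else is an unsolicited packet from "another service in the network".
            if self.outstanding is None or hdr["originate"] != self.outstanding:
                return False, "unsolicited reply"
            self.outstanding = None
        else:
            return False, "unexpected mode"
        if hdr["stratum"] == 0:
            return False, "kiss-o'-death"   # stratum 0 in a reply is a KoD, never a time source
        self.clock = hdr["transmit"]
        return True, "accepted"


if __name__ == "__main__":
    client = SntpClient()                               # recommended setting
    client.make_request(3_900_000_000)                  # constructed local timestamp
    print(client.receive(build_ntp_packet(NTP_MODE_BROADCAST, transmit_ts=1)))
    print(client.receive(build_ntp_packet(NTP_MODE_SERVER, transmit_ts=3_900_000_100,
                                          originate_ts=3_900_000_000)), client.clock)
```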
  (If necessary, continued:) Limit SNMP read access to specific IP addresses; Send SNMP traps; Assign secure SNMP passwords (communities); Configure alarm for specific errors; Activate port monitor

Control question: Are there legal specifications for logging changes to the configuration?
  If necessary: Central logging of SNMP write accesses via syslog; Activate PTP time synchronization; Do not accept SNTP broadcasts
  If not necessary: Deactivate central logging of SNMP write accesses via syslog; Default setting

Control question: Should it be possible to clear up a security incident?
  If necessary: M4.8 or 4.12 time synchronization; Central logging via syslog (if no syslog server is available: Deactivate syslog)
  If not necessary: This is not an option for security-relevant applications

Control question: Is an SNTP time source available in the network?
  If necessary: Activate and configure SNTP client; Deactivate PTP time synchronization
  If not necessary: Deactivate SNTP client; Deactivate PTP time synchronization

Control question: Is a PTP time source available in the network?
  If necessary: Deactivate SNTP client; Deactivate SNTP server; Activate PTP time synchronization
  If not necessary: Activate and configure SNTP client; Deactivate SNTP server; Do not accept SNTP broadcasts

Control question: Is device monitoring with a signal contact planned?
  If necessary: Monitor the device status via the signal contact

Control question: Is there an environment with which the device status can also be monitored via PROFINET?
  If necessary: Activate PROFINET
  If not necessary: Deactivate PROFINET (see "Deactivate PROFINET")

Control question: Is VRRP or HiVRRP being used?
  If necessary: Send SNMP traps when using VRRP/HiVRRP

Basic principles

Table 2: Security Quick Check
Set password (table continued):
  L2E: Yes - GUI L2E "password/SNMP v3 access"; CLI L2E "users passwd"
  L2P: Yes - GUI L2P "password/SNMP v3 access"; CLI L2P "users passwd"
  L3E: Yes - GUI L3E "password/SNMP v3 access"; CLI L3E "users passwd"
  L3P: Yes - GUI L3P "password/SNMP v3 access"; CLI L3P "users passwd"

Secure Configuration - 4.3 Administrative Access

Limiting the Administration on IP Address Ranges

Limit the administration of the switch not only with regard to the services but also the networks from which access is possible.

Action: Activate restricted management access (RMA)
  Default setting: (illegible in source) | Recommended setting: On
  L2B: No
  L2E: Yes - L2E "limited management access"; CLI L2E "network mgmt-access operation"
  L2P: Yes - L2P "limited management access"; CLI L2P "network mgmt-access operation"
  L3E: Yes - L3E "limited management access"; CLI L3E "network mgmt-access operation"
  L3P: Yes - L3P "limited management access"; CLI L3P "network mgmt-access operation"

Action: Add RMA
  Recommended setting: Up to 16 RMAs can be created
  L2B: No
  L2E: Yes - L2E "limited management access"; CLI L2E "network mgmt-access add"
  L2P: Yes - L2P "limited management access"; CLI L2P "network mgmt-access add"
  L3E: Yes - L3E "limited management access"; CLI L3E "network mgmt-access add"
  L3P: Yes - L3P "limited management access"; CLI L3P "network mgmt-access add"
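Restricted management access is an allow-list keyed on the source network of the management session, with the 16-entry limit the guide states. The class below is an added example written for this page, not code from the guide or the switch; the per-entry service names (https, ssh, snmp), the sample networks and the login records it is run over are assumptions constructed for illustration. Reviewing past sessions against a candidate allow-list before switching RMA on is the practical use: it shows which administrators would lock themselves out.

```python
import ipaddress

MAX_RMA_ENTRIES = 16                       # the guide: up to 16 RMAs can be created
SERVICES = ("https", "ssh", "snmp")        # assumed service names for this example


class RestrictedManagementAccess:
    """Allow-list of source networks (and services) from which the switch may be managed."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.entries = []                  # (IPv4Network, frozenset of services)

    def add(self, network, services=SERVICES):
        if len(self.entries) >= MAX_RMA_ENTRIES:
            raise ValueError("RMA table full: at most %d entries" % MAX_RMA_ENTRIES)
        unknown = set(services) - set(SERVICES)
        if unknown:
            raise ValueError("unknown service(s): %s" % sorted(unknown))
        net = ipaddress.ip_network(network, strict=False)
        self.entries.append((net, frozenset(services)))

    def permits(self, src_ip, service):
        """True if a management session for `service` from `src_ip` is allowed."""
        if not self.enabled:
            return True                    # RMA off: any source on the network may manage
        src = ipaddress.ip_address(src_ip)
        return any(src in net and service in svcs for net, svcs in self.entries)


def review_sessions(rma, sessions):
    """Constructed input: (src_ip, service) pairs taken from a login log. Returns the
    sessions RMA would refuse, i.e. what to check before enabling the allow-list."""
    return [(ip, svc) for ip, svc in sessions if not rma.permits(ip, svc)]


if __name__ == "__main__":
    rma = RestrictedManagementAccess()
    rma.add("10.10.1.0/24", ("https", "ssh"))     # constructed: the admin VLAN
    rma.add("10.10.2.5/32", ("snmp",))            # constructed: the NMS host, SNMP only
    log = [("10.10.1.20", "ssh"), ("192.168.1.1", "https"), ("10.10.2.5", "snmp")]
    print(review_sessions(rma, log))              # [('192.168.1.1', 'https')]
```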
SNMP v1/v2 access settings (table continued):
  L3E: CLI L3E "snmp-access version"
  L3P: Yes - GUI L3P "SNMP v1/v2 access settings"; CLI L3P "snmp-access version"

Secure Configuration - 4.4 Monitoring

Send SNMP traps

Along with reading out status information via SNMP read access, the switches provide the option to send messages about error statuses via SNMP traps (notification) to a network management system. Activate this function.

Action: Send SNMP traps
  Default setting: No trap destination configured | Recommended setting: Activate all existing trap triggers (e.g. authentication, link up/down)
  L2B: Yes - GUI L2B "alarms (traps)"; CLI L2B "snmp-server enable traps"
  L2E: Yes - GUI L2E "alarms (traps)"; CLI L2E "snmp-server enable traps"
  L2P: Yes - GUI L2P "alarms (traps)"; CLI L2P "snmp-server enable traps"
  L3E: Yes - GUI L3E "alarms (traps)"; CLI L3E "snmp-server enable traps"
  L3P: Yes - GUI L3P "alarms (traps)"; CLI L3P "snmp-server enable traps"

Deactivate sending of SNMP traps

Along with reading out status information via SNMP read access, the switches provide the option to send messages about error statuses via SNMP traps (notification) to a network management system. If no network management syste
Framework Conditions - 3.4 Patch Management

3.4 Patch Management

To maintain security during operation, it is important to be informed by the manufacturer in good time about the installation of recommended patches and releases, and to test these and implement them if applicable. Perform a risk evaluation considering the risk of both implementation and non-implementation of the patch or the release. You should always implement security patches unless there are serious reasons against this.

3.5 Security Incident Handling

To maintain the IT security during operation, draw up a concept for handling disturbances, in particular security incidents, and rehearse the handling of disturbances. To avoid or limit damage, the handling of security incidents should be carried out quickly and efficiently. The possible damage resulting from a security incident can affect both the confidentiality or integrity of data and its availability.

3.6 Protection from Malware

Clearly regulate skills and responsibilities for protecting the industrial environment from malware (malicious software). You require a process that identifies preventive measure
(Central logging via syslog, continued) a different system makes it more difficult to manipulate the log data.

Action: Activate sending of log entries via syslog
  Default setting: Off | Recommended setting: On
  L2B: No
  L2E: Yes - GUI L2E "Syslog"; CLI L2E "logging host"
  L2P: Yes - GUI L2P "Syslog"; CLI L2P "logging host"
  L3E: Yes - GUI L3E "Syslog"; CLI L3E "logging host"
  L3P: Yes - GUI L3P "Syslog"; CLI L3P "logging host"

Secure Configuration - 4.4 Monitoring

Action: Set up and activate the sending of log entries to at least one server
  Default setting: No server defined | Recommended setting: At least one syslog server that is configured as (remainder of cell illegible in source)
  L2B: No
  L2E: Yes - GUI L2E "Syslog"; CLI L2E "logging host"
  L2P: Yes - GUI L2P "Syslog"; CLI L2P "logging host"
  L3E: Yes - GUI L3E "Syslog"; CLI L3E "logging host"
  L3P: Yes - GUI L3P "Syslog"; CLI L3P "logging host"

Action: Sending of log entries (severity level)
  Default setting: Debug | Recommended setting: Informational and higher
  L2B: No
  L2E: Yes - GUI L2E "Syslog"; CLI L2E "logging host"
  L2P: Yes - GUI L2P "Syslog"; CLI L2P "logging host"
  L3E: Yes - GUI L3E "Syslog"; CLI L3E "logging host"
  L3P: Yes - GUI L3P "Syslog"; CLI L3P "logging host"

Deactivate syslog

If no syslog server is available, deactivate the sending of log entries via syslog.

Action: Syslog
  Default setting: Off | Recommended setting: Off
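The "Informational and higher" recommendation refers to the syslog severity encoded in the PRI prefix of each message (PRI = facility * 8 + severity, severity 0 = emergency through 7 = debug, so "higher" means a smaller number). The filter below is an added example written for this page, not code from the guide or the switch; the four sample messages are constructed to look like switch events and are not real switch output. It is useful on the receiving side too: the same check tells you whether a switch is still sending debug chatter after the setting was supposed to be changed.

```python
import re

# Syslog severities (RFC 3164/5424), numeric 0 (most severe) to 7 (least severe).
SEVERITIES = ("emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug")
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split the <PRI> prefix into (facility, severity, rest). PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                              # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return facility, severity, m.group(2)


def severity_name(line):
    return SEVERITIES[parse_pri(line)[1]]


def forward_to_syslog(lines, minimum="informational"):
    """Keep the lines a switch configured with `minimum` as the lowest severity would send.
    The guide's recommendation is informational and higher; the default, debug, sends all."""
    threshold = SEVERITIES.index(minimum)
    return [line for line in lines if parse_pri(line)[1] <= threshold]


# Constructed sample of what a switch could emit (facility 16 = local0); not real output.
SAMPLE = [
    "<130>Sep 10 12:00:01 switch-01 CLI: configuration saved by user 'admin'",    # local0.critical
    "<131>Sep 10 12:00:05 switch-01 Port 1/4: link down",                         # local0.error
    "<134>Sep 10 12:00:09 switch-01 SSH: login of user 'maint' from 10.10.1.20",  # local0.informational
    "<135>Sep 10 12:00:10 switch-01 SNTP: poll timer rearmed",                    # local0.debug
]


if __name__ == "__main__":
    for line in forward_to_syslog(SAMPLE):
        print(severity_name(line).ljust(13), line)
```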
Set password (table continued):
  L2E: GUI L2E "password/SNMP v3 access"; CLI L2E "users passwd"
  L2P: Yes - GUI L2P "password/SNMP v3 access"; CLI L2P "users passwd"
  L3E: Yes - GUI L3E "password/SNMP v3 access"; CLI L3E "users passwd"
  L3P: Yes - GUI L3P "password/SNMP v3 access"; CLI L3P "users passwd"

Create a Write Access

Action: Create user
  Recommended setting: Use unique users
  L2B: Yes - GUI L2B "password/SNMP v3 access"; CLI L2B "users name"
  L2E: Yes - GUI L2E "password/SNMP v3 access"; CLI L2E "users name"
  L2P: Yes - GUI L2P "password/SNMP v3 access"; CLI L2P "users name"
  L3E: Yes - GUI L3E "password/SNMP v3 access"; CLI L3E "users name"
  L3P: Yes - GUI L3P "password/SNMP v3 access"; CLI L3P "users name"

Secure Configuration - 4.3 Administrative Access

Action: Define write access for users
  Recommended setting: readwrite
  L2B: Yes - GUI L2B "password/SNMP v3 access"; CLI L2B "users access"
  L2E: Yes - GUI L2E "password/SNMP v3 access"; CLI L2E "users access"
  L2P: Yes - GUI L2P "password/SNMP v3 access"; CLI L2P "users access"
  L3E: Yes - GUI L3E "password/SNMP v3 access"; CLI L3E "users access"
  L3P: Yes - GUI L3P "password/SNMP v3 access"; CLI L3P "users access"

Action: Set password
  Recommended setting: Secure password of 16 characters
  L2B: Yes - GUI L2B "password/SNMP v3 access"; CLI L2B "users passwd"
  L2E: GUI L2E "password/S
and L3P. The basic software version for variant L2B is version 05.3.02. The functions described in this document are relevant to later software versions. Most of the functions described in this document are relevant to earlier software versions.

The EtherNet/IP and PROFINET product variants have default settings specific to industry protocols. Therefore, this IT security manual does not apply to product variants that contain "EtherNet/IP" or "PROFINET" in the product code. When you apply the content of this IT security manual to these switches, the switches lose their industry-protocol-specific settings.

For the measures in chapter "Secure Configuration" on page 27, the following documents are used for the configuration:

  Title: Reference Manual Command Line Interface, Industrial ETHERNET Switch RSB20, OCTOPUS OS20/OS24 Managed | ID: CLI L2B | Version: Release 5.3, 05/2012
  Title: Reference Manual Web-based Interface, Industrial ETHERNET Switch RSB20, OCTOPUS OS20/OS24 Managed | ID: GUI L2B | Version: Release 5.3, 05/2012
  Title: Reference Manual Command Line Interface, Industrial ETHERNET Gigabit Switch RS20/RS30/RS40, RSB20, MS20/MS30, OCTOPUS | ID: CLI L2E | Version: Release 7.1, 12/2011
  Title: Reference Manual GUI Graphical User Interface, Industrial ETHERNET Gigabit Switch RS20/RS30/RS40, MS20/MS30, OCTOPUS | ID: GUI L2E | Version: Release 7.1, 12/2011
  Title: Reference Manual Command Line Interface, Industrial ETHERNET Gigabit Switch RS20/RS30/RS40, MS20/MS30, OCTOPUS, Powe | ID: CLI L2P | Version: Release 7.1, 12/2011
Action (table continued): ... and assign RADIUS authentication
  Recommended setting: <user> <listname>
  L2E: No
  L2P: Yes - CLI L2P "users login"
  L3E: Yes - CLI L3E "users login"
  L3P: Yes - CLI L3P "users login"

Secure Configuration - 4.4 Monitoring

4.4 Monitoring

4.4.1 Threats

Monitoring is necessary for the traceability of actions carried out and for ensuring that the state of the switch is error-free. If more than one switch is being used, central monitoring is recommended. Document configuration changes in a traceable way using suitable logging. This results in the following threats:
  Loss of availability, confidentiality and integrity due to:
    Configuration error
    Manipulation of the configuration
    Hardware and software errors

The information that a switch sends to the central monitoring software can be specifically suppressed, changed or intercepted, depending on the configuration. This can infringe on confidentiality and integrity.

4.4.2 Security Quick Check for Monitoring

Columns: Control question | If necessary | If not necessary

Control question: Is the availability of the network important?
  If necessary: Activate SNMP v1/v2 read access; Activate SNMP v3 read access; Assign secure SNMP passwords (communities); Limit SNMP read access to specific IP addresses; Send SN
  If not necessary: Deactivate SNMP v1/v2
Configure alarm for high network load

If you want to be notified when the network load exceeds a specific threshold value, activate this alarm for each port. The upper threshold value depends on the installation environment of the switch. Therefore, determine the upper threshold value on site.

Action: Alarm for high network load (activate alarm, set upper threshold value)
Default setting: 0.00
Recommended setting: <depending on network load and environment>
Available in SW version / Further information:
- L2B: Yes (GUI L2B load, network load)
- L2E: Yes (GUI L2E load, network load)
- L2P: Yes (GUI L2P load, network load)
- L3E: Yes (GUI L3E load, network load)
- L3P: Yes (GUI L3P load, network load)

Configure alarm for specific errors

The switch enables specific error statuses to be reported via SNMP trap. Use this option so that you can detect error statuses quickly.

Action: Generate trap when link status changes
Default setting: Off
Recommended setting: On
Available in SW version / Further information:
- L2B: Yes (GUI L2B trap setting; CLI L2B snmp trap link-status)
- L2E: Yes (GUI L2E trap setting; CLI L2E snmp trap link-status)
- L2P: Yes (GUI L2P trap setting; CLI L2P snmp trap link-status)
- L3E: Yes (GUI L3E trap setting; CLI L3E snmp trap link-status)
- L3P: Yes (GUI L3P trap setting; CLI L3P snmp trap link-status)
3.1.6 Decommissioning

Also consider security aspects when decommissioning a system or parts of the system. For example, delete sensitive data from memories so that you can rule out the data being restored with a reasonable effort, or destroy the data carriers accordingly. Also represent the decommissioning in the change management process in order to rule out, or consider, undesired effects on other systems.

3.2 Physical Framework Conditions

Make sure that the physical protection of the device or the system fulfills the requirements in the underlying risk analysis. This can vary significantly depending on the environment and the threat situation.

3.3 Requirements for Personnel

IT security is not a state that can be created exclusively with just a product. The know-how and experience of the planner and the operator are also required. Hirschmann provides you with support via a range of training courses and certification options. You will find our current training courses at www.beldensolutions.com (Service > competence center > training).
... (Configuration of trust mode, cont.)
Recommended setting: when using VLAN on this port, trustDot1p; otherwise trustDscp
Available in SW version / Further information:
- L2B: Yes (GUI L2B Global; CLI L2B classofservice trust)
- L2E: Yes (GUI L2E Global; CLI L2E classofservice trust)
- L2P: Yes (GUI L2P Global; CLI L2P classofservice trust)
- L3E: Yes (GUI L3E Global; CLI L3E classofservice trust)
- L3P: Yes (GUI L3P Portkonfiguration; CLI L3P classofservice trust)

Configuration of priority classes for each port

Frames that cannot be prioritized with the trustDot1p or trustDscp mode, or frames that are received in the untrusted mode, are prioritized based on the configured priority of the switch port. Therefore, configure the priorities on the switch ports as a backup solution.

Action: Port priority
Default setting: 0
Recommended setting: depending on the application, between 0 and 7
Available in SW version / Further information:
- L2B: Yes (GUI L2B port priority; CLI L2B vlan port priority all)
- L2E: Yes (GUI L2E port priority; CLI L2E vlan port priority all)
- L2P: Yes (GUI L2P port priority; CLI L2P vlan port priority all)
- L3E: Yes (GUI L3E port priority; CLI L3E vlan port priority all)
- L3P: Yes (GUI L3P port priority; CLI L3P vlan port priority all)

Configuration of mapping of VLAN priority classes to traffic class

The following switche...
... describe the interaction of the individual security measures. Draw a complete picture of the security of the overall system that also shows the defense-in-depth strategy. You will find an example of a defense-in-depth strategy for industrial use in article [1] (see references in the Appendix).

3.1.3 Implementation

The implementation of the security measures is generally carried out using projects. Therefore, monitor the implementation of the measures based on a project plan. Document the implementation of the security measures.

3.1.4 Test

Verify the effectiveness and correctness of the implemented measures by means of tests and audits. Perform the security tests and audits according to a test plan. If any gaps are discovered, propose improvement measures and document, implement and monitor them.

3.1.5 Operation and Maintenance

In the threat analysis, also identify risks resulting from the operation and maintenance, for example risks due to insufficiently secure remote maintenance. In particular, make every change to the system in accordance with a documented change management process, which authorizes changes based on a dual-control principle. Document changes to the system. Define a security incident process with which you can react appropriately to security incidents in line with their criticality.
Security Quick Check for Monitoring (cont.)

Control question | If necessary | If not necessary
Central monitoring | Traceability of changes to the configuration; Shared time on all systems; Central logging |
General measures to be implemented | Configuration of switch name; Configuration of system prompt; Configuration of switch location and contact person |

Table 2: Security Quick Check for Monitoring (cont.)

Known limitations
- At present the log data can only be transferred unencrypted and via the UDP protocol (possible frame loss and risk of fake log data).
- Syslog uses port 514 as the source port. This makes stateful inspection of the traffic on a firewall more difficult.
- SNMP v3 (encrypted) is currently only available in the Professional software variant.

4.4.3 Measures

You can counteract the threats with the following configuration items.

Activate SNMP v1/v2 read access

In addition to using Ping to test device reachability, activation of SNMP v1/v2 read access gives network management software without SNMP v3 the option to read system-internal values such as the temperature or the status of the power supply units, along with the availability of the switch.
... their installation. Along with security problems, you can also use updates to remove functional problems, including those that may exist but have not become apparent as yet.

Please note the following:
- Inform yourself regularly at Hirschmann about security gaps that have been discovered.
- As soon as new software closes the gaps, implement this new software. You will find information sources in section 1.4 Further Information.

Obtain updates from a trusted source

Only obtain the software directly from the manufacturer, in a ZIP archive, at http://www.hirschmann.de/de/Hirschmann/Industrial_Ethernet/Software/Software_Platforms/index.phtml. Using checksums, the ZIP archive can detect whether the updates were damaged by transfer errors during the transfer process.

Known limitations
- The updates are not digitally signed and are therefore not protected against manipulation on the way from Hirschmann to the switch.
- The JAR file (Java applet) in the software contains SHA-1 checksums. Additionally, the JAR file is signed with a code-signing certificate from Hirschmann (Digital ID Class 3 Java Object Signing) that was issued by Verisign. When the validity of the certificate has elapsed, the user receives a warning notice to this effect. It is not possible to extend the certificate. You may possibly be able to implement a newer certificate via an update to a current software version of the switch. You can read about th...
... this information can be an important aid for troubleshooting. However, this information also provides an attacker with valuable data and should therefore be used only when absolutely necessary. LLDP-MED is an extension of LLDP. It is primarily intended for Voice over IP applications and should always remain deactivated if possible.

Action: Activate LLDP
Default setting: On
Recommended setting: LLDP provides information about your switch. Only use when required.
Available in SW version / Further information:
- L2B: Yes (GUI L2B Topology Discovery; CLI L2B lldp)
- L2E: Yes (GUI L2E Topology Discovery; CLI L2E lldp)
- L2P: Yes (GUI L2P Topology Discovery; CLI L2P lldp)
- L3E: Yes (GUI L3E Topology Discovery; CLI L3E lldp)
- L3P: Yes (GUI L3P Topology Discovery; CLI L3P lldp)

Do not skip ACA when booting

During the booting procedure the device can load the configuration from the ACA. If the ACA is being used in your environment, then execute this procedure using the CLI command (see table below).

Action: Do not skip ACA
Default setting: Off
Recommended setting: If the ACA is being used, the device can use it to load the configuration when booting.
Available in SW version / Further information:
- L2B: No
- L2E: Yes (CLI L2E skip-aca-on-boot)
- L2P: Yes (CLI L2P skip-aca-on-boot)
- L3E: Yes (CLI L3E skip-aca-on-boot)
- L3P: Yes (CLI L3P skip-aca-on-boot)

Deactiva...
... device to create a VLAN in a switch or register a port in a VLAN. The switch functions as a security component for the network separation between VLANs. Deactivate GVRP so that no other device can change the VLAN configuration.

Action: Configure VLAN participation
Default setting: auto
Recommended setting: include or exclude
Available in SW version / Further information:
- L2B: No
- L2E: Yes (GUI L2E VLAN Port; CLI L2E vlan participation)
- L2P: Yes (GUI L2P VLAN Port; CLI L2P vlan participation)
- L3E: Yes (GUI L3E VLAN Port; CLI L3E vlan participation)
- L3P: Yes (GUI L3P VLAN Port; CLI L3P vlan participation)

Note: If you still want to use GVRP, deactivate GVRP on all untrusted ports.

Ports not in more than one VLAN

The switch allows you to assign multiple VLANs to a port. This can cancel the separation between the VLANs. Therefore, assign to each switch port (user port) exactly one VLAN setting, U (untagged) or T (tagged).

Action: Assignment to exactly one VLAN
Default setting: not a member, but GVRP
Recommended setting: when used, either U or T
Available in SW version / Further information:
- L2B: No
- L2E: Yes (GUI L2E VLAN Port; CLI L2E vlan allowed)
- L2P: Yes (GUI L2P VLAN Port; CLI L2P vlan)
- L3E: Yes (GUI L3E VLAN Port; CLI L3E vlan)
- L3P: Yes (GUI L3P VLAN Port; CLI L3P vlan)

Unique assignment of the switch ports to VLANs
... sufficient. In your specific application case, check the default settings and adjust them if necessary.

Action: Mapping DSCP to traffic class
Default setting: see CLI documentation
Recommended setting: default settings
Available in SW version / Further information:
- L2B: Yes (GUI L2B IP DSCP Mapping; CLI L2B classofservice ip-dscp-mapping)
- L2E: Yes (GUI L2E IP DSCP Mapping; CLI L2E classofservice ip-dscp-mapping)
- L2P: Yes (GUI L2P IP DSCP Mapping; CLI L2P classofservice ip-dscp-mapping)

Configuration of MAC-based port security

To prevent undesired devices from connecting to the network, the switches allow you to permit specific devices for each port based on their MAC addresses. For environments in which the physical access control for a switch port is not sufficient, this can be used to improve the security.

Action: Configuration of MAC-based port security
Default setting: no MAC addresses defined
Recommended setting: MAC addresses that are to be permitted at the switch port
Available in SW version / Further information:
- L2B: No
- L2E: Yes (GUI L2E Port Security; CLI L2E port-sec allowed-mac)
- L2P: Yes (GUI L2P Port Security; CLI L2P port-sec allowed-mac)
- L3E: Yes (GUI L3E Port Security; CLI L3E port-sec allowed-mac)
- L3P: Yes (GUI L3P Port Security; CLI L3P port-sec allowed-mac)
... ideally be implemented on the switch in connection with the separation of networks, for security reasons.

Do you require | If necessary | If not necessary
VLANs | Do not use VLAN 1; Do not use VLAN 0; Deactivate GVRP; Ports not in more than one VLAN; Unique assignment of the switch ports to VLANs; Do not use port mirroring; Do not use DHCP Relay | Deactivate GVRP
Routing between subnetworks necessary | Activate routing; Deactivate Proxy ARP | Deactivate routing
Dynamic routing protocol RIP necessary | Use RIPv2 with authentication; If applicable, use OSPF only with encrypted authentication | Use only static routes
Dynamic routing protocol OSPF necessary | Use OSPF only with encrypted authentication; If applicable, use RIPv2 with authentication; If applicable, use OSPF virtual links only with authentication | Use only static routes
Are there different security zones for the connected networks? | Use IP Access Control Lists (ACLs) |
Dynamic multicast registration with GMRP | Activate Generic Multicast Registration Protocol (GMRP) | Deactivate Generic Multicast Registration Protocol (GMRP)

Basic principle: Deactivate the services and functions that you do not require.

Further measures: To increase the security, implement all the measures in the Administration Access section, because an attacker can use such an access to disable all the measures described here.
... vulnerabilities in our products which have not yet been fixed.
- Bulletins: Reports about security vulnerabilities in our products which have been fixed.
- Report Security Vulnerabilities: An online form for people to report vulnerabilities.

The site also contains a description of how Hirschmann Automation and Control GmbH handles reported vulnerabilities.

2 Description of the Product

The Hirschmann software provides a range of functions that are normally used in backbone systems of company networks. These include management, diagnostic and filter functions, various redundancy procedures, security mechanisms and real-time applications. The software used in the MACH, MICE, Rail and OCTOPUS managed switch series optimizes the bandwidth, the configuration functions and the service functions. In version 9 of our Classic Software, configuring one switch is sufficient to configure the entire ring. Additionally, configurations can also be performed offline, i.e. without an active connection to the switch.

Switching | Suitable for | Description
Layer 2 Basic (L2B) | RSB20, OCTOPUS | The economical introduction to managed switch functions, including statistics, filters and redundancy technologies. The alternative to unmanaged switches.
Layer 2 ...
... restriction of the access to an IP address or to IP address ranges.

Action: Limit SNMP access to specific IP addresses
Default setting: 0.0.0.0 / 0.0.0.0 (access allowed from any address)
Recommended setting: address of the network management
Available in SW version / Further information:
- L2B: Yes (GUI L2B SNMP v1/v2 access settings; CLI L2B snmp-server community ipaddr)
- L2E: Yes (GUI L2E SNMP v1/v2 access settings; CLI L2E snmp-server community ipaddr)
- L2P: Yes (GUI L2P SNMP v1/v2 access settings; CLI L2P snmp-server community ipaddr)
- L3E: Yes (GUI L3E SNMP v1/v2 access settings; CLI L3E snmp-server community ipaddr)
- L3P: Yes (GUI L3P SNMP v1/v2 access settings; CLI L3P snmp-server community ipaddr)

Deactivate SNMP v1/v2

SNMP v1 and v2 do not allow encrypted data transfer. Additionally, values can be read via the switch and the connected devices that can be used to prepare or carry out attacks.

Action: Deactivate SNMP v1/v2
Default setting: v1 and v2 active
Recommended setting: v1 and v2 off
Available in SW version / Further information:
- L2B: Yes (GUI L2B SNMP v1/v2 access settings; CLI L2B snmp access version)
- L2E: Yes (GUI L2E SNMP v1/v2 access settings; CLI L2E snmp access version)
- L2P: Yes (GUI L2P SNMP v1/v2 access settings; CLI L2P snmp access version)
- L3E: Yes (GUI L3E ...
... this in the release notes if necessary.

No updates during ongoing operation

During the update, the processor of the switch is subject to an additional load and may possibly behave differently. Also, after the update the switch requests a restart. This can limit network availability, particularly when Spanning Tree is being used.

4.7 Decommissioning

4.7.1 Threats

When a switch has reached the end of the planned period of use, decommission it. This results in the following threats:
- Reading out of the configuration after decommissioning
- Reconnection due to human error or sabotage
- Reading out of secret keys (SSL and SSH)

4.7.2 Security Quick Check

Do you require | If necessary | If not necessary
Security after planned life cycle | Regularly check on security-relevant updates and their installation; Reset the configuration (clear config); Delete the Auto Configuration Adapter (ACA) |

Basic principle: Reading out the configuration can compromise the confidentiality, because passwords can be read out, for example.

4.7.3 Measures

You can counteract the threats w...
... switch. You can counteract the threats with the following configuration items.

4.6 Updates

4.6.2 Security Quick Check

Do you require | If necessary | If not necessary
Security for your application | Regularly check on security-relevant updates and their installation |

Basic principle: New security gaps are discovered every day in the widest variety of systems. Close these gaps quickly in security-relevant systems. They can often be caused by the installation of new software on the switch.

General measures: Regularly check on updates to remove errors and their installation; Obtain updates from a trusted source; No updates during ongoing operation.

Table 4: Security Quick Check for Updates

4.6.3 Measures

Regularly check on security-relevant updates and their installation

You can close many security gaps that have been discovered by means of an update that closes these gaps. Please note the following:
- Inform yourself regularly at Hirschmann about security gaps that have been discovered.
- As soon as new software closes the gaps, implement this new software. You will find information sources in section 1.4 Further Information.

Regularly check on updates to remove errors and t...
... with the following configuration items.

Reset the configuration

If a switch is accidentally or carelessly connected to a network, the availability can be impaired. Examples of this are Spanning Tree calculation times or IP address conflicts.

Action: Clear Config
Recommended setting: clear config factory
Available in SW version / Further information:
- L2B: Yes (GUI L2B Configuration Load/Save; CLI L2B clear config factory)
- L2E: Yes (GUI L2E Configuration Load/Save; CLI L2E clear config factory)
- L2P: Yes (GUI L2P Configuration Load/Save; CLI L2P clear config factory)
- L3E: Yes (GUI L3E Configuration Load/Save; CLI L3E clear config factory)
- L3P: Yes (GUI L3P Configuration Load/Save; CLI L3P clear config factory)

Delete the Auto Configuration Adapter (ACA)

The mere removal of the existing files on the ACA does not provide sufficient protection to prevent a third party from restoring them. For safe deletion of flash memories such as the ACA, the Federal Office for Information Security (BSI) recommends: "Where there is a high security requirement, the entire memory area must be overwritten three times using suitable software" [2]. You will find an option for suitable software on the BSI website [3].

4.8 Disturbance

4.8.1 Threats

The switch supplied is a high-quality product in terms of hardware and software ...
... (cont.)

Action: Configure RADIUS server
Recommended setting: radius server host auth <ipaddr> <port> configures an authentication server; radius server host acct <ipaddr> <port> configures an accounting server
Available in SW version / Further information:
- L2B: No
- L2E: No
- L2P: Yes (GUI L2P RADIUS server settings for IEEE 802.1X; CLI L2P radius server host)
- L3E: Yes (GUI L3E RADIUS server settings for IEEE 802.1X; CLI L3E radius server host)
- L3P: Yes (GUI L3P RADIUS server settings for IEEE 802.1X; CLI L3P radius server host)

Action: Configure shared secret
Recommended setting: assign a shared secret of 20 characters
Available in SW version / Further information:
- L2B: No
- L2E: No
- L2P: Yes (GUI L2P RADIUS server settings for IEEE 802.1X; CLI L2P radius server key)
- L3E: Yes (GUI L3E RADIUS server settings for IEEE 802.1X; CLI L3E radius server key)
- L3P: Yes (GUI L3P RADIUS server settings for IEEE 802.1X; CLI L3P radius server key)

Action: Create authentication list for RADIUS
Recommended setting: authentication login <listname> method1 method2 method3; method must be radius
Available in SW version / Further information:
- L2B: No
- L2E: No
- L2P: Yes (GUI L2P IEEE 802.1X Port Authentication; CLI L2P authentication login)
- L3E: Yes (GUI L3E IEEE 802.1X Port Authentication; CLI L3E authentication login)
- L3P: Yes (GUI L3P IEEE 802.1X Port Authentication; CLI L3P authentication login)

Action: Create users and assign RADIUS authentication
Default setting: none
Recommended setting: users login <user> <listname>
Available in SW version / Further information:
- L2B: No
... (cont.)

Action: Activate PTP
Default setting: Off
Recommended setting: On
Available in SW version / Further information:
- L2B: Yes (GUI L2B PTP IEEE 1588; CLI L2B lldp tlv ptp)
- L2E: Yes (GUI L2E PTP IEEE 1588; CLI L2E lldp tlv ptp)
- L2P: Yes (GUI L2P PTP IEEE 1588; CLI L2P lldp tlv ptp)
- L3E: Yes (GUI L3E PTP IEEE 1588; CLI L3E lldp tlv ptp)
- L3P: Yes (GUI L3P PTP IEEE 1588; CLI L3P lldp tlv ptp)

Deactivate PTP time synchronization

If no time is available in the network via PTP, or the time is synchronized with SNTP on the switch, deactivate PTP.

Action: Deactivate PTP
Default setting: Off
Recommended setting: Off (see text above)
Available in SW version / Further information:
- L2B: Yes (GUI L2B PTP IEEE 1588; CLI L2B lldp tlv ptp)
- L2E: Yes (GUI L2E PTP IEEE 1588; CLI L2E lldp tlv ptp)
- L2P: Yes (GUI L2P PTP IEEE 1588; CLI L2P lldp tlv ptp)
- L3E: Yes (GUI L3E PTP IEEE 1588; CLI L3E lldp tlv ptp)
- L3P: Yes (GUI L3P PTP IEEE 1588; CLI L3P lldp tlv ptp)

Known limitations: At present there is no option for authenticating the communication partners using the time synchronization, as would be possible, for example, with NTPv3 using MD5 checksums.

Central logging via syslog

The central storage of log messages enables faster clarification of security incidents and faster troubleshooting for malfunctions. Additionally, storing the log data on ...
... system (for example Industrial HiVision) is being used, deactivate this function to avoid making unnecessary information available in the network.

Action: Send SNMP traps
Default setting: no trap destination configured
Recommended setting: deactivate all existing trap triggers, e.g. authentication, link up/down
Available in SW version / Further information:
- L2B: Yes (GUI L2B alarms (traps); CLI L2B snmp-server enable traps)
- L2E: Yes (GUI L2E alarms (traps); CLI L2E snmp-server enable traps)
- L2P: Yes (GUI L2P alarms (traps); CLI L2P snmp-server enable traps)
- L3E: Yes (GUI L3E alarms (traps); CLI L3E snmp-server enable traps)
- L3P: Yes (GUI L3P alarms (traps); CLI L3P snmp-server enable traps)

Activate and configure SNTP client

For all SNMP traps and log entries, the time of the message plays a major role. In particular when clearing up a security incident, it helps to have the precise, identical time on all devices. Therefore, synchronize the clock of the switch permanently with a central time source. If a second time server is available, then also configure this.

Action: Configuration of SNTP client
Default setting: Off
Recommended setting: On, at least one SNTP server configured and tested
Available in SW version / Further information:
- L2B: Yes (GUI L2B SNTP configuration; CLI L2B sntp client)
- L2E: Yes (GUI L2E SNTP configuration; CLI L2E sntp client)
- L2P: Yes (GUI L2P SNTP configuration; CLI L2P sntp client)
- L3E: Yes (GUI L3E SNTP configuration; CL...
... (cont.)

Action: Activate SNMP v1/v2 read access
Default setting: SNMP v1 on, SNMP v2 on
Recommended setting: SNMP v1 on, SNMP v2 on
Available in SW version / Further information:
- L2B: Yes (GUI L2B SNMP v1/v2 access settings; CLI L2B snmp access version)
- L2E: Yes (GUI L2E SNMP v1/v2 access settings; CLI L2E snmp access version)
- L2P: Yes (GUI L2P SNMP v1/v2 access settings; CLI L2P snmp access version)
- L3E: Yes (GUI L3E SNMP v1/v2 access settings; CLI L3E snmp access version)
- L3P: Yes (GUI L3P SNMP v1/v2 access settings; CLI L3P snmp access version)

Activate SNMP v3 read access

In addition to using Ping to test device reachability, activation of SNMP v3 read access gives network management software the option to read system-internal values such as the temperature or the status of the power supply units, along with the availability of the switch. In contrast to versions 1 and 2, SNMP v3 is encrypted and therefore preferable.

Action: Activate SNMP v3 read access
Default setting: On
Recommended setting: On
Available in SW version / Further information:
- L2B: Yes (GUI L2B password / SNMP v3 access; CLI L2B users snmpv3 accessmode)
- L2E: Yes (GUI L2E password / SNMP v3 access; CLI L2E users snmpv3 accessmode)
- L2P: Yes (GUI L2P password / SNMP v3 access; CLI L2P users snmpv3 accessmode)
- L3E: Yes (GUI L3E passwo...
Action: Monitoring (device status)
Default setting / Recommended setting:
- Monitor power supply unit 1 / Monitor power supply unit 1
- Monitor power supply unit 2 / Monitor power supply unit 2 (if connected)
- Ignore temperature / Monitor temperature
- Ignore module removal / Monitor module removal
- Ignore ACA removal / ACA removal: depending on application case
- Ignore ACA asynchronous / ACA asynchronous: depending on application case
- Ignore connection error / Monitor connection error (not L2B)
- Ignore ring redundancy / Monitor ring redundancy if used (not L2B); Monitor ring/network coupling if used (not L2B)
Available in SW version / Further information:
- L2B: Yes (GUI L2B device status; CLI L2B device status monitor)
- L2E: Yes (GUI L2E device status; CLI L2E device status monitor)
- L2P: Yes (GUI L2P device status; CLI L2P device status monitor)
- L3E: Yes (GUI L3E device status; CLI L3E device status monitor)
- L3P: Yes (GUI L3P device status; CLI L3P device status monitor)

Monitor the device status via the signal contact

The switch enables specific error statuses to be reported via the signal contact. Use this option so that you can detect error statuses quickly.

Action: Signal Contact Mode
Default setting: Signal contact 1: device status; Signal contact 2: manual setting
Recommended setting: Function Monitoring
Available in SW version / Further information:
- L2B: Yes (GUI L2B signal contact; CLI L2B signal-contact)
- L2E: Yes (GUI L2E signal contact; CLI L2E signal-contact)
... contact clo...
... Spanning Tree instance for each VLAN provides better separation here.

Action: Configuring MSTP
Default setting: Off
Recommended setting: On
Available in SW version / Further information:
- L2B: No
- L2E: No
- L2P: Yes (GUI L2P MSTP (Multiple Spanning Tree); CLI L2P spanning-tree mst)
- L3E: No (GUI L3E MSTP (Multiple Spanning Tree); CLI L3E spanning-tree mst)
- L3P: Yes (GUI L3P MSTP (Multiple Spanning Tree); CLI L3P spanning-tree mst)

Do not use port mirroring

The mirroring of the network traffic from one or more ports to a destination port (port mirroring) enables traffic from other network segments to be intercepted. This can put the confidentiality of this network segment at risk.

Action: No port mirroring
Default setting: Off
Recommended setting: Off
Available in SW version / Further information:
- L2B: Yes (GUI L2B Port Mirroring; CLI L2B monitor session)
- L2E: Yes (GUI L2E Port Mirroring; CLI L2E monitor session)
- L2P: Yes (GUI L2P Port Mirroring; CLI L2P monitor session)
- L3E: Yes (GUI L3E Port Mirroring; CLI L3E monitor session)
- L3P: Yes (GUI L3P Port Mirroring; CLI L3P monitor session)

Do not use DHCP Relay

The DHCP Relay function provides the option to assign a defined IP address to a switch on a specific switch port via DHCP Option 82. This function can be used to always assign the same IP address to a device ...
Copyright 2015 Belden Inc. Printed in Germany.
... (cont.)
- L3E: Yes (GUI L3E Global; CLI L3E spanning-tree)
- L3P: Yes (GUI L3P Global; CLI L3P spanning-tree)

Prioritize switch management frames

The switches provide the option to prioritize management frames for the configuration and monitoring of the switches. This enables the management traffic to be transmitted more reliably when there is a high network load. Especially in error situations, access to the switches is very important for identifying the cause and removing the error. Therefore, activate this option. The prioritizing is effective for HTTP, HTTPS, Telnet and other IP traffic to the management IP address of the switch.

Action: Prioritize switch management frames
Default setting: 0
Recommended setting: 7
Available in SW version / Further information:
- L2B: Yes (GUI L2B Global; CLI L2B network priority)
- L2E: Yes (GUI L2E Global; CLI L2E network priority)
- L2P: Yes (GUI L2P Global; CLI L2P network priority)
- L3E: Yes (GUI L3E Global; CLI L3E network priority)
- L3P: Yes (GUI L3P Global; CLI L3P network priority)

Configuration of trust mode

The trust mode defines whether and how the switch evaluates QoS tags in received frames and prioritizes the frames accordingly.

Action: Configuration of trust mode
Default setting: trustDot1p
Recommended setting: Wh...
... technology systems are open to attack and can be manipulated. In particular, the links between industrial environments and office IT can be used to attack control technology. Therefore, you should secure these links and communication. The switch can help with this in a particular way. However, for this it is absolutely necessary to determine the security requirements, create a secure concept, and integrate the product, with a secure configuration of the product, into this concept.

1.2 Objectives

It is practically impossible to set up secure networks without the support of the manufacturer of the network products. This manual is part of the undertaking by Hirschmann Automation and Control GmbH to improve the security of its products and support the planners and users in configuring and using the products securely. However, there is no universally suitable configuration that can be seen as secure in all situations.

This IT security manual helps the planner and the operator of the switches relevant to this document in performing the following actions:
- To determine sufficient and appropriate security requirements
- To implement the most secure configuration possible
- To perform an integration into the monitoring and operate this as securely as possible
... protection in terms of confidentiality and integrity. The protocols named are classified as insecure because information is transferred in clear text, and spying and manipulation cannot be prevented. The switch also provides the option of configuration via the web interface. Here a Java application is loaded and the actual communication is via SNMP v3, including the login. This application is supplied via HTTP. If an attacker has access to the network, he can fake the login page and access login data.

The following section, Security Quick Check for Administration Access on page 56, is used to select only services that are required. This reduces the load and decreases the area of attack. Only use encrypted connections to transfer login data and configuration parameters.

4.3.2 Security Quick Check for Administration Access

This table helps you to identify which measures in your system environment should ideally be implemented on the switch in connection with administration access to the switch.

Do you require | If necessary | If not necessary
GUI | Configuration of SNMP v3 Write Access | Deactivate HTTP and HTTPS
CLI Remote | Activate SSH; Deactivate Telnet | Deactivate SSH; Deactivate Telnet
CLI Serial | Timeout for Serial CLI | Timeout for Serial CLI
Central ... | Configuration of SNMP v3 Write ... | Deac...
...(end of the preceding rate limiter row) L3P: yes (GUI L3P Rate Limiter; CLI L3P storm-control ingress limiting).

Ingress limiting rate per port. Default: 0 (off). Recommended: 5% of the port bandwidth. Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI Rate Limiter; CLI storm-control ingress limit. Measure the actual peak load of the port before setting the limit: a limit below the legitimate peak load drops production traffic.

Egress limiter for broadcasts (BC). Default: Off. Recommended: Off (default). Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI Rate Limiter; CLI storm-control broadcast.

Egress limiting rate for broadcasts per port. Default: 0 (off). Recommended: 0 (off, default). Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI Rate Limiter; CLI storm-control broadcast port-related.
...for HiDiscovery. HiDiscovery provides information about a device (read mode) and, in read/write mode, also allows configuration parameters such as the IP address to be changed. An attacker can use it to gather information about a device, or to divert data traffic by pointing the default gateway at a system under his control. Therefore allow only read access for HiDiscovery in the live environment.

HiDiscovery access. Default: On (reading and writing). Recommended: Off, or reading only. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI Network; CLI network protocol.

4.1 Starting Up: Change the default access data

One of the first things an attacker does when trying to gain access to a third-party system is a login attempt with the standard (factory default) access data. Therefore change the access data during installation.

Note: Depending on where the password is changed, either only the SNMP v1/v2 password is changed, or the user password and the SNMP v1/v2 passwords are changed together. If you want to use a separate password for the user login and for SNMP v1/v2, deactivate the password sync...
...For the ports over which the HIPER Ring protocol runs, and for ports used for ring or network coupling, the port must remain in VLAN 1, as otherwise operational problems occur.

Note: If you change the VLAN of the management interface, this can interrupt your connection to the switch. Make sure that you can still administer the switch with the new configuration.

Note: VLANs 4043 to 4095 are used internally by the switch for port-based routing, in order to separate the maximum of 52 physical ports from one another internally; they may therefore not be used by the user. With port-based routing, ingress filtering is active, so the switch discards frames with VLAN tags.

Do not use VLAN 0: VLAN 0 has a further special role in the switch and must be considered separately.

Note: The use of PROFINET and GOOSE can cause limitations.

Deactivate VLAN 0 transparent mode. Default: Off. Recommended: Off. Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI VLAN Global; CLI vlan0 transparent-mode.

4.2 Separating networks: Deactivate GVRP

GVRP (GARP VLAN Registration Protocol) allows another dev...
...p. 92.

4.5 Service Level Management / Network Quality

4.5.1 Threats

One of the main goals of IT security is to protect availability. In industrial environments, network availability means more than the mere reachability of systems. Depending on the application, the following aspects play a role:
- quality of service (QoS),
- integrity of the network,
- high availability (ring structure, meshed structure).

The following threats exist for the switch, and thus for the network:
- loss of connection due to failure of the switch,
- loss of connection due to a cable defect,
- loss of connection due to overload,
- loss of connection due to an attack on the redundancy mechanisms,
- latencies due to overload,
- jitter due to overload,
- limitation of availability due to the connection of undesired devices.

4.5.2 Security Quick Check for Service Level Management

Do you require ... | If necessary | If not necessary
- High network availability | Set up the network as a ring structure; activate the HIPER Ring protocol; activate MRP; activate faster ring configuration; deactivate the Spanning Tree protocol |
- High network availability and network separation | Prioritize swi...
...components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract.

You can get the latest version of this manual on the Internet at the Hirschmann product site, www.hirschmann.com.

Hirschmann Automation and Control GmbH, Stuttgarter Str. 45-51, 72654 Neckartenzlingen, Germany. Tel. +49 1805 141538.

ICS Security Guide to Hirschmann Switches, Release 1.01, 01.09.2015 / 24.09.2015

Contents

1 Motivation and Goals
  1.1 Motivation
  1.2 Objectives
  1.3 Areas of Application
  1.4 Further Information
2 Description of the Product
3 Framework Conditions
  3.1 System Preparation Process
    3.1.1 Analysis of Requirements
    3.1.2 Architecture
    3.1.3 Implementation
    3.1.4 Test
    3.1.5 Operation and Maintenance
    3.1.6 Decommissioning
  3.2 Physical Framework Conditions
  3.3 Requirements for Personnel
  3.4 Patch Management
  3.5 Security Incident Handling
  3.6 Protection from Malware
  3.7 Managing Users and Rights
  3.8 Requirements for the Documentation
4 Secure Configuration
  4.1 Starting Up
    4.1.1 Threats
    4.1.2 Security Quick Check for Starting Up
    4.1.3 Measures
  4.2 Separating networks
    4.2.1 Threats
    4.2.2 Security Quick Check for Separation of Networks
    4.2.3 Measures
  4.3 Administrative Access
    4.3.1 Threats
    4.3.2 Security Quick Check for ...
...Activate port monitor

The port monitor functions detect link changes and CRC errors and report them. You can use this to detect when devices are plugged in or unplugged, and to detect faulty connections (for example defective cables).

Activate port monitor globally. Default: Off. Recommended: On. Available in: L2P, L3E, L3P (not L2B, L2E). Further information: GUI Port Monitor; CLI port-monitor (Global Config mode).

Activate port monitor for each port. Default: Off. Recommended: On. Available in: L2P, L3E, L3P (not L2B, L2E). Further information: GUI Port Monitor; CLI port-monitor (Global Config mode).

Activate detection of link changes for each port. Default: Off. Recommended: On. Available in: L2P, L3E, L3P (not L2B, L2E). Further information: GUI Port Monitor; CLI port-monitor condition link-flap (Global Config mode).

4.4 Monitoring (table continued)
...PowerMICE, RSR20, RSR30, MACH 100, MACH 1000, MACH 4000.

Title | ID | Version
- Reference Manual GUI (Graphical User Interface), Industrial ETHERNET Gigabit Switch RS20/RS30/RS40, MS20/MS30, OCTOPUS, PowerMICE, RSR20/RSR30, MACH 100, MACH 1000, MACH 4000 | GUI L2P | Release 7.1, 12/2011
- Reference Manual CLI (Command Line Interface), Industrial ETHERNET Gigabit Switch PowerMICE, MACH 1040, MACH 4000 | CLI L3E | Release 7.1, 12/2011
- Reference Manual CLI (Command Line Interface), Industrial ETHERNET Gigabit Switch PowerMICE, MACH 1040, MACH 4000 | CLI L3P | Release 7.1, 12/2011
- Reference Manual GUI (Graphical User Interface), Industrial ETHERNET Gigabit Switch PowerMICE, MACH 1040, MACH 4000 | GUI L3E | Release 7.1, 12/2011
- Reference Manual GUI (Graphical User Interface), Industrial ETHERNET Gigabit Switch PowerMICE, MACH 1040, MACH 4000 | GUI L3P | Release 7.1, 12/2011
- User Manual Basic Configuration, Industrial ETHERNET Gigabit Switch (PowerMICE, MACH 1040, MACH 4000 for the L3 versions) | AHG L2P, Basic L3E, Basic L3P | Release 7.1, 12/2011

3.1 System Preparation Process

Operators of an IT infrastructure in an industrial environment (shortened to "system" hereafter) should have a s...
...password / SNMP v3 access; CLI L3E users snmp-v3 accessmode). L3P: yes (GUI L3P password / SNMP v3 access; CLI L3P users snmp-v3 accessmode).

4.4 Monitoring: Assign secure SNMP passwords (community strings)

When reading and writing values with SNMP v1 and v2, a community string (a kind of password) is used for authentication. The default values are generally known standard values and therefore cannot be regarded as secure in any way. Change these values. Note that SNMP v1/v2 community strings travel in clear text in every request, so a changed community string only stops access with default credentials; it does not protect against anyone who can capture traffic on the network (see Configuration of SNMP v3 Write Access).

Assign secure SNMP passwords. Default: "public" and "private". Recommended: community strings with a length of 16 characters. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI SNMP v1/v2 access settings; CLI snmp-server community.

Limit SNMP read access to specific IP addresses

Access with SNMP allows, in addition to regulation via the community string, the regulat...
...Ring. L3E: yes (Configure; GUI L3E HIPER Ring; CLI L3E hiper-ring). L3P: yes (Configure; GUI L3P HIPER Ring; CLI L3P hiper-ring).

Activate MRP

Like HIPER Ring, the MRP protocol provides the functions required for operating high-availability networks in ring form. Unlike HIPER Ring, however, MRP is an open, standardized protocol that can be operated together with products of other manufacturers. In addition, in the case of a ring failure it provides guaranteed switching times, provided the specified framework conditions are adhered to. The VLAN for the ring protocol can also be defined freely.

Note: Either HIPER Ring or MRP can be used.

Activate MRP. Default: Off. Recommended: On. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI MRP Ring; CLI mrp current-domain (Configure mode).

Activate faster ring configuration

If a section fails within a ring-shaped network, this option restores data transfer in the ring faster. Where possible, use a faster ring configuration. However...
...protocols which present a target to attackers.

Deactivate BOOTP. Default: Off. Recommended: Off. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI Network; CLI network protocol.

Deactivate PROFINET

PROFINET can be used to read and change specific properties of the switch. Only activate this option if you require PROFINET.

Deactivate PROFINET. Default: Off. Recommended: Off. Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI PROFINET IO; CLI profinetio.

4.1 Starting Up: Deactivate EtherNet/IP

EtherNet/IP can be used to read and change specific properties of the switch. Only activate this option if you require EtherNet/IP.

Deactivate EtherNet/IP. Default: Off. Recommended: Off. Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI EtherNet/IP; CLI ethernet-ip.
...and reactive measures, and the people responsible for them. Develop a concept for protecting against malware that specifies both technical and organizational rules.

3.7 Managing Users and Rights

The management of users and rights organizes the roles, and the rights associated with them, that you require in the relevant environment according to the description of the activity. Along with the creation of roles, this includes the assignment of people to the roles over the entire life cycle of the system. Typical tasks to consider are the creation, modification, monitoring and withdrawal of rights. These tasks must be represented in a process that regulates the identification of people and entities and authorizes the assignment of rights.

3.8 Requirements for the Documentation

Keep a record of information relevant to security, and organize the control of these documents. In the case of a security incident, these documents are used to verify that the security processes have been adhered to.
...switches support 4 traffic classes: RS20/30/40, MS20/30, OCTOPUS, MACH 102, RSR, MACH 1020/1030, RSB. The VLAN tag priority field (IEEE 802.1D/802.1p), however, distinguishes 8 priorities. Therefore the VLAN priorities are mapped to the internal traffic classes. The default settings are usually sufficient; check them for your specific application and adjust them if necessary.

Mapping of 802.1Q priority to traffic class. Default (and recommended): priority 0 -> class 1, 1 -> 0, 2 -> 0, 3 -> 1, 4 -> 2, 5 -> 2, 6 -> 3, 7 -> 3. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI 802.1D/p Mapping; CLI classofservice dot1p-mapping.

Configuration of mapping of IP DSCP to traffic class

Most versions of the switches support 4 traffic classes; in the software versions L3E and L3P the switches support 8 traffic classes. IP DSCP, however, has 64 possible values (0 to 63). Therefore the DSCP values are mapped to the internal traffic classes. The default settings are usually suff...
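The following Python code is an added example for this page, not Hirschmann code; it shows what the mapping above does to a frame at ingress, together with the VLAN rules from Separating networks: the 802.1Q tag is parsed, frames in the reserved VLANs 4043 to 4095 are dropped, a VLAN 0 tag is treated as a priority-only tag, and the priority is mapped to one of four traffic classes with the default table given above. The port VLAN 1, the port default priority 0, the DSCP mapping (DSCP value divided by 16) and the frame contents are assumptions made for the example.

```python
"""Ingress handling of an 802.1Q-tagged frame: extract VLAN ID and 802.1p
priority (PCP), apply the VLAN rules of this chapter (reserved VLANs
4043-4095 are not usable, VLAN 0 is only a priority tag) and map the
priority to one of the four internal traffic classes.

Added example for this page, not Hirschmann code. PVID 1, port priority 0
and the DSCP mapping (dscp >> 4) are assumptions; the 802.1p table is the
default given in the text."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
RESERVED_VIDS = range(4043, 4096)   # used internally for port-based routing

# Default 802.1p -> traffic class mapping for switches with 4 classes (from the text).
DOT1P_TO_CLASS = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def dscp_to_class(dscp):
    """Assumed 4-class DSCP mapping: 0-15 -> 0, 16-31 -> 1, 32-47 -> 2, 48-63 -> 3."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return dscp >> 4


def parse_frame(frame):
    """Split an Ethernet frame into its header fields; a VLAN tag is optional."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst, "src": src, "tagged": False, "vid": None, "pcp": None,
            "dei": None, "ethertype": ethertype, "payload": frame[14:]}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner, payload=frame[18:])
    return info


def ipv4_dscp(payload):
    """DSCP is the upper 6 bits of the IPv4 TOS byte (second byte of the header)."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return payload[1] >> 2


def classify(frame, pvid=1, port_priority=0, trust="dot1p"):
    """Return (action, forwarding VID, traffic class) for one ingress frame."""
    f = parse_frame(frame)
    if f["tagged"] and f["vid"] in RESERVED_VIDS:
        return "drop", f["vid"], None           # reserved for internal use
    # VLAN 0 is a priority-only tag: keep the PCP, forward in the port VLAN.
    vid = f["vid"] if f["tagged"] and f["vid"] != 0 else pvid
    pcp = f["pcp"] if f["tagged"] else port_priority
    if trust == "ip-dscp" and f["ethertype"] == ETHERTYPE_IPV4:
        dscp = ipv4_dscp(f["payload"])
        if dscp is not None:
            return "forward", vid, dscp_to_class(dscp)
    return "forward", vid, DOT1P_TO_CLASS[pcp]


def make_frame(vid=None, pcp=0, ethertype=ETHERTYPE_IPV4, dscp=0):
    """Build a constructed test frame (sample data, not captured traffic)."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ip_hdr = bytes([0x45, dscp << 2]) + b"\x00" * 18   # minimal IPv4 header shape
    payload = ip_hdr + b"\x00" * 26
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ethertype) + payload


if __name__ == "__main__":
    for label, frame in [("untagged", make_frame()),
                         ("VLAN 10, PCP 6", make_frame(vid=10, pcp=6)),
                         ("reserved VLAN 4050", make_frame(vid=4050)),
                         ("VLAN 0, PCP 5", make_frame(vid=0, pcp=5))]:
        print(f"{label:20s} -> {classify(frame)}")
```

Switching `trust` to "ip-dscp" is the equivalent of the trust mode setting from the quick check: the same frame is then classified by its DSCP value instead of its VLAN priority, so a host that sets PCP 7 on its own frames gains nothing.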
...used. L2P: yes (GUI L2P signal contact; CLI L2P signal-contact). L3E: yes (GUI L3E signal contact; CLI L3E signal-contact). L3P: yes (GUI L3P signal contact; CLI L3P signal-contact).

4.4 Monitoring (continued)

Generate trap when link status changes. Default: Off. Recommended: Off (already covered by measure M4.21). Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI trap setting; CLI snmp trap link-status.

Device status monitoring (GUI device status; CLI device-status; available in L2B, L2E, L2P, L3E, L3P). Default setting -> recommended setting:
- monitor power supply unit 1 -> monitor power supply unit 1
- monitor power supply unit 2 -> monitor power supply unit 2 if connected
- ignore temperature -> monitor temperature
- ignore module removal (not L2B) -> monitor module removal
- ignore ACA removal -> monitor ACA removal, depending on the application case
- ignore ACA asynchronous -> monitor, depending on the application case
- ignore connection error -> monitor connection error
(continued on the next page)
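The link-change events from the port monitor and the link-status trap are only useful if something evaluates them. The following Python code is an added example for this page, not Hirschmann code: it reads link up/down events in a constructed syslog-like format and raises one alarm per port when a port changes state five times within ten seconds, which is the pattern of a flapping link (loose or defective cable, a device being power-cycled); a single down/up pair minutes apart is left alone.

```python
"""Detect link flapping from link-status events reported by the port monitor
or the link-status trap: more than N link changes on one port inside a time
window, the same idea as the port monitor's link-flap condition.

Added example for this page, not Hirschmann code. The log line layout is a
constructed syslog-like format; map your collector's fields to LINE_RE."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: port 1/3 flaps, port 1/5 goes down once for maintenance.
SAMPLE_LOG = """\
2015-09-01T10:00:01 switch1 port 1/3 link down
2015-09-01T10:00:02 switch1 port 1/3 link up
2015-09-01T10:00:03 switch1 port 1/3 link down
2015-09-01T10:00:04 switch1 port 1/3 link up
2015-09-01T10:00:05 switch1 port 1/3 link down
2015-09-01T10:00:06 switch1 port 1/3 link up
2015-09-01T10:00:10 switch1 port 1/5 link down
2015-09-01T10:03:00 switch1 port 1/5 link up
2015-09-01T10:10:00 switch1 port 1/3 link down
"""

LINE_RE = re.compile(r"^(\S+) (\S+) port (\S+) link (up|down)$")


def parse_events(text):
    """Yield (timestamp, device, port, state) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, device, port, state = m.groups()
            yield datetime.fromisoformat(ts), device, port, state


def detect_link_flaps(events, max_changes=5, window=timedelta(seconds=10)):
    """Return [(device, port, timestamp)] once per burst of max_changes link
    changes inside `window`. The history is cleared after each alarm so that
    one burst produces one alarm, as a trap-based alarm should."""
    history = defaultdict(deque)
    alarms = []
    for ts, device, port, _state in events:
        q = history[(device, port)]
        q.append(ts)
        while q and ts - q[0] > window:       # slide the window
            q.popleft()
        if len(q) >= max_changes:
            alarms.append((device, port, ts))
            q.clear()
    return alarms


if __name__ == "__main__":
    for device, port, ts in detect_link_flaps(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {device} port {port}: link flapping")
```

On the sample input only port 1/3 is reported, at 10:00:05, when its fifth change inside ten seconds arrives; the later single event at 10:10:00 starts a fresh window and raises nothing.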
...switch. L2E: yes (CLI L2E set prompt). L2P: yes (CLI L2P set prompt). L3E: yes (CLI L3E set prompt). L3P: yes (CLI L3P set prompt).

Configuration of switch location and contact person

In an installation with more than one switch, store the location and the responsible contact person in the switch so that they can be determined more quickly. This makes it easier to identify the switch in a network management system, which can read these values via SNMP. Keep in mind that anyone with SNMP read access can read these values too, so do not store more there than a support engineer needs.

Configure location. Default: "Hirschmann Railswitch". Recommended: <location name>. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI System; CLI snmp-server location.

Configure contact person. Default: "Hirschmann Automation and Control GmbH". Recommended: <contact person>. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI System; CLI snmp-server contact.
...Starting from an application case (such as installation, administration, monitoring, etc.) and based on the security goals, first identify all of the principal threat scenarios that could lead to risks. In describing the application cases, also consider the assumptions you have made about the system's environment for each case. From the identified threat scenarios and risks, derive security requirements and measures for the system, and document them in a security requirements specification. Make sure that the security measures you derive from the security requirements cover all of the security requirements completely. The security requirements specification must be reviewed according to the dual control principle. It is also used as the basis for deriving the tests of the system's security measures. In chapter Secure Configuration (page 27) you will find examples of such application cases, including threats and the measures that you should take in order to operate the switch securely.

3.1.2 Architecture

An architecture document describes the system with all of its components and security measures. In particular, it represents the interfaces between the individual components. A defense-in-depth strategy consists of consecutive security measures, so that an attacker who overcomes one obstacle is faced with the next one; if one security measure is overcome, the security of the overall system is maintained. D...
...status (continued):
- ignore ring redundancy (not L2B) -> monitor ring redundancy if used (not L2B)
- -> monitor ring/network coupling if used (not L2B)
- -> monitor connection error

4.4 Monitoring: Activate PROFINET

If it is possible to monitor PROFINET components in the network environment, activate PROFINET on the switch and import the GSDML file into the configuration environment of the PROFINET system.

Activate PROFINET. Default: Off. Recommended: On. Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI PROFINET IO; CLI profinetio.

Deactivate PROFINET

If it is not possible to monitor the switch via PROFINET, deactivate the PROFINET protocol on the switch (default setting).

Deactivate PROFINET. Default: Off. Recommended: Off. Available in: L2E, L2P, L3E, L3P (not L2B). Further information: GUI PROFINET IO; CLI profinetio.

4.4 Monitoring: Activate ...
...tch management frames; configuration of trust mode via VLAN |
- Are different priority classes required for the network traffic? | Configuration of priority classes for each port; configuration of the mapping of VLAN priority classes to traffic classes; configuration of the mapping of IP DSCP to traffic classes |
- Can the unauthorized connection of devices to the network limit the service level of the network? | Configuration of MAC-based port security; configuration of IP-based port security; configuration of 802.1x port security |
- Can overloading of the network lead to problems? | Set a threshold value for the upper network load and notify via SNMP trap; configuration of the rate limiter |
- Is the switch used as a router in an environment with high availability requirements? | Use redundant routers |

Basic principle: the measures follow the minimal principle in order to reduce the system load of the switch and its attack surface. Generally, deactivate services that are not required.

General measures: activate the RAM self test; activate cold start for undefined software behavior.

Table 3: Security Quick Check for Service Level Management

4.5.3 Measures

Known limitations: depending on the switch model, 4 or 8 traffic classes are possible.
...Deactivate DHCP client

Note: The switch can receive its IP information dynamically via a DHCP server, and also a configuration via a TFTP server: the DHCP server response can contain a path to a remote configuration, which the switch then loads via TFTP when booting. An attacker who can answer DHCP requests on the network (a rogue DHCP server) can thus supply a complete configuration of his own choosing. For higher availability, select a static IP configuration for infrastructure components. Dynamic IP configurations require protocols which present a target to attackers.

Deactivate DHCP client. Default: On. Recommended: Off. Available in: L2B, L2E, L2P, L3E, L3P. Further information: GUI Network; CLI network protocol.

Deactivate BOOTP

Note: The switch can receive its IP information dynamically via a BOOTP server, and also a configuration via a TFTP server: the BOOTP server response can contain a path to a remote configuration, which the switch then loads via TFTP when booting. An attacker can misuse this service in the same way. For higher availability, select a static IP configuration for infrastructure components. Dynamic IP configurations require protocol...
...Deactivate routing

If you do not want the switch to route between Layer 3 subnetworks, deactivate the routing function completely.

Deactivate routing globally. Default: Off. Recommended: Off (default). Available in: L3E, L3P (not L2B, L2E, L2P). Further information: GUI Routing Global; CLI Routing Commands.

4.2 Separating networks: Deactivate Proxy ARP

The Proxy ARP function allows end devices to communicate via the device working as a router without having the required routing entries themselves. However, this also enables devices that are connected without authorization, for example, to communicate through the router with all subnetworks the router knows. Therefore deactivate Proxy ARP.

Deactivate Proxy ARP on every port. Default: Off. Recommended: Off (default). Available in: L3E, L3P (not L2B, L2E, L2P). Further information: GUI Router Interfaces Configure; CLI ip proxy-arp.

Deactivate net-directed broadcasts

Net-directed broadcasts enable broadcasts to be sent into other subnetworks via the router. This behavior can be used to attack availability (denial of service): a single packet is answered by every host in the target subnetwork. Therefore deactivate...
...the routing paths by means of forged RIP v1 or RIP v2 frames. The consequences can be interception, corruption or suppression of network traffic. Known limitation: RIP v2 with authentication makes attacks via the routing protocol more difficult and provides a further level of protection, but does not rule them out; RIP v1 offers no authentication at all.

Activate RIP. Default: Off. Recommended: On. Available in: L3E, L3P (not L2B, L2E, L2P). Further information: GUI RIP; CLI ip rip.

Set the RIP send version. Default: ripVersion2. Recommended: ripVersion2 (default). Available in: L3E, L3P. Further information: GUI RIP; CLI ip rip send version.

Set the authentication. Default: noAuthentication. Recommended: md5. Available in: L3E, L3P. Further information: GUI RIP; CLI ip rip authentication.

Enter a key. Default: <empty>. Recommended: secure password of 16 characters. Available in: L3E, L3P. Further information: GUI RIP; CLI ip rip authentication.

Define key ID. Default: 0. Recommended: ID shared with the other routers with which this router communicates. Available in: L3E, L3P (not L2B, L2E, L2P). Further information: GUI ...
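The md5 authentication, key and key ID settings above correspond to the keyed-MD5 scheme of RFC 2082. The following Python code is an added example for this page, not Hirschmann code; it builds an authenticated RIPv2 response and verifies it the way a receiving router does: the key is looked up by key ID (which is why the ID must match on all routers), the digest is recomputed over the packet with the zero-padded key appended, and the sequence number is compared with the last one accepted. The route, key and key ID are constructed sample values.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082): the mechanism behind the
'md5' authentication, key and key ID settings.

Added example for this page, not Hirschmann code. It builds an
authenticated RIPv2 response and verifies it as a receiving router would:
look up the key by key ID, recompute the digest, check the sequence number
against the last one accepted from that neighbour."""
import hashlib
import hmac
import socket
import struct

AFI_AUTH = 0xFFFF          # address family value marking an authentication entry
AUTH_KEYED_MD5 = 3         # RFC 2082 authentication type
TRAILER_TYPE = 0x01        # marks the trailer that carries the digest
DIGEST_LEN = 16
ENTRY_LEN = 20             # every RIPv2 entry, route or auth, is 20 octets
HEADER_LEN = 4             # command, version, unused


def _pad_key(key):
    """RFC 2082 keys are 16 octets; shorter keys are padded with trailing zeros."""
    if len(key) > DIGEST_LEN:
        raise ValueError("keyed-MD5 key must be at most 16 octets")
    return key.ljust(DIGEST_LEN, b"\x00")


def route_entry(prefix, mask, next_hop, metric, tag=0):
    """One RIPv2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_authenticated(routes, key_id, seq, key, command=2):
    """Return a RIPv2 packet with an RFC 2082 auth header and MD5 trailer."""
    header = struct.pack("!BBH", command, 2, 0)
    body = b"".join(routes)
    # "RIP-2 Packet Length" is the offset of the trailer: header + auth entry + routes.
    packet_len = HEADER_LEN + ENTRY_LEN + len(body)
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_KEYED_MD5, packet_len,
                             key_id, DIGEST_LEN, seq, b"\x00" * 8)
    unsigned = header + auth_entry + body + struct.pack("!HH", AFI_AUTH, TRAILER_TYPE)
    # The digest covers everything up to the trailer header, with the padded key appended.
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


def verify(packet, keys, last_seq=None):
    """Validate an incoming packet. keys maps key ID -> key. Returns (ok, reason, seq)."""
    if len(packet) < HEADER_LEN + ENTRY_LEN + 4 + DIGEST_LEN:
        return False, "packet too short", None
    afi, atype, packet_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or atype != AUTH_KEYED_MD5 or dlen != DIGEST_LEN:
        return False, "no keyed-MD5 authentication entry", None
    if packet_len + 4 + DIGEST_LEN != len(packet):
        return False, "length field inconsistent with packet", seq
    if packet[packet_len:packet_len + 4] != struct.pack("!HH", AFI_AUTH, TRAILER_TYPE):
        return False, "authentication trailer missing", seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id, seq
    expected = hashlib.md5(packet[:packet_len + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[packet_len + 4:]):
        return False, "digest mismatch: wrong key or modified packet", seq
    # RFC 2082 discards packets whose sequence number is below the last accepted one.
    if last_seq is not None and seq < last_seq:
        return False, "sequence number below last accepted (replay)", seq
    return True, "ok", seq


# Constructed sample data: one route, one 16-character key, key ID 1.
SAMPLE_KEY = b"s3cr3t-rip-key16"
SAMPLE_ROUTES = [route_entry("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)]

if __name__ == "__main__":
    pkt = build_authenticated(SAMPLE_ROUTES, key_id=1, seq=42, key=SAMPLE_KEY)
    print("genuine  :", verify(pkt, {1: SAMPLE_KEY}, last_seq=41))
    forged = bytearray(pkt)
    forged[-21] ^= 0x01                                  # flip a bit in the metric
    print("tampered :", verify(bytes(forged), {1: SAMPLE_KEY}))
    print("replayed :", verify(pkt, {1: SAMPLE_KEY}, last_seq=43))
```

Keeping several key IDs in the `keys` table is what allows a key to be rotated without an outage: the new key is installed under a new ID on every router first, senders are then switched to it, and the old ID is removed last.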
...(end of the Security Quick Check table, row "central management access": deactivate SNMP v1/v2 in either case; see also Limit SNMP read access to specific IP addresses.)

Basic principle: the measures follow the minimal principle in order to reduce the system load of the switch and its attack surface. Generally, deactivate services that are not required.

General measures: regardless of the type of administration access, implement the following measures to increase security: limit administration to IP address ranges; configure central user management via RADIUS (M3.14); block a user.

Table 1: Security Quick Check for Administration Access

4.3.3 Measures

Configuration of SNMP v3 Write Access

Use SNMP v3 rather than versions 1 and 2, as versions 1 and 2 transfer the passwords used for authentication in clear text; the same applies to the data exchanged. The encryption method used is DES (Data Encryption Standard); SHA-1 hashes are used for integrity protection.

Note: DES is regarded as a weak encryption method (56-bit key). Therefore change the keys at regular, short intervals.

Create user. Recommended: use unique user names (one account per person). Available in: L2B (CLI L2B users name), L2E (CLI L2E users name), L2P...
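The quick check above is a checklist that can be audited mechanically against a configuration dump. The following Python script is an added example written for this page, not code from the guide or from Hirschmann: it reads a constructed dump in an assumed "key = value" layout (the real CLI output looks different, so parse_config() must be adapted) and reports every setting that deviates from the recommendations in this chapter and in Starting Up, assuming that remote CLI access over SSH is required and the web GUI is not. A setting that is absent from the dump is reported as well, because a dump that does not mention a service says nothing about whether it is off.

```python
"""Audit a switch configuration dump against the hardening points of the
Security Quick Check and the measures in this guide.

Added example for this page, not code from the guide or from Hirschmann.
The "key = value" dump format is an assumption made for illustration; the
real CLI output differs, so adapt parse_config() to the dump you have."""

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_SECRET_LEN = 16  # community string length recommended by the guide

# Constructed sample dumps (assumed syntax, not captured from a device).
# Note: '#' starts a comment in this format, so secrets must not contain it.
FACTORY_LIKE = """\
dhcp-client = on
bootp-client = off
hidiscovery = read-write
telnet = on
ssh = off
http = on
snmp-v1v2 = on
snmp-community-ro = public
snmp-community-rw = private
profinet = off
ethernet-ip = on
"""

HARDENED = """\
dhcp-client = off
bootp-client = off
hidiscovery = read-only
telnet = off
ssh = on
http = off
snmp-v1v2 = off
snmp-community-ro = r3ad-0nly-Zq7!kPw2
snmp-community-rw = wr1te-Acc3ss-Xm9$Lt
profinet = off
ethernet-ip = off
"""


def parse_config(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def community_ok(value):
    """Not a well-known default and at least MIN_SECRET_LEN characters long."""
    return value.lower() not in DEFAULT_COMMUNITIES and len(value) >= MIN_SECRET_LEN


# (setting, predicate that holds when compliant, finding text)
RULES = [
    ("dhcp-client", lambda v: v == "off", "DHCP client active: use a static IP configuration"),
    ("bootp-client", lambda v: v == "off", "BOOTP client active: use a static IP configuration"),
    ("hidiscovery", lambda v: v in ("off", "read-only"), "HiDiscovery allows writes: set read-only or off"),
    ("telnet", lambda v: v == "off", "Telnet active: administer via SSH and deactivate Telnet"),
    ("ssh", lambda v: v == "on", "SSH inactive: no encrypted CLI path available"),
    ("http", lambda v: v == "off", "HTTP active: the GUI loader is served in clear text"),
    ("snmp-v1v2", lambda v: v == "off", "SNMP v1/v2 active: use SNMP v3 only"),
    ("snmp-community-ro", community_ok, "read community is a default or shorter than 16 characters"),
    ("snmp-community-rw", community_ok, "write community is a default or shorter than 16 characters"),
    ("profinet", lambda v: v == "off", "PROFINET active: deactivate unless used for monitoring"),
    ("ethernet-ip", lambda v: v == "off", "EtherNet/IP active: deactivate unless required"),
]


def audit(text):
    """Return a list of (setting, finding). A setting missing from the dump is
    reported too: silence in a dump is not evidence that a service is off."""
    cfg = parse_config(text)
    findings = []
    for key, compliant, msg in RULES:
        if key not in cfg:
            findings.append((key, "not present in dump: verify on the device"))
        elif not compliant(cfg[key]):
            findings.append((key, msg))
    return findings


if __name__ == "__main__":
    for name, dump in (("factory-like", FACTORY_LIKE), ("hardened", HARDENED)):
        print(name, "->", audit(dump) or "no findings")
```

The PROFINET rule is a policy decision rather than a fixed fact: the Monitoring chapter recommends activating PROFINET where the switch is monitored through it, so drop that rule on such switches.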
...Motivation and Goals

1.3 Areas of Application

The switch supports you with its wide range of communication options and enables problem-free data exchange. It covers a broad spectrum of industries, including the energy sector, automation applications and rail transportation. Common to all of these areas is the goal of connecting end devices. A distinction can be made between two application scenarios. The first is integration into an overall system, such as a power transformation substation. The second is a closed system, such as one that a plant manufacturer integrates into his plant and then delivers to the customer; there, the plant, and therefore also the switch, is incorporated into an overall system. In both cases the security of the switch contributes to the security of the overall system.

1.4 Further Information

You can register for a software update newsletter that informs you about new software versions and their release notes. If you find possible vulnerabilities or security problems in Hirschmann Automation and Control GmbH products, please report them via the Belden Security website or directly by e-mail: https://www.belden.com/security, BEL-SM-PSIRT@belden.com. The site contains the following: Advisories (reports about security vulnerabilit...
...Configuration of 802.1x port security

To prevent undesired devices from connecting to the network, the switches allow you to control the login centrally via one or two RADIUS servers. Permitted MAC addresses are configured centrally, as is their assignment to specific VLANs if required.

Configuration of 802.1x port security. Default: see the CLI documentation (default settings). Available in: L2P, L3E, L3P (not L2B, L2E). Further information: GUI IEEE 802.1X Port Authentication; CLI dot1x port-control.

Possible negative effects (availability): if all RADIUS servers fail, or the network connection to them, no device can log in to the network any more. Use two RADIUS servers reachable over independent paths where availability matters.

Set threshold value for upper threshold of the network load and notify via SNMP trap

In order to detect an overload situation, the switch can send an alarm for each port when a threshold value for the network load is exceeded. Activate this function to detect overload situations quickly.

Configure threshold value for network load for every port. Default: 0.00 and deactivated. Recommended: load values depend on the application. Available in: L2B (GUI L2B load / network load), L2E (GUI L2E load / network load)...
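The network-load threshold trap above is easy to get wrong in two ways: a 32-bit octet counter that wraps between two polls looks like a load drop, and a threshold without hysteresis produces a trap on every poll while the load hovers around the limit. The following Python code is an added example for this page, not Hirschmann code; the counter values and port speed are constructed. It computes utilisation from two counter readings with wrap handling and implements rising/falling trap logic with an upper and a lower threshold.

```python
"""Network-load threshold with trap logic: compute port utilisation from
interface octet counters (handling Counter32 wrap) and raise one trap when
the load crosses the upper threshold, with a lower threshold so a load that
hovers around the limit does not produce a trap storm.

Added example for this page, not Hirschmann code. The sample counters are
constructed; on a real device read ifInOctets/ifHCInOctets via SNMP."""


def counter_delta(previous, current, bits=32):
    """Difference between two counter readings, allowing for one wrap."""
    if current >= previous:
        return current - previous
    return current + (1 << bits) - previous


def utilisation_pct(prev_octets, cur_octets, interval_s, speed_bps, bits=32):
    """Percentage of link capacity used over the sampling interval."""
    if interval_s <= 0 or speed_bps <= 0:
        raise ValueError("interval and speed must be positive")
    bits_seen = counter_delta(prev_octets, cur_octets, bits) * 8
    return 100.0 * bits_seen / (interval_s * speed_bps)


class LoadMonitor:
    """Per-port threshold state with hysteresis: 'rising' when the load goes
    above `upper`, 'falling' once it drops below `lower`, nothing in between."""

    def __init__(self, upper_pct, lower_pct):
        if not 0 <= lower_pct < upper_pct <= 100:
            raise ValueError("need 0 <= lower < upper <= 100")
        self.upper, self.lower = upper_pct, lower_pct
        self.alarmed = {}           # port -> True while above the threshold

    def sample(self, port, load_pct):
        """Feed one utilisation sample; return 'rising', 'falling' or None."""
        above = self.alarmed.get(port, False)
        if not above and load_pct > self.upper:
            self.alarmed[port] = True
            return "rising"
        if above and load_pct < self.lower:
            self.alarmed[port] = False
            return "falling"
        return None


def run_samples(monitor, port, loads):
    """Apply a list of load samples; return the trap events raised as (index, event, load)."""
    events = []
    for i, load in enumerate(loads):
        ev = monitor.sample(port, load)
        if ev:
            events.append((i, ev, load))
    return events


# Constructed sample: a 100 Mbit/s port polled every second; the counter wrapped
# between the two readings (4290000000 -> 1282704 means 6250000 octets passed).
SAMPLE_SPEED = 100_000_000
SAMPLE_PREV, SAMPLE_CUR = 4_290_000_000, 1_282_704

if __name__ == "__main__":
    load = utilisation_pct(SAMPLE_PREV, SAMPLE_CUR, 1, SAMPLE_SPEED)
    print(f"load after counter wrap: {load:.1f} %")
    mon = LoadMonitor(upper_pct=40, lower_pct=30)
    print(run_samples(mon, "1/1", [10, 50, 45, 35, 25, 41]))
```

A Counter32 on a 1 Gbit/s port wraps roughly every 34 seconds at full load, so the wrap handling above is only correct if the poll interval is shorter than that; use the 64-bit ifHCInOctets counter where the device offers it.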
...authenticated, to make it more difficult to manipulate the routing information in the network.

Activate authentication for OSPF virtual links. Default: Off. Recommended: Off (default). Available in: L3P only (CLI L3P area virtual-link); not L2B, L2E, L2P, L3E.

Use IP Access Control Lists (ACLs)

When coupling different Layer 3 networks via a switch with Layer 3 software (L3E or L3P), configure Access Control Lists (ACLs) on the switch to prevent unauthorized access between the networks. ACLs can limit traffic by IP address, IP protocol or port number. In this way basic security is possible without a dedicated firewall. Note that these ACLs are stateless packet filters: they do not track connections, so where traffic is filtered in both directions the return traffic of a permitted connection needs its own permitting rule, and they cannot inspect application-layer content.

Use IP ACLs. Default: Off. Recommended: Off (default). Available in: L3E (CLI L3E QoS IP ACL), L3P (CLI L3P QoS IP ACL); not L2B, L2E, L2P.

4.2 Separating networks: GMRP (GARP Multicast Registration Protocol)

The GMRP protocol gives a client the option to register itself in a multicast group on Layer 2. Only activate this protocol if you really require it.

GMRP. Default: Off (deactivated). Recommended: leave deactivated unless required. Available in: L2P (GUI Switching GMRP; CLI set gmrp adminmode), L3E...
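The following Python code is an added example for this page, not Hirschmann code; the subnets, rule syntax and packets are constructed. It evaluates a small stateless IP ACL the way the switch does (first matching rule wins, unmatched traffic is denied) for the scenario of an engineering subnet that may reach one PLC on Modbus/TCP only, and applies the net-directed broadcast check from the preceding section before the ACL.

```python
"""A stateless IP ACL as described above, evaluated the way a switch does:
first matching rule wins, implicit deny at the end. The router-side check
for net-directed broadcasts is applied before the ACL.

Added example for this page, not Hirschmann code; rule syntax, sample
networks and packets are constructed for illustration."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst dport")
Packet = namedtuple("Packet", "src dst proto dport")


def rule(action, proto, src, dst, dport=None):
    """Build a Rule; 'any' is accepted for proto, src and dst."""
    def net(s):
        return None if s == "any" else ipaddress.ip_network(s, strict=False)
    return Rule(action, None if proto == "any" else proto, net(src), net(dst), dport)


def matches(r, pkt):
    """True if every field of the rule that is not a wildcard matches the packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return ((r.proto is None or r.proto == pkt.proto)
            and (r.src is None or src in r.src)
            and (r.dst is None or dst in r.dst)
            and (r.dport is None or r.dport == pkt.dport))


def evaluate(acl, pkt):
    """Return (action, index of the matching rule or None). Unmatched traffic is denied."""
    for i, r in enumerate(acl):
        if matches(r, pkt):
            return r.action, i
    return "deny", None


def is_directed_broadcast(dst, attached_networks):
    """True if dst is the broadcast address of a directly attached subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in attached_networks)


def forward(acl, attached_networks, pkt):
    """Router decision: drop directed broadcasts first, then apply the ACL."""
    if is_directed_broadcast(pkt.dst, attached_networks):
        return "drop-directed-broadcast"
    return evaluate(acl, pkt)[0]


# Constructed sample: the engineering subnet may reach one PLC on Modbus/TCP only.
ATTACHED = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.0.0/24")]
ACL = [
    rule("permit", "tcp", "10.1.1.0/24", "10.2.0.5/32", 502),   # Modbus/TCP to the PLC
    rule("permit", "icmp", "10.1.1.0/24", "10.2.0.0/24"),       # ping for troubleshooting
    rule("deny", "any", "any", "any"),                           # explicit final deny
]

if __name__ == "__main__":
    for p in [Packet("10.1.1.7", "10.2.0.5", "tcp", 502),
              Packet("10.1.1.7", "10.2.0.5", "tcp", 22),
              Packet("10.3.0.9", "10.2.0.5", "tcp", 502),
              Packet("10.1.1.7", "10.2.0.255", "udp", 502)]:
        print(p, "->", forward(ACL, ATTACHED, p))
```

The explicit final deny is redundant with the implicit one but is the rule you attach logging to in practice; without it, denied traffic leaves no trace.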
...system preparation process (shortened to SPP hereafter). This is used to introduce, change and maintain the system with all of its security requirements. The SPP is made up of the following main phases:
- analysis of requirements,
- architecture,
- implementation,
- test,
- operation and maintenance,
- decommissioning.

The operator of a system documents the main phases and activities of the SPP, integrates the security aspects to be considered, and describes the responsibilities, roles and rights that ensure that the SPP fulfills the defined quality and security requirements (for example, suitable quality management that also addresses security). The operator audits the SPP regularly, makes improvements and monitors their implementation. He also ensures that only qualified personnel execute the SPP. Asset (configuration) management must be established so that the system can be recorded with all of its components and software versions. Asset management is the basis of release and change management and is therefore the foundation of quality assurance for every change made to the system.

3.1.1 Analysis of Requirements

Perform a holistic threat analysis for the system that considers both the processes and the technologies used. S...
