Common Remote Service Platform (crsp) Security Concept



Similar documents
siemens.com/energy/remoteservices Remote Services Security Concept Answers for energy.

VPN. VPN For BIPAC 741/743GE

Network Access Security. Lesson 10

Cornerstones of Security

MANAGED SECURITY SERVICES

CISCO IOS NETWORK SECURITY (IINS)

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Introduction to Security and PIX Firewall

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Understanding the Cisco VPN Client

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

Virtual Private Networks

Virtual Private Networks (VPN) Connectivity and Management Policy

Cisco Which VPN Solution is Right for You?

Chapter 4 Virtual Private Networking

How To Pass A Credit Course At Florida State College At Jacksonville

SCADA SYSTEMS AND SECURITY WHITEPAPER

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

How To Understand And Understand The Security Of A Key Infrastructure

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

Case Study for Layer 3 Authentication and Encryption

Support and Remote Dialup SIMATIC. Process Control System PCS 7. Support and Remote Dialup. Preface 1. Support and Remote Dialup.

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

ICTTEN8195B Evaluate and apply network security

This section provides a summary of using network location profiles to identify network connection types. Details include:

Remote Access Security

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Technical papers Virtual private networks

Machine control going www - Opportunities and risks when connecting a control system to the Internet

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Executive Summary and Purpose

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Network Security and Firewall 1

Security Technology: Firewalls and VPNs

Creating a VPN Using Windows 2003 Server and XP Professional

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

ASA and Native L2TP IPSec Android Client Configuration Example

Chapter 5. Data Communication And Internet Technology

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Exam Questions SY0-401

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Site to Site Virtual Private Networks (VPNs):

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Network Security Guidelines. e-governance

Virtual Private Network and Remote Access Setup

Overview. Protocols. VPN and Firewalls

AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION

Secure SCADA Network Technology and Methods

Study on Remote Access for Library Based on SSL VPN

Innovative Defense Strategies for Securing SCADA & Control Systems

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

If you have questions or find errors in the guide, please, contact us under the following address:

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Chapter 8 Virtual Private Networking

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

Cisco Certified Security Professional (CCSP)

TABLE OF CONTENTS NETWORK SECURITY 2...1

ICANWK406A Install, configure and test network security

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

TANDBERG and Security

Payment Card Industry Self-Assessment Questionnaire

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

Basics of Internet Security

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Securing Cisco Network Devices (SND)

Protecting systems and patient privacy

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

FileCloud Security FAQ

Information Technology Security Procedures

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Domain 6.0: Network Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Stable and Secure Network Infrastructure Benchmarks

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Associate in Science Degree in Computer Network Systems Engineering

Best Practices For Department Server and Enterprise System Checklist

Telemedicine HIPAA/HITECH Privacy and Security

"ASM s INTERNATIONAL E-Journal on Ongoing Research in Management and IT"

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Security basics and application SIMATIC NET. Industrial Ethernet Security Security basics and application. Preface. Introduction and basics

MIGRATIONWIZ SECURITY OVERVIEW

CCNA Security. IINS v2.0 Implementing Cisco IOS Network Security ( )

Transcription:

Siemens Remote Support Services Common Remote Service Platform (crsp) Security Concept White Paper April 2013 1

Contents Siemens AG, Sector Industry, Industry Automation, Automation Systems This entry is from the Technical Support portal. If you have any questions concerning this document please e-mail us using the following address: support.automation@siemens.com 3 Introduction 3 1.1 Remote services motivation and objectives 4 General operational concept 4 2.1 Purpose and usage of this document 4 2.2 Service and maintenance of technical equipment 4 2.3 Using a standard solution 5-9 Technical and organizational security concept 5 3.1 Overview 5 3.1.1 Establishing the connection 5 3.1.2 Access Control 5 3.1.3 Remote access logging 5 3.1.4 Privacy along the transmission route 5 3.1.5 Organizational measures 6-9 3.2 Security infrastructure of crsp 7 3.2.1 Authentication and authorization of Siemens service personal 7 3.2.2 Demilitarized Zone (DMZ) 7-8 3.2.3 Securing the transmission route 8-9 3.2.4 Security measures in the customer network 8 3.2.4.1 Access to the customer network 8 3.2.4.2 System access 8 3.2.4.3 Protocols 8-9 3.2.4.4 Data transmission from your systems to the crsp server 9 3.2.4.5 Data transmission from the crsp server to your systems (optional) 9 3.2.5 Protection against malicious attacks 9 3.2.5.1 Protected crsp server 9 3.2.5.2 Protecting customer systems 2

Introduction 1.1 Remote services motivation and objectives Remote services have become increasingly more important as companies try to offset rising costs of operations and issues with the availability of facilities and equipment increase. Remote condition monitoring and diagnosis can detect developing faults in the early stages, allowing maintenance to take place when needed, rather than at fixed intervals or when failures occur. Due to an extensive use of integrated electronics in today s products and the conversion from mechanical/electromechanical product features to software-based functionality, tomorrow s product support and service portfolio will look quite different. IT-related and knowledge-intensive expert services will further displace traditional types of services. Furthermore, networking of products and IT solutions, as well as advanced communication technology will drive demand for new effective remote service offerings. However, security and data privacy are becoming very important in providing remote services. 3

General operational concept 2.1 Purpose and usage of this document The security concept described provides insight as to the measures that Siemens takes to protect data, application programs, and IT systems when performing remote services. Siemens security concept is divided into two main sections. Starting with the general operational concept, the basic concept of Siemens Remote Support Services (SRSS), Siemens service processes, and the technical capabilities of Siemens products is explained. This section is aimed at product users, technical managers, and everyone who is interested in obtaining a basic understanding of how SRSS works. The second part, the technical and organizational security concept, is aimed at IT specialists and data security experts who need to know in detail what measures Siemens is taking to achieve a high level of data security and privacy. This section explains how a connection to Siemens crsp is established, what Siemens security infrastructure looks like, and what Siemens does to prevent attacks. 2.2 Service and maintenance of technical equipment Given the growing complexity of modern products and solutions, Siemens has responded to the challenge by providing additional services to support its customers. Furthermore, it is often simply more efficient and faster to first determine the causes of system problems via remote diagnosis and, where possible, correct the problem through remote repair. However, in those cases where remote repair is not possible, the information obtained via remote diagnosis can support the Siemens service engineer on site. Whether on site or remotely, many situations can be detected and corrected based on technical data from the system. Should access to data sets or images containing sensitive data become necessary, Siemens safeguards the compliance to data privacy guidelines and regulations. In the case of product classes where this is technically impossible, or where the task prohibits it (e.g., when accessing databases), Siemens limits access to this data to the extent necessary and implements specialized technical and organizational security measures. Features of online support Remote access to customer systems for online support (e.g., for user questions regarding operation) is also provided through remote desktop managing tools. This allows for a 1:1 display of the customer s monitor at the Service Center, as well as enables remote control by the Siemens service engineer. This is only possible if the customer has explicitly granted access. This authorization is required for each individual session. Additionally, in such cases, the customer can track the course of the session and, if necessary, terminate the access provided to the Service Center. 2.3 Using a standard solution A growing number of manufacturers offer remote services for their products in various configurations. This results in an increasing number and variety of remote connections between the customer and product manufacturers, as well as increased administrative costs for the customer. Additionally, added administrative complexity can also increase the probability of security gaps. Siemens avoids this situation by building a standards-compliant and certified solution. 4

Technical and organizational security concept 3.1 Overview 3.1.1 Establishing the connection As a general policy, the degree to which access is granted to a system is determined entirely by the customer. 3.1.2 Access control As a prerequisite for every service activity, the customer has to expressly grant access to SRSS and controls who is permitted access to the system. Access is only granted to identify or correct errors. After a set period of time during which no action has occurred, the SRSS session at the customer system is automatically terminated. 3.1.3 Remote access logging Siemens records and time stamps each time it accesses the customer system. In addition, the Siemens service engineer who accesses the system is assigned a unique user identification which is also recorded in this log. As a result, Siemens can inform the customer within an appropriate period of time, which service engineer had access to data, when, and what communication activities were performed on each system. These report logs are retained for a minimum of one year. 3.1.4 Privacy along the transmission route Siemens utilizes the most modern encryption methods to protect customer data from unauthorized access during transmission. This is a prerequisite for any communications via the Internet. As an option for data transfer on public lines, router-to-router encryption is also offered. For additional information, refer to section 3.2. 3.1.5 Organizational measures Siemens service engineers understand the need for data privacy and IT security. They realize the severe consequences of not abiding by the applicable requirements. Only service engineers who have been trained in, and are committed to, data privacy and security issues are authorized to perform SRSS. As outlined in the next section, Siemens crsp security infrastructure contains a secured list of these selected service employees, as well as their corresponding access rights. 5

3.2 Security infrastructure of crsp Within this section, more detailed technical information is provided concerning the following topics: Authentication and authorization of Siemens service engineers using crsp (Ch. 3.2.1), The crsp - DMZ, the demilitarized zone between the Siemens intranet and the internet or public lines (Ch. 3.2.2), Security measures for accessing the customer network (Ch. 3.2.4 ), and Protocols and services supported by crsp (Ch. 3.2.5.3). An architectural overview of Siemens security infrastructure is shown. 6

3.2.1 Authentication and authorization of Siemens service personnel The central maintenance and dial-in platform (crsp access portal) is located within the Siemens intranet and cannot be externally accessed. Access to the crsp portal is only available through the Siemens intranet and requires a valid crsp user ID and password. A strong authentication method (PKI with smart card) is utilized. A multi-level service domain concept defines which users are permitted access to specific systems. This means that Siemens service engineers can only access those customer systems for which they are expressly authorized. Additionally, only those SRSS functions for which the engineer is explicitly authorized are released. Other systems in the customer network that are not maintained by Siemens cannot be accessed via this platform. 3.2.2 Demilitarized Zone (DMZ) To protect customer s and Siemens intranet from reciprocal problems and attacks, Siemens has secured the crsp server, in a DMZ. Connections between the Siemens service engineer and the customer system are not put through directly. They terminate in the crsp server using a reverse proxy function. This means that a connection established from the Siemens intranet is terminated in the crsp access server. This server then establishes the connection to the customer s system and mirrors the communication coming from the customer back to the Siemens intranet. The possibility of a communication between the Siemens intranet and the customer s network over protocols that are not explicitly authorized is thereby prevented. Mirroring occurs only for predefined protocols and after successful authorization at the crsp portal. This architecture is designed to prevent: Unauthorized access from one network to the other (e.g., hackers) Access from a third-party network (e.g., the Internet) Fraudulent use of secure passwords, access data, etc. Transmission of viruses or similar harmful programs from one network to the other. In addition, Siemens does not store any critical data in the DMZ, in particular customer access data. Within Siemens proactive services, messages and data is frequently sent by the monitored product. Also, this communication is established only after successful authorization of the system requesting the connect. All data sent by the systems is only stored in the DMZ and is then securely transferred to the specified data server within the Siemens intranet. 3.2.3 Securing the transmission route Virtual Private Network (VPN) via the Internet Siemens recommends establishing a broadband, secure connection via the Internet which offers you the following advantages: Highest possible level of security Best data transfer quality and availability Access to all crsp-based services. Based on current technology, this is implemented via a VPN secured with Internet Protocol Security (IPSec) between the Siemens DMZ and your network portal. Siemens can provide you with the hardware necessary to use the SRSS (e.g., VPN router). The VPN endpoint on Siemens side is a Cisco router. VPN via dial-up connections If a broadband VPN connection via the Internet cannot be implemented, a VPN may be established via a dialup connection. If you already have dial-up capabilities, please contact your local Siemens representative to coordinate the required configuration. If you do not have a dial-up infrastructure, Siemens can provide you with a router (e.g., Cisco product) for use with SRSS. Technical security measures of the transmission route Siemens offers the following technical measures to provide added security: Secure password transmission with Challenge Handshake Protocol (CHAP) To transfer passwords, Siemens uses CHAP which provides encrypted password transmission. The ten-character CHAP passwords, as well as passwords for Telnet and configuration mode access, are randomly generated from uppercase and lowercase alphanumeric as well as special characters. More secure connection with Point-to-Point Protocol (PPP) callback (optional) When using a dial-up connection, Siemens implements the PPP that can be expanded with an optional callback function. This means that your service router will call back the number stored for the Siemens router once the number has been authenticated. This is designed to prevent the unlikely event of an unauthorized third party managing to guess the username, password and telephone number and then attempting to dial in using this data. 7

Caller authentication with Calling Line Identification (CLI) (optional) With CLI, your service router receiving the call verifies the Multiple Subscriber Number (MSN) of the router making the call. This means that the service router can only be accessed if the transmitted MSN matches the telephone number of the crsp router stored in the service router. This function is only available for ISDN service routers. IPSec protects data against tampering and being read by others (optional) Siemens uses the established standard IPSec with preshared secrets for encrypted and authenticated data transmission. Preshared secrets are comprised of 12 randomly selected characters. The Internet Security Association and Key Management Protocol (ISAKMP) is used to exchange encryption key information. The use of an Authentication Header (AH) provides the integrity of data with the Hash method MD5 or SHA1. Encrypted Secure Payload (ESP) provides the confidentiality of data by encrypting with algorithms DES or 3DES. The Diffie-Hellmann key with a 768, 1024, or 1536-bit key length can be used as symmetrical session keys. Enhanced control capabilities through debugging (optional) If you would like to receive Simple Network Management Protocol (SNMP) or Syslog service messages on your router, or if you would like to see the current service router configuration, please contact your local Siemens representative. 3.2.4 Security measures in the customer network 3.2.4.1 Access to the customer network Due to the security issues involved, external access to the customer network requires specific attention and measures. The key security features depend on the specific concept and configuration of the Service router (Customer Access Gateway) chosen. Access enabled by customer A general security measure can be used to block any external access when not explicitly authorized or initiated by a component within the customer network. This security measure is, of course, supported by crsp, but has some considerable limitations, especially if onsite personal are not available. However, when the chosen crsp supports various mechanisms like single log-in passwords or defined service time-slots, all security measures like authentication, authorization, and logging as described in Ch. 3.2.1 are available without any limitations. Customer supplied access In most cases, if you already have an existing remote access solution in place, this system can be configured to work securely with SRSS infrastructure. To clarify the required configuration and measures, please contact your local Siemens service representative. Service VPN-router / Siemens supplied access Due to cost, performance, and security benefits, Siemens specified VPN-router solution with broadband internet access (e.g., DSL) is preferred. This solution can support high-performance remote service solutions affordably and enables future value-added services. Specific customer demands for additional security measures of certain applications, network segments or requested onsite firewall features can be provided based on this solution. 3.2.4.2 System access When remote access to your system is released (either manually by user/administrator or automatically based on system configuration), the Siemens service engineer has to be authenticated by the system before being able to switch the system to service mode. 3.2.4.3 Protocols Depending on the capabilities of the software on your system, the protocols http or preferably https as well as the service tools/protocols: Telnet, PuTTY, NetOp, pcanywhere, WinVNC, TeraTermPro, Timbuktu, Netmeeting, Tarantella, Citrix / MS Terminal Server, SNMP, and X.11 can be used to service your system. 3.2.4.4 Data transmission from your systems to the crsp server Diagnostic data is sent from your system to the crsp server for some of Siemens proactive services, either automatically (based on your system configuration), or at the explicit request of the Siemens service engineer. In such cases, only technical data are transmitted. 8

Depending on the capabilities of the software, the following services are used: ftp / ftps (File Transfer Protocol, dto. secure ftp) scp (Secure Copy) 3.2.4.5 Data transmission from the crsp server to your systems (optional) Depending on your demands and product capabilities, a Software Update service is available based on crsp. Here data is sent automatically from the crsp server to your systems. This includes, for example, anti-virus patterns and Microsoft Hotfixes. This type of transmission is performed only with your prior approval. 3.2.5 Protection against malicious attacks 3.2.5.1 Protected crsp server The crsp servers are Linux servers. Infection by worms, viruses, Trojan horses, or other attacks is therefore extremely unlikely and has not occurred to date. Nevertheless, Siemens ensures that the crsp servers are protected using state-of-the-art technology. 3.2.5.2 Protecting customer systems No direct threat from the crsp server A virus infection to your system from the crsp servers, or distribution of viruses in the direction of your system, is unlikely due to the reverse proxy function described in section 2.2.2. Threat due to Internet connection Systems connected to the corresponding crsp server via the Internet are as with any connection via the Internet exposed to a certain level of threat. As long as you use Internet access only for SRSS purposes, infection by viruses is unlikely due to Siemens security infrastructure. However, should you use your Internet connection for other purposes, Siemens advises you to take appropriate precautions to protect your system. No threat from email traffic Certain types of customer systems send emails (without attachments) to the corresponding crsp server and in this direction only. Emails sent from a customer system to the crsp server are forwarded to the appropriate Siemens mail server, and then sent to the recipient. The Siemens mail server scans all email messages for viruses and reacts in accordance with Siemens guidelines to ensure that there is no threat to the Siemens intranet. Since emails are not sent in the other direction (to the customer system), infection of the customer system in this manner is unlikely. Infection of a serviced system through contact with an infected customer system Infection of the crsp server through contact with an infected customer system is unlikely since there is no direct IP routing between these systems (refer to reverse proxy function explanation in section 3.2.3). Siemens Industry, Inc. 3333 Old Milton Parkway Alpharetta, GA 30005 1-800-241-4453 info@siemens.com Order No. CSRS-10002-0413 Siemens Industry 2013 www.usa.siemens.com/services 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information