Cooper SMP 4 - Using SMP Tools through a Substation LAN Firewall

Cooper SMP 4
269 pages
SMP Gateway User Manual 87
A firewall must be used to isolate the substation LAN from the corporate WAN. The firewall
should be configured to block all ports and connections except those that are absolutely necessary
for the operation of the substation. For instance, the firewall could be set up to accept traffic
between the SCADA and the SMP Gateway only. The firewall could also be configured to limit
traffic to a single port, such as that used by a DNP3 communications link.
However, note that such a security policy would prevent the use of the SMP Tools outside the
substation.
13.2.2 Using SMP Tools through a Substation LAN Firewall
Cybectec SMP Tools use Microsoft DCOM technology. This technology is designed to be used
on a LAN. There are two strategies available to use DCOM through a firewall.
The most secure approach is to establish a VPN (Virtual Private Network) connection
between the substation LAN and the client workstations on the corporate LAN. A VPN
encapsulates and encrypts network messages before forwarding them to the recipient. You
will not need any special setup when installing the SMP Tools. This approach will also secure
access by any other tools.
If you cannot use a VPN, you will need to open the necessary ports for DCOM on the
firewalls and routers that connect to the corporate LAN.
Here is the list of ports and port ranges that you have to open in the substation LAN firewall,
to let a PC on one side of the firewall communicate with an SMP Gateway on the other side of
the firewall:
For access when not using VPN, open

Application               Port            Protocol
FTP server                21              TCP
Telnet                    23              TCP
SMP Status                23              UDP
Web server                80              TCP
RPC server and DCOM       135             TCP
DCOM                      1024 to 1124    TCP
SMP maintenance server    49152           TCP

Optional ports, using VPN or not

Application               Port            Protocol
SNMP server               161             UDP
SNTP server               123             TCP
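
The following is an added example, not part of the Cooper manual: it renders a default-drop nftables forward chain from the port table above, so that only the listed ports are open between one workstation and the SMP Gateway. The addresses (RFC 5737 placeholders), the table name substation_fw, the use of nftables, and the restriction to a single source workstation are assumptions.

```python
# Added example: build a default-drop nftables forward chain from the manual's
# port table. Addresses and the table name are placeholders, not manual values.
from collections import defaultdict

# (application, port or (low, high) range, protocol) as listed in the manual.
NO_VPN_PORTS = [
    ("FTP server", 21, "tcp"),
    ("Telnet", 23, "tcp"),
    ("SMP Status", 23, "udp"),
    ("Web server", 80, "tcp"),
    ("RPC server and DCOM", 135, "tcp"),
    ("DCOM", (1024, 1124), "tcp"),
    ("SMP maintenance server", 49152, "tcp"),
]
OPTIONAL_PORTS = [
    ("SNMP server", 161, "udp"),
    ("SNTP server", 123, "tcp"),
]


def port_sets(entries):
    """Group ports by protocol, sorted, with ranges written as low-high."""
    grouped = defaultdict(list)
    for _app, port, proto in entries:
        grouped[proto].append(port if isinstance(port, tuple) else (port, port))
    return {
        proto: ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in sorted(ports))
        for proto, ports in grouped.items()
    }


def render_ruleset(workstation, gateway, include_optional=False):
    """Return nftables text allowing only workstation -> gateway on listed ports."""
    entries = NO_VPN_PORTS + (OPTIONAL_PORTS if include_optional else [])
    lines = [
        "table inet substation_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for proto, ports in sorted(port_sets(entries).items()):
        lines.append(
            f"    ip saddr {workstation} ip daddr {gateway} "
            f"{proto} dport {{ {ports} }} accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ruleset("192.0.2.10", "198.51.100.20"))
```

Keeping the DCOM range at exactly 1024 to 1124 and pinning both source and destination addresses keeps the exposure at what the table requires; review the generated text before loading it on a real firewall.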
