Siemens RUGGEDCOM ROX II User Manual (798 pages)
Page 54
Chapter 1
Introduction
RUGGEDCOM ROX II
CLI User Guide
Security Recommendations
If a firewall is required, configure and start the firewall before connecting the device to a public network. Make sure the firewall is configured to accept connections only from a specific, trusted domain. For more information, refer to Section 6.9, "Managing Firewalls".
Modbus is deactivated by default in RUGGEDCOM ROX II. If Modbus is required, make sure to follow the security recommendations outlined in this CLI User Guide and configure the environment according to defense-in-depth best practices.
Configure secure remote system logging to forward all logs to a central location, so that a compromised or decommissioned device cannot erase its own audit trail. For more information, refer to Section 4.10, "Managing Logs".
Configuration files are provided in either NETCONF or CLI format for ease of use. Make sure configuration files are properly protected whenever they exist outside of the device: encrypt the files, store them in a secure place, and do not transfer them over insecure communication channels.
It is highly recommended that critical applications be limited to private networks, or at least be accessible only through secure services, such as IPsec. Connecting a RUGGEDCOM ROX II device to the Internet is possible. However, the utmost care should be taken to protect the device and the network behind it using secure means such as a firewall and IPsec. For more information about configuring firewalls and IPsec, refer to Section 6.9, "Managing Firewalls" and Section 12.8, "Managing IPsec Tunnels".
Management of the certificates and keys is the responsibility of the device owner. Use RSA keys of at least 2048 bits for adequate cryptographic strength. Before returning the device to Siemens Canada Ltd for repair, replace the current certificates and keys with temporary throwaway certificates and keys that can be destroyed upon the device's return.
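As an added example (not code from the ROX II guide or from Siemens), the following script audits the RSA key-size recommendation above against public keys in OpenSSH line format, the format of authorized_keys, known_hosts and exported host keys. It assumes the keys have been exported from the device or jump host into that format; the ROX II CLI itself is not invoked. The sample authorized_keys content is constructed inline and its "ssh-rsa" entries carry synthetic moduli that only exercise the parser; they are not real RSA keys.

```python
# Added example: flag RSA public keys below 2048 bits in OpenSSH key lines.
# Not part of the RUGGEDCOM ROX II guide; sample input below is constructed.
import base64
import binascii
import struct

MIN_RSA_BITS = 2048  # threshold taken from the guide's recommendation


def _read_string(blob, pos):
    """Read one SSH wire-format 'string': uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    start = pos + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:start + length], start + length


def rsa_bits_from_openssh(line):
    """Return the modulus bit length of an 'ssh-rsa <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public-key line")
    blob = base64.b64decode(fields[1])
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match ssh-rsa")
    _exponent, pos = _read_string(blob, pos)  # mpint e, not needed for sizing
    modulus, _ = _read_string(blob, pos)      # mpint n
    # mpint is big-endian two's complement; the 0x00 pad byte present when the
    # top bit is set does not change int.bit_length(), so no stripping needed.
    return int.from_bytes(modulus, "big").bit_length()


def audit_keys(lines, min_bits=MIN_RSA_BITS):
    """Return (line number, 'weak'|'ok'|'skip', bits) for each non-comment line.

    Non-RSA keys and unparsable RSA lines are reported as 'skip' rather than
    silently dropped, so the operator sees what the audit did not cover.
    """
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("ssh-rsa "):
            findings.append((lineno, "skip", None))
            continue
        try:
            bits = rsa_bits_from_openssh(line)
        except (ValueError, struct.error, binascii.Error):
            findings.append((lineno, "skip", None))
            continue
        findings.append((lineno, "ok" if bits >= min_bits else "weak", bits))
    return findings


# --- constructed sample input (synthetic, not real keys) ----------------------

def _string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # Minimal big-endian encoding with a 0x00 pad byte when the top bit is set.
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def synthetic_rsa_line(bits, comment):
    """Build an ssh-rsa line whose modulus is exactly `bits` bits wide.

    The modulus 2**(bits-1) | 1 is a synthetic odd number chosen only to
    exercise the parser; it is NOT a product of two primes and must never be
    used as a key.
    """
    modulus = (1 << (bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys content",
    synthetic_rsa_line(1024, "legacy-ops@jumphost"),
    synthetic_rsa_line(2048, "ops@jumphost"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey00000000000000 ops@laptop",
]

if __name__ == "__main__":
    for lineno, verdict, bits in audit_keys(SAMPLE_AUTHORIZED_KEYS):
        size = f" ({bits}-bit RSA)" if bits else ""
        print(f"line {lineno}: {verdict}{size}")
```

Run it against a real exported file by replacing SAMPLE_AUTHORIZED_KEYS with the file's lines; any "weak" finding is a key to rotate before the device is exposed, and "skip" entries (ed25519, ECDSA) need a separate policy check since key size is not the relevant measure for them.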
Be aware of any non-secure protocols enabled on the device. While some protocols, such as HTTPS, SSH and 802.1X, are secure, others, such as Telnet and RSTP, were not designed with security in mind. Take appropriate safeguards against non-secure protocols (disable them where they are not needed, or confine them to trusted segments) to prevent unauthorized access to the device and the network.
Make sure the device is fully decommissioned before taking the device out of service. For more information, refer to Section 4.7, "Decommissioning the Device".
Configure port security features on access ports to prevent an unauthorized third party from physically connecting to the device. For more information, refer to Section 6.6.2, "Configuring Port Security".
Hardware/Software
CAUTION!
Configuration hazard – risk of data corruption. Maintenance mode is provided for troubleshooting purposes and should only be used by Siemens Canada Ltd technicians. As such, this mode is not fully documented. Misuse of maintenance mode commands can corrupt the operational state of the device and render it inaccessible.
Make sure the latest firmware version is installed, including all security-related patches. For the latest information on security patches for Siemens products, visit the Industrial Security website [https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security.html] or the ProductCERT Security Advisories website [http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-security-advisories.htm]. Updates to Siemens Product Security Advisories can be obtained by subscribing to the RSS feed on the Siemens ProductCERT Security Advisories website, or by following @ProductCert on Twitter.
Only enable the services that will be used on the device, including physical ports. Unused physical ports could potentially be used to gain access to the network behind the device.
Use the latest Web browser version compatible with RUGGEDCOM ROX II to make sure the most secure
Transport Layer Security (TLS) versions and ciphers available are employed. Additionally, 1/n-1 record splitting
is enabled in the latest Web browser versions of Mozilla Firefox, Google Chrome and Internet Explorer, and
