• Use passwords with a high password strength. Avoid weak passwords, (e.g. password1,
123456789, abcdefgh) or recurring characters (e.g. abcabc).
This recommendation also applies to symmetrical passwords/keys congured on the device.
• Make sure that passwords are protected and only disclosed to authorized personnel.
• Do not use the same passwords for multiple user names and systems.
• Store the passwords in a safe location (not online) to have them available if they are lost.
• Regularly change your passwords to increase security.
• A password must be changed if it is known or suspected to be known by unauthorized
persons.
• When user authentication is performed via RADIUS, make sure that all communication takes
place within the security environment or is protected by a secure channel.
• Watch out for link layer protocols that do not oer their own authentication between
endpoints, such as ARP or IPv4. An attacker could use vulnerabilities in these protocols to
attack hosts, switches and routers connected to your layer 2 network, for example, through
manipulation (poisoning) of the ARP caches of systems in the subnet and subsequent
interception of the data trac. Appropriate security measures must be taken for non-secure
layer 2 protocols to prevent unauthorized access to the network. Physical access to the local
network can be secured or secure, higher layer protocols can be used, among other things.
Certicates and keys
• There is a pre-installed Web server certicate (RSA, 2048 bit key length) and an SSH Private
Key in the device. Replace this certicate with a user-generated, high-quality certicate with
key. Use a certicate signed by a reliable external or internal certication authority. You can
install the certicate in the WBM via "System > Load and Save".
• Use the certication authority including key revocation and management to sign the
certicates.
• Use password-protected certicates in the format "PKCS #12".
• Use certicates with a key length of 4096 bits.
• Make sure that user-dened private keys are protected and inaccessible to unauthorized
persons.
• If there is a suspected security violation, change all certicates and keys immediately.
• SSH and SSL keys are available for admin users. Make sure that you take appropriate security
measures when shipping the device outside of the trusted environment:
– Replace the SSH and SSL keys with disposable keys prior to shipping.
– Decommission the existing SSH and SSL keys. Create and program new keys when the
device is returned.
• Verify certicates based on the ngerprint on the server and client side to prevent "man in the
middle" attacks. Use a second, secure transmission path for this.
• Before sending the device to Siemens for repair, replace the current certicates and keys with
temporary disposable certicates and keys, which can be destroyed when the device is
returned.
Security recommendations
3.1Security recommendations
SCALANCE MUM853-1
14 Operating Instructions, 03/2023, C79000-G8976-C650-05
To Next Page
Loading...
