Siemens SCALANCE XRH-300
Record passwords in a safe, secure, off-line location for future retrieval should they be misplaced.
Change passwords regularly and often.
When RADIUS is utilized for user authentication, make sure all communications are within the security perimeter or protected by a secure channel.
Be aware of any link layer protocols that do not provide any inherent authentication between endpoints, such as ARP in IPv4. A malicious entity could exploit weaknesses in these protocols to attack hosts, switches, and routers connected to your Layer 2 network, for example, by poisoning the ARP caches of systems within the subnet and subsequently intercepting traffic. Appropriate safeguards against non-secure Layer 2 protocols, such as securing physical access to the local network and using secure higher layer protocols, should be taken to prevent unauthorized access to the network.
Certificates and keys
Immediately change all certificates and keys upon suspicion of a security breach.
SSH and SSL keys are accessible to admin users. Make sure to take appropriate precautions when shipping the device beyond the boundaries of the trusted environment:
Replace the SSH and SSL keys with throwaway keys prior to shipping.
Take the existing SSH and SSL keys out of service. When the device returns, create and program new keys for the device.
Use password-protected certificates that are in PKCS #12 format.
Use certificates with a key length of 4096 bits.
Before returning the device to Siemens for repair, replace the current certificates and keys with temporary throwaway certificates and keys that can be destroyed upon the device's return.
Verify certificates and fingerprints on the server and client to prevent Man-in-the-Middle (MitM) attacks.
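The throwaway-certificate, PKCS #12 and fingerprint-verification recommendations above, worked through with the OpenSSL command line as an added example (this is not Siemens code and not from the manual). It assumes the openssl CLI is installed; the CN, file names and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Siemens code: builds a throwaway 4096-bit key and
# self-signed certificate for a device in transit, bundles them as a
# password-protected PKCS #12 file, and checks a certificate's SHA-256
# fingerprint against a value recorded out of band (MitM detection).
# CN, file names and password are constructed placeholders; needs openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Short-lived self-signed certificate with a fresh 4096-bit RSA key.
# 30 days is enough for shipping; the pair is destroyed on return.
make_throwaway_cert() {
  openssl req -x509 -newkey rsa:4096 -nodes -days 30 \
    -subj "/CN=scalance-transit-throwaway" \
    -keyout "$WORK/throwaway.key" -out "$WORK/throwaway.crt" >/dev/null 2>&1
}

# Package key and certificate as a password-protected PKCS #12 bundle.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/throwaway.key" -in "$WORK/throwaway.crt" \
    -out "$WORK/throwaway.p12" -passout "pass:$1"
}

# Return 0 only when the bundle opens with the supplied password.
pkcs12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Modulus size in bits of the certificate's public key (expect 4096).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Colon-separated upper-case SHA-256 fingerprint of a PEM certificate;
# this is the value to record out of band before the device is shipped.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' \
    | tr '[:lower:]' '[:upper:]'
}

# Client-side check: 0 when the presented certificate matches the recorded
# fingerprint, 1 otherwise (a mismatch means do not trust the connection).
verify_fingerprint() {
  expected=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  [ "$(cert_fingerprint "$1")" = "$expected" ]
}
```

Record the value printed by cert_fingerprint through a separate channel before shipping, and run verify_fingerprint against the certificate the device presents when it is reconnected.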
Physical/remote access
Only operate the devices in a protected network area. Attackers cannot access internal data from outside when the internal and external network are disconnected.
Restrict physical access to the device to only trusted personnel. A malicious user in possession of the device's removable media could extract critical information, such as certificates, keys, etc. (user passwords are protected by hash codes), or reprogram the media.
Control access to the serial console to the same degree as any physical access to the device.
It is highly recommended to keep Brute Force Attack (BFA) protection enabled to prevent a third party from obtaining unauthorized access to the device.
For more information, refer to "Supplementary documentation (Page 8)".
For communication via non-secure networks, use additional devices with VPN functionality to encrypt and authenticate communications.
When securely connecting to a server (e.g. in the case of a secure upgrade), make sure the server side is configured with strong ciphers and protocols.
3.1 Security recommendations
SCALANCE XRH-300/XRM-300 Equipment Manual, 10/2022, C79000-G8976-C546-01, page 16