Siemens RUGGEDCOM ROX II User Manual page 54


RUGGEDCOM ROX II CLI User Guide
Chapter 1
Introduction
Security Recommendations

• If a firewall is required, configure and start the firewall before connecting the device to a public network. Make sure the firewall is configured to accept connections from a specific domain. For more information, refer to Section 6.9, "Managing Firewalls".
• Modbus is deactivated by default in RUGGEDCOM ROX II. If Modbus is required, make sure to follow the security recommendations outlined in this CLI User Guide and configure the environment according to defense-in-depth best practices.
• Configure secure remote system logging to forward all logs to a central location. For more information, refer to Section 4.10, "Managing Logs".
• Configuration files are provided in either NETCONF or CLI format for ease of use. Make sure configuration files are properly protected when they exist outside of the device. For instance, encrypt the files, store them in a secure place, and do not transfer them via insecure communication channels.
• It is highly recommended that critical applications be limited to private networks, or at least be accessible only through secure services, such as IPsec. Connecting a RUGGEDCOM ROX II device to the Internet is possible. However, the utmost care should be taken to protect the device and the network behind it using secure means such as firewall and IPsec. For more information about configuring firewalls and IPsec, refer to Section 6.9, "Managing Firewalls" and Section 12.8, "Managing IPsec Tunnels".
• Management of the certificates and keys is the responsibility of the device owner. Consider using RSA key sizes of 2048 bits in length for increased cryptographic strength. Before returning the device to Siemens Canada Ltd for repair, replace the current certificates and keys with temporary throwaway certificates and keys that can be destroyed upon the device's return.
• Be aware of any non-secure protocols enabled on the device. While some protocols, such as HTTPS, SSH and 802.1x, are secure, others, such as Telnet and RSTP, were not designed for this purpose. Appropriate safeguards against non-secure protocols should be taken to prevent unauthorized access to the device/network.
• Make sure the device is fully decommissioned before taking the device out of service. For more information, refer to Section 4.7, "Decommissioning the Device".
• Configure port security features on access ports to prevent an unauthorized third-party from physically connecting to the device. For more information, refer to Section 6.6.2, "Configuring Port Security".

Hardware/Software

CAUTION!
Configuration hazard – risk of data corruption. Maintenance mode is provided for troubleshooting purposes and should only be used by Siemens Canada Ltd technicians. As such, this mode is not fully documented. Misuse of maintenance mode commands can corrupt the operational state of the device and render it inaccessible.

• Make sure the latest firmware version is installed, including all security-related patches. For the latest information on security patches for Siemens products, visit the Industrial Security website [https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security.html] or the ProductCERT Security Advisories website [http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-security-advisories.htm]. Updates to Siemens Product Security Advisories can be obtained by subscribing to the RSS feed on the Siemens ProductCERT Security Advisories website, or by following @ProductCert on Twitter.
• Only enable the services that will be used on the device, including physical ports. Unused physical ports could potentially be used to gain access to the network behind the device.
• Use the latest Web browser version compatible with RUGGEDCOM ROX II to make sure the most secure Transport Layer Security (TLS) versions and ciphers available are employed. Additionally, 1/n-1 record splitting is enabled in the latest Web browser versions of Mozilla Firefox, Google Chrome and Internet Explorer, and
