Nk8000 Network Planning; Nk8000 Security - Siemens DMS8000 Application & Planning

5

NK8000 network planning

5.1

NK8000 Security

Building Technologies
CPS Fire Safety
NK8000 networks can be built as a dedicated safety- and security IP network, or can
be integrated into an existing customer network (shared network). The NK8000 Secu-
rity and IT rules apply in both cases.
To ensure the system security and prevent physical damages and attacks that may
compromise the system integrity and confidentiality, make sure to install NK823x units
according to the following criteria:
·
NK823x units must be updated to latest Kernel and firmware versions.
·
NK823x units must be must be installed in locked cabinets (for example, a
control panel housing or the dedicated NE8001 cabinet).
·
Cabinets must be installed in locked rooms with constant surveillance and
·
Restricted access to authorized personnel only.
·
Most of the communication protocols, used between the NK823x units and the
management station and between subsystems and the NK823x units, are
open and unprotected protocols (e.g. BACnet, Modbus TCP, IEC 60870-5-
104, etc.). Therefore, the networks where the NK823x units are connected to
must be protected from unauthorized data access, use, disclosure, disruption,
modification, and destruction. This concerns all networks that are somehow
vulnerable due to external connections (WAN, Internet), open technologies
(wireless networks), or any other risk of fraudulent access. To achieve the re-
quired level of security, the protective measures must include:
The use of firewalls on the Intranet to filter external traffic and select
o
the allowed ports
NOTE: The list of ports used by the management system can be
found in 5.4.2.
The use of Virtual Private Networks (VPN) or other equivalent solu-
o
tions to establish a secure (encrypted) tunnel between the NK823x
LAN and the management station across public or unprotected net-
works.
·
In the NK823x unit download, the secure (default) option must be selected. Do
not use the FTP modes.
· The built in NK823x firewall and routing capabilities provide only a basic level
of protection for gateway purposes. For that reason the usage of NK823x as
firewall for protecting subsystems, management stations or customer net-
works is not recommended.
In installations with critical infrastructure and higher security requirements the
usage of up-to-date, professional and properly configured firewalls is highly
recommended.
049_DMS_DMS8000_Application_Specification_Planning_MP4.81_A6V10063710_a_en.doc
NK8000 network planning
09.2016
75