Siemens SIMATIC NET System Manual page 263


Firewall
The firewall functionality of SCALANCE S Industrial Security Appliances protects the internal
network from influences or disturbances from external networks. This means that, depending
on the configuration, only certain specified communication relations between the network
nodes from the internal network and the network nodes from the external networks are
allowed. All network nodes that are located in the internal network segment of a SCALANCE
S Industrial Security Application are protected by its firewall. Furthermore, up to four internal
networks as well as the communication relationships permissible between these networks
can be configured.
The SCALANCE S Industrial Security Appliances thus offer the realization of a flexible cell
protection concept via firewall:
● Protection of any Ethernet-based automation devices and systems that have no
security functions of their own
● Protection of several devices at the same time
● Reduction of potential network malfunctions and unauthorized network accesses by
forming secure communication islands (network segmentation)
● Securing the communication from and to the automation cells
The firewall functionality can be configured for the following protocol levels:
● IP firewall including Stateful Inspection
● Firewall for Ethernet "non-IP" frames according to IEEE 802.3 (layer 2 frames)
The stateful inspection firewall (also known as Stateful Packet Filter or Dynamic Packet
Filter) is a firewall technology that operates both on the network and at the application layer.
The IP packets are accepted on the network layer, checked according to their state by an
analysis module and compared with a status table. For the communication partner, a firewall
with stateful inspection appears as a direct connection that only allows communication
according to the rules.
Firewall rules are the rules for data traffic in the following directions:
● From the internal to the external network and vice versa
● From the internal network into an IPsec tunnel and vice versa (only with SCALANCE
S615, SCALANCE SC642-2C and SCALANCE SC646-2C)
● As well as within a network segment for internal to internal communication
For all devices, user-specific firewall rules can also be defined. They are activated when
the user logs in and remain valid for that user for a limited time only.
SCALANCE S in routing mode
If SCALANCE S Industrial Security Appliances are operated in routing mode, they separate
the internal network from the external network based on the evaluation of the IP addresses.
The frames intended for an existing IP address in the subnetwork (internal or external) are
forwarded. The firewall rules for the direction of transmission also apply. The configuration
specifies which ports are assigned to the internal network and to the external network.
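The following simulation is an added example and is not Siemens code or the SCALANCE S implementation. It illustrates the three ideas above in one place: firewall rules are keyed by direction (internal to external, external to internal, internal to internal); a stateful packet filter records accepted flows in a state table so that reply traffic passes without a matching inbound rule while unsolicited packets are dropped; and in routing mode the device decides which side a node belongs to from its IP address. The subnets, addresses and port numbers are constructed for the example.

```python
"""Simulation of a direction-based stateful packet filter (added example, not product code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed subnets: in routing mode the device tells internal from external
# nodes by their IP address, not by which physical port they are plugged into.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
EXTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True for the first segment of a TCP connection


@dataclass(frozen=True)
class Rule:
    direction: str          # "int->ext", "ext->int" or "int->int"
    proto: str
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "drop"


def zone(ip: str) -> Optional[str]:
    """Classify an address as internal, external, or unknown (routing mode lookup)."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL_NET:
        return "int"
    if addr in EXTERNAL_NET:
        return "ext"
    return None


def direction(pkt: Packet) -> Optional[str]:
    """Direction of a packet derived from the zones of its endpoints."""
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
    if src_zone is None or dst_zone is None:
        return None
    return f"{src_zone}->{dst_zone}"


Flow = Tuple[str, str, int, str, int]


@dataclass
class StatefulFirewall:
    rules: Tuple[Rule, ...]
    state: Set[Flow] = field(default_factory=set)   # accepted flows (the status table)

    @staticmethod
    def _flow(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet, updating the state table."""
        # Routing mode: a frame for an address outside both subnets is not forwarded.
        d = direction(pkt)
        if d is None:
            return "drop"
        # Stateful check: packets belonging to an already accepted flow (either
        # direction) pass without consulting the rule set again.
        if self._flow(pkt) in self.state or self._reverse(pkt) in self.state:
            return "allow"
        # A TCP segment that is not a connection start and has no state is unsolicited.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"
        # Rule lookup by direction, protocol and destination port; first match wins.
        for rule in self.rules:
            if rule.direction == d and rule.proto == pkt.proto and rule.dport in (None, pkt.dport):
                if rule.action == "allow":
                    self.state.add(self._flow(pkt))
                return rule.action
        return "drop"   # default deny: nothing matched


def demo_decisions() -> list:
    """Run a small constructed trace and return the firewall's decisions in order."""
    fw = StatefulFirewall(rules=(Rule("int->ext", "tcp", 443, "allow"),))
    trace = [
        Packet("192.168.10.5", "10.1.2.3", "tcp", 50000, 443, syn=True),   # internal opens HTTPS
        Packet("10.1.2.3", "192.168.10.5", "tcp", 443, 50000),             # reply to that flow
        Packet("10.1.2.3", "192.168.10.5", "tcp", 443, 50001),             # unsolicited, no state
        Packet("10.9.9.9", "192.168.10.5", "tcp", 40000, 102, syn=True),   # inbound, no ext->int rule
        Packet("172.16.0.1", "192.168.10.5", "udp", 1234, 161),            # address in no configured subnet
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for decision in demo_decisions():
        print(decision)
```

The constructed trace shows the practical consequence of stateful inspection: the only explicit rule permits outbound HTTPS, yet the server's reply is accepted because the outbound packet created a state entry, while a packet from the same server to a port that never opened a connection is dropped.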
Industrial Ethernet System Manual, 09/2019, C79000-G8976-C242-10; SCALANCE network components, 4.8 SCALANCE S Industrial Security Appliance, page 263
