Siemens SIMATIC NET MM900 Compact Operating Instructions page 11

Industrial ethernet switches

Certificates and keys
• The device contains a preset SSL/TLS (RSA) certificate with a 2048-bit key length. Replace this certificate with a user-generated, high-quality certificate with key. Use a certificate signed by a reliable external or internal certification authority. You can install the certificate via the WBM ("System > Load and Save").
• Use certificates with a key length of 4096 bits.
• Use the certification authority, including key revocation and management, to sign the certificates.
• Make sure that user-defined private keys are protected and inaccessible to unauthorized persons.
• If there is a suspected security violation, change all certificates and keys immediately.
• Use password-protected certificates in the format "PKCS #12".
• Verify certificates based on the fingerprint on the server and client side to prevent "man in the middle" attacks. Use a second, secure transmission path for this.
• Before sending the device to Siemens for repair, replace the current certificates and keys with temporary disposable certificates and keys, which can be destroyed when the device is returned.
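The fingerprint check recommended above can be scripted on the client side. The following is an added example, not part of the Siemens manual: the function names are hypothetical, the choice of SHA-256 as the fingerprint hash is an assumption, and the sample certificate bytes are constructed. The trusted fingerprint is assumed to have been recorded over the second, secure transmission path.

```python
import hashlib
import hmac
import re
import ssl


def sha256_fingerprint(pem_cert: str) -> str:
    """SHA-256 over the certificate's DER encoding, as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> bytes:
    """Drop an optional 'sha256 Fingerprint=' label and separators.

    Rejects anything that is not 64 hex digits, for example a shorter
    SHA-1 fingerprint pasted in by mistake.
    """
    value = fingerprint.split("=", 1)[-1]
    hex_only = re.sub(r"[\s:.-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hex_only.encode("ascii")


def fingerprint_matches(pem_cert: str, trusted_fingerprint: str) -> bool:
    """Compare the presented certificate with the out-of-band fingerprint."""
    presented = normalize(sha256_fingerprint(pem_cert))
    return hmac.compare_digest(presented, normalize(trusted_fingerprint))


def check_device(host: str, trusted_fingerprint: str, port: int = 443) -> bool:
    """Fetch the certificate the device presents and check its fingerprint.

    ssl.get_server_certificate() performs no chain validation when no CA
    file is given, so the fingerprint comparison is the only trust decision.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_matches(pem, trusted_fingerprint)


# Constructed sample: arbitrary bytes standing in for a DER certificate.
# The fingerprint is a hash of the raw bytes, so no real certificate is needed.
SAMPLE_DER = b"0\x82" + bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
```

A mismatch means the certificate presented on the network is not the one whose fingerprint was recorded, so the session should not be used to enter credentials.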
Secure/non-secure protocols and services
• Avoid or disable non-secure protocols and services, for example HTTP, Telnet and TFTP. For historical reasons, these protocols are available, but they are not intended for secure applications. Use non-secure protocols on the device with caution.
• Check whether use of the following protocols and services is necessary:
– Non-authenticated and unencrypted ports
– MRP, HRP
– IGMP snooping
– LLDP
– Syslog
– RADIUS
– DHCP Options 66/67
– TFTP
– GMRP and GVRP
MM900 media modules for SCALANCE XR-500M
Compact Operating Instructions, 04/2022, A5E03275846-05
Recommendations on network security
11
