Siemens SIMATIC NET SCALANCE XF-200BA Operating Instructions Manual page 13

Industrial ethernet switches

Certificates and keys
• The device contains a pre-installed X.509 certificate with key. Replace this certificate with a
self-made certificate with key. Use a certificate signed by a reliable external or internal
certification authority. You can install the certificate via the WBM ("System > Load and Save").
• Use a certification authority with key revocation and management to sign the
certificates.
• Make sure that user-defined private keys are protected and inaccessible to unauthorized
persons.
• If there is a suspected security violation, change all certificates and keys immediately.
• Use password-protected certificates in the format "PKCS #12".
• Use certificates with a key length of 4096 bits.
• Verify certificates based on the fingerprint on the server and client side to prevent "man in the
middle" attacks. Use a second, secure transmission path for this.
• Before sending the device to Siemens for repair, replace the current certificates and keys with
temporary disposable certificates and keys, which can be destroyed when the device is
returned.
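
The fingerprint check recommended in the list above, as an added example that is not part of the Siemens manual: it computes the SHA-256 fingerprint of a presented certificate and compares it with the value obtained over the second, secure path. All function names are hypothetical, the use of SHA-256 is an assumption, and the sample "certificates" are constructed byte strings so the block runs offline.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint_of_pem(pem):
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def display_form(hex_digest):
    """Colon-separated uppercase form, as certificate viewers usually show it."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


def matches_pinned(pem, expected):
    """Constant-time comparison with the fingerprint received out of band."""
    return hmac.compare_digest(fingerprint_of_pem(pem), normalize_fingerprint(expected))


def check_device(host, port, expected):
    """Fetch the certificate the device presents and compare it to the pin.

    No CA chain is validated here; trust rests only on the fingerprint
    obtained over the second, secure path.
    """
    pem = ssl.get_server_certificate((host, port))
    return matches_pinned(pem, expected)


# Constructed sample data: arbitrary bytes wrapped as PEM, not real certificates.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample DER bytes (device)")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample DER bytes (interceptor)")
SAMPLE_PIN = display_form(fingerprint_of_pem(SAMPLE_PEM))

if __name__ == "__main__":
    print("pinned fingerprint:", SAMPLE_PIN)
    print("device certificate matches:", matches_pinned(SAMPLE_PEM, SAMPLE_PIN))
    print("substituted certificate matches:", matches_pinned(OTHER_PEM, SAMPLE_PIN))
```

Against a real device, `check_device` takes the management address and HTTPS port together with the fingerprint read from the device over the separate path.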
Secure/non-secure protocols and services
• Avoid or disable non-secure protocols and services, for example HTTP, Telnet and TFTP. For
historical reasons, these protocols are available, but they are not intended for secure
applications. Use non-secure protocols on the device with caution.
• Check whether use of the following protocols and services is necessary:
– Non-authenticated and unencrypted ports
– MRP, HRP
– IGMP snooping
– LLDP
– DCP
– Syslog
– RADIUS
– DHCP Options 66/67
– TFTP
– GMRP and GVRP
SCALANCE XF-200BA
Operating Instructions, 02/2023, C79000-G8976-C470-08
Recommendations on network security