Siemens RUGGEDCOM ROX II User Manual page 45

RUGGEDCOM ROX II
CLI User Guide
Chapter 1, Introduction: Security Recommendations (page 7)

• PAP (Password Authentication Protocol) is not considered a secure protocol and should only be enabled when required. Consider using CHAP (Challenge-Handshake Authentication Protocol) whenever possible.

Physical/Remote Access

• It is highly recommended to enable Brute Force Attack (BFA) protection to prevent a third party from obtaining unauthorized access to the device. For more information, refer to Section 5.6, "Enabling/Disabling Brute Force Attack Protection".
• SSH and SSL keys are accessible to users who connect to the device via the serial console. Make sure to take appropriate precautions when shipping the device beyond the boundaries of the trusted environment:
  ▪ Replace the SSH and SSL keys with throwaway keys prior to shipping.
  ▪ Take the existing SSH and SSL keys out of service. When the device returns, create and program new keys for the device.
• The default and auto-generated SSL certificates are self-signed. It is recommended to use an SSL certificate that is either signed by a trusted third-party Certificate Authority (CA) or by an organization's own CA. For more information, refer to "Generating SSH Keys and SSL Certificates for ROS and ROX Using Windows" [http://w3.siemens.com/mcms/industrial-communication/Documents/AN22_Application-Note_EN.pdf].
• Restrict physical access to the device to only trusted personnel. A person with malicious intent in possession of the flash card could extract critical information, such as certificates, keys, etc. (user passwords are protected by hash codes), or reprogram the card.
• Passwords/passphrases for service mode and maintenance mode should only be given to a limited number of trusted users. These modes provide access to private keys and certificates.
• Control access to the serial console to the same degree as any physical access to the device. Access to the serial console allows for potential access to BIST mode, which includes tools that may be used to gain complete access to the device.
• When using SNMP (Simple Network Management Protocol):
  ▪ Limit the number of IP addresses that can connect to the device and change the community names. Also configure SNMP to raise a trap upon authentication failures. For more information, refer to Section 5.11, "Managing SNMP".
  ▪ Make sure the default community strings are changed to unique values.
• When using RUGGEDCOM ROX II as a client to securely connect to a server (such as in the case of a secure upgrade or a secure syslog transfer), make sure the server side is configured with strong ciphers and protocols.
• Limit the number of simultaneous Web Server, CLI, SFTP and NETCONF sessions allowed.
• If a firewall is required, configure and start the firewall before connecting the device to a public network. Make sure the firewall is configured to accept connections from a specific domain. For more information, refer to Section 5.17, "Managing Firewalls".
• Modbus is deactivated by default in RUGGEDCOM ROX II. If Modbus is required, make sure to follow the security recommendations outlined in this CLI User Guide and configure the environment according to defense-in-depth best practices.
• Configure secure remote system logging to forward all logs to a central location. For more information, refer to Section 3.9, "Managing Logs".
• Configuration files are provided in either NETCONF or CLI format for ease of use. Make sure configuration files are properly protected when they exist outside of the device. For instance, encrypt the files, store them in a secure place, and do not transfer them via insecure communication channels.
• It is highly recommended that critical applications be limited to private networks, or at least be accessible only through secure services, such as IPsec. Connecting a RUGGEDCOM ROX II device to the Internet is possible.
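The certificate recommendation above notes that the default and auto-generated SSL certificates are self-signed. The following shell script is an added example, not part of the guide or of any Siemens tooling, that audits an exported PEM certificate for exactly that condition; it assumes the openssl command-line tool is installed and builds its own constructed sample certificates in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the Siemens guide: audit a PEM certificate (for
# instance one exported from a device) and report whether it is self-signed,
# as the guide says the default and auto-generated certificates are.
# Assumes the openssl command-line tool is installed.
set -eu

# Print "self-signed" or "ca-signed" for the PEM certificate in $1.
# A self-signed certificate carries the same Distinguished Name as subject
# and issuer; a differing issuer means another entity (a CA) issued it.
cert_signer_type() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    # Strip the "subject=" / "issuer=" labels, then compare the DNs.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Constructed samples in a temp dir: a throwaway self-signed certificate
# (standing in for the device default) and one issued by a throwaway CA.
WORK=$(mktemp -d)
KEYGEN="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"  # split on use

make_self_signed_cert() {
    openssl req -x509 $KEYGEN -keyout "$WORK/dev.key" -out "$WORK/dev.pem" \
        -days 1 -subj "/CN=rox2-default" 2>/dev/null
    echo "$WORK/dev.pem"
}

make_ca_signed_cert() {
    openssl req -x509 $KEYGEN -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -days 1 -subj "/CN=plant-ca" 2>/dev/null
    openssl req -new $KEYGEN -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=rox2-unit" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" \
        -days 1 2>/dev/null
    echo "$WORK/leaf.pem"
}

DEFAULT_CERT=$(make_self_signed_cert)
CA_CERT=$(make_ca_signed_cert)
echo "$DEFAULT_CERT: $(cert_signer_type "$DEFAULT_CERT")"   # self-signed
echo "$CA_CERT: $(cert_signer_type "$CA_CERT")"             # ca-signed
```

Matching subject and issuer names is the usual indicator, but it is not a signature check; to confirm who actually signed a production certificate, verify it against the CA's certificate with `openssl verify -CAfile`.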
