Siemens RUGGEDCOM ROX II User Manual page 46


Chapter 1
Introduction
RUGGEDCOM ROX II
CLI User Guide

Security Recommendations

However, the utmost care should be taken to protect the device and the network behind it using secure means such as firewall and IPsec. For more information about configuring firewalls and IPsec, refer to Section 5.17, "Managing Firewalls" and Section 5.29, "Managing IPsec Tunnels".
• Management of the certificates and keys is the responsibility of the device owner. Consider using RSA key sizes of 2048 bits in length for increased cryptographic strength. Before returning the device to Siemens Canada Ltd. for repair, replace the current certificates and keys with temporary throwaway certificates and keys that can be destroyed upon the device's return.
• Be aware of any non-secure protocols enabled on the device. While some protocols, such as HTTPS, SSH and 802.1x, are secure, others, such as Telnet and RSTP, were not designed for this purpose. Appropriate safeguards against non-secure protocols should be taken to prevent unauthorized access to the device/network.
• Prevent access to external, untrusted Web pages while accessing the device via a Web browser. This can assist in preventing potential security threats, such as session hijacking.
• Make sure the device is fully decommissioned before taking the device out of service. For more information, refer to Section 3.7, "Decommissioning the Device".
• Configure port security features on access ports to prevent a third party from launching various attacks that can harm the network or device. For more information, refer to Section 3.17.3, "Configuring Port Security".

Hardware/Software

CAUTION!
Configuration hazard – risk of data corruption. Maintenance mode is provided for troubleshooting purposes and should only be used by Siemens Canada Ltd. technicians. As such, this mode is not fully documented. Misuse of maintenance mode commands can corrupt the operational state of the device and render it inaccessible.

• Make sure the latest firmware version is installed, including all security-related patches. For the latest information on security patches for Siemens products, visit the Industrial Security website [http://www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/alerts.aspx] or the ProductCERT Security Advisories website [http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-security-advisories.htm]. Updates to Siemens Product Security Advisories can be obtained by subscribing to the RSS feed on the Siemens ProductCERT Security Advisories website, or by following @ProductCert on Twitter.
• Only enable the services that will be used on the device, including physical ports. Unused physical ports could potentially be used to gain access to the network behind the device.
• Use the latest Web browser version compatible with RUGGEDCOM ROX II to make sure the most secure Transport Layer Security (TLS) versions and ciphers available are employed. Additionally, 1/n-1 record splitting is enabled in the latest Web browser versions of Mozilla Firefox, Google Chrome and Internet Explorer, and mitigates attacks such as the SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (e.g. BEAST).
• For optimal security, use SNMPv3 whenever possible. Use strong passwords with this feature. For more information about creating strong passwords, refer to the password requirements in Section 4.10, "Managing Passwords and Passphrases".

Policy

• Periodically audit the device to make sure it complies with these recommendations and/or any internal security policies.
• Review the user documentation for other Siemens products used in coordination with the device for further security recommendations.
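
The Web browser recommendation above names 1/n-1 record splitting as a mitigation for BEAST. The following is an added illustration, not part of the Siemens manual: it builds the TLS 1.0 CBC record plaintext for one application write, with and without the split, and reports how much of the first cipher block is chosen by whoever supplies the data. It assumes an AES-CBC suite with HMAC-SHA1; the function names, the key and the request are constructed for the example.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # AES-CBC block size (assumed suite: AES-CBC with HMAC-SHA1, TLS 1.0)


def record_plaintext(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    """Bytes handed to CBC for one TLS 1.0 application-data record:
    fragment || HMAC-SHA1 || padding (RFC 2246, section 6.2.3.2)."""
    header = struct.pack("!QBHH", seq, 23, 0x0301, len(fragment))
    mac = hmac.new(mac_key, header + fragment, hashlib.sha1).digest()
    body = fragment + mac
    pad_len = -(len(body) + 1) % BLOCK  # pad so the total is a block multiple
    return body + bytes([pad_len]) * (pad_len + 1)


def fragments(data: bytes, split: bool) -> list:
    """Split one application write 1/n-1, or leave it as a single record."""
    return [data[:1], data[1:]] if split and len(data) > 1 else [data]


def analyse_write(mac_key: bytes, seq: int, data: bytes, split: bool) -> dict:
    """In TLS 1.0 each record's CBC IV is the last ciphertext block of the
    previous record, so the IV for the first record of a write is already
    on the wire. Report how much of the block XORed with that IV is chosen
    by whoever supplies `data`; the rest of the block is keyed MAC output."""
    frags = fragments(data, split)
    records = [record_plaintext(mac_key, seq + i, f) for i, f in enumerate(frags)]
    chosen = min(len(frags[0]), BLOCK)
    return {
        "records": len(records),
        "record_lengths": [len(r) for r in records],
        "first_block": records[0][:BLOCK],
        "caller_chosen_bytes": chosen,
        "mac_bytes_in_first_block": BLOCK - chosen,
    }


if __name__ == "__main__":
    key = bytes(range(20))                    # constructed MAC key
    write = b"GET /index.html HTTP/1.1\r\n"   # constructed application data
    for split in (False, True):
        info = analyse_write(key, 0, write, split)
        print("1/n-1 split" if split else "single record", info)
```

With the split, the remaining n-1 bytes travel in a second record whose IV is the last ciphertext block of the 1-byte record, which does not exist until after the write has been submitted.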


This manual is also suitable for:

Rx1500, Rx1512, Rx1501, Rx1510, Rx1511
