A Firewall Using The Example Of A Scalance Sc - Siemens SCALANCE XC-200 Set Up And Configuration

Service bridge

2 How the service bridge works and how to use it
Note
To prevent communication problems caused by duplicate IP addresses, we
recommend using different IP address ranges in all subordinate PROFINET
networks.
Note
Optionally, the system bus can also be structured with VLANs to logically
separate communication for service bridge access from process communication.
Further information on configuring VLANs can be found in the following FAQ:
"How is a Virtual Local Area Network (VLAN) configured in PCS 7?"
https://support.industry.siemens.com/cs/ww/en/view/66807297
2.3 A firewall using the example of a SCALANCE SC

It is recommended to use a firewall between the Service Bridge and the plant bus
in order to protect the plant bus against unauthorized access from the field.
This firewall must be able to operate as a Stateful Inspection Firewall, i.e. to check
packets depending on their state. It must also support bridge mode for operation
in flat networks, where external and internal interfaces are located on the same IP
subnet.
The firewall must be configured in such a way that it only allows communication
that is initiated by selected sources in the plant bus (e.g. the ES). This means that
the firewall allows communication from the ES at any time, but only allows devices
on the field bus to respond to message frames from the ES. Communication that is
initiated by devices on the field bus is blocked by the firewall.
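The policy described above, modelled as an added example (this is not Siemens code and not a SCALANCE configuration). The addresses, ports and the `StatefulBridgeFirewall` class are constructed for illustration, and the model leaves out timeouts and TCP flag tracking.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_side: str            # bridge port the frame arrived on: "plant" or "field"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulBridgeFirewall:
    """Toy model: no timeouts, no TCP flag tracking."""

    def __init__(self, allowed_initiators):
        self.allowed = set(allowed_initiators)  # selected plant-bus sources
        self.flows = set()                      # state table of opened flows

    def check(self, p):
        if p.in_side == "plant":
            if p.src not in self.allowed:
                return "drop"
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        # Field side: accept only the mirror image of a tracked flow.
        # In bridge mode both sides share one subnet, so the decision rests
        # on the ingress side and the state table, not on the source address.
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "accept" if reply_of in self.flows else "drop"

ES, PLC, OTHER = "192.168.10.5", "192.168.10.50", "192.168.10.9"  # constructed

def run_sample():
    fw = StatefulBridgeFirewall({ES})
    sample = [  # constructed traffic
        Packet("field", PLC, 40000, ES, 102),     # field initiates first
        Packet("plant", ES, 50000, PLC, 102),     # ES opens a connection
        Packet("field", PLC, 102, ES, 50000),     # PLC answers the ES
        Packet("field", PLC, 40001, ES, 102),     # PLC initiates a new flow
        Packet("field", ES, 50001, PLC, 102),     # ES address seen on field side
        Packet("plant", OTHER, 50000, PLC, 102),  # plant host not selected
    ]
    return [fw.check(p) for p in sample]

if __name__ == "__main__":
    print(run_sample())
```

Only the ES-initiated flow and its matching reply are accepted; a frame that carries the ES address but arrives on the field side is dropped because no tracked flow matches it.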
This functionality can, for example, be implemented by the Security Modules of the
SCALANCE SC600-series from the firmware version V2.0. Instructions for
configuring the firewall using the example of a SCALANCE SC632-2C can be
found in chapter 5.

Service Bridge – Setup and Configuration, Entry ID: 109747975, V1.4, 05/2019
