Siemens SCALANCE XRH-300 Product Manual page 16

3.1 Security recommendations
• Record passwords in a safe, secure, off-line location for future retrieval should they be
misplaced.
• Change passwords regularly and often.
• When RADIUS is utilized for user authentication, make sure all communications are within
the security perimeter or protected by a secure channel.
• Be aware of any link layer protocols that do not provide any inherent authentication between
endpoints, such as ARP in IPv4. A malicious entity could exploit weaknesses in these protocols
to attack hosts, switches, and routers connected to your Layer 2 network, for example, by
poisoning the ARP caches of systems within the subnet and subsequently intercepting
traffic. Appropriate safeguards against non-secure Layer 2 protocols, such as securing
physical access to the local network and using secure higher layer protocols, should be taken
to prevent unauthorized access to the network.
Certificates and keys
• Immediately change all certificates and keys upon suspicion of a security breach.
• SSH and SSL keys are accessible to admin users. Make sure to take appropriate precautions
when shipping the device beyond the boundaries of the trusted environment:
– Replace the SSH and SSL keys with throwaway keys prior to shipping.
– Take the existing SSH and SSL keys out of service. When the device returns, create and
program new keys for the device.
• Use password-protected certificates that are in PKCS #12 format.
• Use certificates with a key length of 4096 bits.
• Before returning the device to Siemens for repair, replace the current certificates and keys
with temporary throwaway certificates and keys that can be destroyed upon the device's
return.
• Verify certificates and fingerprints on the server and client to prevent Man-in-the-Middle
(MitM) attacks.
Physical/remote access
• Only operate the devices in a protected network area. Attackers cannot access internal data
from outside when the internal and external network are disconnected.
• Restrict physical access to the device to only trusted personnel. A malicious user in possession
of the device's removable media could extract critical information, such as certificates, keys,
etc. (user passwords are protected by hash codes), or reprogram the media.
• Control access to the serial console to the same degree as any physical access to the device.
• It is highly recommended to keep Brute Force Attack (BFA) protection enabled to prevent a
third-party from obtaining unauthorized access to the device.
For more information, refer to "Supplementary documentation (Page 8)".
• For communication via non-secure networks, use additional devices with VPN functionality
to encrypt and authenticate communications.
• When securely connecting to a server (e.g. in the case of a secure upgrade), make sure the
server side is configured with strong ciphers and protocols.
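The two recommendations above on verifying certificate fingerprints against MitM and on using strong ciphers and protocols can be enforced on the client side. The following is an added example, not code from Siemens or from this manual: a TLS client that requires TLS 1.2 or later with ECDHE AEAD cipher suites and refuses the session unless the peer certificate's SHA-256 fingerprint matches a value recorded out of band from the device. PINNED_SHA256 is a placeholder; the host, port and CA file are assumptions you supply.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional

# Placeholder: replace with the SHA-256 fingerprint read from your own device's
# certificate (e.g. from its web UI or CLI) and recorded out of band.
PINNED_SHA256 = "00" * 32


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare against the pin in constant time; accepts 'AB:CD:..' or 'abcd..' form."""
    expected = pinned_hex.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def strict_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context: TLS 1.2+, ECDHE AEAD suites only, chain and hostname checks on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Excludes static-RSA key exchange, CBC and 3DES suites (TLS 1.3 suites stay enabled).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_pinned(host: str, port: int, pinned_hex: str,
                   ca_file: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS session and abort it unless the peer certificate matches the pin.

    Chain validation runs during the handshake; the pin check runs before any
    application data is sent, so a certificate that passed chain validation but
    is not the device's own certificate is still rejected.
    """
    ctx = strict_client_context(ca_file)
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True) or b""
    if not fingerprint_matches(der, pinned_hex):
        tls.close()
        raise ssl.SSLError(
            f"fingerprint mismatch for {host}: got {cert_fingerprint(der)}")
    return tls
```

`connect_pinned("switch.example", 443, PINNED_SHA256, ca_file="device-ca.pem")` (hypothetical host and CA path) returns the socket only when both the chain and the pin check pass.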
SCALANCE XRH-300/XRM-300
Equipment Manual, 10/2022, C79000-G8976-C546-01