User Manual: Security
BOBCAT Rail Switch HiOS-2S (UM Security BRS-2S)
Release 8.7, 05/2022
Technical support: https://hirschmann-support.belden.com...
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.
Document History
Version | Finalize date | Finalized by | Relevant content changes
0.21a | 2021-08-30 | U. Messerle | Prepared draft for review.
0.30b | 2021-11-02 | U. Messerle | Reworked according to review results: removed default user credentials "user/public"; added "hardening" to scope; generalized some descriptions for device security (they also apply to operation and maintenance).
Safety instructions Safety instructions WARNING UNCONTROLLED MACHINE ACTIONS To avoid uncontrolled machine actions caused by data loss, configure all the data transmission devices individually. Before you start any machine which is controlled via data transmission, be sure to complete the configuration of all data transmission devices.
About this Manual About this Manual The “Configuration” user manual contains the information you need to start operating the device. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The “Installation”...
The designations used in this manual have the following meanings:
List
Work step
Link
Cross-reference with link
Note: A note emphasizes a significant fact or draws your attention to a dependency.
Courier: Representation of a CLI command or field contents in the graphical user interface
Execution in the Graphical User Interface
Execution in the Command Line Interface...
Security planning 1.1 Introduction 1 Security planning Introduction 1.1.1 Subject The user manual "Security" contains security recommendations for your network device. It deals with the following lifecycle phases of your device: Secure installation Secure commissioning Secure administration and operation ...
Security planning 1.1 Introduction 1.1.4 Capability security level The security requirements, planning steps, and measures in this document deal with the capability security level 1 (SL-C 1) according to the standard IEC 62443-4-2. SL-C 1 means protection against casual or coincidental security violations. Some security requirements, measures, and steps mentioned in this document may exceed the target security level SL-C 1.
Security planning 1.2 Defense in depth Defense in depth 1.2.1 Purpose Defense in depth is a strategy that employs various independent security measures to guard an asset under consideration against specific attacks. A system that employs defense in depth first confronts an attacker with a particular barrier. If an attacker overcomes this barrier, the system presents another barrier of a different type.
Security planning 1.2 Defense in depth
Barrier | Description
Non-default user account names | An attacker must guess or find out the real user account names.
Non-default passwords | An attacker must guess or find out the real passwords.
Specific, restricted account privileges | An attacker must guess or find out the administrator account credentials to read privileged data or manipulate device settings.
Security planning 1.3 Impact of the system lifecycle to the device lifecycle Impact of the system lifecycle to the device lifecycle A network device is a component in a superordinate system. Therefore, the system lifecycle determines parts of the device lifecycle. A system lifecycle involves a planning phase. The decisions taken in the planning phase affect the device lifecycle directly or indirectly.
Security planning 1.4 Impact of device requirements on system planning Impact of device requirements on system planning Some requirements of the device have an impact on the system lifecycle phases, in particular on system planning. Topics of this interdependence include: A secure installation location, including the aspects: ...
Security planning 1.4 Impact of device requirements on system planning Digital Input If you plan to use the Digital Input, consider the following security aspects: To help protect the device, connect the Digital Input only to a circuit that meets the device ...
Security planning 1.4 Impact of device requirements on system planning Note: The device asks you to change the default password on the first login. Hirschmann recommends planning an overarching user account password policy and applying it to each device. To deter attackers, consider planning different passwords on different devices, so that one compromised credential does not open every device. Table 1: User credentials for the user account in the delivery state User Name Default Password Access Role...
Security planning 1.4 Impact of device requirements on system planning 1.4.6 VLAN plan considerations depending on redundancy protocols Network availability can be an important base for the security of the superordinate system. The device offers redundancy protocols for this purpose. The redundancy protocols HIPER Ring and Ring/Network Coupling employ the fixed VLAN ID 1 for their protocol packets.
Device security 2.1 Security vs. functionality 2 Device security Security vs. functionality This chapter deals with the device security throughout lifecycle phases of the device. For the functional device lifecycle phases, refer to the detailed device documents: User manual "Installation", for example, for permissible ambient conditions ...
Device security 2.2 Prerequisites for installation and setup Prerequisites for installation and setup Hirschmann assumes that, when reading this section, you have already performed the system planning steps, including: The choice of a suitable physical location for the devices (see on page 26 “Choice of a secure ...
Device security 2.3 Recommended installation work step sequence Recommended installation work step sequence The device security lifecycle phases in a practical order are: Choice of a secure installation location (see on page 26 “Choice of a secure installation location”) Initial software update (see on page 27 “Software update”) ...
Device security 2.4 Choice of a secure installation location Choice of a secure installation location Refer to the user manual "Installation" for a suitable physical installation location. Select an installation location that in addition offers appropriate device security by restricting physical access. Check that the following device security requirements are fulfilled if needed: Install the device in a room that can be locked and where only authorized personnel have ...
Device security 2.5 Software update Software update The following description applies to: The initial software update for a device out-of-the-box A software update as part of operation or maintenance Check if an updated release of the device software is available. You find information and software downloads on the Hirschmann product pages on the Internet at www.hirschmann.com.
Device security 2.6 Security configuration Security configuration The following description applies to: The initial security configuration for a device out-of-the-box Changes in the security configuration as part of operation or maintenance Refer to the user manual "Configuration" for the functional device configuration. Note: To configure the device, you need management access to the device, which requires at least a preliminary IP configuration.
Device security 2.6 Security configuration You can also elect to configure the following advanced user authentication measures as needed (see on page 36 “Configure advanced user authentication”): Use 802.1X for user authentication. Use a dedicated authentication policy list. Configure RADIUS access instead of or in addition to the local IAS (Integrated Authentication ...
Device security 2.6 Security configuration 2.6.4 Disable logical access to the Signal Contact If you do not need the Signal Contact, disable the Signal Contact in the device configuration. In the delivery state, the Signal Contact is disabled. If you do need the Signal Contact, refer to the related considerations (see on page 39 “Signal Contact considerations”).
Device security 2.6 Security configuration Energy conservation aspects: If you set the power limit for a given port to the known power consumption of the PD, this may help in powering more PDs in certain cases. If you know the power consumption needs of a PD on a time-of-day or day-of-week basis, you ...
Device security 2.6 Security configuration 2.6.12 Disable loading a configuration profile that lacks a valid fingerprint Disable the loading of a configuration profile that lacks a valid fingerprint. This helps secure the device against loading an unsigned configuration profile placed on an external memory and plugged into the device with the intention that the unsigned configuration profile will take effect after a reboot.
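The following is an added illustration of the principle behind 2.6.12, not HiOS code, and the page does not describe the device's actual fingerprint format. It assumes, as a stand-in, that a profile carries an HMAC-SHA256 trailer computed with a key held only by the device (the `#fingerprint:` trailer, the key and the `require_fingerprint` switch are assumptions). It shows what the setting buys you: a profile copied onto external memory and edited, or one without any fingerprint, is rejected before it can take effect, while the weak setting lets an unsigned profile through.

```python
"""Added example: load a configuration profile only if its fingerprint verifies.
Stand-in for the HiOS mechanism described in 2.6.12; format and key are assumptions."""
import hashlib
import hmac
from typing import Optional

TRAILER = b"\n#fingerprint:"  # assumed trailer format: <config>\n#fingerprint: <hex>


def fingerprint(profile: bytes, key: bytes) -> str:
    """Keyed fingerprint over the profile bytes (assumed: HMAC-SHA256 with a device-held key)."""
    return hmac.new(key, profile, hashlib.sha256).hexdigest()


def sign_profile(config: bytes, key: bytes) -> bytes:
    """Append the fingerprint trailer, as the device would when it saves a profile."""
    return config + TRAILER + b" " + fingerprint(config, key).encode("ascii")


def load_profile(blob: bytes, key: bytes, require_fingerprint: bool = True) -> Optional[bytes]:
    """Return the config part of `blob` if it may be applied, else None.

    require_fingerprint=True is the hardened setting from 2.6.12: a profile
    without a trailer is refused. With False, an unsigned profile is accepted
    as-is, which is exactly what an attacker with access to the external memory
    relies on.
    """
    body, sep, trailer = blob.rpartition(TRAILER)
    if not sep:
        # No trailer at all: unsigned profile.
        return None if require_fingerprint else blob
    # Constant-time compare on bytes so a wrong fingerprint leaks no timing information.
    if hmac.compare_digest(fingerprint(body, key).encode("ascii"), trailer.strip()):
        return body
    # Trailer present but wrong: body edited after signing, or signed with another key.
    return None


if __name__ == "__main__":
    # Constructed sample profile and device key; not real device data.
    device_key = b"device-held-secret"
    config = b"hostname: sw01\nvlan 1 name mgmt\n"
    good = sign_profile(config, device_key)
    tampered = good.replace(b"sw01", b"evil")          # edited on the external memory
    print("valid   :", load_profile(good, device_key) == config)      # True
    print("tampered:", load_profile(tampered, device_key))            # None
    print("unsigned:", load_profile(config, device_key))              # None (hardened)
    print("unsigned, weak setting:", load_profile(config, device_key, False) == config)  # True
```

The point to take from the last two lines is that the check only protects you when the "refuse without fingerprint" setting is on; a fingerprint that is merely optional stops tampering with signed profiles but not substitution with an unsigned one.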
Device security 2.6 Security configuration 2.6.15 Configure a dedicated HTTPS certificate In the state of delivery, the device contains a self-signed HTTPS certificate. You have the option of: Replacing the existing HTTPS certificate with a new, self-signed HTTPS certificate on the ...
Device security 2.6 Security configuration Waiting time before the device auto-unlocks a locked user account: For security reasons, configure the value as high as possible. For availability reasons, configure it as low as practical. Use a value >0. Choose a value that balances the two for your situation. These steps help ensure that the device locks out a user after the maximum number of failed user logins in a row and then enforces a waiting period before that account can log in again.
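To make the security/availability trade-off in the two settings above concrete, here is an added model of the lockout behaviour the text describes (consecutive-failure threshold, then a waiting period with auto-unlock). It is illustrative Python, not HiOS code; the `LoginGuard` class, its threshold and the timings are assumptions. Note the two edge cases a practitioner cares about: a correct password submitted during the waiting period is still refused, which is the availability cost, and the failure counter starts from zero again once the account auto-unlocks.

```python
"""Added example: account lockout after N consecutive failed logins, with
auto-unlock after a waiting period. Illustrative model of section 2.6, not HiOS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LoginGuard:
    max_failures: int = 5          # assumed: failed logins in a row before lockout
    lockout_seconds: int = 300     # assumed: waiting time before auto-unlock; must be > 0
    _failures: Dict[str, int] = field(default_factory=dict)      # account -> consecutive failures
    _locked_until: Dict[str, float] = field(default_factory=dict)  # account -> unlock time

    def __post_init__(self) -> None:
        # The manual says to use a value > 0; 0 would disable the waiting period entirely.
        if self.lockout_seconds <= 0:
            raise ValueError("lockout time must be > 0")

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Process one login attempt at time `now`; return 'ok', 'failed' or 'locked'."""
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                # Still in the waiting period: refuse without consulting the password,
                # so a guesser gets no feedback while locked out.
                return "locked"
            # Waiting period over: auto-unlock and restart the count.
            del self._locked_until[account]
            self._failures[account] = 0
        if password_ok:
            self._failures[account] = 0   # a success ends any run of failures
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "failed"


def replay(events: List[Tuple[float, bool]], max_failures: int, lockout_seconds: int) -> List[str]:
    """Run a constructed sequence of (time, password_ok) attempts against one account."""
    guard = LoginGuard(max_failures=max_failures, lockout_seconds=lockout_seconds)
    return [guard.attempt("admin", ok, t) for t, ok in events]


if __name__ == "__main__":
    # Constructed attempt sequence: three wrong passwords, then the right one while
    # still locked, then the right one after the waiting period.
    events = [(0, False), (1, False), (2, False), (3, True), (70, True)]
    print(replay(events, max_failures=3, lockout_seconds=60))
    # ['failed', 'failed', 'locked', 'locked', 'ok']
```

With a higher `lockout_seconds` the fourth attempt stays refused for longer, which is the security gain; the same number is how long a legitimate administrator waits after mistyping, which is why the manual asks for a value that fits your situation rather than a fixed one.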
Device security 2.6 Security configuration Create user accounts. For each new user account, perform the following steps: – Create a user account with a dedicated name. – Assign the new user account an access role that offers only the least necessary privileges. –...
Device security 2.6 Security configuration 2.6.22 Configure logging Configure logging: Configure synchronization of the device system clock to a trusted source. See the user manual "Configuration" on how to synchronize the device system clock to a trusted source. If you use PTP (IEEE 1588), refer to the PTP chapters. Configure logging severity levels.
Device security 2.6 Security configuration 2.6.26 Create a backup of device-specific data When the device configuration is complete: Consider creating a backup copy of the configuration. For example, place the backup file in a device-specific folder. Include other device-specific data. For example, copy device-specific private keys or certificates ...
Device security 2.7 Possible hardware modifications for security Possible hardware modifications for security The following descriptions apply to: The possible hardware modifications for a device out-of-the-box Possible hardware modifications as part of operation or maintenance Perform the following hardware modification steps, like covering or obstructing a slot or a port, as needed: Restrict physical access to the USB port.
Device security 2.8 Device installation Device installation The following description applies to: The installation of a device in a new system Changes to the device as part of operation or maintenance Perform the device installation according to the user manual "Installation" for the device. 2.8.1 Data connections Perform the data connections according to the user manual "Installation"...
Device security 2.9 Operation Operation In the operation phase of the device, Hirschmann assumes you have already taken the appropriate physical and logical steps to set up the device and operate it properly regarding the functional and security aspects of the device. This essentially reduces the required security steps during the operation phase to the considerations already described in this security manual, the user manual "Installation"...
Device security 2.10 Maintenance 2.10 Maintenance 2.10.1 Software update If necessary, perform a software update: For the security aspects (see on page 27 “Software update”). For the detailed worksteps, see the user manual "Configuration", chapter "Loading software updates". 2.10.2 Hardware enhancement Typical application cases include:...
Device security 2.11 Decommissioning 2.11 Decommissioning If you have high security requirements, consider physical destruction (see on page 42 “Secure physical destruction of device and components”). Secure physical destruction addresses the possible reading-out of memory blocks from the flash memory and makes deletion and wiping (see on page 42 “Destruction of confidential data and secrets”) redundant.
Network security support 3.1 Introduction 3 Network security support This chapter lists what the device can do for the security of your network, including enhancing the availability of your network. The chapter deals with device functionality in the operation and maintenance lifecycle phases that can affect the security of your network.
Network security support 3.2 Prerequisites for setting up network security Prerequisites for setting up network security A securely configured device can help you make your network more secure and available. Hirschmann assumes that, when reading this section, you have taken the necessary steps to secure the device itself (see on page 23 “Device security”).
Network security support 3.3 Employ defense in depth for your network infrastructure Employ defense in depth for your network infrastructure Defense in depth uses several barriers that a potential attacker has to overcome one after the other. Hirschmann assumes that, when reading this section, you have already set up a dedicated plan for defending your system in depth (see on page 15 “Defense in depth”).
Network security support 3.4 Hardening the network infrastructure Hardening the network infrastructure The suggested hardening measures are collected in the chapter (see on page 47 “Measures to secure the network infrastructure”). Pick the measures suitable for defense in depth first. Then complement them by selecting from the remaining hardening possibilities.
Network security support 3.5 Measures to secure the network infrastructure Measures to secure the network infrastructure The collection of suggested measures can be used for hardening and for defense in depth. Pick the measures suitable for defense in depth first. Then complement them by selecting from the remaining hardening possibilities.
Network security support 3.6 Restrict logical access to your network Restrict logical access to your network 3.6.1 Configure a dedicated management VLAN If you have already set up a dedicated management VLAN, you can skip this chapter. Else follow the description (see on page 29 “Configure a VLAN dedicated to management access.”).
Network security support 3.7 Secure the network protocols used Secure the network protocols used 3.7.1 Disable GMRP and MMRP The GARP Multicast Registration Protocol (GMRP) and its successor, the Multiple MAC Registration Protocol (MMRP) can be used to register group MAC addresses dynamically and automatically setup multicast forwarding in a device.
Network security support 3.8 Secure the redundancy protocols used Secure the redundancy protocols used Note: Securing the redundancy protocols used can also help you enhance and maintain the availability of your network infrastructure. 3.8.1 Secure RSTP guards and helper protocols Secure RSTP guards.
Network security support 3.9 Configure attack protection functions Configure attack protection functions 3.9.1 Configure Denial of Service (DoS) protection Configure DoS protection. See the user manual "Graphical User Interface" on how to configure DoS protection. 3.9.2 Configure rate limiters Configure rate limiters. See the user manual "Graphical User Interface" on how to configure rate limiters.
Network security support 3.10 Configure network time synchronization 3.10 Configure network time synchronization Hirschmann assumes that, when reading this section, you have taken the necessary steps to secure the device itself, including its own clock (see on page 35 “Configure time synchronization”). To help synchronize the time in the network, the device may act as a time server. Configure the server function of the device.
Network security support 3.11 Configure logging 3.11 Configure logging Configure logging severity levels and destinations. The necessary settings depend on your security requirements. See the user manual "Configuration" on how to configure logging severity levels and destinations. Note: Secure logging also relies on the synchronization of the device system clock to a trustworthy source (see on page 35 “Configure time synchronization”); without it, log entries cannot be correlated reliably across devices.
You find the addresses of our partners on the Internet at www.hirschmann.com. A list of local telephone numbers and email addresses for technical support directly from Hirschmann is available at hirschmann-support.belden.com. This site also includes a free of charge knowledge base and a software download section.
Readers’ Comments C Readers’ Comments What is your opinion of this manual? We are constantly striving to provide as comprehensive a description of our product as possible, as well as important information to assist you in the operation of this product. Your comments and suggestions help us to further improve the quality of our documentation.
Readers’ Comments General comments: Sender: Company / Department: Name / Telephone number: Street: Zip code / City: E-mail: Date / Signature: Dear User, Please fill out and return this page as a fax to the number +49 (0)7127/14-1600 or per mail to ...