Belden HIRSCHMANN HiOS-2A, User Manual

Page 1: ...UM Security BRS 2A Release 8 7 05 2022 Technical support https hirschmann support belden com User Manual Security BOBCAT Rail Switch HiOS 2A ...

Page 2: ...performance features described here are binding only if they have been expressly agreed when the contract was made This document was produced by Hirschmann Automation and Control GmbH according to the best of the company s knowledge Hirschmann reserves the right to change the contents of this document without prior notice Hirschmann can give no guarantee in respect of the correctness or accuracy o...

Page 3: ...llation location 18 1 4 2 Plan a dedicated user account login policy 19 1 4 3 Plan a dedicated user account password policy 19 1 4 4 Plan a dedicated user account name and access role policy for device management 20 1 4 5 Plan a dedicated logging policy 20 1 4 6 VLAN plan considerations depending on redundancy protocols 21 1 4 7 Network time synchronization considerations 21 2 Device security 23 2...

Page 4: ... user account names and access roles for device management 34 2 6 20 Adapt session timeouts 35 2 6 21 Configure time synchronization 35 2 6 22 Configure logging 36 2 6 23 Configure dedicated login banners 36 2 6 24 Configure advanced device security 36 2 6 25 Configure advanced user authentication 36 2 6 26 Create a backup of device specific data 37 2 7 Possible hardware modifications for security...

Page 5: ...gure ACLs 48 3 7 Secure the network protocols used 49 3 7 1 Disable GMRP and MMRP 49 3 8 Secure the redundancy protocols used 50 3 8 1 Secure RSTP guards and helper protocols 50 3 8 2 Secure MRP 50 3 8 3 Secure HIPER Ring 50 3 8 4 Secure Ring Network Coupling 50 3 9 Configure attack protection functions 51 3 9 1 Configure Denial of Service DoS protection 51 3 9 2 Configure rate limiters 51 3 10 Co...

Page 6: ...Contents 6 UM Security BRS 2A Release 8 7 05 2022 ...

Page 7: ...OPC UA Server 0 99c RC3 2022 04 04 U Messerle Internal Removed misplaced function related tag 0 99d RC4 2022 04 05 U Messerle Review incorporated Improved description of hardening Clarified restrictions to physical access Pointed out forced password change Removed claims that the external memory function of the USB port can be disabled Changed delivery state setting of EtherNet IP management acces...

Page 8: ...Document History 8 UM Security BRS 2A Release 8 7 05 2022 ...

Page 9: ...trolled machine actions caused by data loss configure all the data transmission devices individually Before you start any machine which is controlled via data transmission be sure to complete the configuration of all data transmission devices Failure to follow these instructions can result in death serious injury or equipment damage ...

Page 10: ...Safety instructions 10 UM Security BRS 2A Release 8 7 05 2022 ...

Page 11: ...nterface to operate the individual functions of the device The Command Line Interface reference manual contains detailed information on using the Command Line Interface to operate the individual functions of the device The Security user manual contains considerations for system security planning recommendations for the device security over the device lifecycle and descriptions how the device can h...

Page 12: ...meanings List Work step Link Cross reference with link Note A note emphasizes a significant fact or draws your attention to a dependency Courier Representation of a CLI command or field contents in the graphical user interface Execution in the Graphical User Interface Execution in the Command Line Interface ...

Page 13: ...ope This document deals with the recommended device security measures throughout the device lifecycle These recommendations include How to achieve defense in depth for the device How to harden the device How a specifically configured device can help you achieve defense in depth for your system How a specifically configured device can help you harden your system A network device is part of a supero...

Page 14: ...ns Some security requirements measures and steps mentioned in this document may exceed the target security level SL C 1 They are therefore not strictly required to achieve SL C 1 They are nevertheless included when these security measures and steps generally mean little effort and reasonable effect 1 1 5 Document Outline The following main chapters deal with 2 main subjects The security of the dev...

Page 15: ...n any barriers as possible and reasonable A strategy for hardening may include the concepts least necessary functions for the device and least necessary privileges for user accounts Develop a strategy for defense in depth first Then complement it by hardening 1 2 3 Responsibilities Defense in depth as well as hardening need planning implementation and maintenance It is the responsibility of the sy...

Page 16: ... out the real passwords 7 Specific restricted account privileges An attacker must guess or find out the administrator account credentials to read privileged data or manipulate device settings 1 Dedicated user account names can be device specific and could be deliberately chosen to be non descriptive 2 Passwords can be specific to a certain access protocol for example HTTPS or SNMPv3 and can be dev...

Page 17: ... separation also applies to flooded multicast broadcast and unknown unicast frames This helps confidentiality besides helping reduce the network load on layer 1 A VLAN plan is a prerequisite for a secure configuration of the device itself and in turn for the security and availability of your system Create a VLAN plan that segregates your network on layer 2 A dedicated management VLAN can be a barr...

Page 18: ...n more detail see on page 23 Device security 1 4 1 Secure installation location Refer to the user manual Installation for a suitable physical installation location Select a location that in addition offers appropriate device security by restricting physical access Install the device in a room that can be locked and where only authorized personnel have access Install the device in a cabinet to whic...

Page 19: ...e Interface CLI using SSH or Telnet The Graphical User Interface GUI using HTTPS or HTTP You can configure the following requirements for the user login Maximum number of failed user logins in a row until the device locks the respective user account Waiting time Login attempts period before the device auto unlocks a locked user account Access to the CLI using the serial connection is exempt from t...

Page 20: ...and apply the password policy check Plan strong SNMPv3 authentication and encryption types and strong related passwords for the new user accounts Remove user accounts with standard names Note Hirschmann recommends planning an overarching user account and access role policy and apply it to each device To deter attackers consider planning different user account names and different passwords on diffe...

Page 21: ...rations Network time synchronization can be required for several reasons including secure logging The protocols NTP and PTP implicitly trust the time source To make network time synchronization more secure planning an overarching network time synchronization policy is recommended Parameters of this policy may include The choice of the network protocol for time distribution The choice of the primar...

Page 22: ...Security planning 1 4 Impact of device requirements on system planning 22 UM Security BRS 2A Release 8 7 05 2022 ...

Page 23: ... phases of the device For the functional device lifecycle phases refer to the detailed device documents User manual Installation for example for permissible ambient conditions User manual Configuration for example for basic settings and software update Reference manual Graphical User Interface for example for specific settings Reference manual Command Line Interface for example for specific comman...

Page 24: ...ce of a secure installation location Creating a dedicated user account login policy see on page 19 Plan a dedicated user account login policy Creating a dedicated user account password policy Creating a dedicated user account and access role policy for device management Creating a dedicated policy for SNMPv3 authentication and encryption types and for the related passwords Traffic segregation on l...

Page 25: ...te before the initial device installation can have the following benefits The required resources for example prepared configuration files and device labels may be more conveniently available in an office location Time consuming steps like software updates can be performed in parallel Associated devices for example devices participating in a ring redundancy can be configured contiguously For certai...

Page 26: ...er supply redundancy requirements Provide an adequate power budget see on page 26 Power supply power budget requirements Provide data link redundancy see on page 26 Data link redundancy requirements Power supply redundancy requirements Check that the power supply redundancy requirements are fulfilled if needed The device is powered by 2 redundant power sources The power supply cables to the device...

Page 27: ...e management At the first login with the default password the device asks you to change the password Use a dedicated password according to your password policy see on page 19 Plan a dedicated user account password policy Refer to the user manual Configuration for details on how to Determine the currently running software release Determine the stored software release Check for newer available softw...

Page 28: ...evice asks you to change the password Use a dedicated password according to your password policy see on page 19 Plan a dedicated user account password policy Overview and recommended sequence Perform the following steps as needed Assign a static IP address for the device management Configure a VLAN dedicated to management access Disable HiDiscovery access Disable logical access to unused ports and...

Page 29: ... Local DHCP delivery state and BOOTP Selecting the setting Local that is static helps make the device more immune to potential attacks via the DHCP or BOOTP protocols 2 6 2 Disable HiDiscovery access The HiDiscovery protocol is enabled in the delivery state Setting the HiDiscovery protocol to Off helps make the device more immune to potential attacks via the HiDiscovery protocol 2 6 3 Configure a ...

Page 30: ...ork device to an unused port Note Treat inserted SFPs without a data cable the same way as unused ports 2 6 7 Configure Power over Ethernet Delivery state The device global setting PoE Global Operation is On Port related settings The setting PoE Port Enable is PoE enable The allowed classes Class 0 Class 4 are all enabled The Power limit W is 0 0 the device will not enforce a specific power limit ...

Page 31: ...the automatic device software update from an external memory This helps secure the device against rogue device software placed on an external memory and plugged into the device with the intention that the rogue device software will be copied to the device and take effect after a reboot See the user manual Configuration on how to disable automatic device software update from an external memory 2 6 ...

Page 32: ...lows restricting the management access to the device to a source IP address range You specify the address range by giving an IP address and a netmask You can configure the management access IP restrictions individually for each protocol or for a group of protocols Note Protocols with the delivery state Enabled bolded may be useful for the initial configuration of the device However they may be con...

Page 33: ...n the state of delivery the device contains a self signed SSH host key pair You have the option of Replacing the existing SSH host key pair with a new self signed SSH host key pair on the device Loading a dedicated SSH host key pair onto the device Note When you create a new self signed SSH host key pair on the device use the SSH host key fingerprint algorithm sha256 delivery state sha256 If you h...

Page 34: ...od does not apply This ensures access to the device management in situations where availability may be critical and for users who already have physical access to the device 2 6 18 Configure a dedicated user account password policy Note Hirschmann assumes that when reading this section you have already created a dedicated user account password policy see on page 19 Plan a dedicated user account pas...

Page 35: ...net Command Line Interface using the serial connection Note Configure the session timeouts as short as possible and as long as practical Set each timeout to a value 0 This helps ensure that the device terminates the respective session automatically when idle 2 6 21 Configure time synchronization The protocols NTP and PTP implicitly trust the time source Configure the network time synchronization p...

Page 36: ...in banners Configure dedicated login banners Configure the GUI pre login banner with only the minimal information necessary If possible avoid any information that may help an attacker Configure the CLI pre login banner with only the minimal information necessary If possible avoid any information that may help an attacker Configure the CLI post login banner with only the minimal information necessa...

Page 37: ...ating a backup copy of the configuration For example place the backup file in a device specific folder Include other device specific data For example copy device specific private keys or certificates to the same device specific folder Keep the backup files separate from the device in a secure location This minimizes your effort to replace a device should the hardware become inoperable ...

Page 38: ...or obstructing the USB port 2 7 2 Restrict physical access to network ports or SFP slots If you have high security requirements and you are sure you will not need certain network ports or SFP slots after commissioning consider covering or obstructing these network ports and SFP slots 2 7 3 Restrict physical visual access to the device and port LEDs If you have high security requirements perform th...

Page 39: ...details see the user manual Installation To help protect your system connect the Signal Contact only to circuits that do not have explicit security or safety requirements This means The circuit controlled by the Signal Contact does not have any security or safety function The controlled circuit does not rely on the secure or safe operation of the Signal Contact 2 8 3 Digital Input considerations I...

Page 40: ...ty steps during the operation phase to the considerations already described in this security manual the user manual Installation and the user manuals Configuration Graphical User Interface and Command Line Interface The most essential parts are repeated below 2 9 1 Environmental conditions Obey the environmental conditions given in the user manual Installation Do not open the device 2 9 2 Connecti...

Page 41: ...y for worst case device power budget even in case one of the redundant power supplies fails Configure PoE or PoE power budget Take the worst case PoE or PoE power budget into account Provide redundant data uplinks 2 10 3 Hardware replacement Note Do not open the device Perform the following steps Perform an initial software update see on page 27 Software update Perform the software configuration f...

Page 42: ...or the deletion of data perform the following steps as needed Reset the device to the delivery state This performs the following operations Deletes the current HTTPS certificate in the device and creates a new self signed HTTPS certificate Deletes the current SSH host key pair in the device and creates a new self signed SSH host key pair Deletes the configuration profiles and configuration scripts...

Page 43: ... maintenance lifecycle phases that can affect the security of your network The prerequisite is that you have secured the device itself see on page 23 Device security For the general device functions refer to the detailed manuals 3 1 Introduction Aside from the basic task of transmitting data packets in your network the device also can help you Employ defense in depth for your network infrastructur...

Page 44: ...elease 8 7 05 2022 3 2 Prerequisites for setting up network security A securely configured device can help you make your network more secure and available Hirschmann assumes that when reading this section you have taken the necessary steps to securing the device itself see on page 23 Device security ...

Page 45: ...re are 2 aspects how defense in depth is realized that is how they translate into specific device setups Measures to secure the device itself and in turn to secure the network These measures are described in the chapter Device security see on page 28 Security configuration Measures to secure the network by using specific device functions These measures are described in the remainder of this main c...

Page 46: ...05 2022 3 4 Hardening the network infrastructure The suggested hardening measures are collected in the chapter see on page 47 Measures to secure the network infrastructure Pick the measures suitable for defense in depth first Then complement them by selecting from the remaining hardening possibilities ...

Page 47: ...N segregation Disable GVRP and MVRP Configure Port Security Configure ACLs Secure the network protocols used see on page 49 Secure the network protocols used Disable GMRP and MMRP Secure the redundancy protocols used see on page 50 Secure the redundancy protocols used Configure RSTP guards and helper protocols Configure MRP MRP VLAN ID 2 tagged packets Configure HIPER Ring VLAN ID 1 tagged packets...

Page 48: ...edundancy protocols 3 6 3 Disable GVRP and MVRP The GARP VLAN Registration Protocol GVRP and its successor the Multiple VLAN Registration Protocol MVRP can be used to dynamically set up VLANs in a device This also creates a potential attack surface It is generally considered more secure to disable GVRP and MVRP In the delivery state GVRP and MVRP are both globally disabled on the device 3 6 4 Conf...

Page 49: ...t Registration Protocol GMRP and its successor the Multiple MAC Registration Protocol MMRP can be used to register group MAC addresses dynamically and automatically setup multicast forwarding in a device This also creates a potential attack surface It is generally considered more secure to disable GMRP and MMRP In the delivery state GMRP and MMRP are both globally disabled on the device ...

Page 50: ...o the device with the intention to trick it into disabling its respective port Note The delivery state for the L2 loop protection is disabled 3 8 2 Secure MRP Secure MRP MRP VLAN ID 2 tagged packets This may require an existing VLAN plan See the user manual Graphical User Interface on how to configure MRP 3 8 3 Secure HIPER Ring Secure HIPER Ring VLAN ID 1 tagged packets This may require an existi...

Page 51: ...gure attack protection functions 3 9 1 Configure Denial of Service DoS protection Configure DoS protection See the user manual Graphical User Interface on how to configure DoS protection 3 9 2 Configure rate limiters Configure rate limiters See the user manual Graphical User Interface on how to configure rate limiters ...

Page 52: ... securing the device itself see on page 35 Configure time synchronization To help synchronize the time in the network the device may act as a time server Configure the server function of the device Parameters to be configured may include Enable the server function of the device only if necessary Enable only the servers for the network protocols allowed by the policy Tune the server functions of th...

Page 53: ...nd destinations Note Secure logging also relies on the synchronization of the device system clock to a trustworthy source see on page 35 Configure time synchronization The audit trail function is always active and cannot be disabled Neither can the audit trail be deleted by resetting the device to the delivery state 3 11 1 Configure an audit trail Note The audit trail function is always active and...

Page 54: ...Network security support 3 11 Configure logging 54 UM Security BRS 2A Release 8 7 05 2022 ...

Page 55: ...ROFINET configuration 32 ACLs network 48 Adapt session timeouts configuration 35 Advanced device security configuration 36 Advanced user authentication configuration 36 Advanced user authentication overview 29 Assign a local IP address for the device management configuration 29 Assign a static IP address for the device management configuration 29 Attack protection functions network 51 Audience of ...

Page 56: ...n external memory 31 Disable insecure management protocols 32 Disable loading configuration profile from external memory 31 Disable loading configuration profile without valid fingerprint 32 Disable logical access to Digital Input 30 Disable logical access to Signal Contact 30 Disable logical access to unused ports and SFP slots 30 Disable writing unencrypted configuration profile to external memo...

Page 57: ...rets decommissioning 42 Device and port LEDs planning 19 Device availability planning 18 Device availability requirements installation 26 Device installation 39 Device security main chapter 23 Digital Input planning 19 Digital Input considerations installation 39 Disable automatic device software update from external memory configuration 31 Disable booting from an external memory configuration 31 ...

Page 58: ...tions 39 Data link redundancy requirements 26 Device 39 Device availability requirements 26 Digital Input considerations 39 Power supply power budget requirements 26 Power supply redundancy requirements 26 Signal Contact considerations 39 Software update 27 Intended Audience of this document introduction 13 Introduction network 43 Introduction planning 13 IP access restrictions configuration 32 L ...

Page 59: ...astructure 46 Introduction 43 Logging 53 Measures to secure the infrastructure 47 Port Security 48 Prerequisites 44 Rate limiters 51 Restrict logical access 48 RSTP guards 50 Secure HIPER Ring 50 Secure MRP 50 Secure Ring Network Coupling 50 Secure the network protocols used 49 Secure the redundancy protocols used 50 Securing the infrastructure 47 Synchronize the time 52 Time Synchronization 52 VL...

Page 60: ... User account password policy 19 VLAN 17 PoE power budget configuration 30 Port and device LEDs planning 19 Port Security network 48 Possible hardware modifications for security configuration 38 Power over Ethernet power budget configuration 30 Power supply power budget requirements installation 26 Power supply redundancy requirements installation 26 Preparation for installation recommendation 25 ...

Page 61: ...uthentication and encryption password policy configuration 35 Software update installation 27 Software update maintenance 41 SSH host key pair configuration 33 Static IP address for the device management configuration 29 Subject of this document 13 Synchronize the time network 52 Synchronize the time planning 21 T Technical questions 63 Time Synchronization network 52 Training courses 63 U User ac...

Page 62: ...Index 62 UM Security BRS 2A Release 8 7 05 2022 ...

Page 63: ...able at doc hirschmann com Customer Innovation Center The Customer Innovation Center is ahead of its competitors on three counts with its complete range of innovative services Consulting incorporates comprehensive technical advice from system evaluation through network planning to project planning Training offers you an introduction to the basics product briefing and user training with certificati...

Page 64: ...roduct Your comments and suggestions help us to further improve the quality of our documentation Your assessment of this manual Did you discover any errors in this manual If so on what page Suggestions for improvement and additional information Very Good Good Satisfactory Mediocre Poor Precise description O O O O O Readability O O O O O Understandability O O O O O Examples O O O O O Structure O O ...

Page 65: ...ser Please fill out and return this page as a fax to the number 49 0 7127 14 1600 or per mail to Hirschmann Automation and Control GmbH Department 01RD NT Stuttgarter Str 45 51 72654 Neckartenzlingen Germany Company Department Name Telephone number Street Zip code City E mail Date Signature ...

Page 66: ......