• When user authentication is performed via RADIUS, make sure that all communication takes
place within the security environment or is protected by a secure channel.
• Watch out for link layer protocols that do not offer their own authentication between
endpoints, such as ARP or IPv4. An attacker could use vulnerabilities in these protocols to
attack hosts, switches and routers connected to your layer 2 network, for example, through
manipulation (poisoning) of the ARP caches of systems in the subnet and subsequent
interception of the data traffic. Take appropriate security measures for non-secure layer 2
protocols to prevent unauthorized access to the network, for example by securing physical
access to the local network or by using secure higher-layer protocols.
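The ARP cache poisoning described above leaves a visible footprint on the segment: an IP address that is suddenly announced with a different MAC, or one MAC answering for several IPs. The following detector, an added example that is not part of the operating instructions, runs that check over a constructed sample of ARP replies (the log format, addresses and the `trusted` seed table are assumptions for illustration):

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies as a monitor on the layer 2 segment might
# record them (made up for this example; not taken from the manual).
SAMPLE_ARP_LOG = """\
1 reply 192.168.0.1 is-at 00:1b:1b:aa:aa:01
2 reply 192.168.0.20 is-at 00:1b:1b:aa:aa:20
3 reply 192.168.0.21 is-at 00:1b:1b:aa:aa:21
4 reply 192.168.0.1 is-at 00:1b:1b:aa:aa:21
5 reply 192.168.0.20 is-at 00:1b:1b:aa:aa:21
6 reply 192.168.0.1 is-at 00:1b:1b:aa:aa:01
"""

LINE_RE = re.compile(r"^(\d+) reply (\S+) is-at ([0-9a-f:]{17})$")

def detect_arp_conflicts(log_text, trusted=None):
    """Return (seq, ip, old_mac, new_mac) events where an IP is announced with
    a MAC different from the binding observed before. `trusted` is an optional
    dict of known-good IP->MAC bindings (e.g. gateway, switch management
    address) used to seed the table so the very first claim is checked too."""
    table = dict(trusted or {})
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seq, ip, mac = int(m.group(1)), m.group(2), m.group(3).lower()
        previous = table.get(ip)
        if previous is not None and previous != mac:
            events.append((seq, ip, previous, mac))
        table[ip] = mac  # follow the latest claim, so a flap back is reported too
    return events

def macs_claiming_multiple_ips(log_text, threshold=2):
    """Return {mac: sorted IPs} for MACs announcing at least `threshold` IPs,
    the typical footprint of a host answering for addresses not its own."""
    claims = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            claims[m.group(3).lower()].add(m.group(2))
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for seq, ip, old, new in detect_arp_conflicts(SAMPLE_ARP_LOG):
        print(f"seq {seq}: {ip} changed from {old} to {new}")
    print(macs_claiming_multiple_ips(SAMPLE_ARP_LOG))
```

On the sample, replies 4 and 5 show the gateway and a host being re-announced by the MAC of the third station, and reply 6 shows the gateway's real binding reasserting itself; in a real deployment the static bindings of the gateway and management addresses belong in `trusted`.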
Certificates and keys
• The device ships with a preset SSL certificate with a key length of 1024 bits. Replace this
certificate with your own certificate and key. We recommend that you use a certificate signed
either by a trustworthy external or by an internal certification authority.
• Use a certification authority including key revocation and management to sign certificates.
• Make sure that user-defined private keys are protected and inaccessible to unauthorized
persons.
• Verify certificates and fingerprints on the server and client to prevent "man in the middle"
attacks.
• It is recommended that you use certificates with a key length of at least 2048 bits.
• Change certificates and keys immediately if there is a suspicion of compromise.
Note
The devices have a default SSL certificate with a key length of 1024 bit.
Decommissioning
Shut down the device properly to prevent unauthorized persons from accessing confidential
data in the device memory.
To do this, restore the factory settings on the device.
Also restore the factory settings on the storage medium.
Security recommendations
SCALANCE X-200RNA
Operating Instructions, 04/2022, C79000-G8976-C342-07
17