LENZE E94AMSE0074 E94AMSE0074 E94AMSE0074 E94AMSE0074 E94AMSE0074 E94AMSE0074

or those communication connections which require programming for the local CPU
and for the communication partner (e.g. Access via BSEND / BRECV instructions,
is possible even in the default configuration).
Communications, for which the local CPU is only server (that means, that there is
no configuration / programming of the communication to the communication
partner), are not possible in the operation of the CPU.
This includes:
? PUT/GET, FETCH/WRITE or FTP access via communication modules
? PUT/GET access by other S7-CPUs
? HMI access via PUT/GET communicationThe following chapters show which security mechanisms the SIMATIC S7-CPs
(CP x43-1 Advanced V3 and CP 1x43-1) offer.
Note The functions in CP 1543-1 can be configured from STEP 7 Professional V12
including update 1 onwards.
The CP 1243-1 needs STEP 7 Professional V13 Update 3 or higherFirewalls make it possible to filter the incoming and outgoing traffic that flows
through a system. A firewall can use one or more sets of “rules” to inspect network
packets as they come in or go out of network connections and either allows the
traffic through or blocks it. The rules of a firewall can inspect one or more
characteristics of the packets such as the protocol type, source or destination host
address, and source or destination port.
The filter capabilities of a package filter can be improved considerably if the
packages are checked in their proper context. For instance, a UDP package
arriving from an external computer should only be forwarded internally if another
UDP package has been sent to that computer shortly before from within the
network (e.g. in case of a DNS request of a client in the internal network to an
external DNS server). To enable this, the package filter must maintain records of all
states to all current connections. Package filters that are able to do this are
therefore referred to as Stateful.
Properties
Stateful Inspection Firewalls have the following properties:
? with TCP connections: Imitation of the status monitoring of a complete TCP/
protocol stack
? with UDP connections: simulation of virtual connections
? creation and deletion of dynamic filter rulesA VPN (virtual private network) is a private network that uses a public network (like
the ) for the transmission of private data to a private target network. The
networks need not be compatible with one another.
Although VPN uses the addressing mechanisms of the carrier network it still uses
its own network packages to separate the transport of private data packages from
the others. Due to this fact, the private networks appear as a shared logical (virtual)
network.
Sec
An important aspect for the communication of data across network boundaries is
Sec ( security). It is a standardized protocol suite and provides for
manufacturer-independent, secure, and protected data exchange via networks.
The main object of Sec is protecting and securing the data during a transmission
via an insecure network. Known weaknesses such as the intercepting and
changing of data packages can be prevented by this security standard, due to
encrypted data packages and authentication of the devices.
3.3 NAT/NAPT (address translation)
Descrtion
Network Address Translation (NAT) / Network Address Port Translation (NAPT)
are methods for converting private addresses into public addresses.
Address conversion with NAT
NAT is a protocol for address conversion between two address spaces. The main
task is the conversion of public addresses, i.e. addresses used and routed on
the into private addresses and vice versa.
Through the use of this technology the addresses of the internal network are not
visible in the external network. In the external network, the internal nodes are only
visible via external addresses defined in the address conversion list (NAT table).
The typical NAT is a 1:1 conversion, i.e. a private address is converted to a