Siemens Version: 1.2 User Manual
2. Security Services
2.3.1 First Initiation
At first initialization an IP address is assigned to the Scalance S modules. After the
IP configuration the modules can also be configured over the network. The first
user to take the module into operation enters a user name and password, which
makes that user the administrator.
After the security module is turned on or reset, if it does not contain any
configuration data either in the internal flash or on a removable medium, it does not
allow any communication. Hence the device is in a state that cannot be used in
any way for an attack from the external network. Communication between
protected devices behind different security modules via the external network must
also be explicitly approved in the configuration.
If the device needs to be reset because the passwords have been lost, there is a reset button
on the back of the module. Pushing it returns the device to the delivery state. This
button is protected by a cover on the back side so that it is not pushed by
mistake. If the device is built into a rack, it must first be removed from the rack before the
back cover can be opened.
2.3.2 User Management
There are two user groups with different rights: the administrator and the user
with restricted rights. The administrator is able to grant users access to the
modules; the users are able to change configuration settings according to their
rights. The authentication of the user to the security module is carried out by digest
authentication with user name and password. With this kind of authentication the
password is never sent in plaintext.
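Added example, not Siemens or Scalance S code: the challenge-response form of digest authentication that the paragraph describes, under the assumption that it follows the HTTP Digest scheme of RFC 2617 with qop=auth. Only hashes cross the network, and the server stores only the hashed credential (HA1), so the plaintext password appears neither on the wire nor at rest.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # The only credential the server needs to keep; the password itself is never stored.
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username, password, method, uri, challenge, cnonce=None, nc="00000001"):
    """Build the fields the client sends back for the server's challenge (realm, nonce)."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = compute_ha1(username, challenge["realm"], password)  # stays on the client
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce),
    }


def server_verify(auth, method, stored_ha1, issued_nonces):
    """Recompute the response from the stored HA1 and compare in constant time.

    Simplification (assumption): each server nonce is accepted once, so a captured
    authorization cannot simply be replayed.
    """
    if auth["nonce"] not in issued_nonces:
        return False
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    if not hmac.compare_digest(expected, auth["response"]):
        return False
    issued_nonces.discard(auth["nonce"])
    return True
```

The constructed values in the test are the worked example from RFC 2617 section 3.5; MD5 is kept only because that is what the scheme specifies.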
2.3.3 Learning
In order to keep the configuration of the modules simple, automatic learning
was integrated. A module can learn the existence (and with that the addresses) of
further modules and add this information to its own list of reachable modules. In the
same way it can learn which nodes are in the internal network of another module.
A VPN tunnel can only be set up if the endpoint is known, which implies that the
module protecting the network containing that endpoint must also be known.
Learning is done automatically or by manual configuration.
For this purpose, the security module provides the security configuration protocol
(SCP). This protocol provides the following functions:
• Find further security modules
19-Aug-05 escrypt GmbH