Siemens Version: 1.2 User Manual
3. Security Analysis
3 Security
Analysis
The security module is designed for the use in automation networks. For
automation networks availability and robustness are of first priority since the
network must be protected against any failure so that the production never stops.
For instance, in the chemical industry this is extremely important.
Of course there are also high demands regarding the data security objectives
including data confidentiality, data integrity, and resistance against attacks from the
external network. From the technical point of view the security module meets these
high security goals. In this chapter the technical aspects will be analyzed in detail.
3.1 Network and Protocol Analysis
3.1.1 VPN
The VPN is based on the IPsec protocol family. In the last years this protocol family
was established as an industrial standard for VPNs. Hence, interoperability with
other systems is provided. Within this analysis the interoperability to the IPsec-
implementation of the Linux kernel 2.6.x was confirmed. For the VPN functionality
the IKE daemon isakmpd of OpenBSD was used. The IKE-protocol supports the
following algorithms, where the default values are represented in bold:
Phase 1
Authentication
Modes
DH-groups
Encryption
Life cycle
Authentication
RSA , PSK
Main, Aggressive
1 (768 bit key-length), 2 (1024 bit), 5
(1536 bit)
DES, 3DES
999.999.999 seconds
SHA1, MD5
Phase 2
Life cycle
Encryption
Authentication
PFS
Time (7200s), limit
DES, 3DES, AES
SHA1, MD5
yes, no
19-Aug-05 escrypt
GmbH
12