Siemens Version: 1.2 User Manual

3. Security Analysis

3 Security

Analysis

The security module is designed for the use in automation networks. For

automation networks availability and robustness are of first priority since the

network must be protected against any failure so that the production never stops.

For instance, in the chemical industry this is extremely important.

Of course there are also high demands regarding the data security objectives

including data confidentiality, data integrity, and resistance against attacks from the

external network. From the technical point of view the security module meets these

high security goals. In this chapter the technical aspects will be analyzed in detail.

3.1 Network and Protocol Analysis

3.1.1 VPN

The VPN is based on the IPsec protocol family. In the last years this protocol family

was established as an industrial standard for VPNs. Hence, interoperability with

other systems is provided. Within this analysis the interoperability to the IPsec-

implementation of the Linux kernel 2.6.x was confirmed. For the VPN functionality

the IKE daemon isakmpd of OpenBSD was used. The IKE-protocol supports the

following algorithms, where the default values are represented in bold:

Phase 1

Authentication

Modes

DH-groups

Encryption

Life cycle

Authentication

RSA , PSK

Main, Aggressive

1 (768 bit key-length), 2 (1024 bit), 5

(1536 bit)

DES, 3DES

999.999.999 seconds

SHA1, MD5

Phase 2

Life cycle

Encryption

Authentication

PFS

Time (7200s), limit

DES, 3DES, AES

SHA1, MD5

yes, no

19-Aug-05 escrypt

GmbH