Siemens IK PI · 2015
Industrial Security
Security Integrated
SCALANCE S
■ Design
SCALANCE S602
• Checking of data traffic and protection against unauthorized access by means of a stateful inspection firewall.
• Simple and fast configuration of the firewall through global firewall rules and symbolic names for IP addresses.
• User-specific access rights based on user-specific firewall rules.
• 10/100/1000 Mbit/s ports for connection and operation of SCALANCE S also in Gigabit networks
• In addition to bridge mode, can also be operated in router mode and can therefore be used directly at IP subnet limits
• Address translation
  - NAT (Network Address Translation) permits the use of private IP addresses in the internal network in that public IP addresses are converted to private ones
  - NAPT (Network Address and Port Translation) permits use of private IP addresses in the internal network in that frames are converted to private IP addresses depending on the communication port used
• Internal network nodes can receive their IP address from the integral DHCP server
• The log files can also be evaluated by a syslog server
• Enhanced integration in IT infrastructures and network management systems through SNMP
• Protection of individual, even alternating, devices by dynamically taking over the IP address (ghost mode)
SCALANCE S612
As SCALANCE S602; additionally:
• Encrypted data transmission with VPN (IPsec)
  - Protection against espionage
  - Protection against unauthorized manipulation
• Secure remote access over the Internet, e.g. in conjunction with SOFTNET Security Client and SCALANCE M UMTS routers (with IPsec VPN function)
SCALANCE S623
As SCALANCE S612; additionally:
• DMZ port with which a protected zone (DMZ = demilitarized zone) can be set up between two networks. The DMZ is used to provide data for other networks without granting direct access to the automation network, thus increasing security. The DMZ port can also be used to protect remote maintenance access, where, for example, only access to lower-level automation cells is possible, with no access to the plant network required.
• Secure, redundant connection of automation cells through router and firewall redundancy
SCALANCE S627-2M
As SCALANCE S623; additionally:
• Two media module slots for two additional switched red or green ports each.
  - Direct integration in line or ring topologies is possible
  - Integration into redundant rings (MRP, HRP) is possible
  - Secure, redundant connection of automation cells or rings
  - Direct integration in FO networks is possible through the use of media modules
  - Spanning longer cable runs or using existing 2-wire cables (e.g. PROFIBUS) by deploying the MM992-2VD media modules (variable distance).
■ Function
Security functions
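VPN (Virtual Private Network)
(only for SCALANCE S612, S623 and SCALANCE S627-2M);
for reliable authentication (identification) of the network stations, for encrypting data and for checking data integrity.
• Authentication;
All incoming data traffic is monitored and checked. As IP addresses can be falsified (IP spoofing), checking the IP address (of the client access) is not sufficient. In addition, client PCs may have changing IP addresses. For this reason the authentication is performed by means of tried and tested VPN mechanisms.
• Data encryption;
Secure encryption is necessary in order to protect data communication from espionage and unauthorized manipulation. This means that the data traffic remains incomprehensible to any eavesdropper in the network. The SCALANCE security modules establish VPN tunnels to other security modules for this purpose.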
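Firewall
can be used as an alternative or to supplement VPN with flexible access control. The firewall filters data packets and disables or enables communication links in accordance with the filter list and stateful inspection. Both incoming and outgoing communication can be filtered according to IP and MAC addresses, communication protocols (ports) or on a user-specific basis.
• Logging;
Access data is saved by the security module in a log file. Detecting how and when access took place is just as important as detecting access attempts, so that appropriate preventive measures can be taken.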
Configuration
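Configuration is performed with the Security Configuration Tool (SCT). Therefore all SIMATIC NET security products can be configured and diagnosed from a central position. All configuration data can be saved on the optional C-PLUG swap medium (not included in the scope of supply), so that the security module can be replaced quickly in the event of a fault and without the need for a programming device.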
© Siemens AG 2014