SIMATIC
Process Control System PCS 7
Managing the MS ISA Server/MS TMG as Access Point

Commissioning Manual

Preface 1
Managing the MS ISA Server/MS TMG as Access Point 2
Practical information 3

12/2011
A5E02657550-02
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

NOTICE
indicates that an unintended result or situation can occur if the relevant information is not taken into account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG A5E02657550-02 Copyright © Siemens AG 2011.


Industry Sector Ⓟ 11/2011 Technical data subject to change
Postfach 48 48
90026 NÜRNBERG
GERMANY
Table of contents

1 Preface ...................................................................................................................................................... 5
1.1 Structure and organization of the document..................................................................................5
1.2 Special Notes .................................................................................................................................6
2 Managing the MS ISA Server/MS TMG as Access Point ........................................................................... 7
2.1 Managing the MS ISA Server/MS TMG as Access Point ..............................................................7
2.2 Network positions...........................................................................................................................9
2.2.1 Front firewall.................................................................................................................................10
2.2.2 Back firewall .................................................................................................................................11
2.2.3 Three-homed firewall ...................................................................................................................12
2.3 Technologies and configurations .................................................................................................13
2.3.1 General information .....................................................................................................................13
2.3.2 Web publication............................................................................................................................14
2.3.3 VPN server...................................................................................................................................16
2.3.4 Device direct dialing.....................................................................................................................20
2.3.5 IPSec connection .........................................................................................................................21
2.3.6 User-specific rules .......................................................................................................................21
2.4 Special case: Trust function between ERP and perimeter network.............................................22
3 Practical information ................................................................................................................................ 23
3.1 General information .....................................................................................................................23
3.1.1 Further information and instructions ............................................................................................26

Managing the MS ISA Server/MS TMG as Access Point


Commissioning Manual, 12/2011, A5E02657550-02 3
1 Preface
1.1 Structure and organization of the document
The Security Concept PCS 7 & WinCC has several parts:

● The basic document provides a central overview and guidance through Security
Concept PCS 7 & WinCC.
It systematically describes the basic principles and security strategies of the security
concept. All additional detail documents assume the reader has read the basic document.

● The detail documents (this is one such detail document) explain the individual
principles, solutions and configuration recommended there in detailed form, and each
focuses on a particular detailed issue. The detail documents are supplemented, updated
and published independently of one another to ensure that they are always up-to-date.

1.2 Special Notes

Objective of the Security Concept PCS 7 & WinCC


The main priority of automation is to maintain control over production and process. Even
measures which aim to prevent the spread of a security threat must not affect control over
production and process.
Security Concept PCS 7 & WinCC is intended to ensure that only authenticated users, using the
operating permissions assigned to them, can perform authorized (permitted) operations on
authenticated devices. These operations should only be performed via defined and planned
access routes, to ensure safe production or coordination of a job without danger to people,
the environment, the product, the goods to be coordinated and the business of the enterprise.
Security Concept PCS 7 & WinCC therefore recommends the use of the latest available
security mechanisms. To achieve the highest possible level of security, scaled, system-
specific configurations should never contradict the basic principles of this security concept.
Security Concept PCS 7 & WinCC is intended to facilitate the cooperation between network
administrators of company networks (IT administrators) and automation networks
(automation engineers) to exploit the advantages provided by the networking of process
control technology and the data processing of other production levels, without increasing
security risks at either end.

Required Knowledge
This documentation is aimed at anyone who is involved in configuring, commissioning and
operating automated systems based on SIMATIC. It is assumed that readers have
appropriate knowledge of office IT administration.

Validity
Security Concept PCS 7 & WinCC incrementally replaces the following previous documents
and recommendations: "Security Concept PCS 7" and "Security Concept WinCC", and is
valid as of WinCC V6.2 and PCS 7 V7.0.

2 Managing the MS ISA Server/MS TMG as Access Point
2.1 Managing the MS ISA Server/MS TMG as Access Point
Security Concept PCS 7 & WinCC recommends the "Microsoft® Internet Security and
Acceleration (ISA) Server" as a high-performance firewall or access point, together with its
successor product, "Microsoft® Forefront Threat Management Gateway (TMG) 2010". This
document only relates to the Microsoft ISA Server\TMG; other documents deal with other
products, e.g. Siemens SCALANCE S. Note that Microsoft has since discontinued Forefront
TMG (announced in September 2012; extended support ended in April 2020), so the
product-specific settings below apply to existing installations, while for new installations the
architectural principles described here (network positions, Web bridging, VPN placement)
have to be implemented with a supported product.
Instead of listing the reasons why the ISA Server\TMG is the recommended product, we will
address a few security "myths" about the ISA Server\TMG here.
1. "A Windows-based firewall - that is a contradiction in itself."
On the contrary, the strength of the ISA Server\TMG is that it is based on Windows Server
(Windows Server 2003 for ISA Server 2004/2006, Windows Server 2008/2008 R2 for TMG
2010) and therefore inherits the strengths of this operating system. It is the most widely
used server operating system and is subject to very strict quality and system test
requirements. As a result of its widespread use, potential gaps are discovered and closed
quickly. As the ISA Server\TMG is based on Windows, it can use all of the services and
technologies of the Windows environment and can be fully integrated into an existing
Windows network. Windows authentication and communication mechanisms can be used
directly and do not have to be provided to the firewall via "proprietary" interfaces, which
often have security gaps. This makes it possible to create user-specific rules on the ISA
Server\TMG with current authentication options such as Kerberos.
2. "So many security gaps are found in Windows that the ISA Server\TMG cannot possibly
be secure."
Nearly all of these gaps are errors in programs running on the Windows operating system
that can only be exploited when a user is logged into the operating system and starts the
program. Any virus/trojan that exploits such weaknesses has to reach the application layer
of the OSI reference model. The ISA Server\TMG, however, works at layers 2 to 5 of this
model, i.e. the data link, network, transport and session layers (the TCP/IP layers), and can
therefore not be infected by such malware. Note that the application filters (e.g. the HTTP
filter used for Web publishing) do parse application-layer content on the firewall itself; a
flaw in such a filter is reachable from the network, which is one more reason to keep the
ISA Server\TMG patched. To guarantee this advantage across the board, the ISA
Server\TMG must not be treated as a workstation or application server. It is a network
device. After installation and initial configuration the ISA Server\TMG works like a router,
i.e. without a keyboard, mouse or screen and with no user logged in. For maintenance and
service you connect remotely to the ISA Server\TMG via the separately installable
management console or a secured terminal session, which prevents the local execution of
insecure programs.
3. “The ISA Server\TMG is not a proper firewall and can only be used within the network
structure, not as protection against external threats."
Correctly configured, the ISA Server\TMG can be used at any network position. Microsoft
protects its complete global network using the ISA Server\TMG exclusively wherever a
firewall is used.


4. "As the ISA/TMG is Windows-based it cannot be used without a local virus scanner."
In spite of its modern and secure design the ISA Server\TMG can be penetrated if it is
improperly configured or used incorrectly. The use of a local virus scanner represents a
potential risk to the security of the ISA Server\TMG. Currently there are no virus scan
clients that have been developed and approved for the ISA Server\TMG. A virus scanner
is in any case not necessary, as firewalls should in general not carry out local data
exchange, execute third-party programs or have local logins etc.
There are a number of modules by well-known virus scanner manufacturers that allow the
ISA Server\TMG to scan incoming network data traffic for viruses. Scanning and
forwarding, however, take place in layers 2-5, whereas a local virus scan client in general
only works in layers 6-7 and requires local execution and login.
5. "Microsoft products are insecure and have to be patched too often."
Since the release of ISA Server 2004 only a small number of security-related updates have
been issued for ISA Server 2004 and the more recent ISA Server 2006; the two service
packs mainly improved the functionality and range of functions. This does not exempt the
ISA Server\TMG from the regular security patch process: check the vendor's security
bulletins and install updates for the firewall with the same priority as for the operating
system.
6. "The ISA Server\TMG is an office firewall and is not suitable for industry."
It is correct that the ISA Server\TMG provides many options and interfaces that have been
designed specifically for Web servers, mail servers and other office applications. However,
this does not restrict the industrial use and operation of this firewall solution in any way.
On the contrary, these interfaces are increasingly used in industrial applications, for
example to implement more secure web-based operator control and monitoring solutions.
Appliance manufacturers (vendors of ISA Server\TMG/hardware bundles) also
increasingly offer the ISA Server\TMG in industrial-grade housings, i.e. dust- and splash-
proof and explosion-protected. The high performance and the large number of available
standard configurations are also of interest to industry.

2.2 Network positions


The most secure and effective configuration is a front/back firewall solution and this should
be used for large and medium-sized systems (see the graphic below). The back firewall
protects the production network and the MON network. The front firewall protects the
perimeter network and all of the networks behind it.

[Figure: Front/back firewall solution. ECN (office network) with Support Station; WAN/Intranet (extern) with Dial-in Router ISDN (ISDN 1); Firewall ISA Server (Front-Firewall) protecting the Perimeter Network; Manufacturing Operations Network with Dial-in and MES; Firewall ISA Server (intern, Back-Firewall) with Router ISDN (ISDN 2); Process Control Network.]

Adequate security can be provided for small systems with a "single firewall strategy" or a
three-homed firewall, which avoids the cost and administrative effort of the above solution.

2.2.1 Front firewall


The front firewall in the following graphic protects the system's perimeter network, and
therefore also the other production networks behind it, from unauthorized external access,
regardless of whether it is connected to a corporate network (intranet/office network) or
directly to the Internet. The front firewall can therefore also act as the access point for all
security zones at the production level (MCS as per ISA-95) and the production planning
level (MES as per ISA-95).
It has the following main functions:
● Publication of Web servers in the perimeter network to the Internet/intranet (office
network)
● HTTP/HTTPS access for the servers in the perimeter to the Internet/intranet (e.g.
download new updates from WSUS or virus scan server)
● VPN server publication for the back firewall (e.g. support dialup)
● Access and forwarding of essential services for the Internet/intranet (e.g. DNS, NTP)
● Refusal of all other accesses
[Figure: Front firewall. Enterprise Control Network (office network): Domain Controller, WinCC Web Client, OS Web Client, Historian Web Client, Support Station, behind a firewall protecting the office network; WAN/Intranet (extern, Dial In); Firewall ISA Server (Front Firewall); Perimeter Network: Virus scan Server, WSUS Server, WebNavigator Server, OS Web Server, CAB Server.]

2.2.2 Back firewall


The back firewall in the following graphic directly protects the Process Control Network
(PCN). A network for Manufacturing Execution Systems (MES) (the Manufacturing Operation
Network, MON) should also be connected to the back firewall and protected by it. The back
firewall thus acts as a direct access point to the security zone of the production level and
regulates the connection of downstream computers to this security zone.
It has the following main functions:
● IPSec connection for computers from other security cells
● Publication of the Web servers in the perimeter network to the PCN and MON (e.g. for
security patch or virus pattern updates)
● Access to services in and from PCN (e.g. DNS, WINS, NTP)
● Access to services in and from MON (e.g. DNS, WINS, NTP)
● VPN server for PCN and MON
● HTTP/HTTPS access for the servers in the perimeter to the MON
(e.g. WSUS or virus scan server)
● Remote support access
● Active Directory replication between PCN and MON

[Figure: Back firewall. Manufacturing Operations Network: Historian Web Client, SIMATIC IT Server, SIMATIC IT SQL Server, Domain Controllers (MES); Perimeter Network: Perimeter Domain Controller, Support Station (DMZ), Dial In, Router ISDN; Firewall ISA Server (intern, Back Firewall); Process Control Network (SCALANCE X based redundant ring): WinCC Client, OS Client, Domain Controllers, WinCC Server (2x), OS Server (2x), Engineering Station, Maintenance Station; Control System Network (SCALANCE X based redundant ring): automation systems (labels S H, S, S, S FH).]

2.2.3 Three-homed firewall


A three-homed firewall (see following graphic) may be an adequate solution for small
systems that have no connection to an independent MON and only have a very small
perimeter network. Depending on requirements, it combines the functions of the front and
back firewalls. Individual MES components can be integrated directly into the PCN.

[Figure: Three-homed firewall. Enterprise Control Network: Firewall, Domain Controller, WinCC Web Client, OS Web Client, DataMonitor Web Client, Historian Web Client, Support Station; WAN/Intranet; Firewall ISA Server (Three-homed Firewall); Perimeter Network: WebNavigator Server, OS Web Server, Historian Web Server; Manufacturing Operations Network: Historian Web Client, SIMATIC IT Server; Process Control Network (SCALANCE X based redundant ring): WinCC Client, OS Client, WinCC Server (2x), OS Server (2x), Engineering Station, Maintenance Station; Control System Network (SCALANCE X based redundant ring): automation systems (labels S H, S, S, S FH).]

2.3 Technologies and configurations


The following description only deals with the configuration of the front and back firewalls. The
three-homed firewall is an analogous combination of the two configurations.

2.3.1 General information


The Microsoft ISA Server\TMG is a network device similar to a switch or router (and not a
workstation PC), and must be treated as such. This means that it must be placed in a secure
location after initial configuration. It should never be possible or permitted for an ordinary
user to log on to the ISA Server\TMG locally. The remote-enabled ISA management console
should be used for maintenance and configuration purposes. Programs other than the ISA
Server\TMG services must not be installed or started on the computer. No storage media
(e.g. USB sticks, CDs/DVDs) should be connected or read.
The front firewall is the first line of defense against external threats. This ISA Server\TMG is
therefore exposed to the majority of attacks. It should therefore never be a member of a
domain or store information on internal users and passwords locally. The accounts with
administrative rights on the front firewall must be local to it: they must not exist on any other
computer in the system, and accounts from other computers must have no access to the
front firewall. This means that an attacker who manages to take over the front firewall will
find it impossible, or at least very difficult, to obtain access to other computers within the
system.
The back firewall does not have to be treated so restrictively. It is part of the MCS security
zone and, as a member of the production domain (MCS domain), can query the user
authentication of this domain as required.
Only technologies and their configurations that are needed in terms of PCS 7 and WinCC
systems are discussed in more detail below. Not all of the conventional "rules" that have to
be created on the ISA Server\TMG are explained in detail. For example, rules for DNS, NTP
or WINS communication are not required in each case, but rather arise from the applicable
network structure. The details of such conventional rules are explained in the documentation
for the ISA Server\TMG.

2.3.2 Web publication


In order to access a Web server in the perimeter network from the MON or from external
networks, the Web server has to be published on the ISA Server\TMG (at the front firewall
for external networks, at the back firewall for the MON). The Web bridging technology that is
supported by the ISA Server\TMG and is used in this case offers much better security than
the outmoded Web tunneling technology. Opening ports 80 or 443 so that the ISA
Server\TMG simply passes queries through directly to the Web server should therefore no
longer be used.
In Web bridging (see following graphics), the Web client places its query to the ISA
Server\TMG (1.) instead of accessing the Web server directly. The ISA Server forwards this
query to the Web server (2.) after checking, receives the desired information (3.) back and
passes it on to Web client (4.).
Only HTTPS should be allowed between the Web client and the ISA Server\TMG. The
authenticity of the ISA Server\TMG can then be guaranteed with a server certificate. Either
HTTP or HTTPS can be used for the ISA Server\TMG access to the Web server depending
on the desired degree of internal security.
If Web clients are to access the Web server from an external network, they have to be
published at the front firewall. If, on the other hand, Web clients are to access from a MES
network (MON), publishing is performed at the back firewall.

[Figure 2-1 Web bridging: OS Web Client (ERP) via WAN to Firewall ISA Server (GATEFRONT); Perimeter Network with Infrastructure Server (INFRA) and OS Web Server (PRM); steps 1 to 4 as described above.]



[Figure 2-2 Web bridging: OS Web Client (MES) in the Manufacturing Operations Network to Firewall ISA Server (GATEBACK); Perimeter Network with Infrastructure Server (INFRA) and OS Web Server (PRM).]

The greatest advantage of Web bridging is that direct access to the target network from the
outside is not possible. The connection of the Web clients always ends at the external
interface of the ISA Server\TMG. The ISA Server\TMG checks these access attempts with
various application filters and can thus prevent "harmful" queries.
When Web tunneling is used, the Web server has to recognize "harmful" queries by itself
and its functionality can therefore be impaired.
A further advantage provided by Web bridging is that it allows public names to be used
externally. This means that in the perimeter network the Web server is called, for example,
PRM29.prm.plant.com but is accessed in the external network by the name
www.plant.com/Plant1. Special consideration needs to be given to such Web publication in
combination with the SIMATIC WebNavigator Server, see Chapter Practical information
(Page 23).
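As an added illustration (not code from Siemens or Microsoft), the following Python model shows what the Web bridge does that a simple port forward does not: it terminates the client connection, parses and filters the request, and re-issues it to the internal server under the internal name. The public name www.plant.com/Plant1 and the internal name PRM29.prm.plant.com are taken from the text above; the method allow-list, the URL length limit, the forwarded headers, the documentation-range client address 192.0.2.10 and the sample requests are constructed assumptions.

```python
"""Model of ISA/TMG-style Web bridging (reverse-proxy publishing).

Added example, not Siemens or Microsoft code. The public name
www.plant.com/Plant1 and the internal name PRM29.prm.plant.com are taken
from the manual; the request samples, the method allow-list and the
length limit are constructed assumptions.
"""
from dataclasses import dataclass
from urllib.parse import quote, unquote, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumption: all the published app needs
MAX_TARGET_LENGTH = 2048                   # assumption: application-filter limit


class Rejected(Exception):
    """Request dropped at the external interface; it never reaches the Web server."""


@dataclass(frozen=True)
class PublishingRule:
    public_host: str          # name the client uses (Web listener on the firewall)
    public_path_prefix: str   # path published under that name
    internal_host: str        # real server name, known only inside the perimeter
    internal_scheme: str      # "https" or "http" on the firewall-to-Web-server leg


@dataclass(frozen=True)
class ForwardedRequest:
    scheme: str
    host: str
    method: str
    target: str
    headers: dict


RULES = [PublishingRule("www.plant.com", "/Plant1", "PRM29.prm.plant.com", "https")]


def parse_request(raw: bytes):
    """Parse request line and headers of an HTTP/1.1 request; malformed input is rejected."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        raise Rejected("malformed request line")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise Rejected("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def bridge(raw: bytes, client_tls: bool, client_ip: str = "192.0.2.10") -> ForwardedRequest:
    """Application filter plus re-issue: the bridge terminates the client connection,
    inspects the request and builds a new one addressed to the internal Web server."""
    if not client_tls:
        raise Rejected("only HTTPS is allowed between Web client and ISA Server/TMG")
    method, target, headers = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise Rejected(f"method {method} not allowed")
    if len(target) > MAX_TARGET_LENGTH:
        raise Rejected("request target too long")
    host = headers.get("host", "").split(":")[0].lower()
    if not host:
        raise Rejected("missing Host header")
    url = urlsplit(target)
    path = unquote(url.path)  # decode %2e%2e etc. before checking for traversal
    if "\\" in path or ".." in path.split("/"):
        raise Rejected("path traversal")
    for rule in RULES:
        prefix = rule.public_path_prefix
        if host == rule.public_host and (path == prefix or path.startswith(prefix + "/")):
            internal_path = path[len(prefix):] or "/"
            new_target = quote(internal_path) + (f"?{url.query}" if url.query else "")
            new_headers = dict(headers)
            new_headers["host"] = rule.internal_host      # client never sees this name
            new_headers["x-forwarded-for"] = client_ip    # for the Web server's logs
            return ForwardedRequest(rule.internal_scheme, rule.internal_host,
                                    method, new_target, new_headers)
    raise Rejected("no publishing rule matches host/path")


def is_rejected(raw: bytes, client_tls: bool = True) -> bool:
    try:
        bridge(raw, client_tls)
    except Rejected:
        return True
    return False


# Constructed sample requests.
SAMPLE_OK = b"GET /Plant1/index.htm?view=1 HTTP/1.1\r\nHost: www.plant.com\r\nUser-Agent: x\r\n\r\n"
SAMPLE_TRAVERSAL = b"GET /Plant1/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1\r\nHost: www.plant.com\r\n\r\n"
SAMPLE_TRACE = b"TRACE /Plant1/ HTTP/1.1\r\nHost: www.plant.com\r\n\r\n"
SAMPLE_INTERNAL_NAME = b"GET /Plant1/ HTTP/1.1\r\nHost: PRM29.prm.plant.com\r\n\r\n"

if __name__ == "__main__":
    fwd = bridge(SAMPLE_OK, client_tls=True)
    print(f"forward to {fwd.scheme}://{fwd.host}{fwd.target}")
    for name, sample in [("traversal", SAMPLE_TRAVERSAL), ("TRACE", SAMPLE_TRACE),
                         ("internal name", SAMPLE_INTERNAL_NAME)]:
        print(name, "rejected" if is_rejected(sample) else "forwarded")
```

Run the module directly to see the sample requests classified. The traversal attempt is caught only because the path is percent-decoded before it is checked; that normalization is the kind of work an application filter does on the firewall and a plain port forward never does, which is the difference between Web bridging and Web tunneling described above.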

2.3.3 VPN server


This section describes the positioning and configuration of the VPN server. How the VPN
accesses the system is described in the "Support & Remote Access" detail document.
There are two options for positioning the VPN server (front or back firewall). The target
network, not the source network, determines where the VPN server is positioned.
It is unlikely that VPN access attempts originate from the MON, as the MON should be a
known and trusted network that belongs to the system operator. If this is not the case, it is
not a trusted network but rather another external network.
If only computers in the perimeter network are accessed via the VPN connection, the VPN
server should be positioned at the front firewall (see following graphic).
The VPN client establishes a connection to the ISA Server\TMG (1.). After successful
authentication, it obtains access to a specially isolated quarantine network, if the quarantine
function of the ISA Server\TMG has been configured correspondingly. Customer-specific
checks are carried out on the client computer. If these checks are completed successfully,
the tunnel into the VPN network of the ISA Server\TMG is fully established (2.) and the VPN
client is allowed access to specified computers in the perimeter network (3.). Without a
quarantine function, VPN client access is granted immediately after successful
authentication.

[Figure: VPN server at the front firewall. Support Station (DMZ) via WAN to Firewall ISA Server (GATEFRONT) with Quarantine Network; Perimeter Network; Manufacturing Operations Network: WinCC Client (MES), OS Client (MES), Terminal Server (TERMINAL), Infrastructure Server (INFRA); Firewall ISA Server (GATEBACK); steps 1 to 3 as described above.]

If direct access to computers in the MON or PCN is required, i.e. access without Remote
Desktop, NetMeeting or a similar function, the VPN server has to be positioned at the back
firewall (see following graphic) and published at the front firewall. This is necessary
because, for security reasons, the front firewall does not "know" the PCN and CSN and
should not have any routing information for them. If an attacker were able to "take over" the
front firewall, he would have access to the perimeter network, but still not to the system
itself. The system continues to be reliably protected by the back firewall.

[Figure: VPN server at the back firewall, published at the front firewall. Support Station (DMZ) via WAN to Firewall ISA Server (GATEFRONT); Perimeter Network; Manufacturing Operations Network: WinCC Client (MES), OS Client (MES), Terminal Server (TERMINAL), Infrastructure Server (INFRA); Firewall ISA Server (GATEBACK) with Quarantine Network; Process Control Network: WinCC Client (MCS), OS Client (MCS), WinCC Server (MCS), OS Server (MCS).]

The VPN client (see previous graphic) establishes a connection to the front firewall (1.). This
query is passed on to the back firewall by the VPN publishing (2.). After successful
authentication and confirmation by the back and front firewalls (3.) (4.),the VPN client
establishes a tunnel through the front firewall into the VPN network of the back firewall (see
following graphic) (5.) and obtains defined access to the networks (see following graphic)
(6.).

[Figure: VPN tunnel through the front firewall (GATEFRONT) into the VPN network of the back firewall (GATEBACK, Quarantine Network), steps 5 and 6; same components as the previous graphic: Support Station (DMZ), WAN, Perimeter Network, Manufacturing Operations Network (WinCC Client MES, OS Client MES, Terminal Server, Infrastructure Server), Process Control Network (WinCC Client MCS, OS Client MCS, WinCC Server MCS, OS Server MCS).]

A certificate-based L2TP/IPsec connection should always be used for every VPN dialup.
PPTP is only acceptable for connections that are additionally protected by another VPN
layer; its MS-CHAPv2 authentication is considered cryptographically weak and provides no
adequate confidentiality on its own.
For authentication of the VPN user we recommend the use of a RADIUS server positioned
either in the perimeter network or, if the VPN server was set up on the back firewall, installed
directly on the domain controllers in the PCN. In addition, the quarantine function of the ISA
Server\TMG should be used for every VPN connection, as it allows the client that is dialing in
to be checked to ensure, for example, that all security updates have been installed and that a
virus scanner is installed on the client and is up-to-date.
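The following Python model, added here and not part of the Siemens or Microsoft product, walks through the VPN access sequence described above: reject anything that is not certificate-based L2TP/IPsec, authenticate via RADIUS, park the client in the quarantine network, run the posture checks, and only then open the permitted networks. The posture report fields, the three-day signature age limit, the sample clients and the network names are constructed assumptions; the placement rule (a VPN server at the front firewall reaches only the perimeter network, one at the back firewall reaches MON and PCN) follows the text.

```python
"""Model of the VPN access sequence on the ISA Server/TMG: tunnel-protocol
check, RADIUS authentication, quarantine with posture checks, full access.

Added example, not Siemens or Microsoft code. Thresholds, report fields and
sample clients are constructed assumptions.
"""
from dataclasses import dataclass, replace
from datetime import date

MAX_SIGNATURE_AGE_DAYS = 3          # assumption: oldest virus pattern accepted
QUARANTINE_NETWORK = "Quarantine"   # holds only remediation servers (e.g. WSUS, pattern server)
# Networks a VPN server may grant, depending on the firewall it runs on:
# the front firewall has no routes to MON/PCN, so it can only grant the perimeter.
NETWORKS_BY_POSITION = {"front": {"Perimeter"}, "back": {"MON", "PCN"}}


@dataclass(frozen=True)
class PostureReport:
    tunnel_protocol: str            # "L2TP/IPsec" or "PPTP"
    certificate_valid: bool         # client certificate accepted for L2TP/IPsec
    radius_authenticated: bool      # user credentials accepted by the RADIUS server
    missing_security_updates: int   # reported by the quarantine client script
    av_installed: bool
    av_running: bool
    av_signature_date: date


@dataclass(frozen=True)
class Decision:
    state: str              # "DENIED", "QUARANTINE" or "GRANTED"
    reachable: frozenset    # networks the client may reach in this state
    reasons: tuple          # why access was denied or limited


def position_allows(position: str, networks) -> bool:
    """True if a VPN server on this firewall can publish the requested networks."""
    return position in NETWORKS_BY_POSITION and set(networks) <= NETWORKS_BY_POSITION[position]


def posture_failures(report: PostureReport, today: date) -> list:
    """Checks run while the client sits in the quarantine network."""
    failures = []
    if report.missing_security_updates > 0:
        failures.append(f"{report.missing_security_updates} security update(s) missing")
    if not report.av_installed:
        failures.append("no virus scanner installed")
    elif not report.av_running:
        failures.append("virus scanner not running")
    elif (today - report.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"virus signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    return failures


def vpn_access(report: PostureReport, position: str, permitted, today: date) -> Decision:
    if not position_allows(position, permitted):
        raise ValueError(f"VPN server at the {position} firewall cannot grant {sorted(permitted)}")
    # Step 1: only certificate-based L2TP/IPsec tunnels are accepted.
    if report.tunnel_protocol != "L2TP/IPsec" or not report.certificate_valid:
        return Decision("DENIED", frozenset(), ("certificate-based L2TP/IPsec required",))
    # Step 2: user authentication against RADIUS.
    if not report.radius_authenticated:
        return Decision("DENIED", frozenset(), ("RADIUS authentication failed",))
    # Step 3: quarantine until the client passes the posture checks.
    failures = posture_failures(report, today)
    if failures:
        return Decision("QUARANTINE", frozenset({QUARANTINE_NETWORK}), tuple(failures))
    # Step 4: tunnel fully established, access limited to the published networks.
    return Decision("GRANTED", frozenset(permitted), ())


# Constructed sample clients (dates chosen to match the manual's 12/2011 timeframe).
TODAY = date(2011, 12, 2)
SUPPORT_PC_OK = PostureReport("L2TP/IPsec", True, True, 0, True, True, date(2011, 12, 1))
SUPPORT_PC_STALE_AV = replace(SUPPORT_PC_OK, av_signature_date=date(2011, 11, 1))
SUPPORT_PC_PPTP = replace(SUPPORT_PC_OK, tunnel_protocol="PPTP")
SUPPORT_PC_BAD_PASSWORD = replace(SUPPORT_PC_OK, radius_authenticated=False)

if __name__ == "__main__":
    for name, client in [("ok", SUPPORT_PC_OK), ("stale AV", SUPPORT_PC_STALE_AV),
                         ("PPTP", SUPPORT_PC_PPTP), ("bad password", SUPPORT_PC_BAD_PASSWORD)]:
        d = vpn_access(client, "back", {"PCN"}, TODAY)
        print(f"{name:12s} -> {d.state:10s} reachable={sorted(d.reachable)} {d.reasons}")
    print("front firewall may grant PCN:", position_allows("front", {"PCN"}))
```

The ValueError in vpn_access is deliberate: a rule that would have a front-firewall VPN server hand out MON or PCN access is a configuration error, because the front firewall must not carry routes to those networks, and a model should fail loudly there rather than silently grant.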

2.3.4 Device direct dialing


As direct dialup always uses a VPN connection in order to increase the security for the
device, there is no difference in the procedure described above for positioning dialup
devices. Depending on the networks to be accessed, the dialup device is connected either to
the front or the back firewall. In the following graphic, the dialup device is connected to the
back firewall via an ISDN router. The devices first establish a connection with each other (1.)
then a VPN tunnel is established between e.g. the support PC and ISA Server\TMG (2.) and
the support PC receives access to the relevant networks (3.).

[Figure: Device direct dialing. Perimeter Network; Manufacturing Operations Network: WinCC Client (MES), OS Client (MES), Terminal Server (TERMINAL), Infrastructure Server (INFRA); Firewall ISA Server (GATEBACK) connected to a Router ISDN, which dials the Router ISDN at the Support Station (DMZ), steps 1 to 3 as described above; Process Control Network: WinCC Client (MCS), OS Client (MCS), WinCC Server (MCS), OS Server (MCS); Control System Network: automation systems (AS, AS, AS).]

Always ensure that the dialup device does not connect directly to the ISA Server\TMG when
using direct dialup for devices. If the device, e.g. an ISDN card, were installed directly in the
ISA Server\TMG, the ISA Server\TMG cannot protect itself against potential attacks by this
device. An external device, e.g. an ISDN router, should therefore always be used for dialup.
The router is connected with ISA Server\TMG and integrated there as a separate network.
The ISA Server\TMG can therefore control any traffic with its built-in firewall mechanisms.

2.3.5 IPSec connection


IPSec is used to connect trusted devices from known networks, such as the MON. As this
usually involves connections by individual devices, the firewall rules for these devices have
to be defined very specifically. In general, IPSec should not be allowed between the MON
and the PCN as a whole. Only access by individual devices in the MON to individual devices
in the PCN via IPSec should be allowed.

2.3.6 User-specific rules


The ISA Server\TMG is one of the few firewalls that offers the option of creating user-specific
rules. This means that it is not the protocol or the client's IP address that decides whether
access is granted, but the user logged on to the client. However, some general conditions
have to be fulfilled: the ISA Firewall Client has to be installed and configured on the client,
the application that attempts the access has to be a WinSock application, and the ISA
Server\TMG must be a member of the domain in which the accessing user is created, or of
a domain linked to it by a trust relationship. For further information, please refer to the
"Managing Computers and Users" detail documentation.

2.4 Special case: Trust function between ERP and perimeter network
A trust relationship between the ECN, i.e. the corporate or office network, which is also
protected by its own firewall (GateCorp, see following graphic), and the system's perimeter
network is not recommended from the perspective of maximum protection of the front
firewall. However, it is often necessary for economic reasons and in order to avoid
maintaining user accounts twice.
The purpose of such a trust relationship is that user accounts from the ERP domains in the
office network can, for example, access resources in the perimeter network. However, this
requires several configurations to be made, even though the advice above was to avoid
multiple configurations. The ECN (office network) must be made known to the front firewall,
and the back firewall needs its own routing information in order to reach this network.
Normally the ECN, like all other external networks, is not known to the firewalls; it is covered
by the ISA Server\TMG-specific standard "external" network and is therefore checked with
the strictest rules. In addition, a separate production domain must be established. If
user-dependent rules also have to be created for office user accounts, the front firewall ISA
Server\TMG has to become a member of the production domain or be able to query this
information from the production domain via the RADIUS protocol. At least a one-way trust
relationship then has to be established between the production domain and the ERP domain
(see the "Management of Computers and Users" detail document). Users of the ERP domain
can now be authenticated by the production domain (1.) and access can be granted to the
specified resources in the system (2.).

[Figure: trust relationship between ERP and perimeter network (text layer only). Enterprise Control Network with Historian Web Client (ERP) and Company Domain Controller (ERP) behind the Company Firewall GATECORP; WAN; TRUST relationship towards the Firewall/ISA Server GATEFRONT and the CAB Server (PRM); Perimeter Network with Terminal Server (TERMINAL) and Infrastructure Server (INFRA). Steps 1 and 2 as described in the text.]

3 Practical information
3.1 General information

Instructions and descriptions


Detailed instructions and descriptions of how to set up the configurations described above
are available under the following links:
● ISA:
http://www.microsoft.com/germany/technet/prodtechnol/isa/default.mspx
http://www.isaserver.org/articles_tutorials/
● TMG:
http://www.microsoft.com/germany/forefront/edgesecurity/tmg/default.mspx


AddOn Automation Firewall


In cooperation with SecureGUARD (www.secureguard.de), Siemens offers the
SecureGUARD Automation Firewall Appliance series as an add-on. The SecureGUARD
Automation Firewall Appliance series is used to secure SIMATIC® PCS 7- and SIMATIC®
WinCC®-based automation systems in industrial systems. A pre-installed wizard simplifies
and automates startup.
The SecureGUARD Automation Firewall Appliance series secures the access points to the
production networks and guarantees restriction to the data traffic required to operate the
automation system. Based on the firewall solution from Microsoft (Forefront Threat
Management Gateway 2010), the industrial wizard of the integrated SecureGUARD
Appliance Management is used to create an optimized set of rules.
The necessary information on system and network components is entered using the
industrial wizard depending on the configuration variant. All necessary access policies are
generated automatically in order to protect the communication both within the system and
externally.

TMG restrictions (as of September 2011)


The TMG introduces some innovations, such as virus scanning of all data traffic that passes
through the TMG, and intrusion prevention functionality. At present these functions have
not yet been released for use with PCS 7/WinCC because of compatibility issues. Please
contact your sales partner for more up-to-date information.


Track changes (only available from ISA Server 2006 SP1)


ISA Server 2006 SP1 delivers a range of new features, including track changes. Each
configuration change can now be logged on the ISA Server\TMG and also assigned to a
specific administrator. This option is included in the standard TMG package.
Track changes is a separate tab in the monitoring area of the administration console. It is not
activated by default. In order to log configuration changes, we recommend activating track
changes.

Background networks
If the network structures are more complex and there are, for example, reasons for dividing
the load, several cascaded networks must also be configured on the ISA Server\TMG. As the
ISA Server\TMG has no physical interface in these networks and therefore does not
"recognize" them, the address ranges of these networks must be added to the known
networks of the ISA Server\TMG.
Routes must also be configured so that the ISA Server\TMG can reach these networks.
In the example shown in the graphic below, the address range 192.168.35.x of network
MCS 2 must be added to the ISA Server\TMG in addition to the known network MCS 1 with
address range 192.168.25.x. A route must also be created on the ISA Server\TMG that
defines 192.168.25.201 as the gateway for the MCS 2 network.
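The following script is an added example (not part of this manual) that checks the consistency of such a background-network definition before it is entered on the ISA Server\TMG: the gateway must lie in a directly connected network, the range must not overlap a known network, and the matching persistent Windows route command is generated. The MCS 1/MCS 2 ranges and the gateway are taken from the example above; the /24 prefix length for the "x" ranges is an assumption.

```python
"""Consistency check for background networks on the ISA Server/TMG (added example)."""
import ipaddress

# Networks the ISA Server/TMG has a physical interface in ("known" networks).
# The /24 prefix for the manual's "192.168.25.x" range is an assumption.
KNOWN_NETWORKS = {"MCS 1": "192.168.25.0/24"}

# Background networks: address range plus the gateway through which they are reached.
BACKGROUND_NETWORKS = {"MCS 2": ("192.168.35.0/24", "192.168.25.201")}  # /24 assumed


def check_background_route(name, network, gateway, known=KNOWN_NETWORKS):
    """Return a list of problems; an empty list means the definition is consistent.

    A background network only works when its gateway sits inside a network the
    ISA Server/TMG is directly connected to, and when its address range does not
    overlap a known network (otherwise a packet cannot be assigned to one network).
    """
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    known_nets = {k: ipaddress.ip_network(v) for k, v in known.items()}
    problems = []
    if not any(gw in kn for kn in known_nets.values()):
        problems.append(f"{name}: gateway {gw} is not in any directly connected network")
    if gw in net:
        problems.append(f"{name}: gateway {gw} lies inside the background network itself")
    for known_name, kn in known_nets.items():
        if net.overlaps(kn):
            problems.append(f"{name}: range {net} overlaps known network {known_name} ({kn})")
    return problems


def route_add_command(network, gateway):
    """Persistent Windows route to be entered at the ISA Server/TMG command prompt."""
    net = ipaddress.ip_network(network)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


def check_all(background=BACKGROUND_NETWORKS, known=KNOWN_NETWORKS):
    """Check every background network; returns {name: (problems, route command)}."""
    return {
        name: (check_background_route(name, net, gw, known), route_add_command(net, gw))
        for name, (net, gw) in background.items()
    }


if __name__ == "__main__":
    for name, (problems, cmd) in check_all().items():
        print(name, "->", problems or cmd)
```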

Ping
ICMP (Internet Control Message Protocol), often informally referred to simply as "ping", is
used to check the availability of network devices and computers. Many devices and
programs use it before the actual communication to check whether the partner is reachable
at all. We therefore recommend permitting "pinging" between all networks on the ISA
Server\TMG as a "network diagnosis tool", as long as this creates no security risk.
Pinging must always be allowed between a PCS 7/WinCC Engineering Station and all the
computers that are to be loaded from it.


3.1.1 Further information and instructions

Publishing the SIMATIC WebNavigator Server


If one or more WebNavigator servers are published using external names with sub-folders
on the ISA Server\TMG, or if the WebNavigator server to be published is installed as a virtual
website, please note the following:
● As shown in the following two graphics, the WebNavigator creates the additional virtual
directories "WebNavigator" and "SCSWebBridge"; therefore at least two publishing rules
must be created on the ISA Server\TMG for these virtual directories.

● A separate publishing rule with its own link translation, etc. has to be created both for the
"WebNavigator" web page and for the virtual directory "SCSWebBridge".


Publishing "load balanced" WinCC WebNavigator servers


The following information applies to WinCC up to and including WinCC V6.2.x.
The following particular points should be noted when "load balanced" WebNavigator servers
are published on the ISA Server\TMG:
● All WebNavigator servers must be published on the ISA Server\TMG with different external
names (e.g. WebServer01.ent.com and WebServer02.ent.com).
● The external interface of the ISA Server\TMG (e.g. 222.222.222.222) through which the
Web clients gain access must be reachable via all of the external names.
● The "load balanced" WebNavigator servers have to be able to reach each other via their
external names (e.g. WebServer01.ent.com and WebServer02.ent.com).
● The external names must be entered in the "load balance" configuration dialog (see the
following graphic and the WebNavigator documentation for further details).


The following graphic shows an implementation with split DNS. In the external network, all
the external DNS names point to the external IP address of the front firewall. In the local
network they point to the real IP address of the relevant WebNavigator server.

[Figure: split DNS for load-balanced WebNavigator servers (text layer only). OS Web Client in the Internet/Intranet resolves WebServer01.ent.com and WebServer02.ent.com via the external DNS Server to the external address of the Firewall/ISA Server (Front Firewall); in the Perimeter Network the internal DNS Server resolves WebServer01.ent.com and WebServer02.ent.com to the real addresses of the two OS WebServers (PRM); Firewall/ISA Server (Back Firewall) below.]


Hardening of the ISA Server\TMG


Microsoft provides documents that describe in detail how the ISA Server\TMG can be
protected even further, so-called “hardening”.
They are available under the following links:

ISA
http://www.microsoft.com/technet/isa/2006/security_guide.mspx
http://www.microsoft.com/technet/isa/2004/plan/securityhardeningguide.mspx
The second link refers to the ISA Server 2004. However, the described settings are also
valid for the ISA Server 2006.

TMG
Included in the standard documentation
http://technet.microsoft.com/en-us/library/ff355324.aspx
The Security Configuration Wizard can also be used to harden the ISA Server\TMG.

ISA
http://www.microsoft.com/downloads/details.aspx?familyid=2748a927-bd3c-4d87-80fa-8687d5e2ab35&displaylang=en

TMG
TMGRolesForSCW.exe, part of the Microsoft® Forefront Threat Management Gateway
(TMG) 2010 Tools & Software Development Kit:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11183
Deactivate the "IP routing" option in order to further increase the security of the ISA
Server\TMG (for TMG this option is set by default and can no longer be changed). It is
activated automatically as soon as a network rule with the "Route" relation is created. It is
often claimed that this option is required for routing rules, but this is not correct. If the option
is enabled, the ISA Server\TMG forwards packets directly to the target. If it is disabled, the
ISA Server\TMG generates a new packet and copies the data block of the incoming packet
into the new packet. This eliminates the danger that the target devices may be attacked via
corrupted header information. The data throughput of the ISA Server\TMG is slightly lower
if IP routing is disabled. However, as protection and not throughput has top priority for
industrial use as a front firewall, this option should be disabled.


This option can be found under "Configuration > General > Configure IP protection > IP
routing" (see the following graphic).
