communicate with the controller.
z Chapter 4, Activating Network Securing for the Controller, presents procedures to activate the network security configuration on both existing and new controllers.
About this Manual
6 Schneider Electric
Related Documentation
For additional or related information, refer to these documents.
See also the Continuum CyberStation online help.
Symbols Used
The Notes, Warnings and Cautions used in this manual are listed below.
Note: Contains additional information of interest to the user.
Document Document
Number NetController II Installation Instructions 30-3001-994 NetController II Operation and Technical Reference Guide 30-3001-995 ACX 57xx Series Controller Installation Instructions TBD ACX 57xx Controller Operation and Technical Reference
Guide
TBD Andover Continuum CyberStation Configurator’s Guide 30-3001-781
CAUTION or WARNING Type of hazard
How to avoid hazard.
Failure to observe this precaution can result in injury or equipment damage.
Contents
Chapter 1 Security Configuration Overview ... 5
Securing IP Controllers Overview ... 6
Before Getting Started ... 7
Chapter 2 Configuring the Controller ... 9
Determining if the Network Security Option is Enabled ... 10
Configuring a Controller for Secure Communication ... 11
Accessing the Network Security Configuration Web Page ... 12
Configuring the Controller for the Preferred Security ... 13
Peer to Peer Security Configuration ... 13
Network Security Options ... 14
Web Server Security Options ... 14
Submit the Changes for Network Security Configuration ... 15
Chapter 3 Configuring the Workstation ... 17
Importing the IPSec Security Policy ... 18
Editing the Imported Security Policy ... 22
Assigning the Imported Security Policy ... 25
Exporting the Modified Security Policy ... 26
Chapter 4 Activating Network Security for the Controller ... 29
Setting the Network Security Attribute of an Existing Controller 30 Creating a New Controller in CyberStation ... 32
Contents
2 Schneider Electric
Chapter 1
Security Configuration Overview
This chapter presents a brief overview of the major steps for
establishing network security on a new network controller, such as the NetController II 9680 or the ACX 57x0, and it provides the
requirements checklist for hardware, software, communication, and access privileges.
Topics include:
z Securing IP Controller Overview z Before Getting Started
Chapter 1: Security Configuration Overview
4 Schneider Electric
Securing IP Controllers Overview
The communication between the controller and workstation is secured using Internet Protocol Security (IPSec) and the Internet Key
Exchange Protocol (IKE).
IPSec, a set of extensions to the IP protocol family, ensures data authentication, integrity, and encryption or authentication and integrity only of IP packets.
IKE securely negotiates the properties of the security associations of IPSec enabled peers, such as Andover Continuum controllers and workstations, once all of the following tasks have been addressed.
Configuring Network security for the newest generation of Schneider Electric controllers includes the following steps:
Task 1: Determine if network security is enabled for the controller Task 2: Configure controller for secure communication
Task 3: Configure network security on the workstation Task 4: Activate network security for the controller
The following table provides a brief overview of the configuration process and the major tasks defined in this manual.
Task Configured In Description
Task 1 CyberStation software (Chapter 2)
Determines whether or not your site has purchased the network security option for this NetController II 9680 or ACX 57x0 controller.
Task 2 Controller (Chapter 2)
Configured network security settings inside the controller.
Task 3 Workstation (Chater 3)
Imports, edits, assigns, and exports the local Schneider Electric network security policy on the workstation.
Task 4 CyberStation sofware (Chapter 4)
Sets the Network Security attributes for an existing controller or a new controller.
Chapter 1: Security Configuration Overview
Before Getting Started
Before you start configuring your controllers and workstations, make sure you have the required hardware and software to configure network security successfully.
Note: You may need to contact your Network Administrator to get the IP addresses.
Note: Older versions of Andover Continuum controllers do not support network security. However, the new versions of CyberStation and the new controllers, such as NetController II 9680 and ACX 57x0, can be configured to communicate with controllers that do not support network security.
Table 1 Required Hardware and Software WorkStation
Software Continuum CyberStation v1.8 (and higher) Windows XP SP2, Windows 2000 SP4, Windows Server 2003
Controller
Hardware NetController II 9680 ACX 57x0 series Access
Privileges Administrative privileges on the workstation to configure the Local Secity Policy.
Administrative privileges on the controller to logon to the Web configuration pages and configure Network Security Properties.
Network IP
Addresses You must know the static IP address for each workstation.
You must have an available static IP address for each controller.
Chapter 1: Security Configuration Overview
6 Schneider Electric
Chapter 2
Configuring the Controller
This chapter presents the procedures for configuring network security on the controllers.
Topics include:
z Determining if the Network Security Option is Enabled z Configuring a Controller for Secure Communication
z Configuring a Controller for Secure Communication in FIPS 140-2 Validated Mode
Chapter 2: Configuring the Controller
8 Schneider Electric
Determining if the Network Security Option is Enabled
To determine if the Network Security option is enabled on the controller, complete this procedure
Note: On Andover Continuum controllers, Network Security is not enabled by default and must be purchased as a separately sold option from Schneider Electric.
Step 1: From the Continuum Explorer, edit the online controller Step 2: Select the Options tab on the Infinity Controller editor and
check the value of the Network Security option.
If the Network Security option value is “Enabled,” proceed to:
Configuring a Controller for Secure Communication. If the Network Security option value says “Disabled,” continue with the next step.
Chapter 2: Configuring the Controller
Step 3: Click the Update OS button, and load the appropriate UPD file, which was provided when you purchased the Network Security option from Schneider Electric, to enable the Network Security option for this controller.
Step 4: When you have completed the update, verify that the controller has returned online.
Step 5: Select the Options tab on the Infinity Controller editor and verify that the Network Security option is set to “Enabled.”
Configuring a Controller for Secure Communication
To configure a controller, complete the steps in the following sections.
Chapter 2: Configuring the Controller
10 Schneider Electric
Note: If a controller has the Network Security option enabled, you must access and configure the controller using a Web browser.
Accessing the Network Security Configuration Web Page
To access the controller's Web configuration page, log in as an administrative user and navigate to the Network Security Configuration Web page. For instructions on logging in and
navigating, see the NetController II Operation and Technical Reference Guide 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999
Chapter 2: Configuring the Controller
Configuring the Controller for the Preferred Security
When you are configuring the controller on the Network Security Configuration Web page, you can set the following security options:
z Peer to Peer Security Configuration-- These options allow each workstation and controller to communication with each other and authenticate each other’s identity using the same Shared
Authorization Secret.
z Network Security Options -- These options allow for different levels of network security, including no security (the factory default), a network security policy requiring that all Andover Continuum traffic be authenticated, or a network security policy requiring that all Andover Continuum traffic be authenticated and encrypted.
z Web Server Security Options -- This option allows for applying the network security level selected under Network Security Options to the controllers Web Server. The network security level will be applied to all of the Web Configuration and Plain English Web pages if this option is turned on.
Peer to Peer Security Configuration
To configure Peer to Peer Security, complete this procedure:
Step 1: In the Enter Code field, enter an Authentication Secret for Key Negotiation. The secret may be any ASCII string up to 32 characters.
Note: The default secret from the factory is “itsasecret”. You must remember the secret that you enter here for later use. All controllers and CyberStations that need to communicate securely must be configured with the same secret.
Step 2: You must re-enter the same secret in the Confirm Code field to confirm your secret.
Step 3: If this controller will be required to communicate with legacy
Chapter 2: Configuring the Controller
12 Schneider Electric
network, select Allow communication with unsecured controllers.
Step 4: If this controller will only communicate with secure peers, select Do not allow communication with unsecured controllers.
Network Security Options
To configure the Network Security Options, complete this procedure:
Step 1: Keeping the default selection, No Network Security, allows this controller to communicate unsecurely, without network security.
Step 2: Selecting Authentication Only authenticates packets only.
Choosing this option will allow packet snooping of the Schneider Electric Andover Continuum Protocol on the wire.
However, packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.
Step 3: Selecting Authentication and Encryption authenticates and encrypts packets. Choosing this option does not allow snooping of the Schneider Electric Andover Continuum Protocol on the wire, as the data are encrypted. Packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.
Note: You must remember the option you selected for later use. All controllers and CyberStations that will communicate securely MUST be configured with the same option.
Web Server Security Options
To configure the Web Server Security Options, complete this procedure:
Step 1: Selecting Do not apply Security to Web pages will allow all Web communication to be unsecured and allows sniffing of the http protocol.
Chapter 2: Configuring the Controller
Step 2: Selecting Apply Security to Web Pages secures the Web communication with the selected Network Security Option.
Note: If this option is selected, it is recommended that the default Web port be changed from TCP Port 80, to Port 33920. You can make this change on the controller’s Controller Network
Configuration Web page. Refer to the NetController Operation and Technical Reference Guide, 30-3001-995, and the ACX 57xx Series Controller Operational and Technical Reference Guide, 30-3001-999. Submit the Changes for Network Security Configuration
Submit the Changes for Network Security Configuration
To submit changes, follow this procedure.
Step 1: Review all changes.
Chapter 2: Configuring the Controller
14 Schneider Electric
Note: After submitting changes, informational messages that signify the configuration changes are displayed on the bottom of the page.
Step 2: To commit the changes and restart the controller, navigate to the Commit Changes page and then click Commit
Changes/Restart Controller.
Changes take effect when the controller restarts.
Chapter 2: Configuring the Controller
Configuring a Controller for Secure Communication in FIPS 140-2 Validated Mode
To configure a controller for Secure Communication in FIPS 140-2 validated mode, complete the steps in the following sections.
In order to configure the controller to operate in a FIPS 140-2 validated mode, the controller must have the “Network Security - FIPS 140-2 validated” option enabled.
To verify the FIPS 140-2 option is enabled:
Step 1: Navigate to the controller’s Web configuration page.
Step 2: Log in as an administrator
Note: For instructions on logging in and navigating, refer to the NetController II Operation and Technical Reference Guide, 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999.
Step 3: Select “Option Settings” from the menu. The Network Security option should be listed as “Enabled - FIPS 140-2”
Chapter 2: Configuring the Controller
16 Schneider Electric
.
Accessing the Network Security Configuration Web Page
When configuring the controller to operate in FIPS 140-2 validated mode, specific steps must be taken for the initial security configuration.
In order to complete these steps you must connect directly from your laptop or PC’s Ethernet port to the controller’s Ethernet port using a RJ-45 cable.
Perform the following steps to start the initial configuration.
Step 1: Be sure to have a copy of the
TACEncryptAndAuthenticatePolicy.ipsec file on the laptop or PC that you will be using to configure the controller. This file can be found at: <install drive>:\Program
Files\Continuum\Network Security\
Chapter 2: Configuring the Controller
Step 2: Set your laptop or PC’s IP address to an address in the range of 169.254.1.2-254
Step 3: Directly connect an RJ-45 cable between your laptop or PC and the controller’s Ethernet port.
Step 4: Access the controller’s Web configuration page using a Web browser on your laptop or PC by navigating to the controller’s default IP address at http://169.254.1.1
Step 5: Log in as an administrative user and navigate to the Network Security Configuration Web page.
Note: For instructions on logging in and navigating, refer to the NetController II Operation and Technical Reference Guide, 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999.
Chapter 2: Configuring the Controller
18 Schneider Electric
Configuring the Controller for the Preferred Security
When configuring the controller on the Network Security Configuration Web page, you can set the following security options:
z Peer to Peer Security Configuration - These options allow each workstation and controller to communicate with each other and authenticate each other’s identity using the same Shared Authorization Secret.
z Network Security Options - These options allow for different levels of network security, including no security (the factory default), a network security policy requiring that all Andover Continuum traffic be authenticated, or a network security policy requiring that all Andover Continuum traffic be authenticated and encrypted.
z Web Server Security Options - This option allows for applying the network security level selected under Network Security Options to the controller’s Web server. The network security level will be applied to all of the Web Configuration and Plain English Web
Chapter 2: Configuring the Controller
pages if this option is turned on. Select this option when the controller is being configured to run in FIPS 140-2 validated mode.
Peer to Peer Security Configuration
To configure Peer to Peer Security, complete this procedure:
Step 1: In the Enter Previous Code field, enter an Authentication Secret for Key Negotiation. The secret may be any ASCII string with a minimum length of 8 characters and a maximum of 32 characters.
Note: The default secret from the factory is “itsasecret”. You must remember the secret that you enter here for later use. All controllers and CyberStations that need to communicate securely must be configured with the same secret.
Note: The first time the controller is configured for Network Security in FIPS 140-2 validated mode, the connection to the controller is unsecured. After configuring the controller for Network Security in FIPS 140-2 validated mode for the first time, you may then go back and change the Authentication Secret from the factory default to a more secure secret of your choice.
Step 2: You must re-enter the same secret in the Enter New Code field.
Step 3: You must re-enter the same secret in the Confirm New Code field.
Step 4: If this controller will be required to communicate with legacy controllers that do not support the network security or controllers that have network security disabled on the same logical network, select Allow communication with unsecured controllers.
Step 5: If this controller will only communicate with secure peers, select Do not allow communication with unsecured controllers.
Chapter 2: Configuring the Controller
20 Schneider Electric
Network Security Options
To configure the Network Security Options, complete this procedure:
Step 1: Keeping the default selection, No Network Security, allows this controller to communicate unsecurely, without network security. In this configuration, FIPS 140-2 validated mode will be disabled.
Step 2: Selecting Authentication Only authenticates packets only.
Choosing this option will allow packet snooping of the Schneider Electric Andover Continuum Protocol on the wire.
However, packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.
Step 3: Selecting Authentication and Encryption authenticates and encrypts packets. Choosing this option does not allow snooping of the Schneider Electric Andover Continuum Protocol on the wire, as the data are encrypted. Packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.
Note: You must remember the option you selected for later use. All controllers and CyberStations that will communicate securely MUST be configured with the same option.
Web Server Security Options
To configure the Web Server Security Options, complete this procedure:
Step 1: Selecting Do not apply Security to Web Pages will allow all Web communication to be unsecured and allow sniffing of the http protocol.
Step 2: Selecting Apply Security to Web Pages secures the Web communication with the selected Network Security Option.
Chapter 2: Configuring the Controller
Note: This option should be selected when the controller is being configured to run in FIPS 140-2 validated mode. If this option is selected, it is recommended that the default Web port be
changed from TCP Port 80 to Port 33920. You can make this change on the controller’s Controller Network
Configuration Web page. Refer to the NetController Operation and Technical Reference Guide, 30-3001-995, and the ACX 57xx Series Controller Operational and Technical Reference Guide, 30-3001-999.
Submit the Changes for Network Security Configuration
To submit the changes, follow this procedure:
Step 1: Review all changes.
Note: After submitting changes, informational messages that signify
Chapter 2: Configuring the Controller
22 Schneider Electric
Step 2: To commit the changes and restart the controller, navigate to the Commit Changes page and then click Commit
Changes/Restart Controller. Changes take effect when the controller restarts.
Step 3: Follow the procedure in Chapter 3 “Configuring the
Workstation”, being sure to configure the workstation for Web Security. Once the workstation has been configured for Network Security, access the controller’s Web configuration pages again. You will now be accessing the controller’s Web pages securely and the controller will be operating in FIPS 140-2 validated mode.
Step 4: Log in to the controller’s Web page as an administrative user and navigate to the Network Security Configuration page.
Validate that the controller displays that all Encryption Algorithm Known Answer Tests have passed and that the controller is running in FIPS 140-2 validated mode.
Note: Since security is now applied to the Web pages and the default Web port changed from 80 to 33920, the following format must be used to access the controller’s Web page securely:
http://<ip address>:<web port>/
Chapter 2: Configuring the Controller
Step 5: At this time you may securely enter an authorization secret of your choosing.
Step 6: Now that the controller is operating in FIPS 140-2 validate mode, you may configure the controller to use an IP address that is appropriate for your network. Once the appropriate IP address has been entered, you may disconnect your laptop or PC from the controller and connect the controller to your network.
Chapter 2: Configuring the Controller
24 Schneider Electric
Chapter 3
Configuring the Workstation
This chapter describes the procedures for configuring a CyberStation workstation’s local security policy. The security configuration for each workstation that communicates with a Schneider Electric network controller must match the controller’s security configuration.
Topics include:
z Importing the IPSec Security Policy z Editing the Imported Security Policy z Assigning the Imported Security Policy z Exporting the Modified Security Policy
Note: These procedures must be performed by a system administrator and they must be performed on each CyberStation workstation with which the controller will communicate.