Andover Continuum. Network Security Configuration Guide

(1)

Andover Continuum

(2)

No part of this publication may be reproduced, read or stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Schneider Electric.

This document is produced in the United States of America.

Product Names are trademarks of Schneider Electric. All other trademarks are the prop-erty of their respective owners.

Title: Andover Continuum Network Security Configuration Guide Revision: B

Date: February, 2010

Schneider Electric part number: 30-3001-996

Controller names and version number: NetController II model 9680 version 2.0 and ACX 57x0 first-release firmware.

Software application version number: Andover Continuum CyberStation Version 1.8 The information in this document is furnished for informational purposes only, is subject to change without notice, and should not be construed as a commitment by Schneider Elec-tric. Schneider Electric assumes no liability for any errors or inaccuracies that may appear in this document.

Schneider Electric One High Street

North Andover, MA 01845 Phone: (978) 975-9600 Fax: (978) 975-9782

(3)

February, 2010

Network Security Configuration

Guide

30-3001-996 Revision B

(4)

(5)

About this Manual

What’s in this Manual

This manual contains the following content:

z Chapter 1, Network Security Configuration Overview, describes the

steps required for establishing network security on both the controller and the CyberStation workstations that communicate with the controller.

z Chapter 2, Configuring the Controller, presents the procedures to

configure network security on the controller

z Chapter 3, Configuring the Workstation, presents the procedures to configure security on the CyberStation workstations that

communicate with the controller.

z Chapter 4, Activating Network Securing for the Controller, presents

procedures to activate the network security configuration on both existing and new controllers.

(6)

About this Manual

6 Schneider Electric

Symbols Used

The Notes, Warnings and Cautions used in this manual are listed below.

Note: Contains additional information of interest to the user.

Document Document

Number NetController II Installation Instructions 30-3001-994 NetController II Operation and Technical Reference Guide 30-3001-995 ACX 57xx Series Controller Installation Instructions TBD ACX 57xx Controller Operation and Technical Reference

Guide

TBD Andover Continuum CyberStation Configurator’s Guide 30-3001-781

CAUTION or WARNING Type of hazard

How to avoid hazard.

Failure to observe this precaution can result in injury or equipment damage.

(7)

Chapter 1 Security Configuration Overview ...

5

Securing IP Controllers Overview ... 6

Before Getting Started ... 7

Chapter 2 Configuring the Controller ...

9

Determining if the Network Security Option is Enabled ... 10

Configuring a Controller for Secure Communication ... 11

Accessing the Network Security Configuration Web Page ... 12

Configuring the Controller for the Preferred Security ... 13

Peer to Peer Security Configuration ... 13

Network Security Options ... 14

Web Server Security Options ... 14

Submit the Changes for Network Security Configuration ... 15

Chapter 3 Configuring the Workstation ...

17

Importing the IPSec Security Policy ... 18

Editing the Imported Security Policy ... 22

Assigning the Imported Security Policy ... 25

Exporting the Modified Security Policy ... 26

Chapter 4 Activating Network Security for the Controller ...

29

Setting the Network Security Attribute of an Existing Controller 30 Creating a New Controller in CyberStation ... 32

(8)

Contents

(9)

Chapter 1

Security Configuration

Overview

This chapter presents a brief overview of the major steps for

establishing network security on a new network controller, such as the NetController II 9680 or the ACX 57x0, and it provides the

requirements checklist for hardware, software, communication, and access privileges.

Topics include:

z Securing IP Controller Overview z Before Getting Started

(10)

Chapter 1: Security Configuration Overview

Securing IP Controllers Overview

The communication between the controller and workstation is secured using Internet Protocol Security (IPSec) and the Internet Key

Exchange Protocol (IKE).

IPSec, a set of extensions to the IP protocol family, ensures data authentication, integrity, and encryption or authentication and integrity only of IP packets.

IKE securely negotiates the properties of the security associations of IPSec enabled peers, such as Andover Continuum controllers and workstations, once all of the following tasks have been addressed. Configuring Network security for the newest generation of Schneider Electric controllers includes the following steps:

Task 1: Determine if network security is enabled for the controller Task 2: Configure controller for secure communication

Task 3: Configure network security on the workstation Task 4: Activate network security for the controller

The following table provides a brief overview of the configuration process and the major tasks defined in this manual.

Task Configured In Description

Task 1 CyberStation software (Chapter 2)

Determines whether or not your site has purchased the network security option for this NetController II 9680 or ACX 57x0 controller.

Task 2 Controller (Chapter 2)

Configured network security settings inside the controller.

Task 3 Workstation (Chater 3)

Imports, edits, assigns, and exports the local Schneider Electric network security policy on the workstation.

Task 4 CyberStation sofware (Chapter 4)

Sets the Network Security attributes for an existing controller or a new controller.

(11)

Before Getting Started

Before you start configuring your controllers and workstations, make sure you have the required hardware and software to configure network security successfully.

Note: You may need to contact your Network Administrator to get the

IP addresses.

Note: Older versions of Andover Continuum controllers do not support

network security. However, the new versions of CyberStation and the new controllers, such as NetController II 9680 and ACX 57x0, can be configured to communicate with controllers that do not support network security.

Table 1 Required Hardware and Software

WorkStation

Software Continuum CyberStation v1.8 (and higher)_{Windows XP SP2, Windows 2000 SP4,} Windows Server 2003

Controller

Hardware NetController II 9680_{ACX 57x0 series} Access

Privileges Administrative privileges on the workstation _{to configure the Local Secity Policy.} Administrative privileges on the controller to logon to the Web configuration pages and configure Network Security Properties. Network IP

Addresses You must know the static IP address for each _workstation. You must have an available static IP address for each controller.

(12)

(13)

Chapter 2

Configuring the Controller

This chapter presents the procedures for configuring network security on the controllers.

Topics include:

z Determining if the Network Security Option is Enabled z Configuring a Controller for Secure Communication

z Configuring a Controller for Secure Communication in FIPS 140-2

(14)

Chapter 2: Configuring the Controller

Determining if the Network Security Option is Enabled

To determine if the Network Security option is enabled on the controller, complete this procedure

Note: On Andover Continuum controllers, Network Security is not

enabled by default and must be purchased as a separately sold option from Schneider Electric.

Step 1: From the Continuum Explorer, edit the online controller Step 2: Select the Options tab on the Infinity Controller editor and

check the value of the Network Security option.

If the Network Security option value is “Enabled,” proceed to:

Configuring a Controller for Secure Communication. If the Network Security option value says “Disabled,” continue with the next step.

(15)

Step 3: Click the Update OS button, and load the appropriate UPD file, which was provided when you purchased the Network Security option from Schneider Electric, to enable the Network Security option for this controller.

Step 4: When you have completed the update, verify that the controller has returned online.

Step 5: Select the Options tab on the Infinity Controller editor and verify that the Network Security option is set to “Enabled.”

Configuring a Controller for Secure Communication

(16)

Note: If a controller has the Network Security option enabled, you

must access and configure the controller using a Web browser.

Accessing the Network Security Configuration Web Page

To access the controller's Web configuration page, log in as an administrative user and navigate to the Network Security

Configuration Web page. For instructions on logging in and

navigating, see the NetController II Operation and Technical Reference Guide 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999

(17)

Configuring the Controller for the Preferred Security

When you are configuring the controller on the Network Security

Configuration Web page, you can set the following security options:

z Peer to Peer Security Configuration-- These options allow each

workstation and controller to communication with each other and authenticate each other’s identity using the same Shared

Authorization Secret.

z Network Security Options -- These options allow for different

levels of network security, including no security (the factory default), a network security policy requiring that all Andover Continuum traffic be authenticated, or a network security policy requiring that all Andover Continuum traffic be authenticated and encrypted.

z Web Server Security Options -- This option allows for applying

the network security level selected under Network Security Options to the controllers Web Server. The network security level will be applied to all of the Web Configuration and Plain English Web pages if this option is turned on.

Peer to Peer Security Configuration

To configure Peer to Peer Security, complete this procedure: Step 1: In the Enter Code field, enter an Authentication Secret

for Key Negotiation. The secret may be any ASCII string up

to 32 characters.

Note: The default secret from the factory is “itsasecret”. You must

remember the secret that you enter here for later use. All controllers and CyberStations that need to communicate securely must be configured with the same secret.

Step 2: You must re-enter the same secret in the Confirm Code field to confirm your secret.

(18)

network, select Allow communication with unsecured

controllers.

Step 4: If this controller will only communicate with secure peers, select Do not allow communication with unsecured

controllers.

Network Security Options

To configure the Network Security Options, complete this procedure:

Step 1: Keeping the default selection, No Network Security, allows this controller to communicate unsecurely, without network security.

Step 2: Selecting Authentication Only authenticates packets only. Choosing this option will allow packet snooping of the Schneider Electric Andover Continuum Protocol on the wire. However, packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.

Step 3: Selecting Authentication and Encryption authenticates and encrypts packets. Choosing this option does not allow snooping of the Schneider Electric Andover Continuum Protocol on the wire, as the data are encrypted. Packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.

Note: You must remember the option you selected for later use. All

controllers and CyberStations that will communicate securely MUST be configured with the same option.

Web Server Security Options

To configure the Web Server Security Options, complete this procedure: Step 1: Selecting Do not apply Security to Web pages will allow all Web communication to be unsecured and allows sniffing of the http protocol.

(19)

Step 2: Selecting Apply Security to Web Pages secures the Web communication with the selected Network Security Option.

Note: If this option is selected, it is recommended that the default Web

port be changed from TCP Port 80, to Port 33920. You can make this change on the controller’s Controller Network

Configuration Web page. Refer to the NetController Operation

and Technical Reference Guide, 30-3001-995, and the ACX 57xx Series Controller Operational and Technical Reference Guide, 30-3001-999. Submit the Changes for Network Security Configuration

Submit the Changes for Network Security Configuration

To submit changes, follow this procedure.

(20)

Note: After submitting changes, informational messages that signify

the configuration changes are displayed on the bottom of the page.

Step 2: To commit the changes and restart the controller, navigate to the Commit Changes page and then click Commit

Changes/Restart Controller.

(21)

Configuring a Controller for Secure Communication in

FIPS 140-2 Validated Mode

To configure a controller for Secure Communication in FIPS 140-2 validated mode, complete the steps in the following sections.

In order to configure the controller to operate in a FIPS 140-2 validated mode, the controller must have the “Network Security - FIPS 140-2 validated” option enabled.

To verify the FIPS 140-2 option is enabled:

Step 1: Navigate to the controller’s Web configuration page. Step 2: Log in as an administrator

Note: For instructions on logging in and navigating, refer to the

NetController II Operation and Technical Reference Guide, 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999.

Step 3: Select “Option Settings” from the menu. The Network Security option should be listed as “Enabled - FIPS 140-2”

(22)

16 Schneider Electric .

Accessing the Network Security Configuration Web Page

When configuring the controller to operate in FIPS 140-2 validated mode, specific steps must be taken for the initial security configuration. In order to complete these steps you must connect directly from your laptop or PC’s Ethernet port to the controller’s Ethernet port using a RJ-45 cable.

Perform the following steps to start the initial configuration. Step 1: Be sure to have a copy of the

TACEncryptAndAuthenticatePolicy.ipsec file on the laptop or PC that you will be using to configure the controller. This file can be found at: <install drive>:\Program

(23)

Step 2: Set your laptop or PC’s IP address to an address in the range of 169.254.1.2-254

Step 3: Directly connect an RJ-45 cable between your laptop or PC and the controller’s Ethernet port.

Step 4: Access the controller’s Web configuration page using a Web browser on your laptop or PC by navigating to the controller’s default IP address at http://169.254.1.1

Step 5: Log in as an administrative user and navigate to the Network

Security Configuration Web page.

Note: For instructions on logging in and navigating, refer to the

NetController II Operation and Technical Reference Guide, 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999.

(24)

Configuring the Controller for the Preferred Security

When configuring the controller on the Network Security Configuration Web page, you can set the following security options:

z Peer to Peer Security Configuration - These options allow each

workstation and controller to communicate with each other and authenticate each other’s identity using the same Shared Authorization Secret.

z Network Security Options - These options allow for different

levels of network security, including no security (the factory default), a network security policy requiring that all Andover Continuum traffic be authenticated, or a network security policy requiring that all Andover Continuum traffic be authenticated and encrypted.

z Web Server Security Options - This option allows for applying

the network security level selected under Network Security Options to the controller’s Web server. The network security level will be applied to all of the Web Configuration and Plain English Web

(25)

pages if this option is turned on. Select this option when the controller is being configured to run in FIPS 140-2 validated mode.

Peer to Peer Security Configuration

To configure Peer to Peer Security, complete this procedure:

Step 1: In the Enter Previous Code field, enter an Authentication

Secret for Key Negotiation. The secret may be any ASCII

string with a minimum length of 8 characters and a maximum of 32 characters.

Note: The default secret from the factory is “itsasecret”. You must

remember the secret that you enter here for later use. All controllers and CyberStations that need to communicate securely must be configured with the same secret.

Note: The first time the controller is configured for Network Security

in FIPS 140-2 validated mode, the connection to the controller is unsecured. After configuring the controller for Network Security in FIPS 140-2 validated mode for the first time, you may then go back and change the Authentication Secret from the factory default to a more secure secret of your choice.

Step 2: You must re-enter the same secret in the Enter New Code field.

Step 3: You must re-enter the same secret in the Confirm New Code field.

Step 4: If this controller will be required to communicate with legacy controllers that do not support the network security or controllers that have network security disabled on the same logical network, select Allow communication with

unsecured controllers.

Step 5: If this controller will only communicate with secure peers, select Do not allow communication with unsecured

(26)

Network Security Options

To configure the Network Security Options, complete this procedure:

Step 1: Keeping the default selection, No Network Security, allows this controller to communicate unsecurely, without network security. In this configuration, FIPS 140-2 validated mode will be disabled.

Step 2: Selecting Authentication Only authenticates packets only. Choosing this option will allow packet snooping of the Schneider Electric Andover Continuum Protocol on the wire. However, packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.

Step 3: Selecting Authentication and Encryption authenticates and encrypts packets. Choosing this option does not allow snooping of the Schneider Electric Andover Continuum Protocol on the wire, as the data are encrypted. Packets may not be replayed to the controller and the controller will disregard any packets that have had their data altered by an intrusive third party.

Note: You must remember the option you selected for later use. All

controllers and CyberStations that will communicate securely MUST be configured with the same option.

Web Server Security Options

To configure the Web Server Security Options, complete this procedure:

Step 1: Selecting Do not apply Security to Web Pages will allow all Web communication to be unsecured and allow sniffing of the http protocol.

Step 2: Selecting Apply Security to Web Pages secures the Web communication with the selected Network Security Option.

(27)

Note: This option should be selected when the controller is being

configured to run in FIPS 140-2 validated mode. If this option is selected, it is recommended that the default Web port be

changed from TCP Port 80 to Port 33920. You can make this change on the controller’s Controller Network

Configuration Web page. Refer to the NetController Operation

and Technical Reference Guide, 30-3001-995, and the ACX 57xx Series Controller Operational and Technical Reference Guide, 30-3001-999.

Submit the Changes for Network Security Configuration

To submit the changes, follow this procedure:

Step 1: Review all changes.

(28)

Step 2: To commit the changes and restart the controller, navigate to the Commit Changes page and then click Commit

Changes/Restart Controller. Changes take effect when the

controller restarts.

Step 3: Follow the procedure in Chapter 3 “Configuring the

Workstation”, being sure to configure the workstation for Web Security. Once the workstation has been configured for Network Security, access the controller’s Web configuration pages again. You will now be accessing the controller’s Web pages securely and the controller will be operating in FIPS 140-2 validated mode.

Step 4: Log in to the controller’s Web page as an administrative user and navigate to the Network Security Configuration page. Validate that the controller displays that all Encryption Algorithm Known Answer Tests have passed and that the controller is running in FIPS 140-2 validated mode.

Note: Since security is now applied to the Web pages and the default

Web port changed from 80 to 33920, the following format must be used to access the controller’s Web page securely:

(29)

Step 5: At this time you may securely enter an authorization secret of your choosing.

Step 6: Now that the controller is operating in FIPS 140-2 validate mode, you may configure the controller to use an IP address that is appropriate for your network. Once the appropriate IP address has been entered, you may disconnect your laptop or PC from the controller and connect the controller to your network.

(30)

(31)

Chapter 3

Configuring the Workstation

This chapter describes the procedures for configuring a CyberStation workstation’s local security policy. The security configuration for each workstation that communicates with a Schneider Electric network controller must match the controller’s security configuration. Topics include:

z Importing the IPSec Security Policy z Editing the Imported Security Policy z Assigning the Imported Security Policy z Exporting the Modified Security Policy

Note: These procedures must be performed by a system administrator

and they must be performed on each CyberStation workstation with which the controller will communicate.

(32)

Chapter 3: Configuring the Workstation

Importing the IPSec Security Policy

To import IPSec Security Policies, complete this procedure: Step 1: From the Windows Control Panel, double click on

(33)

Step 2: From the Administrative Tools display, double click Local

Security Policy.

Step 3: From the Local Security Settings dialog, right click on IP

(34)

Step 4: Select All Tasks from the popup menu, then select Import

Policies from the submenu.

Step 5: From the Open dialog, navigate to the Network Security

Policy folder: <install drive>:\Program

Files\Continuum\Network Security. If you installed Continuum to another directory other than the default, the files will reside at: <install path>\Network Security. Step 6: If you configured the controller for Authentication Only,

select the TACAuthenticatePolicy.ipsec file. If you configured the controller for Authentication and Encryption, select the TACEncryptAndAuthenticatePolicy.ipsec file.

(35)

Step 7: Click Open to import the policy.

Step 8: Verify that the appropriate policy--TAC Encrypt and

Authenticate or TAC Authenticate--is now available under Local Security Settings.

(36)

Editing the Imported Security Policy

To edit imported security policies, complete this procedure:

Step 1: Double click the name of the imported security policy. The

TAC Encrypt and Authenticate Properties dialog

appears.

Step 2: If you configured the controller for Web Security, enable the

TAC Web Server Filter in the IP Security rules list by

checking the check box on the Rules tab. If you did not configure the controller for Web Security, leave the check box unchecked.

(37)

Step 3: For each TAC rule in the list, click Edit. For each, the Edit

Rule Properties dialog appears.

Step 4: Select the Authentication Methods tab, select the

(38)

Step 5: In the Edit Authentication Method Properties dialog, enter the same secret here that was entered in the controller.

Step 6: Repeat setting the Authentication Secret for each rule in the list

Note: The secret entered here is not a hidden field. Access to the Local

Security Policy tool is restricted to users with administrative privileges on the machine. In order to protect access to the shared secret, all other users of the machine that will run CyberStation should be restricted to Windows “Power Users.”

(39)

Assigning the Imported Security Policy

To assign imported security policies, complete this procedure: Step 1: Right click on TAC Encrypt and Authenticate or TAC

Authenticate, depending on which Security Policy you imported, and select Assign.

Step 2: IPSec Security Policy is now enabled, and the workstation can communicate to security enabled controllers.

(40)

Exporting the Modified Security Policy

For installations where there are multiple CyberStation workstations, the edited security policy may be exported for use on other

CyberStations. This will allow for importing the modified policy on the other CyberStation workstations without having to edit the policy on each.

Step 1: From the Local Security Settings dialog, right click on IP

Security Policies on Local Computer.

Step 2: Select All Tasks from the popup menu, then select Export

Policies from the submenu.

Step 3: From the Save As dialog, select an appropriate directory, or create a new directory, to which the modified policy will be exported.

(41)

Step 4: Provide an appropriate file name for the modified policy to be exported and click the Save button.

Step 5: Import the exported IPSec policy file to the other CyberStations that are installed, and assign the policy.

(42)

(43)

Chapter 4

Activating Network Security

for the Controller

When a CyberStation workstation has the local security policy that allows it to communicate securely with the controller's devices, the security attribute of the existing controllers can be turned on, or a new controller with the security attribute can be created. This chapter describes the following procedures.

Topics include:

z Setting the Network Security Attribute of an Existing Controller z Creating a New Controller in CyberStation

(44)

Chapter 4: Activating Network Security for the Controller

Setting the Network Security Attribute of an Existing

Controller

In CyberStation, set the Network Security attribute of an existing controller, complete the procedure:

Step 1: Enter offline editing mode in CyberStation.

Step 2: Bring up the InfinityController editor for that controller. Step 3: Check the Network Security check box, and click Apply.

(45)

Step 4: Enter online editing mode.

Step 5: Verify that the controller is online. Step 6: Teach the controller.

For more information on configuring controllers in CyberStation and the teach function, please see the Continuum online help and the Andover Continuum CyberStation Configurator’s guide, 30-3001-781.

(46)

Creating a New Controller in CyberStation

To create a new controller in CyberStation, complete this procedure: Step 1: In the Continuum Explorer, create a new InfinityController

object.

Step 2: On the General tab, select 9680 from the Controller Type dropdown menu.

Step 3: Enter the appropriate ACCNetID. Step 4: Check the Network Security checkbox.

Step 5: On the Network tab, enter the appropriate network settings. Step 6: Click Apply.

(47)

Step 7: Verify that the controller is online. Step 8: Teach the controller.

For more information on configuring controllers in CyberStation and the teach function, please see the Continuum online help and the Andover Continuum CyberStation Configurator’s guide, 30-3001-781.

(48)

(49)

(50)

Network Security Configuration Guide Document Number 30-0001-996

Andover Continuum. Network Security Configuration Guide