SICAM A8000 CP-8050: Hardware Based Application Layer Firewall


SICAM A8000 CP-8050

Hardware based application layer Firewall

www.siemens.com/sicam-a8000

What describes a “Hardware based application layer firewall”?

At least two different Ethernet LANs are used (e.g. control center LAN A and station LAN B). Information should be transferred from/to these LANs, but without any physical connection and without any layer < 7 connection. That means no TCP/IP connection between these LANs. The TCP/IP stacks run independently from each other.

“Hardware based application layer firewall” with SICAM A8000 CP-8050/CI-8520

Note: CI-8520 is only a “multiplier of Ethernet ports” without any CPU, which means the ports are a logical part of the CP-8050. Each port is part of a switch, but it can be configured so that every single port is separated from the others (no physical connection), and each port can have its own MAC address.

In this solution, IEC60870-5-104 has its own TCP/IP stack. That means that, in addition to the already possible hardware split of the Ethernet ports (each Ethernet port can have its own MAC address), a different TCP/IP stack is used, which allows even the same IP address to be used multiple times in the same CP-8050 system. The operating system and other communication services and protocols cannot see these ports anymore. This is achieved by implementing a different path to the drivers to handle the communication between the Ethernet driver and the TCP/IP stacks. The operating system can only see the Ethernet interfaces that are not specially parametrized for the hardware based application layer firewall, which means all TCP/IP functions in the operating system can only see their own ports (SNMP or statistics cannot see these ports). The IP addresses parametrized for this protocol are also unknown to the operating system.

[Figure labels: SCADA; Data exchange to other TSOs/DSOs; IEC60870-5-104; Hardware-based-application-layer-Firewall; Maintenance & Service; IEC60870-5-104; IEC61850; trusted; trusted]

Configuration information
· Protocol FWI4 has to be used for this feature
· FWI4 can be used more than one time on a CP-8050 system
· Virtual-LAN configuration is possible (connect multiple ports to one LAN)
· No other services can be used on this dedicated interface

Benefits of a hardware based application layer firewall
· Network security also within the Substation zone
· No transparent IP-connection to devices “behind” the “Hardware based application layer Firewall”
· No additional hardware needed to SICAM A8000

Compared to SICAM RTUs

BDEW White Paper conformity

If the specification “For the network separation the use of Gateways that perform a protocol conversion and do not allow any direct IP traffic should be examined.” (BDEW White Paper) is to be implemented, no conventional network firewalls (Layer 3+4) can be used.

In this case SICAM A8000 CP-8050/CI-8520 can be used as a firewall. The data of one network interface are unpacked up to Layer 7 before they are packed again into IP packets at another network interface and forwarded.

Comparison to the solution in SICAM RTUs

The solution with SICAM AK3 or SICAM TM can be covered within the new SICAM A8000 system with CP-8050 and CI-8520.

SICAM RTUs had two independent CPUs, each with its own TCP/IP stack. SICAM A8000 is a single CPU system. Still, each of the ports can be configured to be separated from the others (no physical connection), and each of the ports has its own MAC address. Because of the two different TCP/IP stacks, each can have its own IP address, subnet mask and default gateway, even the same IP address.
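
The protocol break described under “BDEW White Paper conformity” (data unpacked up to Layer 7, then packed again at the other interface), as an added illustration that is not Siemens or FWI4 code: only the ASDU crosses between the two sides, while each side keeps its own IEC 60870-5-104 sequence numbers and session-control frames are assumed to stay local. `Side`, `relay` and the sample frames are hypothetical names and constructed data.

```python
import struct

START = 0x68        # APCI start octet of IEC 60870-5-104
SEQ_MOD = 1 << 15   # send/receive sequence numbers are 15 bit

def parse_apdu(buf):
    """Return (kind, send_seq, asdu) for one complete APDU."""
    if len(buf) < 6 or buf[0] != START:
        raise ValueError("not an IEC 104 APDU")
    length = buf[1]
    if not 4 <= length <= 253 or len(buf) != 2 + length:
        raise ValueError("bad APDU length")
    c1, c2 = buf[2], buf[3]
    if c1 & 0x01 == 0:                      # I-format: carries an ASDU
        if length == 4:
            raise ValueError("I-format without ASDU")
        return "I", (c1 >> 1) | (c2 << 7), buf[6:]
    if length != 4:
        raise ValueError("S/U-format must not carry data")
    return ("U" if c1 & 0x03 == 0x03 else "S"), None, b""

def build_i_frame(send_seq, recv_seq, asdu):
    """Frame an ASDU with the sequence numbers of the sending side."""
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)
    return bytes([START, 4 + len(asdu)]) + ctrl + asdu

class Side:
    """Session state of one LAN side (hypothetical name)."""
    def __init__(self, send_seq=0, recv_seq=0):
        self.send_seq, self.recv_seq = send_seq, recv_seq

def relay(frame, src, dst):
    """Unpack a frame received on src and repack its ASDU for dst."""
    kind, ns, asdu = parse_apdu(frame)
    if kind != "I":
        return None                         # session control stays on src
    if ns != src.recv_seq:
        raise ValueError("unexpected send sequence number")
    src.recv_seq = (src.recv_seq + 1) % SEQ_MOD
    out = build_i_frame(dst.send_seq, dst.recv_seq, asdu)
    dst.send_seq = (dst.send_seq + 1) % SEQ_MOD
    return out

# Constructed sample: type 1 (single point), 1 object, COT 3, CA 1, IOA 100, ON
SAMPLE_ASDU = bytes([0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0x64, 0x00, 0x00, 0x01])
FRAME_FROM_A = build_i_frame(5, 2, SAMPLE_ASDU)   # as a peer on LAN A would send
STARTDT_ACT = bytes([START, 0x04, 0x07, 0x00, 0x00, 0x00])
```

Nothing from the APCI header of the received frame is copied into the outgoing frame, so the peer on one LAN never sees the session state of the other.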

1) Regarding the single CPU architecture this cannot be achieved, influence is reduced with software capabilities (disable interrupt during broadcast storm, switch reduced traffic on CI-8520 module)
2) Data throughput is limited regarding system internal bus between CPUs.

Siemens 2019
Smart Infrastructure
Digital Grid
Humboldtstrasse 59
91459 Nuremberg, Germany

For the U.S. published by
Siemens Industry Inc.
100 Technology Drive
Alpharetta, GA 30005, United States

Customer Support: http://www.siemens.com/csc

© Siemens 2019. Subject to changes and errors.

For all products using security features of OpenSSL, the following shall apply: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (www.openssl.org) and cryptographic software written by Eric Young (eay@cryptsoft.com) and software developed by Bodo Moeller.
