How can you protect the S7-300/400 against unauthorized access from the LAN (local area network)?
If you are using an Industrial Ethernet CP that supports the "IP access list" function in the S7-300/400, you can prevent unauthorized access via the LAN (local area network).
The following modules support the "IP access list" function:
6GK7 343-1GX20-0XE0 - from V1.0 (CP343-1 IT)
6GK7 343-1GX21-0XE0 - from V1.0 (CP343-1 Advanced)
6GK7 343-1GX30-0XE0 - from V1.0 (CP343-1 Advanced)
6GK7 343-1EX21-0XE0 - from V1.0 (CP343-1)
6GK7 343-1EX30-0XE0 - from V2.0 (CP343-1)
6GK7 443-1EX10-0XE0 - from V2.3 (CP443-1)
6GK7 443-1EX11-0XE0 - from V2.3 (CP443-1)
6GK7 443-1EX20-0XE0 - from V1.0 (CP443-1)
6GK7 443-1EX40-0XE0 - from V1.0 (CP443-1 Advanced)
6GK7 443-1EX41-0XE0 - from V1.0 (CP443-1 Advanced)
6GK7 443-1GX20-0XE0 - from V2.0 (CP443-1 Advanced)
IP access list
The IP access list is configured in the Properties dialog of the Industrial Ethernet CP concerned.
In the configuration, it is possible to define a list of IP addresses that are permitted access to the module. For example, in the configuration you can enter all the IP addresses of the programming devices that are authorized to have access. This then prevents unauthorized access from PCs, for example, to the S7-300/400 via the LAN.
The CP works on the following principle
Every time a message is received via the LAN, a check is made to see whether the sender's IP address is on the IP access list. If not, the message is discarded, and the partner receives neither a positive nor a negative response. If the IP address is on the IP access list, i.e. it has access authorization, the message is forwarded and processed.
Special feature of the IP access list
If you want double IP addresses to be recognized in the network, then you must enter the IP address of the Industrial Ethernet CP in the IP access list.
Otherwise, no reply is made to the PING sent by the partner module, because the IP access list check reveals that it does not have access authorization. The double IP address in the network is not recognized otherwise.
Configuration of the IP access list
- Open the HW Config of your S7-300/400.
- Double-click on the Industrial Ethernet CP. The Properties dialog opens.
- Select the "IP Access Protection" tab.
- Check the "Activate access protection for IP communication" function to activate the IP access list.
- Now enter the IP addresses or IP address bands of the devices that have access authorization.
The IP Access List is only effective in TCP / UDP or ISO-on-TCP communication. It does not take into account messages sent via the ISO transport protocol and MAC addresses.
Loading the configuration into the module
You have the following options for loading the configuration data.
- Loading via the MPI interface of the CPU.
- Loading via the LAN (ISO protocol or TCP/IP protocol).
The following points should be noted here.
- Loading via MPI
There are no restrictions for loading configuration data via MPI.
- Loading via ISO protocol
The Industrial Ethernet CP, via which the configuration data is to be loaded, must support the ISO protocol.
- Loading via the TCP/IP protocol
If the configuration is to be loaded with the IP access list into the module via TCP/IP, the IP address of the configuration PC/PG has to be entered in the IP access list!
The IP access list becomes effective before the loading into the module procedure has been terminated. The IP address of the PC/PG then suddenly no longer has access authorization to the S7-300/400. STEP 7 then reports a faulty loading procedure and the CPU reports inconsistent configuration.
Enter the IP address of the configuration PC/PG into the IP access list and the load the configuration again via ISO protocol or MPI.
If the IP address of the PC/PG is not to be entered in the IP access list, then the configuration usually has to be loaded via MPI or ISO protocol.
Security, LAN, Access authorization, Module protection, Network