Considerations – Rockwell Automation 1756-EN2TSC EtherNet/IP Secure Communication User Manual User Manual

Page 10


Rockwell Automation Publication ENET-UM003B-EN-P - September 2013

Chapter 1

Secure Communication Architecture

The 1756-EN2TSC module provides a level of protection against unauthorized
network access, either malicious or accidental, to a ControlLogix controller via
an EtherNet/IP connection. The 1756-EN2TSC module uses the IPsec protocol
suite to provide a secure communication tunnel.

The 1756-EN2TSC module is intended for use behind an existing
firewall/DMZ that protects the plant network from outside access. This module
is not intended to be connected directly to the public Internet or to provide a
mechanism by which remote access is provided to a network. The module does
not provide the ability to expose a private network address range via IPsec; only
the module’s IP address is available.

Considerations

Out-of-the-box, the module functions just like a 1756-EN2T module, except
that the module does not support the following:

Integrated motion on EtherNet/IP networks
ControlLogix redundancy systems
SIL 2 applications
Email capabilities
EtherNet/IP socket interface

Once security is enabled, modules like POINT I/O™ adapters, FLEX™ I/O
adapters, and PowerFlex® drives are not able to establish a secure connection
because they do not support secure tunnels.

When security is enabled, the module connects with:

Upper level systems and user workstations with Windows 7 operating systems

Cisco ASA security appliances
Other 1756-EN2TSC modules

The module supports the current versions of common web browsers, such as
Internet Explorer (8 and 9). For security reasons, Secure Sockets Layer (SSL) 2.0
is disabled in the module. Browsers must enable support for cryptographic
protocols SSL 3.0 or Transport Layer Security (TLS) 1.0.

The 1756-EN2TSC module lets only those devices with proper credentials
access the module. This module is intended for use behind an existing
firewall/DMZ that protects the plant network from outside access.

To minimize complexity, the module supports the following authentication and
encryption methods.

IPsec technology with as many as 8 VPN tunnels (only one of which can
be a Cisco ASA connection)

Pre-shared key authentication
AES encryption (128, 192, and 256 bit)
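Before security is enabled, a practitioner will usually want to check a planned set of tunnels against the limits this chapter states: at most 8 tunnels, at most one of them to a Cisco ASA, pre-shared key authentication only, AES at 128, 192 or 256 bit, and peers limited to Windows 7 workstations, Cisco ASA appliances and other 1756-EN2TSC modules (POINT I/O, FLEX I/O and PowerFlex peers cannot establish a secure tunnel). The following script is an added example written for this page; it is not Rockwell Automation code and not part of the module's configuration tooling. The peer-kind labels, the `Tunnel` record and the `SAMPLE_PLAN` are constructed for illustration.

```python
"""Pre-deployment check of a proposed 1756-EN2TSC tunnel plan (constructed example)."""
from dataclasses import dataclass

# Limits and options as stated on this manual page
MAX_TUNNELS = 8
MAX_ASA_TUNNELS = 1
SUPPORTED_AUTH = {"psk"}              # pre-shared key authentication only
SUPPORTED_AES_BITS = {128, 192, 256}  # AES key sizes the module offers

# Constructed labels for the peer kinds the page says the module connects with
TUNNEL_CAPABLE_PEERS = {"windows7_workstation", "cisco_asa", "1756-en2tsc"}
# Constructed labels for the device families the page says lack secure-tunnel support
TUNNEL_INCAPABLE_PEERS = {"point_io", "flex_io", "powerflex"}


@dataclass(frozen=True)
class Tunnel:
    """One planned IPsec tunnel (hypothetical record, not a module data structure)."""
    name: str
    peer_kind: str
    auth: str
    aes_bits: int


def check_plan(tunnels):
    """Return a list of findings; an empty list means the plan fits the documented limits."""
    findings = []

    if len(tunnels) > MAX_TUNNELS:
        findings.append(
            f"{len(tunnels)} tunnels requested; the module supports at most {MAX_TUNNELS}"
        )

    asa_tunnels = [t.name for t in tunnels if t.peer_kind == "cisco_asa"]
    if len(asa_tunnels) > MAX_ASA_TUNNELS:
        findings.append(
            f"{len(asa_tunnels)} Cisco ASA tunnels ({', '.join(asa_tunnels)}); "
            f"only {MAX_ASA_TUNNELS} may be a Cisco ASA connection"
        )

    for t in tunnels:
        if t.peer_kind in TUNNEL_INCAPABLE_PEERS:
            findings.append(
                f"{t.name}: peer type '{t.peer_kind}' cannot establish a secure tunnel; "
                "it must stay on the non-secured side of the design"
            )
        elif t.peer_kind not in TUNNEL_CAPABLE_PEERS:
            findings.append(
                f"{t.name}: peer type '{t.peer_kind}' is not one the manual lists; "
                "confirm it supports IPsec with pre-shared keys before relying on it"
            )
        if t.auth not in SUPPORTED_AUTH:
            findings.append(
                f"{t.name}: authentication '{t.auth}' is not supported; use a pre-shared key"
            )
        if t.aes_bits not in SUPPORTED_AES_BITS:
            findings.append(
                f"{t.name}: AES-{t.aes_bits} is not offered; choose 128, 192 or 256 bit"
            )
    return findings


# Constructed sample plan: mixes compliant tunnels with ones that violate each rule
SAMPLE_PLAN = [
    Tunnel("eng-ws", "windows7_workstation", "psk", 256),
    Tunnel("dmz-asa-a", "cisco_asa", "psk", 256),
    Tunnel("dmz-asa-b", "cisco_asa", "psk", 192),       # second ASA: not allowed
    Tunnel("drive-1", "powerflex", "psk", 128),         # PowerFlex: no secure tunnel support
    Tunnel("peer-en2tsc", "1756-en2tsc", "certificate", 128),  # not PSK
    Tunnel("legacy-ws", "windows7_workstation", "psk", 64),    # unsupported key size
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN) or ["plan fits the documented limits"]:
        print("-", finding)
```

Run the script as-is to see the four findings the sample plan produces; replace `SAMPLE_PLAN` with the tunnels you actually intend to configure. The check is deliberately conservative: a peer kind the manual does not name is reported for confirmation rather than silently accepted.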
