Protocols – BECKHOFF IPC-Security User Manual

Page 28


5.1.3.4. Exploiting vulnerabilities of the operating system

By reaching a vulnerable network service of the operating system (e.g. SMB as described in MS11-043), an
attacker could misuse the target service.

The impact depends on the specific vulnerability, ranging from denial-of-service up to arbitrary remote code
execution with system privileges.

5.1.4. Protocols

The following table provides an overview of the network protocols that play an important part in this scenario.
Each protocol is classified according to its position in the OSI model (Open Systems Interconnection model,
see ISO/IEC 7498-1 for more information). Please note that some protocols do not fit cleanly into this model;
these are marked with an asterisk *.

Protocol  | OSI layer | Description
----------|-----------|------------------------------------------------------------------------------
TCP       | 4         | Network protocol that provides a reliable, ordered, error-checked delivery of a
          |           | data stream between network programs
UDP       | 4         | Network protocol that has been optimized for performance and throughput and
          |           | therefore does not provide ordering or reliability
RDP       | 4-7       | Proprietary network protocol designed by Microsoft to control desktop
          |           | environments of a remote computer
ADS*      | 4-7       | Proprietary network protocol designed by Beckhoff for internal TwinCAT
          |           | communication
OPC-UA*   | 7         | Standardized communication protocol that provides reliable, secure and
          |           | cross-platform communication
PPTP      | 5         | Protocol to implement virtual private networks. Internally uses TCP and GRE
GRE*      | 3         | Tunneling protocol used for encapsulating network layer protocols
IPSec     | 3         | Protocol suite that provides security for IP-based communications

5.1.4.1. Network ports

You should use a firewall (see chapter 5.1.4.2) to block all network ports except the ones that are
needed in your environment.

Please see chapter A.4.1.4 for a tabular overview of all network services that are either part of a default
operating system image or can be installed later via TwinCAT Function/Supplement products.

5.1.4.2. Firewalls

Windows provides a software firewall that is part of every Windows installation. You can use this firewall to
block or allow access to specific network ports, as mentioned in chapter 5.1.4.1. When creating a firewall
rule to allow access to a specific network port, configure the rule restrictively: limit access to the port
to the computers that actually need to reach it. Do not allow access to the network port for ALL computers.
Instead, specify a single computer or a subnet range so that only the required computers can access the
network port.
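As an added illustration (not part of the Beckhoff manual), the following PowerShell fragment creates an inbound allow rule restricted to one subnet and then audits the existing inbound allow rules for any that accept connections from every remote address. The port number and the subnet are assumptions chosen for the example; adjust them to the service and computers in your environment.

```powershell
# Added example, not from the Beckhoff manual. Run in an elevated PowerShell on the Windows IPC.
# Assumptions: port 48898/TCP (Beckhoff AMS/ADS router port) and the subnet below are placeholders.
$Port          = 48898
$AllowedSubnet = '192.168.10.0/24'   # constructed example: range of the engineering PCs

# Weak rule, shown only for contrast (left commented out): any computer may reach the port.
# New-NetFirewallRule -DisplayName 'ADS (open to all)' -Direction Inbound -Protocol TCP `
#     -LocalPort $Port -Action Allow

# Restrictive rule: only hosts in the listed subnet (or single addresses) may connect,
# and only on the Domain/Private profiles.
New-NetFirewallRule -DisplayName 'ADS from engineering subnet' `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedSubnet -Profile Domain,Private -Action Allow

# Audit: list enabled inbound allow rules whose remote address filter is still 'Any'.
# Each of these is a candidate for tightening as described in the manual.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $prt  = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Profile    = $_.Profile
                Protocol   = $prt.Protocol
                LocalPort  = ($prt.LocalPort -join ',')
                RemoteAddr = ($addr.RemoteAddress -join ',')
            }
        }
    } | Format-Table -AutoSize
```

Rules created by Windows itself or by installed products also appear in the audit output, so review them against the service overview in chapter A.4.1.4 before disabling or narrowing them.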

Please see chapters A.4.2.7 and A.4.3.19 for more information about the firewalls that are integrated into
Microsoft Windows.
