Security Tab

Overview

The Security tab allows you to configure the security level of the services.

The default settings represent the maximum level of security level. The increased security reduces the communication capabilities and the access to communication ports.

NOTE: For general information about security, refer to the Modicon Controllers Platform, Cyber Security, Reference Manual.

Properties

This table describes the properties of the Security tab:

Parameter		Description
Global Policy	Enforce Security	Reset all the services to the default settings and implement the highest level of security.
Global Policy	Unlock Security	Use the lowest level security settings (opposite of default settings).
Services	FTP	Enable or disable (default) firmware upgrade.
	HTTP	Enable or disable (default) the Web access service.
	SNMP	Enable or disable (default) the diagnostic access service.
	EIP	Enable or disable (default) the diagnostic access service for exchanging I/Os and diagnostic information with the CPU.
Access Control	Enabled (by default)	Ethernet services access authorized for the listed addresses.
Access Control	Disabled	There is no restriction on which network devices can access EtherNet services. The BMECXM module accepts EtherNet/IP requests from any device.

Services

For security reasons, all the communication ports of the BMECXM module are disabled by default.

If EIP service is disabled, exchanging with the CPU is not possible. Therefore, you have to enable at least the EIP service in the Security tab so that the scanner can access the BMECXM module.

If FTP service is disabled, an FTP upgrade is not possible.

Set the Security tab parameters before downloading the application to the .

NOTE: Schneider Electric recommends disabling services that are not being used.

Enabling Access Control

When the Access Control is enabled, it restricts access to the BMECXM module services declared in the list.

In the box, you can add the of:

The BMECXM module with Subnet set to Yes that allows any device in the subnet to communicate with the module using EtherNet/IP.
Any client device that may send a request to the BMECXM module, which in this case acts as an EtherNet/IP server.
Your maintenance PC that communicates with the BMECXM module via Control Expert to configure and diagnose your application and view the module web pages.

You must ensure that the corresponding CPU scanner address is filled in the list of authorized addresses.

NOTE: Using the BMECXM module in RIO/DIO requires to add the corresponding RIO/DIO scanner IP address in the Access Control list (ACL).

Adding Devices to the Access Control List

NOTE: Before declaring a new address in the list, you must enable the corresponding service in the section Services.

To add devices, follow these steps:

Step	Action
1	Enable the Access Control.
2	Click Add.
3	Enter the address of the device to access the BMECXM module with either of these methods: Add a single IP address: Enter the IP address of the device and select No in the Subnet column. Add a subnet: Enter a subnet address in the IP Address column. Select Yes in the Subnet column. Enter a subnet mask in the Subnet Mask column. NOTE: The subnet in the IP Address column can be the subnet itself or any IP address in the subnet. If you enter a subnet without a subnet mask, an on-screen message states that the modification cannot be validated. NOTE: A red exclamation point (!) indicates a detected error in the entry. You can save the configuration only after the detected error is addressed.
4	Select one or more of the following methods of access you are granting the device or subnet: FTP, HTTP, SNMP, EIP.
5	Repeat these steps 2 to 4 for each additional device or subnet to which you want to grant access to the BMECXM module. NOTE: You can enter up to 128 authorized IP addresses or subnets.
6	Click Apply.

NOTE: You can remove a device by selecting its IP address and clicking Delete.