Firewall and security considerations for Powerchute Network Shutdown (pcns)

Anonymous user · ‎2021-07-08

I have been unable to find convincing, complete documentation on this subject.

- The PowerChute v4 installation guides says "PowerChute needs to be able to connect to the NMC Web Access port (default: TCP port 80) and receive data inbound to UDP port 3052"

- FAQ FA159753 confuses the issue by listing "allowed port values" of "80 or 3052 (when HTTP is selected), 443 or 6547 (when HTTPS is selected), 5000 - 32768 (when either HTTP or HTTPS is selected)"

- A forum thread on this subject, from 2013, includes the following summary:

PCNS --> 443/tcp --> NMC uni-directional
PCNS <--> 3052/udp <--> NMC bi-directional
PCNS <-- 6547/tcp <-- (admin web browser access) uni-directional

My network security team wants more information before they will allow these connections through our firewall. They are asking me:

What protocol and authentication mechanism is used on UDP:3052 ? Is the traffic encrypted?
Do we really require bidirectional connections UDP:3052. The installation guide stays inbound (NMC --> pcns) only, but that previous forum thread seems to say it is required in both directions.
What authentication mechanism is used for the TCP:443 connection from pcns --> NMC

BillP · ‎2021-07-08

Hi,

PCNS stores the NMC IP address in pcnsconfig.ini and it will listen for UDP packets from that IP. It will not react to UDP packets from other IPs.

Addition: The communications mechanism between the NMC and PowerChute uses an MD5-based authentication scheme.

Ensuring that the password is never sent in plain text.
Proving that the sender of a message is an authentic user as only those with knowledge of the password phrase can send valid messages.
Detecting if a message has been tampered with in transit.  Detecting if a message is being replayed.

This mechanism does not guarantee:

That all data is encrypted.
That a brute-force attack will fail to determine the password phrase.
Prevention of most Denial of Service attacks.

A well configured firewall and solid security policy is integral to the security of any network.

See Answer In Context

BillP · ‎2021-07-08

Hi,

When you log into PCNS web interface you are logging in over TCP port 6547. Example HTTPS://192.168.1.10:6547. When PCNS is first installed and the configuration wizard is run it will communicate with the NMC over TCP port 80 or TCP port 443 depending on your selection. This connection is to register the PCNS system with the NMC. The NMC stores the IP addresses of registered PCNS system. The addresses are use by the NMC as the list to who should receive UDP packets. Once registered PCNS listens for information from the NMC on UDP port 3052.

On 3/25/2019 5:59 PM, Carlo said:
What protocol and authentication mechanism is used on UDP:3052 ? Is the traffic encrypted?

The traffic is not encrypted.

On 3/25/2019 5:59 PM, Carlo said:
Do we really require bidirectional connections UDP:3052. The installation guide stays inbound (NMC --> pcns) only, but that previous forum thread seems to say it is required in both directions.

The communication is from NMC to PCNS. However if you are on a different subnet then the NMC is on the PCNS client may also forward the UDP packet. See Schneider Electric FAQ FA159540 that discusses adding more than 50 PCNS clients and how packets are transferred.

On 3/25/2019 5:59 PM, Carlo said:
What authentication mechanism is used for the TCP:443 connection from pcns --> NMC

TLS is used.

Anonymous user · ‎2021-07-08

TLS provides encyrption, not authentication. Let me put it differently. How can we be sure only an authorized NMC can issue a shutdown instruction to PCNS?

BillP · ‎2021-07-08

Hi,

PCNS stores the NMC IP address in pcnsconfig.ini and it will listen for UDP packets from that IP. It will not react to UDP packets from other IPs.

Addition: The communications mechanism between the NMC and PowerChute uses an MD5-based authentication scheme.

Ensuring that the password is never sent in plain text.
Proving that the sender of a message is an authentic user as only those with knowledge of the password phrase can send valid messages.
Detecting if a message has been tampered with in transit.  Detecting if a message is being replayed.

This mechanism does not guarantee:

That all data is encrypted.
That a brute-force attack will fail to determine the password phrase.
Prevention of most Denial of Service attacks.

A well configured firewall and solid security policy is integral to the security of any network.