Brand Logo
Help
  • Get started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Login / Register
Help
  • Get started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
close
  • Community Home
  • Forums
    • By Topic
    • By Topic
      EcoStruxure Building
      • Field Devices Forum
      • SmartConnector Forum
      EcoStruxure Power & Grid
      • Gateways and Energy Servers
      • Metering & Power Quality
      APC UPS, Critical Power, Cooling and Racks
      • APC UPS Data Center & Enterprise Solutions Forum
      • APC UPS for Home and Office Forum
      EcoStruxure IT
      • EcoStruxure IT forum
      Remote Operations
      • EcoStruxure Geo SCADA Expert Forum
      • Remote Operations Forum
      Industrial Automation
      • Alliance System Integrators Forum
      • AVEVA Plant SCADA Forum
      • CPG Expert Forum DACH
      • EcoStruxure Automation Expert / IEC 61499 Forum
      • Fabrika ve Makina Otomasyonu Çözümleri
      • Harmony Control Customization Forum
      • Industrial Edge Computing Forum
      • Industry Automation and Control Forum
      • Korea Industrial Automation Forum
      • Machine Automation Forum
      • Modicon PAC Forum
      • PLC Club Indonesia
      Schneider Electric Wiser
      • Schneider Electric Wiser Forum
      Power Distribution IEC
      • Eldistribution & Fastighetsautomation
      • Elektrik Tasarım Dağıtım ve Uygulama Çözümleri
      • Paneelbouw & Energie Distributie
      • Power Distribution and Digital
      • Solutions for Motor Management
      • Specifiers Club ZA Forum
      • Електропроектанти България
      Power Distribution NEMA
      • Power Monitoring and Energy Automation NAM
      Power Distribution Software
      • EcoStruxure Power Design Forum
      • LayoutFAST User Group Forum
      Light and Room Control
      • SpaceLogic C-Bus Forum
      Solutions for your Business
      • Solutions for your Business Forum
      Support
      • Ask the Community
  • Knowledge Center
    • Building Automation Knowledge Base
    • Geo SCADA Knowledge Base
    • Industrial Automation How-to videos
    • Digital E-books
    • Success Stories Corner
  • Events & Webinars
    • All Events
    • Innovation Talks
    • Innovation Summit
    • Let's Exchange Series
    • Partner Success
    • Process Automation Talks
    • Technology Partners
  • Ideas
    • EcoStruxure Building
      • EcoStruxure Building Advisor Ideas
      Remote Operations
      • EcoStruxure Geo SCADA Expert Ideas
      • Remote Operations Devices Ideas
      Industrial Automation
      • Modicon Ideas & new features
  • Blogs
    • By Topic
    • By Topic
      EcoStruxure Power & Grid
      • Backstage Access Resources
      Remote Operations
      • Remote Operations Blog
      Industrial Automation
      • Industrie du Futur France
      • Industry 4.0 Blog
      Power Distribution NEMA
      • NEMA Power Foundations Blog
      Light and Room Control
      • KNX Blog
      Knowledge Center
      • Digital E-books
      • Geo SCADA Knowledge Base
      • Industrial Automation How-to videos
      • Success Stories Corner

Firewall and security considerations for Powerchute Network Shutdown (pcns)

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • Home
  • Communities
  • APC UPS, Critical Power, Cooling and Racks
  • APC UPS Data Center & Enterprise Solutions Forum
  • Firewall and security considerations for Powerchute Network Shutdown (pcns)
Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Mute
  • Printer Friendly Page
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
You have entered an invalid email address. Please re-enter the email address.
This co-worker has already been invited to the Exchange portal. Please invite another co-worker.
Please enter email address
Send Invite Cancel
Invitation Sent
Your invitation was sent.Thanks for sharing Exchange with your co-worker.
Send New Invite Close
Top Experts
User Count
BillP
Administrator BillP Administrator
5022
voidstar_apc
Janeway voidstar_apc
195
Erasmus_apc
Sisko Erasmus_apc
111
TheNotoriousKMP_apc
Sisko TheNotoriousKMP_apc
108
View All
Invite a Colleague

Found this content useful? Share it with a Colleague!

Invite a Colleague Invite
Solved Go to Solution
Back to APC UPS Data Center & Enterprise Solutions Forum
Solved
cgiuliani_apc
cgiuliani_apc
Cadet

Posted: ‎2021-07-08 11:19 PM

0 Likes
3
170
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 11:19 PM

Firewall and security considerations for Powerchute Network Shutdown (pcns)

This was originally posted on APC forums on 3/25/2019


I have been unable to find convincing, complete documentation on this subject.

- The PowerChute v4 installation guides says "PowerChute needs to be able to connect to the NMC Web Access port (default: TCP port 80) and receive data inbound to UDP port 3052"

- FAQ FA159753 confuses the issue by listing "allowed port values" of  "80 or 3052 (when HTTP is selected), 443 or 6547 (when HTTPS is selected), 5000 - 32768 (when either HTTP or HTTPS is selected)"

- A forum thread on this subject, from 2013, includes the following summary:

  • PCNS  -->  443/tcp  --> NMC  uni-directional
  • PCNS <--> 3052/udp <--> NMC  bi-directional
  • PCNS <--  6547/tcp <-- (admin web browser access) uni-directional

My network security team wants more information before they will allow these connections through our firewall.  They are asking me:

  1. What protocol and authentication mechanism is used on UDP:3052 ?  Is the traffic encrypted?
  2. Do we really require bidirectional connections UDP:3052.  The installation guide stays inbound (NMC --> pcns) only, but that previous forum thread seems to say it is required in both directions. 
  3. What authentication mechanism is used for the TCP:443 connection from pcns --> NMC

Labels
  • Labels:
  • UPS Management Devices & PowerChute Software
Reply
Share
  • All forum topics
  • Previous Topic
  • Next Topic

Accepted Solutions
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-08 11:20 PM

0 Likes
0
170
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 11:20 PM

This reply was originally posted by Bill on APC forums on 4/1/2019


Hi,

PCNS stores the NMC IP address in pcnsconfig.ini and it will listen for UDP packets from that IP. It will not react to UDP packets from other IPs. 

Addition: The communications mechanism between the NMC and PowerChute uses an MD5-based authentication scheme. 

  • Ensuring that the password is never sent in plain text.
  • Proving that the sender of a message is an authentic user as only those with knowledge of the password phrase can send valid messages.
  • Detecting if a message has been tampered with in transit.  Detecting if a message is being replayed. 

This mechanism does not guarantee:

  • That all data is encrypted.
  • That a brute-force attack will fail to determine the password phrase.
  • Prevention of most Denial of Service attacks.

A well configured firewall and solid security policy is integral to the security of any network. 

See Answer In Context

Reply
Share
Replies 3
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-08 11:19 PM

0 Likes
0
170
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 11:19 PM

This reply was originally posted by Bill on APC forums on 3/26/2019


Hi,

When you log into PCNS web interface you are logging in over TCP port 6547. Example HTTPS://192.168.1.10:6547. When PCNS is first installed and the configuration wizard is run it will communicate with the NMC over TCP port 80 or TCP port 443 depending on your selection. This connection is to register the PCNS system with the NMC. The NMC stores the IP addresses of registered PCNS system. The addresses are use by the NMC as the list to who should receive UDP packets. Once registered PCNS listens for information from the NMC on UDP port 3052. 

On 3/25/2019 5:59 PM, Carlo said:

What protocol and authentication mechanism is used on UDP:3052 ?  Is the traffic encrypted?

The traffic is not encrypted. 

On 3/25/2019 5:59 PM, Carlo said:

Do we really require bidirectional connections UDP:3052.  The installation guide stays inbound (NMC --> pcns) only, but that previous forum thread seems to say it is required in both directions. 

The communication is from NMC to PCNS. However if you are on a different subnet then the NMC is on the PCNS client may also forward the UDP packet. See Schneider Electric FAQ FA159540 that discusses adding more than 50 PCNS clients and how packets are transferred. 

On 3/25/2019 5:59 PM, Carlo said:

What authentication mechanism is used for the TCP:443 connection from pcns --> NMC

TLS is used. 

Reply
Share
cgiuliani_apc
cgiuliani_apc
Cadet

Posted: ‎2021-07-08 11:19 PM

0 Likes
0
169
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 11:19 PM

This was originally posted on APC forums on 3/29/2019


TLS provides encyrption, not authentication.  Let me put it differently.  How can we be sure only an authorized NMC can issue a shutdown instruction to PCNS?

 

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-08 11:20 PM

0 Likes
0
171
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-08 11:20 PM

This reply was originally posted by Bill on APC forums on 4/1/2019


Hi,

PCNS stores the NMC IP address in pcnsconfig.ini and it will listen for UDP packets from that IP. It will not react to UDP packets from other IPs. 

Addition: The communications mechanism between the NMC and PowerChute uses an MD5-based authentication scheme. 

  • Ensuring that the password is never sent in plain text.
  • Proving that the sender of a message is an authentic user as only those with knowledge of the password phrase can send valid messages.
  • Detecting if a message has been tampered with in transit.  Detecting if a message is being replayed. 

This mechanism does not guarantee:

  • That all data is encrypted.
  • That a brute-force attack will fail to determine the password phrase.
  • Prevention of most Denial of Service attacks.

A well configured firewall and solid security policy is integral to the security of any network. 

Reply
Share
Preview Exit Preview

never-displayed

You must be signed in to add attachments

never-displayed

Additional options
You do not have permission to remove this product association.
 
To The Top!

Forums

  • APC UPS Data Center Backup Solutions
  • EcoStruxure IT
  • EcoStruxure Geo SCADA Expert
  • Metering & Power Quality
  • Schneider Electric Wiser

Knowledge Center

Events & webinars

Ideas

Blogs

Get Started

  • Ask the Community
  • Community Guidelines
  • Community User Guide
  • How-To & Best Practice
  • Experts Leaderboard
  • Contact Support
Brand-Logo
Subscribing is a smart move!
You can subscribe to this forum after you log in or create your free account.
Forum-Icon

Create your free account or log in to subscribe to the forum - and gain access to more than 10,000+ support articles along with insights from experts and peers.

Register today for FREE

Register Now

Already have an account?Login

Terms & Conditions Privacy Notice Change your Cookie Settings © 2023 Schneider Electric, Inc