Tofino Firewall LSM

Traffic Control Cop for industrial networks

  • Create, test and deploy network traffic rules
  • Block and report unauthorized communications

The vast majority of control networks have little or no isolation between different subsystems. If a device misconfiguration, hardware failure or virus causes a problem in one part of the network it can spread throughout the entire network in seconds and bring your whole plant down. Even redundant backup systems can fail simultaneously if their network connections are not protected!

The Tofino Firewall LSM is like a traffic control cop for industrial networks, checking all communications on your control network against a list of traffic ‘rules’ that are defined by your control engineers. Any communication that is not on the ‘allowed’ list will be blocked and reported by the Tofino Firewall LSM.

Traffic rules are created using terms and concepts that are already familiar to control specialists. And Tofino’s unique ‘test’ mode helps test traffic rules without any risk of accidentally blocking communications that are critical to plant operation.

Tofino provides pre-defined templates for over 25 families of popular industrial controllers, including rule definitions to protect devices with known vulnerabilities. These definitions are updated regularly to provide ongoing protection of your critical controllers.

The Tofino Event Logger LSM is included with the Firewall LSM. The Event Logger reliably monitors and logs security events and alarms that occur on industrial networks, which is critical for identifying network threats, better securing plants, and complying with standards. This event logging system was created specifically for the industrial world. It reliably records and protects security events and alarms information in SCADA and process control environments, and is designed to be effective even when communication links are sporadic. It can record external alarm and event logging to both a remote syslog server and the long-term memory in the Tofino SA.

Summary

Saves You Money Through:
  • Reduced down time and production losses
  • Simplifying compliance to safety and security standards
  • Improved system reliability and stability

Features
  • Traffic rules are defined by your control team, specifying which devices may communicate using what protocols
  • Traffic that does not match the rules is automatically blocked and reported
  • Simple configuration using the Tofino Configurator’s graphical user interface
  • Over 125 pre-defined IT and industrial communication protocols
  • Over 180 pre-defined security templates for common controllers, drives, HMIs, and network products
  • Pre-defined ‘special rules’ for advanced traffic filtering and vulnerability protection

Applications
  • Isolate critical controllers from threat sources
  • Separate control network into security ‘zones’, restricting communications between zones
  • Protect controllers that exhibit known vulnerabilities

Specifications

Protects Multiple Devices

Hundreds of different device types are supported with unique rate control, direction, and permission settings for each allowed connection

Filter Policy

Deny by default: all network traffic that is not on the ‘allowed’ list is automatically blocked and reported

State Tracking

Stateful Packet Inspection (SPI)

User-Settable Options

IP-based protocols:

  • Source device: specific IP address, network, or ‘any’
  • Destination device: specific IP address, network, broadcast, multicast, or ‘any’
  • Application protocol: any combination of single, list, and/or range of port numbers
  • Direction: incoming, outgoing, bidirectional

Both IP-based and non-IP protocols:

  • Permission: Allow, Deny, Enforce (requires appropriate Enforcer LSM)
  • Logging: Enabled, Disabled
  • Rate limit controls

Transport Protocols

TCP, UDP, and non-IP protocols supported

Configuration Method

Configure, manage, and audit all Tofino Security Appliances from one workstation using the Tofino Configurator software

Operating Modes

All standard Tofino modes supported:

  • Test: all traffic allowed; alerts generated as per user rules
  • Operational: traffic filtered and alerts generated as per user rules

Security Alerts

Reports blocked traffic to a syslog server and to non-volatile memory on a Tofino Security Appliance

Certifications
  • MUSIC-2009-1 security certified (Foundation level)
  • Certified Modbus compliant by Modbus-IDA

Standards Compliance

ISA/IEC 62443 compliance

System Requirements

Ordering Information

Tofino™ Firewall LSM: Part number 942 016-110

Additional Information:

PDFTofino Firewall LSM Data Sheet