EATON MTL 9202-ETS MTL Tofino configurator Instruction Manual
- June 9, 2024
- EATON
Table of Contents
MTL 9202-ETS MTL Tofino configurator
DRAFT – 19 March 2018
Instruction manual
MTL industrial security
March 2018 INM MTL Tofino configurator REV 3.2
MTL Tofino configurator
Installation and configuration instructions for MTL Tofino security appliances
DECLARATION OF CONFORMITY
A printed version of the Declaration of Conformity has been provided
separately within the original shipment of goods. However, you can find a copy
of the latest version at –
http://www.mtl-inst.com/certificates
DECLARATION OF CONFORMITY ..... ii
1 INTRODUCTION ..... 1
  1.1 Description ..... 1
  1.2 Navigating the Eaton Tofino Configurator ..... 2
  1.3 Search Functionality ..... 4
2 NINE STEPS TO A SECURE CONTROL SYSTEM ..... 6
3 INSTALLING YOUR EATON TOFINO CONFIGURATOR ..... 8
  3.1 Running the Eaton Tofino Configurator Installer ..... 8
  3.2 LED Unit Connectors ..... 2
4 PROJECTS ..... 11
  4.1 Creating a New Project ..... 12
  4.2 Opening an Existing Project ..... 14
  4.3 Editing Project Details ..... 14
  4.4 Deleting a Project ..... 16
  4.5 Duplicating a Project ..... 17
  4.6 Exporting a Project File ..... 17
5 TOFINO SAS ..... 19
  5.1 Defining the Tofino SAs ..... 19
    5.1.1 Manually creating a Tofino SA ..... 20
    5.1.2 Discovering a Tofino SA ..... 23
  5.2 Editing a Tofino SA ..... 25
  5.3 Deleting a Tofino SA ..... 26
  5.4 Tofino SA Status Page ..... 27
6 ASSETS ..... 28
  6.1 Asset Templates ..... 29
    6.1.1 Creating an Asset Template ..... 29
    6.1.2 Deleting an Asset Template ..... 32
  6.2 Creating Assets ..... 32
    6.2.1 Creating an Asset Manually ..... 33
    6.2.2 Creating an Asset from a Template ..... 35
  6.3 Editing an Asset or an Asset Template ..... 36
  6.4 Creating an Asset Template from an Existing Asset ..... 37
  6.5 Deleting an Asset ..... 38
  6.6 Detecting an Asset ..... 39
7 FIREWALL RULES ..... 42
  7.1 Creating Firewall Rules ..... 46
  7.2 Suggesting Firewall Rules ..... 49
    7.2.1 Suggesting Firewall Rules ..... 51
  7.3 Deep Packet Inspection Firewalls ..... 55
    7.3.1 Creating a Modbus TCP Enforcer Rule ..... 57
    7.3.2 Creating an OPC Classic Enforcer Rule ..... 60
    7.3.3 Creating IEC104 Enforcer Firewall Rule ..... 62
    7.3.4 Creating an EtherNet/IP Enforcer Rule ..... 65
      7.3.4.1 Ethernet IP Wild Card Feature ..... 68
    7.3.5 Creating a DNP3 Enforcer Rule ..... 69
    7.3.6 Creating a GOOSE Enforcer Rule ..... 71
  7.4 Editing Firewall Rules ..... 74
  7.5 How Automatic Rule Generation Works ..... 76
  7.6 Using Tofino Test Mode to Validate Firewall Rules ..... 79
  7.7 Firewall Rules for Grouped Assets ..... 79
  7.8 Statistics of Firewall Rules ..... 83
  7.9 Digital Input Rules ..... 85
8 EVENT LOGGING ..... 86
  8.1 Setting up the Event Logger ..... 86
  8.2 Retrieving Log Files ..... 89
  8.3 Viewing Syslogs ..... 90
    8.3.1 Suggesting Rules From Event Logger View ..... 91
9 APPLYING AND VERIFYING CONFIGURATIONS ..... 92
  9.1 Applying a Tofino SA Configuration ..... 92
    9.1.1 Loading Your Tofino SA via USB ..... 95
    9.1.2 Validation Mechanism for Firewall Rules ..... 96
  9.2 Verifying a Tofino SA Configuration ..... 98
  9.3 Transferring Data from Your Tofino SA via USB ..... 100
  9.4 Retrieving Diagnostics File via Network ..... 101
10 ADVANCED TOPIC: PROTOCOLS ..... 103
  10.1 Creating a Protocol ..... 103
  10.2 Editing Protocols ..... 104
  10.3 Deleting a Protocol ..... 106
11 ADVANCED TOPIC: IMPORTING TEMPLATES AND SECURITY PROFILES ..... 107
12 ADVANCED TOPIC: EATON TOFINO CONFIGURATOR SETTINGS ..... 108
  12.1 Adding LSM Licenses ..... 108
  12.2 Managing User Logging, Access, and Privileges ..... 109
    12.2.1 Managing Access to a Project ..... 110
    12.2.2 Managing User Activity Logging and Privileges within a Project ..... 111
  12.3 Customizing Program Settings and Preferences ..... 112
13 ADVANCED TOPIC: IMPORTING TEMPLATES AND SECURITY PROFILES ..... 116
  13.1 Update DNP3 objects for DNP3 enforcer ..... 118
  13.2 Update Request/Response ..... 120
    13.2.1 Add/delete groups from request/response ..... 120
    13.2.2 Add/delete variations from groups ..... 123
    13.2.3 Add/delete function codes for variation ..... 125
    13.2.4 Add/delete qualifier codes ..... 126
14 ADVANCED TOPIC: PCAP GENERATION ..... 128
15 TC AND CCM INTEGRATION ..... 130
16 CONVERTING CMP LICENSE TO A TC LICENSE ..... 131
17 UPGRADING YOUR TOFINO SA ..... 132
  17.1 Upgrading over the Network ..... 132
  17.2 Upgrading via USB ..... 133
18 REFERENCE: FIELD DESCRIPTIONS ..... 134
  18.1 Tofino SA Fields ..... 134
  18.2 Asset and Asset Template Fields ..... 138
19 TROUBLESHOOTING ..... 141
  19.1 Tofino SA Diagnostics ..... 141
  19.2 Firewall Not Blocking Traffic ..... 145
  19.3 USB Storage Device Recommendations ..... 146
  19.4 Factory Resetting Your Tofino SA ..... 147
  19.5 Special Rules ..... 147
    19.5.1 Tofino Rapid Network Recovery ..... 147
  19.6 The Discovery Feature is Not Finding Tofino SAs ..... 148
  19.7 Unable to Open a Project File ..... 148
  19.8 Eaton Tofino Configurator Error Logging ..... 149
20 GLOSSARY ..... 150
1 INTRODUCTION
1.1 Description
The Tofino Industrial Security Solution is a comprehensive package for
securing industrial control systems, particularly at the Local Area Network
(LAN) level. The system consists of three core components:
· Tofino Security Appliance: These industrially hardened devices are installed
in front of individual and/or clusters of Human Machine Interfaces (HMI),
Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), or
Remote Terminal Units (RTU) control devices that require protection.
· Tofino Loadable Security Modules (LSM): A variety of software modules
providing security services, such as Firewall and Event Logger. Each LSM is
activated on the Tofino SAs to allow them to offer customizable security
functions, depending on the requirements of the control system. LSMs can be
either preloaded at the factory or added in the field via the Tofino Customer
Portal.
· Eaton Tofino Configurator: A Windows-based management system for the
configuration of each Tofino SA.
Use the Eaton Tofino Configurator on your PC to define configuration data for
each Tofino SA in your plant. When you have finished editing the
configuration, you can transfer the configuration data into the Tofino SAs.
You can also retrieve configuration details from a Tofino SA to verify that
the correct configuration is being used in the field.
The Eaton Tofino Configurator will run on any of these supported Microsoft
operating systems: Windows XP, Windows 7 (32- and 64-bit), and Windows Server
2003, 2008, and 2008 R2. No other applications or services (such as Java,
.NET, or Flash) are required for the Eaton Tofino Configurator to operate.
This list dates from the March 2018 revision of this manual. Windows XP and
Windows Server 2003 were already out of Microsoft support at that time, and
Windows 7 and Windows Server 2008/2008 R2 reached end of support in January
2020. A configuration workstation running an unsupported operating system is
itself an attack surface on the control network, so check the current release
notes before choosing the PC that will hold your project files and License
Activation Key.
1.2 Navigating the Eaton Tofino Configurator
The Eaton Tofino Configurator is designed to look and operate like Windows
Explorer, which you use to navigate files and folders on your computer. Being
familiar with basic Windows functionality enables you to start using the Eaton
Tofino Configurator immediately. The main view is divided into two sections:
1 Project Explorer view: Tofino SAs, Asset Templates, Assets, Protocols, and
Special Rules are listed in a tree format similar to the way that files are
displayed in Windows Explorer. Any object in the Project Explorer view can be
clicked to display its information in the Details view. Clicking the root
folder will display a table of defined objects of that type. For example,
clicking the Assets folder will display a table listing the assets defined in
the project.
2 Details view: The details of what is selected in the Project Explorer view
display here. This is where you can edit particular values for an object.
Figure 1: Project explorer and Details views
Figure 2: TC toolbar
The toolbar contains 3 sections:
1 Project edit commands: This section appears at the far left of the toolbar
and is for commands related to managing project files and their data. It
includes:
· Create new Projects, Assets, Asset Templates, Protocols, or Tofino SAs using
a wizard
· Open an existing project
· Save and export a project
· Import predefined Asset Templates, Protocols, Special Rules, and Security
Profiles
· Cut, Copy, Paste, and Delete objects and fields
2 Context commands: This section appears in the center of the toolbar and is
for commands related to the content that is currently being worked on. The
commands that appear here change depending on the type of object selected in
the Project Explorer view.
3 Help and Configuration commands: This section appears at the far right of
the toolbar and is for:
· Audit Logs: Viewing and managing the audit system
· Preferences: Setting configurations, such as the location of the audit file
· Licensing: Viewing your software licenses and performing tasks that allow
you to obtain new LSM licenses through the Tofino Customer Portal
· Help: Displaying the Online help and Eaton Tofino Configurator product
information
1.3 Search Functionality
The Eaton Tofino Configurator has a search function, which is part of the
project edit commands on the TC toolbar. You can search any object (assets,
asset templates, protocols, and configured firewall rules) with a keyword. A
list of the objects containing that keyword appears.
You can search objects in the following ways:
· Search by Name: Enter keywords or the name of any object and it appears in
the search result.
· Search by IP/MAC: Enter IP/MAC addresses of objects to search assets and
asset templates.
· Search by Parameters: Enter parameters of objects, such as a port number, to
search TCP/IP protocols.
· Search by Assets and Protocols: Enter parameters of objects such as assets,
protocols, or IP/MAC addresses to search rules.
· Search Subfolders: Enter the name of a subfolder to perform a search on a
folder. This search also works recursively.
Follow these steps to perform a search on any object:
· Click the search button on the toolbar.
Figure 3: Search button on toolbar
· A search box appears. Enter a keyword to search; in this example, “SA” is
searched. Click the OK button.
Figure 4: Search keyword
· A detailed search result appears. All objects that contain the keyword “SA”
appear in the result list.
Figure 5: Search result
· Select the object that you want to access; in this example, one object is
selected. Click the OK button.
Figure 6: Select object in search result
· The Eaton Tofino Configurator opens the selected object directly from the
search result list.
Figure 7: TC opens the selected object
2 NINE STEPS TO A SECURE CONTROL SYSTEM
The Eaton Tofino Configurator was designed to simplify the installation of
security firewalls in an industrial control system. The following 9 steps
describe how to install and configure your Tofino Industrial Security
Solution.
Figure 8: Steps to install and configure TC
· Install the Eaton Tofino Configurator on your computer.
· Create a project.
· Define the Tofino SAs for your project. Create a virtual representation of
the physical Tofino SA devices. You can manually create these or discover
existing devices. This information will be used to configure the actual Tofino
SAs that will be installed on your network.
· Define assets for your project. These objects represent both real network
entities (such as HMIs and PLCs) and virtual entities (such as Broadcast
Addresses and subnets) on your network. They are used to simplify tasks like
creating firewall rules.
· Define firewall rules for your Tofino SAs. These use the assets you created
earlier, along with predefined protocols and special rules that are supplied
with the Eaton Tofino Configurator, to determine what network traffic the
Tofino SA will allow or block. The various Deep Packet Inspection (DPI)
Enforcer modules are accessed through the Firewall selection.
· Configure the Event Logger (optional). Enter the details for your syslog
server where you want Tofino SA alarms and events sent. You can also configure
the Tofino SA to save logs locally on the Tofino SA for later offloading via a
USB storage device.
· Install your Tofino SA hardware. The Tofino SA gets installed on the network
between the device(s) to be protected and the rest of the network.
· Apply the configuration settings to the Tofino SAs in the field. Depending
on the options you have purchased, you can transfer the configuration data
from the Eaton Tofino Configurator to the Tofino SA(s) over the network or
using a USB storage device.
· Verify the configuration. Retrieve the configuration load reports sent over
the network, or from the USB storage device that was used to load
configurations onto one or more Tofino SAs. This lets you record the
configuration actually running on each Tofino SA in the field, save it in your
project, and confirm that it matches what you intended to apply.
You have successfully installed the Tofino Industrial Security Solution and
significantly improved the security of your process network.
NOTE The Tofino SA passes network traffic freely during its initial
configuration and while its configuration is being updated. Firewall rules
take effect only after the initial configuration or update of the Tofino SA
completes, so that network operations are not disrupted before the full rule
set has been loaded. The devices behind the Tofino SA are therefore
unfiltered during that window: schedule configuration loads accordingly, keep
the window short, and verify the loaded configuration (see “Verifying a Tofino
SA Configuration”) before relying on it. A typical configuration load finishes
in approximately 30 seconds.
3 INSTALLING YOUR EATON TOFINO CONFIGURATOR
This section details the procedure for installing the Eaton Tofino
Configurator on a computer that has not previously had the Eaton Tofino
Configurator installed on it. Prior to installing your Eaton Tofino
Configurator software, please verify that you have the following materials
ready:
· Eaton Tofino Configurator installer, downloaded from the Tofino Security
website (www.tofinosecurity.com)
· License Activation Key (LAK): a 25-character string of letters and numbers
in five groups of five, such as X4QP9-RMNRQ-B59SD-AG5H6-KSFRW. It is affixed
to the document supplied with the Tofino Firewall product. Treat the LAK as a
secret: it activates your license and, if you choose that option when creating
a project, it is also used to encrypt the project file (see “Creating a New
Project”).
If you have a License Activation Key, download your Eaton Tofino Configurator
software as follows:
· Visit www.tofinosecurity.com/licensing and register your product.
· On the Tofino Security website, navigate to the Support page and click the
appropriate product.
· Click Software and Security Profiles.
· In the portal, click Download Eaton Tofino Configurator.
If you do not have a License Activation Key, contact your reseller.
3.1 Running the Eaton Tofino Configurator Installer
Running the Eaton Tofino Configurator installer launches the installation
wizard. Work through the pages of the wizard to configure the installation,
accept the license agreement, and activate your license. You need a License
Activation Key (LAK) to perform this final step. The LAK is attached to the
Read Me document that was included with the Tofino SA.
To install the Eaton Tofino Configurator, you need a Windows user account with
Administrator permissions.
· Run the Eaton Tofino Configurator installer.
· Follow the on-screen instructions to install the Eaton Tofino Configurator.
Figure 9: Eaton Tofino Configurator installer
The Eaton Tofino Configurator installation wizard walks you through the steps
to configure your installation:
· Accept the license agreement
· Specify the installation type
· Select a destination folder
· Add program icons to specific folders
Click “Next” and “Back” to move between the pages of the wizard. On the Start
Installation page of the wizard, review the settings you selected.
Figure 10: Select the path to install TC
Clicking “Next” on this page begins the installation.
NOTE
To install the Eaton Tofino Configurator with the default installation
settings, click “Install” in the bottom left corner at any time.
· To complete the installation, click “Finish” on the final page of the
wizard. If this is a new installation of the Eaton Tofino Configurator, the
program displays the Activate Your License dialog box.
Figure 11: Enter Activation license key and personal information
· Enter your License Activation Key and contact information. Click “OK”. The
Eaton Tofino Configurator will start automatically if you selected the “Start
the Eaton Tofino Configurator” check box on the final page of the wizard.
The installation is complete and your license has been activated. Additional
configuration steps may be required depending on who will be using this
program.
A Windows user with Administrator permissions has full access to all Eaton
Tofino Configurator functionality. To enable Windows users without
Administrator permissions to use the application, perform the following
additional steps.
· By default, the Eaton Tofino Configurator preferences and audit log files
are located in C:\ProgramData\Tofino Security\Eaton Tofino Configurator.
Non-administrator users need permission to write to this location. Using
Windows security, allow Write access to this folder for those users. You can
relocate the audit log file to a write-accessible location (see “Customizing
Program Settings and Preferences”), but you cannot move the preferences file.
· To give non-administrator users full access to an Eaton Tofino Configurator
project, save the project file (.tpf) to a folder that grants them Modify
(read/write) access. To limit their functionality in a project, save the
project file to a folder that grants them Read-only access. NTFS permissions
only control whether a user can open or change the file; they do not replace
the project's own password and Administrator password settings. See “Managing
User Logging, Access, and Privileges” for additional techniques on how to
control access to the project file.
· If you plan to use the NetConnect Loadable Security Module (LSM), create
Windows Firewall exceptions on the configuration PC for both TCP and UDP on
port 6689, the port the Tofino SA uses for NetConnect.
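The three post-installation steps above, carried out from the command line, as an added example that is not part of the Eaton/MTL manual. It is a PowerShell script for the configuration PC. It assumes Windows 7 or Windows Server 2008 or later (icacls and netsh advfirewall are not available on Windows XP or Server 2003), an elevated prompt, and a hypothetical local group named TofinoUsers and project folder D:\TofinoProjects\Plant1, both of which you replace with your own; the ProgramData path and port 6689 are the ones the manual states.

```powershell
# Added example (not from the Eaton/MTL manual): post-installation setup so
# that non-administrator Windows users can run the Eaton Tofino Configurator.
# Assumes Windows 7 / Server 2008 or later (icacls and "netsh advfirewall" do
# not exist on Windows XP / Server 2003) and an elevated PowerShell prompt.
# "TofinoUsers" and "D:\TofinoProjects\Plant1" are hypothetical placeholders.

$ErrorActionPreference = 'Stop'

# Default preferences/audit-log location stated in the manual.
$dataDir    = 'C:\ProgramData\Tofino Security\Eaton Tofino Configurator'
$projectDir = 'D:\TofinoProjects\Plant1'   # hypothetical folder holding the .tpf file
$group      = 'TofinoUsers'                # hypothetical local group of non-admin users
$tofinoPort = 6689                         # NetConnect LSM port (TCP and UDP), from the manual

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
    }
}

function Invoke-Native {
    # Run a native command and fail loudly on a non-zero exit code
    # ($ErrorActionPreference does not cover native exit codes in Windows PowerShell).
    param([scriptblock]$Command)
    & $Command | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Command failed with exit code $($LASTEXITCODE): $Command" }
}

Assert-Elevated

# 1. Preferences and audit log: the group needs to write here. Grant Modify (M),
#    inherited by files (OI) and subfolders (CI), rather than Full control, so
#    users can write and roll the log but cannot change permissions or ownership.
if (-not (Test-Path -LiteralPath $dataDir)) {
    throw "Configurator data folder not found: $dataDir (run the Configurator once as Administrator first)"
}
Invoke-Native { icacls $dataDir /grant "$($group):(OI)(CI)M" /T }

# 2. Project folder: Administrators and SYSTEM keep Full control, the group gets
#    Read/Execute only, which limits those users to read-only use of the project.
#    /inheritance:r removes inherited ACEs so nothing broader leaks in from the parent.
if (-not (Test-Path -LiteralPath $projectDir)) {
    New-Item -ItemType Directory -Path $projectDir | Out-Null
}
Invoke-Native {
    icacls $projectDir /inheritance:r `
        /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "$($group):(OI)(CI)RX"
}

# 3. Windows Firewall exceptions for the NetConnect LSM: TCP and UDP on 6689.
#    Windows Firewall filters inbound traffic by default, so inbound rules are
#    what "open the port" means here; limit them to the Domain and Private
#    profiles so the port is never exposed while the PC is on a public network.
foreach ($proto in 'TCP', 'UDP') {
    $ruleName = "Eaton Tofino Configurator NetConnect ($proto $tofinoPort)"
    Invoke-Native {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
            protocol=$proto localport=$tofinoPort "profile=domain,private"
    }
}

# 4. Show the resulting ACLs and rules so the change can be checked before the
#    workstation is handed over.
icacls $dataDir
icacls $projectDir
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'NetConnect' -Context 0,8
```

Run it once per configuration PC, then log on as a member of the group and confirm that the Configurator starts, writes its audit log, and can open the project read-only. If your site enforces an outbound firewall policy, add matching dir=out rules; the script only creates the inbound exceptions that Windows Firewall requires by default.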
4 PROJECTS
The Eaton Tofino Configurator uses project files to coordinate one or more
Tofino SAs that are being used for a common facility or project. Each project
file contains the configurations of the Tofino SAs it is managing along with
other information, such as network assets and common protocols. When you start
the Eaton Tofino Configurator, you will be asked if you would like to do the
following:
· Create a new project (see “Creating a New Project” on page 11)
· Open an existing project
Figure 12: Create a new or open an existing project
Once you create a project file, that file will be visible for you to open from
the start-up screen. The last five projects opened display here. You can set a
specific project file as the default project so that it automatically opens
every time you start the Eaton Tofino Configurator. After you do this, the
start-up screen will no longer appear. You set and clear the default project
with the Preferences feature (see “Customizing Program Settings and
Preferences”on page 112). Once you load a project file, you can view the
project details and protection information. This includes the project name;
the name and location of the project file on the computer; the revision number
of the project; the users who created and last modified the project file; the
company name; the project protection settings; and the administrator
protection setting.
Figure 13: Project details, protection and password information
4.1 Creating a New Project
To begin using the Eaton Tofino Configurator, create a project. You can do
this from the start-up screen or from within the application. Create as many
projects as you need for your site. While only one project is required, you
may choose to segregate your network into smaller projects.
As part of project creation, you can restrict access to the project file with
the License Activation Key, a password, or both. Each time the project is
saved, the license key and/or the password is used to encrypt the project
file. Anyone who acquires the project file will be unable to read its content
without first providing the matching key and/or password. When a user
attempts to open the project in the Eaton Tofino Configurator, the license key
is supplied automatically from the program's own activation, but the user is
prompted to enter the password. Choose the protection to match the threat:
the license key stops the file from being opened on a machine activated with
a different LAK, the password stops anyone who can reach the file but does not
know the password, and a file protected by neither is readable by anyone who
can copy it.
As an extra layer of protection, you can set an Administrator password. This
helps keep users from performing certain functions without approval from the
Administrator. When this password is set, users require Administrator
permission to change the Project Protection settings or move the project file.
For more information on project protection, see “Managing User Logging,
Access, and Privileges”.
· On the start-up screen, click “Create New Project…”.
Figure 14: Create a new project
NOTE Once you set a default project to open automatically, the start-up screen
no longer appears.
Alternately, within the application, click the New icon in the toolbar to open
the wizard, then select “Project” and click “Next”. If you have another
project open, a message informs you that it will be closed. You will be
prompted to save the project, if necessary. Whether you create the project
from the start-up screen or from within the application, the New Project
Wizard opens. Here you enter the details for the project you are creating.
Figure 15: Enter project details
· Enter a project name and a company name. Click “Next”.
· Select how you want to restrict access to the project file: “License Activation Key” and/or “Password”.
Figure 16: Project protection settings
If you choose password protection, complete the “Password” and “Confirm
Password” fields. Create a password that is at least 6 characters long and
includes uppercase, lowercase, and special characters.
NOTE
If you leave both check boxes empty, any user will be able to access the
information in the .tpf project file.
To restrict access to the project file, select the “License Activation Key” option. When selected, the project file will open only on a machine with a matching License Activation Key. You can disable this option when you need to share the project file with technical support or with a person in your company who is running a different copy of the Eaton Tofino Configurator. Click “Next”.
· Set an optional administrator password. Select the “Use Administrator
Password” check box then complete the “Password” and “Confirm Password”
fields.
Figure 17: Specify administrator password
Create a password that is at least 6 characters long and includes uppercase,
lowercase, and special characters.
· Click “Finish”. The project is created but has not yet been saved.
· Click the Save icon in the toolbar. The standard Windows Save As dialog box opens.
· Select a location on your computer to store the project file and enter a name for the project. The filename will be appended with .tpf.
· Click “Save”.
4.2 Opening an Existing Project
You can open an existing project file when you start the Eaton Tofino
Configurator or you can open a project from within the application.
· On the start-up screen, click “Open Project…”.
Figure 18: Open an existing project
For convenience, the start-up screen displays the last six projects opened. If
the project you want to open appears in this list, click it to load the
project.
NOTE Once you set a default project, that project will load automatically when
you start the Eaton Tofino Configurator.
Alternatively, within the application, click the Open icon in the toolbar. If you have another project open, a message informs you that it will be closed. You will be prompted to save the project, if necessary.
· Locate the project file on your computer. The filename will be appended with .tpf.
· Click the file you want to open to select it. Click “Open”.
· When the project is password protected, the program prompts you to enter the password. Type the project password and click “OK”.
4.3 Editing Project Details
You can view and edit the details of the project you currently have open in
the Eaton Tofino Configurator. You can also change the protection settings and
passwords.
· Click the project name in the Project Explorer view. The details for the
current project display.
Figure 19: Edit project details
Update the Project Details section as necessary.
· Project Name: A user editable project name.
· Project File: The name of the project file with the location it was loaded
from or last saved to. This is also the location where the project will be
stored the next time it is saved. This field displays
· Project Revision: The number of the current version of this project, along
with a specially calculated hash code to reduce the chance of accidental
duplication of revision numbers. The project revision number is incremented
each time the project is saved.
· Creator: The user who created the project. This is the Windows user name of
the person who was logged in when the project was created.
· Last Modified By: The user who last saved the project. This is the Windows
user name of the person who was logged in when the project was last saved.
· Company: A user editable company name.
In the Project Protection section, change how you want to restrict access to the project file. You can add protection settings, remove protection settings, and change the current password.
· Click a selected check box to turn off a protection setting.
· Click an empty check box to turn on a protection setting.
· Click “Change Password…” to edit the current project protection password, if one is set. You will need to enter the current password and then enter and confirm a new password. Create a password that is at least 6 characters long and includes uppercase, lowercase, and special characters. Click “OK”.
In the Administrator Password section, change the administrator setting.
· To make yourself the project administrator, enable the check box if it is not already selected. Set a password and click “OK”.
· To remove protection at this level, clear the check box. You will be prompted to confirm the action; click “OK”. When prompted, enter the current password and click “OK” to confirm that you have permission to remove the protection.
· To edit the current password, click “Change Administrator Password…”. Enter the current password and then enter and confirm a new password. Create a password that is at least 6 characters long and includes uppercase, lowercase, and special characters. Click “OK”.
· Click the Save icon in the toolbar. If this is a new project that has not been saved, select a location on your computer to store the project file, enter a name for the project, and click “Save”.
4.4 Deleting a Project
You delete a project from outside the Eaton Tofino Configurator. Delete the
project file as you would delete any Windows file.
· Open Windows Explorer and locate the project file on your computer.
· Select the .tpf file you want to delete.
· Press DELETE. A message prompts you to confirm the deletion.
· Click “Yes”.
4.5 Duplicating a Project
The Save As feature lets you create a copy of your project file. You can also
use this feature to save a project file to a new location on your computer.
· Open the project you want to duplicate.
· Open the Save menu and click “Save As”.
Figure 20: Duplicating project
· Select a location on your computer to store the new project file.
· Edit the filename for the project.
· Click “Save”. If an administrator password is set for this project, then administrator approval is required to save the project to a new location. To continue you need the project’s administrator password.
4.6 Exporting a Project File
The Export feature lets you create a copy of your project file. Use this
action when you need to send a project file to technical support for
troubleshooting assistance. This feature allows users with Read Only or
Read/Write access to the project to export the information to outside
projects. It also lets users transfer project details to other people, such as
Technical Support staff, without having to provide passwords. Sensitive
information on your ConneXium Tofino encryption keys is deliberately removed
from all export files, so the resulting file cannot be used to connect to any
Tofino SAs.
· Open the project you want to export.
· Open the Save menu and click “Export”.
Figure 21: Exporting project file
· Select a location on your computer to store the exported file.
· Edit the filename (optional).
· Click “Save”. If an administrator password is set for this project, then administrator approval is required to save the export file to a new location. To continue you need the project’s administrator password.
5 TOFINO SAs
Tofino Security Appliances, referred to as Tofino SAs, are the hardware
devices installed on your live network. They also exist in the Eaton Tofino
Configurator, where you create a Tofino SA to represent each physical device
being installed. You configure the devices in the Eaton Tofino Configurator
and then transfer the configuration data to the devices, either over the
network or with a USB device. From the Tofino SAs item in the Project Explorer
view, you can create, edit, and delete the configuration data for multiple
Tofino SAs contained in a single project. By selecting a specific Tofino SA in
the Project Explorer view, you can do the following:
· Create a new Tofino SA
· View and edit the Tofino SA configuration
· Delete a Tofino SA
· View the status of a Tofino SA
· Create a configuration that can be loaded onto a Tofino SA device in the field
· Verify the configuration that is installed on a Tofino SA
Normally you will perform the last two tasks once your Tofino SA is fully configured.
After defining a Tofino SA in the project, you may also need to configure
event logging and define firewall rules. The Discovery item in the Project
Explorer view lets you search for existing Tofino SAs already configured on
your network.
5.1 Defining the Tofino SAs
Within a project, you define a Tofino SA for each Tofino SA hardware device
that will be installed on your network. The two most common ways to define a
Tofino SA are:
· Create a new Tofino SA manually
· Discover Tofino SA devices already configured on the network
You can also copy and paste a Tofino SA within the same project or across different projects. Once you paste the Tofino SA into the project, edit the settings as necessary. The Tofino SAs you define appear in the Project Explorer view beneath the item Tofino SAs. Click this top-level item to display the current folder structure and the defined Tofino SAs.
Figure 22: List of Tofino SA available
You can create a folder hierarchy to organize your Tofino SAs. Use the New Folder feature in the toolbar to create folders. You can use the Cut and Paste actions in the toolbar to move the devices.
5.1.1 Manually creating a Tofino SA
Create as many Tofino SAs in the project as are needed to represent each physical device being installed on the network.
· Click “Tofino SAs” in the Project Explorer view and then click “New Tofino SA” in the toolbar. Alternatively, open the New menu in the toolbar and click “Tofino SA”. The New Tofino SA wizard opens.
Figure 23: Enter Tofino SA details
· Enter the Tofino ID. This number is found on the face of the Tofino SA device. If you don’t know the Tofino ID of your appliance, you can enter a temporary ID of 00:00:00:00:00:XX, where XX is any two-digit number. This lets you configure the Tofino SA without the actual ID number. However, you will receive a message indicating “Tofino ID is not a valid Tofino Security Tofino ID”.
· Enter information to identify this specific Tofino SA device in the “Name:”, “Description:”, “General Location:”, and “Specific Location:” fields.
· Select the mode (“Operational” or “Test”) that you want the Tofino SA to run in when the configuration is loaded. Click “Next”.
NOTE During commissioning, confirm that the Tofino SA is set to Test mode to
allow validation of the firewall rules without dropping needed traffic. Once
the rules have been validated, set the Tofino SA to Operational mode. For more
information on using Test mode, see “Using Tofino Test Mode to
Validate Firewall Rules”.
Figure 24: Network interface settings of Tofino SA
· Name the Tofino SA interfaces and set the configuration of each interface. Click “Next”.
Figure 25: Select LSMs
On the final page of the wizard, select the LSMs you want to activate for this
Tofino SA.
· NetConnect LSM: The Tofino NetConnect LSM enables the Eaton Tofino
Configurator and the Tofino SA to communicate over the network. This allows
you to perform certain tasks, such as applying and verifying configuration,
from your PC without having to physically visit the Tofino SA in the field.
The NetConnect LSM will automatically activate itself once the Eaton Tofino
Configurator communicates with a Tofino SA licensed with that LSM.
· Firewall LSM: The Tofino Firewall LSM checks the communications on your
control network against a list of traffic rules that are defined by your
controls engineer. Any communication that is not on the allowed list will be
blocked and reported by the Firewall LSM.
· Event Logger LSM: The Tofino Event Logger LSM records security events and
alarm information. It can record and back up this information simultaneously
to both a remote IT syslog server and a non-volatile memory in the Tofino SA.
· Modbus TCP Enforcer LSM: The Tofino Modbus TCP Enforcer LSM checks every
Modbus command and response against a list of allowed commands defined by your
controls engineer. Any command that is not on the allowed list, or any attempt
to access a register or coil that is outside the allowed range, will be
blocked and reported. It also filters traffic based on the validity of the
Modbus TCP messages, screening out messages that have been either deliberately
or accidentally malformed.
· OPC Classic Enforcer LSM: The Tofino OPC Classic Enforcer LSM inspects,
tracks, and helps secure every connection that is created by an OPC
application. It dynamically opens only the TCP ports that are required for
each connection, and only between the specific OPC client and server that
created the connection. It also filters traffic based on the validity of the
OPC Classic messages, screening out messages that have been either
deliberately or accidentally malformed.
· IEC104 Enforcer LSM: The Tofino IEC104 Enforcer LSM enables DPI capabilities for IEC 104 traffic. The protocol enables the Master Station to request data from Substations using the predefined commands and Substations to respond by transmitting the requested data. This enforcer has a Sanity Check feature that blocks and reports any traffic that does not match the IEC 104 standards.
· EtherNet/IP Enforcer LSM: The Tofino EtherNet/IP Enforcer LSM checks
EtherNet/IP explicit messages for CIP objects or services, and compares them
against selected lists of allowed commands. This gives you the capability to
restrict traffic to data read-only, data read/ write, or programming messages
to PLC and other devices, as required for your security strategy. It also
filters traffic based on the validity of the EtherNet/IP messages, screening
out messages that have been either deliberately or accidentally malformed.
· DNP3 Enforcer LSM: The Tofino DNP3 Enforcer LSM enables Deep Packet
Inspection (DPI) capabilities for DNP3 traffic. It ensures that end values are
greater than the starting values. If this isn’t the case, the Tofino security
appliance should drop the packet regardless of data content. Only correctly
formatted DNP3 traffic is allowed. DNP3 validation includes checking of common
header byte fields, packet lengths, and DNP3 CRC values.
· Click “Finish”. The new Tofino SA appears in the Project Explorer view.
· Expand the Tofino SA and click “General” to display the General settings
page. See the reference section “Tofino SA Fields” for a detailed description
of the fields on this page.
· Confirm the information for this device is correct. Check the Communications
section, which defaults to “Both USB and Network”. Change this setting as
necessary.
You can specify whether you want to transfer configuration data to the Tofino
SA device over the network or with a USB device. If you do not have a license
for the NetConnect LSM, choose “USB Only”.
5.1.2 Discovering a Tofino SA
The Discovery feature lets you search your network for new and existing Tofino
SA devices. By scanning IP address ranges, the Tofino SAs can be discovered
and then added to your project.
A Tofino SA does not have its own IP address. During Discovery, the Eaton
Tofino Configurator sends discovery messages to addresses of devices on the
opposite side from the Tofino SA. The Eaton Tofino Configurator may be located
anywhere in the network, as long as it is able to communicate with at least
one device on the opposite side of the Tofino SAs. If any routers or firewalls
are located between the Eaton Tofino Configurator and a Tofino SA in the
network, configure each router and firewall device to allow the Eaton Tofino
Configurator traffic to pass through these devices. See “Communications” for
more information.
When working with multiple Tofino SAs, you may want to organize them in
folders. You can create the folder hierarchy before you discover the devices
or when you enter the scan details. To create folders prior to configuring the
scan settings, use the New Folder feature in the toolbar. Select “Tofino SAs”
or an existing folder in the Project Explorer view to display this button.
· In the Project Explorer view, expand the Tofino SA you are working with and
click “Discovery”. On the Tofino Discovery page, you configure a scan on the
left side of the page. On the right side, you view the progress and results of
the scan.
Figure 26: Discover Tofino SA
· In the “Start IP: ” and “End IP: ” fields, enter the starting and ending IP
addresses for the range you want to scan. The number of addresses to be
scanned and the estimated runtime is calculated and displayed in the Results
section.
NOTE When setting scan ranges, it is helpful to keep them as small as possible
as scanning is deliberately slow so that it does not impact the process
network in any way. One scan message is sent each second, so scanning
larger ranges (greater than 5000 addresses) may take several hours.
Specify the folder where you want to save the Tofino SAs that are discovered
with this scan.
· To display the existing folders, click the button to the right of the
“Destination Folder: ” field.
· To create a new folder beneath the currently selected folder, click the Add
button (+). Enter a name for the new folder and click “OK”.
· Select the destination folder for discovered Tofino SAs.
· Click “OK”.
To run the scan repeatedly, select the “Continuous Scan: ” check box. The scan
will run until you manually stop it. This feature enables you to start the
scan before the Tofino SA devices are actually installed. As they are
installed on the network, the scan will discover them.
To begin the scan, click “Start”. To pause the scan at any time, click
“Pause”. The scan is held at this point until you click “Start” to begin it
again. The “Duration: ” field displays how long the scan has been running
since the last time “Start” was clicked. To return the scan Results fields to
the default values, click “Reset”.
The progress of the scan displays in the Results section. There are four
states:
· Ready: The scan is configured but has not been started.
· Complete: The entire address range has been scanned.
· Paused: The user has paused the scan.
· Rescanning: The scan is in progress for the entire address range. When the Continuous Scan option is enabled, this state relates to the “Iteration: ” feature. The “Iteration: ” value indicates how many times the range has been scanned.
As devices are discovered, they appear in the Project Explorer view at the
specified location. The General settings page is populated with basic device
information: Tofino ID, Name, and Hardware Type. A network connection is
automatically attempted and, if successful, provides additional device
details.
5.2 Editing a Tofino SA
Selecting or expanding a Tofino SA in the Project Explorer view displays links
that let you navigate to pages where you can edit the device configuration.
The configuration and setting options available for a Tofino SA will depend on
its associated LSMs. Typically, the available settings include:
· General settings: Configure the general settings for the selected Tofino SA.
This includes general information, communication parameters, and LSM
selection.
· Event Logger LSM settings: Configure alarm and event logging for the
selected Tofino SA.
· Firewall LSM settings: Configure firewall rules for the selected Tofino SA.
When you copy a Tofino SA from another project, review the configuration settings to verify that it is set up properly for the new location.
· In the Project Explorer view, expand the Tofino SA you want to work with and click “General”. The page displayed shows the general configuration settings for this Tofino SA.
Figure 27: General settings of Tofino SA
· Update the Tofino SA configuration as necessary. See the reference section “Tofino SA Fields” for a detailed description of the fields on this page.
· Click the Save icon in the toolbar.
5.3 Deleting a Tofino SA
Delete a Tofino SA if you no longer need it in the current project. The Tofino
SA in your Eaton Tofino Configurator project is a virtual representation of
the physical Tofino SA device. Special keys are stored in both of these
locations to enable communication between them. Deleting a Tofino SA from the
project deletes its configuration data, including the special keys. This will
block any future network communication between the Eaton Tofino Configurator
and that Tofino SA device until a factory reset is performed on the Tofino SA
device. The factory reset clears the second of the two keys and opens the door
for a new Eaton Tofino Configurator/Tofino SA pairing to be established.
· In the Project Explorer view, click the Tofino SA you want to delete.
· Click the Delete icon in the toolbar.
Figure 28: Deleting Tofino SA
When the Communications setting is “Network Only” or “Both USB and Network”, a
message asks if you want to perform a factory reset on the Tofino SA. Click
“Yes”. The Eaton Tofino Configurator automatically resets the Tofino SA to the
factory settings.
When the Communications setting is “USB Only”, you need to perform the factory
reset manually. See “Factory Resetting Your Tofino SA”.
· A message prompts you to confirm the deletion. Click “OK” to proceed.
Figure 29: Confirm prompt
5.4 Tofino SA Status Page
The Tofino SA Status page shows the current status of parameters in a particular Tofino SA (TSA). These parameters reflect the data of both interfaces. The Tofino Status page is part of the specific Tofino SA folder; it can be navigated to like the other pages (General, Event Logger, etc.).
Figure 30: Tofino SA Status page
The listed parameters are divided into four categories:
· General Status
· Load & Memory
· Interface 1
· Interface 2
These categories contain information about memory, transmitted/received parameters of both interfaces, sysUptime, temperature and load with units, and many more such parameters. To fetch the latest parameters of a Tofino SA, follow these steps:
· Click the Status page of the TSA.
· Click the “Fetch Status Parameters” button located at the bottom of the page. The Eaton Tofino Configurator now fetches the latest parameters of that particular Tofino SA.
NOTE
Previously fetched values of Tofino Status parameters remain saved if you navigate to other pages in the TC Project Explorer. However, if you close a project, you need to fetch the statistics again, as these are not saved in the project file.
6 ASSETS
In the Eaton Tofino Configurator, assets represent the real world devices and
systems on the control network. An asset can represent a physical device, such
as a PLC, a computer, or network equipment. It can also represent a virtual
asset, such as a broadcast address range, a network, or a multicast address.
This provides flexibility when creating firewall rules.
By selecting a specific asset in the Project Explorer view, you can do the
following:
· Create a new asset manually
· Create a folder
· View and edit the asset’s details
· Create an asset template from the selected asset
· Delete an asset
You can create a new asset manually or from a template.
Computer, Controller, Device, and Network Equipment Assets
Most assets used in the Eaton Tofino Configurator are real devices. These typically use messages known as Unicast messages. A Unicast message is network traffic directed from a specific device to another specific device. When you define an asset to be a computer, controller, device, or network equipment, the Eaton Tofino Configurator assumes it is a physical device on your network and helps create rules appropriate for that type of device.
Network Assets
Network assets are a virtual representation of the devices contained in a specific network or subnetwork. When you define an asset to be a network, the Eaton Tofino Configurator assumes it is a collection of devices on your network that belong to a group of IP addresses known as a subnet. Thus, if you use a network asset in a rule, the Eaton Tofino Configurator helps create rules that allow or deny traffic from that range of addresses.
Broadcast and Multicast Assets
In most networks there are messages that are sent to a general address and are expected to be received by everyone on the network. These are called Broadcast and Multicast messages. The Eaton Tofino Configurator has special assets designed to handle these types of messages.
· Broadcast: This asset represents an address that is used for IP broadcasts.
Broadcast packets, which are a normal part of network operation, are
transmitted by a device to a broadcast address that many devices listen to.
For example, IP networks use broadcasts to resolve network addresses using
Address Resolution Protocol (ARP). The exact broadcast address is dependent on
the subnet defined for a given network. If the node address is 192.168.1.1 the
broadcast address might be 192.168.1.255, depending on the subnet of the node.
This type of asset is required if you wish to provide broadcast filtering
rules in the Firewall LSM.
· Multicast: This asset represents an address that is used for IP multicasts.
Multicast packets are transmitted to a multicast address that a set of devices
listen to. Typically these are IP addresses in the range between 224.0.0.0
through 239.255.255.255 and depend on the manufacturer of controller hardware,
the protocols in use, and the network configuration. For example,
239.192.22.121 is often used in EtherNet/IP networks, while 234.5.6.7 is often
used with Fault Tolerant Ethernet Systems. This is required if you wish to
provide multicast filtering rules in the Firewall LSM.
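As an added example (not part of the manual or of the Tofino product), the following Python derives the directed broadcast address for a node's subnet, as in the 192.168.1.1 / 192.168.1.255 case above, and sorts an IPv4 address into the asset type it would be modelled as (unicast device, Broadcast asset or Multicast asset). It generalises the two literal addresses in the text to any subnet mask; treating 255.255.255.255 as a broadcast asset and skipping /31 and /32 subnets are my assumptions, not statements from the manual.

```python
import ipaddress
from typing import Iterable

# Multicast block named in the manual: 224.0.0.0 through 239.255.255.255 (224.0.0.0/4).
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")
# Limited broadcast address, heard by every host regardless of subnet
# (assumption: modelled as a Broadcast asset like a directed broadcast).
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def broadcast_address(node_ip: str, prefix_len: int) -> str:
    """Return the directed broadcast address of the subnet that contains node_ip.

    The manual's example: node 192.168.1.1 on a /24 subnet -> 192.168.1.255.
    A different mask gives a different answer, which is why the broadcast
    address "depends on the subnet of the node".
    """
    network = ipaddress.ip_network(f"{node_ip}/{prefix_len}", strict=False)
    return str(network.broadcast_address)


def classify_asset_address(addr: str, subnets: Iterable[str]) -> str:
    """Map an IPv4 address to the Tofino asset type it would be modelled as.

    Returns 'multicast' for 224.0.0.0/4, 'broadcast' for the limited broadcast
    address or the directed broadcast address of any configured subnet, and
    'unicast' otherwise (a computer, controller, device or network-equipment asset).
    """
    ip = ipaddress.ip_address(addr)
    if ip in MULTICAST_RANGE:
        return "multicast"
    if ip == LIMITED_BROADCAST:
        return "broadcast"
    for subnet in subnets:
        network = ipaddress.ip_network(subnet, strict=False)
        # /31 and /32 networks have no directed broadcast address; skip them so a
        # point-to-point peer or single host is not misreported as broadcast.
        if network.prefixlen >= 31:
            continue
        if ip == network.broadcast_address:
            return "broadcast"
    return "unicast"


if __name__ == "__main__":
    # Constructed sample plant subnet used only for illustration.
    plant_subnets = ["192.168.1.0/24"]
    for address in ("192.168.1.1", "192.168.1.255", "239.192.22.121", "234.5.6.7"):
        print(address, "->", classify_asset_address(address, plant_subnets))
```

Note that 192.168.1.255 is only a broadcast address if the node's subnet is a /24; on a 192.168.0.0/16 network the same address is an ordinary host and would be filtered by a unicast rule, not a broadcast rule.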
6.1 Asset Templates
An asset template is a tool to help you create multiple assets quickly. It
contains predefined fields that can be used to rapidly create similar assets.
For example, if you have ten PLCs in your plant that are a similar make and
model, you can create an asset template (or use a pre-existing template) to
represent that type of PLC. Then you can quickly generate assets to represent
the ten similar PLCs. The Eaton Tofino Configurator comes with a number of templates preloaded for common automation products, including Schneider Automation products. You can also import new templates or create templates of your own. By selecting a specific asset template in the Project Explorer view, you can do the following:
· Create a new asset template
· Create a folder
· Create a new asset from the selected template
· View and edit the asset template’s details
· Delete the asset template
The templates that you create appear in the Project Explorer view in the Asset Templates folder. You can create a folder hierarchy to organize your templates. Use the New Folder feature in the toolbar to create folders. You can create a template in a specific folder, or you can use the Cut and Paste actions in the toolbar to relocate templates. Some templates are factory defined, and cannot be cut or deleted.
6.1.1 Creating an Asset Template
Create as many asset templates in a project as you need to simplify the
process of creating assets. When you have several assets that are similar, it
will save time to create a template containing the common information and then
use that to create your assets. You can create rule profiles for asset
templates. When you create a template you can specify the protocols that this
type of asset typically uses, along with how you want those protocols managed.
The New Firewall Rule Wizard can use this information to automatically create
rules for the assets created from this template. For more information, see
“Rule Profiles”.
NOTE
To add rule profiles to preloaded templates, first make a copy of the template
and then add the rule profiles.
· Click “Asset Templates” in the Project Explorer view and then click “New Asset Template” in the toolbar. Alternatively, open the New menu in the toolbar and click “Asset Template”. The templates that you create appear in the Project Explorer view in the Asset Templates folder.
NOTE This creates an asset template at the top level. Select a folder before clicking “New Asset Template” to create the template in a specific location. Use the New Folder feature in the toolbar to create folders to organize the templates.
The New Asset Template dialog box opens.
Figure 31: New asset template
· Enter a name for this asset template and select the type of asset it represents.
· Complete the remaining fields (optional).
· Click “Finish”.
The program adds the new template in the specified location in the Project
Explorer view. The details view displays the template configuration.
Figure 32: Detail view of an asset
Generally, you will not complete the Communications section. A user will add
these details when creating a specific asset from this template.
You can now define rule profiles. This lets you specify the protocols that an
asset uses, along with how you want the protocols managed. The New Firewall
Rule Wizard uses this information to automatically create rules for the asset.
For more information, see “Rule Profiles”.
· To open the New Rule Profile Wizard, click “Add Rule Profile… ” beneath the
Rule Profiles table.
· Select the type of rule you want to create: standard or special. If you are
creating a special rule, you also select a rule type from the list provided.
Click “Next”.
· Define the rule profiles.
· Expand the folders and select the protocols you want to use. Use SHIFT+click
to select a range of protocols; use CTRL+click to select multiple protocols
out of sequence. The Eaton Tofino Configurator creates a rule profile for each
protocol selected.
· Set the permission. This tells the firewall what to do with a packet that
matches the rule profile: allow it to pass (“Allow”) or stop it from passing
(“Deny”). The “Enforcer” option inspects and filters the traffic using Deep
Packet Inspection. This option is appropriate solely for the Enforcer
protocols.
· To create a log each time the rule is triggered, select the “Enable Logging”
check box.
· Click “Finish”. The profiles created appear in the Rule Profiles table.
· Select the rule protocol in this table and finish configuring it in the Rule
Details section.
Figure 33: New rule profile wizard
You can adjust advanced settings, such as traffic rate limiting, for most rule
profiles. Additional settings for the selected rule profile are displayed in
one or more tabs below the table.
· Click the Save icon in the toolbar. See the reference section “Asset and
Asset Template Fields” for a detailed description of the fields on this page.
6.1.2 Deleting an Asset Template
Delete an asset template if you no longer need it in the current project. The
templates reside in the “Asset Templates” folder.
· In the Project Explorer view, locate the asset template you want to delete
and click it in the tree to select it.
· View the details to verify that this is the correct template.
· Click the Delete icon in the toolbar. A message prompts you to confirm the
deletion.
· Click “OK” to proceed.
6.2 Creating Assets
To build your asset library, you can create assets manually or from existing
templates. Asset templates contain default asset details, allowing you to
create similar assets quickly. You can also copy and paste an asset or asset
template into the Assets folder to create an asset. However, this does not run
the wizard. To make the asset unique, you need to edit the details manually.
6.2.1 Creating an Asset Manually
Creating an asset involves defining its general information, communication
parameters, and rule profiles. You can create as many assets as needed for
your project. When working with multiple assets, you may want to organize them
in folders. Use the New Folder feature in the toolbar to create the folder
hierarchy.
· In the Project Explorer view, expand “Assets” and click the folder where you
want the new asset to reside. To create the asset at the top level, click
“Assets”.
· Click “New Asset” in the toolbar. Alternately, open the New menu in the
toolbar and click “Asset”. The New Asset wizard opens.
Figure 34: Create asset manually
· Enter a name for this asset and select its type.
· Complete the remaining fields to identify the asset (optional). Click
“Next”.
· Enter an IP address and/or a MAC address for this asset. This information
will be used by the Eaton Tofino Configurator when creating firewall rules for
this asset.
· Click “Finish”. The new asset appears in the specified location in the
Project Explorer view. The details view displays the asset details.
Figure 35: Detail view of an asset
You can now define rule profiles. This lets you specify the protocols that an
asset uses, along with how you want the protocols managed. The New Firewall
Rule Wizard uses this information to automatically create rules for the asset.
For more information, see “Rule Profiles”.
· To open the New Rule Profile Wizard, click “Add Rule Profile… ” beneath the
Rule Profiles table.
· Select the type of rule you want to create: standard or special. If you are
creating a special rule, you also select a rule type from the list provided.
Click “Next”.
· Define the rule profiles.
· Expand the folders and select the protocols you want to use. Use SHIFT+click
to select a range of protocols; use CTRL+click to select multiple protocols
out of sequence. The Eaton Tofino Configurator creates a rule profile for each
protocol selected.
· Set the permission. This tells the firewall what to do with a packet that
matches the rule profile: allow it to pass (“Allow”) or stop it from passing
(“Deny”). The “Enforcer” option inspects and filters the traffic using Deep
Packet Inspection. This option is appropriate solely for the Enforcer
protocols.
· To create a log each time the rule is triggered, select the “Enable Logging”
check box.
· Click “Finish”. The profiles created appear in the Rule Profiles table.
· Select the rule profile in this table and finish configuring it in the Rule
Details section.
Figure 36: Rule profile section
You can adjust advanced settings, such as traffic rate limiting, for most rule
profiles. Additional settings for the selected rule profile are displayed in
one or more tabs below the table.
· Click the Save icon in the toolbar. See the reference section “Asset and
Asset Template Fields” for a detailed description of the fields on this page.
6.2.2 Creating an Asset from a Template
Use a template to quickly create an asset with default values already
completed. Assets created from a template are placed in the Assets folder in
alphabetical order. You can reorganize the assets into specific folders as
needed.
· In the Project Explorer view, expand “Asset Templates” and locate the
template you want to use to create an asset.
· Click the asset template to select it and click “New Asset from Template”
in the toolbar. The New Asset wizard opens with some of the fields already
populated with the template’s default values.
Figure 37: Create an asset from template
· Change the entry in the “Name: ” field to identify the asset you are
creating.
· Complete the remaining fields to identify the asset (optional). Click
“Next”.
· Enter an IP address and/or a MAC address for this asset. This information
will be used by the Eaton Tofino Configurator when creating firewall rules for
this asset.
· Click “Finish”. The program adds the new asset to the Assets folder in the
Project Explorer view. The Rule Profiles table displays any rule profiles
configured for the template.
· Click the Save icon in the toolbar.
· To relocate the asset to another folder, use the Cut and Paste actions in
the toolbar. See the reference section “Asset and Asset Template Fields” for
a detailed description of the fields on this page.
6.3 Editing an Asset or an Asset Template
Selecting an asset or an asset template in the Project Explorer view displays
the configuration details for the selected item. From here you can edit the
settings. This page includes general information, communication parameters,
and rule profiles. The Rule Profiles table displays the rule profiles created
for the selected asset or template. You can make changes directly on this
page: in the table and in the Rule Details section.
· In the Project Explorer view, click the asset or template you want to edit.
The configuration details are displayed.
Figure 38: Editing an asset template
· Update the fields in the General and Communications sections.
NOTE Generally, you will not complete the Communications section for an asset
template. A user will add these details when creating a specific asset from
this template.
· In the Rule Profiles table, click the cell you want to edit and make the
necessary change in the table. Depending on the cell selected, you will be
able to:
· Change the state of a check box
· Select an entry in a list
· Open a dialog box and select from a list of appropriate values
· Enter text
To delete a rule profile, select it in the table and click the Remove button
(x) beneath the table.
· On the General and Enforcer tabs in the Rule Details section, update the
settings as necessary for the currently selected rule profile.
· Click the Save icon in the toolbar. See the reference section “Asset and
Asset Template Fields” for a detailed description of the fields on this page.
6.4 Creating an Asset Template from an Existing Asset
You may find yourself in the situation where you need to create several assets
that are similar to one you already have in your project. You can create an
asset template from that existing asset. This will then allow you to quickly
create the additional assets from the template.
· In the Project Explorer view, locate the asset you want to use as the basis
for an asset template.
· View the details to verify that this is the correct asset.
· In the Project Explorer view, right click that asset and click “Copy”.
· Right click the folder where you want the new asset template to reside and
click “Paste”. You can place it in the Asset Templates folder or one of its
subfolders. The asset appears in the specified location.
Figure 39: Create an asset template from an existing asset
· In the Project Explorer view, click the new asset template to display its
details. Make any changes necessary so that it can be used to quickly create
assets.
· Click the Save icon in the toolbar.
6.5 Deleting an Asset
Delete an asset if it no longer belongs in the current project. The assets
reside in the Assets folder or in a subfolder.
· In the Project Explorer view, locate the asset you want to delete and click
it in the tree to select it.
· View the details to verify that this is the correct asset.
· Click the Delete icon in the toolbar.
Figure 40: Delete asset
If the selected asset is referenced in a firewall rule, you will receive a
message with three options. You can choose to cancel the deletion; delete the
asset and replace the references to it with its current address; or delete the
asset and fix the detected errors later. When you choose to delete the asset,
a message prompts you to confirm the action. Click “OK” to proceed. Canceling
the deletion at this prompt will not reinstate the asset in any firewall rules
from which it was removed.
6.6 Detecting an Asset
There are a few prerequisites to enable the Tofino to gather asset
information:
· The Tofino must have the Firewall LSM and Event Logger enabled and active.
· The Tofino must be in TEST mode to gather the network traffic passing
through it.
· The Tofino must be allowed 10-15 minutes to gather information.
Use the “Detect Assets” button on the TC toolbar to detect the existing
asset(s).
· Click “Assets” in the Project Explorer view.
· Click the “Detect Assets” button in the toolbar.
· Click the check box in the “Asset Detection Wizard” pop-up box to select
the Tofino SA (TSA) for which assets are to be detected. You can select only
one Tofino SA. You receive an error message if more than one TSA is selected.
Figure 41: Error when more than one Tofino SA is selected
Figure 42: Select one Tofino SA
· Click the “Next” button.
· Select the suggested assets to be added to the Assets folder and click the
“Finish” button. The selected suggested assets are added to the “Assets”
folder view.
Figure 43: Select suggested assets
· An error message appears if there are no assets to populate.
· No assets are discovered if the assets are already present in the assets
list.
When there is no traffic, no log files are created and the following error
message displays.
Figure 44: Error when no traffic
7 FIREWALL RULES
A firewall is a mechanism used to control and monitor traffic between two
networks (or two portions of the same network) to increase the level of
security on the network. It compares the traffic passing through the firewall
to a predefined set of rules, discarding traffic that does not meet the rule
criteria. In effect, it is a filter that blocks unwanted network traffic and
places limitations on the amount and type of communication that occurs between
devices (or networks) in need of protection and other systems, such as the
corporate network or another portion of a site’s control network. The Tofino
Firewall is a Loadable Security Module (LSM) that is activated on the Tofino
SA to process traffic. On its own, it is a stateful layer 2, 3, and 4
firewall. When combined with the Enforcer LSMs, it also offers stateful Deep
Packet Inspection. An Enforcer is an advanced firewall for specific SCADA and
ICS protocols. It allows you to filter traffic based on high level message
content, such as the commands and services being used or the memory locations
being accessed. Enforcers are designed to be add-ons to the standard Tofino
Firewall LSM. There are multiple Enforcers that you can activate and use; each
one provides Deep Packet Inspection for a different protocol. The following
Enforcers are available in the current version of the Eaton Tofino
Configurator:
· Modbus TCP Enforcer
· OPC Classic Enforcer
· IEC104 Enforcer
· EtherNet/IP Enforcer
· DNP3 Enforcer
· GOOSE Enforcer
The Tofino SA model and the installed LSM licenses determine the Enforcers
available in the Eaton Tofino Configurator. The Firewall details page lists
the firewall rules configured for the selected Tofino SA. On this page you can
create a new firewall rule and manage the existing rules. You can do the
following:
· Create a new firewall rule
· View and edit the rules
· Reorder rules
· Cut, copy, and paste rules
· Delete rules
The Rule Table supports multiple selection. Use SHIFT+click to select a range
of rules; use CTRL+click to select multiple rules out of sequence. This lets
you copy multiple rules from one Tofino SA and paste them into another.
Selecting a rule in the table displays additional information for that rule
and protocol in the Rule Details section at the bottom of the page.
Figure 45: Firewall rule table
· Firewall Rule Order
The Tofino SA inspects packets in a sequential manner according to the order
that the rules are displayed in the firewall rule table. Having the same rules
but placing them in a different order can alter how the Tofino SA manages
traffic.
When the Tofino SA receives a packet, it compares it against the first rule,
then the second, then the third, and so on. When it finds a rule that matches,
it stops checking and applies that rule. If the packet goes through each rule
without finding a match, then that packet is denied.
You can manually reorder the rules by selecting a rule and clicking “Move Up”
and “Move Down” in the toolbar.
Figure 46: Move up and down the rules
Keep in mind that the first rule in the Tofino SA that matches is applied to
the packet: not the rule that is the most appropriate match. Based on this,
set the more specific rules at the top of the list, followed by the more
general rules. This helps to prevent a general rule being matched before
hitting a more specific rule.
There are certain exceptions to this strategy: for example, rules using MAC
addresses need to be evaluated before rules using IP addresses. The Eaton
Tofino Configurator advises you if this is required.
Figure 47: MAC based rules evaluated before IP based rules
· Assisted Firewall Rule Creation
Some firewall rules are needed for other rules to work correctly. For example,
because devices communicating over IP use the ARP protocol to resolve each
other’s hardware addresses, an ARP Allow rule is needed in order for a TCP
(or any other IP-based) rule to work. The Eaton Tofino Configurator detects
when an additional rule is needed and prompts you to insert it. The message
displays in the title bar above the rule table.
Figure 48: ARP rule required for IP traffic
· Firewall Rate Limiting
The Rate Limit fields are advanced settings that are available for firewall
rules. These define the rate at which packets that have met the other criteria
for a given rule are allowed through the firewall. The rate limiting uses a
token bucket filter algorithm with three settings:
· Rate Limit: the average packet allow rate over the defined time interval
· Interval: the time interval used for the rate limit (second, minute, hour,
day)
· Burst Limit: the maximum initial number of packets allowed
To understand how token bucket filtering works, picture a ‘bucket’ of
‘tokens’. It costs one token for the firewall to forward one packet. If the
bucket is out of tokens, then the firewall will drop packets until there are
more tokens in the bucket. The number of tokens (and thus the number of
forwarded packets) is controlled by two settings: Rate Limit and Burst Limit.
The Rate Limit is the rate at which the bucket is refilled with tokens. The
rate limit setting is calculated over an interval set by the user (such as per
second or per minute). If the rate limit is 50 and the interval is set to
seconds, then 50 tokens per second will be placed in the bucket and 50 packets
per second will be let through the firewall. Keep in mind that the bucket is
refilled gradually over an interval and not at the start of the interval.
The Burst Limit is the initial number of tokens in the bucket, as well as the
maximum number of tokens the bucket can hold. In other words, this helps to
prevent the number of tokens from building up during times of low traffic.
The firewall will immediately allow through any burst of packets equal to the
number of tokens in the bucket. Once the bucket is empty, the firewall can
only forward packets as the bucket refills over time at the rate specified by
the rate limit. If the rate of packets is faster than the rate limit, the
bucket will empty at the rate of packets and then will be limited by the rate
limit which refills the bucket. In other words, if your burst limit is 100,
your rate limit is 25 per second, and 1000 packets are sent to the firewall,
then the first 100 will be allowed, followed by another 25 packets per second
after that. Other packets will be dropped.
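The following simulation of the token bucket filter described above is an added example; it is not code from the Eaton Tofino Configurator or the Tofino SA firmware. The millisecond timestamps, the exact rational arithmetic and the packet arrival sequences are assumptions made for the illustration. It reproduces the scenario in the text (Burst Limit 100, Rate Limit 25 per second, 1000 packets) and shows the effect of gradual refill: 1000 packets arriving at the same instant yield 100 forwarded packets, while 1000 packets spread evenly over one second yield 124, the initial burst plus the 24 whole tokens refilled during that second.

```python
from fractions import Fraction

# Seconds per "Interval" choice offered by the Rate Limit settings.
INTERVAL_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class TokenBucket:
    """Token bucket filter driven by the three Tofino rate limit settings.

    rate_limit  - tokens (packets) added to the bucket per interval
    interval    - "second", "minute", "hour" or "day"
    burst_limit - initial number of tokens and the bucket's maximum capacity
    Times are in milliseconds (an assumption of this example); Fraction
    arithmetic keeps the simulation free of floating point drift.
    """

    def __init__(self, rate_limit, interval, burst_limit):
        self.capacity = Fraction(burst_limit)
        self.tokens = Fraction(burst_limit)              # the bucket starts full
        self.refill_per_ms = Fraction(rate_limit, INTERVAL_SECONDS[interval] * 1000)
        self.last_ms = Fraction(0)

    def forward(self, now_ms):
        """Return True if a packet arriving at now_ms is forwarded, False if dropped."""
        now_ms = Fraction(now_ms)
        if now_ms < self.last_ms:
            raise ValueError("packet timestamps must be non-decreasing")
        # Refill gradually, in proportion to elapsed time, never above the burst limit.
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1                             # one token pays for one packet
            return True
        return False                                     # bucket empty: drop


def filter_packets(arrival_ms, rate_limit, interval, burst_limit):
    """Verdict (True = forwarded) for each packet of an arrival sequence."""
    bucket = TokenBucket(rate_limit, interval, burst_limit)
    return [bucket.forward(t) for t in arrival_ms]


def count_forwarded(arrival_ms, rate_limit, interval, burst_limit):
    """How many packets of the sequence get through the rate-limited rule."""
    return sum(filter_packets(arrival_ms, rate_limit, interval, burst_limit))


if __name__ == "__main__":
    # Constructed traffic for the manual's scenario: burst 100, rate 25 per second.
    flood = [0] * 1000                       # 1000 packets arriving at the same instant
    print("instant flood:", count_forwarded(flood, 25, "second", 100))    # 100
    spread = list(range(1000))               # one packet per millisecond for one second
    print("1 s of traffic:", count_forwarded(spread, 25, "second", 100))  # 124
```

Note that the spread case admits 124 rather than 125 packets: 25 tokens per second are added continuously, so only 24 whole tokens have accumulated by the time the last packet arrives at 999 ms. A fourth scenario worth trying is a long idle period followed by a burst, which confirms that tokens never build up past the Burst Limit.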
· Direction: Right, Left, Bidirectional
The arrow in the rule table indicates which device establishes a connection
between the two nodes. The direction indicator does not refer to packet flow.
For example, if a Human Machine Interface (HMI) is using Modbus/ TCP to
request data from a PLC, the HMI will be the device initially setting up the
communications connection. Once the connection is established, then packets
will flow in both directions.
Another way of thinking about this is to consider a normal telephone system.
The person dialing the phone number (Person 1) is the one setting up (i.e.,
establishing) the connection. Once the other person (Person 2) answers the
phone, then speech can flow both ways.
There are three direction options for a Tofino Firewall LSM:
· Right: Connections can be established by the left asset (as defined in the
rule table) and will flow to the right.
Example: Consider an HMI is the left asset and a PLC is the right asset with
the direction set to Right. This would allow the HMI to initiate the
connection and the PLC to respond, but the PLC would not be allowed to
initiate a session.
· Left: Connections can be established by the right asset (as defined in the
rule table) and will flow to the left.
Example: Consider a Workstation with a browser client is the right asset and a
Web Server is the left asset with the direction set to Left. This would allow
the Workstation to initiate web sessions and the Web Server to respond, but
the Web Server would be unable to initiate a session.
· Bidirectional: The connections can be established by either device.
Once the connection is established, traffic will be able to flow in both
directions regardless of the direction set in the rule.
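The following model of the rule evaluation semantics described under “Firewall Rule Order” and “Direction” is an added example; it is not code from the Tofino SA or the Eaton Tofino Configurator. It assumes a simplified packet in which a syn flag stands in for whatever packet establishes a connection, constructed addresses for the HMI, PLC, workstation and web server, and the literal string "any" as the wildcard asset. It implements first-match evaluation with default deny, and the rule that Right, Left and Bidirectional only constrain which side may open a connection, after which traffic flows both ways.

```python
from dataclasses import dataclass

ANY = "any"   # wildcard asset, standing in for "the rule applies to any asset"


@dataclass(frozen=True)
class Rule:
    left: str         # left asset address, or ANY
    right: str        # right asset address, or ANY
    protocol: str     # e.g. "modbus_tcp"
    direction: str    # "right", "left" or "bidirectional": who may open the connection
    permission: str   # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    syn: bool = False  # True for the packet that establishes a connection (assumption)


def _endpoint_matches(rule_addr, addr):
    return rule_addr == ANY or rule_addr == addr


def _initiator_allowed(rule, pkt):
    """Does this rule cover a connection opened by pkt.src towards pkt.dst?"""
    if rule.protocol != pkt.protocol:
        return False
    left_to_right = (_endpoint_matches(rule.left, pkt.src)
                     and _endpoint_matches(rule.right, pkt.dst))
    right_to_left = (_endpoint_matches(rule.right, pkt.src)
                     and _endpoint_matches(rule.left, pkt.dst))
    if rule.direction == "right":          # only the left asset may initiate
        return left_to_right
    if rule.direction == "left":           # only the right asset may initiate
        return right_to_left
    if rule.direction == "bidirectional":  # either asset may initiate
        return left_to_right or right_to_left
    raise ValueError(f"unknown direction {rule.direction!r}")


class StatefulFirewall:
    """First-match rule table with default deny and a connection table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # (frozenset({a, b}), protocol) per established connection

    def process(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        key = (frozenset((pkt.src, pkt.dst)), pkt.protocol)
        if not pkt.syn:
            # Once established, traffic flows both ways whatever the rule direction says.
            return key in self.connections
        for rule in self.rules:                 # rules are tried top to bottom
            if _initiator_allowed(rule, pkt):   # the first match wins, not the best one
                if rule.permission == "allow":
                    self.connections.add(key)
                    return True
                return False
        return False                            # fell through every rule: deny


def run(rules, packets):
    """Feed a packet sequence through a fresh firewall; returns one verdict per packet."""
    fw = StatefulFirewall(rules)
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    HMI, PLC = "10.0.0.5", "10.0.0.20"          # constructed addresses
    hmi_to_plc = Rule(HMI, PLC, "modbus_tcp", "right", "allow")
    # PLC cannot open a session, HMI can, and the PLC's reply then flows back.
    print(run([hmi_to_plc], [Packet(PLC, HMI, "modbus_tcp", syn=True),
                             Packet(HMI, PLC, "modbus_tcp", syn=True),
                             Packet(PLC, HMI, "modbus_tcp")]))
```

Swapping the order of a specific Deny rule and a general Allow rule (for example `Rule(HMI, PLC, ...)` with Deny and `Rule(ANY, PLC, ...)` with Allow) changes the verdict for the HMI, which is exactly the ordering effect the text warns about.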
7.1 Creating Firewall Rules
The Eaton Tofino Configurator allows you to create two types of firewall
rules:
· Standard rules
· Special rules
Standard firewall rules are designed to allow or deny specific protocols
passing through the firewall. They let you set the source, destination,
direction, permission and rate limits for traffic of a particular protocol
type. For example, if you want to allow Modbus/TCP traffic between two
devices, a standard rule can be used. Special Rules are highly complex rules
that go beyond simple allow or deny. For example, a Special Rule could be used
to block a subset of a particular type of traffic. The available Special Rules
can be viewed in the Special Rules folder. You will normally use standard
rules. Use special rules solely in exceptional cases.
· In the Project Explorer view, expand the Tofino SA you want to work with and
click “Firewall”.
· Click “Create Rule” in the toolbar. The New Firewall Rule Wizard opens.
Figure 49: Create new firewall rule
· Select the type of rule you want to create: standard or special. If you are
creating a special rule, you also select a rule type from the list provided.
Click “Next”.
· Define the assets involved in the firewall rule and click “Next”.
Figure 50: Select the assets involved
For each asset you:
· Select the interface where the asset or address is found.
· Specify the asset or address that the rule applies to. You can enter a
specific address or select from a list of known assets. You can also specify
that the rule applies to any asset.
· Set the direction to indicate which asset can establish the connection. The
options are left, right, and bidirectional.
· Define the rule protocols for the selected assets. When the assets selected
have no rule profiles associated with them, the Protocol page opens where you
manually create the rule profiles.
However, when one or both of the assets selected is associated with a rule
profile, a prompt appears. You can choose to use the existing profile to build
the firewall rules or create the firewall rules manually.
Figure 51: Either use assets profile or manual mode
· If prompted, select how you want to create the firewall rules and click
“Finish”. When you choose to manually create the rule profiles, you are
directed to the Protocol page.
When you choose to use the existing rule profiles, the Eaton Tofino
Configurator checks both of the assets for protocols listed in their rule
profiles. The automatic rule generator then creates one rule for every
protocol that the two assets have in common. The New Firewall Rule Wizard
closes and the rules created display in the table on the Firewall page. If the
assets have no protocols in common, no rules are generated. Similarly, if they
have protocols in common but are both clients or are both servers, no rules
are generated. In these cases, a message informs you of the situation and you
will need to define the protocols manually on the Protocol page.
Figure 52: Select protocol, specify permissions and enable logging
· To create rules manually on the Protocol page, expand the folders and select
the protocols you want to use for the asset rules. Use SHIFT+click to select a
range of protocols; use CTRL+click to select multiple protocols out of
sequence. A rule will be created for each protocol selected.
· Set the permission. This tells the firewall what to do with a packet that
matches the rule: allow it to pass (“Allow”) or stop it from passing (“Deny”).
The “Enforcer” option inspects and filters the traffic using Deep Packet
Inspection. This option is appropriate solely for the Enforcer protocols.
· To create a log each time the rule is triggered, select the “Enable Logging”
check box.
· Click “Finish”.
· Finish configuring the firewall details in the Rule Details section. Many
firewall rules allow you to adjust advanced settings, such as traffic rate
limiting. Additional settings for the selected rule are displayed in one or
more tabs below the rules table. The Details column in the rules table
displays a summary of these advanced settings. For more information on setting
these rule details, see “Firewall Rate Limiting” and the appropriate sections
on Enforcer rules: “Creating a Modbus TCP Enforcer Rule”, “Creating an OPC
Classic Enforcer Rule”, “Creating an IEC104 Enforcer Rule”, “Creating an
EtherNet/IP Enforcer Rule”, “Creating a DNP3 Enforcer Rule” and “Creating a
GOOSE Enforcer Rule”.
· Manually reorder the rules as necessary.
· Click the Save icon in the toolbar.
7.2 Suggesting Firewall Rules
The firewall rules determine what traffic is allowed to pass through the
Tofino SA once it is placed in OPERATIONAL mode. In TEST mode, the Tofino
allows all traffic to pass, but flags the traffic that a standard Firewall
rule or an Enforcer rule would block in OPERATIONAL mode, given the current
list of firewall rules. There are a few prerequisites to enable the Tofino to
gather the traffic information used to suggest rules:
· The Tofino must have the Firewall LSM and Event Logger enabled and active.
· The Tofino must be in TEST mode to gather the network traffic passing
through it.
· The Tofino must be allowed 10-15 minutes to gather information.
Use the steps below to generate suggested firewall rules.
· In the Project Explorer view, expand the Tofino SA and click “Firewall”.
· Click the “Suggest Firewall Rules” button on the toolbar. The “Suggested
Firewall Rules Wizard” opens.
· Select the suggested firewall rules to be added to the specific Tofino SA.
· Click the “Finish” button. The selected rule(s) display under the Firewall
“Rule Table”.
Figure 53: Firewall Rule Table for SA
Figure 54: Suggested Firewall Rule Page
When there is no traffic, no log files are created and the following error
message displays.
Figure 55: No Logs Found Error
7.2.1 Suggesting Enforcer Firewall Rules
Rule suggestion also supports Enforcer rules. The Enforcer log entries
retrieved from the TSA are parsed to suggest combined, non-duplicate Enforcer
rules. Main highlights:
· Currently, Enforcer rule suggestion is available for the EtherNet/IP and
MODBUS Enforcers only.
· The system suggests an EtherNet/IP Enforcer rule if the relevant log entry
is present in the TSA log file.
· The system aggregates multiple log entries for the same pair of assets and
protocol into one common rule.
· The system does not suggest a rule that already exists in the rule table.
· The system displays the suggested Enforcer rule in the wizard.
Use the steps below to generate suggested firewall rules.
· In the Project Explorer view, expand the Tofino SA and click “Firewall”.
· Click the “Suggest Firewall Rule” button on the toolbar. The “Suggested
Firewall Rule Wizard” opens.
Figure 56: Suggested Firewall Rule Wizard
· Select the suggested firewall rules to be added to the specific Tofino SA.
Here EtherNet/IP is highlighted.
Figure 57: Select EtherNet/IP rule to add in SA
· Likewise, you can also select MODBUS TCP/UDP. Here, MODBUS UDP is
highlighted:
Figure 58: Select MODBUS rule to add in SA
· Click the “Finish” button. The selected rule(s) display under the Firewall
“Rule Table”. Here EtherNet/IP is shown.
Figure 59: Rules are added in SA
Example – Suggesting Firewall Rules
The following example explains how to suggest a firewall rule. Follow these
steps:
· Create rules between two interfaces and apply the configurations.
Figure 60: Create a rule
· Send allowed and disallowed data packets between the interfaces. Sending
disallowed packets is required in the case of an Enforcer rule, because only
denied packets are logged in the heartbeat; allowed packets are not.
· Check that Enforcer-specific messages are seen in the Event Logger. Here is
what a USB log looks like:
· Now delete the configured rule from the Firewall details page of the TSA.
(This is important because rule suggestion filters out duplicate rules: a
rule that already exists in the rule list is not suggested again for that
TSA.)
Figure 61: Delete the rule
· Press the Suggest Firewall Rule button to open the firewall rule suggestion
wizard. This shows the rule corresponding to the log entries recorded in the
Event Logger. (Make sure that the TSA is in TEST mode.)
Figure 62: Rules suggested in wizard
7.3 Deep Packet Inspection Firewalls
A Deep Packet Inspection firewall digs deeper into the protocols to understand
exactly what the protocol is being used for. After the traditional firewall
rules have been applied, the Enforcer firewall inspects the content of the
contained messages and applies more detailed rules. It then makes a more
informed decision on what should be allowed and what should be blocked.
There are multiple Enforcers that you can activate and use; each one provides
Deep Packet Inspection for a different protocol.
The Modbus TCP Enforcer LSM provides security features for managing Modbus
TCP traffic. This LSM does the following:
· Checks to determine if each Modbus packet conforms to the protocol
specification and then allows or rejects this packet as appropriate.
· Allows you to specify what classes of Modbus traffic are permitted, such as
data read-only, data read-write, or programming messages.
· Allows you to define specific Modbus functions, as well as register or coil
locations, that should be allowed or denied by the Tofino SA.
· Monitors the state of Modbus TCP connections to determine that incoming
messages are expected and in sequence.
The OPC Classic Enforcer LSM provides security features for managing OPC
traffic. This LSM does the following:
· Inspects, tracks, and secures every connection that is created by an OPC
application.
· Dynamically opens only the TCP ports that are required for each connection
between the specific OPC client and server.
· Checks to determine if each packet is properly formed and follows the RPC
and OPC specifications.
· Checks to determine if OPC session connection requests are fragmented.
· Can be directed to block messages that are not properly formed or are
fragmented.
The IEC 104 Enforcer LSM enables DPI capabilities for IEC 104 traffic. This
LSM does the following:
· Allows the Master Station to request data from Substations using the
predefined commands, and the Substations to respond by transmitting the
requested data.
· Provides a Sanity Check feature that blocks and reports any traffic that
does not conform to the IEC 104 standard.
The EtherNet/IP Enforcer LSM provides security features for managing
EtherNet/IP and CIP traffic. This LSM does the following:
· Checks to determine if each packet conforms to the protocol specification
and then allows or rejects this packet accordingly.
· Allows you to specify what classes of EtherNet/IP traffic are permitted,
such as data read-only, data read-write, or programming messages.
· Allows you to specify CIP classes and services that should be allowed or
denied by the Tofino SA.
· Allows embedded PCCC.
The DNP3 Enforcer LSM enables DPI capabilities for DNP3 traffic. This LSM
does the following:
· Checks that range end (stop) index values are not less than the start
values; if they are, the Tofino SA drops the packet regardless of its data
content.
· Allows only correctly formatted DNP3 traffic.
· Validates DNP3 frames by checking the common header byte fields, packet
lengths, and DNP3 CRC values.
The GOOSE Enforcer LSM enables DPI capabilities for the GOOSE protocol. This
LSM does the following:
· Performs Deep Packet Inspection on every received GOOSE packet: a series of
checks on the packet content, guided by the GOOSE configuration.
· Supports DPI for GOOSE PDUs. The checks fall into two classes: standard
checks that are always performed, and configuration checks that are performed
according to the configuration.
· Performs the following checks on the GOOSE PDU; if either check fails, the
packet is dropped:
· The destination address of the packet must be a broadcast or multicast
address.
· The packet’s source MAC address is matched against the list of configured
connection filter policies, searching top-down until the first match is
found.
The Tofino SA model and the installed LSM licenses determine the Enforcers
available in the Eaton Tofino Configurator.
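The following Python sketch is an added example, not the Modbus TCP Enforcer LSM’s own code. It illustrates the three kinds of check listed above for the Modbus TCP Enforcer (and described again in 7.3.1): protocol conformance of the MBAP header and PDU, a permitted traffic class expressed as a set of function codes, and a permitted register range. The assignment of function codes to the “read-only” and “read-write” classes, the register range argument and the constructed request frames are assumptions made for the illustration; the per-request quantity limits come from the Modbus application protocol specification.

```python
import struct

# Function-code classes, modelled on the traffic classes an Enforcer rule can permit
# (assumed membership; vendor-specific and diagnostic codes are left out, i.e. treated
# as "programming" and never permitted here).
READ_ONLY = {1, 2, 3, 4, 7}                       # read coils/inputs/registers, exception status
READ_WRITE = READ_ONLY | {5, 6, 15, 16, 22, 23}   # plus writes, mask write, read/write multiple
CLASSES = {"read-only": READ_ONLY, "read-write": READ_WRITE}

# Maximum quantity per request, from the Modbus application protocol specification.
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125, 15: 1968, 16: 123}
SINGLE_WRITE = {5, 6}                              # address + value, quantity is implicitly 1


def parse_adu(frame):
    """Split a Modbus TCP ADU into MBAP fields and PDU; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:                   # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "uid": uid, "fc": frame[7], "data": frame[8:]}


def check_pdu(fc, data):
    """Conformance checks for address-range requests; returns (start, quantity) or None."""
    if fc in SINGLE_WRITE:
        if len(data) != 4:
            raise ValueError(f"FC {fc} needs exactly address and value")
        return struct.unpack(">H", data[:2])[0], 1
    if fc not in MAX_QUANTITY:
        return None                                # no address range to check
    if len(data) < 4:
        raise ValueError("request too short for start address and quantity")
    start, qty = struct.unpack(">HH", data[:4])
    if not 1 <= qty <= MAX_QUANTITY[fc]:
        raise ValueError(f"quantity {qty} out of range for FC {fc}")
    if start + qty > 0x10000:
        raise ValueError("address range wraps past 0xFFFF")
    if fc in (15, 16):
        expected = (qty + 7) // 8 if fc == 15 else 2 * qty
        if len(data) != 5 + expected or data[4] != expected:
            raise ValueError("byte count does not match quantity")
    elif len(data) != 4:
        raise ValueError(f"unexpected trailing bytes in FC {fc} request")
    return start, qty


def enforce(frame, traffic_class="read-only", register_range=None):
    """Verdict for one request in the spirit of an Enforcer rule: ('allow'|'deny', reason)."""
    try:
        adu = parse_adu(frame)
        span = check_pdu(adu["fc"], adu["data"])
    except ValueError as exc:
        return "deny", f"sanity check failed: {exc}"
    fc = adu["fc"]
    if fc not in CLASSES[traffic_class]:
        return "deny", f"FC {fc} not permitted by class {traffic_class!r}"
    if span and register_range:
        start, qty = span
        lo, hi = register_range
        if start < lo or start + qty - 1 > hi:
            return "deny", f"addresses {start}-{start + qty - 1} outside {lo}-{hi}"
    return "allow", f"FC {fc} permitted"


def build_request(tid, uid, fc, *words, payload=b""):
    """Constructed test traffic: MBAP header + function code + 16-bit words + raw payload."""
    pdu = bytes([fc]) + struct.pack(">" + "H" * len(words), *words) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


if __name__ == "__main__":
    read10 = build_request(1, 1, 3, 0, 10)                               # read 10 holding registers
    write2 = build_request(2, 1, 16, 100, 2, payload=bytes([4, 0, 1, 0, 2]))  # write 2 registers
    print(enforce(read10))                          # allow under read-only
    print(enforce(write2))                          # deny: FC 16 is not read-only
    print(enforce(write2, "read-write", (0, 50)))   # deny: registers 100-101 outside 0-50
    print(enforce(build_request(1, 1, 3, 0, 126)))  # deny: quantity above 125
```

The order of the checks mirrors the description above: a request that fails the conformance check is dropped before its function code or address range is even considered, so a malformed frame can never be allowed by a permissive class or range setting.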
7.3.1 Creating a Modbus TCP Enforcer Rule
The Modbus TCP Enforcer LSM is an advanced Deep Packet Inspection firewall for
the Modbus TCP protocol. It allows you to filter traffic based on specific
Modbus function codes, register ranges, and the validity of the Modbus
messages. The Modbus TCP Enforcer LSM is an optional loadable security module.
You can order it as a factory loaded option in specific models or you can
license it in the field.
NOTE
To create and apply a Modbus TCP Enforcer rule, the Modbus TCP Enforcer LSM
needs to be licensed for activation in your Tofino SA. Without a
license for the LSM, you can create trial Enforcer rules in the Eaton Tofino
Configurator; however, you will be unable to load them into the Tofino SA.
· Open the General settings page for the Tofino SA you are configuring. Check
that the “Firewall LSM” and “Modbus TCP Enforcer LSM” options are selected in
the Loadable Security Modules list.
· Open the Firewall settings page and click “Create Rule”.
· Work through the New Firewall Rule Wizard to define a firewall rule with the
following settings:
· On the Rule Type page, select “Standard rule”. Click “Next”.
· On the Assets page, create a firewall rule between two assets. Set the
direction so that it is FROM the Modbus Master TO the Modbus Slave. The
Bidirectional option is not an appropriate selection for the Modbus TCP
Enforcer LSM. Click “Next”.
· On the Protocol page, expand the “Common Industrial” folder and select either
“Modbus TCP” or “Modbus UDP”. In the Permission section, select “Enforcer”.
NOTE
If you select “Allow” or “Deny” as the permission setting, the Tofino SA will
allow or block the Modbus TCP traffic between the two assets
accordingly without reference to the Modbus TCP Enforcer.
· Click “Finish”. The Eaton Tofino Configurator creates the Enforcer firewall
rule and adds it to the table. Configure the firewall settings in the Rule
Details section on the next page.
Figure 63: Modbus firewall rule table
Select the “General” tab. Set rate and burst limits as required.
Select the “Enforcer” tab and configure the rule as follows.
Select the appropriate function code. The options are:
· Read-Only: Function codes that are data read commands are permitted.
· Read/Write: Function codes that are data read or data write commands are
permitted.
· Programming/OFS: Function codes that are either data read/write or
programming commands are permitted.
· Any: All Modbus function codes are permitted.
· Advanced: Opens a new window where you select from a list of available
function codes. Select a function code and then add the register or coil
ranges that you wish to allow for the rule, as appropriate. You can add a
comment for each code and reorder the codes. Add as many function codes as
needed to one rule, but select a single instance of each function code per
rule. Click the Add Function Code Rule button (+) to display the available
codes. Use the Move Up and Move Down icons to reorder the codes. Click “OK”
when you are done.
Figure 64: Advanced mode of function codes
You can use the Tofino SA in test mode to determine if the selected function
code is suitable for your application.
· Specify the “Unit ID: “. Modbus master devices use the unit identifier to
communicate through devices such as Modbus bridges and gateways. It allows
these devices to use a single IP address to support multiple independent
Modbus end units. If you want the Unit ID to be inspected, enter one or more
comma separated values in this field. If you do not require restrictions on
the Unit ID, leave this field blank.
· To have the Tofino SA check that the messages for well-known Modbus commands
(1-6, 15, 16, 20-24) are properly formed and follow the Modbus specification,
select “Sanity Check: ”. If a message does not follow the specification, the
Tofino SA will block it. For example, if a Modbus Write Multiple Registers
command (Function Code 16) has a value in its length field that is either
illegal or does not match the amount of data being sent, then the message
would be dropped. This option may have to be disabled for Modbus devices that
do not conform to the Modbus/TCP 1.1b specification. The Tofino SA performs a
sanity check on the Modbus MBAP header whether or not this option is selected.
· To have the Tofino SA block and report any Modbus command or response that
is out of sequence for the current state of the connection, select “State
Check: “. Examples of `out-of-state’ traffic include a command sent by the
slave device to the master or a response sent by the master device to the
slave.
CAUTION !
LOSS OF COMMUNICATION OR PROCESS VIEW
Select the Modbus Exception option only when you are using the product in a
test environment.
Failure to follow these instructions can result in injury or equipment damage.
· To have the Tofino SA send a Modbus TCP exception response, if appropriate,
to the Modbus device that generated a blocked message, select “Exception: ”.
Setting this option may make some Windows-based client applications
unresponsive. This can happen when the operating system incorrectly processes
TCP reset packets (sent when the firewall blocks traffic) if those packets
also contain additional information. When this occurs, the TCP/IP session
remains open, leaving the client in a wait state.
· To have the Tofino SA send a TCP reset message to both Modbus devices when
it blocks a message, select “Reset: ”. This can keep a session from locking up.
· Click the Save icon in the toolbar.
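The checks the Modbus TCP Enforcer options describe (MBAP header sanity, Unit ID restriction, function code class, and the Sanity Check on well-known commands such as Function Code 16) are illustrated in the following added example. It is not Tofino code; the frames are constructed, and the function codes grouped under each class are an illustrative assumption.

```python
"""Modbus/TCP request filtering modelled on the Enforcer options above.
Added example, not Tofino code.  Frames are constructed; FC_CLASSES is an
illustrative assumption about which codes each class covers."""
import struct

# Illustrative assumption: which function codes the configurator's classes cover.
FC_CLASSES = {
    "Read-Only": {1, 2, 3, 4, 7, 20},
    "Read/Write": {1, 2, 3, 4, 5, 6, 7, 15, 16, 20, 21, 22, 23, 24},
}
# Well-known commands the "Sanity Check" option inspects (1-6, 15, 16, 20-24).
WELL_KNOWN = {1, 2, 3, 4, 5, 6, 15, 16, 20, 21, 22, 23, 24}


def build_request(unit, fc, body, tid=1):
    """Assemble a Modbus/TCP frame: MBAP (tid, protocol 0, length, unit) + PDU."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_mbap(frame):
    """Validate the MBAP header (always checked by the appliance); return (unit, pdu)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    # Length counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6 or length > 254:
        raise ValueError("MBAP length field does not match frame")
    return unit, frame[7:]


def pdu_well_formed(pdu):
    """Sanity check: does a well-known request PDU match its defined layout?"""
    fc = pdu[0]
    if fc in (1, 2, 3, 4, 5, 6):          # fixed 4-byte body after the code
        return len(pdu) == 5
    if fc in (15, 16):                    # Write Multiple Coils / Registers
        if len(pdu) < 6:
            return False
        quantity, byte_count = struct.unpack(">HB", pdu[3:6])
        expected = (quantity + 7) // 8 if fc == 15 else 2 * quantity
        limit = 1968 if fc == 15 else 123
        return (1 <= quantity <= limit and byte_count == expected
                and len(pdu) == 6 + byte_count)
    return True   # other well-known codes: layout not modelled here


def check_request(frame, fc_class="Read-Only", unit_ids=(), sanity=True):
    """Return ("ALLOW" | "DROP", reason) for one master-to-slave request."""
    try:
        unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        return "DROP", "MBAP: " + str(exc)
    if unit_ids and unit not in unit_ids:        # empty list means "any", as in the UI
        return "DROP", "unit id %d not permitted" % unit
    fc = pdu[0]
    if fc not in FC_CLASSES[fc_class]:
        return "DROP", "function code %d not in %s class" % (fc, fc_class)
    if sanity and fc in WELL_KNOWN and not pdu_well_formed(pdu):
        return "DROP", "function code %d message malformed" % fc
    return "ALLOW", "function code %d, unit %d" % (fc, unit)


# Constructed sample frames (unit 1).
READ_HR = build_request(1, 3, bytes([0, 0, 0, 10]))                    # read 10 registers
WRITE_OK = build_request(1, 16, bytes([0, 0, 0, 2, 4, 0, 1, 0, 2]))    # 2 regs, 4 data bytes
WRITE_BAD = build_request(1, 16, bytes([0, 0, 0, 2, 6, 0, 1, 0, 2]))   # byte count 6 != 2*2
```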
7.3.2 Creating an OPC Classic Enforcer Rule
The Tofino OPC Classic Enforcer Loadable Security Module (LSM) inspects,
tracks and helps to secure every connection that is created by an OPC
application. It dynamically opens the TCP ports that are required for each
connection, and between the specific OPC client and server that created the
connection. No configuration changes are required on the OPC clients and
servers, and it is more secure than conventional firewall or tunneler
solutions.
NOTE To create and apply an OPC Classic Enforcer rule, the OPC Classic
Enforcer LSM needs to be licensed for activation in your Tofino SA. Without a
license for the LSM, you can create trial Enforcer rules in the Eaton Tofino
Configurator; however, you will be unable to load them into the Tofino SA.
NOTE If you have a pre-existing OPC connection, you need to re-establish it
when switching Tofino from TEST to OPERATIONAL mode.
· Open the General settings page for the Tofino SA you are configuring. Check
that the “Firewall LSM” and “OPC Classic Enforcer LSM” options are selected
in the Loadable Security Modules list.
· Open the Firewall settings page and click “Create Rule”.
· Work through the New Firewall Rule Wizard to define a firewall rule with the
following settings:
· On the Rule Type page, select “Standard rule”. Click “Next”.
· On the Assets page, create a firewall rule between two assets. Set the
direction to Bidirectional to allow OPC callbacks from servers. Click “Next”.
· On the Protocol page, expand the “Common Industrial” folder and select
“OPC Classic”. In the Permission section, select “Enforcer”.
NOTE If you select “Allow” or “Deny” as the permission setting, the Tofino SA
will allow or block the OPC traffic between the two assets accordingly
without reference to the OPC Enforcer.
· Click “Finish”. The Eaton Tofino Configurator creates the Enforcer firewall
rule and adds it to the table. Configure the firewall settings in the Rule
Details section at the bottom of the page.
Figure 65: OPC Classic enforcer rule table
· Select the “General” tab. Set rate and burst limits as required.
· Select the “Enforcer” tab and configure the rule as follows.
· To have the Tofino SA check that the connection establishment messages are
properly formed and follow the RPC specification, select “Sanity Check: ”.
· To have the Tofino SA check to see if the connection establishment messages
have been fragmented, select “Fragment Check: ”.
· Set the “Connection Timeout: ” in seconds. This is the amount of time the
Tofino SA will wait for an OPC connection after a port has been requested.
· To have the Tofino SA wait indefinitely, select the “Never Timeout” check
box. Rather than performing a DCOM object request each time they connect to an
object, some OPC clients perform the object request solely on the first
connection. They then re-use the same TCP port number without performing a new
object request on subsequent connections to that OPC data object. Use the
“Never Timeout” option so that the firewall doesn’t drop subsequent
connections.
· Click the Save icon in the toolbar.
7.3.3 Creating IEC104 Enforcer Firewall Rule
The Tofino Security Appliance (Tofino SA) implements an IEC104 Loadable
Security Module (LSM) which enables Deep Packet Inspection (DPI) firewall
capabilities for IEC104 traffic. IEC104 traffic is allowed to flow between
master station (client) / substation (server) device pairs, and only correctly
formatted IEC104 packets are allowed. The Tofino Configurator provides the user
with the capability to specify various IEC104 application layer parameter
options and formatting. Two assets are created – M104 for the master station
and S104 for the substation. Use the steps below to add an IEC104 Enforcer
firewall rule.
· Click the “Firewall” icon to open the Firewall screen and to create a
firewall rule.
· Click the “Create Rule” button to open the New Firewall Rule Wizard.
· Select the type of rule and click the “Next” button to open the Assets panel.
· Click “+” to the left of Common Industrial in the “Protocol” pop-up and
select “IEC104/TCP” (the icon with the orange circular badge).
· Select “Enforcer” in the Permission panel on the right side of the
“Protocol” pop-up.
· Click the “Finish” button to complete the IEC104 rule configuration. The
Tofino Configurator shows the firewall rule table with the newly configured
IEC104 Enforcer rule highlighted.
· Click the “Enforcer” tab in the “Rule Details” panel to view the detailed
configuration.
Figure 66: IEC104 enforcer rule table
The table below describes the parameter options of the IEC104 Enforcer screen.
Parameter / Description
1 Type ID: Defines the allowed type IDs of incoming IEC104 packets. Only
packets with type IDs selected in TC will be allowed. TC offers different
options to group type IDs for ease of selection. Refer to Table 2 for details.
2 Originator Address: Identifies the devices from which packets originated.
Only packets with the specified originator addresses will be allowed. If this
field is empty, then any originator address is allowed. Valid values are a
comma separated integer list from 0-255.
3 Common Address: Identifies the devices to which a packet is destined. Only
packets with the specified common address will be allowed. If this field is
empty, then any common address is allowed. Valid values are a comma separated
integer list from 0-255 when the common address size is 1 byte, or from
0-65635 when the common address size is 2 bytes.
4 Sanity Check: When checked, this Boolean flag enables the enforcer to
perform sanity checks on packets. These sanity checks ensure packets adhere to
the protocol specification.
5 Reset: When checked, this Boolean flag tells the enforcer to send TCP reset
messages to both parties of the connection when DPI on an IEC104 packet fails.
6 Debug: When checked, this Boolean flag turns on debugging of the enforcer.
7 Cause of Transmission (COT) Size: The three size parameters (7, 8 and 9)
define the size of the respective fields of packets. The enforcer performs DPI
based on these settings. The default value of COT size is 2. When 1 is
selected, the originator address field is grayed out, meaning there is no
originator address in the packets. Valid values are 1 or 2, where the latter
is the most commonly used.
8 Common Address Size: Valid values are 1 or 2, where the latter is the most
commonly used.
9 IO Address Size: Valid values are 1, 2 or 3, where the last one is the most
commonly used.
Table 1: IEC104 Parameter Setting
The table below provides information about the Type ID options.
IEC Type ID Option / Description
1 Read Only: 1, 3, 5, 7, 9, 11, 13, 15, 20, 21, 30-40, 100-102, 107.
2 Read / Write: 1, 3, 5, 7, 9, 11, 13, 15, 20, 21, 30-40, 45-51, 58-64, 70,
100-102, 107.
3 Common: 1, 3, 5, 7, 9, 11, 13, 15, 20, 21, 30-40, 45-51, 58-64, 70, 100-103,
105, 107, 110-113, 120-127.
4 Any: When selected, the user can use any type IDs from the drop-down list.
5 Advanced: When selected, the user can use any type IDs from the drop-down
list, plus select one of the above three options.
6, 7 Allowed IEC_60870_5_101: 2, 4, 6, 8, 10, 12, 14, 16-19, 104, 106. The
type IDs in this list are those defined in the IEC101 specification, which may
or may not be used by newer devices. This option can be checked along with one
of the above five options. The effect is to merge the two options.
Example 1: If Read Only and Allowed IEC_60870_5_101 are selected, then the
final list of type IDs will be: 1, 3, 5, 7, 9, 11, 13, 15, 20, 21, 30-40,
100-102, 107, 2, 4, 6, 8, 10, 12, 14, 16-19, 104, 106.
Example 2: Selecting Common with IEC_60870_5_101 checked will have all type
IDs defined.
Table 2: Type ID Options
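The following added example (not Tofino code) shows how the Table 1 filters (Type ID, Originator Address, Common Address, and the three size parameters) and the Table 2 type ID option merging of Examples 1 and 2 apply to one IEC104 I-frame. The APDU is constructed; addresses are little-endian as in IEC 60870-5-104.

```python
"""IEC 60870-5-104 Enforcer parameter checks from Tables 1 and 2.
Added example, not Tofino code.  SAMPLE_APDU is a constructed I-frame."""

# Type ID lists exactly as given in Table 2 (range strings).
TYPE_ID_OPTIONS = {
    "Read Only": "1, 3, 5, 7, 9, 11, 13, 15, 20, 21, 30-40, 100-102, 107",
    "Read / Write": "1, 3, 5, 7, 9, 11, 13, 15, 20, 21, 30-40, 45-51, 58-64, 70, "
                    "100-102, 107",
    "Common": "1, 3, 5, 7, 9, 11, 13, 15, 20, 21, 30-40, 45-51, 58-64, 70, "
              "100-103, 105, 107, 110-113, 120-127",
}
IEC101_TYPE_IDS = "2, 4, 6, 8, 10, 12, 14, 16-19, 104, 106"


def expand_ids(spec):
    """Expand a list such as '1, 3, 30-40' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def allowed_type_ids(option, allow_iec101=False):
    """Type IDs for one Table 2 option, merged with the IEC101 list if checked."""
    ids = expand_ids(TYPE_ID_OPTIONS[option])
    if allow_iec101:
        ids |= expand_ids(IEC101_TYPE_IDS)
    return ids


def parse_asdu_header(apdu, cot_size=2, ca_size=2, ioa_size=3):
    """Return (type_id, originator, common_address, first_ioa) of an I-frame.

    The size arguments are Table 1 parameters 7, 8 and 9.  With cot_size 1
    there is no originator address byte, so None is returned for it."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("bad APCI start byte or length")
    if apdu[2] & 0x01:
        raise ValueError("not an I-format frame, no ASDU to inspect")
    body = apdu[6:]
    if len(body) < 2 + cot_size + ca_size + ioa_size:
        raise ValueError("ASDU shorter than the configured header sizes")
    type_id = body[0]
    originator = body[3] if cot_size == 2 else None
    pos = 2 + cot_size
    common_address = int.from_bytes(body[pos:pos + ca_size], "little")
    pos += ca_size
    ioa = int.from_bytes(body[pos:pos + ioa_size], "little")
    return type_id, originator, common_address, ioa


def check_apdu(apdu, type_ids, originators=(), common_addrs=(), **sizes):
    """Apply the Table 1 filters; an empty address list means 'any'."""
    try:
        type_id, orig, ca, _ = parse_asdu_header(apdu, **sizes)
    except ValueError as exc:
        return "DROP", "sanity: " + str(exc)
    if type_id not in type_ids:
        return "DROP", "type id %d not allowed" % type_id
    if originators and orig not in originators:
        return "DROP", "originator %s not allowed" % orig
    if common_addrs and ca not in common_addrs:
        return "DROP", "common address %d not allowed" % ca
    return "ALLOW", "type %d, originator %s, common address %d" % (type_id, orig, ca)


# Constructed I-frame: M_SP_NA_1 (type 1), one object, COT 3 (spontaneous),
# originator 10, common address 1, IOA 256, one SIQ byte.
SAMPLE_APDU = bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00,
                     0x01, 0x01, 0x03, 0x0A,
                     0x01, 0x00,
                     0x00, 0x01, 0x00, 0x01])
```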
7.3.4 Creating an EtherNet/IP Enforcer Rule
The EtherNet/IP Enforcer LSM is an advanced Deep Packet Inspection firewall
for the EtherNet/IP protocol. It is specifically designed to increase the
level of security on CIP explicit messaging network traffic. It allows you to
filter traffic based on specific CIP objects or services and the validity of
the EtherNet/IP messages. The EtherNet/IP Enforcer can also be configured to
inspect PCCC messages that are encapsulated within CIP objects. This is useful
when securing communications to PLC-5 or MicroLogix controllers. To perform
EtherNet/IP Deep Packet Inspection on CIP and PCCC messages, select the
Enforcer option on the applicable firewall rules.
NOTE To create and apply an EtherNet/IP Enforcer rule, the EtherNet/IP
Enforcer LSM needs to be licensed for activation in your Tofino SA. Without a
license for the LSM, you can create trial Enforcer rules in the Eaton Tofino
Configurator; however, you will be unable to load them into the Tofino SA.
Some control products, such as older Rockwell PLCs, may be configured to use
protocols like CSPv4 (rather than EtherNet/IP) for Ethernet-based
communications. You can enable these messages to pass through the firewall
without Deep Packet Inspection. The EtherNet/IP Enforcer helps secure CIP
Class 3 explicit messages. Enforcer firewall rules do not process CIP implicit
messages such as I/O communications. If you are setting up a firewall that
filters implicit messages, you can either pass this type of traffic through
the firewall according to stateful layer 3 and 4 filters or block it.
CAUTION !
LOSS OF COMMUNICATION OR PROCESS VIEW
· To create firewall rules to manage implicit messages, select EtherNet/IP
(CIP) Implicit Msg.
· To allow PCCC traffic embedded in CIP EtherNet/IP to pass through the
firewall, select the EtherNet/IP (CIP) Explicit Msg protocol on the applicable
firewall rules and then select the Allow Embedded PCCC option on the Enforcer
tab.
· To allow PCCC traffic embedded in the CSPv4 protocol to pass through
the firewall, select the Rockwell CSP protocol on the applicable firewall
rules.
· Before deploying the firewall, test your settings by sending both implicit
and explicit messages, and verify that your configuration is correct.
Failure to follow these instructions can result in injury or equipment damage.
Open the General settings page for the Tofino SA you are configuring. Check
that the “Firewall LSM” and “EtherNet/IP Enforcer LSM” options are selected
in the Loadable Security Modules list. Open the Firewall settings page and
click “Create Rule”. Work through the New Firewall Rule Wizard to define a
firewall rule with the following settings:
· On the Rule Type page, select “Standard rule”. Click “Next”.
· On the Assets page, create a firewall rule between two assets. Set the
direction so that it is FROM the EtherNet/IP Client TO the EtherNet/IP Server.
The Bidirectional option is not an appropriate selection for the EtherNet/IP
Enforcer LSM. Click “Next”.
· On the Protocol page, expand the “Common Industrial” folder and select
“EtherNet/IP (CIP) Explicit Msg”. In the Permission section, select
“Enforcer”.
NOTE
If you select “Allow” or “Deny”, the Tofino SA allows to pass (“Allow”) or
stops from passing (“Deny”) the EtherNet/IP traffic between the two assets
accordingly without reference to the EtherNet/IP Enforcer. The “Enforcer”
option inspects and filters the traffic using Deep Packet Inspection.
· To create a log each time the rule is triggered, select the “Enable Logging”
check box.
· Click “Finish”. The Eaton Tofino Configurator creates the Enforcer firewall
rule and adds it to the table. Configure the firewall settings in the
following Rule Details section.
Select the “General” tab. Set rate and burst limits as required.
Select the “Enforcer” tab and configure the rule as follows.
Select the appropriate option for CIP Services. The options are:
· Read-Only Data: CIP services that are data read commands are permitted.
· Read/Write Data: CIP services that are data read or data write commands are
permitted.
· Any: All CIP services are permitted.
· Advanced: Opens a new window where you add CIP objects and services. Select
the Add CIP Filter button (+) to open the Add CIP Object window. From the
drop-down list, select a CIP object and then select the CIP services codes
that you want to allow. Add a comment, if desired. You can add as many CIP
objects as needed to one firewall rule. To include specific types of CIP
Services, select “Also Include CIP Services” and then select the appropriate
option: “Read-Only Data” or “Read/Write Data”. Click “OK”.
· Allow Embedded PCCC: To have the Tofino SA inspect PCCC messages that are
embedded within EtherNet/IP, select “Allow Embedded PCCC”. This is useful when
securing network traffic to PLC-5 and MicroLogix controllers.
NOTE
You can use the Tofino SA in test mode to determine if an option is suitable
for your application.
CAUTION !
LOSS OF COMMUNICATION OR PROCESS VIEW
Select the EtherNet/IP Debug option only when you are using the product in a
test environment.
Failure to follow these instructions can result in injury or equipment damage.
· To have the Tofino SA validate that the EtherNet/IP command layer adheres to
the ODVA specification, select “Sanity Check: ”. Validation includes length
checking, proper protocol version, option field values, and correct IP address
usage. If the “Allow Embedded PCCC” option has been selected, the PCCC
messages will also be inspected to determine if they adhere to the PCCC
protocol definitions.
· To have the Tofino SA send a TCP reset packet to both EtherNet/IP devices
when it blocks a message, select “Reset: “. This can keep a session from
locking up on certain EtherNet/IP products.
· To have the Tofino SA include an ASCII text string as a payload in a TCP
reset packet, select “Debug: “. The string will explain the reason why the
message was dropped by the Tofino SA. To view the text, capture network
traffic with a tool such as Wireshark. Use this option solely during testing.
Clear this check box during regular operations as it may expose security
details to potential attackers.
· Click the Save icon in the toolbar.
7.3.4.1 EtherNet/IP Wild Card Feature
You can allow or disallow any CIP services for all class objects by using the
wild card (asterisk *) option. The wild card works with all the service
options, such as “Read-Only Data”, or with separate combinations of multiple
class objects and services.
Service codes entered under the wild card are applied to all class objects.
This is intended to reduce manual effort.
Figure 67: EtherNet/IP wild card feature
NOTE If you select a class object with the same service code that is present
as a wild card, the system gives priority to the wild card and considers it
for all class objects.
7.3.5 Creating a DNP3 Enforcer Rule
The Tofino Security Appliance (Tofino SA) implements a DNP3 Loadable Security
Module (LSM) which enables Deep Packet Inspection (DPI) firewall capabilities
for DNP3 traffic. DNP3 traffic is allowed to flow between master/slave device
pairs, and only correctly formatted DNP3 traffic is allowed. This includes
checking the common header byte fields, packet lengths, and DNP3 CRC values.
For each master/slave device pair, there is a provision to specify which DNP3
application layer message types or function codes will be allowed for request
and response traffic. DNP3 Enforcer rules are unidirectional, mapping from the
client/master to the server/slave device. Use the steps below to add a DNP3
Enforcer firewall rule.
· In the Project Explorer view, expand the Tofino SA and click “Firewall”.
· Right-click the empty line below the ARP rule and select “Create Rule”. The
“New Firewall Rule Wizard” opens.
· Click the “Next” button to open the Assets panel.
· Select the assets involved in the firewall rule and click the “Next” button.
· Click “+” to the left of Common Industrial in the “Protocol” pop-up and
select “DNP3” (the icon with the orange circular badge).
Figure 68: Select DNP3 protocol
· Select “Enforcer” in the Permission panel on the right side of the
“Protocol” pop up.
· Click the “Finish” button to complete the rule configuration. The Tofino
Configurator shows the firewall rule table with the newly configured DNP3
Enforcer rule highlighted.
Figure 69: DNP3 Enforcer rule is selected
· Click the “Enforcer” tab in the “Rule Details” panel to view the detailed
configuration.
Meaning of DNP3 Enforcer Check Boxes:
· Sanity Check – Enables sanity checking and validation of DNP3 packets. This
can be disabled if one of the sanity checks is causing a problem for valid
network traffic.
· Reset TCP – Enables the generation of a TCP reset packet on both Tofino
ports when a DNP3 packet is dropped by the Enforcer.
· Reset TCP Debug – Enables the generation of a debug message when a TCP reset
is sent by the Enforcer.
· Check CRC – Enables the computation and verification of CRCs in both DNP3
Data Link Layer Headers and Application Layer messages. The overhead of
computing and checking the CRCs is not as large as might be expected. Even for
heavily loaded systems, toggling this flag may not result in a detectable
change in performance.
· Check Outstation Traffic – Enables the checking of packets originating at an
outstation. Packets originating at a master are always checked when the
Enforcer is active.
NOTE If this flag is not enabled, packets originating at an outstation will
not trigger any of the sanity checks mentioned in these requirements.
NOTE For more information on DNP3 objects, read the chapter “Advanced Topic:
DNP3 Objects”.
NOTE Below “Select DNP3 Application Layer Query/Response Function Codes”
link, you can view selected DNP3 function codes in the quick view box. This
box is not editable.
Figure 70: DNP3 quick view box
7.3.6 Creating a GOOSE Enforcer Rule
The Tofino Security Appliance (Tofino SA) implements a GOOSE (Generic Object
Oriented Substation Event) Loadable Security Module (LSM) which enables Deep
Packet Inspection (DPI) firewall capabilities for GOOSE traffic. GOOSE is one
of the mapped standards of the IEC 61850 protocol and is engineered so that
Intelligent Electronic Devices in electrical substation automation systems can
communicate with each other. Use the steps below to add a GOOSE PDU Enforcer
firewall rule.
· In the Project Explorer view, expand the Tofino SA and click “Firewall”.
· Right-click the empty line below the ARP rule and select “Create Rule”. The
“New Firewall Rule Wizard” opens.
· Click the “Next” button to open the Assets panel.
· Select the assets involved in the firewall rule and click the “Next” button.
· Click “+” to the left of Common Industrial in the “Protocol” pop-up and
select “GOOSE PDU”.
Figure 71: Select GOOSE PDU protocol
· Select “Enforcer” (the icon with orange circular badge) in the Permission
panel on the right side of the “Protocol” pop up.
· Click the “Finish” button to complete the rule configuration. The Tofino
Configurator shows the firewall rule table with the newly configured GOOSE PDU
Enforcer rule highlighted.
Figure 72: GOOSE PDU Enforcer is selected
· Click the “Enforcer” tab in the “Rule Details” panel to view the detailed
configuration.
Details of GOOSE PDU Enforcer check boxes:
· Sanity Check: The enforcer performs a sanity check on PDU data length and
field values.
· Remote: Both types of packet carry a “src_location” parameter indicating
whether the packet source is remote (IED) or local (protected IED). If this
flag is checked, the system checks that the packet source is remote;
otherwise it treats the packet as local.
· St (state) and Sq (sequence) Check: The enforcer performs a sequencing check
on incoming PDU packets if the flag is set to true. The enforcer performs the
following checks on packets with the same application ID:
· If an incoming packet has a smaller st number than the previous packet’s,
then the packet is regarded as an old packet and marked as DROPPED.
· If an incoming packet has an st number more than one greater than the
previous packet’s, then the packet is considered too new and an ALERT syslog
message is generated.
· If an incoming packet has the same st number as the previous packet’s, but a
smaller sq number than the last packet’s, then the packet is regarded as an
old packet and marked as DROPPED.
· If an incoming packet has the same st number as the previous packet’s, but
an sq number more than one greater than the last packet’s, then the packet is
regarded as too new and an ALERT syslog message is generated.
· If an incoming packet has a time stamp older than the previous packet’s,
then the packet is regarded as an old packet and marked as DROPPED.
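The St and Sq check above is a small per-application-ID state machine. The following added example (not Tofino code) implements exactly those five rules over constructed PDUs; a verdict of ALERT means the packet is passed but a syslog alert is raised, and only accepted packets update the stored state.

```python
"""GOOSE stNum/sqNum/timestamp sequencing check as described for the
"St (state) and Sq (sequence) Check" option.  Added example, not Tofino
code; the PDUs are constructed records rather than parsed frames."""
from dataclasses import dataclass


@dataclass
class GoosePdu:
    app_id: int
    st_num: int
    sq_num: int
    timestamp: float   # seconds, as carried in the PDU's "t" field


class GooseSequenceChecker:
    """Tracks the last accepted PDU per application ID and classifies new ones."""

    def __init__(self):
        self._last = {}   # app_id -> last accepted GoosePdu

    def check(self, pdu):
        """Return (verdict, reason); verdict is PASS, ALERT or DROP."""
        prev = self._last.get(pdu.app_id)
        if prev is None:
            self._last[pdu.app_id] = pdu
            return "PASS", "first PDU seen for application id"
        # Rule 1: older state number -> old packet, dropped.
        if pdu.st_num < prev.st_num:
            return "DROP", "stNum older than previous"
        verdict = ("PASS", "in sequence")
        if pdu.st_num > prev.st_num + 1:
            # Rule 2: state jumped by more than one -> too new, alert only.
            verdict = ("ALERT", "stNum more than one greater than previous")
        elif pdu.st_num == prev.st_num:
            # Rules 3 and 4: same state, compare the retransmission counter.
            if pdu.sq_num < prev.sq_num:
                return "DROP", "sqNum older than previous within same stNum"
            if pdu.sq_num > prev.sq_num + 1:
                verdict = ("ALERT", "sqNum more than one greater than previous")
        # Rule 5: a timestamp older than the previous packet's -> dropped.
        if pdu.timestamp < prev.timestamp:
            return "DROP", "timestamp older than previous"
        self._last[pdu.app_id] = pdu
        return verdict


def run_sample():
    """Feed a constructed sequence through the checker; returns the verdicts."""
    checker = GooseSequenceChecker()
    sequence = [
        GoosePdu(1, 5, 0, 100.0),   # first packet for app id 1
        GoosePdu(1, 5, 1, 100.0),   # retransmission of the same state
        GoosePdu(1, 5, 0, 100.0),   # replayed older sqNum
        GoosePdu(1, 6, 0, 101.0),   # new state
        GoosePdu(1, 4, 0, 102.0),   # replayed older stNum
        GoosePdu(1, 8, 0, 103.0),   # state jumped from 6 to 8
        GoosePdu(1, 8, 3, 103.0),   # sqNum jumped from 0 to 3
        GoosePdu(1, 9, 0, 50.0),    # next state but timestamp went backwards
        GoosePdu(2, 1, 0, 1.0),     # a different application id starts fresh
    ]
    return [checker.check(pdu)[0] for pdu in sequence]
```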
7.4 Editing Firewall Rules
The Rule Table on the Firewall page displays the firewall rules created for
the selected Tofino SA. You can make changes directly on this page: in the
table and in the Rule Details section. You can also change the order in which
the rules are evaluated.
· In the Project Explorer view, expand the Tofino SA you want to work with and
click “Firewall”. The Firewall page displays the rules created for this
Tofino SA.
Figure 73: Firewall rule table
· The check box in this column indicates if the rule is active (selected).
When the check box is not selected, the rule will not be loaded into the
firewall. This allows you to create rules in advance to activate later. It
also allows you to quickly deactivate rules for testing without having to
delete them.
· Asset (first of two): An asset or address that the rule applies to. Certain
protocols require a specific address type or a predefined address.
· Interface: The Tofino SA interface where the first asset or address is
found.
· Direction: The direction a session is initiated. There are three possible
options: right, left, and bidirectional.
· Asset (second of two): An asset or address that the rule applies to. Certain
protocols require a specific address type or a predefined address.
· Interface: The Tofino SA interface where the second asset or address is
found.
· Protocol: The protocol defined when the firewall rule was created. The
Protocols folder contains a list of available protocols.
· Permission: What the firewall does with a packet based on the defined rules.
There are three options:
· Allow: The Tofino SA will allow traffic matching the rule to pass.
· Deny: The Tofino SA will stop traffic matching the rule from passing.
· Enforcer: The Tofino SA will further inspect and filter the traffic using
Deep Packet Inspection. This option is available for protocols that have
Enforcer LSMs installed.
· Type: The type selected when the firewall was created: Standard or Special.
· Standard: These rules are designed to allow or deny specific protocols
passing through the firewall. They allow the user to set the source,
destination, direction, and permission for traffic of a particular protocol
type.
· Special: These rules are highly complex and go beyond allowing and denying
traffic. For example, a Special Rule could be used to block a subset of a
particular type of traffic. The available Special Rules can be viewed in the
Special Rules folder.
· Log: A check box indicating if logging is enabled for the rule.
NOTE
By default, the Tofino SA will log denied packets that do not match any of the
rules in the firewall table. Similarly, if you enable logging on a rule (the
permission may be Allow or Deny), packets matching the rule will be logged.
Conversely, if logging is disabled on a rule, no log events will be created
for packets matching this rule.
A common use for this option is to help stop nuisance alarms from blocking
broadcast traffic.
· Details: A short form summary of special firewall rule details. The
information in this column comes from the Rule Details section.
· Description: A text field where the controls engineer can add a comment
about the rule.
· Click the cell you want to edit and make the necessary change in the table.
Depending on the cell selected, you will be able to do the following:
· Change the state of a check box
· Select an entry in a list
· Open a dialog box and select from a list of appropriate values
· Enter text
Figure 74: Select the rule to be edited
· On the General and Enforcer tabs in the Rule Details section, update the
settings as necessary for the currently selected rule in the table.
· Reorder the rules as necessary. Packets will be inspected sequentially
beginning at the top of the table. Select a rule and position it by clicking ”
Move Up” and ” Move Down” in the toolbar.
· Check the title bar above the rule table for messages. You will be prompted
if a rule is incorrect or if an additional rule is required.
· Click the Save icon in the toolbar.
7.5 How Automatic Rule Generation Works
The Eaton Tofino Configurator offers the ability to automatically generate
rules based on the rule profiles associated with a given asset. For example,
if a workstation uses the protocol HTTP as a client (i.e., it initiates the
communications to an HTTP server), the New Firewall Rule Wizard can use this
information to automatically create HTTP rules for the asset to allow it to
talk to the server.
When the option to automatically generate rules is selected, the Eaton Tofino
Configurator will perform a series of checks based on the rule profiles of the
assets selected earlier in the wizard:
· If one of the assets has rule profiles and the other has no rule profiles,
then the rule profiles from the asset with rule profiles will be used to
create rules.
· If both of the assets have rule profiles, the automatic rule generator will
create one rule for every protocol the assets have in common. If the assets
have no protocols in common, a message will display and no rules will be
created. Similarly, no rules will be created if the assets have a protocol in
common but are either both clients or both servers.
· Finally, since two assets may have different rule profile settings for the
same protocol, the Eaton Tofino Configurator will use a series of priorities
to determine what the final rule should be. The following table shows how
these conflicts are resolved.
If a field is required to match and the rule profiles of the two assets do not
match on that field, then no rule will be created. If the fields do match,
then the value of that field will be used for the new rule to be created.
If a field is indicated as not having to match, then the priority describes
how the value of the field in the resulting firewall rule is determined. For
example, if the assets have different values for the Rate Limit, then the
lowest rate limit will have priority and will be used in the resulting
firewall rule. Alternatively, if the two rule profiles both have comments that
are different, the automatic rule generator will combine the comments in the
resulting rule.
The table lists, for each field: whether the rule profile values are required
to match; if the values do not match, which value is given priority; and notes.

Special Rule Type
· Required to match: Yes
· Notes: Special Rules that lock assets cannot be used for rule profiles.
Assets
· Required to match: N/A
Protocol
· Required to match: Yes
Direction
· Required to match: See Notes
· Notes: Rule direction is decided based on the relationship of Server and
Client settings for both profiles.
Permission
· Required to match: See Notes
· Notes: If one profile is set to Allow and the other is set to Enforcer,
Enforcer is the resulting permission.
Log
· Required to match: No
· Priority if values do not match: Enabled
Rate Limit
· Required to match: No
· Priority if values do not match: Lowest
· Notes: If one asset has no Rate Limit defined, the Rate Limit of the other
asset is used.
Burst Limit
· Required to match: No
· Priority if values do not match: Lowest
· Notes: If one asset has no Burst Limit defined, the Burst Limit of the other
asset is used.
Enforcer Details
· Required to match: No
· Priority if values do not match: Refer to Modbus and EtherNet/IP sections in
this table
· Notes: If one profile has an Enforcer detail and the other does not, the
existing Enforcer detail will be assigned to the rule.
Description
· Required to match: No
· Priority if values do not match: Both
· Notes: The rule profile descriptions from both assets are combined.

Modbus
Function Codes
· Required to match: No
· Priority if values do not match: The most restrictive group takes precedence
Unit ID
· Required to match: Yes
Sanity Check
· Required to match: No
· Priority if values do not match: Enabled
State Check
· Required to match: No
· Priority if values do not match: Enabled
Exception
· Required to match: No
· Priority if values do not match: Enabled
Reset
· Required to match: No
· Priority if values do not match: Enabled
Read Only (most restrict
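As an added example that is not part of the manual and not the Eaton Tofino Configurator's own code, the following Python models how the priority table above resolves two rule profiles for the same protocol into one firewall rule (the general fields only, not the Modbus Enforcer details). The RuleProfile type, its field names and the " / " separator used to combine descriptions are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of one asset's rule profile for a single protocol.
# Field names are assumptions chosen to mirror the columns of the table.
@dataclass
class RuleProfile:
    asset: str
    protocol: str
    role: str                      # "client" or "server"
    permission: str = "Allow"      # "Allow" or "Enforcer"
    log: bool = False
    rate_limit: Optional[int] = None
    burst_limit: Optional[int] = None
    description: str = ""

def _lowest(a: Optional[int], b: Optional[int]) -> Optional[int]:
    # Lowest limit wins; if only one asset defines a limit, that one is used.
    if a is None:
        return b
    if b is None:
        return a
    return min(a, b)

def generate_rule(p: RuleProfile, q: RuleProfile) -> Optional[dict]:
    """Merge two rule profiles into one rule, or return None if no rule applies."""
    # Protocol is required to match, otherwise no rule is created.
    if p.protocol != q.protocol:
        return None
    # Direction follows the client/server relationship; two clients or two
    # servers cannot be paired, so no rule is created.
    if p.role == q.role:
        return None
    client, server = (p, q) if p.role == "client" else (q, p)
    if p.description == q.description:
        description = p.description
    else:
        # Differing descriptions are combined (separator is an assumption).
        description = " / ".join(d for d in (p.description, q.description) if d)
    return {
        "protocol": p.protocol,
        "from": client.asset,
        "to": server.asset,
        # Enforcer takes precedence over Allow when the profiles disagree.
        "permission": "Enforcer" if "Enforcer" in (p.permission, q.permission) else "Allow",
        # Logging is enabled if either profile enables it.
        "log": p.log or q.log,
        "rate_limit": _lowest(p.rate_limit, q.rate_limit),
        "burst_limit": _lowest(p.burst_limit, q.burst_limit),
        "description": description,
    }
```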