© 2013 Belden Inc. | belden.com | @Belden Inc. 1
Tofino Xenon
Tofino Configurator 2.0
Today's Discussion
What is the Tofino Configurator?
Tofino Configurator Philosophy
Tofino Configurator Work Flow
Advanced Configuration Topics
Questions
What is the Tofino Industrial Security Solution?
• Industrial firewall appliances with easy-to-deploy configuration management software designed for automation systems:
− Focused on securing ICS protocols and devices
− Designed not to disrupt critical operations
− Easy to use by control systems professionals
Helps make control systems and industrial networks more reliable
What is the Tofino Configurator?
The Tofino Configurator (TC) is part of the Tofino Xenon family of industrial cyber security devices and management tools with innovative features:
• Intuitive user interface
• Simple deployment process – plug & protect
• Fast
• Flexible, powerful rule creation with built-in templates
• Expert system – Firewall rule validation
• Enhanced change management and audit controls
• Easy integration into 3rd party security products
History of the Tofino Configurator
• 2008: Tofino Central Management Platform (CMP) released. Designed to be an easy-to-use firewall configuration tool
• 2010: Tofino, working with Exxon, develops next generation management tool Tofino Configurator (TC)
• 2011: TC 1.0 released to Exxon
• 2012: Tofino expands TC features. Releases ConneXium TC 1.1 with Schneider
• 2013: Tofino releases ConneXium TC 1.2 with Schneider Electric
• 2014: General market release of TC 2.0 (Tofino Xenon)
Tofino Xenon – built on consistent innovation in industrial cyber security
Key Components
• Tofino Xenon Security Appliance: Industrially hardened devices for securing zones of HMIs, DCS, PLCs, RTUs and other industrial control devices.
• Tofino Loadable Security Modules (LSM): Software modules providing security services such as Firewall and Event Logger.
• Tofino Configurator: Windows-based management software for the configuration of each Tofino SA.
New Tofino Xenon Appliance
Next Gen Hardware Platform – strong life cycle
Identical specifications (form/fit) to current hardware (EAGLE 20 TOFINO) + these added features:
• Real Time Clock & Digital Input
• Extended temp range -40/70°C
• Added Certifications:
− ATEX / HazLoc for Oil&Gas (pending)
− GL for Shipbuilding & offshore (pending)
− IEC 61850 / IEEE 1613 for Substation
− EN50121-4 for Train & Transportation
[Figure: appliance callouts – Redundant power and alarm relay connector; USB connector for external memory; Screw connector for ground connection; LED status indicators; Wiring diagram - power & alarm connector; Load/Save/Reset button; ID label; Digital input feature]
Loadable Security Modules (LSM)
Current Release: TC 2.0
• NetConnect – provides secure remote configuration over networks
• Firewall - compares network traffic against a set of rules
• Event Logger - logs security events and sends alarms to appliance memory and external alarm management (SIEM) systems
• Modbus TCP Enforcer - content inspection for Modbus TCP and UDP communications
• EtherNet/IP Enforcer - content inspection for EtherNet/IP (CIP) communications
• OPC Classic Enforcer – content inspection and connection tracking for OPC DA, HDA and A&E communications
Future Release: TC 2.1
− Advanced Secure Asset Management – Asset detection and automated rule generation (will be included with Firewall LSM)
− Additional DPI Protocols – e.g. DNP3, GOOSE, IEC-104, etc.
Tofino Configurator Philosophy
• Simple Work Flow
− A GUI Familiar to Any Windows User
− Product Templates for Common Systems
− Assisted Firewall Rule Generation
• Expert System for Firewall Rule Validation
• Ready to Use Out-of-the-Box
Simple Work Flow
Start Project → Define Tofinos → Define Assets → Define Rules → Apply Config → Verify Config
• Simple work process
• Allows validation of configuration results
• Configuration by either network or encrypted USB drives
• Uses existing Windows user authorization system
Step-by-step work flow – easy and reliable deployment
A GUI Familiar to Any Windows User
• Designed to look and operate just like Windows Explorer
− Project Explorer View: Shows all items in a familiar tree style
− Details View: Shows details of selected items
• Can cut and paste just like Windows Explorer
Control Engineers/Technicians understand Tofino Configurator immediately
Device Templates for Consistent Rule Sets
Built-in Templates – easily define equipment and rules
Assisted Firewall Rule Generation
Tofino Configurator creates rules that match your equipment’s communications needs
1. Select Equipment
2. Select “Use Rule Profiles”
3. Rule Auto Generated
Expert System - Firewall Rule Validation
Tofino Configurator checks for missing or invalid rules and suggests solutions
Ready to Use “Out-of-the-Box”
• Tofino Xenon Firewall shipped with factory-installed licenses:
− Firewall LSM
− Event Logger LSM
− User-selected Enforcer LSMs – e.g. Modbus, NetConnect, etc.
• Tofino Configurator
− License Activation Key (LAK) included with every firewall
− Latest TC software available for download at no charge
− Ready to install on any Windows XP, 7, Server 2003 or Server 2008 computer
On-line license activation (24/7) – Set up Tofino the minute you receive it
Tofino Configurator Work Flow
Tofino Configurator Objects
A Tour of Tofino Configurator
Step 1: Install Tofino Configurator
Step 2: Create Project
Step 3: Define Tofino Security Appliances
Step 4: Define Assets
• "Assets" include physical devices (such as PLCs and computers), as well as "virtual" assets such as a network
• Provides flexibility and ease in creation of firewall rules
Step 5: Define Firewall Rules
Step 6: Configure Event Logger
• The Event Logger LSM provides alarm and event logging.
• Two methods for saving event logs:
− Via syslog protocol to a remote Syslog server
− To local long-term memory in the Tofino SA for later offloading
Step 7: Apply Configuration to Tofino SAs
• Configurations can be applied over the network (if the NetConnect LSM is licensed) or via encrypted USB drive
Step 8: If Applying Configurations via USB
1. Power on the Tofino SA for at least one minute.
2. Insert the USB storage device containing the prepared files into one of its USB ports.
3. Press the Save Load Reset button twice.
4. Both the 1/S and the 2/L LEDs will illuminate to indicate a Load.
5. After a few seconds, the LEDs will move from right to left to indicate a USB Load is in progress.
6. When the flashing sequence stops, remove the USB storage device.
[Figure: appliance callouts – USB Port for Configuration Loading; S/L/R LED Status Indicators; Save/Load/Reset Button]
Step 9: Verify Configuration
• Verify confirms that the configuration has been successfully applied and records important status information
Questions?