The Tofino Xenon security appliance is the ideal solution for segmenting a control network into security zones. It can be installed into an existing control system with no changes to the network, forming ‘conduits’ of communication between the zones. The control engineer defines rules that specify which network devices are allowed to communicate and what protocols they may use. Deep Packet Inspection (DPI) options allow detailed filters to enforce security policy, such as only allowing read commands to be sent to a PLC. Any network traffic that does not fit the rules is automatically blocked by the Tofino Xenon and reported as a security alert.
The standard Tofino Xenon includes a stateful firewall with layer 2, 3 and 4 filtering. Adding Enforcer LSMs provides stateful DPI to manage traffic based on high-level message content, such as the commands/services being used or the registers/objects being accessed. There are multiple Enforcers available, each one providing inspection for a different protocol. The LSMs can be pre-loaded onto the Tofino Xenon at the factory, or purchased and installed at a later date as your needs change.
Using the free Tofino Configurator software, customers can configure Tofino Xenon appliances over the network or with an ACA21-USB. Tofino Configurator software makes it easy for the control technician to define rules that specify exactly which devices are allowed to communicate, what protocols they may use, and what actions those protocols perform. The built-in Test Mode allows customers to verify firewall rules without putting business-critical operations at risk.