Running H/F 12 - MTL Instruments Group
Contents
1. SNMP Simple Network Management Protocol A protocol used to manage devices such as routers switches and hosts SQL A database computer language designed for managing data in relational database management systems SSL Secure Socket Layer A de facto standard for encrypted communications created by Netscape Incorporated Syslog A standard for logging event messages TCP Transmission Control Protocol A transport level protocol that provides a connection oriented stream service TFTP Trivial File Transfer Protocol Tofino Configuration software for configuring the Tofino security appliances Configurator Tofino Security An industrially hardened security appliance designed to be installed in front of Appliance individual and or networks of HMI DCS PLC or RTU control devices that require protection UDP User Datagram Protocol Connectionless network transport protocol URL Uniform Resource Locator The address of a resource on the Internet USB Universal Serial Bus a specification to establish communication between devices and a host controller usually personal computers in the context of this document it refers to USB based flash drives used to transfer files XML eXtensible Markup Language A general purpose markup language for creating special purpose markup languages that are capable of describing many different kinds of data INM MTL Tofino Configurator Rev 2 2 167 Glossary 168 INM2. O Name the Tofino SA interfaces and set the configuration of each interface Click Next E New Tofino SA o amp s Loadable Security Modules LSMs The LSMs active on this Tofino SA F Firewall LSM 7 Event Logger LSM Modbus TCP Enforcer LSM OPC Classic Enforcer LSM EtherNet IP Enforcer LSM O On the final page of the wizard select the LSMs you want to activate for this Tofino SA NetConnect LSM The Tofino NetConnect LSM enables the MTL Tofino Configurator and the Tofino SA to communicate over the network This allows you to perform certain tasks such as applying and verifying configuration from your PC without having to physically visit the Tofino SA in the field The NetConnect LSM will automatically activate itself once the MTL Tofino Configurator communicates with a Tofino SA licensed with that LSM Firewall LSM The Tofino Firewall LSM checks the communications on your control network against a list of traffic rules that are defined by your controls engineer Any communication that is not on the allowed list will be blocked and reported by the Firewall LSM 36 INM MTL Tofino Configurator Rev 2 2 Tofino SAs 5 1 Defining the Tofino SAs Event Logger LSM The Tofino Event Logger LSM records security events and alarm information It can record and back up this information simultaneously to both a remote IT syslog server and a non volatile memory in the Tofino SA Modbus TCP Enforcer LSM The Tofino Mod
3. Tofino 00 50 C2 B3 2B D2 munication for this Tofino SA sion 6 0 49A jon 6 0 49A n DTX 00T1TISDOZSOOOZTATO2 2 00 Select the LSMs you want to activate for this Tofino SA 7 amp EtherNevP Enforcer LSM General The General section provides identification information for the selected Tofino SA Tofino ID The ID number from the lower front of the Tofino SA s face This number is used to confirm that the configuration is loaded into the correct Tofino SA Enter it accurately If you don t know the Tofino ID of your appliance you can enter a temporary ID of 00 00 00 00 00 XxX where XX is any two digit number This lets you configure the Tofino SA without the actual ID number However you will receive a message indicating that you need to enter a correct Tofino ID in order to apply the configuration to a Tofino SA Name Insert aname or identifier that uniquely identifies the Tofino SA e g Jasper Pump Station Tofino or JP TFN 001 Each Tofino SA needs to have a unique name for clarity and ease of deployment Description A text field that can be used to describe the function of this Tofino SA General Location A text field for reference 140 INM MTL Tofino Configurator Rev 2 2 Reference Field Descriptions 16 1 Tofino SA Fields Specific Location A text field for reference NTP Time Sync A check box indicating the Tofino SA uses Network Time Protocol messages to calibrate its inter
4. Name New Tofino SA Description General Location Specific Location Mode Test Cancel Enter the Tofino ID This number is found on the face of the Tofino SA device If you don t know the Tofino ID of your appliance you can enter a temporary ID of 00 00 00 00 00 xx where XX is any two digit number This lets you configure the Tofino SA without the actual ID number However you will receive a message indicating Tofino ID is not a valid Tofino Security Tofino ID Enter information to identify this specific Tofino SA device in the Name Description General Location and Specific Location fields Select the mode Operational or Test that you want the Tofino SA to run in when the configuration is loaded Click Next Note During commissioning confirm that the Tofino SA is set to Test mode to allow validation of the firewall rules without dropping needed traffic Once the rules have been validated set the Tofino SA to Operational mode For more information on using Test mode see Using Tofino Test Mode to Validate Firewall Rules INM MTL Tofino Configurator Rev 2 2 35 Tofino SAs 5 1 Defining the Tofino SAs Tofino SA Configure the network interface settings for the new Tofino SA Net 1 Interface Name Netl Net 1 Interface Medium Auto Net 2 Interface Name Net 2 Net 2 Interface Medium Auto lt Back Net gt Finish Cancel
5. lt Back Next F Cancel For each asset you L Select the interface where the asset or address is found O Specify the asset or address that the rule applies to You can enter a specific address or select from a list of known assets You can also specify that the rule applies to any asset O Set the direction to indicate which asset can establish the connection The options are left right and bidirectional O Define the rule protocols for the selected assets When the assets selected have no rule profiles associated with them the Protocol page opens where you manually create the rule profiles However when one or both of the assets selected is associated with a rule profile a prompt appears You can choose to use the existing profile to build the firewall rules or create the firewall rules manually 68 INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 1 Creating Firewall Rules Asset Rule Profiles Select whether you want to use the asset rule profiles or not The previously selected assets contain associated rule profiles that can be used to determine a set of firewall rules Use rule profiles associated with selected assets to build firewall rules Manually create the firewall rules for the selected assets GoFish zene If prompted select how you want to create the firewall rules and click Finish When you choose to manually create the rule profiles you are directed to the Protoc
6. Asset Interface Direction Asset Interface Protocol Permission Log Type iz Any FSHMI Network GW Fs PLC 001 FS Contro DHCP BOOTP Allow Stand MI Any FSHMINetwork Any FS Contro fy ARP OAlow 1 Stand iz B Fs HMLO0L FS HMI Network GW Fs PLC 001 FS Contro MODBUS TCP Enforcer Stand tz E Fs HMLO0I FSHMI Network W Fs PLC 001 FS Contro HTTP allow 1 Stand MW Any FSHMINetwork Fs PLC 001 FS Contro lt none gt O Deny A ASe MI Any FSHMINetwork I Fs_PLC_oo1 FS Contro lt none gt O Deny Wo te Sc iz rs HMLOHI FS HMI Network W Fs PLC 011 FS Contro OPC Classic O Enforcer Stand iz IB Fs HML012 FSHMI Network W Fs PLC o11 FS Contro EtherNet IP CIP Enforcer MM Stand Assisted Firewall Rule Creation Some firewall rules are needed for other rules to work correctly For example because the devices using the TCP protocol use the ARP protocol to determine each other s addresses an ARP Allow rule is needed in order for a TCP rule to work The Tofino SA detects when an additional rule is needed and prompts you to insert it The message displays in the title bar above the rule table INM Tofino Configurator Rev 2 2 63 Firewall Rules 4 Rule Table The firewall rules configured for this Tofino SA Create Rule X Hep v FS TSA 001 Firewall No ARP rule exists IP traffic will not be allowed without ARP Click here to crea
7. MTL Tofino configurator 2 2 IO Nw De o as NW WO e LY CO Powering Business Worldwide Contents Contents 3 3 1 4 4 1 4 2 4 3 4 4 4 5 4 6 5 5 1 5 2 5 3 6 6 1 6 2 About this Manual Key Introducing the MTL Tofino Configurator Navigating the MTL Tofino Configurator Nine Steps to a Secure Control System Installing Your MTL Tofino Configurator Running the MTL Tofino Configurator Installer Projects Creating a New Project Opening an Existing Project Editing Project Details Deleting a Project Duplicating a Project Exporting a Project File Tofino SAs Defining the Tofino SAs 5 1 1 Manually creating a Tofino SA 5 1 2 Discovering a Tofino SA Editing a Tofino SA Deleting a Tofino SA Assets Asset Templates 6 1 1 Creating an Asset Template 6 1 2 Deleting an Asset Template Creating Assets 6 2 1 Creating an Asset Manually INM MTL Tofino Configurator Rev 2 2 11 12 15 17 18 21 23 26 27 29 30 31 33 34 38 40 42 43 45 49 51 51 6 2 2 Creating an Asset from a Template 54 6 3 Editing an Asset or an Asset Template 56 6 4 Creating an Asset Template from an Existing Asset 58 6 5 Deleting an Asset 59 7 Firewall Rules 61 7 4 Creating Firewall Rules 67 7 2 Deep Packet Inspection Firewalls 72 7 2 1 Creating a Modbus TCP Enforcer Rule 73 7 2 2 Creating an OPC Classic Enforcer Rule 77 7 2 3 Creating an EtherNet IP Enforcer Rule 80 7 3 Editing F
8. Tofino SAs 5 3 Deleting a Tofino SA Delete a Tofino SA if you no longer need it in the current project The Tofino SA in your MTL Tofino Configurator project is a virtual representation of the physical Tofino SA device Special keys are stored in both of these locations to enable communication between them Deleting a Tofino SA from the project deletes its configuration data including the special keys This will block any future network communication between the MTL Tofino Configurator and that Tofino SA device until a factory reset is performed on the Tofino SA device The factory reset clears the second of the two keys and opens the door for a new MTL Tofino Configurator Tofino SA pairing to be established L In the Project Explorer view click the Tofino SA you want to delete O Click the Delete icon in the toolbar When the Communications setting is Network Only or Both USB and Network a message asks if you want to perform a factory reset on the Tofino SA Click Yes The MTL Tofino Configurator automatically resets the Tofino SA to the factory settings When the Communications setting is USB Only you need to perform the factory reset manually See Factory Resetting Your Tofino SA A message prompts you to confirm the deletion Click OK to proceed 42 INM Tofino Configurator Rev 2 2 Assets 5 3 Deleting a Tofino SA 6 Assets In the MTL Tofino Configurator assets represent the real world d
9. you can either pass this type of traffic through the firewall according to stateful layer 3 and 4 filters or block it 80 INM Tofino Configurator Rev 2 2 Firewall Rules 7 2 Deep Packet Inspection Firewalls A CAUTION LOSS OF COMMUNICATION OR PROCESS VIEW L To create firewall rules to manage implicit messages select EtherNet IP CIP Implicit Msg L To allow PCCC traffic embedded in CIP EtherNet IP to pass through the firewall select the EtherNet IP CIP Explicit Msg protocol on the applicable firewall rules and then select the Allow Embedded PCCC option on the Enforcer tab O To allow PCCC traffic embedded in the CSP v4 protocol to pass through the firewall select the Rockwell CSP protocol on the applicable firewall rules L Before deploying the firewall test your settings by sending both implicit and explicit messages and verify that your configuration is correct Failure to follow these instructions can result in injury or equipment damage L Open the General settings page for the Tofino SA you are configuring Check that the Firewall LSM and EtherNet IP Enforcer LSM options are selected in the Loadable Security Modules list O Open the Firewall settings page and click Create Rule L Work through the New Firewall Rule Wizard to define a firewall rule with the following settings On the Rule Type page select Standard rule Click Next On the Assets page create a firewall rule between
10. 32 INM MTL Tofino Configurator Rev 2 2 Tofino SAs 4 6 Exporting a Project File 5 Tofino SAs Tofino Security Appliances referred to as Tofino SAs are the hardware devices installed on your live network They also exist in the MTL Tofino Configurator where you create a Tofino SA to represent each physical device being installed You configure the devices in the MTL Tofino Configurator and then transfer the configuration data to the devices either over the network or with a USB device From the Tofino SAs item in the Project Explorer view you can create edit and delete the configuration data for multiple Tofino SAs contained in a single project By selecting a specific Tofino SA in the Project Explorer view you can do the following Create a new Tofino SA View and edit the Tofino SA configuration Delete a Tofino SA Create a configuration that can be loaded onto a Tofino SA device in the field Verify the configuration that is installed on a Tofino SA Normally you will perform the last two tasks once your Tofino SA is fully configured After defining a Tofino SA in the project you may also need to configure event logging and define firewall rules The Discovery item in the Project Explorer view lets you search for existing Tofino SAs already configured on your network INM MTL Tofino Configurator Rev 2 2 33 Tofino SAs 5 1 Defining the Tofino SAs 5 1 Defining the Tofino SAs Within a project you define a Tofin
11. CI Password Change Password Administrator Password Administrator protection settings for this project Use Administrator Password Change Administrator Password INM Tofino Configurator Rev 2 2 124 Advanced Topic MTL Tofino 13 2 Managing User Logging Access Configurator Settings and Privileges There are three options for controlling access to your project Project Protection License Activation Key When the License Activation Key option is selected the project file is encrypted when saved Each time the project file is opened the system confirms that the MTL Tofino Configurator is using the same LAK that it had when the project was created If the LAK is different then the file cannot be decrypted This is a low level of security but it restricts computers that are running other copies of MTL Tofino Configurator software from viewing or modifying your projects provided that the LAK is not shared outside the company Project Protection Password When the Password option is selected the project file is encrypted when saved Each time the project file is opened the user will be prompted for the project password If the password entered is incorrect then the file cannot be decrypted or opened This is a higher level of security as it restricts unauthorized users from viewing or modifying your projects Administrator Password When the Use Administrator Password option is selected the user is unable to make a
12. Network or USB Drive Note You may be unable to change the transport method specified in this dialog box The Communications section on the General settings page determines how the MTL Tofino Configurator can communicate with the Tofino SA in the field O When the transport method is set to USB Drive insert a USB device and click Browse Select the location you want to save the configuration to Click the Use as default location check box to save the selected location as the default for the next time you perform this action INM MTL Tofino Configurator Rev 2 2 97 Applying and Verifying Configurations 9 1 Applying a Tofino SA Configuration Note You can save the configuration directly to the USB device or you can save it to a location on your computer and transfer it to the USB device at another time The configuration file is saved as a tcf file Click Finish If you transferred the configuration data over the network the MTL Tofino Configurator displays a results page indicating whether or not the transfer was successful Click OK to close this dialog box When the transfer is successful verification files for each Tofino SA configured will be returned to the MTL Tofino Configurator If you transferred the configuration data to a USB device you need to manually load that data into the Tofino SA Proceed to the task Loading Your Tofino SA via USB Note The Tofino SA will pass network traff
13. To create rules manually on the Protocol page expand the folders and select the protocols you want to use for the asset rules Use SHIFT click to select a range of protocols use CTRL click to select multiple protocols out of sequence A rule will be created for each protocol selected O Set the permission This tells the firewall what to do with a packet that matches the rule allow it to pass Allow or stop it from passing Deny The Enforcer option inspects and filters the traffic using Deep Packet Inspection This option is appropriate solely for the Enforcer protocols L To create a log each time the rule is triggered select the Enable Logging check box O Click Finish O Finish configuring the firewall details in the Rule Details section Many firewall rules allow you to adjust advanced settings such as traffic rate limiting Additional settings for the selected rule are displayed in one or more tabs below the rules table The Details column in the rules table displays a summary of these advanced settings For more information on setting these rule details see Firewall Rate Limiting and the appropriate sections on Enforcer rules Creating a Modbus TCP Enforcer Rule Creating an OPC Classic Enforcer Rule Creating an EtherNet IP Enforcer Rule INM MTL Tofino Configurator Rev 2 2 70 Firewall Rules 7 1 Creating Firewall Rules O Manually reorder the rules as necessary LJ Click the Save
14. Viewing and managing the audit system Preferences Setting configurations such as the location of the audit file Licensing Viewing your software licenses and performing tasks that allow you to obtain new LSM licenses through the Tofino Customer Portal Help Displaying the online help and MTL Tofino Configurator product information INM Tofino Configurator Rev 2 2 13 Introducing the MTL Tofino Configurator 14 INM MTL Tofino Configurator Rev 2 2 Nine Steps to a Secure Control System 2 Nine Steps to a Secure Control System The MTL Tofino Configurator was designed to simplify the installation of security firewalls in an industrial control system The following 9 steps describe how to install and configure your Tofino Industrial Security Solution Install Tofino Create Define Configurator Project Tofino SAs Define Define Configure Assets Firewall Rules Event Logger Install Tofino Hardware Apply Verify Configuration Configuration Install the MTL Tofino Configurator on your computer Create a project INM MTL Tofino Configurator Rev 2 2 15 Nine Steps to a Secure Control 1 1 Navigating the MTL Tofino Configurator System O Define the Tofino SAs for your project Create a virtual representation of the physical Tofino SA devices You can manually create these or discover existing devices This information will be used to configure the actual Tofino SAs that will be installed on your n
15. access See Managing User Logging Access and Privileges for additional techniques on how to control access to the project file If you plan to use the NetConnect Loadable Security Module LSM you need to create firewall exceptions to open ports for both the TCP and UDP protocols Tofino s defined port is 6689 INM MTL Tofino Configurator Rev 2 2 Projects 3 1 Running the MTL Tofino Configurator Installer 4 Projects The MTL Tofino Configurator uses project files to coordinate one or more Tofino SAs that are being used for a common facility or project Each project file contains the configurations of the Tofino SAs it is managing along with other information such as network assets and common protocols When you start the MTL Tofino Configurator you will be asked if you would like to do the following Create a new project see Creating a New Project on page 23 Open an existing project Tofino Configurator Project Selection Create a new project or open an existing project Ci Create New Project amp Open Project Gy CAUsersikxm082611DesktopNFort Sask Control Network v9 tpf G Users lorm08261 Desktop ABC Environemtnal Project tpf Z C Users lorm08261 Desktop Northern Area Network Systems tpf Set this as the default project and do not ask again Once you create a project file that file will be visible for you to open from the start up screen The last five projects opened display her
16. irehi u a Creste Rule E Project Explorer 87 FS_TSA_001 Firewall Rule Table The firewall rules configured for this Tofino SA The check box in this column indicates if the rule is active selected When the check box is not selected the rule will not be loaded into the firewall This allows you to create rules in advance to activate later It also allows you to quickly deactivate rules for testing without having to delete them Asset first of two An asset or address that the rule applies to Certain protocols require a specific address type or a predefined address Interface The Tofino SA interface where the first asset or address is found Direction The direction a session is initiated There are three possible options right left and bidirectional Asset second of two An asset or address that the rule applies to Certain protocols require a specific address type or a predefined address INM MTL Tofino Configurator Rev 2 2 85 Firewall Rules 7 3 Editing Firewall Rules Interface The Tofino SA interface where the second asset or address is found Protocol The protocol defined when the firewall rule was created The Protocols folder contains a list of available protocols Permission What the firewall does with a packet based on the defined rules There are three options Allow The Tofino SA will allow traffic matching the rule to pass Deny The Tofino SA will stop traffic matching
17. prompted to confirm the action click OK When prompted enter the current password and click OK to confirm that you have permission to remove the protection To edit the current password click Change Administrator Password Enter the current password and then enter and confirm a new password Create a password that is at least 6 characters long and includes uppercase lowercase and special characters Click OK O Click the Save icon in the toolbar If this is a new project that has not been saved select a location on your computer to store the project file enter a name for the project and click Save 28 INM MTL Tofino Configurator Rev 2 2 Projects 4 4 Deleting a Project 4 4 Deleting a Project You delete a project from outside the MTL Tofino Configurator Delete the project file as you would delete any Windows file Open Windows Explorer and locate the project file on your computer Select the tpf file you want to delete Press DELETE A message prompts you to confirm the deletion Click Yes INM MTL Tofino Configurator Rev 2 2 29 Projects 4 5 Duplicating a Project 4 5 Duplicating a Project The Save As feature lets you create a copy of your project file You can also use this feature to save a project file to a new location on your computer Open the project you want to duplicate Open the Save menu and click Save As Select a location on your computer to store t
18. relocate templates Some templates are factory defined and cannot be cut or deleted INM MTL Tofino Configurator Rev 2 2 45 Assets 6 1 Asset Templates 6 1 1 Creating an Asset Template Create as many asset templates in a project as you need to simplify the process of creating assets When you have several assets that are similar it will save time to create a template containing the common information and then use that to create your assets You can create rule profiles for asset templates When you create a template you can specify the protocols that this type of asset typically uses along with how you want those protocols managed The New Firewall Rule Wizard can use this information to automatically create rules for the assets created from this template For more information see Rule Profiles 46 INM MTL Tofino Configurator Rev 2 2 Assets 6 1 Asset Templates Note To add rule profiles to preloaded templates first make a copy of the template and then add the rule profiles O Click Asset Templates in the Project Explorer view and then click New Asset Template in the toolbar Alternately open the New menu in the toolbar and click Asset Template Note This creates an asset template at the top level Select a folder before clicking New Asset Template to create the template in a specific location Use the New Folder feature in the toolbar to create folders to organize the templates The New Asset Tem
19. A standard based on OLE COM and DCOM for accessing process control information on Microsoft Windows systems Parent A parent node is one that has nodes connected to it known as children PCN Process Control Network A communications network used to transmit instructions and data to control devices and other industrial equipment PLC Programmable Logic Controller A PLC is a small dedicated computer used for controlling industrial machinery and processes Protocol A convention or standard that controls or enables the connection communication and data transfer between two computing endpoints In its simplest form a protocol can be defined as the rules governing the syntax semantics and synchronization of communication Protocols may be implemented by hardware software or a combination of the two At the lowest level a protocol defines the behavior of a hardware connection RPC Remote Procedure Call A standard for invoking code residing on another computer across a network SA Security Appliance An industrially hardened security appliance designed to be installed in front of individual and or networks of HMI DCS PLC or RTU control devices that require protection SCADA Supervisory Control And Data Acquisition A system for industrial control consisting of multiple Remote Terminal Units RTUs a communications infrastructure and one or more Control Computers 166 INM MTL Tofino Configurator Rev 2 2 Glossary
20. Configurator window or in an external browser Click Help in the side panel type filter text Help O v v Audit a Specify how help information is displayed elp Ponjecis Open Modes Open help search In the dynamic help view Open help contents In the help browser ContextHelp Open window context help In an infopop Open dialog context help In an infopop Restore Defaults Apply Cancel Select from the lists to indicate how you want to display the help content To save the settings click Apply INM MTL Tofino Configurator Rev 2 2 129 Advanced Topic MTL Tofino Configurator Settings 13 3 Customizing Program Settings and Preferences You can also incorporate help topics from remote servers into the local help system O Open the Help item in the side panel and click Content type filter text Content Audit 4 Help Content Projects Configure information centers Include local help only Include remote help and give it priority Include remote help and give local help priority Name URL Enablec l New ir L Configure the remote servers you want to include content from LJ To save the settings click Apply Project Preferences The Projects page allows you to set a default project to open automatically when you start the MTL Tofino Configurator LJ Click Projects in the side pa
21. Fort Sask Pipeline Co SF Define Assets Create objects to represent the real world devices and systems ca the control network both physical ual entities These will be used to create in the Project Explorer view rol ne the Change Password how the Tofino SA vali handle network traffic Co assets you defined with predefined protocols to build the rules Administrator Password Chock Frewall under the Tofino SA you want to create firewall rules for Adm x protection settings for thn proyect i x 4 Configure the Event Logger optional Configure the Use Admunistrator Passwords Event Logger LSM to take advantage of external alarm and Change Administrator Password event logging Specify the type of events you want to collect and where you want to store the log files Click Event Logger under the Tofino SA you want to configure 5 DE Create the configuration After fing the Tofino SAs uration data to the Select a Tofino SA and click Apply in the tocibar Update the Project Details section as necessary Project Name A user editable project name Project File The name of the project file with the location it was loaded from or last saved to This is also the location where the project will be stored the next time it is saved This field displays lt unsaved gt for new unsaved projects Project Revision The number of the current version of this project along with a
22. Industrial 4 Common IT 4 Any IP Any TCP Any UDP i ARP DHCP BOOTP DNS Protocol Name ARP Description Address Resolution Protocol used to translate IP addresses to MAC addresses Protocol Type Ethernet EtherType 00806 112 INM MTL Tofino Configurator Rev 2 2 Advanced Topic Protocols 10 3 Deleting a Protocol Delete a protocol if you no longer need it in the current project The factory defined protocols cannot be edited cut or deleted In the Project Explorer view click the protocol you want to delete View the details to verify that this is the protocol you want to delete Click the Delete icon in the toolbar If the selected protocol is referenced in a firewall rule you will receive a message with two options You can choose to cancel the deletion or delete the protocol and fix the resulting errors later When you choose to delete the protocol a message prompts you to confirm the action Click OK to proceed Canceling the deletion at this prompt will not reinstate the protocol in any firewall rules or assets from which it was removed INM MTL Tofino Configurator Rev 2 2 113 Advanced Topic Protocols 114 INM MTL Tofino Configurator Rev 2 2 Advanced Topic Importing Templates and Security Profiles 11 Advanced Topic Importing Templates and Security Profiles The MTL Tofino Configurator allows you to import predefined objects that can be used as
23. Name Last Name Country Phone Number Email Address Company Name Cance e O Enter your License Activation Key and contact information Click OK 20 The MTL Tofino Configurator will start automatically if you selected the Start the MTL Tofino Configurator check box on the final page of the wizard The installation is complete and your license has been activated Additional configuration steps may be required depending on who will be using this program A Windows user with administrator permissions has full access to all MTL Tofino Configurator functionality To enable Windows users without Administrator permissions to use the application perform the following additional steps By default the MTL Tofino Configurator preferences and audit log files are located in C ProgramData Tofino Security MTL Tofino Configurator Non administrator users need permission to write to this location Using Windows security allow Write access to this folder You can choose to relocate the audit log file to a write accessible location see Customizing Program Settings and Preferences but you cannot move the preferences file To give non administrator users full access to a MTL Tofino Configurator project save the project file tpf to a folder that allows them Administrator or Read Write access To limit their functionality in a project save the project file to a folder that allows them Read Only
24. Priority Message to be Logged setting options for the Event The following table shows the priority settings for a selection of event logs generated by the Tofino SA Event Type Syslog Level Network Interface Up Down Power Failure or Power Recovery License Eypiration TC Configuration Load Attempted Tofino Mode Change Firewall Packet Allow Deny Modbus Enforcer Allow Deny EtherNet IP Enforcer Allow Deny OPC Enforcer Allow Deny W W P PM gt A A gt Event Log Periodic Message Table 2 Event Log Priority Settings 92 INM MTL Tofino Configurator Rev 2 2 Event Logging To record when packets are denied by the Firewall and Enforcer modules set the Lowest Priority Logged value to 3 or higher L Complete the fields in the Syslog Address section to indicate the address from which syslog messages will originate Tofino SA IP Address This address is used exclusively for syslog reporting The Tofino SA will not respond to traffic directed to this address Tofino SA Subnet Mask The subnet mask is used by the Tofino SA in conjunction with the IP address to identify if the syslog server is on the same subnet as the Tofino SA A subnet mask is a 32 bit number that is notated by using four numbers from 0 to 255 separated by periods Typically subnet masks use either 255 or 0 for each number such as 255 255 255 0 but other numbers can appear in special cases
25. Pump Station Control Room z Specific Location Right Desk Asset Tag 675849 23 Rule Profiles The rule profiles associated with this asset Protocol Type Server Client Permission Log Details Description MODBUS TCP Standard O m OHow O DHCP BOOTP Standard O m aAlow O ICMP Ping Only Standard m WM BAlw O HTTP Standard O m QaAlow O 4b Add Rule Profile General The General section contains the basic settings for an asset Name The name or identifier that uniquely identifies the asset e g Jasper Pump Station PLC or JP PLC 001 Each asset needs to have a unique name to avoid confusion Type The asset type Asset types include Computer Controller Device Network Network Equipment Broadcast Multicast Description A text field describing the function of this asset Manufacturer The make or company that manufactured or sold this asset e g Schneider Electric 146 INM MTL Tofino Configurator Rev 2 2 Reference Field Descriptions 16 2 Asset and Asset Template Fields Model The model of this asset e g Quantum General Location A text field for reference Specific Location A text field for reference Asset Tag A user defined field for corporate asset tags Communications The Communications section contains the settings related to the Tofino SA s communication settings IP Address This is the IP address of the asset In order for the firewall rules to operate properly
26. SA appears in the Project Explorer view Expand the Tofino SA and click General to display the General settings page See the reference section Tofino SA Fields for a detailed description of the fields on this page Confirm the information for this device is correct Check the Communications section which defaults to Both USB and Network Change this setting as necessary You can specify whether you want to transfer configuration data to the Tofino SA device over the network or with a USB device If you do not have a license for the NetConnect LSM choose USB Only INM MTL Tofino Configurator Rev 2 2 37 Tofino SAs 5 1 Defining the Tofino SAs 5 1 2 Discovering a Tofino SA The Discovery feature lets you search your network for new and existing Tofino SA devices By scanning IP address ranges the Tofino SAs can be discovered and then added to your project A Tofino SA does not have its own IP address During Discovery the MTL Tofino Configurator sends discovery messages to addresses of devices on the opposite side from the Tofino SA The MTL Tofino Configurator may be located anywhere in the network as long as it is able to communicate with at least one device on the opposite side of the Tofino SAs If any routers or firewalls are located between the MTL Tofino Configurator and a Tofino SA in the network configure each router and firewall device to allow the MTL Tofino Configurator traf
27. This will allow you to record the configuration of Tofino SAs in the field and save it in your project You have successfully installed the Tofino Industrial Security Solution and significantly improved the security of your process network Note The Tofino SA will pass network traffic freely during the initial configuration or when its configuration is being updated Firewall rules take effect after completion of the initial configuration or update of the Tofino SA so that network operations are not affected before the full rule set can be loaded A typical configuration load will finish in approximately 30 seconds 16 INM MTL Tofino Configurator Rev 2 2 Installing Your MTL Tofino Configurator 1 1 Navigating the MTL Tofino Configurator 3 Installing Your MTL Tofino Configurator This section details the procedure for installing the MTL Tofino Configurator on a computer that has not previously had the MTL Tofino Configurator installed on it Prior to installing your MTL Tofino Configurator software please verify that you have the following materials ready MTL Tofino Configurator installer downloaded from the Belden Inc website www tofinosecurity com License Activation Key a string of 25 letters and numbers such as X4QP9 RMNRQ B59SD AG5H6 KSFRW If you have a License Activation key download your MTL Tofino Configurator software as follows Visit www tofinosecurity com licensing and register your pr
28. Zone A small network inserted as a neutral zone between a trusted private network and the outside untrusted network DNP3 Distributed Network Protocol 3 A protocol used between components in process automation systems DNS Domain Name System A distributed database system for resolving human readable names to Internet Protocol addresses DPI Deep Packet Inspection EtherNet IP An industrial control protocol defined by the Open DeviceNet Vendors Association ODVA Firewall A set of security schemes that helps prevent unauthorized persons or devices from gaining access to protected nodes on a network A firewall essentially works as a control point that blocks invalid connections to nodes behind the firewall while allowing trusted communications to pass through unaffected FTP File Transfer Protocol GOOSE Generic Object Oriented Substation Events GUI Graphical User Interface Graphical as opposed to textual interface to a computer HMI Human Machine Interface This interface enables the interaction of human and machine HTML HyperText Markup Language The authoring software language used on the Internet s World Wide Web INM MTL Tofino Configurator Rev 2 2 165 Glossary HTTP HyperText Transfer Protocol The protocol used to transfer Web documents from a server to a browser HTTPS HyperText Transfer Pro
29. and models may work but have not been tested Only USB devices formatted as FAT or FAT32 are compatible The Tofino SA Fault LED will flash twice when it detects an invalid storage device Following a successful USB Save function five or more files should be stored on your USB storage device for the Tofino SA lt tofino id gt is replaced with the actual ID of the Tofino SA lt tofino id gt _tc_data Verification data indicating if the configuration was successful or not see Verifying a Tofino SA Configuration on page 101 lt tofino id gt _diagnostics txt Diagnostics information on the Tofino SA see Tofino SA Diagnostics on page 152 eventlogger_ lt tofino id gt zip and eventlogger_ lt tofino id gt X zip Event logs from the Tofino SA in a compressed file see Setting up the Event Logger on page 90 lt tofino id gt _kernel_evt enc Encrypted kernel diagnostics information solely for factory troubleshooting use lt tofino id gt _diagnostics enc Encrypted module diagnostics information solely for factory troubleshooting use lt tofino id gt _configuration txt Configuration data listing the LSMs licensed for this Tofino SA INM MTL Tofino Configurator Rev 2 2 105 Applying and Verifying Configurations 9 3 Transferring Data from Your Tofino SA via USB 106 INM MTL Tofino Configurator Rev 2 2 Advanced Topic Protocols 9 3 Transferring Data from Your Tofino SA via USB 10 Advanced Topic Prot
30. assets accordingly without reference to the Modbus TCP Enforcer Click Finish The MTL Tofino Configurator creates the Enforcer firewall rule and adds it to the table Configure the firewall settings in the Rule Details section at the bottom of the page 74 INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 2 Deep Packet Inspection Firewalls Rule Table FS TSA 001 Firewall The firewall rules configured for this Tofino SA Asset Any FSHMIN gt Any FS Contro fly ARP O Mlow O Stand IZ Any FSHMIN EP 1 Fs PLC 001 FS Contro DHCP BOOTP DAllow C Stand m GQ FSHMIN EP M Fs_PLc_oo1 FS Contro MODBUS TCP Enforcer Stand E Fs HMLOOL FSHMIN ep NU Fs_pLc_oo1 FS Contro dp HTTP OAlow 1 Stand Any FSHMIN W Fs PLC 001 FS Contro lt none gt O Deny Mi sd Any FSHMIN i Fs PLC 001 FS Contro lt none gt O Deny m sd iz Fs HMLo11 FSHMIN gt W Fs PLC o11 FS Contro OPC Classic Enforcer C Stand tz E Fs HML012 FSHMIN EP W Fs PLC o11 FS Contro b EtherNet IP CIP Enforcer Ml Stand Rule Details Additional options for the selected firewall rule E General Enforcer Function Codes Read Only Unit ID Interface Direction Asset Interface Protocol Permission Log Type Read Write Sanity Check v Programming OFS State Check T Any Exception Advanced Reset ci O Select the General tab Set rate and bu
31. configuration was successful or not see Verifying a Tofino SA Configuration on page 101 lt tofino id gt _diagnostics txt Diagnostics information on the Tofino SA INM MTL Tofino Configurator Rev 2 2 152 Troubleshooting 17 1 Tofino SA Diagnostics eventlogger_ lt tofino id gt zip and eventlogger_ lt tofino id gt X zip Event logs from the Tofino SA in a compressed file see Setting up the Event Logger on page 90 lt tofino id gt _kernel_evt enc Encrypted kernel diagnostics information solely for factory troubleshooting use lt tofino id gt _diagnostics enc Encrypted module diagnostics information solely for factory troubleshooting use lt tofino id gt _configuration txt Configuration data listing the LSMs licensed for this Tofino SA If you examine the file ending in txt using a standard text editor such as WordPad you should see something like the following 2 Tofino Version information 3 Tofino Firmware version Tofino Linux 1 7 0 4 Tofino Hardware Info 5 Hardware Hirschmann EAGLE20 Development Platform 6 Processor XScale IXP42x Family rev 2 v5b 7 Flash Type P Flash 8 Tofino ID 00 80 63 73 77 649 O Network Statistics 1 unsecured IF ifconfig 2 eth0 Link encap Ethernet HWaddr 00 80 63 73 77 64 3 inet6 addr fe80 280 66ff fe04 652c 64 Scope Link 4 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 5 RX packets 2776 errors 0 dropped 0 overruns 0 frame 0 6 TX packets 3900 errors 0 dropp
32. network it connects to such as Control Network or you could name it by function such as Trusted Net 2 Medium This sets the interface settings on the lower Ethernet port The Tofino SA supports auto negotiation of both Ethernet ports meaning the Tofino SA s connection and transmission parameters are negotiated automatically with the switch or device it is attached to Depending on the media type you can also manually set the Ethernet ports to Auto auto negotiate 10baseT HD Twisted pair 10 Mb s half duplex INM MTL Tofino Configurator Rev 2 2 441 Reference Field Descriptions 16 1 Tofino SA Fields 10baseT FD Twisted pair 10 Mb s full duplex 100baseTX HD Twisted pair 100 Mb s half duplex 100baseTX FD Twisted pair 100 Mb s full duplex The default value is Auto Status The Status section provides status and version information for the selected Tofino SA 142 Mode You can set the Tofino SA to one of two modes Test The Tofino SA is fully functional and processes traffic but will not drop any network traffic You can use this mode to test if the Tofino SA is correctly configured before you use it to filter control system traffic For more information on using Test mode see Using Tofino Test Mode to Validate Firewall Rules Operational The Tofino SA provides full packet processing and protection Configuration Status This is the current status of the actual Tofino SA in th
33. physical network link between adjacent devices e g two Ethernet switches Without further configuration a Tofino SA will not pass link status information from one of its network ports to the other port Therefore it may interrupt or block the correct detection of a device or connectivity loss by a redundancy protocol To allow the Tofino SA to forward link status information between its two network ports create a rule in its firewall configuration that has the special rule type Tofino Rapid Network Recovery Note Even with the Tofino Rapid Network Recovery special rule configured each Tofino SA adds a small time span to the overall recovery time of the network Also when a Tofino SA loses the physical link to both of its network ports simultaneously the first network port to be reconnected will experience a short link up before taking down the network link again 160 INM MTL Tofino Configurator Rev 2 2 Troubleshooting 17 5 Special Rules When utilizing a Tofino SA with the Tofino Rapid Network Recovery special rule test the network recovery time in your installation prior to commissioning Also check that the redundancy protocol utilized can cope with a possible short link up on one network port of the Tofino SA INM MTL Tofino Configurator Rev 2 2 161 Troubleshooting 17 6 The Discovery Feature is Not Finding Tofino SAs 17 6 The Discovery Feature is Not Finding Tofino SAs The Discovery feature lets you scan IP addre
34. second press the Save Load LED illuminates in yellow and on the third press the Reset LED illuminates in yellow with the Save Load LED off After a few seconds the Mode Save Load Reset and Fault LEDs flash simultaneously while the factory reset is being performed Once the factory reset is complete the LEDs will turn off This indicates that the Tofino SA is passive and passing traffic without filtering If the Mode LED is green either flashing or solid repeat this task If the LEDs are different than described in this task contact technical support INM MTL Tofino Configurator Rev 2 2 159 Troubleshooting 17 5 Special Rules 17 5 Special Rules Special Rules are complex rules that go beyond allow or deny For example a Special Rule could be used to block a subset of a particular type of traffic They often have specific permission protocol and direction attributes embedded within them You can view the available Special Rules in the Special Rules folder in the Project Explorer view You use special rules solely in exceptional cases 17 5 1 Tofino Rapid Network Recovery Tofino Security Appliances are often utilized in networks that have high availability requirements Therefore these networks use redundancy protocols such as the RSTP Rapid Spanning Tree Protocol or other comparable protocols to achieve redundant connections Many of these protocols detect device or media errors based on the loss of the
35. sent each second so scanning larger ranges greater than 5000 addresses may take several hours Specify the folder where you want to save the Tofino SAs that are discovered with this scan To display the existing folders click the button to the right of the Destination Folder field To create a new folder beneath the currently selected folder click the Add button Enter a name for the new folder and click OK Select the destination folder for discovered Tofino SAs Click OK To run the scan repeatedly select the Continuous Scan check box The scan will run until you manually stop it This feature enables you to start the scan before the Tofino SA devices are actually installed As they are installed on the network the scan will discover them To begin the scan click Start To pause the scan at any time click Pause The scan is held at this point until you click Start to begin it again The Duration field displays how long the scan has been running since the last time Start was clicked To return the scan Results fields to the default values click Reset The progress of the scan displays in the Results section There are four states Ready The scan is configured but has not been started Complete The entire address range has been scanned Paused The user has paused the scan Rescanning The scan is in progress for the entire address
36. specially calculated hash code to reduce the chance of accidental duplication of revision numbers The project revision number is incremented each time the project is saved Creator The user who created the project This is the Windows user name of the person who was logged in when the project was created INM MTL Tofino Configurator Rev 2 2 27 Projects 4 3 Editing Project Details Last Modified By The user who last saved the project This is the Windows user name of the person who was logged in when the project was last saved Company A user editable company name LJ In the Project Protection section change how you want to restrict access to the project file You can add protection settings remove protection settings and change the current password Click a selected check box to turn off a protection setting Click an empty check box to turn on a protection setting Click Change Password to edit the current project protection password if one is set You will need to enter the current password and then enter and confirm a new password Create a password that is at least 6 characters long and includes uppercase lowercase and special characters Click OK LJ In the Administrator Password section change the administrator setting To make yourself the project administrator enable the check box if it is not already selected Set a password and click OK To remove protection at this level clear the check box You will be
37. the Assets folder to create an asset However this does not run the wizard To make the asset unique you need to edit the details manually 6 2 1 Creating an Asset Manually Creating an asset involves defining its general information communication parameters and rule profiles You can create as many assets as needed for your project When working with multiple assets you may want to organize them in folders Use the New Folder feature in the toolbar to create the folder hierarchy In the Project Explorer view expand Assets and click the folder where you want the new asset to reside To create the asset at the top level click Assets Click New Asset in the toolbar Alternately open the New menu in the toolbar and click Asset The New Asset wizard opens INM MTL Tofino Configurator Rev 2 2 51 Assets 6 2 Creating Assets Asset Create a new asset Name Type Computer Description Manufacturer Model General Location Specific Location Asset Tag O Enter a name for this asset and select its type L Complete the remaining fields to identify the asset optional Click Next O Enter an IP address and or a MAC address for this asset This information will be used by the MTL Tofino Configurator when creating firewall rules for this asset Click Finish The new asset appears in the specified location in the Project Explorer view The details view displays the asse
38. the rule L Click the cell you want to edit and make the necessary change in the table Depending on the cell selected you will be able to do the following Change the state of a check box Select an entry in a list Open a dialog box and select from a list of appropriate values Enter text 86 INM MTL Tofino Configurator Rev 2 2 Firewall Rules FS_TSA_001 Firewall a FSHMIN 60 Default rule to ali Ht ARP traf Rp PSHMEN sb AL DHCP BOOTE O aw Sande FSHMIN s amp monsusTcP Enforcer Standard 25 second FSHMIN mH O FSHMIN 4 lt O De FSHMIN CS Ode Rule Details Additional options for the selected firewall rule Mi Generasi Entorcer Rate Lima 25 second Burst Limit 100 O On the General and Enforcer tabs in the Rule Details section update the settings as necessary for the currently selected rule in the table L Reorder the rules as necessary Packets will be inspected sequentially beginning at the top of the table Select a rule and position it by clicking Move Up and Move Down in the toolbar O Check the title bar above the rule table for messages You will be prompted if a rule is incorrect or if an additional rule is required O Click the Save icon in the toolbar INM MTL Tofino Configurator Rev 2 2 87 Firewall Rules 7 4 Using Tofino Test Mode to Validate Firewall Rules 7 4 Using Tofino Test Mode to Validate Firewall Rules You can
39. to its default state as shipped from the factory You use the USB Load function to transfer configuration files generated by the MTL Tofino Configurator and firmware updates to a Tofino SA in the field This is the second part of a two step process Before you load the Tofino SA transfer the desired data to the USB storage device See the appropriate topic to perform this first step Applying a Tofino SA Configuration Upgrading Your Tofino SA INM MTL Tofino Configurator Rev 2 2 99 Applying and Verifying Configurations 9 1 Applying a Tofino SA Configuration Note The following version 2 0 USB storage devices are known to work Kingston Data Traveler SanDisk Cruzer Sony Microvault Lexar and Hirschmann ACA21 Other brands and models may work but have not been tested Only USB devices formatted as FAT or FAT32 are compatible The Tofino SA Fault LED will flash twice when it detects an invalid storage device If the load was successful the Tofino SA s Fault LED will be off Following a successful USB Load function five or more files should be stored on your USB storage device for each Tofino SA loaded lt tofino id gt is replaced with the actual ID of the Tofino SA lt tofino id gt _tc_data Verification data indicating if the configuration was successful or not see Verifying a Tofino SA Configuration lt tofino id gt _diagnostics txt Diagnostics information on the Tofino SA see Tofino SA Diagnost
40. traffic using Deep Packet Inspection settings This option is available for protocols such as Modbus EtherNet IP and OPC Classic that have Enforcer LSMs installed Log A check box for setting logging on the rule INM MTL Tofino Configurator Rev 2 2 Reference Field Descriptions Note By default the Tofino SA will log denied packets that do not match any of the rules in the firewall table Similarly if you check the Log option on a rule the permission may be Allow or Deny packets matching the rule will be logged Conversely if you uncheck the Log option on a rule no log events will be created for packets matching this rule Acommon use for this option is to help stop nuisance alarms when blocking broadcast traffic Details A short form summary of special rule profile details such as RO for Modbus Read Only Description This field is available as a convenience so the controls engineer can add a comment about the rule profiles INM MTL Tofino Configurator Rev 2 2 149 Reference Field Descriptions 16 2 Asset and Asset Template Fields 150 INM MTL Tofino Configurator Rev 2 2 Troubleshooting 16 2 Asset and Asset Template Fields 17 Troubleshooting The topics in the Troubleshooting chapter address common questions that may arise while using the MTL Tofino Configurator INM MTL Tofino Configurator Rev 2 2 151 Troubleshooting 17 1 Tofino SA Diagnostics 17 1 Tofino SA Diagnostics The Tofino SA has the capa
41. 0baseT FD 10baseT w 802 3X flow control 45 End of basic transceiver information 46 47 48 Memory 49 total used free shared buffers cached 50 Mem 62952 17952 45000 0 140 9060 51 buffers cache 8752 54200 52 Swap 0 0 0 SRN NARA inn nna ann POJE Ev PRAP 54 MemTotal 62952 kB 55 MemFree 44992 kB 56 Buffers 140 kB 57 Cached 9060 kB 58 SwapCached 0 kB 59 Active 9288 kB 60 Inactive 1996 kB 61 SwapTotal 0 kB 62 SwapFree 0 kB 63 Dirty 0 kB 64 Writeback 0 kB 65 AnonPages 2100 kB 66 Mapped 1744 kB 67 Slab 3176 kB 68 SReclaimable 752 kB 69 SUnreclaim 2424 kB 70 PageTables 260 kB 71 NFS Unstable 0 kB 72 Bounce 0 kB 73 WritebackTmp 0 kB 74 CommitLimit 31476 kB 75 Committed AS 5200 kB 76 VmallocTotal 958464 kB 77 VmallocUsed 33436 kB 78 VmallocChunk 917500 kB 79 154 INM MTL Tofino Configurator Rev 2 2 Troubleshooting 17 1 Tofino SA Diagnostics 80 Flash 81 Filesystem Size Used Available Use Mounted on 82 rootfs 31 5M 8 1M 23 4M 26 83 The files ending in enc are encrypted files and should be sent to product technical support The eventlogger lt tofino id gt zip and eventlogger lt tofino id gt X zip files are compressed files that contain log files created by the Event Logger LSM After you extract the log files you can open and view them with any event management system or text editor INM MTL Tofino Configurator Rev 2 2 155 Troubleshooting 17 2 Firewa
42. 2 Firewall Rules 7 2 Deep Packet Inspection Firewalls Advanced Opens a new window where you add CIP objects and services Select the Add CIP Filter button to open the Add CIP Object window From the drop down list select a CIP object and then select the CIP services codes that you want to allow Add a comment if desired You can add as many CIP objects as needed to one firewall rule To include specific types of CIP Services select Also Include CIP Services and then select the appropriate option Read Only Data or Read Write Data Click OK Allow Embedded PCCC This is useful when securing network traffic to PLC 5 and MicroLogix controllers To have the Tofino SA inspect PCCC messages that are embedded within EtherNet IP select Allow Embedded PCCC This is useful when securing network traffic to PLC 5 and MicroLogix controllers Note You can use the Tofino SA in test mode to determine if an option is suitable for your application A CAUTION LOSS OF COMMUNICATION OR PROCESS VIEW Select the EtherNet IP Debug option only when you are using the product in a test environment Failure to follow these instructions can result in injury or equipment damage INM MTL Tofino Configurator Rev 2 2 83 Firewall Rules 7 2 Deep Packet Inspection Firewalls L To have the Tofino SA validate that the EtherNet IP command layer adheres to the ODVA specification select Sanity Check Validati
43. 239 192 22 121 is often used in EtherNet IP networks while 234 5 6 7 is often used with Fault Tolerant Ethernet Systems This is required if you wish to provide multicast filtering rules in the Firewall LSM AA INM MTL Tofino Configurator Rev 2 2 Assets 6 1 Asset Templates 6 1 Asset Templates An asset template is a tool to help you create multiple assets quickly It contains predefined fields that can be used to rapidly create similar assets For example if you have ten PLCs in your plant that are a similar make and model you can create an asset template or use a pre existing template to represent that type of PLC Then you can quickly generate assets to represent the ten similar PLCs The MTL Tofino Configurator comes with a number of templates preloaded for common automation products You can also import new templates or create templates of your own By selecting a specific asset template in the Project Explorer view you can do the following Create a new asset template Create a folder Create a new asset from the selected template View and edit the asset template s details Delete the asset template The templates that you create appear in the Project Explorer view in the Asset Templates folder You can create a folder hierarchy to organize your templates Use the New Folder feature in the toolbar to create folders You can create a template ina specific folder or you can use the Cut and Paste actions in the toolbar to
44. 7 Firewall Rules 7 2 Deep Packet Inspection Firewalls Note To create and apply an OPC Classic Enforcer rule the OPC Classic Enforcer LSM needs to be licensed for activation in your Tofino SA Without a license for the LSM you can create trial Enforcer rules in the MTL Tofino Configurator however you will be unable to load them into the Tofino SA L Open the General settings page for the Tofino SA you are configuring Check that the Firewall LSM and OPC Classic Enforcer LSM options are selected in the Loadable Security Modules list O Open the Firewall settings page and click Create Rule L Work through the New Firewall Rule Wizard to define a firewall rule with the following settings O On the Rule Type page select Standard rule Click Next O On the Assets page create a firewall rule between two assets Set the direction to Bidirectional to allow OPC callbacks from servers Click Next L On the Protocol page expand the Common Industrial folder and select OPC Classic In the Permission section select Enforcer Note If you select Allow or Deny as the permission setting the Tofino SA will allow or block the OPC traffic between the two assets accordingly without reference to the OPC Enforcer Click Finish The MTL Tofino Configurator creates the Enforcer firewall rule and adds it to the table Configure the firewall settings in the Rule Details section at the bottom of the page 78
45. Asset You may find yourself in the situation where you need to create several assets that are similar to one you already have in your project You can create an asset template from that existing asset This will then allow you to quickly create the additional assets from the template LJ Inthe Project Explorer view locate the asset you want to use as the basis for an asset template View the details to verify that this is the correct asset In the Project Explorer view right click that asset and click Copy Right click the folder where you want the new asset template to reside and click Paste You can place it in the Asset Templates folder or one of the subfolders The asset appears in the specified location In the Project Explorer view click the new asset template to display its details Make any changes necessary so that it can be used to quickly create assets O Click the Save icon in the toolbar OOO O 58 INM MTL Tofino Configurator Rev 2 2 Assets 6 5 Deleting an Asset Delete an asset if it no longer belongs in the current project The assets reside in the Assets folder or in a subfolder In the Project Explorer view locate the asset you want to delete and click it in the tree to select it View the details to verify that this is the correct asset Click the Delete icon in the toolbar If the selected asset is referenced in a firewall rule you will receive a message with three options You can choose t
46. Click Next and Back to move between the pages of the wizard On the Start Installation page of the wizard review the settings you selected 18 INM Tofino Configurator Rev 2 2 Installing Your MTL Tofino Configurator The installer is ready to install MTL Tofino configurator 02 2 01 on your computer Click Next to begin the installation or Back to change the current settings listed below Current settings Destination folder C Program Files x86 MTL MTL Tofino configurator 02 2 01 Program folder MTLYMTL Tofino configurator 02 2 01 Create shortcuts on the desktop Install lt Back Next gt Cancel y JB MTL Tofino configurator 02 2 01 Excelsior Installer Sa Start installation raced ETN 4 Clicking Next on this page begins the installation Note To install the MTL Tofino Configurator with the default installation settings click Install in the bottom left corner at any time L To complete the installation click Finish on the final page of the wizard If this is a new installation of the MTL Tofino Configurator the program displays the Activate Your License dialog box INM MTL Tofino Configurator Rev 2 2 19 Installing Your MTL Tofino Configurator Activate Your License Please enter the License Activation Key provided by your sales representative License Activation Key The following information is required to obtain product support First
47. Click the Save icon in the toolbar Note Keep in mind that the Tofino SA does not require an IP address to communicate to a remote syslog server The Tofino SA uses special stealth technology to communicate without having an IP address The syslog server will see the messages coming from the address you entered as the Tofino SA IP Address If nothing is specified in Tofino SA IP Address i e by default syslog server will see the messages coming from 169 254 2 2 INM MTL Tofino Configurator Rev 2 2 93 Event Loggin 8 2 Retrieving Log Files gging 8 2 Retrieving Log Files When the Event Logger is configured to save to the Tofino SA s long term memory you use a USB storage device to retrieve the log files O Power on the Tofino SA for at least one minute L Insert the USB storage device into the USB port O Press the Save Load Reset button once The Save Load LED will illuminate in green After a few seconds the Mode Save Load and Reset LEDs will flash in green in a left to right sequence to indicate the USB Save is in progress When the flashing sequence stops remove the USB storage device If the save was successful the Tofino SA LEDs will revert to the state they were in prior to the save action Note For more details on the USB Save function see Transferring Data from Your Tofino SA via USB on page 104 Insert the USB device into a computer Open the storage device to locate and view the fi
48. Client Permission Log Details J Standard m m OAlow O Rule Details Additional options for the selected firewall rule General Il Rate Limit Burst Limit Description SP Add Rule Profile You can adjust advanced settings such as traffic rate limiting for most rule profiles Additional settings for the selected rule profile are displayed in one or more tabs below the table O Click the Save icon in the toolbar See the reference section Asset and Asset Template Fields for a detailed description of the fields on this page 6 1 2 Deleting an Asset Template Delete an asset template if you no longer need it in the current project The templates reside in the Asset Templates folder and click it in the tree to select it INM MTL Tofino Configurator Rev 2 2 In the Project Explorer view locate the asset template you want to delete View the details to verify that this is the correct template 49 Assets 6 1 Asset Templates L Click the Delete icon in the toolbar A message prompts you to confirm the deletion O Click OK to proceed 50 INM MTL Tofino Configurator Rev 2 2 Assets 6 2 Creating Assets 6 2 Creating Assets To build your asset library you can create assets manually or from existing templates Asset templates contain default asset details allowing you to create similar assets quickly You can also copy and paste an asset or asset template into
49. Configurator Rev 2 2 Advanced Topic Protocols 10 2 Editing Protocols MN UDP TCP Protocol Project Explorer E amp TFTP dp RRAC z 4 SMe Protocol Details SMTP The details describing this protocol 4 SNMP Protocol Name TFTP SNMP Trap Description Trivial File Transfer Protocol SSH Protocol Type 7 UDP esmase mre elni TFTP Ports 69 Ap UPnP TCP Ports canbe entered asa list oF ranges UPnP UDP separated by commas Example 1 2 5 9 Ap VRRP amp WS Discovery 4 WSUS Vendor Specific amp Special Rules z E IP Protocol Project Explorer B 4 43 Fort Sask Control Network 48 Tofino SAs Asset Templates Assets 4 A Protocols 5 Common Industrial 4 5 Common IT fp Any IP Any TCP Any UDP fh ARP DHCP BOOTP DNS Mp FTP fy GARP GMRP HP PDL HTTP HTTPS ICMP fp ICMP Ping Only fp ICMP Redirect IGMP fy P6 z 4 IGMP Protocol Details The details describing this protocol Protocol Name IGMP Description Internet Group Management Protocol Protocol Type Internet Protocol IP IP Protocol 2 INM MTL Tofino Configurator Rev 2 2 111 Advanced Topic Protocols 10 2 Editing Protocols E Ethernet Protocol Project Explorer B 6 ARP 4 5 Fort Sask Control Network a B Tofino SAs Protocol Details Asset Templates E The details describing this protocol Assets 4 A Protocols 5 Common
50. Create Rule in the toolbar The New Firewall Rule Wizard opens Rule Type Select the type of firewall rule you want to create Standard rule Select a special rule type from the list below f Tofino Rapid Network Recovery ons Select the type of rule you want to create standard or special If you are creating a special rule you also select a rule type from the list provided Click Next INM MTL Tofino Configurator Rev 2 2 67 Firewall Rules 7 1 Creating Firewall Rules O Define the assets involved in the firewall rule and click Next Assets Select the assets involved in this firewall rule Asset 1 Direction Asset 2 Interface FS HMI Network z Interface FS Control Network x Any Any IP Address K D IP Address MAC Address MAC Address 0 Select an asset from the list below Select an asset from the list below Name IP Address MAC Address sa Name IP Address MAC Address Fort Sask Main Fort Sask Main a Fort Sask C 192 168 1 0 00 00 00 00 00 00 nd Jasper Fs HMI 00 192168115 00 00 00 00 00 00 Sumas S Fs HMI 00 192168116 00 00 00 00 00 00 Fort Sask Subn 192 1681 255 00 00 00 00 00 00 Fs HMI 00 192168117 00 00 00 00 00 00 Fs PLC 001 192168110 00 00 00 00 00 00 M FS PLC 00 192168111 00 00 00 00 00 00 a FS_SWT_00 1921681250 00 00 00 00 00 00 Jasper Sumas a Fort Sask Subn 192168 1255 00 00 00 00 00 00
51. Explorer view display here This is where you can edit particular values for an object Project Explorer vs Fort Sask Control Network 4 te Fort Sask Control Network 12 Tofino SAs Asset Templates O Special Rules Project Details Details specific to this project file Fort Sask Control Network CUserskkam08261 Desktop Fort Sask Control Project Name Project File Project Revnsore 17 F507 Creator Enebyres Last Modded By karmoB261 Company Fort Sask Pipeline Co Project Protection The protection method for this project License Activation Key Password Change Password Administrator Password Administrat settings for this project Use Administrator Password 2 2 Change Administrator Password Getting Started Work through these steps to set up your project 1 f Define the Tofino SAs Define a Tofino SA for each physical device in the field Y te a new Tofino SA from scratch or discover devices ly configured on the network You will transfer the configurations from the Totimo Configurator to the actual Tofino network Click Tofino SAs in the Project Explorer vsew installed on your 2 4 Define Assets Create objects devices and systems on the contr devices and virtual entities These will be used to cr firewall rules Click Assets in the Project Explorer view 3 Define Firewall Rules Create firewall rules to control Click Firewall under the Tofino SA you want to creste firewall rules
52. INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 2 Deep Packet Inspection Firewalls P FS_TSA_001 Firewall Default rule to allow all ARP traffic ARP is n A An FSHMEN v a FS HMLOLI FS HME N trrseste 3 nee Mrs PICI Mrs Pico O Select the General tab Set rate and burst limits as required L Select the Enforcer tab and configure the rule as follows To have the Tofino SA check that the connection establishment messages are properly formed and follow the RPC specification select Sanity Check To have the Tofino SA check to see if the connection establishment messages have been fragmented select Fragment Check Set the Connection Timeout in seconds This is the amount of time the Tofino SA will wait for an OPC connection after a port has been requested To have the Tofino SA wait indefinitely select the Never Timeout check box Rather than performing a DCOM object request each time they connect to an object some OPC clients perform the object request solely on the first connection They then re use the same TCP port number without performing a new object request on subsequent connections to that OPC data object Use the Never Timeout option so that the firewall doesn t drop subsequent connections Click the Save icon in the toolbar INM MTL Tofino Configurator Rev 2 2 79 Firewall Rules 7 2 Deep Packet Inspection Firewalls 7 2 3 Cr
53. Inthe Project Explorer view expand Protocols and click the folder where you want the new protocol to reside Click Protocols to create the protocol at the top level O Click New Protocol in the toolbar Alternately open the New menu in the toolbar and click Protocol The New Protocol wizard opens Protocol Create a new protocol Name New protocol Description Type fh Ethernet protocol IP protocol Qp UDP TCP protocol TF Fish Guanes L Enter a name and description for the protocol and select the type Click Next On the second page of the wizard you enter specific details for the protocol This page varies depending on the type of protocol selected 108 INM MTL Tofino Configurator Rev 2 2 Advanced Topic Protocols 10 1 Creating a Protocol UDP TCP Protocol Create a new UDP TCP protocol Protocol Type UDP 7 TCP Ports 107 Ports can be entered as a list of ranges separated by commas Example 1 2 5 9 25 lt Back t Cancel L Complete the fields as appropriate for your protocol For a detailed description of these fields see Editing Protocols on page 110 Click Finish The new protocol appears in the Project Explorer view INM MTL Tofino Configurator Rev 2 2 109 Advanced Topic Protocols 10 2 Editing Protocols 10 2 Editing Protocols Selecting a protocol in the Project Explorer view allows you to view and edit its current setti
54. MTL Tofino Configurator Rev 2 2 AUSTRALIA MTL Instruments Pty Ltd 10 Kent Road Mascot New South Wales 2020 Australia Tel 61 1300 308 374 Fax 61 1300 308 463 E mail mtlsalesanz eaton com BeNeLux MTL Instruments BV Terheijdenseweg 465 4825 BK Breda The Netherlands Tel 31 0 76 7505360 Fax 31 0 76 7505370 E mail mtl benelux eaton com CHINA Cooper Electric Shanghai Co Ltd 955 Shengli Road Heging Industrial Park Pudong New Area Shanghai 201201 Tel 86 21 2899 3817 Fax 86 21 2899 3992 E mail mtl cn eaton com FRANCE MTL Instruments sarl 7 rue des Rosi ristes 69410 Champagne au Mont d Or France Tel 33 0 4 37 46 16 53 Fax 33 0 4 37 46 17 20 E mail mtlfrance eaton com GERMANY MTL Instruments GmbH Heinrich Hertz Str 12 50170 Kerpen Germany Tel 49 0 22 73 98 12 0 Fax 49 0 22 73 98 12 2 00 E mail mtlgmbh eaton com INDIA MTL India No 36 Nehru Street Off Old Mahabalipuram Road Sholinganallur Chennai 600 119 India Tel 91 0 44 24501660 24501857 Fax 91 0 44 24501463 E mail mtlindiasales eaton com ITALY MTL Italia srl Via San Bovio 3 20090 Segrate Milano Italy Tel 39 02 959501 Fax 39 02 95950759 E mail chmninfo eaton com JAPAN Cooper Crouse Hinds Japan KK MT Building 3F 2 7 5 Shiba Daimon Minato ku Tokyo Japan 105 0012 Tel 81 0 3 6430 3128 Fax 81 0 3 6430 3129 E mail mtl jp eaton com CROUSE HINDS SERIES NORWAY N
55. NICATION OR PROCESS VIEW Select the Modbus Exception option only when you are using the product in a test environment Failure to follow these instructions can result in injury or equipment damage To have the Tofino SA send a Modbus TC exception response if appropriate to the Modbus device that generated a blocked message select Exception Setting this option may make some Windows based client applications unresponsive This can happen when the operating system incorrectly processes TCP reset packages sent when the firewall blocks traffic if those packets also contain additional information When this occurs the TCP IP session remains open leaving the client in a wait state To have the Tofino SA send a TCP reset message to both Modbus devices when it blocks a message select Reset This can keep session from locking up Click the Save icon in the toolbar 7 2 2 Creating an OPC Classic Enforcer Rule The Tofino OPC Classic Enforcer Loadable Security Module LSM inspects tracks and helps to secure every connection that is created by an OPC application It dynamically opens the TCP ports that are required for each connection and between the specific OPC client and server that created the connection No configuration changes are required on the OPC clients and servers and it is more secure than conventional firewall or tunneler solutions INM MTL Tofino Configurator Rev 2 2 7
56. SAs There are three types and directions of traffic that pass between the MTL Tofino Configurator and Tofino SAs TCP Port 6689 MTL Tofino Configurator to Tofino SA UDP Port 6689 MTL Tofino Configurator to Tofino SA UDP Port 6689 Tofino SA to MTL Tofino Configurator INM Tofino Configurator Rev 2 2 144 Reference Field Descriptions 16 1 Tofino SA Fields Loadable Security Modules LSMs The Loadable Security Modules LSMs section displays the LSMs active for the selected Tofino SA A key icon to the left of the LSM indicates that the Tofino SA is licensed to use that LSM The check box to the left of the LSM indicates that this LSM has been activated If you activate an LSM that is not licensed you can configure the features associated with this unlicensed LSM However if you do this you need to purchase a license for that LSM to successfully apply the Tofino SA configuration to the Tofino SA device INM MTL Tofino Configurator Rev 2 2 145 Reference Field Descriptions 16 2 Asset and Asset Template Fields 16 2 Asset and Asset Template Fields FS HMI 001 General Communications The general settings for this asset The communication settings for this asset Name FS HMI 001 IP Address 192 168 1 15 Type Computer Subnet Mask _ 2 5 Description Main Pump Station HMI 1 MAC Address 00 00 00 00 00 00 Manufacturer Schneider Model CitectSCADA General Location Main
57. The Discovery Feature is Not Finding Tofino SAs Unable to Open a Project File Glossary Further Support INM MTL Tofino Configurator Rev 2 2 121 122 123 124 126 128 133 135 136 137 139 140 146 151 152 156 157 159 160 160 162 163 165 169 INM MTL Tofino Configurator Rev 2 2 About this Manual About this Manual The MTL Tofino Configurator User Manual contains the information you need to start operating the MTL Tofino Configurator It takes you from installation through to configuring your Tofino Security Appliances This manual contains a device description safety instructions a description of the display and the other information that you need to install and operate the program The MTL Tofino Configurator User Manual requires you to be familiar with the Tofino Firewall Installation Manual Maintenance We are continually working on improving and developing our software Check regularly whether there is an updated version of the software that provides you with additional benefits You can find more information and software downloads on our website at www mtl inst com INM MTL Tofino Configurator Rev 2 2 About this Manual INM MTL Tofino Configurator Rev 2 2 Key Key The designations used in this manual have the following meanings List Work step Subheading Link Cross reference with link Note A note emphasizes an important fact o
58. Type Z Any FS HMI Network 4 gt Any FS Contro fh ARP O Allow O Stand MI Any FSHMI Network p I Fs PLc_oo1 FS Contro DHCP BOOTP Allow O stand M IE Fs HMLOL FSHMINetwork Fs PLCO0I FSContro QMODBUS TCP Enforcer Stand Z E Fs HMLO001 FSHMINetwork FS PLC 001 FS Contro HTTP allow Stand izi Any FS HMI Network gt W Fs PLC 001 FS Contro lt none gt O Deny A o drsc Z Any FS HMI Network gt W Fs PLC 001 FS Contro lt none gt Deny WM ASe izi IB Fs HMLO11 FSHMINetwork gt W Fs PLC o11 FS Contro OPC Classic O Enforcer C Stand di IB Fs HMLo12 FS HMI Network W Fs PLC o11 FS Contro EtherNet IP CIP Q Enforcer Stand 4 mi Keep in mind that the first rule in the Tofino SA that matches is applied to the packet not the rule that is the most appropriate match Based on this set the more specific rules at the top of the list followed by the more general rules This helps to prevent a general rule being matched before hitting a more specific rule There are certain exceptions to this strategy for example rules using MAC addresses need to be evaluated before rules using IP addresses The MTL Tofino Configurator advises you if this is required d Create Rule MoveUp Move Down 3 Hep amp FS TSA 001 Firewall MAC address based rules are always evaluated before IP address based rules Rule Table The firewall rules configured for this Tofino SA
59. You can order it as a factory loaded option in specific models or you can license it in the field Note To create and apply a Modbus TCP Enforcer rule the Modbus TCP Enforcer LSM needs to be licensed for activation in your Tofino SA Without a license for the LSM you can create trial Enforcer rules in the MTL Tofino Configurator however you will be unable to load them into the Tofino SA Open the General settings page for the Tofino SA you are configuring Check that the Firewall LSM and Modbus TCP Enforcer LSM options are selected in the Loadable Security Modules list Open the Firewall settings page and click Create Rule INM MTL Tofino Configurator Rev 2 2 73 Firewall Rules 7 2 Deep Packet Inspection Firewalls L Work through the New Firewall Rule Wizard to define a firewall rule with the following settings O On the Rule Type page select Standard rule Click Next L On the Assets page create a firewall rule between two assets Set the direction so that it is FROM the Modbus Master TO the Modbus Slave The Bidirectional option is not an appropriate selection for the Modbus TCP Enforcer LSM Click Next L On the Protocol page expand the Common Industrial folder and select either Modbus TCP or Modbus UDP In the Permission section select Enforcer Note If you select Allow or Deny as the permission setting the Tofino SA will allow or block the Modbus TCP traffic between the two
60. age 6 2 2 Creating an Asset from a Template Use a template to quickly create an asset with default values already completed 54 INM MTL Tofino Configurator Rev 2 2 Assets 6 2 Creating Assets Assets created from a template are placed in the Assets folder in alphabetical order You can reorganize the assets into specific folders as needed In the Project Explorer view expand Asset Templates and locate the template you want to use to create an asset L Click the asset template to select it and click New Asset from Template in the toolbar The New Asset wizard opens with default values populating some of the fields completed Asset Create a new asset Name New Asset From Tofino Configurator Type Computer Description Represents a different TC that traffic needs to pass through Manufacturer Tofino Security Model Tofino Configurator General Location Specific Location Asset Tag Finish na O Change the entry in the Name field to identify the asset you are creating L Complete the remaining fields to identify the asset optional Click Next O Enter an IP address and or a MAC address for this asset This information will be used by the MTL Tofino Configurator when creating firewall rules for this asset Click Finish The program adds the new asset to the Assets folder in the Project Explorer view The Rule Profiles table displays any rule profiles confi
61. all Rule Wizard uses this information to automatically create rules for the asset For more information see Rule Profiles To open the New Rule Profile Wizard click Add Rule Profile beneath the Rule Profiles table 48 Select the type of rule you want to create standard or special If you are creating a special rule you also select a rule type from the list provided Click Next Define the rule profiles O Expand the folders and select the protocols you want to use Use SHIFT click to select a range of protocols use CTRL click to select multiple protocols out of sequence The MTL Tofino Configurator creates a rule profile for each protocol selected O Set the permission This tells the firewall what to do with a packet that matches the rule profile allow it to pass Allow or stop it from passing Deny The Enforcer option inspects and filters the traffic using Deep Packet Inspection This option is appropriate solely for the Enforcer protocols INM MTL Tofino Configurator Rev 2 2 Assets 6 1 Asset Templates L To create a log each time the rule is triggered select the Enable Logging check box O Click Finish The profiles created appear in the Rule Profiles table L Select the rule protocol in this table and finish configuring it in the Rule Details section Rule Profiles The rule profiles associated with this asset Protocol Type MODBUS TCP Server
62. alues given to required to match Modbus Advanced Filters Function Code Yes Function Codes common to both assets will be used Range Yes Ranges for Function Codes common to both assets will be used Comment No Both The comments from both assets are combined EtherNet IP CIP Services No The most Read Only Data most restrictive lt restrictive group Read Write Data lt Advanced lt Any takes precedence least restrictive If both assets have Advanced CIP Services see the EtherNet IP Advanced Filters section in this table Sanity Check No Enabled Reset No Enabled Debug No Enabled EtherNet IP Advanced Filters Object Yes Objects common to both assets will be used Service Yes Services common to both assets will be used Comment No Both The comments from both assets are combined OPC Classic Sanity Check No Enabled Fragment Check No Enabled Connection Timeout No Lowest A checked Never Timeout is considered the highest connection timeout setting INM MTL Tofino Configurator Rev 2 2 119 Advanced Topic How Automatic Rule 10 3 Deleting a Protocol Generation Works 120 INM MTL Tofino Configurator Rev 2 2 Advanced Topic MTL Tofino 10 3 Deleting a Protocol Configurator Settings 13 Advanced Topic Tofino Configurator Settings You can update and customize the following aspects of your MTL Tofino Configurator Licensing See Adding LSM Licenses on page 122 User permissions See Managing User Loggi
63. are Code FW EL N EIP OPC MB O Hardware Type 00000 O Mode TEST O Tofino SA Revision 1 2F39 O Project Fort Sask Control Network O Project Revision 4 9AE7 Created By blearn 4 Failure 4 FS_TSA_002 O Firmware Version Unknown Model Unknown O Firmware Code Unknown Hardware Type Unknown Mode Unknown Tofino SA Revision 0 Unkn O Project Unknown O Project Revision 0 Unkn Created By Unknown Error Unable to establish a connection All connection attempts timed out The Verified Configuration Revision Hardware Type and Firmware Version for the verified Tofino SAs will be updated in the project file You can view the verification information on the General settings page for each Tofino SA INM MTL Tofino Configurator Rev 2 2 103 Applying and Verifying Configurations 9 3 Transferring Data from Your Tofino SA via USB 9 3 Transferring Data from Your Tofino SA via USB The Save Load Reset button on the Tofino SA provides three functions depending on the number of times it is pressed Once Saves diagnostics files and log files to a USB storage device Twice Transfers configuration files from a USB storage device Three times Performs a factory reset and returns the Tofino SA back to its default state as shipped from the factory You use the USB Save function pressing the button once to copy diagnostics and validation files from the Tofino SA to the USB storage device Y
64. ation Select the Tofino SA s you want to verify and the appropriate transport method Name Transport Method Restrictions 7 FS TSA 001 V FS TSA 002 FS TSA 003 FS TSA 008 Check All Uncheck All Network USB Drive Location C Users kxm08261 Desktop Browse 7 Use as default location aa O Confirm that the Tofino SAs you want to verify are selected in the list O Select the method you want to use to transfer the configuration to the Tofino SA Network or USB Drive Note You may be unable to change the transport method specified in this dialog box The Communications section on the General settings page determines how the MTL Tofino Configurator can communicate with the Tofino SA in the field When the transport method is set to USB Drive insert into your computer the USB storage device that you used to load the configuration onto the Tofino SA in the field Click Browse and select the USB drive location Click the Use as default location check box to save the selected location as the default for the next time you perform this action Click Finish The verification data will be displayed and logged by the MTL Tofino Configurator INM Tofino Configurator Rev 2 2 102 Applying and Verifying Configurations 9 2 Verifying a Tofino SA Configuration Verification Results a 7 Successfull 4 2 FSTSA 001 O Firmware Version 02 0 00 O Model O Firmw
65. be required to move the project file or change the project protection settings Cancel Create a password that is at least 6 characters long and includes uppercase lowercase and special characters box opens Click Save INM Tofino Configurator Rev 2 2 Click Finish The project is created but has not yet been saved Click the Save icon in the toolbar The standard Windows Save As dialog Select a location on your computer to store the project file and enter a name for the project The filename will be appended with tpf 25 Projects 4 2 Opening an Existing Project 4 2 Opening an Existing Project You can open an existing project file when you start the MTL Tofino Configurator or you can open a project from within the application LJOn the start up screen click Open Project Tofino Configurator Project Selection Create a new project or open an existing project Ej Create New Project Open Project Gy C Users kam08261 Desktop Fort Sask Control Network v9 tpf Za CAUsers loomn08261 Desktop ABC Environemtnal Project tpf Ey CAUsers koem08261 Desktop Norther Area Network Systems tpf Set this as the default project and do not ask again For convenience the start up screen displays the last six projects opened If the project you want to open appears in this list click it to load the project Note Once you set a default project that project
66. bility to save diagnostics files to a USB storage device for troubleshooting purposes You can view these files with a standard text editor or send them to technical support for analysis To create these files you need to perform a USB Save L Power on the Tofino SA for at least one minute O Insert the USB storage device into the USB port O Press the Save Load Reset button once The Save Load LED will illuminate in green After a few seconds the Mode Save Load and Reset LEDs will flash in green in a left to right sequence to indicate the USB Save is in progress When the flashing sequence stops remove the USB storage device L If the save was successful the Tofino SA LEDs will revert to the state they were in prior to the saving action L Send copies of these files to technical support for analysis Note The following version 2 0 USB storage devices are known to work Kingston Data Traveler SanDisk Cruzer Sony Microvault Lexar and Hirschmann ACA21 Other brands and models may work but have not been tested Only USB devices formatted as FAT or FAT32 are compatible The Tofino SA Fault LED will flash twice when it detects an invalid storage device Interpreting Diagnostics Files If the USB Diagnostics Save is successful there will be files on the USB storage device similar to this lt tofino id gt is replaced with the actual ID of the Tofino SA lt tofino id gt _tc_data Verification data indicating if the
67. building blocks for your security design The following types of objects can be imported Asset templates Protocols Special rules Security profiles Importing asset templates protocols or special rules allows you to update existing definitions or add new ones to your project Importing new versions of asset templates protocols or special rules will not automatically update the rules in your firewalls Security profiles are predefined combinations of asset templates special rules and protocol definitions bundled into a single security profile file tsp They allow you to import the related objects needed to help secure PLCs DCS and other devices against published vulnerabilities as a single file Note If the asset templates or the security profiles in an imported file reference protocols or special rules these will be imported during the import operation To import a predefined object follow these steps O Click the Import icon in the toolbar L Select the type of object you would like to import Click Next Click Browse Locate and select the object file Click Finish INM MTL Tofino Configurator Rev 2 2 115 Advanced Topic Importing Templates and Security Profiles n e H llu Project ri e 4 Fort Sask Control Network A Tofino SAs Asset Templates Assets E Protocols amp Special Rules Select 4 Import one or more special rules into the active project Sele
68. bus TCP Enforcer LSM checks every Modbus command and response against a list of allowed commands defined by your controls engineer Any command that is not on the allowed list or any attempt to access a register or coil that is outside the allowed range will be blocked and reported It also filters traffic based on the validity of the Modbus TCP messages screening out messages that have been either deliberately or accidentally malformed OPC Classic Enforcer LSM The Tofino OPC Classic Enforcer LSM inspects tracks and helps secure every connection that is created by an OPC application It dynamically opens only the TCP ports that are required for each connection and only between the specific OPC client and server that created the connection It also filters traffic based on the validity of the OPC Classic messages screening out messages that have been either deliberately or accidentally malformed EtherNet IP Enforcer LSM The Tofino EtherNet IP Enforcer LSM checks EtherNet IP explicit messages for CIP objects or services and compares them against selected lists of allowed commands This gives you the capability to restrict traffic to data read only data read write or programming messages to PLC and other devices as required for your security strategy It also filters traffic based on the validity of the EtherNet IP messages screening out messages that have been either deliberately or accidentally malformed Click Finish The new Tofino
69. check that the address is correct Subnet Mask The subnet mask is used by the Tofino SA in conjunction with the IP address to identify the computers or devices that are part of a local or subnetwork A subnet mask is a 32 bit number that is notated by using four numbers from 0 to 255 separated by periods Typically subnet masks use either 255 or 0 for each number such as 255 255 255 0 but other numbers can appear in special cases MAC Address This is the Ethernet MAC or physical address of the asset This is an optional field so can be left blank However if you are creating rules for non IP protocols such as GOOSE then enter a MAC address Rule Profiles When you create an asset you can also specify the protocols that this asset typically uses along with how you want those protocols managed For example you can specify whether the asset uses a protocol as a client i e it initiates the communications or as a server i e it responds to requests from clients The New Firewall Rule Wizard can use this information to automatically create rules for the asset For more information on how rule profiles are used in automatic rule generation see INM MTL Tofino Configurator Rev 2 2 447 Reference Field Descriptions 16 2 Asset and Asset Template Fields The Rule Profiles section contains a table that lists the rule profiles associated with an asset You can set the following options for any rule profile 148 Protocol A list of pr
70. ct an import source type filter tet GF Asset Templates Protocols Special Rule Import Gp Security Profile Import one or more special rules into the active project dc Special Rules From File _C Desktop securityProfile tsp Browse ves Crn nel 116 INM MTL Tofino Configurator Rev 2 2 Advanced Topic How Automatic Rule Generation Works 12 Advanced Topic How Automatic Rule Generation Works The MTL Tofino Configurator offers the ability to automatically generate rules based on the rule profiles associated with a given asset For example if a workstation uses the protocol HTTP as a client i e it initiates the communications to an HTTP server the New Firewall Rule Wizard can use this information to automatically create HTTP rules for the asset to allow it to talk to the server When the option to automatically generate rules is selected the MTL Tofino Configurator will perform a series of checks based on the rule profiles of the assets selected earlier in the wizard If one of the assets has rule profiles and the other has no rule profiles then the rule profiles from the asset with rule profiles will be used to create rules If both of the assets have rule profiles the automatic rule generator will create one rule for every protocol the assets have in common If the assets have no protocols in common a message will display and no rules will be created Similarly no rules will be creat
71. der a Workstation with a browser client is the right asset and a Web Server is the left asset with the direction set to Left This would allow the Workstation to initiate web sessions and the Web Server to respond but the Web Server would be unable to initiate a session Bidirectional The connections can be established by either device Once the connection is established traffic will be able to flow in both directions regardless of the direction set in the rule 66 INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 1 Creating Firewall Rules 7 1 Creating Firewall Rules The MTL Tofino Configurator allows you to create two types of firewall rules Standard rules Special rules Standard firewall rules are designed to allow or deny specific protocols passing through the firewall They let you set the source destination direction permission and rate limits for traffic of a particular protocol type For example if you want to allow Modbus TCP traffic between two devices a standard rule can be used Special Rules are highly complex rules that go beyond simple allow or deny For example a Special Rule could be used to block a subset of a particular type of traffic The available Special Rules can be viewed in the Special Rules folder You will normally use standard rules Use special rules solely in exceptional cases In the Project Explorer view expand the Tofino SA you want to work with and click Firewall Click
72. dministrative changes to the project file such as changing the Project Protection settings attempting to move the project file to a new location or modifying audit log settings When activated users attempting to make these changes are prompted for the administrative password These three options can be used simultaneously For the highest level of project security activate all three options and use different passwords for the Project Protection and the Administrator passwords To help stop unwanted access to the project file limit the distribution of the Administrator Password INM MTL Tofino Configurator Rev 2 2 125 Advanced Topic MTL Tofino Configurator Settings 13 2 Managing User Logging Access and Privileges 13 2 2 Managing User Activity Logging and Privileges within a Project User Identification and User Privileges for the MTL Tofino Configurator are based on the Windows Account Management system The MTL Tofino Configurator continuously checks the active account name on the computer running the MTL Tofino Configurator software as well as the Windows access rights to the project file It then uses this information to log user activity and determine whether a user is permitted to configure a project or solely view it To accurately log user activity each user should be required to have a unique user account on the computer where the MTL Tofino Configurator is located When a user makes key changes to a project th
73. dvanced Topic MTL Tofino 13 3 Customizing Program Settings Configurator Settings and Preferences 13 3 Customizing Program Settings and Preferences The Preferences command allows you to view and edit preferences that are not project specific O Open the Preferences menu and click Preferences The Preferences dialog box opens There are three categories listed in the side panel Audit Help Project Audit Preferences The Audit page allows you to set the maximum size of the audit file and specify where it is stored O Click Audit in the side panel type filter text Audit X Audit Help Projects NOTE An application restart is required for these changes to take effect 7 Log audit events to file Maximum audit log file size in bytes 10485760 Audit log file location C ProgramData Tofit Browse Restore Defaults Apply e Coa LJ Click the Log audit events to file check box to enable logging O Specify the maximum size of the log file in bytes O Click Browse and select where you want to store the log files LJ Click Apply to save the settings 128 INM MTL Tofino Configurator Rev 2 2 Advanced Topic MTL Tofino 13 3 Customizing Program Settings Configurator Settings and Preferences Help Preferences The Help page allows you to select how MTL Tofino Configurator help content is displayed on your computer For example you can select whether the help is displayed in a MTL Tofino
74. e You can set a specific project file as the default project so that it automatically opens every time you start the MTL Tofino Configurator After you do this the start up screen will no longer appear You set and clear the default project with the Preferences feature see Customizing Program Settings and Preferences on page 128 INM MTL Tofino Configurator Rev 2 2 21 Projects 3 1 Running the MTL Tofino Configurator Installer Once you load a project file you can view the project details and protection information This includes the project name the name and location of the project file on the computer the revision number of the project the users who created and last modified the project file the company name the project protection settings and the administrator protection setting gre Hd ju x OHep Project Explorer le Fort Sask Control Network le Fort Sask Control Network D Tolino SA Project Details Getting Started T Detars specilu to thes project file Work through these steps to set up your project Asset Templates B Assets Project Name Fort Sask Control Network 1 i Define the Tofino SAs Define a Tofino SA for each 9 Protocols Project File C Users lernd8251 Desktop Fort Sask Control physical device in the field You can create a new Tofino SA Special Rules from scratch or discover devices already configured on the Ss Project Revision 17 8502 network You will transfer the configuration
75. e Windows user name for the active account will be recorded in the audit logs ii K Timestamp Mar 4 2014 10 29 40 AM Mar 4 2014 10 31 11 AM Mar 4 2014 10 31 11 AM Mar 4 2014 10 32 04 AM Mar 4 2014 10 32 04 AM Mar 4 2014 10 33 49 AM Mar 4 2014 10 34 23 AM Mar 4 2014 10 34 23 AM User km08080 km08080 km08080 km08080 km08080 km08080 km08080 km08080 Message Project file C Users km0808 Project file C Users km0808 Tofino SA has been created Tofino SA has been created Project file C Users km0808 Project file C Users km0808 New project created Project file C Users km0808 Project Name Northern Area Network Systems Northern Area Network Systems Northern Area Network Systems Northern Area Network Systems Northern Area Network Systems Northern Area Network Systems Fort Sask Network Fort Sask Network Project Revision TofinoID 3 0x8D40 4 DFC 4 DFC 5 OxF8ED 5 OxF8ED 5 OxF8ED 1 OxABF6 1 OxABF6 00 00 00 00 00 00 00 00 Mar 4 2014 10 34 28 AM km08080 Project file C Users km0808 Fort Sask Network 1 OxABF6 4 m 7 478 Audit Events 253 117 Bytes To limit access to project functions by giving users View Only i e Read Only or Configuration i e Read Write permissions the system administrator should set Windows user permission on either the Tofino Project File tpf or on the folder in which the project
76. e field as determined by the last verification Unconfigured The configuration has either not been loaded onto the Tofino SA or has not been verified Verified A configuration was successfully loaded onto the Tofino SA and the Verify command was run to read the results back into MTL Tofino Configurator Failed The last attempt to apply a configuration to this Tofino SA was unsuccessful Latest Configuration Revision The number of the current version of this Tofino SA s configuration in this project file along with a specially calculated hash code to reduce the chance of accidental duplication of revision numbers The configuration revision number is incremented each time you modify the settings of the Tofino SA and the project is saved This is calculated separately from the Project Revision number by the MTL Tofino Configurator Verified Configuration Revision The number of the last version of this Tofino SA s configuration This value is returned from the Tofino SA when you verify its configuration There is also a specially calculated hash code to reduce the chance of accidental duplication of revision numbers If the Verified Configuration Revision is different than the Latest Configuration Revision then the Tofino SA in the field may contain an outdated configuration INM MTL Tofino Configurator Rev 2 2 Reference Field Descriptions 16 1 Tofino SA Fields Hardware Type This field is updated by the Ver
77. eating an EtherNet IP Enforcer Rule The EtherNet IP Enforcer LSM is an advanced Deep Packet Inspection firewall for the EtherNet IP protocol It is specifically designed to increase the level of security on CIP explicit messaging network traffic It allows you to filter traffic based on specific CIP objects or services and the validity of the EtherNet IP messages The EtherNet IP Enforcer can also be configured to inspect PCCC messages that are encapsulated within CIP objects This is useful when securing communications to PLC 5 or MicroLogix controllers To perform EtherNet IP Deep Packet Inspection on CIP and PCCC messages select the Enforcer option on the applicable firewall rules Note To create and apply an EtherNet IP Enforcer rule the EtherNet IP Enforcer LSM needs to be licensed for activation in your Tofino SA Without a license for the LSM you can create trial Enforcer rules in the MTL Tofino Configurator however you will be unable to load them into the Tofino SA Some control products such as older Rockwell PLCs may be configured to use protocols like CSPv4 rather than EtherNet IP for Ethernet based communications You can enable these messages to pass through the firewall without Deep Packet Inspection The EtherNet IP Enforcer helps secure CIP Class 3 explicit messages Enforcer firewall rules do not process CIP implicit messages such as I O communications If you are setting up a firewall that filters implicit messages
78. ed return to the 88 General settings page set the mode to Operational and load the final configuration into the Tofino SA INM MTL Tofino Configurator Rev 2 2 Event Logging 7 4 Using Tofino Test Mode to Validate Firewall Rules 8 Event Logging The Event Logger LSM is a security module used to provide external alarm and event logging for the Tofino SA to a syslog server It offers two methods for saving event logs Via the syslog protocol to forward Tofino SA exception events to a remote syslog server Saving exception events to the long term memory in the Tofino SA for offloading via USB storage device INM MTL Tofino Configurator Rev 2 2 89 Event Logging 8 1 Setting up the Event Logger 8 1 Setting up the Event Logger Configure the Event Logger page to specify the type of events you want to collect in the log files and how you want to store the files Note To activate event logging the Event Logger LSM needs to be licensed for activation in your Tofino SA Without a license for the LSM you can create a trial logging configuration in the MTL Tofino Configurator however you will be unable to load them into the Tofino SA L Open the General settings page for the Tofino SA you are configuring Confirm that the Event Logger LSM is selected in the Loadable Security Modules list LJ In the Project Explorer view click Event Logger beneath the Tofino SA you are working with 90 INM Tofino Configurator R
79. ed 0 overruns 0 carrier 0 7 collisions 0 txqueuelen 100 8 RX bytes 419084 409 2 KiB TX bytes 586268 572 5 KiB 9 20 secured IF ifconfig 21 ethl Link encap Ethernet HWaddr 00 80 63 73 77 65 22 inet6 addr fe80 280 66ff fe04 652d 64 Scope Link 23 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 24 RX packets 15 errors 0 dropped 0 overruns 0 frame 0 25 TX packets 716 errors 0 dropped 0 overruns 0 carrier 0 26 collisions 0 txqueuelen 100 27 RX bytes 846 846 0 B TX bytes 95002 92 7 KiB 28 29 unsecured IF Settings 30 Basic registers of MII PHY 0 000 782d 0013 7all Olel 45e1 0005 6001 31 The autonegotiated capability is 0le0 32 The autonegotiated media type is 100baseTx FD 33 Basic mode control register 0x1000 Auto negotiation enabled 34 You have link beat and everything is working OK INM MTL Tofino Configurator Rev 2 2 153 Troubleshooting 17 1 Tofino SA Diagnostics 35 Your link partner advertised 45e1 Flow control 100baseTx FD 100baseTx 10baseT FD 10baseT w 802 3X flow control 36 End of basic transceiver information 37 38 secured IF Settings 39 Basic registers of MII PHY 1 1000 782d 0013 7all Olel 45e1 0005 6001 40 The autonegotiated capability is 0le0 41 The autonegotiated media type is 100baseTx FD 42 Basic mode control register 0x1000 Auto negotiation enabled 43 You have link beat and everything is working OK 44 Your link partner advertised 45e1 Flow control l00baseTx FD OObaseTx 1
80. ed by an OPC application Dynamically opens only the TCP ports that are required for each connection between the specific OPC client and server Checks to determine if each packet is properly formed and follows the RPC and OPC specifications Checks to determine if OPC session connection requests are fragmented Can be directed to block messages that are not properly formed or are fragmented 72 INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 2 Deep Packet Inspection Firewalls The EtherNet IP Enforcer LSM provides security features for managing EtherNet IP and CIP traffic This LSM does the following Checks to determine if each packet conforms to the protocol specification and then allows or rejects this packet accordingly Allows you to specify what classes of EtherNet IP traffic are permitted such as data read only data read write or programming messages Allows you to specify CIP classes and services that should be allowed or denied by the Tofino SA Allows embedded PCCC The Tofino SA model and the installed LSM licenses determine the Enforcers available in the Tofino Configurator 7 2 1 Creating a Modbus TCP Enforcer Rule The Modbus TCP Enforcer LSM is an advanced Deep Packet Inspection firewall for the Modbus TCP protocol It allows you to filter traffic based on specific Modbus function codes register ranges and the validity of the Modbus messages The Modbus TCP Enforcer LSM is an optional loadable security module
81. ed if the assets have a protocol in common but are either both clients or both servers Finally since two assets may have different rule profile settings for the same protocol the MTL Tofino Configurator will use a series of priorities to determine what the final rule should be The following table shows how these conflicts are resolved If a field is required to match and the rule profiles of the two assets do not match on that field then no rule will be created If the fields do match then the value of that field will be used for the new rule to be created If a field is indicated as not having to match then the priority describes how the value of the field in the resulting firewall rule is determined For example if the assets have different values for the Rate Limit then the lowest rate limit will have priority and will be used in the resulting firewall rule Alternatively if the two rule profiles both have comments that are different the automatic rule generator will combine the comments in the resulting rule INM MTL Tofino Configurator Rev 2 2 117 Advanced Topic How Automatic Rule Generation Works The following table shows the correlation between rule profiles and the resulting rules Field Are rule If values do not Notes profile match priority is values given to reguired to match Special Rule Type Yes Special Rules that lock assets cannot be used for ru
82. etwork Define assets for your project These objects represent both real network entities such as HMIs and PLCs and virtual entities such as Broadcast Addresses and subnets on your network They are used to simplify tasks like creating firewall rules Define firewall rules for your Tofino SAs These use the assets you created earlier along with predefined protocols and special rules that are supplied with the MTL Tofino Configurator to determine what network traffic the Tofino SA will allow or block The various Deep Packet Inspection DPI Enforcer modules are accessed through the Firewall selection O Configure the Event Logger optional Enter the details for your syslog server where you want Tofino SA alarms and events sent You can also configure the Tofino SA to save logs locally on the Tofino SA for later offloading via a USB storage device LJ Install your Tofino SA hardware The Tofino SA gets installed on the network between the device s to be protected and the rest of the network L Apply the configuration settings to the Tofino SAs in the field Depending on the options you have purchased you can transfer the configuration data from the MTL Tofino Configurator to the Tofino SA s over the network or using a USB storage device L Verify the configuration Retrieves the configuration load reports sent over the network or from the USB storage device that was used to load configurations onto one or more Tofino SAs
83. ev 2 2 Event Logging 8 1 Setting up the Event Logger dre Hr u Project Explorer 4 HE My Project 5 amp New Tofino SA Event Logger 4 Tofino SAs Event Logger Settings Syslog Address Discovery The communication settings for contacting your syslog server The address from which sy gt New Folder Syslog Server IP Address 0 0 a 0 0 Tofino SA IP Address a New Tofino SA Default Gateway 0 A 0 0 E 0 Tofino SA Subnet Mask i General Destination Port 514 5 Bai Event Logger Lowest Priority Logged 5 Notice normal but significant condition Firewall Asset Templates E Assets G Protocols amp Special Rules L Complete the fields in the Event Logger Settings section to specify the information to be captured and where the files should be stored Syslog Server IP Address This is the address of the syslog server where you would like your logs sent To disable the remote syslog feature set this field to zeros Default Gateway This is the IP address of the forwarding router on the network where the Tofino SA is located This is required when the syslog server is on a different network than the Tofino SA If the syslog feature is not being used or if the Tofino SA and the syslog server are on the same subnet set this field to zeros Destination Port This is the UDP port number your syslog server is listening for log messages on usually port 514 To disable the syslog feature leave this field b
84. evices and systems on the control network An asset can represent a physical device such as a PLC a computer or network equipment It can also represent a virtual asset such as a broadcast address range a network or a multicast address This provides flexibility when creating firewall rules By selecting a specific asset in the Project Explorer view you can do the following Create a new asset manually Create a folder View and edit the asset s details Create an asset template from the selected asset Delete an asset You can create a new asset manually or from a template Computer Controller Device and Network Equipment Assets Most assets used in the MTL Tofino Configurator are real devices These typically use messages known as Unicast messages A Unicast message is network traffic directed from a specific device to another specific device When you define an asset to be a computer controller device or network equipment the MTL Tofino Configurator assumes it is a physical device on your network and helps create rules appropriate for that type of device Network Assets Network assets are a virtual representation of the devices contained in a specific network or subnetwork When you define an asset to be a network the MTL Tofino Configurator assumes it is a collection of devices on your network that belong to a group of IP addresses known as a subnet Thus if you use a network asset in a rule the MTL Tofino Configurato
85. fic to pass through these devices See Communications for more information When working with multiple Tofino SAs you may want to organize them in folders You can create the folder hierarchy before you discover the devices or when you enter the scan details To create folders prior to configuring the scan settings use the New Folder feature in the toolbar Select Tofino SAs or an existing folder in the Project Explorer view to display this button LJ In the Project Explorer view expand the Tofino SA you are working with and click Discovery On the Tofino Discovery page you configure a scan on the left side of the page On the right side you view the progress and results of the scan ri e M a x Onep Project Explorer Tofino Discovery For rol Network Configuration The BP address range for this scan Start IP 1 0 o Eng IP 23 255 255 Destination Folder 8 Tofino S s Continuous Scan Reset O In the Start IP and End IP fields enter the starting and ending IP addresses for the range you want to scan The number of addresses to be scanned and the estimated runtime is calculated and displayed in the Results section 38 INM Tofino Configurator Rev 2 2 Tofino SAs 5 1 Defining the Tofino SAs Note When setting scan ranges it is helpful to keep them as small as possible as scanning is deliberately slow so that it does not impact the process network in any way One scan message is
86. file is located The MTL Tofino Configurator then limits access to project functionality to View Only Read Only or Configuration Read Write permissions based on these file or folder permissions For example if a user s account is given read only access to the folder where a project file is stored then the MTL Tofino Configurator will also give the user read only access to project tasks These settings extend beyond basic file management they can keep an unauthorized user from loading a new configuration into the Tofino SA 126 INM MTL Tofino Configurator Rev 2 2 Advanced Topic MTL Tofino 13 2 Managing User Logging Access Configurator Settings and Privileges The file permissions can be set as follows L Locate the folder on your computer where the project file tpf resides This can be on the local computer or a file server L Right click the folder or the project file and select Properties L Navigate to the Security tab L Set the advanced permissions for a specific user or group Confirm that View Only users are not included in any Windows permission groups that allow Full Control Modify or Write access Also check that View Only users do not have administrative rights in the project or on the computer that would allow them to change either the project file permissions or file locations Refer to the Windows documentation for details on setting user permissions INM MTL Tofino Configurator Rev 2 2 427 A
87. fino SA INM MTL Tofino Configurator Rev 2 2 135 Upgrading Your Tofino SA 15 1 Upgrading over the Network 15 1 Upgrading over the Network Perform your Tofino SA upgrade over the network when your device is licensed and activated to use the NetConnect LSM O In the Project Explorer view click Tofino SAs L To open the Tofino SA Update Wizard click Firmware Update in the toolbar Select Tofino SA Select the Tofino SAs you want to update FS TSA 001 FS TSA 002 FS TSA 003 FS TSA 008 Check All Uncheck All Cancel O Select the Tofino SAs that you want to update and click Next Selecting a folder also selects the Tofino SAs within that folder Click Browse Locate and select the tfo upgrade file provided to you LIClick Finish The MTL Tofino Configurator displays a confirmation dialog box LITo proceed with the update click Yes The Verification Results dialog box lets you know the verification is complete It indicates the upgrade was successful or lists any errors detected Click OK to close this window Note The purpose of firmware updates is to bring previously purchased Tofino SAs to the latest software level This update does not enable or license new LSMs on Tofino SA hardware To activate new LSMs see Adding LSM Licenses 136 INM MTL Tofino Configurator Rev 2 2 Upgrading Your Tofino SA 15 2 Upgrading via USB Upgrade a Tofino SA
88. firewall then the first 100 will be allowed followed by another 25 packets per second after that Other packets will be dropped Direction Right Left Bidirectional The arrow in the rule table indicates which device establishes a connection between the two nodes The direction indicator does not refer to packet flow For example ifa Human Machine Interface HMI is using Modbus TCP to request data from a PLC the HMI will be the device initially setting up the communications connection Once the connection is established then packets will flow in both directions Another way of thinking about this is to consider a normal telephone system The person dialing the phone number Person 1 is the one setting up i e establishing the connection Once the other person Person 2 answers the phone then speech can flow both ways INM MTL Tofino Configurator Rev 2 2 65 Firewall Rules 6 5 Deleting an Asset There are three direction options for a Tofino Firewall LSM Right Connections can be established by the left asset as defined in the rule table and will flow to the right Example Consider an HMI is the left asset and a PLC is the right asset with the direction set to Right This would allow the HMI to initiate the connection and the PLC to respond but the PLC would not be allowed to initiate a session Left Connections can be established by the right asset as defined in the rule table and will flow to the left Example Consi
89. for Configure the Event Logger optional Configure the Event Logger LSM to take advantage of external alarm and event logging Specify the type of events you went to collect and where you want to store the log files Click Event Logger under the Tofino SA you want to configure 5 EU Create the configuration After installing the Tofino S s in the field transfer the Tofino SA configuration data to the INM MTL Tofino Configurator Rev 2 2 Introducing the MTL Tofino Configurator The MTL Tofino Configurator has a toolbar that allows you to perform actions on the objects in a project The toolbar contains 3 sections 1 Project edit commands This section appears at the far left of the toolbar and is for commands related to managing project files and their data It includes Create new Projects Assets Asset Templates Protocols or Tofino SAs using a wizard Open an existing project Save and export a project Import predefined Asset Templates Protocols Special Rules and Security Profiles Cut Copy Paste and Delete objects and fields 2 Context commands This section appears in the center of the toolbar and is for commands related to the content that is currently being worked on The commands that appear here change depending on the type of object selected in the Project Explorer view 3 Help and Configuration commands This section appears at the far right of the toolbar and is for Audit Logs
90. gured for the template O Click the Save icon in the toolbar O To relocate the asset to another folder use the Cut and Paste actions in the toolbar See the reference section Asset and Asset Template Fields for a detailed description of the fields on this page INM MTL Tofino Configurator Rev 2 2 55 Assets 6 3 Editing an Asset or an Asset Template 6 3 Editing an Asset or an Asset Template Selecting an asset or an asset template in the Project Explorer view displays the configuration details for the selected item From here you can edit the settings This page includes general information communication parameters and rule profiles The Rule Profiles table displays the rule profiles created for the selected asset or template You can make changes directly on this page in the table and in the Rule Details section LJ In the Project Explorer view click the asset or template you want to edit The configuration details are displayed FS HMI 001 General Communications The general settings for this asset The communication settings for this asset Name FS HMI 001 IP Address 192 168 1 15 Type S Computer Subnet Mask Z s EE v 8 Description Main Pump Station HMI 1 MAC Address 00 00 00 00 00 00 Manufacturer Schneider Model CitectSCADA General Location Main Pump Station Control Room Z Specific Location Right Desk Asset Tag 675849 23 Rule Profiles The rule prof
91. he new project file Edit the filename for the project Click Save OOOOO If an administrator password is set for this project then administrator approval is required to save the project to a new location To continue you need the project s administrator password 30 INM MTL Tofino Configurator Rev 2 2 Projects 4 6 Exporting a Project File The Export feature lets you create a copy of your project file Use this action when you need to send a project file to technical support for troubleshooting assistance This feature allows users with Read Only or Read Write access to the project to export the information to outside projects It also lets users transfer project details to other people such as Technical Support staff without having to provide passwords Sensitive information on your ConneXium Tofino encryption keys is deliberately removed from all export files so the resulting file cannot be used to connect to any Tofino SAs Open the project you want to export Open the Save menu and click Export Select a location on your computer to store the exported file Edit the filename optional Click Save If an administrator password is set for this project then administrator approval is required to save the export file to a new location To continue you need the project s administrator password INM MTL Tofino Configurator Rev 2 2 31 Projects 4 6 Exporting a Project File
92. ic freely during the initial configuration or when its configuration is being updated Firewall rules take effect after completion of the initial configuration or update of the Tofino SA so that network operations are not affected before the full rule set can be applied A typical configuration transfer will finish in approximately 30 seconds 98 INM MTL Tofino Configurator Rev 2 2 Applying and Verifying Configurations 9 1 Applying a Tofino SA Configuration 9 1 1 Loading Your Tofino SA via USB A WARNING UNINTENDED EQUIPMENT OPERATION Follow these configuration loading steps carefully O Power on the Tofino SA for at least one minute O Insert the USB storage device containing the prepared files into the USB port O Press the Save Load Reset button twice The Save Load LED will illuminate in yellow After a few seconds the Mode Save Load and Reset LEDs will flash in yellow in a right to left sequence to indicate the USB Load is in progress O When the flashing sequence stops remove the USB storage device Failure to follow these instructions can result in death serious injury or equipment damage The Save Load Reset button on the Tofino SA provides three functions depending on the number of times it is pressed Once Saves diagnostics files and log files to a USB storage device Twice Transfers configuration files from a USB storage device Three times Performs a factory reset and returns the Tofino SA back
93. icon in the toolbar INM MTL Tofino Configurator Rev 2 2 71 Firewall Rules 7 2 Deep Packet Inspection Firewalls 7 2 Deep Packet Inspection Firewalls A Deep Packet Inspection firewall digs deeper into the protocols to understand exactly what the protocol is being used for After the traditional firewall rules have been applied the Enforcer firewall inspects the content of the contained messages and applies more detailed rules It then makes a more informed decision on what should be allowed and what should be blocked There are multiple Enforcers that you can activate and use each one provides Deep Packet Inspection for a different protocol The Modbus TCP Enforcer LSM provides security features for managing Modbus TCP traffic This LSM does the following Checks to determine if each Modbus packet conforms to the protocol specification and then allows or rejects this packet as appropriate Allows you to specify what classes of Modbus traffic are permitted such as data read only data read write or programming messages Allows you to define specific Modbus functions as well as register or coil locations that should be allowed or denied by the Tofino SA Monitors the state of Modbus TCP connections to determine that incoming messages are expected and in sequence The OPC Classic Enforcer LSM provides security features for managing OPC traffic This LSM does the following Inspects tracks and secures every connection that is creat
94. ics on page 152 eventlogger_ lt tofino id gt zip and eventlogger_ lt tofino id gt X zip Event logs from the Tofino SA in a compressed file see Setting up the Event Logger on page 90 lt tofino id gt _kernel_evt enc Encrypted kernel diagnostics information solely for factory troubleshooting use lt tofino id gt _diagnostics enc Encrypted module diagnostics information solely for factory troubleshooting use lt tofino id gt _configuration txt Configuration data listing the LSMs licensed for this Tofino SA Note The Tofino SA will pass network traffic freely during the initial configuration or when its configuration is being updated Firewall rules take effect after completion of the initial configuration or update of the Tofino SA so that network operations are not affected before the full rule set can be applied A typical configuration transfer will finish in approximately 30 seconds INM MTL Tofino Configurator Rev 2 2 100 Applying and Verifying Configurations 9 2 Verifying a Tofino SA Configuration 9 2 Verifying a Tofino SA Configuration To record and verify the configuration of one or more Tofino SAs in the field use the Verify action This retrieves the configuration transfer reports sent over the network or from a USB storage device When you configure the Tofino SAs over the network the verification files are automatically returned to the MTL Tofino Configurator When you transfer the configu
95. ify command based on the Tofino type reported by the Tofino SA Model This field is updated by the Verify command based on the model reported by the Tofino SA Firmware Version This field is updated by the Verify command based on the firmware version reported by the Tofino SA Communications The Communications section displays the chosen method of communication for the selected Tofino SA You can specify whether you want to transfer configuration data to the Tofino SA device over the network or with a USB device If you do not have a license for the NetConnect LSM choose USB Only The Contact Assets list displays the assets the MTL Tofino Configurator will use to communicate with the Tofino SA in the field A Tofino SA doesn t have its own IP address The MTL Tofino Configurator uses a contact asset s address in order to contact and communicate with send packets to the Tofino SA This does not impact the other devices on the network but it makes the Tofino SA almost impossible for hackers to detect You manually specify the contact devices for each Tofino SA You can define multiple contact assets for a Tofino SA You can select any device or IP address in the network as a contact device However for successful communication the contact device must be on the other side of the Tofino SA from the MTL Tofino Configurator INM MTL Tofino Configurator Rev 2 2 143 Reference Field Descriptions 16 1 Tofino SA Fields Note If
96. iles associated with this asset Protocol Type Server Client Permission Log Details Description MODBUS TCP Standard O z Allow O DHCP BOOTP Standard O A BAlw O ICMP Ping Only Standard m MW QaAlow O HTTP Standard CI m QaAlow O sb Add Rule Profile L Update the fields in the General and Communications sections Note Generally you will not complete the Communications section for an asset template A user will add these details when creating a specific asset from this template 56 INM MTL Tofino Configurator Rev 2 2 Assets 6 3 Editing an Asset or an Asset Template L In the Rule Profiles table click the cell you want to edit and make the necessary change in the table Depending on the cell selected you will be able to Change the state of a check box Select an entry in a list Open a dialog box and select from a list of appropriate values Enter text To delete a rule profile select it in the table and click the Remove button x beneath the table L On the General and Enforcer tabs in the Rule Details section update the settings as necessary for the currently selected rule profile L Click the Save icon in the toolbar See the reference section Asset and Asset Template Fields for a detailed description of the fields on this page INM MTL Tofino Configurator Rev 2 2 57 Assets 6 4 Creating an Asset Template from an Existing Asset 6 4 Creating an Asset Template from an Existing
97. ino SAs Yes Yes Yes Configure Tofino SAs No Yes Yes Change Project LAK or Password No No Yes Change Project File Location No No Yes Change Audit File Settings No No Yes Table 3 Available functionality by user permission level These levels are enforced using a combination of techniques which are described in Managing Access to a Project and Managing User Activity Logging and Privileges within a Project INM MTL Tofino Configurator Rev 2 2 123 Advanced Topic MTL Tofino 13 2 Managing User Logging Access Configurator Settings and Privileges 13 2 1 Managing Access to a Project The core method to control access to a project is based in the MTL Tofino Configurator protection settings This allows a combination of passwords License Activation Keys LAKs and encryption to help secure the project files The protection settings on the main project page in the MTL Tofino Configurator control who has access to the project gred ju Project Explorer B amp Fort Sask Control Network B Tofino A Project Details B Asset Templates Details specific to this project file Assets Project Name Fort Sask Control Network A Protocols Project File C Users korm08261 Desktop Fort Sask Control Network v9 tpf 5 Special Rules Project Revision 24 0x82CF Creator Ericbyres Last Modified By kxm08261 Company Fort Sask Pipeline Co Project Protection The protection method for this project License Activation Key
98. into the Tofino SAs You can also retrieve configuration details from a Tofino SA to verify that the correct configuration is being used in the field The MTL Tofino Configurator will run on any of these supported Microsoft operating systems Windows XP Windows 7 32 and 64 bit and Windows Server 2003 2008 and 2008 SR2 No other applications or services such as Java NET or Flash are required for the MTL Tofino Configurator to operate INM MTL Tofino Configurator Rev 2 2 41 Introducing the MTL Tofino Configurator 1 1 Navigating the MTL Tofino Configurator 1 1 Navigating the MTL Tofino Configurator The MTL Tofino Configurator is designed to look and operate like Windows Explorer which you use to navigate files and folders on your computer Being familiar with basic Windows functionality enables you to start using the MTL Tofino Configurator immediately The main view is divided into two sections 1 Project Explorer view Tofino SAs Asset Templates Assets Protocols and Special Rules are listed in a tree format similar to the way that files are displayed in Windows Explorer Any object in the Project Explorer view can be clicked to display its information in the Details view Clicking the root folder will display a table of defined objects of that type For example clicking the Assets folder will display a table listing the assets defined in the project 2 Details view The details of what is selected in the Project
99. ion 2 0 USB storage device USB storage devices that are version 1 1 are not compatible and will not work with the Tofino SA The Tofino SA Fault LED will flash twice indicating invalid USB storage device if it detects a version 1 1 USB storage device The tested and approved USB storage devices include Kingston Data Traveler SanDisk Cruzer Sony Microvault Lexar and Hirschmann ACA21 Only USB devices formatted as FAT or FAT32 are compatible No of Flashes During Load Sequence 1 The USB port is disabled Check the Communications setting on the General page The method of communication should be USB Only or Both USB and Network 2 No USB memory device is During Save Sequence No USB memory device is connected to the USB connection or the file system of the memory device is not formatted as FAT or FAT32 connected to the USB connection or the file system of the memory device is not formatted as FAT or FAT32 3 The files on the USB memory device The device was unable to create any are invalid diagnostic files Please contact your technical support 4 The device was unable to encrypt The device was unable to encrypt the configuration files It is possible the diagnostic files Please contact that the files were damaged during your technical support the copying operation Repeat the copying operation If the condition persists please contact your technical support Table 4 Fault LED Activity D
100. irewall Rules 85 7 4 Using Tofino Test Mode to Validate Firewall Rules 88 8 Event Logging 89 8 1 Setting up the Event Logger 90 8 2 Retrieving Log Files 94 9 Applying and Verifying Configurations 95 9 1 Applying a Tofino SA Configuration 96 9 1 1 Loading Your Tofino SA via USB 99 9 2 Verifying a Tofino SA Configuration 101 9 3 Transferring Data from Your Tofino SA via USB 104 10 Advanced Topic Protocols 107 10 1 Creating a Protocol 108 10 2 Editing Protocols 110 10 3 Deleting a Protocol 113 11 Advanced Topic Importing Templates and Security Profiles 115 12 Advanced Topic How Automatic Rule Generation Works 117 INM MTL Tofino Configurator Rev 2 2 13 13 1 13 2 13 3 14 15 15 1 15 2 16 16 1 16 2 17 17 1 17 2 17 3 17 4 17 5 17 6 17 7 18 Advanced Topic MTL Tofino Configurator Settings Adding LSM Licenses Managing User Logging Access and Privileges 13 2 1 Managing Access to a Project 13 2 2 Managing User Activity Logging and Privileges within a Project Customizing Program Settings and Preferences Converting CMP License to a TC License Upgrading Your Tofino SA Upgrading over the Network Upgrading via USB Reference Field Descriptions Tofino SA Fields Asset and Asset Template Fields Troubleshooting Tofino SA Diagnostics Firewall Not Blocking Traffic USB Storage Device Recommendations Factory Resetting Your Tofino SA Special Rules 17 5 1 Tofino Rapid Network Recovery
101. lank Lowest Priority Logged This is the cut off as to the lowest logging level you would like the Tofino SA to record Setting the priority to O would result in just the emergency events being recorded while setting the priority to 7 would result in every detected event with smaller or equal priority being recorded The default setting is 5 The following table shows the options available in the Lowest Priority Logged list INM MTL Tofino Configurator Rev 2 2 91 Event Logging 8 1 Setting up the Event Logger Lowest Priority Message to be Logged Explanation 0 Emergency system is unusable Not used by the Tofino SA 1 Alert action must be taken immediately A physical change to the system occurred such as a detected power supply failure or interface disconnection This can also indicate the detected loss of a process on the firewall 2 Critical critical conditions An event occurred that could modify the operation of the firewall such as a new configuration being loaded 3 Error error conditions The firewall and or an Enforcer dropped a network packet 4 Warning warning conditions Not used by the Tofino SA 5 Notice normal but significant condition Not used by the Tofino SA 6 Informational informational messages The Event Logger LSM generated a periodic event message 7 Debug debug level messages Not used by the Tofino SA Table 1 Logger Lowest
102. le containing the logs The logs will be stored in eventlogger_ lt tofino id gt zip which is compressed When an Event Logger file reaches 4 MB in size it is rotated The rotated files are numbered and appear as eventlogger_ lt tofino id gt X zip where X is the number of the file This number increases by 1 each time a new rotated file is created up to 20 rotated files are saved Upon reaching eventlogger_ lt tofino id gt 20 zip the first rotated file eventlogger_ lt tofino id gt 1 zip is removed and eventlogger_ lt tofino id gt 21 zip is created Extract the files using an extraction tool such as 7 zip Open the log files using a syslog viewer or WordPad The file is more clearly formatted in WordPad Following is an example of a log file opened with WordPad OO OO Fle Edt Views insert Format Djs SO al gt el S 94 INM MTL Tofino Configurator Rev 2 2 Applying and Verifying Configurations 8 2 Retrieving Log Files 9 Applying and Verifying Configurations Once your Tofino SAs are configured in the MTL Tofino Configurator these configurations need to be transferred to the Tofino SAs in the field This is a two step process Transfer the configuration to the Tofino SAs Verify the configuration The MTL Tofino Configurator can communicate with the Tofino SAs in the field in two ways Over the network Via encrypted files on a USB storage device To communicate with a Tofino SA over the network yo
103. le profiles Assets N A Protocol Yes Direction See Notes Rule direction is decided based on the relationship of Server and Client settings for both profiles Permission See Notes If one profile is set to Allow and the other is set to Enforcer Enforcer is the resulting permission Log No Enabled Rate Limit No Lowest If one asset has no Rate Limit defined the Rate Limit of the other asset is used Burst Limit No Lowest If one asset has no Burst Limit defined the Burst Limit of the other asset is used Enforcer Details No Refer to Modbus If one profile has an Enforcer detail and EtherNet IP and the other does not the existing sections in this Enforcer detail will be assigned to the table rule Description No Both The rule profile descriptions from both assets are combined Modbus Function Codes No The most Read Only most restrictive lt restrictive group Read Write lt Programming OFS lt takes precedence Advanced lt Any least restrictive If both assets have Advanced Function Codes see the Modbus Advanced Filters section in this table Unit ID Yes Unit IDs common to both assets will be used Sanity Check No Enabled State Check No Enabled Exception No Enabled Reset No Enabled 118 INM MTL Tofino Configurator Rev 2 2 Advanced Topic How Automatic Rule Generation Works Field Are rule If values do not Notes profile match priority is v
104. ll Not Blocking Traffic 17 2 Firewall Not Blocking Traffic If the Tofino Firewall LSM does not appear to be blocking traffic that you think it should first check the following The Tofino Firewall LSM status Is the Firewall LSM activated See Editing a Tofino SA on page 40 The mode of the Tofino SA Is the Tofino SA in Operational mode The Tofino SA s Mode LED should be on steady Does the configuration of the Tofino SA really match what is stored on the MTL Tofino Configurator If in doubt verify the Tofino SA configuration see Verifying a Tofino SA Configuration on page 101 Next check the rules on the Tofino SA s firewall details view for the following see Editing Firewall Rules on page 85 Are the device IP addresses correct Are the protocols and direction correct Are there conflicting rules For example does the Tofino SA have an Allow All rule as well as a protocol specific rule Was the connection between devices established before the rule was loaded The Tofino SA will not break established connections between two devices If you think the connection was made before the rule was loaded try breaking the connection by restarting one of the devices 156 INM MTL Tofino Configurator Rev 2 2 Troubleshooting 17 3 USB Storage Device Recommendations 17 3 USB Storage Device Recommendations If you are experiencing difficulties doing USB Loads or USB Saves check to see if you are using a vers
105. nal clock When selected the Tofino SA will intercept NTP packets that pass through it and calibrate its clock to the information in the packet This applies a more accurate timestamp to messages in log files When not selected the Tofino SA time will be set when information is loaded to the appliance via a USB device or over the network Network Interfaces The Network Interfaces section displays the network interface settings for the selected Tofino SA Net 1 Name A name or identifier that describes the upper Ethernet port on the Tofino SA For example you could name it after the network it connects to such as Business Network or it could be named by function such as Untrusted Net 1 Medium This sets the interface settings on the upper Ethernet port The Tofino SA supports auto negotiation of both Ethernet ports meaning the Tofino SA s connection and transmission parameters are negotiated automatically with the switch or device it is attached to Depending on the media type in the Tofino SA you can manually set the Ethernet ports to the following Auto auto negotiate 10baseT HD Twisted pair 10 Mb s half duplex 10baseT FD Twisted pair 10 Mb s full duplex 100baseTX HD Twisted pair 100 Mb s half duplex 100baseTX FD Twisted pair 100 Mb s full duplex The default value is Auto Net 2 Name A name or identifier that describes the lower Ethernet port on the Tofino SA For example you could name it after the
106. nel type filter text Projects Audit 4 Help Content Projects 7 Use default project on application startup Default project file Browse Restore Defaults Apply Cancel 130 INM MTL Tofino Configurator Rev 2 2 Advanced Topic MTL Tofino Configurator Settings L To enable the default project feature click the Use default project on application startup check box Note If a default project is specified but this check box is disabled the project will not open on start up L Click Browse Locate and select the project you want to open automatically on start up L To save the settings click Apply INM MTL Tofino Configurator Rev 2 2 131 Advanced Topic MTL Tofino Configurator Settings 432 INM MTL Tofino Configurator Rev 2 2 Converting CMP License to a TC License 14 Converting CMP License toa TC License Perform the steps below to convert your CMP license to a TC license Export your CMP database and take note of the location you selected where it was saved by CMP Login to the Customer Portal to access the Import CMP Project page Click the Browse button to locate the CMP Database backup file and click the Upload button Note New licenses created are part of ImportCMPDB project and are attached to a reserved TC LAK For a CMP license the number of TC license created are equal to the number of hardware instances attached to the CMP license If
107. ng Access and Privileges on page 123 Program settings and preferences See Customizing Program Settings and Preferences on page 128 INM MTL Tofino Configurator Rev 2 2 421 Advanced Topic MTL Tofino 13 1 Adding LSM Licenses Configurator Settings 13 1 Adding LSM Licenses The MTL Tofino Configurator allows you to manage licenses for the Loadable Security Modules LSMs used in the Tofino SAs This is a multi step process that involves exporting a project summary file to the Tofino Customer Portal assigning the desired LSM licenses to the Tofino SAs in your project and creating downloading and importing a license grant file into the project L Have your License Activation Key ready To locate the key open the Preferences menu and select Licensing gt View Licenses Record the license key and click Finish to close the dialog box Open the Preferences menu and select Licensing gt Export Project Summary File Name the project summary file and save it to a location on your computer Open your browser and navigate to the Tofino Customer Portal http www tofinosecurity com licensing Log in to your account or click New User to create an account In the portal perform the following three steps L Navigate to the Projects page and click New Project O Upload the project summary file psf L Navigate to the License Grants page and create a license grant file for the project For assistance in the Tofino Cust
108. nge Administrator Password 22 INM MTL Tofino Configurator Rev 2 2 Projects 4 1 Creating a New Project 4 1 Creating a New Project To begin using the MTL Tofino Configurator create a project You can do this from the start up screen or from within the application Create as many projects as you need for your site While only one project is required you may choose to segregate your network into smaller projects As part of project creation you can restrict access to the project file with the License Activation Key a password or both Each time the project is saved the license key and or the password will be used to encrypt the project file Anyone who acquires the project file will be unable to access the content without first providing the appropriate key and or password When a user attempts to open the project in the MTL Tofino Configurator the license key will automatically be read from the program but the user will be prompted to enter the password As an extra layer of protection you can set an Administrator password This helps keep users from performing certain functions without approval from the Administrator When this password is set users require Administrator permission to change the Project Protection settings or move the project file For more information on project protection see Managing User Logging Access and Privileges O On the start up screen click Create New Project Tofino Configurat
109. ngs This includes general information and specific parameters The information displayed in the Protocol Details view varies depending on the type of protocol selected The factory defined protocols cannot be edited cut or deleted LJ In the Project Explorer view click the protocol you want to edit L Edit the protocol settings as necessary The available fields may include Protocol Name A name or identifier that uniquely identifies the protocol Remember that each protocol needs to have a unique name to avoid confusion Description A text field solely for reference This can be used to describe the function of this protocol Protocol Type The general classification of this protocol The classification determines the fields available for input UDP TCP IP or Ethernet Ports The ports used by this protocol Use commas to separate individual port numbers and dashes to separate a range of port numbers For example if the protocol uses the TCP ports 5000 through 5004 they can be entered as either 5000 5001 5002 5003 5004 or 5000 5004 Exclusively use the numbers 0 through 9 and commas and dashes IP Protocol The IP protocol number in hexadecimal format EtherType The Ethernet type number in hexadecimal format For more information see http www iana org assignments ethernet numbers ethernet numbers xml O Click the Save icon in the toolbar Following are three typical protocols of different types 110 INM MTL Tofino
110. o SA for each Tofino SA hardware device that will be installed on your network The two most common ways to define a Tofino SA are Create a new Tofino SA manually Discover Tofino SA devices already configured on the network You can also copy and paste a Tofino SA within the same project or across different projects Once you paste the Tofino SA into the project edit the settings as necessary The Tofino SAs you define appear in the Project Explorer view beneath the item Tofino SAs Click this top level item to display the current folder structure and the defined Tofino SAs 37 gt Bele a C3 New Folder Gj NewTofinoSA Z Apply Verify 5 Firmware Update MW DHelp Project Explorer A Tofino SAs You can create a folder hierarchy to organize your Tofino SAs Use the New Folder feature in the toolbar to create folders You can use the Cut and Paste actions in the toolbar to move the devices INM MTL Tofino Configurator Rev 2 2 34 Tofino SAs 5 1 Defining the Tofino SAs 5 1 1 Manually creating a Tofino SA Create as many Tofino SAs in the project as are needed to represent each physical device being installed on the network Click Tofino SAs in the Project Explorer view and then click New Tofino SA in the toolbar Alternately open the New menu in the toolbar and click Tofino SA The New Tofino SA wizard opens Tofino SA Tofino SA Tofino ID is incomplete or invalid Tofino ID
111. o cancel the deletion delete the asset and replace the references to it with its current address or delete the asset and fix the detected errors later When you choose to delete the asset a message prompts you to confirm the action Click OK to proceed Canceling the deletion at this prompt will not reinstate the asset in any firewall rules from which it was removed INM MTL Tofino Configurator Rev 2 2 59 Assets 60 INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 Firewall Rules A firewall is a mechanism used to control and monitor traffic between two networks or two portions of the same network to increase the level of security on the network It compares the traffic passing through the firewall to a predefined set of rules discarding traffic that does not meet the rule criteria In effect it is a filter that blocks unwanted network traffic and places limitations on the amount and type of communication that occurs between devices or networks in need of protection and other systems such as the corporate network or another portion of a site s control network The Tofino Firewall is a Loadable Security Module LSM that is activated on the Tofino SA to process traffic On its own it is a stateful layer 2 3 and 4 firewall When combined with the Enforcer LSMs it also offers stateful Deep Packet Inspection An Enforcer is an advanced firewall for specific SCADA and ICS protocols It allows you
112. ocols In the MTL Tofino Configurator protocols define the particular services that are communicated between devices on the network For example the use of web traffic on a network would use the HyperText Transport Protocol HTTP for communications between a web server and a web client Similarly an HMI might use the Modbus TCP protocol to communicate to a PLC The MTL Tofino Configurator comes with a number of predefined protocols that are common to many industrial systems However in special cases you may want to create new protocols for specific types of equipment or situations By selecting a protocol in the Project Explorer view you can do the following Create a new protocol Create a folder View and edit the protocol s details Delete a protocol The factory defined protocols cannot be edited cut or deleted INM MTL Tofino Configurator Rev 2 2 107 Advanced Topic Protocols 10 1 Creating a Protocol 10 1 Creating a Protocol Create new protocols for specific types of equipment or situations where one of the predefined protocols does not meet your needs In addition to creating a protocol manually you can copy and paste an existing protocol to create a new one However this does not run the wizard To make the protocol unique you need to edit the details manually When creating your own protocols you may want to organize them in folders Use the New Folder feature in the toolbar to create the folder hierarchy L
113. oduct O On the Belden Inc website navigate to the Support page and click theappropriate product L Click Software and Security Profiles O In the portal click Download MTL Tofino Configurator If you do not have a License Activation Key contact your reseller INM MTL Tofino Configurator Rev 2 2 47 Installing Your MTL Tofino Configurator3 1 Running the Tofino Configurator Installer 3 1 Running the Tofino Configurator Installer Running the MTL Tofino Configurator installer launches the installation wizard Work through the pages of the wizard to configure the installation accept the license agreement and activate your license To install the MTL Tofino Configurator you need a Windows user account with Administrator permissions Run the MTL Tofino Configurator installer Follow the on screen instructions to install the MTL Tofino Configurator UF MTL Tofino configurator 02 2 01 Excelsior Installer ea me ma Welcome to Excelsior Installer for MTL Tofino configurator 02 2 0 Excelsior Installer will guide you through installation of the software on your computer To proceed dick Next E T N Powering Business Worldwide The MTL Tofino Configurator installation wizard walks you through the steps to configure your installation Accept the license agreement Specify the installation type Select a destination folder Add program icons to specific folders
114. ol page When you choose to use the existing rule profiles the MTL Tofino Configurator checks both of the assets for protocols listed in their rule profiles The automatic rule generator then creates one rule for every protocol that the two assets have in common The New Firewall Rule Wizard closes and the rules created display in the table on the Firewall page If the assets have no protocols in common no rules are generated Similarly if they have protocols in common but are both clients or are both servers no rules are generated In these cases a message informs you of the situation and you will need to define the protocols manually on the Protocol page INM Tofino Configurator Rev 2 2 69 Firewall Rules 7 1 Creating Firewall Rules Protocol Select protocols specify the permission type and specify whether logging is enabled for this firewall rule Protocol Permission 4 Common Industrial O Allow p BACnet IP Deny amp DNP3 Enforcer p Ethernet IP CIP Explicit Msg 6 EtherNet IP CIP Explicit Msg SEE EtherNet IP CIP Implicit Msg Enable Logging FF fh GOOSE o ICCP p JEC 104 IEEE 1588 IPv4 fi IEEE 1588 L2 MODBUS TCP MODBUS UDP fi MRP 6 OPC Classic 4 OPC UA 4 OPC UA TLS 4 PROFINet 5 Common IT Vendor Specific Tip Use Shift click to select a range of protocols use Ctrl click to select multiple protocols out of sequence lt Back F Cancel L
115. omer Portal click the help button in the upper right corner of the page for information specific to that page In the MTL Tofino Configurator open the Preferences menu and select Licensing gt Import License Grant File The License Grant Results dialog box lets you know the upgrade is complete It indicates the upgrade was successful or lists any errors encountered The new LSM licenses will be loaded to the Tofino SA s automatically the next time a configuration is transferred OO OO 122 INM Tofino Configurator Rev 2 2 Advanced Topic MTL Tofino 13 2 Managing User Logging Access Configurator Settings and Privileges 13 2 Managing User Logging Access and Privileges The MTL Tofino Configurator is designed to give users the flexibility to tailor the security controls on the MTL Tofino Configurator projects to their needs It uses functionality built into the software along with the Windows File Management system to control user access to each Tofino project and log user activities There are three possible levels of access View Only Access Configuration Access Administration Access The following table details the functionality available in the MTL Tofino Configurator for each level of user permission Functionality View Only Configuration Administration Access Access Access Open Project Yes Yes Yes Save Project No Yes Yes Save As Project No No Yes Read from Tof
116. on includes length checking proper protocol version option field values and correct IP address usage If the Allow Embedded PCCC option has been selected the PCCC messages will also be inspected to determine if they adhere to the PCCC protocol definitions To have the Tofino SA send a TCP reset packet to both EtherNet IP devices when it blocks a message select Reset This can keep a session from locking up on certain EtherNet IP products To have the Tofino SA include an ASCII text string as a payload ina TCP reset packet select Debug The string will explain the reason why the message was dropped by the Tofino SA To view the text capture network traffic with a tool such as Wireshark Use this option solely during testing Clear this check box during regular operations as it may expose security details to potential attackers Click the Save icon in the toolbar 84 INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 3 Editing Firewall Rules 7 3 Editing Firewall Rules The Rule Table on the Firewall page displays the firewall rules created for the selected Tofino SA You can make changes directly on this page in the table and in the Rule Details section You can also change the order in which the rules are evaluated In the Project Explorer view expand the Tofino SA you want to work with and click Firewall The Firewall page displays the rules created for this Tofino SA
117. op packets until there are more tokens in the bucket The number of tokens and thus the number of forwarded packets is controlled by two settings Rate Limit and Burst Limit The Rate Limit is the rate at which the bucket is refilled with tokens The rate limit setting is calculated over an interval set by the user such as per second or per minute If the rate limit is 50 and the interval is set to seconds then 50 tokens per second will be placed in the bucket and 50 packets per second will be let through the firewall Keep in mind that the bucket is refilled gradually over an interval and not at the start of the interval INM MTL Tofino Configurator Rev 2 2 Firewall Rules 6 5 Deleting an Asset The Burst Limit is the initial number of tokens in the bucket as well as the maximum number of tokens the bucket can hold In other words this helps to prevent the number of tokens from building up during times of low traffic The firewall will immediately allow through any burst of packets equal to the number of tokens in the bucket Once the bucket is empty the firewall can only forward packets as the bucket refills over time at the rate specified by the rate limit If the rate of packets is faster than the rate limit the bucket will empty at the rate of packets and then will be limited by the rate limit which refills the bucket In other words if your burst limit is 100 your rate limit is 25 per second and 1000 packets are sent to the
118. operate the Tofino SA in two modes Test and Operational Running in Test mode allows the Tofino SA to fully process network messages and generate event logs without actually blocking network traffic This is a non invasive way to check the impact that the firewall rules will have when put in Operational mode Use Test mode to confirm that the Tofino SA is configured correctly O 0 O O 00 In the Project Explorer view expand the Tofino SA you want to work with and click General The main view displays the general settings for the selected Tofino SA In the Status section select Test as the mode On the Firewall page create firewall rules based on the known network traffic patterns and desired security Load the resulting configuration into the Tofino SA see Applying and Verifying Configurations Let the Tofino SA process network traffic for a period of time typically 24 hours or longer Using a syslog server or the USB Save feature and log viewing software see Retrieving Log Files review the log messages generated by the Tofino SA to determine if there are instances of either of the following Packets marked to be dropped that you think should be allowed Packets marked to be dropped that you think should be dropped without being logged i e nuisance alarms L If either of these are noted adjust the firewall rules accordingly and repeat this task L Once no unwanted log messages are being generat
119. or Project Selection Create a new project or open an existing project Ci Create New Project amp Open Project Gy CAUsers koemn 08261 Desktop Fort Sask Control Network v9 tpf Gy CAUsers koern08261 Desktop ABC Environemtnal Project tpf Z CAUsers koer08261 Desktop Northern Area Network Systems tpf Set this as the default project and do not ask again INM MTL Tofino Configurator Rev 2 2 23 Projects 4 1 Creating a New Project Note Once you set a default project to open automatically the start up screen no longer appears Alternately within the application click the New icon in the toolbar to open the wizard then select Project and click Next If you have another project open a message informs you that it will be closed You will be prompted to save the project if necessary Whether you create the project from the start up screen or from within the application the New Project Wizard opens Here you enter the details for the project you are creating New Project Wizard Create a new project Project Name Jasper Pumping Station Company AB Oil Co mam Enter a project name and a company name Click Next Select how you want to restrict access to the project file License Activation Key and or Password Project Protection Specify the project protection settings The new project will be protected by 7 License Activation Key 7 Pass
120. orex AS Fekjan 7c Postboks 147 N 1378 Nesbru Norway Tel 47 66 77 43 80 Fax 47 66 84 55 33 E mail info norex no RUSSIA Cooper Industries Russia LLC Elektrozavodskaya Str 33 Building 4 Moscow 107076 Russia Tel 7 495 981 3770 Fax 7 495 981 3771 E mail mtlrussia eaton com SINGAPORE Cooper Crouse Hinds Pte Ltd No 2 Serangoon North Avenue 5 06 01 Fu Yu Building Singapore 554911 Tel 65 6 645 9888 Fax 65 6 487 7997 E mail sales mtlsing eaton com SOUTH KOREA Cooper Crouse Hinds Korea 7E Parkland Building 237 11 Nonhyun dong Gangnam gu Seoul 135 546 South Korea Tel 82 6380 4805 Fax 82 6380 4839 E mail mtl korea eaton com UNITED ARAB EMIRATES Cooper Industries Eaton Corporation Office 205 206 2nd Floor SJ Towers off Old Airport Road Abu Dhabi United Arab Emirates Tel 971 2 44 66 840 Fax 971 2 44 66 841 E mail mtlgulf eaton com UNITED KINGDOM Measurement Technology Limited Great Marlings Butterfield Luton Beds LU2 8DL Tel 44 0 1582 723633 Fax 44 0 1582 422283 E mail mtlenquiry eaton com AMERICAS Cooper Crouse Hinds MTL Inc 3413 N Sam Houston Parkway W Suite 200 Houston TX 77086 USA Tel 1 281 571 8065 Fax 1 281 571 8069 E mail mtl us info eaton com EUROPE EMEA 44 0 1582 723633 mtlenquiry eaton com The given data is only intended as a product description and should not be regarded as a legal warranty of properties or guarantee In the in
121. otocols that this asset can use for network communications Note If you select an application layer protocol such as Modbus or HTTP lower layer protocols such as Ethernet TCP and IP are automatically included Type The type of protocol Standard firewall rules are designed to allow or deny specific protocols passing through the firewall Special Rules are highly complex rules that go beyond simple allow or deny For more information see Creating Firewall Rules Server Selecting this check box indicates that the asset acts as a server and responds to requests from clients For example a web server or a Modbus slave device such as a PLC would be selected as a server Client Selecting this check box indicates that the asset acts as a client and initiates requests to servers For example a web browser or a Modbus client device such as an HMI would be selected as a client Protocols can be set as both client and server on an asset if appropriate For example a computer may contain both web server software and web browser software and thus could be designated as both an HTTP client and an HTTP server Permission What the firewall does with a packet based on the defined rules There are three options Allow The Tofino SA will allow traffic matching the rule to pass Deny The Tofino SA will stop traffic matching the rule from passing Enforcer The Tofino SA will further inspect and filter the
122. ou can then validate these files using the Verify function in the MTL Tofino Configurator or you can send them to technical support for analysis Note Performing a USB Load see Loading Your Tofino SA via USB automatically executes a USB Save in order to record the results of the transfer and the status of the Tofino SA after the transfer is finished If you transferred configuration files via USB you will not need to perform a USB Save to retrieve the files reguired for verification They will already be on the USB storage device Power on the Tofino SA for at least one minute Insert the USB storage device into the USB port Press the Save Load Reset button once The Save Load LED will iluminate in green After a few seconds the Mode Save Load and Reset LEDs will flash in green in a left to right sequence to indicate the USB Save is in progress O When the flashing sequence stops remove the USB storage device If the save was successful the Tofino SA LEDs will revert to the state they were in prior to the saving action OOO 104 INM MTL Tofino Configurator Rev 2 2 Applying and Verifying Configurations Note The ACA22 USB storage device has been tested by Tofino and is therefore recommended For ordering ACA22 USB see Accessories in the Installation Guide The following version 2 0 USB storage devices are known to work Kingston Data Traveler SanDisk Cruzer Sony Microvault Lexar and Hirschmann ACA21 USB Other brands
123. ows the general configuration settings for this Tofino SA 40 INM MTL Tofino Configurator Rev 2 2 Tofino SAs Tofino 00 50 C2 B3 2B D2 General Network Interfaces The general identification details for this Tofino SA The settings for the network interfaces on this Tofino SA Tofino ID oo 1 50 C2 B3 28 D2 Net 1 Name Net L Name Tofino 00 50 C2 83 2B D2 Net 1 Medium Auto id Description Net 2 Name Net2 General Location Net Medium Auto ad Specific Location NTP Time Sync Communications The method of communication for this Tofino SA Status Network Only The current versions and operational status of this Tofino SA USB only Mode Operational s Both USB and Network Configuration Status Verified Contact Assets Latest Configuration Revision 6 0x 494 5 5 5113 Discovery Fy Verified Configuration Revision 6 0484 Hardware Type Tofino Xenon TX TX Model TofinoXe 0200TITISODZ9000ZTATO2 2 00 Firrnwaare Version 02 2 00 Loadable Security Modules LSMs Select the LSMs you want to activate for this Tofino SA 7 amp NetConnect LSM amp Firewall LSM Event Logger LSM gt Modbus TCP Enforcer LSM OPC Classic Enforcer LSM EtherNet IP Enforcer LSM SSS L Update theTofino SA configuration as necessary See the reference section Tofino SA Fields for a detailed description of the fields on this page O Click the Save icon in the toolbar INM MTL Tofino Configurator Rev 2 2 41
124. plate dialog box opens Asset Template Create a new asset template Name UnityPro Type S Computer Description Unity Pro Programming Station Manufacturer Model Unity Pro General Location Specific Location Asset Tag Ga Cas L Enter a name for this asset template and select the type of asset it represents L Complete the remaining fields optional L Click Finish The program adds the new template in the specified location in the Project Explorer view The details view displays the template configuration INM MTL Tofino Configurator Rev 2 2 47 Assets 6 1 Asset Templates UnityPro General Communications The general settings for this asset The communication settings for this asset Name UnityPro IP Address Os 8 se oz Type Computer Subnet Mask DOK z K o od Description Unity Pro Programming Station MAC Address 00 00 00 00 00 00 Manufacturer Model Unity Pro General Location Specific Location Asset Tag Rule Profiles The rule profiles associated with this asset Protocol Type Server Client Permission Log Details Description dp Add Rule Profile Generally you will not complete the Communications section A user will add these details when creating a specific asset from this template You can now define rule profiles This lets you specify the protocols that an asset uses along with how you want the protocols managed The New Firew
125. r draws your attention to a dependency Courier ASCII representation in the graphical user interface INM MTL Tofino Configurator Rev 2 2 Key 10 INM MTL Tofino Configurator Rev 2 2 Introducing the MTL Tofino Configurator 1 Introducing the Tofino Configurator The Tofino Industrial Security Solution is a comprehensive package for securing industrial control systems particularly at the Local Area Network LAN level The system consists of three core components Tofino Security Appliance These industrially hardened devices are installed in front of individual and or clusters of Human Machine Interfaces HMI Distributed Control Systems DCS Programmable Logic Controllers PLC or Remote Terminal Units RTU control devices that require protection Tofino Loadable Security Modules LSM A variety of software modules providing security services such as Firewall and Event Logger Each LSM is activated on the Tofino SAs to allow them to offer customizable security functions depending on the requirements of the control system LSMs can be either pre loaded at the factory or added in the field via the Tofino Customer Portal MTL Tofino Configurator A Windows based management system for the configuration of each Tofino SA Use the MTL Tofino Configurator on your PC to define configuration data for each Tofino SA in your plant When you have finished editing the configuration you can transfer the configuration data
126. r helps create rules that allow or deny traffic from that range of addresses INM MTL Tofino Configurator Rev 2 2 43 Assets 5 3 Deleting a Tofino SA Broadcast and Multicast Assets In most networks there are messages that are sent to a general address and are expected to be received by everyone on the network These are called Broadcast and Multicast messages The MTL Tofino Configurator has special assets designed to handle these types of messages Broadcast This asset represents an address that is used for IP broadcasts Broadcast packets which are a normal part of network operation are transmitted by a device to a broadcast address that many devices listen to For example IP networks use broadcasts to resolve network addresses using Address Resolution Protocol ARP The exact broadcast address is dependent on the subnet defined for a given network If the node address is 192 168 1 1 the broadcast address might be 192 168 1 255 depending on the subnet of the node This type of asset is required if you wish to provide broadcast filtering rules in the Firewall LSM Multicast This asset represents an address that is used for IP multicasts Multicast packets are transmitted to a multicast address that a set of devices listen to Typically these are IP addresses in the range between 224 0 0 0 through 239 255 255 255 and depend on the manufacturer of controller hardware the protocols in use and the network configuration For example
127. range When Continuous Scan option is enabled this state relates to the Iteration feature The Iteration value indicates how many times the range has been scanned As devices are discovered they appear in the Project Explorer view at the specified location The General settings page is populated with basic device information Tofino ID Name and Hardware Type A network connection is automatically attempted and if successful provides additional device details INM MTL Tofino Configurator Rev 2 2 39 Tofino SAs 5 2 Editing a Tofino SA 5 2 Editing a Tofino SA Selecting or expanding a Tofino SA in the Project Explorer view displays links that let you navigate to pages where you can edit the device configuration The configuration and setting options available for a Tofino SA will depend on its associated LSMs Typically the available settings include General settings Configure the general settings for the selected Tofino SA This includes general information communication parameters and LSM selection Event Logger LSM settings Configure alarm and event logging for the selected Tofino SA Firewall LSM settings Configure firewall rules for the selected Tofino SA When you copy a Tofino SA from another project review the configuration settings to verify that it is set up properly for the new location LJ In the Project Explorer view expand the Tofino SA you want to work with and click General The page displayed sh
128. rations or perform firmware updates via USB the verification files reside on the USB storage device that was used to transfer the configuration or upgrade the Tofino SAs To list the Tofino SAs in this project click Tofino SAs in the Project Explorer view Select the Tofino SAs you want to verify Use SHIFT click to select a range of devices use CTRL click to select multiple devices out of seguence tire Erl C9 New Folder Sj New Tofino SA Apply amp Verify 3 Firmware Update 3 Help Project Explorer 5 Tofino SAs 15 Fort Sask Control Network Name Tofino ID Mode Configuration Stat Type Version General Locat Specific L 4B Tofino SAs FS TSA 001 00 00 10 95 EF A0 Operational Unknown Schn 01 7 01 Fort Sask Cont Rackl Discovery Bl Fs TsA 002 00 00 10 95 EF Al Operational Unknown Schn 01701 Jasper Control Rackl dih FSTSA 001 Fs TSA 003 00 00 10 95 EF A2 Operational Unknown Schn 01 7 01 Jasper Control Rack14A dih FS TSA 002 FS TSA 008 00 00 10 95 EF AS Operational Unknown Schn 01701 Blue River Con Rack 14A FS TSA 003 FS TSA 008 Asset Templates Bl Assets E Protocols amp Special Rules m Click Verify in the toolbar The Verify Loaded Configuration dialog box opens INM MTL Tofino Configurator Rev 2 2 101 Applying and Verifying Configurations 9 2 Verifying a Tofino SA Configuration Verify Loaded Configur
129. red for this Tofino SA n log Type Details Stand Stand Stand ID FC N Asset Interface Any FS HME Network Any FS HMI Network D Fs Hao FS HMI Network ad FS HMLO0I FS HMI Network Any FS HMI Network Ary FS HME Network B Fs Haon FS HME Network A MA FS Ha on2 FS HMI Network P Firewali lt KK SSK a Mi ss pic on ro sic W rs PLC on FS Contro Etheriet P CP Enforce Stttssete Rule Details Additional options for the selected firewall nale Rate Limit second Burst Lima Firewall Rule Order The Tofino SA inspects packets in a sequential manner according to the order that the rules are displayed in the firewall rule table Having the same rules but placing them in a different order can alter how the Tofino SA manages traffic When the Tofino SA receives a packet it compares it against the first rule then the second then the third and so on When it finds a rule that matches it stops checking and applies that rule If the packet goes through each rule without finding a match then that packet is denied You can manually reorder the rules by selecting a rule and clicking Move Up and Move Down in the toolbar 62 INM MTL Tofino Configurator Rev 2 2 Firewall Rules sb Create Rule Move Up Move Down X Hep v FS_TSA_001 Firev Move Up Rule Table The firewall rules configured for this Tofino SA 1 Asset Interface Direction Asset Interface Protocol Permission Log
130. rst limits as required O Select the Enforcer tab and configure the rule as follows Select the appropriate function code The options are Read Only Function codes that are data read commands are permitted Read Write Function codes that are data read or data write commands are permitted Programming OFS Function codes that are either data read write or programming commands are permitted Any All Modbus function codes are permitted Advanced Opens a new window where you select from a list of available function codes Select a function code and then add the register or coil ranges that you wish to allow for the rule as appropriate You can add a comment for each code and reorder the codes Add as many function codes as needed to one rule but select a single instance of each function code per rule Click the Add Function Code Rule button to display the available codes Use the Move Up and Move Down icons to reorder the codes Click OK when you are done INM MTL Tofino Configurator Rev 2 2 75 Firewall Rules 7 2 Deep Packet Inspection Firewalls ey RG Details FC Function Name Range Commen t Mamon Gol Addes 0 03 Read Holding Registers 100 200 OL Read Coils 0 100 Maximum Coil Address 100 Comment You can use the Tofino SA in test mode to determine if the selected function code is suitable for your application O Specify the Unit ID Modbus master devices use the unit identifier
131. s from the Tofino Crestor Ericbyres Configurator to the actual Tofino SAs installed on your Last Modified By kom08261 ova SRENJE i Company Fort Sask Pipeline Co ick Tofino Sis in the Project Explorer 2 Ml Define Assets Create objects to represent the real world devices and systems on the control network beth physical Project Protection devices and virtual entities These wall be used to create The protection method for this project License Activation Key firewall rules Click Assets in the Project Explorer view 3 87 Define Firewall Rules Create firewall rules to control Password Change Password how the Tofino SA wall handle network traffic Combine the assets you defined with predefined protocols to build the rules Administrator Password Ga venel under the Tofino SA you want to create firewall rules for Admunistrator protection settings for this project gt F Configure the Event Logger optional Configure the Event Logger LSM to take advantage of external alarm and event logging Specify the type of events you want to collect and where you want to store the log files Click Event Logger under the Tofino SA you want to configure D Create the configuration Alter installing the Tofino SAs in the field transfer the Tofino SA configuration data to the devices You can do this over the network or with s USB storage dence Select a Tofino SA and click Apply in the toolbar Use Admanistrater Password _Cha
132. s in the field The final requirement reduces the possibility that the configurations being transferred to the Tofino SAs in the field are different from the configurations in the project file To list the Tofino SAs in this project click General in the Project Explorer view Select the Tofino SAs that you want to create configurations for Use SHIFTclick to select a range of devices use CTRL click to select multiple devices out of sequence Selecting a folder also selects the Tofino SAs within that folder You can create multiple Tofino SA configurations at once If transferring configurations via USB you can store them on a single USB device 96 INM MTL Tofino Configurator Rev 2 2 Applying and Verifying Configurations 9 1 Applying a Tofino SA Configuration Project Explorer A Tofino SAs t e id ul 4 O X iNew Folder Gi NesTofinssa S Apply Verity D Fiermaare Update K e Diep werk Name O Click Apply in the toolbar The Apply Configuration dialog box opens Apply Configuration Select the Tofino SA s you want to configure and the appropriate transport method for applying the configuration aT aa Transport Method Restrictions v a FS_TSA_002 a FS TSA 003 FS TSA 008 Check All Uncheck All Cancel O Confirm that the Tofino SAs that you want to configure are selected in the list O Select the method you want to use to transfer the configuration to the Tofino SA
133. s they control As a result you may experience situations where you are unable to open a project file Here are some reasons why this may occur When opening a project file you are asked for a password This indicates that the project is password protected Provide the correct password to proceed When opening a project file you are informed that your License Activation Key LAK is different from the one used to save the project you are trying to open This indicates that the License Activation Key LAK protection has been turned on for the project and the project you are trying to open was created with MTL Tofino Configurator software licensed with a different LAK than your current software To address this use the same MTL Tofino Configurator that was used to save the project When opening a project file you are asked for a Project Administrator Password This indicates that the project is protected by an Administrator Password The project file has been moved from its original location to its current location Provide the administrator password to proceed When opening a project file from the list of recent projects you are informed that the selected project cannot be found This indicates that the project has been moved Click Open Project to locate and open the correct project file tfp To help avoid being locked out of a project back up your project files regularly and record all passwords in a suitable password managemen
134. se CTRL click to select multiple protocols out of sequence The MTL Tofino Configurator creates a rule profile for each protocol selected Set the permission This tells the firewall what to do with a packet that matches the rule profile allow it to pass Allow or stop it from passing Deny The Enforcer option inspects and filters the traffic using Deep Packet Inspection This option is appropriate solely for the Enforcer protocols To create a log each time the rule is triggered select the Enable Logging check box Click Finish The profiles created appear in the Rule Profiles table INM MTL Tofino Configurator Rev 2 2 53 Assets 6 2 Creating Assets L Select the rule protocol in this table and finish configuring it in the Rule Details section Rule Profiles The rule profiles associated with this asset Protocol Type Server Client Permission Log Details Description IMODBUS TCP E Standard 1 m OAw O sle Add Rule Profile 36 Rule Details Additional options for the selected firewall rule E General Rate Limit secon d Burst Limit You can adjust advanced settings such as traffic rate limiting for most rule profiles Additional settings for the selected rule profile are displayed in one or more tabs below the table Click the Save icon in the toolbar See the reference section Asset and Asset Template Fields for a detailed description of the fields on this p
135. ss ranges to locate new and existing Tofino SA devices on your network If you are performing scans and not discovering Tofino SAs that you know are on the network try the following suggestions O Reset the scan settings and create a new scan L Verify that both interfaces of the Tofino SA are connected to networks or devices Also check that at least one device on the port opposite the port connected to the MTL Tofino Configurator has an IP address in the range you have selected to scan If any routers or firewalls are located between the MTL Tofino Configurator and a Tofino SA on the network check that each router firewall device is configured to allow the MTL Tofino Configurator traffic to pass through it For more details see Communications O Check that the Tofino SAs you are trying to discover are new Tofino SAs direct from the factory or existing Tofino SAs that have been factory reset In these cases the Mode light on the Tofino SA will be off To help stop attackers from using a stolen copy of the MTL Tofino Configurator to discover a Tofino SA the Tofino SAs configured by one project database cannot be discovered by a MTL Tofino Configurator using a different project INM Tofino Configurator Rev 2 2 162 Troubleshooting 17 7 Unable to Open a Project File Tofino project files are secured using state of the art cryptography to reduce the chance of unauthorized people accessing them and the Tofino SA
136. t system INM Tofino Configurator Rev 2 2 163 Troubleshooting 164 INM MTL Tofino Configurator Rev 2 2 Glossary 18 Glossary ACL Access Control List List of rules specifying access privileges to network resources ARG Assisted Rule Generation a feature that helps you create firewall rules for the purpose of helping to protect devices on your network This feature comes with the Secure Asset Management LSM Asset The objects used to represent the devices or groups of devices installed in your control system They can be broken down into seven categories Computers Controllers Devices Networks Networking equipment Broadcast and Multicast Children A child node is one that is connected under another node known as its parent CIP Common Industrial Protocol CIP is an open standard for industrial network technologies It is supported by an organization called Open DeviceNet Vendor Association ODVA CSP Client Server Protocol An Allen Bradley protocol used to communicate to PLCs over TCP IP DCOM Distributed Component Object Model This is an extension to the Component Object Model that Microsoft made to support communication among objects on different computers across a network DCS Distributed Control System A Distributed Control System allows for remote human monitoring and control of field devices from one or more operation centers DMZ Demilitarized
137. t details 52 INM Tofino Configurator Rev 2 2 Assets 6 2 Creating Assets S FS HMI 004 The general settings for this asset Communications The communication settings for this asset Name Type FS HMLO04 S Computer IP Address Subnet Mask m 0 168 k 18 o i 0 8 0 Description Manufacturer Model General Location Specific Location Asset Tag Rule Profiles The rule profiles ass Main Pump Station 4 Schneider CitectSCADA Main Pump Station Control Room ociated with this asset MAC Address 00 00 00 00 00 00 Protocol Type Server Client Permission Log Details Description lt P Add Rule Profile You can now define rule profiles This lets you specify the protocols that an asset uses along with how you want the protocols managed The New Firewall Rule Wizard uses this information to automatically create rules for To the asset For more information see Rule Profiles open the New Rule Profile Wizard click Add Rule Profile beneath the Rule Profiles table Select the type of rule you want to create standard or special If you are creating a special rule you also select a rule type from the list provided Click Next Define the rule profiles Expand the folders and select the protocols you want to use Use SHIFT click to select a range of protocols u
138. te the default ARP rule Asset Interface Direction Asset Interface Protocol Permission Log Type il Any FSHMI Network gt Fs PLC 001 FS Contro 4 DHCP BOOTP aAllow O Stand iz Fs_HMLo01 FSHMI Network i Fs PLC 001 FS Contro QMODBUS TCP Enforcer Stand tz IB Fs_HML001 FS HMI Network gt EU Fs PLC 001 FS Contro HTTP Allow O Stand iv Any FS HMI Network W Fs PLC 001 FS Contro lt none gt O Deny A ASen M Any FSHMINetwork 4 A Fs_PLc_oo1 FS Contro 0 lt none gt O Deny WM Ase iz B Fs HMLOHI FSHMI Network gt W Fs PLC oni FS Contro OPC Classic O Enforcer 1 _ Stand iz IB Fs HMI 012 FS HMI Network W Fs PLC 011 FS Contro EtherNet IP CIP Enforcer MW Stand 64 Firewall Rate Limiting The Rate Limit fields are advanced settings that are available for firewall rules These define the rate at which packets that have met the other criteria for a given rule are allowed through the firewall The rate limiting uses a token bucket filter algorithm with three settings Rate Limit the average packet allow rate over the defined time interval Interval the time interval used for the rate limit second minute hour day Burst Limit the maximum initial number of packets allowed To understand how token bucket filtering works picture a bucket of tokens It costs one token for the firewall to forward one packet If the bucket is out of tokens then the firewall will dr
139. terest of further technical developments we reserve the right to make design changes Measurement Technology Limited Great Marlings Butterfield Luton Beds LU2 8DL UK Tel 44 0 1582 723633 Fax 44 0 1582 422283 THE AMERICAS E mail mtlenquiry eaton com 1 800 835 7075 www mtl inst com mtl us info eaton com 2015 MTL ASIA PACIFIC All Rights Reserved 65 6 645 9888 Publication No INM MTL Tofino Configurator Rev 2 2 sales mtlsing eaton com Te Powering Business Worldwide
140. the conversion process is successful you will be redirected to the Project tab that shows the created licenses Otherwise an error message displays with an error code Contact the customer support for help to deal with the error Navigate to the Licenses tab to check the newly created TC licenses after a successful license migration Note The submitting user is set as the LAK s account activator which is attached to the newly created licenses Navigate to the Hardware tab to pair the created licenses to the specific Tofino hardware device Note Skip this step if the CMP license creates the hardware during the conversion process Navigate to the Grant tab to generate the grants file to import the licenses into your TC INM MTL Tofino Configurator Rev 2 2 133 Converting CMP License to a TC 13 3 Customizing Program Settings License and Preferences 134 INM MTL Tofino Configurator Rev 2 2 Upgrading Your Tofino SA 13 3 Customizing Program Settings and Preferences 15 Upgrading Your Tofino SA There are two ways to upgrade your Tofino SA device Over the network Via encrypted files on a USB storage device The information you receive with your upgrade will indicate the proper method for your Tofino SA To communicate with a Tofino SA over the network you need a license for the NetConnect Loadable Security Module LSM which you activate for the To
141. the rule from passing Enforcer The Tofino SA will further inspect and filter the traffic using Deep Packet Inspection This option is available for protocols that have Enforcer LSMs installed Type The type selected when the firewall was created Standard or Special Standard These rules are designed to allow or deny specific protocols passing through the firewall They allow the user to set the source destination direction and permission for traffic of a particular protocol type Special These rules are highly complex and go beyond allowing and denying traffic For example a Special Rule could be used to block a subset of a particular type of traffic The available Special Rules can be viewed in the Special Rules folder Log A check box indicating if logging is enabled for the rule Note By default the Tofino SA will log denied packets that do not match any of the rules in the firewall table Similarly if you enable logging on a rule the permission may be Allow or Deny packets matching the rule will be logged Conversely if logging is disabled on a rule no log events will be created for packets matching this rule A common use for this option is to help stop nuisance alarms from blocking broadcast traffic Details A short form summary of special firewall rule details The information in this column comes from the Rule Details section Description A text field where the controls engineer can add a comment about
142. to communicate through devices such as Modbus bridges and gateways It allows these devices to use a single IP address to support multiple independent Modbus end units If you want the Unit ID to be inspected enter one or more comma separated values in this field If you do not reguire restrictions on the Unit ID leave this field blank L To have the Tofino SA check that the messages for well known Modbus commands 1 6 15 16 20 24 are properly formed and follow the Modbus specification select Sanity Check If a message does not follow the specification the Tofino SA will block it For example if a Modbus Write Multiple Registers command Function Code 16 has a value in its length field that is either illegal or does not match the amount of data being sent then the message would be dropped This option may have to be disabled for Modbus devices that do not conform to the Modbus TCP 1 1b specification The Tofino SA performs a sanity check on the Modbus MBAP header whether or not this option is selected L To have the Tofino SA block and report any Modbus command or response that is out of seguence for the current state of the connection select State Check Examples of out of state traffic include a command sent by the slave device to the master or a response sent by the master device to the slave 76 INM MTL Tofino Configurator Rev 2 2 Firewall Rules 7 2 Deep Packet Inspection Firewalls A CAUTION LOSS OF COMMU
143. to filter traffic based on high level message content such as the commands and services being used or the memory locations being accessed Enforcers are designed to be add ons to the standard Tofino Firewall LSM There are multiple Enforcers that you can activate and use each one provides Deep Packet Inspection for a different protocol The following Enforcers are available in the current version of the MTL Tofino Configurator Modbus TCP Enforcer OPC Classic Enforcer EtherNet IP Enforcer The Tofino SA model and the installed LSM licenses determine the Enforcers available in the MTL Tofino Configurator The Firewall details page lists the firewall rules configured for the selected Tofino SA On this page you can create a new firewall rule and manage the existing rules You can do the following Create a new firewall rule View and edit the rules Reorder rules Cut copy and paste rules Delete rules INM MTL Tofino Configurator Rev 2 2 61 Firewall Rules The Rule Table supports multiple selection Use SHIFT click to select a range of rules use CTRL click to select multiple rules out of sequence This lets you copy multiple rules from one Tofino SA and paste them into another Selecting a rule in the table displays additional information for that rule and protocol in the Rule Details section at the bottom of the page amp Project Explorer FS_TSA_001 Firewall ol Network Rule Table The firewall rules configu
144. to the latest software version using the firmware update software downloaded from the Tofino Security website www tofinosecurity com You will use a USB storage device to load these files to the Tofino SA The USB device needs to be empty before you begin this task Place the upgrade files on a suitable USB storage device Follow the steps described in Loading Your Tofino SA via USB Once the USB Load is complete confirm that it was successful by performing a USB verification as described in Verifying a Tofino SA Configuration The Verification Results dialog box lets you know the verification is complete It indicates the upgrade was successful or lists any errors detected Click OK to close this window Note The purpose of firmware updates is to bring previously purchased Tofino SAs to the latest software level This update does not enable or license new LSMs on Tofino SA hardware To activate new LSMs see Adding LSM Licenses INM MTL Tofino Configurator Rev 2 2 137 Upgrading Your Tofino SA 15 2 Upgrading via USB 138 INM MTL Tofino Configurator Rev 2 2 Reference Field Descriptions 15 2 Upgrading via USB 16 Reference Field Descriptions The topics in this section provide detailed field descriptions to help you edit and maintain your project INM MTL Tofino Configurator Rev 2 2 139 Reference Field Descriptions 16 1 Tofino SA Fields 16 1 Tofino SA Fields
145. tocol over SSL A protocol that uses encryption to transfer Web documents from a server to a browser IDS Intrusion Detection System A system to detect suspicious patterns of network traffic IP Internet Protocol The standard protocol used on the Internet that defines the datagram format and a best effort packet delivery service IT Information Technology The development installation and implementation of business computer systems and their applications LAN Local Area Network A network that interconnects computers in a limited area such as a home office laboratory or factory LDAP Lightweight Directory Access Protocol Protocol to access directory services LSM Loadable Security Module Software plug ins providing security services such as Firewall Intrusion detection system IDS and Diagnostics Modbus A communications protocol designed by Modicon Incorporated for use with its PLCs MySQL A relational database management system RDBMS that runs as a server providing multi user access to a number of databases NETBEUI NetBIOS Extended User Interface An enhanced version of the NetBIOS protocol NetBIOS Network Basic Input Output System A de facto IBM standard for applications to use to communicate over a LAN NTP Network Time Protocol OFS OPC Factory Server Data server software OLE Object Linking and Embedding A precursor to COM allowing applications to share data and manipulate shared data OPC OLE for Process Control
146. two assets Set the direction so that it is FROM the EtherNet IP Client TO the EtherNet IP Server The Bidirectional option is not an appropriate selection for the EtherNet IP Enforcer LSM Click Next On the Protocol page expand the Common Industrial folder and select EtherNet IP CIP Explicit Msg In the Permission section select Enforcer INM MTL Tofino Configurator Rev 2 2 81 Firewall Rules 7 2 Deep Packet Inspection Firewalls Note If you select Allow or Deny the Tofino SA will allow or block the EtherNet IP traffic between the two assets accordingly without reference to the EtherNet IP Enforcer Click Finish The MTL Tofino Configurator creates the Enforcer firewall rule and adds it to the table Configure the firewall settings in the Rule Details section at the bottom of the page Tofino 00 50 C2 63 26 D2 Firewall on Asset Interface Protocol Ary Net2 fe ARP 24 Net2 EtherNevP CIP 82 Select the General tab Set rate and burst limits as required Select the Enforcer tab and configure the rule as follows Select the appropriate option for CIP Services The options are Read Only Data CIP services that are data read commands are permitted Read Write Data CIP services that are data read or data write commands are permitted Any All CIP services are permitted INM MTL Tofino Configurator Rev 2
147. u need a license for the NetConnect Loadable Security Module LSM which you activate for the Tofino SA INM MTL Tofino Configurator Rev 2 2 95 Applying and Verifying Configurations 9 1 Applying a Tofino SA Configuration 9 1 Applying a Tofino SA Configuration To configure a Tofino SA in the field you apply the configuration settings in the MTL Tofino Configurator to the matching Tofino SA device The Apply action builds an encrypted configuration that you transfer to the Tofino SA in one of two ways over the network or via encrypted files on a USB storage device When you set up a Tofino SA to communicate over the network you apply the configuration directly to the Tofino SA in the field When you set up a Tofino SA to communicate via USB you apply the configuration to a USB storage device and then transfer the configuration manually to the matching Tofino SA Regardless of how you transfer the configuration you will receive a set of files back from the Tofino SA that you can verify in the MTL Tofino Configurator You can apply a configuration if the following conditions are met The Tofino SA configuration is valid The MTL Tofino Configurator is licensed properly and the correct LSM licenses exist to support the LSMs being configured You have write access to the project file Any changes to the project have been saved The write access requirement helps to keep users without sufficient privileges from modifying Tofino SA
148. uring Load Save INM MTL Tofino Configurator Rev 2 2 157 Troubleshooting 17 3 USB Storage Device Recommendations No of Flashes During Load Sequence During Save Sequence 5 The device was unable to load the files It is possible that the files were damaged during the copying operation Repeat the copying operation If the condition persists please contact your technical support The device was unable to copy the encrypted diagnostic files to the USB memory device It is possible that the memory device is full 6 The device was unable to deactivate the USB connection Please contact your technical support The device was unable to deactivate the USB connection Please contact your technical support The file system of the device does not have enough memory capacity to save the files temporarily before they are copied to the USB memory device Please contact your technical support Table 4 Fault LED Activity During Load Save 158 INM MTL Tofino Configurator Rev 2 2 Troubleshooting 17 4 Factory Resetting Your Tofino SA 17 4 Factory Resetting Your Tofino SA To reset the Tofino SA back to its default state as shipped from the factory you can perform a Factory Reset Confirm that power is applied to the Tofino SA and it has completed its start up initialization Press and release the Save Load Reset button 3 times On the first press the Save Load LED illuminates in green on the
149. will load automatically when you start the MTL Tofino Configurator Alternately within the application click the Open icon in the toolbar If you have another project open a message informs you that it will be closed You will be prompted to save the project if necessary L Locate the project file on your computer The filename will be appended with tpf O Click the file you want to open to select it Click Open O When the project is password protected the program prompts you to enter the password Type the project password and click OK 26 INM Tofino Configurator Rev 2 2 Projects 4 3 Editing Project Details 4 3 Editing Project Details You can view and edit the details of the project you currently have open in the MTL Tofino Configurator You can also change the protection settings and passwords Click the project name in the Project Explorer view The details for the current project display r S HM iu a Hep Project Explorer 5 amp Fort Sask Control Network t For Control Network Project Details Getting Started Detais specific to thes project file Work through these steps to set up your project Project Name Fort Sesk Control Network 1 Define the Tofino SAs Define s Tofino SA for esch Project File C2 Users leern08281 Desktop Fort Sask Control T Project Revisio 17 uF S02 Creator Ericbyres Last Modified By kum08261 Click Tefino SAs in the Project Explorer view Company
150. wor d Password Confirm Password Password Strength Remember your password You cannot access your project without it If you choose password protection complete the Password and Confirm Password fields Create a password that is at least 6 characters long and includes uppercase lowercase and special characters 24 INM MTL Tofino Configurator Rev 2 2 Projects 4 1 Creating a New Project Note If you leave both check boxes empty any user will be able to access the information in the tpf project file To restrict access to the project file you select the License Activation Key option When selected the project file will open exclusively on a machine with a matching License Activation Key You can disable this option when you need to share the project file with technical support or a person in your company who is running a different copy of the MTL Tofino Configurator Click Next Set an optional administrator password Select the Use Administrator Password check box then complete the Password and Confirm Password fields Administrator Password Specify the project Administrator Password Use Administrator Password Passwort d Confirm Password Password Strength IMPORTANT You cannot use the administrator password to recover a lost project password Use the administrator password feature to prevent specific changes to the project file When set the administrator password will
151. your MTL Tofino Configurator is installed on a laptop that will be moved between various locations select contact assets on opposite sides of the Tofino SA This gives you a valid path for communicating between the MTL Tofino Configurator and the Tofino SA regardless of where you are on the network Managed switches make great contact assets Each Tofino SA in your project maintains a list of contact assets These assets can be one of three types The IP address of a contact asset found with the Discovery function A specific IP address An existing asset You can add any number of assets to this list but at least one needs to be on the other side of the Tofino SA from the MTL Tofino Configurator The MTL Tofino Configurator will attempt to establish communication with the Tofino SA using the first asset in the list and then move onto the next until a successful connection is established Use the arrow buttons to the right of the list to reorder the assets to make the connection process faster The MTL Tofino Configurator may be located anywhere in the network as long as it is able to communicate with the Tofino SAs that it manages If any routers or firewalls are located between the MTL Tofino Configurator and a Tofino SA in the network then configure each router firewall device to allow the MTL Tofino Configurator traffic to pass through these devices The MTL Tofino Configurator uses both TCP and UDP traffic to manage Tofino
Download Pdf Manuals
Related Search