Schneider Electric TCSEFEA23F3F20 Tofino Firewall - ConneXium User Manual
ConneXium S1B76071.00 TCSEFEA Tofino Firewall User Manual www.schneider-electric.com Contents Contents Safety Information 5 About this Manual 7 Key 9 1 Introducing the ConneXium Tofino Configurator 11 1.1 Navigating the ConneXium Tofino Configurator 12 2 10 Steps to a Secure Control System 15 3 Installing Your ConneXium Tofino Configurator 17 4 Creating Projects 19 4.1 Creating a New Project 21 4.2 Viewing and Editing a Project 22 4.3 Managing Project Files 23 5 Defining Tofino SA Configurations 25 5.1 Creating a New Tofino SA 26 5.2 Viewing and Editing a Tofino SA 29 5.3 Tofino SA General Settings 30 5.4 Managing Tofino SAs 34 6 Defining Assets 35 6.1 Creating an Asset 37 6.2 Asset Templates 40 6.3 Viewing and Editing Assets 42 6.4 Managing Assets 46 7 Defining Firewall Rules 47 7.1 Managing Firewall Rules 48 S1B76071 - 06/12 3 Contents 7.2 Viewing and Editing Firewall Rules 53 7.3 Using Modbus TCP Enforcer Rules 62 8 Configuring Event Logging 67 9 Loading and Verifying Configurations 71 9.1 Creating a USB Configuration 72 9.2 USB Loading Your Tofino SA 73 9.3 USB Save from Your Tofino SA 75 9.4 USB Verification 77 10 Advanced Topic - Creating and Managing Protocols 81 10.1 Creating a Protocol 83 10.2 Viewing and Editing Protocols 85 10.3 Managing Protocols 88 11 Advanced Topic - Importing Templates and Security Profiles 89 12 Advanced Topic - ConneXium Tofino Configurator Settings 91 12.1 User Administration 92 12.2 Preferences 93 13 95 Troubleshooting 13.1 Tofino SA Diagnostics 96 13.2 Firewall Not Blocking Traffic 100 13.3 USB Storage Device Recommendations 101 13.4 Factory Resetting Your Tofino SA 103 14 4 Glossary 105 S1B76071 - 06/12 Safety Information Safety Information Important Information Notice: Read these instructions carefully, and look at the equipment to become familiar with the device before trying to install, operate, or maintain it. The following special messages may appear throughout this documentation or on the equipment to warn of potential hazards or to call attention to information that clarifies or simplifies a procedure. S1B76071 - 06/12 5 Safety Information PLEASE NOTE: Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of the use of this material. © 2012 Schneider Electric. All Rights Reserved. 6 S1B76071 - 06/12 About this Manual About this Manual Validity Note The data and illustrations found in this book are not binding. We reserve the right to modify our products in line with our policy of continuous product development. The information in this document is subject to change without notice and should not be construed as a commitment by Schneider Electric. Product Related Information Schneider Electric assumes no responsibility for any errors that may appear in this document. If you have any suggestions for improvements or amendments or have found errors in this publication, please notify us. No part of this document may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without express written permission of Schneider Electric. All pertinent state, regional, and local safety regulations must be observed when installing and using this product. For reasons of safety and to ensure compliance with documented system data, only the manufacturer should perform repairs to components. When devices are used for applications with technical safety requirements, please follow the relevant instructions. Failure to use Schneider Electric software or approved software with our hardware products may result in improper operating results. Failure to observe this product related warning can result in injury or equipment damage. User Comments We welcome your comments about this document. You can reach us by e-mail at [email protected] S1B76071 - 06/12 7 About this Manual Related Documents Title TCSEFEA ConneXium Tofino Firewall User Manual TCSEFEA ConneXium Tofino Firewall Installation Manual 8 Reference number S1B76071 S1B69349 S1B76071 - 06/12 Key Key The designations used in this manual have the following meanings: List Work step Subheading Link Note: Cross-reference with link A note emphasizes an important fact or draws your attention to a dependency. Courier ASCII representation in user interface S1B76071 - 06/12 9 Key 10 S1B76071 - 06/12 Introducing the ConneXium Tofino Configurator 1 Introducing the ConneXium Tofino Configurator The ConneXium Tofino Industrial Security Solution is a comprehensive package for securing industrial control systems, particularly at the Local Area Network (LAN) level. The system consists of three core components: ConneXium Tofino Firewall- Referred to in this manual as the Tofino Security Appliance or Tofino SA, these industrially hardened devices are installed in front of individual and/or clusters of Human Machine Interfaces (HMI), Distributed Control Systems (DCS), Programmable Logic Controllers (PLC) or Remote Terminal Units (RTU) control devices that require protection. Tofino Loadable Security Modules (LSM) - a variety of software modules providing security services such as Firewall and Event Logger. Each LSM is activated on the Tofino SAs to allow them to offer customizable security functions, depending on the requirements of the control system. ConneXium systems have the LSMs pre-loaded at the factory. ConneXium Tofino Configurator - a Windows-based off-line management system for the configuration of each Tofino SA. Use the ConneXium Tofino Configurator off-line on your PC to define configuration data for each Tofino SA in your plant. When you have finished editing the configuration, you can save a copy of the configuration data to a USB storage device and then use this storage device to transfer the configuration into the Tofino SAs. You can also retrieve configuration details from a Tofino SA and load them back into the ConneXium Tofino Configurator to verify that the correct configuration is being used in the field. S1B76071 - 06/12 11 Introducing the ConneXium Tofino Configurator 1.1 Navigating the ConneXium Tofino Configurator 1.1 Navigating the ConneXium Tofino Configurator The ConneXium Tofino Configurator is designed to look and operate just like Windows Explorer that you use to navigate files and folders on your computer. This way you can start using the ConneXium Tofino Configurator immediately. 1 - Project Explorer view: where Tofino SAs, Asset Templates, Assets, Protocols and Special Rules are listed in a tree format similar to the way that files are displayed in Windows Explorer. Any object in the Project Explorer view can be clicked on and details can be viewed in the Details view. Clicking on the root folder will display a table of defined objects of that type. For example, clicking on the Assets folder will present a table of the defined assets in the project. 2 - Details view: where the details of what is selected in the Project Explorer are displayed. This is where you can edit particular values for an object. 12 S1B76071 - 06/12 Introducing the ConneXium Tofino Configurator 1.1 Navigating the ConneXium Tofino Configurator The ConneXium Tofino Configurator has a tool bar that allows you to perform actions on the objects in a project. The toolbar contains 3 sections Project Edit commands - This section appears at the far left of the toolbar and is for commands related to managing project files and their data. It includes: Create new Projects, Assets, Asset Templates, Protocols, or Tofino SAs, using a wizard. Open an existing project. Save a project. Import predefined Asset Templates, Protocols, Special Rules and Security Profiles Cut/Copy/Paste/Delete of objects and fields. Context commands - This section appears in the center of the toolbar and is for commands related to the content that is currently being worked on. The list of commands which appears here changes depending on the type of object selected in the Project Explorer. Help and Configuration commands - This section appears at the far right of the toolbar and is for: Audit Logs: Viewing and managing the audit system. Preferences: Setting configurations, such as the location of the audit file. Help menu commands (down arrow to the right of Help); including About and Display Help. S1B76071 - 06/12 13 Introducing the ConneXium Tofino Configurator 14 1.1 Navigating the ConneXium Tofino Configurator S1B76071 - 06/12 10 Steps to a Secure Control System 2 10 Steps to a Secure Control System The ConneXium Tofino Configurator was designed to make the installation of security firewalls in an industrial control system as simple as possible. Follow the steps below to configure and install your ConneXium Tofino Industrial Security Solution. Install your ConneXium Tofino Configurator on your computer. Create a Tofino ConneXium project. Define the Tofino SAs for your project: This information will be used to configure the actual Tofino SAs that will be installed on your network. S1B76071 - 06/12 15 10 Steps to a Secure Control System Define Assets for your project: These objects represent both real network entities (such as HMIs and PLCs) and virtual entities (such as Broadcast Addresses) on your network. They are used to simplify tasks like creating firewall rules. Define Firewall Rules for your Tofino SAs: These use the assets you created earlier, along with predefined protocols and special rules that are supplied with the ConneXium Tofino Configurator to determine what network traffic the Tofino SA will allow or block. The Modbus TCP Enforcer is accessed through the Firewall selection. Configure the Event Logger (Optional): Enter the details for your syslog server where you want Tofino SA alarms and events sent. Or configure the Tofino SA to save logs locally on the Tofino SA for later offloading via USB storage device. Create a configuration on a USB storage device: This builds encrypted configuration files for loading into Tofino SAs and stores them to a USB storage device. Install your Tofino SA hardware on the network, between the device(s) to be protected and the rest of the network. Load the configuration into the Tofino SAs: Insert the USB storage device containing your configuration files into the USB port on the matching Tofino SAs and then load the configuration. Verify the configuration: Retrieves the configuration load reports from the USB storage device that was used to load configurations onto one or more Tofino SAs. This will allow you to record the configuration of Tofino SAs in the field and save it in your project. You have successfully installed the ConneXiumTofino Industrial Security Solution and significantly improved the security of your process network. Note: The Tofino SA will pass network traffic freely during the initial configuration or when its configuration is being updated. Firewall rules take effect after completion of the initial configuration or update of the Tofino SA so that network operations are not affected before the full rule set can be loaded. A typical configuration load will finish in approximately 30 seconds. 16 S1B76071 - 06/12 Installing Your ConneXium Tofino Configurator 3 Installing Your ConneXium Tofino Configurator This section details the procedure for installing the ConneXium Tofino Configurator on a computer that has not previously had the ConneXium Tofino Configurator installed on it. The steps for installing a new copy of the ConneXium Tofino Configurator are as follows: Run the ConneXium Tofino Configurator installer. Assign a License Activation Key (LAK), affixed to the CD envelope supplied with the ConneXium Tofino Firewall product. Initial Preparation Prior to installing your ConneXium Tofino Configurator software, please verify that you have the following materials ready: ConneXium Tofino Configurator Installer CD. License Activation Key (a 25 string of letters and numbers such as X4QP9-RMNRQ-B59SD-AG5H6-KSFRW). Run the ConneXium Tofino Configurator Installer Run the ConneXium Tofino Configurator installer from the CD. Follow the on-screen instructions to install the ConneXium Tofino Configurator. Enter your LAK, and required information on the Activate Your License screen. S1B76071 - 06/12 17 Installing Your ConneXium Tofino Configurator 18 S1B76071 - 06/12 Creating Projects 4 Creating Projects The ConneXium Tofino Configurator uses Project Files to coordinate one or more Tofino SAs that are being used for a common facility or project. Each Project File contains the configurations of the Tofino SAs it is managing along with other data such as network assets and common protocols. The first time you start the ConneXium Tofino Configurator, you will be asked if you would like to: Create a new Project, see “Creating a New Project”. Open an existing Project. Once you have worked on a Project File, that file will be visible for you to open, with one click, on the start up window. You can also set a specific Project File as the default project so that it is opened every time the ConneXium Tofino Configurator is started. Clearing or changing the default project is done in the Project Preferences, see “Preferences”. S1B76071 - 06/12 19 Creating Projects Once the project is open, the details about that project can be viewed in the Details view when the root folder in the Project Explorer is selected. This includes information such as the Project Name, Project File location on the PC, Project Revision, Creator and Company. 20 S1B76071 - 06/12 Creating Projects 4.1 Creating a New Project 4.1 Creating a New Project To begin using the ConneXium Tofino Configurator, create a Project. To launch the New Project Wizard, Select Create a New Project from the start-up screen. (You can also create a new project from the Project Explorer view by clicking the New button and selecting Project). Once the user has started the wizard, it will ask you to complete two fields: Project Name and Company. S1B76071 - 06/12 21 Creating Projects 4.2 Viewing and Editing a Project 4.2 Viewing and Editing a Project Clicking on the project name in the Project Explorer view will open the Project Details view. Here you can edit the details and check the current project version, creator and editors. Project Name - User editable project name. Defaults to "My Project". Project File - The file name and location where the Project File was loaded from or lasted saved to. This is also the location where the project will be stored the next time it is saved. It appears as "<unsaved>" for new, unsaved projects. Project Revision - The number of the current version of this project, along with a specially calculated hash code to reduce the chance of accidental duplication of revision numbers. The project revision number is incremented each time the project is saved. Creator - Uses the Windows username that was logged in at the time the project was created. Last Modified By - Uses the Windows username that was logged in at the time the project was last saved. Company - User editable company name. 22 S1B76071 - 06/12 Creating Projects 4.3 Managing Project Files 4.3 Managing Project Files Project Files can be managed just like any Windows' files. Using the ConneXium Tofino Configurator you can do the following: Open - Open an existing Project File. Save - Save the current project to the Project File. Save As - Save the current project to a different Project File with a new name. If you want to delete the Project File, you can use Windows Explorer to delete it, just like you would for any other computer file. S1B76071 - 06/12 23 Creating Projects 24 4.3 Managing Project Files S1B76071 - 06/12 Defining Tofino SA Configurations 5 Defining Tofino SA Configurations The Tofino SA management features allow you to create, edit, and delete the configuration data for multiple Tofino SAs contained in a single project. By selecting a specific Tofino SA in the Project Explorer view, you can do the following: Create a new Tofino SA. View and edit the Tofino SA configuration. Create a loadable configuration which you can save on a USB storage device. You can then insert the USB storage device into the USB port of a Tofino SA and load the configuration. Verify the load report from a USB storage device which was used to load a configuration. This will allow you to review and record successful USB loads. S1B76071 - 06/12 25 Defining Tofino SA Configurations 5.1 Creating a New Tofino SA 5.1 Creating a New Tofino SA New Tofino SAs are created using the New Tofino SA Wizard. There are three ways to launch the New Tofino SA Wizard: Click the New button and select Tofino SA. Click the New Tofino SA button in the middle section of the tool bar. Right click on an existing Tofino SA and select New Tofino SA. New Tofino SA Wizard Once the wizard has started, it will ask you to enter the Tofino ID, Name, Description, General Location, Specific Location and Model. The Firmware Code will be automatically calculated based on the Model Number you enter. Lastly select the Mode (Operational or Test) you want the Tofino SA to run in when the configuration is loaded. 26 S1B76071 - 06/12 Defining Tofino SA Configurations 5.1 Creating a New Tofino SA The second page of the wizard allows you to name the Tofino SA interfaces and set the configuration of each interface. The third page of the wizard allows you to select which LSMs you would like to have activated on the Tofino SA. S1B76071 - 06/12 27 Defining Tofino SA Configurations 5.1 Creating a New Tofino SA For more information on these fields, see “Tofino SA General Settings”. 28 S1B76071 - 06/12 Defining Tofino SA Configurations 5.2 Viewing and Editing a Tofino SA 5.2 Viewing and Editing a Tofino SA Clicking on the Tofino SA name in the Project Explorer view will open the Tofino SA Details view. Here you can navigate to pages for configuring the Tofino SA and launch wizards to perform actions such as creating a configuration on a USB storage device. The configuration and setting options available for a Tofino SA will depend on the LSMs selected earlier. Typically, the available settings include: General Settings - Configure the general settings for the selected Tofino SA. This includes general information, communications parameters, and LSM selection. Event Logger LSM Settings - Configure alarm and event logging for the selected Tofino SA. Firewall LSM Settings - Configure firewall rules for the selected Tofino SA. Some actions that can be performed for the selected Tofino SA are: Create Loadable USB Drive - Builds a loadable configuration and stores it to a selected USB storage device. This storage device can then be inserted into the USB port on the selected Tofino SA and the configuration loaded. Verify Loaded USB Drive - Retrieves the configuration report from a USB drive which was used to load a configuration onto the selected Tofino SA. This will allow you to review and record successful USB loads. S1B76071 - 06/12 29 Defining Tofino SA Configurations 5.3 Tofino SA General Settings 5.3 Tofino SA General Settings The Tofino SA General Settings view allows you to view and configure the common settings for the selected Tofino SA. This includes general information, communications parameters, status and LSM selection. General Tofino ID: The ID number found on the right hand side of the Tofino SA‘s face. This number is used to confirm that the configuration is loaded into the correct Tofino SA. Name: Insert a name or identifier that uniquely identifies the Tofino SA. (i.e. Jasper Pump Station Tofino or JP-TFN-001). Each Tofino SA needs to have a unique name for clarity and ease of deployment. Description: A text field that can be used to describe the function of this Tofino SA. General Location: A text field for reference. Specific Location: A text field for reference. 30 S1B76071 - 06/12 Defining Tofino SA Configurations 5.3 Tofino SA General Settings Network Interfaces Net 1 Name: A name or identifier that describes the upper Ethernet port on the Tofino SA. For example, you could name it after the network it connects to (such as "Business Network") or it could be named by function (such as "Untrusted"). Net 1 Medium: This sets the interface settings on the upper Ethernet port. The Tofino SA supports auto-negotiation of both Ethernet ports. Auto-negotiation means the Tofino SA‘s connection and transmission parameters are negotiated automatically with the switch or device it is attached to. Depending on the media type in the Tofino SA, you can manually set the Ethernet ports to the following: – Auto (auto-negotiate) – 10baseT-HD (Twisted pair, 10 Mb/s, half duplex) – 10baseT-FD (Twisted pair,10 Mb/s, full duplex) – 100baseTX-HD (Twisted pair,100 Mb/s, half duplex) – 100baseTX-FD (Twisted pair,100 Mb/s, full duplex) The default value is "Auto". Net 2 Name: A name or identifier that describes the lower Ethernet port on the Tofino SA. For example, you could name it after the network it connects to (such as "Control Network") or you could name it by function (such as "Trusted"). Net 2 Medium: This sets the interface settings on the lower Ethernet port. The Tofino SA supports auto-negotiation of both Ethernet ports. Auto-negotiation means the Tofino SA‘s connection and transmission parameters are negotiated automatically with the switch or device it is attached to. Depending on the media type, you can also manually set the Ethernet ports to: – Auto (auto-negotiate) – 10baseT-HD (Twisted pair, 10 Mb/s, half duplex) – 10baseT-FD (Twisted pair,10 Mb/s, full duplex) – 100baseTX-HD (Twisted pair,100 Mb/s, half duplex) – 100baseTX-FD (Twisted pair,100 Mb/s, full duplex) The default value is "Auto". S1B76071 - 06/12 31 Defining Tofino SA Configurations 5.3 Tofino SA General Settings Status Mode: You can set the Tofino SA to one of two modes: – Test: The Tofino SA is fully operational, processes traffic but will not drop any network traffic. You can use this mode to test if the Tofino SA is correctly configured before you use it to filter control system traffic. – Operational: The Tofino SA provides full-packet processing and protection. Configuration Status: This is the current status of the actual Tofino SA in the field, as determined by the last USB verification: – Unknown: The configuration has either not been loaded into the Tofino SA or has not been verified. – Verified: A USB configuration was successfully loaded onto the Tofino SA and the Verify Loaded USB command was run to read the results back into ConneXium Tofino Configurator. – Failed: The result of the Verify Loaded USB command shows that there was an unsuccessful load the last time the USB Load command was executed on this Tofino SA. Latest Configuration Revision: The number of the current version of this Tofino SA‘s configuration in this Project File, along with a specially calculated hash code to reduce the chance of accidental duplication of revision numbers. The configuration revision number is incremented each time you modify the settings of the Tofino SA and the project is saved. This is calculated separately from the Project Revision number by the ConneXium Tofino Configurator. Verified Configuration Revision: The number of the last version of this Tofino SA‘s configuration that has been verified by the Verify Loaded USB command as installed in the Tofino SA. There is also a specially calculated hash code to reduce the chance of accidental duplication of revision numbers. If the Verified Configuration Revision is different than the Latest Configuration Revision, then the Tofino SA in the field may contain an outdated configuration. Hardware Type: 32 S1B76071 - 06/12 Defining Tofino SA Configurations 5.3 Tofino SA General Settings This field is updated by the Verify Loaded USB command based on the Tofino type reported by the Tofino SA. Model: This field is updated by the Verify Loaded USB command based on the model reported by the Tofino SA Firmware Code: This field indicates the available LSMs pre-loaded in this product. Firmware Version: This field is updated by the Verify Loaded USB command based on the firmware version reported by the Tofino SA. Loadable Security Modules (LSMs) Here you can select the LSMs you wish to have activated on your Tofino SA during the USB Load. These include: Firewall LSM Event Logger LSM Modbus TCP Enforcer LSM When an LSM is selected, additional sub-folders may appear below the Tofino SA folder. These allow you to configure the specific LSM. Keep in mind that settings for the Enforcer LSMs are included in the Firewall subfolder. S1B76071 - 06/12 33 Defining Tofino SA Configurations 5.4 Managing Tofino SAs 5.4 Managing Tofino SAs You can manage your Tofino SAs just like any Windows' object. By right clicking on a Tofino SA, or using the tool bar, you have the following options: New Tofino SA - Launches the New Tofino SA wizard. Create Loadable USB - Create a loadable configuration which can be saved on a USB storage device. The USB storage device can then be inserted into the USB port of a Tofino SA and the configuration loaded. Verify Loaded USB- Verify the load report from a USB storage device which was used to load a configuration. This will allow you to review and record successful USB loads. Cut - Removes the highlighted Tofino SA from the project and saves it in the clipboard for later pasting in a different location. Copy - Makes a copy of the highlighted Tofino SA from the project and saves it in the clipboard for later pasting in a different location. Paste - Pastes the contents of the clipboard into the project. Delete - Removes the highlighted Tofino SA from the project. 34 S1B76071 - 06/12 Defining Assets 6 Defining Assets In the ConneXium Tofino Configurator, you have "Assets" that include both physical devices such as PLCs, computers and network equipment, as well as "virtual" assets such as a broadcast address range, a network or a multicast address. This provides flexibility in the creation of firewall rules. The Asset management features allow you to create, edit, and delete assets representing real world devices and systems on the control network. You can also use Asset Templates to help create a standard for commonly used assets. By selecting a specific asset in the Project Explorer view, you can: Create a new asset or folder. View and edit the asset's details. Delete an asset. Cut, Copy and Paste assets. Computer, Controller, Device, and Network Equipment Assets Most assets used in the ConneXium Tofino Configurator are real devices. These typically use messages known as Unicast messages. A Unicast message is network traffic directed from a specific device to another specific device. When you define an asset to be a computer, controller, device or network equipment, the ConneXium Tofino Configurator assumes it is a physical device on your network and helps create rules appropriate for that type of device. S1B76071 - 06/12 35 Defining Assets Network Assets Network assets are a virtual representation of the devices contained in a specific network or subnetwork. When you define an asset to be a network, the ConneXium Tofino Configurator assumes it is a collection of devices on your network that belong to a group of IP addresses known as a subnet. Thus, if you use a network asset in a rule, the ConneXium Tofino Configurator helps create rules that allow or deny traffic from that range of addresses. Broadcast and Multicast Assets In most networks there are messages that are sent to a general address and are expected to be received by everyone on the network. These are called Broadcast and Multicast messages. The ConneXium Tofino Configurator has special assets designed to handle these types of messages. Broadcast: This asset represents an address that is used for IP broadcasts. Broadcast packets, which are a normal part of network operation, are transmitted by a device to a broadcast address that many devices listen to. For example, IP networks use broadcasts to resolve network addresses using Address Resolution Protocol (ARP). The exact broadcast address is dependent on the subnet defined for a given network. If the node address is 192.168.1.1 the broadcast address might be 192.168.1.255, depending on the subnet of the node. This type of asset is required if you wish to provide broadcast filtering rules in the Firewall LSM. Multicast: This asset represents an address that is used for IP multicasts. Multicast packets are transmitted to a multicast address that a set of devices listen to. Typically these are IP addresses in the range between 224.0.0.0 through 239.255.255.255 and depend on the manufacturer of controller hardware, the protocols in use and the network configuration. For example, 239.192.22.121 is often used in Ethernet/IP networks, while 234.5.6.7 is often used with Fault Tolerant Ethernet Systems. This is required if you wish to provide multicast filtering rules in the Firewall LSM. 36 S1B76071 - 06/12 Defining Assets 6.1 Creating an Asset 6.1 Creating an Asset You can create new assets using the New Asset Wizard. You can launch the New Asset Wizard in four ways: Click the New button and select Asset. Click the New Asset button in the middle section of the tool bar. Right click on an existing asset and select New Asset. Creating an asset from an Asset Template. The fourth method is available when the Asset Template folder is selected. You can also copy and paste from existing assets or asset templates to the asset folder. However this will not run the wizard, so you will have to manually edit the appropriate fields such as name and IP address. S1B76071 - 06/12 37 Defining Assets 6.1 Creating an Asset New Asset Wizard Once you start the wizard, it will ask you to enter the Name, Asset Type, and a number of optional fields. For more information on these fields, see “Viewing and Editing Assets” The second page of the wizard allows you to enter the address information for the asset. This information will be used by the ConneXium Tofino Configurator when creating firewall rules for this asset. 38 S1B76071 - 06/12 Defining Assets 6.1 Creating an Asset The third page of the wizard allows you to define rule profiles by selecting protocols that the asset typically uses to communicate. These rule profiles are used in the firewall rule generation to suggest possible rules. S1B76071 - 06/12 39 Defining Assets 6.2 Asset Templates 6.2 Asset Templates Asset Templates are a tool to help you create multiple Assets quickly. They contain pre-defined fields that can be used to rapidly create similar assets. For example, if you have 10 PLCs in your plant that are a similar make and model, you can create an Asset Template (or use a pre-existing Asset Template) to represent that type of PLC. Then you can quickly generate Assets to represent the10 PLCs. Each time you use the New Asset From Template tool, a new Asset will be created with the fields filled out except for the Name, Location and Address information. The ConneXium Tofino Configurator comes with a number of templates preloaded for Schneider Automation products. You can also import new templates using the Import command or create templates of your own. You can also create Asset Templates by copying an existing Asset and pasting it into the Asset Template folder. By selecting a specific Asset Template in the Project Explorer view, you can: Create a new asset template or folder. Create a new asset from the selected template. View and edit the asset templates's details. Delete an asset. Cut, Copy and Paste asset templates. Some templates are factory defined, and cannot be cut or deleted. In order to use an Asset Template as the basis for an asset, select the template you wish to use and then select the New Asset From Template button. This will start the New Asset wizard with most of the fields already completed. 40 S1B76071 - 06/12 Defining Assets S1B76071 - 06/12 6.2 Asset Templates 41 Defining Assets 6.3 Viewing and Editing Assets 6.3 Viewing and Editing Assets Clicking on an asset name in the Project Explorer view will open the Asset Details view. This allows you to view and configure the settings for the selected asset. This includes general information and communications parameters. 42 S1B76071 - 06/12 Defining Assets 6.3 Viewing and Editing Assets General Name: Insert a name or identifier that uniquely identifies the asset. (i.e. Jasper Pump Station PLC or JP-PLC-001). Each Asset needs to have a unique name to avoid confusion. Type: Select an asset type.The fields available for input, will be determined by the asset chosen. Asset types include: – Computer – Controller – Device – Network – Network Equipment – Broadcast – Multicast Description: A text field you can use to describe the function of this asset. Manufacturer: The make or company that manufactured or sold this asset (for example, Schneider Electric). Model: The model of this asset (for example, Quantum). General Location: A text field for reference. Specific Location: A text field for reference. Asset Tag: User defined field for corporate asset tags. S1B76071 - 06/12 43 Defining Assets 6.3 Viewing and Editing Assets Communications IP Address: This is the IP address of the asset. In order for the firewall rules to operate properly, check that the address is correct. Subnet Mask: The subnet mask is used by the Tofino SA in conjunction with the IP address to identify the computers or devices that are part of a "local" or subnetwork. A subnet mask is 32-bit number that is notated by using four numbers from 0 to 255, separated by periods. Typically subnet masks use either 255 or 0 for each number (such as 255.255.255.0), but other numbers can appear in special cases. MAC Address: This is the Ethernet MAC or physical address of the asset. For most assets this is an optional field and should be left blank. However if you are creating rules for non-IP protocols such as GOOSE, then enter a MAC address. Rule Profiles When you create an asset you can also specify the protocols that this asset typically uses. You can also specify whether the asset uses these protocols as a client (i.e.: it initiates the communications) or as a server (i.e.: it responds to requests from clients). The New Firewall Rule Wizard can use this information to automatically create rules for the asset. Protocol: A list of protocols that this asset can use for network communications. Note: that if you select an application layer protocol such as Modbus or HTTP you do not have to select the lower layer protocols such as Ethernet, TCP and IP. Server: Selecting this box indicates that the asset acts as a server and responds to requests from clients. For example, a web server or a Modbus slave device (such as a PLC) would be selected as a server. Client: Selecting this box indicates that the asset acts as a client and initiates requests to servers. For example, a web browser or a Modbus client device (such as a HMI) would be selected as a client. 44 S1B76071 - 06/12 Defining Assets 6.3 Viewing and Editing Assets Protocols can be set as both client and server on an asset if appropriate. For example, a computer may contain both web server software and web browser software and thus could be designated as both a HTTP client and an HTTP server. S1B76071 - 06/12 45 Defining Assets 6.4 Managing Assets 6.4 Managing Assets You can manage assets just like any Windows' object. By right clicking on an asset, or using the tool bar, you have the following options: New Asset - Launches the New Asset wizard. New Folder- Creates a new folder for organizing your assets. Cut - Removes the highlighted asset from the project and saves it in the clipboard for later pasting in a different location. Copy - Makes a copy of the highlighted asset from the project and saves it in the clipboard for later pasting in a different location. Paste - Pastes the contents of the clipboard into the project. Delete - Removes the highlighted asset from the project. 46 S1B76071 - 06/12 Defining Firewall Rules 7 Defining Firewall Rules What is a firewall? A firewall is a mechanism used to control and monitor traffic between two networks (or two portions of the same network) to help protect devices on the network. It compares the traffic passing through the firewall to a predefined set of rules, discarding traffic that does not meet the rule criteria. In effect, it is a filter blocking unwanted network traffic and placing limitations on the amount and type of communication that occurs between devices (or networks) in need of protection and other systems - such as the corporate network, or another portion of a site's control network. The Tofino Firewall is an LSM that is activated on the Tofino SA to process traffic. It is a stateful deep-packet inspection firewall. What is an Enforcer? An Enforcer is an advanced firewall for specific SCADA and ICS protocols. It allows you to filter traffic based on specific function codes and message content. Enforcers are designed to be add-ons to the standard Tofino Firewall LSM. Enforcers include: Modbus TCP Enforcer: This LSM provides security features for managing Modbus TCP traffic such as: – Checks to determine if each Modbus packet conforms to the protocol specification and then allows or rejects this packet. – Allows you to specify Modbus functions that should be allowed or denied by the Tofino SA. – Monitors the state of Modbus TCP connections to determine that incoming messages are expected and in sequence. S1B76071 - 06/12 47 Defining Firewall Rules 7.1 Managing Firewall Rules 7.1 Managing Firewall Rules The Firewall details page contains a list of firewall rules configured for the selected Tofino SA. It also allows you to: Create a new firewall rule. View and edit the rules. Reorder rules. Cut, Copy and Paste rules. Delete rules. For the Cut, Copy, Paste and Delete commands you can select multiple firewall rules and perform mass operations. For example you can copy a block of rules from one Tofino SA and paste it into another. If you select a rule, a Rule Details section will appear with options for that specific rule and protocol. 48 S1B76071 - 06/12 Defining Firewall Rules 7.1 Managing Firewall Rules Creating Firewall Rules The ConneXium Tofino Configurator allows you to create two types of firewall rules: Standard firewall rules are designed to allow or deny specific protocols passing through the firewall. They allow you to set the source, destination, direction, permission and rate limits for traffic of a particular protocol type. For example, if you want to allow Modbus/ TCP traffic between two devices, a standard rule can be used. Use standard rules for most applications. Special Rules are highly complex rules that go beyond simple allow or deny. For example, a Special Rule could be used to block a subset of a particular type of traffic. The available Special Rules can be viewed in the Special Rules folder. You should only use these rules in exceptional cases. New rules are created using the New Firewall Rule Wizard.You can launch the wizard by selecting the Firewall Details view for the Tofino SA you wish to create a rule for and then by clicking the Create Rule button in the middle section of the tool bar. Once the wizard has started, it will ask you if you want to create your rule based on a standard rule or a Special Rule. If you select Special Rule, you will be asked to choose from a list of available Special Rule templates. S1B76071 - 06/12 49 Defining Firewall Rules 7.1 Managing Firewall Rules Next you will be asked to enter the Interfaces, Direction and either Assets or Addresses. For more information on these fields, see “Viewing and Editing Firewall Rules” 50 S1B76071 - 06/12 Defining Firewall Rules 7.1 Managing Firewall Rules The second page of the wizard asks you to select one or more protocols for the rules. You can either allow the wizard to: Use the rule profiles associated with the assets you just selected to automatically generate the rules Manually select the protocols you want rules created for. If more than one protocol is selected, then a rule will be created for each protocol. Finally, you select the permission (i.e.: Allow, Deny or Enforcer) and whether you want logs created whenever this rule is triggered. S1B76071 - 06/12 51 Defining Firewall Rules 7.1 Managing Firewall Rules Note: When the option to automatically generate rules is selected, the ConneXium Tofino Configurator will check both of the assets selected earlier in the wizard for protocols listed in the rule profiles. The automatic rule generator will then create one rule for every protocol the two assets have in common. If the two assets do not have any protocols in common or if they have a protocol in common but are either both clients or both servers then a warning will be sent and no rules generated. 52 S1B76071 - 06/12 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules 7.2 Viewing and Editing Firewall Rules Clicking on the Firewall sub-folder for a Tofino SA in the Project Explorer view will open the Firewall Details view. Here you can view and edit the firewall rules for this Tofino SA including rule details (See “Firewall Rule Details”). You can also change the order rules are evaluated (See “Firewall Rule Order”). The ConneXium Tofino Configurator will also prompt you to create firewall rules that it deems necessary (See “Assisted Firewall Rule Creation”). S1B76071 - 06/12 53 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules Editing Firewall Rules ! : This Active Rule check box will activate (selected) or deactivate (not selected) the rule. If the checkbox is not selected, the rule will not be loaded into the firewall. This allows you to create rules in advance that you wish to activate at a later time.It also allows you to quickly deactivate rules for testing, without having to delete them. Asset (#1) An asset or address that the rule applies to. The following are valid entries: – Any. – A defined asset name. – IP or MAC Address Keep in mind, that certain protocols require a specific address type or a predefined address. Interface: This is the Tofino SA interface where the left asset or address is found. 54 S1B76071 - 06/12 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules Direction: The direction a session is initiated (See “Right versus Left versus Bidirectional”). There are three possible selections to choose from in the table: – Right. – Left. – Bidirectional. Asset (#2): An asset or address that the rule applies to. The following are valid entries: – Any. – A defined asset name. – IP or MAC Address. Keep in mind, that certain protocols require a specific address type or a predefined address. Interface: This is the Tofino SA interface where the correct asset or address is found. Protocol The protocol that you define when setting up the firewall rule in the ConneXium Tofino Configurator. There is a list of protocols found in the Protocol folder. Permission: What the firewall does with a packet, based on the defined rules. There are three options: – Allow: Traffic matching the rule is allowed through the Tofino SA. – Deny: Traffic matching the rule is blocked by the Tofino SA. – Enforcer: Traffic matching the rule in the Tofino SA will be further inspected and filtered based on Deep Packet Inspection settings. This option is available for protocols such as Modbus that have Enforcer LSMs installed. S1B76071 - 06/12 55 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules Type: – Standard: These rules are designed to simply allow or deny specific protocols passing through the firewall. They allow the user to set the source, destination, direction and permission for traffic of a particular protocol type. For example, if the user wants to allow Modbus/TCP traffic between two devices, a standard rule can be used. – Special: These rules are highly complex rules that go beyond simple allow or deny. For example, a Special Rule could be used to block a subset of a particular type of traffic. The available Special Rules can be viewed in the Special Rules folder. Log: A checkbox for setting Logging on the rule. Note: By default, denied packets are logged and allowed packets are not logged. Selecting Logging on an Allow rule results in messages for permitted traffic being logged. De-selecting the logging option on a Deny rule results in the blocked traffic being dropped without any logs. This option is useful for blocking broadcast traffic that can create excessive nuisance alarms. Details: A short form summary of special Firewall Rule Details such as "RO" for Modbus Read-Only. Description: This field is available as a convenience, so the controls engineer may add text to document the rules that you have set up on the Tofino SA. Firewall Rule Details Many firewall rules allow you to adjust advanced settings such as traffic rate limiting. The settings for a selected rule are displayed in one or more tabs below the rule table in the ConneXium Tofino Configurator. A summary of these settings are also shown in the Details column of the Firewall table. 56 S1B76071 - 06/12 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules Firewall Rule Order The Tofino SA inspects packets in a sequential manner according to the order that the rules are displayed in the firewall rule table. Having the same rules, but placing them in a different order, can radically alter how the Tofino SA manages traffic. When the Tofino SA receives a packet, it compares it against the first rule, then the second, then the third, etc. When it finds a rule that matches, it stops checking and applies that rule. If the packet goes through each rule without finding a match, then that packet is denied. You can manually reorder the rules by selecting a rule and clicking the Move Up and Move Down buttons in the middle tool bar. S1B76071 - 06/12 57 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules Keep in mind that the first rule in the Tofino SA that matches, is applied to the packet, not the rule that best matches. Based on this, set the more specific rules at the top of the list, followed by the more general rules. This helps to prevent a general rule being matched before hitting a more specific rule. There are certain exceptions to this strategy - for example, rules using MAC addresses need to be evaluated before rules using IP addresses. The ConneXium Tofino Configurator advises you if this is required. Assisted Firewall Rule Creation Some firewall rules are needed for other rules to work correctly. For example, for a TCP rule to work an ARP Allow rule is needed. This is because the devices using the TCP protocol use the ARP protocol to determine each other's addresses. The Tofino SA detects when an additional rule is needed and prompts you to insert it. 58 S1B76071 - 06/12 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules Firewall Rate Limiting Three advanced settings that are available for rules are the Rate Limiting settings. These define the rate at which packets that have met the other criteria for a given rule are allowed through the firewall. The rate limiting uses a token bucket filter algorithm with three settings: Rate Limit: The average packet allow rate over the defined time interval. Interval: The time interval used for the Rate Limit (Second, Minute, Hour). Burst Limit: Maximum initial number of packets allowed. This will be greater than or equal to the Rate Limit. To understand how token bucket filtering works, picture a 'bucket' of 'tokens'. It costs one token for the firewall to forward one packet. If the bucket is out of tokens, then the firewall will drop packets until there are more tokens in the bucket. The number of tokens (and thus the number of forwarded packets) is controlled by two settings; Rate limit and Burst Limit. The Rate Limit is the rate at which the bucket is refilled with tokens. The rate limit setting is calculated over an interval set by the user (such as per second or per minute). Thus if the rate limit is 50 and the interval is "per second", then 50 tokens per second will be placed in the bucket and 50 packets per second will be let through the firewall. Keep in mind, that the refilling of the bucket is done gradually over an interval (not at the start of the interval). The Burst Limit is the initial number of tokens in the bucket, as well as the maximum number of tokens the bucket can hold. In other words, this helps to prevent the number of tokens from building up during times of low traffic. S1B76071 - 06/12 59 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules The firewall will immediately allow through any burst of packets equal to the number of tokens in the bucket. Once the bucket is empty, the firewall can only forward packets as the bucket refills over time at the rate specified by the rate limit. If the rate of packets is faster than the rate limit, the bucket will empty at the rate of packets, and then will be limited by the rate limit which refills the bucket. In other words, if your burst limit is 100 and your rate limit is 25 per second and 1000 packets are sent to the firewall, then the first 100 will be allowed, followed by another 25 packets per second after that. Any other packets will be dropped. Right versus Left versus Bidirectional Many firewall rules have a direction associated with them. This displayed arrow direction indicates which device establishes a connection between the two nodes. It does not refer to packet flow. For example, if an HMI is using Modbus/TCP to request data from a PLC, the HMI will be the device initially setting up the communications connection. Once the connection is established, then packets will flow in both directions. Another way of thinking of this is to consider a normal telephone system. The person dialing the phone number (Person 1) is who is setting up (i.e. establishing) the connection. Once the other person (Person 2) answers the phone, then speech can flow both ways. 60 S1B76071 - 06/12 Defining Firewall Rules 7.2 Viewing and Editing Firewall Rules The Tofino Firewall LSM allows three choices on direction of connection set up: Right: Connections can only be established by the left asset (as defined in the rule table) and will flow to the right. For example, an HMI could be the left asset and a PLC the right asset and the direction set to "Right". This would allow the HMI to initiate the connection and the PLC to respond, but the PLC would not be allowed to initiate a session. Left: Connections can exclusively be established by the right asset (as defined in the rule table) and will flow to the left. For example, a Workstation with a browser client could be the right asset and a Web Server the left asset and the direction set to "Left". This would allow the Workstation to initiate web sessions and the Web Server to respond, but the Web Server would not be allowed to initiate a session. Bidirectional: The connections can be established by either device. Remember, once the connection is established, traffic will be able to flow in both directions regardless of the direction of the rule. S1B76071 - 06/12 61 Defining Firewall Rules 7.3 Using Modbus TCP Enforcer Rules 7.3 Using Modbus TCP Enforcer Rules The Modbus TCP Enforcer LSM is an advanced deep packet inspection firewall for the Modbus TCP protocol. It allows you to filter traffic based on specific Modbus function codes, register ranges and the validity of the Modbus messages. The Modbus TCP Enforcer LSM is a security software module to the standard ConneXium Tofino Firewall. Activating the Modbus TCP Enforcer LSM Before Modbus TCP Enforcer capabilities are available, activate both the Firewall LSM and the Modbus TCP Enforcer LSM on theTofino SA “Tofino SA General Settings”. Creating Modbus TCP Enforcer Rules Follow these steps to create a Modbus Enforcer firewall rule: Create a firewall rule between two assets. Set the protocol to either Modbus TCP or Modbus UDP. Set the direction of the rule so that it is FROM the Modbus Master TO the Modbus Slave. (Keep in mind that the Bidirectional option cannot be used with the Modbus TCP Enforcer LSM). Set the Permission to Enforcer. Note: If you select ALLOW or DENY, the Modbus traffic between the two assets will simply be allowed or blocked accordingly by the Tofino SA, without reference to the Modbus TCP Enforcer. Once you create a Modbus Enforcer rule, the next step is to configure it. 62 S1B76071 - 06/12 Defining Firewall Rules 7.3 Using Modbus TCP Enforcer Rules Configuring Modbus TCP Enforcer Rules Follow these steps to configure the Modbus TCP Enforcer firewall rule you have created: Click on the Enforcer Details tab. Set the following fields as needed: Function Codes. This is either set to one of the following: Read-Only: only function codes that are data read commands are permitted. Read/Write: only function codes that are data read or data write commands are permitted. Programming/OFS: only function codes that are either data read write or programming commands are permitted. Any: all Modbus function codes are permitted. Advanced: opens a new window so you can individually select function codes and ranges. Unit ID: The Tofino SA uses the 'Unit Identifier' to communicate via devices such as bridges, routers and gateways that use a single IP address to support multiple independent Modbus end units. For most Modbus TCP applications, this should be set to either 0 or 1. If you don't want the Unit ID to be checked, clear this field. S1B76071 - 06/12 63 Defining Firewall Rules 7.3 Using Modbus TCP Enforcer Rules Sanity Check: For well known Modbus commands (1-6, 15, 16, 20-24), the Tofino SA can check if the messages are properly formed and follow the Modbus specification. If they do not, the Tofino SA will block the message. For example, if a Modbus Write Multiple Registers command (Function Code 16) has a value in its length field that is either illegal or does not match the amount of data being sent, then the message would be dropped. This option may have to be disabled for Modbus devices that do not conform to the Modbus/ TCP 1.1b specification (Keep in mind that sanity checking of the Modbus MBAP header is performed regardless of whether this option is selected). State Check: When selected, this box will cause the Tofino SA to block and report any Modbus command or response that is out of sequence for the current state of the connection. Examples of some 'out-of-state' traffic include: two Modbus commands sent by the master without an intervening response from the slave, a command sent by the slave device to the master, or a response sent by the master device to the slave. If this box is not selected, then the Tofino SA will not block these out-of-state commands or responses. Exception: If this box is selected, the Tofino SA will send a Modbus TCP exception response (if appropriate) to the Modbus device that generated a blocked message. Keep in mind that some illegal Modbus TCP messages have a defined exception response. For Modbus UDP it is recommended that the Exception option be off (not selected) and the Reset option be on (selected). Reset: If this box is selected, the Tofino SA will send a TCP reset message to both Modbus devices when it blocks a message. This can help to prevent session lock up on certain poorly designed Modbus products. If you selected Advanced for the function code, the Advanced Modbus TCP Function Code Filtering window will open. This will allow you to specify the function codes and register/coil ranges that you wish to allow for this rule. To do this, select the Add Function Code button on the tool bar. Then, select the function code you want to allow, and optionally add a register or coil range. You can add as many Function Codes as needed to one rule but each function code should only be entered once for a given rule. 64 S1B76071 - 06/12 Defining Firewall Rules S1B76071 - 06/12 7.3 Using Modbus TCP Enforcer Rules 65 Defining Firewall Rules 66 7.3 Using Modbus TCP Enforcer Rules S1B76071 - 06/12 Configuring Event Logging 8 Configuring Event Logging The Event Logger LSM is a security module used to provide external alarm and event logging for the Tofino SA to a syslog server. It offers two methods for saving event logs: Via the syslog protocol to forward Tofino SA exception events to a remote Syslog server Saving exception events to long term memory in theTofino SA for offloading via USB Storage Device Activating the Event Logger LSM Before Event Logger capabilities are available, activate the Event Logger LSM on theTofino SA “Tofino SA General Settings”. Setting up the Event Logger You can configure the Event Logger by clicking on the Event Logger folder displayed in the Project View. Syslog Server IP Address: This is the address of the Syslog server where you would like your logs sent to. In order to disable the remote syslog feature, set this field to all zeros. Default Gateway: This is the IP address of the forwarding router on the network where the Tofino SA is located. This is only required if the Syslog server is on a different network than the Tofino SA. If the syslog feature is not being used, or if the Tofino SA and the Syslog server are on the same subnet, set this field to all zeros. S1B76071 - 06/12 67 Configuring Event Logging Destination Port: This is the UDP port number your syslog server is listening for log messages on (usually Port 514). To disable the syslog feature, leave the field blank. Lowest Priority Logged: This is the cut-off as to the lowest logging level you would like the Tofino SA to record. Setting the priority to 0 would result in just the emergency events being recorded while setting the priority to 7 would result in every detected event being recorded. The default setting is 5. 0 1 2 3 4 5 6 7 Lowest Priority Message to be Logged Emergency: system is unusable Alert: action must be taken immediately Critical: critical conditions Error: error conditions Warning: warning conditions Notice: normal but significant condition Informational: informational messages Debug: debug-level messages Table 1: Lowest Priority Message to be Logged setting options for the Event Logger. Note: Keep in mind that the Tofino SA does not require an IP address to communicate to a remote Syslog server. The Tofino SA uses special stealth technology to communicate without having an IP address. The Syslog server will see the messages coming from either address 0.0.0.0 or 169.254.2.2. Retrieving Logs Using a USB Storage Device To retrieve the logs stored on the Tofino SA, insert a USB storage device into the USB port on the Tofino SA and then initiating the USB save operation. For more detail see: “USB Save from Your Tofino SA”. 68 S1B76071 - 06/12 Configuring Event Logging Once the logs are transferred to the USB storage device, install it in a computer and view the storage device to find the file containing the logs. The logs will be stored in <tofino id>_evt.log files and <tofino id>_evt.<X>.gz files. The evt.log files contain the latest events and are uncompressed. The evt.X.gz files are compressed and contain older event logs. You can open the evt. log files using a syslog viewer or WordPad for better formatting. The evt.X.gz can be uncompressed using a gzip capable tool such as WinRAR or 7-zip. Below is an example of the log file opened with WordPad. S1B76071 - 06/12 69 Configuring Event Logging 70 S1B76071 - 06/12 Loading and Verifying Configurations 9 Loading and Verifying Configurations Once your Tofino SAs are configured in the ConneXium Tofino Configurator, these configurations need to be transferred to the Tofino SAs in the field. This is a three step process: Create a configuration on a USB storage device: This builds encrypted configuration files for loading into Tofino SAs and stores them to a USB storage device. Transfer the configuration to the Tofino SAs: Insert the USB storage device containing your configuration files into the USB port on the matching Tofino SAs and then load the configuration. Verify a configuration from a USB storage device: Retrieves the configuration load reports from the USB storage device that was used to load configurations onto one or more Tofino SAs. This will allow you to record and verify the configuration of Tofino SAs in the field and save it in your project. S1B76071 - 06/12 71 Loading and Verifying Configurations 9.1 Creating a USB Configuration 9.1 Creating a USB Configuration To configure a Tofino SA in the field, the Create Loadable USB Drive action is used in the ConneXium Tofino Configurator. This builds a loadable configuration for a Tofino SA and stores it to a selected USB storage device. You can insert the storage device into the USB port on the matching Tofino SA and load the configuration. Select the Tofino SAs that you would like a USB configuration created for. You can store multiple Tofino SA configurations on the same USB storage device. Click the Create Loadable USB button on the middle tool bar. Select the USB storage device that you will save the configuration files to. The option to create a USB configuration load file will only be possible if the following conditions are met: The Tofino SA configuration is free of errors. You have write access to the Project File. Any changes to the Project have been saved. The write access requirement helps to prevent users, without sufficient privileges, from modifying Tofino SAs in the field. The final requirement reduces the possibility that the configurations being loaded into the Tofino SAs in the field are different from the configuration in the Project File. 72 S1B76071 - 06/12 Loading and Verifying Configurations 9.2 USB Loading Your Tofino SA 9.2 USB Loading Your Tofino SA The Save Load Reset button on the Tofino SA provides three functions depending on the number of times it is pressed. Once: Saves diagnostics files and log files to a USB storage device. Twice: Loads configuration files from a USB storage device. Three times: Performs a factory reset and returns the Tofino SA back to its default state as shipped from the factory. The USB Load function allows either configuration files generated by the ConneXium Tofino Configurator's Create Loadable USB function or firmware updates to be loaded to a Tofino SA using a USB storage device (See “Creating a USB Configuration”). Note: The following version 2.0 USB storage devices are known to work: Kingston Data Traveler, SanDisk Cruzer, Sony Microvault, Lexar and Schneider TCSEAM0100. Other brands and models may work, but have not been tested. WARNING UNINTENDED EQUIPMENT OPERATION Follow these configuration loading steps carefully. Power on the Tofino SA for at least one minute. Insert the USB storage device containing the prepared files into one of its USB ports. Press the Save Load Reset button twice. Both the 1/S and the 2/L LEDs will illuminate to indicate a Load. After a few seconds the marquee will move from right to left to indicate a USB Load is in progress. When the flashing sequence stops remove the USB storage device. Failure to follow these instructions can result in death, serious injury, or equipment damage. S1B76071 - 06/12 73 Loading and Verifying Configurations 9.2 USB Loading Your Tofino SA If the load was successful, the Tofino SA‘s Fault LED will be off. Following a successful USB Load function, five or more files should be stored on your USB storage device for each Tofino SA loaded (<tofino id> is replaced with the actual ID of the Tofino SA): <tofino id>_tc_data “USB Verification” data indicating if the configuration was successful or not. <tofino id>_diagnostics.txt Diagnostics information on the Tofino SA (See “Tofino SA Diagnostics”). <tofino id>_evt.log and <tofino id>_evt.<X>.gz. Event logs from the Tofino SA (See “Configuring Event Logging”). <tofino id>_kernel_evt.enc: Encrypted kernel diagnostics information (For factory troubleshooting use only). <tofino id>_diagnostics.enc Encrypted module diagnostics information (For factory troubleshooting use only). Note: The Tofino SA will pass network traffic freely during the initial configuration or when its configuration is being updated. Firewall rules take effect after completion of the initial configuration or update of the Tofino SA so that network operations are not affected before the full rule set can be loaded. A typical configuration load will finish in approximately 30 seconds. 74 S1B76071 - 06/12 Loading and Verifying Configurations 9.3 USB Save from Your Tofino SA 9.3 USB Save from Your Tofino SA The Save Load Reset button on the Tofino SA provides three functions depending on the number of times it is pressed. Once: Saves diagnostics files and log files to a USB storage device. Twice: Loads configuration files from a USB storage device. Three times: Performs a factory reset and returns the Tofino SA back to its default state as shipped from the factory. The USB Save function copies diagnostics and validation files from the Tofino SA to the USB storage device. You can then validate these files using the ConneXium Tofino Configurator‘s Verify Loaded USB function, or they can be sent to technical support for analysis. To create these files you will need to perform a USB Save. Keep in mind that a USB Load will also execute a USB Save in order to record the results of the Load and the status of the Tofino SA after the load is finished. Power on the Tofino SA for at least one minute. Insert the USB storage device into one of its USB ports. Press the Save Load Reset button once. The 1/S LED will illuminate. After a few seconds the marquee will move from left to right to indicate a USB Save is in progress. When the flashing sequence stops remove the USB storage device. If the save was successful the Tofino SA LEDs will revert to the state they were in prior to the saving action. Note: The following version 2.0 USB storage devices are known to work: Kingston Data Traveler, SanDisk Cruzer, Sony Microvault, Lexar and Schneider TCSEAM0100. Other brands and models may work, but have not been tested. S1B76071 - 06/12 75 Loading and Verifying Configurations 9.3 USB Save from Your Tofino SA Following a successful USB Save function, five or more files should be stored on your USB storage device for each Tofino SA. These are (<tofino id> is replaced with the actual ID of the Tofino SA): <tofino id>_tc_data “USB Verification” data indicating if the configuration was successful or not. <tofino id>_diagnostics.txt Diagnostics information on the Tofino SA (See “Tofino SA Diagnostics”). <tofino id>_evt.log and <tofino id>_evt.<X>.gz Event logs from the Tofino SA (See “Configuring Event Logging”). <tofino id>_kernel_evt.enc Encrypted kernel diagnostics information (For factory troubleshooting use only). <tofino id>_diagnostics.enc Encrypted module diagnostics information (For factory troubleshooting use only). 76 S1B76071 - 06/12 Loading and Verifying Configurations 9.4 USB Verification 9.4 USB Verification To verify the configuration of one or more Tofino SAs in the field, use the Verify Loaded USB action. This retrieves the configuration load reports from the USB storage device that was used to load configurations onto one or more Tofino SAs. This will allow you to record and verify the configuration of Tofino SAs in the field. Insert the USB storage device, on which the files are contained, into your computer. Select one or more Tofino SAs that you would like to verify. Click the Verify Loaded USB button on the middle tool bar. A Wizard to guide you through verifying the configuration on the selected USB drive will open. Select the Tofino SAs you want to verify. Select the USB drive location. S1B76071 - 06/12 77 Loading and Verifying Configurations 9.4 USB Verification The verification data will be displayed and logged by the ConneXium Tofino Configurator. The Verified Configuration Revision, Hardware Type, and Firmware Version for the verified Tofino SAs will be updated in the Project File. You can also view the verification information on the “Tofino SA General Settings” folder of each Tofino SA. 78 S1B76071 - 06/12 Loading and Verifying Configurations S1B76071 - 06/12 9.4 USB Verification 79 Loading and Verifying Configurations 80 9.4 USB Verification S1B76071 - 06/12 Advanced Topic - Creating and Managing Protocols 10 Advanced Topic - Creating and Managing Protocols In the ConneXium Tofino Configurator, "Protocols" define the particular services that are communicated between devices on the network. For example, the use of web traffic on a network would use the HyperText Transport Protocol (HTTP) for communications between a web server and a web client. Similarly, a HMI might use the Modbus/TCP protocol to communicate to a PLC. The Tofino SA comes with a complete set of protocols already defined. However, in special cases you may want to create new protocols for specific types of equipment or situations. The Protocol management features allow you to create, edit, and delete protocols. The ConneXium Tofino Configurator comes with a number of predefined protocols that are common to many industrial systems. These factory defined protocols cannot be cut or deleted. S1B76071 - 06/12 81 Advanced Topic - Creating and Managing Protocols By selecting a specific Protocol in the Project Explorer view, you can: Create a new protocol or folder. View and edit the protocol's details. Delete a protocol. Cut, Copy and Paste protocols. Some protocols are factory defined and cannot be edited, cut or deleted. 82 S1B76071 - 06/12 Advanced Topic - Creating and Managing Protocols 10.1 Creating a Protocol 10.1 Creating a Protocol New protocols are created using the New Protocols Wizard. There are three ways to launch the New Protocols Wizard: Click the New button and select Protocol. Click the New Protocol button in the middle section of the tool bar. Right click on an existing protocol and select New Protocol. New Protocol Wizard Once the wizard has started, it will ask you to enter a name, description and select the protocol type. S1B76071 - 06/12 83 Advanced Topic - Creating and Managing Protocols 10.1 Creating a Protocol The second page of the wizard allows you to enter specific details for the protocol. This page will vary depending on the type of protocol selected on the first page. For more information on these fields, see “Viewing and Editing Protocols”. 84 S1B76071 - 06/12 Advanced Topic - Creating and Managing Protocols 10.2 Viewing and Editing Protocols 10.2 Viewing and Editing Protocols Clicking on a protocol name in the Project Explorer view will open the Protocol Details view. This allows you to view and configure the settings for the selected protocol. This includes general information and specific parameters. The details vary depending on the type of protocol selected. Below are three typical protocols of different types. UDP/TCP Protocol S1B76071 - 06/12 85 Advanced Topic - Creating and Managing Protocols 10.2 Viewing and Editing Protocols IP Protocol Ethernet Protocol 86 S1B76071 - 06/12 Advanced Topic - Creating and Managing Protocols 10.2 Viewing and Editing Protocols General Protocol Name: Insert a name or identifier that uniquely identifies the protocol. Remember that each protocol needs to have a unique name to avoid confusion. Description: A text field for reference only and may be used to describe the function of this protocol. Protocol Type: The general classification of this protocol and determines the fields available for input. (UDP, TCP, IP or Ethernet). Ports: Identify the ports using commas to separate individual port numbers or dashes to separate a range of port numbers. For example if the protocol uses the TCP ports 5000 through 5004, they can be entered as either 5000, 5001, 5002, 5003, 5004 or 5000-5004. Exclusivley use the numbers 0 through 9 and commas and dashes. IP Protocol: The IP protocol number (in hexadecimal format). EtherType: The Ethernet type number (in hexadecimal format). For more information see: http://www.iana.org/assignments/ethernetnumbers. S1B76071 - 06/12 87 Advanced Topic - Creating and Managing Protocols 10.3 Managing Protocols 10.3 Managing Protocols You can manage protocols just like any Windows' object. By right clicking on a protocol, or using the tool bar, you have the following options: New Protocol - Launches the New Protocol Wizard. Create New Folder - Creates a folder to organize your protocols. Cut - Removes the highlighted protocol from the project and saves it in the clipboard for later pasting in a different location. Copy - Makes a copy of the highlighted protocol from the project and saves it in the clipboard for later pasting in a different location. Paste - Pastes the contents of the clipboard into the project. Delete - Removes the highlighted protocol from the project. Keep in mind that certain pre-defined protocols are read-only and are unable to be moved or deleted. 88 S1B76071 - 06/12 Advanced Topic - Importing Templates and Security Profiles 11 Advanced Topic - Importing Templates and Security Profiles The ConneXium Tofino Configurator allows you to import pre-defined objects that can be used as building blocks for your security design. The following types of objects can be imported: Asset Templates Protocols Special Rules Security Profiles Importing Asset Templates, Protocols or Special Rules allow you to update existing definitions or add new ones to your project. Importing new versions of Asset Templates, Protocols or Special Rules will not automatically update the rules in your firewalls. Security Profiles are predefined combinations of Asset Templates, Special Rules, and Protocol definitions, bundled into a single Security Profile (.tsp) file. They allow you to import the related objects needed to help secure PLCs, DCS and other devices against published vulnerabilities as a single file. S1B76071 - 06/12 89 Advanced Topic - Importing Templates and Security Profiles Note: If the Asset Templates or the Security Profiles in an imported file reference Protocols or Special Rules, these will be imported during the import operation. To import a pre-defined object follow these steps: Click the Import button. Select the type of object you would like to import. Browse for and select the object file. Click Finish. 90 S1B76071 - 06/12 Advanced Topic - ConneXium Tofino Configurator Settings 12 Advanced Topic - ConneXium Tofino Configurator Settings Your ConneXium Tofino Configurator can be adjusted using the following advanced settings: Defining the Audit preferences and Project Preferences, see “Preferences”. Setting user administration rights, see: “User Administration”. S1B76071 - 06/12 91 Advanced Topic - ConneXium Tofino Configurator Settings 12.1 User Administration 12.1 User Administration The User Identification and Administration system for the ConneXium Tofino Configurator is based on the Windows Account Management system. When you make changes to a project, the Windows user name for the active account on the computer is the user name recorded against any ConneXium Tofino Configurator activities. This user name is recorded in the audit logs for key changes to a project by the ConneXium Tofino Configurator. Similarly, user access control for a ConneXium Tofino Configurator project is based on the Windows File Management security settings for the Project File. For example, if a person is given read-only access to the folder where a Project File is stored, then the ConneXium Tofino Configurator will also give the user read-only access to project tasks. These settings extend beyond basic file management. For example, they can keep an unauthorized user from loading a new USB configuration into the Tofino SA. 92 S1B76071 - 06/12 Advanced Topic - ConneXium Tofino Configurator Settings 12.2 Preferences 12.2 Preferences The Preferences command allows you to view and edit preferences that are not project specific. Audit - The location and size of the audit file. Project - Determines the default project that opens on start-up. Audit Preferences This Preference page allows you to set the maximum size of the audit file and where it is stored. Help This Preference page allows you to select how ConneXium Tofino Configurator Help information is displayed on your computer. For example, you can select whether Help is displayed in a ConneXium Tofino Configurator window or in an external browser. Project Preferences This Preference page allows you to set the default project that opens on start-up. S1B76071 - 06/12 93 Advanced Topic - ConneXium Tofino Configurator Settings 94 12.2 Preferences S1B76071 - 06/12 Troubleshooting 13 Troubleshooting S1B76071 - 06/12 95 Troubleshooting 13.1 Tofino SA Diagnostics 13.1 Tofino SA Diagnostics The Tofino SA has the capability to save diagnostics files to a USB storage device for troubleshooting purposes. To create these files you will need to perform a USB Save. You can also view these files with a standard text editor or they can be sent to technical support for analysis. To create these files you will need to perform a USB Save. Power on the Tofino SA for at least one minute. Insert the USB storage device into one of its USB ports. Press the Save Load Reset button once. The 1/S LED will illuminate. After a few seconds the marquee will move from left to right to indicate a USB Save is in progress. When the flashing sequence stops remove the USB storage device. If the save was successful the Tofino SA LEDs will revert to the state they were in prior to the saving action. Send copies of these files to technical support for analysis. Note: The following version 2.0 USB storage devices are known to work: Kingston Data Traveler, SanDisk Cruzer, Sony Microvault, Lexar and Schneider TCSEAM0100. Other brands and models may work, but have not been tested. Interpreting Diagnostics Files If the USB Diagnostics Save is successful there will be three or four files on the USB storage device similar to this:1 <tofino id>_tc_data: “USB Verification” data indicating if the configuration was successful or not. <tofino id>_diagnostics.txt: Diagnostics information on the Tofino SA. 1. The prefix of the file name will be equal to the Tofino ID. 96 S1B76071 - 06/12 Troubleshooting 13.1 Tofino SA Diagnostics <tofino id>_evt.log and <tofino id>_evt.<X>.gz: Event logs from the Tofino SA (See “Configuring Event Logging”). <tofino id>_kernel_evt.enc: Encrypted kernel diagnostics information (For factory troubleshooting use only). <tofino id>_diagnostics.enc: Encrypted module diagnostics information (For factory troubleshooting use only). If you examine the file ending in .txt using a standard text editor such as WordPad, you should see something like the following: ================================================================== 2 Tofino Version information: 3 Tofino Firmware version: Tofino Linux: 1.7.0 4 Tofino Hardware Info: 5 Hardware : Schneider ConneXium Development Platform 6 Processor : XScale-IXP42x Family rev 2 (v5b) 7 Flash Type: P-Flash 8 Tofino ID: 00:80:63:73:77:649 ================================================================= 10 Network Statistics 11 unsecured IF ifconfig 12 eth0 Link encap:Ethernet HWaddr 00:80:63:73:77:64 13 inet6 addr: fe80::280:66ff:fe04:652c/64 Scope:Link 14 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 15 RX packets:2776 errors:0 dropped:0 overruns:0 frame:0 16 TX packets:3900 errors:0 dropped:0 overruns:0 carrier:0 17 collisions:0 txqueuelen:100 18 RX bytes:419084 (409.2 KiB) TX bytes:586268 (572.5 KiB) 19 20 secured IF ifconfig 21 eth1 Link encap:Ethernet HWaddr 00:80:63:73:77:65 22 inet6 addr: fe80::280:66ff:fe04:652d/64 Scope:Link 23 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 24 RX packets:15 errors:0 dropped:0 overruns:0 frame:0 25 TX packets:716 errors:0 dropped:0 overruns:0 carrier:0 26 collisions:0 txqueuelen:100 27 RX bytes:846 (846.0 B) TX bytes:95002 (92.7 KiB) 28 29 unsecured IF Settings 30 Basic registers of MII PHY #0: 1000 782d 0013 7a11 01e1 45e1 0005 6001. 31 The autonegotiated capability is 01e0. 32 The autonegotiated media type is 100baseTx-FD. 33 Basic mode control register 0x1000: Auto-negotiation enabled. 34 You have link beat, and everything is working OK. 35 Your link partner advertised 45e1: Flow-control 100baseTx-FD 100baseTx 10baseT-FD 10baseT, w/ 802.3X flow control. 36 End of basic transceiver information. 37 38 secured IF Settings 39 Basic registers of MII PHY #1: 1000 782d 0013 7a11 01e1 45e1 0005 S1B76071 - 06/12 97 Troubleshooting 13.1 Tofino SA Diagnostics 6001. 40 The autonegotiated capability is 01e0. 41 The autonegotiated media type is 100baseTx-FD. 42 Basic mode control register 0x1000: Auto-negotiation enabled. 43 You have link beat, and everything is working OK. 44 Your link partner advertised 45e1: Flow-control 100baseTx-FD 100baseTx 10baseT-FD 10baseT, w/ 802.3X flow control. 45 End of basic transceiver information. 46 47 ================================================================== 48 Memory 49 total used free shared buffers cached 50 Mem: 62952 17952 45000 0 140 9060 51 -/+ buffers/cache: 8752 54200 52 Swap: 0 0 0 53---------------------------------------------------------------54 MemTotal: 62952 kB 55 MemFree: 44992 kB 56 Buffers: 140 kB 57 Cached: 9060 kB 58 SwapCached: 0 kB 59 Active: 9288 kB 60 Inactive: 1996 kB 61 SwapTotal: 0 kB 62 SwapFree: 0 kB 63 Dirty: 0 kB 64 Writeback: 0 kB 65 AnonPages: 2100 kB 66 Mapped: 1744 kB 67 Slab: 3176 kB 68 SReclaimable: 752 kB 69 SUnreclaim: 2424 kB 70 PageTables: 260 kB 71 NFS_Unstable: 0 kB 72 Bounce: 0 kB 73 WritebackTmp: 0 kB 74 CommitLimit: 31476 kB 75 Committed_AS: 5200 kB 76 VmallocTotal: 958464 kB 77 VmallocUsed: 33436 kB 78 VmallocChunk: 917500 kB 79 =============================================================== 80 Flash 81 Filesystem Size Used Available Use% Mounted on 82 rootfs 31.5M 8.1M 23.4M 26% / 83 ================================================================ The files ending in .enc are encrypted files and should be sent to product technical support. 98 S1B76071 - 06/12 Troubleshooting 13.1 Tofino SA Diagnostics The files ending in .evt.log and <tofino id>_evt.<X>.gz are log files created by the Event Logger LSM and can be opened and viewed with any event management system, see: “Configuring Event Logging”. S1B76071 - 06/12 99 Troubleshooting 13.2 Firewall Not Blocking Traffic 13.2 Firewall Not Blocking Traffic If the Tofino Firewall LSM does not appear to be blocking traffic that you think it should, first check the following: The Tofino Firewall LSM status (is the Firewall LSM activated?). See: “Tofino SA General Settings” The mode of the Tofino SA (is the Tofino SA in Operational mode?). The Tofino SA‘s Mode LED should be on steady. Does the configuration of the Tofino SA REALLY match what is stored on the ConneXium Tofino Configurator? If in doubt, verify using the Verify Loaded USB feature (See “USB Verification”). Next, check the rules on the Tofino SA‘s firewall details view for the following (See “Managing Firewall Rules”): Are the device IP addresses correct? Are the protocols and direction correct? Are there conflicting rules? For example, does the Tofino SA have an "Allow All" rule as well as a protocol specific rule? Was the connection between devices established BEFORE the rule was loaded? The Tofino SA will not break established connections between two devices. If you think the connection was made before the rule was loaded, try breaking the connection by restarting one of the devices. 100 S1B76071 - 06/12 Troubleshooting 13.3 USB Storage Device Recommendations 13.3 USB Storage Device Recommendations If you are experiencing difficulties doing USB Loads or USB Saves, check to see if you are using a version 2.0 USB storage device. USB storage devices that are version 1.1 are not compatible and will not work with the Tofino SA. The Tofino SA Fault LED will flash twice (indicating invalid USB storage device), if it detects a version 1.1 USB storage device. The tested and approved USB storage devices include: Kingston Data Traveler, SanDisk cruzer, Sony Microvault, Lexar, Schneider TCSEAM0100. S1B76071 - 06/12 101 Troubleshooting No. of Flashes 2 3 4 5 6 7 13.3 USB Storage Device Recommendations During Load Sequence No USB memory device isconnected to the USB connection, orthe file system of the memory device is not formatted as FAT16 or FAT32. The files on the USB memorydevice are invalid. During Save Sequence No USB memory device is connected to the USB connection, or the file system of the memory device is not formatted as FAT16 or FAT32. The device was unable to create any diagnostic files. Please contact yourtechnical support. The device was unable to encrypt The device was unable to encrypt the configuration files. It is possible the diagnotic files. Please contact that the files were damaged during your technical support. the copying operation. Repeat the copying operation. If the condition persists, please contact your technical support The device was unable to load the The device was unable to copy the files. It is possible that the files encrypted diagnostic files to the weredamaged during the copying USB memory device. It is possible operation. Repeat the copying that the memory device is full. operation. If the condition persists, please contact your technical support The device was unable to The device was unable to deactivatethe USB connection. deactivatethe USB connection. Please contactyour technical Please contactyour technical support. support. The file system of the device does not have enough memory capacity to save the files temporarily before they are copied to the USB memory device. Please contact your technical support. Table 2: Fault LED Activity During Load/Save 102 S1B76071 - 06/12 Troubleshooting 13.4 Factory Resetting Your Tofino SA 13.4 Factory Resetting Your Tofino SA To reset the Tofino SA back to its default state as shipped from the factory, you can perform a 'Factory Reset'. Confirm that power is applied to the Tofino SA and it has completed its start-up initialization. Press, then release the "Save Load Reset" button three times so that the three LEDs are illuminated. On the first press, the " 1/s" indicator will be illuminated; on the second press, the " 2/L" indicator will be illuminated; and on the third press, the "V.24/R" indicator will be illuminated. After a few seconds, the Tofino SA will start its factory reset sequence. The " 1/s", " 2/L", "V.24/R", "Mode" and "Fault" indicators will flash simultaneously while the factory reset is being performed. Once the factory reset is complete, the " 1/s", " 2/L", "V.24/R", "Mode" and "Fault" indicators will turn off. This LED pattern confirms that the Tofino SA is passive and passing traffic without filtering. If the Mode LED is ON, repeat steps 1 through 3 above. If the LEDs are different from the above, please contact technical support. S1B76071 - 06/12 103 Troubleshooting 104 13.4 Factory Resetting Your Tofino SA S1B76071 - 06/12 Glossary 14 Glossary ACL ARG Children CIP CSP DCOM DCS DMZ DNP3 DNS DPI Firewall FTP GUI HMI HTML HTTP HTTPS IDS Access Control List: List of rules specifying access privileges to network resources. Assisted Rule Generation: a feature that helps you to create firewall rules for the purpose of helping to protect devices on your network. This feature comes with the Secure Asset Management LSM. A child node is one that is connected under another node (known as its parent). Common Industrial Protocol: CIP is an open standard for industrial network technologies. It is supported by an organization called Open DeviceNet Vendor Association (ODVA). Client Server Protocol: An Allen-Bradley protocol used to communicate to PLCs over TCP/IP. Distributed Component Object Model: This is an extension to the Component Object Model that Microsoft made to support communication among objects on different computers across a network. Distributed Control System: A Distributed Control System allows for remote human monitoring and control of field devices from one or more operation centers. Demilitarized Zone: A small network inserted as a "neutral zone" between a trusted private network and the outside untrusted network. Distributed Network Protocol 3: A protocol used between components in process automation systems. Domain Name System: A distributed database system for resolving human readable names to Internet Protocol addresses. Deep Packet Inspection. A set of security schemes that helps to prevent unauthorized persons or devices from gaining access to protected nodes on a network. A firewall essentially works as a control point that blocks invalid connections to nodes behind the firewall while still allowing trusted communications to pass through unaffected. File Transfer Protocol. Graphical User Interface: Graphical, as opposed to textual, interface to a computer. Human Machine Interface: This interface enables the interaction of human and machine. Hypertext Markup Language: The authoring software language used on the Internet's World Wide Web. Hypertext Transfer Protocol: The protocol used to transfer Web documents from a server to a browser. Hypertext Transfer Protocol over SSL: A protocol that uses encryption to transfer Web documents from a server to a browser. Intrusion Detection System: A system to detect suspicious patterns of network traffic. S1B76071 - 06/12 105 Glossary IP IT LAN LDAP LSM Modbus MySQL NETBEUI NetBIOS Asset OLE OPC Parent PCN PLC Protocol RPC SA SCADA SNMP SQL 106 Internet Protocol: The standard protocol used on the Internet that defines the datagram format and a best-effort packet delivery service. Information Technology: The development, installation and implementation of business computer systems and their applications. Local Area Network: A network that interconnects computers in a limited area such as a home, office, laboratory or factory. Lightweight Directory Access Protocol: Protocol to access directory services. Loadable Security Module: Software plug-ins providing security services such as: Firewall, Intrusion detection system (IDS), and Diagnostics. A communications protocol designed by Modicon Incorporated for use with its PLCs. A relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases. NetBIOS Extended User Interface: An enhanced version of the NetBIOS protocol. Network Basic Input Output System: A de facto IBM standard for applications to use to communicate over a LAN. The objects used to represent the devices (or groups of devices) installed in your control system. They can be broken down into seven categories: Computers, Controllers, Devices, Networks, Networking equipment, Broadcast and Multicast. Object Linking and Embedding: A precursor to COM, allowing applications to share data and manipulate shared data. OLE for Process Control: A standard based on OLE, COM and DCOM, for accessing process control information on Microsoft Windows systems. A parent node is one that has nodes connected to it (known as children). Process Control Network: A communications network used to transmit instructions and data to control devices and other industrial equipment. Programmable Logic Controller: A PLC is a small dedicated computer used for controlling industrial machinery and processes. A convention or standard that controls or enables the connection, communication, and data transfer between two computing endpoints. In its simplest form, a protocol can be defined as the rules governing the syntax, semantics, and synchronization of communication. Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection. Remote Procedure Call: A standard for invoking code residing on another computer across a network. Security Appliance: An industrially hardened security appliance designed to be installed in front of individual and/or networks of HMI, DCS, PLC or RTU control devices that require protection. Supervisory Control And Data Acquisition: A system for industrial control consisting of multiple Remote Terminal Units (RTUs), a communications infrastructure, and one or more Control Computers. Simple Network Management Protocol: A protocol used to manage devices such as routers, switches and hosts. A database computer language designed for managing data in relational database management systems. S1B76071 - 06/12 Glossary SSL Secure Socket Layer: A de facto standard for encrypted communications created by Netscape Incorporated. TCP Transmission Control Protocol: A transport level protocol that provides a connection-oriented stream service. TFTP Trivial File Transfer Protocol. Tofino Security An industrially hardened security appliance designed to be installed in front of Appliance individual and/or networks of HMI, DCS, PLC or RTU control devices that require protection. UDP User Datagram Protocol: Connectionless network transport protocol. URL Uniform Resource Locator: The address of a resource on the Internet. XML eXtensible Markup Language: A general-purpose markup language for creating special purpose markup languages that are capable of describing many different kinds of data. S1B76071 - 06/12 107 Glossary 108 S1B76071 - 06/12
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
Download PDF
advertisement