Triconex Tofino Firewall 4350-100
Your Tricon controller is critical to the continued safe operation of your plant. But the growing complexity and connectivity of modern DCS control systems, as well as their reliance on off-the-shelf PC and networking technology, bring with them the potential to disrupt the operation of the safety system due to excessive or improper network traffic.
A multi-layered Defense in Depth strategy is necessary to isolate your Tricon from computer viruses, network device failures and human error.
The Triconex Tofino Firewall protects the Tricon Communications Module (TCM) from potential disruption due to abnormal or excessive network traffic. It permits only the specific types and rates of network communications that are required for correct system operation, and prevents all other types of network traffic from reaching the TCM. This provides an additional layer of protection to your Safety Instrumented System, further enhancing the overall safety and reliability of your facility. Any security events, e.g., blocked network traffic, detected by the Triconex Tofino Firewall are logged internally on the device and saved for later review by operations or security personnel.
Many control systems use Microsoft’s OPC (OLE for Process Control) technology. The Triconex Tofino Firewall protects the Tricon OPC server by tracking the OPC client data requests and dynamically opening only the minimum required ports in the Triconex Tofino Firewall to permit these data connections to pass through. All other unnecessary ports are blocked, resulting in significantly enhanced security for the Tricon OPC server.
The Triconex Tofino Firewall is easy to install. Simply apply DC power and connect the device in-line in the network connection to the Triconex Communications Module. The Triconex Tofino Firewall is pre-configured to work in most installations without changes. If the TCM has been configured to use nonstandard network ports, then the Triconex Tofino Firewall’s configuration may be easily modified to match the TCM configuration using the Triconex Tofino Firewall Configuration Utility.
FEATURES
• Triconex Tofino Firewall permits only those types of network traffic required for correct system operation. All other unnecessary traffic is blocked.
• Tracks OPC (OLE for Process Control) client requests to Tricon 4353 OPC server and dynamically opens only the minimum required TCP ports in the Triconex Tofino Firewall for data connections.
• All traffic that is permitted through the Triconex Tofino Firewall is rate-limited to prevent overload of the Tricon Communications Module.
• All security events, including blocked network traffic, are logged on the appliance for subsequent analysis.
• Security event logs may be offloaded via USB storage device.
• Pre-configured − no configuration required for most Tricon installations.
• 10/100BaseT network interfaces − direct connection to TCM models 4351A, 4351B, and 4353.
• Plug and play installation − no changes required to external equipment, network design or network IP addresses.
Network Interfaces
• Two 10/100 Base T Ethernet twisted-pair interfaces − “Trusted” (closed padlock symbol) and “Untrusted” (open padlock symbol).
• “Trusted” network interface connects to 10/100BaseT interface on Tricon 4351A, 4351B and 4353 Communications Module.
• “Untrusted” network interface connects to external control interface.
• Network link speed and duplex auto-negotiated with link partner.
• Auto-MDX adapts to straight-through or cross-over connections.
Permitted network traffic
• Tricon protocols: TSAA, TriStation, TMI, Downloader, Control (Time Sync), Peer-to-Peer
• Modbus TCP (master and slave)
• Simple Network Time Protocol (SNTP) (Tricon client, external server)
• Network printer access (Tricon client to external print server)
• OPC (bidirectional)
• ICMP ‘ping’ (echo request) – incoming only
• Address Resolution Protocol (ARP)
• Incoming traffic rate limit: 5,000 packets per second
• Port numbers are adjustable via Triconex Tofino Firewall Configuration Utility to match any custom TCM configuration
Power
• 9-32VDC; 24VDC nominal
• 170mA typical, 350mA max. at 24VDC
• Dual redundant power inputs; 24-12AWG screw cage terminals
• Dual power-fail indicator digital inputs (security event log entry generated on state change)