Industrial Ethernet Firewall - Hirschmann EAGLE20 Tofino

Comparison with EAGLE20

Both products operate on the firewall concept of being a gateway separating a 'secure' or 'internal' side from an 'insecure' or 'external' side.

EAGLE20 is a standalone hardware firewall featuring IP Routing and the unique firewall learning mode to simplify configuration. These firewall rules typically include MAC or IP address and TCP/UDP port filtering. Out of the box, EAGLE20 works in transparent mode offering 'stateleful inspection', meaning only traffic originating in the secure side is allowed through the gateway. See our other article for more details.

EAGLE20 Tofino is a Layer 2 device, however it conducts 'deep packet inspection' to check the contents of the datagrams againt firewall rules to provide absolute control over data flows. Out of the box, EAGLE20 Tofino passes all traffic, allowing it to be installed and configured insitu with the least disruption to the network. Another key difference is the system design. A typical EAGLE20 Tofino installation includes the following:

• EAGLE20 Tofino 'Appliance' - the hardware
• EAGLE20 Tofino Loadable Security Modules (LSM) which provide the required functionality (see below).
• EAGLE20 Tofino Central management Platform - A software tool for system wide configuration of the appliances

Security Concept

Stuxnet demonstrated that the old 'security by obscurity' strategy needed a rethink. EAGLE20 or EAGLE20 Tofino by themselves will not quarantine a system from every possible attack. They do however form an important part of the 'defence in depth' paradigm of combining online realtime packet inspections with sound practices such as secured network accessibility and procedures surrounding things as commonplace as USB sticks.

By dividing networks into cells with gateway points, the installation of secure gateways like the EAGLE20 range provides the ability to limit traffic entering the cell, and constraining a problem such as a Denial of Service attack or even an inadvertent broadcast storm to small sections of the network.

Simple to Install

As EAGLE20 Tofino operates transparently and out of the box will pass all traffic, (it doesn't even have an IP address!), it can be quickly installed as a gateway device in seconds with minimal disruption to the network. The management software can then locate the device, and apply the chosen LSMs from the available stock as purchased. Firewall rules are then applied, with a number of automation vendor specific templates (Rockwell, Siemens, Schneider etc) available to suit any of a large number of predefined applications specific to the relevant vendor.

Loadable Security Modules

The following LSMs are available:

• Eagle 20 Tofino Firewall LSM Directs and controls industrial network traffic
• Eagle 20 Tofino Secure Asset Management  LSM Tracks and identifies network devices
• Eagle 20 Tofino Modbus TCP Enforcer LSM Content inspection for Modbus
• Eagle 20 Tofino VPN Client LSM
• Eagle 20 Tofino VPN Server LSM
• Eagle 20 Tofino VPN PC License secures remote SCADA communication
• Eagle 20 Tofino Event Logger LSM logs security events and alarms

Hirschmann Industrial Ethernet - For Mission Critical Applications

See the Hirschmann Security Solutions here.