implementing-ics-firewall-with-tofino
部署和配置Belden/Hirschmann的Tofino工业防火墙,利用深度包检测(DPI)保护SCADA系统和PLC,支持包括Modbus、EtherNet/IP、OPC和S7comm在内的OT协议,在ICS安全区域之间强制执行精细化访问控制。
Best use case
implementing-ics-firewall-with-tofino is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
部署和配置Belden/Hirschmann的Tofino工业防火墙,利用深度包检测(DPI)保护SCADA系统和PLC,支持包括Modbus、EtherNet/IP、OPC和S7comm在内的OT协议,在ICS安全区域之间强制执行精细化访问控制。
Teams using implementing-ics-firewall-with-tofino should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-ics-firewall-with-tofino/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-ics-firewall-with-tofino Compares
| Feature / Agent | implementing-ics-firewall-with-tofino | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
部署和配置Belden/Hirschmann的Tofino工业防火墙,利用深度包检测(DPI)保护SCADA系统和PLC,支持包括Modbus、EtherNet/IP、OPC和S7comm在内的OT协议,在ICS安全区域之间强制执行精细化访问控制。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 使用Tofino实现ICS防火墙
## 适用场景
- 在关键PLC或RTU前部署区域级防火墙保护
- 需要对工业协议(Modbus、EtherNet/IP、OPC、S7comm)进行深度包检测
- 实现具有协议感知执行的IEC 62443区域和管道边界
- 保护无法打补丁且需要补偿控制措施的遗留PLC
- 在不影响现有工业通信的情况下对控制网络区域进行分段
**不适用于**企业IT防火墙部署、IT与OT之间的周界防火墙(在DMZ处使用Palo Alto/Fortinet),或仅使用基于IP协议而无OT特定DPI需求的环境。
## 前置条件
- 带有适当许可证的Tofino Xenon设备或Tofino虚拟设备
- 用于集中策略管理的Tofino中央管理平台(CMP)
- 显示PLC/RTU位置和通信需求的网络拓扑图
- OT协议通信基线(Modbus功能码、EtherNet/IP CIP服务)
- 在网络区域之间内联部署的变更管理审批
## 工作流程
### 步骤 1:设计Tofino部署架构
```yaml
# Tofino ICS防火墙部署架构
# 使用深度包检测进行区域级保护
deployment_zones:
zone_1_reactor_control:
tofino_appliance: "TOFINO-XN-001"
deployment_mode: "inline_bridge"
protected_assets:
- name: "PLC-REACTOR-01"
ip: "10.10.1.10"
vendor: "Siemens S7-1500"
protocols: ["S7comm/102", "Profinet"]
- name: "PLC-REACTOR-02"
ip: "10.10.1.11"
vendor: "Siemens S7-1500"
protocols: ["S7comm/102", "Profinet"]
authorized_communications:
- source: "10.10.2.50" # 工程师工作站
dest: "10.10.1.0/24"
protocols: ["S7comm"]
access_type: "engineering"
- source: "10.10.2.10" # HMI服务器
dest: "10.10.1.0/24"
protocols: ["S7comm"]
access_type: "operational"
zone_2_packaging:
tofino_appliance: "TOFINO-XN-002"
deployment_mode: "inline_bridge"
protected_assets:
- name: "PLC-PACK-01"
ip: "10.10.3.10"
vendor: "Rockwell ControlLogix"
protocols: ["EtherNet-IP/44818", "CIP"]
authorized_communications:
- source: "10.10.2.20" # HMI
dest: "10.10.3.0/24"
protocols: ["EtherNet-IP"]
access_type: "operational"
zone_3_utilities:
tofino_appliance: "TOFINO-XN-003"
deployment_mode: "inline_bridge"
protected_assets:
- name: "RTU-BOILER-01"
ip: "10.10.4.10"
vendor: "Schneider M340"
protocols: ["Modbus-TCP/502"]
authorized_communications:
- source: "10.10.2.30" # SCADA服务器
dest: "10.10.4.0/24"
protocols: ["Modbus-TCP"]
allowed_function_codes: [1, 2, 3, 4] # SCADA只读
```
### 步骤 2:配置深度包检测规则
```python
#!/usr/bin/env python3
"""Tofino ICS防火墙规则生成器。
根据通信基线分析,生成带有工业协议
深度包检测的Tofino防火墙规则。
"""
import json
import sys
from datetime import datetime
from typing import Dict, List
class TofinoRuleGenerator:
"""生成Tofino ICS防火墙DPI规则。"""
def __init__(self):
self.rules = []
self.rule_id = 1000
def add_modbus_rule(self, src: str, dst: str, allowed_funcs: List[int],
allowed_registers: List[dict] = None, description: str = ""):
"""生成Modbus DPI规则。"""
func_names = {
1: "read_coils", 2: "read_discrete_inputs",
3: "read_holding_registers", 4: "read_input_registers",
5: "write_single_coil", 6: "write_single_register",
15: "write_multiple_coils", 16: "write_multiple_registers",
}
rule = {
"rule_id": self.rule_id,
"protocol": "Modbus-TCP",
"action": "ALLOW",
"source": src,
"destination": dst,
"port": 502,
"dpi_policy": {
"allowed_function_codes": [
{"code": fc, "name": func_names.get(fc, f"FC{fc}")}
for fc in allowed_funcs
],
"blocked_function_codes": [
fc for fc in range(1, 128) if fc not in allowed_funcs
],
},
"description": description,
"log": True,
}
if allowed_registers:
rule["dpi_policy"]["allowed_register_ranges"] = allowed_registers
self.rules.append(rule)
self.rule_id += 1
return rule
def add_s7comm_rule(self, src: str, dst: str, allowed_operations: List[str],
description: str = ""):
"""生成S7comm DPI规则。"""
operation_map = {
"read": {"function": 0x04, "name": "Read Variable"},
"write": {"function": 0x05, "name": "Write Variable"},
"setup": {"function": 0xF0, "name": "Setup Communication"},
"download": {"function": 0x1A, "name": "Request Download"},
"upload": {"function": 0x1D, "name": "Start Upload"},
"cpu_stop": {"function": 0x29, "name": "PLC Stop"},
"cpu_start": {"function": 0x28, "name": "PI Service (Start)"},
}
rule = {
"rule_id": self.rule_id,
"protocol": "S7comm",
"action": "ALLOW",
"source": src,
"destination": dst,
"port": 102,
"dpi_policy": {
"allowed_operations": [
operation_map[op] for op in allowed_operations if op in operation_map
],
"block_cpu_stop": "cpu_stop" not in allowed_operations,
"block_program_download": "download" not in allowed_operations,
},
"description": description,
"log": True,
}
self.rules.append(rule)
self.rule_id += 1
return rule
def add_ethernet_ip_rule(self, src: str, dst: str, allowed_services: List[str],
description: str = ""):
"""生成EtherNet/IP CIP DPI规则。"""
rule = {
"rule_id": self.rule_id,
"protocol": "EtherNet-IP",
"action": "ALLOW",
"source": src,
"destination": dst,
"port": 44818,
"dpi_policy": {
"allowed_cip_services": allowed_services,
"block_firmware_flash": True,
"block_program_download": "program_download" not in allowed_services,
},
"description": description,
"log": True,
}
self.rules.append(rule)
self.rule_id += 1
return rule
def add_default_deny(self):
"""在末尾添加默认拒绝规则。"""
self.rules.append({
"rule_id": 9999,
"protocol": "ANY",
"action": "DENY",
"source": "ANY",
"destination": "ANY",
"port": "ANY",
"description": "默认拒绝 - 阻止所有不匹配的流量",
"log": True,
})
def generate_config(self) -> str:
"""生成完整的Tofino防火墙配置。"""
config = {
"tofino_configuration": {
"generated": datetime.now().isoformat(),
"appliance_model": "Tofino Xenon",
"firmware_version": "4.2",
"mode": "inline_bridge",
"failsafe": "fail_open",
"rules": self.rules,
}
}
return json.dumps(config, indent=2)
def print_summary(self):
"""打印规则摘要。"""
print(f"\n{'='*65}")
print("TOFINO ICS防火墙规则摘要")
print(f"{'='*65}")
print(f"生成时间: {datetime.now().isoformat()}")
print(f"规则总数: {len(self.rules)}")
for rule in self.rules:
action_icon = "+" if rule["action"] == "ALLOW" else "X"
print(f"\n [{action_icon}] 规则 {rule['rule_id']}: {rule.get('description', '')}")
print(f" {rule['source']} -> {rule['destination']}:{rule['port']}")
print(f" 协议: {rule['protocol']}")
if "dpi_policy" in rule:
dpi = rule["dpi_policy"]
if "allowed_function_codes" in dpi:
funcs = [f["name"] for f in dpi["allowed_function_codes"]]
print(f" DPI - 允许的Modbus功能码: {', '.join(funcs)}")
if "allowed_operations" in dpi:
ops = [o["name"] for o in dpi["allowed_operations"]]
print(f" DPI - 允许的S7操作: {', '.join(ops)}")
if __name__ == "__main__":
gen = TofinoRuleGenerator()
# SCADA服务器到Modbus RTU:只读
gen.add_modbus_rule(
src="10.10.2.30",
dst="10.10.4.0/24",
allowed_funcs=[1, 2, 3, 4],
description="SCADA到公用RTU - 只读",
)
# 工程师工作站到西门子PLC:完全访问
gen.add_s7comm_rule(
src="10.10.2.50",
dst="10.10.1.0/24",
allowed_operations=["read", "write", "setup", "download", "upload"],
description="工程师工作站到反应器PLC - 完全工程访问",
)
# HMI到西门子PLC:仅读写(无程序下载)
gen.add_s7comm_rule(
src="10.10.2.10",
dst="10.10.1.0/24",
allowed_operations=["read", "write", "setup"],
description="HMI到反应器PLC - 仅操作访问",
)
# HMI到Rockwell PLC:操作访问
gen.add_ethernet_ip_rule(
src="10.10.2.20",
dst="10.10.3.0/24",
allowed_services=["read_tag", "write_tag", "get_attribute"],
description="HMI到包装PLC - 操作访问",
)
gen.add_default_deny()
gen.print_summary()
```
## 核心概念
| 术语 | 定义 |
|------|------|
| Tofino Xenon | Belden/Hirschmann工业防火墙设备,具备OT协议深度包检测能力 |
| 深度包检测(DPI) | 检查标头之外的报文载荷内容,对工业协议操作强制执行细粒度规则 |
| 内联桥接模式(Inline Bridge Mode) | 透明部署模式,防火墙位于网络段之间,无需更改IP地址 |
| 失败开放(Fail-Open) | 安全模式,设备故障时防火墙放行所有流量,维持过程可用性 |
| 可加载安全模块(LSM) | Tofino插件模块,为Modbus、EtherNet/IP、OPC或其他协议提供特定协议DPI |
| 中央管理平台(CMP) | Tofino集中管理服务器,用于跨多个Tofino设备部署和管理策略 |
## 输出格式
```
TOFINO部署报告
===========================
日期: YYYY-MM-DD
已部署设备数: [数量]
各设备摘要:
[设备ID]:
模式: 内联桥接
故障安全: 失败开放
受保护资产: [数量]
规则: [数量]
DPI协议: [列表]
规则摘要:
允许规则: [数量]
拒绝规则: [数量]
DPI强制规则: [数量]
监控:
阻止的数据包(24小时): [数量]
DPI违规(24小时): [数量]
```Related Skills
performing-web-application-firewall-bypass
使用编码技术、HTTP 方法操控、参数污染和载荷混淆绕过 Web 应用防火墙保护,将 SQL 注入、XSS 及其他攻击载荷穿透 WAF 检测规则。
implementing-zero-trust-with-hashicorp-boundary
使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。
implementing-zero-trust-with-beyondcorp
使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。
implementing-zero-trust-network-access
通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。
implementing-zero-trust-network-access-with-zscaler
使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构
implementing-zero-trust-in-cloud
本技能指导组织按照 NIST SP 800-207 和 Google BeyondCorp 原则在云环境中实施零信任(Zero Trust)架构,涵盖以身份为中心的访问控制、微分段(Micro-Segmentation)、持续验证、设备信任评估,以及部署身份感知代理(Identity-Aware Proxy)以消除 AWS、Azure 和 GCP 环境中的隐式网络信任。
implementing-zero-trust-for-saas-applications
使用 CASB、SSPM、条件访问策略、OAuth 应用治理和会话控制,为 SaaS 应用实施零信任访问控制, 对云托管服务强制执行身份验证、设备合规性检查和数据保护。
implementing-zero-trust-dns-with-nextdns
将 NextDNS 实施为零信任 DNS 过滤层,提供加密解析、威胁情报阻断、隐私保护,以及跨所有端点的组织策略执行。
implementing-zero-standing-privilege-with-cyberark
部署 CyberArk Secure Cloud Access,通过基于时间、权限和审批控制的即时访问,在混合云和多云环境中消除常设权限。
implementing-zero-knowledge-proof-for-authentication
零知识证明(ZKP)允许证明者在不泄露秘密本身的情况下证明对某个秘密(如密码或私钥)的了解。本技能实现 Schnorr 身份识别协议和使用离散对数问题的简化 ZKPP,使服务器永远不需要获取用户密码即可完成认证。
implementing-web-application-logging-with-modsecurity
配置带有 OWASP 核心规则集(CRS)的 ModSecurity WAF,实现 Web 应用程序日志记录, 调整规则以减少误报,分析审计日志进行攻击检测,并为应用程序特定威胁实现自定义 SecRules。 分析师配置 SecRuleEngine、SecAuditEngine 和 CRS 偏执级别,以在安全覆盖范围和运营稳定性之间取得平衡。 适用于涉及 WAF 配置、ModSecurity 规则调整、Web 应用审计日志或 CRS 部署的场景。
implementing-vulnerability-sla-breach-alerting
为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。