implementing-ics-firewall-with-tofino

部署和配置Belden/Hirschmann的Tofino工业防火墙,利用深度包检测(DPI)保护SCADA系统和PLC,支持包括Modbus、EtherNet/IP、OPC和S7comm在内的OT协议,在ICS安全区域之间强制执行精细化访问控制。

9 stars

Best use case

implementing-ics-firewall-with-tofino is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

部署和配置Belden/Hirschmann的Tofino工业防火墙,利用深度包检测(DPI)保护SCADA系统和PLC,支持包括Modbus、EtherNet/IP、OPC和S7comm在内的OT协议,在ICS安全区域之间强制执行精细化访问控制。

Teams using implementing-ics-firewall-with-tofino should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-ics-firewall-with-tofino/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-ics-firewall-with-tofino/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-ics-firewall-with-tofino/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-ics-firewall-with-tofino Compares

Feature / Agentimplementing-ics-firewall-with-tofinoStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

部署和配置Belden/Hirschmann的Tofino工业防火墙,利用深度包检测(DPI)保护SCADA系统和PLC,支持包括Modbus、EtherNet/IP、OPC和S7comm在内的OT协议,在ICS安全区域之间强制执行精细化访问控制。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用Tofino实现ICS防火墙

## 适用场景

- 在关键PLC或RTU前部署区域级防火墙保护
- 需要对工业协议(Modbus、EtherNet/IP、OPC、S7comm)进行深度包检测
- 实现具有协议感知执行的IEC 62443区域和管道边界
- 保护无法打补丁且需要补偿控制措施的遗留PLC
- 在不影响现有工业通信的情况下对控制网络区域进行分段

**不适用于**企业IT防火墙部署、IT与OT之间的周界防火墙(在DMZ处使用Palo Alto/Fortinet),或仅使用基于IP协议而无OT特定DPI需求的环境。

## 前置条件

- 带有适当许可证的Tofino Xenon设备或Tofino虚拟设备
- 用于集中策略管理的Tofino中央管理平台(CMP)
- 显示PLC/RTU位置和通信需求的网络拓扑图
- OT协议通信基线(Modbus功能码、EtherNet/IP CIP服务)
- 在网络区域之间内联部署的变更管理审批

## 工作流程

### 步骤 1:设计Tofino部署架构

```yaml
# Tofino ICS防火墙部署架构
# 使用深度包检测进行区域级保护

deployment_zones:
  zone_1_reactor_control:
    tofino_appliance: "TOFINO-XN-001"
    deployment_mode: "inline_bridge"
    protected_assets:
      - name: "PLC-REACTOR-01"
        ip: "10.10.1.10"
        vendor: "Siemens S7-1500"
        protocols: ["S7comm/102", "Profinet"]
      - name: "PLC-REACTOR-02"
        ip: "10.10.1.11"
        vendor: "Siemens S7-1500"
        protocols: ["S7comm/102", "Profinet"]
    authorized_communications:
      - source: "10.10.2.50"  # 工程师工作站
        dest: "10.10.1.0/24"
        protocols: ["S7comm"]
        access_type: "engineering"
      - source: "10.10.2.10"  # HMI服务器
        dest: "10.10.1.0/24"
        protocols: ["S7comm"]
        access_type: "operational"

  zone_2_packaging:
    tofino_appliance: "TOFINO-XN-002"
    deployment_mode: "inline_bridge"
    protected_assets:
      - name: "PLC-PACK-01"
        ip: "10.10.3.10"
        vendor: "Rockwell ControlLogix"
        protocols: ["EtherNet-IP/44818", "CIP"]
    authorized_communications:
      - source: "10.10.2.20"  # HMI
        dest: "10.10.3.0/24"
        protocols: ["EtherNet-IP"]
        access_type: "operational"

  zone_3_utilities:
    tofino_appliance: "TOFINO-XN-003"
    deployment_mode: "inline_bridge"
    protected_assets:
      - name: "RTU-BOILER-01"
        ip: "10.10.4.10"
        vendor: "Schneider M340"
        protocols: ["Modbus-TCP/502"]
    authorized_communications:
      - source: "10.10.2.30"  # SCADA服务器
        dest: "10.10.4.0/24"
        protocols: ["Modbus-TCP"]
        allowed_function_codes: [1, 2, 3, 4]  # SCADA只读
```

### 步骤 2:配置深度包检测规则

```python
#!/usr/bin/env python3
"""Tofino ICS防火墙规则生成器。

根据通信基线分析,生成带有工业协议
深度包检测的Tofino防火墙规则。
"""

import json
import sys
from datetime import datetime
from typing import Dict, List


class TofinoRuleGenerator:
    """生成Tofino ICS防火墙DPI规则。"""

    def __init__(self):
        self.rules = []
        self.rule_id = 1000

    def add_modbus_rule(self, src: str, dst: str, allowed_funcs: List[int],
                        allowed_registers: List[dict] = None, description: str = ""):
        """生成Modbus DPI规则。"""
        func_names = {
            1: "read_coils", 2: "read_discrete_inputs",
            3: "read_holding_registers", 4: "read_input_registers",
            5: "write_single_coil", 6: "write_single_register",
            15: "write_multiple_coils", 16: "write_multiple_registers",
        }

        rule = {
            "rule_id": self.rule_id,
            "protocol": "Modbus-TCP",
            "action": "ALLOW",
            "source": src,
            "destination": dst,
            "port": 502,
            "dpi_policy": {
                "allowed_function_codes": [
                    {"code": fc, "name": func_names.get(fc, f"FC{fc}")}
                    for fc in allowed_funcs
                ],
                "blocked_function_codes": [
                    fc for fc in range(1, 128) if fc not in allowed_funcs
                ],
            },
            "description": description,
            "log": True,
        }

        if allowed_registers:
            rule["dpi_policy"]["allowed_register_ranges"] = allowed_registers

        self.rules.append(rule)
        self.rule_id += 1
        return rule

    def add_s7comm_rule(self, src: str, dst: str, allowed_operations: List[str],
                        description: str = ""):
        """生成S7comm DPI规则。"""
        operation_map = {
            "read": {"function": 0x04, "name": "Read Variable"},
            "write": {"function": 0x05, "name": "Write Variable"},
            "setup": {"function": 0xF0, "name": "Setup Communication"},
            "download": {"function": 0x1A, "name": "Request Download"},
            "upload": {"function": 0x1D, "name": "Start Upload"},
            "cpu_stop": {"function": 0x29, "name": "PLC Stop"},
            "cpu_start": {"function": 0x28, "name": "PI Service (Start)"},
        }

        rule = {
            "rule_id": self.rule_id,
            "protocol": "S7comm",
            "action": "ALLOW",
            "source": src,
            "destination": dst,
            "port": 102,
            "dpi_policy": {
                "allowed_operations": [
                    operation_map[op] for op in allowed_operations if op in operation_map
                ],
                "block_cpu_stop": "cpu_stop" not in allowed_operations,
                "block_program_download": "download" not in allowed_operations,
            },
            "description": description,
            "log": True,
        }

        self.rules.append(rule)
        self.rule_id += 1
        return rule

    def add_ethernet_ip_rule(self, src: str, dst: str, allowed_services: List[str],
                              description: str = ""):
        """生成EtherNet/IP CIP DPI规则。"""
        rule = {
            "rule_id": self.rule_id,
            "protocol": "EtherNet-IP",
            "action": "ALLOW",
            "source": src,
            "destination": dst,
            "port": 44818,
            "dpi_policy": {
                "allowed_cip_services": allowed_services,
                "block_firmware_flash": True,
                "block_program_download": "program_download" not in allowed_services,
            },
            "description": description,
            "log": True,
        }

        self.rules.append(rule)
        self.rule_id += 1
        return rule

    def add_default_deny(self):
        """在末尾添加默认拒绝规则。"""
        self.rules.append({
            "rule_id": 9999,
            "protocol": "ANY",
            "action": "DENY",
            "source": "ANY",
            "destination": "ANY",
            "port": "ANY",
            "description": "默认拒绝 - 阻止所有不匹配的流量",
            "log": True,
        })

    def generate_config(self) -> str:
        """生成完整的Tofino防火墙配置。"""
        config = {
            "tofino_configuration": {
                "generated": datetime.now().isoformat(),
                "appliance_model": "Tofino Xenon",
                "firmware_version": "4.2",
                "mode": "inline_bridge",
                "failsafe": "fail_open",
                "rules": self.rules,
            }
        }
        return json.dumps(config, indent=2)

    def print_summary(self):
        """打印规则摘要。"""
        print(f"\n{'='*65}")
        print("TOFINO ICS防火墙规则摘要")
        print(f"{'='*65}")
        print(f"生成时间: {datetime.now().isoformat()}")
        print(f"规则总数: {len(self.rules)}")

        for rule in self.rules:
            action_icon = "+" if rule["action"] == "ALLOW" else "X"
            print(f"\n  [{action_icon}] 规则 {rule['rule_id']}: {rule.get('description', '')}")
            print(f"      {rule['source']} -> {rule['destination']}:{rule['port']}")
            print(f"      协议: {rule['protocol']}")
            if "dpi_policy" in rule:
                dpi = rule["dpi_policy"]
                if "allowed_function_codes" in dpi:
                    funcs = [f["name"] for f in dpi["allowed_function_codes"]]
                    print(f"      DPI - 允许的Modbus功能码: {', '.join(funcs)}")
                if "allowed_operations" in dpi:
                    ops = [o["name"] for o in dpi["allowed_operations"]]
                    print(f"      DPI - 允许的S7操作: {', '.join(ops)}")


if __name__ == "__main__":
    gen = TofinoRuleGenerator()

    # SCADA服务器到Modbus RTU:只读
    gen.add_modbus_rule(
        src="10.10.2.30",
        dst="10.10.4.0/24",
        allowed_funcs=[1, 2, 3, 4],
        description="SCADA到公用RTU - 只读",
    )

    # 工程师工作站到西门子PLC:完全访问
    gen.add_s7comm_rule(
        src="10.10.2.50",
        dst="10.10.1.0/24",
        allowed_operations=["read", "write", "setup", "download", "upload"],
        description="工程师工作站到反应器PLC - 完全工程访问",
    )

    # HMI到西门子PLC:仅读写(无程序下载)
    gen.add_s7comm_rule(
        src="10.10.2.10",
        dst="10.10.1.0/24",
        allowed_operations=["read", "write", "setup"],
        description="HMI到反应器PLC - 仅操作访问",
    )

    # HMI到Rockwell PLC:操作访问
    gen.add_ethernet_ip_rule(
        src="10.10.2.20",
        dst="10.10.3.0/24",
        allowed_services=["read_tag", "write_tag", "get_attribute"],
        description="HMI到包装PLC - 操作访问",
    )

    gen.add_default_deny()
    gen.print_summary()
```

## 核心概念

| 术语 | 定义 |
|------|------|
| Tofino Xenon | Belden/Hirschmann工业防火墙设备,具备OT协议深度包检测能力 |
| 深度包检测(DPI) | 检查标头之外的报文载荷内容,对工业协议操作强制执行细粒度规则 |
| 内联桥接模式(Inline Bridge Mode) | 透明部署模式,防火墙位于网络段之间,无需更改IP地址 |
| 失败开放(Fail-Open) | 安全模式,设备故障时防火墙放行所有流量,维持过程可用性 |
| 可加载安全模块(LSM) | Tofino插件模块,为Modbus、EtherNet/IP、OPC或其他协议提供特定协议DPI |
| 中央管理平台(CMP) | Tofino集中管理服务器,用于跨多个Tofino设备部署和管理策略 |

## 输出格式

```
TOFINO部署报告
===========================
日期: YYYY-MM-DD
已部署设备数: [数量]

各设备摘要:
  [设备ID]:
    模式: 内联桥接
    故障安全: 失败开放
    受保护资产: [数量]
    规则: [数量]
    DPI协议: [列表]

规则摘要:
  允许规则: [数量]
  拒绝规则: [数量]
  DPI强制规则: [数量]

监控:
  阻止的数据包(24小时): [数量]
  DPI违规(24小时): [数量]
```

Related Skills

performing-web-application-firewall-bypass

9
from killvxk/cybersecurity-skills-zh

使用编码技术、HTTP 方法操控、参数污染和载荷混淆绕过 Web 应用防火墙保护,将 SQL 注入、XSS 及其他攻击载荷穿透 WAF 检测规则。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。

implementing-zero-trust-network-access-with-zscaler

9
from killvxk/cybersecurity-skills-zh

使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构

implementing-zero-trust-in-cloud

9
from killvxk/cybersecurity-skills-zh

本技能指导组织按照 NIST SP 800-207 和 Google BeyondCorp 原则在云环境中实施零信任(Zero Trust)架构,涵盖以身份为中心的访问控制、微分段(Micro-Segmentation)、持续验证、设备信任评估,以及部署身份感知代理(Identity-Aware Proxy)以消除 AWS、Azure 和 GCP 环境中的隐式网络信任。

implementing-zero-trust-for-saas-applications

9
from killvxk/cybersecurity-skills-zh

使用 CASB、SSPM、条件访问策略、OAuth 应用治理和会话控制,为 SaaS 应用实施零信任访问控制, 对云托管服务强制执行身份验证、设备合规性检查和数据保护。

implementing-zero-trust-dns-with-nextdns

9
from killvxk/cybersecurity-skills-zh

将 NextDNS 实施为零信任 DNS 过滤层,提供加密解析、威胁情报阻断、隐私保护,以及跨所有端点的组织策略执行。

implementing-zero-standing-privilege-with-cyberark

9
from killvxk/cybersecurity-skills-zh

部署 CyberArk Secure Cloud Access,通过基于时间、权限和审批控制的即时访问,在混合云和多云环境中消除常设权限。

implementing-zero-knowledge-proof-for-authentication

9
from killvxk/cybersecurity-skills-zh

零知识证明(ZKP)允许证明者在不泄露秘密本身的情况下证明对某个秘密(如密码或私钥)的了解。本技能实现 Schnorr 身份识别协议和使用离散对数问题的简化 ZKPP,使服务器永远不需要获取用户密码即可完成认证。

implementing-web-application-logging-with-modsecurity

9
from killvxk/cybersecurity-skills-zh

配置带有 OWASP 核心规则集(CRS)的 ModSecurity WAF,实现 Web 应用程序日志记录, 调整规则以减少误报,分析审计日志进行攻击检测,并为应用程序特定威胁实现自定义 SecRules。 分析师配置 SecRuleEngine、SecAuditEngine 和 CRS 偏执级别,以在安全覆盖范围和运营稳定性之间取得平衡。 适用于涉及 WAF 配置、ModSecurity 规则调整、Web 应用审计日志或 CRS 部署的场景。

implementing-vulnerability-sla-breach-alerting

9
from killvxk/cybersecurity-skills-zh

为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。