Getting started with the Tofino Xenon and the DNP3 Enforcer LSM

Tofino DNP3 Functionality
The Tofino Security Appliance (TSA) implements a DNP3 loadable security module (LSM) that provides deep packet inspection (DPI) firewall capabilities for DNP3 traffic. The installation engineer specifies the master/slave device pairs between which DNP3 traffic is allowed to flow. Only correctly formatted DNP3 traffic is allowed. For example, most of the DNP3 exceptions suggested in the Open DNP Group’s document “DNP3 Application Note AN2013-004b: Validation of Incoming DNP3 Data” are implemented within the LSM. This includes checking of common header byte fields, packet lengths, DNP3 CRC values, etc.
For each master/slave device pair, the engineer can also specify which DNP3 Application Layer message types or function codes are allowed for request and response traffic. By selecting which function codes are permitted, operations such as writing to or operating on objects can be disabled.
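The following Python sketch illustrates the kinds of checks described above (start bytes, length field, DNP3 CRCs, and a per-pair function code allowlist). It is an added example, not Tofino code and not how the LSM is implemented. The `ALLOWED_REQUEST_FCS` policy, the helper names and the sample frames are constructed for illustration, and the sketch assumes each frame carries a single-segment application request.

```python
import struct

ALLOWED_REQUEST_FCS = {0x01}  # assumed policy for one master/slave pair: READ only

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, initial value 0, final complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user: bytes) -> bytes:
    """Build a constructed test frame: 8-byte header + CRC, then 16-byte blocks + CRC."""
    hdr = struct.pack("<2sBBHH", b"\x05\x64", 5 + len(user), ctrl, dest, src)
    out = hdr + struct.pack("<H", crc16_dnp(hdr))
    for i in range(0, len(user), 16):
        out += user[i:i + 16] + struct.pack("<H", crc16_dnp(user[i:i + 16]))
    return out

def check_frame(frame: bytes, allowed_fcs=ALLOWED_REQUEST_FCS) -> str:
    """Return 'allow' or a 'drop: ...' reason for one link-layer frame."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        return "drop: bad start bytes or truncated header"
    if frame[2] < 5:
        return "drop: length field below minimum"
    if struct.unpack_from("<H", frame, 8)[0] != crc16_dnp(frame[:8]):
        return "drop: header CRC mismatch"
    user_len = frame[2] - 5  # length counts control + addresses + user data, not CRCs
    if len(frame) != 10 + user_len + 2 * ((user_len + 15) // 16):
        return "drop: frame size disagrees with length field"
    user, pos = b"", 10
    while len(user) < user_len:
        n = min(16, user_len - len(user))
        block = frame[pos:pos + n]
        if struct.unpack_from("<H", frame, pos + n)[0] != crc16_dnp(block):
            return "drop: data block CRC mismatch"
        user, pos = user + block, pos + n + 2
    if len(user) < 3:  # simplification: only frames with an application header pass
        return "drop: no application header"
    if user[2] not in allowed_fcs:  # transport byte, application control, function code
        return f"drop: function code 0x{user[2]:02X} not allowed"
    return "allow"

# Constructed samples: a READ (0x01) request and an OPERATE (0x04) request with a dummy body
READ_REQ = build_frame(0xC4, 1, 2, bytes.fromhex("c0c0013c0206"))
OPERATE_REQ = build_frame(0xC4, 1, 2, bytes.fromhex("c0c0040c01170100") + bytes(11))
```

With the READ-only policy, `check_frame(READ_REQ)` returns `allow`, while the OPERATE request is dropped unless 0x04 is added to the allowed set for that device pair.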