Tofino VPN Server and Client LSMs

Secure remote SCADA communication

  • The only VPN with an integrated SCADA-capable firewall

  • Supports legacy automation devices and protocols

  • No IT expertise needed for set up or administration



Industrial facilities often want to utilize high-speed Internet connectivity in order to integrate control systems and/or people from multiple locations. How can you take advantage of this cost-effective technology without risking viruses or inappropriate access to your control and SCADA systems?


The Tofino VPN solution creates secure ‘tunnels’ of communication over untrusted networks, such as the Internet or corporate business networks.  Unlike other VPNs, the Tofino VPN is easy to deploy, test, and manage.  This ensures that good security is not compromised because of configuration errors.


The Tofino VPN also supports legacy automation devices and protocols, and is industrially hardened. Best of all, it can be combined with other Tofino LSMs, such as the Tofino Firewall LSM or the Tofino Modbus TCP Enforcer LSM, to provide a comprehensive security solution.


Saves You Money Through:

  • Reduced telecommunications and travel costs

  • Reduced implementation, engineering and IT costs due to ease of deployment

  • Leveraging investments by enabling communications to legacy non-IP devices


  • Creates highly secure tunnels using Secure Sockets Layer (SSL) technology to protect control system integrity

  • Easy to deploy, test, and manage with drag and drop configuration interface

  • Allows testing of the VPN tunnel without committing control traffic to it

  • Supports legacy automation protocols

  • Interoperates seamlessly with other Tofino LSMs to provide fine grained VPN access and SCADA-capable firewall protection

  • Industrially hardened


  • Manage remote plants from a central facility

  • Provide secure access to plant facilities or remote personnel

  • Interconnect legacy non-IP equipment

  • Secure communications between critical controllers


Security Implementation

Industry-standard Secure Sockets Layer (SSL/TLS)


AES-CBC, 128-bit key


SHA-1, 160-bit key

Maximum no. connections

Server supports at least 16 simultaneous connections

Devices Connected

  • Tofino Security Appliances

  • Tofino Security Appliances and PCs

  • Tofino Security Appliances and supported third-party VPN servers

User-Settable Options

The following options may be set for each connection:

  • Endpoint IP address

  • IP address mask

  • Enable server routing between clients

  • Allow non-IP broadcast


Built-in data compression for optimum performance over low-bandwidth networks

Supported Protocols

Tunnels all IP and non-IP Ethernet-based protocols

Easy deployment, test, and management

  • Configuration is simple using drag and drop interface

  • Test the VPN tunnel without risking control traffic

  • No changes required to the network design or addressing

  • Configuration and management is done centrally with the Tofino CMP

Operating Modes

All standard Tofino modes supported: Passive, Test, and Operational

Security Alerts

Reports security alerts to the Tofino CMP management console via the Tofino 'Exception Heartbeat' mechanism

System Requirements

Ordering Information

Part number: LSM-VPNS-100    

Name: Tofino VPN Server LSM


Part number: LSM-VPNC-100   

Name: Tofino VPN Client LSM


Part number: LSM-VPNL-100 

Name: Tofino VPN PC Client License


Additional Information:


 Download Tofino VPN Server and Client LSM Data Sheet