Firewall with application packet classifier
First Claim
1. A network device for providing secure communications between an internal device connected to an industrial network and at least one external device, wherein a plurality of application functions execute on the at least one external device, the network device comprising:
- a memory device operative to store a rules database and an application database, the application database including a plurality of application functions, wherein each application function is defined by a plurality of message packets formatted according to an industrial network protocol and wherein the application database includes the signature of each of the plurality of message packets defining each application;
- a packet processing module configured to receive each of the plurality of message packets from the at least one external device and to extract a signature from each received message packet;
- an application classifier configured to identify one of the plurality of application functions stored in the application database based on the signature extracted from each message packet,
- a rules engine operable to compare the application function identified by the application classifier to each rule in the rules database responsive to receiving a first message packet, wherein each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device and wherein the network device establishes a connection between the external device and the internal device when the identified application function is allowed by one of the rules, and
- a connection manager operative to:
  - transmit the first message packet to the internal device after the connection is established,
  - identify each additional message packet belonging to the application function on the established connection, and
  - transmit the additional message packets belonging to the application function to the internal device via the established connection without comparing each additional message packet to the rules database.
Abstract
An improved system for establishing rules in a firewall for an industrial network is disclosed. Rules are established at an application level, identifying, for example, actions to occur between two devices. The action may be, for example, read data table or get attribute, and each action may require multiple message packets to be transmitted between the two devices in order to complete. A network device executing the firewall is configured to receive message packets from a sending device and to inspect the message packets to determine which action the sending device is requesting to perform. If the action corresponds to a rule in the database, the network device manages communications between the two devices until all message packets have been transmitted. Thus, a single action, or application, may be defined in the rules database to permit multiple data packets to be communicated between the devices.
16 Claims
1. A network device for providing secure communications between an internal device connected to an industrial network and at least one external device, wherein a plurality of application functions execute on the at least one external device, the network device comprising:
- a memory device operative to store a rules database and an application database, the application database including a plurality of application functions, wherein each application function is defined by a plurality of message packets formatted according to an industrial network protocol and wherein the application database includes the signature of each of the plurality of message packets defining each application;
- a packet processing module configured to receive each of the plurality of message packets from the at least one external device and to extract a signature from each received message packet;
- an application classifier configured to identify one of the plurality of application functions stored in the application database based on the signature extracted from each message packet,
- a rules engine operable to compare the application function identified by the application classifier to each rule in the rules database responsive to receiving a first message packet, wherein each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device and wherein the network device establishes a connection between the external device and the internal device when the identified application function is allowed by one of the rules, and
- a connection manager operative to:
  - transmit the first message packet to the internal device after the connection is established,
  - identify each additional message packet belonging to the application function on the established connection, and
  - transmit the additional message packets belonging to the application function to the internal device via the established connection without comparing each additional message packet to the rules database.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A method for providing secure communications between an internal device connected to an industrial network and at least one external device, the method comprising the steps of:
- defining at least one firewall rule on a network device connected to the industrial network between the internal device and the at least one external device, wherein each firewall rule is a function of one of a plurality of application functions executing on the at least one external device;
- receiving a plurality of message packets for the application function from the external device at the network device;
- extracting a signature from each received message packet with a packet processing module executing on the network device;
- identifying one of the plurality of application functions from an application database stored on the network device based on the signatures extracted from each message packet using an application classifier executing on the network device, wherein:
  - the application database includes a plurality of application functions,
  - each application function is defined by a plurality of message packets formatted according to an industrial network protocol, and
  - the application database includes the signature of each of the plurality of message packets defining each application;
- comparing the identified application function to each of the firewall rules using a rules engine when the received message packet is a first message packet of the identified application, wherein each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device;
- establishing a connection on the industrial network between the internal device and the external device with a connection manager when the rules engine determines the identified application is allowed by one of the firewall rules; and
- transmitting each of the plurality of message packets to the internal device via the established connection when the message packet belongs to the application function on the established connection.

Dependent claims: 9, 10, 11, 12
13. A network device for providing secure communications between an internal device connected to an industrial network and at least one external device, wherein a plurality of application functions execute on the at least one external device, the network device comprising:
- a memory device operative to store a rules database and an application database, the application database including a plurality of application functions, wherein each application function is defined by a plurality of message packets formatted according to an industrial network protocol and wherein the application database includes the signature of each of the plurality of message packets defining each application;
- a packet processing module configured to receive a message packet from the at least one external device and to extract a signature from the message packet;
- an application classifier configured to identify one of the plurality of application functions stored in the application database based on the signature extracted from the message packet; and
- a connection manager operative to establish a connection between the external device and the internal device when the identified application function is allowed by a rule in the rules database and to transmit each message packet belonging to the application function to the internal device via the connection, wherein:
  - each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device,
  - the application database stores at least one encrypted signature for each application function,
  - a rules engine compares the extracted signature to the at least one encrypted signature to verify that the extracted signature belongs to the application function.

Dependent claims: 14, 15, 16
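The abstract and claims 1, 8 and 13 describe one procedure: extract a signature from each packet, classify the first packet of a multi-packet application function, consult the rules database only for that first packet, open a connection, and then pass the remaining packets of that function on the connection without another rules lookup while still verifying that each belongs to the function. The Python below is an added illustration of that flow and is not code from the patent or its assignee. Everything in it is constructed: the 4-byte service code used as the packet signature, the application and rules databases, the traffic sample, and the key. Claim 13's "encrypted signature" is modelled, as an assumption, by storing an HMAC digest of each expected packet signature rather than the raw signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical packet layout (assumption): a 4-byte service code, then payload.
# The signature the packet processing module extracts is that service code.
def extract_signature(packet: bytes) -> bytes:
    return packet[:4]

# Application database (constructed values): each application function is
# defined by the ordered signatures of the message packets that make it up.
APP_DB = {
    "read_data_table":  [b"RDT1", b"RDT2"],
    "get_attribute":    [b"GAT1", b"GAT2", b"GAT3"],
    "write_data_table": [b"WDT1", b"WDT2"],
}

# Rules database: one rule per application function, allowed or not.
RULES = {"read_data_table": True, "get_attribute": True, "write_data_table": False}

# Claim 13 keeps signatures in protected form; modelled here (assumption) as an
# HMAC digest per expected packet under a key held only by the network device.
SIG_KEY = b"constructed-demo-key"

def protect(sig: bytes) -> bytes:
    return hmac.new(SIG_KEY, sig, hashlib.sha256).digest()

PROTECTED_DB = {app: [protect(s) for s in sigs] for app, sigs in APP_DB.items()}

def classify(sig: bytes):
    """Application classifier: name the application whose first packet carries this signature."""
    for app, sigs in APP_DB.items():
        if hmac.compare_digest(sigs[0], sig):
            return app
    return None

@dataclass
class Connection:
    app: str
    next_index: int = 1  # position of the next packet expected for this application

class Firewall:
    def __init__(self):
        self.connections = {}  # (src, dst) -> Connection, kept by the connection manager
        self.rule_checks = 0   # how many times the rules engine was consulted

    def process(self, src: str, dst: str, packet: bytes) -> str:
        sig = extract_signature(packet)
        key = (src, dst)
        conn = self.connections.get(key)
        if conn is None:
            # First packet of a function: classify, consult the rules, open a connection.
            app = classify(sig)
            if app is None:
                return "DROP:unknown-application"
            self.rule_checks += 1
            if not RULES.get(app, False):
                return "DROP:denied-by-rule"
            self.connections[key] = Connection(app)
            return "FORWARD"
        # Established connection: verify the packet belongs to the application
        # (constant-time digest compare) without touching the rules database.
        expected = PROTECTED_DB[conn.app]
        if not hmac.compare_digest(protect(sig), expected[conn.next_index]):
            return "DROP:not-in-application"  # stray packet; connection stays open
        conn.next_index += 1
        if conn.next_index == len(expected):
            del self.connections[key]  # every packet of the function has been passed
        return "FORWARD"

# Constructed traffic sample: (source, destination, packet bytes).
DEMO_TRAFFIC = [
    ("10.0.0.5", "10.0.0.1", b"RDT1" + b"table=7"),    # first packet, rules consulted
    ("10.0.0.5", "10.0.0.1", b"RDT2" + b"ack"),        # second packet, no rules lookup
    ("10.0.0.5", "10.0.0.1", b"WDT1" + b"table=7"),    # write function, denied by rule
    ("10.0.0.7", "10.0.0.1", b"GAT1" + b"attr=3"),     # get_attribute opens a connection
    ("10.0.0.7", "10.0.0.1", b"WDT2" + b"payload"),    # does not belong to that function
    ("10.0.0.7", "10.0.0.1", b"GAT2" + b"attr=3"),
    ("10.0.0.7", "10.0.0.1", b"GAT3" + b"done"),       # last packet closes the connection
    ("10.0.0.9", "10.0.0.1", b"XXXX" + b"noise"),      # no application matches
]

def run_demo():
    fw = Firewall()
    verdicts = [fw.process(src, dst, pkt) for src, dst, pkt in DEMO_TRAFFIC]
    return verdicts, fw

if __name__ == "__main__":
    verdicts, fw = run_demo()
    for (src, dst, pkt), v in zip(DEMO_TRAFFIC, verdicts):
        print(f"{src} -> {dst} {pkt[:4].decode()}: {v}")
    print("rules engine consulted:", fw.rule_checks, "times")
```

Two design points worth noting. The rules engine is consulted exactly once per application function (three times for this sample even though eight packets arrive), which is the performance argument the abstract makes for application-level rules. The later packets are still checked against the function's expected signatures, so a packet that does not belong to the allowed function is dropped rather than riding through on the open connection; a production device would also need to decide whether such a stray packet should tear the connection down.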