
Firewall with application packet classifier

  • US 10,110,561 B2
  • Filed: 11/26/2014
  • Issued: 10/23/2018
  • Est. Priority Date: 11/26/2014
  • Status: Active Grant
First Claim

1. A network device for providing secure communications between an internal device connected to an industrial network and at least one external device, wherein a plurality of application functions execute on the at least one external device, the network device comprising:

  • a memory device operative to store a rules database and an application database, the application database including a plurality of application functions, wherein each application function is defined by a plurality of message packets formatted according to an industrial network protocol and wherein the application database includes the signature of each of the plurality of message packets defining each application;
  • a packet processing module configured to receive each of the plurality of message packets from the at least one external device and to extract a signature from each received message packet;
  • an application classifier configured to identify one of the plurality of application functions stored in the application database based on the signature extracted from each message packet;
  • a rules engine operable to compare the application function identified by the application classifier to each rule in the rules database responsive to receiving a first message packet, wherein each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device and wherein the network device establishes a connection between the external device and the internal device when the identified application function is allowed by one of the rules; and
  • a connection manager operative to:
      • transmit the first message packet to the internal device after the connection is established,
      • identify each additional message packet belonging to the application function on the established connection, and
      • transmit the additional message packets belonging to the application function to the internal device via the established connection without comparing each additional message packet to the rules database.
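As an added illustration (not the patent's own implementation), the following Python sketches the claimed flow: a packet's signature is classified into an application function, the rules database is consulted only for the first packet of a flow, and later packets on the established connection are forwarded without a rule lookup as long as they still belong to that application function. The application database, the rules, and the packet fields are constructed sample values; the signature is modelled as a (protocol, function code) pair.

```python
from dataclasses import dataclass, field

# Constructed sample data. A "signature" is the (protocol, function code) pair
# that the packet processing stage would extract from an industrial protocol
# header; each application function is the set of signatures that compose it.
APPLICATION_DB = {
    "read_registers":  {("modbus", 3), ("modbus", 4)},
    "write_registers": {("modbus", 6), ("modbus", 16)},
    "diagnostics":     {("modbus", 8)},
}
# Rules database: application function -> allowed? (absent means denied)
RULES_DB = {"read_registers": True, "write_registers": False}


@dataclass
class Firewall:
    # Established connections: (src, dst) -> application function allowed on it
    connections: dict = field(default_factory=dict)
    # Counts rules-database consultations, to show that later packets skip them
    rule_lookups: int = 0

    @staticmethod
    def extract_signature(pkt):
        return (pkt["proto"], pkt["fc"])

    @staticmethod
    def classify(sig):
        """Application classifier: map a signature to an application function."""
        for app, sigs in APPLICATION_DB.items():
            if sig in sigs:
                return app
        return None

    def handle(self, pkt):
        """Return True if pkt is forwarded to the internal device."""
        flow = (pkt["src"], pkt["dst"])
        sig = self.extract_signature(pkt)
        app = self.connections.get(flow)
        if app is not None:
            # Connection manager: forward without a rule lookup, but only
            # packets that still belong to the application function.
            return sig in APPLICATION_DB[app]
        # First packet of the flow: classify and consult the rules engine.
        app = self.classify(sig)
        self.rule_lookups += 1
        if app is not None and RULES_DB.get(app, False):
            self.connections[flow] = app  # establish the connection
            return True
        return False
```

The `rule_lookups` counter makes the "no rule comparison on later packets" behaviour observable, and the membership check on an established connection is what keeps an unrelated function from riding on a connection that was opened for an allowed one.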
