Firewall with application packet classifer

US 10,110,561 B2
Filed: 11/26/2014
Issued: 10/23/2018
Est. Priority Date: 11/26/2014
Status: Active Grant

First Claim

Patent Images

1. A network device for providing secure communications between an internal device connected to an industrial network and at least one external device, wherein a plurality of application functions execute on the at least one external device, the network device comprising:

a memory device operative to store a rules database and an application database, the application database including a plurality of application functions, wherein each application function is defined by a plurality of message packets formatted according to an industrial network protocol and wherein the application database includes the signature of each of the plurality of message packets defining each application;

a packet processing module configured to receive each of the plurality of message packets from the at least one external device and to extract a signature from each received message packet;

an application classifier configured to identify one of the plurality of application functions stored in the application database based on the signature extracted from each message packet,a rules engine operable to compare the application function identified by the application classifier to each rule in the rules database responsive to receiving a first message packet, wherein each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device and wherein the network device establishes a connection between the external device and the internal device when the identified application function is allowed by one of the rules, anda connection manager operative to;

transmit the first message packet to the internal device after the connection is established,identify each additional message packet belonging to the application function on the established connection, andtransmit the additional message packets belonging to the application function to the internal device via the established connection without comparing each additional message packet to the rules database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved system for establishing rules in a firewall for an industrial network is disclosed. Rules are established at an application level, identifying, for example, actions to occur between two devices. The action may be, for example, read data table or get attribute, and each action may require multiple message packets to be transmitted between the two devices in order to complete. A network device executing the firewall is configured to receive message packets from a sending device and to inspect the message packets to determine which action the sending device is requesting to perform. If the action corresponds to a rule in the database, the network device manages communications between the two devices until all message packets have been transmitted. Thus, a single action, or application, may be defined in the rules database to permit multiple data packets to be communicated between the devices.

Citations

16 Claims

1. A network device for providing secure communications between an internal device connected to an industrial network and at least one external device, wherein a plurality of application functions execute on the at least one external device, the network device comprising:
- a memory device operative to store a rules database and an application database, the application database including a plurality of application functions, wherein each application function is defined by a plurality of message packets formatted according to an industrial network protocol and wherein the application database includes the signature of each of the plurality of message packets defining each application;
  
  a packet processing module configured to receive each of the plurality of message packets from the at least one external device and to extract a signature from each received message packet;
  
  an application classifier configured to identify one of the plurality of application functions stored in the application database based on the signature extracted from each message packet,a rules engine operable to compare the application function identified by the application classifier to each rule in the rules database responsive to receiving a first message packet, wherein each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device and wherein the network device establishes a connection between the external device and the internal device when the identified application function is allowed by one of the rules, anda connection manager operative to;
  
  transmit the first message packet to the internal device after the connection is established,identify each additional message packet belonging to the application function on the established connection, andtransmit the additional message packets belonging to the application function to the internal device via the established connection without comparing each additional message packet to the rules database.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network device of claim 1, wherein:
    - the rules engine includes a first state in which each of the first message packets is compared to the plurality of rules in the database to determine whether the corresponding application function is allowed or denied and whether to transmit the first message packet, andthe rules engine includes a second state in which the additional message packets corresponding to each allowed application function are transmitted.
  - 3. The network device of claim 2 wherein the application database defines a plurality of states for each application function.
  - 4. The network device of claim 2 wherein:
    - a plurality of external devices are connected to a plurality of internal devices,the network device establishes a plurality of connections between the external devices and the internal devices, andthe connection manager is configured to maintain a record of each connection and a current state of each connection.
  - 5. The network device of claim 1 wherein:
    - the plurality of rules are configurable from a user interface, andeach of the plurality of packet signatures is encrypted prior to display on the user interface.
  - 6. The network device of claim 1 further comprising a processor operable in a learning mode to:
    - disable at least a portion of the rules in the rules database, allowing message packets to be transmitted between each external device and the internal device,store in the memory device a record of the application function identified when the rules are disabled, andgenerate at least one new rule to define whether an application function is allowed or denied based on the record stored in the memory device.
  - 7. The network device of claim 1 wherein the first packet is a first protocol and the at least one additional message packet is a second protocol, the second protocol being different than the first protocol.

8. A method for providing secure communications between an internal device connected to an industrial network and at least one external device, the method comprising the steps of:
- defining at least one firewall rule on a network device connected to the industrial network between the internal device and the at least one external device, wherein each firewall rule is a function of one of a plurality of application functions executing on the at least one external device;
  
  receiving a plurality of message packets for the application function from the external device at the network device;
  
  extracting a signature from each received message packet with a packet processing module executing on the network device;
  
  identifying one of the plurality of application functions from an application database stored on the network device based on the signatures extracted from each message packet using an application classifier executing on the network device, wherein;
  
  the application database includes a plurality of application functions,each application function is defined by a plurality of message packets formatted according to an industrial network protocol, andthe application database includes the signature of each of the plurality of message packets defining each application;
  
  comparing the identified application function to each of the firewall rules using a rules engine when the received message packet is a first message packet of the identified application, wherein each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through the network device;
  
  establishing a connection on the industrial network between the internal device and the external device with a connection manager when the rules engine determines the identified application is allowed by one of the firewall rules; and
  
  transmitting each of the plurality of message packets to the internal device via the established connection when the message packet belongs to the application function on the established connection.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8 wherein a plurality of external devices are connected to a plurality of internal devices and wherein a plurality of connections between the external devices and the internal devices are established, the method further comprising the step of maintaining a record of each connection and a current state of each connection with the connection manager executing on the network device.
  - 10. The method of claim 8 further comprising an initial step of disabling the firewall rules such that each of the received message packets are transmitted from the network device to the internal device.
  - 11. The method of claim 10 further comprising the steps of:
    - storing in a memory device of the network device a record of the application function identified when the rules are disabled, andgenerating at least one firewall rule to define whether the application function is allowed or denied based on the record stored in the memory device.
  - 12. The method of claim 8 wherein the first message packet is a first protocol and at least one of the additional message packets is a second protocol, the second protocol being different than the first protocol.

13. A network device for providing secure communications between an internal device connected to an industrial network and at least one external device, wherein a plurality of application functions execute on the at least one external device, the network device comprising:
- a memory device operative to store a rules database and an application database, the application database including a plurality of application functions, wherein each application function is defined by a plurality of message packets formatted according to an industrial network protocol and wherein the application database includes the signature of each of the plurality of message packets defining each application;
  
  a packet processing module configured to receive a message packet from the at least one external device and to extract a signature from the message packet;
  
  an application classifier configured to identify one of the plurality of application functions stored in the application database based on the signature extracted from the message packet; and
  
  a connection manager operative to establish a connection between the external device and the internal device when the identified application function is allowed by a rule in the rules database and to transmit each message packet belonging to the application function to the internal device via the connection, wherein;
  
  each rule identifies one of the plurality of application functions and defines whether the plurality of message packets for the corresponding application function is allowed to pass through, the network device,the application database stores at least one encrypted signature for each application function,a rules engine compares the extracted signature to the at least one encrypted signature to verify that the extracted signature belongs to the application function.
- View Dependent Claims (14, 15, 16)
- - 14. The network device of claim 13 wherein:
    - the application database defines a plurality of packet signatures for each application function, each packet signature corresponding to one of the message packets for the application function;
      
      the plurality of rules are configurable from a user interface, andeach of the plurality of packet signatures for the application function is encrypted prior to display on the user interface.
  - 15. The network device of claim 13 wherein:
    - a plurality of external devices are connected to a plurality of internal devices,the network device establishes a plurality of connections between the external devices and the internal devices, andthe connection manager is configured to maintain a record of each connection and a current state of each connection.
  - 16. The network device of claim 13 further comprising a processor operable in a learning mode to:
    - disable at least a portion of the rules in the rules database, allowing message packets to be transmitted between each external device and the internal device,store in the memory device a record of at least one of the message packets and the application function identified when the rules are disabled, andgenerate at least one new rule to define whether an application function is allowed or denied based on the record stored in the memory device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Rockwell Automation, Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Rockwell Automation, Inc.)
Inventors
Batke, Brian A., Balasubramanian, Sivaram, Ptacek, Petr, Jasper, Taryl
Primary Examiner(s)
Poltorak, Piotr

Application Number

US14/554,621
Publication Number

US 20160149861A1
Time in Patent Office

1,427 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

H04L 67/12   specially adapted for propr...

Firewall with application packet classifer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall with application packet classifer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links