Method for updating message filter rules of a network access control unit of an industrial communication network address management unit, and converter unit

US 10,341,249 B2
Filed: 01/29/2015
Issued: 07/02/2019
Est. Priority Date: 01/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method of updating message filter rules of a network access control unit within a firewall system of an industrial communication network including a first communication device, a second communication device, the firewall system further including an address management unit and a converter unit, the method comprising:

assigning at least one address-based message filter rule defined symbolically based on device descriptions to the first communication device;

registering the at least one address-based message filter rule defined symbolically based on device descriptions with a corresponding communication network address and a communication device description in the address management unit of the firewall system further including the network access control unit and the converter unit upon identifying an activation, the communication device description comprising at least one of a function indication and a topology indication;

replacing the first communication device with the second communication device, and registering the second communication device in the address management unit of the firewall system further including the network access control unit and the converter unit in response to the replacement of the first communication device with the second communication device such that a communication network address and a communication device description of the second communication device are acquired;

checking, by the address management unit of the firewall system further including the network access control unit and the converter unit, during the registration of the second communication device, whether a communication device with an identical communication device description is already registered;

upon determining that there is a positive check result by the address management unit of the firewall system further including the network access control unit and the converter unit, the address management unit of the firewall system transmitting a change message relating to the registration of the second communication device with a communication device description that is identical to that of the first communication device to the network access control unit or to the converter unit, the change message comprising at least the communication network address and the communication device description of the second communication device; and

upon receiving the change message, replacing the communication network address of the first communication device with the communication network address of the second communication device based on the at least one address-based message filter rule defined symbolically based on device descriptions to update the message filter rules of the firewall system including the address management unit, the network access control unit and the converter unit of the industrial communication network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and system of updating message filter rules of a network access control unit of an industrial communication network. At least one address-based message filter rule is assigned to the first communication device. The first communication device is replaced with the second communication device, and the second communication device is registered in the address management unit in response to the replacement of the first communication device with the second communication device. Upon determining that a communication device with an identical communication device description is already registered, the address management unit transmits a change message to the network access control unit or to the converter unit. The communication network address of the first communication device is replaced with the communication network address of the second communication device based on the at least one address-based message filter rule.

Citations

13 Claims

1. A method of updating message filter rules of a network access control unit within a firewall system of an industrial communication network including a first communication device, a second communication device, the firewall system further including an address management unit and a converter unit, the method comprising:
- assigning at least one address-based message filter rule defined symbolically based on device descriptions to the first communication device;
  
  registering the at least one address-based message filter rule defined symbolically based on device descriptions with a corresponding communication network address and a communication device description in the address management unit of the firewall system further including the network access control unit and the converter unit upon identifying an activation, the communication device description comprising at least one of a function indication and a topology indication;
  
  replacing the first communication device with the second communication device, and registering the second communication device in the address management unit of the firewall system further including the network access control unit and the converter unit in response to the replacement of the first communication device with the second communication device such that a communication network address and a communication device description of the second communication device are acquired;
  
  checking, by the address management unit of the firewall system further including the network access control unit and the converter unit, during the registration of the second communication device, whether a communication device with an identical communication device description is already registered;
  
  upon determining that there is a positive check result by the address management unit of the firewall system further including the network access control unit and the converter unit, the address management unit of the firewall system transmitting a change message relating to the registration of the second communication device with a communication device description that is identical to that of the first communication device to the network access control unit or to the converter unit, the change message comprising at least the communication network address and the communication device description of the second communication device; and
  
  upon receiving the change message, replacing the communication network address of the first communication device with the communication network address of the second communication device based on the at least one address-based message filter rule defined symbolically based on device descriptions to update the message filter rules of the firewall system including the address management unit, the network access control unit and the converter unit of the industrial communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as claimed in claim 1, wherein the address-based message filter rules defined symbolically based on device descriptions are applied by the network access control unit.
  - 3. The method as claimed in claim 2, further comprising:
    - converting the message filter rules into address-based message filter rules defined symbolically based on device descriptions by the converter unit; and
      
      transmitting the converted message filter rules defined symbolically based on device descriptions to the network access control unit.
  - 4. The method as claimed in claim 3, further comprising:
    - transmitting to the converter unit within the firewall system the change message relating to the registration of the second communication device having a communication device description that is identical to that of the first communication device.
  - 5. The method as claimed in claim 3, further comprising:
    - connecting the converter unit within the firewall system to a memory unit for message filter rules defined symbolically based on device descriptions;
      
      accessing and reading the memory unit, by the converter unit within the firewall system; and
      
      updating the address-based message filter rules in response to the accessing and reading the memory unit.
  - 6. The method as claimed in claim 5, wherein the message filter rules that are defined symbolically based on the device descriptions remaining unchanged upon replacing a communication device.
  - 7. The method as claimed in claim 1, further comprising:
    - deleting the registration of the first communication device upon detecting a correspondence between the device descriptions of the first and second communication devices.
  - 8. The method as claimed in claim 1, further comprising:
    - automatically defining the communication network addresses of the first and second communication devices, respectively, within the industrial communication network.
  - 9. The method as claimed in claim 1, wherein the communication network addresses of the first and second communication devices are IPv6 addresses.
  - 10. The method as claimed in claim 1, wherein the network access control unit is a firewall for at least one of data frames and data packets.
  - 11. The method as claimed in claim 1, wherein:
    - the replacement of the first communication device with the second communication device takes place logically;
      
      the first communication device differs from the second communication device only in its communication network address; and
      
      the replacement of the first communication device with the second communication device comprises a change of address.
  - 12. The method as claimed in claim 1, wherein:
    - a group of first communication devices and a group of second communication devices are provided;
      
      the groups of first communication devices and second communication devices differ only in a network address prefix;
      
      a replacement of the first group of communication devices with the second group of communication devices comprises a change of a network address prefix for a group of communication devices; and
      
      the change of the network address prefix is registered in the address management unit by the communication device that is assigned to the respective group.

13. An address management unit within a firewall system of an industrial communication network, the network comprising:
- a first communication device;
  
  a second communication device; and
  
  a converter unit;
  
  wherein the address management unit within the firewall system is configured to register the communication devices, upon activation of the respective communication device;
  
  wherein each communication device includes a respective communication network address and a device description;
  
  wherein the device description comprises at least one of a function indication and topology indication;
  
  wherein the address management unit within the firewall system is configured to check whether a registered second communication device has a device description that is identical to that of the first communication device that is registered earlier;
  
  wherein the address management unit within the firewall system is configured to transmit a change message to one of a network access control unit within the firewall system and to the converter unit upon determining a positive check result to update message filter rules of the network access control unit defined symbolically based on the device description within the firewall system of the industrial communication network; and
  
  wherein the change message comprises at least the communication network address and the device description of the second communication device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Albrecht, Harald, Plonka, Reiner
Primary Examiner(s)
Vu, Viet D

Application Number

US14/608,919
Publication Number

US 20150215232A1
Time in Patent Office

1,615 Days
Field of Search

709225, 713201, 726 18
US Class Current
CPC Class Codes

G05B 19/4185   characterised by the networ...

H04L 41/082   the condition being updates...

H04L 45/745   Address table lookup; Addre...

H04L 47/70   Admission control; Resource...

H04L 61/5038   for local use, e.g. in LAN ...

H04L 61/5076   Update or notification mech...

H04L 61/5092   by self-assignment, e.g. pi...

H04L 63/0236   Filtering by address, proto...

Y02P 90/02   Total factory control, e.g....

Method for updating message filter rules of a network access control unit of an industrial communication network address management unit, and converter unit

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method for updating message filter rules of a network access control unit of an industrial communication network address management unit, and converter unit

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links