Firewall method and apparatus for industrial systems

US 20060155865A1
Filed: 01/06/2006
Published: 07/13/2006
Est. Priority Date: 01/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet transmitting and receiving resources being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of:

specifying access control information for at least a subset of the resources;

for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field;

(i) intercepting the first protocol packet prior to the first protocol destination resource;

(ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;

(iii) identifying the access control information associated with the second protocol destination resource;

(iv) identifying at least a subset of characteristics of the first protocol packet;

(v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and

(vi) restricting transmission of the first protocol packet as a function of the comparison results.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention includes a method and apparatus for use with a system including networked resources where communication between resources is via a dual packet protocol wherein a first protocol includes a frame that specifies a destination device/resource and a data field and the second protocol specifies a final destination device/resource and includes a data field and where the second packets are encapsulated in the first protocol packet frames the method including the steps of specifying access control information for resources, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to the first protocol destination resource, examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and restricting transmission of the first protocol packet as a function of the identified access control information.

63 Citations

View as Search Results

71 Claims

1. A method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet transmitting and receiving resources being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of:
- specifying access control information for at least a subset of the resources;
  
  for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field;
  
  (i) intercepting the first protocol packet prior to the first protocol destination resource;
  
  (ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
  
  (iii) identifying the access control information associated with the second protocol destination resource;
  
  (iv) identifying at least a subset of characteristics of the first protocol packet;
  
  (v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and
  
  (vi) restricting transmission of the first protocol packet as a function of the comparison results.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1 wherein the step of specifying includes specifying access control information that includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource.
  - 3. The method of claim 2 wherein the step of specifying access control information includes, for each of at least a subset of destination resources, specifying source resources authorized to communicate with the destination resource.
  - 4. The method of claim 3 wherein the step of identifying at least a subset of the characteristics of the first protocol packet includes identifying the source of the first protocol packet and the step of comparing the first protocol packet characteristics to the access control information associated with the destination resource includes comparing the source of the first protocol packet to the resources authorized to communicate with the destination resource.
  - 5. The method of claim 4 wherein the step of restricting includes, when the first protocol packet source is not authorized to access the second protocol destination resource, halting transmission of the first protocol packet.
  - 6. The method of claim 4 wherein the step of restricting includes, when the first protocol packet source is not authorized to access the second protocol destination resource, at least one of activating an alarm signal and providing a signal back to the source indicating that the packet has been halted.
  - 7. The method of claim 2 wherein the step of specifying access control information includes specifying packet characteristics (PCs) that include characteristics identifiable directly from the first protocol packet.
  - 8. The method of claim 2 wherein the step of specifying access control information includes specifying non-packet characteristics (NPQs) that include characteristics other than those identifiable directly from the first protocol packet.
  - 9. The method of claim 8 wherein the NPQs include at least a subset of a time associated with the first protocol packet transmission, the location of the source resource, where a person initiates the first protocol packet transmission, the identity of the initiating person and, where a person initiates the first protocol packet transmission, characteristics of the initiating person.
  - 10. The method of claim 2 wherein the step of specifying access control information further includes specifying times during which resources can communicate with other resources, the method further including the step of, when a first protocol packet that includes an embedded second protocol packet is received, identifying a time associated with the received packet, the step of comparing including comparing the packet associated time with the specified times.
  - 11. The method of claim 1 wherein the first protocol is one of an Ethernet protocol and an IP protocol.
  - 12. The method of claim 1 wherein the second protocol is one of a common industrial protocol (CIP) and a Data Highway Plus protocol.
  - 13. The method of claim 1 further including the steps of specifying at least first and second priorities for network transmissions and, wherein, the step of restricting transmission includes transmitting as a function of the specified priorities and the packet characteristics.
  - 14. The method of claim 2 wherein the step of specifying access control information includes the step of specifying locations of source resources from which communications with associated resources are allowed, the method further including the step of identifying the location of a source resource that transmits a first protocol packet that includes an embedded second protocol packet and the step of comparing further including comparing the identified source resource location with the specified source resource location.
  - 15. The method of claim 1 wherein each destination resource includes at least one of a programmable logic controller (PLC), a human-machine interface (HMI), a sensor, an actuator, a drive, and a remote input/output device.
  - 16. The method of claim 2 wherein the step of specifying access control information includes specifying characteristics of persons authorized to communicate with associated resources, the step of identifying at least a subset of the characteristics of the first protocol packet including identifying characteristics of a person that initiates a communication and the step of comparing including comparing the specified and identified characteristics.
  - 17. The method of claim 1 wherein the embedded protocol packet specifies a path of resources to a final destination resource, the method further including identifying access control information associated with each of the path resources, comparing the first protocol packet characteristics to the access control information associated each of the path resources and restricting transmission of the first protocol packet as a function of the results of the comparison to the access control information associated with the path resources.
  - 18. The method of claim 4 wherein at least one protocol packet generated by a first protocol packet source requires a response from at least one second protocol destination resource including specific identifying information and wherein step of restricting includes, when a first protocol packet source is not authorized to access the second protocol destination resource, encapsulating the specific identifying information in a response packet and transmitting the response packet to the first protocol packet source.
  - 19. The method of claim 18 wherein the specific identifying information includes the identity of the second protocol destination resource.
  - 20. The method of claim 18 wherein the at least one protocol packet generated by the first protocol packet source includes a target-originator (T-O) ID and wherein the specific identifying information includes the T-O ID.
  - 21. The method of claim 1 wherein at least some communication between resources includes first protocol packets that include first protocol packets including second protocol packets embedded in the first protocol packet data fields where the second protocol packets further include additional embedded protocol packets, wherein, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field and additional embedded packets, the step of examining including examining at least a subset of the additional embedded packet information to identify at least a final destination resource and the step of identifying the access control information including identifying access control information associated with at least the final destination resource.
  - 22. The method of claim 21 where the additional embedded protocol packets are second protocol packets.
  - 23. The method of claim 21 wherein each of the second and additional protocol packets specifies a target resource and wherein the step of identifying the access control information includes identifying access control information associated with, in addition to the final destination resource, access control information associated with each of the target resources.

24. A method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipient'"'"'s being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of:
- specifying access control information for at least a subset of the resources;
  
  for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field;
  
  (i) intercepting the first protocol packet prior to the second protocol destination resource;
  
  (ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
  
  (iii) examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource;
  
  (iv) identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource;
  
  (v) identifying at least a subset of characteristics of the first protocol packet;
  
  (vi) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource; and
  
  (vii) restricting transmission of the first protocol packet as a function of the comparison results.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24 wherein the step of specifying includes specifying access control information that includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource.
  - 26. The method of claim 25 wherein the additional resource is the first protocol packet destination resource.
  - 27. The method of claim 25 wherein the second protocol packet specifies at least one path resource to the second protocol packet destination resource through which data is to be routed between the first and second protocol packet destination resources and wherein the step of identifying at least one additional resource includes identifying the at least one path resource.

28. A method for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specify at least one object and at least one service related to the target device, the method comprising the steps of:
- providing an access control database that correlates the source device with at least a subset of target devices, objects and services where the correlated target devices include devices that the source can access and the correlated services include services that the source can initiate at the correlated object;
  
  receiving at least one communication transmitted from the source to the target device;
  
  decapsulating the communications to identify at least a subset of the target device and related at least one object and the at least one service;
  
  comparing the identified at least a subset of the target device, at least one object and at least one service with the target device, object and service information in the database; and
  
  selectively transmitting the at least one communication to the target device as a function of the comparison.
- View Dependent Claims (29)
- - 29. The method of claim 28 wherein the correlated object includes a combination of a class, an instance of a class, an attribute of a class and an attribute of an instance of a class.

30. A method for controlling communications between a source device and a target device, the method comprising the steps of:
- providing an access control database that correlates the source device with target devices where the correlated target devices include devices that the source can access for at least one purpose;
  
  providing a firewall between the source device and the target device;
  
  intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source and the target devices;
  
  using the access control database to determine if the source device may access the target device; and
  
  transmitting the connection open packet toward the target device when the source device may access the target device.

31. A method for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the method comprising the steps of:
- providing a firewall linked to the system;
  
  transmitting an original communication packet from the source device that targets the target device;
  
  via the firewall;
  
  intercepting the original communication packet;
  
  encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device;
  
  transmitting the spoof response packet to the source device;
  
  accepting the spoof response packet as a legitimate response packet from the target device; and
  
  moving on to process the next communication in the stack.
- View Dependent Claims (32, 33, 34, 35, 36, 37)
- - 32. The method of claim 31 further including the steps of:
    - providing an access control database useable to identify unauthorized communications on the system; and
      
      after intercepting the original communication packet and prior to encapsulating, using the access control database to identify that the communication packet is associated with an unauthorized communication.
  - 33. The method of claim 31 wherein the step of encapsulating includes obtaining at least some information from the original communication packet and using the obtained information to instantiate at least a subset of the response packet.
  - 34. The method of claim 33 wherein the original request packet includes a target-originator (T-O) ID and wherein the obtained information includes the T-O ID from the original request packet.
  - 35. The method of claim 33 wherein the obtained information includes information identifying the source device and information identifying the target device.
  - 36. The method of claim 35 wherein the step of encapsulating further includes generating at least some bogus information to instantiate at least a subset of the response packet information and instantiating at least portions of the response packet with the bogus information.
  - 37. The method of claim 31 wherein the step of encapsulating further includes generating at least some bogus information to instantiate at least a subset of the response packet information and instantiating at least portions of the response packet with the bogus information.

38. A method for use with a system including networked resources where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including additional packets embedded in the first protocol data fields, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at last one of the additional embedded packets being a second protocol packet, the method for controlling communication between resources and comprising the steps of:
- specifying access control information for at least a subset of the resources;
  
  for each first protocol packet transmitted on the network that includes additional embedded packets;
  
  (i) intercepting the first protocol packet prior to the first protocol destination resource;
  
  (ii) examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource;
  
  (iii) identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource; and
  
  (iv) restricting transmission of the first protocol packet as a function of the identified access control information.
- View Dependent Claims (39, 40, 41, 42, 43, 44)
- - 39. The method of claim 38 wherein the step of restricting transmission includes identifying at least a subset of characteristics of the first protocol packet, comparing the first protocol packet characteristics to the identified access control information and restricting transmission as a function of the comparison.
  - 40. The method of claim 38 wherein the step of examining includes examining to identify each of the intermediate path resources and the final destination resource and wherein the step of identifying access control information further includes identifying access control information for each of the intermediate path resources and the final destination resource.
  - 41. The method of claim 38 wherein each of the additional embedded protocol packets is of the second type.
  - 42. The method of claim 38 wherein the step of identifying at least a subset of characteristics of the first protocol packet includes identifying at least a subset of the characteristics of each of the first and the embedded protocol packets.
  - 43. The method of claim 38 wherein the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource.
  - 44. The method of claim 38 wherein at least one protocol packet generated by a first protocol packet source requires a response from at least one of the intermediate path resources and the final destination resource including specific identifying information and wherein step of restricting includes, when a first protocol packet source is not authorized to communicate with the second protocol destination resource, encapsulating the specific identifying information in a response packet and transmitting the response packet to the first protocol packet source.

45. An apparatus for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet transmitting and receiving resources being source and destination resources, respectively, the apparatus for controlling communication between resources and comprising:
- a database specifying access control information for at least a subset of the resources;
  
  a firewall linked to the network, the firewall, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field;
  
  (i) intercepting the first protocol packet prior to the first protocol destination resource;
  
  (ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
  
  (iii) identifying the access control information associated with the second protocol destination resource;
  
  (iv) identifying at least a subset of characteristics of the first protocol packet;
  
  (v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and
  
  (vi) restricting transmission of the first protocol packet as a function of the comparison results.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 46. The apparatus of claim 45 wherein the database includes access control information including at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource.
  - 47. The apparatus of claim 46 wherein for each of at least a subset of destination resources, the database specifies source resources authorized to communicate with the destination resource.
  - 48. The apparatus of claim 47 wherein the firewall identifies at least a subset of the characteristics of the first protocol packet by identifying the source of the first protocol packet and compares the first protocol packet characteristics to the access control information associated with the destination resource by comparing the source of the first protocol packet to the resources authorized to communicate with the destination resource.
  - 49. The apparatus of claim 48 wherein the firewall restricts by, when the first protocol packet source is not authorized to access the second protocol destination resource, halting transmission of the first protocol packet.
  - 50. The apparatus of claim 48 wherein the firewall restricts by, when the first protocol packet source is not authorized to access the second protocol destination resource, at least one of activating an alarm signal and providing a signal back to the source indicating that the packet has been halted.
  - 51. The apparatus of claim 46 wherein the database specifies access control information by specifying packet characteristics (PCs) that include characteristics identifiable directly from the first protocol packet.
  - 52. The apparatus of claim 46 wherein the database specifies access control information by specifying non-packet characteristics (NPQs) that include characteristics other than those identifiable directly from the first protocol packet.
  - 53. The apparatus of claim 52 wherein the NPQs include at least a subset of a time associated with the first protocol packet transmission, the location of the source resource, where a person initiates the first protocol packet transmission, the identity of the initiating person and, where a person initiates the first protocol packet transmission, characteristics of the initiating person.
  - 54. The apparatus of claim 46 wherein the first protocol is one of an Ethernet protocol and an IP protocol.
  - 55. The apparatus of claim 46 wherein the second protocol is one of a common industrial protocol (CIP) and a Data Highway Plus protocol.
  - 56. The apparatus of claim 46 wherein the database specifies access control information by specifying locations of source resources from which communications with associated resources are allowed, the apparatus further including a location determiner useable to determine the location of a source resource that transmits a first protocol packet that includes an embedded second protocol packet and wherein the firewall compares by comparing the identified source resource location with the specified source resource location.
  - 57. The apparatus of claim 46 wherein the database specifies characteristics of persons authorized to communicate with associated resources, the firewall identifying at least a subset of the characteristics of the first protocol packet by identifying characteristics of a person that initiates a communication and the firewall comparing by comparing the specified and identified characteristics.
  - 58. The method of claim 46 wherein the embedded protocol packet specifies a path of resources to a final destination resource, the firewall further identifying access control information associated with each of the path resources, comparing the first protocol packet characteristics to the access control information associated each of the path resources and restricting transmission of the first protocol packet as a function of the results of the comparison to the access control information associated with the path resources.

59. An apparatus for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipient'"'"'s being source and destination resources, respectively, the apparatus for controlling communication between resources and comprising:
- a database specifying access control information for at least a subset of the resources;
  
  a firewall, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field the firewall performing the steps of;
  
  (i) intercepting the first protocol packet prior to the second protocol destination resource;
  
  (ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
  
  (iii) examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource;
  
  (iv) identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource;
  
  (v) identifying at least a subset of characteristics of the first protocol packet;
  
  (vi) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource; and
  
  (vii) restricting transmission of the first protocol packet as a function of the comparison results.
- View Dependent Claims (60)
- - 60. The apparatus of claim 59 wherein the database includes access control information including at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource.

61. An apparatus for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specify at least one object and at least one service related to the target device, the apparatus comprising:
- an access control database that correlates the source device with at least a subset of target devices, objects and services where the correlated target devices include devices that the source can access and the correlated services include services that the source can initiate at the correlated object;
  
  a firewall programmed to perform the steps of;
  
  receiving at least one communication transmitted from the source to the target device;
  
  decapsulating the communications to identify at least a subset of the target device and related at least one object and the at least one service;
  
  comparing the identified at least a subset of the target device, at least one object and at least one service with the target device, object and service information in the database; and
  
  selectively transmitting the at least one communication to the target device as a function of the comparison.
- View Dependent Claims (62, 63)
- - 62. The apparatus of claim 61 wherein the correlated object includes a combination of a class, an instance of a class, an attribute of a class and an attribute of an instance of a class.
  - 63. The apparatus of claim 61 wherein the database correlates the source device with target devices, objects and services where the correlated target devices include devices that the source can access and the correlated services include services that the source can initiate at the correlated object and wherein the firewall is programmed to decapsulate the communications to identify each of the target device and related at least one object and the at least one service, the step of comparing including comparing the identified target device, at least one object and at least one service with the target device, object and service information in the database.

64. An apparatus for controlling communications between a source device and a target device, the apparatus comprising:
- an access control database that correlates the source device with target devices where the correlated target devices include devices that the source can access for at least one purpose;
  
  a firewall programmed to perform the steps of;
  
  providing a firewall between the source device and the target device;
  
  intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source and the target devices;
  
  using the access control database to determine if the source device may access the target device; and
  
  transmitting the connection open packet toward the target device when the source device may access the target device.

65. An apparatus for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the apparatus comprising:
- a firewall linked to the system, the firewall programmed to perform the steps of;
  
  intercepting the original communication packet;
  
  encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device; and
  
  transmitting the spoof response packet to the source device.
- View Dependent Claims (66)
- - 66. The apparatus of claim 65 further including an access control database useable to identify unauthorized communications on the system, the firewall further programmed to, after intercepting the original communication packet and prior to encapsulating, using the access control database to identify that the communication packet is associated with an unauthorized communication.

67. An apparatus for use with a system including networked resources where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including additional packets embedded in the first protocol data fields, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at last one of the additional embedded packets being a second protocol packet, the apparatus for controlling communication between resources and comprising:
- a database including access control information for at least a subset of the resources;
  
  a firewall programmed to perform the steps of, for each first protocol packet transmitted on the network that includes additional embedded packets;
  
  (i) intercepting the first protocol packet prior to the first protocol destination resource;
  
  (ii) examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource;
  
  (iii) identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource; and
  
  (iv) restricting transmission of the first protocol packet as a function of the identified access control information.
- View Dependent Claims (68, 69, 70, 71)
- - 68. The apparatus of claim 67 wherein the firewall is programmed to perform the step of restricting transmission by identifying at least a subset of characteristics of the first protocol packet, comparing the first protocol packet characteristics to the identified access control information and restricting transmission as a function of the comparison.
  - 69. The apparatus of claim 67 wherein firewall is programmed to perform the step of examining by examining to identify each of the intermediate path resources and the final destination resource and to perform the step of identifying access control information by identifying access control information for each of the intermediate path resources and the final destination resource.
  - 70. The apparatus of claim 67 wherein the firewall is programmed to perform the step of identifying at least a subset of characteristics of the first protocol packet by identifying at least a subset of the characteristics of each of the first and the embedded protocol packets.
  - 71. The apparatus of claim 67 wherein at least one protocol packet generated by a first protocol packet source requires a response from at least one of the intermediate path resources and the final destination resource including specific identifying information and wherein the firewall is programmed to perform the step of restricting by, when a first protocol packet source is not authorized to communicate with the second protocol destination resource, encapsulating the specific identifying information in a response packet and transmitting the response packet to the first protocol packet source.

Specification

Resources

Litigation Campaign Assessment

Granted Patent

US 7,990,967 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/230
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/166   IP fragmentation; TCP segme...

Firewall method and apparatus for industrial systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall method and apparatus for industrial systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links