Firewall method and apparatus for industrial systems
First Claim
1. A method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet transmitting and receiving resources being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of:
specifying access control information for at least a subset of the resources;
for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field;
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
(iii) identifying the access control information associated with the second protocol destination resource;
(iv) identifying at least a subset of characteristics of the first protocol packet;
(v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and
(vi) restricting transmission of the first protocol packet as a function of the comparison results.
1 Assignment
0 Petitions
Abstract
The invention includes a method and apparatus for use with a system including networked resources where communication between resources is via a dual packet protocol. A first protocol includes a frame that specifies a destination device/resource and a data field; the second protocol specifies a final destination device/resource and includes a data field, and the second protocol packets are encapsulated in the first protocol packet frames. The method includes the steps of specifying access control information for resources and, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to the first protocol destination resource, examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource, and restricting transmission of the first protocol packet as a function of the identified access control information.
63 Citations
71 Claims
1. Independent claim 1 is reproduced above under First Claim. Dependent claims: 2-23.
24. A method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipients being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of:
specifying access control information for at least a subset of the resources;
for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field;
(i) intercepting the first protocol packet prior to the second protocol destination resource;
(ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
(iii) examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource;
(iv) identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource;
(v) identifying at least a subset of characteristics of the first protocol packet;
(vi) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource; and
(vii) restricting transmission of the first protocol packet as a function of the comparison results.
Dependent claims: 25-27.
28. A method for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specifying at least one object and at least one service related to the target device, the method comprising the steps of:
providing an access control database that correlates the source device with at least a subset of target devices, objects and services where the correlated target devices include devices that the source can access and the correlated services include services that the source can initiate at the correlated object;
receiving at least one communication transmitted from the source to the target device;
decapsulating the communications to identify at least a subset of the target device and related at least one object and the at least one service;
comparing the identified at least a subset of the target device, at least one object and at least one service with the target device, object and service information in the database; and
selectively transmitting the at least one communication to the target device as a function of the comparison.
Dependent claims: 29.
30. A method for controlling communications between a source device and a target device, the method comprising the steps of:
providing an access control database that correlates the source device with target devices where the correlated target devices include devices that the source can access for at least one purpose;
providing a firewall between the source device and the target device;
intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source and the target devices;
using the access control database to determine if the source device may access the target device; and
transmitting the connection open packet toward the target device when the source device may access the target device.
31. A method for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the method comprising the steps of:
providing a firewall linked to the system;
transmitting an original communication packet from the source device that targets the target device;
via the firewall;
intercepting the original communication packet;
encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device;
transmitting the spoof response packet to the source device;
accepting the spoof response packet as a legitimate response packet from the target device; and
moving on to process the next communication in the stack.
Dependent claims: 32-37.
38. A method for use with a system including networked resources where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including additional packets embedded in the first protocol data fields, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at least one of the additional embedded packets being a second protocol packet, the method for controlling communication between resources and comprising the steps of:
specifying access control information for at least a subset of the resources;
for each first protocol packet transmitted on the network that includes additional embedded packets;
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource;
(iii) identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource; and
(iv) restricting transmission of the first protocol packet as a function of the identified access control information.
Dependent claims: 39-44.
45. An apparatus for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet transmitting and receiving resources being source and destination resources, respectively, the apparatus for controlling communication between resources and comprising:
a database specifying access control information for at least a subset of the resources;
a firewall linked to the network, the firewall, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field;
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
(iii) identifying the access control information associated with the second protocol destination resource;
(iv) identifying at least a subset of characteristics of the first protocol packet;
(v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and
(vi) restricting transmission of the first protocol packet as a function of the comparison results.
Dependent claims: 46-58.
59. An apparatus for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipients being source and destination resources, respectively, the apparatus for controlling communication between resources and comprising:
a database specifying access control information for at least a subset of the resources;
a firewall, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field the firewall performing the steps of;
(i) intercepting the first protocol packet prior to the second protocol destination resource;
(ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource;
(iii) examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource;
(iv) identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource;
(v) identifying at least a subset of characteristics of the first protocol packet;
(vi) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource; and
(vii) restricting transmission of the first protocol packet as a function of the comparison results.
Dependent claims: 60.
61. An apparatus for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specifying at least one object and at least one service related to the target device, the apparatus comprising:
an access control database that correlates the source device with at least a subset of target devices, objects and services where the correlated target devices include devices that the source can access and the correlated services include services that the source can initiate at the correlated object;
a firewall programmed to perform the steps of;
receiving at least one communication transmitted from the source to the target device;
decapsulating the communications to identify at least a subset of the target device and related at least one object and the at least one service;
comparing the identified at least a subset of the target device, at least one object and at least one service with the target device, object and service information in the database; and
selectively transmitting the at least one communication to the target device as a function of the comparison.
Dependent claims: 62-63.
64. An apparatus for controlling communications between a source device and a target device, the apparatus comprising:
an access control database that correlates the source device with target devices where the correlated target devices include devices that the source can access for at least one purpose;
a firewall programmed to perform the steps of;
providing a firewall between the source device and the target device;
intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source and the target devices;
using the access control database to determine if the source device may access the target device; and
transmitting the connection open packet toward the target device when the source device may access the target device.
65. An apparatus for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the apparatus comprising:
a firewall linked to the system, the firewall programmed to perform the steps of;
intercepting the original communication packet;
encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device; and
transmitting the spoof response packet to the source device.
Dependent claims: 66.
67. An apparatus for use with a system including networked resources where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including additional packets embedded in the first protocol data fields, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at least one of the additional embedded packets being a second protocol packet, the apparatus for controlling communication between resources and comprising:
a database including access control information for at least a subset of the resources;
a firewall programmed to perform the steps of, for each first protocol packet transmitted on the network that includes additional embedded packets;
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource;
(iii) identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource; and
(iv) restricting transmission of the first protocol packet as a function of the identified access control information.
Dependent claims: 68-71.
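The decision the independent claims describe (decapsulating the embedded second-protocol packet, looking up access control information for each intermediate path resource and the final destination, and comparing the outer packet's source against it, including the object/service check of claims 28 and 61), as an added Python model that is not part of the patent or of any product implementing it. The embedded packet layout, the shape of the access control dictionary, the deny-by-default choice for resources with no access control entry, and all resource names are assumptions made for this illustration.

```python
# Added example, not from the patent or any product: a minimal model of the
# dual-protocol firewall check the claims describe. Packet layout, ACL shape,
# the deny-by-default for unlisted resources and all names are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class OuterPacket:      # first-protocol packet: source id, destination id, data field
    src: str
    dst: str
    data: bytes

@dataclass
class InnerPacket:      # second-protocol packet embedded in the outer data field
    path: list          # intermediate path resources, in order (may be empty)
    dest: str           # final destination resource
    obj: str            # object at the final destination
    service: str        # service requested on that object

MAGIC = b"P2:"          # constructed marker: "this data field carries a second-protocol packet"

def decapsulate(pkt: OuterPacket) -> Optional[InnerPacket]:
    """Parse the constructed layout  P2:hop1>hop2>final|object|service.
    Returns None when the data field carries no (well-formed) second-protocol packet."""
    if not pkt.data.startswith(MAGIC):
        return None
    try:
        route, obj, service = pkt.data[len(MAGIC):].decode("ascii").split("|")
    except (UnicodeDecodeError, ValueError):
        return None                 # malformed embedded packet is treated as absent
    *path, dest = route.split(">")
    return InnerPacket(path=path, dest=dest, obj=obj, service=service)

# Access control database (constructed): per resource, the outer-packet sources
# that may reach it and, for a final destination, the object/service pairs allowed.
ACL = {
    "bridge1": {"sources": {"hmi1", "eng1"}},
    "plc7":    {"sources": {"hmi1"}, "services": {"motor1": {"read", "start"}}},
}

def check(pkt: OuterPacket) -> tuple:
    """Return (allow, reason) for one intercepted first-protocol packet."""
    inner = decapsulate(pkt)
    if inner is None:
        # The claimed method applies only to packets carrying an embedded
        # second-protocol packet; ordinary first-protocol filtering is separate.
        return (True, "no embedded packet; not subject to this check")
    # Every intermediate path resource and the final destination must have
    # access control information that admits the outer packet's source.
    for resource in [*inner.path, inner.dest]:
        entry = ACL.get(resource)
        if entry is None:
            return (False, f"no access control information for {resource}")
        if pkt.src not in entry["sources"]:
            return (False, f"{pkt.src} may not reach {resource}")
    # Object/service level check at the final destination (claims 28 and 61).
    allowed = ACL[inner.dest].get("services", {}).get(inner.obj, set())
    if inner.service not in allowed:
        return (False, f"{inner.service} on {inner.dest}/{inner.obj} not permitted")
    return (True, "permitted")
```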
Specification