Network security appliance

US 20070199061A1
Filed: 10/05/2006
Published: 08/23/2007
Est. Priority Date: 10/05/2005
Status: Active Grant

First Claim

Patent Images

1. A method of securing a networked industrial device using a security appliance, the security appliance coupling the network industrial device to a data network, the method comprising the steps of:

monitoring, in the security appliance, data traffic originating from the industrial device to other devices accessible through the data network, for determining attributes associated with the industrial device;

receiving, at the security appliance, encrypted management connection data originating from a management server connected to the data network, from packets addressed to the device;

sending, to the management server, the determined device attributes, utilizing the address associated with the device as the originating address for the packet;

receiving, at the security appliance, encrypted configuration data from the management, from packets addressed to the device, wherein the configuration data is selected by the management server based upon the supplied device attributes;

managing packets between the industrial device and the network based upon the configured data; and

periodically sending an encrypted heartbeat message to the management server utilizing the address associated with the device as the originating address for the packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security appliance that provides security to devices in industrial environments by transparently bridging traffic to the endpoint device. The security appliance securely communicates with a management server for receiving configuration data for operation of security modules in the appliance by encrypted communications. The security appliance utilizes the network address of the industrial device when communicating with a management server and is addressed by the management server using the address of one of the protected devices associated with the appliance. Learned device characteristics are provided by the appliance to the management server which tailors software and security rules to specific network vulnerabilities of the device and control protocol. The security appliance sends periodic heartbeat messages to the management server using the network address of the device. The heartbeat message can also report anomalous events which may required additional software being provided from the management server to the node.

181 Citations

20 Claims

1. A method of securing a networked industrial device using a security appliance, the security appliance coupling the network industrial device to a data network, the method comprising the steps of:
- monitoring, in the security appliance, data traffic originating from the industrial device to other devices accessible through the data network, for determining attributes associated with the industrial device;
  
  receiving, at the security appliance, encrypted management connection data originating from a management server connected to the data network, from packets addressed to the device;
  
  sending, to the management server, the determined device attributes, utilizing the address associated with the device as the originating address for the packet;
  
  receiving, at the security appliance, encrypted configuration data from the management, from packets addressed to the device, wherein the configuration data is selected by the management server based upon the supplied device attributes;
  
  managing packets between the industrial device and the network based upon the configured data; and
  
  periodically sending an encrypted heartbeat message to the management server utilizing the address associated with the device as the originating address for the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The security appliance of claim 1 wherein the packet address further includes a port number not utilized by the device.
  - 3. The security appliance of claim 1 wherein security appliance utilizes both layer 2 and layer 3 addresses of the industrial device when sending data to the management server.
  - 4. The method of claim 1 wherein the heartbeat is generated for exception events based upon the managing of the packets.
  - 5. The method of claim 1 wherein the configuration software is selected from the group comprising a firewall module, a device identification module, a virtual private networking (VPN) module, an intrusion detection module, a network statistics gathering module and a bandwidth monitoring and traffic shaping module.
  - 6. The method of claim 1 wherein the exception event causes the management server to send reconfiguration data to the security appliance.
  - 7. The method of claim 1 wherein the communications module receives a management connection request from the management server and for establishing an encrypted connection with the management server.
  - 8. The method of claim 1 wherein the data is encrypted by a secure socket link (SSL) or IPSec security connection.
  - 9. The method of claim 1 wherein the configuration data supplied to the security appliance from the management server comprises security rules and software modules tailored to the specific control protocol utilized for by the device.
  - 10. The method of claim 1 wherein the heartbeat packets and the encrypted management connection data utilize connectionless packet types.

11. A security appliance for protecting one or more industrial devices downstream of the security appliance in a data network, the security appliance comprising:
- a heartbeat module for generating an encrypted heartbeat message to a management server in the data network, utilizing the address associated with one of the devices as the originating address for the packet;
  
  a communications module for processing packets transmitted from the management server, addressed to one of the devices downstream of the security appliance, the communications module decrypting data embedded in the packets; and
  
  one or more security modules configurable by the management server, the modules providing security management on data transiting the security module between devices on the network and one or more industrial devices downstream of the security appliance based upon security profiles associated with each one or more industrial devices.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The security appliance of claim 11 wherein the one or more security modules is selected from the group comprising a firewall module, a device identification module, a virtual private networking (VPN) module, an intrusion detection module, a network statistics gathering module and a bandwidth monitoring and traffic shaping module.
  - 13. The security appliance of claim 11 wherein the heartbeat modules generates an exception heartbeat and a timed heartbeat, the exception heartbeat generated when an anomalous event is identified by the one or more security modules.
  - 14. The security appliance of claim 11 wherein communication module further comprises an authenticator module for authenticating data between the security appliance and management server.
  - 15. The security appliance of claim 11 wherein the one or more security modules are configured by the management server based upon attributes of the one or more devices.
  - 16. The security appliance of claim 11 wherein the communications module processes encrypted packets addressed with an IP address and a predefined port number of one of the devices downstream of the security appliance.
  - 17. The security appliance of claim 11 wherein the communications module establishes a secure encrypted connection with the management server for exchanging configuration data utilizing SSL or IPSec encryption.

18. A data network comprising:
- a plurality of networked industrial devices;
  
  a plurality of security appliances, each appliance associated with one or more of the plurality of industrial devices, the security appliance transparently bridging the industrial device to the data network and providing management of data traversing to and from the industrial device based upon identified characteristics of the associated industrial device;
  
  a management server for managing the plurality of security appliances; and
  
  wherein the management server communicates with the plurality of security devices by utilizing an address of one of the associated industrial devices and the plurality of security appliances periodically sends an encrypted heartbeat message to the management server utilizing address information of an associated device as the source of the heartbeat message.
- View Dependent Claims (19, 20)
- - 19. The data network of claim 18 wherein the plurality of security appliances and the management server can establish an encrypted data connection for exchanging configuration data.
  - 20. The data network of claim 18 wherein the management server provides configuration data to each of the plurality of security appliances based upon the identified characteristics of the industrial device wherein the configuration data is tailored to the control protocol utilized by the industrial device and the associated security vulnerabilities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Belden Inc.
Original Assignee
Bryes Security, Co.
Inventors
Karsch, John, Lee, Khai, Lissimore, Darren, Byres, Eric

Granted Patent

US 8,042,147 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0806   for initial configuration o...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 67/12   specially adapted for propr...

H04L 67/125   involving control of end-de...

H04L 67/303   Terminal profiles

H04L 67/34   involving the movement of s...

H04L 67/56   Provisioning of proxy servi...

Network security appliance

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network security appliance

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links