Firewall System and Method for Establishing Secured Communications Connections to an Industrial Automation System
Abstract
A connection management device for establishing secured communications connections to an industrial automation system, wherein the device provides, in cases of a positive authorization verification outcome, access control information for establishing an encrypted communication connection between a first communication unit of a requesting user and a selected second communication unit. The connection management device is formed by a server instance running on a firewall system. Data packets transmitted via an encrypted communications connection between the first communication unit of the requesting user and the selected second communication unit are decrypted for verification by the firewall system, based on specified security rules, and, in cases of a successful verification, the data packets are forwarded encrypted to the first communication unit of the requesting user or to the selected second communication unit.
3 Citations
25 Claims
1-11. (canceled)
12. A method for establishing secured communications connections to an industrial automation system in which communications connections are set up from first communications devices outside of the industrial automation system to second communications devices assigned to the industrial automation system via a connection management device, the communications connections established via the connection management device between first communications devices and second communications devices being Virtual Private Network (VPN) connections, the connection management device being formed by a server instance running on a firewall system, and data packets transmitted via an encrypted communications connection between the first communication device of the requesting user and the selected second communication device being decrypted for a verification by the firewall system based on defined security rules, the method comprising:

performing, by the connection management device, an authorization verification for a requesting user based on an access control list in an event of a request to set up a connection to a selected second communication device by a requesting user of a first communication device, the authorization verification comprising an authentication of the requesting user against the connection management device;

providing, by the connection management device, access control information for establishing an encrypted communications connection between the first communication device of the requesting user and the selected second communication device for these communication devices in an event of a positive authorization verification outcome, the connection management device providing access control information to the requesting user regarding a use of a VPN connection between the first communication device of the requesting user and the selected second communication device only after an authentication of the requesting user, and the access control information items comprising passwords for VPN sessions or temporarily valid passwords;

forwarding, by the firewall system, data packets successfully verified based on defined security rules in encrypted form to at least one of (i) the first communication device of the requesting user and (ii) the selected second communication device, the verification by the firewall system based on the defined security rules comprising a verification of a correctness of passwords for VPN sessions or temporarily valid passwords; and

rejecting, by the firewall system, data packets for the transmission of which incorrect passwords have been specified.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 (not reproduced here).
25. A firewall system comprising:

a processor; memory operatively coupled to said processor; wherein the firewall system is configured to:

verify data packets based on specified security rules;

process at least one server instance forming a connection management device which is configured to establish a communications connection from first communication devices outside of an industrial automation system to second communication devices assigned to the industrial automation system;

wherein the communications connections established via the connection management device between first communications devices and second communications devices are Virtual Private Network (VPN) connections;

wherein the connection management device is further configured, in an event of a request, to set up a connection to a selected second communication device by a requesting user of a first communication device, and is further configured to perform an authorization verification for the requesting user based on an access control list, the authorization verification comprising an authentication of the requesting user against the connection management device;

wherein the connection management device is additionally configured, in the event of a positive authorization verification outcome, to provide access control information for establishing an encrypted communications connection between the first communication device of the requesting user and the selected second communication device for these communication devices;

wherein the connection management device is additionally configured to provide access control information to the requesting user regarding use of a VPN connection between the first communication device of the requesting user and the selected second communication device only after an authentication of the requesting user, the access control information items comprising passwords for VPN sessions or temporarily valid passwords; and

wherein the firewall system is further configured to: decrypt data packets transmitted via an encrypted communications connection between the first communication device of the requesting user and the selected second communication device for the verification based on defined security rules; and forward data packets successfully verified based on the defined security rules in encrypted form to the first communication device of the requesting user or to the selected second communication device, the verification by the firewall system based on the defined security rules comprising a verification of the correctness of passwords for VPN sessions or temporarily valid passwords, and reject data packets for the transmission of which incorrect passwords have been specified.
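The flow common to the abstract and to claims 12 and 25 (authenticate the requesting user against the connection management server, authorize the target against an access control list, hand out a temporarily valid VPN password, then decrypt each packet on the firewall, check it against the security rules, re-encrypt it and forward or reject it) modelled as an added example. This is illustration code written for this page, not code from the patent or its assignee; the user list, ACL, allowed-command rule, "device|command" payload layout, 300-second password lifetime and the toy SHA-256 counter-mode cipher that stands in for the VPN's cipher are all assumptions.

```python
"""Model of the claimed flow: a connection management server on a firewall that
authenticates a user, authorises the request against an ACL, hands out a
temporarily valid VPN password, then decrypts, checks and re-encrypts packets.
Added example; names, rules and sample data are assumptions, not the patent's."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample data (assumptions for this example only).
ACL = {"alice": {"plc-01", "hmi-02"}, "bob": {"hmi-02"}}      # user -> reachable devices
USER_SECRETS = {"alice": b"correct horse", "bob": b"battery staple"}
ALLOWED_COMMANDS = {b"READ_COILS", b"READ_REGISTERS"}          # assumed security rule
PASSWORD_TTL = 300.0   # seconds a temporary VPN password stays valid (assumption)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher standing in for the VPN's cipher.
    Illustration only: a real firewall terminates TLS/IPsec at this point."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(12)
    ct = keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Verify the tag, then decrypt; None on any integrity failure."""
    if len(blob) < 44:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return keystream_xor(key, nonce, ct)


@dataclass
class Session:
    user: str
    target: str          # the selected second communication device
    expires_at: float
    user_key: bytes      # leg to the requesting user's device
    plant_key: bytes     # leg to the automation device


class ConnectionManager:
    """The server instance running on the firewall (claims 12 and 25)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # sha256(vpn password) -> Session

    def request_connection(self, user: str, secret: bytes, target: str):
        # Authentication of the requesting user against the connection manager.
        if not hmac.compare_digest(USER_SECRETS.get(user, b""), secret):
            return None
        # Authorization verification based on the access control list.
        if target not in ACL.get(user, set()):
            return None
        # Access control information: a temporarily valid VPN password plus per-leg keys.
        password = secrets.token_urlsafe(16)
        session = Session(user, target, self.clock() + PASSWORD_TTL,
                          secrets.token_bytes(32), secrets.token_bytes(32))
        self.sessions[hashlib.sha256(password.encode()).hexdigest()] = session
        return password, session


class Firewall:
    """Decrypts, verifies against the security rules, re-encrypts and forwards."""

    def __init__(self, manager: ConnectionManager):
        self.manager = manager

    def handle(self, vpn_password: str, blob: bytes):
        """Return (verdict, packet for the plant-side leg or None)."""
        session = self.manager.sessions.get(hashlib.sha256(vpn_password.encode()).hexdigest())
        if session is None or self.manager.clock() > session.expires_at:
            return "REJECT_BAD_PASSWORD", None   # unknown, wrong or expired password
        plaintext = unseal(session.user_key, blob)
        if plaintext is None:
            return "REJECT_INTEGRITY", None
        dst, _, command = plaintext.partition(b"|")   # assumed "device|command" payload
        if dst.decode(errors="replace") != session.target or command not in ALLOWED_COMMANDS:
            return "REJECT_RULE", None
        return "FORWARD", seal(session.plant_key, plaintext)
```

The separation the model keeps is the one the claims describe: the user-side and plant-side legs use different keys, so the firewall is the only party that sees plaintext and every packet passes the rule check (correct and unexpired password, destination equal to the authorised device, command on the allow list) before anything is re-encrypted toward the automation network. A packet carrying an unknown or expired password is dropped before any decryption work is done, which is also what keeps the rule engine from being reachable by unauthenticated senders.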
Specification