CONFIGURING FIREWALLS FOR AN INDUSTRIAL AUTOMATION NETWORK

US 20170295141A1
Filed: 04/08/2016
Published: 10/12/2017
Est. Priority Date: 04/08/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

installing a virtual firewall on a port of a device that communicates across a zone boundary within an industrial network;

configuring the virtual firewall based on operation of the industrial network; and

communicating, by the port via the firewall, to a remote virtual firewall of a remote port of a remote device across the zone boundary.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a virtual firewall is installed on a port of a device that communicates across a zone boundary within an industrial network. The virtual firewall is then configured based on operation of the industrial network, such that the port may then communicate via the firewall to a remote virtual firewall of a remote port of a remote device across the zone boundary.

112 Citations

View as Search Results

20 Claims

1. A method, comprising:
- installing a virtual firewall on a port of a device that communicates across a zone boundary within an industrial network;
  
  configuring the virtual firewall based on operation of the industrial network; and
  
  communicating, by the port via the firewall, to a remote virtual firewall of a remote port of a remote device across the zone boundary.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as in claim 1, wherein every port of every device that communicates across a zone boundary within the industrial network communicates via a respective virtual firewall.
  - 3. The method as in claim 2, wherein ports of devices that do not communicate across a zone boundary within the industrial network communicate without a virtual firewall.
  - 4. The method as in claim 1, wherein the configuring of the virtual firewall is controlled from an external controller.
  - 5. The method as in claim 1, wherein the virtual firewall is a software configuration at the port.
  - 6. The method as in claim 1, wherein the virtual firewall is a dongle plugged into the port.
  - 7. The method as in claim 1, wherein configuring the virtual firewall comprises at least one of:
    - synchronizing the virtual firewall with the operation of the industrial network; and
      
      relating the virtual firewall to specific industrial protocols of the industrial network in use by the port of the device.
  - 8. The method as in claim 1, further comprising:
    - performing tunneling operations at the device on an outside of the virtual firewall.
  - 9. The method as in claim 1, wherein configuring the virtual firewall comprises:
    - receiving, at a controller, tag configuration data from each device included within the industrial network;
      
      receiving, at the controller, a zone architecture associated with the industrial network;
      
      deriving firewall rules based on the tag configurations and zone architecture; and
      
      configuring the virtual firewall of the device based on the derived firewall rules.

10. An apparatus, comprising:
- one or more network interfaces to communicate within an industrial network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  install a virtual firewall on a port of a device that communicates across a zone boundary within an industrial network;
  
  configure the virtual firewall based on operation of the industrial network; and
  
  communicate, by the port via the firewall, to a remote virtual firewall of a remote port of a remote device across the zone boundary.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus as in claim 10, wherein every port of every device that communicates across a zone boundary within the industrial network communicates via a respective virtual firewall.
  - 12. The apparatus as in claim 11, wherein ports of devices that do not communicate across a zone boundary within the industrial network communicate without a virtual firewall.
  - 13. The apparatus as in claim 10, wherein the configuring of the virtual firewall is controlled from an external controller.
  - 14. The apparatus as in claim 10, wherein the virtual firewall is a software configuration at the port.
  - 15. The apparatus as in claim 10, wherein the virtual firewall is a dongle plugged into the port.
  - 16. The apparatus as in claim 10, wherein the process when executed to configure the virtual firewall is further operable to at least one of:
    - synchronize the virtual firewall with the operation of the industrial network; and
      
      relate the virtual firewall to specific industrial protocols of the industrial network in use by the port of the device.
  - 17. The apparatus as in claim 10, wherein the process when executed is further operable to:
    - perform tunneling operations at the device on an outside of the virtual firewall.
  - 18. The apparatus as in claim 10, wherein the process when executed to configure the virtual firewall is further operable to:
    - receive, as a controller, tag configuration data from each device included within the industrial network;
      
      receive, at the controller, a zone architecture associated with the industrial network;
      
      derive firewall rules based on the tag configurations and zone architecture; and
      
      configure the virtual firewall of the device based on the derived firewall rules.

19. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- install a virtual firewall on a port of a device that communicates across a zone boundary within an industrial network;
  
  configure the virtual firewall based on operation of the industrial network; and
  
  communicate, by the port via the firewall, to a remote virtual firewall of a remote port of a remote device across the zone boundary.
- View Dependent Claims (20)
- - 20. The computer-readable media as in claim 19, wherein every port of every device that communicates across a zone boundary within the industrial network communicates via a respective virtual firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Thubert, Pascal, Yang, Xuechen, Klecka, III, Rudolph B., Wetterwald, Patrick, Levy-Abegnoli, Eric

Granted Patent

US 10,243,926 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 67/12   specially adapted for propr...

CONFIGURING FIREWALLS FOR AN INDUSTRIAL AUTOMATION NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

112 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONFIGURING FIREWALLS FOR AN INDUSTRIAL AUTOMATION NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links