Firewall method and apparatus for industrial systems
Abstract
The invention includes a method including the steps of specifying access control information for resources, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to a first protocol destination resource, examining embedded packet information to identify at least one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and restricting transmission of the first protocol packet as a function of the identified access control information.
Citations: 30
Claims (67)
1. A method for use with a system including networked resources linked via a network where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier identifying a source resource, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between the resources includes first protocol packets including second protocol packets embedded in the first protocol data field, packet transmitting and receiving resources being source and destination resources, respectively, the method for controlling communication between the resources and comprising the steps of:
specifying access control information for at least a subset of the resources;
for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field:
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of embedded second protocol packet information to identify the second protocol destination resource;
(iii) identifying the access control information associated with the second protocol destination resource;
(iv) identifying at least a subset of characteristics of the first protocol packet, the subset of characteristics of the first protocol packet being first protocol packet characteristics;
(v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and
(vi) restricting transmission of the first protocol packet as a function of the comparison results.
Dependent claims: 2 to 22.
23. A method for use with a system including networked resources linked via a network where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier identifying a source resource, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between the resources includes first protocol packets including second protocol packets embedded in the first protocol data field, packet transmitting and receiving resources being source and destination resources, respectively, wherein at least one protocol packet generated by a first protocol packet source requires a response from at least one second protocol destination resource including specific identifying information, the method for controlling communication between the resources and comprising the steps of:
specifying access control information for at least a subset of the resources;
for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field:
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of embedded second protocol packet information to identify the second protocol destination resource;
(iii) identifying the access control information associated with the second protocol destination resource;
(iv) identifying at least a subset of characteristics of the first protocol packet, the subset of characteristics of the first protocol packet being first protocol packet characteristics;
(v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and
(vi) restricting transmission of the first protocol packet as a function of the comparison results, the step of restricting including, when a first protocol packet source is not authorized to access the second protocol destination resource, encapsulating the specific identifying information in a response packet and transmitting the response packet to the first protocol packet source;
wherein the at least one protocol packet generated by the first protocol packet source includes a target-originator (T-O) ID and wherein the specific identifying information includes the T-O ID.
24. A method for use with a system including networked resources linked via a network where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data field, packet senders and intended recipients being source and destination resources, respectively, the method for controlling communication between the resources and comprising the steps of:
specifying access control information for at least a subset of the resources;
for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field:
(i) intercepting the first protocol packet prior to a second protocol destination resource;
(ii) examining at least a subset of embedded second protocol packet information to identify the second protocol destination resource;
(iii) examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource;
(iv) identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource;
(v) identifying at least a subset of characteristics of the first protocol packet, the subset of characteristics of the first protocol packet being first protocol packet characteristics;
(vi) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource; and
(vii) restricting transmission of the first protocol packet as a function of the comparison results.
Dependent claims: 25, 26, 27.
28. A method for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specifying the at least one object and at least one service related to the target device, the method comprising the steps of:
providing an access control database that correlates the source device with target devices, objects and services where correlated target devices include devices that the source can access and correlated services include services that the source can initiate at a correlated object;
receiving at least one communication transmitted from a source device to the target device;
decapsulating the communications to identify the target device and the related at least one object and the at least one service;
comparing the identified target device, the related at least one object and the at least one service with the target device, object and service information in the access control database; and
selectively transmitting the at least one communication to the target device as a function of the comparison.
Dependent claims: 29.
30. A method for controlling communications between a source device and a target device including at least one object, the method comprising the steps of:
providing an access control database that correlates the source device with target devices and objects, where the correlated target devices include devices that the source can access for at least one purpose;
providing a firewall between the source device and the target device;
intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source device and the target device;
using the access control database to determine if the source device may access the target device and the at least one object;
comparing the target device, the at least one object, and at least one service with target device information, object information, and service information in the access control database; and
transmitting the connection open packet toward the target device when the source device may access the target device.
31. A method for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack including stack communications, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the method comprising the steps of:
providing an access control database useable to identify unauthorized communications on the system;
providing a firewall linked to the system;
transmitting an original communication packet from the source device that targets the target device;
via the firewall, intercepting the original communication packet;
using the access control database to identify that the original communication packet is associated with an unauthorized communication;
where the original communication packet is associated with the unauthorized communication, encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device;
transmitting the spoof response packet to the source device;
accepting the spoof response packet as a legitimate response packet from the target device; and
moving on to process a next communication in the communication stack.
Dependent claims: 32, 33, 34, 35.
36. A method for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack including stack communications, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the method comprising the steps of:
providing a firewall linked to the system;
transmitting an original communication packet from the source device that targets the target device;
via the firewall, intercepting the original communication packet;
encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device;
transmitting the spoof response packet to the source device;
accepting the spoof response packet as a legitimate response packet from the target device; and
moving on to process a next communication in the communication stack;
wherein the step of encapsulating further includes generating at least some bogus information to instantiate at least a subset of the response packet information and instantiating at least portions of the response packet with the bogus information.
37. A method for use with a system including networked resources linked via a network where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, a second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between the resources includes first protocol packets including additional packets embedded in the first protocol data field, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at least one of the additional embedded packets being a second protocol packet, the method for controlling communication between the resources and comprising the steps of:
specifying access control information for at least a subset of the resources;
for each first protocol packet transmitted on the network that includes additional embedded packets:
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of additional embedded packet information to identify at least one of the intermediate path resource and the final destination resource;
(iii) identifying the access control information associated with the identified at least one of the intermediate path resource and the final destination resource;
(iv) identifying at least a subset of characteristics of the first protocol packet, the subset of characteristics of the first protocol packet being first protocol packet characteristics;
(v) comparing the first protocol packet characteristics to the identified access control information; and
(vi) restricting transmission as a function of the comparison.
Dependent claims: 38, 39, 40, 41, 42.
43. An apparatus for use with a system including networked resources linked via a network where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier identifying a source resource, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between the resources includes first protocol packets including second protocol packets embedded in the first protocol data field, packet transmitting and receiving resources being source and destination resources, respectively, the apparatus for controlling communication between the resources and comprising:
a database specifying access control information for at least a subset of the resources;
a firewall linked to the network, the firewall, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field:
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of embedded second protocol packet information to identify the second protocol destination resource;
(iii) identifying the access control information associated with the second protocol destination resource;
(iv) identifying at least a subset of characteristics of the first protocol packet, the subset of characteristics of the first protocol packet being first protocol packet characteristics;
(v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource; and
(vi) restricting transmission of the first protocol packet as a function of the comparison results.
Dependent claims: 44 to 56.
57. An apparatus for use with a system including networked resources linked via a network where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between the resources includes first protocol packets including second protocol packets embedded in the first protocol data field, packet senders and intended recipients being source and destination resources, respectively, the apparatus for controlling communication between the resources and comprising:
a database specifying access control information for at least a subset of the resources;
a firewall, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field, the firewall performing the steps of:
(i) intercepting the first protocol packet prior to a second protocol destination resource;
(ii) examining at least a subset of embedded second protocol packet information to identify the second protocol destination resource;
(iii) examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource;
(iv) identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource;
(v) identifying at least a subset of characteristics of the first protocol packet, the subset of characteristics of the first protocol packet being first protocol packet characteristics;
(vi) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource; and
(vii) restricting transmission of the first protocol packet as a function of the comparison results.
Dependent claims: 58.
59. An apparatus for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specifying the at least one object and at least one service related to the target device, the apparatus comprising:
an access control database that correlates the source device with target devices, objects and services where correlated target devices include devices that the source can access and correlated services include services that the source device can initiate at a correlated object;
a firewall programmed to perform the steps of:
receiving at least one communication transmitted from the source to the target device;
decapsulating the communications to identify the target device and the related at least one object and the at least one service;
comparing the identified target device, the related at least one object and at least one service with the target device, object and service information in the access control database; and
selectively transmitting the at least one communication to the target device as a function of the comparison.
Dependent claims: 60, 61.
62. An apparatus for controlling communications between a source device and a target device including at least one object, the apparatus comprising:
an access control database that correlates the source device with target devices and objects, where the correlated target devices include devices that the source can access for at least one purpose;
a firewall programmed to perform the steps of:
providing the firewall between the source device and the target device;
intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source device and the target device;
using the access control database to determine if the source device may access the target device and the at least one object;
comparing the target device, the at least one object, and at least one service with target device information, object information, and service information in the access control database; and
transmitting the connection open packet toward the target device when the source device may access the target device.
63. An apparatus for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack including stack communications, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the apparatus comprising:
an access control database useable to identify unauthorized communications on the system;
a firewall linked to the system, the firewall programmed to perform the steps of:
intercepting an original communication packet;
using the access control database to identify that the original communication packet is associated with an unauthorized communication;
where the original communication packet is associated with the unauthorized communication, encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device; and
transmitting the spoof response packet to the source device.
64. An apparatus for use with a system including networked resources linked via a network where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between the resources includes first protocol packets including additional packets embedded in the first protocol data field, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at least one of the additional embedded packets being a second protocol packet, the apparatus for controlling communication between the resources and comprising:
a database including access control information for at least a subset of the resources;
a firewall programmed to perform the steps of, for each first protocol packet transmitted on the network that includes additional embedded packets:
(i) intercepting the first protocol packet prior to the first protocol destination resource;
(ii) examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource;
(iii) identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource;
(iv) identifying at least a subset of characteristics of the first protocol packet, the subset of characteristics of the first protocol packet being first protocol packet characteristics;
(v) comparing the first protocol packet characteristics to the identified access control information; and
(vi) restricting transmission as a function of the comparison.
Dependent claims: 65, 66, 67.
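The independent claims above describe one mechanism in several variants: a firewall in front of the first-protocol destination (the bridge) decapsulates each outer packet, walks the embedded packets to find the intermediate path resources and the final destination with its object and service, compares the outer packet's characteristics (the source, in the simplest case) with the access control information for each of those resources, and either forwards the packet or, when access is denied, returns a spoofed response carrying the T-O ID so the source's sequential communication stack moves on instead of waiting for a timeout. The following Python model is an added example written for this page; it is not code from the patent or from any product that implements it. The packet layout, the resource names (bridge1, plc7, hmi1, eng1, ops2), the access control table, the default-deny rule for unknown resources and the spoofed status value are constructed assumptions for illustration, not the EtherNet/IP or CIP wire encodings.

```python
"""Model of the decapsulating industrial firewall described in the claims.

Constructed example: the outer/embedded packet layout, the access control
table and the spoofed status are illustrative assumptions, not the
EtherNet/IP or CIP wire encodings."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Embedded:
    """A second-protocol packet carried in the outer data field. Intermediate
    path segments name only a device; the final segment also names the object
    and the service requested on it."""
    device: str
    obj: Optional[str] = None
    service: Optional[str] = None


@dataclass
class OuterPacket:
    src: str                                   # first-protocol source identifier
    dst: str                                   # first-protocol destination (the bridge)
    t_o_id: int                                # target-to-originator ID the source waits on
    data: list = field(default_factory=list)   # embedded segments, in route order


# Access control information keyed by resource (constructed table).
# (object, service) -> sources allowed to invoke that service on a final
# destination; ("*", "*") -> sources allowed to traverse a path resource.
ACL = {
    "bridge1": {("*", "*"): {"hmi1", "eng1"}},
    "plc7": {("assembly", "read"): {"hmi1", "eng1"},
             ("assembly", "write"): {"eng1"}},
}


@dataclass
class Verdict:
    forward: bool
    reason: str
    response: Optional[dict] = None   # spoof response sent to the source on deny


def allowed(src: str, device: str, obj: str = "*", service: str = "*") -> bool:
    """Compare one outer-packet characteristic (the source) with the access
    control information of one resource. Unknown resources are denied
    (an assumption of this example, not a requirement of the claims)."""
    rules = ACL.get(device)
    if rules is None:
        return False
    return src in rules.get((obj, service), rules.get(("*", "*"), set()))


def spoof_response(pkt: OuterPacket, device: str) -> dict:
    """Build a reply of the form the source's stack accepts so it moves on to
    its next communication instead of blocking until a timeout. It carries
    the T-O ID the source is waiting on; the rest is bogus content."""
    return {"from": device, "to": pkt.src, "t_o_id": pkt.t_o_id,
            "status": "error", "detail": "bogus reply: access denied"}


def inspect(pkt: OuterPacket) -> Verdict:
    """Intercept the outer packet before its destination, examine every
    embedded segment, and check the source against the access control
    information of each intermediate path resource and the final destination."""
    if not pkt.data:
        return Verdict(False, "no embedded packet")
    *path, final = pkt.data
    for seg in path:
        if not allowed(pkt.src, seg.device):
            return Verdict(False, f"path resource {seg.device} denied",
                           spoof_response(pkt, seg.device))
    if final.obj is None or final.service is None:
        return Verdict(False, "final segment lacks object/service")
    if not allowed(pkt.src, final.device, final.obj, final.service):
        return Verdict(False, f"{final.service} on {final.device}/{final.obj} denied",
                       spoof_response(pkt, final.device))
    return Verdict(True, "authorized")


def run_source_stack(requests):
    """Model the source's sequential communication stack: each request waits
    for a reply carrying its T-O ID before the next one is sent. Returns the
    packets the firewall forwarded and the replies the source consumed."""
    forwarded, replies = [], []
    for pkt in requests:
        verdict = inspect(pkt)
        if verdict.forward:
            forwarded.append(pkt)
            replies.append({"t_o_id": pkt.t_o_id, "status": "ok"})  # constructed real reply
        else:
            # A None reply here would leave the source blocked until its timeout.
            replies.append(verdict.response)
    return forwarded, replies


if __name__ == "__main__":
    route = [Embedded("bridge1")]
    reqs = [OuterPacket("hmi1", "bridge1", 41, route + [Embedded("plc7", "assembly", "read")]),
            OuterPacket("hmi1", "bridge1", 42, route + [Embedded("plc7", "assembly", "write")]),
            OuterPacket("ops2", "bridge1", 43, route + [Embedded("plc7", "assembly", "read")])]
    for pkt in reqs:
        print(pkt.src, pkt.t_o_id, inspect(pkt))
```

Two points a practitioner should take from the model. First, the check is per resource along the route (claims 24, 37 and 64): a source that may reach the bridge is still checked against the final device, its object and the service, and a source barred from the bridge is stopped there without the final segment being consulted. Second, because the spoofed reply deliberately looks like a legitimate response from the target (claims 23, 31 and 36), the source cannot tell a denial from a device error, so the firewall itself has to be the place where denials are logged.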
Specification