US2014259099A1PendingUtilityA1

Firewall method and apparatus for industrial systems

55
Assignee: BRANDT DAVID DPriority: Jan 6, 2005Filed: May 23, 2014Published: Sep 11, 2014
Est. expiryJan 6, 2025(expired)· nominal 20-yr term from priority
H04L 69/163H04L 69/16H04L 63/10H04L 63/0263H04L 63/02H04L 63/0245H04L 69/166H04L 63/0428H04L 63/102
55
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and apparatus for controlling access in an electronic network include receiving a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet; retrieving at least one access rule based on at least one characteristic of the second protocol packet; applying the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and controlling access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for controlling access in an electronic network, comprising:
 receiving a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet;   retrieving at least one access rule based on at least one characteristic of the second protocol packet;   applying the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and   controlling access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome.   
     
     
         2 . The method of  claim 1 , wherein retrieving at least one access rule comprises accessing the at least one access rule from an external access control database. 
     
     
         3 . The method of  claim 1 , wherein controlling access of the communication further comprises restricting access a second protocol destination resource when the access rule outcome indicates that the second protocol destination resource is within a control configuration. 
     
     
         4 . The method of  claim 1 , wherein the at least one access rule comprises at least one zone designation. 
     
     
         5 . The method of  claim 4 , wherein controlling access of the communication to the first protocol destination resource further comprises restricting access when the access rule outcome indicates that the source device is outside the at least one zone designation. 
     
     
         6 . The method of  claim 4 , wherein controlling access of the communication to the first protocol destination resource further comprises restricting access when the access rule outcome indicates that the source device is inside the at least one zone designation. 
     
     
         7 . The method of  claim 1 , wherein the at least one access rule is configured via at least one central administrator interface. 
     
     
         8 . The method of  claim 7 , further comprising receiving the at least one access rule via the at least one central administrator interface. 
     
     
         9 . The method of  claim 1 , wherein the at least one access rule specifies communication sources authorized to communicate with a second protocol destination resource specified in the second protocol packet and communication sources not authorized to communicate with the second protocol destination resource. 
     
     
         10 . The method of  claim 9 , further comprising generating a warning signal when the access rule outcome indicates that at least one of the communication sources is not authorized to communicate with the second protocol destination resource. 
     
     
         11 . The method of  claim 10 , further comprising transmitting the warning signal to a configuration server. 
     
     
         12 . The method of  claim 1 , wherein the first protocol packet is configured in accordance with an IP protocol. 
     
     
         13 . The method of  claim 1 , wherein the at least one characteristic of at least one of the first protocol packet and the second protocol packet comprises a source identifier associated with the source device. 
     
     
         14 . The method of  claim 13 , wherein the source identifier comprises an IP address. 
     
     
         15 . The method of  claim 13 , wherein the source identifier comprises an Ethernet address. 
     
     
         16 . The method of  claim 1 , wherein the second protocol packet is configured according to a common industrial protocol. 
     
     
         17 . The method of  claim 1 , wherein the second protocol packet is configured according to a Data Highway Plus protocol. 
     
     
         18 . The method of  claim 1 , wherein the first protocol packet is configured in accordance with an Ethernet/IP protocol. 
     
     
         19 . The method of  claim 1 , wherein the at least one characteristic of the second protocol packet is at least one of a command, a service, an object, and an address filter. 
     
     
         20 . The method of  claim 1 , wherein controlling access of the communication to the first protocol destination resource further comprises halting transmission of the first protocol packet when the access rule outcome indicates an unauthorized access attempt. 
     
     
         21 . The method of  claim 1 , wherein the second protocol packet specifies a path through a plurality of path resources, and wherein the at least one access rule includes access control information associated with at least one of the path resources. 
     
     
         22 . The method of  claim 1 , wherein the second protocol packet specifies a path through a plurality of path resources, and wherein the at least one access rule includes access control information associated with each of the path resources. 
     
     
         23 . An apparatus for controlling access in an electronic network, comprising:
 a memory;   a processor disposed in communication with the memory and configured to issue processing instructions stored in the memory to:   receive a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet;   retrieve at least one access rule based on at least one characteristic of the second protocol packet;   apply the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and   control access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome.   
     
     
         24 . The apparatus of  claim 23 , wherein the apparatus is programmable to retrieve at least one access rule from an external access control database. 
     
     
         25 . The apparatus of  claim 23 , wherein the apparatus is programmable to restrict access to a second protocol destination resource when the access rule outcome indicates that the second protocol destination resource is within a control configuration. 
     
     
         26 . The apparatus of  claim 23 , wherein the apparatus is programmable to connect to a central administrator interface, wherein the central administrator interface is programmable to create the at least one access rule. 
     
     
         27 . A non-transitory processor-accessible medium storing processor-issuable instructions to:
 receive a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet;   retrieve at least one access rule based on at least one characteristic of the second protocol packet;   apply the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and   control access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome.   
     
     
         28 . A method for restricting transmission of a protocol packet between a source device and a destination device linked on a network, the method comprising:
 intercepting a first protocol packet having a second protocol packet embedded within the first protocol packet, wherein the second protocol packet includes a destination identifier that identifies a destination device for the second protocol packet;   examining at least a portion of the embedded second protocol packet to identify the destination device;   identifying access control information associated with the destination device;   identifying a first protocol packet characteristic;   comparing the first protocol packet characteristic to the access control information associated with the destination device; and   restricting transmission of the first protocol packet as a function of the access control information and the first protocol packet characteristic.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.