Security network gateway units (e.g., firewalls) are installed at network boundaries in order to couple network areas of differing criticality in a controlled manner. The data traffic is filtered there, so that only permissible data traffic is let through. In industrial automation systems, for example a signal tower or a train controller in railway automation, a production hall in manufacturing automation, or a refinery or brewery in process automation, automation areas that are critical with regard to security are coupled to general networks (e.g., an office network). For this purpose, security gateways or firewalls are used and configured such that only authorized data traffic may pass through.
The data stream is filtered according to configurable filtering rules. A security network gateway unit may nevertheless operate incorrectly and let impermissible data packets through: owing to errors in the implementation of the gateway unit, owing to errors in its configuration (e.g., in the filtering rules), or because the gateway unit itself has been compromised by an attack directed at it.
Some of these shortcomings have been reduced by connecting a plurality of security network gateway units (e.g., a plurality of firewalls) in series; network gateway units from different manufacturers may be used, so that a single implementation error does not affect every stage. However, this has the disadvantage that delay and jitter are increased as a result of the longer processing time, so that the requirements of real-time communication may no longer be met.
In a security network gateway unit, the filtering rules must be continuously updated in order to provide protection, for example against new attacks (e.g., by viruses or worms). In some industrial automation environments, however, high demands are imposed on integrity, with the result that the security network gateway units and the filtering rules implemented in them must be authorized, and changing or updating the configuration of the security network gateway units, the filtering rules, or the antivirus software is not permissible. It must also be ensured that a security network gateway unit does not change the data stream to the automation network (e.g., that no additional data packets are fed into the automation network by the network gateway unit).
For example, application number DE 10 2011 007 387 discloses self-monitoring of a security network gateway unit. In that application, a check is carried out as to whether a corresponding incoming data packet has been received for each outgoing data packet, which makes it possible to ensure that a network gateway unit does not itself generate data packets in the event of a malfunction.
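The following is an added illustration of the two mechanisms discussed above, the rule-based filter and the egress self-check that refuses to emit any packet the gateway did not itself receive. It is example code written for this page, not the implementation of the cited application or of any product. The packet fields, the allowlist rules, the addresses and the payloads are constructed for the example (port 502 is Modbus/TCP and port 123 is NTP, but the specific hosts are invented); the choice to match incoming and outgoing packets by a SHA-256 fingerprint over header fields and payload, and to count duplicates, is an assumption of this example, not something the application states.

```python
"""Rule-based filter plus egress self-check (added example, not the patent's code).

The ingress side fingerprints every received packet before filtering; the egress
side forwards a packet only if an identical packet was received and not yet
forwarded. A packet the gateway generated, altered or replays is therefore blocked.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Allowlist rules as (src, dst, proto, dport); "*" is a wildcard; default deny.
# Hosts are constructed for this example.
RULES = [
    ("10.1.0.5", "192.168.50.10", "tcp", 502),  # one engineering PC may reach one PLC (Modbus/TCP)
    ("*", "192.168.50.20", "udp", 123),         # anyone may reach the cell's NTP server
]


def rule_matches(rule, pkt):
    fields = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
    return all(r == "*" or r == f for r, f in zip(rule, fields))


def permitted(pkt, rules=RULES):
    """Filter decision: a packet passes only if some allowlist rule matches it."""
    return any(rule_matches(r, pkt) for r in rules)


def fingerprint(pkt):
    """Assumed matching key: SHA-256 over the header fields and the full payload."""
    h = hashlib.sha256()
    h.update(f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.dport}|".encode())
    h.update(pkt.payload)
    return h.hexdigest()


class SelfMonitoringGateway:
    def __init__(self, rules=RULES):
        self.rules = rules
        self._received = Counter()  # fingerprint -> received but not yet forwarded
        self.alarms = []

    def receive(self, pkt):
        """Ingress side: record every received packet before any filtering."""
        self._received[fingerprint(pkt)] += 1

    def filter_stage(self, pkt):
        """Forwarding decision by the filtering rules (the part that may be buggy)."""
        return permitted(pkt, self.rules)

    def emit(self, pkt):
        """Egress self-check: forward only if an identical packet was received."""
        fp = fingerprint(pkt)
        if self._received[fp] == 0:
            self.alarms.append(("unmatched egress packet", pkt))
            return False
        self._received[fp] -= 1
        return True


def run_example():
    """Constructed traffic exercising the normal path and three egress fault cases."""
    gw = SelfMonitoringGateway()
    results = {}

    allowed = Packet("10.1.0.5", "192.168.50.10", "tcp", 502,
                     b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")  # Modbus read request
    denied = Packet("10.1.0.99", "192.168.50.10", "tcp", 502,
                    b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01")  # write from unknown host
    for pkt in (allowed, denied):
        gw.receive(pkt)
    results["allowed_forwarded"] = gw.filter_stage(allowed) and gw.emit(allowed)
    results["denied_dropped"] = not gw.filter_stage(denied)

    # Fault 1: a packet the gateway never received (e.g., generated by compromised software).
    injected = Packet("192.168.50.10", "192.168.50.11", "tcp", 502, b"\x00\x03\x00\x00\x00\x02\x01\x2b")
    results["injected_blocked"] = not gw.emit(injected)
    # Fault 2: a received packet whose payload was altered inside the gateway.
    tampered = Packet(allowed.src, allowed.dst, allowed.proto, allowed.dport,
                      allowed.payload[:-1] + b"\x0b")
    results["tampered_blocked"] = not gw.emit(tampered)
    # Fault 3: forwarding the same received packet a second time.
    results["duplicate_blocked"] = not gw.emit(allowed)

    # Limit of the check: a received packet wrongly passed by a faulty filter is
    # indistinguishable from a correctly forwarded one, so the egress check lets it through.
    results["filter_bypass_not_detected"] = gw.emit(denied)
    results["alarm_count"] = len(gw.alarms)
    return results


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The last case in `run_example` shows why the self-check complements rather than replaces the filter: it guarantees that the gateway adds nothing of its own to the data stream, but it cannot detect a filtering rule that wrongly admits a packet that really was received. A deployable version would also need to age out entries in `_received` for packets that were legitimately dropped, otherwise the table grows without bound.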