EP 1 024 636 B1 describes a method for configuring a safety device in a communication device, in which the communication device can be connected via a network connection unit to a local network having a plurality of communication units. The communication units and the network connection unit are each assigned a first address identifying the respective unit and a second address identifying the respective unit and the local network thereof. For the determination of the first addresses of the communication units by the network connection unit, in each case, a request message is sent to all the addressable units which are determined in the local network using the second address of the network connection unit. Within the scope of the request message, a communication unit is addressed by its second address.
In cases wherein a communication unit transmits back a confirmation message to the network connection unit owing to a received request message, the first address of the communication unit, which is also transmitted in this context, is stored in the safety device, with an assignment to the respective communication unit.
DE 101 46 397 B4 discloses a method for configuring a firewall or a router, wherein a first computer or a first computer network is connected via the firewall or the router to a second computer network. The router or the firewall is configured such that a computer communication between a computer of the second computer network and the first computer or a predefined computer of the first computer network is made possible. In this context, a prefabricated request form, which is assigned to the respective computer communication, is filled in. The request form is based on a technical risk analysis that has been produced once and is assigned to the respective computer communication. Furthermore, the filled-in request form is converted into a code which is suitable for the configuration of the firewall or of the router. The firewall or the router is automatically configured as a function of the code.
EP 2 400 708 B1 discloses a network protection device for controlling the communication between an external data processing device outside an automation network and an automation device in the automation network. An automation protocol is provided for communication with the automation device. Protocol rules are stored in the network protection device. These protocol rules comprise prescriptions that make a decision about passing on or not passing on a protocol message of the automation protocol dependent on the content of the protocol message. The network protection device is configured to make a decision about passing on or not passing on an incoming protocol message of the automation protocol in accordance with the prescriptions of the protocol rules. Furthermore, the protocol rules stored in the network protection device comprise prescriptions that make a decision whether to pass on or not to pass on the protocol message based on an operating state of one or more elements of the automation network or one or more devices connected to the automation network.
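The following is an added illustration of the protocol-rule concept described in this paragraph; it is not code from EP 2 400 708 B1 or from any product. The message fields, the function codes ("read", "write", "firmware-update") and the operating-state names ("running", "maintenance", "stopped") are constructed for the example. Each prescription inspects the content of a protocol message and, where relevant, the operating state of the addressed automation device, and the network protection device does not pass on a message for which no prescription gives a verdict.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ProtocolMessage:
    """One message of a hypothetical automation protocol (field names are assumptions)."""
    source: str      # address of the external data processing device
    target: str      # address of the automation device inside the automation network
    function: str    # function code carried in the message, e.g. "read", "write"
    register: int    # register or variable the function acts on


# A prescription looks at the message and the known operating states and returns
# True (pass on), False (do not pass on) or None (no opinion on this message).
Prescription = Callable[[ProtocolMessage, Dict[str, str]], Optional[bool]]


def reads_always_pass(msg: ProtocolMessage, states: Dict[str, str]) -> Optional[bool]:
    # Purely content-dependent prescription: read requests are always passed on.
    return True if msg.function == "read" else None


def writes_only_in_maintenance(msg: ProtocolMessage, states: Dict[str, str]) -> Optional[bool]:
    # Content combined with operating state: writes reach the device only while it
    # is in the "maintenance" state; in any other state they are not passed on.
    if msg.function != "write":
        return None
    return states.get(msg.target) == "maintenance"


def firmware_update_only_when_stopped(msg: ProtocolMessage, states: Dict[str, str]) -> Optional[bool]:
    # A firmware update is passed on only to a device that is currently stopped.
    if msg.function != "firmware-update":
        return None
    return states.get(msg.target) == "stopped"


class NetworkProtectionDevice:
    """Stand-in for the network protection device: ordered prescriptions plus a table
    of operating states reported by the automation network (constructed here)."""

    def __init__(self, rules: List[Prescription]):
        self.rules = list(rules)
        self.states: Dict[str, str] = {}   # operating state per automation device

    def set_operating_state(self, device: str, state: str) -> None:
        self.states[device] = state

    def decide(self, msg: ProtocolMessage) -> bool:
        """The first prescription with an opinion decides; with none, the message is not passed on."""
        for rule in self.rules:
            verdict = rule(msg, self.states)
            if verdict is not None:
                return verdict
        return False


def run_state_scenario() -> Dict[str, bool]:
    """Constructed scenario: the same write request is filtered differently depending
    on the operating state of the target device 'plc-1'."""
    npd = NetworkProtectionDevice([reads_always_pass, writes_only_in_maintenance,
                                   firmware_update_only_when_stopped])
    write = ProtocolMessage("ext-host", "plc-1", "write", 100)
    results = {}
    npd.set_operating_state("plc-1", "running")
    results["read_while_running"] = npd.decide(ProtocolMessage("ext-host", "plc-1", "read", 100))
    results["write_while_running"] = npd.decide(write)
    npd.set_operating_state("plc-1", "maintenance")
    results["write_in_maintenance"] = npd.decide(write)
    results["update_in_maintenance"] = npd.decide(ProtocolMessage("ext-host", "plc-1", "firmware-update", 0))
    results["unknown_function"] = npd.decide(ProtocolMessage("ext-host", "plc-1", "diagnostic-dump", 0))
    return results


if __name__ == "__main__":
    for name, passed in run_state_scenario().items():
        print(f"{name}: {'pass on' if passed else 'do not pass on'}")
```

The default of "do not pass on" when no prescription matches is the design choice that matters for a protection device placed in front of automation equipment: an unlisted function code is never forwarded merely because nobody wrote a rule for it.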
When there are dynamically changing communication network addresses, previous approaches for the configuration of firewalls are of limited practical value since they basically require static communication network addresses to which firewall filter rules relate. This problem will increase even further with IPv6 since communication devices with IPv6 can generate their communication network addresses independently and in a decentralized fashion.
In one aspect, the present application provides a method for the efficient updating of message filter rules of a network access control unit in the case of communication network addresses that are dynamically changing or assigned in a decentralized fashion, and suitable technical ways of implementing the method.
In one embodiment of updating message filter rules of a network access control unit of an industrial communication network, a first communication device (to which at least one address-based message filter rule is assigned) is registered with its communication network address and a device description in an address management unit when activation occurs. In this context, the device description comprises at least one function indication or topology indication. Address-based message filter rules are applied by the network access control unit. The network access control unit can be, for example, a firewall for data frames or data packets. When the first communication device is replaced by a second communication device, the second communication device is registered in the address management unit. In this context, a communication network address and a device description of the second communication device are acquired.
During the registration of the second communication device, the address management unit of the present application checks whether a communication device with an identical device description is already registered. In the event of a positive check result, the address management unit transmits a change message relating to the registration of the second communication device, which has an identical device description to that of the first communication device, to the network access control unit or to a converter unit. In this context, the change message comprises at least the communication network address and the device description of the second communication device.
When the change message is received, the communication network address of the first communication device is replaced by the communication network address of the second communication device in the at least one address-based message filter rule. In this way, message filter rules can be adapted quickly and reliably to communication network addresses that change dynamically or are assigned in a decentralized way. In addition, existing firewalls can continue to be used. Only functionalities of the address management unit and of the converter unit are replaced.
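The registration and replacement procedure described in the three preceding paragraphs, as an added worked example; this is not code from the application and does not claim to reflect any product's implementation. The device description is modelled as a function indication plus a topology indication, the filter rules are exact-match source/destination rules, and the IPv6 addresses are constructed. One assumption goes beyond the text: the change message here also carries the superseded address, so that the converter unit can find the rules to rewrite without keeping its own description-to-address table (the application requires at least the new address and the device description).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeviceDescription:
    """Function indication and topology indication of a device (field names are assumptions)."""
    function: str    # e.g. "drive-controller"
    topology: str    # e.g. "cell-3/slot-7"


@dataclass
class FilterRule:
    """Address-based message filter rule of the network access control unit."""
    src: str
    dst: str
    action: str      # "accept" or "drop"


@dataclass(frozen=True)
class ChangeMessage:
    """Change message from the address management unit. The superseded address is an
    addition of this example; the application requires the new address and description."""
    new_address: str
    description: DeviceDescription
    old_address: str


class NetworkAccessControlUnit:
    """Minimal stand-in for a firewall: first exact match on (src, dst) decides."""

    def __init__(self, rules: List[FilterRule]):
        self.rules = list(rules)

    def decide(self, src: str, dst: str) -> str:
        for rule in self.rules:
            if rule.src == src and rule.dst == dst:
                return rule.action
        return "drop"   # default deny when no rule matches


class ConverterUnit:
    """Rewrites the address in every rule that still refers to the replaced device."""

    def __init__(self, nacu: NetworkAccessControlUnit):
        self.nacu = nacu

    def apply(self, msg: ChangeMessage) -> int:
        changed = 0
        for rule in self.nacu.rules:
            if rule.src == msg.old_address:
                rule.src = msg.new_address
                changed += 1
            if rule.dst == msg.old_address:
                rule.dst = msg.new_address
                changed += 1
        return changed


class AddressManagementUnit:
    """Keeps the registry of activated devices, keyed by their device description."""

    def __init__(self, converter: ConverterUnit):
        self.converter = converter
        self.registry: Dict[DeviceDescription, str] = {}   # description -> current address

    def register(self, address: str, description: DeviceDescription) -> Optional[ChangeMessage]:
        """Register a device on activation. If a device with an identical description is
        already registered under a different address, emit a change message and have
        the converter unit update the filter rules; otherwise nothing changes."""
        previous = self.registry.get(description)
        self.registry[description] = address
        if previous is None or previous == address:
            return None     # first registration, or re-activation of the same device
        msg = ChangeMessage(new_address=address, description=description, old_address=previous)
        self.converter.apply(msg)
        return msg


def run_replacement_scenario() -> dict:
    """Constructed scenario: the drive controller at fd00::10 fails and a spare with the
    same function and slot autoconfigures fd00::2a; the rule that let the controller
    reach the supervisory host fd00::1 must follow it."""
    nacu = NetworkAccessControlUnit([FilterRule("fd00::10", "fd00::1", "accept")])
    amu = AddressManagementUnit(ConverterUnit(nacu))
    drive = DeviceDescription("drive-controller", "cell-3/slot-7")
    first = amu.register("fd00::10", drive)      # initial activation: no change message
    second = amu.register("fd00::2a", drive)     # replacement: change message, rule rewritten
    return {
        "first_change": first,
        "second_change": second,
        "new_device_allowed": nacu.decide("fd00::2a", "fd00::1"),
        "old_address_allowed": nacu.decide("fd00::10", "fd00::1"),
    }


if __name__ == "__main__":
    print(run_replacement_scenario())
```

The scenario shows the property the method is after: the firewall itself never learns about device descriptions and keeps working on plain addresses, while the address that no longer belongs to the replaced device stops matching any rule as soon as the change message has been applied.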
An industrial communication network usually serves in an industrial automation system to link a multiplicity of industrial automation devices to one another. The industrial automation devices are provided within the scope of fabrication automation or process automation to perform open-loop or closed-loop control of systems, machines and devices. Due to time-critical peripheral conditions in technical systems that are automated by industrial automation devices, real-time communication protocols such as PROFINET, PROFIBUS or Real-Time Ethernet are typically used in industrial communication networks for communicating between automation devices. Accordingly, efficient application and updating of message filter rules in network access control units such as firewalls is required.