CN116155576A - A method, device, industrial firewall and medium for industrial firewall protection - Google Patents
- Publication number: CN116155576A (application CN202310052420.3A)
- Authority: CN (China)
- Prior art keywords
- request information
- target data
- address
- historical
- preset
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present application relates to a method, a device, an industrial firewall and a medium for industrial firewall protection, and belongs to the field of industrial firewalls. The method includes: when request information is received, judging whether the request information exists in a preset access control list; if it does not exist, determining the importance level of the request information; based on the importance level, judging whether the request information is allowed to obtain target data, the target data being the data that the request information needs to obtain; and adding the request information and the corresponding judgment result to the preset access control list. The present application enables the industrial firewall to add request information automatically.
Description
Technical field
The present application relates to the field of industrial firewalls, and in particular to a method, a device, an industrial firewall and a medium for industrial firewall protection.
Background
An industrial firewall is a product that separates other networks from an industrial control network, so that other networks can enter the industrial control network only after obtaining access permission, thereby protecting the industrial control network.
At present, devices in other networks obtain the data they need by sending request information to devices in the industrial control network. Because some of the many pieces of request information may carry attacks on the public network, the industrial firewall needs to check the request information. When checking it, the industrial firewall usually matches the request information against the request information in an access control list (ACL). When the match fails, that is, when the request information does not exist in the ACL, the access status of the request information is determined as deny (Cisco ACL) or allow (Huawei ACL). For example, in a Huawei ACL, if the request information should be in the deny state, security personnel must manually add the request information to the access control list and mark it as denied, so as to prevent that request information from subsequently entering the industrial control network and attacking it, or from entering other networks and causing information leakage. That is, current industrial firewalls cannot automatically add request information that is not in the access control list.
Summary of the invention
In order to enable an industrial firewall to automatically add request information that is not in an access control list, the present application provides a method, a device, an industrial firewall and a medium for industrial firewall protection.
In a first aspect, the present application provides a method for industrial firewall protection, which adopts the following technical solution:
A method for industrial firewall protection, comprising:
when request information is received, judging whether the request information exists in a preset access control list;
if it does not exist, determining the importance level of the request information;
based on the importance level, judging whether the request information is allowed to obtain target data, the target data being the data that the request information needs to obtain; and
adding the request information and the corresponding judgment result to the preset access control list.
By adopting the above technical solution: when request information is received, the industrial firewall needs to judge whether the request information may pass. The preset access control list is a permission list set in advance, which includes multiple pieces of request information that may pass through the industrial firewall and multiple pieces that may not. Judging whether the request information exists in the preset access control list therefore establishes whether the industrial firewall can recognize the request information: if it exists in the list, the industrial firewall can tell whether the request information may pass; if it does not, the industrial firewall cannot, so the importance level of the request information is determined and, according to the importance level, it is judged whether the request information is allowed to obtain the target data, the target data being the data that the request information needs to obtain. The request information and the corresponding judgment result can then be added to the preset access control list, so that when the same request information is received again, the industrial firewall can determine from the preset access control list whether it may pass. The industrial firewall is thus able to add request information automatically.
In another possible implementation manner, the request information includes a destination IP address and a destination port number, and determining the importance level of the request information includes:
determining the post-level information of the user who uses the destination IP address;
determining the address level of the destination IP address based on the post-level information;
determining the process information of the destination port number on the device corresponding to the destination IP address, the process information corresponding to a preset port level; and
summing the address level and the preset port level to obtain the importance level of the request information.
By adopting the above technical solution: the request information includes a destination IP address and a destination port number. The destination IP address identifies the device whose information the target data of the current request belongs to; each port number has corresponding process information, and the destination port number identifies the target data as the data of the process corresponding to that port. The post-level information of the user who uses the destination IP address in the request information is determined, so that the address level of the destination IP address can be derived from the post-level information; the process information of the destination port number on the device corresponding to the destination IP address is determined, the process information corresponding to a preset port level; and the address level and the preset port level are then summed to obtain the importance level of the request information.
In another possible implementation manner, the request information includes a source IP address, and judging, based on the importance level, whether the request information is allowed to obtain the target data includes:
judging whether the source IP address exists in the preset access control list;
if it exists, determining the historical request information corresponding to the source IP address and the historical importance level corresponding to the historical request information, the historical request information being the request information corresponding to the source IP address in the preset access control list;
determining the historical request information corresponding to the highest historical importance level as the target historical request information;
if the highest historical importance level is not less than the importance level, and the target historical request information is allowed to obtain target historical target data, determining that the request information is allowed to obtain the target data, the target historical target data being the target data that the target historical request information needs to obtain; and
if the highest historical importance level is less than the importance level, and the target historical request information is allowed to obtain the target historical target data, determining that the request information is denied from obtaining the target data.
By adopting the above technical solution: the request information includes a source IP address, and whether the source IP address exists in the preset access control list is judged in order to establish whether the device with that source IP address has request information in the history. If it exists, there is request information in the history that includes the source IP address, so the historical request information corresponding to the source IP address and its historical importance level can be determined, and the historical importance level and the importance level can then be used to judge whether the request information is allowed to access the target process. The higher the importance level of a piece of request information, the more important the data it can obtain. Because the source IP address may have more than one piece of historical request information in the preset access control list, the historical request information with the highest historical importance level is taken as the target historical request information. When the highest historical importance level is not less than the importance level and the target historical request information was allowed to obtain its target historical target data, the source IP address has in the past been allowed to obtain target data of greater importance than the current one, so the request information is determined to be allowed to obtain the target data. When the highest historical importance level is less than the importance level and the target historical request information was allowed to obtain its target historical target data, the source IP address has only ever obtained data of lower importance during its historical accesses, while the current request information has a higher importance level, so the request information is determined to be denied from obtaining the target data. In this way, whether the request information is allowed to obtain the target data is judged according to the importance level.
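The ACL lookup, importance-level computation and history-based judgement described above, as an added example written for this page rather than code from the patent. The lookup tables (`USER_POST_LEVEL`, `PROCESS_ON_PORT`, the level values), the `Request`/`AclEntry` types and the sample addresses are all constructed assumptions; the text does not say how the post level, address level or port level are obtained, only that the two levels are summed.

```python
"""Added example (not the patent's code): ACL lookup, importance level =
address level + preset port level, and the history-based allow/deny decision.
All tables, names and level values are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class AclEntry:
    request: Request
    importance: int      # importance level computed when the entry was added
    allowed: bool        # the judgment result stored with the request


# Constructed inventory standing in for the firewall's knowledge of the plant.
USER_POST_LEVEL = {"10.0.1.10": "engineer", "10.0.1.20": "plant_manager"}
ADDRESS_LEVEL = {"operator": 1, "engineer": 2, "plant_manager": 3}
PROCESS_ON_PORT = {
    ("10.0.1.10", 502): "modbus_slave",
    ("10.0.1.10", 102): "s7comm",
    ("10.0.1.20", 44818): "enip_scanner",
}
PORT_LEVEL = {"s7comm": 1, "modbus_slave": 2, "enip_scanner": 3}


def importance_level(req: Request) -> int:
    """Address level (from the post level of the user of the destination IP)
    plus the preset port level of the process bound to the destination port."""
    post = USER_POST_LEVEL[req.dst_ip]
    process = PROCESS_ON_PORT[(req.dst_ip, req.dst_port)]
    return ADDRESS_LEVEL[post] + PORT_LEVEL[process]


def decide_by_history(req: Request, level: int, acl: List[AclEntry]) -> Optional[bool]:
    """History-based judgement. None means the source IP has no ACL history,
    which the method hands to a separate path (the tag-feedback probe)."""
    history = [e for e in acl if e.request.src_ip == req.src_ip]
    if not history:
        return None
    target = max(history, key=lambda e: e.importance)   # highest historical level
    if target.allowed:
        # allowed in the past at a level >= current level -> allow, else deny
        return target.importance >= level
    # The text only covers a target history entry that was allowed; a denied
    # highest-level entry is treated conservatively as deny (assumption).
    return False


def handle_request(req: Request, acl: List[AclEntry]) -> Optional[bool]:
    """Whole flow: ACL hit -> reuse stored result; miss -> compute level,
    decide from history, and auto-add the request with its result."""
    for entry in acl:
        if entry.request == req:
            return entry.allowed
    level = importance_level(req)
    verdict = decide_by_history(req, level, acl)
    if verdict is not None:
        acl.append(AclEntry(req, level, verdict))   # automatic ACL addition
    return verdict
```

A point worth noting from running it: once a request is auto-added, the stored verdict is reused verbatim on the next hit, so a wrong first decision persists until an operator reviews the list. Keeping the computed level in the entry (as above) is what lets later requests from the same source be judged against the highest historical level.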
In another possible implementation manner, after judging whether the source IP address exists in the preset access control list, the method further includes:
if it does not exist, obtaining the target data;
generating data to be output based on the target data and preset tag information;
outputting the data to be output over a preset transmission channel, the preset transmission channel being the transmission channel corresponding to the target data;
judging whether a feedback signal corresponding to the preset tag information is received within a first preset time; and
adding the request information and the judgment result to the preset access control list.
By adopting the above technical solution: when the source IP address does not exist in the preset access control list, the industrial firewall cannot judge from the request information in the preset access control list whether the currently received request information is allowed to obtain the target data, and if the industrial firewall lets the request information through into the industrial control network to obtain the target data, it may attack the industrial control network. Therefore, when the industrial firewall cannot judge whether the current request information is safe, the industrial firewall can itself obtain the target data according to the request information and generate the data to be output from the target data and the preset tag information, where the preset tag information is tag information set in advance and has a corresponding feedback signal. The data to be output is then output over the preset transmission channel, which is an internal transmission channel set in advance; if the device corresponding to the source IP address can receive the data to be output over the preset transmission channel, the network information corresponding to the source IP address is able to pass through the industrial firewall. The preset tag information causes a device that receives the data to be output to send a feedback signal, so the industrial firewall can judge whether the feedback signal corresponding to the preset tag information is received within the first preset time, and add the request information and the judgment result to the preset access control list, thereby enabling the industrial firewall to add request information automatically.
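The tag-feedback probe for a source IP with no ACL history, modelled as an added example with both sides of the exchange (the firewall sending tagged output, the device answering with the tag). This is not the patent's code; the channel model, the per-device answer delay, the tag format (a random hex token) and the step-counted first preset time are constructed assumptions.

```python
"""Added example (not the patent's code): send target data carrying a preset
tag over the preset channel and accept the source only if the matching
feedback signal arrives within the first preset time. Constructed model."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import secrets


@dataclass(frozen=True)
class OutputData:
    target_data: bytes
    tag: str          # preset tag information the receiver must echo back


class PresetChannel:
    """Constructed model of the preset internal channel. `devices` maps the IP
    of each device reachable on the channel to the number of time steps it
    takes to answer; feedback signals are collected as (arrival_step, tag)."""

    def __init__(self, devices: Dict[str, int]):
        self.devices = dict(devices)
        self.feedback: List[Tuple[int, str]] = []

    def send(self, dst_ip: str, data: OutputData, step: int) -> None:
        delay = self.devices.get(dst_ip)
        if delay is None:
            return                              # unreachable: nothing comes back
        # Receiving device side: tagged data triggers the feedback signal.
        self.feedback.append((step + delay, data.tag))


def build_output(target_data: bytes) -> OutputData:
    """Attach a fresh, unguessable tag so a stale or forged reply cannot match."""
    return OutputData(target_data, secrets.token_hex(8))


def probe_source(src_ip: str, target_data: bytes, channel: PresetChannel,
                 first_preset_time: int, now: int = 0) -> bool:
    """Firewall side: output tagged data, then judge whether the feedback for
    this exact tag was received no later than now + first_preset_time."""
    out = build_output(target_data)
    channel.send(src_ip, out, now)
    deadline = now + first_preset_time
    return any(tag == out.tag and arrived <= deadline
               for arrived, tag in channel.feedback)
```

The returned boolean is the judgment result the method stores in the ACL next to the request. Binding the check to a per-probe random tag, rather than to any feedback at all, is what stops an old or replayed feedback signal from satisfying the window.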
In another possible implementation manner, the method further includes:
if the request information is allowed to obtain the target data and the importance level is greater than a preset importance level, recording the acquisition time when it is detected that the request information obtains the target data for the first time; and
if the acquisition time reaches a second preset time, denying the request information from obtaining the target data and outputting the request information.
By adopting the above technical solution: the preset importance level is an importance level set in advance, used as the criterion for whether an importance level counts as high. When the request information is allowed to obtain the target data and its importance level is greater than the preset importance level, the target data that the current request information accesses is of high importance, so there may be a risk of information leakage from the industrial control network, and the acquisition time of the request information is therefore recorded. The second preset time is a preset time set in advance, used as the criterion for whether the current acquisition time has become long. When the acquisition time reaches the second preset time, the device that sent the request information is more likely to harm the industrial control network, so the request information can now be denied from obtaining the target data and the request information is output, which improves the protective performance of the industrial firewall.
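The time-bounded access rule above, as an added example that is not the patent's code. It records the first acquisition time of each allowed high-importance request and revokes it once the second preset time has elapsed; the threshold values, the interpretation of the second preset time as an elapsed duration in seconds, and the injected clock are constructed assumptions.

```python
"""Added example (not the patent's code): revoke an allowed high-importance
request once its continued acquisition reaches the second preset time.
PRESET_IMPORTANCE_LEVEL and SECOND_PRESET_TIME are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PRESET_IMPORTANCE_LEVEL = 4     # assumption: levels above this count as "high"
SECOND_PRESET_TIME = 300.0      # assumption: seconds of continued access tolerated

RequestKey = Tuple[str, str, int]   # (src_ip, dst_ip, dst_port)


class ManualClock:
    """Clock with an advanceable value so the rule can be exercised offline."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class AccessWatch:
    """Tracks when each allowed high-importance request first obtained its
    target data and denies it once SECOND_PRESET_TIME has elapsed."""
    clock: Callable[[], float]
    first_seen: Dict[RequestKey, float] = field(default_factory=dict)
    revoked: List[RequestKey] = field(default_factory=list)   # requests output for review

    def check(self, key: RequestKey, allowed: bool, importance: int) -> bool:
        """Return whether the request may still obtain the target data now."""
        if not allowed:
            return False
        if importance <= PRESET_IMPORTANCE_LEVEL:
            return True                        # not high importance: no time bound
        now = self.clock()
        started = self.first_seen.setdefault(key, now)   # first acquisition time
        if now - started >= SECOND_PRESET_TIME:
            if key not in self.revoked:
                self.revoked.append(key)       # "output the request information"
            return False
        return True
```

`revoked` is the list an operator would review; the stored ACL verdict itself is left untouched here, so whether the revocation should also flip the ACL entry is a policy choice the text leaves open.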
In another possible implementation manner, there is at least one piece of historical request information corresponding to the source IP address, and the method further includes:
judging whether there is an association between the target data and the historical target data corresponding to each piece of historical request information;
obtaining the total number of associated historical target data that have an association, and the number of obtainable data, the obtainable data being the associated historical target data that are allowed to be obtained;
determining a target ratio based on the number and the total number;
judging whether the target ratio reaches a preset ratio; and
adding the request information and the judgment result to the preset access control list.
By adopting the above technical solution: in the preset access control list there may be at least one piece of historical request information corresponding to the source IP address. Whether there is an association between the target data and the historical target data corresponding to each piece of historical request information is judged; the obtainable data are the associated historical target data that are allowed to be obtained; the total number of associated historical target data and the number of obtainable data are obtained, and the target ratio is determined from the number and the total number, so that whether the request information is allowed to obtain the target data can then be judged from the target ratio. The preset ratio is a ratio set in advance, used as the criterion for whether the current target ratio meets the standard. When the target ratio reaches the preset ratio, most of the historical request information corresponding to the source IP address was able to obtain its respective target data, so the current request information is determined to be allowed to obtain the target data; when the target ratio does not reach the preset ratio, most of the historical request information corresponding to the source IP address was denied its respective target data, so the current request information is determined to be denied from obtaining the target data. The request information and the judgment result can then be added to the preset access control list, so that when the same request information needs the target data again, the industrial firewall can judge from the preset access control list whether it may obtain the target data, thereby enabling the industrial firewall to add request information automatically.
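The association-ratio judgement above, as an added example that is not the patent's code. The text does not define what makes two pieces of target data "associated", so the relation used here (same device or same data category), the `TargetData` fields and the preset ratio are constructed assumptions; the example also handles the case the text leaves implicit, where no historical target data is associated at all and no ratio can be formed.

```python
"""Added example (not the patent's code): target ratio = obtainable associated
historical target data / all associated historical target data, compared
with a preset ratio. Association relation and PRESET_RATIO are assumptions."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable, Optional


@dataclass(frozen=True)
class TargetData:
    device: str
    category: str      # constructed, e.g. "recipe", "setpoint", "log"


@dataclass(frozen=True)
class HistoryRecord:
    target: TargetData   # historical target data of one historical request
    allowed: bool        # whether that historical request could obtain it


PRESET_RATIO = Fraction(1, 2)   # assumption: at least half must have been obtainable


def associated(a: TargetData, b: TargetData) -> bool:
    """Assumed association relation: same device or same data category."""
    return a.device == b.device or a.category == b.category


def target_ratio(target: TargetData, history: Iterable[HistoryRecord]) -> Optional[Fraction]:
    """Exact ratio of obtainable to associated historical target data, or None
    when nothing in the history is associated (division would be undefined)."""
    related = [h for h in history if associated(target, h.target)]
    if not related:
        return None
    obtainable = sum(1 for h in related if h.allowed)
    return Fraction(obtainable, len(related))


def decide_by_ratio(target: TargetData, history: Iterable[HistoryRecord]) -> Optional[bool]:
    """True/False once a ratio exists; None leaves the decision to another rule."""
    ratio = target_ratio(target, history)
    if ratio is None:
        return None
    return ratio >= PRESET_RATIO
```

`Fraction` is used instead of a float so that a ratio exactly equal to the preset ratio (say 1/2 against 1/2) compares as "reached" without rounding surprises.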
In another possible implementation manner, after determining the historical importance level corresponding to the historical request information, the method further includes:
determining, based on the historical request information, the historical MAC address corresponding to the source IP address;
obtaining the MAC address of the request information;
judging whether the MAC address is the same as the historical MAC address; and
if they are not the same, determining that the source IP address is a modified IP address and that the request information is denied from obtaining the target data.
By adopting the above technical solution: the historical MAC address corresponding to the source IP address is determined from the historical request information, and the MAC address of the current request information is obtained, so that whether the MAC address is the same as the historical MAC address can be judged and, from that, whether the current source IP address is a modified source IP address. When they are not the same, the current source IP address is an IP address that has been modified, so the source IP address is determined to be a modified IP address and the request information is denied from obtaining the target data. The industrial firewall can thus recognize whether the source IP address is genuine, which improves its protection capability.
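The source IP/MAC consistency check above, as an added example that is not the patent's code. The history format (a list of `(src_ip, mac)` pairs), the MAC normalisation and the sample addresses are constructed assumptions; the example also covers the two cases the text does not spell out, a source IP with no history and a history that already holds more than one MAC for the IP.

```python
"""Added example (not the patent's code): compare the MAC of the current
request with the MAC(s) the same source IP was seen with in the ACL history.
History format, normalisation and sample addresses are assumptions."""
from typing import Iterable, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '00-1A-2B-3C-4D-5E' and
    '00:1a:2b:3c:4d:5e' compare equal; rejects anything that is not 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def historical_macs(src_ip: str, history: Iterable[Tuple[str, str]]) -> Set[str]:
    """All MACs recorded for this source IP in the historical request information."""
    return {normalize_mac(m) for ip, m in history if ip == src_ip}


def source_ip_modified(src_ip: str, mac: str,
                       history: Iterable[Tuple[str, str]]) -> Optional[bool]:
    """None: no history for this source IP, nothing to compare against.
    True: the current MAC matches none of the historical MACs, so the source
    IP is treated as modified. A history with several MACs is accepted only
    if the current MAC is one of them (assumption)."""
    seen = historical_macs(src_ip, history)
    if not seen:
        return None
    return normalize_mac(mac) not in seen


def decide_with_mac_check(src_ip: str, mac: str, history: Iterable[Tuple[str, str]],
                          history_verdict: bool) -> bool:
    """Apply the MAC check on top of the history-based verdict: a modified
    source IP is denied regardless of what the importance comparison said."""
    if source_ip_modified(src_ip, mac, history):
        return False
    return history_verdict
```

One caveat a deployer needs: the MAC the firewall sees is that of the last layer-2 hop, so this comparison is meaningful only for sources on the same segment as the firewall interface; for a request that arrived through a router the historical MAC will be the router's, and a different MAC then says more about the path than about the source IP.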
In a second aspect, the present application provides an industrial firewall protection device, which adopts the following technical solution:
An industrial firewall protection device, comprising:
a first judging module, configured to judge, when request information is received, whether the request information exists in a preset access control list;
a first determining module, configured to determine the importance level of the request information when it does not exist;
a second judging module, configured to judge, based on the importance level, whether the request information is allowed to obtain target data, the target data being the data that the request information needs to obtain; and
a first adding module, configured to add the request information and the corresponding judgment result to the preset access control list.
By adopting the above technical solution: when request information is received, the industrial firewall needs to judge whether the request information may pass. The preset access control list is a permission list set in advance, which includes multiple pieces of request information that may pass through the industrial firewall and multiple pieces that may not. The first judging module judges whether the request information exists in the preset access control list, thereby establishing whether the industrial firewall can recognize the request information: if it exists in the list, the industrial firewall can tell whether the request information may pass; if it does not, the industrial firewall cannot, so the first determining module determines the importance level of the request information, the second judging module judges from the importance level whether the request information is allowed to obtain the target data, the target data being the data that the request information needs to obtain, and the first adding module can then add the request information and the corresponding judgment result to the preset access control list, so that when the same request information is received again, the industrial firewall can determine from the preset access control list whether it may pass. The industrial firewall is thus able to add request information automatically.
In another possible implementation manner, when determining the importance level of the request information, the first determining module is specifically configured to:
determine the post-level information of the user who uses the destination IP address;
determine the address level of the destination IP address based on the post-level information;
determine the process information of the destination port number on the device corresponding to the destination IP address, the process information corresponding to a preset port level; and
sum the address level and the preset port level to obtain the importance level of the request information.
In another possible implementation manner, when judging, based on the importance level, whether the request information is allowed to obtain the target data, the second judging module is specifically configured to:
judge whether the source IP address exists in the preset access control list;
if it exists, determine the historical request information corresponding to the source IP address and the historical importance level corresponding to the historical request information, the historical request information being the request information corresponding to the source IP address in the preset access control list;
determine the historical request information corresponding to the highest historical importance level as the target historical request information;
if the highest historical importance level is not less than the importance level, and the target historical request information is allowed to obtain target historical target data, determine that the request information is allowed to obtain the target data, the target historical target data being the target data that the target historical request information needs to obtain; and
if the highest historical importance level is less than the importance level, and the target historical request information is allowed to obtain the target historical target data, determine that the request information is denied from obtaining the target data.
In another possible implementation manner, the device further includes:
a first obtaining module, configured to obtain the target data when the source IP address does not exist in the preset access control list;
a generating module, configured to generate data to be output based on the target data and preset tag information;
a first output module, configured to output the data to be output over a preset transmission channel, the preset transmission channel being the transmission channel corresponding to the target data;
a third judging module, configured to judge whether a feedback signal corresponding to the preset tag information is received within a first preset time; and
a second adding module, configured to add the request information and the judgment result to the preset access control list.
In another possible implementation, the device further includes:
a recording module, configured, when the request information is allowed to acquire the target data and the importance level is greater than a preset importance level, to record the acquisition time upon detecting that the request information acquires the target data for the first time;
a second output module, configured, when the acquisition time reaches a second preset time, to refuse the request information's acquisition of the target data and to output the request information.
In another possible implementation, the device further includes:
a fourth judging module, configured to judge whether an association exists between the target data and the historical target data corresponding to each piece of historical request information;
a second acquisition module, configured to acquire the total number of associated historical target data for which an association exists, and the number of acquirable data, where the acquirable data is the associated historical target data that is allowed to be acquired;
a third determining module, configured to determine a target ratio based on that number and the total number;
a fifth judging module, configured to judge whether the target ratio reaches a preset ratio;
a third adding module, configured to add the request information and the judgment result to the preset access control list.
In another possible implementation, the device further includes:
a third determining module, configured to determine the historical MAC address corresponding to the source IP address based on the historical request information;
a third acquisition module, configured to acquire the MAC address of the request information;
a sixth judging module, configured to judge whether the MAC address is the same as the historical MAC address;
a fourth determining module, configured, when they differ, to determine that the source IP address is a modified IP address and to determine that the request information is refused to acquire the target data.
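The two access-control-list learning rules stated in the last two implementations, the association-ratio judgment (fourth and fifth judging modules) and the source IP/MAC consistency judgment (sixth judging and fourth determining modules), are shown below as an added, runnable illustration. This is not the patent's own code: the ACL entry layout, the addresses, the "same device" association predicate and the preset ratio of 0.6 are all constructed for this example, since the application describes the rules only in prose.

```python
"""Added example (not the patent's code): association-ratio and IP/MAC
consistency rules over a constructed access control list."""
from collections import namedtuple

# One learned ACL entry: request identity plus the judgment already reached
# (assumed layout; the patent does not fix the list's fields).
Entry = namedtuple("Entry", "source_ip source_mac target_data allowed")


def make_acl():
    """Constructed history (assumption): source 10.0.0.5 has three judged
    requests against device plc1, source 10.0.0.9 one against device hmi2."""
    return [
        Entry("10.0.0.5", "00:11:22:33:44:55", "plc1/holding_registers", True),
        Entry("10.0.0.5", "00:11:22:33:44:55", "plc1/coils", True),
        Entry("10.0.0.5", "00:11:22:33:44:55", "plc1/firmware", False),
        Entry("10.0.0.9", "aa:bb:cc:dd:ee:ff", "hmi2/screens", True),
    ]


def related(target_data, historical_target_data):
    """Assumed association predicate: data held on the same device is
    associated. The patent leaves 'association' open; this is a stand-in."""
    return target_data.split("/")[0] == historical_target_data.split("/")[0]


def association_ratio_decision(acl, source_ip, target_data, preset_ratio):
    """Fourth/fifth judging modules: among the source's historical target data
    associated with the requested data, what fraction was allowed?
    Returns (target_ratio, reaches_preset_ratio)."""
    history = [e for e in acl if e.source_ip == source_ip]
    associated = [e for e in history if related(target_data, e.target_data)]
    total = len(associated)
    if total == 0:
        return 0.0, False  # nothing to reason from: do not learn an 'allow'
    acquirable = sum(1 for e in associated if e.allowed)
    ratio = acquirable / total
    return ratio, ratio >= preset_ratio


def mac_consistency_check(acl, source_ip, source_mac):
    """Sixth judging / fourth determining modules: the MAC of the current
    request must equal the historical MAC bound to the source IP. Returns
    True (same), False (differs: source IP treated as modified) or None when
    the IP has no history, in which case the rule does not apply."""
    historical_macs = {e.source_mac for e in acl if e.source_ip == source_ip}
    if not historical_macs:
        return None
    return source_mac in historical_macs


def learn(acl, source_ip, source_mac, target_data, preset_ratio=0.6):
    """Combine both rules, then append the request with its judgment
    (third adding module). A MAC mismatch refuses outright."""
    if mac_consistency_check(acl, source_ip, source_mac) is False:
        allowed = False
    else:
        _, allowed = association_ratio_decision(acl, source_ip, target_data,
                                                preset_ratio)
    acl.append(Entry(source_ip, source_mac, target_data, allowed))
    return allowed
```

With the constructed history, a request from 10.0.0.5 for `plc1/input_registers` finds three associated entries of which two were allowed, a ratio of 2/3, which reaches the assumed preset ratio; the same request carrying an unknown MAC is refused before the ratio is consulted, and a source with no associated history is not granted an allow entry.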
In a third aspect, the present application provides an industrial firewall, which adopts the following technical solution:
An industrial firewall, including:
at least one processor;
a memory;
at least one application program, where the at least one application program is stored in the memory and configured to be executed by the at least one processor, and the at least one application program is configured to execute the method for industrial firewall protection according to any possible implementation of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium, which adopts the following technical solution:
A computer-readable storage medium which, when the computer program is executed in a computer, causes the computer to execute the method for industrial firewall protection according to any one of the first aspect.
In summary, the present application includes at least one of the following beneficial technical effects:
1. When request information is received, the current industrial firewall needs to judge whether that request information may pass. The preset access control list is a permission list set in advance, which includes multiple pieces of request information that can pass through the industrial firewall and multiple pieces that cannot. Judging whether the request information exists in the preset access control list therefore judges whether the industrial firewall can recognise the request information. When it exists in the preset access control list, the industrial firewall can recognise whether the request information may pass; when it does not, the industrial firewall cannot, so the importance level of the request information can be determined and used to judge whether the request information is allowed to acquire the target data, where the target data is the data the request information needs to acquire. The request information and the corresponding judgment result can then be added to the preset access control list, so that when the same request information is received again the industrial firewall can determine from the preset access control list whether it may pass. The industrial firewall thus adds request information automatically;
2. When the source IP address does not exist in the preset access control list, the industrial firewall currently cannot judge from the request information in the list whether the received request information is allowed to acquire the target data. If the industrial firewall released that request information and let it enter the industrial control network to acquire the target data, it might attack the industrial control network. Therefore, when the firewall cannot judge whether the current request information is safe, the firewall can itself acquire the target data according to the request information and generate the data to be output from that target data and preset tag information, where the preset tag information is tag information set in advance and has a corresponding feedback signal. The data to be output is then output over the preset transmission channel, which is an internal transmission channel set in advance; if the device at the source IP address of the data to be output can receive it over the preset transmission channel, the network information corresponding to that source IP address can pass through the industrial firewall. The preset tag information causes a device that receives the data to be output to send the feedback signal, so by judging whether the feedback signal corresponding to the preset tag information is received within the first preset time and adding the request information and the judgment result to the preset access control list, the industrial firewall adds request information automatically.
Description of the drawings
Fig. 1 is a schematic flowchart of a method for industrial firewall protection in an embodiment of the present application.
Fig. 2 is a schematic structural diagram of a device for industrial firewall protection in an embodiment of the present application.
Fig. 3 is a schematic structural diagram of an industrial firewall in an embodiment of the present application.
Detailed description
The present application is described in further detail below with reference to Figs. 1 to 3.
After reading this specification, those skilled in the art can make modifications to this embodiment that involve no creative contribution as needed; as long as they fall within the scope of the claims of this application, they are protected by patent law.
To make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present application. Based on the embodiments of the present application, all other embodiments obtained by persons of ordinary skill in the art without creative effort fall within the protection scope of the present application.
In addition, the term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist at the same time, or that B exists alone. In addition, the character "/" herein, unless otherwise specified, generally indicates that the associated objects before and after it are in an "or" relationship.
The embodiments of the present application are described in further detail below with reference to the accompanying drawings.
An embodiment of the present application provides a method for industrial firewall protection, executed by an industrial firewall. As shown in Fig. 1, the method includes step S101, step S102, step S103 and step S104, where:
Step S101: when request information is received, judge whether the request information exists in the preset access control list.
For this embodiment, when request information is received, the current industrial firewall needs to judge whether that request information may pass. The preset access control list is a permission list set in advance, which includes multiple pieces of request information that can pass through the industrial firewall and multiple pieces that cannot. Judging whether the request information exists in the preset access control list therefore judges whether the industrial firewall can recognise it. Assume the received request information is request information A.
Step S102: if it does not exist, determine the importance level of the request information.
For this embodiment, when the request information does not exist in the preset access control list, the industrial firewall cannot recognise whether it may pass, so the importance level of the request information can be determined and later used to judge whether the request information is allowed to acquire the target data. Following step S101, the request information is request information A and the preset access control list contains request information B, request information C and request information D; request information A therefore does not exist in the list, so the importance level of request information A can be determined and then used to judge whether request information A is allowed to acquire the target data.
In this embodiment, when the request information exists in the preset access control list, the industrial firewall can recognise whether it may pass. Assume the currently received request information is request information B, request information B exists in the preset access control list, and request information B can acquire the target data; it can then be determined that the received request information B is allowed to acquire the target data.
Step S103: based on the importance level, judge whether the request information is allowed to acquire the target data.
Here, the target data is the data that the request information needs to acquire.
For this embodiment, the target data is the data that the request information needs to acquire. Assume the target data that request information A needs to acquire is data A; according to the importance level of request information A, it is judged whether request information A is allowed to acquire data A, so that request information A and the corresponding judgment result can later be added to the preset access control list.
Step S104: add the request information and the corresponding judgment result to the preset access control list.
For this embodiment, the judgment result is either permission to acquire the target data or refusal to acquire it. Adding the request information and the corresponding judgment result to the preset access control list lets the industrial firewall judge from the list whether that request information may pass when it is received again, so the industrial firewall adds request information automatically.
In a possible implementation of this embodiment, determining the importance level of the request information in step S102 specifically includes step S1021 (not shown in the figure), step S1022 (not shown in the figure), step S1023 (not shown in the figure) and step S1024 (not shown in the figure), where:
Step S1021: determine the post level information of the user who uses the device at the destination IP address.
For this embodiment, the request information includes a destination IP address and a destination port number. The destination IP address identifies which device holds the target data that the current request information needs to acquire; each port number corresponds to process information, and the destination port number identifies the target data as data of the process on the destination port. The post level information of the user who uses the device at the destination IP address in the request information is determined, so that the address level of the destination IP address can then be determined from the post level information. Assume the device at the destination IP address in the currently received request information A is device A, the user of device A is user A, and the post level information of user A is level p1; at work, a higher p level corresponds to a higher post level.
Step S1022: determine the address level of the destination IP address based on the post level information.
For this embodiment, following step S1021, the post level information is level p1, so the address level of the destination IP address can be determined as level 1.
Step S1023: determine the process information of the destination port number on the device at the destination IP address.
Here, the process information corresponds to a preset port level.
For this embodiment, the process information corresponds to a preset port level. The process information of the destination port number on the device at the destination IP address is determined, so that the importance level of the request information can then be determined from the preset port level corresponding to the destination port number. Assume the process information corresponding to the destination port number is process A, and the preset port level corresponding to process A is level 1.
Step S1024: sum the address level and the preset port level to obtain the importance level of the request information.
For this embodiment, following steps S1022 and S1023, the preset port level is level 1 and the address level is level 1; summing the address level and the preset port level gives an importance level of 2 for the request information. The importance level of request information A is thus determined.
In a possible implementation of this embodiment, judging in step S103 whether the request information is allowed to acquire the target data based on the importance level specifically includes step S1031 (not shown in the figure), step S1032 (not shown in the figure), step S1033 (not shown in the figure), step S1034 (not shown in the figure) and step S1035 (not shown in the figure), where:
Step S1031: judge whether the source IP address exists in the preset access control list.
For this embodiment, the request information includes a source IP address. Whether the source IP address exists in the preset access control list is judged in order to learn whether the device at that source IP address has sent request information in the past. Assume the source IP address of request information A is address A; whether address A exists in the preset access control list is judged so as to learn whether any request information from address A exists in the history.
Step S1032: if it exists, determine the historical request information corresponding to the source IP address, and determine the historical importance level corresponding to the historical request information.
Here, the historical request information is the request information corresponding to the source IP address in the preset access control list.
For this embodiment, when the source IP address exists, request information containing that source IP address exists in the history, so the historical request information corresponding to the source IP address can be determined, together with its historical importance level, so that whether the request information is allowed to access the target process can then be judged from the historical importance level and the importance level. Following step S1031, the request information for address A in the preset access control list is request information B and request information C. The importance level corresponding to request information B is level 1 and the importance level corresponding to request information C is level 5.
Step S1033: determine the historical request information corresponding to the highest historical importance level as the target historical request information.
For this embodiment, the higher the importance level corresponding to request information, the more important the data that the request information can acquire; and since the preset access control list may hold more than one piece of historical request information for the source IP address, the historical request information corresponding to the highest historical importance level can be determined as the target historical request information. Following step S1032, the target historical request information is request information C.
Step S1034: if the highest historical importance level is not less than the importance level, and the target historical request information is allowed to acquire the target historical target data, determine that the request information is allowed to acquire the target data.
Here, the target historical target data is the target data that the target historical request information needs to acquire.
For this embodiment, when the highest historical importance level is not less than the importance level and the target historical request information is allowed to acquire the target historical target data, the source IP address has in the past been allowed to acquire target data of greater importance than the current request, so it can be determined that the request information is allowed to acquire the target data. Following step S1032, the highest historical importance level is level 5 and request information C is allowed to acquire its corresponding target data, while the importance level of request information A is level 2; the highest historical importance level is not less than the importance level, that is, address A of request information A can acquire data of importance level 5, so request information A with importance level 2 is also allowed to acquire the target data. It is thus determined that the current request information is allowed to acquire the target data.
Step S1035: if the highest historical importance level is less than the importance level, and the target historical request information is allowed to acquire the target historical target data, determine that the request information is refused to acquire the target data.
For this embodiment, assume the highest historical importance level is level 1 and the importance level of request information A is level 2, that is, the highest importance level that address A, the source IP address of request information A, has accessed in the past is level 1. Since the current importance level of request information A is level 2, which is higher than the highest historical importance level, it can be determined that request information A is refused to acquire the target data. It is thus determined that request information A cannot acquire the target data.
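Steps S1021 to S1024 and S1031 to S1035, taken together, form a small policy function: compute the importance level of a request from the destination user's post level and the destination process's port level, then compare it with the highest importance level the source IP has previously been allowed. The following is an added illustration in Python and not the patent's own code; the lookup tables (destination IP to user, user to p-level, destination port to process, process to port level), the IP addresses, ports and data names are all constructed, and the handling of a target history entry that was itself refused, which the application does not state, is a conservative assumption noted in the code.

```python
"""Added example (not the patent's code): importance level (S1021-S1024) and
history-based judgment (S1031-S1035) over a constructed access control list."""
from dataclasses import dataclass

# Constructed lookups (assumptions). The text maps post level p1 to address
# level 1 and the process behind the destination port to a preset port level.
USER_OF_DEVICE = {"192.168.1.10": "user_a"}              # destination IP -> user
POST_LEVEL = {"user_a": 1}                                # user -> p-level
PROCESS_ON_PORT = {("192.168.1.10", 502): "process_a"}   # (IP, port) -> process
PORT_LEVEL = {"process_a": 1}                             # process -> port level


@dataclass
class Request:
    source_ip: str
    destination_ip: str
    destination_port: int
    target_data: str


@dataclass
class AclEntry:
    request: Request
    importance: int
    allowed: bool


def importance_level(req):
    """S1021-S1024: address level from the destination user's post level plus
    the preset port level of the process on the destination port."""
    user = USER_OF_DEVICE[req.destination_ip]                    # S1021
    address_level = POST_LEVEL[user]                             # S1022
    process = PROCESS_ON_PORT[(req.destination_ip, req.destination_port)]
    port_level = PORT_LEVEL[process]                             # S1023
    return address_level + port_level                            # S1024


def decide_by_history(acl, req, importance):
    """S1031-S1035. Returns True (allow), False (refuse) or None when the
    source IP has no history, which is the case the probe of S105-S109 covers."""
    history = [e for e in acl if e.request.source_ip == req.source_ip]  # S1031/S1032
    if not history:
        return None
    target = max(history, key=lambda e: e.importance)                   # S1033
    if not target.allowed:
        # Assumption: the text states S1034/S1035 only for an allowed target
        # history; a refused one is treated as refuse here.
        return False
    return target.importance >= importance                              # S1034/S1035


def handle_request(acl, req):
    """S102-S104 for a request not yet in the list: compute the importance
    level, judge from history, and record the judgment. Returns
    (importance, decision); decision None means the probe path is needed."""
    importance = importance_level(req)
    decision = decide_by_history(acl, req, importance)
    if decision is not None:
        acl.append(AclEntry(req, importance, decision))
    return importance, decision


def example_acl():
    """Constructed history for address A (10.0.0.5): request B at level 1 and
    request C at level 5, both allowed, matching the worked example above."""
    b = Request("10.0.0.5", "192.168.1.10", 502, "data_b")
    c = Request("10.0.0.5", "192.168.1.10", 502, "data_c")
    return [AclEntry(b, 1, True), AclEntry(c, 5, True)]
```

Run against `example_acl()`, request A (level 1 + level 1 = 2) is allowed because the highest historical level for its source is 5; with only the level-1 entry present it is refused, as in the S1035 example; and a source with no entries yields no decision, which is where steps S105 to S109 take over.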
本申请实施例的一种可能的实现方式,步骤S1031之后还包括步骤S105(图中未示出)、步骤S106(图中未示出)、步骤S107(图中未示出)、步骤S108(图中未示出)以及步骤S109(图中未示出),其中,A possible implementation of the embodiment of the present application, after step S1031, further includes step S105 (not shown in the figure), step S106 (not shown in the figure), step S107 (not shown in the figure), step S108 ( not shown in the figure) and step S109 (not shown in the figure), wherein,
步骤S105,若未存在,则获取目标数据。Step S105, if it does not exist, acquire the target data.
对于本申请实施例,当预设访问控制列表中不存在源ip地址时,说明目前工业防火墙无法根据预设访问控制列表中的请求信息判断当前接收到的请求信息是否允许获取目标数据,而当工业防火墙对该请求信息放行,使得该请求信息进入工控网络获取目标数据时,可能对工控网络造成攻击,因此工业防火墙在无法判断当前请求信息是否安全的情况下,工业防火墙可以根据请求信息获取目标数据。假设请求信息A需获取的目标数据为数据A,为避免请求信息A进入工控网络,可以由工业防火墙在工控网络中获取到数据A,以使得后续能够将数据A输出,进而确定出请求信息A是否允许通过工业防火墙并获取数据A。For this embodiment of the application, when the source ip address does not exist in the preset access control list, it means that the current industrial firewall cannot judge whether the currently received request information is allowed to obtain the target data according to the request information in the preset access control list, and when The industrial firewall releases the request information, so that when the request information enters the industrial control network to obtain the target data, it may cause an attack on the industrial control network. Therefore, when the industrial firewall cannot judge whether the current request information is safe, the industrial firewall can obtain the target data based on the request information. data. Assuming that the target data to be acquired by request information A is data A, in order to prevent request information A from entering the industrial control network, the industrial firewall can obtain data A in the industrial control network, so that data A can be output later, and then the request information A can be determined Is it allowed to pass through the industrial firewall and obtain data A.
步骤S106,基于目标数据以及预设标签信息生成待输出数据。Step S106, generating data to be output based on the target data and preset label information.
对于本申请实施例,预设标签信息为提前设定的标签信息,且预设标签信息对应有反馈信号,根据目标数据以及预设标签信息生成待输出数据,从而便于后续能够根据待输出数据判断当前请求信息是否允许获取目标数据。假设标签信息对应的反馈信号为“我已接收到”。For the embodiment of the present application, the preset tag information is the tag information set in advance, and the preset tag information corresponds to a feedback signal, and the data to be output is generated according to the target data and the preset tag information, so that subsequent judgment can be made based on the data to be output Whether the current request information allows to obtain the target data. Assume that the feedback signal corresponding to the tag information is "I have received it".
步骤S107,基于预设传输通道输出待输出数据。Step S107, outputting the data to be output based on the preset transmission channel.
其中,预设传输通道为目标数据对应的传输通道。Wherein, the preset transmission channel is a transmission channel corresponding to the target data.
In this embodiment of the application, the preset transmission channel is an internal transmission channel set in advance. If the device corresponding to the source ip address can receive the data to be output through the preset transmission channel, the network information corresponding to that source ip address is able to pass the industrial firewall. The preset tag information is used to make a device send a feedback signal when it receives the data to be output. The data to be output is therefore sent over the preset transmission channel so that it can subsequently be determined whether request information A is allowed to obtain data A. Assume the preset transmission channel corresponding to data A is channel 1: if a device can receive the data output on channel 1, that device is one allowed to obtain the data, so outputting the data-to-be-output A, generated from data A and the preset tag information, through channel 1 makes it possible to determine whether request information A is allowed to obtain data A.
Step S108: determine whether a feedback signal corresponding to the preset tag information is received within a first preset time.
In this embodiment of the application, the first preset time is a time set in advance. Assume the first preset time is 10 s (seconds). Taking step S106 as an example, if an "I have received it" signal is received within 10 s, request information A is allowed to obtain target data A; if no "I have received it" signal is received within 10 s, request information A is denied data A.
Step S109: add the request information and the judgment result to the preset access control list.
In this embodiment of the application, the request information and the judgment result are added to the preset access control list, so that the industrial firewall can add request information automatically. Assume the judgment result is that the feedback signal was received: the device at the source ip address corresponding to the current request information A obtained data A, so it can be determined that request information A is allowed to obtain target data A, and request information A together with "allowed to obtain data A" can be added to the preset access control list. If the judgment result is that no feedback signal was received, the device at the source ip address corresponding to request information A did not obtain data A, so it can be determined that request information A is denied target data A, and request information A together with "denied data A" can be added to the preset access control list. In this way, when request information A is received again, whether request information A is allowed to obtain data A can be determined quickly, which achieves the effect that the industrial firewall adds request information automatically.
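The probe described in steps S106 to S109, as an added example that is not code from the patent. It models the preset transmission channel and the feedback path as in-process queues (an assumption; a real firewall would use an internal link to the device), frames the data to be output as tag plus target data (framing assumed), and treats only a feedback signal carrying the probe's own tag, received within the first preset time, as an acknowledgement. The first preset time is shortened to 0.2 s so the example runs quickly; the IP addresses are constructed documentation addresses.

```python
import queue
import secrets
import threading

# Constructed simulation of steps S106 to S109 (not code from the patent).
# Assumptions: the preset transmission channel and the feedback path are
# in-process queues, and the feedback signal is the device echoing the tag.

FIRST_PRESET_TIME = 0.2  # seconds; the patent's example uses 10 s


def make_tagged_payload(target_data: bytes, tag: bytes) -> bytes:
    """Data to be output = preset tag information + target data (framing assumed)."""
    return len(tag).to_bytes(1, "big") + tag + target_data


def parse_tagged_payload(payload: bytes):
    """Inverse of make_tagged_payload: returns (tag, target_data)."""
    n = payload[0]
    return payload[1:1 + n], payload[1 + n:]


def acknowledging_device(channel: queue.Queue, feedback: queue.Queue) -> None:
    """Simulated device that can receive on the channel: it echoes the tag back."""
    tag, _data = parse_tagged_payload(channel.get())
    feedback.put(tag)


def probe_channel(channel: queue.Queue, feedback: queue.Queue, target_data: bytes,
                  tag: bytes, first_preset_time: float = FIRST_PRESET_TIME) -> bool:
    """S107/S108: output the tagged data and wait for the matching feedback signal."""
    channel.put(make_tagged_payload(target_data, tag))
    try:
        received = feedback.get(timeout=first_preset_time)
    except queue.Empty:
        return False  # nothing within the first preset time: deny
    # Only feedback carrying this probe's tag counts; a stale or foreign
    # signal must not be taken as an acknowledgement.
    return received == tag


def decide_and_record(acl: list, request: dict, target_data: bytes,
                      device_listens: bool) -> bool:
    """Run one probe and add request information + result to the ACL (S109)."""
    channel, feedback = queue.Queue(), queue.Queue()
    tag = secrets.token_bytes(8)  # fresh per probe, so an old reply cannot be reused
    if device_listens:
        threading.Thread(target=acknowledging_device,
                         args=(channel, feedback), daemon=True).start()
    allowed = probe_channel(channel, feedback, target_data, tag)
    acl.append({**request, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    acl = []
    req = {"src_ip": "192.0.2.10", "dst_ip": "192.0.2.50", "dst_port": 502, "target": "data A"}
    print(decide_and_record(acl, req, b"data A", device_listens=True))   # True
    print(decide_and_record(acl, req, b"data A", device_listens=False))  # False
```

The tag is generated per probe rather than being a fixed preset value; that is a design choice of this example, so that a feedback signal recorded from an earlier probe cannot satisfy a later one.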
In a possible implementation of the embodiment of this application, step S104 is further followed by step S110 (not shown in the figure) and step S111 (not shown in the figure), wherein:
Step S110: if the request information is allowed to obtain the target data and its importance level is greater than a preset importance level, record the acquisition time when the request information is detected to obtain the target data for the first time.
In this embodiment of the application, the preset importance level is an importance level set in advance, used as the threshold for deciding whether an importance level is high. Assume the preset importance level is level 5. When the request information is allowed to obtain the target data and its importance level is greater than level 5, the target data that the current request information needs to access is highly important, that is, there may be a risk of information leakage from the industrial control network. The acquisition time of that request information can therefore be recorded, so that it can later be judged from the acquisition time whether a risk such as information leakage has occurred. Assume the acquisition time is 10 min (minutes).
Step S111: if the acquisition time reaches a second preset time, deny the request information the target data and output the request information.
In this embodiment of the application, the second preset time is a preset time set in advance, serving as the criterion for judging whether the current acquisition time is long. Assume the second preset time is 10 min. Taking step S110 as an example, when the acquisition time reaches the second preset time, the device that issued the request information is more likely to harm the industrial control network, so the request information can now be denied the target data and the request information is output, allowing network administrators to see promptly which request information has had its permission changed, which improves the protection performance of the industrial firewall.
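Steps S110 and S111 as a small state machine, added here as an example that is not code from the patent. It assumes that "acquisition time" means the time elapsed since the request information first obtained the target data (the patent does not define it further), and takes timestamps as parameters in seconds so the 10 min threshold can be exercised without waiting. The request key and levels are constructed.

```python
# Constructed example of steps S110 and S111 (not code from the patent).
# Assumption: "acquisition time" is the elapsed time since the first acquisition;
# `now` is supplied by the caller in seconds (e.g. time.monotonic()).

PRESET_IMPORTANCE_LEVEL = 5   # level used in the patent's example
SECOND_PRESET_TIME = 10 * 60  # 10 min, as in the patent's example


class HighImportanceAccessMonitor:
    def __init__(self, preset_level: int = PRESET_IMPORTANCE_LEVEL,
                 second_preset_time: float = SECOND_PRESET_TIME):
        self.preset_level = preset_level
        self.second_preset_time = second_preset_time
        self.first_acquired = {}  # request key -> time of first acquisition
        self.reported = []        # request information output for the administrator

    def observe(self, request_key, allowed: bool, importance: int, now: float) -> bool:
        """Return whether the request information is still allowed at time `now`."""
        if not allowed:
            return False
        if importance <= self.preset_level:
            return True  # S110 applies only above the preset importance level
        if request_key not in self.first_acquired:
            self.first_acquired[request_key] = now  # S110: record the acquisition time
            return True
        elapsed = now - self.first_acquired[request_key]
        if elapsed >= self.second_preset_time:
            # S111: revoke and output the request information for review
            self.reported.append((request_key, elapsed))
            return False
        return True


if __name__ == "__main__":
    m = HighImportanceAccessMonitor()
    key = ("192.0.2.10", "192.0.2.50", 502, "data A")  # constructed request key
    print(m.observe(key, True, 6, 0.0))    # True: first acquisition, time recorded
    print(m.observe(key, True, 6, 300.0))  # True: 5 min elapsed
    print(m.observe(key, True, 6, 600.0))  # False: 10 min reached, request reported
    print(m.reported)
```

Every revocation lands in `reported`, which is the list an operator console would drain; nothing here is re-allowed automatically, so a later re-check of the same key keeps returning False until the entry is cleared by hand.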
In a possible implementation of the embodiment of this application, the method further includes step S112 (not shown in the figure), step S113 (not shown in the figure), step S114 (not shown in the figure), step S115 (not shown in the figure) and step S116 (not shown in the figure), wherein step S112 may be performed before step S104, and wherein:
Step S112: determine whether an association relationship exists between the target data and the historical target data corresponding to each piece of historical request information.
In this embodiment of the application, the preset access control list may contain at least one piece of historical request information corresponding to the source ip address. Whether an association relationship exists between the target data and the historical target data corresponding to each piece of historical request information is determined, so that the total number of associated pieces of request information, and the number of those allowed to obtain data, can subsequently be determined.
Assume the source ip address of request information A is address A, and that the request information corresponding to address A in the preset access control list is request information B, C, D and E, whose corresponding target data are data B, C, D and E. It is determined whether an association relationship exists between data A and each of data B, C, D and E.
Step S113: obtain the total number of associated historical target data having an association relationship, and the number of obtainable data.
Here, obtainable data are those associated historical target data that are allowed to be obtained.
In this embodiment of the application, obtainable data are the associated historical target data that are allowed to be obtained. The total number of associated historical target data having an association relationship, and the number of obtainable data, are obtained so that it can subsequently be judged from the total number and the number whether the current request information is allowed to obtain the target data. Taking step S112 as an example, assume data A has an association relationship with each of data B, C, D and E; the total number is then 4. Assuming data B, C and D can each be obtained by their corresponding request information, the number of obtainable data is 3.
Step S114: determine a target ratio based on the number and the total number.
In this embodiment of the application, taking step S113 as an example, the number 3 can be divided by the total number 4, giving a target ratio of 75%, so that whether the current request information A is allowed to obtain data A can subsequently be judged from the 75%.
Step S115: determine whether the target ratio reaches a preset ratio.
In this embodiment of the application, the preset ratio is a ratio set in advance, used as the criterion for whether the current target ratio is satisfactory. When the target ratio reaches the preset ratio, most of the historical request information corresponding to the source ip address was allowed to obtain its respective target data, so it can be determined that the current request information is allowed to obtain the target data. When the target ratio does not reach the preset ratio, most of the historical request information corresponding to the source ip address was denied its respective target data, so it can be determined that the current request information is denied the target data.
Taking step S114 as an example, assume the preset ratio is 70%. The currently calculated target ratio of 75% reaches the preset ratio, which shows that, among the many historical pieces of request information corresponding to address A of request information A, being allowed to obtain the target data is the more likely outcome; it can therefore be determined that request information A is allowed to obtain data A.
Step S116: add the request information and the judgment result to the preset access control list.
In this embodiment of the application, the judgment result is either that the target ratio reaches the preset ratio, meaning the current request information is allowed to obtain the target data, or that it does not, meaning the current request information is denied the target data. The request information and the corresponding judgment result are added to the preset access control list, so that when the same request information is received again, the industrial firewall can judge from the preset access control list whether it may pass, achieving the effect that the industrial firewall adds request information automatically. Taking step S115 as an example, the target ratio reaches the preset ratio, so request information A is allowed to obtain data A, and request information A together with "allowed to obtain data A" can be added to the preset access control list; when request information A is received again, the industrial firewall can determine from the preset access control list that request information A is allowed to obtain data A, achieving the effect that the industrial firewall adds request information A automatically.
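The ratio rule of steps S112 to S116 carried through on the patent's own numbers (4 associated entries, 3 obtainable, preset ratio 70%), as an added example that is not code from the patent. The ACL is modelled as a list of dicts, and the association relation is supplied as an explicit set of pairs because the patent does not define how association between two pieces of target data is decided; both are assumptions. It also covers the case the patent leaves open, a source ip with no associated history, by returning no decision instead of dividing by zero.

```python
# Constructed example of steps S112 to S116 (not code from the patent).
# Assumptions: the ACL is a list of dicts; the association relation between two
# pieces of target data is an explicit set of unordered pairs.

PRESET_RATIO = 0.70  # 70 %, as in the patent's example


def is_associated(target: str, hist_target: str, relations: set) -> bool:
    return (target, hist_target) in relations or (hist_target, target) in relations


def target_ratio(acl: list, src_ip: str, target: str, relations: set):
    """S112-S114: share of associated historical target data that were obtainable.
    Returns None when no associated history exists (a case the patent does not cover)."""
    associated = [e for e in acl
                  if e["src_ip"] == src_ip and is_associated(target, e["target"], relations)]
    if not associated:
        return None
    obtainable = sum(1 for e in associated if e["allowed"])
    return obtainable / len(associated)


def decide_by_ratio(acl: list, src_ip: str, target: str, relations: set,
                    preset_ratio: float = PRESET_RATIO):
    """S115-S116: compare with the preset ratio and record the result in the ACL."""
    ratio = target_ratio(acl, src_ip, target, relations)
    if ratio is None:
        return None  # no basis for a decision; the ACL is left unchanged
    allowed = ratio >= preset_ratio
    acl.append({"src_ip": src_ip, "target": target, "allowed": allowed})
    return allowed


def example_acl() -> list:
    """Constructed history for address A (192.0.2.10 is a documentation address)."""
    a = "192.0.2.10"
    return [
        {"src_ip": a, "target": "data B", "allowed": True},
        {"src_ip": a, "target": "data C", "allowed": True},
        {"src_ip": a, "target": "data D", "allowed": True},
        {"src_ip": a, "target": "data E", "allowed": False},
    ]


# Constructed association relation: data A is associated with B, C, D and E.
RELATIONS = {("data A", "data B"), ("data A", "data C"),
             ("data A", "data D"), ("data A", "data E")}

if __name__ == "__main__":
    acl = example_acl()
    print(target_ratio(acl, "192.0.2.10", "data A", RELATIONS))    # 0.75
    print(decide_by_ratio(acl, "192.0.2.10", "data A", RELATIONS))  # True
    print(len(acl))                                                  # 5
```

Note that the rule is entirely per source ip: entries of other addresses never enter the ratio, so a single address cannot inherit permissions from a neighbour's history.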
In a possible implementation of the embodiment of this application, step S1032 is further followed by step S117 (not shown in the figure), step S118 (not shown in the figure), step S119 (not shown in the figure) and step S120 (not shown in the figure), wherein:
Step S117: determine, based on the historical request information, the historical MAC address corresponding to the source ip address.
In this embodiment of the application, many attackers who target industrial control networks may encapsulate their own ip address so that it becomes an ip address the industrial firewall recognises, in order to pass the industrial firewall and enter the industrial control network. The MAC address is the gateway address of the device corresponding to the ip address and is a location-bound address. From the historical request information it is determined that the historical MAC address corresponding to address A is address A1, so that it can subsequently be judged from address A1 whether the current address A is a modified address.
Step S118: obtain the MAC address of the request information.
In this embodiment of the application, the MAC address of request information A is obtained so that it can subsequently be judged whether this MAC address is the same as the historical MAC address. Assume the MAC address of request information A is address A2.
Step S119: determine whether the MAC address is the same as the historical MAC address.
In this embodiment of the application, when the MAC address is the same as the historical MAC address, address A in the current request information A is the same address as the historical address A and has not been modified. When the MAC address differs from the historical MAC address, address A in the current request information A may in reality not be address A but, for example, address B: an attacker has used some means to change address B into address A in order to disrupt the identification result of the industrial firewall.
Step S120: if they are not the same, determine that the source ip address is a modified ip address and determine that the request information is denied the target data.
In this embodiment of the application, taking step S118 as an example, the MAC address is address A2 and the historical MAC address is address A1, so they are not the same; that is, in request information A, address A may be a modified address. It can therefore be determined that address A is a modified address, and request information A is denied data A.
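The ip-to-MAC consistency check of steps S117 to S120, as an added example that is not code from the patent. It assumes each ACL entry records the MAC address seen with the request, normalises MAC spellings before comparing (so "AA-BB-..." and "aa:bb:..." match), and, where the history holds several MACs for one ip, takes the most frequent one as the historical MAC, a choice the patent does not specify. The addresses A1 and A2 of the text are represented by constructed locally administered MACs.

```python
from collections import Counter

# Constructed example of steps S117 to S120 (not code from the patent).
# Assumptions: ACL entries carry a "mac" field; with several historical MACs for
# one ip, the most frequent one is the historical MAC.


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; rejects malformed input instead of comparing it."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def historical_mac(acl: list, src_ip: str):
    """S117: historical MAC for src_ip, or None when the ip has no history."""
    macs = [normalize_mac(e["mac"]) for e in acl if e["src_ip"] == src_ip]
    if not macs:
        return None
    return Counter(macs).most_common(1)[0][0]


def check_ip_mac_consistency(acl: list, src_ip: str, mac: str) -> str:
    """S118/S119: 'consistent', 'modified' or 'no-history'."""
    hist = historical_mac(acl, src_ip)
    if hist is None:
        return "no-history"
    return "consistent" if normalize_mac(mac) == hist else "modified"


def decide_by_mac(acl: list, request: dict):
    """S120: deny and record when the MAC differs from the historical MAC;
    otherwise return None so the remaining checks decide."""
    verdict = check_ip_mac_consistency(acl, request["src_ip"], request["mac"])
    if verdict == "modified":
        acl.append({**request, "allowed": False})
        return False
    return None


def example_acl() -> list:
    """Constructed history: address A (192.0.2.10) was always seen with MAC 'A1'."""
    a, a1 = "192.0.2.10", "02:00:00:00:00:a1"
    return [{"src_ip": a, "target": t, "mac": a1, "allowed": True}
            for t in ("data B", "data C", "data D")]


if __name__ == "__main__":
    acl = example_acl()
    req = {"src_ip": "192.0.2.10", "target": "data A", "mac": "02-00-00-00-00-A2"}
    print(check_ip_mac_consistency(acl, req["src_ip"], req["mac"]))  # modified
    print(decide_by_mac(acl, req))                                    # False
```

A "modified" verdict is a signal worth logging with both MACs attached, since a legitimate hardware replacement at the same ip produces exactly the same mismatch and an operator needs the history to tell the two apart.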
The above embodiment describes an industrial firewall protection method from the perspective of the method flow; the following embodiment describes an industrial firewall protection apparatus 20 from the perspective of virtual modules or virtual units, as detailed below.
An embodiment of this application provides an industrial firewall protection apparatus 20. As shown in FIG. 2, the industrial firewall protection apparatus 20 may specifically include:
a first judging module 201, configured to determine, when request information is received, whether the request information exists in a preset access control list;
a first determining module 202, configured to determine the importance level of the request information when it does not exist;
a second judging module 203, configured to judge, based on the importance level, whether the request information is allowed to obtain target data, the target data being the data the request information needs to obtain;
a first adding module 204, configured to add the request information and the corresponding judgment result to the preset access control list.
By adopting the above technical solution, when request information is received, the current industrial firewall needs to judge whether that request information may pass. The preset access control list is a permission list set in advance that includes multiple pieces of request information that may pass the industrial firewall and multiple pieces that may not. The first judging module 201 determines whether the request information exists in the preset access control list, which establishes whether the industrial firewall can identify the request information: if it exists in the preset access control list, the industrial firewall can identify whether the request information may pass; if it does not, the industrial firewall cannot. In that case the first determining module 202 can determine the importance level of the request information, so that the second judging module 203 judges from the importance level whether the request information is allowed to obtain the target data, the target data being the data the request information needs to obtain, and the first adding module 204 can then add the request information and the corresponding judgment result to the preset access control list. When the same request information is received again, the industrial firewall can determine from the preset access control list whether it may pass, achieving the effect that the industrial firewall adds request information automatically.
In a possible implementation of the embodiment of this application, the first determining module 202, when determining the importance level of the request information, is specifically configured to:
determine the post-level information of the user who uses the destination ip address;
determine the address level of the destination ip address based on the post-level information;
determine the process information of the destination port number on the device corresponding to the destination ip address, the process information corresponding to a preset port level;
sum the address level and the preset port level to obtain the importance level of the request information.
In a possible implementation of the embodiment of this application, the second judging module 203, when judging based on the importance level whether the request information is allowed to obtain the target data, is specifically configured to:
determine whether the source ip address exists in the preset access control list;
if it exists, determine the historical request information corresponding to the source ip address and the historical importance level corresponding to that historical request information, the historical request information being the request information corresponding to the source ip address in the preset access control list;
determine the historical request information corresponding to the highest historical importance level as the target historical request information;
if the highest historical importance level is not less than the importance level and the target historical request information is allowed to obtain the target historical target data, determine that the request information is allowed to obtain the target data, the target historical target data being the target data that the target historical request information needs to obtain;
if the highest historical importance level is less than the importance level and the target historical request information is allowed to obtain the target historical target data, determine that the request information is denied the target data.
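The two module descriptions above (importance level as address level plus preset port level, and the decision against the highest historical importance level) in working form, as an added example that is not code from the patent. The post-level and process-level tables are assumptions, since the patent only states that such mappings exist; the ACL layout and addresses are constructed. Where the target historical request information was itself denied, a case the patent does not state an outcome for, the example denies, the conservative choice, and says so in a comment.

```python
# Constructed example of modules 202 and 203 (not code from the patent).
# The level tables below are assumptions; the patent gives no concrete values.

POST_LEVEL_TO_ADDRESS_LEVEL = {"operator": 1, "engineer": 2, "plant manager": 4}
PROCESS_TO_PORT_LEVEL = {"hmi-viewer": 1, "historian": 2, "plc-programming": 4}


def importance_level(post_level: str, process: str) -> int:
    """Module 202: address level (from the user's post level) + preset port level
    (from the process listening on the destination port)."""
    return POST_LEVEL_TO_ADDRESS_LEVEL[post_level] + PROCESS_TO_PORT_LEVEL[process]


def decide_by_history(acl: list, src_ip: str, importance: int):
    """Module 203. Returns True/False, or None when src_ip has no history
    (the patent then goes on to the channel probe of S106)."""
    history = [e for e in acl if e["src_ip"] == src_ip]
    if not history:
        return None
    target = max(history, key=lambda e: e["importance"])  # target historical request
    if target["importance"] >= importance and target["allowed"]:
        return True   # history already cleared something at least this important
    if target["importance"] < importance and target["allowed"]:
        return False  # asking for more than history ever cleared
    # The target historical request was itself denied: the patent states no
    # outcome for this case. Assumption here: deny, the conservative choice.
    return False


def example_acl() -> list:
    """Constructed history for address A (192.0.2.10)."""
    a = "192.0.2.10"
    return [
        {"src_ip": a, "target": "data B", "importance": 3, "allowed": True},
        {"src_ip": a, "target": "data C", "importance": 6, "allowed": True},
    ]


if __name__ == "__main__":
    acl = example_acl()
    lvl = importance_level("engineer", "historian")          # 2 + 2 = 4
    print(lvl, decide_by_history(acl, "192.0.2.10", lvl))    # 4 True  (6 >= 4)
    lvl = importance_level("plant manager", "plc-programming")  # 4 + 4 = 8
    print(lvl, decide_by_history(acl, "192.0.2.10", lvl))    # 8 False (6 < 8)
```

Because the decision keys on the single highest historical level, one earlier high-importance allow entry is enough to clear every later request of equal or lower level from that source; an operator tuning the level tables should keep that amplification in mind.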
In a possible implementation of the embodiment of this application, the apparatus 20 further includes:
a first obtaining module, configured to obtain the target data when it does not exist;
a generating module, configured to generate data to be output based on the target data and preset tag information;
a first output module, configured to output the data to be output over a preset transmission channel, the preset transmission channel being the transmission channel corresponding to the target data;
a third judging module, configured to determine whether a feedback signal corresponding to the preset tag information is received within a first preset time;
a second adding module, configured to add the request information and the judgment result to the preset access control list.
In a possible implementation of the embodiment of this application, the apparatus 20 further includes:
a recording module, configured to record the acquisition time when the request information is detected to obtain the target data for the first time, provided the request information is allowed to obtain the target data and the importance level is greater than the preset importance level;
a second output module, configured to deny the request information the target data and output the request information when the acquisition time reaches a second preset time.
In a possible implementation of the embodiment of this application, the apparatus 20 further includes:
a fourth judging module, configured to determine whether an association relationship exists between the target data and the historical target data corresponding to each piece of historical request information;
a second obtaining module, configured to obtain the total number of associated historical target data having an association relationship and the number of obtainable data, the obtainable data being those associated historical target data that are allowed to be obtained;
a third determining module, configured to determine a target ratio based on the number and the total number;
a fifth judging module, configured to determine whether the target ratio reaches a preset ratio;
a third adding module, configured to add the request information and the judgment result to the preset access control list.
In a possible implementation of the embodiment of this application, the apparatus 20 further includes:
a third determining module, configured to determine, based on the historical request information, the historical MAC address corresponding to the source ip address;
a third obtaining module, configured to obtain the MAC address of the request information;
a sixth judging module, configured to determine whether the MAC address is the same as the historical MAC address;
a fourth determining module, configured to determine, when they are not the same, that the source ip address is a modified ip address and that the request information is denied the target data.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the industrial firewall protection apparatus 20 described above may refer to the corresponding process in the foregoing method embodiment, and is not repeated here.
An embodiment of this application provides an industrial firewall. As shown in FIG. 3, the industrial firewall 30 shown in FIG. 3 includes a processor 301 and a memory 303, where the processor 301 and the memory 303 are connected, for example via a bus 302. Optionally, the industrial firewall 30 may further include a transceiver 304. It should be noted that in practical applications the number of transceivers 304 is not limited to one, and the structure of the industrial firewall 30 does not limit the embodiment of this application.
The processor 301 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of this application. The processor 301 may also be a combination that implements computing functions, for example a combination of at least one microprocessor, a combination of a DSP and a microprocessor, and so on.
The bus 302 may include a path that carries information between the above components. The bus 302 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, among others. The bus 302 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 3, but this does not mean there is only one bus or one type of bus.
The memory 303 may be a ROM (Read Only Memory) or another type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or another type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
The memory 303 is used to store application program code for executing the solution of this application, and execution is controlled by the processor 301. The processor 301 is used to execute the application program code stored in the memory 303 to implement what is shown in the foregoing method embodiment.
The industrial firewall includes, but is not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and vehicle-mounted terminals (for example vehicle-mounted navigation terminals), and fixed terminals such as digital TVs and desktop computers; it may also be a server or the like. The industrial firewall shown in FIG. 3 is only an example and should not impose any limitation on the functions and scope of use of the embodiment of this application.
An embodiment of this application provides a computer-readable storage medium on which a computer program is stored; when run on a computer, it causes the computer to execute the corresponding content of the foregoing method embodiment. Compared with the related art, in the embodiment of this application, when request information is received, the current industrial firewall needs to judge whether that request information may pass. The preset access control list is a permission list set in advance that includes multiple pieces of request information that may pass the industrial firewall and multiple pieces that may not. Whether the request information exists in the preset access control list is determined, which establishes whether the industrial firewall can identify the request information: if it exists in the preset access control list, the industrial firewall can identify whether the request information may pass; if it does not, the industrial firewall cannot. The importance level of the request information can therefore be determined, and from the importance level it is judged whether the request information is allowed to obtain the target data, the target data being the data the request information needs to obtain, so that the request information and the corresponding judgment result can then be added to the preset access control list. When the same request information is received again, the industrial firewall can determine from the preset access control list whether it may pass, achieving the effect that the industrial firewall adds request information automatically.
It should be understood that although the steps in the flowcharts of the accompanying drawings are shown in sequence as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless expressly stated herein, there is no strict ordering restriction on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the accompanying drawings may include multiple sub-steps or multiple stages; these sub-steps or stages are not necessarily completed at the same moment but may be executed at different moments, and their order of execution is not necessarily sequential, as they may be executed in turn or alternately with at least part of other steps or of the sub-steps or stages of other steps.
The above are only some implementations of this application. It should be pointed out that those of ordinary skill in the art may make several improvements and refinements without departing from the principle of this application, and these improvements and refinements should also be regarded as falling within the scope of protection of this application.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310052420.3A CN116155576B (en) | 2023-02-02 | 2023-02-02 | Industrial firewall protection method, device, industrial firewall and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116155576A true CN116155576A (en) | 2023-05-23 |
| CN116155576B CN116155576B (en) | 2025-08-22 |
Family
ID=86340232
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310052420.3A Active CN116155576B (en) | 2023-02-02 | 2023-02-02 | Industrial firewall protection method, device, industrial firewall and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116155576B (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116155576B (en) | 2025-08-22 |
Similar Documents
| Publication | Title |
|---|---|
| CN111416811B (en) | Unauthorized vulnerability detection method, system, equipment and storage medium |
| US10313322B2 (en) | Distinguishing human-generated input from programmatically-generated input |
| US20160028774A1 (en) | Data Access Policies |
| CN110611723A (en) | A method and device for scheduling service resources |
| US10701179B2 (en) | Adaptive scoring of service requests and determining whether to fulfill service requests |
| CN111726364B (en) | Host intrusion prevention method, system and related device |
| WO2020000749A1 (en) | Method and apparatus for detecting unauthorized vulnerabilities |
| US11630895B2 (en) | System and method of changing the password of an account record under a threat of unlawful access to user data |
| CN116611058A (en) | Ransomware detection method and related system |
| EP3172692A1 (en) | Remedial action for release of threat data |
| CN110069911A (en) | Access control method, device, system, electronic equipment and readable storage medium |
| CN119167386A (en) | API interface request access control method, device, computer equipment and storage medium |
| WO2019052469A1 (en) | Network request processing method and apparatus, electronic device, and storage medium |
| CN103067465B (en) | File sharing method and system |
| CN114401126A (en) | Interface safety monitoring method and device |
| US11425162B2 (en) | Detection of malicious C2 channels abusing social media sites |
| US8635692B2 (en) | System and method for user friendly detection of spammers |
| CN116155576B (en) | Industrial firewall protection method, device, industrial firewall and medium |
| CN118337403B (en) | Attack path restoration method and device based on IOC, electronic equipment and medium |
| CN115203676B (en) | Database connection method, database connection device, proxy server and medium |
| WO2020238971A1 (en) | File sharing method, apparatus and system, server, terminal, and storage medium |
| US12132758B1 (en) | Host-level bot detection |
| CN116938821A (en) | Data flow limiting method, device, computer equipment and storage medium |
| CN116405578A (en) | Asset identification method and device |
| CN113836371A (en) | Security event display method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| GR01 | Patent grant | | |
