US20230095354A1 - Methods and systems of a software data diode-tcp proxy with udp across a wan - Google Patents

Methods and systems of a software data diode-tcp proxy with udp across a wan Download PDF

Info

Publication number
US20230095354A1
US20230095354A1 US17/807,669 US202217807669A US2023095354A1 US 20230095354 A1 US20230095354 A1 US 20230095354A1 US 202217807669 A US202217807669 A US 202217807669A US 2023095354 A1 US2023095354 A1 US 2023095354A1
Authority
US
United States
Prior art keywords
wan
point
data diode
protocol
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US17/807,669
Inventor
Ron David Victor
Dhawal Tyagi
Srivatsan Rajagopal
Dhruva Narasimhan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Iotium Inc
Original Assignee
Iotium Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US16/855,223 external-priority patent/US20210044564A1/en
Application filed by Iotium Inc filed Critical Iotium Inc
Priority to US17/807,669 priority Critical patent/US20230095354A1/en
Publication of US20230095354A1 publication Critical patent/US20230095354A1/en
Assigned to CANTOR FITZGERALD SECURITIES reassignment CANTOR FITZGERALD SECURITIES SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: VIEW, INC.
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029Firewall traversal, e.g. tunnelling or, creating pinholes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/133Protocols for remote procedure calls [RPC]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/563Data redirection of data network streams
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/164Adaptation or special uses of UDP protocol
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/168Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] specially adapted for link layer protocols, e.g. asynchronous transfer mode [ATM], synchronous optical network [SONET] or point-to-point protocol [PPP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer

Definitions

  • This application relates generally to computer networking, and more specifically to a system, article of manufacture and method for implementing a software data diode-TCP proxy with UDP across a WAN.
  • Machines are used in everyday manufacturing, building automation and industrial automation tasks. For security reasons, access to these machines may be restricted to local physical access (e.g. air-gapped). There is a need to reduce costs of machine operations. A model of choice is to do so remotely either via Internet or Private WAN Network. Security by isolation may be prohibitively expensive for this class of application.
  • Traditional IT-Based remote connectivity technologies such as VPN and agent-based solutions have been designed for office and date center and site-to-site environments and does not operationally scale to be developed and managed in a distributed non—IT enabled environments.
  • the control plane overhead on maintaining the Privacy and Authentication aspects of the security is so expensive that largely that is left unmanaged—leading to loss of date plane security to inadequate management
  • data diodes are generally hardware devices used in the industrial environment to restrict and guarantee flow of information one way. Typically, this is used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices.
  • Applications are often being hosted in the cloud and similar semantics is currently not available across the WAN/Internet when devices connect to the remote applications.
  • a computerized method for implementing a software data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising.
  • the method includes the step of providing a WAN data diode using a uni-directional semantics protocol.
  • the method includes the step of providing a set of data diode proxies in either end of a point-to-point WAN link.
  • the method includes the step of providing a symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link.
  • the method includes the step of employing a uni-directional protocol in the WAN communication.
  • the method includes the step of, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.
  • FIG. 1 illustrates an example process for implementing a hybrid-cloud OT network, according to some embodiments.
  • FIG. 2 illustrates an example process for implementing OT-Proxies, according to some example embodiments.
  • FIG. 3 illustrates an example process for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments.
  • FIG. 4 illustrates an example process for implementing an automated centralized firewall for industrial IOT wan fabric, according to some embodiments.
  • FIG. 5 illustrates an example process for implementing application migration across the wan, according to some embodiments.
  • FIG. 6 illustrates an example process for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments.
  • the schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
  • Data diode can be a network appliance or device that allows data to travel in only one direction.
  • DNAT Destination network address translation
  • Edge device is a device which provides an entry point into differently managed enterprise or service provider core networks, such as, inter alia: such as an enterprise IT network or Service Provider Core network. Examples include routers, routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices. Edge devices also provide connections into carrier and service provider networks or connections between OT and Enterprise IT networks.
  • enterprise or service provider core networks such as, inter alia: such as an enterprise IT network or Service Provider Core network. Examples include routers, routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices. Edge devices also provide connections into carrier and service provider networks or connections between OT and Enterprise IT networks.
  • IIoT Industrial Internet of Things
  • IoT Internet of things
  • IoT Internet of things
  • Key management refers to management of cryptographic keys in a cryptosystem. This can include dealing with the generation, exchange, storage, use, crypto-shredding (e.g. destruction) and replacement of keys. It can include cryptographic protocol design, key servers, user procedures, and/or other relevant protocols.
  • Operational Technology includes the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices.
  • Operational Technology (OT) Proxies are boundary devices which implement and enforces the necessary protocol translation and security semantics needed for interconnected OT network elements (devices and applications) to talk to each other, often through and over a different network—such as an Enterprise IT network or third-party carrier and service provider networks.
  • Proxy authentication can serve as access-control. Proxy authentication can provide a mechanism that blocks requests for content until a valid access-permission credentials to the proxy is provided.
  • Remote procedure call is when a computer program causes a procedure (e.g. subroutine) to execute in a different address space (e.g. on another computer on a shared network), which is coded as if it were a normal (e.g. local) procedure call, without the programmer explicitly coding the details for the remote interaction.
  • a procedure e.g. subroutine
  • a different address space e.g. on another computer on a shared network
  • Stream is a sequence of data elements made available over time.
  • Transmission Control Protocol is one of the main protocols of the Internet protocol suite. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.
  • Tunneling protocol can be a communications protocol that allows for the movement of data from one network to another. It can involve allowing a private network communication to be sent across a public network.
  • UDP User Datagram Protocol
  • IP Internet Protocol
  • FIG. 1 illustrates an example process 100 for implementing a hybrid-cloud OT network, according to some embodiments.
  • process 100 provides a hybrid-cloud OT network that can scale to n-number segmented communication channels (e.g. hundreds of thousands of segmented communication channels, etc.).
  • process 100 can provide dynamic communication channels for hybrid-cloud OT network. These communication channels are not necessarily always-on.
  • process 100 can implement geographic distribution of the hybrid-cloud OT network. For example, the hybrid-cloud OT network can be distributed to the geographic locations of machines, applications and humans.
  • process 100 can implement auditable access control for hybrid-cloud OT network. This can be done for security and compliance.
  • the hybrid-cloud OT network minimal operational overhead.
  • Process 100 can connect OT networks in one location to those in other locations (e.g. a factory floor, building, public cloud, private data center, etc.
  • Machine Access Firewall Comprehensive Access Control for Mission Critical Industrial Machines by Humans and Applications
  • OT-Proxies can be implemented. OT-Proxies provide a scalable solution and utilize a converged firewall. OT-Proxies can be used to connect people, applications and machines in a secure, controlled and auditable manner in a distributed, micro-network, multi-tenanted environment. OT-Proxies can be implemented in brownfield networks and/or device environments with no additional forklift upgrade of the already functional end devices and applications. In addition, OT-Proxies can increase operational efficiency of a system where the privacy and authentication aspects of security for the system are covered automatically.
  • Example of OT technologies include, inter alia: converting one type of network (e.g. a serial network to ethernet) to another, converting Modbus based messages to time series based JSON messages, enforcing that only specific protocols are allowed and rest are blocked etc.
  • network e.g. a serial network to ethernet
  • Modbus based messages to time series based JSON messages
  • FIG. 2 illustrates an example process 200 for implementing machine identify firewall, according to some example embodiments.
  • process 200 can implement a bi-directional RPC-style channels within a uni-directional HTTPS tunnel. This model can be used for both locale and remote connectivity. Tunnel end points are at each application and with which to connect in a peer-to-peer format. Peer-to-peer communication channels lends itself well to both segmented and scalable implementation.
  • process 200 can implement a proxy authentication and stream-binder on behalf of entities which cannot embed a native-tunnel endpoints.
  • the proxy end points convert one authentication format to another and bridges one communication path to the next. This can be used for an implementation in brownfield environments (e.g. an asset base of millions of machines, legacy applications, etc.).
  • process 200 can implement key management infrastructure for security key management. This can eliminate IT department's overhead associated with it.
  • process 200 can implement a stream firewall.
  • the stream firewall provides access control on a segmented per-stream basis (e.g. a human access stream, an application stream for each end device, etc.).
  • data diodes are hardware devices used in an industrial environment to restrict and guarantee flow of information one way.
  • data diodes can be used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices.
  • Applications can be hosted in a cloud-computing platform and similar semantics may not be available across a WAN/Internet when devices connect to the remote applications.
  • FIG. 3 illustrates an example process 300 for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments.
  • process 300 can implement a WAN data diode with uni-directional semantics.
  • process 300 can provide symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN.
  • a semantic network can be a knowledge base that represents semantic relations between concepts in a network (e.g. in terms of a diode semantic, a secure proxy semantic, etc.).
  • process 300 can implement this through data diode proxies in either end of the point to point WAN link.
  • a point-to-point WAN link can provide basic network connectivity between two sites, for example.
  • the proxies at both ends communicate with each other across the WAN via an encapsulating Uni-directional protocol.
  • Bi-directional protocols such as TCP is inherently is bi-directional (e.g. with Acks flowing the other direction).
  • the WAN communication employ a uni-directional protocol in step 308 .
  • An example uni-directional protocol can include UDP.
  • Process 300 can pack/unpack the data formats into the uni-directional protocol encapsulation.
  • the data diode proxies terminate data channels on either end and/or transport requisite information across the WAN over this pre-agreed upon uni-directional protocol.
  • This change in carrier can be used to eliminate direct communication between the two ends (e.g. a device end and application end) and thereby enforcing both a diode semantic and a secure proxy semantic (e.g. including additional encryption).
  • FIG. 4 illustrates an example process 400 for implementing an automatic centralized firewall for industrial IOT WAN fabric, according to some embodiments.
  • Process 400 can provide a centralized cloud-managed auto-learning micro-network firewalls for large scale WAN distributed machine and application networks.
  • process 400 provides that the automatic centralized firewall strictly operates in a white-listed manner.
  • process 400 automatically discovers various subnet end points and their network address ranges for each network.
  • process 400 creates flow rules at both ends of the network. This can be from the machine network end and from the remote access networks.
  • process 400 implements a bookended firewall.
  • Process 400 can eliminate DDOS of the WAN fabric while providing appropriate access control to machines and applications.
  • Process 400 can have a low rollout and low deployment costs.
  • Process 400 can be implemented with COTS hardware.
  • Process 400 can centralize control and distributes enforcement.
  • Process 400 can provide both firewall and DDOS protection at the same time.
  • FIG. 5 illustrates an example process 500 for implementing application migration across the wan, according to some embodiments.
  • Process 500 provides a mechanism for secure application migration.
  • Process 500 can leverage the same channels used to migrate data securely.
  • Process 500 can automatically reuse cloud-based applications at an edge device and vice versa.
  • Process 500 can implement application migration in an industrial context.
  • process 500 can migrate Windows®-based applications from a factory floor to a central DC/Cloud platform.
  • process 500 can migrate cloud-native microservices applications to edge device.
  • Process 500 does not mandate changes/rewrite of the applications.
  • Process 500 does not implement invasive changes to network planning or configuration.
  • Process 500 can provide OT-Proxies integrated with edge compute system to facilitate migration of applications across the WAN.
  • Process 500 can facilitate the management and operations of such applications is the separation of the infrastructure layer from the Application runtime.
  • Process 500 provides a multi-tenant management such that the data scientist can own and manage the application without having to take on additional ownership and management overhead of the infrastructure in the factory floor (e.g. can be left to the network and security teams, etc.).
  • FIG. 6 illustrates an example process 600 for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments (e.g. discovery and mutual Static Network Address Translation (SHA1)/GNAT).
  • process 600 can discover a subnet addressing across two networks.
  • process 600 can automatically configure representational address to plumb machines to central applications.
  • Process 600 provides a scalable deployment model for IPv4 based large scale building networks.
  • Process 600 can represent remote networks differently.
  • Process 600 can prevent/reduce cost of forklift upgrade to IPv6 for scale.
  • Late binding labels for rapid deployment at scale can be implemented. This can be done by decoupling actual resources from configuration schemas to allow for late bind deployments.
  • Per machine independent keys for data plane and management plane can be implemented.
  • Edge strategy can be implemented to solve this problem in locations where physical device security is solved as opposed to per device keys.
  • Machine management can be decoupled from data acquisition. There can be complete separation of the operation plane and data plane.
  • OT-Proxies for IIoT can be provided as a secure model for onboarding air-gapped brownfield assets to the Internet/WAN.
  • the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
  • the machine-readable medium can be a non-transitory form of machine-readable medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed herein are various systems, apparatuses, software, and methods relating to data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) providing a WAN data diode using a uni-directional semantics protocol, providing a set of data diode proxies in either end of a point-to-point WAN link, providing a symmetric key encryption semantics to extend the WAN data diode securely across a WAN that is specified, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link, employing a unidirectional protocol in communication transmitted using the WAN and, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of U.S. application Ser. No. 16/876,115, titled METHODS AND SYSTEMS OF A SOFTWARE DATA DIODE-TCP PROXY WITH UDP ACROSS A WAN, and filed 18 May 2020, which is a continuation of U.S. Application No. 1685525, titled METHODS AND SYSTEMS OF A MACHINE ACCESS FIREWALL filed on 22 Apr. 2020. U.S. Application No. 1685525 claims priority to U.S. Provisional Application No. 62/837,038, titled METHODS AND SYSTEMS OF A HYBRID-CLOUD OT NETWORK filed on 22 Apr. 2019. These applications are incorporated by reference in their entirety.
  • BACKGROUND 1. Field
  • This application relates generally to computer networking, and more specifically to a system, article of manufacture and method for implementing a software data diode-TCP proxy with UDP across a WAN.
  • 2. Related Art
  • Machines are used in everyday manufacturing, building automation and industrial automation tasks. For security reasons, access to these machines may be restricted to local physical access (e.g. air-gapped). There is a need to reduce costs of machine operations. A model of choice is to do so remotely either via Internet or Private WAN Network. Security by isolation may be prohibitively expensive for this class of application. Traditional IT-Based remote connectivity technologies such as VPN and agent-based solutions have been designed for office and date center and site-to-site environments and does not operationally scale to be developed and managed in a distributed non—IT enabled environments. The control plane overhead on maintaining the Privacy and Authentication aspects of the security is so expensive that largely that is left unmanaged—leading to loss of date plane security to inadequate management
  • Moreover; data diodes are generally hardware devices used in the industrial environment to restrict and guarantee flow of information one way. Typically, this is used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices. Applications are often being hosted in the cloud and similar semantics is currently not available across the WAN/Internet when devices connect to the remote applications.
  • BRIEF SUMMARY OF THE INVENTION
  • In one aspect, a computerized method for implementing a software data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising. The method includes the step of providing a WAN data diode using a uni-directional semantics protocol. The method includes the step of providing a set of data diode proxies in either end of a point-to-point WAN link. The method includes the step of providing a symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link. The method includes the step of employing a uni-directional protocol in the WAN communication. The method includes the step of, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates an example process for implementing a hybrid-cloud OT network, according to some embodiments.
  • FIG. 2 illustrates an example process for implementing OT-Proxies, according to some example embodiments.
  • FIG. 3 illustrates an example process for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments.
  • FIG. 4 illustrates an example process for implementing an automated centralized firewall for industrial IOT wan fabric, according to some embodiments.
  • FIG. 5 illustrates an example process for implementing application migration across the wan, according to some embodiments.
  • FIG. 6 illustrates an example process for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments.
  • The Figures described above are a representative set and are not an exhaustive with respect to embodying the invention.
  • DESCRIPTION
  • Disclosed are a system, method, and article of manufacture of a software data diode-TCP proxy with UDP across a WAN. the following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein can be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments.
  • Reference throughout this specification to “one embodiment,” “an embodiment,” ‘one example,’ or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
  • Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art can recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
  • The schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
  • Definitions
  • Example definitions for some embodiments are now provided.
  • Data diode can be a network appliance or device that allows data to travel in only one direction.
  • Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of an end route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet.
  • Edge device is a device which provides an entry point into differently managed enterprise or service provider core networks, such as, inter alia: such as an enterprise IT network or Service Provider Core network. Examples include routers, routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices. Edge devices also provide connections into carrier and service provider networks or connections between OT and Enterprise IT networks.
  • Industrial Internet of Things (IIoT) refers to interconnected sensors, instruments, and other devices networked together with computers' industrial applications, including, but not limited to, manufacturing and energy management. This connectivity enables data collection, exchange and analysis, potentially facilitating improvements in productivity and efficiency as well as other economic benefits.
  • Internet of things (IoT) extends Internet connectivity into physical devices and various objects. Embedded with electronics, Internet connectivity, and other forms of hardware (e.g. sensors), these devices can communicate and interact with others over the Internet, and they can be remotely monitored and controlled.
  • Key management refers to management of cryptographic keys in a cryptosystem. This can include dealing with the generation, exchange, storage, use, crypto-shredding (e.g. destruction) and replacement of keys. It can include cryptographic protocol design, key servers, user procedures, and/or other relevant protocols.
  • Operational Technology (OT) includes the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices.
  • Operational Technology (OT) Proxies are boundary devices which implement and enforces the necessary protocol translation and security semantics needed for interconnected OT network elements (devices and applications) to talk to each other, often through and over a different network—such as an Enterprise IT network or third-party carrier and service provider networks.
  • Proxy authentication can serve as access-control. Proxy authentication can provide a mechanism that blocks requests for content until a valid access-permission credentials to the proxy is provided.
  • Remote procedure call (RPC) is when a computer program causes a procedure (e.g. subroutine) to execute in a different address space (e.g. on another computer on a shared network), which is coded as if it were a normal (e.g. local) procedure call, without the programmer explicitly coding the details for the remote interaction.
  • Stream is a sequence of data elements made available over time.
  • Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.
  • Tunneling protocol can be a communications protocol that allows for the movement of data from one network to another. It can involve allowing a private network communication to be sent across a public network.
  • User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite used by computer applications to send messages (e.g. datagrams) to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths.
  • Example Methods
  • FIG. 1 illustrates an example process 100 for implementing a hybrid-cloud OT network, according to some embodiments. In step 102, process 100 provides a hybrid-cloud OT network that can scale to n-number segmented communication channels (e.g. hundreds of thousands of segmented communication channels, etc.). In step 104, process 100 can provide dynamic communication channels for hybrid-cloud OT network. These communication channels are not necessarily always-on. In step 106, process 100 can implement geographic distribution of the hybrid-cloud OT network. For example, the hybrid-cloud OT network can be distributed to the geographic locations of machines, applications and humans. In step 108, process 100 can implement auditable access control for hybrid-cloud OT network. This can be done for security and compliance. The hybrid-cloud OT network minimal operational overhead. Process 100 can connect OT networks in one location to those in other locations (e.g. a factory floor, building, public cloud, private data center, etc.
  • Machine Access Firewall: Comprehensive Access Control for Mission Critical Industrial Machines by Humans and Applications
  • It is noted that OT-Proxies can be implemented. OT-Proxies provide a scalable solution and utilize a converged firewall. OT-Proxies can be used to connect people, applications and machines in a secure, controlled and auditable manner in a distributed, micro-network, multi-tenanted environment. OT-Proxies can be implemented in brownfield networks and/or device environments with no additional forklift upgrade of the already functional end devices and applications. In addition, OT-Proxies can increase operational efficiency of a system where the privacy and authentication aspects of security for the system are covered automatically.
  • Example of OT technologies include, inter alia: converting one type of network (e.g. a serial network to ethernet) to another, converting Modbus based messages to time series based JSON messages, enforcing that only specific protocols are allowed and rest are blocked etc.
  • FIG. 2 illustrates an example process 200 for implementing machine identify firewall, according to some example embodiments. In step 202, process 200 can implement a bi-directional RPC-style channels within a uni-directional HTTPS tunnel. This model can be used for both locale and remote connectivity. Tunnel end points are at each application and with which to connect in a peer-to-peer format. Peer-to-peer communication channels lends itself well to both segmented and scalable implementation.
  • In step 204, process 200 can implement a proxy authentication and stream-binder on behalf of entities which cannot embed a native-tunnel endpoints. The proxy end points convert one authentication format to another and bridges one communication path to the next. This can be used for an implementation in brownfield environments (e.g. an asset base of millions of machines, legacy applications, etc.).
  • In step 206, process 200 can implement key management infrastructure for security key management. This can eliminate IT department's overhead associated with it.
  • In step 208, process 200 can implement a stream firewall. The stream firewall provides access control on a segmented per-stream basis (e.g. a human access stream, an application stream for each end device, etc.).
  • Software Data Diode—TCP Proxy with UDP Across the WAN—Extending Conceptual Data Diodes Across the Internet
  • It is noted that data diodes are hardware devices used in an industrial environment to restrict and guarantee flow of information one way. For example, data diodes can be used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices. Applications can be hosted in a cloud-computing platform and similar semantics may not be available across a WAN/Internet when devices connect to the remote applications.
  • FIG. 3 illustrates an example process 300 for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments. In step 302, process 300 can implement a WAN data diode with uni-directional semantics. In step 304, process 300 can provide symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN. A semantic network can be a knowledge base that represents semantic relations between concepts in a network (e.g. in terms of a diode semantic, a secure proxy semantic, etc.).
  • In step 306, process 300 can implement this through data diode proxies in either end of the point to point WAN link. A point-to-point WAN link can provide basic network connectivity between two sites, for example. The proxies at both ends communicate with each other across the WAN via an encapsulating Uni-directional protocol. Bi-directional protocols such as TCP is inherently is bi-directional (e.g. with Acks flowing the other direction). In order to eliminate any back channel, the WAN communication employ a uni-directional protocol in step 308. An example uni-directional protocol can include UDP. Process 300 can pack/unpack the data formats into the uni-directional protocol encapsulation.
  • In step 310, the data diode proxies terminate data channels on either end and/or transport requisite information across the WAN over this pre-agreed upon uni-directional protocol. This change in carrier can be used to eliminate direct communication between the two ends (e.g. a device end and application end) and thereby enforcing both a diode semantic and a secure proxy semantic (e.g. including additional encryption).
  • Automatic Centralized Firewall for Industrial IOT WAN Fabric
  • FIG. 4 illustrates an example process 400 for implementing an automatic centralized firewall for industrial IOT WAN fabric, according to some embodiments. Process 400 can provide a centralized cloud-managed auto-learning micro-network firewalls for large scale WAN distributed machine and application networks. In step 402, process 400 provides that the automatic centralized firewall strictly operates in a white-listed manner. In step 404, process 400 automatically discovers various subnet end points and their network address ranges for each network. In step 406, process 400 creates flow rules at both ends of the network. This can be from the machine network end and from the remote access networks. In step 408, process 400 implements a bookended firewall. Process 400 can eliminate DDOS of the WAN fabric while providing appropriate access control to machines and applications. Process 400 can have a low rollout and low deployment costs. Process 400 can be implemented with COTS hardware. Process 400 can centralize control and distributes enforcement. Process 400 can provide both firewall and DDOS protection at the same time.
  • Application Migration Across the WAN
  • FIG. 5 illustrates an example process 500 for implementing application migration across the wan, according to some embodiments. Process 500 provides a mechanism for secure application migration. Process 500 can leverage the same channels used to migrate data securely. Process 500 can automatically reuse cloud-based applications at an edge device and vice versa. Process 500 can implement application migration in an industrial context. In step 502, process 500 can migrate Windows®-based applications from a factory floor to a central DC/Cloud platform. In step 504, process 500 can migrate cloud-native microservices applications to edge device. Process 500 does not mandate changes/rewrite of the applications. Process 500 does not implement invasive changes to network planning or configuration. Process 500 can provide OT-Proxies integrated with edge compute system to facilitate migration of applications across the WAN.
  • It is noted that application migration across the WAN (e.g. from factory to Cloud and vice versa) can be enforced without changes to management and ownership of the application. Process 500 can facilitate the management and operations of such applications is the separation of the infrastructure layer from the Application runtime. Process 500 provides a multi-tenant management such that the data scientist can own and manage the application without having to take on additional ownership and management overhead of the infrastructure in the factory floor (e.g. can be left to the network and security teams, etc.).
  • Additional Methods and Systems
  • FIG. 6 illustrates an example process 600 for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments (e.g. discovery and mutual Static Network Address Translation (SHA1)/GNAT). In step 602, process 600 can discover a subnet addressing across two networks. In step 604, process 600 can automatically configure representational address to plumb machines to central applications. Process 600 provides a scalable deployment model for IPv4 based large scale building networks. Process 600 can represent remote networks differently. Process 600 can prevent/reduce cost of forklift upgrade to IPv6 for scale.
  • Late binding labels for rapid deployment at scale can be implemented. This can be done by decoupling actual resources from configuration schemas to allow for late bind deployments.
  • Per machine independent keys for data plane and management plane can be implemented. Edge strategy can be implemented to solve this problem in locations where physical device security is solved as opposed to per device keys. Machine management can be decoupled from data acquisition. There can be complete separation of the operation plane and data plane.
  • Risk mitigation and incremental migration of automation services to a cloud-platform can be provided. Single-click network sharing across disparate organizations/third parties and machine interfaces can be extended across untrusted networks. OT-Proxies for IIoT can be provided as a secure model for onboarding air-gapped brownfield assets to the Internet/WAN.
  • CONCLUSION
  • Although the present embodiments have been described with reference to specific example embodiments, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the various embodiments. For example, the various devices, modules, etc. described herein can be enabled and operated using hardware circuitry, firmware, software or any combination of hardware, firmware, and software (e.g., embodied in a machine-readable medium).
  • In addition, it can be appreciated that the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. In some embodiments, the machine-readable medium can be a non-transitory form of machine-readable medium.

Claims (2)

1. A computerized method for implementing a software data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising:
providing a WAN data diode using a uni-directional semantics protocol;
providing a set of data diode proxies in either end of a point-to-point WAN link;
providing a symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link;
employing a uni-directional protocol in the WAN communication; and
with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.
2.-16. (canceled)
US17/807,669 2019-04-22 2022-06-17 Methods and systems of a software data diode-tcp proxy with udp across a wan Abandoned US20230095354A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/807,669 US20230095354A1 (en) 2019-04-22 2022-06-17 Methods and systems of a software data diode-tcp proxy with udp across a wan

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201962837038P 2019-04-22 2019-04-22
US16/855,223 US20210044564A1 (en) 2019-04-22 2020-04-22 Methods and systems of a machine access firewall
US16/876,115 US11394812B2 (en) 2019-04-22 2020-05-18 Methods and systems of a software data diode-TCP proxy with UDP across a WAN
US17/807,669 US20230095354A1 (en) 2019-04-22 2022-06-17 Methods and systems of a software data diode-tcp proxy with udp across a wan

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US16/876,115 Continuation US11394812B2 (en) 2019-04-22 2020-05-18 Methods and systems of a software data diode-TCP proxy with UDP across a WAN

Publications (1)

Publication Number Publication Date
US20230095354A1 true US20230095354A1 (en) 2023-03-30

Family

ID=74869939

Family Applications (2)

Application Number Title Priority Date Filing Date
US16/876,115 Active US11394812B2 (en) 2019-04-22 2020-05-18 Methods and systems of a software data diode-TCP proxy with UDP across a WAN
US17/807,669 Abandoned US20230095354A1 (en) 2019-04-22 2022-06-17 Methods and systems of a software data diode-tcp proxy with udp across a wan

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US16/876,115 Active US11394812B2 (en) 2019-04-22 2020-05-18 Methods and systems of a software data diode-TCP proxy with UDP across a WAN

Country Status (1)

Country Link
US (2) US11394812B2 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060195592A1 (en) * 2005-02-28 2006-08-31 Alcatel HTTP use for bidirectional communication
US20100290476A1 (en) * 2009-05-18 2010-11-18 Tresys Technology, Llc One-Way Router
US20150264056A1 (en) * 2014-03-17 2015-09-17 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer business transactional data between networks having different levels of network protection using barcode technology with data diode network security appliance
US20170374027A1 (en) * 2014-01-30 2017-12-28 Sierra Nevada Corporation Bi-directional data security for control systems
US20190327086A1 (en) * 2018-04-24 2019-10-24 Bartosz Slowik Reciprocal data mirror system and method of data security
US20200033839A1 (en) * 2017-03-31 2020-01-30 Abb Schweiz Ag Rule-based communicating of equipment data from an industrial system to an analysis system using uni-directional interfaces

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020112181A1 (en) * 2000-12-12 2002-08-15 Smith Mark Elwin Multilevel secure network access system
US7486695B1 (en) 2003-12-22 2009-02-03 Sun Microsystems, Inc. Method and apparatus for data communication tunneling channels
US7603696B2 (en) 2005-06-10 2009-10-13 Intel Corporation Hybrid distributed firewall apparatus, systems, and methods
US20070022289A1 (en) 2005-07-20 2007-01-25 Mci, Inc. Method and system for providing secure credential storage to support interdomain traversal
US20100027563A1 (en) 2008-07-31 2010-02-04 Microsoft Corporation Evolution codes (opportunistic erasure coding) platform
US10177933B2 (en) 2014-02-05 2019-01-08 Apple Inc. Controller networks for an accessory management system
US9392053B2 (en) 2014-02-21 2016-07-12 Dell Products L.P. Generic transcoding service with library attachment
US11343226B2 (en) 2016-02-26 2022-05-24 Cable Television Laboratories, Inc. Systems and methods for micro network segmentation
US10243926B2 (en) 2016-04-08 2019-03-26 Cisco Technology, Inc. Configuring firewalls for an industrial automation network
ES2699202T3 (en) 2016-09-06 2019-02-07 Siemens Ag Data processing system for data acquisition from a network of devices using remote platform gateways and method to operate a data processing system for data acquisition from a device network by remote platform gateways
US10270745B2 (en) 2016-10-24 2019-04-23 Fisher-Rosemount Systems, Inc. Securely transporting data across a data diode for secured process control communications
US11258681B2 (en) 2016-12-16 2022-02-22 Nicira, Inc. Application assessment and visibility for micro-segmentation of a network deployment
US10038671B2 (en) 2016-12-31 2018-07-31 Fortinet, Inc. Facilitating enforcement of security policies by and on behalf of a perimeter network security device by providing enhanced visibility into interior traffic flows
US20190394170A1 (en) 2017-02-27 2019-12-26 Alireza Shameli-Sendi Firewall rule set composition and decomposition
US10785190B2 (en) 2017-12-13 2020-09-22 Adaptiv Networks Inc. System, apparatus and method for providing a unified firewall manager
WO2019123447A1 (en) 2017-12-24 2019-06-27 Arilou Information Security Technologies Ltd. System and method for tunnel-based malware detection
US20190260831A1 (en) 2018-02-22 2019-08-22 General Electric Company Distributed integrated fabric
US11057433B2 (en) 2018-08-01 2021-07-06 Jpmorgan Chase Bank, N.A. System for and method of determining data connections between software applications
US20210084012A1 (en) * 2019-04-22 2021-03-18 Ronald David Victor Methods and systems of an automatic centralized firewall for industrial iot wan fabric

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060195592A1 (en) * 2005-02-28 2006-08-31 Alcatel HTTP use for bidirectional communication
US20100290476A1 (en) * 2009-05-18 2010-11-18 Tresys Technology, Llc One-Way Router
US20170374027A1 (en) * 2014-01-30 2017-12-28 Sierra Nevada Corporation Bi-directional data security for control systems
US20150264056A1 (en) * 2014-03-17 2015-09-17 Saudi Arabian Oil Company Systems, methods, and computer medium to securely transfer business transactional data between networks having different levels of network protection using barcode technology with data diode network security appliance
US20200033839A1 (en) * 2017-03-31 2020-01-30 Abb Schweiz Ag Rule-based communicating of equipment data from an industrial system to an analysis system using uni-directional interfaces
US20190327086A1 (en) * 2018-04-24 2019-10-24 Bartosz Slowik Reciprocal data mirror system and method of data security

Also Published As

Publication number Publication date
US11394812B2 (en) 2022-07-19
US20210084124A1 (en) 2021-03-18

Similar Documents

Publication Publication Date Title
EP3522485B1 (en) Application-aware firewall policy enforcement by data center controller
US10887220B2 (en) Application identifier in service function chain metadata
EP3700132B1 (en) Supporting compilation and extensibility on unified graph-based intent models
CN107409089B (en) Method implemented in network engine and virtual network function controller
US10171590B2 (en) Accessing enterprise communication systems from external networks
US20150049631A1 (en) Topology aware provisioning in a software-defined networking environment
US20230254221A1 (en) Model driven intent policy conflict detection and resolution through graph analysis
US11611474B2 (en) Edge controller with network performance parameter support
JP5679343B2 (en) Cloud system, gateway device, communication control method, and communication control program
US11178041B1 (en) Service chaining with physical network functions and virtualized network functions
US11153228B1 (en) Synchronizing device resources for element management systems
EP3952212B1 (en) Using a programmable resource dependency mathematical model to perform root cause analysis
US20210084012A1 (en) Methods and systems of an automatic centralized firewall for industrial iot wan fabric
EP3817293B1 (en) Bulk discovery of devices behind a network address translation device
US20210044564A1 (en) Methods and systems of a machine access firewall
US20240022537A1 (en) Edge device for source identification using source identifier
US20230095354A1 (en) Methods and systems of a software data diode-tcp proxy with udp across a wan
Nimkar et al. Towards full network virtualization in horizontal IaaS federation: security issues
KR20170006950A (en) Network flattening system based on sdn and method thereof
US11700181B2 (en) Topology compiler for network management system
Lee et al. Network Working Group I. Bryskin Internet-Draft Individual Intended status: Informational X. Liu Expires: September 10, 2020 Volta Networks
Rozanak et al. I2NSF BOF S. Hares Internet-Draft Huawei Intended status: Standards Track H. Moskowitz Expires: December 7, 2015 HTT Consulting

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

AS Assignment

Owner name: CANTOR FITZGERALD SECURITIES, NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:VIEW, INC.;REEL/FRAME:065266/0810

Effective date: 20231016

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION