EP-4740362-A1 - COMPUTER-IMPLEMENTED METHOD FOR CONFIGURING A FIREWALL, COMPUTER PROGRAM PRODUCT, COMPUTER-READABLE STORAGE MEDIUM, AND VEHICLE
Abstract
The invention relates to a computer-implemented method for configuring a firewall (1). The firewall (1) filters the network traffic in a computer-supported communication network (2) on the basis of a set of rules defined by the configuration, and the rules in the set of rules are defined on the basis of information relating to at least one computing unit (3) connected to the communication network (2). The firewall (1) is provided by a computing unit (3) connected to the communication network (2). The method according to the invention is characterized by the following steps: a) obtaining network design information (NDI) from at least two computing units (3) connected to the communication network (2), said information describing the permissible network communication within the communication network (2); b) forming a network design summary (NDZ) from a union of the content of at least two of the obtained pieces of network design information (NDI); c) deriving the rules from the network design summary (NDZ) in accordance with the permissible network communication and combining the rules to form the set of rules; and d) configuring the firewall (1) using the set of rules.
Inventors
- YERLIKAYA, METIN LEVENT
- LI, XINYUE
Assignees
- Mercedes-Benz Group AG
Dates
- Publication Date
- 20260513
- Application Date
- 20241210
Claims (10)
- 1. A computer-implemented method for configuring a firewall (1), wherein the firewall (1) filters network traffic in a computer-supported communications network (2) based on a set of rules defined by the configuration, and wherein the rules of the set of rules are determined as a function of information held on at least one computing unit (3) connected to the communications network (2), and wherein the firewall (1) is provided by a computing unit (3) connected to the communications network (2), characterized by the following method steps: a) obtaining network design information (NDI) introduced into at least two computing units (3) connected to the communications network (2), describing the permissible network communication within the communications network (2); b) forming a network design summary (NDZ) from a union of the content of at least two of the obtained network design information (NDI); c) deriving the rules from the network design summary (NDZ) in accordance with the permissible network communication and combining the rules to form the set of rules; and d) configuring the firewall (1) with the set of rules.
- 2. Method according to claim 1, characterized in that at least one of the method steps a) to d), preferably all method steps, are carried out by the same computing unit (3) which also provides the firewall (1).
- 3. Method according to claim 1 or 2, characterized in that properties of the respective network design information (NDI) obtained from the computing units (3) are determined, and only such network design information (NDI) whose properties meet a specified criterion is used to form the network design summary (NDZ).
- 4. Method according to claim 3, characterized in that a network design information (NDI) is used for forming the network design summary (NDZ) when: - a version of the respective network design information (NDI) is more recent than a specified version threshold; or - an implementation timestamp of the respective network design information (NDI), describing the time at which the network design information (NDI) was introduced on the computing unit (3), is more recent than a specified implementation timestamp threshold.
- 5. Method according to claim 4, characterized in that the specified version threshold is determined by: - a fixed number of versions to be considered, starting with the current version and counting backwards version by version; or - the versions of the network design information (NDI) released within a specified period, in particular a rolling period (4) running backwards from the current point in time (t0) over a specified consideration period (Δt).
- 6. The method according to any one of claims 1 to 5, characterized in that, if two items of network design information (NDI) taken into account to form the network design summary (NDZ) contradict each other in at least one aspect of the permissible network communication, the rule relating to that aspect is determined in accordance with a predefined default response.
- 7. Method according to one of claims 1 to 6, characterized in that the firewall (1) filters the network traffic in a vehicle-integrated communication network (2) based on the configuration with the rule set.
- 8. Computer program product, characterized by computer-interpretable instructions which, when executed by a processor, enable a computing unit (3) to carry out a method according to one of claims 1 to 7.
- 9. A computer-readable storage medium characterized by a computer program product according to claim 8.
- 10. Vehicle, characterized by at least one computing unit (3) having at least read access to a computer-readable storage medium according to claim 9.
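The following is an added worked example of method steps a) to d) of claim 1 together with the selection criteria of claims 3 to 5 and the conflict handling of claim 6; it also reproduces the situation the description criticises, where a rule set built from the latest NCD alone drops a flow that an older ECU still relies on. It is illustrative code written for this page, not Mercedes-Benz's implementation or any vehicle's actual NCD. The flow schema (source ECU, destination ECU, protocol, port), the ECU names, the NCD versions, release dates and timestamps, and the text format of the emitted rules are all constructed assumptions; the patent does not specify any of them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical schema for one permitted communication relation in an NCD:
# (source ECU, destination ECU, protocol, destination port). Constructed for this example.
Flow = Tuple[str, str, str, int]

@dataclass(frozen=True)
class NDI:
    """Network design information as obtained from one computing unit (claim 1, step a)."""
    ecu: str                                # ECU the copy was obtained from
    version: int                            # NCD version deployed on that ECU
    implemented_at: datetime                # implementation timestamp (claim 4)
    allowed: FrozenSet[Flow]                # whitelist content
    denied: FrozenSet[Flow] = frozenset()   # blacklist content

def version_threshold(ndis: List[NDI], keep_versions: Optional[int] = None,
                      release_dates: Optional[Dict[int, datetime]] = None,
                      now: Optional[datetime] = None,
                      lookback: Optional[timedelta] = None) -> Optional[int]:
    """Claim 5: the oldest version still considered, either the N-th newest version
    (keep_versions) or the oldest version released in the rolling window (t0 - dt, t0]."""
    if keep_versions is not None:
        versions = sorted({n.version for n in ndis})
        return versions[-keep_versions:][0]
    if lookback is not None:
        in_window = [v for v, rel in release_dates.items() if now - lookback <= rel <= now]
        return min(in_window) if in_window else None
    return None

def select_ndis(ndis: List[NDI], vthresh: Optional[int] = None,
                min_implemented: Optional[datetime] = None) -> List[NDI]:
    """Claims 3-4: keep an NDI if its version meets the version threshold OR its
    implementation timestamp meets the timestamp threshold."""
    keep = []
    for n in ndis:
        by_version = vthresh is not None and n.version >= vthresh
        by_time = min_implemented is not None and n.implemented_at >= min_implemented
        if by_version or by_time:
            keep.append(n)
    return keep

def network_design_summary(ndis: List[NDI]) -> Tuple[FrozenSet[Flow], FrozenSet[Flow]]:
    """Claim 1, step b: the NDZ is the union of the content of the selected NDIs."""
    allowed = frozenset().union(*(n.allowed for n in ndis))
    denied = frozenset().union(*(n.denied for n in ndis))
    return allowed, denied

def derive_rules(allowed: FrozenSet[Flow], denied: FrozenSet[Flow],
                 default: str = "deny") -> Dict[Flow, str]:
    """Claim 1, step c, and claim 6: one rule per flow; a flow that one NDI allows
    and another denies is contradictory and receives the default response."""
    rules = {}
    for flow in allowed | denied:
        if flow in allowed and flow in denied:
            rules[flow] = default
        else:
            rules[flow] = "allow" if flow in allowed else "deny"
    return rules

def render_rule_set(rules: Dict[Flow, str]) -> List[str]:
    """Claim 1, step d: serialise the rule set in a hypothetical whitelist text format
    (explicit rules first, then the implicit final deny) for loading into the firewall."""
    lines = [f"{act} {s} -> {d} {p}/{port}" for (s, d, p, port), act in sorted(rules.items())]
    lines.append("deny any -> any")
    return lines

T0 = datetime(2025, 6, 1)   # current point in time t0 (constructed)

# Constructed sample: three ECUs carrying three different NCD versions.
SAMPLE_NDIS = [
    NDI("tcu", 1, datetime(2024, 3, 1), frozenset({
        ("tcu", "bcm", "tcp", 3000),      # only v1 still describes this flow
        ("ivi", "gateway", "tcp", 22),    # allowed in v1, explicitly denied in v3
    })),
    NDI("bcm", 2, datetime(2024, 9, 1), frozenset({("bcm", "gateway", "udp", 4000)})),
    NDI("gateway", 3, datetime(2025, 2, 1), frozenset({("gateway", "adas", "tcp", 5000)}),
        denied=frozenset({("ivi", "gateway", "tcp", 22)})),
]
RELEASE_DATES = {1: datetime(2024, 1, 15), 2: datetime(2024, 8, 1), 3: datetime(2025, 1, 10)}

def build_rule_set(keep_versions: Optional[int] = None, lookback_days: Optional[int] = None,
                   min_implemented: Optional[str] = None) -> Dict[Flow, str]:
    """Run steps a) to c) over the constructed sample; thresholds are hypothetical."""
    lookback = timedelta(days=lookback_days) if lookback_days is not None else None
    ts = datetime.fromisoformat(min_implemented) if min_implemented else None
    vthresh = version_threshold(SAMPLE_NDIS, keep_versions=keep_versions,
                                release_dates=RELEASE_DATES, now=T0, lookback=lookback)
    allowed, denied = network_design_summary(select_ndis(SAMPLE_NDIS, vthresh, ts))
    return derive_rules(allowed, denied)

if __name__ == "__main__":
    # Latest version only (the status quo the description criticises): tcu -> bcm is lost.
    print("\n".join(render_rule_set(build_rule_set(keep_versions=1))))
    # Union over every version released in the last 18 months: tcu -> bcm survives,
    # ivi -> gateway:22 is contradictory and falls back to the default deny (claim 6).
    print("\n".join(render_rule_set(build_rule_set(lookback_days=548))))
```

Two design points worth noting. The union in step b) is deliberately conservative in one direction only: it never removes a flow an older NDI permits, so a widened window lengthens the whitelist and the consideration period (t0 - Δt, t0] is the knob that bounds how much legacy traffic the firewall keeps accepting. Because of that, the default response of claim 6 should be deny, as here; a default of allow would let a flow that a newer NCD explicitly forbids back through the firewall whenever any older copy still lists it.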
Description
Computer-implemented method for configuring a firewall, computer program product, computer-readable storage medium, and vehicle

The invention relates to a computer-implemented method for configuring a firewall according to the type defined in more detail in the preamble of claim 1, a computer program product, a computer-readable storage medium storing such a computer program product, and a vehicle.

With increasing digitalization, the proportion of computer systems in vehicles is also growing. In addition to sensors and actuators, the on-board electronics include a wide variety of computing units for processing sensor signals, generating control signals, or providing functions. The components of the on-board electronics communicate with each other via a communications network consisting of one or more bus systems, such as a CAN bus, an Ethernet data line, or the like. An in-vehicle computing unit is understood to include, in particular, control units, particularly in the form of a system-on-a-chip (SoC), network devices such as a switch, a central on-board computer, a telecommunications unit, and the like.

Like any computer-based communication network, in-vehicle communication networks must be protected against cyberattacks. A first and central component for increasing cybersecurity is the integration of one or more firewalls into the communication network to filter communication. Data packets sent over the communication network are examined by the firewall before being forwarded to a destination address. Based on defined rules, the firewall decides whether or not each data packet may pass to the destination address; blocked data packets are discarded. The rules used by the firewall can be implemented in the form of a whitelist or a blacklist. The whitelist specifies trusted destination addresses, source addresses, data packet contents, services, and the like, for which transmitted data packets are forwarded (routed) by the firewall. Conversely, the blacklist contains information describing the contexts in which data packets are prevented from being forwarded to the destination address and are discarded. This prevents unauthorized network access. A firewall can apply various filtering techniques, such as packet filtering, stateful packet inspection, a proxy filter, a content filter, deep packet inspection, and the like.

A firewall can not only monitor communication between the communications network and external devices or networks, such as a cellular network, the Internet, or any wide area network (WAN) other than the communications network, but can also filter communication within the communications network. External communication is possible, for example, via a cellular connection provided by the telecommunications unit or via Bluetooth, Wi-Fi, NFC, and the like. Typically, a separate firewall is implemented in such a telecommunications unit to filter data exchanged via cellular networks. Vehicles can also exchange information with each other via a vehicle-to-vehicle communication interface, or with infrastructure objects via a vehicle-to-X communication interface.

The topology of in-vehicle communication networks can vary between vehicles, for example depending on the vehicle model, the vehicle configuration (particularly special equipment), the vehicle's production period, and the like. Typically, the network topology is described by the vehicle manufacturer using so-called network design information, also known as the Network Communication Design (NCD). The NCD defines all communication traffic permitted within the vehicle. Typically, the NCD is stored in the form of a computer-readable file in every computing unit installed in the vehicle.

With advancing development, this inevitably leads to different versions of the NCD, each differing in content, being present on the various computing units in the vehicle. To define the rules to be applied by a firewall, especially in the form of the whitelists or blacklists mentioned above, the information described in the NCD is typically used. This allows the rules for the firewall to be defined automatically with little human effort. Typically, the set of rules is generated based on the latest version of the NCD. The latest or newer versions of the NCD are not necessarily compatible with older versions. If only the latest NCD is taken into account to define the set of rules to be used by the firewall, computing units whose communication is based on an older version of the NCD may therefore be unable to communicate with each other, because the messages to be exchanged between them were not included in the resulting whitelist, or a corresponding entry was incorrectly created in the blacklist. If the latest version of the NCD also describes communication that is not actually pe