
EP-4740363-A1 - COMPUTER-IMPLEMENTED METHOD FOR CONFIGURING A FIREWALL, COMPUTER PROGRAM PRODUCT, COMPUTER-READABLE STORAGE MEDIUM, AND VEHICLE


Abstract

The invention relates to a computer-implemented method for configuring a firewall (1). The firewall (1) filters the network traffic in a computer-supported communication network (3) on the basis of a set of rules (2) defined by the configuration, and the rules in the set of rules (2) are defined on the basis of information relating to at least one computing unit (4) connected to the communication network (3). The method according to the invention is characterized by the following steps: a) collecting connection information, including the allocation of computing units (4) connected to the communication network (3) to a respective network connection (5) of a network device (6) integrated into the communication network (3); b) obtaining network design information (7) from each computing unit (4) connected to the communication network (3), said information describing a permissible network communication at least on the basis of the topography of the communication network (3); c) for each computing unit (4): defining a subset of rules (8) on the basis of the network design information (7) relating to the respective computing unit (4), said subset of rules defining at least those network connections (5) of the network device (6) via which data packets transmitted from the respective computing unit (4) may be sent and/or via which data packets addressed to the respective computing unit (4) may be received; d) combining all of the subsets of rules (8) in order to form the set of rules (2); and e) configuring the firewall (1) using the set of rules (2).

Inventors

  • LI, XINYUE
  • YERLIKAYA, METIN LEVENT

Assignees

  • Mercedes-Benz Group AG

Dates

Publication Date
2026-05-13
Application Date
2024-12-20

Claims (9)

  1. A computer-implemented method for configuring a firewall (1), wherein the firewall (1) filters the network traffic in a computer-supported communications network (3) based on a set of rules (2) defined by the configuration, wherein rules for the set of rules (2) are determined as a function of information obtained from at least one computing unit (4) connected to the communications network (3), and wherein the firewall (1) is provided by a computing unit (4) connected to the communications network (3), characterized by the following method steps: a) collecting connection information, comprising an assignment between computing units (4) connected to the communications network (3) and a respective network connection (5) of a network device (6) integrated into the communications network (3); b) obtaining network design information (7) from each computing unit (4) connected to the network device (6), describing permissible network communication at least as a function of a topography of the communications network (3); c) for each computing unit (4): defining a sub-rule set (8) based on the network design information (7) obtained from the respective computing unit (4), specifying at least those network ports (5) of the network device (6) via which data packets sent by the respective computing unit (4) may be sent and/or via which data packets addressed to the respective computing unit (4) may be received; d) combining all sub-rule sets (8) to form the rule set (2); and e) configuring the firewall (1) with the rule set (2).
  2. Method according to claim 1, characterized in that a firewall (1) integrated into the network device (6) is configured.
  3. Method according to claim 1 or 2, characterized in that a computing unit (4) integrated into the communication network (3) carries out at least one of the method steps a) to e), preferably all method steps.
  4. The method according to claim 3, characterized in that the network device (6) carries out the at least one method step.
  5. The method according to one of claims 1 to 4, characterized in that the firewall (1) filters the network traffic in a vehicle-integrated communication network (3) based on the configuration with the rule set (2).
  6. Computer program product, characterized by computer-interpretable instructions which, when executed by a processor, enable a computing unit (4) to carry out a method according to one of claims 1 to 5.
  7. A computer-readable storage medium, characterized by a computer program product according to claim 6.
  8. Vehicle, characterized by at least one computing unit (4) having at least read access to a computer-readable storage medium according to claim 7.
  9. Vehicle according to claim 8, characterized in that the computing unit (4) is designed as a network device (6).
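Steps a) to e) of claim 1, worked through as an added example that is not code from the patent or its assignee: each unit's own NCD yields a sub-rule set, the sub-rule sets are unioned into the switch firewall's whitelist, and a latest-NCD-only rule set is built alongside for comparison. The ECU names, the NCD layout (a version number plus `(src, dst, proto, port)` flows), the port map and all sample data are constructed assumptions.

```python
# Added example (not the patent's code); ECU names, NCD layout and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str       # sending computing unit
    dst: str       # receiving computing unit
    in_port: int   # switch port a packet from src must arrive on
    out_port: int  # switch port it may be forwarded to
    proto: str
    dport: int

# a) connection information: which unit is attached to which switch port
PORT_MAP = {"ECU_A": 1, "ECU_B": 2, "ECU_C": 3}

# b) NCD obtained from each unit; versions differ because the units were built at
# different times. Layout (version + (src, dst, proto, port) flows) is assumed.
NCDS = {
    "ECU_A": {"version": 3, "flows": [("ECU_A", "ECU_B", "udp", 5000)]},
    "ECU_B": {"version": 2, "flows": [("ECU_A", "ECU_B", "udp", 5000),
                                      ("ECU_A", "ECU_B", "udp", 5001)]},
    "ECU_C": {"version": 3, "flows": [("ECU_B", "ECU_C", "tcp", 8080)]},
}

def rules_from_flows(flows, port_map, only_unit=None):
    """Turn NCD flows into port-level rules; if only_unit is given, keep just the
    flows that unit sends or receives. Flows naming unknown units are dropped."""
    return {Rule(s, d, port_map[s], port_map[d], p, dp) for s, d, p, dp in flows
            if s in port_map and d in port_map and only_unit in (None, s, d)}
def sub_rule_set(unit, ncd, port_map):
    """c) Rules derived from one unit's own NCD: only flows it takes part in."""
    return rules_from_flows(ncd["flows"], port_map, only_unit=unit)

def build_rule_set(ncds, port_map):
    """d) Union of all sub-rule sets: a flow survives if any unit's NCD lists it, so
    older units keep their paths. Caveat: any one NCD can open a flow, so protect its integrity."""
    rules = set()
    for unit, ncd in ncds.items():
        rules |= sub_rule_set(unit, ncd, port_map)
    return frozenset(rules)

def latest_only_rule_set(ncds, port_map):
    """The usual approach the description criticises: use only the newest NCD."""
    newest = max(ncds.values(), key=lambda n: n["version"])
    return frozenset(rules_from_flows(newest["flows"], port_map))

def permitted(rules, src, dst, in_port, proto, dport):
    """e) Per-packet whitelist check; in_port must be the port assigned to src."""
    return any(r.src == src and r.dst == dst and r.in_port == in_port
               and r.proto == proto and r.dport == dport for r in rules)
```

With the sample data, the merged rule set keeps the UDP 5001 flow that only ECU_B's older NCD lists, while the latest-only set drops it; a packet claiming ECU_A as source but arriving on ECU_C's port is rejected in both.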

Description

Computer-implemented method for configuring a firewall, computer program product, computer-readable storage medium, and vehicle

The invention relates to a computer-implemented method for configuring a firewall according to the type defined in more detail in the preamble of claim 1, a computer program product, a computer-readable storage medium and a vehicle.

With increasing digitalization, the proportion of computer systems in vehicles is also growing. In addition to sensors and actuators, on-board electronics include a wide variety of computing units for processing corresponding sensor signals, generating control signals, or providing functions. The respective components of the on-board electronics can communicate with each other via a communications network. This involves one or more bus systems, such as a CAN bus, an Ethernet data line, or the like. An in-vehicle computing unit is understood to include, in particular, control units, particularly in the form of a system-on-a-chip (SoC), network devices such as a switch, a central on-board computer, a telecommunications unit, and the like.

Like any computer-based communications network, in-vehicle communications networks must also be protected against cyberattacks. A first and central component for increasing cybersecurity is the integration of one or more firewalls into the communications network to filter communications. Data packets sent over the communications network are examined by the firewall before being forwarded to a destination address. The firewall then decides, based on defined rules, whether or not the respective data packets should be allowed to pass to the destination address. Data packets to be blocked are discarded by the firewall. Rules used by the firewall can be implemented in the form of a whitelist or blacklist. The whitelist can specify trusted destination addresses, source addresses, data packet contents, services, and the like, in connection with which transmitted data packets are forwarded (routed) by the firewall. Accordingly, the blacklist contains information that describes in which contexts data packets should be prevented from being forwarded to the destination address and should be discarded. This prevents unauthorized network access. A firewall can apply various filtering techniques, such as packet filtering, stateful packet inspection, a proxy filter, a content filter, deep packet inspection, and the like.

A firewall can not only monitor communication between the communications network and external devices, such as a cellular network, the Internet, or any wide area network (WAN) other than the communications network, but can also filter communication within the communications network. External communication is possible, for example, via a cellular connection provided by the telecommunications unit or via Bluetooth, Wi-Fi, NFC, and the like. Typically, a separate firewall is implemented in such a telecommunications unit to filter data exchanged via cellular networks. Vehicles can also exchange information with each other via a so-called vehicle-to-vehicle communication interface, or with infrastructure objects via a vehicle-to-X communication interface.

The topography of in-vehicle communication networks can vary between different vehicles, for example depending on the vehicle model, the vehicle configuration (particularly taking into account special equipment), the vehicle's production period, and the like. Typically, the network topography is described by the vehicle manufacturer using so-called network design information, also known as "Network Communication Design" (NCD). The NCD defines all communication traffic permitted within the vehicle. Typically, the NCD is stored in the form of a computer-readable file in every computing unit installed in the vehicle. As development advances, this inevitably leads to different versions of the NCD being present on the various computing units in the vehicle, each differing in content.

To define the rules to be applied by a firewall, especially in the form of whitelists or blacklists, the information described by the NCD is typically used. This allows the firewall rules to be generated automatically with minimal human effort. Typically, the rule set is generated based on the latest version of the NCD. The latest version, or newer versions, of the NCD are not necessarily compatible with older versions of the NCD. If only the latest NCD is used to define the rule set applied by the firewall, computing units whose communication flow is based on an older version of the NCD may therefore no longer be able to communicate with each other, because messages to be exchanged between these computing units were not included in the resulting whitelist, or a corresponding entry was incorrectly created in a blacklist. If the latest vers