
TWI899725B - Method of secure compartmentalization for IoT application and IoT gateway using the same - Google Patents

Publication number: TWI899725B
Authority: TW (Taiwan)
Application number: TW112146513A
Other languages: Chinese (zh)
Other versions: TW202504289A (en)
Inventors: 許文龍, 高志文
Original assignee: 四零四科技股份有限公司
Prior art keywords: zone, application, iot, service, zones

Application filed by 四零四科技股份有限公司
Priority to US18/534,735 (patent US20250007881A1)
Priority to EP23215465.8A (patent EP4485854A1)
Priority to CN202311704197.2A (patent CN119233262A)
Publication of TW202504289A
Application granted
Publication of TWI899725B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method of secure compartmentalization for IoT applications and an IoT gateway using the same are provided. The method is adapted to the IoT gateway and includes the following steps. A plurality of zones corresponding to a plurality of subnets are created by partitioning the subnets. An application installed in the IoT gateway is deployed to one of the zones. A conduit policy associated with at least one of the zones is configured. Packet transmission of the zones is managed based on the conduit policy.

Description

Method of secure compartmentalization for IoT application and IoT gateway using the same

The present invention relates to a network security technique, and in particular to a method of secure compartmentalization for IoT applications and an IoT gateway using the method.

An IoT gateway is a solution that facilitates IoT communication; its main role is to serve as a transmission bridge between IoT devices and cloud servers. A great deal of IoT data can be forwarded through the IoT gateway to cloud servers for real-time monitoring and analysis. Furthermore, IoT gateways play a key role in the various operational scenarios of an IoT system and help enterprises manage data transmission. An IoT gateway can forward collected sensor data to a cloud server over an untrusted network, or forward control commands from the untrusted network to IoT devices or control devices. Therefore, in an IoT environment, because IoT devices and control devices can be connected directly to an untrusted network through the IoT gateway, a firewall is needed to protect the IoT devices, the control devices and the IoT gateway itself from network attacks.

However, as the functionality of IoT gateways keeps evolving, an IoT gateway comes to manage a larger number of more complex applications, such as data acquisition and edge computing. In addition, an IoT gateway is involved in data transmission and automated control for devices of different security levels. Therefore, given the requirements and security considerations of these operational scenarios, the firewall protection provided by a conventional IoT gateway or by other network devices no longer meets current needs.

In view of this, embodiments of the present invention provide a method of secure compartmentalization for IoT applications and an IoT gateway using the method, which can solve the technical problems described above.

The method of secure compartmentalization for IoT applications of an embodiment of the present invention is adapted to an IoT gateway and includes, but is not limited to, the following steps. A plurality of zones corresponding to a plurality of subnets are created by partitioning the subnets. An application installed in the IoT gateway is deployed to one of the zones. A conduit policy associated with at least one of the zones is configured. Packet transmission of the zones is managed based on the conduit policy.

The IoT gateway of an embodiment of the present invention includes a transceiver, a storage device and a processor. The processor is connected to the transceiver and the storage device and is configured to perform the following operations. A plurality of zones corresponding to a plurality of subnets are created by partitioning the subnets. An application installed in the IoT gateway is deployed to one of the zones. A conduit policy associated with at least one of the zones is configured. Packet transmission of the zones is managed based on the conduit policy.

Based on the above, in embodiments of the present invention, after the zones corresponding to the subnets are created, a conduit policy for managing packet transmission can be configured for each of these zones. In addition, the multiple applications installed in the IoT gateway can be separated into different zones. The packet transmission of each application can therefore be controlled according to the conduit policy of the zone it resides in. This not only greatly improves the network security defense capability of the IoT gateway, but also improves the flexibility and efficiency of its security management.

To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.

Some embodiments of the present invention are described in detail below with reference to the accompanying drawings. Where the same reference numerals appear in different drawings, they denote the same or similar elements. These embodiments are only part of the present invention and do not disclose all of its possible implementations. Rather, they are merely examples of the methods and apparatus within the scope of the claims of the present invention.

The present disclosure relates to a method of secure compartmentalization for IoT applications and an IoT gateway using the method. To strengthen IoT security, the disclosure provides a zoning model that divides IoT applications into multiple zones. The zoning model can be used to manage the core services and application services installed on the IoT gateway, thereby improving the security of an existing IoT application framework. The IoT gateway can create multiple zones and isolate the various IoT applications into them. Communication between zones takes place through conduits. In the present disclosure, packet transmission of the IoT applications is managed by establishing conduit policies for these zones.

From another perspective, the present disclosure provides an IoT gateway capable of isolating the data, applications and services inside the gateway based on the zoning model. By separating multiple applications into multiple zones, access to some important system configuration files deployed in the IoT gateway can be prohibited. In some embodiments, the zoning model of the present disclosure can be built seamlessly on the existing information technology (IT) framework of IoT applications without modifying that framework, making security management of the operational technology (OT) domain in industrial environments more robust and efficient.

FIG. 1 is a schematic diagram of an IoT system according to an embodiment of the present invention. Referring to FIG. 1, the IoT system 10 includes an IoT gateway 110, a local network 120 and an external network 130. The IoT system 10 may be an Industrial Internet of Things (IIoT) system; the IIoT is the extension and use of the IoT in the industrial field.

The local network 120 may include multiple IoT devices, one or more control devices and one or more network devices. The IoT devices may be sensors, cameras, industrial equipment, measurement equipment and so on. The control devices may be computers, programmable logic controllers (PLCs) and so on. Devices in the local network 120 may be connected directly or indirectly to the IoT gateway 110. For example, a control device may communicate with the IoT gateway 110 through a suitable communication protocol (for example Ethernet, IP or another packet protocol). An IoT device may be connected to a control device, a network device or the IoT gateway 110 through a wired or wireless communication link, for example one supporting Wi-Fi, Bluetooth, WirelessHART, HART-IP or another communication protocol.

The IoT gateway 110 is connected between the local network 120 and the external network 130. In some embodiments, multiple applications can be deployed and installed in the IoT gateway 110. Based on these applications, the IoT gateway 110 can provide various IoT functions, such as data collection, edge computing and security authentication. The applications may be system services, Docker containers and so on. From another perspective, the applications may be provided by a cloud computing platform such as the Azure platform or the Amazon Web Services (AWS) platform, allowing users to run cloud intelligence on the IoT gateway 110.

The external network 130 may include private servers or public servers provided by a cloud computing platform. It is worth noting that the IoT gateway 110 may be connected to devices of the external network 130 through an untrusted network. In other words, the external network 130 may include an untrusted network.

FIG. 2 is a block diagram of an IoT gateway according to an embodiment of the present invention. Referring to FIG. 2, the IoT gateway 110 includes a transceiver 113, a memory 112 and a processor 111.

The memory 112 is used to store data such as instructions, program code and software modules, and may be, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory or other similar devices, integrated circuits, or a combination thereof.

The processor 111 may be a central processing unit (CPU), a general-purpose processor, or another programmable general-purpose or special-purpose microprocessor, digital signal processor (DSP), programmable controller, field programmable gate array (FPGA), application-specific integrated circuit (ASIC), other similar element, or a combination of the above.

In different embodiments, the memory 112 may be a separate device independent of the processor 111, or may be integrated into the processor 111.

The processor 111 can access and execute the software modules recorded in the memory 112 to implement the method of secure compartmentalization for IoT applications of the embodiments of the present invention. The software modules are to be construed broadly as meaning instructions, instruction sets, code, program code, programs, applications, software packages, threads, procedures, functions and the like, whether referred to as software, firmware, middleware, microcode, hardware description language or otherwise.

The transceiver 113 has a transmitter (for example, a transmitting circuit) and a receiver (for example, a receiving circuit). In some embodiments, the transceiver 113 is used to transmit and receive time- and frequency-division information. The transceiver 113 may perform low-noise amplification (LNA), impedance matching, analog-to-digital conversion (ADC), digital-to-analog conversion (DAC), frequency mixing, up- and down-conversion, filtering, amplification and/or similar operations. For example, the transceiver 113 may be a WiFi or Bluetooth transceiver compliant with an 802.xx standard. For example, the transceiver 113 may be included in a USB port or in an interface used to establish a wired connection.

FIG. 3 is a flowchart of a method of secure compartmentalization for IoT applications according to an embodiment of the present invention. Referring to FIG. 3, the method of this embodiment can be performed by the IoT gateway 110 of FIG. 1; the details of each step of FIG. 3 are described below with reference to the elements shown in FIG. 1 and FIG. 2.

In step S302, the processor 111 creates a plurality of zones corresponding to a plurality of subnets by partitioning the subnets. The present disclosure does not limit the number of zones; it can be configured according to actual needs. In some embodiments, the processor 111 partitions the subnets by creating virtual network interfaces, and each subnet corresponds to an IP address range. In other words, the zones can be created by generating virtual bridges or virtual networks, and each zone can be associated with the IP address range of its corresponding subnet.

In step S304, the processor 111 deploys an application installed in the IoT gateway 110 to one of the zones. More specifically, each zone can be regarded as a logical grouping of applications with similar security requirements. The applications installed in the IoT gateway 110 may be containers, services or daemons. In addition, in some embodiments, each application deployed in the IoT gateway 110 may be assigned to its corresponding zone according to its zone tag. The zone tag of an application can be set according to predefined rules or user operations.

For example, some applications related to information technology (IT) services can be deployed in a first zone, and some applications related to operational technology (OT) services can be deployed in a second zone. In addition, some applications related to core services can be deployed in a third zone.

In some embodiments, the processor 111 may assign a specific IP address within the IP address range of one of the subnets to an application, so as to deploy the application to the zone corresponding to that subnet. More specifically, when the processor 111 decides to deploy an application to the first zone, it may assign the application an IP address within the IP address range of the subnet corresponding to the first zone. Once the application has been assigned this specific IP address, it can be regarded as partitioned into the corresponding zone.

In step S306, the processor 111 configures a conduit policy associated with at least one of the zones. In step S308, the processor 111 manages packet transmission of the zones according to the conduit policy. The conduit policy may include access rules for at least one of the zones. In the present disclosure, a conduit represents a controlled communication path or channel between different zones; accordingly, a conduit policy is used to manage packet transmission between zones. For example, a conduit policy may block packet transmission from the first zone to the second zone. In addition, a conduit policy may be used to manage packet transmission between a zone containing some applications of the IoT gateway 110 and the untrusted network (that is, the external network).
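Steps S302 to S308 together describe a small policy engine: subnets define zones, an application joins a zone by receiving an address from that zone's subnet, and a conduit table decides whether a packet may cross a zone boundary. The following Python model is an added example, not code from the patent or its assignee; the subnets (10.10.1.0/24 for Z1, 10.10.2.0/24 for Z2, 10.10.3.0/24 for Z3, 192.168.50.0/24 for the IACS LAN), the app names and the convention that the .1 address of each subnet is reserved for the zone's bridge interface are all assumptions made here. It builds the layout of FIG. 4 (Z1 and Z3 reach the IACS LAN, Z2 and Z3 reach the WAN, Z1 and Z2 are isolated, nothing inbound reaches Z3) and evaluates packets against it with a default-deny rule.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed address plan (assumptions, not from the patent).
NETWORKS = {
    "Z1_OT":   ipaddress.ip_network("10.10.1.0/24"),     # OT service zone
    "Z2_IT":   ipaddress.ip_network("10.10.2.0/24"),     # IT service zone
    "Z3_MGMT": ipaddress.ip_network("10.10.3.0/24"),     # management zone
    "IACS":    ipaddress.ip_network("192.168.50.0/24"),  # IACS LAN, not a gateway zone
}
UNTRUSTED = "UNTRUSTED"                # any address outside the ranges above (WAN side)
GATEWAY_ZONES = ("Z1_OT", "Z2_IT", "Z3_MGMT")


@dataclass
class Gateway:
    networks: dict
    apps: dict = field(default_factory=dict)      # app name -> IPv4Address
    conduits: dict = field(default_factory=dict)  # (src region, dst region) -> "allow" | "deny"

    def deploy(self, app, zone):
        """Step S304: an app joins a zone by receiving the next free address of the
        zone's subnet. The .1 address is reserved for the zone bridge (assumption)."""
        if zone not in GATEWAY_ZONES:
            raise ValueError(f"{zone} is not a gateway zone")
        net = self.networks[zone]
        used = set(self.apps.values())
        for host in net.hosts():
            if host != net.network_address + 1 and host not in used:
                self.apps[app] = host
                return host
        raise RuntimeError(f"zone {zone} has no free addresses")

    def region_of(self, ip):
        """Map an address back to its zone (or IACS / UNTRUSTED) by subnet membership."""
        ip = ipaddress.ip_address(str(ip))
        for name, net in self.networks.items():
            if ip in net:
                return name
        return UNTRUSTED

    def set_conduit(self, src, dst, verdict, bidirectional=False):
        """Step S306: configure the conduit policy for a (src, dst) region pair."""
        self.conduits[(src, dst)] = verdict
        if bidirectional:
            self.conduits[(dst, src)] = verdict

    def packet_allowed(self, src_ip, dst_ip):
        """Step S308: traffic inside one zone is not governed by a conduit; traffic
        crossing a boundary needs an explicit "allow" conduit, otherwise it is dropped."""
        src, dst = self.region_of(src_ip), self.region_of(dst_ip)
        if src == dst and src != UNTRUSTED:
            return True
        return self.conduits.get((src, dst)) == "allow"


def build_demo_gateway():
    """The FIG. 4 / FIG. 5 layout with constructed app names."""
    gw = Gateway(NETWORKS)
    gw.deploy("data_acquisition", "Z1_OT")
    gw.deploy("edge_compute", "Z2_IT")
    gw.deploy("data_transfer", "Z2_IT")
    gw.deploy("cert_service", "Z3_MGMT")
    gw.set_conduit("Z1_OT", "IACS", "allow", bidirectional=True)     # CP1_1
    gw.set_conduit("Z3_MGMT", "IACS", "allow", bidirectional=True)   # CP1_2
    gw.set_conduit("Z1_OT", "Z2_IT", "deny", bidirectional=True)     # CP2: Z1 and Z2 isolated
    gw.set_conduit("Z1_OT", "Z3_MGMT", "allow", bidirectional=True)  # CP3
    gw.set_conduit("Z2_IT", "Z3_MGMT", "allow", bidirectional=True)  # CP3
    gw.set_conduit("Z2_IT", UNTRUSTED, "allow")                      # CP4, outbound only
    gw.set_conduit("Z3_MGMT", UNTRUSTED, "allow")                    # CP5, outbound only
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    for src, dst in [("data_acquisition", "edge_compute"), ("data_acquisition", "cert_service")]:
        print(src, "->", dst, gw.packet_allowed(gw.apps[src], gw.apps[dst]))
```

On a real gateway the same three steps map onto Docker's `docker network create --subnet` for the zone bridges and `--network` / `--ip` on `docker run` for the deployment step; the conduit table is what the packet filter (iptables or nftables, as the description mentions later) enforces.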

In some embodiments, the zones created by the processor 111 may include an IT service zone and an OT service zone. The IT service zone includes at least one IT service application, and the OT service zone includes at least one OT service application. In addition, the zones created by the processor 111 may further include a management zone, which includes at least one secure service application.

FIG. 4 is a schematic diagram of a zoning model according to an embodiment of the present invention. Referring to FIG. 4, the IoT gateway 410 can deploy applications into three zones Z1 to Z3. In this embodiment, zone Z1 is the OT service zone, zone Z2 is the IT service zone and zone Z3 is the management zone.

OT service applications related to OT services, such as a data acquisition application, can be deployed to zone Z1. IT service applications related to IT services, such as an edge computing application and a data transmission application, can be deployed to zone Z2. Applications related to core services, such as a security service application, a device management service application and a certificate service application, can be deployed to zone Z3.

Applications in zone Z1 and in zone Z3 can communicate through the local area network (LAN) with devices in the industrial automation and control system (IACS) zone 42, to perform functions related to those devices, such as collecting data from IoT devices or controlling industrial equipment. Applications in zone Z2 and in zone Z3 can communicate through the wide area network (WAN) with the untrusted network 41, to perform functions related to devices in the untrusted network 41, such as transmitting data to a cloud server or receiving from an external server control commands for devices in the IACS zone 42. It is worth noting that communication between zone Z1 and zone Z2 is prohibited. By partitioning the applications of the IoT gateway 410 into zones Z1 to Z3, packet transmission of the services inside the IoT gateway 410 can be managed effectively, improving IoT security.

FIG. 5 is a schematic diagram of deploying applications to zones according to an embodiment of the present invention. Referring to FIG. 5, after zones Z1 to Z3 are created, the conduits between them can be designed to manage access, prevent unauthorized activity, stop the spread of threats or malware, and preserve the integrity and confidentiality of network transmission.

In some embodiments, the IoT gateway 510 can configure a conduit policy associated with at least one of zones Z1 to Z3. Specifically, the IoT gateway 510 can configure a conduit policy for one or more conduits, so that the packet transmission of the applications is managed according to the conduit policy of the conduit. The IoT gateway 510 can configure a conduit policy CP1_1 for the conduit between zone Z1 and the IACS zone 52, and another conduit policy CP1_2 for the conduit between zone Z3 and the IACS zone 52, so as to manage and monitor packet transmission between the applications in zone Z1 and the IACS zone 52 and between the applications in zone Z3 and the IACS zone 52. The conduit policies CP1_1 and CP1_2 may be the same or different; the present disclosure does not limit this.

The IoT gateway 510 can configure a conduit policy CP2 for the conduit between zone Z1 and zone Z2, so that packet transmission between the applications in zone Z1 and those in zone Z2 can be managed and monitored. In some embodiments, under conduit policy CP2 the applications in zone Z1 and the applications in zone Z2 cannot communicate with each other. In some embodiments, the IoT gateway 510 may omit configuring a conduit policy for the conduit between zone Z2 and zone Z1. Of course, if packet transmission is required in certain situations, the conduit policy CP2 between zone Z2 and zone Z1 can be set accordingly.

In addition, the IoT gateway 510 can configure a conduit policy CP3 for the conduit between zone Z1 and zone Z3 and for the conduit between zone Z2 and zone Z3. Packet transmission between the applications in zone Z2 and those in zone Z3, and between the applications in zone Z1 and those in zone Z3, can therefore be managed and monitored.

The IoT gateway 510 can configure a conduit policy CP4 for the conduit between zone Z2 and the untrusted network 51, so that packet transmission between the applications in zone Z2 and the untrusted network 51 can be managed and monitored. The IoT gateway 510 can also configure a conduit policy CP5 for the conduit between zone Z3 and the untrusted network 51, so that packet transmission between the applications in zone Z3 and the untrusted network 51 can be managed and monitored. It is worth noting that applications in different zones Z1 to Z3 may belong to a single service module provided by a cloud platform. For example, the applications of the service module "IoTedge" may be assigned to different zones among Z1 to Z3. As shown in FIG. 5, applications 501 to 503 of the "IoTedge" service module may be assigned to zone Z3, application 504 of the "IoTedge" service module may be assigned to zone Z1, and application 505 of the "IoTedge" service module may be assigned to zone Z2. In other words, the method of the present disclosure can be implemented on an existing IoT application framework.

In some embodiments, the IoT gateway 510 may obtain a service module provided by a cloud service platform, where the service module includes one or more applications. When an application of the service module belongs to a high data security level, the IoT gateway 510 deploys it to the management zone. When an application of the service module belongs to a low data security level, the IoT gateway 510 deploys it to the IT service zone or the OT service zone. More specifically, the service module provided by the cloud service platform may include multiple applications, which can be partitioned into different zones according to the security level of the data they handle. The applications of a single service module provided by the cloud platform may include applications corresponding to a high data security level and applications corresponding to a low data security level. In the example of FIG. 5, when a service module provided by the cloud service platform is installed on the IoT gateway 510, the applications corresponding to a high data security level (for example, applications 501 to 503) can be deployed to zone Z3, while the other applications of the same service module that correspond to a low data security level (for example, applications 504 or 505) can be deployed to zone Z1 or Z2 according to the requirements of the scenario.

In some embodiments, a zone tag can be assigned to an application deployed in the IoT gateway 510, so that the application can be deployed to the corresponding zone according to the zone tag. The zone tag of an application can be assigned according to user operations or predefined rules. For example, one or more applications in zone Z1 can be assigned the same zone tag so that they are grouped into the same zone Z1. For example, for a Docker container the zone tag can be assigned by setting the parameter "--network"; for an Azure IoT Edge module, by setting the parameter "NetworkMode"; and for a Linux system service, by setting the parameter "RestrictNetworkInterfaces".

FIG. 6 is a schematic diagram of creating zones according to an embodiment of the present invention. Referring to FIG. 6, the IoT gateway 610 can use a subnet partitioning tool 61 to create multiple zones (for example, zone Z6). The subnet partitioning tool 61 can create a virtual network interface and thereby produce a subnet corresponding to an IP address range. The IoT gateway 610 can create multiple zones by partitioning IP address ranges or by using network namespaces. For example, the IoT gateway 610 can create multiple zones corresponding to different IP address ranges by creating Docker bridges or virtual networks (Vnets). The IoT gateway 610 can assign a specific application deployed in the IoT gateway 610 an IP address within a given subnet, thereby assigning that application to the zone corresponding to the subnet. For example, the IP addresses of all applications in zone Z6 lie within the IP address range of the subnet corresponding to zone Z6 (for example, 192.168.*).

In addition, by using a packet management tool 62 such as iptables, nftables or a firewall, communication over the conduit between the Internet zone 63 and zone Z6 and over the conduit between the private zone 64 and zone Z6 can be managed. That is, the conduit policy of each conduit can be configured using iptables, nftables or a firewall. Based on the conduit policies configured with iptables, nftables or a firewall, network traffic can be controlled and managed according to predefined rules and policies, improving the network security of the IoT system.
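The description names nftables as one packet management tool that can carry the conduit policies, but does not show what a conduit table looks like once expressed as filter rules. The following Python renderer is an added example, not code from the patent or its assignee: it takes a conduit table for the FIG. 5 layout (constructed subnets 10.10.1.0/24 to 10.10.3.0/24 for Z1 to Z3, 192.168.50.0/24 for the IACS side, and an assumed WAN interface name eth0) and emits an nftables forward chain with a default-drop policy, so every conduit that is not explicitly allowed is closed. The `ct state established,related accept` line and the `counter` keyword are conventional nftables usage added here, not something the patent specifies.

```python
# Conduit table for the FIG. 5 layout over constructed subnets (assumptions).
ZONES = {
    "Z1": "10.10.1.0/24",      # OT service zone
    "Z2": "10.10.2.0/24",      # IT service zone
    "Z3": "10.10.3.0/24",      # management zone
    "IACS": "192.168.50.0/24", # private / IACS side, reached over the LAN
}
WAN_IF = "eth0"   # assumed name of the interface facing the untrusted network

# (src, dst, verdict); "WAN" stands for the untrusted network.
CONDUITS = [
    ("Z1", "IACS", "allow"), ("IACS", "Z1", "allow"),   # CP1_1
    ("Z3", "IACS", "allow"), ("IACS", "Z3", "allow"),   # CP1_2
    ("Z1", "Z2", "deny"),    ("Z2", "Z1", "deny"),      # CP2: Z1 and Z2 isolated
    ("Z1", "Z3", "allow"),   ("Z3", "Z1", "allow"),     # CP3
    ("Z2", "Z3", "allow"),   ("Z3", "Z2", "allow"),     # CP3
    ("Z2", "WAN", "allow"),                             # CP4, outbound only
    ("Z3", "WAN", "allow"),                             # CP5, outbound only
    ("WAN", "Z3", "deny"),                              # nothing inbound to management
]


def _match(endpoint, side, zones, wan_if):
    """nft match for one end of a conduit: a subnet for a zone, the WAN interface otherwise."""
    if endpoint == "WAN":
        keyword = "iifname" if side == "src" else "oifname"
        return f'{keyword} "{wan_if}"'
    key = "saddr" if side == "src" else "daddr"
    return f"ip {key} {zones[endpoint]}"


def render_nft(zones=ZONES, conduits=CONDUITS, wan_if=WAN_IF, table="conduits"):
    """Render the conduit table as an nftables forward chain with policy drop.

    Explicit deny conduits are emitted as counted drop rules even though the chain
    policy already drops them, so that blocked cross-zone attempts are visible in
    `nft list ruleset` counters."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies to permitted flows
        "    ct state invalid drop",
    ]
    for src, dst, verdict in conduits:
        action = "accept" if verdict == "allow" else "drop"
        src_m = _match(src, "src", zones, wan_if)
        dst_m = _match(dst, "dst", zones, wan_if)
        lines.append(f"    {src_m} {dst_m} counter {action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
```

The output can be saved to a file and loaded with `nft -f`. When the zones are Docker bridges, remember that Docker manages its own forwarding rules; on iptables-based hosts the DOCKER-USER chain is the place Docker reserves for administrator rules, so the rendered policy must be placed where it is evaluated before Docker's own accept rules rather than after them.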

In some embodiments, the zones may include a first zone and a second zone. The conduit policy of the first zone includes a plurality of rules, including allowing packets to pass from the first zone to the untrusted network, denying packets from passing from the first zone through the local area network to the workplace, denying packets from passing from the untrusted network to the first zone, or conditionally allowing packets to pass from the untrusted network to the first zone.

For example, FIG. 7A is a schematic diagram of a transmission channel policy of a zone according to an embodiment of the present invention. Referring to FIG. 7A, the IoT gateway 710 can configure a transmission channel policy CP71 between zone Z2 and the untrusted network zone. Zone Z2 can be an IT service zone. The transmission channel policy CP71 of zone Z2 can include at least one of rule a, rule b, rule c, and rule d.

Rule a: allow packets from zone Z2 to the untrusted network 71. Rule b: deny packets from zone Z2 to the workplace 72 via the local area network LAN. Rule c: deny packets from the untrusted network 71 to zone Z2. Rule d: conditionally allow packets from the untrusted network 71 to reach zone Z2. Accordingly, the transmission channel between the IT service zone and the untrusted network zone 71 can be monitored and managed to prevent network attacks (for example, distributed denial of service (DDoS)) originating from the untrusted network 71.

In some embodiments, the zones include a first zone, a second zone, and a third zone. The transmission channel policy associated with the third zone includes a plurality of rules. The rules include denying packet transmission between a first application in the first zone or the second zone and a second application in the third zone, or allowing packet transmission between the first application in the first zone or the second zone and a third application in the third zone. The rules further include denying packets from an untrusted network to the third zone.

For example, FIG. 7B is a schematic diagram of a transmission channel policy of a zone according to an embodiment of the present invention. Referring to FIG. 7B, the IoT gateway 710 can configure a transmission channel policy CP72 for the transmission channel between zone Z2 and zone Z3 and for the transmission channel between zone Z1 and zone Z3. Zone Z1 can be an OT service zone. Zone Z2 can be an IT service zone. Zone Z3 can be a management zone. The transmission channel policy CP72 associated with zone Z3 can include at least one of rule e and rule f.

Rule e: deny packet transmission between a first application in zone Z1 or zone Z2 and a second application in zone Z3. Rule f: allow packet transmission between the first application in zone Z1 or zone Z2 and a third application in zone Z3. The second application and the third application are different applications in zone Z3. In other words, the first application in zone Z1 or zone Z2 accesses zone Z3 under permission control; that is, the transmission channel policy CP72 can allow only authorized packet flows between zone Z1 and zone Z3 and authorized packet flows between zone Z2 and zone Z3. For example, by using container security profiles, applications in zone Z1 and zone Z2 can access the management zone Z3. Furthermore, the transmission channel policy CP72 can allow an application of a certain service module provided by the cloud platform to access the application of the same service module in the management zone Z3. For example, the transmission channel policy CP72 can allow applications in zones Z1 and Z2 to access applications in the management zone Z3 that have specific ports. In addition, it should be noted that the transmission channel policy CP72 can deny access by applications in zones Z1 and Z2 to some applications in the management zone Z3. That is, some applications in zone Z3 can be isolated, improving the security of the management service and the security service.

For example, FIG. 7C is a schematic diagram of a transmission channel policy of a zone according to an embodiment of the present invention. Referring to FIG. 7C, the IoT gateway 710 can configure a transmission channel policy CP73 for the transmission channel between the untrusted network 71 and zone Z3. Zone Z1 can be an OT service zone. Zone Z2 can be an IT service zone. Zone Z3 can be a management zone. The transmission channel policy CP73 associated with zone Z3 can include at least one of rule g and rule h.

Rule g: allow packets from zone Z3 to communicate with trusted services in the untrusted network 71. Rule h: deny packets from the untrusted network 71 from reaching zone Z3. In this way, the transmission channel between zone Z3 and the untrusted network 71 can be monitored and managed to prevent network attacks (for example, distributed denial of service (DDoS)) originating from the untrusted network 71.

In some embodiments, the zones include a first zone, a second zone, and a third zone. The transmission channel policy of the second zone includes a plurality of rules. The rules include denying packets from the second zone to an untrusted network, or allowing packets from the second zone to a local area network.

For example, FIG. 7D is a schematic diagram of a transmission channel policy of a zone according to an embodiment of the present invention. Referring to FIG. 7D, the IoT gateway 710 can configure a transmission channel policy CP74 for the transmission channel between zone Z1 and the workplace 72. Zone Z1 can be an OT service zone. Zone Z2 can be an IT service zone. Zone Z3 can be a management zone. The transmission channel policy CP74 associated with zone Z1 can include at least one of rule i and rule j. Rule i: deny packets from zone Z1 to the untrusted network 71. Rule j: allow packets from zone Z1 to the workplace 72 via the local area network.

In some embodiments of an IoT gateway running the Linux kernel, zones Z1 to Z3 and the transmission channel policies are implemented at the application layer. Accordingly, netfilter in the Linux kernel can filter packets according to the transmission channel policies.

In some embodiments, the IoT gateway can obtain a partition tag of an application, where the partition tag corresponds to one of the zones. When the application is installed on the IoT gateway, the IoT gateway can deploy the application to one of the zones according to its partition tag.

FIG. 8 is a schematic diagram of deploying applications to zones according to partition tags according to an embodiment of the present invention. Referring to FIG. 8, in step S81, the administrator U1 can decide the partition tag L1 corresponding to each of the different applications. In step S82, the partition tags L1 set by the administrator U1 can be stored in the IoT Hub H1. In step S83, when applications are to be installed on the IoT gateway 801, the partition tags L1 corresponding to the different applications can be delivered from the IoT Hub H1 to the partition module M1 in the IoT gateway 801, achieving remote deployment of applications into the multiple zones of the IoT gateway 801. In step S84, the partition module M1 can provide the partition tags L1 to the installation module M2 in the IoT gateway 801. In step S85, the installation module M2 downloads the applications A1 and A2 from the service provision server SS1 (for example, a cloud service platform). In steps S86 and S87, during installation of the applications A1 and A2, the installation module M2 assigns IP addresses of different subnets to the applications A1 and A2 according to the partition tags L1, so as to deploy the applications A1 and A2 to zone Z1 and zone Z2 respectively. Furthermore, through the configuration of transmission channel policies for the transmission channels as described in the foregoing embodiments, packet transmission between the enterprise server SS2 and the application A2 is allowed, whereas packet transmission between the attacker B1 and any zone inside the IoT gateway 801 is denied.
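As an added example (not code from the patent or its assignee), the Python below models the scheme of FIG. 6 through FIG. 8 end to end: zones as subnets, deployment of an application into a zone by assigning it an address from that zone's subnet according to its partition tag, per-packet evaluation of the transmission channel policies CP71 to CP74 (rules a to j, default deny), and rendering of the same rule table as nftables rules for the netfilter layer. The subnets, the enterprise server address, the permitted management-zone port, the zone and rule names, and the nftables syntax are all assumptions, not values from the patent.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone subnets created by partitioning an address range (constructed values).
ZONES = {
    "Z1_OT": ip_network("10.10.1.0/24"),        # OT service zone
    "Z2_IT": ip_network("10.10.2.0/24"),        # IT service zone
    "Z3_MGMT": ip_network("10.10.3.0/24"),      # management zone
    "LAN": ip_network("192.168.100.0/24"),      # local area network / workplace 72
}
UNTRUSTED = "UNTRUSTED"                          # any address outside the zones above
TRUSTED_EXTERNAL = {"203.0.113.10"}              # enterprise server SS2 (placeholder)
MGMT_OPEN_PORTS = {8883}                         # Z3 apps reachable from Z1/Z2 (placeholder)


def zone_of(addr: str) -> str:
    """Map an address to the zone whose subnet contains it; unknown means untrusted."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), UNTRUSTED)


def deploy(app: str, tag: str, registry: dict) -> str:
    """Deploy app into the zone named by its partition tag by assigning the next free
    address of that zone's subnet; registry maps app name -> assigned address."""
    used = set(registry.values())
    for host in ZONES[tag].hosts():
        if str(host) not in used:
            registry[app] = str(host)
            return registry[app]
    raise RuntimeError(f"no free address left in zone {tag}")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    label: str                          # rule letter from the description (a-j)
    src: str                            # source zone name or UNTRUSTED
    dst: str                            # destination zone name or UNTRUSTED
    action: str                         # "accept" or "drop"
    src_ips: frozenset = frozenset()    # empty = any address in the source zone
    dst_ips: frozenset = frozenset()    # empty = any address in the destination zone
    dports: frozenset = frozenset()     # empty = any port

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src and zone_of(pkt.dst) == self.dst
                and (not self.src_ips or pkt.src in self.src_ips)
                and (not self.dst_ips or pkt.dst in self.dst_ips)
                and (not self.dports or pkt.dport in self.dports))


# Transmission channel policies CP71-CP74: first match wins, unmatched traffic is dropped.
CONDUIT_POLICY = [
    Rule("a", "Z2_IT", UNTRUSTED, "accept"),
    Rule("b", "Z2_IT", "LAN", "drop"),
    Rule("d", UNTRUSTED, "Z2_IT", "accept", src_ips=frozenset(TRUSTED_EXTERNAL)),
    Rule("c", UNTRUSTED, "Z2_IT", "drop"),
    Rule("f", "Z1_OT", "Z3_MGMT", "accept", dports=frozenset(MGMT_OPEN_PORTS)),
    Rule("f", "Z2_IT", "Z3_MGMT", "accept", dports=frozenset(MGMT_OPEN_PORTS)),
    Rule("e", "Z1_OT", "Z3_MGMT", "drop"),
    Rule("e", "Z2_IT", "Z3_MGMT", "drop"),
    Rule("g", "Z3_MGMT", UNTRUSTED, "accept", dst_ips=frozenset(TRUSTED_EXTERNAL)),
    Rule("h", UNTRUSTED, "Z3_MGMT", "drop"),
    Rule("i", "Z1_OT", UNTRUSTED, "drop"),
    Rule("j", "Z1_OT", "LAN", "accept"),
]


def decide(pkt: Packet, policy=CONDUIT_POLICY) -> tuple:
    """Return (verdict, rule label); the implicit default is ("drop", "default")."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.label
    return "drop", "default"


def _addr_expr(direction: str, zone: str, ips: frozenset) -> str:
    # nftables address match; UNTRUSTED is rendered as "not inside any zone subnet".
    if ips:
        return f"ip {direction} {{ {', '.join(sorted(ips))} }}"
    if zone == UNTRUSTED:
        return f"ip {direction} != {{ {', '.join(str(n) for n in ZONES.values())} }}"
    return f"ip {direction} {ZONES[zone]}"


def to_nftables(policy=CONDUIT_POLICY) -> list:
    """Render the same policy as rules for an nftables forward chain (constructed syntax:
    check it against your nft version before loading it on a gateway)."""
    lines = []
    for r in policy:
        parts = [_addr_expr("saddr", r.src, r.src_ips), _addr_expr("daddr", r.dst, r.dst_ips)]
        if r.dports:
            parts.append(f"tcp dport {{ {', '.join(map(str, sorted(r.dports)))} }}")
        lines.append(f'{" ".join(parts)} {r.action} comment "rule {r.label}"')
    return lines
```

Because the untrusted network is defined as everything outside the zone subnets, an attacker address like B1 falls through to rules c and h, while the enterprise server SS2 address is admitted by rule d only toward zone Z2, matching the outcome described for FIG. 8.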

It should be noted that any content of the various embodiments of this application, and any content within the same embodiment, can be freely combined. Any combination of the above content falls within the scope of this application.

In summary, the present disclosure is applicable to an IoT gateway in an IoT system and enhances the security of Internet of Things (IoT) devices by establishing zones and transmission channels. Specifically, applications deployed in the IoT gateway can be partitioned into multiple zones. Each zone can be associated with different transmission channel policies and permission controls, ensuring that only authorized entities can access and perform specific functions. That is, by establishing transmission channel policies for the zones, communication between applications can be restricted and controlled. These transmission channel policies may govern the flow, filtering, and blocking of specific types of traffic, ensuring that only authorized communication takes place between different zones. Therefore, the disclosed method can protect the IoT system from unauthorized access and potential threats, improving the overall security and trustworthiness of the IoT environment. Furthermore, since transmission channel policies can be set with a zone as the subject, the efficiency and flexibility of configuring packet management policies can be greatly improved, and the feasibility of remotely deploying application services is enhanced.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Any person having ordinary skill in the art may make some changes and modifications without departing from the spirit and scope of the present invention. Therefore, the scope of protection of the present invention shall be as defined by the appended claims.

10: IoT system; 120: local network; 130: external network; 110, 410, 510, 610, 710, 810: IoT gateway; 113: transceiver; 112: memory; 111: processor; Z1, Z2, Z3, Z6: zone; 41, 51, 71, 81: untrusted network; 42, 52, 72: IACS zone; CP1_1, CP1_2, CP2, CP3, CP4, CP5, CP71, CP72, CP73, CP74: transmission channel policy; 501, 502, 503, 504, 505, A1, A2: application; 61: subnet partitioning tool; 62: packet management tool; 63: internet zone; 64: private zone; U1: administrator; L1: partition tag; H1: IoT Hub; M1: partition module; M2: installation module; B1: attacker; SS1: service provision server; SS2: enterprise server; S302~S308, S81~S87: steps

FIG. 1 is a schematic diagram of an IoT system according to an embodiment of the present invention.
FIG. 2 is a block diagram of an IoT gateway according to an embodiment of the present invention.
FIG. 3 is a flow chart of a method of secure compartmentalization for IoT applications according to an embodiment of the present invention.
FIG. 4 is a schematic diagram of a zoning model according to an embodiment of the present invention.
FIG. 5 is a schematic diagram of deploying applications to zones according to an embodiment of the present invention.
FIG. 6 is a schematic diagram of establishing zones according to an embodiment of the present invention.
FIG. 7A to FIG. 7D are schematic diagrams of transmission channel policies of zones according to an embodiment of the present invention.
FIG. 8 is a schematic diagram of deploying applications to zones according to partition tags according to an embodiment of the present invention.

S302~S308: steps

Claims (22)

1. A method of secure compartmentalization for IoT applications, adapted to an IoT gateway, the method comprising: creating a plurality of zones corresponding to a plurality of subnets by partitioning the subnets; deploying an application installed in the IoT gateway to one of the zones; configuring a transmission channel policy (conduit policy) associated with at least one of the zones; and managing packet transmission of the zones according to the transmission channel policy, wherein the step of creating the zones corresponding to the subnets by partitioning the subnets comprises: partitioning the subnets by creating virtual network interfaces, wherein each of the subnets corresponds to an IP address range.
2. The method of secure compartmentalization for IoT applications of claim 1, wherein the step of deploying the application installed in the IoT gateway to the one of the zones comprises: assigning a specific IP address within the IP address range of one of the subnets to the application, so as to deploy the application to the zone corresponding to that subnet.
3. The method of secure compartmentalization for IoT applications of claim 1, wherein the zones include an information technology (IT) service zone and an operational technology (OT) service zone, the IT service zone includes at least one IT service application, and the OT service zone includes at least one OT service application.
4. The method of secure compartmentalization for IoT applications of claim 3, wherein the zones further include a management zone, and the management zone includes at least one security service application.
5. The method of secure compartmentalization for IoT applications of claim 4, wherein the step of deploying the application installed in the IoT gateway to one of the zones comprises: obtaining a service module provided by a cloud service platform, wherein the service module includes the application; when the application belongs to a high data security level, deploying the application to the management zone; and when the application belongs to a low data security level, deploying the application to the IT service zone or the OT service zone.
6. The method of secure compartmentalization for IoT applications of claim 1, further comprising: obtaining a partition tag of the application, wherein the partition tag corresponds to the one of the zones.
7. The method of secure compartmentalization for IoT applications of claim 6, wherein the step of deploying the application installed in the IoT gateway to the one of the zones comprises: when the application is installed on the IoT gateway, deploying the application to the one of the zones according to the partition tag of the application.
8. The method of secure compartmentalization for IoT applications of claim 1, wherein the zones include a first zone and a second zone, the transmission channel policy associated with the first zone includes a plurality of rules, and the rules include allowing packets from the first zone to an untrusted network, denying packets from the first zone to a workplace via a local area network, denying packets from the untrusted network to the first zone, or conditionally allowing packets from the untrusted network to the first zone.
9. The method of secure compartmentalization for IoT applications of claim 1, wherein the zones include a first zone, a second zone, and a third zone, the transmission channel policy associated with the third zone includes a plurality of rules, and the rules include denying packet transmission between a first application in the first zone or the second zone and a second application in the third zone, or allowing packet transmission between the first application in the first zone or the second zone and a third application in the third zone.
10. The method of secure compartmentalization for IoT applications of claim 9, wherein the rules further include denying packets from an untrusted network to the third zone.
11. The method of secure compartmentalization for IoT applications of claim 1, wherein the zones include a first zone, a second zone, and a third zone, the transmission channel policy associated with the second zone includes a plurality of rules, and the rules include denying packets from the second zone to an untrusted network, or allowing packets from the second zone to a local area network.
12. An IoT gateway, comprising: a transceiver; a storage device; and a processor connected to the transceiver and the storage device and configured to: create a plurality of zones corresponding to a plurality of subnets by partitioning the subnets; deploy an application installed in the IoT gateway to one of the zones; configure a transmission channel policy associated with at least one of the zones; and manage packet transmission of the zones according to the transmission channel policy, wherein the processor is further configured to: partition the subnets by creating virtual network interfaces, wherein each of the subnets corresponds to an IP address range.
13. The IoT gateway of claim 12, wherein the processor is further configured to: assign a specific IP address within the IP address range of one of the subnets to the application, so as to deploy the application to the zone corresponding to that subnet.
14. The IoT gateway of claim 12, wherein the zones include an information technology service zone and an operational technology service zone, the IT service zone includes at least one IT service application, and the OT service zone includes at least one OT service application.
15. The IoT gateway of claim 14, wherein the zones further include a management zone, and the management zone includes at least one security service application.
16. The IoT gateway of claim 15, wherein the processor is further configured to: obtain a service module provided by a cloud service platform, wherein the service module includes the application; when the application belongs to a high data security level, deploy the application to the management zone; and when the application belongs to a low data security level, deploy the application to the IT service zone or the OT service zone.
17. The IoT gateway of claim 12, wherein the processor is further configured to: obtain a partition tag of the application, wherein the partition tag corresponds to the one of the zones.
18. The IoT gateway of claim 17, wherein the processor is further configured to: when the application is installed on the IoT gateway, deploy the application to the one of the zones according to the partition tag of the application.
19. The IoT gateway of claim 12, wherein the zones include a first zone and a second zone, the transmission channel policy associated with the first zone includes a plurality of rules, and the rules include allowing packets from the first zone to an untrusted network, denying packets from the first zone to a workplace via a local area network, denying packets from the untrusted network to the first zone, or conditionally allowing packets from the untrusted network to the first zone.
20. The IoT gateway of claim 12, wherein the zones include a first zone, a second zone, and a third zone, the transmission channel policy associated with the third zone includes a plurality of rules, and the rules include denying packet transmission between a first application in the first zone or the second zone and a second application in the third zone, or allowing packet transmission between the first application in the first zone or the second zone and a third application in the third zone.
21. The IoT gateway of claim 20, wherein the rules further include denying packets from an untrusted network to the third zone.
22. The IoT gateway of claim 12, wherein the zones include a first zone, a second zone, and a third zone, the transmission channel policy associated with the second zone includes a plurality of rules, and the rules include denying packets from the second zone to an untrusted network, or allowing packets from the second zone to a local area network.
TW112146513A 2023-06-30 2023-11-30 Method of secure compartmentalization for iot application and iot gateway using the same TWI899725B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US18/534,735 US20250007881A1 (en) 2023-06-30 2023-12-11 Method of secure compartmentalization for iot application and iot gateway using the same
EP23215465.8A EP4485854A1 (en) 2023-06-30 2023-12-11 Method of secure compartmentalization for iot application and iot gateway using the same
CN202311704197.2A CN119233262A (en) 2023-06-30 2023-12-12 Internet of things application security partitioning method and Internet of things gateway

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202363524226P 2023-06-30 2023-06-30
US63/524,226 2023-06-30

Publications (2)

Publication Number Publication Date
TW202504289A TW202504289A (en) 2025-01-16
TWI899725B true TWI899725B (en) 2025-10-01

Family

ID=95152635

Family Applications (1)

Application Number Title Priority Date Filing Date
TW112146513A TWI899725B (en) 2023-06-30 2023-11-30 Method of secure compartmentalization for iot application and iot gateway using the same

Country Status (1)

Country Link
TW (1) TWI899725B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180213002A1 (en) * 2017-01-23 2018-07-26 Hysolate Ltd. Techniques for controlling and regulating network access on air-gapped endpoints
EP3425873B1 (en) * 2017-07-05 2020-07-29 Wipro Limited Method and system for processing data in an internet of things (iot) environment
US10812526B2 (en) * 2017-04-24 2020-10-20 Caligo Systems Ltd. Moving target defense for securing internet of things (IoT)
EP3557463B1 (en) * 2018-04-16 2020-10-21 Siemens Aktiengesellschaft Method and execution environment for executing program code on a control device
EP3907969A1 (en) * 2020-05-08 2021-11-10 Rockwell Automation Technologies, Inc. Configuration of security event management in an industrial environment
US20230152988A1 (en) * 2021-11-15 2023-05-18 Samsung Electronics Co., Ltd. Storage device and operation method thereof

Also Published As

Publication number Publication date
TW202504289A (en) 2025-01-16
