CN104380686B - Method and system for implementing NG firewall, NG firewall client and NG firewall server - Google Patents

Info

Publication number: CN104380686B
Authority: CN (China)
Prior art keywords: application, information, security information, terminal device, message
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201480001549.0A
Other languages: Chinese (zh)
Other versions: CN104380686A (en)
Inventors: 山贾·库马尔·纳维, 德布塔·纳亚克, 章驰
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority claimed from: PCT/CN2014/074744 (WO2015066996A1)
Events: publication of CN104380686A; application granted; publication of CN104380686B; legal status active; anticipated expiration
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0254 Stateful filtering

Abstract

The embodiments of the invention provide a method and system for implementing an NG firewall, an NG firewall client and an NG firewall server. The method comprises the following steps: when an application is started in a terminal device configured with the NG firewall client, sending a request message for requesting security information of the application; receiving a response message containing the security information of the application; and processing data received or sent by the application by using the security information of the application. In the invention, dynamic loading of attack prevention can be realized, so that the software footprint required by the terminal device can be reduced and the performance of applications installed on the terminal device can be improved.

Description

Method and system for implementing an NG firewall, NG firewall client and NG firewall server

Technical Field

The present invention relates to communication technology, and in particular to a method and system for implementing an NG firewall, an NG firewall client, and an NG firewall server.

Background

An NG firewall (NG-FW, next-generation firewall) unifies security services into a single engine and changes the design of access control and security policies. An NG firewall extends the management of applications and traffic flows. The functions of an NG firewall include allowing, blocking, logging, monitoring and bandwidth control.

An NG firewall combines first-generation firewalls, for example stateful and stateless network firewalls, application firewalls, NAT-ALG (network address translation application layer gateway), IPS (intrusion prevention system)/IDS (intrusion detection system), and anti-X malware scanning. This combination increases the complexity of the NG firewall. The foundation of an NG firewall is deep packet inspection of incoming and outgoing packets correlated with previously received packets.

On the other hand, smartphones are a key enabler of BYOD (bring your own device), personal banking, social networking and entertainment while travelling. This increases security threats to consumer privacy and the leakage of personal and business data.

However, the applicant has found that NG firewalls are installed on dedicated servers with high computing capability, and that NG firewalls have not yet been implemented on terminal devices such as smartphones. Consequently, the software footprint required by the terminal device is not reduced, and the performance of applications installed on the terminal device is not improved.

Summary of the Invention

Embodiments of the present invention relate to providing a method and system for implementing an NG firewall, an NG firewall client and an NG firewall server, so as to reduce the software footprint of the NG firewall on the terminal device without affecting application-layer attack prevention.

According to one aspect of the embodiments of the present invention, a method for implementing an NG firewall (next-generation firewall) is provided, the method comprising:

when an application is started in a terminal device, sending to an NG firewall server a request message for requesting security information of the application;

receiving from the NG firewall server a response message containing the security information of the application, wherein the security information of the application represents information for security protection of the application started in the terminal device; and

processing data of the application by using the security information of the application.

According to another aspect of the embodiments of the present invention, the request message contains identification information of the application, and the identification information of the application is used by the NG firewall server to determine the security information of the application.

According to another aspect of the embodiments of the present invention, the method further comprises:

when the application is closed in the terminal device, clearing the security information of the application.

According to another aspect of the embodiments of the present invention, the response message further comprises one or more timer values for maintaining part or all of the security information of the application; and

the method further comprises: when one or more timers of the one or more timer values corresponding to the part of the security information of the application expire, re-requesting that part of the security information of the application; or

when one or more timers of the one or more timer values corresponding to all of the security information of the application expire, re-requesting all of the security information of the application.

According to another aspect of the embodiments of the present invention, the method further comprises:

when one or more timers of the one or more timer values corresponding to the part of the security information of the application expire, clearing that part of the security information of the application; or

when one or more timers of the one or more timer values corresponding to all of the security information of the application expire, clearing all of the security information of the application.

According to another aspect of the embodiments of the present invention, the security information of the application comprises any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.

According to another aspect of the embodiments of the present invention, different timer values are used for maintaining any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application; or

the same timer value is used for maintaining any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.

According to another aspect of the embodiments of the present invention, processing the data of the application by using the security information of the application comprises:

processing the data of the application by using the packet signature information of the application; or

processing the data of the application by using the access control list information of the application; or

processing the data of the application by using the malformed packet attack information of the application; or

processing the data of the application by using the stateful firewall library information of the application; or

processing the data of the application by using the packet rate-limiting policy information of the application.

According to another aspect of the embodiments of the present invention, a method for implementing an NG firewall is provided, the method comprising:

receiving from a terminal device a request message for requesting security information of an application, wherein the security information of the application represents information for security protection of the application started in the terminal device;

determining the security information of the application according to the request message; and

sending to the terminal device a response message containing the security information of the application.

According to another aspect of the embodiments of the present invention, the request message comprises identification information of the application; and

determining the security information of the application according to the request message comprises: obtaining the security information of the application from a database according to the identification information of the application contained in the request message.

According to another aspect of the embodiments of the present invention, before sending to the terminal device the response message containing the security information of the application, the method further comprises:

authenticating whether the request message is valid; and

when the request message is valid, performing the process of sending to the terminal device the response message containing the security information of the application.

According to another aspect of the embodiments of the present invention, the method further comprises:

determining one or more timer values for maintaining part or all of the security information of the application; and

sending to the terminal device the response message containing the security information of the application comprises: sending to the terminal device the response message containing the security information of the application together with the one or more timer values for maintaining part or all of the security information of the application.

According to another aspect of the embodiments of the present invention, the security information of the application comprises any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.
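The client/server exchange described in the method aspects above, modelled as an added Python example that is not part of the patent or of any Huawei implementation: the server authenticates the request (an assumed HMAC tag over the application id), looks the security information up by app id and returns it with per-category timer values; the client caches it per category, re-requests only a category whose timer has expired, clears everything when the app closes, and applies the five kinds of security information to packets. The app id, the rules, the flow-table model of the stateful firewall library and the HMAC scheme are all constructed assumptions.

```python
import hashlib
import hmac
import time

# The five categories of security information named in the patent.
CATEGORIES = ("signature", "acl", "malformed", "stateful", "rate_limit")

# Constructed server-side database: app id -> security info per category plus the
# per-category timer values (seconds). App id and rules are hypothetical.
SERVER_DB = {
    "com.example.bank": {
        "signature": {"block_patterns": [b"<script>", b"../../"]},
        "acl": {"allowed_hosts": ["bank.example.com"]},
        "malformed": {"max_len": 1500},
        "stateful": {"reply_needs_request": True},
        "rate_limit": {"max_per_window": 3, "window_s": 1.0},
        "timers": {"signature": 300, "acl": 600, "malformed": 600,
                   "stateful": 60, "rate_limit": 60},
    }
}


def request_tag(secret: bytes, app_id: str) -> str:
    """Tag the server uses to check the request is genuine (assumed HMAC-SHA256 scheme)."""
    return hmac.new(secret, app_id.encode(), hashlib.sha256).hexdigest()


class FakeClock:
    """Settable clock so timer expiry can be demonstrated deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class NGFirewallServer:
    def __init__(self, db, secret: bytes):
        self.db, self.secret = db, secret
        self.requests_seen = 0  # signalling counter: shows re-requests are per category

    def handle(self, msg: dict) -> dict:
        """Authenticate the request, look up security info by app id, return it with timers."""
        self.requests_seen += 1
        app_id = msg["app_id"]
        if not hmac.compare_digest(msg.get("tag", ""), request_tag(self.secret, app_id)):
            return {"status": "rejected"}
        entry = self.db.get(app_id)
        if entry is None:
            return {"status": "unknown_app"}
        wanted = msg.get("categories") or CATEGORIES
        return {"status": "ok",
                "security_info": {c: entry[c] for c in wanted},
                "timers": {c: entry["timers"][c] for c in wanted}}


class NGFirewallClient:
    def __init__(self, server, secret: bytes, clock=time.monotonic):
        self.server, self.secret, self.clock = server, secret, clock
        self.cache = {}  # app_id -> {category: (info, expiry_time)}
        self.flows = {}  # app_id -> hosts the app has sent to (stateful library state)
        self.sent = {}   # app_id -> send timestamps (rate-limit state)

    def _fetch(self, app_id, categories=None):
        msg = {"app_id": app_id, "tag": request_tag(self.secret, app_id), "categories": categories}
        resp = self.server.handle(msg)
        if resp["status"] != "ok":
            raise RuntimeError(f"NG firewall server refused {app_id}: {resp['status']}")
        now = self.clock()
        self.cache.setdefault(app_id, {})
        for c, info in resp["security_info"].items():
            self.cache[app_id][c] = (info, now + resp["timers"][c])

    def app_started(self, app_id):
        self._fetch(app_id)  # request all security info when the app starts
        self.flows[app_id], self.sent[app_id] = set(), []

    def app_closed(self, app_id):
        for d in (self.cache, self.flows, self.sent):  # clear everything on app close
            d.pop(app_id, None)

    def _info(self, app_id, category):
        """Return one category's info; on timer expiry clear it and re-request only that part."""
        info, expiry = self.cache[app_id][category]
        if self.clock() >= expiry:
            del self.cache[app_id][category]
            self._fetch(app_id, [category])
            info, _ = self.cache[app_id][category]
        return info

    def process(self, app_id, direction, host, payload: bytes) -> str:
        """Apply every category of security information to one packet: 'allow' or 'block:<why>'."""
        if len(payload) > self._info(app_id, "malformed")["max_len"]:
            return "block:malformed"
        if any(p in payload for p in self._info(app_id, "signature")["block_patterns"]):
            return "block:signature"
        if direction == "out":
            if host not in self._info(app_id, "acl")["allowed_hosts"]:
                return "block:acl"
            rl, now = self._info(app_id, "rate_limit"), self.clock()
            recent = [t for t in self.sent[app_id] if now - t < rl["window_s"]]
            if len(recent) >= rl["max_per_window"]:
                return "block:rate_limit"
            self.sent[app_id] = recent + [now]
            self.flows[app_id].add(host)
        elif self._info(app_id, "stateful")["reply_needs_request"] and host not in self.flows[app_id]:
            return "block:stateful"  # inbound data with no matching outbound request
        return "allow"
```

Only the expired category (here the 60 s stateful and rate-limit timers) triggers a new request message; the 300 s and 600 s categories stay cached, which is the signalling reduction the text describes.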

根据本发明的实施例的另一方面,提供了一种NG防火墙客户端,包括:According to another aspect of the embodiments of the present invention, an NG firewall client is provided, including:

发送单元,用于当应用在配置有NG防火墙客户端的终端设备中被启动时,向NG防火墙服务器发送用于请求所述应用的安全信息的请求消息;A sending unit, configured to send a request message for requesting security information of the application to the NG firewall server when the application is started in the terminal device configured with the NG firewall client;

接收单元,用于从所述NG防火墙服务器接收包含所述应用的所述安全信息的响应消息,其中所述应用的所述安全信息表示对所述终端设备中启动的所述应用作安全保护的信息;a receiving unit, configured to receive a response message containing the security information of the application from the NG firewall server, wherein the security information of the application represents the security protection for the application started in the terminal device information;

处理单元,用于通过使用所述应用的所述安全信息处理所述应用的数据。A processing unit for processing data of the application by using the security information of the application.

根据本发明的实施例的另一方面,所述发送单元具体用于,当应用在配置有所述NG防火墙客户端的终端设备中被启动时,向所述NG防火墙服务器发送用于请求所述应用的所述安全信息的所述请求消息;其中所述请求消息包含所述应用的识别信息,以及所述应用的所述识别信息用于所述NG防火墙服务器确定所述应用的所述安全信息。According to another aspect of the embodiments of the present invention, the sending unit is specifically configured to, when the application is started in the terminal device configured with the NG firewall client, send a request for the application to the NG firewall server The request message of the security information; wherein the request message includes identification information of the application, and the identification information of the application is used by the NG firewall server to determine the security information of the application.

根据本发明的实施例的另一方面,所述NG防火墙客户端进一步包括:According to another aspect of the embodiments of the present invention, the NG firewall client further includes:

清除单元,用于当所述应用在所述终端设备中被关闭时,清除所述应用的所述安全信息。A clearing unit, configured to clear the security information of the application when the application is closed in the terminal device.

根据本发明的实施例的另一方面,所述响应消息进一步包括用于维护所述应用的部分或全部安全信息的一个或多个定时器值;以及According to another aspect of the embodiments of the present invention, the response message further includes one or more timer values for maintaining part or all of the security information of the application; and

所述发送单元进一步用于,当对应于所述应用的所述部分安全信息的所述一个或多个定时器值中的一个或多个定时器超时时,重新请求所述应用的所述部分安全信息,或当对应于所述应用的所述全部安全信息的所述一个或多个定时器值中的一个或多个定时器超时时,重新请求所述应用的所述全部安全信息。The sending unit is further configured to re-request the part of the application when one or more of the one or more timer values corresponding to the part of security information of the application expires security information, or when one or more of the one or more timer values corresponding to the all security information of the application expires, re-requesting the all security information of the application.

根据本发明的实施例的另一方面,所述清除单元进一步用于,当对应于所述应用的所述部分安全信息的所述一个或多个定时器值中的一个或多个定时器超时时,清除所述应用的所述部分安全信息,或当对应于所述应用的所述全部安全信息的所述一个或多个定时器值中的一个或多个定时器超时时,清除所述应用的所述全部安全信息。According to another aspect of the embodiments of the present invention, the clearing unit is further configured to, when one or more timers among the one or more timer values corresponding to the partial security information of the application expires Clear the part of the security information of the application from time to time, or clear the All security information for the application.

根据本发明的实施例的另一方面,所述应用的所述安全信息包括以下信息的任意一项或组合:所述应用的报文签名信息、所述应用的接入控制列表信息、所述应用的畸形报文攻击信息、所述应用的有状态防火墙库信息以及所述应用的报文限速策略信息。According to another aspect of the embodiments of the present invention, the security information of the application includes any one or a combination of the following information: message signature information of the application, access control list information of the application, the Malformed packet attack information of the application, stateful firewall library information of the application, and packet rate limit policy information of the application.

根据本发明的实施例的另一方面,所述处理单元具体用于:According to another aspect of the embodiments of the present invention, the processing unit is specifically configured to:

通过使用所述应用的所述报文签名信息处理所述应用的所述数据,或processing the data of the application by using the message signature information of the application, or

通过使用所述应用的所述接入控制列表信息处理所述应用的所述数据,或processing said data of said application by using said access control list information of said application, or

通过使用所述应用的所述畸形攻击信息处理所述应用的所述数据,或processing said data of said application by using said malformed attack information of said application, or

通过使用所述应用的所述状态防火墙库信息处理所述应用的所述数据,或processing said data of said application by using said stateful firewall repository information of said application, or

通过使用所述应用的所述报文限速策略信息处理所述应用的所述数据。Processing the data of the application by using the packet rate limit policy information of the application.

根据本发明的实施例的另一方面,提供了一种NG防火墙服务器,包括:According to another aspect of the embodiments of the present invention, an NG firewall server is provided, including:

接收单元,用于从终端设备接收用于请求应用的安全信息的请求消息,其中所述应用的所述安全信息表示对所述终端设备中启动的所述应用作安全保护的信息;a receiving unit, configured to receive a request message for requesting security information of an application from a terminal device, wherein the security information of the application represents information for security protection of the application started in the terminal device;

第一确定单元,用于根据所述请求消息确定所述应用的所述安全信息;a first determining unit, configured to determine the security information of the application according to the request message;

发送单元,用于向所述终端设备发送包含所述应用的所述安全信息的响应消息。A sending unit, configured to send a response message including the security information of the application to the terminal device.

根据本发明的实施例的另一方面,所述请求消息包括所述应用的识别信息;以及According to another aspect of the embodiments of the present invention, the request message includes identification information of the application; and

所述第一确定单元具体用于根据所述请求消息中包含的所述应用的所述识别信息从数据库中获取所述应用的所述安全信息。The first determining unit is specifically configured to acquire the security information of the application from a database according to the identification information of the application contained in the request message.

根据本发明的实施例的另一方面,所述NG防火墙服务器进一步包括:According to another aspect of the embodiments of the present invention, the NG firewall server further includes:

认证单元,用于认证所述请求消息是否有效;以及an authentication unit, configured to authenticate whether the request message is valid; and

所述发送单元具体用于,当所述请求消息有效时,发送包含所述应用的所述安全信息的所述响应消息给所述终端设备。The sending unit is specifically configured to, when the request message is valid, send the response message including the security information of the application to the terminal device.

根据本发明的实施例的另一方面,所述NG防火墙服务器进一步包括:According to another aspect of the embodiments of the present invention, the NG firewall server further includes:

第二确定单元,用于确定用于维护所述应用的部分或全部安全信息的一个或多个定时器值;a second determining unit, configured to determine one or more timer values for maintaining part or all of the security information of the application;

所述发送单元具体用于发送包含所述应用的所述安全信息的响应消息,以及用于维护所述应用的部分或全部安全信息的一个或多个定时器值给所述终端设备。The sending unit is specifically configured to send a response message including the security information of the application, and one or more timer values for maintaining part or all of the security information of the application to the terminal device.

根据本发明的实施例的另一方面,所述应用的所述安全信息包括以下信息的任意一项或组合:所述应用的报文签名信息、所述应用的接入控制列表信息、所述应用的畸形报文攻击信息、所述应用的有状态防火墙库信息以及所述应用的报文限速策略信息。According to another aspect of the embodiments of the present invention, the security information of the application includes any one or a combination of the following information: message signature information of the application, access control list information of the application, the Malformed packet attack information of the application, stateful firewall library information of the application, and packet rate limit policy information of the application.

根据本发明的实施例的另一方面,提供一种终端设备,包括:According to another aspect of the embodiments of the present invention, a terminal device is provided, including:

处理器和耦合至所述处理器的存储器;a processor and memory coupled to the processor;

其中所述处理器用于:where the processor is used to:

当应用在所述终端设备中被启动时,向NG防火墙服务器发送用于请求所述应用的安全信息的请求消息;When the application is started in the terminal device, sending a request message for requesting the security information of the application to the NG firewall server;

从所述NG防火墙服务器接收包含所述应用的所述安全信息的响应消息,其中所述应用的所述安全信息表示对所述终端设备中启动的所述应用作安全保护的信息;receiving a response message including the security information of the application from the NG firewall server, wherein the security information of the application represents information used as security protection for the application started in the terminal device;

通过使用所述应用的所述安全信息处理所述应用的数据。Data of the application is processed by using the security information of the application.

根据本发明的实施例的另一方面,提供了一种NG防火墙服务器,包括:According to another aspect of the embodiments of the present invention, an NG firewall server is provided, including:

处理器和耦合至所述处理器的存储器;a processor and memory coupled to the processor;

其中所述处理器用于:where the processor is used to:

从终端设备接收用于请求应用的安全信息的请求消息,其中所述应用的所述安全信息表示对所述终端设备中启动的所述应用作安全保护的信息;receiving a request message for requesting security information of an application from a terminal device, wherein the security information of the application represents information for security protection of the application started in the terminal device;

根据所述请求消息确定所述应用的所述安全信息;determining the security information of the application according to the request message;

向所述终端设备发送包含所述应用的所述安全信息的响应消息。Sending a response message including the security information of the application to the terminal device.

根据本发明的实施例的另一方面,提供了一种用于实施NG防火墙的系统,包括:According to another aspect of the embodiments of the present invention, a system for implementing an NG firewall is provided, including:

如上所述的一个或多个终端设备;以及one or more terminal devices as described above; and

如上所述的NG防火墙服务器。NG Firewall server as above.

本发明的实施例的有益效果在于:当应用在终端设备中被启动时,NG防火墙客户端向NG防火墙服务器请求所述应用的安全信息。因此,本发明的实施例可以实现动态加载攻击防范,从而终端设备所需的软件占用空间可以减少,并且安装在终端设备上的应用的性能可以得到提高。The beneficial effect of the embodiment of the present invention is that: when the application is started in the terminal device, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, the embodiment of the present invention can realize dynamic loading attack defense, so that the software occupation space required by the terminal device can be reduced, and the performance of applications installed on the terminal device can be improved.

此外,终端设备将受到保护,免遭来自新应用或服务的新攻击。由于攻击防范的数量直接依赖于用户正在使用的应用的数量,所以信令报文将减少,这样有助于延长移动终端的电池寿命。In addition, end devices will be protected from new attacks from new applications or services. Since the amount of attack defense directly depends on the number of applications being used by the user, signaling packets will be reduced, which helps to extend the battery life of the mobile terminal.

参考以下描述和附图,本发明的这些和其他方面以及特征将显而易见。在描述和附图中,详细揭示了本发明的特定实施例,以指示出本发明的原理可以采用的一些方式,但应理解,本发明并不限于对应的范围。相反,本发明包括所附权利要求书的精神和项内的所有变化、修改以及等效物。These and other aspects and features of the present invention will become apparent with reference to the following description and drawings. In the description and drawings, specific embodiments of the invention have been disclosed in detail to indicate the manner in which the principles of the invention may be employed, but it is to be understood that the invention is not limited to the corresponding scope. Rather, the invention includes all changes, modifications and equivalents within the spirit and terms of the appended claims.

参考一项实施例描述和/或说明的特征可以采用相同方式或类似方式用于一项或多项其他实施例,和/或与其他实施例的特征结合使用或替代这些特征。Features described and/or illustrated with reference to one embodiment may be used in the same or similar manner in one or more other embodiments and/or in combination with or instead of features of other embodiments.

应强调的是,本说明书中所用的术语“包括”用于说明存在所述特征、整体、步骤或部件,但并不排除存在或添加一个或多个其他特征、整体、步骤、部件或上述项的组合。It should be emphasized that the term "comprising" used in this specification is used to describe the existence of the stated features, integers, steps or components, but does not exclude the existence or addition of one or more other features, integers, steps, components or the above-mentioned items. The combination.

参考以下附图可以更好地理解本发明的许多方面。附图中的部件不必按比例绘制,而是将重点放在清晰地说明本发明的原理上。为了有助于说明并描述本发明的一些部分,可以将附图中对应部分的尺寸放大,例如,相对于其他部分而言,使其比根据本发明实际制作的示例性装置大。本发明的一个附图或实施例中描绘的元件和特征可以与一个或多个额外附图或实施例中描绘的元件和特征相结合。此外,在附图中,相同参考编号指代若干视图中的对应部分,并且可以用来指代一项以上实施例中的相同或类似部分。Many aspects of the invention can be better understood with reference to the following figures. The components in the figures are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the invention. To help illustrate and describe some parts of the invention, the dimensions of corresponding parts of the drawings may be exaggerated, eg, relative to other parts, to be larger than an exemplary device actually made according to the invention. Elements and features depicted in one figure or embodiment of the invention may be combined with elements and features depicted in one or more additional figures or embodiments. Furthermore, in the drawings, the same reference numerals designate corresponding parts in the several views, and can be used to refer to the same or similar parts in more than one embodiment.

附图说明Description of drawings

附图被包括在内以提供对本发明的进一步理解,附图构成本说明书的一部分,说明本发明的优选实施例,并且与描述内容一起用于阐明本发明的原理。附图中相同的参考编号始终表示相同的元件。The accompanying drawings, which are included to provide a further understanding of the invention, constitute a part of this specification, illustrate preferred embodiments of the invention, and together with the description serve to explain the principle of the invention. Like reference numbers denote like elements throughout the drawings.

在附图中:In the attached picture:

图1为根据本发明的实施例的用于实施NG防火墙的方法的流程示意图;FIG. 1 is a schematic flow diagram of a method for implementing an NG firewall according to an embodiment of the present invention;

图2为图示关于终端设备和NG防火墙服务器的结构示意图;FIG. 2 is a schematic structural diagram illustrating a terminal device and an NG firewall server;

图3为根据本发明的实施例的用于实施NG防火墙的方法的流程示意图;FIG. 3 is a schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention;

FIG. 4 is another schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention;

FIG. 5 is a schematic flowchart of step 402 according to an embodiment of the present invention;

FIG. 6 is a schematic flowchart of step 403 according to an embodiment of the present invention;

FIG. 7 is a schematic flowchart of step 405 according to an embodiment of the present invention;

FIG. 8 is a schematic flowchart of step 406 according to an embodiment of the present invention;

FIG. 9 is a schematic flowchart of step 407 according to an embodiment of the present invention;

FIG. 10 is a schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention;

FIG. 11 is another schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention;

FIG. 12 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;

FIG. 13 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;

FIG. 14 is a schematic structural diagram of an NG firewall server according to an embodiment of the present invention;

FIG. 15 is another schematic structural diagram of an NG firewall server according to an embodiment of the present invention;

FIG. 16 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;

FIG. 17 is a schematic structural diagram of an NG firewall server according to an embodiment of the present invention;

FIG. 18 is a schematic structural diagram of a system for implementing an NG firewall according to an embodiment of the present invention.

Detailed Description

The many features and advantages of the embodiments are apparent from the detailed description, and thus the appended claims are intended to cover all such features and advantages of the embodiments that fall within their true spirit and scope. Furthermore, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the inventive embodiments to the exact construction and operation illustrated and described; accordingly, all suitable modifications and equivalents that may be resorted to fall within the corresponding scope.

Embodiments of the present invention are described below with reference to the accompanying drawings.

Embodiment 1

This embodiment of the present invention provides a method for implementing an NG firewall; the method is applied in an NG firewall client.

FIG. 1 is a schematic flowchart of a method for implementing an NG firewall according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes:

Step 101: when an application is started in a terminal device configured with an NG firewall client, the NG firewall client sends a request message to an NG firewall server, where the request message is used to request security information of the application.

Step 102: the NG firewall client receives a response message from the NG firewall server, where the security information of the application is carried in the response message; the security information of the application is information indicating the security protection to be applied to the application started in the terminal device.

Step 103: the NG firewall client processes the data of the application by using the security information of the application.

In this embodiment, the NG firewall client may be configured in a terminal device, and the terminal device may be a fixed device or a wireless device, for example, a smartphone or a tablet computer. The application may be social software (for example, Skype or YouTube) and may already be installed in the terminal device. However, this is not limited thereto, and a specific implementation may be determined according to actual needs.

In this embodiment, the NG firewall server has an NG-FW database containing the data or information of the NG firewall. For details of the NG-FW database, reference may be made to the prior art. The NG firewall server may be connected through any interface of the terminal device (for example, a smartphone), such as Bluetooth, a USB port, or any air interface.

In this embodiment, the security information of the application may include: packet signature information of the application, access control list information of the application, malformed-attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application. However, this is not limited thereto, and a specific implementation may be determined according to actual needs.

FIG. 2 is a schematic diagram illustrating an example of the structure of a terminal device and an NG firewall server. It should be noted that the figure is only exemplary; other types of structure may be used to supplement or replace this structure.

As shown in FIG. 2, some applications exist in the terminal device configured with the NG-FW client; meanwhile, the security information of these applications (for example, attack defense data of the applications) exists in the NG-FW server configured with a database.

For example, the database storing the security information of the applications may be configured in the NG-FW server; in other words, the database is a local database of the NG-FW server. In another example, the database storing the security information of the applications may be configured separately, and the NG-FW server may access the database through a communication interface. However, this is not limited thereto.

In this embodiment, an NG-FW is one of the mandatory requirements for a terminal device (a smartphone, etc.) to support BYOD, to access personal financial and strategic business information, and to secure personal information. A smartphone is a battery-operated device and also has limited computing resources.

As the number of mobile VAS (value-added services) grows exponentially, the number of attacks will grow exponentially as well, so the software footprint of the NG-FW, and the use of a complex application framework to handle every type of attack, will be expensive. Clearly, a mobile user will use only a very limited number of applications at the same time.

In this embodiment, for example, the exhaustive NG-FW-based attack defense may be installed on a centralized entity, for example, in the packet core network, in secondary storage, or on a server in the environment. When a smartphone user starts any application, an attack defense request is sent to the NG-FW database. The smartphone then installs the application-specific attack defense, access control list, and application signatures. Every Rx/Tx packet is checked against the newly installed attack defense, so that access control for ingress and egress application traffic is enforced on the smartphone.

It can be seen from the above embodiment that, when an application is started in a terminal device configured with an NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, the embodiment of the present invention can realize dynamic loading of attack defense, so that the software footprint required on the terminal device can be reduced and the performance of the applications installed on the terminal device can be improved.

Embodiment 2

Based on Embodiment 1, this embodiment of the present invention provides a method for implementing an NG firewall; the same content will not be described again.

FIG. 3 is a schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention. As shown in FIG. 3, the method includes:

Step 301: when an application is started in a terminal device configured with an NG firewall client, the NG firewall client sends a request message to an NG firewall server, where the request message is used to request the security information of the application.

In this embodiment, the request message may include identification information of the application, for example, an identifier of the application or the type of the application; the identification information of the application is used by the NG firewall server to determine the security information of the application. However, this is not limited thereto, and a specific implementation may be determined according to actual needs.

Step 302: the NG firewall client receives, from the NG firewall server, a response message containing the security information of the application.

Step 303: the NG firewall client processes the data of the application by using the security information of the application.

As shown in FIG. 3, the method may further include:

Step 304: when the application is closed in the terminal device, the NG firewall client clears the security information of the application.

In this embodiment, once the smartphone ends or closes the application (for example, Skype), the security information of the application (for example, all installed and downloaded data, the application access list, and the signatures) is cleared.

FIG. 4 is another schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention. The terminal device is configured with an NG-FW client. As shown in FIG. 4, the method may include:

Step 401: enabling the NG firewall function in the terminal device.

Step 402: configuring the IP address and port number of the NG firewall server in the terminal device.

In this step, the terminal device may generate the request message based on the IP address and port number of the NG firewall server.

Step 403: when an application is started in the terminal device, the terminal device sends a request message to the NG firewall server, where the request message is used to request the security information of the application and includes the identification information of the application.

Step 404: after receiving the request message, the NG firewall server determines the security information of the application according to the identification information of the application contained in the request message.

In this embodiment, the NG-FW server may send a response message to the terminal device, with the security information of the application contained in the response message.

In addition, one or more timer values for retaining part or all of the security information of the application may be contained in the response message.

For example, the response message may carry a single timer value for all of the security information of the application; or it may carry one timer value for the packet signature information of the application, another timer value for the access control list information of the application, and another timer value for the malformed-attack information of the application. However, this is not limited thereto, and a specific implementation may be determined according to actual needs.

Step 405: the NG firewall client receives, from the NG firewall server, the response message containing the security information of the application.

Step 406: the NG firewall client processes the data of the application by using the security information of the application.

In this embodiment, when one or more of the timers corresponding to the one or more timer values for part of the security information of the application expire, the terminal device may re-request that part of the security information of the application.

Alternatively, when one or more of the timers corresponding to the one or more timer values for all of the security information of the application expire, the terminal device may re-request all of the security information of the application.

For example, if the response message carries a timer value A for all of the security information of the application, then when the timer corresponding to timer value A expires, the terminal device may re-request all of the security information of the application.

For another example, if the response message carries three timer values, a timer value B for the packet signature information of the application, a timer value C for the access control list information of the application, and a timer value D for the malformed-attack information of the application, then when the timer corresponding to timer value B expires, the terminal device may re-request the packet signature information of the application; when the timer corresponding to timer value C expires, the terminal device may re-request the access control list information of the application; and when the timer corresponding to timer value D expires, the terminal device may re-request the malformed-attack information of the application.

As shown in FIG. 4, the method may further include:

Step 407: when the application is closed in the terminal device, the terminal device clears the security information of the application.

In this step, the terminal device may also clear the security information of the application based on a timer: the terminal device clears the security information of the application when the timer expires.

For example, when one or more of the timers corresponding to the one or more timer values for part of the security information of the application expire, the terminal device may clear that part of the security information of the application. Alternatively, when one or more of the timers corresponding to the one or more timer values for all of the security information of the application expire, the terminal device may clear all of the security information of the application.

In step 401, the NG-FW client (which provides the NG firewall function) is enabled on the terminal device. The user of the terminal device may be allowed to choose, per application, whether to enable the NG-FW attack defense for that application. By default, no application is allowed to download from the NG-FW server.

In step 402, the NG firewall server information, for example the port number and IP address of the NG firewall server, may be configured by the user in the terminal device. In addition, the timer values for retaining the security information of the application may be configured by the user in the terminal device.

In this embodiment, the security information of the application may include any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed-attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.

Different timer values may be used for retaining any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed-attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.

Alternatively, the same timer value may be used for retaining any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed-attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.

In this embodiment, the process of processing the data of the application by using the security information of the application may include: processing the data of the application by using the packet signature information of the application, or by using the access control list information of the application, or by using the malformed-attack information of the application, or by using the stateful firewall library information of the application, or by using the packet rate-limiting policy information of the application.
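The patent names the five kinds of security information but does not say how a client would apply them to traffic. As an added illustration (not code from the patent or from any NG-FW product), the following Python sketch shows one way an NG-FW client's data plane could run each Rx/Tx packet of one application through the access control list, the malformed-packet rules, the packet signatures, a stateful pinhole table, and a rate limit, returning a verdict per packet. The data structures, rule layouts, the sample policy, and the sample packets are all assumptions constructed for this example.

```python
"""Added example (not from the patent): per-application data-plane checks in an NG-FW
client. Field names, rule layouts and the sample policy/packets are assumptions."""
from __future__ import annotations

import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "tx": sent by the application, "rx": delivered to the application
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass
class AppSecurityInfo:
    app_id: str
    signatures: list[bytes]        # attack payload patterns; a match drops the packet
    acl: list[tuple]               # (direction|"any", cidr, remote port|None, "allow"|"deny"); first match wins
    malformed: dict                # malformed-packet rules: maximum payload length, allowed protocols
    rate_limit: tuple[int, float]  # (max tx packets, window in seconds)
    stateful: bool = True          # rx traffic admitted only for a flow the application opened


class NGFWClientDataPlane:
    def __init__(self, info: AppSecurityInfo, clock=time.monotonic):
        self.info, self.clock = info, clock
        self.flows: set[tuple[str, int, str]] = set()   # (remote ip, remote port, proto) opened by tx
        self.tx_times: list[float] = []

    def _remote(self, pkt: Packet) -> tuple[str, int]:
        return (pkt.dst, pkt.dport) if pkt.direction == "tx" else (pkt.src, pkt.sport)

    def _acl_verdict(self, pkt: Packet) -> str:
        rip, rport = self._remote(pkt)
        for direction, cidr, port, action in self.info.acl:
            if direction in (pkt.direction, "any") and ip_address(rip) in ip_network(cidr) \
                    and (port is None or port == rport):
                return action
        return "deny"   # no matching rule: default deny

    def process(self, pkt: Packet) -> str:
        if self._acl_verdict(pkt) != "allow":                       # 1. access control list
            return "drop:acl"
        if len(pkt.payload) > self.info.malformed.get("max_payload", 65535) \
                or pkt.proto not in self.info.malformed.get("protocols", {pkt.proto}):
            return "drop:malformed"                                 # 2. malformed-packet rules
        if any(sig in pkt.payload for sig in self.info.signatures):
            return "drop:signature"                                 # 3. packet signatures
        rip, rport = self._remote(pkt)
        if pkt.direction == "rx":                                   # 4. stateful firewall: reply only
            if self.info.stateful and (rip, rport, pkt.proto) not in self.flows:
                return "drop:state"
            return "allow"
        now, (limit, window) = self.clock(), self.info.rate_limit  # 5. tx rate limit (sliding window)
        self.tx_times = [t for t in self.tx_times if now - t < window]
        if len(self.tx_times) >= limit:
            return "drop:rate"
        self.tx_times.append(now)
        self.flows.add((rip, rport, pkt.proto))                     # open the pinhole for the reply
        return "allow"


# Constructed sample policy for one application; not a real vendor policy.
SAMPLE_INFO = AppSecurityInfo(
    app_id="com.skype.raider",
    signatures=[b"\x90" * 16, b"../../etc/passwd"],
    acl=[("tx", "203.0.113.0/24", 443, "allow"),
         ("rx", "203.0.113.0/24", None, "allow"),
         ("any", "0.0.0.0/0", None, "deny")],
    malformed={"max_payload": 1400, "protocols": {"tcp", "udp"}},
    rate_limit=(3, 1.0),
)


def run_demo() -> list[str]:
    """Feed constructed packets through the data plane with a fake clock; returns the verdicts."""
    now = [0.0]
    dp = NGFWClientDataPlane(SAMPLE_INFO, clock=lambda: now[0])
    local = ("10.0.0.5", 50000)
    tx = lambda dst, dport, payload: Packet("tx", *local, dst, dport, "tcp", payload)
    rx = lambda src, sport, payload: Packet("rx", src, sport, *local, "tcp", payload)
    packets = [
        tx("203.0.113.10", 443, b"GET / HTTP/1.1"),    # allowed, opens a flow
        rx("203.0.113.10", 443, b"HTTP/1.1 200 OK"),   # allowed: reply to the open flow
        rx("198.51.100.7", 443, b"hello"),             # drop:acl (outside the allowed range)
        rx("203.0.113.99", 8080, b"unsolicited"),      # drop:state (no flow opened by the app)
        tx("203.0.113.10", 443, b"\x90" * 32),         # drop:signature
        tx("203.0.113.10", 443, b"A" * 2000),          # drop:malformed (payload too long)
        tx("203.0.113.10", 443, b"1"),                 # allowed (2nd tx in the window)
        tx("203.0.113.10", 443, b"2"),                 # allowed (3rd tx in the window)
        tx("203.0.113.10", 443, b"3"),                 # drop:rate (limit is 3 per second)
    ]
    verdicts = [dp.process(p) for p in packets]
    now[0] = 1.5                                       # window elapsed, rate limiter admits again
    verdicts.append(dp.process(tx("203.0.113.10", 443, b"4")))
    return verdicts
```

The check order is a design choice, not something the patent fixes: cheap, stateless checks (ACL, length, signature) run before the stateful table and the rate limiter so that dropped packets never consume flow or rate-limit state. Because this information is installed per application and cleared when the application closes (step 304), the flow table and rate-limit window here are owned by the per-application object rather than a device-wide table.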

FIG. 5 is a schematic flowchart of step 402 according to an embodiment of the present invention. As shown in FIG. 5, the terminal device determines whether there is any change to the existing policy; for example, it determines whether the security configuration is the default configuration (step 501).

When the configuration is not the default configuration, the port number and IP address are configured in the terminal device (step 502). In addition, the timers for retaining the security information of the application may be configured.

In step 403, for example, the user of the terminal device starts an application such as "Skype" for social activity. An event is sent to the NG-FW client running on the terminal device. The terminal device generates a request message to request the security information of the application. The request message may be based on any transport mechanism.

In an implementation, the security information of the application may include: packet signature information of the application, access control list information of the application, malformed-attack information of the application, stateful firewall library information of the application, packet rate-limiting policy information of the application, and so on.

FIG. 6 is a schematic flowchart of step 403 according to an embodiment of the present invention. As shown in FIG. 6, the terminal device may determine whether the security information is the default configuration (step 601). When the configuration is not the default configuration, the terminal device may trigger an event (step 602), for example, send a message to the NG-FW client configured in the terminal device.

Then, the terminal device may determine whether the NG-FW database exists for the application (step 603). When the NG-FW database exists for the application, the terminal device sends a request message requesting the security information of the application (step 604).

As shown in FIG. 6, the terminal device may determine whether a timeout has occurred or whether an acknowledgement message has been received (step 605); if not, the terminal device continues to download the security information of the application and to update the existing policy (step 606). Then the existing application policy and security mechanism (that is, the attack defense mechanism) are used (step 607).

In step 403, the request message may be generated based on UDP (User Datagram Protocol) as the transport protocol. The format of the request message is as follows.

In step 405, the NG firewall server sends the security information of the application, for example, all attack defense policies, NG-FW applications, and signatures.

FIG. 7 is a schematic flowchart of step 405 according to an embodiment of the present invention. As shown in FIG. 7, the NG firewall server receives a request message from the terminal device (step 701). Then, the NG firewall server may determine whether the terminal device is authenticated (step 702).

As shown in FIG. 7, when the terminal device is authenticated as a valid user, the NG firewall server determines the security information of the application (step 703), for example, the latest attack defense policies and libraries. Then, the NG firewall server may determine whether the NG-FW database exists for the application (step 704). When the NG-FW database exists for the application, the NG firewall server sends the security information of the application (for example, application-specific attack defense and updated existing policies) to the terminal device (step 705). Then, the NG firewall server may send an acknowledgement message (step 706).

In step 405, the response message containing the security information of the application may be generated based on UDP as the transport protocol. The format of the response message is as follows.

In step 406, the terminal device downloads the NG-FW application and installs the application access list and signatures in the data plane. Any packet received by or sent from the application on the terminal device is processed by the security information of the application.

FIG. 8 is a schematic flowchart of step 406 according to an embodiment of the present invention. As shown in FIG. 8, the terminal device receives the security information of the application, for example application-specific attack defense, from the NG-FW server (step 801). Then, the terminal device determines whether the NG firewall server is authenticated (step 802). When the NG firewall server is authenticated, the terminal device downloads all of the security information of the application, for example all attack defense mechanisms. This check is what keeps policy from an unauthenticated sender out of the data plane: the downloaded information governs every packet of the application, so it must be installed only after the server has been authenticated.

In step 407, once the user of the terminal device ends or closes the application (for example, Skype), the security information of the application (including all installed and downloaded application access lists and signatures) is cleared.

FIG. 9 is a schematic flowchart of step 407 according to an embodiment of the present invention. As shown in FIG. 9, the terminal device may further determine whether it has timed out (step 901); when it has timed out, the terminal device sends a message to clear the downloaded data (step 902).

It can be seen from the above embodiment that, when an application is started in a terminal device configured with an NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, the embodiment of the present invention can realize dynamic loading of attack defense, so that the software footprint required on the terminal device can be reduced and the performance of the applications installed on the terminal device can be improved.

In addition, the terminal device is protected against new attacks from new applications or services. Since the amount of attack defense depends directly on the number of applications the user is using, signaling packets are reduced, which helps extend the battery life of the mobile terminal.

Embodiment 3

This embodiment of the present invention provides a method for implementing an NG firewall; the method is applied in an NG firewall server. This embodiment corresponds to Embodiment 1 or 2 above, and the same content will not be described again.

FIG. 10 is a schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention. As shown in FIG. 10, the method includes:

Step 1001: the NG firewall server receives a request message from a terminal device, where the request message is used to request the security information of an application; the security information of the application is information indicating the security protection to be applied to the application started in the terminal device.

Step 1002: the NG firewall server determines the security information of the application according to the request message.

Step 1003: the NG firewall server sends a response message containing the security information of the application to the terminal device.

In this embodiment, the security information of the application includes: packet signature information of the application, access control list information of the application, malformed-attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application. However, this is not limited thereto, and a specific implementation may be determined according to actual needs.

FIG. 11 is another schematic flowchart of a method for implementing an NG firewall according to an embodiment of the present invention. As shown in FIG. 11, the method includes:

Step 1101: the NG firewall server receives a request message from the terminal device, where the request message is used to request the security information of an application; the security information of the application is information indicating the security protection to be applied to the application started in the terminal device.

Step 1103: the NG firewall server determines the security information of the application according to the request message.

In this embodiment, the process of determining the security information of the application according to the request message may include: obtaining the security information of the application from a database according to the identification information of the application contained in the request message.

For example, the database storing the security information of the applications may be configured in the NG-FW server; in other words, the database is a local database of the NG-FW server. In another example, the database storing the security information of the applications may be configured separately, and the NG-FW server may access the database through a communication interface. However, this is not limited thereto.

Step 1104: the NG firewall server sends a response message containing the security information of the application to the terminal device.

As shown in FIG. 11, the method may further include:

Step 1102: the NG firewall server authenticates whether the request message is valid. When the request message is valid, the process of sending the response message containing the security information of the application to the terminal device is performed.

In this embodiment, one or more timer values for retaining part or all of the security information of the application may be contained in the response message.

The method may further include: determining one or more timer values for retaining part or all of the security information of the application; and sending the response message containing the security information of the application to the terminal device (step 1104) may include: sending, to the terminal device, the response message containing the security information of the application together with the one or more timer values for retaining part or all of the security information of the application.

It should be noted that, in the above network environment, the security information of the application sent back by the NG-FW server may differ for different applications of the terminal device. Alternatively, the NG-FW server may send back different security information for different request messages of the terminal device. However, this is not limited thereto, and a specific implementation may be determined according to actual needs.
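The client-side procedure of FIG. 4 (steps 401 to 407, Embodiment 2) and the server-side procedure of FIG. 11 (steps 1101 to 1104, Embodiment 3) are two halves of one exchange. The following Python simulation, added here as an illustration and not taken from the patent or from any Huawei implementation, runs both halves in one process: the client sends a request carrying the application identifier, the server authenticates the request (steps 702 and 1102), looks the identifier up in its database (steps 703 and 704), and returns the security information with a timer value per category; the client authenticates the response before installing anything (step 802), re-requests only the categories whose timers have expired, and clears everything when the application closes (step 407). The message layout, the shared-key HMAC standing in for the two authentication steps, the database contents, and the timer values are assumptions; the patent does not specify any of them. The rogue server at the end shows what the step 802 check buys: a permissive ACL from a party without the key is never installed.

```python
"""Added example (not the patent's code): simulation of the FIG. 4 / FIG. 11 exchange. Message
layout, the shared-key HMAC for steps 702/1102 and 802, database contents and timers are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import json

SHARED_KEY = b"constructed-shared-key"   # assumption: client and server share one key


def seal(body: dict) -> dict:
    """Attach an HMAC so the receiving side can authenticate the sender."""
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()}


def verify(msg: dict) -> bool:
    data = json.dumps(msg.get("body", {}), sort_keys=True).encode()
    expected = hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(str(msg.get("mac", "")), expected)


# Constructed NG-FW database: each category of security information carries its own timer
# (the timer values B, C, D of the text), keyed by the application identifier.
NGFW_DB = {
    "com.skype.raider": {
        "signature":  {"data": ["90" * 16], "timer": 300},
        "acl":        {"data": [["tx", "203.0.113.0/24", 443, "allow"]], "timer": 600},
        "malformed":  {"data": {"max_payload": 1400}, "timer": 300},
        "stateful":   {"data": True, "timer": 600},
        "rate_limit": {"data": [50, 1.0], "timer": 600},
    }
}


class NGFWServer:
    def handle(self, request: dict) -> dict:
        if not verify(request):                                    # step 702 / 1102: authenticate terminal
            return seal({"status": "unauthenticated"})
        app_id = request["body"]["app_id"]
        entry = NGFW_DB.get(app_id)                                # step 703: look up by identification info
        if entry is None:                                          # step 704: no database entry for the app
            return seal({"status": "no-entry", "app_id": app_id})
        wanted = request["body"].get("categories") or list(entry)  # partial re-request, or everything
        info = {c: entry[c] for c in wanted if c in entry}
        return seal({"status": "ok", "app_id": app_id, "security_info": info})   # step 705


class RogueServer:
    """Does not hold the key; its permissive ACL must never reach the data plane (step 802)."""
    def handle(self, request: dict) -> dict:
        acl = {"data": [["any", "0.0.0.0/0", None, "allow"]], "timer": 10**9}
        return {"body": {"status": "ok", "app_id": request["body"]["app_id"],
                         "security_info": {"acl": acl}}, "mac": "00"}


class NGFWClient:
    def __init__(self, server, clock):
        self.server, self.clock = server, clock
        self.installed: dict[str, dict[str, dict]] = {}   # app_id -> category -> {data, expires}

    def _fetch(self, app_id: str, categories: list[str] | None) -> bool:
        resp = self.server.handle(seal({"app_id": app_id, "categories": categories}))  # step 403
        if not verify(resp) or resp["body"]["status"] != "ok":     # step 802: authenticate before install
            return False
        now, store = self.clock(), self.installed.setdefault(app_id, {})
        for cat, item in resp["body"]["security_info"].items():   # step 406: install, start its timer
            store[cat] = {"data": item["data"], "expires": now + item["timer"]}
        return True

    def on_app_start(self, app_id: str) -> bool:
        return self._fetch(app_id, None)

    def tick(self, app_id: str) -> list[str]:
        """Timer handling: expired categories are cleared and re-requested individually."""
        now, store = self.clock(), self.installed.get(app_id, {})
        expired = sorted(c for c, v in store.items() if v["expires"] <= now)
        for c in expired:
            del store[c]
        if expired:
            self._fetch(app_id, expired)
        return expired

    def on_app_close(self, app_id: str) -> None:                   # step 407: clear everything
        self.installed.pop(app_id, None)


def run_demo() -> dict:
    now = [0.0]
    client, app = NGFWClient(NGFWServer(), clock=lambda: now[0]), "com.skype.raider"
    out = {"started": client.on_app_start(app), "categories": sorted(client.installed[app])}
    now[0] = 301.0                                    # 300 s timers expired, 600 s timers still running
    out["expired_at_301"] = client.tick(app)
    out["signature_expires"] = client.installed[app]["signature"]["expires"]
    out["unknown_app"] = client.on_app_start("com.example.unknown")
    out["rogue_accepted"] = NGFWClient(RogueServer(), clock=lambda: now[0]).on_app_start(app)
    client.on_app_close(app)
    out["after_close"] = app in client.installed
    return out
```

Calling `run_demo()` walks through one start, one partial expiry and re-request, a request for an application the database does not know, a forged response, and the close. The text leaves the transport as UDP with an unspecified message format; whatever carries the messages, the authentication in steps 702 and 802 has to bind the response to the server's identity, since an unauthenticated UDP reply could otherwise install an arbitrary policy for the application.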

It can be seen from the above embodiment that, when an application is started in a terminal device configured with an NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, the embodiment of the present invention can realize dynamic loading of attack defense, so that the software footprint required on the terminal device can be reduced and the performance of the applications installed on the terminal device can be improved.

Embodiment 4

This embodiment of the present invention further provides an NG firewall client configured in a terminal device. The embodiment corresponds to the method of Embodiment 1 above, and content that is the same is not described again.

FIG. 12 is a schematic structural diagram of an NG firewall client according to an embodiment of the present invention. As shown in FIG. 12, the NG firewall client 1200 includes a sending unit 1201, a receiving unit 1202 and a processing unit 1203. The other components of the NG firewall client may follow the prior art and are not described in the present invention. The embodiment is not limited to this, and the specific implementation can be determined according to actual needs.

The sending unit 1201 is configured to send a request message requesting the application's security information when an application is started on a terminal device configured with the NG firewall client; the receiving unit 1202 is configured to receive a response message containing the application's security information; and the processing unit 1203 is configured to process the application's data by using the application's security information.

In this embodiment, the sending unit 1201 may specifically be configured to send, when an application is started on the terminal device configured with the NG firewall client, a request message requesting the application's security information to the NG firewall server, where the request message contains the application's identification information, and the NG firewall server uses the application's identification information to determine the application's security information.

It can be seen from the above embodiments that when an application is started on a terminal device configured with the NG firewall client, the NG firewall client requests the application's security information from the NG firewall server. The embodiments of the present invention therefore achieve dynamically loaded attack defence, so that the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.

Embodiment 5

This embodiment of the present invention further provides an NG firewall client configured in a terminal device. The embodiment corresponds to the method of Embodiment 2 above, and content that is the same is not described again.

FIG. 13 is a schematic structural diagram of an NG firewall client according to an embodiment of the present invention. As shown in FIG. 13, the NG firewall client 1300 includes a sending unit 1201, a receiving unit 1202 and a processing unit 1203, as described in Embodiment 4 above.

As shown in FIG. 13, the NG firewall client 1300 may further include a clearing unit 1304. The clearing unit 1304 is configured to clear the application's security information when the application is closed on the terminal device.

As shown in FIG. 13, the NG firewall client 1300 may further include an enabling unit 1305, a configuring unit 1306 and a generating unit 1307. The enabling unit 1305 is configured to enable the NG firewall function; the configuring unit 1306 is configured to configure the IP address and port number of the NG firewall server; and the generating unit 1307 is configured to generate the request message.

In this embodiment, the response message may further include one or more timer values for holding part or all of the application's security information; and the sending unit is further configured to re-request part of the application's security information when one or more of the timers corresponding to that part of the security information expire, or to re-request all of the application's security information when one or more of the timers corresponding to all of the application's security information expire.

In this embodiment, the clearing unit may further be configured to clear part of the application's security information when one or more of the timers corresponding to that part of the security information expire, or to clear all of the application's security information when one or more of the timers corresponding to all of the application's security information expire.

In this embodiment, the application's security information may include any one or a combination of the following: the application's message signature information, the application's access control list information, the application's malformed-attack information, the application's stateful firewall library information, and the application's packet rate-limit policy information.

The processing unit 1203 may specifically be configured to process the application's data by using the application's message signature information, or by using the application's access control list information, or by using the application's malformed-attack information, or by using the application's stateful firewall library information, or by using the application's packet rate-limit policy information.

It can be seen from the above embodiments that when an application is started on a terminal device configured with the NG firewall client, the NG firewall client requests the application's security information from the NG firewall server. The embodiments of the present invention therefore achieve dynamically loaded attack defence, so that the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.

In addition, the terminal device is protected from new attacks that come with new applications or services. Because the amount of attack defence depends directly on the number of applications the user is actually using, signalling messages are reduced, which helps to extend the battery life of the mobile terminal.

Embodiment 6

This embodiment of the present invention further provides an NG firewall server. The embodiment corresponds to the method of Embodiment 3 above, and content that is the same is not described again.

FIG. 14 is a schematic structural diagram of an NG firewall server according to an embodiment of the present invention. As shown in FIG. 14, the NG firewall server 1400 includes a receiving unit 1401, a first determining unit 1402 and a sending unit 1403. The other components of the NG firewall server may follow the prior art and are not described in the present invention. The embodiment is not limited to this, and the specific implementation can be determined according to actual needs.

The receiving unit 1401 is configured to receive from the terminal device a request message requesting an application's security information; the first determining unit 1402 is configured to determine the application's security information according to the request message; and the sending unit 1403 is configured to send a response message containing the application's security information to the terminal device.

FIG. 15 is another schematic diagram of an NG firewall server according to an embodiment of the present invention. As shown in FIG. 15, the NG firewall server 1500 includes a receiving unit 1401, a first determining unit 1402 and a sending unit 1403, as described in the embodiment above.

In this embodiment, the request message may include the application's identification information; and the first determining unit 1402 is specifically configured to obtain the application's security information from a database according to the application's identification information contained in the request message.

As shown in FIG. 15, the NG firewall server 1500 may further include an authentication unit 1503, which is configured to authenticate whether the request message is valid. The sending unit 1403 is specifically configured to send the response message containing the application's security information to the terminal device only when the request message is valid.

In this embodiment, the NG firewall server 1500 may further include a second determining unit 1504, configured to determine one or more timer values for holding part or all of the application's security information.

The sending unit 1403 is specifically configured to send to the terminal device a response message containing the application's security information together with the one or more timer values for holding part or all of the application's security information.

In this embodiment, the application's security information may include any one or a combination of the following: the application's message signature information, the application's access control list information, the application's malformed-attack information, the application's stateful firewall library information, and the application's packet rate-limit policy information.
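The client behaviour of Embodiment 5 (request on start, clear on close, per-timer re-request and clearing) and the server behaviour of Embodiment 6 (authenticate the request, look the application up by its identification information, attach timer values) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from the patent or from Huawei; the JSON message layout, the per-category timer values, the pre-shared-key HMAC used to validate requests, the sample database contents and the `com.example.mail` identifier are all assumptions made for the illustration, since the patent fixes none of them.

```python
import hashlib
import hmac
import json

# Constructed sample database, keyed by the application's identification
# information (here a package-style name; the patent does not fix a format).
SECURITY_DB = {
    "com.example.mail": {
        "signature":  ["MAIL-SIG-0001"],                        # message signature information
        "acl":        [{"dst": "203.0.113.10", "dport": 993, "action": "allow"}],
        "malformed":  ["reject-oversized-header"],              # malformed-attack information
        "stateful":   ["tcp-strict"],                           # stateful firewall library
        "rate_limit": {"pps": 200},                             # packet rate-limit policy
    },
}
# Assumed per-category timer values (seconds) for holding each part of the information.
TIMERS = {"signature": 3600, "acl": 600, "malformed": 3600, "stateful": 1800, "rate_limit": 300}
SHARED_KEY = b"constructed-demo-key"  # assumption: pre-shared key for request authentication


def _mac(body):
    return hmac.new(SHARED_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def build_request(app_id, client_id, categories=None):
    """Client side: request message carrying the application's identification information."""
    body = {"type": "REQ", "client_id": client_id, "app_id": app_id, "categories": categories}
    return {"body": body, "mac": _mac(body)}


def handle_request(msg):
    """Server side: authenticate the request, look the application up, attach timer values."""
    body = msg["body"]
    if not hmac.compare_digest(msg.get("mac", ""), _mac(body)):
        return {"type": "RSP", "status": "invalid"}             # authentication unit rejects
    info = SECURITY_DB.get(body["app_id"])
    if info is None:
        return {"type": "RSP", "status": "unknown-app"}
    wanted = body["categories"] or list(info)                   # partial or full information
    return {"type": "RSP", "status": "ok", "app_id": body["app_id"],
            "security_info": {c: info[c] for c in wanted if c in info},
            "timers": {c: TIMERS[c] for c in wanted if c in TIMERS}}


class NgFwClient:
    """Terminal-side client: caches security information per running application."""

    def __init__(self, client_id, transport, now=0):
        self.client_id, self.transport, self.now = client_id, transport, now
        self.cache = {}      # app_id -> {category: (info, expiry_time)}
        self.requests = 0    # signalling messages sent, for the reader to observe

    def _fetch(self, app_id, categories=None):
        self.requests += 1
        rsp = self.transport(build_request(app_id, self.client_id, categories))
        if rsp.get("status") != "ok":
            return False
        entry = self.cache.setdefault(app_id, {})
        for cat, val in rsp["security_info"].items():
            entry[cat] = (val, self.now + rsp["timers"][cat])
        return True

    def on_app_start(self, app_id):
        return self._fetch(app_id)

    def on_app_close(self, app_id):
        self.cache.pop(app_id, None)      # clearing unit: drop all of the application's information

    def advance(self, seconds):
        """Advance the clock; categories whose timer expired are cleared, then re-requested."""
        self.now += seconds
        for app_id, entry in list(self.cache.items()):
            expired = [c for c, (_, exp) in entry.items() if exp <= self.now]
            if expired:
                for c in expired:
                    del entry[c]              # clear the expired part first
                self._fetch(app_id, expired)  # then re-request only that part

    def cached_categories(self, app_id):
        return sorted(self.cache.get(app_id, {}))


if __name__ == "__main__":
    client = NgFwClient("device-1", handle_request)
    client.on_app_start("com.example.mail")
    client.advance(400)          # the 300 s rate_limit timer expires and only that part is re-requested
    print(client.cached_categories("com.example.mail"), client.requests)
    client.on_app_close("com.example.mail")
    print(client.cached_categories("com.example.mail"))
```

Two design points a defender should notice: the server answers only requests whose MAC verifies, so a forged or replayed-with-tampering request cannot pull policy out of the database, and the client re-requests only the categories whose timers expired, which is the signalling reduction the patent relies on for battery life.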

It can be seen from the above embodiments that when an application is started on a terminal device configured with the NG firewall client, the NG firewall client requests the application's security information from the NG firewall server. The embodiments of the present invention therefore achieve dynamically loaded attack defence, so that the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.

In addition, the terminal device is protected from new attacks that come with new applications or services. Because the amount of attack defence depends directly on the number of applications the user is actually using, signalling messages are reduced, which helps to extend the battery life of the mobile terminal.

Embodiment 7

This embodiment of the present invention further provides a terminal device configured with an NG-FW client. The embodiment corresponds to the methods of Embodiments 1 and 2 above, and content that is the same is not described again.

In this embodiment, the terminal device includes a processor and a memory coupled to the processor.

FIG. 16 is a schematic structural diagram of a terminal device according to an embodiment of the present invention. As shown in FIG. 16, there is a processor 41 and a memory 42 coupled to the processor 41.

The memory 42 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions.

The processor 41 is configured to: when an application is started on the terminal device, send a request message requesting the application's security information to the NG firewall server; receive from the NG firewall server a response message containing the application's security information; and process the application's data by using the application's security information.

The memory 42 may include high-speed RAM and non-volatile memory. The processor 41 may be a central processing unit (CPU), or may be an application-specific integrated circuit (ASIC), or may be configured as one or more ASICs.

According to the terminal device above, the request message contains the application's identification information, and the NG firewall server uses the application's identification information to determine the application's security information.

According to the terminal device above, the processor 41 is further configured to clear the application's security information when the application is closed on the terminal device.

According to the terminal device above, the response message further includes one or more timer values for holding part or all of the application's security information.

The processor 41 is further configured to re-request part of the application's security information when one or more of the timers corresponding to that part of the security information expire, or to re-request all of the application's security information when one or more of the timers corresponding to all of the application's security information expire.

According to the terminal device above, the processor 41 is further configured to clear part of the application's security information when one or more of the timers corresponding to that part of the security information expire, or to clear all of the application's security information when one or more of the timers corresponding to all of the application's security information expire.

According to the terminal device above, the application's security information includes any one or a combination of the following: the application's message signature information, the application's access control list information, the application's malformed-attack information, the application's stateful firewall library information, and the application's packet rate-limit policy information.

According to the terminal device above, different timer values are used to hold any one or a combination of the following: the application's message signature information, the application's access control list information, the application's malformed-attack information, the application's stateful firewall library information, and the application's packet rate-limit policy information; alternatively, the same timer value is used to hold any one or a combination of the following: the application's message signature information, the application's access control list information, the application's malformed-attack information, the application's stateful firewall library information, and the application's packet rate-limit policy information.

According to the terminal device above, in the step of processing the application's data by using the application's security information, the processor 41 is further configured to process the application's data by using the application's message signature information, or by using the application's access control list information, or by using the application's malformed-attack information, or by using the application's stateful firewall library information, or by using the application's packet rate-limit policy information.
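The patent lists five categories of security information that the processing unit (Embodiment 5) or the processor 41 (this embodiment) applies to the application's data, but does not say how. The block below is an added example, not the patent's or Huawei's code, of one way a terminal-side client could apply all five to a stream of the application's packets: a first-match ACL on the remote endpoint, a payload-size rule standing in for malformed-attack information, byte-pattern matching standing in for message signature information, an "inbound must belong to an outbound-opened flow" rule standing in for the stateful firewall library, and a sliding one-second window for the packet rate limit. The rule formats, the order of the checks, the packet dictionary layout and the packet trace are all constructed assumptions for this illustration.

```python
from collections import deque

# Constructed security information for one application, using the five
# categories the patent lists; the rule formats are assumptions for this example.
APP_SECURITY_INFO = {
    "signature":  [b"CONSTRUCTED-ATTACK-PATTERN"],         # message signature information
    "acl":        [{"remote": "203.0.113.10", "rport": 993, "action": "allow"},
                   {"remote": "203.0.113.10", "rport": 443, "action": "allow"},
                   {"remote": "*", "rport": "*", "action": "deny"}],
    "malformed":  {"max_payload": 1400},                    # malformed-attack information
    "stateful":   {"require_established": True},            # stateful firewall library
    "rate_limit": {"pps": 3},                               # packet rate-limit policy
}


class AppDataProcessor:
    """Applies one application's security information to that application's packets."""

    def __init__(self, info):
        self.info = info
        self.established = set()   # (remote, rport) flows opened by outbound traffic
        self.window = deque()      # timestamps of packets allowed in the last second

    def _acl_action(self, pkt):
        # First matching rule wins; no match means deny.
        for rule in self.info.get("acl", []):
            if rule["remote"] in ("*", pkt["remote"]) and rule["rport"] in ("*", pkt["rport"]):
                return rule["action"]
        return "deny"

    def process(self, pkt):
        """Return 'allow' or 'drop:<reason>' for one packet of the application."""
        if self._acl_action(pkt) != "allow":
            return "drop:acl"
        if len(pkt["payload"]) > self.info["malformed"]["max_payload"]:
            return "drop:malformed"
        if any(sig in pkt["payload"] for sig in self.info.get("signature", [])):
            return "drop:signature"
        flow = (pkt["remote"], pkt["rport"])
        if (pkt["dir"] == "in" and self.info["stateful"]["require_established"]
                and flow not in self.established):
            return "drop:stateful"
        now = pkt["t"]
        while self.window and now - self.window[0] >= 1.0:   # slide the one-second window
            self.window.popleft()
        if len(self.window) >= self.info["rate_limit"]["pps"]:
            return "drop:rate"
        self.window.append(now)
        if pkt["dir"] == "out":
            self.established.add(flow)      # outbound traffic opens the flow for replies
        return "allow"


def _pkt(t, direction, remote, rport, payload=b"data"):
    return {"t": t, "dir": direction, "remote": remote, "rport": rport, "payload": payload}


# Constructed packet trace that exercises each category in turn.
SAMPLE_TRACE = [
    _pkt(0.0, "out", "203.0.113.10", 993),                                   # allow, opens flow
    _pkt(0.1, "in",  "203.0.113.10", 993),                                   # allow, reply on open flow
    _pkt(0.2, "in",  "198.51.100.5", 993),                                   # drop:acl
    _pkt(0.3, "in",  "203.0.113.10", 993, b"...CONSTRUCTED-ATTACK-PATTERN..."),  # drop:signature
    _pkt(0.4, "out", "203.0.113.10", 993, b"x" * 1500),                      # drop:malformed
    _pkt(0.5, "in",  "203.0.113.10", 993),                                   # allow (3rd in window)
    _pkt(0.6, "in",  "203.0.113.10", 993),                                   # drop:rate
    _pkt(1.2, "in",  "203.0.113.10", 993),                                   # allow, window slid
    _pkt(1.3, "in",  "203.0.113.10", 443),                                   # drop:stateful
]


def run_sample(trace=SAMPLE_TRACE, info=APP_SECURITY_INFO):
    proc = AppDataProcessor(info)
    return [proc.process(p) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run_sample()):
        print(f"t={p['t']:.1f} {p['dir']:3} {p['remote']}:{p['rport']} -> {verdict}")
```

Because the processor holds only the information for applications that are actually running, the ACL and signature lists it walks per packet stay short, which is the performance argument the patent makes for loading the information on demand.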

In addition, as shown in FIG. 16, there may also be a communication interface 43 for carrying out communication between the terminal device and the NG firewall server or other devices.

As shown in FIG. 16, the terminal device may further include a disk 44 for storing the program to be tested and state information of the process of the program to be tested.

Alternatively, in a specific implementation, if the memory 42, the processor 41, the communication interface 43 and the disk 44 are implemented separately, they may be communicatively connected through a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, and so on. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, the bus is shown as a single thick line, but this does not mean that there is only one bus or only one type of bus.

Alternatively, in a specific implementation, if the memory 42, the processor 41, the communication interface 43 and the disk 44 are integrated in a single chip, they may be communicatively connected through an internal interface.

A beneficial effect of the embodiments of the present invention is that when an application is started on the terminal device, the terminal device requests the application's security information from the NG firewall server. The embodiments of the present invention therefore achieve dynamically loaded attack defence, so that the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.

In addition, the terminal device is protected from new attacks that come with new applications or services. Because the amount of attack defence depends directly on the number of applications the user is actually using, signalling messages are reduced, which helps to extend the battery life of the mobile terminal.

The present invention further provides a non-transitory computer-readable storage medium containing computer program code which, when executed by a computer processor, causes the computer processor to perform the method for implementing an NG firewall according to the embodiments of the present invention.

From the embodiments described above, a person skilled in the art can clearly understand that the present invention may be implemented by software together with the necessary general-purpose hardware. The present invention may also be implemented by hardware alone; however, the former is the preferred mode of implementation. On this understanding, the essence of the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a floppy disk, hard disk or optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server or a network device) to perform the methods described in the embodiments of the present invention.

Embodiment 8

This embodiment of the present invention provides an NG-FW server. The embodiment corresponds to the method of Embodiment 3 above, and content that is the same is not described again.

In this embodiment, the NG-FW server includes a processor and a memory coupled to the processor.

FIG. 17 is a schematic structural diagram of an NG-FW server according to an embodiment of the present invention. As shown in FIG. 17, there is a processor 51 and a memory 52 coupled to the processor 51.

The memory 52 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions.

The processor 51 is configured to: receive from the terminal device a request message requesting an application's security information, where the application's security information is information for the security protection of an application started on the terminal device; determine the application's security information according to the request message; and send a response message containing the application's security information to the terminal device.

The memory 52 may include high-speed RAM and non-volatile memory. The processor 51 may be a central processing unit (CPU), or may be an application-specific integrated circuit (ASIC), or may be configured as one or more ASICs.

According to the NG-FW server above, the request message includes the application's identification information; and in the step of determining the application's security information according to the request message, the processor 51 is further configured to obtain the application's security information from a database according to the application's identification information contained in the request message.

According to the NG-FW server above, the processor 51 is further configured to authenticate whether the request message is valid and, only when the request message is valid, to carry out the process of sending the response message containing the application's security information to the terminal device.

According to the NG-FW server above, the processor 51 is further configured to determine one or more timer values for holding part or all of the application's security information; and in the step of sending the response message, the processor 51 is further configured to send to the terminal device a response message containing the application's security information together with the one or more timer values for holding part or all of the application's security information.

According to the NG-FW server above, the application's security information includes any one or a combination of the following: the application's message signature information, the application's access control list information, the application's malformed-attack information, the application's stateful firewall library information, and the application's packet rate-limit policy information.

In addition, as shown in FIG. 17, there may also be a communication interface 53 for carrying out communication between the NG-FW server and the terminal device or other devices.

As shown in FIG. 17, the NG-FW server may further include a disk 54 for storing the program to be tested and state information of the process of the program to be tested.

Alternatively, in a specific implementation, if the memory 52, the processor 51, the communication interface 53 and the disk 54 are implemented separately, they may be communicatively connected through a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, and so on. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, the bus is shown as a single thick line, but this does not mean that there is only one bus or only one type of bus.

Alternatively, in a specific implementation, if the memory 52, the processor 51, the communication interface 53 and the disk 54 are integrated in a single chip, they may be communicatively connected through an internal interface.

A beneficial effect of the embodiments of the present invention is that when an application is started on the terminal device, the terminal device requests the application's security information from the NG firewall server. The embodiments of the present invention therefore achieve dynamically loaded attack defence, so that the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.

In addition, the terminal device is protected from new attacks that come with new applications or services. Because the amount of attack defence depends directly on the number of applications the user is actually using, signalling messages are reduced, which helps to extend the battery life of the mobile terminal.

The present invention further provides a non-transitory computer-readable storage medium containing computer program code which, when executed by a computer processor, causes the computer processor to perform the method for implementing an NG firewall according to the embodiments of the present invention.

实施例9Example 9

本发明的该实施例提供一种用于实施NG防火墙的系统。该实施例对应于上述实施例7和8,并且相同内容将不再予以描述。This embodiment of the invention provides a system for implementing an NG firewall. This embodiment corresponds to Embodiments 7 and 8 described above, and the same content will not be described again.

在该实施例中,用于实施NG防火墙的系统包括:如实施例7中描述的一个或多个终端设备以及如实施例8中描述的NG防火墙服务器。In this embodiment, the system for implementing the NG firewall includes: one or more terminal devices as described in Embodiment 7 and the NG firewall server as described in Embodiment 8.

图18为根据本发明的实施例的用于实施NG防火墙的系统的示意结构图。如图18所示,在用于实施NG防火墙1800的系统中至少存在一个配置有NG-FW客户端1802的终端设备1801以及一个NG-FW服务器1803。Fig. 18 is a schematic structural diagram of a system for implementing an NG firewall according to an embodiment of the present invention. As shown in FIG. 18 , there is at least one terminal device 1801 configured with an NG-FW client 1802 and one NG-FW server 1803 in the system for implementing the NG firewall 1800 .

本发明的实施例的有益效果在于:当应用在终端设备中被启动时,终端设备向NG防火墙服务器请求应用的安全信息。因此,本发明的实施例可以实现动态加载攻击防范,从而终端设备所需的软件占用空间可以减少,并且安装在终端设备上的应用的性能可以得到提高。The beneficial effect of the embodiment of the present invention is that: when the application is started in the terminal device, the terminal device requests the security information of the application from the NG firewall server. Therefore, the embodiment of the present invention can realize dynamic loading attack defense, so that the software occupation space required by the terminal device can be reduced, and the performance of applications installed on the terminal device can be improved.

此外,终端设备将受到保护,免遭来自新应用或服务的新攻击。由于攻击防范的数量直接依赖于用户正在使用的应用的数量,所以信令报文将减少,这样有助于延长移动终端的电池寿命。In addition, end devices will be protected from new attacks from new applications or services. Since the amount of attack defense directly depends on the number of applications being used by the user, signaling packets will be reduced, which helps to extend the battery life of the mobile terminal.

通过上面描述的实施例,所属领域的技术人员可清楚地明白本发明可由软件和必要的通用硬件实施。具体而言,本发明还可仅由硬件实施。然而,前者是优选的实施模式。根据这样的理解,本发明的技术解决方案的本质或对现有技术做出贡献的本发明的部分技术解决方案可采用软件产品的形式实施。计算机软件产品存储在可读存储介质,例如,计算机软盘、硬盘或光盘中,并包括多个使计算机设备(其可以是个人计算机、服务器或网络设备)执行本发明的实施例中描述的方法。Through the embodiments described above, those skilled in the art can clearly understand that the present invention can be implemented by software and necessary general-purpose hardware. Specifically, the present invention may also be implemented by hardware only. However, the former is the preferred mode of implementation. According to such an understanding, the essence of the technical solution of the present invention or the part of the technical solution of the present invention that contributes to the prior art can be implemented in the form of software products. The computer software product is stored in a readable storage medium, such as computer floppy disk, hard disk or optical disk, and includes a plurality of computer equipment (which can be a personal computer, server or network equipment) to execute the methods described in the embodiments of the present invention.

从上述实施例可以看出:可以实现实施例的有益效果和优点:As can be seen from the foregoing embodiments: the beneficial effects and advantages of the embodiments can be realized:

(1)减少针对终端设备(例如智能手机和其他终端设备)的NG防火墙软件的占用空间;(1) Reduce the footprint of NG firewall software for terminal devices (such as smartphones and other terminal devices);

(2)如果是一个不常用的应用,NG防火墙不会响应控制消息,这样终端不用处理,可以延长电池寿命;(2) If it is an application that is not commonly used, the NG firewall will not respond to the control message, so that the terminal does not need to deal with it, which can prolong the battery life;

(3) The size of application-specific access lists (such as whitelists or blacklists) is reduced, which gives better performance;

(4) When a business-critical application is started, use of the NG firewall service on the terminal device (such as a smartphone) is enforced;

(5) Key information is controlled when other interfaces (for example, Bluetooth, USB ports, and so on) are used;

(6) Secure application, data and application access control are applied while the application is running.

It should be understood that the parts of the present invention may be implemented by hardware, software, firmware or a combination thereof. In the above embodiments, a plurality of steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, they may, as in another embodiment, be implemented by any one of the following techniques known in the art or a combination thereof: discrete logic circuits having logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gate circuits, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.

Any description or block in the flow diagrams, or any process or method described in another form, should be understood as representing code of executable instructions comprising one or more modules, segments or portions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which these functions may be performed in an order different from that shown or described, including substantially concurrently or in the reverse order, depending on the functions involved, as will be understood by those skilled in the art to which the present invention relates.

For example, the logic and/or steps illustrated in the flow diagrams or otherwise described herein may be understood as a sequenced list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus or device (for example, a computer-based system, a processor-containing system, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them).

The foregoing description and drawings illustrate various features of the present invention. It should be understood that those skilled in the art can prepare suitable computer code to carry out each of the steps and processes described above and shown in the drawings. It should also be understood that all of the terminals, computers, servers and networks may be of any type, and that computer code may be prepared according to the present invention to implement the invention using the corresponding devices.

Specific embodiments of the present invention are disclosed herein. Those skilled in the art will readily recognize that the present invention may be applied in other environments; in fact, many embodiments and implementations are possible. The appended claims are not intended to limit the scope of the present invention to the specific embodiments described above. Furthermore, any reference to “means for” is intended to invoke a means-plus-function interpretation of the element and the claim, and any element not reciting “means for” is not intended to be interpreted as a means-plus-function element, even if the claim includes the word “means”.

Although a particular embodiment has been shown and the present invention has been described, it is evident that equivalent modifications and variations will occur to those skilled in the art upon reading and understanding the foregoing description and drawings. In particular, with regard to the various functions performed by the above elements (parts, components, devices, compositions, and so on), unless otherwise specified, the terms used to describe those elements (including any reference to a “means”) are intended to correspond to any element that performs the specified function of the described element (that is, a functional equivalent), even if that element is structurally different from the element that performs the function in the one or more exemplary embodiments of the present invention illustrated herein. Furthermore, although a particular feature of the present invention may have been described with reference to only one or more of the described embodiments, such a feature may be combined with one or more other features of the other embodiments as may be desired and advantageous for any given or particular application.

Claims (28)

1. A method for implementing an NG firewall (next generation firewall), characterized in that the method comprises:
when an application is started on a terminal device, sending to an NG firewall server a request message for requesting the security information corresponding to the application;
receiving from the NG firewall server a response message containing the security information of the application, wherein the security information of the application indicates information for providing security protection to the application started on the terminal device; and
processing the data of the application by using the security information of the application.
2. The method according to claim 1, characterized in that the request message comprises identification information of the application, and the identification information of the application is used by the NG firewall server to determine the security information of the application.
3. The method according to claim 1, characterized in that the method further comprises:
when the application is closed on the terminal device, clearing the security information of the application.
4. The method according to any one of claims 1 to 3, characterized in that the response message further comprises one or more timer values for maintaining some or all of the security information of the application; and
the method further comprises: when one or more timers of the one or more timer values corresponding to a portion of the security information of the application expire, re-requesting that portion of the security information of the application; or
when one or more timers of the one or more timer values corresponding to all of the security information of the application expire, re-requesting all of the security information of the application.
5. The method according to claim 4, characterized in that the method further comprises:
when one or more timers of the one or more timer values corresponding to a portion of the security information of the application expire, clearing that portion of the security information of the application; or
when one or more timers of the one or more timer values corresponding to all of the security information of the application expire, clearing all of the security information of the application.
6. The method according to any one of claims 1 to 3, characterized in that the security information of the application comprises any one or a combination of the following information:
message signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and message rate-limiting policy information of the application.
7. The method according to claim 6, characterized in that different timer values are used for keeping any one or a combination of the following information: the message signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application, and the message rate-limiting policy information of the application; or
the same timer value is used for keeping any one or a combination of the following information: the message signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application, and the message rate-limiting policy information of the application.
8. The method according to claim 6, characterized in that processing the data of the application by using the security information of the application comprises:
processing the data of the application by using the message signature information of the application; or
processing the data of the application by using the access control list information of the application; or
processing the data of the application by using the malformed packet attack information of the application; or
processing the data of the application by using the stateful firewall library information of the application; or
processing the data of the application by using the message rate-limiting policy information of the application.
9. A method for implementing an NG firewall, characterized in that the method comprises:
receiving from a terminal device a request message for requesting the security information corresponding to an application, wherein the security information of the application indicates information for providing security protection to the application started on the terminal device;
determining the security information of the application according to the request message; and
sending to the terminal device a response message containing the security information of the application.
10. The method according to claim 9, characterized in that the request message comprises identification information of the application; and
determining the security information of the application according to the request message comprises: obtaining the security information of the application from a database according to the identification information of the application contained in the request message.
11. The method according to claim 9 or 10, characterized in that, before sending to the terminal device the response message containing the security information of the application, the method further comprises:
authenticating whether the request message is valid; and
when the request message is valid, performing the step of sending to the terminal device the response message containing the security information of the application.
12. The method according to claim 9 or 10, characterized in that the method further comprises:
determining one or more timer values for maintaining some or all of the security information of the application; and
sending to the terminal device the response message containing the security information of the application comprises: sending to the terminal device the response message containing the security information of the application and the one or more timer values for maintaining some or all of the security information of the application.
13. The method according to any one of claims 9 to 10, characterized in that the security information of the application comprises any one or a combination of the following information: message signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and message rate-limiting policy information of the application.
14. An NG firewall client, characterized in that it comprises:
a sending unit, configured to, when an application is started on a terminal device configured with the NG firewall client, send to an NG firewall server a request message for requesting the security information corresponding to the application;
a receiving unit, configured to receive from the NG firewall server a response message containing the security information of the application, wherein the security information of the application indicates information for providing security protection to the application started on the terminal device; and
a processing unit, configured to process the data of the application by using the security information of the application.
15. The NG firewall client according to claim 14, characterized in that the sending unit is specifically configured to, when an application is started on the terminal device configured with the NG firewall client, send to the NG firewall server a request message for requesting the security information of the application, wherein the request message comprises identification information of the application, and the identification information of the application is used by the NG firewall server to determine the security information of the application.
16. The NG firewall client according to claim 14, characterized in that the NG firewall client further comprises:
a clearing unit, configured to clear the security information of the application when the application is closed on the terminal device.
17. The NG firewall client according to any one of claims 14 to 16, characterized in that the response message further comprises one or more timer values for maintaining some or all of the security information of the application; and
the sending unit is further configured to, when one or more timers of the one or more timer values corresponding to a portion of the security information of the application expire, re-request that portion of the security information of the application, or, when one or more timers of the one or more timer values corresponding to all of the security information of the application expire, re-request all of the security information of the application.
18. The NG firewall client according to claim 17, characterized in that
the NG firewall client further comprises:
a clearing unit, configured to clear the security information of the application when the application is closed on the terminal device; and
the clearing unit is further configured to, when one or more timers of the one or more timer values corresponding to a portion of the security information of the application expire, clear that portion of the security information of the application, or, when one or more timers of the one or more timer values corresponding to all of the security information of the application expire, clear all of the security information of the application.
19. The NG firewall client according to any one of claims 14 to 16, characterized in that the security information of the application comprises any one or a combination of the following information: message signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and message rate-limiting policy information of the application.
20. The NG firewall client according to claim 19, characterized in that the processing unit is specifically configured to:
process the data of the application by using the message signature information of the application; or
process the data of the application by using the access control list information of the application; or
process the data of the application by using the malformed packet attack information of the application; or
process the data of the application by using the stateful firewall library information of the application; or
process the data of the application by using the message rate-limiting policy information of the application.
21. An NG firewall server, characterized in that it comprises:
a receiving unit, configured to receive from a terminal device a request message for requesting the security information corresponding to an application, wherein the security information of the application indicates information for providing security protection to the application started on the terminal device;
a first determining unit, configured to determine the security information of the application according to the request message; and
a sending unit, configured to send to the terminal device a response message containing the security information of the application.
22. The NG firewall server according to claim 21, characterized in that the request message comprises identification information of the application; and
the first determining unit is specifically configured to obtain the security information of the application from a database according to the identification information of the application contained in the request message.
23. The NG firewall server according to claim 21 or 22, characterized in that the NG firewall server further comprises:
an authentication unit, configured to authenticate whether the request message is valid; and
the sending unit is specifically configured to send the response message containing the security information of the application to the terminal device when the request message is valid.
24. The NG firewall server according to claim 21 or 22, characterized in that the NG firewall server further comprises:
a second determining unit, configured to determine one or more timer values for maintaining some or all of the security information of the application; and
the sending unit is specifically configured to send to the terminal device the response message containing the security information of the application and the one or more timer values for maintaining some or all of the security information of the application.
25. The NG firewall server according to any one of claims 21 to 22, characterized in that the security information of the application comprises any one or a combination of the following information: message signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and message rate-limiting policy information of the application.
26. A terminal device, characterized in that it comprises:
a processor and a memory coupled to the processor;
wherein the processor is configured to:
when an application is started on the terminal device, send to an NG firewall server a request message for requesting the security information corresponding to the application;
receive from the NG firewall server a response message containing the security information of the application, wherein the security information of the application indicates information for providing security protection to the application started on the terminal device; and
process the data of the application by using the security information of the application.
27. An NG firewall server, characterized in that it comprises:
a processor and a memory coupled to the processor;
wherein the processor is configured to:
receive from a terminal device a request message for requesting the security information corresponding to an application, wherein the security information of the application indicates information for providing security protection to the application started on the terminal device;
determine the security information of the application according to the request message; and
send to the terminal device a response message containing the security information of the application.
28. A system for implementing an NG firewall, characterized in that the system comprises:
one or more terminal devices according to claim 26; and
an NG firewall server according to claim 27.
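The exchange and timer handling of claims 1 to 13, worked as an added simulation: this is example code written for this page, not the patent's or Huawei's implementation, and the class names, message fields, token check and sample policy values (the `com.example.bank` identifier, the ACL and rate limit, the timer lifetimes) are assumptions. It shows the client requesting security information when an application starts, the server authenticating the request and answering per category with timer values, the client applying the ACL and rate-limit policy to packets, re-requesting only the expired portion, and clearing everything when the application closes.

```python
# Added example: simulation of the NG firewall client/server exchange in claims 1 to 13.
# Class names, message fields, the token check and the sample policy are assumptions.


class NGFirewallServer:
    """Claims 9 to 12: authenticate the request, look the application up in the
    database, answer with its security information and one timer per category."""

    def __init__(self, database, valid_tokens, timers):
        self.database = database          # app_id -> {category: info}
        self.valid_tokens = valid_tokens  # stand-in for the claim 11 validity check
        self.timers = timers              # category -> lifetime in seconds (claim 7)

    def handle_request(self, request):
        if request.get("token") not in self.valid_tokens:
            return None                   # claim 11: an invalid request gets no response
        info = self.database.get(request["app_id"], {})
        # Claim 4: a re-request after expiry may name only the expired categories.
        wanted = [c for c in (request.get("categories") or info) if c in info]
        return {"security_info": {c: info[c] for c in wanted},
                "timers": {c: self.timers[c] for c in wanted}}


class NGFirewallClient:
    """Claims 1 to 8: the client on the terminal device. Cached entries are
    (info, expires_at) pairs, one per security-information category."""

    def __init__(self, server, token):
        self.server, self.token = server, token
        self.cache = {}          # app_id -> {category: (info, expires_at)}
        self.sent_requests = []  # trace of request messages, kept for inspection
        self.seen = {}           # app_id -> packet timestamps for rate limiting

    def request_security_info(self, app_id, now, categories=None):
        """Claim 1 (on start) and claim 4 (on expiry): ask the server and cache the reply."""
        request = {"app_id": app_id, "token": self.token, "categories": categories}
        self.sent_requests.append(request)
        response = self.server.handle_request(request)
        if response is None:
            return False
        entries = self.cache.setdefault(app_id, {})
        for category, info in response["security_info"].items():
            entries[category] = (info, now + response["timers"][category])
        return True

    def app_closed(self, app_id):
        """Claim 3: the application's security information is cleared when it closes."""
        self.cache.pop(app_id, None)
        self.seen.pop(app_id, None)

    def refresh_expired(self, app_id, now):
        """Claims 4 and 5: drop the portions whose timers expired and re-request them."""
        entries = self.cache.get(app_id, {})
        expired = [c for c, (_, expires_at) in entries.items() if expires_at <= now]
        for c in expired:
            del entries[c]
        if expired:
            self.request_security_info(app_id, now, categories=expired)
        return expired

    def process_packet(self, app_id, packet, now):
        """Claim 8: apply the cached ACL and rate-limit policy to one outbound packet.
        An application with no cached policy is passed through (an assumption here)."""
        entries = self.cache.get(app_id, {})
        if "acl" in entries and packet["dst"] not in entries["acl"][0]["allowed_dst"]:
            return "drop"
        if "rate_limit" in entries:
            limit = entries["rate_limit"][0]
            window = [t for t in self.seen.get(app_id, []) if now - t < limit["window_s"]]
            self.seen[app_id] = window
            if len(window) >= limit["max_packets"]:
                return "drop"
            window.append(now)
        return "allow"


def demo():
    """Constructed scenario: one banking app, four packets, one timer expiry, then close."""
    server = NGFirewallServer(
        database={"com.example.bank": {"acl": {"allowed_dst": {"203.0.113.10"}},
                                       "rate_limit": {"max_packets": 2, "window_s": 1.0}}},
        valid_tokens={"device-token-1"}, timers={"acl": 30, "rate_limit": 5})
    client = NGFirewallClient(server, "device-token-1")
    client.request_security_info("com.example.bank", now=0.0)  # the app has just started
    verdicts = [client.process_packet("com.example.bank", {"dst": d}, now=t)
                for d, t in (("203.0.113.10", 0.1), ("198.51.100.7", 0.2),
                             ("203.0.113.10", 0.3), ("203.0.113.10", 0.4))]
    expired = client.refresh_expired("com.example.bank", now=6.0)  # only rate_limit
    client.app_closed("com.example.bank")
    return verdicts, expired, len(client.sent_requests), "com.example.bank" in client.cache
```

Running `demo()` returns the four packet verdicts, the list of categories that expired at t=6 (only the 5-second rate-limit timer), the number of request messages sent (the initial one plus one partial re-request), and whether anything remains cached after the application closed.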
CN201480001549.0A 2013-11-07 2014-04-03 Method and system for implementing NG firewall, NG firewall client and NG firewall server Active CN104380686B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
IN5037/CHE/2013 2013-11-07
PCT/CN2014/074744 WO2015066996A1 (en) 2013-11-07 2014-04-03 A method and system for implementing ng-firewall, a ng-firewall client and a ng-firewall server
IN5037CH2013 IN2013CH05037A (en) 2013-11-07 2014-04-03

Publications (2)

Publication Number Publication Date
CN104380686A CN104380686A (en) 2015-02-25
CN104380686B true CN104380686B (en) 2018-08-21

Family

ID=52557547

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480001549.0A Active CN104380686B (en) 2013-11-07 2014-04-03 Method and system for implementing NG firewall, NG firewall client and NG firewall server

Country Status (1)

Country Link
CN (1) CN104380686B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375311B (en) * 2016-08-31 2019-10-01 Beijing Qingshi Lvwang Technology Co., Ltd. Mobile device DPI application security management method
CN106375309B (en) * 2016-08-31 2020-02-11 Beijing Qingshi Lvwang Technology Co., Ltd. DPI data security management method for mobile devices
CN110830454B (en) * 2019-10-22 2020-11-17 Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd. Security device detection method for detecting TCP protocol stack information leakage based on the ALG protocol

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1798436A (en) * 2004-12-28 2006-07-05 Huawei Technologies Co., Ltd. Method and system for ensuring safe data service in mobile communication system
CN101444119A (en) * 2006-03-27 2009-05-27 Telecom Italia S.p.A. System for enforcing security policies on a mobile communication device
CN101729531A (en) * 2009-03-16 2010-06-09 ZTE Corporation Method, device and system of distributing network safety strategies
CN102045320A (en) * 2009-10-19 2011-05-04 ZTE Corporation Aging method and device for security policy

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100656481B1 (en) * 2006-02-03 2006-12-11 Samsung Electronics Co., Ltd. Dynamic network security system and its control method
US9160710B2 (en) * 2010-06-25 2015-10-13 Salesforce.Com, Inc. Methods and systems for context-based application firewalls
US9047441B2 (en) * 2011-05-24 2015-06-02 Palo Alto Networks, Inc. Malware analysis system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Analysis of next-generation firewall technology; Hu Bo; Secrecy Science and Technology; 2012-02-29 (Issue 02 (2012)); Sections 2-3 of the body text, Table 1 *
Application and research of application firewalls; Zhou Anna; Science Mosaic; 2009-07-31 (Issue 07 (2009)); full text *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant