
WO2003050999A1 - Integrated security gateway device and its operating method - Google Patents


Info

Publication number
WO2003050999A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
module
servers
security gateway
duplicating
Prior art date
Application number
PCT/KR2001/002143
Other languages
English (en)
Inventor
Young Cho Chung
Sung Chan Kim
Original Assignee
Future Systems, Inc.
Priority date
Filing date
Publication date
Application filed by Future Systems, Inc.
Priority to AU2002216434A
Priority to PCT/KR2001/002143
Publication of WO2003050999A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/20 Arrangements for monitoring or testing data switching networks, the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0227 Filtering policies
    • H04L 63/0272 Virtual private networks
    • H04L 63/0281 Proxies
    • H04L 63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • the present invention relates to a networking system for wide-area networking; and, more particularly, to an integrated security gateway apparatus and an operating method thereof employed in a networking system, wherein the integrated security gateway apparatus is interposed between an internal network and an external network, for integrating a virtual private networking and firewall and intrusion detection functions.
  • Fig. 1 shows an example of a conventional private computer network using dedicated leased lines or packet-based networks to connect corporate branches through routers.
  • private computer networking does not provide the flexibility required for quickly creating new partner links or supporting project teams in the field.
  • the corporate branches can enjoy the security of the private computer network via access control and encryption, while taking advantage of the economies of scale and built-in management facilities of large public networks.
  • PPTP: point-to-point tunneling protocol
  • IP: Internet Protocol
  • VPN: Virtual Private Network
  • the VPN allows a network manager to connect corporate remote branch sites and/or project teams to the corporate main branch economically and provides remote access to employees, which reduces in-house requirements for equipment and support. That is, an Internet-based VPN uses an open, distributed infrastructure of the Internet to transmit data between the corporate branches .
  • each of the corporate branches is connected to the Internet in the Internet-based VPN
  • information can be exchanged between VPN users and Internet users.
  • This information exchange presents a challenge to protect information located on the corporate branches from unauthorized access by the Internet users and from unauthorized export by the VPN users.
  • hackers have been able to erase files or disks, cancel programs, retrieve sensitive information, and even introduce computer viruses, e.g., Trojan horses, and/or worms into the corporate main branch.
  • a firewall is a technique for keeping a network secure.
  • the firewall is gaining popularity as a means of separating corporate public resources, e.g., DMZ (Demilitarized Zone) servers including a corporate public web server, mail server, etc., from a corporate internal network, as well as of giving the VPN users access to the Internet in a secure fashion.
  • Fig. 2 shows an example of a conventional Internet-based VPN 200 using the Internet 230 to connect VPN branches 210 and 220 through VPN proxies 260 and 270, firewalls 280 and 290, and routers 240 and 250.
  • Each of the firewalls 280 and 290 is coupled to a corresponding one of the VPN proxies 260 and 270, and to a corresponding one of the corporate DMZ servers 214 and 224.
  • the VPN proxies 260 and 270 generally perform encryption and decryption to protect data against eavesdropping and tampering by unauthorized parties.
  • Each of the firewalls 280 and 290 receives an incoming packet from the corresponding router 240 or 250 and checks, using a predetermined rule, whether the incoming packet may be sent to the VPN branches 210 and 220 and the DMZ servers 214 and 224. For example, the firewalls 280 and 290 check whether the incoming packet is from a valid domain or IP address, i.e., an identified external resource.
  • In Figs. 3A and 3B, there are provided other conventional Internet-based VPNs, each of which further comprises an IDS (Intrusion Detection System) 370 interposed between a router 340 and a firewall 350, or an IDS 380 interposed between a VPN branch 310 and a VPN proxy 360. Except that the IDS 370 or 380 is inserted, the VPNs 301 and 302 in Figs. 3A and 3B are substantially identical to the VPN 200 in Fig. 2.
  • the IDSs 370 and 380 perform real-time intrusion detection into the VPN branch 310 by including an intrusion pattern database and an expert system, which can be implemented by software or hardware.
  • the IDSs 370 and 380 perform functions of a traffic control, real-time monitoring and intrusion detection, intrusion blocking, and intrusion analysis and reporting.
  • the IDS 370 can detect an intrusion into the firewall 350 or the VPN branch 310.
  • the IDS 370 itself could be attacked by an external intruder.
  • since the IDS 380 is interposed between the VPN branch 310 and the VPN proxy 360, intrusion detection is done only for packets that have passed through the firewall 350. That is, the IDS 380 cannot detect intrusions exactly, because the firewall 350 drops the packets it does not accept before they ever reach the IDS 380. Therefore, the external intruder can attack the firewall 350 or the VPN branch 310 and abuse network resources continuously.
  • since the VPN proxy 360, the firewall 350, and the IDS 370 or 380 are constructed separately, security hole problems tend to occur frequently, and installation is costly.
  • Another object of the present invention is to provide an integrated security gateway for integrating intrusion detection functions as well as virtual private networking and firewall functions, and an operating method thereof.
  • an integrated security gateway apparatus interfacing with an internal network and an external network for blocking a selected packet from one of the internal network and the external network
  • the apparatus comprising: a packet duplicating module for receiving and duplicating an incoming packet from said one of the internal and external networks; a server complex, which is coupled to the packet duplicating module through a port complex, for analyzing the duplicated packet; and an inspection engine, which is connected to the packet duplicating module and to the server complex via the port complex, for inspecting whether or not the incoming packet corresponds to the selected packet to be blocked based on the analysis result and selectively blocking the incoming packet depending on the inspection result.
  • a networking system consisting of at least one internal network and an external network, comprising: an integrated security gateway interfacing with said at least one internal network and said external network, for blocking a selected packet from said at least one internal network and said external network; and black zone servers, which are coupled to the integrated security gateway for analyzing the duplicated packet.
  • a method for blocking a selected packet from one of an internal network and an external network in an integrated security gateway apparatus interfacing with the internal and external networks, wherein the integrated security gateway apparatus includes a packet duplicating module for duplicating an incoming packet and an inspection engine, the method comprising the steps of: a) receiving a message packet from a server complex; b) determining whether or not the message packet contains information to be used in blocking the incoming packet which corresponds to the selected packet, wherein the incoming packet is transmitted from said one of the internal network and the external network; c) determining a type of an attack depending on the message if the packet has the message; and, otherwise, dropping the packet; d) setting an access deny time for the incoming packet; e) setting an attacker's address; f) setting a destination address to be attacked by the attacker through the incoming packet; g) determining whether or not there is a session connected to the destination address; h) disconnecting the session, if
  • Fig. 1 is a schematic diagram of a conventional private computer network using dedicated leased lines or packet-based networks.
  • Fig. 2 shows a schematic diagram of an Internet-based VPN (virtual private networking);
  • Figs. 3A and 3B offer schematic diagrams of other conventional Internet-based VPNs;
  • Fig. 4 illustrates a schematic diagram of a VPN employing an integrated security gateway apparatus in accordance with the present invention
  • Fig. 5 provides a hardware block diagram of the integrated security gateway apparatus in Fig. 4;
  • Fig. 6 shows a functional block diagram of the integrated security gateway apparatus in Fig. 4;
  • Figs. 7A and 7B depict flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 4;
  • Fig. 8 exemplifies a schematic block diagram of an integrated security gateway apparatus in accordance with a second embodiment of the present invention.
  • Figs. 9A and 9B present flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 8;
  • Fig. 10 demonstrates a schematic block diagram of an integrated security gateway apparatus in accordance with a third embodiment of the present invention
  • Figs. 11A and 11B give flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 10;
  • Fig. 12 shows a schematic block diagram of an integrated security gateway apparatus in accordance with a fourth embodiment of the present invention
  • Figs. 13A and 13B are flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 12;
  • Fig. 14 illustrates a schematic block diagram of an integrated security gateway apparatus in accordance with a fifth embodiment of the present invention.
  • Fig. 15 provides a schematic block diagram of an integrated security gateway apparatus in accordance with a sixth embodiment of the present invention.
  • Figs. 16A and 16B depict flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 15;
  • Fig. 17 exemplifies a schematic block diagram of a built-in security unit employed in the integrated security gateway apparatus of Fig. 4 in accordance with the present invention
  • Figs. 18A and 18B present flow charts for explaining an operating method of the built-in security unit in Fig. 17;
  • Fig. 19 shows a flow chart for explaining an intrusion detection process in accordance with the present invention.
  • Fig. 20 offers a structure of a communication packet transmitted from BZ servers to the integrated security gateway apparatus in accordance with the present invention
  • Figs. 21A and 21B show flow charts for explaining in detail a method for performing an anti-virus function and an intrusion detection function in accordance with the present invention;
  • Fig. 22 presents flow charts for explaining in detail a method for performing a noxious site blocking function in accordance with the present invention.
  • In Fig. 4, there is provided a schematic diagram of a VPN (Virtual Private Network) employing an integrated security gateway in accordance with the present invention.
  • the VPN 400 is comprised of a plurality of internal networks, each of which is connected to an external network such as the Internet 450 via a router 440.
  • For the sake of simplicity, only one internal network 410 is shown in Fig. 4.
  • the internal network 410 is connected to the router 440 through the inventive integrated security gateway apparatus 420, to which a "demilitarized zone (DMZ)" server 414 and a "black zone (BZ)" server 430 are connected.
  • the DMZ server 414 is a web server and/or a mail server.
  • the internal network 410 may be a local area network (LAN).
  • LAN: local area network
  • the internal network 410 is illustrated as including a server computer 411 and two client computers 412 and 413 only, for the sake of simplicity.
  • the integrated security gateway apparatus 420 protects the internal network 410 from outsiders. It also prevents unauthorized transmission of data/information stored in the internal network computers
  • the integrated security gateway apparatus 420 protects the DMZ server 414 from an attack through the external network 450.
  • the integrated security gateway apparatus 420 provides data encryption and decryption for which variable encryption and decryption rules can be applied, depending on IP (Internet Protocol) addresses or ports.
  • a key to data encryption and decryption can be established or updated in the integrated security gateway apparatus 420 by a well-known external input device, e.g., a smart card.
  • the integrated security gateway apparatus 420 provides a packet filtering function by employing stateful inspection, i.e., by inspecting the state of a current input packet with respect to the state of a previous input packet in an application. A number of filtering rules can be applied depending on the IP addresses or the ports.
  • the integrated security gateway apparatus 420 performs a static packet filtering function, i.e., a checking operation on the input packets under a predetermined filtering rule.
  • the integrated security gateway apparatus 420 performs a URL (Uniform Resource Locator) filtering function in a restrictive mode in which selected packets are to be passed or in a permissive mode in which all the packets except for a selected few are to be passed.
  • the integrated security gateway apparatus 420 also performs packet contents filtering functions.
  • the integrated security gateway apparatus 420 provides a virtual session for a UDP (User Datagram Protocol) application to solve a security problem associated with connectionless packet transfer.
  • the virtual session contains and updates UDP connection information dynamically.
  • the integrated security gateway apparatus 420 generates a session for only a permitted RPC (Remote
  • the integrated security gateway apparatus 420 provides an NAT (network address translation) function.
  • the BZ server 430 coupled to the integrated security gateway apparatus 420 acts as an IDS (Intrusion Detection System), performing traffic control, real-time monitoring, intrusion detection, intrusion blocking, and intrusion analysis and reporting functions.
  • IDS: Intrusion Detection System
  • the BZ server 430 is invisible to the users of the internal network 410 and the external network 450 so as to maximize the security of the VPN 400.
  • the integrated security gateway apparatus 420 duplicates all the incoming packets from the internal network 410, the DMZ server 414, and the external network 450 and sends them to the BZ server 430.
  • the BZ server 430 analyzes each of the duplicated packets from the integrated security gateway apparatus 420 and reports its analysis result to the integrated security gateway apparatus 420, so that the integrated security gateway apparatus 420 can process each of the incoming packets depending on the analysis result.
  • the BZ server 430 may act as an anti-virus system for blocking packets infected with a virus and/or as a blocking system for blocking packets from noxious web sites.
  • It may be a hub to which the IDS, the anti-virus system and/or the site blocking system may be coupled, so that intrusion protection, virus checking and/or site blocking functions can be performed.
  • the integrated security gateway apparatus 420 may include a built-in BZ server at which the duplicated packets are analyzed.
  • Fig. 5 provides a hardware block diagram of an embodiment of the integrated security gateway apparatus 420 in Fig. 4. As shown in Fig. 5, the integrated security gateway apparatus 420 includes a firewall processor 10, three network interface cards 20, 21, and
  • the integrated security gateway apparatus 420 further includes a VPN processor 60, a crypto-coprocessor 70, and a second memory 80, all connected to a second bus 2 which in turn is connected to the first bus 1 through a bus bridge 3.
  • Each of the network interface cards 20, 21, and 22 includes a LAN (local area network) connector, an Rx (receiving) buffer, and a Tx (transmitting) buffer, which are not shown in Fig. 5.
  • the network interface cards 20, 21, and 22 are used to interface with the internal network 410, the DMZ server 414, and the external network 450 in Fig. 4, respectively.
  • CSMA/CD: Carrier Sense Multiple Access with Collision Detection
  • the Rx buffer is used to store incoming packets received from the internal network 410, the DMZ server 414, or the external network 450 until the incoming packets can be processed by the processor 10 or 60.
  • the Tx buffer is used to store outgoing packets until the outgoing packets can be sent to the internal network 410, the DMZ server 414, or the external network 450.
  • the BZ port 23 is used to interface with the BZ server 430. Similar to the network interface cards 20,
  • the BZ port 23 includes a LAN (local area network) connector, an Rx (receiving) buffer, and a Tx
  • Each of the firewall processor 10 and the VPN processor 60 can be a dedicated high performance microprocessor. Any microprocessor capable of operating at the speed required to implement the functions described above, and to be described in detail below, is appropriate.
  • the first memory 30 is used to store the packets, an OS (operating system), OS parameters, pre-defined parameters, IP addresses, etc.
  • the first memory 30 includes several types of high-speed memory devices, such as a DIMM (dual in-line memory module) type 64-512 Mbytes SDRAM (Synchronous Dynamic Random Access Memory) and a flash type 4-8 Mbytes ROM (Read Only Memory).
  • the first memory 30 further stores instructions for controlling actions to be taken on the incoming and outgoing packets. These instructions include a predetermined set of criteria based upon the fields of the incoming packets and other information such as the time of day at which the incoming packet was sent or received, and the state of the session.
  • Such criteria can be implemented by inspecting the fields of the incoming packets, by reference to external data such as a connection status and the time of day and by reference to pre-defined tables or other information stored in the first memory 30.
  • the application of the criteria leads to one or several predefined actions being taken on the incoming packets.
  • the VPN processor 60 performs a tunneling function using the IPSec (Internet Protocol Security) protocol, data encryption/decryption, and packet authentication. It should be appreciated that the VPN processor 60 and the firewall processor 10 can be implemented by a single microprocessor or by a multiplicity of microprocessors in the present invention.
  • the crypto-coprocessor 70 is used to perform a computation function for the data encryption/decryption and packet authentication.
  • the crypto-coprocessor 70 is implemented by an ASIC (Application-Specific Integrated Circuit) supporting an algorithm for the data encryption and hash functions for the packet authentication employed in the VPN 400 of the present invention.
  • the second memory 80 is used to store the packets transferred from the first memory 30 through the bus bridge 3, and encryption and decryption rules for each IP address and port.
  • the key memory 40 is used to store the key for encryption/decryption and includes an SRAM (Static Random Access Memory) type memory device.
  • the key memory 40 is coupled to a battery 41 so that the key is retained in case of a power failure.
  • Fig. 6 shows a functional block diagram of the integrated security gateway apparatus 420 in Fig. 4.
  • these modules except for the BZ port 23 connected to the BZ server 430 are program instruction modules stored in the first memory 30 and executed by the processors 10, 60, and 70.
  • the connections shown in Fig. 6 refer to software instructions or hardware instructions or both, depending on the particular physical implementation of the invention.
  • the integrated security gateway apparatus 420 also includes a packet duplicating module 610 and an inspection engine 620. Further included are a rule storage 630, a session table 640, and an action module 650 in the integrated security gateway apparatus 420.
  • the action module 650 contains a number of modules, e.g., a decryption module 652, an encryption module 654, a URL/contents filtering module 656, and an NAT (Network Address Translation) module 658.
  • the packet duplicating module 610 is coupled to the network interface cards 20, 21, and 22 of Fig. 5 to receive incoming packets from the internal network 410, the DMZ server 414, and the external network 450, respectively.
  • the packet duplicating module 610 is coupled to the inspection engine 620 to transfer the received packets thereto.
  • the packet duplicating module 610 duplicates the received packets and transfers them to the BZ server 430 through the BZ port 23.
  • the rule storage 630 is used to store instructions for inspection rules.
  • the session table 640 is used to store session information for states of the sessions.
  • the inspection engine 620 inspects the fields of the packets from the packet duplicating module 610, using the inspection rules retrieved from the rule storage unit 630, and passes them to one of the action modules 652 to 658 to execute appropriate operations on the packets or to abandon the packets.
  • the inspection engine 620 retrieves the session corresponding to each packet from the session table 640 and extracts IP header information and TCP (Transmission Control Protocol) header information to look up and update the session status.
  • TCP: Transmission Control Protocol
  • the decryption module 652 performs the decryption function on each packet whose source is another VPN branch (not shown) connected to the external network 450.
  • the encryption module 654 performs the encryption function on each outgoing packet whose destination is another VPN branch (not shown) connected to the external network 450.
  • the URL/contents filtering module 656 performs typical URL/contents filtering functions to prevent access to a predetermined group of URLs and to drop the packet containing noxious contents.
  • the NAT module 658 performs a typical NAT function, e.g., by processing a proxy address resolution protocol to translate source and destination addresses between the internal network 410 and the external network 450.
  • The operation of the integrated security gateway apparatus 420 as shown in Figs. 4 to 6 will be discussed in detail below in connection with Figs. 7A and 7B, but it should be understood that other embodiments can be proposed without departing from the scope of the present invention.
  • Each of the operations, actions, or functions can be implemented as program instructions or modules, hardware, e.g., ASIC or other circuitry, ROMs, etc., or some combinations thereof.
  • At step S701, when the packet is received by the packet duplicating module 610, it is transferred to the inspection engine 620.
  • At step S702, the packet received via one of the network interface cards 20, 21, and 22 is duplicated and transferred to the BZ server 430 through the BZ port 23, and then the procedure proceeds to step S703.
  • At step S703, the inspection engine 620 checks whether the packet is encrypted. If the packet is encrypted, the procedure proceeds to step S704; and, otherwise, the procedure proceeds to step S705.
  • At step S704, the packet is decrypted at the decryption module 652, and then the procedure proceeds to step S705.
  • At step S705, the inspection engine 620 retrieves the rule and session information corresponding to the packet from the rule storage unit 630 and the session table unit 640, and then the procedure proceeds to step S706.
  • At step S706, the inspection engine 620 determines whether the packet is to be denied depending on the retrieved rule and the session information. If the packet is to be denied, the procedure proceeds to step S707; and, otherwise, the procedure proceeds to step S708. At step S707, the inspection engine 620 abandons the packet and then the procedure is terminated. At step S708, the inspection engine 620 extracts packet information and updates the session information in the session table unit 640, and then the procedure proceeds to step S709.
  • At step S709, the inspection engine 620 determines whether packet contents filtering is required. If the packet contents filtering is required, the procedure proceeds to step S710; and, otherwise, the procedure proceeds to step S711 of Fig. 7B through a tap A.
  • At step S710, the URL/contents filtering module 656 performs contents filtering for the packet, and then the procedure proceeds to step S711.
  • At step S711, the inspection engine 620 determines whether the NAT is required. If the NAT is required, the procedure proceeds to step S712; and, otherwise, the procedure proceeds to step S713. At step S712, the NAT module 658 performs the NAT function on the packet, and then the procedure proceeds to step S713.
  • At step S713, the inspection engine 620 determines whether encryption is required. If encryption is required, the procedure proceeds to step S714; and, otherwise, the procedure proceeds to step S715.
  • At step S714, the packet is encrypted at the encryption module 662, and then the procedure proceeds to step S715.
  • At step S715, the inspection engine 620 determines whether the packet is to be forwarded outside. If the packet is to be forwarded, the procedure proceeds to step S716; and, if the packet is to be processed within the integrated security gateway apparatus 420, the procedure proceeds to step S718.
  • At step S716, the inspection engine 620 checks the corresponding port, and then the procedure proceeds to step S717.
  • At step S717, the inspection engine 620 forwards the packet to the corresponding port via the corresponding network interface card, e.g., the network interface card 20 connected to the internal network 410, and then the procedure is terminated.
  • At step S718, the inspection engine 620 performs predetermined processing, e.g., updating the list of blocked URLs stored at the rule storage unit 630, and then the procedure proceeds to step S719.
  • At step S719, the inspection engine 620 forwards the processing result to the destination of the packet through the network interface card 20, 21, or 22.
  • since the duplicated incoming packet is provided to the BZ server 430, connected to or included in the integrated security gateway apparatus 420, all kinds of intrusions and attacks on the internal network 410 and on the integrated security gateway apparatus 420 itself can be detected.
  • the VPN 400 of the present invention can enjoy almost complete security.
  • Fig. 8 exemplifies a schematic block diagram of an integrated security gateway apparatus in accordance with a second embodiment of the present invention.
  • the packet duplicating module 610 and the inspection engine 620 are the functional modules as described above; and a hub module 810, a port complex 820, and a server complex 830 are hardware modules.
  • the hub module 810 and the BZ port complex 820 of the hardware modules are included in the integrated security gateway apparatus of the second embodiment.
  • the port complex 820 includes four BZ ports 822 to 828, while the server complex 830 includes four auxiliary security servers 832 to 838.
  • the server complex 830 serves the same functions as the BZ server 430.
  • the hub module 810 simultaneously transmits packets duplicated in the packet duplicating module 610 to each of the auxiliary security servers 832 to 838 through the corresponding BZ port 822, 824, 826, or 828.
  • the auxiliary security servers 832 to 838 may act as one of an IDS system, an anti-virus system, and a site blocking system.
  • each of the auxiliary security servers 832 to 838 may act as a different system.
  • the auxiliary security server 832 acts as the IDS system
  • the auxiliary security server 834 serves as the anti-virus system
  • the auxiliary security server 836 acts as the site blocking system
  • the auxiliary security server 838 serves as another security system.
  • the auxiliary security servers 832 to 838 process the same duplicated packet at the same time, so that the total load of the server complex 830 can be dramatically reduced.
  • Figs. 9A and 9B present flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 8.
  • At step S902, when a packet is received by the packet duplicating module 610, it is transferred to the inspection engine 620.
  • At step S904, the inspection engine 620 checks whether the packet is encrypted. If the packet is encrypted, the procedure proceeds to step S906; otherwise, the procedure goes to step S908. At step S906, the packet is decrypted at the decryption module 652, and then the procedure proceeds to step S908.
  • At step S908, the inspection engine 620 determines whether a session exists for the packet depending on session information retrieved from the session table unit 640. If the session exists, the procedure proceeds to step S914; otherwise, the procedure goes to step S910.
  • the inspection engine 620 determines whether a rule exists for the packet depending on rule information retrieved from the rule storage unit 630. If no rule exists for the packet, the procedure proceeds to step S932 of Fig. 9B through a tap B; otherwise, the procedure goes to step S912. At step S912, the inspection engine 620 creates a session for the packet, and the procedure proceeds to step S914.
  • the inspection engine 620 determines whether the packet is to be denied depending on the retrieved rule and the session information. If the packet is to be denied, the procedure proceeds to step S932 of Fig. 7B through the tap B; otherwise, the procedure goes to step S916.
  • At step S916, the inspection engine 620 determines whether NAT is required. If NAT is required, the procedure proceeds to step S918; otherwise, the procedure goes to step S920 of Fig. 9B through a tap A.
  • the NAT module 658 performs the NAT function on the packet, and then the procedure proceeds to step S920 through the tap A.
  • the inspection engine 620 extracts packet information and updates the session information in the session table 640, and then the procedure proceeds to step S922 and step S932.
  • the inspection engine 620 processes the packet; and, in case that the procedure goes to step S932 through PATH 1, the packet duplicating module 610 duplicates the packet in order to perform subsequent processes on the duplicated packet.
  • the inspection engine 620 determines whether packet content filtering is required. If packet content filtering is required, the procedure proceeds to step S924; otherwise, the procedure goes to step S926.
  • the URL/contents filtering module 656 performs content filtering on the packet, and then the procedure proceeds to step S926.
  • At step S926, the inspection engine 620 determines whether encryption is required. If encryption is required, the procedure proceeds to step S928; otherwise, the procedure proceeds to step S930.
  • At step S928, the packet is encrypted at the encryption module 654, and the procedure proceeds to step S930.
  • the inspection engine 620 forwards the packet to its destination via the corresponding network interface card 20, 21, or 22, and then the procedure is terminated.
  • At step S932, the packet duplicating module 610 determines whether a BZ port exists. If a BZ port exists, the procedure proceeds to step S936; otherwise, the procedure goes to step S934.
  • At step S934, the inspection engine 620 abandons the packet, and then the procedure is terminated.
  • the packet duplicating module 610 duplicates the packet once for each of the BZ ports 822 to 828, and then the procedure proceeds to step S938.
  • the packet duplicating module 610 forwards the duplicated packet to the auxiliary security server complex 830 through the hub module 810 and the BZ port complex 820, and then the procedure is terminated.
  • Fig. 10 demonstrates a schematic block diagram of an integrated security gateway apparatus in accordance with a third embodiment of the present invention.
  • the packet duplicating module 610, the inspection engine 620, and a load balancing module 1000 are functional modules.
  • the load balancing module 1000 may be implemented in hardware.
  • a BZ port complex 1010 and a server complex 1020 are hardware modules.
  • the server complex 1020 serves the same functions as the BZ server 430.
  • the BZ port complex 1010 includes four BZ ports 1012 to 1018, while the server complex 1020 includes four auxiliary security servers 1022 to 1028.
  • the servers 1022 to 1028 perform the same function. That is, all the auxiliary security servers 1022 to 1028 act as one of the IDS system, the anti-virus system, and the site blocking system.
  • the load balancing module 1000 transmits a duplicated packet from the packet duplicating module 610 to the auxiliary security servers 1022 to 1028 through the BZ port complex 1010, depending on the load of each server 1022 to 1028.
  • Such a scheme may be used to enhance a specific one of the IDS, anti-virus, and site blocking functions according to the security policy.
  • Figs. 11A and 11B give flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 10.
  • since steps S1102 to S1130 of Figs. 11A and 11B perform the same operations as steps S902 to S930 of Figs. 9A and 9B, the description of steps S1102 to S1130 is omitted here for the sake of simplicity.
  • the packet duplicating module 610 checks a session of the packet, and then the procedure proceeds to step S113.
  • the load balancing module 1000 determines one of the BZ ports 1012 to 1028 for transmitting the packet, and then the procedure proceeds to step S1136.
  • the packet duplicating module 610 duplicates the packet to transmit it to the load balancing module 1000, and then the procedure proceeds to step S1138.
  • Fig. 12 shows a schematic block diagram of an integrated security gateway apparatus in accordance with a fourth embodiment of the present invention. It is noted that the structure of the integrated security gateway apparatus in Fig. 12 is identical to that of the integrated security gateway apparatus in Fig. 10, except for a traffic control module 1200.
  • the traffic control module 1200 may be implemented by software or hardware.
  • the traffic control module 1200 is connected to a server complex 1220 through a port complex 1210.
  • the server complex 1220 includes four auxiliary security servers 1222 to 1228; and the port complex 1210 includes BZ ports 1212 to 1218.
  • each of users connected to the internal network 410 performs various works at the same time so that packets having various protocols exist on the internal network 410.
  • the role of the traffic control module 1200 is to collect packets having an identical protocol among the duplicated packets from the packet duplicating module 610 and to send the identical-protocol packets to the port complex 1210 depending on the priority of the protocol predetermined by the network management policy or the security policy of the integrated security gateway apparatus.
  • the integrated security gateway apparatus in Fig. 12 may include one BZ port only, instead of the port complex 1210.
  • a hub module or a load balancing module is disposed between the BZ port and the server complex 1220.
  • Figs. 13A and 13B are flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 12.
  • since steps S1302 to S1330 of Figs. 13A and 13B perform the same operations as steps S902 to S930 of Figs. 9A and 9B, the description of steps S1302 to S1330 is omitted here for the sake of simplicity.
  • the inspection engine 620 analyzes a service of the packet and transmits the analyzed result to the packet duplicating module 610.
  • the traffic control module 1200 determines a BZ port among the BZ ports 1212 to 1218 depending on a load of each of the auxiliary security servers 1222 to 1228 to transmit the packet to the server complex 1220, and then the procedure proceeds to step S1336.
  • the packet duplicating module 610 duplicates the packet to transmit it to the traffic control module 1200, and then the procedure proceeds to step S1338.
  • the traffic control module 1200 forwards the duplicated packet to one of the auxiliary security servers 1222 to 1228 via the determined BZ port of the port complex 1210, and the procedure is terminated.
  • Fig. 14 illustrates a schematic block diagram of an integrated security gateway apparatus in accordance with a fifth embodiment of the present invention. As shown in Fig. 14, a switching module 1400 is included in the integrated security gateway apparatus.
  • a port complex 1410 includes four BZ ports 1412 to 1418; and a server complex 1420 includes an auxiliary server 1422, a site blocking server 1424, an anti-virus server 1426, and an intrusion detecting server 1428. That is, the server complex 1420 includes servers having functions different from one another.
  • the integrated security gateway apparatus analyzes duplicated packets and transmits each of the duplicated packets, by using the switching module 1400, to the corresponding server of the server complex 1420 according to the protocol of each packet.
  • For example, if the packet is an e-mail, it uses POP3 (Post Office Protocol 3), so it is possible that the packet is infected with a virus.
  • the switching module 1400 transmits the packet to the anti-virus server 1426 through the BZ port 1416. Since the packet is processed according to its protocol, the performance of the server complex 1420 can be increased.
  • Fig. 15 provides a schematic block diagram of an integrated security gateway apparatus in accordance with a sixth embodiment of the present invention.
  • the packet duplicating module 610 is coupled to a hub module 1500.
  • the hub module 1500 is connected to two BZ ports 1522 and 1524 of a port complex 1520.
  • the hub module 1500 is connected to two BZ ports 1526 and 1528 of the port complex 1520 through a load balancing module 1510.
  • the BZ port 1522 is connected to an anti-virus server 1532; the BZ port 1524 to a site blocking server 1534; the BZ port 1526 to an intrusion detecting server 1536; and the BZ port 1528 to an intrusion detecting server 1538.
  • Figs. 16A and 16B depict flow charts for explaining an operating method of the integrated security gateway apparatus in Fig. 15.
  • since steps S1602 to S1630 of Figs. 16A and 16B perform the same operations as steps S902 to S930 of Figs. 9A and 9B, the description of steps S1602 to S1630 is omitted here for the sake of simplicity.
  • the inspection engine 620 checks the setting of the BZ ports 1522 to 1528, and the procedure proceeds to step S1634. That is, each of the BZ ports 1522 to 1528 is connected to one of the servers 1532 to 1538.
  • the load balancing module 1510 determines whether load balancing is required for the packet. If load balancing is required, the procedure proceeds to step S1636; otherwise, the procedure goes to step S1640.
  • At step S1636, the packet duplicating module 610 checks a session of the packet, and the procedure proceeds to step S1638.
  • the packet duplicating module 610 selects one of the BZ ports to the session of the packet, and the procedure proceeds to step S1640.
  • the packet duplicating module 610 duplicates the packet to transmit it to the hub module 1500, and the procedure proceeds to step S1642.
  • the hub module 1500 forwards the packet to the BZ ports 1522 and 1524 and the load balancing module 1510.
  • Then, the load balancing module 1510 forwards the packet to one of the BZ ports 1526 and 1528, depending on the load of the intrusion detecting servers 1536 and 1538.
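The duplication and dispatch behaviour of the second, third, fifth and sixth embodiments (hub fan-out, load balancing with the per-session port choice of steps S1636 to S1638, and protocol switching as in Fig. 14) condensed into one runnable model. This is an added example, not code from the patent or from Future Systems; the `Packet`, `BZPort` and module classes, the session key, the load metric, the protocol table and every port-to-server pairing other than BZ port 1416 to the anti-virus server 1426 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # service protocol of the packet, e.g. "POP3" or "HTTP"
    payload: bytes

    def session_key(self) -> Tuple[str, str, str]:
        # Constructed session identity; the text only says a session is "checked".
        return (self.src, self.dst, self.proto)


@dataclass
class BZPort:
    number: int
    server: str                         # auxiliary security server behind it
    load: int = 0                       # constructed load metric: packets queued
    received: List[Packet] = field(default_factory=list)

    def deliver(self, pkt: Packet) -> None:
        self.received.append(pkt)
        self.load += 1


class LoadBalancingModule:
    """Fig. 10 / Fig. 15 load balancing over identical servers: the first packet
    of a session picks the least loaded port and later packets of that session
    stay on it, so one detection server sees the whole session (S1636-S1638)."""

    def __init__(self, ports: List[BZPort]) -> None:
        self.ports = list(ports)
        self.session_port: Dict[Tuple[str, str, str], BZPort] = {}

    def dispatch(self, pkt: Packet) -> List[int]:
        key = pkt.session_key()
        port = self.session_port.get(key)
        if port is None:
            port = min(self.ports, key=lambda p: p.load)
            self.session_port[key] = port
        port.deliver(pkt)
        return [port.number]


class HubModule:
    """Fig. 8 / Fig. 15 hub: a separate duplicate to every attached output."""

    def __init__(self, outputs: List[Union[BZPort, LoadBalancingModule]]) -> None:
        self.outputs = list(outputs)

    def dispatch(self, pkt: Packet) -> List[int]:
        delivered: List[int] = []
        for out in self.outputs:
            if isinstance(out, BZPort):
                out.deliver(pkt)                  # one copy per port (step S936)
                delivered.append(out.number)
            else:
                delivered.extend(out.dispatch(pkt))
        return delivered


class SwitchingModule:
    """Fig. 14 switch: the duplicate goes only to the server for its protocol."""

    def __init__(self, ports: List[BZPort], proto_to_server: Dict[str, str],
                 default: str) -> None:
        self.by_server = {p.server: p for p in ports}
        self.proto_to_server = proto_to_server
        self.default = default

    def dispatch(self, pkt: Packet) -> List[int]:
        port = self.by_server[self.proto_to_server.get(pkt.proto, self.default)]
        port.deliver(pkt)
        return [port.number]


def build_fifth_embodiment() -> SwitchingModule:
    """Fig. 14 wiring. Only 1416 -> anti-virus server 1426 is stated in the
    text; the other port/server pairs and the protocol table are assumptions."""
    ports = [BZPort(1412, "auxiliary"), BZPort(1414, "site-blocking"),
             BZPort(1416, "anti-virus"), BZPort(1418, "intrusion-detection")]
    table = {"POP3": "anti-virus", "SMTP": "anti-virus", "HTTP": "site-blocking"}
    return SwitchingModule(ports, table, default="intrusion-detection")


def build_sixth_embodiment() -> Tuple[HubModule, Dict[int, BZPort]]:
    """Fig. 15 wiring: hub -> 1522 (anti-virus), 1524 (site blocking) and a
    load balancer -> 1526 / 1528 (two intrusion detecting servers)."""
    av, sb = BZPort(1522, "anti-virus"), BZPort(1524, "site-blocking")
    ids1, ids2 = BZPort(1526, "ids-1536"), BZPort(1528, "ids-1538")
    hub = HubModule([av, sb, LoadBalancingModule([ids1, ids2])])
    return hub, {p.number: p for p in (av, sb, ids1, ids2)}


def run_sample() -> Tuple[List[List[int]], Dict[int, BZPort]]:
    """Push constructed traffic (two sessions, three packets) through Fig. 15."""
    hub, ports = build_sixth_embodiment()
    a1 = Packet("10.0.0.5", "192.0.2.10", "POP3", b"RETR 1")
    b1 = Packet("10.0.0.6", "192.0.2.20", "HTTP", b"GET / HTTP/1.0")
    a2 = Packet("10.0.0.5", "192.0.2.10", "POP3", b"QUIT")   # same session as a1
    return [hub.dispatch(p) for p in (a1, b1, a2)], ports
```

Both intrusion detecting servers start idle, so the first session lands on 1526, the second on 1528, and the third packet follows its session back to 1526 rather than the currently least loaded port.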
  • Fig. 17 exemplifies a schematic block diagram of a built-in security unit employed in the integrated security gateway apparatus 420 of Fig. 4 in accordance with the present invention.
  • the built-in security unit 1700 comprises a network interface module 1710, a TCP/IP protocol stack module 1720, a first memory 1730, a processing module 1740, and a second memory 1750.
  • the built-in security unit 1700 is used in the integrated security gateway apparatus 420 instead of the BZ port 23.
  • the built-in security unit 1700 may be implemented in the form of a card capable of being inserted into a slot provided in the integrated security gateway apparatus 420.
  • the network interface module 1710 includes a LAN connector, a Rx buffer, and a Tx buffer and is connected to the first bus 1.
  • the network interface module 1710 operates in promiscuous mode and receives duplicated packets from the packet duplicating module 610.
  • the TCP/IP protocol stack module 1720 transforms the state of the duplicated packets from physical layer to application layer.
  • the duplicated packets from the packet duplicating module 610 are transmitted to the first memory 1730 through the TCP/IP protocol stack module 1720, thereby being stored on the first memory 1730 in application layer state.
  • the first memory 1730 may be implemented by a DRAM (Dynamic Random Access Memory).
  • the first memory 1730 receives the duplicated packets and transmits them to the processing module 1740.
  • the second memory 1750 stores information and acts as the BZ server 430.
  • the processing module 1740 processes the duplicated packets and transmits the processed result to the processor 10 or 60, in order to take action on the packets.
  • Figs. 18A and 18B present flow charts for explaining an operating method of the built-in security unit 1700 in Fig. 17.
  • since steps S1802 to S1830 of Figs. 18A and 18B perform the same operations as steps S902 to S930 of Figs. 9A and 9B, the description of steps S1802 to S1830 is omitted here for the sake of simplicity.
  • At step S1832 of Fig. 18B, the processing module 1740 analyzes a service type of the duplicated packet, and the procedure proceeds to step S1834.
  • the processing module 1740 determines whether pattern information exists on the second memory 1750, wherein the pattern information includes attack and virus patterns. If the pattern information exists on the second memory 1750, the procedure proceeds to step S1836; and, otherwise, the procedure returns to step S1802. At step S1836, the processing module 1740 compares the duplicated packet with the pattern information on the second memory 1750, and the procedure proceeds to step S1838.
  • the processing module 1740 takes action on the packet depending on the comparison result, and the procedure is terminated.
  • the action includes a session blocking, an alarm, a log, and the like.
  • Fig. 19 shows a flow chart for explaining an intrusion detection process in accordance with the present invention.
  • the inspection engine 620 receives a packet, and the procedure proceeds to step S1904.
  • the inspection engine 620 determines whether the packet is transmitted from the BZ server 430, the server complex 830, 1020, 1220, 1420, or 1530, or the built-in security unit 1700. That is, the inspection engine 620 determines whether the packet has an IDS message. If the packet has the IDS message, the procedure proceeds to step S1908; and, otherwise, the procedure goes to step S1906. At step S1906, the inspection engine 620 drops the packet, and the procedure is terminated.
  • At step S1908, the inspection engine 620 determines the type of attack for the current packet to be processed depending on the IDS message, and the procedure proceeds to step S1910.
  • At step S1910, the inspection engine 620 sets an access deny time for the current packet, and the procedure proceeds to step S1912.
  • At step S1912, the inspection engine 620 sets an address of an attacker, and the procedure proceeds to step S1914.
  • the inspection engine 620 sets a destination address to be attacked, and the procedure proceeds to step S1916.
  • the inspection engine 620 determines whether there is a session connected to the destination address. If there is the session connected to the destination address, the procedure proceeds to the step S1918; and, otherwise, the procedure goes to step S1920.
  • the inspection engine 620 disconnects the session, and the procedure proceeds to step S1920.
  • the inspection engine 620 sets a timer to the current packet depending on the access deny time, and the procedure proceeds to step S1922.
  • the inspection engine 620 denies a connection from the attacker to the destination address and vice versa, and the procedure proceeds to step S1924.
  • the inspection engine 620 determines whether the access deny time has passed. If the access deny time has passed, the procedure proceeds to step S1926; otherwise, the procedure returns to step S1922.
  • At step S1926, the inspection engine 620 releases the timer, and the procedure proceeds to step S1928.
  • At step S1928, the inspection engine 620 permits a connection from the attacker to the destination and vice versa, and the procedure is terminated.
  • Fig. 20 offers a structure of a communication packet transmitted from the BZ server 430, the server complex 830, 1020, 1220, 1420, or 1530, or the built-in security unit 1700 to the inspection engine 620 in accordance with the present invention.
  • the communication packet includes various fields.
  • the fields include a source IP, a destination IP, a source port, a destination port, a protocol, a filter, a risk, a hackcode1, a hackcode2, a lasting time, and a description, but are not limited thereto.
  • the source IP field represents an attacker's IP address; the destination IP field, an IP address of the destination; the source port field, a port number of the attacker; the destination port field, a port number of the destination; the protocol field, an attack protocol; the filter field, an action for the attack; the risk field, a risk level of the attack; the hackcode1 and hackcode2 fields, the type of the attack; the lasting time field, an access deny time; and the description field, a description of the attack.
  • Figs. 21A and 21B show flow charts for explaining in detail a method for performing an anti-virus function and an intrusion detection function in accordance with the present invention.
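An added example (not the patent's code) of the Fig. 19 procedure driven by a Fig. 20 message: the inspection engine accepts only packets that carry a well-formed IDS message, tears down the session between attacker and attacked host, denies traffic between the two in both directions, and releases the deny once the lasting time has passed. The `key=value;` wire encoding, the seconds unit for the lasting time, the session-table shape and the injected clock are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Field names of the Fig. 20 communication packet, in the order the text lists them.
IDS_FIELDS = ("source_ip", "destination_ip", "source_port", "destination_port",
              "protocol", "filter", "risk", "hackcode1", "hackcode2",
              "lasting_time", "description")


@dataclass(frozen=True)
class IdsMessage:
    source_ip: str          # attacker's IP address
    destination_ip: str     # attacked host
    source_port: int
    destination_port: int
    protocol: str           # attack protocol
    filter: str             # action for the attack
    risk: str
    hackcode1: str          # attack type
    hackcode2: str
    lasting_time: int       # access deny time, taken here as seconds (assumption)
    description: str


def parse_ids_message(raw: bytes) -> Optional[IdsMessage]:
    """Parse a constructed 'key=value;' encoding of the Fig. 20 fields.

    The patent does not fix a wire format, so this encoding is an assumption.
    Returns None for anything that is not a complete, well-formed IDS message,
    which the engine treats as a packet to drop (step S1906).
    """
    try:
        items = [i.split("=", 1) for i in raw.decode("ascii").split(";") if i]
        kv = {k: v for k, v in items}
    except (UnicodeDecodeError, ValueError):
        return None
    if set(kv) != set(IDS_FIELDS):
        return None
    try:
        return IdsMessage(kv["source_ip"], kv["destination_ip"],
                          int(kv["source_port"]), int(kv["destination_port"]),
                          kv["protocol"], kv["filter"], kv["risk"],
                          kv["hackcode1"], kv["hackcode2"],
                          int(kv["lasting_time"]), kv["description"])
    except ValueError:
        return None


class InspectionEngine:
    """The part of the inspection engine 620 that reacts to IDS messages."""

    def __init__(self, now: Callable[[], float]) -> None:
        self.now = now                                 # injected clock for the timer
        self.sessions: Set[Tuple[str, str]] = set()    # live (client, server) pairs
        self.deny_until: Dict[Tuple[str, str], float] = {}
        self.alerts: List[IdsMessage] = []

    def handle_bz_packet(self, raw: bytes, from_bz_server: bool) -> bool:
        """Steps S1904 to S1922. Returns True when a deny rule was installed."""
        msg = parse_ids_message(raw) if from_bz_server else None
        if msg is None:
            return False                               # S1906: drop the packet
        attacker, target = msg.source_ip, msg.destination_ip   # S1912, S1914
        # S1916 to S1918: tear down the live session to the attacked address.
        self.sessions.discard((attacker, target))
        # S1920 to S1922: arm the timer and deny both directions.
        expiry = self.now() + msg.lasting_time
        self.deny_until[(attacker, target)] = expiry
        self.deny_until[(target, attacker)] = expiry
        self.alerts.append(msg)
        return True

    def permitted(self, src: str, dst: str) -> bool:
        """Steps S1924 to S1928: the deny holds until the access deny time passes."""
        expiry = self.deny_until.get((src, dst))
        if expiry is None:
            return True
        if self.now() >= expiry:
            del self.deny_until[(src, dst)]            # S1926: release the timer
            return True
        return False


def run_alert_sample() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: one alert, then the clock runs past the deny time."""
    clock = [1000.0]
    engine = InspectionEngine(now=lambda: clock[0])
    engine.sessions.add(("203.0.113.9", "10.0.0.20"))
    raw = (b"source_ip=203.0.113.9;destination_ip=10.0.0.20;source_port=4444;"
           b"destination_port=80;protocol=TCP;filter=deny;risk=high;"
           b"hackcode1=0x01;hackcode2=0x1a;lasting_time=300;"
           b"description=constructed sample alert;")
    installed = engine.handle_bz_packet(raw, from_bz_server=True)
    denied_now = not engine.permitted("203.0.113.9", "10.0.0.20")
    clock[0] += 301
    released = engine.permitted("10.0.0.20", "203.0.113.9")
    session_gone = ("203.0.113.9", "10.0.0.20") not in engine.sessions
    return installed, denied_now, released, session_gone
```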
  • the inventive integrated security gateway apparatus receives an incoming packet from the internal network or the external network, and the procedure proceeds to step S2104.
  • the inventive integrated security gateway apparatus duplicates the incoming packet, and the procedure proceeds to step S2106. In this time, the incoming packet is transmitted to its destination.
  • the inventive integrated security gateway transmits the duplicated packet to the BZ server performing an anti-virus function or the server complex serving as the BZ server (hereinafter referred to as the anti-virus server), and the procedure proceeds to step S2108.
  • the anti-virus server collects the duplicated packets from the inventive integrated security gateway apparatus to produce an assembled message, and the procedure proceeds to step S2110.
  • the anti-virus server determines whether the packet collection is completed. If the packet collection is completed, the procedure proceeds to step S2112; and, otherwise, the procedure returns to step S2108.
  • the anti-virus server checks that a virus exists in the assembled message with reference to virus information stored on a virus database 2100.
  • the virus database is provided in the anti-virus server.
  • the anti-virus server determines whether the assembled message is infected with the virus. If the assembled message is infected with the virus, the procedure proceeds to step S2118; otherwise, the procedure goes to step S2116.
  • the anti-virus server drops the duplicated packets, and the procedure is terminated.
  • the anti-virus server determines whether it is possible to cure the virus depending on the virus information. If it is possible to cure the virus, the procedure proceeds to step S2122; and, otherwise, the procedure goes to step S2120.
  • the anti-virus server deletes a portion of the assembled message, which is infected with the virus, and the procedure proceeds to step S2124.
  • step S2122 the anti-virus server cures the virus, and the procedure proceeds to step S2124.
  • the anti-virus server determines whether a session corresponding to the assembled message exists. If the session exists, the procedure proceeds to step S2126. Otherwise, the procedure goes to step S2128 of Fig. 21B through a tap A.
  • the anti-virus server deletes the session, and the procedure is terminated.
  • the anti-virus server determines whether an integrated center exists.
  • the integrated center may be provided in case that a plurality of integrated security gateway apparatus is employed in a VPN and controls the operations of the integrated security gateway apparatus. If the integrated center exists, the procedure proceeds to step S2136; and, otherwise, the procedure goes to step S2130.
  • the anti-virus server determines whether the intrusion detection system exists. If the intrusion detection system exists, the procedure proceeds to step S2132; and, otherwise, the procedure goes to step S2134.
  • the anti-virus server transmits a warning message to the intrusion detection system, and the procedure proceeds to step S2138.
  • the warning message includes information related to the virus.
  • the anti-virus server transmits the warning message to the inventive integrated security gateway apparatus, and the procedure proceeds to step S2138.
  • the anti-virus server transmits the warning message to the integrated center, and the procedure proceeds to step S2138.
  • the anti-virus server identifies a service type of the assembled message, and the procedure proceeds to step S2140.
  • the anti-virus server determines whether the assembled message uses SMTP (Simple Mail Transfer Protocol). If the assembled message uses SMTP, the procedure proceeds to step S2148; otherwise, the procedure proceeds to step S2142.
  • the anti-virus server deletes a service session corresponding to the assembled message, and the procedure proceeds to step S2144.
  • the anti-virus server transmits a result message related to the deletion, and the procedure is terminated.
  • the anti-virus server determines whether a mail session exists. If the mail session exists, the procedure proceeds to step S2152; and, otherwise, the procedure goes to step S2150.
  • the anti-virus server transmits a warning mail to a mail receiver account, and the procedure is terminated.
  • the anti-virus server inserts a warning message in a last portion of the assembled message, i.e., a mail to be forwarded to the mail receiver, and the procedure is terminated.
  • Fig. 22 presents flow charts for explaining in detail a method for performing a noxious site blocking function in accordance with the present invention.
  • the inventive integrated security gateway apparatus receives an incoming packet from the internal network or the external network, and the procedure proceeds to step S2204.
  • the inventive integrated security gateway apparatus compares a destination address of the incoming packet with noxious site addresses stored in a built-in database 2200, and the procedure proceeds to step S2206.
  • the built-in database 2200 is provided in the inventive security gateway apparatus.
  • the inventive integrated security gateway apparatus determines whether the destination address corresponds to one of the noxious site addresses. If the destination address corresponds to one of the noxious site addresses, the procedure proceeds to step S2208; and, otherwise, the procedure goes to step S2212.
  • the inventive integrated security gateway apparatus transmits a warning packet to a user, and the procedure proceeds to step S2210.
  • the warning packet includes a warning message and uses HTTP.
  • the inventive integrated security gateway apparatus deletes a session corresponding to the destination address, and the procedure is terminated.
  • the inventive integrated security gateway apparatus maintains the communication between the destination address and an origination address of the incoming packet, and the procedure proceeds to step S2214. In other words, the incoming packet is transmitted to its destination.
  • At step S2214, the inventive integrated security gateway apparatus duplicates the incoming packet, and the procedure proceeds to step S2216.
  • the inventive integrated security gateway apparatus transmits the duplicated packet to a server for performing a noxious site blocking function (hereinafter referred to as a noxious site blocking server), and the procedure proceeds to step S2218.
  • the noxious site blocking server receives the duplicated packet and compares the destination address of the duplicated packet with noxious site addresses stored on a noxious sites database 2210, and the procedure proceeds to step S2220.
  • the noxious sites database 2210 is provided in the noxious site blocking server.
  • the noxious site blocking server determines whether the destination address corresponds to one of the noxious site addresses stored on the database 2210. If the destination address corresponds to one of the noxious site addresses, the procedure proceeds to step S2226; and, otherwise, the procedure goes to step S2222.
  • the noxious site blocking server maintains a session related to the destination address, and the procedure proceeds to step S2224.
  • the noxious site blocking server permits a communication related to the destination address and notifies the permission result to the inventive integrated security gateway apparatus, and the procedure is terminated.
  • the noxious site blocking server transmits a warning packet including a warning message to the user, and the procedure proceeds to step S2228.
  • the noxious site blocking server deletes the session related to the destination address and notifies the deletion result to the inventive integrated security gateway apparatus, and the procedure proceeds to step S2230.
  • the inventive integrated security gateway apparatus updates the noxious site addresses on the built-in database 2200 with reference to the deletion result, and the procedure is terminated.
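The two-tier lookup of Fig. 22 as an added example (not the patent's code): the gateway's built-in database 2200 stops already-known addresses at once, a miss lets the traffic through while a duplicate goes to the noxious site blocking server, and a hit on the server's database 2210 deletes the session and is fed back into the built-in database so the next request is stopped at the gateway. The dictionary packet shape, the warning packet body and the addresses are constructed.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed warning packet: the text only says it carries a warning message over HTTP.
WARNING_PACKET = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<html><body>Access to this site is blocked by policy.</body></html>")

Packet = Dict[str, str]   # constructed shape: {"src": origination, "dst": destination}


class NoxiousSiteBlockingServer:
    """Server side of Fig. 22 (steps S2218 to S2228) with its own database 2210."""

    def __init__(self, noxious: Iterable[str]) -> None:
        self.db: Set[str] = set(noxious)
        self.sessions: Set[Tuple[str, str]] = set()

    def inspect(self, dup: Packet) -> Dict[str, str]:
        src, dst = dup["src"], dup["dst"]
        if dst in self.db:                                  # S2220: hit
            self.sessions.discard((src, dst))               # S2228: delete session
            return {"result": "deleted", "dst": dst, "warning": WARNING_PACKET}
        self.sessions.add((src, dst))                       # S2222: keep session
        return {"result": "permitted", "dst": dst}          # S2224: notify gateway


class IntegratedSecurityGateway:
    """Gateway side of Fig. 22 with the built-in database 2200."""

    def __init__(self, server: NoxiousSiteBlockingServer,
                 builtin: Iterable[str] = ()) -> None:
        self.builtin_db: Set[str] = set(builtin)
        self.server = server
        self.sessions: Set[Tuple[str, str]] = set()
        self.warnings: List[Tuple[str, str]] = []   # (user, warning packet) sent

    def handle(self, pkt: Packet) -> str:
        src, dst = pkt["src"], pkt["dst"]
        if dst in self.builtin_db:                          # S2204 to S2206: hit
            self.warnings.append((src, WARNING_PACKET))     # S2208
            self.sessions.discard((src, dst))               # S2210
            return "blocked-by-gateway"
        self.sessions.add((src, dst))                       # S2212: traffic flows
        duplicate = dict(pkt)                               # S2214
        verdict = self.server.inspect(duplicate)            # S2216
        if verdict["result"] == "deleted":
            self.warnings.append((src, verdict["warning"]))
            self.sessions.discard((src, dst))
            self.builtin_db.add(dst)                        # S2230: learn the address
            return "blocked-by-server"
        return "permitted"


def run_sample() -> List[str]:
    """Constructed traffic: the second request to the same noxious site is
    stopped at the gateway because the first one taught the built-in database."""
    server = NoxiousSiteBlockingServer({"bad.example"})
    gateway = IntegratedSecurityGateway(server)
    requests = [{"src": "10.0.0.5", "dst": "bad.example"},
                {"src": "10.0.0.5", "dst": "bad.example"},
                {"src": "10.0.0.6", "dst": "good.example"}]
    return [gateway.handle(r) for r in requests]
```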

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a networking system with an integrated security gateway that integrates virtual private networking, firewall and network monitoring functions. A duplicate of a received packet is provided to a network monitoring system connected to or included in the system in order to detect all types of intrusions and attacks directed against a virtual private network and the integrated security gateway itself. Furthermore, implementing a plurality of functions and services in the network monitoring system allows this networking system to enjoy almost complete security.
PCT/KR2001/002143 2001-12-11 2001-12-11 Dispositif a passerelle de securite integree et son procede de fonctionnement WO2003050999A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU2002216434A AU2002216434A1 (en) 2001-12-11 2001-12-11 Integrated security gateway apparatus and operating method thereof
PCT/KR2001/002143 WO2003050999A1 (fr) 2001-12-11 2001-12-11 Dispositif a passerelle de securite integree et son procede de fonctionnement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/KR2001/002143 WO2003050999A1 (fr) 2001-12-11 2001-12-11 Dispositif a passerelle de securite integree et son procede de fonctionnement

Publications (1)

Publication Number Publication Date
WO2003050999A1 true WO2003050999A1 (fr) 2003-06-19

Family

ID=19198491

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2001/002143 WO2003050999A1 (fr) 2001-12-11 2001-12-11 Dispositif a passerelle de securite integree et son procede de fonctionnement

Country Status (2)

Country Link
AU (1) AU2002216434A1 (fr)
WO (1) WO2003050999A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
JPH11205388A (ja) * 1998-01-19 1999-07-30 Hitachi Ltd パケットフィルタ装置、認証サーバ、パケットフィルタリング方法及び記憶媒体
US6189104B1 (en) * 1996-08-01 2001-02-13 Harris Corporation Integrated network security access control system
JP2001160828A (ja) * 1999-12-03 2001-06-12 Matsushita Electric Ind Co Ltd セキュリティ・ゲートウェイ装置におけるvpn通信方法
KR20010112633A (ko) * 2000-06-12 2001-12-20 김광택 통합형 보안 장치 및 그 동작 방법


Also Published As

Publication number Publication date
AU2002216434A1 (en) 2003-06-23

Similar Documents

Publication Publication Date Title
KR100695827B1 (ko) 통합형 보안 장치 및 그 동작 방법
US7441262B2 (en) Integrated VPN/firewall system
Bellovin Distributed firewalls
US6154839A (en) Translating packet addresses based upon a user identifier
US7051365B1 (en) Method and apparatus for a distributed firewall
US7386889B2 (en) System and method for intrusion prevention in a communications network
US7536715B2 (en) Distributed firewall system and method
US6003084A (en) Secure network proxy for connecting entities
Douligeris et al. Network security: current status and future directions
US7596806B2 (en) VPN and firewall integrated system
CN1968272B (zh) Method and system for mitigating denial-of-service attacks in a communication network
EP1574009B1 (fr) Systems and devices using identification data in network communications
Saad et al. A study on detecting ICMPv6 flooding attack based on IDS
Foltz et al. Enterprise considerations for ports and protocols
EP3085044B1 (fr) Method for providing a connection between a communication service provider and an Internet Protocol, IP, server providing a service, as well as a perimeter network comprising the IP server, and an IP server providing the service
JP4271478B2 (ja) Relay device and server
WO2001091418A2 (fr) Distributed firewall system and method
WO2003050999A1 (fr) Integrated security gateway device and method of operating the same
Keromytis et al. Designing firewalls: A survey
Simpson et al. Enterprise Considerations for Ports and Protocols
Wiebelitz et al. Transparent identity-based firewall transition for eScience
Zeng Network security and implementation based on IPV6
Mariani Firewall strategies using network processors
Ma et al. A Novel Network Security Solution
Ouyang et al. MLCC: A Multi Layered Correlative Control Mechanism for the VPN Topology

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP
