WO2006041080A1 - Firewall system and firewall control method - Google Patents
- Publication number
- WO2006041080A1 (PCT/JP2005/018774)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- address
- terminal
- information
- communication
- call control
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Definitions
- the present invention relates to a firewall system and a firewall control method for dynamically controlling a firewall in a network in which communication over a mobile network such as Mobile IP is operated.
- a firewall is generally composed of an unauthorized access detection device and a packet filtering device. The unauthorized access detection device detects attacks coming from the external network.
- a packet filtering device is a device that, among the communication performed between an internal network and an external network, allows only the packets used for necessary communication to pass and blocks all other packets.
- the unauthorized access detection device detects attacks and unauthorized access by attackers by monitoring a series of packet flows. There are two main methods for detecting such attacks and unauthorized access.
- the latter is a technique that can be expected to increase the accuracy of detecting unauthorized access, because it can detect any operation other than normal access.
- the former method is often limited to a narrow set of targets. For example, a port scan, in which packets are sent to multiple ports of a specific internal terminal to investigate from the external network side whether a service is running on each port, is detected as a sign of unauthorized access and notified. Such systems have been in operation.
- this method has the drawback that it is difficult to detect a new attack method, because information on the signs of unauthorized access must be registered in the unauthorized access detection system for each unauthorized access method.
- an unauthorized access blocking system comprising: a communication relay control unit that receives communication data from the external network and forwards it to the server when the communication data is normal; a normal access information storage unit that stores, as feature information of the communication data, one or more types of conditions on the communication data that contribute to providing the service intended by the server; and a normal access identifying unit that reads the feature information from the normal access information storage unit, compares it with the communication data received by the communication relay control unit, and determines that only communication data satisfying all of the information is normal (see Patent Document 1).
- a method for determining the access type in a communication network, in which a protocol specification and/or access policy for accepting access made from outside through the communication network as normal access is determined for each target communication system or communication system group, the transmission information distributed through the network and addressed to the communication system or communication system group is captured, and captured transmission information that does not conform to the protocol specification and/or access policy is identified as transmission information likely to be unauthorized access (see Patent Document 2).
- the packet filtering device allows communication packets performed on the internal network and external network to pass if they comply with a predetermined rule, and does not pass if they do not comply with the rule.
- This rule is, for example, "Allow access from a specific host", "Allow http (HyperText Transfer Protocol) access from the internal network to the external network", or "When ftp (File Transfer Protocol) to the network is started, permit ftp access to a specific port from the external network to the internal network".
- the packet filtering device prevents attacks and unauthorized access from the external network to the internal network by passing only packets that conform to these rules and not passing other packets.
- the unit for controlling the passage of packets is mainly either the IP address alone or the pair of IP address and port number.
- Control in units of IP addresses can be realized by a rule that allows all packets transmitted and received between a specific terminal of the external network and a specific terminal of the internal network to pass. Specifically, if the IP address of a PC connected to the external network by dial-up or from a hotspot is 202.123.12.1, and the IP address of the e-mail server on the internal network is 202.32.21.1, a rule that permits packets for communication between them can be described as "Allow 202.123.12.1 202.32.21.1". In this rule, Allow means that passage is permitted, 202.123.12.1 is the source IP address, and 202.32.21.1 is the destination IP address.
- the packet filtering device passes all packets that meet this rule. Control that passes or blocks packets specified by a pair of source IP address and destination IP address is called control in units of IP addresses.
- control in units of IP address and port number can be realized by a rule that allows data transmitted from a specific port of a specific terminal on the external network to a specific port on which an application of a specific terminal on the internal network is listening to pass.
- Specifically, assume that the IP address of the IP phone terminal on the external network is 202.123.12.2, that the application that sends voice data is started on this terminal with port number 12345, that the IP address of the IP phone terminal on the internal network is 202.32.21.2, and that 23456 is the port number on which the application that receives voice data is running on this terminal.
- the rule for allowing the voice data to pass can be described as "Allow 202.123.12.2 12345 202.32.21.2 23456".
- Allow indicates that passage is permitted, and 202.123.12.2, 12345, 202.32.21.2, and 23456 are the source IP address, source port number, destination IP address, and destination port number, respectively.
- the packet filtering device passes all packets that meet this rule. Control that passes or blocks packets specified by the combination of source IP address, source port number, destination IP address, and destination port number is called control in units of IP address and port number.
- If a packet filtering device performs control in units of IP addresses, all services (applications
- a device located in the middle of the network, such as a packet filtering device, could not easily obtain the information on a pair of IP address and port number.
- SIP: Session Initiation Protocol
- SIP defines the control message format and sequence for negotiating the IP address and port number, codec (CODEC) type, bandwidth, etc. used to deliver specific media between two or more terminals establishing communication.
- CODEC: codec
- in this SIP operation, there is a method of installing a call control relay server that relays all call control sequences sent and received by the terminals belonging to a specific organization.
- FIG. 21 shows a call control sequence (INVITE sequence) for establishing communication between an internal terminal installed in an internal network and an external terminal installed in an external network using a call control relay server. INVITE, TRYING, RINGING, OK, and ACK attached to the control messages in the figure are the control messages defined in SIP. By exchanging these control messages, information such as the IP address and port number, media type, CODEC, and bandwidth used in the established communication can be negotiated between the terminals, and communication can be established between them.
- from these messages, the source IP address and source port number, or the destination IP address and destination port number, can be determined.
- this description method is SDP (Session Description Protocol), standardized by the IETF, the organization that standardizes Internet-related protocols.
- the m line indicates information about the media: audio is the media type, 49170 is the port number, and RTP/AVP 0 is the transport and payload format.
- the c line indicates the connection information: IN is the Internet, IP4 is IPv4, and 224.2.17.12 is the IP address used for the connection.
- when the call control relay server receives ACK, it knows the source IP address, the destination IP address, and the destination port number.
- the call control relay server can therefore control the packet filtering device using information including the combination of source IP address, destination IP address, and destination port number.
- This method is called the packet filtering device control method using a call control relay server.
- this method cannot be used in the Mobile IP environment described below.
- Mobile IP is a technology that allows established communication to continue without being disconnected even when the IP address changes because of movement or disconnection and reconnection of the network.
- Mobile IP is standardized by the IETF, and the details of the protocol are defined in RFC 3775 (IPv6) and RFC 3344 (IPv4).
- FIG. 22 illustrates the operation of Mobile IP.
- a mobile terminal, also called a mobile node (MN), 201
- a home agent (HA) 202, which is a server that performs mobility management
- a home network 205
- an external terminal, also called a correspondent node (CN), 203
- an external network 204
- a specific network connected to the external network (destination network) 206
- a firewall including a packet filtering device and the like
- the mobile terminal 201 is assigned an IP address on the home network 205, for example 2001:300:c01::2/64; this address is called the home address.
- with the mobile terminal 201 connected to the home network 205, communication with the external terminal 203 is established. Assume that the mobile terminal 201 moves to the specific network (destination network) 206 with this communication established, and that the IP address assigned to the mobile terminal 201 after moving to the destination network 206 is, for example, 2001:300:c01:beef::2/64. This address is called the care-of address of the mobile terminal 201.
- the packet addressed to the mobile terminal 201 is transmitted toward the home address.
- a packet transmitted to the home address is delivered to the home network 205 via the external network 204.
- the packet delivered to the home network 205 is received by the home agent 202.
- the home agent 202 delivers the packet to the mobile terminal 201 by delivering the received packet to the care-of address of the mobile terminal 201.
- a packet from the mobile terminal 201 to the external terminal 203 is delivered in the reverse order (mobile terminal 201 → home agent 202 → external terminal 203).
- a packet addressed to the mobile terminal 201 may also be delivered directly to its care-of address. In this way, packets delivered to the mobile terminal 201 are passed to the specific application. That is, communication established by the mobile terminal 201 with the external terminal 203 before moving can continue even after the mobile terminal 201 moves.
- FIG. 23 illustrates the configuration of this conventional method.
- a first mobile terminal 301, a second mobile terminal 302, a home agent 303, a firewall management host 304, a packet filtering device 305, an external network (Internet) 306, an ISP (Internet service provider) 307, and an authentication server 308 of the ISP 307.
- ISP: Internet service provider
- the first mobile terminal 301 is taken out to the external network and connects to the second mobile terminal 302 on the internal network.
- the first mobile terminal 301 connects to the external network via a specific ISP 307 by dial-up or the like.
- the authentication server 308 of the ISP 307 sends user information to the first mobile terminal 301,
- and the first mobile terminal 301 sends the user information to the firewall management host 304.
- the firewall management host 304 changes the setting of the packet filtering device 305 on the firewall so that communication between the first mobile terminal 301 and the home agent 303 becomes possible.
- the first mobile terminal 301 can then communicate with the second mobile terminal 302 via the home agent 303. That is, dynamic control of the packet filtering device 305 is realized in a situation where Mobile IP is operated.
- Patent Document 1: JP 2004-38557 A
- Patent Document 2: JP 2001-313640 A
- Patent Document 3: JP 2003-229893 A
- Patent Document 4: JP 2003-229915 A
- Patent Document 5: JP 10-70576 A
- the conventional method can be applied only when the first mobile terminal 301 is taken out, and there is no framework for establishing communication from an external terminal on the external network. In other words, there is no mechanism for establishing legitimate communication approved by the network administrator of the internal network.
- the present invention has been made in view of the above circumstances. Its object is to provide a firewall system and a firewall control method in which, even when communication over a mobile network is operated, packet filtering is performed in the narrower units of address and port number, only communication within that range is allowed to pass, and communication can be established not only when a mobile terminal of the internal network moves to the external network but also from other terminals connected to the external network.
- a further object of the present invention is to provide a firewall system and a firewall control method that monitor the packet sequence of communication specified by media type and detect unauthorized access that does not conform to normal access on the basis of the normal access determination condition defined for each media type, so that unknown attacks can in practice be detected.
Means for solving the problem
- the firewall system of the present invention is a firewall system that controls communication between an external network and an internal network, comprising: a call control relay unit that relays the call control sequence for establishing communication between terminals connected to the external network or the internal network; an address correspondence information management unit that manages the correspondence between the old and new addresses of a terminal whose address changes due to movement or reconnection to the network; a filtering control unit that, based on the address and port number information of the terminals used for the communication obtained from the call control relay unit and the old/new address correspondence information obtained from the address correspondence information management unit, sets a pair of address and port number as the filtering condition for packets allowed to pass between the internal network and the external network; and a packet filtering unit that passes packets specified by the filtering condition including the pair of address and port number.
- the call control relay unit includes a relay unit information holding unit that holds information on other trusted call control relay units, and
- the filtering control unit obtains the address and port number information of communication between terminals established via such another call control relay unit and sets the filtering condition based on the pair of address and port number.
- in the firewall system described above, when at least one of the terminal on the internal network and the terminal on the external network moves and the address information obtained from the call control relay unit or the address correspondence information management unit changes, the filtering condition is set based on the latest pair of address and port number.
- the firewall system described above further comprises a normal access determination condition storage unit that stores the normal access determination condition defined for each media type of the communication, and an unauthorized access detection unit that, based on the address, port number and media type information of the terminals used for the communication obtained from the call control relay unit, the old/new address correspondence information obtained from the address correspondence information management unit, and the normal access determination condition obtained from the normal access determination condition storage unit, detects unauthorized access when a passing packet does not conform to the normal access determination condition.
- when at least one of the terminal on the internal network and the terminal on the external network moves and the address information obtained from the call control relay unit or the address correspondence information management unit changes, the unauthorized access detection unit applies the normal access determination condition on the basis of the latest address information.
- the packet filtering device in the firewall system described above comprises a filtering control unit that, based on the address and port number information of the terminals used for the communication obtained from the call control relay unit and the old/new address correspondence information obtained from the address correspondence information management unit, sets a pair of address and port number as the filtering condition for packets allowed to pass between the internal network and the external network, and a packet filtering unit that passes packets specified by the filtering condition including the pair of address and port number.
- the packet filtering device of the present invention is a packet filtering device of a firewall system that controls communication between an external network and an internal network, comprising: a filtering control unit that, based on the address and port number information of the terminals used for the communication obtained from a call control relay unit that relays the call control sequence for establishing communication between terminals connected to the external network or the internal network, and the old/new address correspondence information obtained from an address correspondence information management unit that manages the correspondence between the old and new addresses of a terminal whose address changes due to movement or reconnection to the network, sets a pair of address and port number as the filtering condition for packets allowed to pass between the internal network and the external network; and a packet filtering unit that passes packets specified by the filtering condition including the pair of address and port number.
- the unauthorized access detection device in the firewall system described above comprises a normal access determination condition storage unit that stores the normal access determination condition defined for each media type of the communication, and an unauthorized access detection unit that, based on the address, port number and media type information of the terminals used for the communication obtained from the call control relay unit, the old/new address correspondence information obtained from the address correspondence information management unit, and the normal access determination condition obtained from the normal access determination condition storage unit, detects a passing packet that does not meet the normal access determination condition as unauthorized access.
- the unauthorized access detection device of the present invention is an unauthorized access detection device of a firewall system that controls communication between an external network and an internal network, comprising: a normal access determination condition storage unit that stores the normal access determination condition defined for each media type of the communication; and an unauthorized access detection unit that, based on the address, port number and media type information of the terminals used for the communication obtained from a call control relay unit that relays the call control sequence for establishing communication between terminals connected to the external network or the internal network, the old/new address correspondence information obtained from an address correspondence information management unit that manages the correspondence between the old and new addresses of a terminal whose address changes due to movement or reconnection to the network, and the normal access determination condition obtained from the normal access determination condition storage unit, detects a passing packet that does not conform to the normal access determination condition as unauthorized access.
- with this configuration, the communication packets of the specific media type established by the call control sequence are monitored, and unauthorized access that does not conform to normal access can be detected on the basis of the normal access determination condition defined for each media type.
- the firewall control method of the present invention is a firewall control method for controlling communication between an external network and an internal network, comprising: a step of acquiring the address and port number information of the terminals used for the communication from a call control relay unit that relays the call control sequence for establishing communication between terminals connected to the external network or the internal network; a step of acquiring the old/new address correspondence information from an address correspondence information management unit that manages the correspondence between the old and new addresses of a terminal whose address changes due to movement or reconnection to the network; a step of setting, based on the address and port number information of the terminals used for the communication and the old/new address correspondence information, a pair of address and port number as the filtering condition for packets allowed to pass between the internal network and the external network; and a step of passing packets specified by the filtering condition including the pair of address and port number.
- with this method, packet filtering can be controlled by specifying a pair of address and port number on the basis of the address and port number information of the terminals used for the communication obtained from the call control relay unit and the old/new address correspondence information obtained from the address correspondence information management unit.
- the firewall control method of the present invention is also a firewall control method for controlling communication between an external network and an internal network, comprising: a step of acquiring the address, port number and media type information of the terminals used for the communication from a call control relay unit that relays the call control sequence for establishing communication between terminals connected to the external network or the internal network; a step of acquiring the old/new address correspondence information from an address correspondence information management unit that manages the correspondence between the old and new addresses of a terminal whose address changes due to movement or reconnection to the network; and a step of detecting unauthorized access when a passing packet does not conform to the normal access determination condition, based on the address, port number and media type information of the terminals used for the communication, the old/new address correspondence information, and the normal access determination condition for the media type of the communication stored in a normal access determination condition storage unit.
- with this method, the communication packets of the specific media type established by the call control sequence are monitored, and unauthorized access that does not conform to normal access can be detected on the basis of the normal access determination condition defined for each media type.
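As an added example (not the patent's own code), the following Python sketch implements the per-media-type check the method describes: a normal access determination condition for the "audio" media type negotiated as RTP/AVP 0 is applied to each packet of the established stream, and packets that break a condition are reported as unauthorized access. The condition values, the constructed capture and the sequence-gap tolerance are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Normal access determination conditions per media type (constructed sample table, modelled on the
# patent's normal access determination condition storage unit). The values are assumptions: audio
# negotiated as RTP/AVP payload type 0 (PCMU) at 20 ms framing is 12 bytes of RTP header + 160 bytes.
NORMAL_ACCESS_CONDITIONS: Dict[str, dict] = {
    "audio": {"proto": "udp", "rtp_version": 2, "payload_types": {0}, "max_len": 12 + 160},
}
SEQ_GAP_TOLERANCE = 64  # assumed: larger forward jumps or backward steps are treated as abnormal

@dataclass
class StreamState:
    """Per-flow state kept between packets: the SSRC seen first and the last sequence number."""
    ssrc: Optional[int] = None
    last_seq: Optional[int] = None

def parse_rtp_header(payload: bytes) -> Optional[dict]:
    """Decode the fixed 12-byte RTP header (RFC 3550); None if the payload is too short."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return {"version": b0 >> 6, "pt": b1 & 0x7F, "seq": seq, "ssrc": ssrc}

def check_packet(pkt: dict, media_type: str, state: StreamState) -> List[str]:
    """Unauthorized access detection unit: return the conditions a packet violates (empty = normal)."""
    cond = NORMAL_ACCESS_CONDITIONS[media_type]
    violations: List[str] = []
    if pkt["proto"] != cond["proto"]:
        violations.append(f"transport {pkt['proto']} instead of {cond['proto']}")
    if len(pkt["payload"]) > cond["max_len"]:
        violations.append("payload longer than the negotiated codec produces")
    hdr = parse_rtp_header(pkt["payload"])
    if hdr is None:
        return violations + ["payload shorter than an RTP header"]
    if hdr["version"] != cond["rtp_version"]:
        violations.append(f"RTP version {hdr['version']}")
    if hdr["pt"] not in cond["payload_types"]:
        violations.append(f"payload type {hdr['pt']} was not negotiated")
    if state.ssrc is None:
        state.ssrc = hdr["ssrc"]          # first packet fixes the stream's SSRC
    elif hdr["ssrc"] != state.ssrc:
        violations.append("SSRC changed mid-stream")
    if state.last_seq is not None:
        delta = (hdr["seq"] - state.last_seq) & 0xFFFF
        if delta == 0 or delta > SEQ_GAP_TOLERANCE:
            violations.append("sequence number repeated or out of order")
    state.last_seq = hdr["seq"]
    return violations

def monitor(packets: List[dict], media_type: str) -> List[Tuple[int, List[str]]]:
    """Run the check over a captured flow; report (index, violations) for non-conforming packets."""
    state = StreamState()
    report = []
    for i, pkt in enumerate(packets):
        v = check_packet(pkt, media_type, state)
        if v:
            report.append((i, v))
    return report

def make_rtp(pt: int, seq: int, ssrc: int, version: int = 2, audio_len: int = 160) -> bytes:
    """Build a constructed RTP packet (no padding/extension/CSRC, marker bit clear)."""
    return struct.pack("!BBHII", version << 6, pt, seq, 0, ssrc) + bytes(audio_len)

# Constructed capture for the audio stream negotiated as RTP/AVP 0: the first two packets are
# normal; each of the others breaks exactly one condition.
SAMPLE_PACKETS = [
    {"proto": "udp", "payload": make_rtp(0, 1, 0x1234)},
    {"proto": "udp", "payload": make_rtp(0, 2, 0x1234)},
    {"proto": "udp", "payload": make_rtp(8, 3, 0x1234)},                  # codec not negotiated
    {"proto": "tcp", "payload": make_rtp(0, 4, 0x1234)},                  # wrong transport
    {"proto": "udp", "payload": b"\x00\x01"},                             # not even an RTP header
    {"proto": "udp", "payload": make_rtp(0, 5, 0x9999)},                  # different SSRC
    {"proto": "udp", "payload": make_rtp(0, 6, 0x1234, audio_len=1000)},  # oversized for PCMU
]

if __name__ == "__main__":
    for index, problems in monitor(SAMPLE_PACKETS, "audio"):
        print(index, problems)
```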
- FIG. 1 is a diagram showing the configuration of the firewall system according to the first embodiment of the present invention.
- FIG. 2 is a diagram showing the call control sequence in the first embodiment of the present invention.
- FIG. 3 is a diagram showing an example of the configuration of a table showing the correspondence between new and old IP addresses.
- FIG. 4 is a diagram showing the filtering process sequence in the first embodiment of the present invention.
- FIG. 5 is a diagram showing a first operation example of the firewall system according to the first embodiment.
- FIG. 6 is a diagram showing a second operation example of the firewall system according to the first embodiment.
- FIG. 7 is a diagram showing the configuration of the firewall system according to the second embodiment of the present invention.
- FIG. 8 is a diagram showing the call control sequence in the second embodiment of the present invention.
- FIG. 9 is a diagram showing the sequence of unauthorized access monitoring control in the second embodiment of the present invention.
- FIG. 10 is a flowchart showing the procedure of the unauthorized access monitoring process in the second embodiment of the present invention.
- FIG. 12 is a diagram showing an operation example of the firewall system according to the second embodiment.
- FIG. 13 is a diagram showing a functional configuration example of the firewall in the operation example of the second embodiment.
- FIG. 14 is a diagram showing a configuration example of a normal access sign holding table.
- FIG. 15 is a diagram showing the configuration of a firewall system according to the third embodiment of the present invention.
- FIG. 16 is a diagram showing the block configuration of the main parts of the firewall system according to the third embodiment of the present invention.
- FIG. 17 is a diagram showing an example of call control when a conference by group communication is held between a plurality of terminals.
- FIG. 18 is a diagram showing an example of the sequence at the time of conference participation in the third embodiment of the present invention.
- FIG. 19 is a diagram showing the configuration of a firewall system in the fourth embodiment of the present invention.
- FIG. 20 is a diagram showing the configuration of a firewall system in the fifth embodiment of the present invention.
- FIG. 21 is a diagram showing a call control sequence using a call control relay server.
- FIG. 1 is a diagram showing a configuration of a firewall system according to the first embodiment of the present invention.
- the first embodiment shows a configuration for dynamically controlling a packet filtering device in a network in which data communication based on Mobile IP is operated as the mobile network.
- a call control relay server 11, a home agent (HA) 12, and an address management server 13 are connected to an external network 10 such as the Internet outside the network of a company or the like.
- the external terminal 14 is connected to the external network 10.
- the internal terminal 15 is connected to an internal network 16 provided in a company or the like, and a firewall 17 is installed between the internal network 16 and the external network 10.
- FIG. 2 is a diagram showing a call control sequence in the first embodiment of the present invention.
- FIG. 2 shows the call control sequence (INVITE sequence) for establishing communication between the internal terminal 15 in the internal network 16 and the external terminal 14 in the external network 10 using the call control relay server 11.
- the INVITE, TRYING, RINGING, OK, and ACK attached to the control messages in the figure are the control messages defined in SIP.
- by exchanging these control messages, information such as the IP address and port number, media type, codec (CODEC), and bandwidth used in the established communication is negotiated between the terminals, and communication is established between them.
- the address management response unit 13a of the address management server 13 searches for the address of the external terminal 14 registered in the address holding unit 13b and sends a message returning the address of the external terminal 14 to the call control relay server 11 (S4).
- the call control relay unit 11a of the call control relay server 11 sends an INVITE message requesting connection to the call control processing unit 14a of the external terminal 14 (S5).
- the call control processing unit 14a of the external terminal 14 returns a RINGING message (S6). This RINGING message is sent to the call control processing unit 15a of the internal terminal 15 via the call control relay unit 11a of the call control relay server 11 (S7).
- the call control processing unit 14a of the external terminal 14 sends an OK message (S8).
- This OK message is sent to the call control processing unit 15a of the internal terminal 15 via the call control relay unit 11a of the call control relay server 11 (S9).
- the call control processing unit 15a of the internal terminal 15 sends an ACK message in response to the OK message (S10).
- This ACK message is sent to the call control processing unit 14a of the external terminal 14 via the call control relay unit 11a of the call control relay server 11 (S11).
- when the call control relay unit 11a of the call control relay server 11 receives the ACK message from the call control processing unit 15a of the internal terminal 15 (S10), the address (IP address) and port number information used for the communication between the internal terminal 15 and the external terminal 14 is fixed, so the pair of IP address and port number used for the communication is temporarily stored in the address/port management unit 11b. The filtering control request unit 11c of the call control relay server 11 then sends a filtering control request message including the pair of IP address and port number used for the communication to the home agent 12 (S21). This starts the filtering control process.
- the home agent 12 has an IP address correspondence information management unit 12a, which manages the correspondence between the old and new IP addresses of the external terminal 14 that change when it moves or reconnects to the network.
- FIG. 3 shows an example of the structure of the table that holds the correspondence between new and old IP addresses.
- the home address column 12a1 holds the home address of a terminal of the internal network.
- the care-of address column 12a2 holds the current care-of address of the same terminal.
- if the search succeeds, the filtering control instruction unit 12b takes the care-of address as the latest IP address, forms the pair of latest IP address and port number, and sends this pair to the firewall 17. If the search does not succeed, the filtering control instruction unit 12b sends the pair of IP address and port number included in the filtering control request message to the firewall 17.
- when the packet transmission/reception management unit 17a of the firewall 17 receives the pair of latest IP address and port number, it supplies it to the filtering control unit 17b.
- the filtering control unit 17b controls the packet forwarding operation (packet filtering operation) of the packet forwarding unit (filtering unit) 17c so that the IP packets specified by the pair of latest IP address and port number are passed.
- FIG. 4 is a diagram showing a filtering process sequence according to the first embodiment of the present invention.
- the filtering control request unit 11c of the call control relay server 11 sends a filtering request including the pair information of the IP address and port number used for communication to the filtering control instruction unit 12b of the home agent 12 (S51).
- the filtering control instruction unit 12b confirms that the IP address is the latest, and sends a filtering request including the latest IP address and port number pair information to the filtering control unit 17b of the firewall 17 (S52).
- The filtering control unit 17b holds the filtering information consisting of the latest IP address and port number, performs a consistency check, and sends a filtering setting instruction to the packet forwarding unit (filtering unit) 17c (S53).
- The packet forwarding unit (filtering unit) 17c returns a response message indicating that the filtering condition has been set (S54). This response message is sent to the filtering control request unit 11c via the filtering control unit 17b and the filtering control instruction unit 12b (S55, S56).
- FIG. 5 is a diagram showing a first operation example of the firewall system according to the first embodiment.
- The firewall system of the first operation example includes an internal terminal 401, an external terminal 402 that is a mobile terminal (MN), a call control relay server 403 having the function of a call control relay unit, a home agent (HA) 404 having the function of an address correspondence information management unit, a firewall 405 including a packet filtering device 400, an external network 406 such as the Internet, an internal network 407 provided in a company or the like, and a router 408.
- The call control relay server 403 and the home agent 404 are installed in a DMZ (demilitarized zone) in the internal network 407 and are accessible from the external network 406.
- The internal terminal 401 connected to the internal network 407 can access the external network 406 via the firewall 405 and the router 408.
- the internal terminal 401 exchanges a call control sequence via the call control relay server 403 in order to establish communication with the external terminal 402.
- the external terminal 402 is a mobile terminal (MN) and has moved to the external network 406 and has acquired a care-of address.
- The call control relay server 403 notifies the home agent 404 of the call information determined in the call control sequence shown in FIG. 2, that is, the IP address and port number of the internal terminal 401 and the IP address and port number of the external terminal 402.
- The call information acquired by the home agent 404 from the call control relay server 403, namely the IP address and port number of the internal terminal 401 and the IP address and port number of the external terminal 402, is 2001:300:c01:1::1, 12345, 2001:300:c01:1::2, 23456.
- The home agent 404 has acquired the care-of address 2001:300:beaf::2 of the external terminal 402 based on the binding update information (BU message) notified from the external terminal 402 to the home agent 404. As a result, the home address and care-of address of the external terminal 402 are held in association with each other, and it is known that the latest address of the external terminal 402 is the care-of address.
- the home agent 404 notifies the firewall 405 including the packet filtering device 400 of information used for communication between the internal terminal 401 and the external terminal 402.
- The packet filtering device 400 sets the filtering condition based on the acquired combination of IP address and port number, and controls the passage of packets using that combination so that the IP packets used for the communication can pass.
- Specifically, based on the information from the home agent 404, the packet filtering device 400 passes communication between (2001:300:c01:1::1, 12345) and (2001:300:beaf::2, 23456).
- This can be achieved by setting two filters: filter 1 (Allow 2001:300:c01:1::1 * 2001:300:beaf::2 23456) and filter 2 (Allow 2001:300:beaf::2 * 2001:300:c01:1::1 12345).
- The * in the source port number position is a symbol meaning all port numbers.
- That is, the packet filtering device 400 is controlled so that packets of the communication with 2001:300:beaf::2, rather than with 2001:300:c01:1::2, are passed.
- When a new binding update arrives from the external terminal 402, the home agent 404 controls the packet filtering device 400 so that communication between the new care-of address of the external terminal 402 and the internal terminal 401 is possible and communication between the previously used address and the internal terminal 401 is not possible.
- For example, assuming that the care-of address of the external terminal 402 notified by the new BU message is 2001:300:beaf::2, the home agent 404 controls the packet filtering device 400 so that communication between (2001:300:c01:1::1, 12345) and (2001:300:beaf::2, 23456) is passed and communication between (2001:300:c01:1::1, 12345) and (2001:300:c01:1::2, 23456) is cut off.
- When the call control relay server 403 detects the end of communication between the internal terminal 401 and the external terminal 402, that is, when the internal terminal 401 or the external terminal 402 executes the call control sequence for ending communication via the call control relay server 403, the call control relay server 403 notifies the home agent 404 to that effect.
- The home agent 404 then controls the packet filtering device 400 so as to block the IP packets between the internal terminal 401 and the external terminal 402 that were allowed to pass until then.
- It is also possible to control the packet filtering device 400 so that, when it monitors the communication packets between the internal terminal 401 and the external terminal 402 and determines that the communication has ended, it automatically blocks the packets that had been allowed to pass in order to establish communication between the internal terminal 401 and the external terminal 402.
- In this way, packet filtering can be dynamically controlled in units of IP address and port number in a situation where data communication using mobile IP is in operation.
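The first operation example above, as an added Python model that is not code from the patent: a home agent that keeps the home address to care-of address correspondence of FIG. 3 and drives a default-deny packet filtering device with the two Allow filters, re-deriving them on a binding update and withdrawing them at the end of the call. The rule text follows the patent; the class names, the call identifier and the second care-of address are assumptions.

```python
"""Dynamic (IP address, port) filtering control of the first operation example.

Added example, not code from the patent or any product. It models the home
agent, which keeps the home address to care-of address correspondence of
FIG. 3 and drives the packet filtering device (FIG. 4), and the packet
filtering device, which passes only the address/port pairs it was told to.
The 'Allow src sport dst dport' rule text is the patent's; the class names,
the call identifier and the second care-of address below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


def canon(addr: str) -> str:
    """Canonical text form, so 2001:300:c01:1::1 and 2001:0300:0c01:1::1 compare equal."""
    return str(ip_address(addr))


@dataclass(frozen=True)
class Rule:
    src: str
    sport: Optional[int]      # None is the patent's '*' (any source port)
    dst: str
    dport: int

    def text(self) -> str:
        sport = "*" if self.sport is None else str(self.sport)
        return f"Allow {self.src} {sport} {self.dst} {self.dport}"

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return (canon(src) == self.src and (self.sport is None or sport == self.sport)
                and canon(dst) == self.dst and dport == self.dport)


class PacketFilteringDevice:
    """Default-deny filter: a packet passes only if an installed rule matches it."""

    def __init__(self) -> None:
        self.rules = []

    def set_rules(self, rules) -> None:
        self.rules = list(rules)

    def allows(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return any(r.matches(src, sport, dst, dport) for r in self.rules)

    def rule_texts(self):
        return [r.text() for r in self.rules]


class HomeAgent:
    """Address correspondence management plus filtering control instruction."""

    def __init__(self, fw: PacketFilteringDevice) -> None:
        self.fw = fw
        self.care_of = {}     # FIG. 3: home address -> current care-of address
        self.sessions = {}    # call id -> (addr A, port A, addr B, port B) as signalled

    def latest(self, addr: str) -> str:
        """Care-of address if one is registered for addr, otherwise addr itself."""
        a = canon(addr)
        return self.care_of.get(a, a)

    def binding_update(self, home: str, care_of: str) -> None:
        """BU message from the mobile terminal; re-derives all filters (FIG. 4 trigger)."""
        self.care_of[canon(home)] = canon(care_of)
        self._apply()

    def filtering_request(self, call_id: str, a: str, pa: int, b: str, pb: int) -> None:
        """Filtering control request from the call control relay server (after the SIP ACK)."""
        self.sessions[call_id] = (a, pa, b, pb)
        self._apply()

    def end_of_call(self, call_id: str) -> None:
        """Call end detected by the relay server: the pair's filters are withdrawn."""
        self.sessions.pop(call_id, None)
        self._apply()

    def _apply(self) -> None:
        rules = []
        for a, pa, b, pb in self.sessions.values():
            la, lb = self.latest(a), self.latest(b)
            rules.append(Rule(la, None, lb, pb))   # filter 1: A -> B, any source port
            rules.append(Rule(lb, None, la, pa))   # filter 2: B -> A, any source port
        self.fw.set_rules(rules)


if __name__ == "__main__":
    fw = PacketFilteringDevice()
    ha = HomeAgent(fw)
    ha.binding_update("2001:300:c01:1::2", "2001:300:beaf::2")   # external terminal 402 has moved
    ha.filtering_request("call-1", "2001:300:c01:1::1", 12345, "2001:300:c01:1::2", 23456)
    print("\n".join(fw.rule_texts()))
```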
- FIG. 6 is a diagram showing a second operation example of the firewall system according to the first embodiment.
- The second operation example shows data communication using mobile IP in the internal network.
- The firewall system of FIG. 6 includes an internal home network 605, an internal destination network 606, and an external network 604 such as the Internet, and an external terminal (CN) 603 is connected to the external network 604.
- the home network 605 and the movement destination network 606 are connected via routers 605R and 606R.
- a packet filtering device 607 as a firewall is installed between each router 605R, 606R and the external network 604.
- A mobile terminal (MN) 601, a home agent (HA) 602, and a call control relay server 608 are connected to the home network 605.
- A connection between the mobile terminal 601 on the home network 605 and the external terminal 603 on the external network 604 is established via the call control relay server 608. Further, assume that the mobile terminal 601 moves to the destination network 606 while the filtering condition of the packet filtering device 607 has been set via the home agent 602 and communication between the mobile terminal 601 and the external terminal 603 is in progress.
- The mobile terminal 601 acquires a destination address (care-of address) in the destination network 606 and notifies the home agent 602 of it. Then, the home agent 602 supplies a filtering request including the latest IP address (that is, the care-of address) of the mobile terminal 601 to the packet filtering device 607, and the packet filtering conditions are changed so that communication between the mobile terminal 601 in the destination network 606 and the external terminal 603 is possible. As a result, even when the mobile terminal 601 moves, it can continue to communicate with the external terminal 603. That is, the filtering process sequence shown in FIG. 4 is executed with the address change notification sent from the mobile terminal 601 to the home agent 602 as the trigger.
- The packet filtering device 607 is notified of the filtering information including the latest pair of IP address and port number from the call control relay server 608 via the home agent 602 and the router 605R. As a result, even when the mobile terminal 601 moves, communication with the external terminal 603 can be continued.
- In this way, the packet filtering operation can be dynamically controlled in units of pairs of IP address and port number in a situation where data communication using mobile IP is operated. Further, the call control relay server 11 can establish communication from an external terminal approved by the network manager or the like, and can perform packet filtering of the communication related to this terminal.
- the call control relay server 11 holds information on other call control relay servers that are trusted by the network manager or the like.
- A mechanism can be introduced in which, when the call control relay server 11 starts a call control sequence for establishing communication between the internal terminal and the external terminal, it performs the call control sequence only when the sequence comes via another trusted call control relay server.
- As methods of holding this information, there are a method of holding the host part (the sip.acompany.co.jp part) of a network resource expressed as a URI (Uniform Resource Identifier), such as [email protected], a method of holding a list of such host parts, and a method of holding a wildcard pattern such as sip.*.
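The trusted-server check described above, as an added Python example that is not the patent's code: it extracts the host part of a SIP URI and matches it against the three forms listed (a single host part, a list of host parts, a wildcard pattern such as sip.*). The user parts of the sample URIs and the function names are constructed.

```python
"""Permitted call control relay server check on the host part of a SIP URI.

Added example, not the patent's code. A relay server that holds the host
parts of trusted servers (single host, list, or a wildcard such as sip.*)
can decide whether a call control sequence arriving via another server
should be run at all. Function names and sample user parts are constructed.
"""
from fnmatch import fnmatchcase
from typing import Iterable


def uri_host(uri: str) -> str:
    """Return the lower-cased host part of a sip:/sips: URI (user, port, parameters dropped)."""
    body = uri.strip()
    for scheme in ("sip:", "sips:"):
        if body.lower().startswith(scheme):
            body = body[len(scheme):]
            break
    else:
        raise ValueError(f"not a SIP URI: {uri!r}")
    hostport = body.rsplit("@", 1)[-1]                       # drop user[:password]@
    hostport = hostport.split(";", 1)[0].split("?", 1)[0]    # drop uri-parameters and headers
    if hostport.startswith("["):                              # IPv6 literal, brackets kept
        host = hostport[: hostport.index("]") + 1]
    else:
        host = hostport.split(":", 1)[0]                      # drop :port
    if not host:
        raise ValueError(f"empty host in {uri!r}")
    return host.lower()


def is_permitted_server(uri: str, permitted: Iterable[str]) -> bool:
    """True if the URI's host part matches any entry; entries may contain * wildcards."""
    host = uri_host(uri)
    return any(fnmatchcase(host, entry.lower()) for entry in permitted)
```

Note that a pattern as broad as sip.* matches every host whose name begins with sip., so in practice the wildcard should be narrowed to the trusted domains (for example sip.*.co.jp).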
- There are an operation method in which both or one of the call control relay server 11 and the home agent 12 is installed in the external network 10, and an operation method in which they are installed in the internal network 16 of the company.
- The communication between the call control relay server 11 and the home agent 12 and the communication between the home agent 12 and the firewall 17 including the packet filtering device are authenticated using TLS (Transport Layer Security), IPsec (IP security), or the like.
- By doing so, even an operation method in which both the call control relay server 11 and the home agent 12 are installed in the external network 10 can be operated in the same way as the operation method in which they are installed in the internal network 16 of the company or the like.
- FIG. 7 is a diagram showing the configuration of a firewall system according to the second embodiment of the present invention.
- the firewall system according to the second embodiment is obtained by adding an unauthorized access monitoring function to the firewall system according to the first embodiment shown in FIG.
- the firewall 130 includes a normal access regulation database 131 serving as a normal access determination condition storage unit, an unauthorized access detection unit 132, a packet transfer unit 133, and an unauthorized access notification unit 134.
- the call control relay server 110 includes an unauthorized access monitoring control request unit 111, a call control relay unit 11a, and an address/port management unit 11b.
- the home agent (HA) 120 includes an unauthorized access monitoring control instruction unit 121 and an IP address correspondence information management unit 12a. Other configurations are the same as those of the first embodiment shown in FIG.
- FIG. 8 is a diagram showing a call control sequence in the second embodiment. This is a partial modification of the call control sequence shown in Figure 2.
- In the second embodiment, when an ACK message is supplied from the call control processing unit 15a of the internal terminal 15 to the call control relay unit 11a of the call control relay server 110 (S10), the IP address, port number, and media type information used for communication are confirmed.
- the unauthorized access monitoring control request unit 111 of the call control relay server 110 supplies an unauthorized access monitoring control request message including IP address, port number, and media type information to the home agent 12 (S22). As a result, the unauthorized access monitoring control process is started.
- Others are the same as in the first embodiment.
- FIG. 9 is a diagram showing a sequence of unauthorized access monitoring control in the second embodiment.
- The unauthorized access monitoring control request unit 111 of the call control relay server 110 supplies an unauthorized access monitoring control request (IDS (Intrusion Detection System) request) to the home agent 120 (S111).
- The unauthorized access monitoring control instructing unit 121 of the home agent 120 checks whether the IP address is the latest one and supplies an unauthorized access monitoring control request (IDS request) including the latest IP address, port number, and media type information to the unauthorized access detection unit 132 (S112).
- The unauthorized access detection unit 132 acquires the packet sign data of normal access for the corresponding media from the normal access regulation database 131 and monitors whether any packet sign deviating from the normal access packet sign appears. If a deviating packet sign appears, the occurrence of unauthorized access is notified to the administrator or the like via the unauthorized access notification unit 134, for example by e-mail (S113).
- FIG. 10 is a flowchart showing the procedure of unauthorized access monitoring processing in the second embodiment of the present invention.
- The unauthorized access detection unit 132 obtains the packet sign data of normal access for the corresponding media from the normal access regulation database 131 (step S121), captures a packet via the packet transfer unit 133 (step S122), and calculates the sign (signature) of the captured packet (step S123). The unauthorized access detection unit 132 then compares the packet sign of normal access for the corresponding media with the sign of the captured packet (step S124).
- If it does not match the packet sign of normal access, the occurrence of unauthorized access is notified to the administrator or the like via the unauthorized access notification unit 134 (step S125). The steps from the packet capture (step S122) onward are repeated until the communication ends.
- FIG. 11 shows an example of a packet format for voice delivery.
- A combination of one or more of the following conditions is used as the packet sign of normal access for this voice packet (G.711 format).
- The sequence number in the RTP header is increasing (or wrapping).
- The timestamp value in the RTP header is increasing (or wrapping).
- The payload length is constant (160 bytes for G.711).
- The average arrival interval of the past N (for example, 20) packets is 20 ms (20 milliseconds).
- FIG. 12 is a diagram illustrating an operation example of the firewall system according to the second embodiment.
- the firewall system of this operation example is obtained by adding an unauthorized access monitoring function to the first operation example of the firewall system according to the first embodiment shown in FIG.
- the firewall 700 includes the packet filtering device 400 and the unauthorized access monitoring device 701 shown in FIG.
- Some functions related to media type information acquisition have been added to the home agent (HA) 404A and the call control relay server 403A. Other configurations are the same as those of the first operation example of the first embodiment shown in FIG. 5.
- the home agent 404A obtains a pair of IP address and port number used for communication and a media type from the call control relay server 403A, and determines the latest IP address based on the new and old correspondence relationship of the IP address.
- the first item (2001:300:c01::1) is the source IP address
- the second item (12345) is the source port number
- the third item (2001:300:c01::2) is the destination IP address
- the fourth item (23456) is the destination port number
- The unauthorized access monitoring apparatus 701 changes the inspection operation according to the media type. Specifically, the character string indicating the media type in the IP address and port number pair and media type information described above is interpreted with the meaning specified in SDP (Session Description Protocol). For example, when the communication between the terminals is an IP phone call and G.711 is used as the voice coding method, it is detected as unauthorized access when the packets do not conform to the conditions of voice delivery (G.711) packets, and this is reported using e-mail, instant messaging, IP phone, or the like.
- FIG. 13 is a diagram illustrating a functional configuration example of the firewall in the operation example of the second embodiment.
- Upon receiving notification of the media type, IP address, and port number from the home agent 404A, the filtering and inspection control unit 702 in the firewall 700 gives an inspection instruction to the packet inspection unit 703, which has the unauthorized access detection function, and gives a filter setting instruction to the packet filtering unit 704.
- a normal access pattern storage unit 705 having a function of storing a normal access determination condition holds a normal access sign (normal access determination condition) for each media type. Specifically, it is held in a normal access sign holding table as exemplified below.
- FIG. 14 is a diagram illustrating a configuration example of a normal access indication holding table.
- a media type column 705a is a key item that holds a media type.
- the pointer field 705b to the sign check function is an item for storing a normal access determination condition.
- the media type column 705a stores the media type described in SDP.
- In it, a pointer to the function and the arguments to be applied to the function are specified as the information for starting the function (process) that checks the packet.
- The packet inspection unit 703 obtains the function and arguments for inspecting packets from the normal access sign holding table of the normal access pattern storage unit 705, using the media type as the key, and by applying the function and arguments to each packet it monitors, for each IP address and port, for packets that deviate from the normal access sign of that media.
- An unauthorized access sign notification unit (unauthorized access notification means) 706 notifies the network administrator or the like of the occurrence of a packet that deviates from the normal access sign by using e-mail, instant message, IP phone, or the like.
- Since the target communication media are voice and video, the normal access pattern for each media type is easy to create, as described in the example of the packet format for voice delivery in FIG. 11. For example, if audio and video conform to the RTP (Real-time Transport Protocol) AVP format, inspection rules corresponding to that format can be created. For example, consistency between the header data items and the packet length is maintained, so a normal access pattern using this property can be created.
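The G.711 normal access sign of FIG. 11, the media-type-keyed table of FIG. 14 and the monitoring loop of FIG. 10, as one added Python example that is not the patent's code: an RTP header parser, a per-flow checker implementing the four conditions (sequence number and timestamp increasing or wrapping, constant 160-byte payload, about 20 ms mean arrival interval over the past N packets), a table mapping an SDP media type to the check function and its arguments, and the loop that applies it to captured packets. The table keys, the 25 % timing tolerance and the sample packets are constructed.

```python
"""Normal access sign check for RTP media, keyed by media type.

Added example, not the patent's code. It implements the four G.711 conditions
of FIG. 11 (RTP sequence number and timestamp increasing or wrapping, constant
160-byte payload, about 20 ms mean arrival interval over the past N packets)
as a per-flow checker, a FIG. 14-style table mapping an SDP media type to the
check function and its arguments, and the FIG. 10 loop over captured packets.
The RTP header layout is RFC 3550; the table keys, the 25 % timing tolerance
and the packets built below are constructed for the example.
"""
import struct
from collections import deque
from typing import Callable, Dict, List, Tuple

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence number, timestamp, SSRC


def parse_rtp(pkt: bytes) -> dict:
    """Decode the fixed RTP header and compute the payload length (CSRC, extension, padding aware)."""
    if len(pkt) < RTP_HEADER.size:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = RTP_HEADER.size + 4 * (b0 & 0x0F)            # CSRC identifiers
    if b0 & 0x10:                                            # header extension: profile, length in words
        hdr_len += 4 + 4 * struct.unpack_from("!H", pkt, hdr_len + 2)[0]
    payload_len = len(pkt) - hdr_len
    if b0 & 0x20:                                            # padding: last octet holds the pad count
        payload_len -= pkt[-1]
    if payload_len < 0:
        raise ValueError("malformed RTP packet")
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload_len": payload_len}


class RtpFlowChecker:
    """Per-flow state and the normal access sign of one fixed-rate RTP media type."""

    def __init__(self, payload_len: int, interval_s: float, window: int = 20, tolerance: float = 0.25):
        self.payload_len = payload_len
        self.interval_s = interval_s
        self.tolerance = tolerance
        self.prev = None                                 # header of the previous packet
        self.arrivals = deque(maxlen=window + 1)         # N intervals need N + 1 arrival times

    def check(self, pkt: bytes, arrival_s: float) -> List[str]:
        """Return this packet's deviations from the normal access sign (empty means normal)."""
        h = parse_rtp(pkt)
        dev = []
        if h["payload_len"] != self.payload_len:
            dev.append(f"payload length {h['payload_len']} != {self.payload_len}")
        if self.prev is not None:
            d_seq = (h["seq"] - self.prev["seq"]) & 0xFFFF          # modular, so a wrap counts as +1
            if d_seq == 0 or d_seq >= 0x8000:
                dev.append("sequence number not increasing")
            d_ts = (h["ts"] - self.prev["ts"]) & 0xFFFFFFFF
            if d_ts == 0 or d_ts >= 0x80000000:
                dev.append("timestamp not increasing")
        self.arrivals.append(arrival_s)
        if len(self.arrivals) == self.arrivals.maxlen:
            mean = (self.arrivals[-1] - self.arrivals[0]) / (len(self.arrivals) - 1)
            if abs(mean - self.interval_s) > self.tolerance * self.interval_s:
                dev.append(f"mean arrival interval {mean * 1000:.1f} ms")
        self.prev = h
        return dev


# FIG. 14-style normal access sign table: media type -> (check function, arguments).
# Keys are constructed from the SDP rtpmap codec names; G.711 is PCMU/PCMA at 8 kHz.
NORMAL_ACCESS_SIGNS: Dict[str, Tuple[Callable, dict]] = {
    "audio PCMU/8000": (RtpFlowChecker, {"payload_len": 160, "interval_s": 0.020}),
    "audio PCMA/8000": (RtpFlowChecker, {"payload_len": 160, "interval_s": 0.020}),
}


def monitor(media_type: str, packets: List[Tuple[float, bytes]]) -> List[Tuple[int, List[str]]]:
    """FIG. 10 loop: look the checker up by media type, apply it to each captured packet
    and return (packet index, deviations) for every packet that would be reported."""
    factory, args = NORMAL_ACCESS_SIGNS[media_type]
    checker = factory(**args)
    reports = []
    for i, (arrival_s, pkt) in enumerate(packets):
        dev = checker.check(pkt, arrival_s)
        if dev:
            reports.append((i, dev))     # hand-off point to the unauthorized access notification unit
    return reports


def make_rtp(seq: int, ts: int, payload_len: int, pt: int = 0, ssrc: int = 0x1234ABCD) -> bytes:
    """Constructed RTP v2 packet with no CSRC list, extension or padding."""
    return RTP_HEADER.pack(0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + bytes(payload_len)


def sample_stream(n: int = 40) -> List[Tuple[float, bytes]]:
    """Constructed G.711 stream at 20 ms spacing whose sequence number and timestamp both wrap."""
    return [(0.020 * i, make_rtp(65520 + i, 0xFFFFFC00 + 160 * i, 160)) for i in range(n)]
```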
- In the second embodiment described above, based on the IP address, port number, and media type information obtained by the call control sequence, it is checked whether the communication conforms to the normal access determination condition defined in advance for each media type; if it does not, it can be detected as unauthorized access and notified to the network administrator.
- FIG. 15 is a diagram showing a configuration of a firewall system according to the third embodiment of the present invention.
- FIG. 16 is a diagram showing a block configuration of a main part of the firewall system in the third embodiment.
- In the third embodiment, a group communication control SIP server (MCU) 150 can be automatically added to the access control function in units of SIP call control relay servers (SIP servers).
- An address management server 13, an external terminal 14, and a group communication control SIP server (MCU) 150 are connected to the external network 10.
- the call control relay server 140 and the home agent 12 are installed in a DMZ (demilitarized zone) in the internal network 16 and are accessible from the external network 10.
- the internal terminal 15 connected to the internal network 16 can access the external network 10 through the firewall 17.
- the call control relay server 140 includes a permitted SIP server list holding unit 141 having a function of holding information on a reliable SIP server as a permitted SIP server list.
- The call control relay server 140 has a call control relay unit 142, an address/port management unit 11b, and a filtering control request unit 11c together with the permitted SIP server list holding unit 141.
- The call control relay unit 142 interprets call signals when performing group communication between a plurality of terminals, such as holding a conference, and adds/deletes the group communication control SIP server 150 to/from the permitted SIP server list.
- The functions of the address/port management unit 11b, the filtering control request unit 11c, the home agent 12, and the firewall 17 of the call control relay server 140 are the same as those in the first embodiment shown in FIG. 1.
- FIG. 17 is a diagram showing an example of call control when a conference is performed by group communication between a plurality of terminals.
- FIG. 17 shows the call control when terminal A-1, while participating in a conference, has terminal B-1 join the conference, and terminal B-1 then has terminal B-2 join the conference.
- The call control relay server A140A accessed by the terminal A-1, the call control relay server B140B accessed by the terminals B-1 and B-2, and the group communication control SIP server 150 that controls the group communication of this conference are used.
- The communication indicated by the arrows numbered "1", "3", and "5" represents conference control signals related to control such as adding media or adding participants, and the communication indicated by the arrows numbered "2" and "4" represents notification (invitation) of the URI of the conference.
- The terminal A-1 ([email protected]) notifies [email protected] as the URI via the call control relay server A140A, and this URI is transmitted via the call control relay server B140B to the terminal B-1 ([email protected]), which joins the conference. Next, this URI is notified from the terminal B-1 to the terminal B-2 ([email protected]), and the process in which the terminal B-2 participates is performed.
- FIG. 18 is a diagram showing an example of a sequence at the time of conference participation in the third embodiment of the present invention.
- the terminal A-1 is participating in the conference, and the communication control of the conference is performed between the terminal A-1, the call control relay server A140A, and the group communication control SIP server 150.
- The call control relay server A140A transfers the REFER message to the call control relay server B140B (S172).
- the call control relay server B140B sends a REFER message to the terminal B-1 (S173).
- When the terminal B-1 receives the REFER message, it returns an INVITE message indicating participation in the conference (S174).
- When the call control relay server B140B receives the INVITE message, it notifies the group communication control SIP server 150 (S175), and the group communication control SIP server 150 starts controlling the communication of the conference with the terminal B-1. This allows the terminal B-1 to participate in the conference.
- Here, the call control relay server B140B identifies the group communication control SIP server (MCU) from the conference URI, and the permitted SIP server list holding unit 141 stores the group communication control SIP server information as reliable SIP server information.
- Packet filtering and unauthorized access detection can then be performed based on the IP address, port number, media type, and other information obtained via the added SIP server.
- FIG. 19 is a diagram showing a configuration of a firewall system in the fourth exemplary embodiment of the present invention.
- The fourth embodiment shows an example in which the call control relay server, the home agent (HA), and the packet filtering device of the first embodiment are realized in one home router.
- Home router 508 is connected to IPv6 external network 510A, IPv4 external network 510B, and internal network 509, and relays communication between terminals.
- An internal terminal 501 is connected to the internal network 509, and an external terminal 502 is connected to the IPv6 external network 510A.
- the home router 508 includes an IPv4/IPv6 packet classifier 511, an IPv6 packet processing unit 512, an IPv4 packet processing unit 513, a NAT unit 514 that implements a NAT function, a DHCPS unit 515 that implements a DHCP server function, and the like.
- the IPv6 packet processing unit 512 includes a call control relay server 503, a home agent 504, a firewall 500 having a packet filtering device 505 and an unauthorized access detection device 506, and a reliable call control relay server information holding unit 507.
- The reliable call control relay server information holding unit 507 holds information on other call control relay servers trusted by the network administrator or the like. When the call control relay server 503 starts a call control sequence for establishing communication between the internal terminal 501 and the external terminal 502, it executes the call control sequence only for call control signals accepted from the call control relay servers held in the reliable call control relay server information holding unit 507. As a result, access control in units of call control relay server management (SIP management units) becomes possible. With this configuration, the packet filtering device 505 can be dynamically controlled in units of IP address and port number in a situation where data communication using mobile IP is operated in the home router 508.
- The call control relay server 503 acquires the media type used in the communication. Then, using this media type, the unauthorized access detection device 506 corresponding to the media type is activated. In the unauthorized access detection device 506, a database defining a normal access pattern for each media type is prepared.
- The unauthorized access detection device 506 uses the media type information acquired from the call control relay server 503 and the normal access information database to monitor the packet sequence of the communication performed between the external terminal 502 on the external network and the internal terminal 501 on the internal network 509. When a packet sequence deviating from normal access is detected in this monitoring, the unauthorized access detection device 506 notifies the network administrator or the like by e-mail or IP phone.
- In this way, the unauthorized access detection device 506 can monitor the packet sequence and detect unauthorized access as a deviation from normal access. Furthermore, since it is only necessary to define the signs of normal access for each media type, it is easy to specify normal access. For example, audio and video used for communication between external terminals and internal terminals are delivered according to a pre-defined RTP payload format, so it is easy to specify normal access using information such as the packet length, sequence number, and timestamp in the payload format. Therefore, the unauthorized access detection device 506, which detects departures from normal access, can be operated in practice.
- The present embodiment applies the packet filtering device and unauthorized access detection device control method of the present invention to the home router 508, but it can also be applied to mobile terminals such as mobile phones and PDAs that have a router function and a bridge function with the same configuration.
- FIG. 20 is a diagram showing a configuration of a firewall system in the fifth exemplary embodiment of the present invention.
- the fifth embodiment is an example in which the firewall system according to the present invention is applied to an IP mobile phone.
- An address management server 13 and an external terminal 14 are connected to an external network 510 such as the Internet.
- This external network 510 can be connected to the IP mobile phone 800 via the wireless network 520 of a mobile communications carrier or the wireless LAN network 530.
- The IP mobile phone 800 is connected to the internal terminal 550 via a PAN (Personal Area Network) network 540.
- the IP mobile phone 800 has a router function.
- The IP mobile phone 800 includes an RF unit 801, a wireless LAN IF unit 802, a PAN IF unit 803, an IPv4/IPv6 packet classifier 804, an IPv4 packet processing unit 805, an IPv6 packet processing unit 806, a main signal processing unit 807, a call control processing unit 808, and the like.
- The IPv6 packet processing unit 806 includes a firewall 816 including an IP address correspondence information management unit 811, a call control relay unit 812, an address/port management unit 813, a filtering control unit 814, a packet forwarding unit (filtering unit) 815, and the like.
- In the IP mobile phone 800, which is itself a mobile terminal, the filtering control unit 814 performs dynamic packet filtering in units of IP address and port number pairs.
- the IP mobile phone 800 can be controlled to receive only a call to the internal terminal 550 such as an IP phone in the PAN network 540 through the firewall 816. It is also possible to detect unauthorized access based on normal access determination conditions defined in advance for each media type using the media type information obtained from the call control relay unit 812.
- The present invention performs packet filtering in units of address and port number in a situation where communication via a mobile network is in operation, and allows only a narrower range of communication to pass. It is possible to establish communication from another terminal connected to the external network to a terminal on the internal network, not only when a terminal moves to the external network. In addition, by monitoring the communication packet sequence specified by the media type and detecting, based on the normal access determination conditions defined for each media type, unauthorized access that does not conform to normal access, even unknown attacks can in practice be detected.
- INDUSTRIAL APPLICABILITY
- The present invention is useful for a firewall system and a firewall control method that dynamically control a firewall in a network or the like in which data communication by mobile IP is operated.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2005800346441A CN101040497B (zh) | 2004-10-12 | 2005-10-12 | Firewall system and firewall control method |
US11/575,310 US7950053B2 (en) | 2004-10-12 | 2005-10-12 | Firewall system and firewall control method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004297872A JP4405360B2 (ja) | 2004-10-12 | 2004-10-12 | Firewall system and firewall control method |
JP2004-297872 | 2004-10-12 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006041080A1 true WO2006041080A1 (ja) | 2006-04-20 |
Family ID: 36148368
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/018774 WO2006041080A1 (ja) | Firewall system and firewall control method | 2004-10-12 | 2005-10-12 |
Country Status (4)
Country | Link |
---|---|
US (1) | US7950053B2 (ja) |
JP (1) | JP4405360B2 (ja) |
CN (1) | CN101040497B (ja) |
WO (1) | WO2006041080A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011199883A (ja) * | 2011-05-12 | 2011-10-06 | Buffalo Inc | Wireless LAN access point device and method for detecting unauthorized management frames |
JP2013192160A (ja) * | 2012-03-15 | 2013-09-26 | Nippon Telegraph & Telephone West Corp | Port open/close control method based on detecting a mobile terminal's presence in a coverage area |
US11627040B1 (en) * | 2021-08-18 | 2023-04-11 | Juniper Networks, Inc. | Processing unmodified configuration data with a network device application |
Families Citing this family (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100563246C (zh) * | 2005-11-30 | 2009-11-25 | 华为技术有限公司 | IP-based voice communication border security control system and method |
JP4545085B2 (ja) * | 2005-12-08 | 2010-09-15 | 富士通株式会社 | Firewall device |
JP4224084B2 (ja) | 2006-06-26 | 2009-02-12 | 株式会社東芝 | Communication control device, communication control method and communication control program |
WO2008023424A1 (fr) | 2006-08-24 | 2008-02-28 | Duaxes Corporation | Communication management system and associated communication management method |
WO2008023423A1 (fr) * | 2006-08-24 | 2008-02-28 | Duaxes Corporation | Communication management system and associated communication management method |
JP5035006B2 (ja) * | 2007-07-25 | 2012-09-26 | 富士通株式会社 | Method for controlling a communication device, and communication device |
JP2009044230A (ja) * | 2007-08-06 | 2009-02-26 | Toshiba Corp | Communication device and network connection management program |
CN101662457A (zh) * | 2008-08-28 | 2010-03-03 | 黄金富 | Notebook computer provided with a network data filtering device |
JP5055237B2 (ja) * | 2008-09-30 | 2012-10-24 | 株式会社日立製作所 | Secure communication device |
CN101931635B (zh) * | 2009-06-18 | 2014-05-28 | 北京搜狗科技发展有限公司 | Network resource access method and proxy device |
US8170182B2 (en) * | 2009-08-19 | 2012-05-01 | Avaya Inc. | Enhanced call tracing |
US8886773B2 (en) | 2010-08-14 | 2014-11-11 | The Nielsen Company (Us), Llc | Systems, methods, and apparatus to monitor mobile internet activity |
US8910259B2 (en) | 2010-08-14 | 2014-12-09 | The Nielsen Company (Us), Llc | Systems, methods, and apparatus to monitor mobile internet activity |
US9124920B2 (en) | 2011-06-29 | 2015-09-01 | The Nielson Company (Us), Llc | Methods, apparatus, and articles of manufacture to identify media presentation devices |
US8594617B2 (en) | 2011-06-30 | 2013-11-26 | The Nielsen Company (Us), Llc | Systems, methods, and apparatus to monitor mobile internet activity |
JP2013098676A (ja) * | 2011-10-31 | 2013-05-20 | Buffalo Inc | Communication system, communication method and connection server |
WO2013110341A1 (en) * | 2012-01-27 | 2013-08-01 | Nokia Siemens Networks Oy | Session termination in a mobile packet core network |
US8700019B2 (en) * | 2012-08-27 | 2014-04-15 | Avaya Inc. | Method and apparatus for dynamic device pairing |
US9301173B2 (en) | 2013-03-15 | 2016-03-29 | The Nielsen Company (Us), Llc | Methods and apparatus to credit internet usage |
US10356579B2 (en) | 2013-03-15 | 2019-07-16 | The Nielsen Company (Us), Llc | Methods and apparatus to credit usage of mobile devices |
US20160239230A1 (en) * | 2013-08-28 | 2016-08-18 | Hitachi, Ltd. | Storage system and method for controlling storage system |
US20150113588A1 (en) * | 2013-10-22 | 2015-04-23 | Cisco Technology, Inc. | Firewall Limiting with Third-Party Traffic Classification |
JP5962690B2 (ja) | 2014-02-21 | 2016-08-03 | コニカミノルタ株式会社 | Management server, connection support method and connection support program |
JP6102845B2 (ja) * | 2014-07-10 | 2017-03-29 | コニカミノルタ株式会社 | Connection control system, management server, connection support method and connection support program |
JP6507572B2 (ja) * | 2014-10-31 | 2019-05-08 | 富士通株式会社 | Route control method for a management server, and management server |
US9762688B2 (en) | 2014-10-31 | 2017-09-12 | The Nielsen Company (Us), Llc | Methods and apparatus to improve usage crediting in mobile devices |
US11423420B2 (en) | 2015-02-06 | 2022-08-23 | The Nielsen Company (Us), Llc | Methods and apparatus to credit media presentations for online media distributions |
US10554683B1 (en) | 2016-05-19 | 2020-02-04 | Board Of Trustees Of The University Of Alabama, For And On Behalf Of The University Of Alabama In Huntsville | Systems and methods for preventing remote attacks against transportation systems |
JP6869203B2 (ja) * | 2018-03-28 | 2021-05-12 | ソフトバンク株式会社 | Monitoring system |
DE102019116510A1 (de) * | 2019-06-18 | 2020-12-24 | Beckhoff Automation Gmbh | Network participant and automation network |
JP7338272B2 (ja) * | 2019-07-03 | 2023-09-05 | 富士フイルムビジネスイノベーション株式会社 | Information processing device and information processing program |
CN110912936B (zh) * | 2019-12-20 | 2022-02-18 | 东软集团股份有限公司 | Media file security situation awareness method and firewall |
CN113612753A (zh) * | 2021-07-27 | 2021-11-05 | 北京卫达信息技术有限公司 | Remote data guidance system and method |
CN113596023A (zh) * | 2021-07-27 | 2021-11-02 | 北京卫达信息技术有限公司 | Data relay and remote guidance device |
CN115277119B (zh) * | 2022-07-12 | 2024-02-09 | 深圳市电子商务安全证书管理有限公司 | Internal network access method, apparatus, device and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000151677A (ja) * | 1998-11-11 | 2000-05-30 | Toshiba Corp | Access authentication device for a mobile IP system, and storage medium |
JP2004180155A (ja) * | 2002-11-28 | 2004-06-24 | Ntt Docomo Inc | Communication control device, firewall device, communication control system, and data communication method |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3662080B2 (ja) * | 1996-08-29 | 2005-06-22 | Kddi株式会社 | Dynamic firewall control method |
US6523696B1 (en) * | 1996-10-15 | 2003-02-25 | Kabushiki Kaisha Toshiba | Communication control device for realizing uniform service providing environment |
SE513828C2 (sv) * | 1998-07-02 | 2000-11-13 | Effnet Group Ab | Firewall apparatus and method for controlling network data packet traffic between internal and external networks |
US6684329B1 (en) * | 1999-07-13 | 2004-01-27 | Networks Associates Technology, Inc. | System and method for increasing the resiliency of firewall systems |
JP2001313640A (ja) | 2000-05-02 | 2001-11-09 | Ntt Data Corp | Method and system for determining access type in a communication network, and recording medium |
DE60139883D1 (de) * | 2001-11-29 | 2009-10-22 | Stonesoft Oy | Customer-specific firewall |
JP2003229893A (ja) | 2002-02-06 | 2003-08-15 | Nippon Telegr & Teleph Corp <Ntt> | Method and system for providing Internet telephony service in a carrier IP network |
JP3790166B2 (ja) | 2002-02-06 | 2006-06-28 | 日本電信電話株式会社 | Method and system for providing IP telephony service in a carrier IP network |
JP2004038557A (ja) | 2002-07-03 | 2004-02-05 | Oki Electric Ind Co Ltd | Unauthorized access blocking system |
GB0226289D0 (en) * | 2002-11-11 | 2002-12-18 | Orange Personal Comm Serv Ltd | Telecommunications |
US8286237B2 (en) * | 2003-02-25 | 2012-10-09 | Ibm International Group B.V. | Method and apparatus to detect unauthorized information disclosure via content anomaly detection |
US7453852B2 (en) * | 2003-07-14 | 2008-11-18 | Lucent Technologies Inc. | Method and system for mobility across heterogeneous address spaces |
US7668145B2 (en) * | 2003-12-22 | 2010-02-23 | Nokia Corporation | Method to support mobile IP mobility in 3GPP networks with SIP established communications |
Family Timeline
- 2004-10-12 JP: JP2004297872A (granted as JP4405360B2), not active, Expired - Fee Related
- 2005-10-12 US: US11/575,310 (granted as US7950053B2), active
- 2005-10-12 CN: CN2005800346441A (granted as CN101040497B), not active, Expired - Fee Related
- 2005-10-12 WO: PCT/JP2005/018774 (published as WO2006041080A1), active, Application Filing
Non-Patent Citations (1)
Title |
---|
KURITA ET AL: "Session Layer Architecture ni okeru Flow Joho o Mochiita Tsushin Shigen Kanri Kiko. (Communication Resource Management Using.....)", THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS GIJUTSU KENKYU HOKOKU., vol. 105, no. 80, 18 May 2005 (2005-05-18), pages 31 - 36, XP002999209 * |
Also Published As
Publication number | Publication date |
---|---|
CN101040497B (zh) | 2010-05-12 |
US20070214501A1 (en) | 2007-09-13 |
US7950053B2 (en) | 2011-05-24 |
JP4405360B2 (ja) | 2010-01-27 |
JP2006114991A (ja) | 2006-04-27 |
CN101040497A (zh) | 2007-09-19 |
Similar Documents
Publication | Title |
---|---|
JP4405360B2 (ja) | Firewall system and firewall control method |
US9515995B2 (en) | Method and apparatus for network address translation and firewall traversal |
US7680120B2 (en) | Connected communication terminal, connecting communication terminal, session management server and trigger server |
JP5143125B2 (ja) | Authentication method, system and apparatus for inter-domain information communication |
EP1792468B1 (en) | Connectivity over stateful firewalls |
EP2991292B1 (en) | Network collaborative defense method, device and system |
US7519738B2 (en) | Method for moving of flows in communication networks |
KR20080032114A (ko) | Method and apparatus for changing the network address of a mobile device |
US20070011731A1 (en) | Method, system & computer program product for discovering characteristics of middleboxes |
WO2004114631A1 (en) | System and method for dynamically creating pinholes in a firewall of a sip-based |
JP3698698B2 (ja) | Establishing calls between an intranet and an external network via a DMZ |
US20080126455A1 (en) | Methods of protecting management frames exchanged between two wireless equipments, and of receiving and transmitting such frames, computer programs, and data media containing said computer programs |
US8312530B2 (en) | System and method for providing security in a network environment using accounting information |
Ackermann et al. | Vulnerabilities and Security Limitations of current IP Telephony Systems |
JP2009258965A (ja) | Authentication system, authentication device, communication setting device and authentication method |
KR100660123B1 (ko) | VPN server system and VPN client terminal for NAT traversal |
EP3044929B1 (en) | A mobile-device based proxy for browser-originated procedures |
Zhang et al. | A comparison of migration and multihoming support in IPv6 and XIA |
US20060185009A1 (en) | Communication apparatus and communication method |
JP4893279B2 (ja) | Communication device and communication method |
JP2007281811A (ja) | Gateway device, information sharing system and information sharing method |
JP4381190B2 (ja) | Registering a terminal identity from an external network with a server on an intranet via a DMZ |
JP4977646B2 (ja) | Server device and communication control method |
Gopal et al. | User plane firewall for 3G mobile network |
EP2084885B1 (en) | Address translation |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KM KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
WWE | Wipo information: entry into national phase | Ref document number: 11575310, Country of ref document: US; Ref document number: 2007214501, Country of ref document: US |
WWE | Wipo information: entry into national phase | Ref document number: 200580034644.1, Country of ref document: CN |
NENP | Non-entry into the national phase | Ref country code: DE |
WWP | Wipo information: published in national office | Ref document number: 11575310, Country of ref document: US |
122 | Ep: pct application non-entry in european phase | |