CN101151842A - Method, apparatus and computer program product enabling negotiation of firewall features by endpoints


Info

Publication number: CN101151842A
Authority: CN (China)
Prior art keywords: network security, security enforcement, enforcement node, request, feature
Legal status: Pending
Application number: CNA2006800099326A
Other languages: Chinese (zh)
Inventors: F·勒, Y·P·斯沃米, G·巴日科
Current assignee: Nokia Oyj
Original assignee: Nokia Oyj

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are examples of a method, system, devices and nodes to conduct communications between a device coupled to a communication network and a network security enforcement node, such as a firewall. An illustrative method includes, with a device coupled to a network security enforcement node through a communication network, requesting from the network security enforcement node information comprised of at least one of supported and enabled features and, in response to receiving the request, sending information descriptive of at least one of network security enforcement node supported and enabled features. The method may further include requesting by the device that at least one network security enforcement node feature be one of enabled or disabled.

Description

Method, apparatus and computer program product enabling negotiation of firewall features by endpoints
Technical field
Various embodiments of the present invention relate generally to communication network security procedures, and in particular to the security of Internet Protocol (IP) networks.
Background technology
As the number of threats on the Internet grows day by day, firewalls play a key role in protecting end users and network resources. In cdma2000 networks, the 3GPP2 standard has recognized their importance by deciding to specify the adoption and use of these network entities (see the requirements in 3GPP2 Network Firewall Configuration and Control - Stage 1, November 2004). By defining several protocols that allow firewall configuration, such as MIDCOM (http://ietf.org/html.charters/midcom-charter.html) and NAT FW NSLP (http://www.ietf.org/internet-drafts/draft-ietf-nsis-nslp-natfw-04.txt), the IETF also acknowledges the value of these network entities and the need for their presence in IP networks.
Several security features have been developed and implemented in current firewalls to prevent denial-of-service (DoS) attacks. Although these features provide a certain degree of protection to the target machine, they may cause problems when new applications and scenarios are considered. These problems may cause packets to be dropped or data communication to stop.
Many current firewalls implement the following features: 1) fragment integrity check, 2) TCP sequence checker, and 3) SYN relay.
Fragment integrity check
As explained in CheckPoint NG VPN-1/FireWall-1 by Jim Noble et al., Syngress Publishing Inc., 2003, if an attack is fragmented into smaller pieces, some firewalls and IDS systems will not detect the attack. This happens because each packet is examined individually as it passes through the device, and a single fragment of the attacker's data may not be recognized as an attack. To avoid this problem, the firewall collects all fragments and checks the reassembled packet before forwarding the data to its destination.
TCP sequence checker
As also explained by Noble et al., each packet in a TCP session carries a sequence number in its TCP header. The sequence number is important because it is the mechanism that allows reliable communication between hosts. The sequence number identifies each set of data so that the receiving host can reassemble the stream in the correct order and can acknowledge each packet as it is received. If a sequence number is not acknowledged within the configured time period, the sender knows to resend the unacknowledged packet. If the retransmission and the acknowledgement cross each other on the network, the receiving host will know to discard the duplicate packet because it has already seen that sequence number.
Most firewalls support a TCP sequence checker that monitors all traffic flows through the gateway and keeps track of the sequence numbers in the packets. If the firewall observes a packet received with an incorrect sequence number, the enforcement point (EP) considers the packet to be out of state and drops it. A network administrator can disable this feature, because it is not supported in some configurations, such as firewall clusters that use asymmetric routing.
SYN relay
The SYN relay method was designed to address the threat of Transmission Control Protocol (TCP) SYN flooding (for a description of this type of malicious attack, see http://www.cert.org/advisories/CA-1996-21.html).
In use, the firewall responds to all SYN packets on behalf of the (firewall-protected) server by sending a SYN/ACK to the client. Once the ACK is received from the client, the firewall forwards the connection to the server. With this method the server never receives invalid connection attempts, because the firewall will not forward the original SYN packet before it receives the corresponding ACK from the client. This method provides good protection for the destination server, but has significant overhead associated with its use, because the firewall is required to respond to every connection request passing through it. The firewall also needs to remain involved in the TCP connection. This is because the TCP connection from the client actually terminates at the firewall, and the firewall then sets up another TCP connection with the server.
Referring to Fig. 1, a malicious node 1 may send traffic to a cellular network 4 through a firewall 3 via an external network 2 such as the Internet. The malicious traffic passes from the cellular network 4 over the air interface 5 to a victim wireless terminal 6. The wireless terminal 6 is assumed to be associated with a cellular network subscriber. This can cause a variety of problems in the cellular network 4, such as problems related to excessive charging, shorter battery life of the victim, and unnecessary consumption of air interface bandwidth.
The fragment integrity check and TCP sequence checker described above are designed to prevent a malicious node from attempting hidden attacks or from attempting to inject spurious traffic (flooding). The SYN relay method is typically used to protect a target machine from TCP SYN flooding when the EP detects an active attack in progress (exceeding a certain attack-attempt threshold).
However, when new applications and scenarios are considered, these features, which can only be enabled/disabled by the network administrator, may often introduce new problems that are very difficult to solve.
For example, in the case of multihoming, which is currently being standardized in the IETF, a node may have multiple interfaces and, for reliability, may ask its peer to send traffic simultaneously over different routes (for example wireless LAN (WLAN) and General Packet Radio Service (GPRS)). Depending on the quality of the different links, some packets may be received over link 1 and other packets over link 2. If the fragment integrity check and TCP sequence checker are enabled, they may prevent packets from being delivered to endpoint 1. The TCP sequence checker may also add extra delay by requesting that the sending node resend the "missing" packets.
Fig. 2 shows the situation of TCP traffic passing over different paths through two different and possibly unrelated firewalls (for example a WLAN firewall and a GPRS (cellular) firewall).
As noted above, in the SYN relay method the TCP connection is actually split into two different connections, one from the client 1 to the firewall 3 and one from the firewall 3 to the server 6, each with its own sequence numbers. The client 1 and the server 6 are not aware of the other peer's sequence numbers. If the client 1 and the server 6 wish to use IPsec, the IPsec module at endpoint 1 may drop packets because the differing TCP sequence numbers can cause an IPsec integrity check mismatch.
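The integrity mismatch described above, as an added example that is not part of the patent: a toy model in Python in which the client protects a TCP segment with an HMAC that stands in for the IPsec integrity check value (ICV), a SYN relay rewrites the sequence number for its own server-side connection, and the server's verification then fails. The header layout, HMAC-SHA256 as the ICV, the key, ports, sequence numbers, the offset and all function names are assumptions chosen for the illustration.

```python
# Added example (not from the patent): why a SYN relay breaks end-to-end IPsec
# integrity protection. The relay splits the TCP connection in two, so the
# sequence numbers the server sees differ from those the client protected.
# HMAC-SHA256 stands in for the real IPsec ICV; key and numbers are constructed.
import hashlib
import hmac
import struct

# Shared integrity key of the two endpoints (constructed sample value).
IPSEC_KEY = b"constructed-sample-key"
ICV_LEN = 32  # SHA-256 digest length

def tcp_header(src_port, dst_port, seq, ack, flags=0x18, window=65535):
    """Minimal 20-byte TCP header (data offset 5, checksum and urgent left 0)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0)

def protect(segment: bytes) -> bytes:
    """Client side: append an ICV computed over the whole TCP segment."""
    return segment + hmac.new(IPSEC_KEY, segment, hashlib.sha256).digest()

def verify(protected: bytes) -> bool:
    """Server side: recompute the ICV and compare in constant time."""
    body, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    expected = hmac.new(IPSEC_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, icv)

def syn_relay_translate(protected: bytes, seq_offset: int) -> bytes:
    """Firewall 3 in SYN relay mode: the server-side connection uses its own
    sequence numbers, so the relay rewrites the sequence number in the header.
    It cannot recompute the ICV because it does not hold IPSEC_KEY."""
    body, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    fields = list(struct.unpack("!HHIIBBHHH", body[:20]))
    fields[2] = (fields[2] + seq_offset) & 0xFFFFFFFF  # translate seq
    return struct.pack("!HHIIBBHHH", *fields) + body[20:] + icv

def deliver(protected: bytes, via_syn_relay: bool, seq_offset: int = 0x1000) -> bool:
    """End-to-end outcome: True if the server's IPsec module accepts the segment."""
    if via_syn_relay:
        protected = syn_relay_translate(protected, seq_offset)
    return verify(protected)

def sample_segment() -> bytes:
    """Constructed client segment: ports, seq/ack and payload are sample values."""
    return protect(tcp_header(40000, 443, seq=1000, ack=500) + b"constructed payload")

if __name__ == "__main__":
    print(deliver(sample_segment(), via_syn_relay=False))  # True
    print(deliver(sample_segment(), via_syn_relay=True))   # False
```

The relay does nothing malicious here; it simply cannot keep the ICV valid for a header it has to rewrite, which is exactly why the endpoint in the patent wants to know whether SYN relay is enabled before choosing IPsec.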
Although firewall security features are designed to improve the security of data communications, in some situations their use may cause extra delay or even dropped packets. In addition, the endpoints 1 (client and server) may not be aware of the source of the problem, because they generally do not know what security features the firewall(s) 3 are implementing. Furthermore, the endpoints have no control over the operation of the firewall, because at present only the network administrator can enable/disable the security feature(s) used by the firewall(s) 3.
Although the endpoints 1 and 6 may have personal firewalls to protect the device from different DoS attacks, and may implement multihoming for extra reliability or IPsec for enhanced security, the normal operation of the firewall(s) 3 may prevent data communication from taking place.
At present, the inventors are not aware of any mechanism in current use that allows an endpoint to learn which features the network firewall 3 supports and/or implements, nor of any currently used mechanism that allows an endpoint to enable/disable firewall features such as the TCP sequence checker, fragment integrity check and/or SYN relay feature.
Although the IETF is currently specifying protocols for configuring firewalls, such as the protocols described by M. Shore et al. in "Middlebox Communications (midcom)" at http://ietf.org/html.charters/midcom-charter.html and by M. Stiemerling et al. in "NAT/Firewall NSIS Signaling Layer Protocol (NSLP)" at http://www.ietf.org/internet-drafts/draft-ietf-nsis-nslp-natfw-04.txt, the proposed protocols are essentially limited to installing rules based on source IP address, destination IP address, protocol and port number. Although these protocols generally allow pinholes to be created or packet filters to be installed to block unwanted traffic, they do not fully address the problems discussed above.
Summary of the invention
The foregoing and other problems are overcome, and other advantages are realized, in accordance with examples of embodiments of the present invention.
One example of the present invention provides a method for communicating between a device coupled to a communication network and a network security enforcement node such as a firewall. The method comprises: with a device coupled to the network security enforcement node through the communication network, requesting from the network security enforcement node information comprising at least one of the supported and enabled features; and, in response to receiving the request, sending information describing at least one of the network security enforcement node's supported and enabled features.
Another example of the present invention provides an apparatus comprising a wireless network interface and a data processor operable to communicate with a network security enforcement node, wherein the communication comprises sending to the network security enforcement node a request to determine at least one of the supported and enabled features.
Another example of the present invention provides a computer program product embodied on a computer-readable medium, wherein execution of the computer program directs a data processor of a wireless device to communicate with a network security enforcement node, comprising the operation of sending to the network security enforcement node a request to determine at least one of the supported and enabled features.
Another example of the present invention provides an apparatus comprising a network interface and a data processor operable to communicate with a device through the network interface, wherein the data processor, in response to a first request from the device for information related to the network security enforcement capabilities of the apparatus, sends to the device information describing at least one of the apparatus's supported and enabled network security enforcement features. The data processor may also respond to a second request from the device to selectively enable or disable at least one network security enforcement feature.
Another example of the present invention provides a computer program product embodied on a computer-readable medium, wherein execution of the computer program directs a data processor of a network security enforcement node to communicate, through a network interface, with a device coupled to the network security enforcement node. The operations performed comprise: receiving from the device a first request for information related to the capabilities of the network security enforcement node; and sending to the device information describing at least one of the features supported and enabled by the network security enforcement node. There may also be an operation, performed in response to receiving a second request from the device, of selectively enabling or disabling at least one network security enforcement node feature for communications of the device handled by the network security enforcement node.
Another example of the present invention provides an apparatus comprising a wireless network interface and a data processor, the data processor being operable to send, via the wireless network interface, a request to a network security enforcement node for information describing at least one of the supported and enabled features, and being further operable to select a communication protocol in response to receiving the information from the network security enforcement node.
Brief description of the drawings
The foregoing and other aspects of the presently preferred embodiments of the invention are made more evident in the following detailed description, when read in conjunction with the attached drawings, wherein:
Fig. 1 depicts an example in which malicious traffic is sent to a wireless terminal via an external network, a firewall, a cellular network and the air interface of the cellular network, and illustrates the problem solved by the preferred embodiments of the present invention;
Fig. 2 shows an example of TCP traffic passing over different paths through two different and possibly unrelated firewalls;
Fig. 3 depicts an example of a logic flow diagram in accordance with an example of the present invention;
Fig. 4 illustrates a CDMA network as an example of a suitable environment in which the teachings of the present invention may be implemented; and
Figs. 5 and 6 illustrate further examples of logic flow diagrams for examples of the present invention.
Detailed description
In the detailed description of certain examples of the present invention, the network security enforcement node, such as a firewall, will be referred to as firewall 40 (see Fig. 4) to distinguish it from the conventional firewall 3 discussed above with reference to Fig. 1.
Likewise, the endpoint, also referred to herein as a device, node or client, will be denoted for example as endpoint 41 (see Fig. 4) to distinguish it from the conventional endpoint 1, which lacks the firewall 40 discovery and/or feature modification request capability of the various examples of the present invention.
Various examples of the present invention relate to firewall 40 configuration protocols, and provide additional capabilities for firewall 40 configuration protocols so as to support future applications and scenarios.
Various examples of the present invention provide techniques for an endpoint 41 to discover a firewall 40 and its capabilities, wherein the endpoint 41 is enabled to discover the entity (the firewall 40, or a manager 40A of the firewall 40, which may be located in the firewall 40) to which the endpoint 41 can send further requests related to the features supported by the firewall 40. These techniques preferably allow the endpoint 41 to learn at least those features supported by the firewall 40 that the endpoint 41 can enable or disable. Preferably these techniques additionally allow the endpoint 41 to learn the features supported by the firewall 40 even when the endpoint 41 cannot modify one or more of those features. As an example, if the firewall 40 implements the fragment integrity check and the endpoint 41 is not authorized to disable this function, the endpoint 41 is still given the opportunity to discover that the fragment integrity check is being performed, because it can modify its own behavior based on this knowledge.
Various examples of the present invention also provide for negotiating, and possibly modifying, the features implemented at one or more network firewalls 40, so that an endpoint 41 can enable/disable at one or more firewalls 40 those features that the network operator authorizes the endpoint 41 to modify.
Various examples of the present invention may be used by the endpoint 41 to select the mechanism(s) and/or protocol(s) to be used for end-to-end communication.
The following paragraphs describe non-limiting techniques for implementing examples of the present invention (for example, how to discover the capabilities of the firewall 40); the details of the underlying protocol depend heavily on the features of the network involved and on future developments of the applicable standards. Reference is now also made to the logic flow diagram of Fig. 3.
A first process (block 3A) causes an optional firewall 40 discovery procedure, such as one performed by a client node 41 as shown in Fig. 4. As several non-limiting examples, firewall 40 discovery can be performed using the Domain Name System (DNS), using the Dynamic Host Configuration Protocol (DHCP), or by sending any broadcast message.
For example, the conventional purpose of DHCP is to enable individual computers on an IP network to extract their configuration from one or more servers (the "DHCP servers"), in particular from servers that hold no exact information about the individual computer before it makes its request. The overall purpose of this process is to reduce the work necessary to manage a large IP network. The most important piece of information distributed in this way is the IP address.
Still referring to Fig. 3, the endpoint 41 requests (block 3B) from the firewall 40 (such as a discovered firewall 40) the supported and enabled features. The firewall(s) 40 may then reply by enumerating the features that it supports and has enabled (block 3C). Commonly used features such as the fragment integrity check, TCP sequence checker and SYN relay (as non-limiting examples) may be assigned standardized values (for example 01, 02 and 03, respectively), and firewall vendors may request vendor-specific values for features specific to certain vendors. Associated with each feature announced by the firewall 40, a flag can inform the endpoint 41 whether the endpoint 41 is able to enable/disable this feature, or whether the network firewall 40 implements this feature when the endpoint 41 does not have the ability to modify it. Another flag can inform the endpoint 41 of the default state of the feature, i.e. whether the feature is enabled or disabled by default. The endpoint 41 can then request, if allowed, that one or more features be enabled or disabled (block 3D). Although single-bit or multi-bit flags may be used in essence, other techniques such as simple text strings may also be used to convey this information.
In the request to enable or disable a feature, the endpoint 41 may indicate which feature it is attempting to modify, such as by setting a flag to indicate that it wants to enable or disable the target feature. Preferably, the endpoint 41 configures one or more features per request. The network firewall 40 then preferably replies (block 3E), informing the endpoint 41 whether its request succeeded or failed.
It should be noted that the sequence from block 3B to block 3E may vary, and may include additional processes or modifications of the disclosed processes. It should also be noted that each of these processes is basically an atomic operation that is independent of the others.
In those networks where endpoint 41 configuration of the firewall 40 is prohibited, the endpoint 41 can still benefit from having the ability to receive the features that the firewall 40 implements and has enabled. For example, where the firewall 40 implements the SYN relay feature, the endpoint 41 should preferably avoid using IPsec, because IPsec will not work. The endpoint 41 can instead use Transport Layer Security (TLS) or some other upper-layer security mechanism that can work with the SYN relay feature. Thus, the endpoint 41 is enabled to modify its operation based on the information discovered from the firewall 40, such as by selecting a protocol suitable for ensuring reliable end-to-end communication.
Other firewall 40 features not specifically described here may have security/transport/application layer implications similar to those of the SYN relay feature. Knowledge of whether a certain specific feature is enabled or disabled in the firewall 40 can thus assist the endpoint 41 in selecting one or more appropriate protocols for end-to-end communication.
In accordance with examples of the present invention, the protocol used with the firewall 40 for the purpose of configuring the firewall 40 can also be used to:
1. obtain the features supported by the firewall 40; and/or
2. enable/disable these features in the firewall 40 (by the endpoint 41).
Note that the firewall 40 may support 10 features, and it may be desirable to enable only a certain subset (for example only five) of these 10 features. This is useful because the more features the firewall 40 has enabled, the greater its processing load and the lower its capacity for handling packet flows. In addition, if certain features are enabled, they may block or hinder one or more particular types of communication. Therefore, as an example, a node may disable one or more specific features in the firewall 40 and then begin the specific communication. When this communication ends, the node 41 may reconfigure the firewall 40 to re-enable the one or more specific features (see Fig. 5).
In Fig. 5, at block 5A the endpoint 41 requests and receives the features supported by the firewall 40. At block 5B the endpoint 41 selectively disables at least one feature (for example, disabling the SYN relay feature if IPsec is to be used). At block 5C the endpoint 41 is assumed to begin and carry out a certain specific communication that is assumed to pass through the firewall 40. At block 5D, when the communication ends, the endpoint 41 may re-enable the one or more disabled features in the firewall 40 (for example, it may turn the SYN relay feature on again).
Note that the firewall 40 may not be configurable (at least not by the endpoint node 41). In this case, the node 41 may select another communication mode. For example, and as noted above, the endpoint node 41 may choose to use another protocol suite, such as a security protocol that operates with, or is compatible with, the specific features of the firewall 40 that cannot be disabled, even though that protocol may be weaker than the one that cannot be used (see Fig. 6).
In Fig. 6, at block 6A the endpoint 41 requests and receives the features supported by the firewall 40. At block 6B the endpoint 41 notes that the firewall 40 has enabled a feature that is incompatible with the specific communication. At block 6C the endpoint 41 selects a protocol suite compatible with the enabled features of the firewall 40 so as to communicate successfully.
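The exchange of blocks 3B to 3E and the two endpoint policies of Figs. 5 and 6, as an added example in Python that is not part of the patent and not Nokia's code: the firewall side announces its feature table as (code, flags) byte pairs, checks authorization before applying an enable/disable request and answers with a per-feature status byte; the endpoint side parses the announcement and either disables SYN relay for an IPsec session and restores it afterwards (Fig. 5) or, when SYN relay is not modifiable, falls back to TLS (Fig. 6). The feature values 01/02/03 come from the description; the byte layout, the flag bit positions, the status codes, the sample feature table and all class and function names are assumptions.

```python
# Added example (not from the patent): a toy model of the firewall feature
# negotiation of blocks 3B-3E (Fig. 3) and the endpoint policies of Figs. 5/6.
# Feature codes 01/02/03 follow the text; byte layout, flag bits, status codes
# and all names are assumptions made for this illustration.
from dataclasses import dataclass, field

# Standardized feature values named in the description (assumed numeric form).
FRAGMENT_INTEGRITY_CHECK = 0x01
TCP_SEQUENCE_CHECKER = 0x02
SYN_RELAY = 0x03

# Assumed flag bits announced alongside each feature code.
FLAG_ENABLED = 0x01          # current state of the feature
FLAG_DEFAULT_ENABLED = 0x02  # default state of the feature
FLAG_MODIFIABLE = 0x04       # endpoint is allowed to enable/disable it

STATUS_OK, STATUS_FAIL = 0x00, 0x01  # assumed block 3E reply codes


@dataclass
class FeatureState:
    enabled: bool
    default_enabled: bool
    modifiable: bool


@dataclass
class Firewall:
    """Firewall 40: holds the feature table and answers the two request types."""
    features: dict = field(default_factory=dict)

    def announce(self) -> bytes:
        """Block 3C: one (code, flags) byte pair per supported feature."""
        out = bytearray()
        for code, st in sorted(self.features.items()):
            flags = ((FLAG_ENABLED if st.enabled else 0)
                     | (FLAG_DEFAULT_ENABLED if st.default_enabled else 0)
                     | (FLAG_MODIFIABLE if st.modifiable else 0))
            out += bytes([code, flags])
        return bytes(out)

    def configure(self, request: bytes) -> bytes:
        """Blocks 3D/3E: request is (code, 1=enable/0=disable) pairs, reply is
        one status byte per pair. Authorization is checked for every pair
        before any change is applied, so an unknown or non-modifiable feature
        fails the whole request and leaves the firewall state untouched."""
        pairs = [(request[i], request[i + 1]) for i in range(0, len(request) - 1, 2)]
        for code, _ in pairs:
            st = self.features.get(code)
            if st is None or not st.modifiable:
                return bytes([STATUS_FAIL] * len(pairs))
        for code, want in pairs:
            self.features[code].enabled = bool(want)
        return bytes([STATUS_OK] * len(pairs))


def parse_announcement(msg: bytes) -> dict:
    """Endpoint side of block 3C: decode (code, flags) pairs into FeatureState."""
    if len(msg) % 2:
        raise ValueError("truncated feature announcement")
    return {msg[i]: FeatureState(bool(msg[i + 1] & FLAG_ENABLED),
                                 bool(msg[i + 1] & FLAG_DEFAULT_ENABLED),
                                 bool(msg[i + 1] & FLAG_MODIFIABLE))
            for i in range(0, len(msg), 2)}


def choose_security(fw: Firewall, prefer_ipsec: bool = True) -> tuple:
    """Endpoint 41 policy. Returns (protocol, syn_relay_disabled_for_session).
    IPsec cannot work through SYN relay, so the endpoint disables SYN relay
    when allowed (Fig. 5) and otherwise falls back to TLS (Fig. 6)."""
    feats = parse_announcement(fw.announce())            # blocks 5A / 6A
    relay = feats.get(SYN_RELAY)
    if not prefer_ipsec or relay is None or not relay.enabled:
        return ("IPsec" if prefer_ipsec else "TLS", False)
    if relay.modifiable:                                  # block 5B
        if fw.configure(bytes([SYN_RELAY, 0])) == bytes([STATUS_OK]):
            return ("IPsec", True)
    return ("TLS", False)                                 # blocks 6B / 6C


def run_session(fw: Firewall) -> tuple:
    """Fig. 5 end to end: pick protocol, communicate, restore (block 5D).
    Returns (protocol used, SYN relay enabled after the session)."""
    proto, disabled = choose_security(fw)
    # ... block 5C: the actual end-to-end communication would happen here ...
    if disabled:
        fw.configure(bytes([SYN_RELAY, 1]))              # re-enable SYN relay
    return proto, fw.features[SYN_RELAY].enabled


def default_firewall(relay_modifiable: bool) -> Firewall:
    """Constructed sample firewall: all three features enabled by default;
    the fragment check is operator-only, the others as given."""
    return Firewall({
        FRAGMENT_INTEGRITY_CHECK: FeatureState(True, True, False),
        TCP_SEQUENCE_CHECKER: FeatureState(True, True, True),
        SYN_RELAY: FeatureState(True, True, relay_modifiable),
    })


if __name__ == "__main__":
    print(run_session(default_firewall(True)))   # ('IPsec', True)
    print(run_session(default_firewall(False)))  # ('TLS', True)
```

The authorization check in configure() runs over the whole request before any state changes, which keeps each request atomic in the sense the description asks for: a request that mixes an allowed feature with a forbidden one is rejected in full rather than half-applied.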
The utilization of example of the present invention is provided and middle boxes (for example fire compartment wall 40) the relevant additional information of handle data communication and also providing in order to the configuration middle boxes means of handle data communication how for end point 41 how.
Utilization to the various examples of the present invention provides additional flexibility, information and control for end point 41.Yet meanwhile, Virtual network operator can determine that still what fire compartment wall 40 and other security feature preferably are implemented in the given cellular network.
In addition thus, can carry out reference, the figure shows and be suitable for the wireless communication system that in implementing instruction of the present invention, uses, the simplified block diagram that is specially CDMA 20001x network Fig. 4.Provide description to Fig. 4 so that instruction of the present invention is placed under the suitable technical background.Yet will be appreciated that shown in Fig. 4 that the concrete network architecture and topology should not be understood that the restrictive meaning of instruction tool of the present invention, because can in the network that has with frameworks different shown in Fig. 4 and topology, implement instruction of the present invention.In addition, also can move the universal of implementing embodiments of the invention in the TCP/IP network with other, so these universals are not limited to only use in the CMDA network at network based on TDMA.GSN and wideband CDMA (WCDMA) network all can be benefited from the utilization to the various examples of the present invention.Reading the while as described below, be that cdma network is peculiar although should be noted that some aspects of this description, to the description of Fig. 4 be not intended to read to separate for to according to the enforcement of instruction of the present invention, use and/or implement restrictive meaning.
Wireless communication system shown in Fig. 4 comprises at least one mobile radio station (MS) 10.MS 10 can be or can comprise the portable terminal (MT) or the mobile node (MN) of cell phone or any kind or more generally be the equipment with wireless communication interface and ability, the equipment that includes but not limited to pocket computer, personal digital assistant (PDA), internet equipment, game station, imaging device and have the combination of these and/or other function.Suppose physical layer that MS 10 and network 12 are used and more highest level signal form and protocol-compliant and can be coupled via Radio Link 11 that comprises air interface and network 12.In currently preferred embodiment of the present invention, Radio Link 11 is radio frequency (RF) links, yet Radio Link 11 can be or comprise optical link in utilization other example of the present invention, and the radio network interface of MS 10 and a class or two class Radio Links, 11 compatibilities.The equipment of implementing MS 10 can be regarded as wireless device.
MS 10 can or can not come work as the server that is used for client node, and this client node can be regarded as end point 41 discussed above (also can be another wireless device).
In the conventional manner, the network 12 comprises a mobile switching centre (MSC) 14 coupled to a visitor location register (VLR) 16 by the IS-41 MAP interface. The VLR 16 is in turn coupled by the IS-41 MAP interface to a Signalling System No. 7 (SS-7) network 18, and is thereby coupled to the home location register (HLR) 20 associated with the home access provider network of the MS 10. The MSC 14 is also coupled to a first radio network (RN) 22A by an A1 interface (used for circuit switched (CS) and packet switched (PS) services) and by an A5/A2 interface (used only for CS services). The first RN 22A comprises a base station (BS) 24A, which comprises a base transceiver station (BTS) and a base station controller (BSC) coupled to a Packet Control Function (PCF) 26A by an A8/A9 interface. The PCF 26A is coupled to a first packet data serving node (PDSN) 28A via an R-P (PDSN/PCF) interface 27 (also referred to as the A10/A11 interface) and thereby to an IP network 30 (via the Pi interface). The PDSN 28A is also shown coupled, via Pi and Remote Authentication Dial-In User Service (RADIUS) interfaces, to a visited access, authorization and accounting (AAA) node 32, which is in turn coupled to the IP network 30 via a RADIUS interface. A home IP network AAA node 34 and a proxy IP network AAA node 36 are also shown coupled to the IP network 30 via RADIUS interfaces. A home IP network / home access provider network / private network home agent 38 is coupled to the IP network via a Mobile IPv4 interface. According to RFC 3220, the home agent 38 is a router on the home network of the mobile node (the MS 10 in this description) that tunnels datagrams for delivery to the mobile node while it is away from home and maintains current location information for the mobile node.
In Fig. 4 a second RN 22B is also shown coupled to the first RN 22A via the A3/A7 interface. The second RN 22B comprises a BS 24B and a PCF 26B and is coupled to a second PDSN 28B. The PDSN 28A and the PDSN 28B are coupled by a P-P interface 29 (the PDSN-to-PDSN interface defined in IS-835C).
The functionality of the firewall 40 according to examples of the invention (see, for example, Fig. 3) may be incorporated in the PDSN 28, or in another network node located before the radio link (air interface) 11 of the PCF 26, where the TCP packets of interest are present, for example at the radio link (air interface) 11 of the PCF 26. In other types of wireless systems a packet processing node of equivalent function may be used. As stated earlier, a firewall manager (FM) 40A function may also be present.
For the purposes of the invention, the firewall 40 may be regarded as any network system or node placed between a server (for example the MS 10) and a node (endpoint) 41 (which may be another MS), and may be assumed to comprise at least one data processor (DP) that operates under control of a computer program stored on a computer-readable medium such as a disk, tape and/or semiconductor memory (M) so as to implement the examples of the invention and their variations: responding to a discovery request directed to the firewall 40, selectively enabling or disabling a requested feature, and possibly reporting success or failure, as described above with reference to Fig. 3. A suitable network interface (NI) is also provided. At least one endpoint 41 node may be constructed in a similar manner and is likewise assumed to comprise at least one data processor (DP) that operates under control of a computer program stored on a computer-readable medium such as a disk, tape and/or semiconductor memory (M) so as to implement the examples of the invention and their variations: initiating the discovery procedure for the firewall 40, where applicable requesting that one or more features of the discovered firewall 40 be selectively enabled or disabled, and possibly selecting a suitable communication protocol for use with those features of the discovered firewall 40 that the endpoint 41 cannot disable, as described above with reference to Figs. 3, 5 and 6. The network interface (NI) of the endpoint 41 node may be a wired or a wireless interface.
From the above description it should be apparent that a protocol has been disclosed. In examples according to the invention, this protocol should allow a client to learn which features are implemented in the firewall 40 and which of those features are enabled or disabled. The protocol should also allow the client to configure the firewall 40, such as by enabling or disabling features in the firewall 40. These capabilities are useful in many situations, such as providing advance knowledge of the features implemented in the firewall 40 so as to help a node select an adequate protocol and continue end-to-end communication.
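As an added example that is not part of the patent, the following Python simulation walks through the exchange described above: a discovery reply carrying the per-feature flags, an enable/disable request with its success or failure report, protocol selection around a feature the endpoint may not disable, and re-enabling a feature when a session ends. The message layout, the feature names (`tcp_syn_rate_limit`, `block_inbound_udp`) and the flag names are assumptions; the patent specifies none of them.

```python
"""Simulated firewall feature negotiation.  Constructed example: message layout,
feature names and flag names are assumptions; the patent specifies none of them."""
from dataclasses import dataclass, asdict

@dataclass
class Feature:
    enabled: bool
    client_may_toggle: bool  # claim 2 flag: may the endpoint enable/disable it?
    default_enabled: bool    # claim 3 flag: the feature's default state

class FirewallNode:
    """Network security enforcement node answering discovery and set requests."""
    def __init__(self, features):
        self.features = features  # name -> Feature; only supported features are listed

    def handle(self, msg):
        if msg["type"] == "discover":
            return {"type": "discover_reply",
                    "features": {n: asdict(f) for n, f in self.features.items()}}
        if msg["type"] == "set":
            f = self.features.get(msg["feature"])
            # Fail for unsupported features and for ones the endpoint may not control.
            ok = f is not None and f.client_may_toggle
            if ok:
                f.enabled = msg["enable"]
            return {"type": "set_reply", "feature": msg["feature"], "ok": ok}
        return {"type": "error", "ok": False}

class Endpoint:
    """Client side: discovers features, requests changes and chooses a protocol."""
    def __init__(self, firewall):
        self.fw, self.known = firewall, {}

    def discover(self):
        self.known = self.fw.handle({"type": "discover"})["features"]
        return self.known

    def request(self, feature, enable):
        return self.fw.handle({"type": "set", "feature": feature, "enable": enable})["ok"]

    def choose_protocol(self):
        # Constructed policy: an enabled inbound-UDP block the endpoint may not switch off forces TCP.
        udp = self.known.get("block_inbound_udp")
        return "tcp" if udp and udp["enabled"] and not udp["client_may_toggle"] else "udp"

def demo_firewall():
    # Constructed feature table for the example firewall.
    return FirewallNode({
        "tcp_syn_rate_limit": Feature(enabled=True, client_may_toggle=True, default_enabled=True),
        "block_inbound_udp": Feature(enabled=True, client_may_toggle=False, default_enabled=True)})

def run_session(firewall, feature="tcp_syn_rate_limit"):
    """Claim 10 flow: disable a feature, communicate, then re-enable it when done."""
    ep = Endpoint(firewall)
    ep.discover()
    disabled = ep.request(feature, False)
    protocol = ep.choose_protocol()  # the end-to-end communication would happen here
    restored = ep.request(feature, True) if disabled else False
    enabled_after = firewall.features[feature].enabled if disabled else None
    return {"disabled": disabled, "protocol": protocol, "restored": restored, "enabled_after": enabled_after}
```

A request to disable `block_inbound_udp` is refused because its flag marks it as not endpoint-controllable, which is exactly what drives the endpoint to a TCP-based protocol.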
The foregoing description has provided, by way of exemplary and non-limiting examples, a full and informative description of the best method and apparatus presently contemplated by the inventors for carrying out the invention. However, various modifications and adaptations may become apparent to those skilled in the relevant arts in view of the foregoing description when read in conjunction with the accompanying drawings and the appended claims. As just some examples, those skilled in the art may attempt other similar or equivalent message formats and protocols. However, all such and similar modifications of the teachings of this invention will still fall within the scope of this invention. Furthermore, some of the features of the examples of this invention may be used to advantage without the corresponding use of other features. As such, the foregoing description should be considered as merely illustrative of the principles, teachings and various non-limiting examples and embodiments of this invention, and not in limitation thereof.

Claims (35)

1. A method comprising:
with a device coupled to a network security enforcement node through a communication network, requesting from the network security enforcement node information comprising at least one of supported and enabled features; and
in response to receiving the request, sending information describing at least one of network security enforcement node supported and enabled features.
2. The method of claim 1, wherein said sending comprises associating a flag with a feature to inform the device whether the device is permitted to enable/disable that feature.
3. The method of claim 1, wherein said sending comprises associating a flag with a feature to inform the device of the default state of that feature.
4. The method of claim 1, further comprising requesting by the device that at least one network security enforcement node feature be enabled or disabled.
5. The method of claim 1, further comprising informing the device whether a request to enable or disable at least one firewall feature succeeded or failed.
6. The method of claim 1, wherein said sending is performed by the network security enforcement node.
7. The method of claim 1, wherein said sending is performed by a manager of the network security enforcement node.
8. The method of claim 1, further comprising an initial operation of initiating a network security enforcement node discovery procedure, wherein requesting the information comprises sending the request to the discovered network security enforcement node.
9. The method of claim 1, further comprising selecting at least one communication protocol for use by the device in response to receiving the information.
10. The method of claim 1, further comprising:
requesting by the device that at least one network security enforcement node feature be disabled;
communicating through the network security enforcement node; and
requesting, when the communication ends, that the at least one network security enforcement node feature be re-enabled.
11. An apparatus comprising a wireless network interface and a data processor operable to communicate with a network security enforcement node, the communication comprising sending to the network security enforcement node a request to determine at least one of supported and enabled features.
12. The apparatus of claim 11, the communication further comprising sending a request to enable or disable at least one network security enforcement node feature.
13. The apparatus of claim 11, the communication further comprising performing a network security enforcement node discovery procedure, the data processor initiating the communication with the discovered network security enforcement node.
14. The apparatus of claim 11, the data processor being operable to select at least one communication protocol according to the information received in response to the request.
15. The apparatus of claim 11, the communication further comprising a request to disable at least one network security enforcement node feature, the data processor being operable to subsequently communicate through the network security enforcement node.
16. The apparatus of claim 11, wherein the communication further comprises a request to re-enable the at least one network security enforcement node feature when the communication ends.
17. A computer program product embodied on a computer-readable medium, execution of the computer program directing a data processor of a wireless device to communicate with a network security enforcement node, the execution of the computer program comprising the operation of: sending to the network security enforcement node a request to determine at least one of supported and enabled features.
18. The computer program product of claim 17, the execution of the computer program further comprising the operation of: sending a request to enable or disable at least one network security enforcement node feature.
19. The computer program product of claim 17, the execution of the computer program further comprising the operations of: performing a network security enforcement node discovery procedure; and initiating the communication with the discovered network security enforcement node.
20. The computer program product of claim 17, the execution of the computer program further comprising the operation of: selecting a communication protocol according to the information received in response to the request.
21. The computer program product of claim 17, the execution of the computer program further comprising the operation of: requesting that at least one network security enforcement node feature be disabled, the data processor being operable to subsequently communicate through the network security enforcement node.
22. The computer program product of claim 21, the execution of the computer program further comprising the operation of: requesting, when the communication ends, that the at least one network security enforcement node feature be re-enabled.
23. An apparatus comprising a wireless network interface and a data processor operable to communicate with a device through the network interface, the data processor being responsive to a first request from the device for information relating to the network security enforcement capabilities of the apparatus to send to the device information describing at least one of network security enforcement supported and enabled features.
24. The apparatus of claim 23, the data processor being further responsive to a second request from the device to selectively enable or disable at least one network security enforcement feature.
25. A computer program product embodied on a computer-readable medium, execution of the computer program directing a data processor of a network security enforcement node to communicate with a device coupled to the network security enforcement node through a network interface, the execution of the computer program comprising the operations of: receiving from the device a first request for information relating to the capabilities of the network security enforcement node; and sending to the device information describing at least one of network security enforcement node supported and enabled features.
26. The computer program product of claim 25, further comprising the operation of selectively enabling or disabling at least one network security enforcement node feature, for device communications handled by the network security enforcement node, in response to a second request received from the device.
27. An apparatus comprising means for interfacing to a wireless network and means for communicating with a network security enforcement node, the communicating means being operable to send to the network security enforcement node a request to determine at least one of supported and enabled features.
28. The apparatus of claim 27, the communicating means being further operable to send a request to enable or disable at least one network security enforcement node feature.
29. The apparatus of claim 27, the communicating means being further operable to perform a network security enforcement node discovery procedure and to initiate communication with the discovered network security enforcement node.
30. The apparatus of claim 27, further comprising means for selecting at least one communication protocol according to the information received in response to the request.
31. An apparatus comprising means for interfacing to a network and means, operating via the network interfacing means, for communicating with a device and, in response to a first request from the device for information relating to the network security enforcement capabilities of the apparatus, sending to the device information describing at least one of network security enforcement supported and enabled features.
32. The apparatus of claim 31, the communicating means being further responsive to a second request from the device to selectively enable or disable at least one network security enforcement feature.
33. An apparatus comprising a wireless network interface and a data processor operable to send, via the wireless network interface, a request to a network security enforcement node for information describing at least one of supported and enabled features, the data processor being further operable to select a communication protocol in response to receiving the information from the network security enforcement node.
34. The apparatus of claim 33, the data processor being further operable to send to the network security enforcement node a request to enable or disable at least one network security enforcement node feature.
35. The apparatus of claim 33, the data processor being further operable to initiate a network security enforcement node discovery procedure and to send the request for information describing at least one of supported and enabled features to the discovered network security enforcement node.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US65213705P 2005-02-11 2005-02-11
US60/652,137 2005-02-11
US11/129,273 2005-05-12

Publications (1)

Publication Number Publication Date
CN101151842A true CN101151842A (en) 2008-03-26

Family

ID=39251329

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2006800099326A Pending CN101151842A (en) 2005-02-11 2006-02-02 Method, apparatus and computer program product enabling negotiation of firewall features by endpoints

Country Status (1)

Country Link
CN (1) CN101151842A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106249704A (en) * 2015-06-05 2016-12-21 费希尔-罗斯蒙特系统公司 For the method and apparatus controlling the communication of the end points in industrial undertaking's system based on integrity
CN107547504A (en) * 2017-06-16 2018-01-05 新华三信息安全技术有限公司 Intrusion prevention method and device
CN107547504B (en) * 2017-06-16 2020-12-04 新华三信息安全技术有限公司 Intrusion prevention method and device


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080326