CN104380686A - Method and system used for applying NG firewall, NG firewall client-side and NG firewall servicer - Google Patents


Info

Publication number: CN104380686A
Authority: CN (China)
Prior art keywords: application, information, security information, described application, terminal equipment
Legal status: Granted
Application number: CN201480001549.0A
Other languages: Chinese (zh)
Other versions: CN104380686B (en)
Inventors: 山贾·库马尔·纳维, 德布塔·纳亚克, 章驰
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority claimed from: IN5037CH2013 (IN2013CH05037A)
Events: application filed by Huawei Technologies Co Ltd; publication of CN104380686A; application granted; publication of CN104380686B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0254 Stateful filtering


Abstract

The invention provides a method and system for implementing an NG firewall, an NG firewall client and an NG firewall server. The method comprises: when an application is started on a terminal device configured with the NG firewall client, sending a request message requesting the security information of the application; receiving a response message containing the security information of the application; and processing the data received or sent by the application using that security information. Attack protection can thus be loaded dynamically, so the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.

Description

Method and system for implementing an NG firewall, NG firewall client and NG firewall server
Technical field
The present invention relates to communication technology, and in particular to a method and system for implementing an NG firewall, an NG firewall client and an NG firewall server.
Background
An NG firewall (NG-FW, next-generation firewall) unifies security services into a single engine and changes the design of access control and security policy. An NG firewall extends management to applications and traffic flows. Its functions include permitting, blocking, logging, monitoring and bandwidth control.
An NG firewall combines first-generation firewalls such as stateful and stateless network firewalls, application firewalls, NAT-ALG (network address translation application-level gateway), IPS (intrusion prevention system)/IDS (intrusion detection system) and anti-X malware scanning. This combination increases the complexity of the NG firewall. The basis of an NG firewall is deep packet inspection of incoming and outgoing packets, correlated with previously received packets.
On the other hand, smartphones are a key enabler of BYOD (bring your own device) in travel, private banking, social networking and entertainment. This increases the security threats to consumer privacy and the risk of leaking personal and business data.
However, the applicant has found that NG firewalls are installed on dedicated servers with high computing capability, and have not been implemented on terminal devices such as smartphones. Consequently the software footprint required on the terminal device is not reduced, and the performance of the applications installed on the terminal device is not improved.
Summary of the invention
Embodiments of the invention provide a method and system for implementing an NG firewall, an NG firewall client and an NG firewall server, which reduce the software footprint of the NG firewall on the terminal device without weakening application-layer attack protection.
According to one aspect of an embodiment of the invention, a method for implementing an NG firewall (next-generation firewall) is provided, the method comprising:
when an application is started on a terminal device, sending to an NG firewall server a request message requesting the security information of the application;
receiving from the NG firewall server a response message containing the security information of the application, where the security information of the application represents the information used to protect the application started on the terminal device; and
processing the data of the application by using the security information of the application.
According to another aspect of an embodiment of the invention, the request message comprises the identifying information of the application, and the identifying information of the application is used by the NG firewall server to determine the security information of the application.
According to another aspect of an embodiment of the invention, the method further comprises:
when the application is closed on the terminal device, removing the security information of the application.
According to another aspect of an embodiment of the invention, the response message further comprises one or more timer values for maintaining part or all of the security information of the application; and
the method further comprises: when one or more of the timer values corresponding to the part of the security information of the application expire, requesting that part of the security information of the application again, or
when one or more of the timer values corresponding to all of the security information of the application expire, requesting all of the security information of the application again.
According to another aspect of an embodiment of the invention, the method further comprises:
when one or more of the timer values corresponding to the part of the security information of the application expire, removing that part of the security information of the application, or
when one or more of the timer values corresponding to all of the security information of the application expire, removing all of the security information of the application.
According to another aspect of an embodiment of the invention, the security information of the application comprises any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application and the packet rate-limiting policy information of the application.
According to another aspect of an embodiment of the invention, different timer values are used for keeping any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application and the packet rate-limiting policy information of the application; or
the same timer value is used for keeping any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application and the packet rate-limiting policy information of the application.
According to another aspect of an embodiment of the invention, processing the data of the application by using the security information of the application comprises:
processing the data of the application by using the packet signature information of the application, or
processing the data of the application by using the access control list information of the application, or
processing the data of the application by using the malformed packet attack information of the application, or
processing the data of the application by using the stateful firewall library information of the application, or
processing the data of the application by using the packet rate-limiting policy information of the application.
According to another aspect of an embodiment of the invention, a method for implementing an NG firewall is provided, the method comprising:
receiving from a terminal device a request message requesting the security information of an application, where the security information of the application represents the information used to protect the application started on the terminal device;
determining the security information of the application according to the request message; and
sending to the terminal device a response message comprising the security information of the application.
According to another aspect of an embodiment of the invention, the request message comprises the identifying information of the application; and
determining the security information of the application according to the request message comprises: obtaining the security information of the application from a database according to the identifying information of the application contained in the request message.
According to another aspect of an embodiment of the invention, before sending to the terminal device the response message comprising the security information of the application, the method further comprises:
authenticating whether the request message is valid; and
when the request message is valid, performing the sending to the terminal device of the response message comprising the security information of the application.
According to another aspect of an embodiment of the invention, the method further comprises:
determining one or more timer values for maintaining part or all of the security information of the application; and
sending to the terminal device the response message comprising the security information of the application comprises: sending to the terminal device a response message comprising the security information of the application and the one or more timer values for maintaining part or all of the security information of the application.
According to another aspect of an embodiment of the invention, the security information of the application comprises any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application and the packet rate-limiting policy information of the application.
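The client/server exchange described in the aspects above, as an added example that is not part of the patent: the client builds a request carrying the application's identifying information, the server authenticates it, looks the application up in a constructed NG-FW database and returns the security information with a timer value per part, and the client re-requests only the parts whose timers have expired and removes everything when the application closes. The HMAC-based request authentication, the JSON message shape, the part names and the database contents are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: each request is authenticated with an HMAC over its body using a
# key provisioned to the terminal device. The patent only says the server
# checks whether the request message is valid; the mechanism is not specified.
SHARED_KEY = b"constructed-demo-key"

# Constructed NG-FW database keyed by application identifier. Each part of the
# security information carries its own timer value in seconds, matching the
# "different timer values" aspect of the summary.
NGFW_DB = {
    "com.example.chat": {
        "signature": {"value": {"sha256": "<constructed app hash>"}, "ttl": 3600},
        "acl": {"value": [{"dir": "tx", "dst_port": 443, "action": "permit"},
                          {"dir": "tx", "action": "deny"}], "ttl": 600},
        "malformed": {"value": {"min_ip_len": 20, "max_len": 1500}, "ttl": 3600},
        "stateful": {"value": {"track": ["tcp", "udp"], "idle_timeout": 300}, "ttl": 900},
        "rate_limit": {"value": {"rx_pps": 200, "tx_pps": 100}, "ttl": 600},
    }
}


def _mac(body: dict) -> str:
    """Authentication tag over a canonical encoding of the request body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()


def build_request(app_id: str, parts=None) -> dict:
    """Client side: request all parts (default) or only the named parts."""
    body = {"app_id": app_id, "parts": sorted(parts) if parts else "all"}
    return {"body": body, "mac": _mac(body)}


def server_handle(request: dict) -> dict:
    """Server side: authenticate, look up the database, return info plus timers."""
    body = request.get("body", {})
    if not hmac.compare_digest(_mac(body), request.get("mac", "")):
        return {"status": "invalid"}          # request failed authentication
    entry = NGFW_DB.get(body.get("app_id"))
    if entry is None:
        return {"status": "unknown_app"}
    parts = body.get("parts", "all")
    wanted = list(entry) if parts == "all" else parts
    info = {p: entry[p]["value"] for p in wanted if p in entry}
    timers = {p: entry[p]["ttl"] for p in info}
    return {"status": "ok", "security_info": info, "timers": timers}


class NgfwClient:
    """Keeps the security information of each running application, with expiry."""

    def __init__(self):
        self.cache = {}   # app_id -> {part: (value, expires_at)}

    def on_app_start(self, app_id: str, now: float) -> bool:
        """Application started: request all of its security information."""
        return self._load(app_id, None, now)

    def _load(self, app_id, parts, now) -> bool:
        resp = server_handle(build_request(app_id, parts))
        if resp["status"] != "ok":
            return False
        slot = self.cache.setdefault(app_id, {})
        for part, value in resp["security_info"].items():
            slot[part] = (value, now + resp["timers"][part])
        return True

    def refresh_expired(self, app_id: str, now: float) -> list:
        """Re-request only the parts whose timer has expired; return their names."""
        expired = [p for p, (_, exp) in self.cache.get(app_id, {}).items()
                   if now >= exp]
        if expired:
            self._load(app_id, expired, now)
        return expired

    def on_app_close(self, app_id: str) -> None:
        """Application closed: remove all of its security information."""
        self.cache.pop(app_id, None)

    def get(self, app_id: str, part: str):
        item = self.cache.get(app_id, {}).get(part)
        return item[0] if item else None
```

A simulated clock (`now`) is passed in rather than read from the system so the expiry behaviour can be exercised deterministically.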
According to another aspect of an embodiment of the invention, an NG firewall client is provided, comprising:
a sending unit, for sending to an NG firewall server a request message requesting the security information of an application when the application is started on a terminal device configured with the NG firewall client;
a receiving unit, for receiving from the NG firewall server a response message containing the security information of the application, where the security information of the application represents the information used to protect the application started on the terminal device; and
a processing unit, for processing the data of the application by using the security information of the application.
According to another aspect of an embodiment of the invention, the sending unit is specifically for sending to the NG firewall server the request message requesting the security information of the application when the application is started on the terminal device configured with the NG firewall client; where the request message comprises the identifying information of the application, and the identifying information of the application is used by the NG firewall server to determine the security information of the application.
According to another aspect of an embodiment of the invention, the NG firewall client further comprises:
a clearing unit, for removing the security information of the application when the application is closed on the terminal device.
According to another aspect of an embodiment of the invention, the response message further comprises one or more timer values for maintaining part or all of the security information of the application; and
the sending unit is further for requesting the part of the security information of the application again when one or more of the timer values corresponding to that part expire, or requesting all of the security information of the application again when one or more of the timer values corresponding to all of the security information expire.
According to another aspect of an embodiment of the invention, the clearing unit is further for removing the part of the security information of the application when one or more of the timer values corresponding to that part expire, or removing all of the security information of the application when one or more of the timer values corresponding to all of the security information expire.
According to another aspect of an embodiment of the invention, the security information of the application comprises any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application and the packet rate-limiting policy information of the application.
According to another aspect of an embodiment of the invention, the processing unit is specifically for:
processing the data of the application by using the packet signature information of the application, or
processing the data of the application by using the access control list information of the application, or
processing the data of the application by using the malformed packet attack information of the application, or
processing the data of the application by using the stateful firewall library information of the application, or
processing the data of the application by using the packet rate-limiting policy information of the application.
According to another aspect of an embodiment of the invention, an NG firewall server is provided, comprising:
a receiving unit, for receiving from a terminal device a request message requesting the security information of an application, where the security information of the application represents the information used to protect the application started on the terminal device;
a first determining unit, for determining the security information of the application according to the request message; and
a sending unit, for sending to the terminal device a response message comprising the security information of the application.
According to another aspect of an embodiment of the invention, the request message comprises the identifying information of the application; and
the first determining unit is specifically for obtaining the security information of the application from a database according to the identifying information of the application contained in the request message.
According to another aspect of an embodiment of the invention, the NG firewall server further comprises:
an authentication unit, for authenticating whether the request message is valid; and
the sending unit is specifically for sending to the terminal device the response message comprising the security information of the application when the request message is valid.
According to another aspect of an embodiment of the invention, the NG firewall server further comprises:
a second determining unit, for determining one or more timer values for maintaining part or all of the security information of the application; and
the sending unit is specifically for sending to the terminal device a response message comprising the security information of the application and the one or more timer values for maintaining part or all of the security information of the application.
According to another aspect of an embodiment of the invention, the security information of the application comprises any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application and the packet rate-limiting policy information of the application.
According to another aspect of an embodiment of the invention, a terminal device is provided, comprising:
a processor and a memory coupled to the processor;
where the processor is for:
when an application is started on the terminal device, sending to an NG firewall server a request message requesting the security information of the application;
receiving from the NG firewall server a response message containing the security information of the application, where the security information of the application represents the information used to protect the application started on the terminal device; and
processing the data of the application by using the security information of the application.
According to another aspect of an embodiment of the invention, an NG firewall server is provided, comprising:
a processor and a memory coupled to the processor;
where the processor is for:
receiving from a terminal device a request message requesting the security information of an application, where the security information of the application represents the information used to protect the application started on the terminal device;
determining the security information of the application according to the request message; and
sending to the terminal device a response message comprising the security information of the application.
According to another aspect of an embodiment of the invention, a system for implementing an NG firewall is provided, comprising:
one or more terminal devices as described above; and
an NG firewall server as described above.
The beneficial effect of the embodiments of the invention is that, when an application is started on the terminal device, the NG firewall client requests the security information of the application from the NG firewall server. The embodiments can therefore load attack protection dynamically, so the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.
In addition, the terminal device is protected against new attacks arising from new applications or services. Because the amount of attack protection depends directly on the number of applications the user is using, signaling messages are reduced, which helps to extend the battery life of the mobile terminal.
These and other aspects and features of the invention will be apparent from the following description and the accompanying drawings. The description and drawings disclose specific embodiments of the invention in detail to indicate some of the ways in which the principles of the invention may be employed, but it should be understood that the invention is not limited to that scope. On the contrary, the invention includes all changes, modifications and equivalents within the spirit and terms of the appended claims.
Features described and/or illustrated with reference to one embodiment may be used in the same or a similar way in one or more other embodiments, and/or combined with or substituted for features of other embodiments.
It is emphasized that the term "comprises", as used in this specification, indicates the presence of the stated features, integers, steps or components, but does not exclude the presence or addition of one or more other features, integers, steps, components or combinations thereof.
Many aspects of the invention can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale; emphasis is instead placed on clearly illustrating the principles of the invention. To help illustrate and describe some parts of the invention, the size of corresponding parts in the drawings may be exaggerated, for example made larger relative to other parts than in an exemplary device actually built according to the invention. Elements and features described in one drawing or embodiment of the invention may be combined with elements and features described in one or more additional drawings or embodiments. Furthermore, in the drawings, like reference numerals designate corresponding parts throughout the several views, and may be used to designate like or similar parts in more than one embodiment.
Brief description of the drawings
The accompanying drawings are included to provide a further understanding of the invention; they form part of this specification, illustrate preferred embodiments of the invention, and together with the description serve to explain the principles of the invention. Like reference numerals designate like elements throughout the drawings.
In the drawings:
Fig. 1 is a schematic flow chart of a method for implementing an NG firewall according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a terminal device and an NG firewall server;
Fig. 3 is a schematic flow chart of a method for implementing an NG firewall according to an embodiment of the invention;
Fig. 4 is another schematic flow chart of a method for implementing an NG firewall according to an embodiment of the invention;
Fig. 5 is a schematic flow chart of step 402 according to an embodiment of the invention;
Fig. 6 is a schematic flow chart of step 403 according to an embodiment of the invention;
Fig. 7 is a schematic flow chart of step 405 according to an embodiment of the invention;
Fig. 8 is a schematic flow chart of step 406 according to an embodiment of the invention;
Fig. 9 is a schematic flow chart of step 407 according to an embodiment of the invention;
Fig. 10 is a schematic flow chart of a method for implementing an NG firewall according to an embodiment of the invention;
Fig. 11 is another schematic flow chart of a method for implementing an NG firewall according to an embodiment of the invention;
Fig. 12 is a schematic structural diagram of a terminal device according to an embodiment of the invention;
Fig. 13 is a schematic structural diagram of a terminal device according to an embodiment of the invention;
Fig. 14 is a schematic structural diagram of an NG firewall server according to an embodiment of the invention;
Fig. 15 is another schematic structural diagram of an NG firewall server according to an embodiment of the invention;
Fig. 16 is a schematic structural diagram of a terminal device according to an embodiment of the invention;
Fig. 17 is a schematic structural diagram of an NG firewall server according to an embodiment of the invention;
Fig. 18 is a schematic structural diagram of a system for implementing an NG firewall according to an embodiment of the invention.
Detailed description
Many features and advantages of the embodiments are apparent from the detailed specification, and the appended claims are therefore intended to cover all such features and advantages of the embodiments that fall within their true spirit and scope. Furthermore, because numerous modifications and variations will readily occur to those skilled in the art, it is not desired to limit the embodiments of the invention to the exact construction and operation illustrated and described; accordingly, all suitable modifications and equivalents fall within the respective scope.
Embodiments of the invention are described below with reference to the accompanying drawings.
Embodiment 1
This embodiment of the invention provides a method for implementing an NG firewall; the method is applied in an NG firewall client.
Fig. 1 is a schematic flow chart of the method for implementing an NG firewall according to Embodiment 1 of the invention. As shown in Fig. 1, the method comprises:
Step 101: when an application is started on a terminal device configured with the NG firewall client, the NG firewall client sends a request message to the NG firewall server, where the request message requests the security information of the application.
Step 102: the NG firewall client receives a response message from the NG firewall server, where the response message contains the security information of the application; the security information of the application represents the information used to protect the application started on the terminal device.
Step 103: the NG firewall client processes the data of the application by using the security information of the application.
In this embodiment, the NG firewall client may be configured on a terminal device, and the terminal device may be a fixed device or a wireless device, such as a smartphone or a tablet computer. The application may be social software (for example, Skype or YouTube) and may be installed on the terminal device. The embodiment is not limited to this, however; the particular implementation may be determined according to actual needs.
In this embodiment, the NG firewall server has an NG-FW database containing the data or information of the NG firewall. For details of the NG-FW database, refer to the prior art. The NG firewall server may connect to the terminal device (such as a smartphone) through any of its interfaces, for example Bluetooth, a USB port or any air interface.
In this embodiment, the security information of the application may comprise: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application and the packet rate-limiting policy information of the application. The embodiment is not limited to this, however; the particular implementation may be determined according to actual needs.
Fig. 2 is a schematic diagram illustrating an example of the structure of the terminal device and the NG firewall server. Note that this figure is only exemplary; other types of structure may be used to supplement or replace it.
As shown in Fig. 2, a number of applications are present on the terminal device configured with the NG-FW client, and the security information of these applications (for example, their attack protection data) is present on the NG-FW server configured with the database.
For example, the database storing the security information of the applications may be configured in the NG-FW server; in other words, the database is a local database of the NG-FW server. In another example, the database storing the security information of the applications may be configured separately, and the NG-FW server accesses it through a communication interface. This is not limiting, however.
In this embodiment, an NG-FW is one of the mandatory requirements for a terminal device (such as a smartphone) to support BYOD, personal financial management, strategic business information and the protection of personal information. A smartphone is a battery-operated device with limited computational resources.
As the number of mobile VAS (value-added services) grows exponentially, the number of attacks will also grow exponentially, so the software footprint of an NG-FW that uses a complex application framework to handle every type of attack will be very expensive. Clearly, a mobile subscriber uses only a very limited number of applications at any one time.
In this embodiment, for example, the full set of NG-FW-based attack protections may be kept in a centralized entity, such as a packet core network, an attached storage, or a server. When the smartphone user starts any application, an attack protection request is sent to the NG-FW database. The smartphone then installs the application-specific attack protection, access control list and application signature. Every Rx/Tx packet is checked against the newly installed attack protection, so that ingress and egress access control for the application can be performed on the smartphone.
As can be seen from the above embodiment: when an application is started on the terminal device configured with the NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. The embodiments of the invention can therefore load attack protection dynamically, so that the software footprint required on the terminal device is reduced and the performance of the applications installed on the terminal device is improved.
Embodiment 2
Based on Embodiment 1, this embodiment of the invention provides a method for implementing an NG firewall; content identical to Embodiment 1 is not described again.
Fig. 3 is a schematic flowchart of a method for implementing an NG firewall according to an embodiment of the invention. As shown in Fig. 3, the method includes:
Step 301: when an application is started in a terminal device configured with the NG firewall client, the NG firewall client sends a request message to the NG firewall server, where the request message requests the security information of the application.
In this embodiment, the request message may include identifying information of the application, such as an application identifier or an application type; the identifying information of the application is used by the NG firewall server to determine the security information of the application. However, the embodiment is not limited to this; the specific implementation may be determined according to actual needs.
Step 302: the NG firewall client receives, from the NG firewall server, a response message containing the security information of the application.
Step 303: the NG firewall client processes the data of the application by using the security information of the application.
As shown in Fig. 3, the method may further include:
Step 304: when the application is closed in the terminal device, the NG firewall client removes the security information of the application.
In this embodiment, once the smartphone terminates or closes the application (such as Skype), the security information of the application (for example, all installed and downloaded data, the application access list and the signature) is cleared.
Fig. 4 is another schematic flowchart of a method for implementing an NG firewall according to an embodiment of the invention. The terminal device is configured with the NG-FW client. As shown in Fig. 4, the method may include:
Step 401: enable the NG firewall function in the terminal device.
Step 402: configure the IP address and port number of the NG firewall server in the terminal device.
In this step, the terminal device can generate the request message based on the IP address and port number of the NG firewall server.
Step 403: when an application is started in the terminal device, the terminal device sends a request message to the NG firewall server, where the request message requests the security information of the application and includes the identifying information of the application.
Step 404: after receiving the request message, the NG firewall server determines the security information of the application according to the identifying information of the application included in the request message.
In this embodiment, the NG-FW server may send a response message to the terminal device; the security information of the application is included in the response message.
In addition, one or more timer values for retaining part or all of the security information of the application may be included in the response message.
For example, the response message may carry one timer value for all the security information of the application; or one timer value for the message signature information of the application, another timer value for the access control list information of the application, and another timer value for the malformed attack information of the application. However, the embodiment is not limited to this; the specific implementation may be determined according to actual needs.
Step 405: the NG firewall client receives, from the NG firewall server, the response message containing the security information of the application.
Step 406: the NG firewall client processes the data of the application by using the security information of the application.
In this embodiment, when one or more timers corresponding to the one or more timer values for part of the security information of the application expire, the terminal device may request that part of the security information of the application again.
Alternatively, when one or more timers corresponding to the one or more timer values for all the security information of the application expire, the terminal device may request all the security information of the application again.
For example, if the response message carries a timer value A for all the security information of the application, then when the timer corresponding to timer value A expires, the terminal device may request all the security information of the application again.
As another example, if the response message carries three timer values, timer value B for the message signature information of the application, timer value C for the access control list information of the application and timer value D for the malformed attack information of the application, then when the timer corresponding to timer value B expires, the terminal device may request the message signature information of the application again; or when the timer corresponding to timer value C expires, the terminal device may request the access control list information of the application again; or when the timer corresponding to timer value D expires, the terminal device may request the malformed attack information of the application again.
As shown in Fig. 4, the method may further include:
Step 407: when the application is closed in the terminal device, the terminal device removes the security information of the application.
In this step, the terminal device may also remove the security information of the application based on a timer: the terminal device removes the security information of the application when the timer expires.
For example, when one or more timers corresponding to the one or more timer values for part of the security information of the application expire, the terminal device may remove that part of the security information of the application. Or, when one or more timers corresponding to the one or more timer values for all the security information of the application expire, the terminal device may remove all the security information of the application.
In step 401, the NG-FW client (which has the NG firewall function) is enabled on the terminal device. The end user may be allowed to choose, for each application, whether to enable NG-FW attack prevention for that application. By default, downloading from the NG-FW server is not allowed for any application.
In step 402, NG firewall server information, such as the port number and IP address of the NG firewall server, may be configured in the terminal device by the user. In addition, the timer values for retaining the security information of the application may be configured in the terminal device by the user.
In this embodiment, the security information of the application may include any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application.
Different timer values may be used for retaining any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application.
Or, the same timer value may be used for retaining any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application.
In this embodiment, processing the data of the application by using the security information of the application may include: processing the data of the application by using the message signature information of the application, or by using the access control list information of the application, or by using the malformed attack information of the application, or by using the stateful firewall library information of the application, or by using the message rate-limiting policy information of the application.
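How an NG-FW client could apply each of the five kinds of security information to an application's received and transmitted messages (step 406), as an added Python example that is not part of the patent. The message fields, the HMAC-based message signature, the rule shapes, the flow-tracking rule and the sliding-window rate limit are assumptions made for illustration, since the patent does not specify them.

```python
"""Added example (not from the patent): applying an application's security
information to its messages. Field names and rule shapes are assumptions."""
import hmac
import time
from collections import deque

# Constructed security information for one application (shape assumed here).
SEC_INFO = {
    "signature": {"key": b"constructed-app-key", "algo": "sha256"},
    "acl": [
        {"dir": "egress", "proto": "tcp", "remote_port": 443, "action": "allow"},
        {"dir": "ingress", "proto": "tcp", "remote_port": 443, "action": "allow"},
        {"dir": "any", "action": "deny"},          # default deny
    ],
    "malformed_attack": {"max_len": 1500, "forbid_zero_len": True},
    "stateful_fw": {"track": ("tcp",)},          # protocols tracked per flow
    "rate_limit": {"pps": 3, "window_s": 1.0},   # messages allowed per window
}


class AppFirewall:
    """Per-application enforcement point built from the downloaded security info."""

    def __init__(self, info, clock=time.monotonic):
        self.info = info
        self.clock = clock
        self.flows = set()         # flows opened by the application (stateful library)
        self.timestamps = deque()  # times of recently passed messages (rate limit)

    def _signature_ok(self, msg):
        # Assumed: every message carries an HMAC tag over its payload.
        sig = self.info["signature"]
        expected = hmac.new(sig["key"], msg["payload"], sig["algo"]).hexdigest()
        return hmac.compare_digest(expected, msg.get("sig", ""))

    def _acl_action(self, msg):
        # First matching rule wins; no match means deny.
        for rule in self.info["acl"]:
            if rule["dir"] not in ("any", msg["dir"]):
                continue
            if rule.get("proto", msg["proto"]) != msg["proto"]:
                continue
            if rule.get("remote_port", msg["remote_port"]) != msg["remote_port"]:
                continue
            return rule["action"]
        return "deny"

    def _malformed(self, msg):
        m = self.info["malformed_attack"]
        n = len(msg["payload"])
        return n > m["max_len"] or (m["forbid_zero_len"] and n == 0)

    def _stateful_ok(self, msg):
        # Ingress on a tracked protocol is accepted only for a flow the app opened.
        if msg["proto"] not in self.info["stateful_fw"]["track"]:
            return True
        flow = (msg["proto"], msg["peer"], msg["remote_port"], msg["local_port"])
        if msg["dir"] == "egress":
            self.flows.add(flow)
            return True
        return flow in self.flows

    def _within_rate(self):
        rl = self.info["rate_limit"]
        now = self.clock()
        while self.timestamps and now - self.timestamps[0] > rl["window_s"]:
            self.timestamps.popleft()
        if len(self.timestamps) >= rl["pps"]:
            return False
        self.timestamps.append(now)
        return True

    def process(self, msg):
        """Return ("pass", None) or ("drop", reason) for one message."""
        if self._malformed(msg):
            return ("drop", "malformed")
        if not self._signature_ok(msg):
            return ("drop", "bad_signature")
        if self._acl_action(msg) != "allow":
            return ("drop", "acl")
        if not self._stateful_ok(msg):
            return ("drop", "no_state")
        if not self._within_rate():
            return ("drop", "rate_limit")
        return ("pass", None)


def sign(payload, key=SEC_INFO["signature"]["key"]):
    """Produce the assumed HMAC tag for a payload."""
    return hmac.new(key, payload, "sha256").hexdigest()


def make_msg(direction, payload, signed=True, **fields):
    """Build a constructed sample message; keyword fields override the defaults."""
    msg = {"dir": direction, "proto": "tcp", "peer": "203.0.113.10",
           "local_port": 51000, "remote_port": 443, "payload": payload}
    msg.update(fields)
    msg["sig"] = sign(payload) if signed else "0" * 64
    return msg
```

Checks that drop a message are ordered so that a rejected message never consumes rate-limit budget.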
Fig. 5 is a schematic flowchart of step 402 according to an embodiment of the invention. As shown in Fig. 5, the terminal device determines whether there is any change in the existing policy; for example, it determines whether the security configuration is the default configuration (step 501).
When the configuration is not the default configuration, the port number and IP address are configured in the terminal device (step 502). In addition, the timer for retaining the security information of the application may be configured.
In step 403, for example, the user of the terminal device starts an application such as "Skype" for social activities. An event is sent to the NG-FW client running on the terminal device. The terminal device generates a request message to request the security information of the application. The request message may be based on any transport mechanism.
In implementation, the security information of the application may include: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application, message rate-limiting policy information of the application, and so on.
Fig. 6 is a schematic flowchart of step 403 according to an embodiment of the invention. As shown in Fig. 6, the terminal device may determine whether the security information is the default configuration (step 601). When the configuration is not the default configuration, the terminal device may trigger an event (step 602), for example by sending a message to the NG-FW client configured in the terminal device.
Subsequently, the terminal device may determine whether the NG-FW database has exited the application (step 603). When the NG-FW database has not exited the application, the terminal device sends a request message requesting the security information of the application (step 604).
As shown in Fig. 6, the terminal device may determine whether a timeout has occurred or whether an acknowledgement message has been received (step 605); if not, the terminal device continues to download the security information of the application and updates the existing policy (step 606). Subsequently, the existing application policy and security mechanism (that is, the attack prevention mechanism) are used (step 607).
In step 403, the request message may be generated using UDP (User Datagram Protocol) as the transport protocol. The format of the request message is as follows.
In step 405, the NG firewall server sends the security information of the application, for example all attack prevention policies, the NG-FW application and the signature.
Fig. 7 is a schematic flowchart of step 405 according to an embodiment of the invention. As shown in Fig. 7, the NG firewall server receives a request message from the terminal device (step 701). Subsequently, the NG firewall server may determine whether to authenticate the terminal device (step 702).
As shown in Fig. 7, when the terminal device is authenticated as a valid user, the NG firewall server determines the security information of the application (step 703), such as the latest attack prevention policies and libraries. Subsequently, the NG firewall server may determine whether the NG-FW database has exited the application (step 704). When the NG-FW database has not exited the application, the NG firewall server sends the security information of the application (for example, application-specific attack prevention and the updated existing policy) to the terminal device (step 705). Subsequently, the NG firewall server may send an acknowledgement message (step 706).
In step 405, the response message containing the security information of the application may be generated using UDP as the transport protocol. The format of the response message is as follows.
In step 406, the terminal device downloads the NG-FW application and installs the application access list and signature in the data plane. Any message received by or transmitted from the application on the terminal device is processed using the security information of the application.
Fig. 8 is a schematic flowchart of step 406 according to an embodiment of the invention. As shown in Fig. 8, the terminal device receives the security information of the application, such as application-specific attack prevention, from the NG-FW server (step 801). Subsequently, the terminal device determines whether to authenticate the NG firewall server (step 802). When the NG firewall server is authenticated, the terminal device downloads all the security information of the application, such as all attack prevention mechanisms.
In step 407, once the user of the terminal device terminates or closes the application (such as Skype), the security information of the application is cleared (including all installed and downloaded application access lists and signatures).
Fig. 9 is a schematic flowchart of step 407 according to an embodiment of the invention. As shown in Fig. 9, the terminal device may further determine whether it has timed out (step 901); when it has timed out, the terminal device sends a message to remove the downloaded data (step 902).
As can be seen from the above embodiment: when an application is started in a terminal device configured with the NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, embodiments of the invention can load attack prevention dynamically, so that the software footprint required on the terminal device is reduced and the performance of applications installed on the terminal device is improved.
In addition, the terminal device is protected against new attacks from new applications or services. Because the amount of attack prevention depends directly on the number of applications the user is using, signaling messages are reduced, which helps extend the battery life of the mobile terminal.
Embodiment 3
This embodiment of the invention provides a method for implementing an NG firewall, applied in the NG firewall server. This embodiment corresponds to Embodiment 1 or 2 above, and identical content is not described again.
Figure 10 is a schematic flowchart of a method for implementing an NG firewall according to an embodiment of the invention. As shown in Figure 10, the method includes:
Step 1001: the NG firewall server receives a request message from the terminal device, where the request message requests the security information of an application; the security information of the application represents the security protection information for the application started in the terminal device.
Step 1002: the NG firewall server determines the security information of the application according to the request message.
Step 1003: the NG firewall server sends a response message containing the security information of the application to the terminal device.
In this embodiment, the security information of the application includes: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application. However, the embodiment is not limited to this; the specific implementation may be determined according to actual needs.
Figure 11 is another schematic flowchart of a method for implementing an NG firewall according to an embodiment of the invention. As shown in Figure 11, the method includes:
Step 1101: the NG firewall server receives a request message from the terminal device, where the request message requests the security information of an application; the security information of the application represents the security protection information for the application started in the terminal device.
Step 1103: the NG firewall server determines the security information of the application according to the request message.
In this embodiment, determining the security information of the application according to the request message may include: obtaining the security information of the application from a database according to the identifying information of the application included in the request message.
For example, the database storing the security information of the application may be configured in the NG-FW server; in other words, the database is a local database of the NG-FW server. In another example, the database storing the security information of the application may be configured separately, and the NG-FW server accesses it through a communication interface. However, the embodiment is not limited to this.
Step 1104: the NG firewall server sends a response message containing the security information of the application to the terminal device.
As shown in Figure 11, the method may further include:
Step 1102: the NG firewall server verifies whether the request message is valid. When the request message is valid, the step of sending the response message containing the security information of the application to the terminal device is performed.
In this embodiment, one or more timer values for retaining part or all of the security information of the application may be included in the response message.
The method may further include: determining one or more timer values for retaining part or all of the security information of the application. Sending the response message containing the security information of the application to the terminal device (step 1104) may then include: sending, to the terminal device, the response message containing the security information of the application together with the one or more timer values for retaining part or all of the security information of the application.
Note that in the above network environment, the security information of the application sent back by the NG-FW server may differ for different applications on the terminal device. Alternatively, the NG-FW server may send back different security information for different request messages from the terminal device. However, the embodiment is not limited to this; the specific implementation may be determined according to actual needs.
As can be seen from the above embodiment: when an application is started in a terminal device configured with the NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, embodiments of the invention can load attack prevention dynamically, so that the software footprint required on the terminal device is reduced and the performance of applications installed on the terminal device is improved.
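The request/response exchange, per-part timer values, re-request on expiry and clean-up on close described in Embodiments 2 and 3, modelled end to end as an added Python example that is not the patent's own code. The message layout, the direct function call standing in for the UDP exchange, the shared token used for request validation, the in-memory database and the combined expiry policy (re-request first, remove if the refresh fails) are assumptions made for illustration.

```python
"""Added example (not from the patent): NG-FW client and server exchange with
timer-based retention. Message fields and the token check are assumptions."""
import json
import time

# Security-information parts named in the patent; the value shapes are assumed.
PARTS = ("signature", "acl", "malformed_attack", "stateful_fw", "rate_limit")

# Constructed sample NG-FW database: application identifier -> security info
# plus one timer value (seconds) per part, i.e. the "different timer values" option.
NGFW_DB = {
    "skype": {
        "info": {
            "signature": "sha256:constructed-skype-sig",
            "acl": [{"dir": "egress", "remote_port": 443, "action": "allow"},
                    {"dir": "any", "action": "deny"}],
            "malformed_attack": ["oversized-header", "truncated-payload"],
            "stateful_fw": {"track": ["tcp", "udp"]},
            "rate_limit": {"pps": 200},
        },
        "timers": {"signature": 3600, "acl": 600, "malformed_attack": 300,
                   "stateful_fw": 600, "rate_limit": 60},
    }
}


class NgfwServer:
    """Server side (Embodiment 3): validate the request, look up, attach timers."""

    def __init__(self, db, shared_token):
        self.db = db
        self.shared_token = shared_token  # assumed request-validation secret (step 1102)

    def handle(self, raw):
        req = json.loads(raw)
        # Step 1102: reject malformed requests and requests without the expected token.
        if req.get("type") != "sec_info_req" or req.get("token") != self.shared_token:
            return json.dumps({"type": "sec_info_rsp", "status": "invalid"})
        entry = self.db.get(req.get("app_id"))  # step 1103: determine security info
        if entry is None:
            return json.dumps({"type": "sec_info_rsp", "status": "unknown_app"})
        # Step 1104: the response carries the security info and per-part timer values.
        return json.dumps({"type": "sec_info_rsp", "status": "ok",
                           "app_id": req["app_id"],
                           "info": entry["info"], "timers": entry["timers"]})


class NgfwClient:
    """Client side (Embodiment 2): request on start, refresh on expiry, clear on close."""

    def __init__(self, server, shared_token, clock=time.monotonic):
        self.server = server
        self.shared_token = shared_token
        self.clock = clock
        self.cache = {}  # app_id -> {"info": {part: value}, "expires": {part: deadline}}

    def _request(self, app_id, parts):
        raw = json.dumps({"type": "sec_info_req", "app_id": app_id,
                          "parts": list(parts), "token": self.shared_token})
        rsp = json.loads(self.server.handle(raw))  # stands in for the UDP round trip
        if rsp.get("status") != "ok":
            return False
        slot = self.cache.setdefault(app_id, {"info": {}, "expires": {}})
        now = self.clock()
        for part in parts:  # steps 302/303: install the requested parts with their timers
            slot["info"][part] = rsp["info"][part]
            slot["expires"][part] = now + rsp["timers"][part]
        return True

    def app_started(self, app_id):
        """Step 301: application start triggers a request for all parts."""
        return self._request(app_id, PARTS)

    def app_closed(self, app_id):
        """Steps 304/407: closing the application clears its security information."""
        self.cache.pop(app_id, None)

    def tick(self):
        """Timer handling: re-request expired parts; drop any part that cannot be refreshed."""
        now = self.clock()
        for app_id, slot in list(self.cache.items()):
            expired = [p for p, t in slot["expires"].items() if t <= now]
            if expired and not self._request(app_id, expired):
                for p in expired:  # step 407 variant: remove the part on expiry
                    slot["info"].pop(p, None)
                    slot["expires"].pop(p, None)
        return self.cache

    def security_info(self, app_id):
        """Security information currently installed for an application ({} if none)."""
        return self.cache.get(app_id, {}).get("info", {})
```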
Embodiment 4
This embodiment of the invention further provides an NG firewall client configured in a terminal device. This embodiment corresponds to the method of Embodiment 1 above, and identical content is not described again.
Figure 12 is a schematic structural diagram of an NG firewall client according to an embodiment of the invention. As shown in Figure 12, the NG firewall client 1200 includes: a sending unit 1201, a receiving unit 1202 and a processing unit 1203. Other components of the NG firewall client may refer to the prior art and are not described in this invention. However, the embodiment is not limited to this; the specific implementation may be determined according to actual needs.
The sending unit 1201 is configured to send a request message requesting the security information of an application when the application is started in the terminal device configured with the NG firewall client; the receiving unit 1202 is configured to receive a response message containing the security information of the application; the processing unit 1203 is configured to process the data of the application by using the security information of the application.
In this embodiment, the sending unit 1201 may be specifically configured to send, to the NG firewall server, a request message requesting the security information of the application when the application is started in the terminal device configured with the NG firewall client; the request message includes the identifying information of the application, which is used by the NG firewall server to determine the security information of the application.
As can be seen from the above embodiment: when an application is started in a terminal device configured with the NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, embodiments of the invention can load attack prevention dynamically, so that the software footprint required on the terminal device is reduced and the performance of applications installed on the terminal device is improved.
Embodiment 5
This embodiment of the invention further provides an NG firewall client configured in a terminal device. This embodiment corresponds to the method of Embodiment 2 above, and identical content is not described again.
Figure 13 is a schematic structural diagram of an NG firewall client according to an embodiment of the invention. As shown in Figure 13, the NG firewall client 1300 includes: a sending unit 1201, a receiving unit 1202 and a processing unit 1203, as described in Embodiment 4 above.
As shown in Figure 13, the NG firewall client 1300 may further include a clearing unit 1304. The clearing unit 1304 is configured to remove the security information of the application when the application is closed in the terminal device.
As shown in Figure 13, the NG firewall client 1300 may further include: an enabling unit 1305, a configuring unit 1306 and a generating unit 1307. The enabling unit 1305 is configured to enable the NG firewall function; the configuring unit 1306 is configured to configure the IP address and port number of the NG firewall server; the generating unit 1307 is configured to generate the request message.
In this embodiment, the response message may further include one or more timer values for retaining part or all of the security information of the application; and the sending unit is further configured to request that part of the security information of the application again when one or more timers corresponding to the one or more timer values for part of the security information of the application expire, or to request all the security information of the application again when one or more timers corresponding to the one or more timer values for all the security information of the application expire.
In this embodiment, the clearing unit may be further configured to remove that part of the security information of the application when one or more timers corresponding to the one or more timer values for part of the security information of the application expire, or to remove all the security information of the application when one or more timers corresponding to the one or more timer values for all the security information of the application expire.
In this embodiment, the security information of the application may include any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application.
The processing unit 1203 may be specifically configured to process the data of the application by using the message signature information of the application, or the access control list information of the application, or the malformed attack information of the application, or the stateful firewall library information of the application, or the message rate-limiting policy information of the application.
As can be seen from the above embodiment: when an application is started in a terminal device configured with the NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, embodiments of the invention can load attack prevention dynamically, so that the software footprint required on the terminal device is reduced and the performance of applications installed on the terminal device is improved.
In addition, the terminal device is protected against new attacks from new applications or services. Because the amount of attack prevention depends directly on the number of applications the user is using, signaling messages are reduced, which helps extend the battery life of the mobile terminal.
Embodiment 6
This embodiment of the invention further provides an NG firewall server. This embodiment corresponds to the method of Embodiment 3 above, and identical content is not described again.
Figure 14 is a schematic structural diagram of an NG firewall server according to an embodiment of the invention. As shown in Figure 14, the NG firewall server 1400 includes: a receiving unit 1401, a first determining unit 1402 and a sending unit 1403. Other components of the NG firewall server may refer to the prior art and are not described in this invention. However, the embodiment is not limited to this; the specific implementation may be determined according to actual needs.
The receiving unit 1401 is configured to receive, from the terminal device, a request message requesting the security information of an application; the first determining unit 1402 is configured to determine the security information of the application according to the request message; the sending unit 1403 is configured to send a response message containing the security information of the application to the terminal device.
Figure 15 is another schematic diagram of an NG firewall server according to an embodiment of the invention. As shown in Figure 15, the NG firewall server 1500 includes: a receiving unit 1401, a first determining unit 1402 and a sending unit 1403, as described in the above embodiment.
In this embodiment, the request message may include identifying information of the application, and the first determining unit 1402 is specifically configured to obtain the security information of the application from a database according to the identifying information of the application included in the request message.
As shown in Figure 15, the NG firewall server 1500 may further include a verifying unit 1503, configured to verify whether the request message is valid. The sending unit 1403 is specifically configured to send the response message containing the security information of the application to the terminal device when the request message is valid.
In this embodiment, the NG firewall server 1500 may further include a second determining unit 1504, configured to determine one or more timer values for retaining part or all of the security information of the application.
The sending unit 1403 is specifically configured to send, to the terminal device, the response message containing the security information of the application together with the one or more timer values for retaining part or all of the security information of the application.
In this embodiment, the security information of the application may include any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application.
As can be seen from the above embodiment: when an application is started in a terminal device configured with the NG firewall client, the NG firewall client requests the security information of the application from the NG firewall server. Therefore, embodiments of the invention can load attack prevention dynamically, so that the software footprint required on the terminal device is reduced and the performance of applications installed on the terminal device is improved.
In addition, the terminal device is protected against new attacks from new applications or services. Because the amount of attack prevention depends directly on the number of applications the user is using, signaling messages are reduced, which helps extend the battery life of the mobile terminal.
Embodiment 7
This embodiment of the invention further provides a terminal device configured with the NG-FW client. This embodiment corresponds to the methods of Embodiments 1 and 2 above, and identical content is not described again.
In this embodiment, the terminal device includes a processor and a memory coupled to the processor.
Figure 16 is a schematic structural diagram of a terminal device according to an embodiment of the invention. As shown in Figure 16, there is a processor 41 and a memory 42 coupled to the processor 41.
The memory 42 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operating instructions.
The processor 41 is configured to: when an application is started in the terminal device, send a request message requesting the security information of the application to the NG firewall server; receive, from the NG firewall server, a response message containing the security information of the application; and process the data of the application by using the security information of the application.
The memory 42 may include high-speed RAM and non-volatile memory. The processor 41 may be a central processing unit (CPU), or an application-specific integrated circuit (ASIC), or one or more ASICs.
According to the above terminal device, the request message includes identifying information of the application, which is used by the NG firewall server to determine the security information of the application.
According to the above terminal device, the processor 41 is further configured to remove the security information of the application when the application is closed in the terminal device.
According to the above terminal device, the response message further includes one or more timer values for retaining part or all of the security information of the application.
The processor 41 is further configured to request that part of the security information of the application again when one or more timers corresponding to the one or more timer values for part of the security information of the application expire, or to request all the security information of the application again when one or more timers corresponding to the one or more timer values for all the security information of the application expire.
According to the above terminal device, the processor 41 is further configured to remove that part of the security information of the application when one or more timers corresponding to the one or more timer values for part of the security information of the application expire, or to remove all the security information of the application when one or more timers corresponding to the one or more timer values for all the security information of the application expire.
According to the above terminal device, the security information of the application includes any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application.
According to the above terminal device, different timer values may be used for retaining any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application; or the same timer value may be used for retaining any one or a combination of the following: message signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and message rate-limiting policy information of the application.
According to the above terminal device, in the step of processing the data of the application by using the security information of the application, the processor 41 is further configured to: process the data of the application by using the message signature information of the application, or the access control list information of the application, or the malformed attack information of the application, or the stateful firewall library information of the application, or the message rate-limiting policy information of the application.
In addition, as shown in figure 16, also communication interface 43 can be there is, for completing the communication between terminal equipment and NG SOCKS server or other equipment.
As shown in figure 16, terminal equipment also can comprise disk 44, for storing the status of processes information of program to be tested and program to be tested.
Or in certain embodiments, if memory 42, processor 41, communication interface 43 and disk 44 can be implemented separately, then memory 42, processor 41, communication interface 43 and disk 44 can be communicated to connect by BUS.BUS can be industrial standard architectures (ISA) BUS, Peripheral Component Interconnect (PCI) BUS or Extended Industry Standard Architecture (EISA) BUS etc.BUS can be divided into address BUS, data BUS and control BUS etc.For the ease of representing, BUS is only represented by single thick wire, but does not mean that this only exists an a BUS or class BUS.
Or in certain embodiments, if memory 42, processor 41, communication interface 43 and disk 44 can be integrated in one single chip, then memory 42, processor 41, communication interface 43 and disk 44 can be communicated to connect by internal interface.
The beneficial effect of embodiments of the invention is: when be applied in be activated in terminal equipment time, the security information that terminal equipment is applied to the request of NG SOCKS server.Therefore, embodiments of the invention can realize dynamic load attack-defending, thus the software footprint needed for terminal equipment can reduce, and the performance of installing application on the terminal device can be improved.
In addition, terminal equipment will be protected, and exempt from the new attack from new opplication or service.Quantity due to attack-defending directly depends on the quantity of the application that user is using, so signaling message will reduce, contributes to the battery life extending mobile terminal like this.
Present invention also offers a kind of non-transitory computer-readable storage medium, comprise computer program code, when computer processor performs computer program code, causing computer processor to perform the method for implementing NG fire compartment wall according to embodiments of the invention.
By above-described embodiment, those skilled in the art clearly can understand that the present invention can be implemented by software and necessary common hardware.Specifically, the present invention also can only by hardware implementation.But the former is preferred Implementation Modes.According to such understanding, the essence of the technical solution of the present invention or form of software product can be adopted to implement to the portion of techniques solution of the present invention that prior art contributes.Computer software product is stored in readable storage medium storing program for executing, such as, in computer format floppy, hard disk or CD, and comprise multiple computer equipment (it can be personal computer, server or the network equipment) that makes and perform the method described in embodiments of the invention.
Embodiment 8
This embodiment of the present invention provides an NG-FW server. This embodiment corresponds to the method of Embodiment 3 above, and content identical to that embodiment is not described again.
In this embodiment, the NG-FW server comprises a processor and a memory coupled to the processor.
Figure 17 is a schematic structural diagram of an NG-FW server according to an embodiment of the present invention. As shown in Figure 17, there is a processor 51 and a memory 52 coupled to the processor 51.
The memory 52 is used for storing a program. Specifically, the program may comprise program code, and the program code comprises computer operation instructions.
The processor 51 is used for: receiving from a terminal device a request message for requesting the security information of an application, where the security information of the application represents information for the security protection of the application launched on the terminal device; determining the security information of the application according to the request message; and sending a response message comprising the security information of the application to the terminal device.
The memory 52 may comprise a high-speed RAM and a non-volatile memory. The processor 51 may be a central processing unit (CPU), or an application-specific integrated circuit (ASIC), or may be one or more ASICs.
According to the NG-FW server above, the request message comprises identifying information of the application; in the step of determining the security information of the application according to the request message, the processor 51 is further used for: obtaining the security information of the application from a database according to the identifying information of the application comprised in the request message.
According to the NG-FW server above, the processor 51 is further used for: authenticating whether the request message is valid; and when the request message is valid, performing the process of sending the response message comprising the security information of the application to the terminal device.
According to the NG-FW server above, the processor 51 is further used for: determining one or more timer values for retaining part or all of the security information of the application; and in the step of sending the response message, the processor 51 is further used for: sending to the terminal device the response message comprising the security information of the application together with the one or more timer values for retaining part or all of the security information of the application.
According to the NG-FW server above, the security information of the application comprises any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.
In addition, as shown in Figure 17, a communication interface 53 may also be present, for carrying out communication between the NG-FW server and the terminal device or other devices.
As shown in Figure 17, the NG-FW server may further comprise a disk 54, for storing a program to be tested and process state information of the program to be tested.
Alternatively, in some embodiments, if the memory 52, the processor 51, the communication interface 53 and the disk 54 are implemented separately, the memory 52, the processor 51, the communication interface 53 and the disk 54 may be communicatively connected by a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, the bus is drawn as a single thick line only, but this does not mean that there is only one bus or one type of bus.
Alternatively, in some embodiments, if the memory 52, the processor 51, the communication interface 53 and the disk 54 are integrated in a single chip, the memory 52, the processor 51, the communication interface 53 and the disk 54 may be communicatively connected by an internal interface.
The beneficial effect of the embodiments of the present invention is that when an application is launched on the terminal device, the terminal device requests the security information of the application from the NG firewall server. Therefore, the embodiments of the present invention can achieve dynamically loaded attack defense, so that the software footprint required on the terminal device can be reduced, and the performance of the applications installed on the terminal device can be improved.
In addition, the terminal device is protected against new attacks arising from new applications or services. Because the amount of attack defense depends directly on the number of applications the user is using, signaling messages are reduced, which helps extend the battery life of a mobile terminal.
The present invention also provides a non-transitory computer-readable storage medium comprising computer program code which, when executed by a computer processor, causes the computer processor to perform the method for implementing an NG firewall according to the embodiments of the present invention.
Embodiment 9
This embodiment of the present invention provides a system for implementing an NG firewall. This embodiment corresponds to Embodiments 7 and 8 above, and content identical to those embodiments is not described again.
In this embodiment, the system for implementing an NG firewall comprises one or more terminal devices as described in Embodiment 7 and an NG firewall server as described in Embodiment 8.
Figure 18 is a schematic structural diagram of a system for implementing an NG firewall according to an embodiment of the present invention. As shown in Figure 18, the system 1800 for implementing an NG firewall comprises at least one terminal device 1801 configured with an NG-FW client 1802, and an NG-FW server 1803.
The beneficial effect of the embodiments of the present invention is that when an application is launched on the terminal device, the terminal device requests the security information of the application from the NG firewall server. Therefore, the embodiments of the present invention can achieve dynamically loaded attack defense, so that the software footprint required on the terminal device can be reduced, and the performance of the applications installed on the terminal device can be improved.
In addition, the terminal device is protected against new attacks arising from new applications or services. Because the amount of attack defense depends directly on the number of applications the user is using, signaling messages are reduced, which helps extend the battery life of a mobile terminal.
From the embodiments above, a person skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware. Specifically, the present invention may also be implemented by hardware only, but the former is the preferred implementation. Based on this understanding, the essence of the technical solution of the present invention, or the part of the technical solution that contributes over the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a floppy disk, a hard disk or an optical disc of a computer, and comprises instructions that cause a computer device (which may be a personal computer, a server or a network device) to perform the methods described in the embodiments of the present invention.
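The following is an added example, not code from the patent or from Huawei: a constructed Python model of the client/server exchange in Embodiments 7 to 9 (request on launch, validity check on the server, per-category timer values, re-request of only the expired portion, clearing on close, and policy application to application data). The message fields, category names, the `build_demo` database and all timer values are assumptions made for this illustration.

```python
# Added example (not the patent's own code): a constructed model of the NG-FW
# client/server exchange of embodiments 7-9. Names and values are assumptions.
from dataclasses import dataclass

# The five kinds of security information the patent enumerates (assumed key names).
CATEGORIES = ("packet_signature", "acl", "malformed_packet", "stateful_fw", "rate_limit")


@dataclass
class CachedItem:
    data: dict
    expires_at: float  # clock value at which this item's timer expires


class FakeClock:
    """Deterministic clock so timer expiry can be driven explicitly."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


class NGFWServer:
    """Embodiment 8: serves per-application security information from a database."""
    def __init__(self, database, timers, known_clients):
        self.database = database      # app_id -> {category: info}
        self.timers = timers          # category -> seconds a client may keep it
        self.known_clients = known_clients

    def validate(self, request):
        # Claim 11: only valid requests are served. Validity here means a
        # registered client, a known application id and recognised categories.
        return (request.get("client_id") in self.known_clients
                and request.get("app_id") in self.database
                and set(request.get("categories", CATEGORIES)) <= set(CATEGORIES))

    def handle(self, request):
        if not self.validate(request):
            return {"status": "rejected"}
        info = self.database[request["app_id"]]
        wanted = [c for c in request.get("categories", CATEGORIES) if c in info]
        # Claim 12: each part of the security information carries its own timer value.
        return {"status": "ok",
                "security_info": {c: info[c] for c in wanted},
                "timers": {c: self.timers[c] for c in wanted}}


class NGFWClient:
    """Embodiment 7: pulls security information on app launch and caches it."""
    def __init__(self, client_id, server, clock):
        self.client_id, self.server, self.clock = client_id, server, clock
        self.cache = {}  # app_id -> {category: CachedItem}

    def _fetch(self, app_id, categories):
        resp = self.server.handle({"client_id": self.client_id, "app_id": app_id,
                                   "categories": list(categories)})
        if resp["status"] != "ok":
            return False
        entry = self.cache.setdefault(app_id, {})
        for c, data in resp["security_info"].items():
            entry[c] = CachedItem(data, self.clock() + resp["timers"][c])
        return True

    def app_started(self, app_id):
        return self._fetch(app_id, CATEGORIES)   # requested only at launch

    def app_closed(self, app_id):
        self.cache.pop(app_id, None)             # claim 3: clear on close

    def refresh_expired(self, app_id):
        # Claim 4: re-request only the portion whose timer has expired.
        now = self.clock()
        expired = [c for c, it in self.cache.get(app_id, {}).items() if it.expires_at <= now]
        if expired:
            self._fetch(app_id, expired)
        return expired

    def process_packet(self, app_id, packet):
        # Claim 8: apply the cached ACL and malformed-packet rules to app data.
        entry = self.cache.get(app_id)
        if entry is None:
            return "no_policy"
        if packet["peer"] in entry["acl"].data["blacklist"]:
            return "drop_acl"
        if len(packet["payload"]) > entry["malformed_packet"].data["max_len"]:
            return "drop_malformed"
        return "allow"


def build_demo():
    """Constructed database, timers and one registered client (values are made up)."""
    database = {"chat": {"packet_signature": {"algo": "hmac-sha256"},
                         "acl": {"blacklist": ["10.0.0.9"]},
                         "malformed_packet": {"max_len": 1500},
                         "stateful_fw": {"track": "tcp"}, "rate_limit": {"pps": 100}}}
    timers = {"packet_signature": 60, "acl": 30, "malformed_packet": 60,
              "stateful_fw": 60, "rate_limit": 10}
    clock = FakeClock()
    server = NGFWServer(database, timers, known_clients={"phone-1"})
    return server, NGFWClient("phone-1", server, clock), clock
```

Driving `clock.advance()` past the shortest timer shows that only that category is re-requested, which is the signaling saving the patent claims over re-fetching everything.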
As can be seen from the embodiments above, the beneficial effects and advantages achievable by the embodiments are:
(1) the footprint of the NG firewall software on the terminal device (such as a smartphone or other terminal device) is reduced;
(2) if an application is rarely used, the NG firewall does not need to respond with limiting messages, so the terminal need not process them, which can extend battery life;
(3) the size of the application-specific access lists (such as whitelists or blacklists) is reduced, which can achieve better performance;
(4) when a mission-critical application starts, use of the NG firewall service on the terminal device (such as a smartphone) is enforced;
(5) key messages are controlled by using other interfaces (for example, Bluetooth, USB ports, etc.);
(6) when an application runs, security is applied to the data and to application access control.
It should be understood that the various parts of the present invention may be implemented by hardware, software, firmware or a combination thereof. In the embodiments above, multiple steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented by hardware, as in another embodiment, they may be implemented by any one of the following technologies known in the art or a combination thereof: discrete logic circuits having logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gate circuits, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
Any process or method described in a flowchart, in a block, or otherwise herein should be understood as representing one or more modules, segments or portions of code of executable instructions for implementing specific logic functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other embodiments in which these functions may be performed in an order different from that shown or described, including substantially concurrently or in reverse order depending on the functions involved, as those skilled in the relevant art of the present invention will understand.
For example, the logic and/or steps illustrated in a flowchart or otherwise described herein should be construed as a sequence list of executable instructions for implementing logic functions, which may be embodied in any computer-readable medium for use by an instruction execution system, apparatus or device (such as a computer-based system, a system comprising a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them), or in combination with the instruction execution system, apparatus or device.
The text description and accompanying drawings above show various features of the present invention. It should be understood that those skilled in the art can prepare suitable computer code to perform each of the steps and processes described above and shown in the drawings. It should also be understood that all terminals, computers, servers and networks may be of any type, and that computer code can be prepared according to the present invention to implement the present invention by using the relevant devices.
Specific embodiments of the present invention have been disclosed herein. Those skilled in the art will readily recognize that the present invention can be applied in other environments; in fact, there are many embodiments and implementations. The appended claims are not intended to limit the scope of the present invention to the specific embodiments described above. In addition, any reference to "a device for ..." is intended to describe an element and claim in terms of means-plus-function, and any element not referred to as "a device for ..." is not intended to be interpreted as a means-plus-function element, even if the claim includes the word "device".
Although the present invention has been shown and described with reference to a specific embodiment, equivalent modifications and variations will clearly occur to those skilled in the art upon reading and understanding the foregoing description and accompanying drawings. In particular, with regard to the various functions performed by the elements described above (parts, components, devices, forms, etc.), unless otherwise specified, the terms (including references to a "device") used to describe these elements are intended to correspond to any element that performs the specified function of these elements (that is, a functional equivalent), even if that element is structurally different from the disclosed element that performs the function in the one or more exemplary embodiments of the present invention illustrated. In addition, although a particular feature of the present invention may have been described with reference to only one or more of the described embodiments, such a feature may be combined with one or more other features of the other embodiments as required and as advantageous for any given or particular application.

Claims (28)

1. A method for implementing an NG firewall (next-generation firewall), characterized in that the method comprises:
when an application is launched on a terminal device, sending a request message for requesting security information of the application to an NG firewall server;
receiving from the NG firewall server a response message containing the security information of the application, wherein the security information of the application represents information for the security protection of the application launched on the terminal device; and
processing data of the application by using the security information of the application.
2. The method according to claim 1, characterized in that the request message comprises identifying information of the application, and the identifying information of the application is used by the NG firewall server to determine the security information of the application.
3. The method according to claim 1, characterized in that the method further comprises:
when the application is closed on the terminal device, clearing the security information of the application.
4. The method according to any one of claims 1 to 3, characterized in that the response message further comprises one or more timer values for retaining part or all of the security information of the application; and
the method further comprises: when one or more timers among the one or more timer values corresponding to the part of the security information of the application expire, requesting the part of the security information of the application again; or
when one or more timers among the one or more timer values corresponding to all of the security information of the application expire, requesting all of the security information of the application again.
5. The method according to claim 4, characterized in that the method further comprises:
when one or more timers among the one or more timer values corresponding to the part of the security information of the application expire, clearing the part of the security information of the application; or
when one or more timers among the one or more timer values corresponding to all of the security information of the application expire, clearing all of the security information of the application.
6. The method according to any one of claims 1 to 5, characterized in that the security information of the application comprises any one or a combination of the following:
packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.
7. The method according to claim 6, characterized in that different timer values exist for retaining any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application, and the packet rate-limiting policy information of the application; or
the same timer value exists for retaining any one or a combination of the following: the packet signature information of the application, the access control list information of the application, the malformed packet attack information of the application, the stateful firewall library information of the application, and the packet rate-limiting policy information of the application.
8. The method according to claim 6, characterized in that processing the data of the application by using the security information of the application comprises:
processing the data of the application by using the packet signature information of the application, or
processing the data of the application by using the access control list information of the application, or
processing the data of the application by using the malformed packet attack information of the application, or
processing the data of the application by using the stateful firewall library information of the application, or
processing the data of the application by using the packet rate-limiting policy information of the application.
9. A method for implementing an NG firewall, characterized in that the method comprises:
receiving from a terminal device a request message for requesting security information of an application, wherein the security information of the application represents information for the security protection of the application launched on the terminal device;
determining the security information of the application according to the request message; and
sending a response message comprising the security information of the application to the terminal device.
10. The method according to claim 9, characterized in that the request message comprises identifying information of the application; and
determining the security information of the application according to the request message comprises: obtaining the security information of the application from a database according to the identifying information of the application comprised in the request message.
11. The method according to claim 9 or 10, characterized in that, before sending the response message comprising the security information of the application to the terminal device, the method further comprises:
authenticating whether the request message is valid; and
when the request message is valid, performing the process of sending the response message comprising the security information of the application to the terminal device.
12. The method according to claim 9 or 10, characterized in that the method further comprises:
determining one or more timer values for retaining part or all of the security information of the application; and
sending the response message comprising the security information of the application to the terminal device comprises: sending to the terminal device the response message comprising the security information of the application together with the one or more timer values for retaining part or all of the security information of the application.
13. The method according to any one of claims 9 to 12, characterized in that the security information of the application comprises any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.
14. An NG firewall client, characterized in that it comprises:
a sending unit, for sending a request message for requesting security information of an application to an NG firewall server when the application is launched on a terminal device configured with the NG firewall client;
a receiving unit, for receiving from the NG firewall server a response message containing the security information of the application, wherein the security information of the application represents information for the security protection of the application launched on the terminal device; and
a processing unit, for processing data of the application by using the security information of the application.
15. The NG firewall client according to claim 14, characterized in that the sending unit is specifically used for sending the request message for requesting the security information of the application to the NG firewall server when the application is launched on the terminal device configured with the NG firewall client; wherein the request message comprises identifying information of the application, and the identifying information of the application is used by the NG firewall server to determine the security information of the application.
16. The NG firewall client according to claim 14, characterized in that the NG firewall client further comprises:
a clearing unit, for clearing the security information of the application when the application is closed on the terminal device.
17. The NG firewall client according to any one of claims 14 to 16, characterized in that the response message further comprises one or more timer values for retaining part or all of the security information of the application; and
the sending unit is further used for requesting the part of the security information of the application again when one or more timers among the one or more timer values corresponding to the part of the security information of the application expire, or requesting all of the security information of the application again when one or more timers among the one or more timer values corresponding to all of the security information of the application expire.
18. The NG firewall client according to claim 17, characterized in that the clearing unit is further used for clearing the part of the security information of the application when one or more timers among the one or more timer values corresponding to the part of the security information of the application expire, or clearing all of the security information of the application when one or more timers among the one or more timer values corresponding to all of the security information of the application expire.
19. The NG firewall client according to any one of claims 14 to 18, characterized in that the security information of the application comprises any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.
20. The NG firewall client according to claim 19, characterized in that the processing unit is specifically used for:
processing the data of the application by using the packet signature information of the application, or
processing the data of the application by using the access control list information of the application, or
processing the data of the application by using the malformed packet attack information of the application, or
processing the data of the application by using the stateful firewall library information of the application, or
processing the data of the application by using the packet rate-limiting policy information of the application.
21. An NG firewall server, characterized in that it comprises:
a receiving unit, for receiving from a terminal device a request message for requesting security information of an application, wherein the security information of the application represents information for the security protection of the application launched on the terminal device;
a first determining unit, for determining the security information of the application according to the request message; and
a sending unit, for sending a response message comprising the security information of the application to the terminal device.
22. The NG firewall server according to claim 21, characterized in that the request message comprises identifying information of the application; and
the first determining unit is specifically used for obtaining the security information of the application from a database according to the identifying information of the application comprised in the request message.
23. The NG firewall server according to claim 21 or 22, characterized in that the NG firewall server further comprises:
an authentication unit, for authenticating whether the request message is valid; and
the sending unit is specifically used for sending the response message comprising the security information of the application to the terminal device when the request message is valid.
24. The NG firewall server according to claim 21 or 22, characterized in that the NG firewall server further comprises:
a second determining unit, for determining one or more timer values for retaining part or all of the security information of the application; and
the sending unit is specifically used for sending to the terminal device the response message comprising the security information of the application together with the one or more timer values for retaining part or all of the security information of the application.
25. The NG firewall server according to any one of claims 21 to 24, characterized in that the security information of the application comprises any one or a combination of the following: packet signature information of the application, access control list information of the application, malformed packet attack information of the application, stateful firewall library information of the application, and packet rate-limiting policy information of the application.
26. 1 kinds of terminal equipments, is characterized in that, comprising:
Processor and the memory being coupled to described processor;
Wherein said processor is used for:
When be applied in be activated in described terminal equipment time, send the request message of security information for asking described application to NG SOCKS server;
From the response message of described security information of described NG SOCKS server receiving package containing described application, the described security information of wherein said application represents the information to being used as safeguard protection described in starting in described terminal equipment;
By using the data applied described in the described security information process of described application.
27. 1 kinds of NG SOCKS servers, is characterized in that, comprising:
Processor and the memory being coupled to described processor;
Wherein said processor is used for:
Receive for asking the request message of security information applied from terminal equipment, the described security information of wherein said application represents the information to being used as safeguard protection described in starting in described terminal equipment;
The described security information of described application is determined according to described request message;
The response message comprising the described security information of described application is sent to described terminal equipment.
28. 1 kinds, for implementing the system of NG fire compartment wall, is characterized in that, described method comprises:
One or more terminal equipment as claimed in claim 26; And
NG SOCKS server as claimed in claim 27.
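As an added illustration that is not part of the patent, the following Python sketch models the exchange of claims 21 to 27: the terminal requests the security information for an application it has just started, the server authenticates the request and looks the application up by its identifier, and the response carries timer values after which the terminal must refresh the information before applying it to the application's data. The shared-key HMAC check, the application identifier, the addresses and the policy values are constructed assumptions; the patent does not specify them.

```python
import hmac, hashlib, json, time

# Constructed demo values (assumptions, not from the patent): a shared key for
# request authentication and a server-side database of per-application security info.
SHARED_KEY = b"demo-shared-key"
SECURITY_DB = {
    "com.example.mail": {
        "acl": {"allow": ["198.51.100.10"]},      # access control list information
        "rate_limit": {"msgs_per_sec": 5},        # message rate-limiting policy information
    },
}
TIMERS = {"acl": 3600, "rate_limit": 60}          # seconds each item stays valid (claim 24)

def sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

def client_request(app_id: str) -> dict:
    """Terminal side: built when the application is activated (claim 26)."""
    msg = {"app_id": app_id, "ts": int(time.time())}
    return {"msg": msg, "tag": sign(msg)}

def server_handle(request: dict) -> dict:
    """Server side: check validity (claim 23), look the application up by its
    identifier (claim 22) and answer with security info plus timer values (claim 24)."""
    if not hmac.compare_digest(sign(request["msg"]), request["tag"]):
        return {"status": "invalid"}                # no security info for unauthenticated requests
    info = SECURITY_DB.get(request["msg"]["app_id"])
    if info is None:
        return {"status": "unknown_app"}
    return {"status": "ok", "security_info": info, "timers": TIMERS}

def install(response: dict, now: float) -> dict:
    """Terminal side: keep each item together with the time its timer runs out."""
    return {k: (v, now + response["timers"][k]) for k, v in response["security_info"].items()}

def decide(state: dict, peer: str, now: float, sent_last_sec: int) -> str:
    """Process one outbound message of the application with the installed info.
    'refresh' means a timer has expired and the terminal should re-request first."""
    if any(now >= expires for _, expires in state.values()):
        return "refresh"
    if peer not in state["acl"][0]["allow"]:
        return "deny"
    if sent_last_sec >= state["rate_limit"][0]["msgs_per_sec"]:
        return "deny"
    return "allow"
```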
CN201480001549.0A 2013-11-07 2014-04-03 Method and system for implementing an NG firewall, NG firewall client and NG firewall server Active CN104380686B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
ININ5037/CHE/2013 2013-11-07
IN5037/CHE/2013 2013-11-07
IN5037CH2013 IN2013CH05037A (en) 2013-11-07 2014-04-03
PCT/CN2014/074744 WO2015066996A1 (en) 2013-11-07 2014-04-03 A method and system for implementing ng-firewall, a ng-firewall client and a ng-firewall server

Publications (2)

Publication Number Publication Date
CN104380686A true CN104380686A (en) 2015-02-25
CN104380686B CN104380686B (en) 2018-08-21

Family

ID=52557547

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480001549.0A Active CN104380686B (en) 2013-11-07 2014-04-03 Method and system for implementing an NG firewall, NG firewall client and NG firewall server

Country Status (1)

Country Link
CN (1) CN104380686B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375311A (en) * 2016-08-31 2017-02-01 北京青石绿网科技有限公司 DPI application security management method in mobile device
CN106375309A (en) * 2016-08-31 2017-02-01 北京青石绿网科技有限公司 DPI data security management method of mobile device
CN110830454A (en) * 2019-10-22 2020-02-21 远江盛邦(北京)网络安全科技股份有限公司 Security equipment detection method for realizing TCP protocol stack information leakage based on ALG protocol

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1798436A (en) * 2004-12-28 2006-07-05 华为技术有限公司 Method and system for ensuring safe data service in mobile communication system
US20070192847A1 (en) * 2006-02-03 2007-08-16 Eung-Moon Yeom Dynamic network security system and control method thereof
CN101444119A (en) * 2006-03-27 2009-05-27 意大利电信股份公司 System for implementing security policies on mobile communication devices
CN101729531A (en) * 2009-03-16 2010-06-09 中兴通讯股份有限公司 Method, device and system of distributing network safety strategies
CN102045320A (en) * 2009-10-19 2011-05-04 中兴通讯股份有限公司 Aging method and device for security policy
US20110321150A1 (en) * 2010-06-25 2011-12-29 salesforce.com,inc. Methods And Systems For Context-Based Application Firewalls
US20120304244A1 (en) * 2011-05-24 2012-11-29 Palo Alto Networks, Inc. Malware analysis system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
周安娜: "Application and Research of Application Firewalls" (应用防火墙应用与研究), 《科技广场》 *
胡波: "Analysis of Next-Generation Firewall Technology" (下一代防火墙技术探析), 《保密科学技术》 *

Also Published As

Publication number Publication date
CN104380686B (en) 2018-08-21

Similar Documents

Publication Publication Date Title
US10873597B1 (en) Cyber attack early warning system
US9509628B2 (en) Managing devices in a heterogeneous network
US8505095B2 (en) System and method for monitoring and analyzing multiple interfaces and multiple protocols
US9219744B2 (en) Mobile botnet mitigation
US20080229382A1 (en) Mobile access terminal security function
US20210250771A1 (en) Method For Determining Class Information And Apparatus
EP3231153B1 (en) Distributing a network access policy
CN101444119A (en) System for implementing security policies on mobile communication devices
Salahdine et al. Security in 5G and beyond recent advances and future challenges
US20170257367A1 (en) Electronic devices and method for performing authentication between electronic devices
US10462122B2 (en) Push notification aggregation
EP3687135B1 (en) Device monitoring, and deregistration method and apparatus
JP2007200323A (en) Method for protecting sip-based application
CN104380686A (en) Method and system used for applying NG firewall, NG firewall client-side and NG firewall servicer
CN113784371A (en) Communication method and device
Bertino et al. 5G security and privacy: A research roadmap
CN114189865B (en) Network attack protection method in communication network, computer device and storage medium
US11595432B1 (en) Inter-cloud attack prevention and notification
EP3163839A1 (en) Detecting malicious applications
US20130067553A1 (en) Control apparatus and method for executing application
US20220311747A1 (en) Method and system for securing connections to iot devices
Alfaw et al. 5G security threats
US11784973B2 (en) Edge-based enterprise network security appliance and system
KR102571147B1 (en) Security apparatus and method for smartwork environment
US9767286B2 (en) Electronic module for making a message accessible to a targeted operating system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant