CN1748395A - Firewall device - Google Patents


Publication number
CN1748395A
Authority
CN
China
Prior art keywords
user
user terminal
firewall
special filtering
firewall device
Legal status
Granted
Application number
CN 200480003691
Other languages
Chinese (zh)
Other versions
CN100471183C
Inventor
长田和彦
冈大祐
铃木亮一
池川隆司
市川弘幸
石川忠司
Current Assignee
Nippon Telegraph and Telephone Corp
Original Assignee
Nippon Telegraph and Telephone Corp
Status
Expired - Fee Related

Abstract

A firewall apparatus including plural virtual firewalls, each virtual firewall including a dependent firewall policy, is disclosed. The firewall apparatus includes: a distribution management table for managing a user name and a virtual firewall ID; a part configured to receive authentication information for network connection from a user terminal, and hold a user name included in the authentication information; a part configured to report the authentication information to the authentication server; and a part configured to receive an authentication response from the authentication server, and hold a user ID, included in the authentication response, to be provided to the user terminal. The firewall apparatus registers the user ID in the distribution management table associating the user ID with the user name.

Description

Firewall device
Technical field
This invention relates to a firewall device used to protect users connected to an external network such as the Internet.
Background art
A firewall (also referred to as FW) is one means of improving the security of one's own terminal or one's own network.
A firewall is placed between the terminal or network whose security is to be improved and an external network, and performs the following filtering: according to a predefined security policy, it judges whether a packet from the external network to one's own terminal or network, or a packet from one's own terminal or network to the external network, may pass; if it may, the packet is passed, and if it may not, the packet is discarded.
A security policy combines conditions such as address, protocol type, port number, direction and pass/deny into a rule, and consists of a plurality of such rules.
Firewalls can be classified into three types according to where they are placed.
The first, shown in Fig. 1, keeps the firewall 10 inside one's own terminal (hereinafter called a terminal-based firewall), and protects one's own terminal 11 from an external network (for example the Internet) 12.
The second, shown in Fig. 2, places the firewall 10 at the edge of one's own network 13, where it connects to the external network 12 (hereinafter called a CPE-based firewall), and protects one's own network 13 from the external network 12.
The third, shown in Fig. 3, has the firewall 10 accommodate independent policies for a plurality of networks 13 or terminals 11 whose security is to be improved, and places it at the point of connection with the external network 12 (hereinafter called an NW-based firewall), protecting each network 13 or terminal 11 from the external network 12.
With the increase in always-on users and the rise in security requirements, the NW-based firewall, in which the firewall is provisioned on the network side, is effective from the viewpoint of providing users who lack security knowledge with a low-cost security service that compensates for their lack of skill.
That is, by using an NW-based firewall, economies of scale from accommodating users in one place and a reduction of the users' own work through outsourcing can be expected. However, a security policy must be provided for each user, so a firewall of this type needs an architecture that builds a virtual firewall for each user on one physical firewall.
Fig. 4 shows the method of constructing virtual firewalls in the conventional art. In the conventional art, the assignment between a user terminal, server or user network and a virtual firewall is realized by associating a fixed user ID with a virtual firewall ID.
Here, a fixed user ID means the VLAN-ID of the network to which the user's terminal or server belongs, or the IP address of the user's terminal or server. In Fig. 4, the IP address [a.a.a.a] of server 211 of user #a and the IP address [b.b.b.b] of server 212 of user #b are used as fixed user IDs; they are associated with virtual firewall IDs 202 and 203 respectively and registered in advance in the allocation management table 201.
For example, when server 211 communicates with the communication counterpart terminal 213 of user #2, a packet 221 sent from server 211 has its source IP address [a.a.a.a] used as the search key to look up the allocation management table 201, the virtual firewall ID 202 corresponding to that source IP address is retrieved, and packet 221 is assigned to virtual firewall 202. For a packet 222 sent from communication counterpart terminal 213, its destination IP address b.b.b.b is used as the search key to look up the allocation management table 201, the virtual firewall ID 203 corresponding to that destination IP address is retrieved, and packet 222 is assigned to virtual firewall 203.
Virtual firewalls 202 and 203 record filtering rules that conform to the security policies determined by users #a and #b respectively, and packets 221 and 222 are passed or discarded according to those rules. In this way, attack packets sent to server 211 by a malicious connecting party can be filtered out.
The conventional art is mainly used in data centers and the like; because fixed user IDs are used there, the user IDs can be registered in the allocation management table 201 in advance.
A prior art document related to the above conventional art is "A study of a secure content filtering scheme in data centers" (IEICE Society Conference (2002), B-6-38, issued 2002.8.20).
Another conventional art that sets up secure communication for each user is Japanese Laid-Open Patent Publication No. 2001-298449, "Security communication method, communication system and apparatus therefor". However, this conventional art mainly assumes IPsec communication; the secure communication it defines per user only determines the authentication algorithm and the strength of the encryption algorithm used for communication according to the user's request, which is different from the function of filtering attack packets from a malicious connecting party.
In the always-on connection service that users use, the user ID (IP address) is assigned for the first time when the connection between the user terminal and the network is established; specifically, it is assigned when a PPP (Point to Point Protocol) session is established. Moreover, the IP address is generally variable.
Therefore, even if one wanted to use the virtual firewall of the above conventional art for an always-on connection service, the IP address cannot be registered in the allocation management table in advance, so it is difficult to apply the conventional virtual firewall to an always-on connection service.
In addition, since an always-on connection service accommodates far more users than a data center or the like, the NW-based firewall device needs to increase the number of users it accommodates simultaneously.
Apart from the viewpoint of where the firewall is placed, firewalls can also be classified into the following two types from the viewpoint of how the security policy is maintained.
One type keeps the security policy inside the firewall, which is the method ordinary firewalls use.
The other type, shown in Fig. 5, Fig. 6 and Fig. 7, keeps the security policy 15 outside the firewall 10 and distributes it to a plurality of firewalls 10.
Most of the firewalls described above (terminal-based, CPE-based and NW-based) keep the security policy inside the firewall.
As for firewalls using the distributed security policy method, Japanese National Publication of Translated Version No. 2002-544607 shows its application to a terminal-based firewall, and the document "Distributed Firewalls" (November 1999, Special Issue on Security, ISSN 1044-6397) shows its application to a CPE-based firewall.
Even in an NW-based firewall, when the accommodated networks or terminals are connected statically, the same considerations as for a CPE-based firewall apply.
However, when an NW-based firewall is used to dynamically connect and disconnect the accommodated networks or terminals, or the NW-based firewall that accommodates them is changed, all security policies for every network or terminal that might be accommodated must be kept regardless of whether those networks or terminals are connected or disconnected, so the method of keeping the security policy inside the firewall is impractical.
Therefore, in this environment an NW-based firewall device is needed that has a unit for keeping the amount of security policy it holds at the optimum, according to the connection or disconnection of networks or terminals.
In addition, since many networks or terminals are connected to an NW-based firewall, an NW-based firewall that loads security policy upon the connection of a network or terminal may sometimes have to load many security policies; in that case the CPU load of the NW-based firewall for this processing becomes large, the CPU cannot be used for filtering and forwarding, and filtering and forwarding performance suffers.
Also, on the device that issues security policies, when the amount to be issued exceeds the device's performance, security policies cannot be issued.
Also, on the line used to issue security policies, when the amount to be issued exceeds the line capacity, security policies may be lost or delayed.
Therefore, an NW-based firewall device is needed that has a unit for suppressing the amount of security policy to be issued.
Summary of the invention
A first object of the present invention is to provide a firewall device that can provide service even for a communication mode in which the correspondence between user ID and virtual firewall ID cannot be made in advance.
A second object of the present invention is to provide a firewall device that can increase the number of users accommodated simultaneously.
A third object of the present invention is to provide a firewall device that keeps or discards the required security policy according to the connection or disconnection of an accommodated network or terminal, and can reduce the amount of security policy to be loaded.
The first object is achieved by a firewall device having a plurality of virtual firewalls, each with its own independent filtering policy, the firewall device comprising: an allocation management table that manages user names and virtual firewall IDs; a unit that, on receiving authentication information for a network connection from a user terminal, holds the user name recorded in that information; a unit that notifies the authentication information to an authentication server; and a unit that, on receiving an authentication response from the authentication server, holds the user ID recorded in that response which is to be assigned to the user terminal, wherein the user ID is registered in the allocation management table in correspondence with the user name.
According to the present invention, even for a communication mode in which the correspondence between user ID and virtual firewall ID cannot be made in advance, the authentication information the user's terminal sends to connect to the network can be used to associate the user ID with the virtual firewall ID dynamically. Packets sent or received by the user terminal having that user ID can then be filtered according to the rules corresponding to that user terminal's security policy.
The second object is achieved by a firewall device comprising: an allocation management table that manages user names, user IDs and filtering IDs in correspondence; filter tables, designated by filtering ID, each holding an independent filtering policy; a unit that, when a network connection starts, receives authentication information recording a user name from a user terminal and holds that user name; a unit that notifies the authentication information to an authentication server; and a unit that receives an authentication response from the authentication server and holds the user ID recorded in that response which is to be assigned to the user terminal, wherein the user ID is registered in the allocation management table in correspondence with the user name.
According to the present invention, since filtering IDs are introduced and each user's filtering policy is identified by its filtering ID, a plurality of independent filtering policies can be managed within each virtual firewall, for example, and the number of users accommodated can be increased.
In addition, since the search range for each user's packets is limited to the table whose value matches the assigned filtering ID, the search processing time is kept from growing long.
Further, in the present invention the filtering ID is divided into a special filtering ID and a shared filtering ID, so that each user's own filtering policy is recorded in a special filtering table and a filtering policy shared by a plurality of users is recorded in a shared filter table.
Thus, for example, when 10 users use the same 2 filtering rules, the conventional art records 20 rules in the filter table in total, whereas according to the present invention the filter table only needs to record 2 rules, so filtering policies can be managed efficiently.
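The following is an added illustration of the special/shared filter table split described above; it is not code from the patent, and the class and function names (`FilterTables`, `Rule`, `build_sample`), the sample users and the default-deny, special-before-shared search order are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    direction: str  # "in" = toward the user's terminal, "out" = from it


@dataclass(frozen=True)
class Rule:
    # The page lists address, protocol type, port number, direction and
    # pass/deny as the elements of one rule; None means "any" for a field.
    src_ip: Optional[str]
    dst_ip: Optional[str]
    protocol: Optional[str]
    dst_port: Optional[int]
    direction: str
    permit: bool

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.src_ip in (None, pkt.src_ip)
                and self.dst_ip in (None, pkt.dst_ip)
                and self.protocol in (None, pkt.protocol)
                and self.dst_port in (None, pkt.dst_port))


class FilterTables:
    """Filtering policies keyed by filtering ID: one special table per user
    and a shared table used by many users (assumed structure)."""

    def __init__(self) -> None:
        self.special: Dict[str, List[Rule]] = {}   # special filtering ID -> rules
        self.shared: Dict[str, List[Rule]] = {}    # shared filtering ID -> rules
        # allocation management table: user name -> (special ID, shared ID)
        self.alloc: Dict[str, Tuple[str, str]] = {}

    def define_shared(self, shared_id: str, rules: List[Rule]) -> None:
        self.shared[shared_id] = list(rules)

    def register_user(self, user: str, special_id: str, shared_id: str,
                      special_rules: List[Rule]) -> None:
        if shared_id not in self.shared:
            raise KeyError(f"unknown shared filtering ID {shared_id}")
        self.special[special_id] = list(special_rules)
        self.alloc[user] = (special_id, shared_id)

    def rules_stored(self) -> int:
        """Rules actually held: a shared rule is stored once, not once per user."""
        return (sum(len(r) for r in self.special.values())
                + sum(len(r) for r in self.shared.values()))

    def rules_if_copied_per_user(self) -> int:
        """Rules the conventional scheme would hold, with each user's whole
        policy (own rules plus the shared ones) copied into that user's table."""
        return sum(len(self.special[sp]) + len(self.shared[sh])
                   for sp, sh in self.alloc.values())

    def filter_packet(self, user: str, pkt: Packet) -> bool:
        """First match over only the two tables named by the user's filtering
        IDs (special first, then shared). Default deny is an assumption."""
        special_id, shared_id = self.alloc[user]
        for rule in self.special[special_id] + self.shared[shared_id]:
            if rule.matches(pkt):
                return rule.permit
        return False


def build_sample() -> FilterTables:
    """Constructed data for the page's example: 10 users who all use the
    same 2 filtering rules and have no user-specific rules."""
    ft = FilterTables()
    ft.define_shared("SH1", [
        Rule(None, None, "tcp", 80, "in", True),
        Rule(None, None, "tcp", 443, "in", True),
    ])
    for i in range(10):
        ft.register_user(f"#user{i}", f"SP{i}", "SH1", [])
    return ft


if __name__ == "__main__":
    ft = build_sample()
    print("stored:", ft.rules_stored(), "conventional:", ft.rules_if_copied_per_user())
```

Registering a user again with a non-empty special rule list shows the other half of the scheme: the user's own rules are searched first, and only that user pays for them.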
The third object is achieved by a firewall device placed between a plurality of user terminals and a network, which performs packet filtering for those user terminals and comprises: a special filtering table that keeps each user's security policy; a shared filter table that keeps a security policy shared by a plurality of users; an allocation management table that manages user terminal information, shared filter table IDs and special filtering table IDs; a communication unit that communicates with an authentication server which judges whether a user terminal may connect; a communication unit that communicates with an identifier management server which manages the shared filter table IDs and special filtering table IDs associated with users; and a communication unit that communicates with a security policy management server which manages the user-specific security policies written in the special filtering table and their relation to users. When a network connection starts, the firewall device receives from a user terminal a connection request with attached authentication information including a user name, holds that user name, notifies the held user name to the authentication server, holds the user terminal information attached to the authentication response received from the authentication server, notifies the user name to the identifier management server and the security policy server, registers the shared filter table ID and special filtering table ID received from the identifier management server in the allocation management table in correspondence with the user terminal information, and writes the policy information received from the security policy server into the special filtering table together with the special filtering table ID.
According to the present invention, the required security policy can be loaded when the connection of a network or terminal starts.
In addition, when a network connection starts, the identifier indicating the area into which the security policy is written is associated with the user terminal information assigned by authentication to the network or terminal starting the connection; when the connection is disconnected, the identifier is looked up from the user terminal information of the network or terminal being disconnected, and the security policy in the area indicated by that identifier is discarded. Thus the security policy can be discarded according to the disconnection of a network or terminal.
In addition, the firewall device of the present invention divides the security policy into a special security policy and a shared security policy; the shared security policy is kept in the firewall device permanently and only the special filtering policy is loaded when the connection of a network or terminal starts, so the amount of security policy to be loaded can be reduced.
In addition, the firewall device of the present invention connects the device that issues security policies and the device that looks up the above identifiers to all firewall devices so that the security policy can be loaded; therefore, even when the firewall device accommodating a network or terminal is changed and a network connection or disconnection is started, the firewall device can load the security policy appropriately.
Description of drawings
Fig. 1 is a block diagram showing an example of a conventional firewall device.
Fig. 2 is a block diagram showing another example of a conventional firewall device.
Fig. 3 is a block diagram showing yet another example of a conventional firewall device.
Fig. 4 shows the method of constructing virtual firewalls in the conventional art.
Fig. 5 is a block diagram showing an example of a conventional firewall device that keeps the security policy externally.
Fig. 6 is a block diagram showing another example of a conventional firewall device that keeps the security policy externally.
Fig. 7 is a block diagram showing yet another example of a conventional firewall device that keeps the security policy externally.
Fig. 8 shows the structure of the firewall device in embodiment 1-1 of the present invention.
Fig. 9 is a sequence diagram of the operation of the firewall device in embodiment 1-1.
Fig. 10 is a sequence diagram of the operation of the firewall device in embodiment 1-2.
Fig. 11 shows an example of the allocation management table in embodiment 1-3.
Fig. 12 is a sequence diagram of the operation of the firewall device in embodiment 1-3.
Fig. 13 shows an example of the allocation management table in embodiment 1-4.
Fig. 14 is a sequence diagram of the operation of the firewall device in embodiment 1-4.
Fig. 15 is a sequence diagram of the operation of the firewall device in embodiment 1-5.
Fig. 16 shows an example of the allocation management table in embodiment 1-5.
Fig. 17 is a block diagram showing the schematic configuration of the firewall device of embodiment 2-1 of the present invention.
Fig. 18 shows the structure of the filter table in a virtual firewall of the firewall device of embodiment 2-1.
Fig. 19 is a sequence diagram of the operation of the firewall device of embodiment 2-1.
Fig. 20 is a block diagram showing the schematic configuration of the firewall device of embodiment 2-2 of the present invention.
Fig. 21 is a sequence diagram of the operation of the firewall device of embodiment 2-2.
Fig. 22 shows the initial state of the allocation management table of embodiment 2-3.
Fig. 23 shows the state of the allocation management table of embodiment 2-3 after IP addresses have been registered.
Fig. 24 shows the structure of the filter table in a virtual firewall of the firewall device of embodiment 2-3.
Fig. 25 is a sequence diagram of the operation of the firewall device of embodiment 2-4.
Fig. 26 shows the contents of the allocation management table of embodiment 2-5.
Fig. 27 is a sequence diagram of the operation of the firewall device of embodiment 2-5.
Fig. 28 shows the contents of the allocation management table of embodiment 2-6.
Fig. 29 is a sequence diagram of the operation of the firewall device of embodiment 2-6.
Fig. 30 shows the contents of the allocation management table of embodiment 2-7.
Fig. 31 is a sequence diagram of the operation of the firewall device of embodiment 2-7.
Fig. 32 shows the contents of a filter table.
Fig. 33 shows the contents of a special filtering table.
Fig. 34 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-1 of the present invention and a network model using that firewall device.
Fig. 35 shows the details of the authentication information in the authentication server shown in Fig. 34.
Fig. 36 shows the details of the pool table kept in the user terminal information section of the authentication server shown in Fig. 34.
Fig. 37 shows the details of the identifier management table in the identifier management server shown in Fig. 34.
Fig. 38 shows the details of the security policy table in the security policy server shown in Fig. 34.
Fig. 39 shows the details of the allocation management table in its initial state in the firewall device shown in Fig. 34.
Fig. 40 shows an example of the operation sequence of the network model of Fig. 34.
Fig. 41 shows an example of the operation sequence of the network model of Fig. 34.
Fig. 42 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-2 and a network model using that firewall device.
Fig. 43 shows an example of the operation sequence of the network model of Fig. 42.
Fig. 44 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-3 and a network model using that firewall device.
Fig. 45 shows an example of the operation sequence of the network model of Fig. 44.
Fig. 46 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-4 and a network model using that firewall device.
Fig. 47 shows an example of the operation sequence of the network model of Fig. 46.
Fig. 48 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-5 and a network model using that firewall device.
Fig. 49 shows an example of the operation sequence of the network model of Fig. 48.
Fig. 50 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-6 and a network model using that firewall device.
Fig. 51 shows the details of the authentication information in authentication server 1 shown in Fig. 50.
Fig. 52 shows the details of the pool table kept in the user terminal information section of authentication server 1 shown in Fig. 50.
Fig. 53 shows the details of the authentication information in authentication server 2 shown in Fig. 50.
Fig. 54 shows the details of the pool table kept in the user terminal information section of authentication server 2 shown in Fig. 50.
Fig. 55 shows the user name that user (2015-1) shown in Fig. 50 sends to the firewall device via user terminal (2002-1).
Fig. 56 shows the user name that user (2015-2) shown in Fig. 50 sends to the firewall device via user terminal (2002-2).
Fig. 57 shows the details of the identifier management table in the identifier management server shown in Fig. 50.
Fig. 58 shows the details of the security policy table in the security policy server shown in Fig. 50.
Fig. 59 shows an example of the operation sequence of the network model of Fig. 50.
Fig. 60 shows an example of the operation sequence of the network model of Fig. 50.
Fig. 61 shows an example of the structure of a computer system.
Embodiment
Below, with reference to accompanying drawing various embodiments of the present invention are described.
(embodiment 1-1~embodiment 1-5)
[embodiment 1-1]
At first, use Fig. 8 and Fig. 9 that embodiments of the invention 1-1 is described.In this example, the connected mode of supposing user and network is PPP, and checking is RADIUS with communication.
Firewall device 100 has virtual firewall at each user.For example, exist in firewall device 100: the security strategy of use user #a is protected the virtual firewall 102 of the terminal 111 of user #a; The security strategy of use user #b is protected the virtual firewall 103 of the terminal 112 of user #b.
In addition, login has the user name and the virtual firewall ID that can set in advance in the allocation manager table 101.That is, login the corresponding relation that user name #a and virtual firewall ID 102, user name #b and virtual firewall ID 103 are arranged in the allocation manager table 101.But, because the IP address as user ID of each user terminal is definite, so can not login (state of allocation manager table 101-1) this moment.
In this example, the terminal 111 of supposing user #a is carried out network with the Internet 110 and is connected, and then, and is connected distant terminal 113 and carries out IP and communicate by letter.At first, as network connecting request, between user terminal 111 and firewall device 100, exchange LCP (LinkControl Protocol: information (139) LCP) from user terminal 111.By after the exchange 140 of the authorization information of carrying out, firewall device 100 is extracted the user name #a that sends from user terminal 111 out, keeps user name #a (process points 150).
Then, authorization information (username and password) is notified to radius server 130 (141).When being verified by radius server 130, and receive it and respond at 142 o'clock, firewall device 100 keeps giving the IP address of the user terminal of putting down in writing in this response 142.Suppose that this IP address is [a.a.a.a].Then, be search key with user name #a, this IP address [a.a.a.a] is signed in to (process points 151 on the row of having put down in writing user name #a in the allocation manager table 101.The state of allocation manager table 101-2).
In addition, meanwhile, firewall device 100 exchanges NCP (Network Control Protocol: Network Control Protocol) during information (143) between user terminal 111 and firewall device 100, [a.a.a.a] sends to user terminal 111 with IP address, and the IP address that user terminal 111 identifies oneself is [a.a.a.a].
After NCP finishes, between user terminal and network, set up PPP and connect.Then, when firewall device 100 receives from user terminal 111 when connecting the grouping 121 of distant terminal 113 transmissions, to send source IP address as it and put down in writing [a.a.a.a] as search key, with reference to allocation manager table 101, the virtual firewall ID=102 that extraction is put down in writing in the row of [a.a.a.a] should divide into groups 121 to distribute to virtual firewall 102 (process points 152).Like this, can according to the corresponding filtering rule of security strategy of user #a regulation, to divide into groups 121 carry out by or discard processing.
In addition, when firewall device 100 receives from communication counterpart terminal 113 during to grouping 122 that user terminal 111 sends, to put down in writing [a.a.a.a] as search key as IP address, its destination, with reference to allocation manager table 101, the virtual firewall ID=102 that extraction is put down in writing in the row of [a.a.a.a] should divide into groups 122 to distribute to virtual firewall 102 (process points 153).Like this, can according to the corresponding filtering rule of security strategy of user #a regulation, to divide into groups 122 carry out by or discard processing.
Carrying out network in the terminal 112 of user #b with the Internet 110 is connected, then be connected distant terminal 113 and carry out under the situation that IP communicates by letter, also can be by identical step, give virtual firewall 103 with the packet allocation of terminal 112 transmitting-receivings, and can according to the corresponding filtering rule of security strategy of user #b regulation, carry out by or discard processing.
[Embodiment 1-2]
Embodiment 1-2 of the present invention is described with reference to Figure 10. This example shows the situation in which, in embodiment 1-1, the combination of user name and password sent in user name/password notification 141 does not match the combination registered in RADIUS server 130, for example because the user name or password sent by user #a contains an error.
The processing from LCP 139 up to user name/password notification 141 is the same as in embodiment 1-1, so its explanation is omitted.
For the above reason, when RADIUS server 130 sends authentication error notification 642, firewall device 100 sends authentication error notification 643 to user terminal 111 and terminates PPP establishment. At this time, firewall device 100 performs no processing on allocation manager table 101.
[Embodiment 1-3]
The third embodiment of the present invention is described with reference to Figures 8, 11 and 12. This example shows the case in which, in embodiment 1-1, terminal 114 of user #c, who is not registered with the firewall service, connects to the Internet 110 and then carries out IP communication with remote terminal 113. User #c, not being registered with the firewall service, has no user name or virtual firewall registered in allocation manager table 101-3; however, user #c's user name and password are registered in RADIUS server 130 so that terminal 114 can use the communication service of the Internet 110.
In Figure 12, the operation before IP address notification 142 is the same as in embodiment 1-1, so its explanation is omitted.
When IP address notification 142 is received, firewall device 100 retains the IP address [c.c.c.c] recorded in the notification as the address assigned to the user terminal. It then searches allocation manager table 101-3 for user name #c, using the user name as the search key; since user name #c is not present, IP address [c.c.c.c] is not registered in allocation manager table 101-3.
At the same time, while NCP information (143) is exchanged between user terminal 114 and firewall device 100, firewall device 100 sends IP address [c.c.c.c] to user terminal 114, and user terminal 114 recognizes [c.c.c.c] as its own IP address.
After NCP completes, a PPP connection is established between the user terminal and the network. Then, when firewall device 100 receives packet 121 sent from user terminal 114 to remote terminal 113, it uses the source IP address recorded in the packet, [c.c.c.c], as the search key and refers to allocation manager table 101; the result shows that this source IP address is not registered.
When the source IP address is not registered, the virtual firewall to be allocated is recorded as virtual firewall 104 in the bottom row of allocation manager table 101-3 shown in Figure 11, so packet 121 is allocated to virtual firewall 104, which is used for unregistered users (process point 152).
Similarly, for packet 122 sent from communication counterpart terminal 113, the destination IP address [c.c.c.c] is used as the search key to refer to allocation manager table 101; when the result shows that this destination IP address is not registered, packet 122 is allocated to virtual firewall 104 for unregistered users (process point 153).
Virtual firewall 104 for unregistered users either has no filtering rules recorded, so that all packets pass unconditionally, or has filtering rules recorded that are shared by all unregistered users.
[Embodiment 1-4]
The fourth embodiment of the present invention is described with reference to Figures 8, 13 and 14. This example shows the case in which, under the same conditions as embodiment 1-3, terminal 114 of user #c, who is not registered with the firewall service, connects to the Internet 110 and then carries out IP communication with remote terminal 113. User #c, not being registered with the firewall service, has no user name or virtual firewall registered in allocation manager table 101-4; however, user #c's user name and password are registered in RADIUS server 130 so that terminal 114 can use the communication service of the Internet 110.
In Figure 14, the operation before IP address notification 142 is the same as in embodiment 1-1, so its explanation is omitted.
When IP address notification 142 is received, firewall device 100 retains the IP address [c.c.c.c] recorded in the notification as the address assigned to the user terminal. It then searches allocation manager table 101-4 for user name #c, using the user name as the search key, but user name #c is not present. When the user name is not present, as shown in Figure 13, IP address [c.c.c.c] is registered in allocation manager table 101-4 together with ID=104 of virtual firewall 104 for unregistered users.
At the same time, while NCP information (143) is exchanged between user terminal 114 and firewall device 100, firewall device 100 sends IP address [c.c.c.c] to user terminal 114, and user terminal 114 recognizes [c.c.c.c] as its own IP address.
After NCP completes, a PPP connection is established between the user terminal and the network. Then, when firewall device 100 receives packet 121 sent from user terminal 114 to remote terminal 113, it uses the source IP address recorded in the packet, [c.c.c.c], as the search key, refers to allocation manager table 101, retrieves the virtual firewall ID=104 corresponding to this source IP address, and allocates packet 121 to virtual firewall 104 for unregistered users (process point 152).
Similarly, for packet 122 sent from communication counterpart terminal 113, the destination IP address [c.c.c.c] is used as the search key to refer to allocation manager table 101-4, the virtual firewall ID=104 corresponding to this address is retrieved, and packet 122 is allocated to virtual firewall 104 for unregistered users (process point 153).
As in embodiment 1-3, virtual firewall 104 for unregistered users either has no filtering rules recorded, so that all packets pass unconditionally, or has filtering rules recorded that are shared by all unregistered users.
When the source IP address is not registered at all, the packet is discarded, as recorded in the bottom row of allocation manager table 101-4 shown in Figure 13. Consequently, when a malicious user sends a large number of packets from an IP address that has not been assigned to any user, for example by IP spoofing, firewall device 100 can discard those packets.
[Embodiment 1-5]
Embodiment 1-5 of the present invention is described with reference to Figures 8, 15 and 16. This example shows the case in which, in embodiment 1-1, terminal 115 of user #d, who is not registered with the firewall service, connects to the Internet 110 and then carries out IP communication with remote terminal 113. User #d is a user who should have been registered with the firewall service, but in this example user name #d is not correctly registered in allocation manager table 101-5, for example because the administrator of firewall device 100 forgot to register it or registered it incorrectly. User name #d and its password are correctly registered in RADIUS server 130.
In Figure 15, the operation before IP address notification 142 is the same as in embodiment 1-1, so its explanation is omitted.
When IP address notification 142 is received, firewall device 100 retains the IP address [d.d.d.d] recorded in the notification as the address assigned to the user terminal. It then searches allocation manager table 101-5 for user name #d, using the user name as the search key, but user name #d is not present. When the user name is not present, firewall device 100 sends authentication error notification 943 to user terminal 115 and terminates PPP establishment.
(Effects of embodiments 1-1 to 1-5)
The firewall device of embodiment 1-1 has means for dynamically registering an IP address in the allocation manager table in the case where, as in an always-on connection service, the IP address is assigned only when the connection between the user terminal and the network is established and its value can vary. In addition, the firewall device of the present invention, which supports dynamic user identifiers, has a virtual firewall for each user.
In this way, even for a communication scheme in which the correspondence between user ID and virtual firewall ID cannot be established in advance, the IP address and the virtual firewall ID can be mapped dynamically using the authentication information sent from the user's terminal for the network connection, and the filtering rules corresponding to the security policy defined by that user can be applied to the packets the user terminal sends or receives. Furthermore, economies of scale from concentrating the accommodated users, and a reduced burden on users through outsourcing, can be realized.
The firewall device of embodiment 1-2, when the user name or password sent from the user is wrong and the RADIUS server sends an authentication error notification, performs no processing on the allocation manager table and sends an authentication error notification to the user terminal. This eliminates the search and registration processing of the allocation manager table when the network connection is refused, so the remaining processing capacity can be concentrated on other processing.
The firewall devices of embodiments 1-3 and 1-4 can also accommodate user terminals of users who do not receive the firewall service, which removes the trouble of changing the physical connection each time a user who does not receive the firewall service uses the service.
With the means shown in embodiment 1-3, unregistered users are not registered in the allocation manager table, and the packets sent and received by unregistered users are automatically allocated to the virtual firewall for unregistered users; the number of entries in the allocation manager table is therefore limited to the registered users who currently have an established network connection, which contributes to shortening the search time.
On the other hand, with the means shown in embodiment 1-4, unregistered users are registered in the allocation manager table, the packets sent and received by unregistered users are automatically allocated to the virtual firewall for unregistered users, and packets whose address is not registered in the allocation manager table are discarded; therefore, when a malicious user sends a large number of packets from an IP address not assigned to any user, for example by IP spoofing, the firewall device can discard those packets.
The means of embodiment 1-3 and embodiment 1-4 can thus be used separately according to the purpose.
The firewall device of embodiment 1-5, in the case where the administrator of the firewall device has forgotten to register a user name and virtual firewall in the allocation manager table or has registered them incorrectly, forcibly terminates the invalid communication from the viewpoint of safety.
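The dynamic registration and lookup behaviour of embodiments 1-1 to 1-5 is summarised below in a worked example. This is an added illustration, not code from the patent or from Nippon Telegraph and Telephone; the class and method names, the rule that an entry is released when the PPP session ends (consistent with the effect stated for embodiment 1-3), the treatment of unregistered addresses in mode 1-5, and the sample user names and addresses are all assumptions. It covers the 1-1 registration path, the 1-2 authentication failure, and the three ways of handling a user who is not in the table (1-3 fall back to virtual firewall 104, 1-4 register under 104 and discard unknown addresses, 1-5 refuse the connection).

```python
from typing import Optional

# Virtual firewall reserved for users who are not registered with the firewall
# service (embodiments 1-3 and 1-4); every other ID here is a per-user firewall.
UNREGISTERED_VFW = 104


class AllocationManagerTable:
    """Allocation manager table 101: user name -> virtual firewall ID is provisioned
    in advance; IP address -> virtual firewall ID is filled in dynamically when the
    RADIUS response assigns an address, and emptied again when the session ends."""

    def __init__(self, users: dict, mode: str):
        assert mode in ("1-3", "1-4", "1-5"), "which unregistered-user handling to use"
        self.mode = mode
        self.by_user = dict(users)   # constructed, e.g. {"#a": 102, "#b": 103}
        self.by_ip = {}              # e.g. {"a.a.a.a": 102} once #a is connected

    def on_auth_response(self, user: str, auth_ok: bool, ip: str) -> str:
        """Handle the RADIUS response (142 or 642).  Returns what the device then
        sends towards the user terminal: "ncp" to continue PPP establishment, or
        "auth-error" to terminate it."""
        if not auth_ok:
            return "auth-error"              # embodiment 1-2: table is not touched
        vfw = self.by_user.get(user)
        if vfw is not None:
            self.by_ip[ip] = vfw             # embodiment 1-1: dynamic registration
            return "ncp"
        if self.mode == "1-3":
            return "ncp"                     # leave unregistered; resolved at lookup
        if self.mode == "1-4":
            self.by_ip[ip] = UNREGISTERED_VFW    # register under shared VFW 104
            return "ncp"
        return "auth-error"                  # embodiment 1-5: refuse the connection

    def on_disconnect(self, ip: str) -> None:
        """Release the dynamic entry when the PPP session ends (an assumption) so
        that the next terminal given the same address cannot inherit this policy."""
        self.by_ip.pop(ip, None)

    def dispatch(self, src_ip: str, dst_ip: str, from_user: bool) -> Optional[int]:
        """Process points 152/153: key on the source address for packets sent by
        the user terminal and on the destination address for packets sent to it.
        Returns the virtual firewall ID, or None when the packet is discarded."""
        key = src_ip if from_user else dst_ip
        vfw = self.by_ip.get(key)
        if vfw is not None:
            return vfw
        # Bottom row of the table: Figure 11 sends unknown addresses to VFW 104,
        # Figure 13 discards them.  Treating mode 1-5 like 1-4 is an assumption.
        return UNREGISTERED_VFW if self.mode == "1-3" else None


def trace(mode: str) -> dict:
    """Constructed scenario: #a is subscribed (VFW 102) and authenticates; #b gives
    a wrong password; #c is not subscribed but authenticates at RADIUS.  A packet
    then arrives from an address the device never assigned (the spoofing case)."""
    table = AllocationManagerTable({"#a": 102, "#b": 103}, mode)
    out = {}
    out["a_auth"] = table.on_auth_response("#a", True, "a.a.a.a")      # 142
    out["b_bad_pw"] = table.on_auth_response("#b", False, "b.b.b.b")   # 642
    out["c_auth"] = table.on_auth_response("#c", True, "c.c.c.c")
    remote = "r.r.r.r"                                                 # placeholder for terminal 113
    out["a_out"] = table.dispatch("a.a.a.a", remote, from_user=True)   # packet 121
    out["a_in"] = table.dispatch(remote, "a.a.a.a", from_user=False)   # packet 122
    out["c_out"] = table.dispatch("c.c.c.c", remote, from_user=True)
    out["spoofed"] = table.dispatch("x.x.x.x", remote, from_user=True)
    table.on_disconnect("a.a.a.a")
    out["a_after_disconnect"] = table.dispatch("a.a.a.a", remote, from_user=True)
    return out


if __name__ == "__main__":
    for m in ("1-3", "1-4", "1-5"):
        print(m, trace(m))
```

Running `trace` in the three modes shows the trade-off the effects section describes: mode 1-3 keeps the table small but also routes packets from never-assigned addresses to virtual firewall 104, while mode 1-4 grows the table by one entry per unregistered session and in return discards anything from an address it did not hand out.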
(Embodiments 2-1 to 2-7)
Next, embodiments 2-1 to 2-7 are described.
According to the operation of embodiment 1-1, even for a communication scheme in which the correspondence between IP address and virtual firewall ID cannot be established in advance, the IP address and the virtual firewall ID can be mapped dynamically using the authentication information sent from the user's terminal for the network connection, and the filtering rules corresponding to the security policy defined by that user can be applied to the packets the user terminal sends or receives.
However, an always-on connection service accommodates far more users than a data center or similar environment.
As an indication of scale, a data center accommodates hundreds to several thousand users, whereas an always-on connection service accommodates tens of thousands to hundreds of thousands.
At present, most highly reliable virtual firewall devices that have been productized and introduced as services are developed for data centers, and the number of users actually accommodated is hundreds to several thousand, as mentioned above.
When developing a virtual firewall device for an always-on connection service, which accommodates users on a different scale, it is very effective, from the viewpoint of development efficiency and reuse of existing technology, to base the development on the data-center-oriented virtual firewall device described above, continuing or extending its development.
Therefore, the problem in providing a virtual firewall device for an always-on connection service is to increase the number of users it can accommodate.
Moreover, because the number of users accommodated in an always-on connection service is large, if each user is guaranteed an independent security policy, the total number of filtering rules also increases in proportion to the number of users.
In practice, however, many of the rules in each user's filtering rules are shared with other users, so from the viewpoint of the firewall device as a whole this duplication of rules is inefficient and results in an increase in the size of the filter tables.
As described above, in developing a virtual firewall device for an always-on connection service, increasing the number of users accommodated and making the filter tables efficient are the problems to be solved.
Embodiments 2-1 to 2-7 describe a firewall device that increases the number of users accommodated and makes the filter tables efficient.
[Embodiment 2-1]
Figure 17 is a block diagram showing the schematic configuration of the firewall device of embodiment 2-1 of the present invention, and Figure 18 shows the structure of the filter tables in the virtual firewalls of this embodiment.
In this embodiment, the user's network connection scheme is assumed to be PPP (Point to Point Protocol), and the authentication communication is assumed to be RADIUS.
Firewall device 300 has a plurality of virtual firewalls (302, 303, ..., 304).
As shown in Figure 18, each virtual firewall (302, 303) contains a plurality of filter tables (561, 562, 563) designated by filter IDs, and one or more filtering policies, independent for each user, are recorded in each filter table (561, 562, 563).
In this embodiment, the security policies determined by user #a and user #b are held in virtual firewall 302, and the security policy determined by user #d is held in virtual firewall 303.
In virtual firewall 302, the security policy of user #a is recorded in filter table 561, whose filter ID is α, and the security policy of user #b is recorded in filter table 562, whose filter ID is β; in virtual firewall 303, the security policy of user #d is recorded in filter table 563, whose filter ID is γ.
Reasons for accommodating user #a and user #b in the same virtual firewall 302 include, for example, that the filtering policy to be shared by user #a and user #b is the same, or that a virtual firewall is constructed for each Internet provider and user #a and user #b belong to the same Internet provider.
The user names, virtual firewall IDs and filter IDs, which can be set in advance, are registered in allocation manager table 301.
That is, allocation manager table 301 holds the correspondence of user name #a, virtual firewall ID (302) and filter ID (α); the correspondence of user name #b, virtual firewall ID (302) and filter ID (β); and the correspondence of user name #d, virtual firewall ID (303) and filter ID (γ).
However, because the IP address serving as the user ID of each user terminal is not yet determined, it cannot be registered at this point (the state of allocation manager table 301-1 shown in Figure 19).
As long as the IP address is not registered in allocation manager table 301, packets from each user cannot be allocated to a virtual firewall and cannot be assigned a filter ID.
In this embodiment, it is assumed that terminal 311 of user #a connects to the Internet 310 and then carries out IP communication with remote terminal 313.
The operation of the firewall device of this embodiment is described below with reference to Figure 19, which is a sequence diagram of the operation of the firewall device of this embodiment.
First, as a network connection request from user terminal 311, LCP (Link Control Protocol) information is exchanged between user terminal 311 and firewall device 300 (839 in Figure 19).
After the subsequent exchange of authentication information (840 in Figure 19), firewall device 300 extracts the user name #a sent from user terminal 311 and retains it (process point 850 in Figure 19).
The authentication information (user name and password) is then reported to RADIUS server 330 (841 in Figure 19).
When RADIUS server 330 authenticates the user and firewall device 300 receives its response (842 in Figure 19), firewall device 300 retains the IP address recorded in the response as the address assigned to the user terminal. This IP address is assumed to be [a.a.a.a].
Then, using user name #a as the search key, the IP address [a.a.a.a] is registered in the row of allocation manager table 301 whose user name is #a (process point 851 in Figure 19; the state of allocation manager table 301-2 in Figure 19).
At the same time, while NCP (Network Control Protocol) information (843) is exchanged between user terminal 311 and firewall device 300, firewall device 300 sends IP address [a.a.a.a] to user terminal 311, and user terminal 311 recognizes [a.a.a.a] as its own IP address.
After NCP completes, a PPP connection is established between user terminal 311 and the Internet 310.
Then, when firewall device 300 receives packet 321 sent from user terminal 311 to remote terminal 313, it uses the source IP address recorded in the packet, [a.a.a.a], as the search key, searches the allocation manager table (301-2 in Figure 19), extracts the virtual firewall ID (ID=302) and filter ID (ID=α) recorded in the row for [a.a.a.a], allocates packet 321 to virtual firewall 302, and assigns filter ID α to packet 321 (process point 852 in Figure 19).
As shown in Figure 18, in the allocated virtual firewall 302, packet 322, to which the filter ID has been assigned, is passed or discarded according to the filtering rules corresponding to the security policy of user #a recorded in filter table 561, whose filter ID is α.
Similarly, when firewall device 300 receives packet 323 sent from communication counterpart terminal 313 to user terminal 311, it uses the destination address recorded in the packet, [a.a.a.a], as the search key, searches the allocation manager table (301-2 in Figure 19), extracts the virtual firewall ID (ID=302) and filter ID (ID=α) recorded in the row for [a.a.a.a], allocates packet 323 to virtual firewall 302, and assigns filter ID α to packet 323 (process point 853 in Figure 19).
In the allocated virtual firewall 302, packet 324, to which the filter ID has been assigned, is passed or discarded according to the filtering rules corresponding to the security policy of user #a recorded in filter table 561, whose filter ID is α.
When terminal 312 of user #b connects to the Internet 310 and then carries out IP communication with remote terminal 313, the packets sent and received by terminal 312 are likewise allocated to virtual firewall 302 by the same steps and then passed or discarded according to the filtering rules corresponding to the security policy of user #b recorded in filter table 562.
As described above, in this embodiment, introducing filter IDs (α, β, γ) makes it possible to manage a plurality of independent filtering policies within each virtual firewall (302, 303, 304), which increases the number of users that can be accommodated.
In addition, because the search range for each user's packets is limited to the table whose value matches the assigned filter ID, the search processing time can be kept from growing long.
[Embodiment 2-2]
The firewall device of embodiment 2-2 of the present invention differs from the firewall device of embodiment 2-1 in that it has no virtual firewalls.
The firewall device of this embodiment is described below, focusing on the differences from the firewall device of embodiment 2-1.
In this embodiment, too, the user's network connection scheme is assumed to be PPP and the authentication communication is assumed to be RADIUS.
Figure 20 is a block diagram showing the schematic configuration of the firewall device of embodiment 2-2 of the present invention.
As shown in Figure 20, firewall device 300 of this embodiment has a plurality of filter tables (561, 562) designated by filter IDs, and an independent filtering policy for each user is recorded in each filter table.
In this embodiment, the security policy of user #a is recorded in filter table 561, whose filter ID is α, and the security policy of user #b is recorded in filter table 562, whose filter ID is β.
The user names and filter IDs, which can be set in advance, are registered in allocation manager table 301.
That is, allocation manager table 301 holds the correspondence of user name #a and filter ID α, and the correspondence of user name #b and filter ID β.
However, because the IP address serving as the user ID of each user terminal is not yet determined, it cannot be registered at this point (the state of allocation manager table 301-1 shown in Figure 21).
As long as the IP address is not registered in allocation manager table 301, a filter ID cannot be assigned to packets from each user.
In this embodiment, it is assumed that terminal 311 of user #a connects to the Internet 310 and then carries out IP communication with remote terminal 313.
The operation of the firewall device of this embodiment is described below with reference to Figure 21, which is a sequence diagram of the operation of the firewall device of this embodiment.
The operation from the exchange of LCP information between user terminal 311 and firewall device 300 (839 in Figure 21) up to the exchange of NCP information between user terminal 311 and firewall device 300 (843 in Figure 21) is the same as in embodiment 2-1, so its explanation is not repeated.
After NCP completes, a PPP connection is established between user terminal 311 and the Internet 310. Then, when firewall device 300 receives packet 321 sent from user terminal 311 to remote terminal 313, it uses the source IP address recorded in the packet, [a.a.a.a], as the search key, searches the allocation manager table (301-2 in Figure 21), extracts the filter ID (ID=α) recorded in the row for [a.a.a.a], and assigns filter ID α to packet 321 (process point 852 in Figure 21).
Packet 322, to which the filter ID has been assigned, is passed or discarded according to the filtering rules corresponding to the security policy of user #a recorded in filter table 561, whose filter ID is α.
Similarly, when firewall device 300 receives packet 323 sent from communication counterpart terminal 313 to user terminal 311, it uses the destination IP address recorded in the packet, [a.a.a.a], as the search key, searches the allocation manager table (301-2 in Figure 21), extracts the filter ID (ID=α) recorded in the row for [a.a.a.a], and assigns filter ID α to packet 323 (process point 853 in Figure 21).
Packet 324, to which the filter ID has been assigned, is passed or discarded according to the filtering rules corresponding to the security policy of user #a recorded in filter table 561, whose filter ID is α.
When terminal 312 of user #b connects to the Internet 310 and then carries out IP communication with remote terminal 313, the packets sent and received by terminal 312 are likewise passed or discarded, by the same steps, according to the filtering rules corresponding to the security policy of user #b recorded in filter table 562.
[embodiment 2-3]
The firewall device of embodiments of the invention 2-3 is divided on special filtering ID and the shared filtration ID this point will filtering ID, and is different with the firewall device of the foregoing description 2-1.
Below, being the center with the difference with the firewall device of the foregoing description 2-1 describes the firewall device of present embodiment.
In addition, the schematic configuration of the firewall device of present embodiment 2-3 is identical with Figure 17.In addition, in this example, the internetwork connection mode of also supposing the user is PPP, and checking is RADIUS with communication.
In the firewall device of present embodiment, the filtration ID of the foregoing description 2-1 further is divided into special filtering ID and shared filtration ID, the filtering policy of each user's special use is documented in the special filtering table, and a plurality of users can be documented in the shared filter table by shared filtering policy.
Therefore, in the present embodiment, allocation manager table 301 shown in Figure 17 and allocation manager table (301-1) shown in Figure 19 are replaced as allocation manager table 601 shown in Figure 22, allocation manager table (301-2) shown in Figure 19 are replaced as the allocation manager table 1101 of Figure 23.
Figure 24 is the figure of the structure of the filter table in the virtual firewall of firewall device of expression present embodiment.
The firewall device 300 of present embodiment have a plurality of virtual firewalls (302,303 ..., 304).
In addition, as shown in figure 24, there are a plurality of filter table (561,562,563) in each virtual firewall (302,303) respectively by special filtering ID appointment, and by shared a plurality of filter table (571,572) of filtering the ID appointment.
The filtering policy of each user's special use is documented in the special filtering table (561,562,563), and a plurality of users can be documented in the shared filter table (571,572) by shared filtering policy.
In addition, thereupon as shown in figure 22, allocation manager table 601 pair user name, virtual firewall ID, special filtering ID and shared filtration ID manage.
In the present embodiment, user #a and the definite security strategy of user #b are kept in the virtual firewall 302, the security strategy that user #d is determined is kept in the virtual firewall 303, in addition, in virtual firewall 302, the special filtering strategy of user #a is documented in and filters ID is in the filter table 561 of α, the special filtering strategy of user #b is documented in and filters ID is in the filter table 562 of β, in virtual firewall 303, the special filtering strategy of user #d is documented in and filters ID is in the filter table 563 of γ.
In addition, user #a and user #b also use and filter the filtering policy of ID as record in the shared filter table 571 of I.
Equally, user #d also uses and filters the filtering policy of ID as record in the shared filter table 572 of II.
Login has user name, virtual firewall ID, special filtering ID and the shared filtration ID that can set in advance in the allocation manager table 601.
That is, login in the allocation manager table 601 and have: the corresponding relation of user name #a, virtual firewall ID (302), special filtering ID (α) and shared filtration ID (I); The corresponding relation of user name #b, virtual firewall ID (302), special filtering ID (β) and shared filtration ID (I); The corresponding relation of user name #d, virtual firewall ID (303), special filtering ID (γ) and shared filtration ID (II).
But, because the IP address as user ID of each user terminal is definite, so can not login (state of allocation manager table 601 shown in Figure 22) this moment.
As long as IP address does not sign in in the allocation manager table 601, just can not give each virtual firewall with packet allocation from each user, can not give special filtering ID and shared filtration ID.
In the present embodiment, the terminal 311 of supposing user #a is carried out network with the Internet 310 and is connected, then be connected distant terminal 313 and carry out IP and communicate by letter.
Below, use Figure 19, the action of the firewall device of present embodiment is described.
The operations from the exchange of LCP information between user terminal 311 and firewall device 300 up to the exchange of NCP information are identical to embodiment 2-1, so their explanation is not repeated.
After NCP completes, a PPP connection is established between user terminal 311 and the Internet 310. Then, as shown in Figure 17, when firewall device 300 receives packet 321 sent from user terminal 311 to remote terminal 313, it searches allocation manager table 1101 using the source IP address [a.a.a.a] recorded in the packet as the search key, extracts the virtual firewall ID (ID=302), special filtering ID (ID=α) and shared filtration ID (ID=I) recorded in the row for [a.a.a.a], distributes packet 321 to virtual firewall 302, and assigns it the special filtering ID α and the shared filtration ID I (process point 852 of Figure 19).
As shown in Figure 24, virtual firewall 302 applies pass-or-discard processing to packet 322, which now carries the special filtering ID and shared filtration ID, according to the filtering rules corresponding to the security policy of user #a recorded in special filtering table 561 for special filtering ID α.
If the filtering policy recorded in special filtering table 561 contains no applicable rule, packet 322 is then passed or discarded according to the security policy recorded in shared filter table 571 for shared filtration ID I.
Conversely, when firewall device 300 receives packet 323 sent from remote terminal 313 to user terminal 311, it searches allocation manager table 1101 using the destination address [a.a.a.a] recorded in the packet as the search key, extracts the virtual firewall ID (ID=302), special filtering ID (ID=α) and shared filtration ID (ID=I) recorded in the row for [a.a.a.a], distributes packet 323 to virtual firewall 302, and assigns it the special filtering ID α and the shared filtration ID I (process point 853 of Figure 19).
Virtual firewall 302 applies pass-or-discard processing to packet 324, which now carries the special filtering ID and shared filtration ID, according to the filtering rules corresponding to the security policy of user #a recorded in special filtering table 561 for special filtering ID α.
If the filtering policy recorded in special filtering table 561 contains no applicable rule, packet 324 is then passed or discarded according to the security policy recorded in shared filter table 571 for shared filtration ID I.
As described above, according to the present embodiment, where for example 10 users use the same 2 filtering rules, the conventional technique would require the filter table to record 20 rules in total, whereas in the present embodiment the filter table needs to record only 2 rules.
That is, introducing the shared filtration ID and the shared filter table allows the filtering policy to be managed efficiently.
The special filtering table and shared filter table of the present embodiment can also be introduced into the configuration of embodiment 2-2, which does not use virtual firewalls. In that case, in embodiment 2-2, the same special filtering ID and shared filtration ID as in the present embodiment are set in the allocation manager table in place of the filtering ID, and the same special filtering table and shared filter table as in the present embodiment are provided in place of the filter table.
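The lookup order described above (allocation manager table by source or destination IP, then the user's special filtering table, then the shared filter table) as an added example in Python. This is illustration code, not code from the patent or from the applicant: the rule contents, the additional users and every address other than the [a.a.a.a] placeholder from the text are constructed sample values, and the default-deny outcome when neither table matches is an assumption the text does not state.

```python
"""Two-tier filtering keyed by special and shared filtering IDs.

Added example, not code from the patent: an in-memory model of the allocation
manager table, a virtual firewall with its special filtering table and shared
filter table, and the pass-or-discard decision described in the text. Rule
contents, the extra users and all addresses except the [a.a.a.a] placeholder
are constructed sample values.
"""
from dataclasses import dataclass, field

PASS, DISCARD = "pass", "discard"


@dataclass(frozen=True)
class Rule:
    """Filtering rule keyed on the remote-terminal side port; the user terminal
    side is identified by the special filtering ID, not by its IP address."""
    proto: str          # "tcp" or "udp"
    remote_port: int
    action: str         # PASS or DISCARD

    def matches(self, proto, remote_port):
        return self.proto == proto and self.remote_port == remote_port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass
class VirtualFirewall:
    special_tables: dict = field(default_factory=dict)  # special filtering ID -> [Rule]
    shared_tables: dict = field(default_factory=dict)   # shared filtration ID -> [Rule]

    def decide(self, pkt, remote_port, special_id, shared_id):
        # 1) the user's own rules in the special filtering table
        for rule in self.special_tables.get(special_id, []):
            if rule.matches(pkt.proto, remote_port):
                return rule.action
        # 2) no applicable rule there: fall back to the shared filter table
        for rule in self.shared_tables.get(shared_id, []):
            if rule.matches(pkt.proto, remote_port):
                return rule.action
        # Assumption (not stated in the text): default deny when nothing matches.
        return DISCARD

    def rule_count(self):
        return (sum(len(r) for r in self.special_tables.values())
                + sum(len(r) for r in self.shared_tables.values()))


@dataclass
class FirewallDevice:
    virtual_firewalls: dict = field(default_factory=dict)  # VFW ID -> VirtualFirewall
    # allocation manager table: user IP -> (VFW ID, special filtering ID, shared filtration ID)
    allocation: dict = field(default_factory=dict)

    def register(self, ip, vfw_id, special_id, shared_id):
        self.allocation[ip] = (vfw_id, special_id, shared_id)

    def filter(self, pkt):
        """Uplink packets are looked up by source IP, downlink packets by destination IP."""
        if pkt.src_ip in self.allocation:
            entry, remote_port = self.allocation[pkt.src_ip], pkt.dst_port
        elif pkt.dst_ip in self.allocation:
            entry, remote_port = self.allocation[pkt.dst_ip], pkt.src_port
        else:
            return DISCARD  # not covered by this embodiment; fail closed (assumption)
        vfw_id, special_id, shared_id = entry
        return self.virtual_firewalls[vfw_id].decide(pkt, remote_port, special_id, shared_id)


def build_sample_device():
    """Constructed sample: 10 users share the same two rules under shared ID "I";
    user #a additionally has one rule of its own under special ID "alpha"."""
    vfw = VirtualFirewall(
        special_tables={"alpha": [Rule("tcp", 22, PASS)]},
        shared_tables={"I": [Rule("tcp", 80, PASS), Rule("tcp", 443, PASS)]},
    )
    fw = FirewallDevice(virtual_firewalls={302: vfw})
    fw.register("a.a.a.a", 302, "alpha", "I")          # user #a from the text
    for n in range(2, 11):                             # nine more constructed users
        fw.register(f"10.0.0.{n}", 302, None, "I")     # no special rules of their own
    return fw
```

With ten users sharing two rules, the virtual firewall holds three rules in total (two shared plus user #a's own) rather than one copy of the shared pair per user, which is the saving the text describes.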
[embodiment 2-4]
The firewall device of the present embodiment covers the following situation in the firewall devices of embodiments 2-1 and 2-2: because of an error or similar in the user name or password sent by user #a, the combination of user name and password sent in the user name and password notification does not match the combination of user name and password registered in RADIUS server 330.
The operation of the firewall device of embodiment 2-4 is described using Figure 25. Figure 25 is a sequence diagram showing the operation of the firewall device of embodiment 2-4.
The processing from LCP (339 of Figure 25) up to the user name and password notification (341 of Figure 25) is identical to embodiment 2-1, so its explanation is not repeated.
For the reason described above, when RADIUS server 330 returns an authentication error notification (1242 of Figure 25) in response to the user name and password notification (341 of Figure 25), firewall device 300 sends an authentication error notification (1243 of Figure 25) to user terminal 311 and ends the PPP establishment processing.
At this point, firewall device 300 performs no processing on allocation manager table 301.
[embodiment 2-5]
The firewall device of embodiment 2-5 of the present invention covers the following situation in the firewall device of embodiment 2-1: terminal 314 of user #c, who has not registered for the firewall service, establishes a network connection with the Internet 310 and then performs IP communication with remote terminal 313.
The schematic configuration of the firewall device of embodiment 2-5 is identical to Figure 17, and Figure 26 shows the contents of the allocation manager table of the present embodiment.
Although user #c has not registered for the firewall service and therefore has no user name or virtual firewall registered in allocation manager table (301-3), user #c can use the communication service of the Internet 110 through terminal 314, and a user name and password for user #c are registered in RADIUS server 130.
The operation of the firewall device of the present embodiment is described below using Figure 27. Figure 27 is a sequence diagram showing the operation of the firewall device of the present embodiment.
In Figure 27, the operations from LCP (339 of Figure 27) up to the IP address notification (342 of Figure 27) are identical to embodiment 2-1, so their explanation is not repeated.
On receiving the IP address notification (342 of Figure 27), firewall device 300 holds the IP address [c.c.c.c] to be given to the user terminal, as recorded in the IP address notification.
It then searches allocation manager table (301-3) using user name #c as the search key; since user name #c is not present, IP address [c.c.c.c] is not registered in allocation manager table (301-3).
At the same time, firewall device 300 exchanges NCP information with user terminal 314 (343 of Figure 27), sends IP address [c.c.c.c] to user terminal 314, and user terminal 314 recognizes its own IP address as [c.c.c.c].
After NCP completes, a PPP connection is established between user terminal 314 and network 310. Then, when firewall device 300 receives packet 321 sent from user terminal 314 to remote terminal 313, it searches allocation manager table (301-3) using the source IP address [c.c.c.c] recorded in the packet as the search key, and finds that this source IP address is not registered.
When the source IP address is not registered, the bottom row of allocation manager table (301-3), as shown in Figure 26, records virtual firewall 304 as the virtual firewall to which such packets are distributed, so packet 321 is distributed to virtual firewall 304 for unregistered users (process point 352 of Figure 27).
Likewise, for packet 323 sent from remote terminal 313, the device searches allocation manager table (301-3) using the destination IP address [c.c.c.c] as the search key; when it finds that this destination IP address is not registered, packet 323 is distributed to virtual firewall 304 for unregistered users (process point 353 of Figure 27).
Virtual firewall 304 for unregistered users either records no filtering rules, so that all packets pass unconditionally, or records filtering rules shared by all unregistered users.
The firewall device of the present embodiment can also be applied to the firewall device of embodiment 2-2. In that case, packets from terminal 314 of user #c, who has not registered for the firewall service, and packets destined for terminal 314 pass through bypass path 305 shown in Figure 20.
[embodiment 2-6]
The firewall device of embodiment 2-6 of the present invention covers the following case: under the same conditions as the firewall device of embodiment 2-5, terminal 314 of user #c, who has not registered for the firewall service, establishes a network connection with the Internet 310 and then performs IP communication with remote terminal 313.
The schematic configuration of the firewall device of the present embodiment is identical to Figure 17, and Figure 28 shows the contents of the allocation manager table of the present embodiment.
Although user #c, who has not registered for the firewall service, has no user name or virtual firewall registered in allocation manager table (301-4), user #c can use the communication service of the Internet 110 through terminal 314, and a user name and password for user #c are registered in RADIUS server 330.
The operation of the firewall device of the present embodiment is described below using Figure 29. Figure 29 is a sequence diagram showing the operation of the firewall device of the present embodiment.
In Figure 29, the operations from LCP (339 of Figure 29) up to the IP address notification (342 of Figure 29) are identical to embodiment 2-1, so their explanation is not repeated.
On receiving the IP address notification (342 of Figure 29), firewall device 300 holds the IP address [c.c.c.c] to be given to the user terminal, as recorded in the IP address notification.
It then searches allocation manager table (301-4) using user name #c as the search key, but user name #c is not present.
When the user name is not present, IP address [c.c.c.c] and the ID (ID=304) of virtual firewall 304 for unregistered users are registered in allocation manager table (301-4), as shown in Figure 28.
At the same time, firewall device 300 exchanges NCP information with user terminal 314 (343 of Figure 29), sends IP address [c.c.c.c] to user terminal 314, and user terminal 314 recognizes its own IP address as [c.c.c.c].
After NCP completes, a PPP connection is established between user terminal 314 and the Internet 310. Then, when firewall device 300 receives packet 321 sent from user terminal 314 to remote terminal 313, it searches allocation manager table (301-4) using the source IP address [c.c.c.c] recorded in the packet as the search key, extracts the virtual firewall ID (ID=304) corresponding to this source IP address, and distributes packet 321 to virtual firewall 304 for unregistered users (process point 352 of Figure 29).
Likewise, for packet 323 sent from remote terminal 313, the device searches allocation manager table (301-4) using the destination IP address [c.c.c.c] as the search key, extracts the virtual firewall ID (ID=304) corresponding to this destination IP address, and distributes packet 323 to virtual firewall 304 for unregistered users (process point 353 of Figure 29).
As in embodiment 2-5, virtual firewall 304 for unregistered users either records no filtering rules, so that all packets pass unconditionally, or records filtering rules shared by all unregistered users.
When the source IP address is not registered at all, the packet is discarded, as recorded in the bottom row of allocation manager table (301-4) shown in Figure 28.
In this way, when a malicious user sends a large number of packets carrying an IP address that has not been given to any user, for example by IP spoofing, firewall device 300 can discard these packets.
The firewall device of the present embodiment is also applicable to the firewall device of embodiment 2-2.
In that case, the IP address [c.c.c.c] of the unregistered user and the filtering ID for unregistered users are registered in allocation manager table (301-4), and packets from terminal 314 of user #c, who has not registered for the firewall service, and packets destined for terminal 314 pass through bypass path 305 shown in Figure 20.
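The difference between embodiments 2-5 and 2-6 as an added example in Python, not code from the patent: the same allocation manager table under the two policies. In the 2-5 variant an unregistered user leaves no row and every lookup miss goes to virtual firewall 304; in the 2-6 variant the unregistered user's IP is registered under virtual firewall 304 at connection time, and a packet whose address is in no row is discarded, which is what stops a flood of packets carrying never-assigned addresses. The registered users #a and #b, the [c.c.c.c] placeholder and the never-assigned source address are constructed sample values.

```python
"""Packets from terminals not registered for the firewall service.

Added example, not the patent's code: the allocation manager table under the
policies of embodiments 2-5 and 2-6. Registered users, the [c.c.c.c]
placeholder and the never-assigned source address are constructed values.
"""
from dataclasses import dataclass, field

UNREGISTERED_VFW = 304        # virtual firewall for users without firewall service
DISCARD = "discard"


@dataclass
class AllocationTable:
    registered: dict           # user name -> virtual firewall ID (set up by the administrator)
    default_action: object     # bottom row: a VFW ID (embodiment 2-5) or DISCARD (embodiment 2-6)
    register_unknown: bool     # embodiment 2-6: add authenticated-but-unregistered IPs under VFW 304
    rows: dict = field(default_factory=dict)   # IP address -> virtual firewall ID

    def on_ip_notice(self, user, ip):
        """Called when the RADIUS server has assigned `ip` to `user` after authentication."""
        if user in self.registered:
            self.rows[ip] = self.registered[user]
        elif self.register_unknown:
            self.rows[ip] = UNREGISTERED_VFW
        # otherwise (embodiment 2-5) the unregistered user leaves no row

    def on_disconnect(self, ip):
        self.rows.pop(ip, None)

    def dispatch(self, src_ip, dst_ip):
        """Virtual firewall the packet is distributed to, or DISCARD, after searching
        by source IP (uplink) and then by destination IP (downlink)."""
        for key in (src_ip, dst_ip):
            if key in self.rows:
                return self.rows[key]
        return self.default_action   # bottom row of the table


def embodiment_2_5():
    return AllocationTable({"#a": 302, "#b": 303}, UNREGISTERED_VFW, register_unknown=False)


def embodiment_2_6():
    return AllocationTable({"#a": 302, "#b": 303}, DISCARD, register_unknown=True)


def scenario(table):
    """User #a and unregistered user #c connect; a packet then arrives from an address
    the RADIUS server never assigned; finally #c disconnects."""
    table.on_ip_notice("#a", "a.a.a.a")
    table.on_ip_notice("#c", "c.c.c.c")
    result = {
        "user_a_uplink": table.dispatch("a.a.a.a", "203.0.113.9"),
        "user_c_uplink": table.dispatch("c.c.c.c", "203.0.113.9"),
        "user_c_downlink": table.dispatch("203.0.113.9", "c.c.c.c"),
        "never_assigned_source": table.dispatch("198.51.100.77", "203.0.113.9"),
    }
    table.on_disconnect("c.c.c.c")
    result["user_c_after_disconnect"] = table.dispatch("c.c.c.c", "203.0.113.9")
    return result
```

Running `scenario` against both tables shows the only behavioural difference: user #c is served by virtual firewall 304 in both cases, but the never-assigned source (and #c's own address once released) is passed to 304 under 2-5 and discarded under 2-6.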
[embodiment 2-7]
The firewall device of embodiment 2-7 of the present invention covers the following case in the firewall device of embodiment 2-1: terminal 315 of user #d, who is not registered for the firewall service, establishes a network connection with the Internet 310 and then performs IP communication with remote terminal 313.
The schematic configuration of the firewall device of the present embodiment is identical to Figure 17, and Figure 30 shows the contents of the allocation manager table of the present embodiment.
User #d is a user who should originally have been registered for the firewall service, but in this example, because the administrator of firewall device 300 forgot to register user #d in allocation manager table (301-5) or registered the user incorrectly, user name #d has not been correctly registered in allocation manager table (301-5).
User name #d and the password are correctly registered in RADIUS server 330.
The operation of the firewall device of the present embodiment is described below using Figure 31. Figure 31 is a sequence diagram showing the operation of the firewall device of the present embodiment.
In Figure 31, the operations from LCP (339 of Figure 31) up to the IP address notification (342 of Figure 31) are identical to embodiment 2-1, so their explanation is not repeated.
On receiving the IP address notification (342 of Figure 31), firewall device 300 holds the IP address [d.d.d.d] to be given to the user terminal, as recorded in the IP address notification.
It then searches allocation manager table (301-5) using user name #d as the search key, but user name #d is not present.
When the user name is not present, firewall device 300 sends an authentication error notification (1743 of Figure 31) to user terminal 315 and ends the PPP establishment processing.
The firewall device of the present embodiment is also applicable to the firewall device of embodiment 2-2.
Usually, as shown in Figure 32, a filter table is constructed from the IP addresses of the user terminal side and the remote terminal side, the port numbers of the user terminal side and the remote terminal side, and so on.
As described above, in an always-on connection service, the user terminal side IP address changes with each PPP connection.
Therefore, the user terminal side IP address to be registered in filter table 1961 of Figure 32 must be set dynamically at each PPP connection, and the amount of setting processing grows in proportion to the number of rules.
In contrast, as shown in Figure 33, the special filtering table of the present invention assigns a special filtering ID to packets in allocation manager table 2001 and uses that special filtering ID in special filtering table 2061 in place of the user terminal side IP address.
Because the special filtering ID is a fixed value that does not depend on the user terminal side IP address, special filtering table 2061 is not affected at all, no matter how many times the PPP connection is repeated.
The only place affected by the change of user terminal side IP address at each PPP connection is the correspondence between user terminal side IP address and special filtering ID in allocation manager table 2001; this does not depend on the number of rules in special filtering table 2061, so only one row needs to be changed.
Thus, introducing the filtering ID also contributes to reducing the processing load inside the filter.
In addition, by introducing the shared filtration ID of the present invention, a filtering policy common to a plurality of users can be consolidated into a single shared table instead of providing a filter table for every such user, which contributes to reducing the total volume of filter tables in the firewall device.
(Effects of embodiments 2-1 to 2-7)
According to the filters of embodiments 2-1 to 2-7, the number of users that can be accommodated can be increased and the filter tables can be made more efficient.
(Embodiments 3-1 to 3-6)
Embodiments 3-1 to 3-6 are described in detail below with reference to the drawings.
[embodiment 3-1]
Figure 34 is a block diagram showing the schematic configuration of the authentication-cooperating distributed firewall device of embodiment 3-1 of the present invention and a network model that uses the authentication-cooperating distributed firewall device of embodiment 3-1.
The authentication-cooperating distributed firewall device (hereinafter abbreviated as firewall device) 501 accommodates user terminal (502-1) used by user (515-1) and user terminal (502-2) used by user (515-2), both of which start their connection through authentication, and is connected to external network (for example, the Internet) 503.
Firewall device 501 is connected to Security Policy Server 504, which has security policy table 511 holding each user's own security policy, and to identifier management server 505, which has identifier management table 512 holding the identifiers distributed to firewall device 501.
Firewall device 501 is also connected to authentication server 506, which has user authentication information 513 and user terminal information portion 514; user terminal information portion 514 holds a deposit table made up of the user terminal information given to user terminals upon authentication.
Here, the authentication server may be, for example, a RADIUS (Remote Authentication Dial-in User Service) server, and the user terminal information stored in user terminal information portion 514 may be the IP address given to the user terminal.
Connection from user terminals (502-1, 502-2) to the network may use PPP (Point-to-Point Protocol), and authentication may use PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol).
Firewall device 501 has allocation manager table 507, which associates the user terminal information attached to received packets with identifiers indicating the filter tables used to filter those packets, and firewall portion 508, which performs the actual filtering.
Firewall portion 508 has shared filter table 509, which holds the security policy shared by user (515-1) and user (515-2), and special filtering table section 510, an area for holding the dedicated security policy of user (515-1) or user (515-2).
Special filtering table section 510 can be divided into an area in which identifying information is written and an area, associated with it, in which the security policy is written.
Figure 35 shows the details of authentication information 513 in the authentication server shown in Figure 34, and Figure 36 shows the details of the deposit table held in user terminal information portion 514 of the authentication server shown in Figure 34.
Figure 37 shows the details of identifier management table 512 in the identifier management server shown in Figure 34, Figure 38 shows the details of security policy table 511 in the Security Policy Server shown in Figure 34, and Figure 39 shows the allocation manager table in its initial state inside the firewall device shown in Figure 34.
Figures 40 and 41 show an example of the processing sequence of the network model of Figure 34: user (515-1) connects to external network 503 and then disconnects, after which user (515-2) connects to external network 503 and then disconnects.
First, the connection start processing sequence of user (515-1) is described.
User (515-1) sends user name (user 515-1) and password (α) from the user terminal to firewall device 501 (11-1, 11-2 of Figure 40).
Firewall device 501, having received this user name (user 515-1) and password (α), holds the user name (user 515-1) (11-3 of Figure 40) and sends the user name (user 515-1) and password (α) to authentication server 506 (11-4 of Figure 40).
Authentication server 506 searches authentication information 513 using the received user name (user 515-1) and password (α) and determines that authentication succeeds (11-5 of Figure 40).
It further extracts from the deposit table of user terminal information portion 514 a usable entry of user terminal information (IP_1) whose in-use flag is "0", sets the in-use flag of the extracted entry to "1", and notifies firewall device 501 of the extracted user terminal information (IP_1) together with the authentication success notification (11-6, 11-7 of Figure 40).
Firewall device 501 holds the received user terminal information (IP_1), associates it with the line to which the user terminal is connected (11-8 of Figure 40), and sends the held user name (user 515-1) to identifier management server 505 (11-9 of Figure 40).
Identifier management server 505 searches identifier management table 512 using the received user name (user 515-1), extracts the shared filter table ID (shared 509) and special filtering table ID (special 510-1) associated with the user name, and sends these identifiers (shared 509, special 510-1) to firewall device 501 (11-10, 11-11 of Figure 40).
Firewall device 501 holds the received special filtering table ID (special 510-1) and writes the received shared filter table ID (shared 509) and special filtering table ID (special 510-1), together with the held user terminal information (IP_1), into allocation manager table 507 shown in Figure 39 (11-12 of Figure 40).
It also sends the held user name (user 515-1) to Security Policy Server 504 (11-13 of Figure 40).
Security Policy Server 504 searches the security policy table 512 it holds using the received user name (user 515-1), extracts the dedicated security policy (rule 1-1 to rule 1-m) associated with the user name (11-14 of Figure 40), and sends it to firewall device 501 (11-15 of Figure 40).
Firewall device 501 writes the held special filtering table ID (special 510-1) into the identifying information area of special filtering table section 510 and writes the received dedicated security policy (rule 1-1 to rule 1-m) into the security policy area (11-16 of Figure 40).
After this series of processing, an authentication success notification containing the held user terminal information (IP_1) is sent to user terminal (502-1) (11-17 of Figure 40).
The connection start processing sequence then ends, and user (515-1) can connect to external network 503 through user terminal (502-1).
Next, the communication processing sequence between user terminal (502-1) and external network 503 is described.
When forwarding a packet from user terminal (502-1) to external network 503, user terminal (502-1) uses the user terminal information (IP_1) last received in the connection start processing sequence as its own address, attaches this address to the packet, and forwards the packet to firewall device 501 (11-18 of Figure 40).
Firewall device 501 extracts the user terminal information (IP_1) from the received packet, searches allocation manager table 507 using this user terminal information (IP_1) as the key, and extracts the shared filter table ID (shared 509) and special filtering table ID (special 510-1) (11-19 of Figure 40).
Then, in firewall portion 508, the packet is filtered using the filter tables indicated by the extracted shared filter table ID (shared 509) and special filtering table ID (special 510-1) (11-20, 11-21 of Figure 40) and is then forwarded to external network 503 (11-22 of Figure 40).
When a packet addressed to user terminal (502-1) is received from external network 503 (11-23 of Figure 40) and is to be forwarded to user terminal (502-1), the packet carries the user terminal information (IP_1) as its destination address, so firewall device 501 extracts this user terminal information (IP_1) from the received packet (11-24 of Figure 40), filters the packet by the same processing sequence as for packets forwarded from user terminal (502-1) to external network 503 (11-25, 11-26 of Figure 40), and then forwards the packet to user terminal (502-1) (11-27 of Figure 40).
Through the above processing, firewall device 501 of the present embodiment applies filtering to packets sent in both directions, from the user terminal side and from the external network side, and forwards them.
Next, the disconnection processing sequence of user (515-1) is described.
On disconnection, user (515-1) notifies firewall device 501 of a disconnection request through user terminal (502-1) (11-28, 11-29 of Figure 40).
When firewall device 501 receives the disconnection request, it checks the receiving line and derives the user terminal information (IP_1) that was associated with that line in the connection start processing sequence.
Based on this user terminal information, it extracts the special filtering table ID (special 510-1) from the entry of allocation manager table 507 associated with user terminal information (IP_1) and then deletes that entry (11-30 of Figure 40).
In special filtering table section 510 of firewall portion 508, it deletes the identifying information in which the extracted special filtering table ID (special 510-1) is recorded and the security policy area associated with it (11-31 of Figure 40).
It also sends the derived user terminal information (IP_1) to authentication server 506 (11-32 of Figure 40), and authentication server 506 restores to "0" the in-use flag of the entry in the deposit table of user terminal information portion 514 associated with the received user terminal information (11-33 of Figure 40).
In this way, the contents of the various tables changed in the connection processing sequence are restored to their pre-connection state, and the disconnection processing sequence ends.
Then, in the same way as for user (515-1), the connection start processing sequence, communication processing sequence and disconnection processing sequence of user (515-2) are performed (11-34 to 11-66 of Figure 41).
The processing sequence of user (515-2) is characterized as follows: because the disconnection processing sequence of user (515-1) has removed the information relating to user (515-1) from allocation manager table 507 and special filtering table section 510 of firewall device 501, the information relating to user (515-2) can be written into the same areas; moreover, the user terminal information (IP_1) used by user (515-1) can be reused, and even when the user terminal information is the same (IP_1) as that of user (515-1), filtering is performed according to the security policy for user (515-2).
Thus, with respect to the problem to be solved by the present invention, special filtering table section 510 and shared filter table 509 are used and only the security policies written in special filtering table section 510 are loaded, so the load can be reduced.
In addition, the areas of special filtering table section 510 and allocation manager table 507 are used only while a user terminal is connected and are released on disconnection, so firewall device 501 need only hold the contents of special filtering table section 510 and allocation manager table 507 corresponding to the number of simultaneously connected user terminals, which reduces the capacity of security policies that must be held.
Furthermore, because the user terminal information given at each connection is associated with the security policy, filtering corresponding to the connecting user can be performed even when the user terminal information duplicates that of another user terminal in the past.
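The connect, communicate and disconnect sequence of embodiment 3-1, as an added example in Python that is not code from the patent. The authentication server with its in-use flags, the identifier management table and the security policy table are modelled as in-memory dictionaries; the credentials, the IP pool (IP_1, IP_2), the rules and the special filtering table ID "special 510-2" for user (515-2) are constructed assumptions, since the text names only "special 510-1". The same model also shows the point made about Figure 33: a reconnection under a new address changes only the allocation row, never the policy keyed by the special filtering table ID.

```python
"""Authentication-cooperating connect / communicate / disconnect sequence (embodiment 3-1).

Added example, not the patent's code. Servers are in-memory dictionaries; user
names, passwords, the IP pool, the rules and "special 510-2" are constructed.
"""
from dataclasses import dataclass, field

PASS, DISCARD = "pass", "discard"


@dataclass(frozen=True)
class Rule:
    remote_port: int    # port on the external-network side
    action: str


class AuthServer:
    """RADIUS-like server: authentication information 513 plus the deposit table 514."""

    def __init__(self, credentials, pool):
        self.credentials = dict(credentials)
        self.deposit = {ip: 0 for ip in pool}   # in-use flag: 0 = free, 1 = in use

    def authenticate(self, user, password):
        """Return a free IP on success (and mark it in use), None on failure."""
        if self.credentials.get(user) != password:
            return None
        ip = next((ip for ip, busy in self.deposit.items() if busy == 0), None)
        if ip is not None:
            self.deposit[ip] = 1
        return ip

    def release(self, ip):
        self.deposit[ip] = 0


@dataclass
class FirewallDevice:
    auth: AuthServer
    identifiers: dict          # identifier management table 512: user -> (shared ID, special ID)
    policies: dict             # security policy table 511: user -> [Rule]
    shared_tables: dict        # shared filter table 509: shared ID -> [Rule]
    allocation: dict = field(default_factory=dict)       # table 507: IP -> (shared ID, special ID)
    special_section: dict = field(default_factory=dict)  # section 510: special ID -> [Rule]
    lines: dict = field(default_factory=dict)            # access line -> IP

    def connect(self, line, user, password):
        ip = self.auth.authenticate(user, password)
        if ip is None:
            return None                      # authentication error: tables untouched
        if user not in self.identifiers:     # assumption: treated like an auth error
            self.auth.release(ip)
            return None
        shared_id, special_id = self.identifiers[user]
        self.lines[line] = ip
        self.allocation[ip] = (shared_id, special_id)
        self.special_section[special_id] = list(self.policies[user])
        return ip

    def filter(self, src_ip, dst_ip, src_port, dst_port):
        if src_ip in self.allocation:        # uplink: remote port is the destination port
            entry, remote_port = self.allocation[src_ip], dst_port
        elif dst_ip in self.allocation:      # downlink: remote port is the source port
            entry, remote_port = self.allocation[dst_ip], src_port
        else:
            return DISCARD
        shared_id, special_id = entry
        # dedicated rules first, then the shared table; default deny is an assumption
        for rule in self.special_section.get(special_id, []) + self.shared_tables.get(shared_id, []):
            if rule.remote_port == remote_port:
                return rule.action
        return DISCARD

    def disconnect(self, line):
        ip = self.lines.pop(line)
        _shared_id, special_id = self.allocation.pop(ip)
        self.special_section.pop(special_id, None)
        self.auth.release(ip)                # in-use flag back to 0


def run_sequence():
    """Figures 40 and 41 in miniature: user 515-1 connects, communicates and
    disconnects, then user 515-2 does the same and receives the same IP_1."""
    auth = AuthServer({"user 515-1": "alpha", "user 515-2": "beta"}, ["IP_1", "IP_2"])
    fw = FirewallDevice(
        auth=auth,
        identifiers={"user 515-1": ("shared 509", "special 510-1"),
                     "user 515-2": ("shared 509", "special 510-2")},
        policies={"user 515-1": [Rule(22, PASS)],
                  "user 515-2": [Rule(22, DISCARD), Rule(25, PASS)]},
        shared_tables={"shared 509": [Rule(80, PASS), Rule(443, PASS)]},
    )
    out = {}
    ip1 = fw.connect("line-1", "user 515-1", "alpha")
    out["user1_ip"] = ip1
    out["user1_port22"] = fw.filter(ip1, "203.0.113.5", 40000, 22)
    out["user1_port80_downlink"] = fw.filter("203.0.113.5", ip1, 80, 40000)
    fw.disconnect("line-1")
    out["tables_empty"] = not fw.allocation and not fw.special_section
    out["ip1_released"] = auth.deposit["IP_1"] == 0
    ip2 = fw.connect("line-2", "user 515-2", "beta")
    out["user2_ip"] = ip2
    out["user2_port22"] = fw.filter(ip2, "203.0.113.5", 40000, 22)
    out["user2_port25"] = fw.filter(ip2, "203.0.113.5", 40000, 25)
    out["bad_password"] = fw.connect("line-3", "user 515-1", "wrong")
    return out
```

The second user receives IP_1 again because the disconnection cleared the allocation row and the special section entry and reset the in-use flag; a packet from IP_1 to port 22 is passed while user (515-1) is connected and discarded once user (515-2) holds that address, which is the reuse behaviour the text claims.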
[embodiment 3-2]
Figure 42 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-2 of the present invention and a network model that uses the firewall device of embodiment 3-2.
The network model shown in Figure 42 adds to the network model shown in Figure 34 a firewall device 1201 and a user terminal 1202 connected to firewall device 1201.
User (515-1) can connect to firewall device 1201, and firewall device 1201 is connected to external network 503, Security Policy Server 504, identifier management server 505 and authentication server 506.
Firewall device 1201 has allocation manager table 1207 and firewall portion 1208, which performs the actual filtering; allocation manager table 1207 holds information associating the user terminal information attached to received packets with identifiers indicating the tables used to filter those packets.
Firewall portion 1208 has shared security policy table 1209, which holds the security policy shared by a plurality of users including user (515-1), and special filtering table section 1210, an area for holding the dedicated security policy of user (515-1).
Special filtering table section 1210 can be divided into an area in which identifying information is written and an area in which the security policy is written.
Figure 43 shows an example of the processing sequence of the network model of Figure 42: after the processing sequence shown in Figure 40, user (515-1) connects to external network 503 again from user terminal 1202, which is connected to firewall device 1201, communicates, and disconnects.
The connection processing sequence in which user (515-1) moves to user terminal 1202 and reconnects, the communication processing sequence and the disconnection processing sequence shown in 12-1 to 12-33 of Figure 43 are identical to the processing sequence performed by firewall device 501 shown in Figure 40, so their explanation is not repeated.
In firewall device 1201, the dedicated security policy for user (515-1) sent from Security Policy Server 504 and the various identifiers sent from identifier management server 505 are all identical to the information sent to firewall device 501 in Figure 40.
Thus, in the present embodiment, the security policy corresponding to a user can be applied even when the user has changed the firewall device that accommodates them.
[embodiment 3-3]
Figure 44 is a block diagram showing the schematic configuration of the firewall device of embodiment 3-3 of the present invention and a network model that uses the firewall device of embodiment 3-3.
The present embodiment differs from embodiment 3-1 in that identifier management table 512, which maps user names to the various identifiers and was held in identifier management server 505, is held inside firewall device 501.
Figure 45 shows an example of the processing sequence of the network model of Figure 44; it differs from the processing sequence shown in Figure 40 in that the communication with identifier management server 505 is removed and processing that uses identifier management table 512 held inside firewall device 501 is newly added.
The part of the processing sequence that differs from Figure 40 is as follows: in 11-8 of Figure 45, the user information received from authentication server 506 is held and associated with the connection line of user terminal (502-1); the user name held in 11-3 of Figure 45 is then used as the search key to search identifier management table 512 and extract the shared filter table ID and special filtering table ID (15-9, 15-10, 15-11 of Figure 45).
In the present embodiment, because firewall device 501 must hold identifier management table 512 containing the various identifiers of all users it could possibly accommodate, firewall device 501 needs a particularly large memory capacity, or else the number of users it can accommodate is reduced; on the other hand, it can operate without communicating with an identifier management server.
[Embodiment 3-4]
Figure 46 is a block diagram showing the schematic configuration of a firewall device according to embodiment 3-4 of the present invention and a network model using that firewall device.
This embodiment differs from embodiment 3-1 in the following respect: the security policy table 511, which maps user names to dedicated security policies and which in embodiment 3-1 is held in the security policy server 504, is held inside the firewall device 501.
Figure 47 shows an example of the processing sequence of the network model of Figure 46. It differs from the sequence shown in Figure 40 in the following respects: the communication with the security policy server 504 is removed, and processing of the security policy table 511 held inside the firewall device 501 is newly added.
The part of the processing sequence that differs from Figure 40 is as follows: in step 11-12 of Figure 47, after the various identifiers have been written to the distribution management table 507, the user name held in step 11-3 of Figure 47 is used as a search key to search the security policy table 511 and extract the security policy corresponding to that user name (17-13, 17-14 and 17-15 of Figure 47).
In this embodiment the firewall device 501 must hold a security policy table 511 containing the dedicated security policies of every user it may accommodate, so the firewall device 501 needs a particularly large memory capacity, or else the number of users that can be accommodated is reduced; on the other hand, it can operate without communicating with a security policy server at all.
[Embodiment 3-5]
Figure 48 is a block diagram showing the schematic configuration of a firewall device according to embodiment 3-5 of the present invention and a network model using that firewall device.
This embodiment differs from embodiment 3-1 in the following respect: both the security policy table 511, which maps user names to dedicated security policies and which in embodiment 3-1 is held in the security policy server 504, and the identifier management table 512, which maps user names to the various identifiers and which in embodiment 3-1 is held in the identifier management server 505, are held inside the firewall device 501.
Figure 49 shows an example of the processing sequence of the network model of Figure 48. It differs from the sequence shown in Figure 40 in the following respects: the communication with the security policy server 504 and the communication with the identifier management server 505 are removed, and processing of the security policy table 511 and the identifier management table 512 held inside the firewall device 501 is newly added.
The part of the processing sequence that differs from Figure 40 is as follows: in step 11-8 of Figure 49, the user information received from the authentication server 506 is held and the connection line of the user terminal (502-1) is associated with this user information; then the user name held in step 11-3 of Figure 49 is used as a search key to search the identifier management table 512 and extract the shared filter table ID and the dedicated filter table ID (19-9, 19-10 and 19-11 of Figure 49). In step 11-12 of Figure 49, after the various identifiers have been written to the distribution management table 507, the user name held in step 11-3 of Figure 49 is used as a search key to search the security policy table 511 and extract the security policy corresponding to that user name (19-13, 19-14 and 19-15 of Figure 49).
In this embodiment the firewall device 501 must hold a security policy table 511 containing the dedicated security policies of every user it may accommodate, and must also hold an identifier management table 512 containing the identifiers of every such user. The firewall device 501 therefore needs a particularly large memory capacity, or else the number of users that can be accommodated is further reduced; on the other hand, it can operate without communicating with either a security policy server or an identifier management server.
[Embodiment 3-6]
Figure 50 is a block diagram showing the schematic configuration of a firewall device according to embodiment 3-6 of the present invention and a network model using that firewall device.
Firewall device 2001 accommodates: a user terminal (2002-1) used by a user (2015-1) who, after authentication, connects to the external network 2003 via contracted network 1 (2016-1) (for example an ISP, Internet Service Provider) and begins the connection; and a user terminal (2002-2) used by a user (2015-2) who, after authentication, connects to the external network 2003 via contracted network 2 (2016-2) and begins the connection.
Firewall device 2001 is further connected to a security policy server 2004 and an identifier management server 2005. The security policy server 2004 has a security policy table 2011 that holds each user's own security policy; the identifier management server 2005 has an identifier management table 2012 that holds the identifiers assigned to the firewall device 2001.
Firewall device 2001 is also connected to authentication server 1 (2006-1). Authentication server 1 (2006-1) has user authorization information (2013-1) and a user terminal information section (2014-1) that holds a storage table of the user terminal information given to user terminals, and it authenticates the users who connect to the external network via contracted network 1.
Firewall device 2001 is likewise connected to authentication server 2 (2006-2). Authentication server 2 (2006-2) has user authorization information (2013-2) and a user terminal information section (2014-2) that holds a storage table of the user terminal information given to user terminals, and it authenticates the users who connect to the external network via contracted network 2.
Firewall device 2001 further has a distribution management table 2007 that associates the user terminal information carried in a received packet with the virtual firewall (2014-1, 2014-2) that filters that packet and with the identifiers indicating the filter tables to be used.
Firewall device 2001 also has a firewall section 2008 that performs the actual filtering. The firewall section 2008 has virtual firewall 1 (2014-1), which filters packets associated with user terminals connected to the external network 2003 via contracted network 1 (2016-1), and virtual firewall 2 (2014-2), which filters packets associated with user terminals connected to the external network 2003 via contracted network 2 (2016-2).
Virtual firewall 1 (2014-1) has a shared filter table (2009-1) that holds the security policy shared by the multiple users filtered by virtual firewall 1 (2014-1), and a dedicated filter table section (2010-1) that serves as the area holding each user's dedicated security policy.
The dedicated filter table section (2010-1) is divided into an area in which identification information is written and an area, associated with that identification-information area, in which the security policy is written.
Like virtual firewall 1 (2014-1), virtual firewall 2 (2014-2) also has a shared filter table (2009-2) and a dedicated filter table section (2010-2), and the dedicated filter table section (2010-2) is likewise divided into an area for identification information and an associated area for the security policy.
Figure 51 shows the details of the authorization information (2013-1) in authentication server 1 shown in Figure 50, and Figure 52 shows the details of the storage table held in the user terminal information section (2014-1) of authentication server 1 shown in Figure 50.
Similarly, Figure 53 shows the details of the authorization information (2013-2) in authentication server 2 shown in Figure 50, and Figure 54 shows the details of the storage table held in the user terminal information section (2014-2) of authentication server 2 shown in Figure 50.
Figure 55 shows the user name that user (2015-1) sends to firewall device 2001 via user terminal (2002-1), and Figure 56 shows the user name that user (2015-2) sends to firewall device 2001 via user terminal (2002-2).
Figure 57 shows the details of the identifier management table 2012 in the identifier management server shown in Figure 50, and Figure 58 shows the details of the security policy table 2011 in the security policy server shown in Figure 50.
Figures 59 and 60 show an example of the processing sequence of the network model of Figure 50. They show the following sequence: user (2015-1) connects to the external network 2003 via contracted network 1 (2016-1) and then disconnects; and user (2015-2) connects to the external network 2003 via contracted network 2 (2016-2) and then disconnects.
First, the connection start processing sequence of user (2015-1) is described.
User (2015-1) sends the user name (user 2015-1 2016-1) and the password (α) to firewall device 2001 via user terminal (2002-1) (21-1 and 21-2 of Figure 59).
Firewall device 2001, having received this user name (user 2015-1 2016-1) and password (α), holds the first half of the user name (user 2015-1) (21-3 of Figure 59), determines from the latter half of the user name (2016-1) that the authorization information is to be sent to authentication server 1 (2006-1), and sends the first half of the user name (user 2015-1) and the password (α) to that server (21-4 of Figure 59).
Authentication server 1 (2003-1) searches the authorization information (2013-1) using the received first half of the user name (user 2015-1) and the password (α), and determines that authentication succeeds (21-5 of Figure 59).
It then extracts from the storage table of the user terminal information section (2014-1) a usable user terminal information entry (IP_1) whose in-use flag is "0" (21-6 of Figure 59), sets the in-use flag of the extracted entry to "1", and notifies firewall device 2001 of this user terminal information (IP_1) together with the authentication-success notice (21-7 of Figure 59).
Firewall device 2001 holds the received user terminal information (IP_1) (21-8 of Figure 59), associates this user terminal information (IP_1) with the line to which user terminal (2002-1) is connected, and sends the held first half of the user name (user 2015-1) to the identifier management server 2005 (21-9 of Figure 59).
Identifier management server 2005 searches the identifier management table 2012 using the received first half of the user name (user 2015-1), extracts the virtual firewall ID (virtual 2014-1), shared filter table ID (shared 2009-1) and dedicated filter table ID (dedicated 2010-1) associated with the first half of the user name (user 2015-1) (21-10 of Figure 59), and sends these identifiers to firewall device 2001 (21-11 of Figure 59).
Firewall device 2001 holds the received dedicated filter table ID (dedicated 2010-1), and writes the received virtual firewall ID (virtual 2014-1), shared filter table ID (shared 2009-1) and dedicated filter table ID (dedicated 2010-1), together with the held user terminal information (IP_1), into the distribution management table 2007 (21-12 of Figure 59).
It also sends the held first half of the user name (user 2015-1) to the security policy server 2004 (21-13 of Figure 59).
Security policy server 2004 searches its security policy table 2011 using the received first half of the user name (user 2015-1), extracts the dedicated security policy (rule 1-1 to rule 1-m) associated with the first half of the user name (user 2015-1) (21-14 of Figure 59), and sends it to firewall device 2001 (21-15 of Figure 59).
Firewall device 2001 writes the held dedicated filter table ID (dedicated 2010-1) into the identification information area of the dedicated filter table section (2010-1), and writes the received dedicated security policy into the security policy area (21-16 of Figure 59).
After this series of processing has been carried out, an authentication-success notice containing the held user terminal information (IP_1) is sent to user terminal (2002-1) (21-17 of Figure 59).
The connection start processing sequence then ends, and user (2015-1) can communicate with the external network 2003 via user terminal (2002-1).
Next, the communication processing sequence between user terminal (2002-1) and the external network 2003 is described.
When user terminal (2002-1) forwards a packet to the external network 2003, it uses the user terminal information (IP_1) received at the end of the connection start processing sequence as its own address, attaches this address to the packet, and forwards the packet to firewall device 2001 (21-18 of Figure 59).
Firewall device 2001 extracts the user terminal information (IP_1) from the received packet, searches the distribution management table 2007 with this user terminal information (IP_1) as the key, and extracts the virtual firewall ID (virtual 2014-1), shared filter table ID (shared 2009-1) and dedicated filter table ID (dedicated 2010-1) (21-19 of Figure 59).
It then allocates the received packet to the virtual firewall (2014-1) indicated by the extracted virtual firewall ID (virtual 2014-1), filters the packet using, among the filter tables of that virtual firewall, the tables indicated by the extracted shared filter table ID (shared 2009-1) and dedicated filter table ID (dedicated 2010-1) (21-20 and 21-21 of Figure 59), and forwards the packet to the external network 2003 via contracted network 1 (2016-1) (21-22 of Figure 59).
Conversely, when a packet destined for user terminal (2002-1) is received from the external network 2003 via contracted network 1 (2016-1) (21-23 of Figure 59) and is to be forwarded to user terminal (2002-1), the packet from the external network 2003 carries the user terminal information (IP_1) as its destination address. Firewall device 2001 extracts this user terminal information (IP_1) from the received packet (21-24 of Figure 59), filters the packet by the same processing sequence as for packets from user terminal (2002-1) to the external network 2003 (21-25 and 21-26 of Figure 59), and then forwards the packet to user terminal (2002-1) (21-27 of Figure 59).
Through the above processing, the firewall device 2001 of this embodiment filters and forwards packets in both directions: those sent from the user terminal side and those sent from the external network side.
Next, the disconnection processing sequence of user (2015-1) is described.
On disconnection, a disconnect request is sent from user (2015-1) to firewall device 2001 via user terminal (2002-1) (21-28 and 21-29 of Figure 59).
When firewall device 2001 receives the disconnect request, it examines the receiving line and derives the user terminal information (IP_1) that was associated with that line during the connection start processing sequence.
Using this user terminal information (IP_1), it extracts the virtual firewall ID (virtual 2014-1) and dedicated filter table ID (dedicated 2010-1) from the entry of the distribution management table 2007 associated with that user terminal information (IP_1), and then deletes that entry (21-30 of Figure 59).
Then, in the dedicated filter table section (2010-1) of virtual firewall 1 (2014-1), indicated by the extracted virtual firewall ID (virtual 2014-1), it deletes the identification information recording the extracted dedicated filter table ID (dedicated 2010-1) together with the security policy area associated with it (21-31 of Figure 59).
It also sends the user terminal information (IP_1) derived on receipt of the disconnect request to authentication server 1 (2006-1) (21-32 of Figure 59).
Authentication server 1 (2006-1) resets the in-use flag of the entry in the storage table of the user terminal information section (2014-1) that is associated with the received user terminal information (IP_1) back to "0" (21-33 of Figure 59).
In this way the contents of the various tables changed during the connection processing sequence are restored to their state before the connection, and the disconnection processing sequence ends.
Then, by the same method as for user (2015-1), the connection start processing sequence, communication processing sequence and disconnection processing sequence for user (2015-2) are carried out (21-34 to 21-66 of Figure 60).
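As an added illustration (not code from the patent), the following Python models the connection start, communication and disconnection sequences of Figures 59 and 60 for user (2015-1): the authentication server's in-use flags, the distribution management table 2007, the shared and dedicated filter tables, and the restoration of every table on disconnect. All class names, table keys, rules and IP values are constructed; the requirement that both the shared table and the dedicated table allow a packet before it is forwarded is an assumption, since the text only says that both tables are applied.

```python
# Added illustration, not code from the patent; all names, keys, rules and IPs are constructed.
from collections import namedtuple

ALLOW, DROP = "allow", "drop"
Rule = namedtuple("Rule", "dport action")   # dport None matches any destination port


def evaluate(rules, packet):
    """First matching rule decides; no match means drop (default deny)."""
    for r in rules:
        if r.dport is None or r.dport == packet["dport"]:
            return r.action
    return DROP


class AuthServer:
    """Authorization info (2013-x) and user terminal info table (2014-x) with in-use flags '0'/'1'."""

    def __init__(self, credentials, ip_pool):
        self.credentials = credentials
        self.pool = {ip: "0" for ip in ip_pool}

    def authenticate(self, user, password):
        if self.credentials.get(user) != password:
            return None                           # authentication error
        for ip, flag in self.pool.items():
            if flag == "0":
                self.pool[ip] = "1"               # 21-6: mark the address in use
                return ip                         # 21-7: sent with the success notice
        return None                               # address pool exhausted

    def release(self, ip):
        self.pool[ip] = "0"                       # 21-33: restore the flag


class FirewallDevice:
    """Firewall device 2001 with its distribution management table 2007 and filter tables."""

    def __init__(self, auth_servers, identifier_table, policy_table, shared_tables):
        self.auth_servers = auth_servers          # latter half of user name -> server
        self.identifier_table = identifier_table  # user -> (vfw, shared id, dedicated id)
        self.policy_table = policy_table          # user -> dedicated rules (table 2011)
        self.shared = shared_tables               # (vfw, shared id) -> rules
        self.allocation = {}                      # user IP -> identifiers (table 2007)
        self.lines = {}                           # receiving line -> (user IP, network)
        self.dedicated = {}                       # (vfw, dedicated id) -> rules

    def connect(self, line, username, password):
        """Connection start sequence, steps 21-1 to 21-17; returns the assigned IP."""
        user, network = username.split("@")       # 21-3: keep first half, route on latter
        ip = self.auth_servers[network].authenticate(user, password)   # 21-4 .. 21-7
        if ip is None:
            return None                           # error reported, nothing registered
        self.lines[line] = (ip, network)          # 21-8: bind the IP to the line
        vfw, shared_id, ded_id = self.identifier_table[user]           # 21-9 .. 21-11
        self.allocation[ip] = (vfw, shared_id, ded_id)                 # 21-12
        self.dedicated[(vfw, ded_id)] = list(self.policy_table[user])  # 21-13 .. 21-16
        return ip

    def filter_packet(self, packet):
        """Steps 21-18 to 21-27: look up the user's IP in either direction, apply both tables."""
        ip = packet["src"] if packet["src"] in self.allocation else packet["dst"]
        if ip not in self.allocation:
            return DROP                           # no entry, so no virtual firewall
        vfw, shared_id, ded_id = self.allocation[ip]                   # 21-19
        verdicts = (evaluate(self.shared[(vfw, shared_id)], packet),   # 21-20
                    evaluate(self.dedicated[(vfw, ded_id)], packet))   # 21-21
        return ALLOW if all(v == ALLOW for v in verdicts) else DROP

    def disconnect(self, line):
        """Disconnect sequence, steps 21-28 to 21-33: undo every table change."""
        ip, network = self.lines.pop(line)        # 21-29: derive the IP from the line
        vfw, _shared_id, ded_id = self.allocation.pop(ip)              # 21-30
        del self.dedicated[(vfw, ded_id)]         # 21-31: clear the dedicated section
        self.auth_servers[network].release(ip)    # 21-32


def run_sequence():
    """Drive user 2015-1 through connect, filter and disconnect; return what happened."""
    auth1 = AuthServer({"user2015-1": "alpha"}, ["IP_1", "IP_2"])
    fw = FirewallDevice(
        auth_servers={"2016-1": auth1},
        identifier_table={"user2015-1": ("virtual2014-1", "shared2009-1", "dedicated2010-1")},
        policy_table={"user2015-1": [Rule(80, ALLOW), Rule(None, DROP)]},   # rules 1-1..1-m
        shared_tables={("virtual2014-1", "shared2009-1"):
                       [Rule(80, ALLOW), Rule(443, ALLOW), Rule(None, DROP)]},
    )
    out = {"bad_password": fw.connect("line-1", "user2015-1@2016-1", "wrong")}
    out["ip"] = fw.connect("line-1", "user2015-1@2016-1", "alpha")
    out["entry"] = fw.allocation.get(out["ip"])
    out["web_out"] = fw.filter_packet({"src": "IP_1", "dst": "203.0.113.9", "dport": 80})
    out["tls_in"] = fw.filter_packet({"src": "203.0.113.9", "dst": "IP_1", "dport": 443})
    fw.disconnect("line-1")
    out["after"] = (dict(fw.allocation), dict(fw.dedicated), auth1.pool["IP_1"],
                    fw.filter_packet({"src": "IP_1", "dst": "203.0.113.9", "dport": 80}))
    return out
```

The inbound TLS packet is dropped even though the shared table allows port 443, because the user's dedicated table only allows port 80; after disconnect the same source address no longer maps to any virtual firewall.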
Thus, in this embodiment, firewall device 2001 operates as a plurality of firewalls; users are authenticated for each firewall by a dedicated authentication server (2006-1, 2006-2); each firewall can connect to the external network 2003 via its own contracted network (2016-1, 2016-2); and a security policy can be loaded for each user.
In the above description the security policy server (504, 2004) and the identifier management server (505, 2005) were each described as a single server, but each firewall device of this embodiment may also be connected to two security policy servers having identical security policy tables, or to two identifier management servers having identical identifier management tables.
(Effects of embodiments 3-1 to 3-6)
According to the firewall devices of embodiments 3-1 to 3-6, when the accommodated network or terminal is dynamically connected or disconnected, or the accommodating firewall device is changed, the security policy capacity that must be held can be kept to the minimum necessary, so the amount of security policy loaded in the firewall device is reduced.
The firewall device of each embodiment described above can be realized, for example, by installing in a computer system having a communication device a program that executes the processing described in that embodiment. As shown in Figure 61, for example, this computer system has a CPU 600, a memory 601, a hard disk 601, an input/output device 603 and a communication device 604. The data held during the processing of each embodiment is kept, for example, in the memory 601. The communication device 604 serves as the communication unit that communicates with the other servers. The computer system here also includes a router or the like.
The invention is not limited to the above embodiments; various modifications and applications are possible within the scope of the claims.

Claims (42)

1. A firewall device having a plurality of virtual firewalls, each virtual firewall having its own independent filtering policy, characterized in that it has:
a distribution management table that manages user names and virtual firewall IDs;
a unit that, when authorization information for network connection is received from a user terminal, holds the user name recorded in that information;
a unit that notifies the authorization information to an authentication server; and
a unit that, when an authentication response is received from said authentication server, holds the user ID recorded in that response which is to be given to said user terminal,
wherein said user ID is registered in said distribution management table in correspondence with said user name.
2. The firewall device according to claim 1, characterized in that said firewall device,
after a connection between said user terminal and the network has been established, for a packet sent from said user terminal, refers to said distribution management table using the packet's source user ID as a search key, retrieves the virtual firewall ID corresponding to that source user ID, and allocates the packet to the virtual firewall having that virtual firewall ID; and
for a packet sent from the communication counterpart terminal of said user terminal, refers to said distribution management table using the packet's destination user ID as a search key, retrieves the virtual firewall ID corresponding to that destination user ID, and allocates the packet to the virtual firewall having that virtual firewall ID.
3. The firewall device according to claim 1, characterized in that
said authentication server authenticates the user requesting the network connection,
the user ID to be given to said user terminal is notified to said user terminal, and
said user terminal is given a user ID for the first time by the notification of said user ID.
4. The firewall device according to claim 1, characterized in that,
when the authentication response from said authentication server is an authentication error, said user ID is not registered in said distribution management table and an authentication error is notified to said user terminal.
5. The firewall device according to claim 1, characterized in that,
when the user name recorded in the authorization information for network connection from said user terminal is not registered in said distribution management table, the user ID recorded in the authentication response from said authentication server is registered in said distribution management table,
after a connection between said user terminal and the network has been established, packets sent by said user terminal corresponding to said user ID are allocated to a virtual firewall for unregistered users, and
packets sent by the communication counterpart terminal of said user terminal corresponding to said user ID are allocated to the virtual firewall for unregistered users.
6. The firewall device according to claim 1, characterized in that,
when the user name recorded in the authorization information for network connection from said user terminal is not registered in said distribution management table, the user ID recorded in the authentication response from said authentication server and a virtual firewall ID used for unregistered users are registered in said distribution management table.
7. The firewall device according to claim 1, characterized in that,
when the user name recorded in the authorization information for network connection from said user terminal is not registered in said distribution management table, an authentication error is notified to said user terminal.
8. The firewall device according to any one of claims 1 to 7, characterized in that
said authentication server is a RADIUS server, said user ID is an IP address, said network is the Internet, and the network connection of said user terminal uses PPP (Point-to-Point Protocol).
9. A firewall device, characterized in that it has:
a distribution management table that manages user names, user IDs and filter IDs in correspondence with one another;
filter tables designated by said filter IDs, each having its own independent filtering policy;
a unit that, at the start of a network connection, receives authorization information issued by a user terminal in which a user name is recorded, and holds that user name;
a unit that notifies said authorization information to an authentication server; and
a unit that receives an authentication response from said authentication server and holds the user ID recorded in that authentication response which is to be given to said user terminal,
wherein said user ID is registered in said distribution management table in correspondence with said user name.
10. The firewall device according to claim 9, characterized in that,
after a connection between said user terminal and the network has been established, for a packet sent from said user terminal, the device searches said distribution management table using the packet's source user ID as a search key, extracts the filter ID corresponding to that source user ID, and attaches the extracted filter ID to the packet sent by said user terminal;
for a packet sent from the communication counterpart terminal of said user terminal, it searches said distribution management table using the packet's destination user ID as a search key, extracts the filter ID corresponding to that destination user ID, and attaches the extracted filter ID to the packet sent by the communication counterpart terminal of said user terminal; and
according to the filtering policy recorded in the filter table designated by the attached filter ID, it passes or discards the packet to which the filter ID has been attached.
11. A firewall device, characterized in that it has:
a distribution management table that manages user names, user IDs, dedicated filter IDs and shared filter IDs in correspondence with one another;
a dedicated filter table corresponding to said dedicated filter ID;
a shared filter table corresponding to said shared filter ID;
a unit that, at the start of a network connection, receives authorization information issued by a user terminal in which a user name is recorded, and holds that user name;
a unit that notifies said authorization information to an authentication server; and
a unit that receives an authentication response from said authentication server and holds the user ID recorded in that authentication response which is to be given to said user terminal,
wherein said user ID is registered in said distribution management table in correspondence with said user name.
12. The firewall device according to claim 11, characterized in that said firewall device,
after a connection between said user terminal and the network has been established, for a packet sent from said user terminal, searches said distribution management table using the packet's source user ID as a search key, extracts the dedicated filter ID and shared filter ID corresponding to that source user ID, and attaches the extracted dedicated filter ID and shared filter ID to the packet sent by said user terminal;
for a packet sent from the communication counterpart terminal of said user terminal, searches said distribution management table using the packet's destination user ID as a search key, extracts the dedicated filter ID and shared filter ID corresponding to that destination user ID, and attaches the extracted dedicated filter ID and shared filter ID to the packet sent by the communication counterpart terminal of said user terminal; and
according to the filtering policy recorded in the dedicated filter table designated by the attached dedicated filter ID and the filtering policy recorded in the shared filter table designated by the attached shared filter ID, passes or discards the packet to which the dedicated filter ID and shared filter ID have been attached.
13. The firewall device according to claim 9, characterized in that said firewall device,
when at the start of a network connection the user name contained in the authorization information issued by the user terminal is not registered in said distribution management table, registers the user ID recorded in the authentication response from said authentication server in said distribution management table, and
processes the packets sent by said user terminal corresponding to said user ID, or by the communication counterpart terminal of that user terminal, according to a filtering policy for unregistered users.
14. The firewall device according to claim 9, characterized in that,
when at the start of a network connection the user name recorded in the authorization information issued by said user terminal is not registered in said distribution management table, said firewall device registers the user ID recorded in the authentication response from said authentication server, together with a filter ID used for unregistered users, in said distribution management table.
15, a kind of firewall device is characterized in that, has:
User name, user ID, virtual firewall ID, filtration ID are carried out the corresponding allocation manager table of managing;
By a plurality of virtual firewalls described virtual firewall ID appointment, that have at least one specified filter table of described filtration ID;
When network connects beginning, received by the record of user terminal distribution the authorization information of user name, and kept the unit of this user name;
Described authorization information is notified to the unit of authentication server; And
From the response of described authentication server Receipt Validation, and keep the unit of the user ID that should give described user terminal put down in writing in this auth response,
Wherein, described user ID and described user name are logined accordingly in described allocation manager table.
16, firewall device according to claim 15 is characterized in that, described firewall device
After the connection of having set up between described user terminal and the network, for the grouping that sends from described user terminal, it is sent source user ID retrieve described allocation manager table as search key, extract out with this and send source user ID corresponding virtual fire compartment wall ID and filter ID, to the specified virtual firewall of the virtual firewall ID of described extraction, and give the grouping that described user terminal sends with packet allocation that described user terminal sent with the filtration ID of described extraction;
For the grouping that sends from the communication counterpart terminal of described user terminal, its destination user ID is retrieved described allocation manager table as search key, extract out and this destination user ID corresponding virtual fire compartment wall ID and filtration ID, the packet allocation that the communication counterpart terminal of described user terminal is sent is to the specified virtual firewall of the virtual firewall ID of described extraction, and gives the grouping that the communication counterpart terminal of described user terminal is sent with the filtration ID of described extraction;
In the virtual firewall of described distribution, according to the filtering policy of putting down in writing in the specified filter table of the described filtration ID that gives, make be endowed the grouping of filtering ID by or abandon.
17. A firewall device, comprising:
an allocation manager table that manages a user name, a user ID, a virtual firewall ID, a special filter ID and a shared filter ID in association with one another;
a virtual firewall having a special filter table corresponding to said special filter ID and a shared filter table corresponding to said shared filter ID;
a unit that, when a network connection begins, receives authentication information in which a user name is recorded, sent by a user terminal, and holds that user name;
a unit that reports said authentication information to an authentication server; and
a unit that receives an authentication response from said authentication server and holds the user ID, recorded in that authentication response, that is to be given to said user terminal,
wherein said user ID is registered in said allocation manager table in association with said user name.
18. The firewall device according to claim 17, wherein, after a connection has been established between said user terminal and the network, said firewall device:
for a packet sent from said user terminal, searches said allocation manager table using the packet's source user ID as the search key, extracts the virtual firewall ID, special filter ID and shared filter ID corresponding to that source user ID, assigns the packet sent by said user terminal to the virtual firewall designated by the extracted virtual firewall ID, and attaches the extracted special filter ID and shared filter ID to the packet sent by said user terminal;
for a packet sent from the communication counterpart terminal of said user terminal, searches said allocation manager table using the packet's destination user ID as the search key, extracts the virtual firewall ID, special filter ID and shared filter ID corresponding to that destination user ID, assigns the packet sent by the counterpart terminal to the virtual firewall designated by said virtual firewall ID, and attaches the extracted special filter ID and shared filter ID to the packet sent by the counterpart terminal; and
in the assigned virtual firewall, passes or discards the packet to which said special filter ID and shared filter ID have been attached, according to the filtering policy recorded in the special filter table designated by the attached special filter ID and the filtering policy recorded in the shared filter table designated by the attached shared filter ID.
19. The firewall device according to claim 15, wherein, when a network connection begins and the user name contained in the authentication information sent by the user terminal is not registered in said allocation manager table, said firewall device registers the user ID recorded in the authentication response from said authentication server in said allocation manager table, and
processes the packets sent by said user terminal corresponding to said user ID, and the packets sent by the communication counterpart terminal of said user terminal corresponding to said user ID, according to the filtering policy used for unregistered users.
20. The firewall device according to claim 15, wherein, when a network connection begins and the user name recorded in the authentication information sent by said user terminal is not registered in said allocation manager table, said firewall device registers in said allocation manager table the user ID recorded in the authentication response from said authentication server together with the virtual firewall ID used for unregistered users.
21. The firewall device according to claim 9, wherein, when the authentication response from said authentication server is an authentication error, said firewall device does not register said user ID in said allocation manager table but reports the authentication error to said user terminal.
22. The firewall device according to claim 9, wherein, when a network connection begins and the user name recorded in the authentication information sent by said user terminal is not registered in said allocation manager table, said firewall device reports an authentication error to said user terminal.
23. The firewall device according to any one of claims 9 to 22, wherein said filter table does not contain, as an element of its filtering policy, the user ID to be given to said user terminal.
24. The firewall device according to any one of claims 9 to 23, wherein said authentication server is a RADIUS server, said user ID is an IP address, said network is the Internet, and the network connection of said user terminal uses PPP.
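The data path of claims 15 to 24 is easier to follow in code. The following is an added example written for this page, not code from the patent or from the applicant: it models the allocation manager table, the binding of the user ID (an IP address, as in claim 24) returned by the authentication server, the choice of table row by source user ID for traffic from the terminal and by destination user ID for traffic to it (claims 16 and 18), the special-then-shared filter tables (claim 18), and the default handling of an unregistered user name (claims 19 and 20) and of an authentication error (claim 21). The class names, the rule fields, the first-match semantics, the default-deny result and every user name, password and address are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str       # source user ID (IP address)
    dst: str       # destination user ID (IP address)
    proto: str     # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # Claim 23: a rule never names the user ID, so the same table stays
        # valid whatever address the user is assigned at login.
        return self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport)

@dataclass
class Entry:
    """One row of the allocation manager table (claim 17)."""
    user_name: str
    vfw_id: str
    special_id: str
    shared_id: str
    user_id: Optional[str] = None   # bound from the authentication response

class VirtualFirewall:
    def __init__(self, vfw_id: str) -> None:
        self.vfw_id = vfw_id
        self.special: Dict[str, List[Rule]] = {}   # special filter ID -> rules
        self.shared: Dict[str, List[Rule]] = {}    # shared filter ID -> rules

    def decide(self, pkt: Packet, special_id: str, shared_id: str) -> str:
        # Claim 18: special table first, then shared table; first match wins.
        # Dropping unmatched traffic is an assumption of this example.
        for rule in self.special.get(special_id, []) + self.shared.get(shared_id, []):
            if rule.matches(pkt):
                return rule.action
        return "deny"

class Firewall:
    # Claims 19/20: an unknown user name is placed in a default virtual
    # firewall under the policy for unregistered users (IDs are assumed).
    UNREGISTERED = ("vfw-default", "sp-none", "sh-default")

    def __init__(self, auth: Callable[[str, str], Optional[str]]) -> None:
        self.auth = auth                         # authentication server (mock)
        self.vfws: Dict[str, VirtualFirewall] = {}
        self.table: Dict[str, Entry] = {}        # allocation manager table, by user name
        self.by_user_id: Dict[str, Entry] = {}   # index used on the packet path

    def register(self, entry: Entry) -> None:
        self.table[entry.user_name] = entry
        self.vfws.setdefault(entry.vfw_id, VirtualFirewall(entry.vfw_id))

    def login(self, user_name: str, password: str) -> str:
        """Claims 15 and 19-21: forward the credentials, then bind the
        returned user ID to the user's row; on error, register nothing."""
        user_id = self.auth(user_name, password)
        if user_id is None:
            return "auth-error"
        entry = self.table.get(user_name)
        if entry is None:
            entry = Entry(user_name, *self.UNREGISTERED)
            self.register(entry)
        if entry.user_id is not None:            # re-login: drop the stale binding
            self.by_user_id.pop(entry.user_id, None)
        entry.user_id = user_id
        self.by_user_id[user_id] = entry
        return user_id

    def dispatch(self, pkt: Packet) -> str:
        """Claims 16/18: key by source user ID for traffic from the terminal,
        by destination user ID for traffic heading to it."""
        entry = self.by_user_id.get(pkt.src) or self.by_user_id.get(pkt.dst)
        if entry is None:
            return "deny"      # assumption: traffic of no logged-in user is dropped
        return self.vfws[entry.vfw_id].decide(pkt, entry.special_id, entry.shared_id)

def build_demo() -> Firewall:
    """Constructed sample: two contract customers and one unlisted account."""
    accounts = {"alice@corp-a": ("pw-a", "10.0.0.10"),   # mock auth server:
                "bob@corp-b": ("pw-b", "10.0.1.20"),     # name -> (password, IP)
                "guest": ("pw-g", "10.0.9.99")}

    def auth(user_name: str, password: str) -> Optional[str]:
        rec = accounts.get(user_name)
        return rec[1] if rec and rec[0] == password else None

    fw = Firewall(auth)
    fw.register(Entry("alice@corp-a", "vfw-a", "sp-alice", "sh-a"))
    fw.register(Entry("bob@corp-b", "vfw-b", "sp-bob", "sh-b"))
    fw.vfws["vfw-a"].special["sp-alice"] = [Rule("permit", "tcp", 22)]
    fw.vfws["vfw-a"].shared["sh-a"] = [Rule("permit", "tcp", 443), Rule("deny")]
    fw.vfws["vfw-b"].special["sp-bob"] = [Rule("deny", "tcp", 22)]
    fw.vfws["vfw-b"].shared["sh-b"] = [Rule("permit", "tcp")]
    default = fw.vfws.setdefault("vfw-default", VirtualFirewall("vfw-default"))
    default.shared["sh-default"] = [Rule("permit", "tcp", 80)]
    return fw
```

Two points the claims leave to the implementer are visible here. The packet-time lookup is keyed only by address, so the policy a packet receives is only as trustworthy as the access network's guarantee that a PPP session cannot source another session's address; and the tables named in `UNREGISTERED` are what any account absent from the allocation manager table is placed under, so they should be the most restrictive policy the device holds.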
25. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
a special filter table that holds each user's security policy;
a shared filter table that holds a security policy shared by a plurality of users;
an allocation manager table that manages user terminal information, a shared filter table ID and a special filter table ID;
a communication unit that communicates with an authentication server which determines whether a user terminal may connect;
a communication unit that communicates with an identifier management server which manages the shared filter table ID and special filter table ID associated with a user; and
a communication unit that communicates with a security policy management server which manages the relation between a user and the user's own security policy written into said special filter table,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
reports said user name to said identifier management server and said security policy server;
registers in said allocation manager table the shared filter table ID and special filter table ID received from said identifier management server in association with the user terminal information; and
writes the policy information received from said security policy server, together with said special filter table ID, into said special filter table.
26. The firewall device according to claim 25, wherein, after a connection has been established between the user terminal that issued said connection request and the network, said firewall device receives a packet sent by that user terminal or a packet destined for that user terminal,
refers to said allocation manager table using the user terminal information contained in the received packet as the search key, extracts the shared filter table ID and special filter table ID corresponding to that user terminal information, and
filters the received packet using the shared filter table corresponding to the extracted shared filter table ID and the special filter table corresponding to the extracted special filter table ID.
27. The firewall device according to claim 25, wherein, when the connection to the network is cut off, said firewall device receives a disconnection request from the user terminal, refers to said allocation manager table using said user terminal information as the search key, extracts the special filter table ID from the entry corresponding to that user terminal information, invalidates the entry corresponding to that user terminal information, and
invalidates the contents of the special filter table corresponding to said extracted special filter table ID.
28. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
at least one virtual firewall that performs packet filtering for a plurality of users;
at least one special filter table that holds each user's security policy;
at least one shared filter table that holds a security policy shared by a plurality of users;
an allocation manager table that manages user terminal information, a virtual firewall ID, a shared filter table ID and a special filter table ID;
a communication unit that communicates with an authentication server which determines whether a user terminal may connect;
a communication unit that communicates with an identifier management server which manages the virtual firewall ID, shared filter table ID and special filter table ID associated with a user; and
a communication unit that communicates with a security policy management server which manages the relation between a user and the user's own security policy written into said special filter table,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
reports said user name to said identifier management server and the security policy server;
registers in said allocation manager table the virtual firewall ID, shared filter table ID and special filter table ID received from said identifier management server in association with said user terminal information; and
writes the policy information received from said security policy server, together with said special filter table ID, into the special filter table of the virtual firewall indicated by said virtual firewall ID.
29. The firewall device according to claim 28, wherein, after a connection has been established between the user terminal that issued said connection request and the network, said firewall device receives a packet sent by that user terminal or a packet destined for that user terminal,
refers to said allocation manager table using the user terminal information contained in the received packet as the search key, extracts the virtual firewall ID, shared filter table ID and special filter table ID corresponding to that user terminal information,
assigns the received packet to the virtual firewall indicated by the extracted virtual firewall ID, and filters the packet there using the filter table corresponding to the extracted shared filter table ID and the special filter table corresponding to the extracted special filter table ID.
30. The firewall device according to claim 28, wherein, when the connection to the network is cut off, said firewall device receives a disconnection request from the user terminal, refers to said allocation manager table using the held user terminal information as the search key, extracts the virtual firewall ID and special filter table ID from the entry corresponding to that user terminal information, invalidates the entry corresponding to that user terminal information, and
invalidates, within the virtual firewall corresponding to the extracted virtual firewall ID, the contents of the special filter table corresponding to said special filter table ID.
31. The firewall device according to claim 28, wherein
said virtual firewalls correspond one-to-one to the contract networks that connect to said network, and
said firewall device accommodates a number of said contract networks equal to the number of said virtual firewalls.
32. The firewall device according to claim 31, wherein
a plurality of said authentication servers are provided, set for each of said contract networks, and
the authentication server that performs the authentication processing is determined from the user name contained in the connection request sent by said user terminal.
33. The firewall device according to claim 25, wherein
said security policy server has a security policy table that maps a user name to at least one security policy, and
said firewall device communicates with at least one security policy server having an identical security policy table.
34. The firewall device according to claim 25, wherein
said identifier management server has an identifier management table that maps a user name to a shared filter table ID and a special filter table ID, and
said firewall device communicates with at least one identifier management server having an identical identifier management table.
35. The firewall device according to claim 28, wherein
said identifier management server has an identifier management table that maps a user name to a virtual firewall ID, a shared filter table ID and a special filter table ID, and
said firewall device communicates with at least one identifier management server having an identical identifier management table.
36. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
a special filter table that holds each user's security policy;
a shared filter table that holds a security policy shared by a plurality of users;
a security policy table that maps a user name to at least one security policy;
an allocation manager table that manages user terminal information, a shared filter table ID and a special filter table ID;
a communication unit that communicates with an authentication server which determines whether a user terminal may connect; and
a communication unit that communicates with an identifier management server which manages the shared filter table ID and special filter table ID associated with a user,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
reports said user name to said identifier management server;
registers in said allocation manager table the shared filter table ID and special filter table ID received from said identifier management server in association with the user terminal information; and
refers to said security policy table using the held user name as the key, extracts the policy information corresponding to that user name, and writes the extracted policy information, together with said special filter table ID, into said special filter table.
37. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
a special filter table that holds each user's security policy;
a shared filter table that holds a security policy shared by a plurality of users;
an allocation manager table that manages user terminal information, a shared filter table ID and a special filter table ID;
an identifier management table that maps a user name to a shared filter table ID and a special filter table ID;
a communication unit that communicates with an authentication server which determines whether a user terminal may connect; and
a communication unit that communicates with a security policy management server which manages the relation between a user and the user's own security policy written into said special filter table,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
reports said user name to said security policy server;
refers to said identifier management table using the held user name as the key, extracts the shared filter table ID and special filter table ID corresponding to that user name, and writes the extracted shared filter table ID and special filter table ID into said allocation manager table in association with the user terminal information; and
writes the policy information received from said security policy server, together with said special filter table ID, into said special filter table.
38. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
a special filter table that holds each user's security policy;
a shared filter table that holds a security policy shared by a plurality of users;
an allocation manager table that manages user terminal information, a shared filter table ID and a special filter table ID;
a security policy table that maps a user name to at least one security policy;
an identifier management table that maps a user name to a shared filter table ID and a special filter table ID; and
a communication unit that communicates with an authentication server which determines whether a user terminal may connect,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
refers to said identifier management table using the held user name as the key, extracts the shared filter table ID and special filter table ID corresponding to that user name, and registers the extracted shared filter table ID and special filter table ID in said allocation manager table in association with the user terminal information; and
refers to said security policy table using the held user name as the key, extracts the policy information corresponding to that user name, and writes the extracted policy information, together with said special filter table ID, into said special filter table.
39. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
at least one virtual firewall that performs packet filtering for a plurality of users;
at least one special filter table that holds each user's security policy;
at least one shared filter table that holds a security policy shared by a plurality of users;
an allocation manager table that manages user terminal information, a virtual firewall ID, a shared filter table ID and a special filter table ID;
a security policy table that maps a user name to at least one security policy;
a communication unit that communicates with an authentication server which determines whether a user terminal may connect; and
a communication unit that communicates with an identifier management server which manages the virtual firewall ID, shared filter table ID and special filter table ID associated with a user,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
reports said user name to said identifier management server;
registers in said allocation manager table the virtual firewall ID, shared filter table ID and special filter table ID received from said identifier management server in association with said user terminal information; and
refers to said security policy table using the held user name as the key, extracts the policy information corresponding to that user name, and writes the extracted policy information, together with said special filter table ID, into the special filter table of the virtual firewall indicated by said virtual firewall ID.
40. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
at least one virtual firewall that performs packet filtering for a plurality of users;
at least one special filter table that holds each user's security policy;
at least one shared filter table that holds a security policy shared by a plurality of users;
an allocation manager table that manages user terminal information, a virtual firewall ID, a shared filter table ID and a special filter table ID;
an identifier management table that maps a user name to a virtual firewall ID, a shared filter table ID and a special filter table ID;
a communication unit that communicates with an authentication server which determines whether a user terminal may connect; and
a communication unit that communicates with a security policy management server which manages the relation between a user and the user's own security policy written into said special filter table,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
reports said user name to said security policy server;
refers to said identifier management table using the held user name as the key, extracts the virtual firewall ID, shared filter table ID and special filter table ID corresponding to that user name, and registers the extracted virtual firewall ID, shared filter table ID and special filter table ID in said allocation manager table in association with said user terminal information; and
writes the policy information received from said security policy server, together with said special filter table ID, into the special filter table of the virtual firewall indicated by said virtual firewall ID.
41. A firewall device placed between a plurality of user terminals and a network, which performs packet filtering for the plurality of user terminals, comprising:
at least one virtual firewall that performs packet filtering for a plurality of users;
at least one special filter table that holds each user's security policy;
at least one shared filter table that holds a security policy shared by a plurality of users;
an allocation manager table that manages user terminal information, a virtual firewall ID, a shared filter table ID and a special filter table ID;
a security policy table that maps a user name to at least one security policy;
an identifier management table that maps a user name to a virtual firewall ID, a shared filter table ID and a special filter table ID; and
a communication unit that communicates with an authentication server which determines whether a user terminal may connect,
wherein said firewall device:
when a network connection begins, receives from a user terminal a connection request to which authentication information containing a user name is attached, holds that user name, and reports the held user name to the authentication server;
holds the user terminal information attached to the authentication response received from said authentication server;
refers to said identifier management table using the held user name as the key, extracts the virtual firewall ID, shared filter table ID and special filter table ID corresponding to that user name, and registers the extracted virtual firewall ID, shared filter table ID and special filter table ID in said allocation manager table in association with said user terminal information; and
refers to said security policy table using the held user name as the key, extracts the policy information corresponding to that user name, and writes the extracted policy information, together with said special filter table ID, into the special filter table of the virtual firewall indicated by said virtual firewall ID.
42. The firewall device according to any one of claims 25 to 41, wherein said authentication server is a RADIUS server, said user terminal information is the IP address given to the user terminal, the connection from said user terminal to the network is PPP, and PAP or CHAP is used for authentication.
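Claims 25 to 42 describe the control plane around the same tables: which authentication server handles a user, how the filter table IDs and the user's own policy are fetched from an identifier management server and a security policy server at connect time, and how the entry and the special filter table are invalidated at disconnect. The following is an added example written for this page, not code from the patent or from the applicant. It selects the authentication server from the realm part of the user name (claim 32; the `user@realm` syntax is an assumption), holds the IP address returned by the authentication server as the user terminal information (claim 42), fills the allocation manager table and the special filter table of the indicated virtual firewall (claim 28), and tears both down on disconnect (claim 30). The server classes, the data they hold, the policy-line format and every user name, password and address are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IdTuple = Tuple[str, str, str]   # (virtual firewall ID, shared table ID, special table ID)

class AuthServer:
    """Mock authentication server: user name -> (password, IP to assign)."""
    def __init__(self, accounts: Dict[str, Tuple[str, str]]) -> None:
        self.accounts = accounts

    def authenticate(self, user_name: str, password: str) -> Optional[str]:
        rec = self.accounts.get(user_name)
        return rec[1] if rec is not None and rec[0] == password else None

class IdentifierServer:
    """Identifier management table (claim 35): user name -> IDs."""
    def __init__(self, table: Dict[str, IdTuple]) -> None:
        self.table = table

    def lookup(self, user_name: str) -> Optional[IdTuple]:
        return self.table.get(user_name)

class PolicyServer:
    """Security policy table (claim 33): user name -> policy lines."""
    def __init__(self, table: Dict[str, List[str]]) -> None:
        self.table = table

    def lookup(self, user_name: str) -> List[str]:
        return list(self.table.get(user_name, []))

@dataclass
class Allocation:
    """Row of the allocation manager table (claim 28), keyed by terminal IP."""
    user_name: str
    vfw_id: str
    shared_id: str
    special_id: str
    valid: bool = True

class Firewall:
    def __init__(self, auth_servers: Dict[str, AuthServer],
                 ident: IdentifierServer, policy: PolicyServer) -> None:
        self.auth_servers = auth_servers     # realm (contract network) -> server
        self.ident, self.policy = ident, policy
        self.alloc: Dict[str, Allocation] = {}
        # a special table belongs to one virtual firewall, hence the pair key
        self.special: Dict[Tuple[str, str], List[str]] = {}

    def pick_auth_server(self, user_name: str) -> Optional[AuthServer]:
        # Claim 32: the part after '@' names the contract network (assumed syntax).
        realm = user_name.rsplit("@", 1)[1] if "@" in user_name else ""
        return self.auth_servers.get(realm)

    def connect(self, user_name: str, password: str) -> Optional[str]:
        """Claim 28 connect sequence; returns the terminal IP on success."""
        server = self.pick_auth_server(user_name)
        ip = server.authenticate(user_name, password) if server else None
        if ip is None:
            return None                      # authentication error: no state created
        ids = self.ident.lookup(user_name)
        if ids is None:
            return None                      # assumption: no IDs, no connection
        vfw_id, shared_id, special_id = ids
        stale = self.alloc.get(ip)
        if stale is not None and stale.valid and stale.user_name != user_name:
            # the previous holder of this IP never sent a disconnect request;
            # without this the new user would inherit the old user's policy
            self.disconnect(ip)
        self.alloc[ip] = Allocation(user_name, vfw_id, shared_id, special_id)
        self.special[(vfw_id, special_id)] = self.policy.lookup(user_name)
        return ip

    def disconnect(self, ip: str) -> bool:
        """Claim 30: invalidate the row and the special table it points to."""
        row = self.alloc.get(ip)
        if row is None or not row.valid:
            return False
        row.valid = False
        self.special.pop((row.vfw_id, row.special_id), None)
        return True

    def tables_for(self, ip: str) -> Optional[Tuple[str, str, List[str]]]:
        """Claim 29: what the packet path extracts for a packet carrying this IP."""
        row = self.alloc.get(ip)
        if row is None or not row.valid:
            return None
        return row.vfw_id, row.shared_id, self.special.get((row.vfw_id, row.special_id), [])

def build_demo() -> Firewall:
    """Constructed sample: two contract networks, each with its own auth server."""
    auth = {"corp-a": AuthServer({"alice@corp-a": ("pw-a", "10.0.0.10")}),
            "corp-b": AuthServer({"bob@corp-b": ("pw-b", "10.0.1.20")})}
    ident = IdentifierServer({"alice@corp-a": ("vfw-a", "sh-a", "sp-alice"),
                              "bob@corp-b": ("vfw-b", "sh-b", "sp-bob")})
    policy = PolicyServer({"alice@corp-a": ["permit tcp any port 22", "deny any"],
                           "bob@corp-b": ["permit tcp any port 443"]})
    return Firewall(auth, ident, policy)
```

The invalidation in `disconnect` is the step that keeps a recycled IP address from carrying the previous user's policy to its next holder. Claims 27 and 30 trigger it on a disconnection request from the terminal; the stale-row check in `connect` covers the case the claims do not spell out, where the session ended without such a request reaching the device, and a session timeout tied to the PPP link would serve the same purpose in a deployment.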

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2003027828 2003-02-05
JP027828/2003 2003-02-05
JP044770/2003 2003-02-21
JP045222/2003 2003-02-24

Publications (2)

Publication Number Publication Date
CN1748395A true CN1748395A (en) 2006-03-15
CN100471183C CN100471183C (en) 2009-03-18

Family

ID=36167026

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004800036915A Expired - Fee Related CN100471183C (en) 2003-02-05 2004-02-04 Firewall device

Country Status (1)

Country Link
CN (1) CN100471183C (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8127347B2 (en) 2006-12-29 2012-02-28 02Micro International Limited Virtual firewall
CN102857472A (en) * 2011-06-28 2013-01-02 上海地面通信息网络有限公司 Firewall system for providing safety protection to customer on ISP (Internet Service Provider) platform
CN102394897A (en) * 2011-12-18 2012-03-28 西安安智科技有限公司 System for realizing virtual firewall safety strategy through combining bottom line strategy and method thereof
CN103561027A (en) * 2013-11-05 2014-02-05 曙光云计算技术有限公司 Method and device for achieving virtual network isolation
CN113381994A (en) * 2015-04-07 2021-09-10 安博科技有限公司 Multi-boundary firewall at cloud
CN113381994B (en) * 2015-04-07 2023-05-02 安博科技有限公司 Multi-boundary firewall in cloud
CN105991790A (en) * 2015-04-21 2016-10-05 杭州迪普科技有限公司 Virtual device policy configuration method and virtual device policy configuration device
CN104753962A (en) * 2015-04-23 2015-07-01 厦门雅迅网络股份有限公司 OBD (On-board diagnostics) safety management method and system
CN106790000A (en) * 2016-12-12 2017-05-31 杭州迪普科技股份有限公司 The collocation method and device of a kind of security strategy
CN106790000B (en) * 2016-12-12 2019-11-12 杭州迪普科技股份有限公司 A kind of configuration method and device of security strategy
CN107733800A (en) * 2017-11-29 2018-02-23 郑州云海信息技术有限公司 A kind of SDN message transmitting method and its device
CN107979609B (en) * 2017-12-14 2020-09-22 广东天网安全信息科技有限公司 Post-reaction type protection method and autonomous learning type firewall system
CN107979609A (en) * 2017-12-14 2018-05-01 广东天网安全信息科技有限公司 Reaction equation means of defence and autonomous learning type firewall system afterwards

Also Published As

Publication number Publication date
CN100471183C (en) 2009-03-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090318

Termination date: 20130204