DE10241974B4 - Monitoring of data transmissions - Google Patents

Abstract

Security environment for monitoring network-based data transmissions, with
- at least one control system (FW, PROXY, IDS), each connected to at least one communication link (NW1, NW2) for data transfers between a first network (NW1) and a second network (NW2), respectively for controlling first data transfers between the first network (NWI) and the second network (NW2) and each for outputting characterizing data characterizing each one of the data transfers, and
A monitoring system (AS) for receiving the respective characterizing data and for determining from the characterizing data whether the data transmissions for the at least one control system (FW, PROXY, IDS) respectively fulfill predetermined security requirements,
characterized in that
- Only the monitoring system (AS) has a memory unit (AS-MEM) to store the characterizing data and the data of the respective characterizing data indicating a violation of the specified security requirements.

Description

Territory of invention

The The present invention relates to network-based security data transfers and in particular security aspects of data transfers between at least two networks, also considering of data transmissions within a network that is ready to be transferred to another network are provided.

background the invention

Around the security of data transmissions between two networks to ensure become common as so-called "firewalls" designated systems used. The term "network" as used here includes single or multi-unit arrangements, for example in the form of computer systems to and from which data is transferred can be. Examples of this are the Internet, intranets, individual, for example, as a personal computer running computer units comprehensive arrangements with facilities or related Devices for data transfers to and from other systems and the like.

A Firewall essentially serves unwanted, unauthorized data transfers from one network to another network. In general protects a firewall a network even against unauthorized access from one other network, and this usually for one Access required and / or access-initiating data transfers prevented from another network when they become one lead to unauthorized access would.

In the book "Firewall Systems" by Norbert Pohlman describes a firewall system that has a transmission system with a has separate computer system, which with its own, customized operating system is operated.

Around unwanted, unauthorized data transmissions and to prevent access and desired, allowed data transmissions and to allow access uses a firewall in general a so-called packet filtering. For network-based data transmissions In general, data is transmitted packet by packet, with the packets Information includes, for example, the source of the information to be transmitted Data, the destination to which the data is to be transmitted Creation of the transfer Data used protocols (e.g., protocols for creating Text documents, graphic documents, video / audio documents, executables Softwareco of, for example, in the form of software programs, and the like) etc. specify. Packet filtering becomes rules defines, for example, data transfers from certain sources and / or to prevent certain goals. According to such Rules prevents firewall data transfers from a network to another network or lets such too. As with packet filtering data to be transmitted usually not even be checked it is usual, Define filter rules that define a classification of data content, for example, on the basis of to be transferred at the time of creation Allow data of used protocols. That's the way it is for example possible, using a firewall data transfers while allowing text data Data that has an executable Code or image data include, not be transmitted.

For data transfers between two networks, it is often necessary in a network to use a so-called proxy, which transmits data from this network to another network at all only possible. Consequently, proxy's often used as security systems for data transfers. There a proxy of a computer system that uses the proxy to communicate required with other networks or systems, a prerequisite for data transmission from and to this network, the proxy can also be used only certain data transfers to allow or prevent. For example, it is possible by means of a proxy's Users of a network accesses certain of another Network provided services and / or data. For this purpose can Example related to the services and / or data of the network, to be accessed, logs used become. Examples of this are so-called HTTP proxy's and FTP proxy's that only data transfers according to HTTP or Allow FTP. Furthermore, it is known by means of a proxy for a Virus protection during data transmissions to care.

A Firewall or proxy not that unwanted, not allowed data transfers occur. To such, hereinafter referred to as attack It is known to use so-called "Intrusion Detection" systems (IDS). The task an IDS exists in essence, the violation of safety regulation or requirements and appropriate countermeasures initiate. In order to detect an attack, it is necessary that an IDS should be provided with information indicating what an attack can be recognized. Usually set unauthorized third, certain often repetitive Techniques to perform an attack. That is, attacks on a network are made according to patterns in the field as Signatures are called. Such signatures include TCP port Scans, UDP port scans, IP packets with wrong parameters, tunnels, encapsulate, flood and the same. Since these signatures are known in the art, will be closer to this point Description omitted.

Also if the aforementioned systems for a certain security at data transfers Worry, there are fundamental issues that make security essential affect. For example, so-called log files are created, the individual ones Log data transfer operations. In general, all data transfer operations are recorded in such log files. what it is for makes a system administrator close to impossible in a variety of data transfer operations those identify those who are attacking a network. Furthermore, it is for an attacker possible, to change a log file to disguise an attack.

Of Further, it is in the aforementioned, known security systems does not guarantee that the respective defined safety regulations or rules, from when a data transfer is not to be defined in advance, and when not can. It is possible, Define characteristics of known attack methods and corresponding ones Security monitoring rules set up. This approach does not work if an attacker an attack process unknown to security systems performs.

The mentioned examples of disadvantages of known safety systems during data transfers between networks are to be understood as exemplary only. Since the problems and disadvantages of known security systems, for Control of data transfers between networks, well-known in the field, will be at this Place on a closer Discussion omitted.

State of technology

In the article "Active Content Inspection Protection "by M. Frank in LANLine Special "The secure network ", III / 2001, Year 2001, pages 80-82 is a software application process revealed to Gateway - and Desktop level information flows to monitor. In particular, the method will review contents of data that have already passed a firewall of an internal network. The procedure includes steps that are performed at the gateway level. By means of a policy manager can from a central point, security plans are prepared according to which Data are controlled, pass through the gateways. By means of a Audit viewers can Log files are provided that complete all data verification and specify discovered security breaches. The method comprises further steps that are performed at the desktop level. This data, for example by means of portable storage media or portable Computer can be transferred to the internal network, checked. From the individual safety devices, such. Gateways, fi rewalls, be in the review of Information streams obtained each stored locally.

WHERE 00/73876 A2 discloses a proxy server with a database, a Network interface, a processor and a memory. Database stores information about User. The network interface connects the proxy server a network for exchanging data with a computer User and a destination server. The processor is connected to the network interface card, connected to the database and the memory. The memory has executable control commands for the Processor on to intercept a data request sent to the destination server is directed to read user information from the database, to encrypt the user information, the data request enlarge by the encrypted Added user information and the enlarged data request to send to the destination server. By means of the added user information is it comparable to a cookie possible to the destination server information provide.

DE 198 20 252 A1 discloses methods and apparatus for forwarding packets of completed packet sequences of packet-switched networks. There are packages of a completed Pa assuming information is transported in sequences and in each of which the first packet can be recognized as the beginning. The packets are analyzed on the basis of at least the corresponding first packet, if the transported information is so completely available that it can be compared with a predetermined criterion. If this is not the case, the packets are not forwarded. If this is the case, however, the transported content is compared to the at least one predetermined criterion. If this comparison succeeds, while the packets are forwarded; If this comparison fails, no forwarding takes place. As criteria, data type, addresses to which packets are to be forwarded, and the like may be used.

US 2003/0069356 A1 discloses an integrated safety device for gateways. The security device connects an internal network and a external network so that transmitted from one network to the other network Data can be blocked. Data to be checked are duplicated by means of a module. Using a server, neither for the internal network still for the external network is visible, an analysis of the duplicated Data performed. If data or information associated with the data is detected, which pose a security risk, the transmission of the data is prevented.

US 2003/0093527 A1 discloses a user interface for a network security system and a corresponding method. This will include all available data logged by a central software device.

Task of invention

The The object of the present invention is generally Disadvantages of known security measures and procedures Data transfers, especially between networks. In particular, it should enable the present invention the known security systems called firewall, proxy and IDS avoid existing disadvantages to security during data transfers between networks and above out for application-specific, customizable and easy-to-use security solutions to care.

Summary the invention

Of the the solution the underlying task of the present invention It generally consists of systems for monitoring, control and analysis of data transmissions to share between networks in a way that it does allows the individual security measures of different systems as well as their own system security increase and on the other hand security measures different systems to combine and synergy effects to use that security is increased overall and also, preferably ongoing, can be adjusted. In particular, it allows the present Invention, individual security systems depending on each other and under consideration of security measures, Data monitoring results (e.g., in the form of corresponding protocols) and the like Security systems to the currently required and required security requirements adapt.

Regarding The security of security systems per se follows the present Invention the approach to run individual security systems so that they are essentially just the means (e.g., hardware and software) have, for their intended operation are immediately required. So is for example, according to the present Invention provided that for commissioning ("booting") and the actual operation required Data not stored locally in individual security devices, but be provided centrally. Furthermore, it is provided according to the invention software programs required for operation, for example in the form of operating systems, reduced to a minimum required for actual operation are. About that In addition, the following invention teaches data and information that of individual security systems with regard to data transmissions determined by networks, not in the corresponding ones Security systems locally, but centrally log. In this case, a unit comparable to a database can be used become.

In order to implement the approach on which the present invention is based, individual security systems are provided, as defined in the claims, which, depending on their task, are designed according to the invention with regard to the security of data transmissions between networks. To build of an overall security system according to the invention, one or more security systems according to the invention can be used. Alternatively, it is possible to modify an existing overall security system in such a way that it works according to the invention as a whole or at least as regards safety-relevant components. The same applies to the process of the invention as defined in the claims.

Especially the present invention provides a security system according to claim 1 and a method according to claim 31 ready.

Each of the terms below includes: Computer system: Individual computer systems, personal computers, computer clusters, computer networks, etc. Network: networked data connections, communication systems, computer systems, routers, nodes, etc; the Internet; Connections between at least two networks; Etc. Data characterizing data transfers: Security logs, log files, scripts, connection data, control information, communication requests, etc. Safety requirements: Definitions of permissible data transmissions, file types, transmission times, transmission rates, data sources, data contents, transmission destinations, connection confirmations, control of connections, data destinations, data sources, etc. Storage unit: non-volatile memory, hard drives, streamer, databases, skin memory, caches, storage media, etc. Storage subunit: see storage unit different safety conditions characterizing information: Data indicating attacks, assault attempts, burglaries and the like; Attack patterns, signatures; Etc. Input unit: Keyboard, mouse, microphone, data interfaces, (ISDN cards, modems), scanners, character input devices, light pens, etc. Instructions for controlling the operation of a system by a user: Software code, input of individual / multiple commands, interactive use of a control program, etc. Interface Unit: Modems, network cards, interface devices and devices, etc. Operating data: Operating software, software code (parts), operating system (parts), parameters for software and hardware, scripts, database construction, database contents, database control, drivers, process data, process control, logs, user and application data, etc. Safety requirements characterizing safety requirements: Data that defines security requirements (see above)

Furthermore The present invention provides software products according to claims 54 and 55 ready to carry out the single or multiple steps of one or more methods according to the invention enable.

Further Features and advantages of the present invention will be apparent from corresponding, dependent on the above claims claims.

Brief description of the drawings

In the following description of preferred embodiments of the present invention is on the attached figures, of which show:

1 a schematic representation of a security environment according to the invention,

2 a schematic representation of a data type control system according to the invention,

3 a schematic representation of a data content control system according to the invention,

4 a schematic representation of a data transmission control system according to the invention,

5 a schematic representation of a monitoring system according to the invention,

6 to 15 schematic representations of different views of inventive graphical user interfaces, and

16 a schematic representation of a control system according to the invention.

description preferred embodiments

As in 1 schematically illustrated, a security environment SU is used for data transfers between a first network NW1 and a second network NW2. Data transfers can be made both from network NW1 to network NW2 and vice versa. It should be noted, however, that there is no direct data connection between the networks NW1 and NW2, as can be seen from the following.

in the The following is intended, without intending to be limiting, the first network NW1 is an intranet network is. In addition to a for the first network NW1 used router R1 comprises the first network NW1 multiple as client CL1, ... CLn designated computing devices. data transfers from and to the client's CL1, ..., CLn take place with respect to the second network NW2 via the Router R1. data transfers between the client's CL1, ..., CLn occur within the first network NW1 via the in this figure, not shown connections between the client's CL1, ..., CLn.

Of Further, it is assumed below that the second network NW2 the internet is, being for data transfers from and to the second network NW2 a router R2 is provided.

Deviating from 1 it is possible that the router R1 and / or router R2 is (are) integrated into the security environment SU as a component.

Dates, transmitted from the second network NW2 to the first network NW1 become a data type control system from the router R2 FW transferred.

The Data type control system FW serves i.a. for packet filtering of data transmissions from the second network NW2 used data packets. Therefore, can the data type control system FW in this regard with a firewall be compared.

One Data content control system cooperating with the data control system FW PROXY is considered a proxy server for network services and / or protocols such as e.g. HTTP, HTTPS, DNS, SMTP, FTP and the like. Therefore, the data content control system PROXY in this regard be compared with a proxy server. Furthermore, this serves Data content control system PROXY to separate IP data streams over the Data type control system FW transmitted To control the content of the content (for example pornographic Content) to provide antivirus protection with regard to data transmissions Log activities performed by and to the second network NW2 and the same. Outward, i.e. from the second network NW2 is just the IP address of the outside Routers R2 recognizable. The data content control system PROXY performs, from the point of view of the second network NW2, its services anonymous. This may also apply to the first network NW1.

A data transmission analysis system IDS encompassed by the security environment SU that is connected to the Data type control system FW and the data content control system PROXY cooperates, is used for detecting unauthorized accesses or attacks from the second network NW2 on the first network NW1 used attack patterns or signatures. In this regard, the data transfer analysis system IDS is comparable to a known intrusion detection system.

through a surveillance system AS become log entries the data type control, content control and data transfer analysis systems FW, PROXY, IDS, for example in the form of log files and saved. Therefor uses the monitoring system AS one in this figure, only as an example as a unitary integrated database containing a log of Data and / or information regarding data transmission be logged. Such, among others, by the legislature required logging includes attacks / burglaries and Burglary / attack attempts, data transfers to the first Network NW1 as well as from this over the security environment SU to another network, for example into the second network NW2 and the like.

by virtue of his task may be the monitoring system AS also be referred to as an audit server. The monitoring system AS communicates with the previously mentioned systems FW, PROXY and IDS via internal bus system BUS-INT or a comparable communication connection, the e.g. can be designed as a communication network. The internal Bus system BUS-INT is physically of communication links, for example, in the form of buses, cables and the like used for data transmissions between the networks NW1 and NW2 and the routers R1 and R2 be physically separated.

The central management and control of the aforementioned systems of Safety environment SU done by means of a control system BM. Accordingly, the control system BM can also be used as a boot and management server for the security environment SU are designated. Also the control system BM communicates within the security environment SU via the internal bus system BUS-INT with the other components.

To increase security can, in contrast to 1 , the security environment SU be at least partially redundant. For example, two data type control systems, two data content control systems, two can be used. The communication connections within the security environment SU used for internal communication purposes can also be implemented redundantly by means of two internal bus systems. By means of two routers instead of the routers R1 and R2, the security environment SU can also be executed redundantly in this respect.

In the following, the individual components of a security environment SU are described in more detail with respect to their structure, their operation and their interaction. It is based on the non-redundant security environment SU according to 1 With reference to the following statements apply mutatis mutandis for two or more running security environments accordingly.

DATA TYPE CONTROL SYSTEM ( "Firewall")

The Data type control system FW controls data streams between the second network NW2 and the first network NW1. Here are Data packets with certain types of data (e.g., real audio) and data packets, that can not be identified not by default forwarded. These are then not controllable. Indeed the data packets are logged and analyzed, in particular in terms of attack detection. Complete blocking Data is also possible. The data type control system FW leaves only such data packets by whose origin, their content and their purpose Comply with rules.

The Data type control system FW is comparable to a traffic light. The traffic light controls only the traffic flow, but controls not the contents of the car (here data). That accomplishes that Data type control system FW also not, because then the traffic flow (Data transmissions) no longer possible. A Content control during data transfers takes place here by means of the data content control system PROXY and the Data transfer analysis system IDS.

As in 2 1, the data type control system FW comprises a computer system FW-RS (eg with a single CPU (800 MHz, 512 MB), two external NICs, an internal "boot" NIC and an internal "proxy" NIC). Here, data transmission speeds of 2 Mbit to 2 Gbit (fiber optic cabling) are provided.

When Operating system is for the data type control system FW uses a special, very small Unixkernel, where almost all nonessential services are removed are. In the first line only one network type driver is supported. As running down, is also generally not support for playback and input devices (e.g., monitor, mouse, keyboard, etc.). This will be the Kernel very fast and very stable and can be updated quickly become ("Update"). Furthermore, can The kernel also does not execute any foreign code (for example, in an attack) the kernel for this no services available. Rather, only known software and hardware are supported. The resulting inflexibility of the data type control system FW leads to an increased Safety.

Of Furthermore, the data type control system FW can be an interface unit FW-INT, e.g. in the form of a modem or a computer interface. This allows for support of the data type control system FW e.g. via phone. To prevent, that on the data type control system FW from one of the networks NW1 and NW2, in particular from the network NW2 as an external network, can be accessed, the interface unit FW-INT so accomplished be that they do not over one of these networks NW1 and NW2 can be reached. Such a "remote" access is only with permission and support a user possible, because the interface unit FW-INT normally switched off is. If required, the user must use the interface unit FW-INT enable access to the data type control system FW. Therefor can also be the transmission a password will be required. To control such operations as well by means of the monitoring system AS logs. Upon completion, the interface unit becomes FW-INT deactivated again to prevent further access.

The Central control and management of the data type control system FW takes place via the control system BM. In particular, the user management can of the data type control system FW only locally on the control system BM itself be made. Alternatively it is also possible this directly on the data type control system FW, for which additional Devices such as a keyboard, a monitor, and the like, can be used. In both cases It is necessary, directly to the control system BM or to get the data type control system FW, which is already physically an unauthorized modification makes the data type control system FW more difficult. As additional Security can further measures be taken, such. a collection of biometric data ("fingerprint") and input of Passwords or codewords.

The Data type control system FW starts ("booted") from the control system BM. New Settings, modes of operation, rule and the like for the data type control system FW can be made centrally by means of the control system BM. A Special feature is that in a memory of the data type control system FW existing settings, operating parameters and the like Boats are not used. Like any computer system, so is it required to operate the data type control system, files, Parameters, data, information, etc. for an operating system of the data type control system FW to use this to operate. For example Files that contain user information, usernames, Passwords and the like are included in a control of data transmissions be used by the data type control system FW. These files can for example, an attack. This will try this Modify files. Should be a modification by an attack successfully performed It is still necessary that the data type control system FW will restart ("rebooted") the changes of these files. In conventional Security systems serving as firewalls would then be based on the modified Files are used which makes it possible for an attacker, due to the changed Control rules to overcome the firewall.

This is prevented in the security environment SU, that the Information required to operate the data type control system FW not stored locally but by the control system BM available be put. In particular, the operation of the data type control system required information in a memory of the control system BM saved. When booting the data type control system FW becomes then resorted to such data. Due to the use of the internal bus system BUS-INT, which is used for data transfers between communication networks NW1 and NW2 physically separated, it is not possible for an attacker the control system BM and in particular to access its memory.

For the data type control system, rules or rule sets are defined according to which the data type control system FW allows or prevents data transmissions from the second network NW2. Such rule sets define who can transmit which data from where, where and which data to access. Usually such rules are stored in a so-called flat file. A disadvantage of this Vorge It is a fact that the protection defined by means of such rules stored in such a file can not be subdivided into individual rules. This generally means that a security device serving as a firewall can not be administrated differently by different users.

This This prevents the operation of the data type control system FW provided rule sets in a database associated with the control system BM are. In this rule set database, for example, for multiple Security environments SU available is, individual rules or rule sets are defined according to which corresponding data type control systems FW monitor data transmissions or check. Furthermore, it is envisaged that the individual Rules and rule sets of Rule set database information is associated with which Security environment using rules and / or rule sets may. This also applies to changes of rules and rulesets the ruleset database, as described below in the context of changes of rules and rulesets for the data type control system FW are described.

regulate and rulesets are created application-specific. By means of a graphic User interface of the control system BM can rules and rulesets be entered. The rules and rule sets are generally considered so-called script files stored by the control system BM. A change of rules and rules generally can not be directly related to the data type control system FW performed become.

From Logs created for the data type control system FW become unlike known firewalls, also not stored locally. Rather, over the internal bus system BUS-INT Log information of the data type control system FW, for example in the form of log files, to the monitoring system Transfer AS and stored there in a database for later use. This makes it impossible for an attacker to rely on the data type control system FW created logs and to change them. that is, that an attacker is unable to recover his "traces", i. logging his attack, to change or delete. It is envisaged that the logging takes place in real time and the data is encrypted to the monitoring system Transfer AS become.

As below closer explains allows the combination of logging by means of the monitoring system AS safety-relevant processes better to recognize than with conventional firewalls is possible (For example: Mr. Müller allows HTTP transfers through the data type control system FW. In a conventional Firewall would Mr. Müller issuing attackers can penetrate the firewall, though at all no data transfers from the real Mr. Müller are derived, this e.g. does not work at his workplace (PC). However, this is recognized by the security environment SU.).

in the Case of an attack has the utilization of the data type control system FW a crucial meaning, since thereby the computer system FW calculation time needed for processing the data packets. The more resources available the better and the more attacks can be made by the data type control system FW are repelled. Therefore, it is envisaged that the data type control system FW normally in a range of 5-10% and in terms of its Memory is used up to 15%. This provides enough reserves for attacks to disposal.

at Using multiple data type control systems FW load distribution takes place via IP routing. In a load distribution, it should be noted in particular that the available power in case of an attack of the data type control system FW is sufficient to attack recognize and ward off if necessary.

SPECIFICATIONS CONTENTS CONTROL SYSTEM ( "Proxy server")

As explained above, the data content control system PROXY enables the connections from outside to inside and vice versa, ie from the second network NW2 to the first network NW1 and vice versa. The data content control system PROXY receives all data passed by the data type control system FW, eg as HTTP, FTP, SMTP and DNS packets. These are examined by the data content control system PROXY with respect to their content and filtered if necessary. Static filtering techniques may be used to identify, for example, words and phrases that may or may have special meaning (eg, words of pornographic meaning, words of business relevance such as "business report,""internal,""confidential," etc.). to recognize. Data packets with such "dirty" and internal contents can then be recognized by the data content control system PROXY. This does not just apply to data transfers from the second network NW2 to the first network NW1, but also in the reverse direction. Another task of the data content control system PROXY is virus protection.

From Logs created for the data content control system PROXY are also not stored locally. Rather, over the internal bus system BUS-INT Log information of the data content control system PROXY, for example in the form of log files, to the monitoring system Transfer AS and stored there in a database for later use. This makes it impossible for an attacker to get off the data content control system PROXY created logs and to change them. This will be added still aggravated by this for provided the data content control system PROXY local firewalls are. It is envisaged that the logging takes place in real time and the data is encrypted to the monitoring system Transfer AS become.

As below closer explains allows the combination of logging by means of the monitoring system AS safety-relevant processes better to recognize than is possible with conventional proxy servers.

As in 3 the data content control system PROXY comprises a computer system PROXY-RS. The operating system used for the data content control system PROXY is a special, very small Unix kernel, which removes almost all non-essential services. As discussed below, support for playback and input devices (eg, monitor, mouse, keyboard, etc.) is generally not provided. This makes the kernel very fast and very stable and can be updated quickly ("Update"). Furthermore, the kernel can not execute any foreign code (eg during an attack) because the kernel does not hold any services for it. Rather, only known software and hardware are supported. The resulting inflexibility of the data content control system PROXY leads to increased security.

Of Further, the data content control system PROXY may have an interface unit Include PROXY-INT, e.g. in the form of a modem or a computer interface. This allows a support the data content control system PROXY e.g. via phone. To prevent, that on the data content control system PROXY from one of the networks NW1 and NW2, in particular from the network NW2 as an external network, can be accessed, the interface unit PROXY-INT so executed be that they do not over one of these networks NW1 and NW2 can be reached. Such a "remote" access is only with permission and support a user possible, because the interface unit PROXY-INT normally switched off. If necessary, the user must use the interface unit PROXY-INT enable and access the data content control system PROXY to allow. Therefor can also be the transmission a password will be required. To control such operations as well by means of the monitoring system AS logs. Upon completion, the interface unit becomes PROXY-INT deactivated again to prevent further access.

The Central control and management of the data content control system PROXY is done via the control system BM, which only locally to the control system BM yourself. Alternative it is also possible this directly on the data content control system PROXY, for which additional facilities, such as a keyboard, a monitor, and the like can be. In both cases It is necessary, directly to the control system BM or the data content control system PROXY, which is already physical an unauthorized modification of the data content control system PROXY difficult. As additional Security can further measures be taken, such. a collection of biometric data ("fingerprint") and input of Passwords or codewords.

The Data content control system PROXY starts ("booted") from the control system BM. New Settings, operating modes, rule and the like for the data content control system PROXY can be made centrally by means of the control system BM. A Special feature is that in a memory of the data content control system PROXY existing settings, operating parameters and the like not be used when booting.

DATA TRANSFER CONTROL SYSTEM ("IDS")

The data transfer control system IDS comprises, as in 4 1 illustrates a computer system IDS-RE with protocol instances, not shown, and a memory unit (eg in the form of a database) with attack patterns and signatures provided therein.

From the data transfer control system Logs created by IDS are also not saved locally. Rather, the monitoring system serves AS as superior "guard", for which protocol information of the Data transmission control system IDS, for example in the form of log files, via the internal bus system BUS-INT to the monitoring system Transfer AS and stored there in a database for later use become. This makes it impossible for an attacker to get off the data transfer control system IDS created to access and modify logs. This will be added still aggravated by this for the data transfer control system IDS local firewalls are provided. It is intended that the Logging is done in real time and the data is encrypted to the monitoring system Transfer AS become. It is envisaged that the data transfer control system IDS Detects attack patterns based on a dynamic database that is in predetermined intervals, e.g. every four hours, is updated. Advantageously done an update automatically.

Recognizes the data transfer control system IDS an attack, this can be done by means of the data transfer control system IDS and the data type control system FW are prevented. attacks characterizing data are prefiltered if necessary or desired to the surveillance system Transfer AS, by e.g. also for an information of the user or operator of the security environment SU to worry.

When Operating system is for the data transfer control system IDS uses a special, very small Unixkernel in which almost all not essential services are removed. As running down, is also generally not support for playback and input devices (e.g., monitor, mouse, keyboard, etc.). This will be the Kernel very fast and very stable and can be updated quickly become ("Update"). Furthermore, can The kernel also does not execute any foreign code (for example, in an attack) the kernel for this no services available. Rather, only known software and hardware are supported. The resulting inflexibility of the data transfer control system IDS leads to an increased Safety.

Of another includes the data transfer control system IDS an interface unit IDS-INT, e.g. in the form of a modem or a computer interface. This allows support of the Data transmission control system IDS e.g. via phone. To prevent the data transfer control system IDS of one of the network NW1 and NW2, in particular of the network NW2 can be accessed as an external network, the interface unit IDS-INT so executed be that they do not have one of these networks NW1 and NW2 can be reached. Such a "remote" access is only with permission and support a user possible, because the interface unit IDS-INT is normally switched off. at The user must activate the interface unit IDS-INT and access to the data transfer control system To enable IDS. Therefor can also be the transmission a password will be required. To control such operations as well by means of the monitoring system AS logs. Upon completion, the interface unit becomes IDS-INT deactivated again to prevent further access.

MONITORING SYSTEM ("Audit Server")

The main task of in 5 surveillance system AS illustrated is the storage and analysis of the received logging of the data type control system FW, the data content control system PROXY and the data transfer control system IDS. Furthermore, the monitoring system AS receives logging from the control system control system BM, which can be used to check the information provided by the aforementioned control systems FW, PROXY and IDS for accuracy, consistency and the like.

loggers are stored in a storage unit comparable to a database AS-MEM written. The memory unit AS-MEM comprises a first Memory subunit AS-MEM-RT, serves as a "real-time" database. By means of this logging of a first period are stored and analyzed. This period can e.g. for current logging ("inert of the last 1, 2, 5, 10, .... minutes ") be defined. By means of a second memory subunit AS-MEM-LT can Logging a second period to be stored, for example for one Period of the last 1, 2, 5, 10, 12 ... months. For the analysis of Logs can the first and second memory sub-units AS-MEM-RT and AS-MEM-LT are separated or be used in combination.

Around unacceptable Preventing database access also communicates the monitoring system AS over the internal bus system BUS-INT. A physical access to the surveillance system AS only exists on the monitoring system AS itself ("in the EDP cabinet")

Further, the monitoring system comprises AS a computer system AS-RS (for example, an Intel ^® compatible CPU, may be performed in a multiple processor system including at least a RAID 5, an internal NIC, a plurality of external NICs, a VGA support, a support UNIX ^® -based Software applications and the like). To operate the monitoring system AS, a locally arranged input unit AS-IN is used, which may include, for example, a keyboard, a mouse, a microphone and the like. For the graphic reproduction of logging itself and / or of control and analysis results with regard to logging to be utilized, the monitoring system AS has a playback unit AS-DIS (eg a VGA monitor) and a graphical user interface AS-GUI that can be displayed thereon. Examples of different views of the graphical user interface AS-GUI are in 6 to 15 to see.

to Storage of logging required storage media (e.g. Hard drives) but, in contrast to known safety systems, this can only be done locally controlled. Furthermore, it is necessary when taking out of the monitoring system AS, the entire Shut down security environment SU. Data transfers to and from the first network NW1 are then not possible. This also applies to a decommissioning the other components of the security environment SU.

The monitoring system AS combines the log entries of the various systems and thus can attack, attack attempts and burglaries occurred due to logging of individual of said systems FW, PROXY, IDS and BM, but also by combination of logging several of the mentioned systems FW, PROXY, IDS and BM. Logs ("log files") of different conventional Systems are generally out of sync in time, which is why relationships between protocols separated system so far not be recognized could.

This is through the monitoring system AS and in particular by its property allows, comparable to a Database to act. The combination of different logging the control systems FW, PROXY and IDS, possibly in combination with protocols of the control system BM can so far unrecognizable dips be identified.

The Rulebook is very complex and will be released in cooperation with the Users arise. After installing the security environment SU is supposed to be the surveillance system AS log all data. This allows all systems FW, PROXY, IDS and BM using the surveillance system AS work together during operation in terms of safety during data transfers to optimize. If, for example, the first network NW1 no FTP data packet may be communicated, the data type control system FW may also do not pass FTP data packets. Sets the monitoring system AS afterwards nevertheless a transmission of such data turns into an error or an attack closed. As for such conditions to respond is defined in policies that the security environment and / or the users and users of the security environment, how to react.

The Rules for the surveillance system AS can be changed after installation. This can be done automatically through the safety envelope SU itself, e.g. under the control of Control system BM, and / or by external changes take place at the security environment SU. External changes at the security environment SU, as described below security restrictions subjected.

often it is the target of an attack, the communication possibilities prevent the security environment SU, for example their Disable e-mail server. In this case, information about attacks, Assault attempts and break-ins can be communicated (e.g. to one for the safety environment SU competent Administrator), the monitoring system can AS corresponding information about transmit multiple communication paths. For example, a communication unit is one mobile, cellular Telephone network e.g. provided by SMS and / or voice messages. Further transmission options include digital and analog video, audio, and fax transmissions and the same. At what time does the surveillance system AS respond to attacks, Attack attempts and made burglaries is generally responded with users or users of the security environment SU, even for individuals same and / or for different attacks, attack attempts and burglary occurred individually Are defined.

The stored data of the monitoring system AS characterize the entire first network NWI, its user and their behavior. Therefore, these data are highly worth protecting, for which advantage legally the highest possible level of security is defined. In the field, security levels from 0 to 5. 5 are defined as the maximum value. For example, the security level of the surveillance system AS can be defined as 4.

Of Another is the monitoring system AS have an interface unit AS-INT, e.g. in form of Modems or a computer interface. This allows support of the monitoring system AS e.g. via phone. To prevent the monitoring system AS from one of the networks NW1 and NW2, in particular from the network NW2 can be accessed as an external network, the interface unit AS-INT so executed be that they do not over one of these networks NW1 and NW2 can be reached.

CONTROL SYSTEM ("Boot and Management Server")

As in 16 represented, the control system BM comprises a computer system BM-RS, which can be accessed only locally. In addition to the above-mentioned local access restrictions (eg collection of biometric data, codes, etc.), the BM control system is protected against misuse because there is no physical possibility of access from the outside.

The Control system BM communicates in the security environment SU via the internal bus system BUS-INT. All modifications and operation Required data is, as stated above, by the control system BM provided or at least under its control and control initiated or transmitted. Required data is stored in a memory unit BM-MEM of the control system BM saved. For entering, for example, required for system modifications Data and / or information may be the locally provided input unit BM-IN can be used.

Of Further, the control system BM may be an interface unit BM-INT, e.g. in the form of a modem or a computer interface. This allows for support of the control system BM e.g. via phone. To prevent that to the control system BM of one of the networks NW1 and NW2, especially from the network NW2 as an external network can be executed, the interface unit BM-INT can be designed that they do not over one of these networks NW1 and NW2 can be reached.

Claims (55)

Security environment for monitoring network-based data transmissions, comprising - at least one control system (FW, PROXY, IDS), each connected to at least one communication link (NW1, NW2) for data communications between a first network (NW1) and a second network (NW2), respectively for controlling first data transmissions between the first network (NWI) and the second network (NW2) and respectively for outputting characterizing data characterizing each one of the data transmissions, and - a monitoring system (AS) for receiving the respective characterizing data and for determining from the characterizing data, whether the data transmissions for the at least one control system (FW, PROXY, IDS) meet predetermined security requirements, characterized in that - only the monitoring system (AS) has a memory unit (AS-MEM) to provide the characterizing data and the data of the respective store characterizing data indicating a violation of the specified security requirements. Security environment according to claim 1, comprising at least a communication connection (BUS-INT) for data transmission between the at least one control system (FW, PROXY, IDS) and the surveillance system (AS), from for data transfers between the first network (NW1) and the second network (NW2) used communication links is physically separated. Security environment according to claim 1 or 2, with the monitoring system (AS) to determine if the given initial security requirements are injured by combining different characterizing data Control Systems (FW, PROXY, IDS). Security environment according to one of the preceding claims, with the monitoring system (AS) for controlling the at least one control system (FW, PROXY, IDS) such that in the event of faulty operation and / or failure of the monitoring system (AS) the at least one control system (FW, PROXY, IDS) prevents data transfers between the first network (NW1) and the second network (NW2). Security environment according to one of the preceding claims, with the memory unit (AS-MEM) for storing all respective characterizing ones Dates. Security environment according to one of the preceding claims, in the memory unit (AS-MEM) a first memory subunit (AS-MEM-RT) for storing within a first period (RT) characterizing data and a second memory subunit (AS-MEM-LT) for storing characterizing within a second period (LT) Dates. Security environment according to one of the preceding claims, with the surveillance system (AS) for controlling accesses to the memory unit (AS-MEM). Security environment according to one of the preceding claims, in the surveillance system (AS) a playback unit (AS-DIS) for playing data of the characterizing data that is a violation of the given Specify security requirements. Security environment according to claim 8, comprising the playback unit (AS-DIS) of the monitoring system (AS) for displaying information that has different security states Data transfers between characterize the first network (NW1) and the second network (NW2). Security environment according to claim 8 or 9, at the playback unit (AS-DIS) of the monitoring system (AS) a graphical user interface (AS-GUI). Security environment according to one of the preceding claims, in the surveillance system (AS) an input unit (AS-IN) for entering instructions for Control the operation of the monitoring system (AS) by a user who is immediately near one Computer system (AS-RS) of the monitoring system (AS) is arranged, with only control instructions over the Input unit (AS-IN) of the monitoring system (AS) from the monitoring system (AS) can be used. Security environment according to one of the preceding claims, in the surveillance system (AS) an interface unit (AS-INT) for access to the monitoring system (AS). Security environment according to one of the preceding claims, in the monitoring system (AS) as an audit server is. Security environment according to one of the preceding claims, with the at least one control system (FW, PROXY, IDS) in each case for Creation of characterizing data in real time. Security environment according to one of the preceding claims, in the at least one control system (FW, PROXY, IDS) respectively an operating system that only has one operation in immediate Connection with network-based data transmissions. Security environment according to one of the preceding claims, in the at least one control system (FW, PROXY, IDS) respectively an input unit (FW-IN, PROXY-IN, IDS-IN) for inputting instructions to control the operation by a user who immediately near of a computer system (FW-RS, PORXY-RS, IDS-RS) of a corresponding one of at least one control system (FW, PROXY, IDS) is arranged, in each case only control instructions via the corresponding input unit (FW-IN, PROXY-IN, IDS-IN). Security environment according to one of the preceding claims at the at least one control system is a data type control system (FW) for controlling network-based data transmissions as a function of Data types is to data transfers between the first network (NW1) and the second network (NW2) according to the data type control system (FW) to verify given safety requirements in order to characterize as respective Data single of the checked data transmissions to generate characterizing type control data and around the characterizing one Type control data to the monitoring system (AS). Security environment according to claim 17, wherein the Data type control system (FW) is executed as a firewall. Security environment according to one of the preceding claims, in the at least one control system is a data content control system (PROXY) for controlling content of network-based data transmissions is to data transfers between the first network (NW1) and the second network (NW2) according to the data content control system (PROXY) to verify given security requirements as respective characterizing data, individual of the data transfers to generate characterizing content control data and the characterizing content control data to the monitoring system (AS). Security environment according to claim 19, wherein the Data content control system (PROXY) is executed as a proxy server. Security environment according to one of the preceding claims, in the at least one control system is a data transfer control system (IDS) for analyzing network-based data transfers is to data transfers between the first network (NW1) and the second network (NW2) according to the data transfer control system (IDS) to analyze given security requirements to be as respective characterizing data individual of the analyzed data transmissions characterizing transmission control data and characterizing the transmission control data the surveillance system (AS). Security environment according to claim 21, wherein the Data transmission control system (IDS) as IDS server is. Security environment according to one of the preceding claims, with - one Control system (BM) for controlling the at least one control system (FW, PROXY, IDS) and the monitoring system (AS) and - of the at least one communication link (BUS-INT) for data transmission between the at least one control system (FW, PROXY, IDS), the monitoring system (AS) and the control system (BM), for data transfers between the first Network (NW1) and the second network (NW2) used communication links physically separated. Security environment according to claim 23, wherein the Control system (BM) a memory unit (BM-MEM) for storage the control data includes. Security environment according to claim 24, with the storage unit (BM-MEM) of the control system (BM) for storing the for at least a control system respectively given safety requirements, and the control system (BM) for transmitting the stored Safety requirements in each case to the at least one control system over the at least one physically separate communication link (BUS INT). Security environment according to one of claims 23 to 25, with the control system (BM) for controlling a commissioning the at least one control system (FW, PROXY, IDS) and the monitoring system (AS) according to data, the desired Conditions for a permissible one Characterize commissioning. Security environment according to one of claims 23 to 26, with the control system (BM) for controlling a commissioning the at least one control system (FW, PROXY, IDS) and the monitoring system (AS) such that during Commissioning only one control system (FW, PROXY, IDS) and the monitoring system (AS) is put into operation. Security environment according to claim 26 or 27, with the memory unit (BM-MEM) for storing the desired Conditions for a permissible one Commissioning characterizing data. Security environment according to one of claims 23 to 28, in which the control system (BM) has an input unit (BW-IN) for inputting instructions for controlling the operation of the control system (BM) by a user who is immediately near one Computer system (BM-RS) of the control system (BM) is arranged, being only control statements about the input unit (BM-IN) used by the control system (BM) become. Security environment according to one of claims 23 to 29, where the control system (BM) as a boot management server accomplished is. Procedure for monitoring the security of network-based data transfers, with the following steps: - Check by means of at least one control system (FW, PROXY, IDS), respectively at least with a communication link (NW1, NW2) for data transmissions between a first network (NW1) and a second network (NW2) of data transfers between the first network (NW1) and the second network (NW2), - Output by means of the at least one control system (FW, PROXY, IDS) of characterizing data, each one of the data transfers characterize, - receive by means of a monitoring system (AS) of the respective characterizing data, and - Determine by means of the monitoring system (AS) from the characterizing data, whether the first data transfers for the at least one control system (FW, PROXY, IDS) each predetermined Meet safety requirements, marked by - To save from the characterizing data and the data of the respective characterizing one Data that violates the specified security requirements specify only in a memory unit (AS-MEM) of the monitoring system (AS). The method of claim 31, further comprising the step of: Transfer of data between the at least one control system (FW, PROXY, IDS) and the monitoring system (AS) about at least one communication link (BUS-INT) used for data transmissions between the first network (NW1) and the second network N (NW2) used communication links is physically separated. The method of claim 31 or 32, further comprising Step: Determine by means of the monitoring system (AS) whether the given first security requirements are violated, by combining characterizing data of different Control Systems (FW, PROXY, IDS). Method according to one of claims 31 to 33, with the following Step: Controlling the at least one control system (FW, PROXY, IDS) such that in the event of erroneous operation and / or a failure of the monitoring system (AS) the at least one control system (FW, PROXY, IDS) data transmissions between the first network (NW1) and the second network (NW2) prevented. A method according to any one of claims 31 to 34, further comprising Step: Storing all respective characterizing data in the memory unit (AS-MEM). Method according to one of claims 31 to 35, comprising the following steps: - To save of data characterizing within a first period (RT) in a first memory subunit (AS-MEM-RT) of the memory unit (AS-MEM) and - To save of data characterizing within a second period (LT) in a second memory subunit (AS-MEM-RT) of the memory unit (AS-MEM). A method according to any one of claims 31 to 36, further comprising Step: Controlling Accesses to the Storage Unit (AS-MEM) by means of the monitoring system (AS). A method according to any one of claims 31 to 37, further comprising Step: Reproducing data of the characterizing data, specify a violation of the given security requirements, by means of a playback unit (AS-DIS) of the monitoring system (AS). The method of claim 38, further comprising the step of: reproduce of statements that different security conditions of Data transmissions between the first network (NW1) and the second network (NW2) characterized by the playback unit (AS-DIS) of the monitoring system (AS). Method according to one of claims 31 to 39, wherein the input of instructions by means of an input unit (AS-IN) of the monitoring system (AS), the immediate vicinity a computer system (AS-RS) of the monitoring system (AS) is to control the operation of the monitoring system (AS) a user, with only control instructions via the input unit (AS-IN) of the monitoring system (AS) from the monitoring system (AS) can be used. A method according to any one of claims 31 to 40, further comprising Step: Creating the characterizing data using the at least one control system (FW, PROXY, IDS) each in real time. A method according to any one of claims 31 to 41, with the following Step: Operating the at least one control system (FW, PROXY, IDS) only directly related to network-based Data transfers. A method according to any one of claims 31 to 42, wherein the Control of network-based data transfers by means of a Data type control system (FW) is performed depending on data types data transfers between the first network (NW1) and the second network (NW2) according to the data type control system (FW) to verify given safety requirements in order to characterize as respective Data single of the checked data transmissions to generate characterizing type control data and around the characterizing one Type control data to the monitoring system (AS). Method according to one of the preceding claims 31 to 43, where the control of network-based data transmissions by means of a data content control system (PROXY) for the control of Content performed will be to data transfers between the first network (NW1) and the second network (NW2) according to the data content control system (PROXY) to verify given security requirements as respective characterizing data, individual of the data transfers to generate characterizing content control data and the characterizing content control data to the monitoring system (AS). A method according to any one of claims 31 to 44, wherein the Control of network-based data transfers by means of a Data transmission control system (IDS) for analyzing network-based data transmissions, to data transfers between the first network (NW1) and the second network (NW2) according to the data transfer control system (IDS) to analyze given security requirements as respective characterizing data of individual analyzed data transmissions characterizing transmission control data and characterizing the transmission control data the surveillance system (AS). Method according to one of claims 31 to 45, comprising the following steps: - Taxes the at least one control system (FW, PROXY, IDS) and the monitoring system (AS) by means of a control system (BM), and - Transfer of data between the at least one control system (FW, PROXY, IDS), the monitoring system (AS) and the control system (BM) via the at least one communication link (BUS-INT), the from for data transfers between the first network (NW1) and the second network N (NW2) used communication links is physically separated. The method of claim 46, further comprising the step of: to save control data in a memory unit (BM-MEM) of the control system (BM). A method according to claim 47, comprising the following steps: - To save the for the at least one control system each predetermined safety requirements in the memory unit (BM-MEM) of the control system (BM), and - Transfer the stored security requirements respectively to the at least a control system over the at least one physically separate communication link (BUS INT). A method according to any one of claims 46 to 48, further comprising Step: Controlling a start-up of the at least one Control system (FW, PROXY, IDS) and the monitoring system (AS) by means of of the control system (BM) according to data, the desired Conditions for a allowed Characterize commissioning. Method according to one of the preceding claims 46 to 48, with the following step: Controlling a commissioning of the at least one control system (FW, PROXY, IDS) and the monitoring system (AS) such that during Commissioning only one control system (FW, PROXY, IDS) and the monitoring system (AS) is put into operation. A method according to claim 49 or 50, comprising the following step: Storing the data characterizing the desired conditions for a permissible start-up in the memory unit (BM-MEM). The method of any one of claims 46 to 51, further comprising Step: Enter instructions to control operation of the control system (BM) by a user into an input unit (BW-IN) of the control system (BM), which is immediately near a Computer system (BM-RS) of the control system (BM) is arranged, being only control statements about this input unit (BM-IN) is used by the control system (BM) become. Method according to one of claims 30 to 52 for the control The security environment of any one of claims 1 to 30. Software product with program code parts for executing the Steps according to one of the claims 31 to 53. Software product according to claim 54, which is based on a computer readable storage medium or in a computer readable storage device is stored.