EP1723773A2 - Method for processing a data flow passing through a device placed inline in a computer network - Google Patents

Method for processing a data flow passing through a device placed inline in a computer network

Info

Publication number
EP1723773A2
Authority
EP
European Patent Office
Prior art keywords
modules
analysis
data flow
data
application layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP05739719A
Other languages
English (en)
French (fr)
Inventor
Cécile BUCARI
Rodolphe Hugel
Olivier Schott
Nicolas Stehle
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Everbee Networks SA
Original Assignee
Everbee Networks SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • the present invention relates to a method and a system for processing a data flow passing through a device placed inline in a computer network.
  • PRIOR ART. The security of computer networks is becoming increasingly necessary and important, both for businesses and for individuals. The rapid development of the Internet multiplies the fields of application and use of computer networks, thereby increasing the importance of the data exchanged and stored. Although it has many advantages, the massive democratization of the Internet inevitably brings with it computer crime, which grows along with the strategic stakes of the network of networks. The interconnection of corporate networks, home networks and the Internet thus leads to a growing need for security, to protect not only against all existing attacks but also against future attacks, which are developing extremely rapidly.
  • the IP layer makes it possible, among other things, to uniquely identify a computer system by means of a "network" address (the IP address), and the TCP layer makes it possible, among other things, to identify the receiving or sending application within that system by means of a "system" address (the TCP port).
  • TCP port: a "system" address
  • the quadruplet (IP address of the sending system, TCP port of the sending application, IP address of the receiving system, TCP port of the receiving application) completely defines a network communication link. It therefore becomes possible to authorize or prohibit network communications according to criteria relating to IP addresses and TCP ports. (In practice the transport protocol is a fifth element of this key, since TCP and UDP have separate port spaces.)
  • IANA: Internet Assigned Numbers Authority
  • the IANA recommends a given port for each application wishing to provide a particular service (a "Web" server or an e-mail server, for example).
  • e-mail: electronic messages
  • These conventions have made it possible to standardize access to Internet services and therefore to speed up their implementation by developers and their adoption by users.
  • chats: chat software
  • the invention relates to a method for processing a data flow passing through a device placed inline in a computer network.
  • the method includes: - an analysis step, in which the device recognizes and analyzes simultaneously, in accordance with a security policy, the application protocol structuring the application layer of the data flow; - a modification step, in which the device modifies, according to the security policy and the results of the analysis step, at least part of the application layer contained in the data flow.
  • the analysis and modification steps include: - the sub-step, for the device, of running software associated with modules and applying the security policy; - the sub-step of selecting particular modules from among the modules, in accordance with the security policy.
  • the modules carry out at least one of the following actions on at least part of the application-layer data contained in the data flow: decode, encode, decrypt, encrypt, decompress, compress.
  • the modules carry out the analysis step by checking the compliance of the application layer with at least one grammar.
  • the modules carry out the analysis step and/or the modification step on at least part of the application-layer data contained in the data flow.
  • the modules carry out the analysis step and/or the modification step on the entirety of the application-layer data contained in the data flow.
  • the method further comprises: - the step in which the modules communicate with each other; - the step in which the modules communicate with the software.
  • the method further comprises: - the step of replacing at least part of the application protocol with another application protocol.
  • the method further comprises: - the step of prioritizing the modules in order to minimize the computing resources, in particular the memory space and computation time, needed to process the data flow.
  • System. The invention also relates to a system for processing a data flow passing through a device placed inline in a computer network.
  • the device comprises: - analysis means carrying out an analysis that recognizes and analyzes simultaneously, in accordance with a security policy, the application protocol structuring the application layer of the data flow; - computer processing means able to carry out at least one modification, as a function of said security policy and of the results of said analysis, of at least part of the application layer contained in the data flow.
  • the analysis means and the computer processing means, running software associated with modules, make it possible: - to apply the security policy; - to select particular modules from among the modules, in accordance with the security policy.
  • the modules make it possible to carry out at least one of the following actions on at least part of the application-layer data contained in the data flow: decode, encode, decrypt, encrypt, decompress, compress.
  • the modules make it possible to carry out the analysis by checking the compliance of the application layer with at least one grammar.
  • the modules perform the analysis and/or the modification on at least part of the application-layer data contained in the data flow.
  • the modules perform the analysis and/or the modification on the entirety of the application-layer data contained in the data flow.
  • the modules have means of communication allowing them to communicate with each other and with the software.
  • the computer processing means also make it possible to replace at least part of the application protocol with another application protocol.
  • the computer processing means and/or the analysis means also make it possible to establish a hierarchy of modules in order to minimize the computing resources, in particular the memory space and computation time, needed to process the data flow.
  • the invention relates to a device placed inline in a computer network and used to recognize and analyze all of the application data of a network data flow. The inline device is intended to process all of the data passing through it.
  • the processing carried out consists in analyzing this data and, according to the results of this analysis, modifying it, in particular at the application level. This processing can go as far as a complete change of the application protocol carried on the data flow.
  • the system is capable of interpreting a security policy and of organizing all of its searches so as to optimize performance. It can modify the data flow according to this security policy.
  • the device is capable of modifying the content of the application data and, if necessary, of changing the entire application protocol transiting on the flow.
  • the system that is the object of the present invention makes it possible to realize fully all the functionalities of the method described above. To better understand the invention, various examples will be described.
  • FIG. 1 represents the general diagram of the device as well as its interconnection in a computer network.
  • the device D is placed inline on any computer network R: this can be the Internet, an intranet, a home network or even just two stations linked together. "Inline" means the physical separation of the network R into two subnetworks, linked together by the device D.
  • all of the data flow FD passing from one subnetwork to the other must pass through the device D.
  • the device D makes it possible to analyze in detail the application flow passing over the network.
  • the OSI layers, from top to bottom: Level 7: Application layer; Level 6: Presentation layer; Level 5: Session layer; Level 4: Transport layer; Level 3: Network layer; Level 2: Data link layer; Level 1: Physical layer.
  • Application protocols (PA) are what allow applications to understand the data flow. There are many application protocols PA, and the challenge for the device D is to be able to recognize them.
  • the analysis of the device D is controlled by a security policy PS, with which it is in permanent communication through software L executed by the computer processing means MTI; the software L orchestrates all of the functions of the device.
  • the device D may or may not deepen its analysis, depending on what the security policy PS requests.
  • This security policy can be in the device itself or remote; this does not limit the scope of the invention.
  • the device makes it possible to apply an extremely fine-grained security policy PS, authorizing or prohibiting, for each user of the device D, the use of a given network application. One can therefore distinguish Internet access for simple searches with a web browser from Internet access for file sharing, even when the two services use the same port.
  • the computer processing means MTI and the analysis means MA, executing the software L, select application-protocol detection and analysis modules M.
  • These modules M execute their task inside the device D and are controlled by the device itself by means of the software L.
  • These modules can be an integral part of the device or be hosted outside the device D; in the latter case, the device D requires access to all of the modules M available to it in order to download and execute them.
  • the modules M are responsible for recognizing and analyzing the protocol; they operate simultaneously, in order to deduce each of the elements that make it up.
  • the mechanism for recognizing and analyzing the components of the application protocol can be carried out by checking compliance with a grammar.
  • the software L can prioritize the different modules selected in order to optimize the processing.
  • the modules M are complementary in the recognition and detection of application protocols, because these are very often nested within one another, as shown in the following example:
  • HTTP: HyperText Transfer Protocol
  • This application protocol makes it possible to request files (text, images, sounds or HTML documents).
  • the device will analyze the application layer of the data flow to deduce the application protocol (HTTP) and understand all of the protocol's application data. It will thus know the address of the requested document and the various options relating to this request (HTTP protocol, RFC 2616).
  • the device may request further analysis, but the HTTP detection and analysis module will not be able to continue the analysis of the requested file itself. Depending on the file, other specialized modules will have to be called.
  • HTML page: a classic page of a web site
  • the document is made up of several entities: text formatted in the HTML language, which itself calls on more advanced languages to create dynamic pages, such as JavaScript, or uses style sheets.
  • the device will therefore be able to arrange the "http", "HTML", "JavaScript" and "Style sheet" modules in a hierarchy.
  • the "http" module can call the "HTML" module, which can in turn call the "JavaScript" and "Style sheet" modules.
  • All the results of the modules M are communicated to the software L, which can, depending on the security policy PS, take the actions necessary to secure the flow. Likewise, the modules can communicate with each other, which makes it possible to share all of the information relating to the flow and thus facilitates the various searches and analyses.
  • all communications between the modules and the software L are bidirectional: when a command is sent, the response can either be received immediately, because the information is already available, or be received later, once the necessary action has been taken.
  • communications can be managed by an interrupt system, so that in critical cases the transmission of information can be sped up.
  • communication by status, that is, by requesting the status of the various pieces of information (available or not), remains available.
  • the communications can be of different kinds: the activation of a module M on part of the flow, a request to one of the modules for information on the analysis in progress, or a request for an action on the flow. Indeed, the modules M are capable of acting on the flow and are even the main actors in modifying it.
  • during the recognition and analysis stage, the modules M simultaneously record the location of each element of the protocol and are therefore able to access this information very quickly, whether to consult or to modify it.
  • the modules therefore offer the software L, in addition to the detection of the protocols, functions for accessing the information of the recognized protocol, as well as functions for modifying the elements of the protocol.
  • the protocol modification functions fall into two families. The first allows the content of each field making up the protocol to be modified; for example, in an HTTP request for a web page one can change the address of the requested site, turning www.prohibited.com into www.authorized.com.
  • the second family makes it possible to add, modify or delete protocol fields; one can therefore, for example, delete options considered dangerous (in the case of HTTP, all the user data, often carried as options, that reveal the software used by the user as well as all the pages visited!), or add options to the protocol to better delimit the application being protected.
  • the functionality of the modules M is, however, even more extensive. Many protocols are compressed, encoded or even encrypted. There are therefore modules M dedicated to these particular cases, which decode, decrypt and decompress the data of the application flow. For encrypted protocols this presupposes that the device holds the keys, for example by terminating the session itself; otherwise the application layer remains opaque to it.
  • the ZIP compression/decompression module will call, depending on the files present in the archive, analysis modules for executable files, script files or image files; when all of the modules called by the compression/decompression module have finished their tasks, the compression/decompression module can recompress the flow, taking into account the modifications made to the decompressed flow. All of the processing described above is performed on the entire flow. However, the security policy can decide to stop processing and protocol recognition on a connection in progress if it has rules certifying that the connection does not require further analysis. The software L can therefore activate or deactivate each of the modules M dynamically throughout the flow.
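The recognition-by-grammar and field-modification mechanisms described in the examples above (telling browsing from file sharing on the same port, then rewriting the requested site and deleting the options that reveal the user's software and history), as an added example in Python. This is not the patent's or Everbee's code; every name in it (parse_http_request, recognise_protocol, apply_policy, POLICY, the BitTorrent handshake check and the sample messages) is an assumption of the example, and the sample flows are constructed, not captured traffic.

```python
"""Added example, not Everbee's code: a toy version of the inline device D.
Modules recognise the application protocol of a flow by checking the payload
against a grammar instead of trusting the TCP port, and rewrite protocol
fields under a security policy PS.  All names here (parse_http_request,
recognise_protocol, apply_policy, POLICY, the sample messages) are
assumptions of this example."""
import re

# Grammar for the head of an HTTP/1.x request (after RFC 2616): a request
# line, then "Name: value" header lines, then an empty line.
REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/1\.[01])$")
HEADER_LINE = re.compile(
    rb"^(?P<name>[!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(?P<value>[^\r\n]*)$")

# BitTorrent peer-wire handshake: a length byte 19 followed by the string
# "BitTorrent protocol".  Seen on port 80 it is file sharing, not browsing.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def parse_http_request(payload):
    """Check the payload against the request grammar.  Return
    ((method, target, version), [(name, value), ...], body) when it
    conforms and None when any line fails the grammar."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                      # head not complete: not a request
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers = []
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if h is None:
            return None                  # one malformed header fails the grammar
        headers.append((h["name"], h["value"]))
    return (m["method"], m["target"], m["version"]), headers, body


def recognise_protocol(payload):
    """Name the application protocol from the payload alone, so that web
    browsing and file sharing are told apart even on the same port."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if parse_http_request(payload) is not None:
        return "http"
    return "unknown"


# A security policy PS for this example: drop headers that reveal the user's
# software and browsing history, rewrite one prohibited site to an authorised
# one, and add an option marking the flow as inspected.
POLICY = {
    "strip_headers": {b"user-agent", b"referer"},
    "rewrite_host": {b"www.prohibited.example": b"www.authorized.example"},
    "add_headers": [(b"X-Inspected-By", b"device-D")],
}


def apply_policy(payload, policy=POLICY):
    """Modify the fields of a recognised HTTP request according to the policy
    and re-serialise it.  Returns None if the payload is not HTTP."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return None
    (method, target, version), headers, body = parsed
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in policy["strip_headers"]:
            continue                     # second family: delete a field
        if lname == b"host" and value in policy["rewrite_host"]:
            value = policy["rewrite_host"][value]   # first family: change a field's content
        kept.append((name, value))
    kept.extend(policy["add_headers"])   # second family: add a field
    head = b"\r\n".join([b"%s %s %s" % (method, target, version)]
                        + [b"%s: %s" % (n, v) for n, v in kept])
    return head + b"\r\n\r\n" + body


# Constructed sample flows (not captured traffic).
SAMPLE_HTTP = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.prohibited.example\r\n"
               b"User-Agent: ExampleBrowser/1.0\r\n"
               b"Referer: http://other.example/start\r\n"
               b"Accept: text/html\r\n\r\n")
SAMPLE_BT = BT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20)  # reserved, info_hash, peer_id
SAMPLE_BAD = b"GET / HTTP/1.1\r\nThis line has no colon\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_BT, SAMPLE_BAD):
        print(recognise_protocol(sample))
    print(apply_policy(SAMPLE_HTTP).decode())
```

Two points the toy makes concrete: a flow is only classified as HTTP when every line of the head conforms to the grammar, so a single malformed header line yields "unknown" rather than a partial parse, and the rewritten request is re-serialised through the same grammar, so the modified flow is itself still parseable by the next module in the chain.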
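The compression/decompression module of the last paragraph (unpack the archive, hand each member to the executable, script or image module, recompress with the members' modifications), as an added example in Python. It is not the patent's or Everbee's code. Beyond what the paragraph says, it picks the member's module from the member's bytes rather than its file name, recurses into nested archives as one module calling another, and enforces a decompressed-size budget and a nesting limit, which an inline device needs because an attacker can feed it a decompression bomb. The analysers, the limits, the classify helper and the sample archive are assumptions of the example.

```python
"""Added example, not Everbee's code: a toy compression/decompression module
of the kind described above.  It unpacks a ZIP archive held in memory, hands
each member to an analysis module chosen from the member's content (magic
bytes) or, failing that, its extension, recurses into nested archives, and
repacks the archive with the members' modifications.  It also enforces a
decompressed-size budget and a nesting limit against decompression bombs.
The analysers, limits and sample archive are assumptions of this example."""
import io
import posixpath
import zipfile


def analyse_executable(name, data):
    """Executable module: the policy of this example replaces executables."""
    return b"removed by policy: executable %s\n" % name.encode()


def analyse_script(name, data):
    """Script module: drop lines matching a forbidden pattern (toy rule)."""
    return b"\n".join(l for l in data.split(b"\n") if b"eval(" not in l)


def analyse_image(name, data):
    """Image module: nothing to change in this example."""
    return data


def classify(name, data):
    """Pick the module by what the bytes are, not by what the name claims."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ" or data[:4] == b"\x7fELF":
        return "executable"
    if data[:8] == b"\x89PNG\r\n\x1a\n" or data[:3] == b"\xff\xd8\xff":
        return "image"
    ext = posixpath.splitext(name)[1].lower()
    return {".js": "script", ".vbs": "script", ".ps1": "script"}.get(ext, "other")


MODULES = {"executable": analyse_executable, "script": analyse_script,
           "image": analyse_image}


def process_zip(archive, max_bytes=50_000_000, max_depth=3, _depth=0, _budget=None):
    """Decompress, dispatch each member to its module, recompress.
    Returns (new_archive_bytes, [(member_path, outcome), ...]).
    Raises ValueError when the archive exceeds the size or depth limits."""
    if _depth > max_depth:
        raise ValueError("archive nesting deeper than %d" % max_depth)
    budget = [max_bytes] if _budget is None else _budget   # shared across recursion
    report = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            budget[0] -= info.file_size          # declared size, checked before inflating
            if budget[0] < 0:
                raise ValueError("decompressed size exceeds %d bytes" % max_bytes)
            data = zin.read(info)
            kind = classify(info.filename, data)
            if kind == "zip":                    # module calls module: recurse
                new, sub = process_zip(data, max_bytes, max_depth, _depth + 1, budget)
                report.extend((info.filename + "/" + n, o) for n, o in sub)
            elif kind in MODULES:
                new = MODULES[kind](info.filename, data)
            else:
                new = data
            report.append((info.filename, "modified" if new != data else "unchanged"))
            zout.writestr(info.filename, new)
    return out.getvalue(), report


def read_members(archive):
    """Helper for inspecting results: {member name: bytes}."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return {i.filename: z.read(i) for i in z.infolist()}


def build_sample_archive():
    """Constructed test input: an executable, a script, an image and a nested
    archive carrying another executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zi:
        zi.writestr("dropper.exe", b"MZ" + bytes(30))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("tool.exe", b"MZ\x90\x00" + bytes(60))
        z.writestr("page.js", b"var a = 1;\neval(atob('...'));\nconsole.log(a);\n")
        z.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + bytes(16))
        z.writestr("nested.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    new_archive, report = process_zip(build_sample_archive())
    for path, outcome in report:
        print(path, outcome)
```

The budget is deducted from the declared uncompressed size before a member is inflated, so a member whose header announces more than the remaining allowance is refused without being decompressed at all; the depth limit stops an archive that contains itself, or a long chain of nested archives, from recursing indefinitely.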

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Communication Control (AREA)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0450403A FR2867003B1 (fr) 2004-03-01 2004-03-01 Method for processing a data flow passing through a device placed inline on a computer network
PCT/FR2005/050136 WO2005083969A2 (fr) 2004-03-01 2005-03-01 Method for processing a data flow passing through a device placed inline on a computer network

Publications (1)

Publication Number Publication Date
EP1723773A2 true EP1723773A2 (de) 2006-11-22

Family

ID=34834271

Family Applications (1)

Application Number Title Priority Date Filing Date
EP05739719A Withdrawn EP1723773A2 (de) 2004-03-01 2005-03-01 Method for processing a data flow passing through a device placed inline in a computer network

Country Status (3)

Country Link
EP (1) EP1723773A2 (de)
FR (1) FR2867003B1 (de)
WO (1) WO2005083969A2 (de)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8254381B2 (en) * 2008-01-28 2012-08-28 Microsoft Corporation Message processing engine with a virtual network interface

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE444614T1 (de) * 1997-07-24 2009-10-15 Axway Inc E-mail firewall
US6170012B1 (en) * 1997-09-12 2001-01-02 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with cache query processing
US20020161848A1 (en) * 2000-03-03 2002-10-31 Willman Charles A. Systems and methods for facilitating memory access in information management environments
WO2002060150A2 (en) * 2001-01-24 2002-08-01 Broadcom Corporation Method for processing multiple security policies applied to a data packet structure
US7284269B2 (en) * 2002-05-29 2007-10-16 Alcatel Canada Inc. High-speed adaptive structure of elementary firewall modules

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
WO2005083969A3 (fr) 2005-12-15
WO2005083969A2 (fr) 2005-09-09
FR2867003B1 (fr) 2006-09-08
FR2867003A1 (fr) 2005-09-02

Similar Documents

Publication Publication Date Title
EP2819052B1 (de) Method and server for processing an access request from a terminal to an IT resource
EP2692089B1 (de) Inbound redirection mechanism on a reverse proxy
US20030204719A1 (en) Application layer security method and system
NZ527915A (en) Application layer security method and system
JP2010536216A (ja) Method and unit for classifying traffic in an IP network
FR2850503A1 (fr) Method and dynamic system for securing a communication network by means of portable agents
WO2009147163A1 (fr) Method for tracing and recovering pseudonymised flows on communication networks, and method for transmitting an information flow able to secure data traffic and its recipients
FR3028373A1 (fr) Delegation of intermediation on an encrypted data exchange
EP1983722A2 (de) Method and system for securing Internet access on mobile telephones, and corresponding mobile telephone and terminal
WO2004086719A2 (fr) Secure client/server data transmission system
EP1723773A2 (de) Method for processing a data flow passing through a device placed inline in a computer network
CA2357909A1 (fr) Device and method for processing a sequence of information packets
Parsons Deep packet inspection and its predecessors
FR2940695A1 (fr) Gateway server with a microkernel
FR2865337A1 (fr) Security system and method for a firewall, and associated product
FR3076638A1 (fr) Method for managing access to an authentication web page
CA2357896A1 (fr) Method for transporting packets between an access interface of a subscriber installation and a shared network, and access interface implementing such a method
FR2834407A1 (fr) Method for remotely securing the download of active data into a terminal
FR2897965A1 (fr) Method for filtering digital data and device implementing this method
Holtkamp The role of XML firewalls for web services
EP2472818B1 (de) Data processing method for controlling access to Internet content
EP1239647A1 (de) Method and devices for securing a communication session
WO2005015876A1 (fr) Device for customizing the processing of communications
FR2778290A1 (fr) Method and device for secure interconnection between networked computers, by controlling a filtering module residing in the IP communication layer
FR3024008A1 (fr) Parental control method and devices

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20061002

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR

17Q First examination report despatched

Effective date: 20070111

RIN1 Information on inventor provided before grant (corrected)

Inventor name: STEHLE, NICOLAS

Inventor name: HUGEL, RODOLPHE

Inventor name: BUCARI, CECILE

Inventor name: SCHOTT, OLIVIER

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20070724