FI120479B - Procedure and timing for establishing connection to an apparatus - Google Patents

Description

METHOD AND TERMINAL TO CONNECT TO THE DEVICE

FIELD OF THE INVENTION

The present invention relates to telecommunication 5 technology. In particular, the present invention relates to a method and a device for selectively opening a connection message collage connection.

BACKGROUND OF THE INVENTION

10 Various objects, such as real estate, can be controlled in many ways, for example, for burglaries and fires. One type of control is the so-called. remote control, where an object, such as a property, has an automatic surveillance system that transmits alarm information in the event of a burglary or tu-15 attack.

Alarms are transmitted, for example, in a special message transmission system (ISJ), which is traditionally based on a landline network (subscriber cable). · Other public communications networks, such as the Internet, can also be used as alarms.

The Internet network comprises a global network for data transmission and services. It comes with a variety of over-the-top layer (Layer 4) functionality, such as name service, email, 25 network management protocols, VoIP (Voice over IP), and countless applications and protocols. In all of the above cases, the transmission network itself, which routes and connects on L1, L2 and L3 layers, does not comment on the applications to be transported. 30 Applications use a variety of markup languages and protocols to communicate information.

One problem with the Internet is security. There are a number of ways to access information transmitted at the application level. Generally speaking, there are 35 actors from different backgrounds who wish to gain access to information 2 controlled or transmitted by other parties. One such entity is called "hackers". Their main purpose is to cause havoc and trouble to the target of the hacking. Another example is the 5 spy industrial spies: they try to get the information they want online.

Another component of the security problem is the weaknesses of the operating systems and applications in use. Operating systems and application operations may have security holes that allow third parties to access information that was not originally intended for them.

To improve security, there are security methods that are specific to the transmission network, such as VPN (Virtual Private Network), MPLS (Multiprotocol Label Switching), intranet, tunneling, private access point, and device-related methods such as firewall techniques, access lists, virus protection, etc. What is common to all of the above methods is that malicious activity is generally directed to and above L4, especially if the L4 (Transport Layer) protocol is TCP (Transmission Control Protocol).

25 Devices which, for example, monitor various objects and which, in the event of an alarm, transmit information to the monitoring station or receive information, are functionally relatively simple devices. However, the use of such devices must be absolutely safe. In other words, an unauthorized third party may never gain access to control of the device, for example through a data network. Due to the aforementioned security factor, a large part of the monitors operate over a telephone network. In the telephone network, the sender and the recipient have unique identifiers, which are virtually impossible to falsify.

3

On the other hand, monitoring devices can be made more complex and secure to connect to a public information network (such as the Internet). Such a device typically has an operating system and a plurality of applications that provide a more secure way of transmitting information and receiving control information from a public data network. But as mentioned earlier, there are almost always security issues in operating systems and applications. In addition, operating systems and applications need to be constantly updated in practice to maintain a high level of security.

If your device uses the Internet to receive and send information, it must open certain application ports outward. From a security point of view, it is problematic if the application port declares its existence by replying to a message from an unknown source. In the case of the Unstructured Data Protocol (UDP), it is easy to protect against unknown sources, for example, by making the UDP port passive. In other words, it does not respond to the messages it receives in any way.

Connected TCP has slightly 25 different functions. It opens the connection first, and only after that the actual data transfer begins. Further, the TCP port is constantly listening for new connection setup messages. In addition, it is only after the connection is established that the device making the connection can identify itself. In this way, virtually anyone can try to establish a TCP connection to the receiving device. As a result of the connection, the sender becomes aware of the existence of the recipient's IP number / TCP port and may interfere with the port, for example, by sending unlimited SYN floo Ding messages, disrupting the device operation and reserving the connection capacity of the device 4.

The problem with prior art is, inter alia, how to make a device connected to the public telecommunications network 5 safe but at the same time simple in its function. Another problem is how to open a message message protocol connection only with identified parties.

PURPOSE OF THE INVENTION

The object of the invention is to eliminate or at least significantly alleviate the above disadvantages. In particular, it is an object of the invention to provide a method and apparatus for opening a protocol protocol connection 15 (e.g., TCP) to a terminal so that the port used for the final opening of the connection is still closed at the initial stage of the connection opening process.

SUMMARY OF THE INVENTION

In accordance with one aspect of the invention, there is provided a method of opening a connection protocol protocol. The method comprises storing at least one sender identification information in the device and opening a passive offline message protocol application device from the device. The term "passive" means that, when open, a port does not in any way respond to messages sent to it, and that all other unused ports in the various protocols do not respond in any way to messages (packets) sent to them. Typical applications include different protocol and port scanners, which are based on the fact that in normal situations, if the port is not open, it is notified to the sender (including Internet Cont-35 rol Message Protocol). In the embodiment of the invention, all 5 of these are preferably blocked, so that no unexpected is answered in any way.

A message with content data comprising the identity of the sender 5 is received in the application port of the offline message protocol. From the received message, the sender identity is checked, and if the identification information contained in the offline message protocol message matches the sender identification information pre-stored in the device, the IP-10 source address of the message sender is stored in the device memory and the predetermined port of the connection message protocol is opened. The context-free message protocol is preferably UDP and context-sensitive TCP, respectively. However, one of ordinary skill in the art will appreciate that other protocols may be applicable to the invention.

In one embodiment of the invention, said open port of the on-line message protocol receives a message, checks the IP address of the message sender, and responds to the message if the IP address corresponds to the IP address stored in the device memory in step 20 of storage. If the IP address does not match the IP address stored in the machine's memory at the time of recording, the message will be rejected.

In one embodiment of the invention, the port of the connection 25 message protocol is closed after a predetermined period of time after the port has been opened.

In one embodiment of the invention, the sender's IP address contained in the message is deleted from the device memory after said predetermined period of time.

In one embodiment of the invention, the received message of the offline message protocol is encrypted and the message of the offline message protocol is decrypted before the checking step.

According to another aspect of the invention, there is provided a device for opening a protocol protocol connection. The device comprises an interface for connecting the device to a public telecommunications network. The device further 6 comprises a first memory arranged to store the identity of the at least one sender, and processing means arranged to open a passive offline message protocol application 5, wherein the application port is arranged to receive the offline message protocol message containing the sender information. The processing means are further arranged to check the sender identification information of the received message and 10 store the sender IP source address of the message contained in the second memory if the identification information contained in the message corresponds to the predefined sender identification information in the device and open a predetermined connection message port 15.

In an embodiment of the invention, the opened port of the communicative message protocol is arranged to receive the message, and the processing means are arranged to check the IP address of the sender 20 contained in the message and reply to the message if the IP address matches the IP address stored in the device memory. corresponds to the IP address stored in the device memory during the recording phase.

In one embodiment of the invention, the processing means are arranged to close the gateway message protocol port for a predetermined period of time after opening the port.

In one embodiment of the invention, the processing means 30 are arranged to delete the sender's IP address contained in the message from the device memory after said predetermined period of time.

In one embodiment of the invention, the received offline message protocol message is encrypted, and the processing means 35 are arranged to decrypt the offline message protocol message before checking the transmitted identification information.

7

The device disclosed in the invention has a global static address in a public telecommunications network, such as the Internet. Due to the present invention, the terminal device can be made very simple in structure and function and inexpensive. Further, the terminal automatically rejects messages received from unknown parties and does not contain elements that automatically communicate to the network. In other words, the terminal can be connected to 10 public telecommunication networks (Internet) without the fear that the terminal would be vulnerable to attacks against it.

In addition, to summarize the invention, the TCP-15 application port of the device is closed when opening the TCP connection. The terminal requesting the TCP connection first identifies itself using the UDP protocol. Only then does the device of the invention open the TCP port and verify the sender of the message arriving at the TCP port.

The method of the invention is able to establish a connection-based message protocol (e.g., TCP) connection to a device according to the invention, although the device initially does not comprise any open port of the connection-based message protocol. This will prevent the port from appearing on the public telecommunications network to the wrong parties.

LIST OF FIGURES

In the following, the invention will be described in detail by way of example embodiments, in which: Figure 1 illustrates an embodiment of an arrangement according to the invention; Figure 2a illustrates an embodiment of the method according to the invention; Figure 2b shows an embodiment of the method according to the invention; and FIG. 3 shows an embodiment of a terminal according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

Figure 1 shows an embodiment of the arrangement according to the invention.

Figure 1 comprises three access terminals 104, 110 and 112 and one access terminal 100 to which connection is made. The terminal 100 is connected to the public communications network 102 through which the terminal 100 can be addressed. The telecommunications network 102 is preferably an Internet network. In the case of the Internet, the terminal 100 is assigned a static IP address (IP, Internet Protocol).

Terminals 104, 110, and 112 shown in Figure 1 illustrate with each other different examples of terminals and situations that are being connected to terminal 100. The terminal 104, like terminal 100, is assigned a global static IP address. In other words, the terminal 100 then sees the sender's source address as the actual IP address (197.56.1.208). The terminal 110 is the terminal behind the mobile communication network 106. In such a situation, the terminal 110 is assigned a dynamic global IP address (62.11.144.65) by the mobile communication network 25 106. In other words, the IP address allocated to the terminal 110 is temporary but at the same time global on the network 102. When the terminal 110 sends a message to the terminal 100, the actual (dynamic) IP address of the terminal 110 is displayed as the source-30 address. The terminal 112, in turn, is connected to the corporate network 108. Within the corporate network, the terminal 112 is assigned a non-global IP address (192.168.1.28). When the terminal 112 sends a message 35 to the terminal 100, the source address, for example, is the IP address of the corporate firewall (212.16.22.112) and not the internal IP address of the corporate network 9108 (192.168.1.28) allocated to the terminal 112. The corporate network 108 performs the "addressing" (NAT) of the address of the terminal 112 (Network Address Translation).

The operation of the invention will now be described in more detail with reference to Figure 2a, which shows an example of a method according to the invention. 2a, the reference numeral of FIG.

The device 100 according to the invention stores one or more identification data of the sender's terminal device en-10. For example, pre-recording refers to the fact that in the configuration step of the device 100, information about the parties (other devices) authorized to communicate with the device 100 is stored therein. In another embodiment of the invention, the identity of the transmitting terminals may be stored in the device after the actual initial configuration. Preferably, the identifier is any identifier other than the sender's IP address, e.g., a numeric sequence, a series of letters, or a combination thereof.

The purpose of the identifier is to identify the correct sender of the message containing the identifier, regardless of the IP address from which the message actually originates. Further, one or more application port 25 of the offline application protocol is opened from device 100. In this example, the offline application protocol is UDP, but one skilled in the art will appreciate that any current or future offline protocol may be used as the protocol. The opened application port is preferably predetermined so that the transmitting terminal (e.g., terminal 112) knows which port 100 of the device to send information to.

In step 200, the device 100 receives a UDP message. In this example, it is assumed that the UDP message 35 is derived from Figure 2a, the terminal device 112. The UDP packet contains identification information of the sending party. As described above, the identification information does not refer to the source IP address contained in the packet, but to the individual identification information contained in the packet content data. In step 202, the device 100 checks the UDP packet content data for said sender identification. If the identification information 5 is not found in the memory of the device 100, the received UDP message is automatically rejected (steps 204 and 210). The absence of identification information from the device 100 means that the sender of a UDP packet containing such an identifier is not authorized to send 10 data to the device 100. If the sender identification information contained in the UDP packet is found in the device 100 in step 204, the source address of the UDP message ) is stored in the device memory (step 206). In this example, device 100 tal-15 would fly into its memory the IP address 212.16.22.112. Note that the device 100 stores in its memory the source address of the UDP message (in this case, the firewall's IP address) and not the actual IP address of the terminal 112. In fact, the device 100 cannot even know which IP address is assigned to the terminal 112, since the IP address of the terminal 112 is not a global but only locally determined address.

Finally, in step 208, a predetermined application port of the context-sensitive message protocol is opened. The preferred message protocol of Yh-25 is preferably TCP, but one skilled in the art will appreciate that any current or future connection protocol may be used as the protocol.

In one embodiment, the TCP port opened in the manner shown in Figure 2a is kept open only for a predetermined period of time. If the terminal that previously sent the message to the UDP port does not send a message to the TCP port during the predetermined time period, the port will be closed.

In the embodiment of the invention shown in Figure 2a, the TCP port is opened only if the device receives an 11 UDP message containing the identity of the transmitting terminal and if the same credential is previously stored on the receiving device.

In one embodiment of Figure 2a, the UDP packet received by the device 100 from the terminal 112 is encrypted by some predetermined encryption method, for example, time-bound encryption. Devices 100 and 112 may have previously been synchronized to the same time domain, and the encryption used (encryption key) is based on the fact that the devices run in substantially the same time-10 socket. In other words, in one embodiment of the invention, the UDP message received by the device 100 is time dependent, i.e., the UDP message is "valid" for a predetermined period of time. When a time-bound encryption procedure is used, no other device in practice can send an acceptable UDP message. And even if the UDP message could be copied, the copied message is useless due to time-relatedness, and the device 100 rejects such a message. The receiving terminal generates a decryption key, utilizing the value of the time counter of the terminal 20 at the time of receiving the message, and decrypts by means of a decryption key formed on the basis of the value of the time counter.

In one embodiment, the terminal must first be synchronized with the time reference terminal 25. The time reference terminal operates at some time reference which is incremented at regular intervals. The time ferrule may be maintained, for example, by a UCT clock, a DCF77 receiver, a GPS receiver (GPS, Global Positioning System) or any other suitable arrangement. The counting interval is, for example, 0.1 s or any other suitable time interval. The absolute value of time does not matter in this case.

When the terminal starts up and initializes itself, it sends a UDP message to the time reference terminal. 35 The message net data contains a time request and a reference (sender identifier) to the recipient's IP address table. The reference is defined because the time reference terminal 12 responds only to those terminals specified in the table. If the time reference terminal receives an unrecognized message, the message may be automatically rejected. Similarly, if someone "pretends" to 5 senders, they will not receive an answer to the message they sent.

In response to the receipt of the time reference request, the time reference terminal transmits its current time reference value to the terminal 10 requesting the time reference. For example, if the transmission of the message to the terminal takes 20 ms, the terminal clock is thus 20 ms behind the clock of the time reference terminal. Such a small time difference is not essential to the operation of the method.

When the terminal receives the time reference message from the time reference terminal, the terminal sets its time counter according to the time reference in the message. The time reference message may further include a sender identifier which allows the terminal 20 to ascertain definitively that the time reference message actually came from the time reference terminal. If, for any reason, the terminal receives a time reference message even though it has not requested a time reference, the received message may be automatically rejected. 25 Messages related to obtaining a time reference can be encrypted, but encryption is not necessary.

The terminal memory may have stored a predetermined order of terminals to which the time-30 reference request can be sent. If the time reference request sent to the upstream terminal does not respond, the time reference may be requested from the next upstream terminal. It will be apparent to those skilled in the art that any technology or algorithm based on, for example, symmetric and asymmetric encryption may be used to encrypt the messages.

Figure 2b shows an embodiment of the invention which continues the execution of Figure 2a.

2a, after the UDP message has been sent to the device 100 according to Fig. 2a and the UDP message has been accepted, the sender (e.g., the terminal 112) initiates the TCP connection opening process to the device 100. According to step 250, the device 100 receives port. Preferably, the message is a TCP connection initiation message (SYN request). The device 110 then checks the message sender IP address (step 252). The IP address is checked from the sender field 15 (protocol frame) of the TCP message structure. In this case, the IP address 212.16.22.112 (the firewall IP address of the corporate network 108) is displayed as the transmission address of the TCP message. Because the terminal 112 is on a corporate network and has only a unique IP address within the corporate network (192.168.1.28), the correct IP address of the 20 terminals 112 is converted, for example, to the firewall IP address (ex 212.16.22.112) when leaving the corporate network 108.

In step 252, device 100 checks if device 100 has previously stored the same IP-25 address in its memory (step 206 of FIG. 2a). If no IP address is found, the TCP connection start message is rejected (steps 254 and 258). If the IP address is found in the memory of the device 100, the device 100 responds to the TCP connection start message (steps 254 and 256), thereby establishing a TCP connection between the devices 100 and 30112. Firewall of enterprise network 108 may establish a so-called firewall for terminal 112. a reflex port on which the device 100 forms a so-called. socket (blind = IP address + port). This way you can use TCP in both directions. Note, however, that only terminal 112 can act as a TCP connection opener in this example because it does not have a global IP address in this example.

14

The functionality with regard to the sockets themselves (creation, maintenance, etc.) is not described in detail herein, as one skilled in the art is aware of this functionality.

After establishing a TCP connection, the device 100 may periodically control the existence of a connection to the terminal 112 by sending a test packet over the connection. In this way, the function of both the formed socket and the formed reflex port must be tested. 10 It is possible that the TCP connection between the devices is lost for one reason or another. For example, a firewall may have a connection timeout that terminates the connection if the connection has not been in traffic for a certain period of time. In this case, if it is noticed that the connection between the devices 15 has been interrupted, the terminal 112 will resume the connection to the device 100 as shown in Fig. 2a.

Figure 3 illustrates an example of a device 308 according to the invention. In practice, device 308 may be any device whose operation involves only predetermined second terminals being able to communicate with it.

The device 308 comprises processing means 300 connected to the memory 302 and the interface 304. The terminal 308 may, if desired, be very simple to construct and not necessarily require the most common operating systems. In one application, it is sufficient to have both UDP and TCP protocol stacks on the device. The processing means 300 control the operation of the device 308 under the control of one or more applications stored in the memory 302. The memory 302 further includes one or more credentials referring to other terminals from which messages are allowed. The memory 302 itself may carry 35 or more separate memories. In addition, one of the memories may also be the internal memory of the processing means 300. Any suitable volatile or nonvolatile memory type may be used as the memory type.

Via message interface 304, device 308 receives UDP and TCP messages from a communication network.

Interface 304 may refer only to a physical device interface towards a communication network or a combination of a physical and software interface. Via the message boundary interface 304, other terminals can access the device 308 via UDP and TCP ports. As explained above, the UDP port or UDP port opened from the device 308 is inactive and does not send any response to the received messages. Further, as previously described, in a preferred embodiment, no TCP port is open outwardly from the device in normal mode, but the TCP port is opened following the procedure outlined in Figure 2a above.

Figure 3 also shows that device 308 may include a second interface 306, for example, to a target to be monitored (if device 308 is used as a monitoring device). In this case, when received through the monitoring interface 306, the signals can be transmitted over a TCP connection established. However, one of ordinary skill in the art will appreciate that the device can be used in any other application environment. In one embodiment of the invention, the device 100 may function as a monitoring device and in another embodiment of the invention, the device may not include any specific monitoring limit.

In addition, one of ordinary skill in the art will appreciate that the device disclosed in the invention is not limited to applications where the terminal acts as a monitoring device or as a receiving device for monitoring information. In contrast, the device according to the invention voidaa application 35-TAA in any environment where it is desirable to establish a TCP connection between two parties which identify each other. Applications of the invention may include, for example, servers, workstations, laptops, PDAs (Personal Digital Assistant), mobile devices, mobile phones, wireless devices, and the like, capable of performing exemplary applications of the invention. The devices, applications, or systems used in the embodiments of the invention may communicate with each other using any suitable protocol.

One or more interface mechanisms may be used in embodiments of the invention, including, for example, the Internet, in any form of communication using any suitable communication network. The telecommunications networks or links used may include one or more wireless networks, a 3G-15 mobile network, a public switched telephone network (PSTN), a packet data network, the Internet, an intranet, or a combination thereof.

It will be appreciated by those skilled in the art that the embodiments of the invention disclosed are exemplary only, and that one or more components of the exemplary embodiment may be implemented by one or more hardware and / or software. Exemplary applications may store information related to various processes, for example, in one or more memory, such as a hard disk, optical disk, or the like.

All or some of the exemplary embodiments may be implemented using one or more general-purpose processors, microprocessors, micro-controllers, or the like, programmed to implement embodiments of the invention. Further, exemplary embodiments of the invention may be implemented, for example, with Application Specific Integrated Circuits (ASICs). Thus, exemplary embodiments 35 of the invention are not limited to a particular combination of hardware and / or software.

17

Exemplary applications of the invention, stored on one or more data storage media, may include software for controlling components of exemplary applications. Such software may include, for example, hardware drivers, firmware applications, operating systems, and the like.

As noted above, the components of exemplary applications may include computer or other device readable means or memories for storing instructions programmed in accordance with the present invention. The readable medium or memory may be any known storage medium.

The invention is not limited solely to the above exemplary embodiments, but many other modifications are possible within the scope of the inventive idea defined by the claims.

Claims (10)

A method of opening a protocol protocol connection, characterized in that the method comprises 5 steps: storing at least one sender identification information in the device; opening a passive application-free word-mapping protocol application port from the device; 10 receiving, at the application port of the offline message protocol, a message whose content data comprises the sender's identification information; verifying, from the received message, the identity of the sender; and if the identifier-15 information contained in the message corresponds to the sender's identification information pre-stored in the device; storing the IP address of the message sender in the device memory; and opening a predetermined port of the on-line message protocol. The method of claim 1, further comprising: receiving a message at said opened communication message protocol port; 25 verifying the IP address of the message sender; replying to a message if the IP address matches the IP address stored in the device memory during the recording step; or discard the message if the IP address does not match the IP address stored in the device memory during the save phase. The method of claim 1 or 2, further comprising: closing port 35 of the on-line message protocol after a predetermined period of time after opening the port. The method of claim 3, further comprising: deleting the sender's IP address contained in the offline message protocol message from the device memory after said predetermined period of time. The method according to any one of claims 1 to 4, wherein the received offline message protocol message is encrypted and the method further comprises: decrypting the offline message protocol message before the checking step. An apparatus for opening a protocol protocol connection, the apparatus (308) comprising: an interface (304) for connecting the apparatus (308) to the public communications network (102); characterized in that the device (308) further comprises: a first memory (302) arranged to store at least one sender identification information; 20 processing means (300) configured to open the passive offline message protocol application port, wherein the application port is arranged to receive the offline message protocol message whose content data comprises sender identifier information; and wherein the processing means (300) are configured to check the sender identification information of the received offline message protocol message and store the message sender IP address memory (302) 30 if the identification information contained in the message matches the predefined sender identity information stored in the device. The apparatus of claim 6, wherein: the opened port of the on-line message protocol is arranged to receive the message; and processing means (300) arranged to check the IP address of the message sender of the connection message protocol and reply to the message if the IP address matches the IP address stored in the device memory 5 (302), or to reject the message if the IP address does not match the device and an IP address stored in the memory (302). Device according to Claim 6 or 7, characterized in that: 10 processing means (300) are arranged to close the port of a land-based message protocol after a predetermined period of time after the port has been opened. The device of claim 8, characterized in that: 15 processing means (300) are arranged to remove the IP address of the sender of the land-based message protocol message from the device memory (302) after said predetermined period of time. Device according to any one of the preceding claims 6 to 20, characterized in that if the received offline message protocol message is encrypted, the processing means (300) are arranged to decrypt the offline message protocol message before checking the transmitted identification information. 25