KR20030060306A - Using object module, active customized firewall - Google Patents


Info

Publication number: KR20030060306A
Authority: KR (South Korea)
Prior art keywords: object module, packet, policy, firewall, module
Application number: KR1020020000953A
Other languages: Korean (ko)
Inventor: 신중호
Original Assignee: 신중호
Priority date: 2002-01-08
Filing date: 2002-01-08
Publication date: 2003-07-16
Application filed by 신중호
Priority to KR1020020000953A
Publication of KR20030060306A

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/20  Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

PURPOSE: An administrator-customized dynamic firewall using object modules is provided, enabling an administrator to express a desired security policy precisely and as intended by using object modules and defining the relationships between them, and to respond quickly and autonomously to a specific situation by using action object modules. CONSTITUTION: A tag (4) is formed by wrapping a packet arriving at the firewall computer in a capsule (3). When a packet that has passed through a specific object module later reaches an action module, the tag causes a specific action to be carried out. The processed, encapsulated packet flows along the policy object modules configured according to the administrator's intent. Each policy object produces a result, and the packet flows to a different object according to that result, so a different security policy is assigned to each packet.

Description

Administrator-customized dynamic firewall using object modules {Using object module, active customized firewall}

The present invention relates to a security system for strengthening the security of a computer network, and more specifically to a method that can be configured dynamically, and customized by the administrator, on a firewall computer located between a non-secure Internet and a secure intranet.

In general, a firewall computer uses a scheme like the one shown in FIG. 1. Typical examples are packet filtering, which examines only whether a packet's header information violates the security policy in order to decide whether to admit it, and application-layer filtering, which inspects the integrity of the data to decide whether to admit the packet. Existing schemes of this kind check only whether a packet violates the configured policy and merely control admission, and they apply the same security policy to every incoming packet, so they limit the security policies an administrator can construct; and because they only control traffic, they cannot respond quickly and proactively.

The present invention addresses these problems. Each security policy is made into a policy object module, and the overall security policy is designed by defining the relationships between the object modules. Because the object module a packet proceeds to next depends on the result of the module it has just passed through, the limits on expressing the security policy the administrator has in mind are removed; and by configuring an action object module (6) that follows from an object module's result, the firewall acts on its own when a particular situation arises, so that it can respond quickly and proactively.

To achieve this object, the present invention is characterized by making detailed policies and actions into object modules, defining relationships between the object modules to complete the overall security policy, and specifying actions so as to respond proactively.

FIG. 1 is a conceptual diagram showing how the security policy of a conventional firewall is applied.

FIG. 2 is a structural diagram of an encapsulated (i.e. processed) packet.

FIG. 3 is a conceptual diagram showing how the security policy of object modules is applied.

FIG. 4 is a table for specifying object modules and defining their relationships.

<Description of the reference numerals for the main parts of the drawings>

1: security policy    2: packet

3: capsule    4: tag

5: policy object module    6: action object module

A detailed description with reference to the accompanying drawings follows.

FIG. 2 is a structural diagram of a processed packet: a packet arriving at the firewall computer is wrapped in a capsule (3) to create a tag (4). The tag records the object modules the packet has passed through, so that an action module can later perform a specific action when it receives a packet that has passed through a particular object module.

The encapsulated, processed packet then flows along the policy object modules configured according to the administrator's intent, as in FIG. 3. Each policy object module (5) produces a result, and depending on that result the packet flows to a different object module, so a different security policy can be assigned to each packet.

A processed packet arriving via a policy object module (5) has the action performed on it if a designated action object module exists. After all object modules have been traversed, only the packets that are to be passed are restored to their shape before processing.

Through this, the firewall can become an active system rather than one that merely controls traffic.

Next, the process by which the administrator configures the security policy with object modules: the administrator states the security policy to be configured in a form such as 'For packets from 192.168.3.2, inspect the data for problems' or 'Packets from 129.37.34.4 to 211.155.32.3 are trusted, so simply pass them.' On this basis, using the table in FIG. 4, the administrator configures and defines the object modules by systematically organizing the time the packet entered the firewall computer, the source address, the destination address, the service the packet corresponds to, the action to be performed, and the results of the object modules, and then sets up the object modules by working out the flow between policy object modules (5) and action object modules (6). In this way the administrator can express the desired security policy as intended.

As described above, the present invention builds the security policy by using object modules and defining the relationships between them, so the administrator can express the desired security policy in detail and as intended, and by using action object modules can respond quickly and proactively to particular situations.
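The packet flow described above (encapsulate and tag, route by each policy object module's result, fire action object modules, restore only passing packets) and the FIG. 4 configuration table, as an added example written for this page; it is not the patent's own implementation. It encodes the two example policies quoted in the description; the module names, the integrity and service checks, the addresses other than the two in the text, and the sample packets are constructed assumptions.

```python
# Added example (not the patent's own code): a packet is wrapped in a capsule
# carrying a tag, routed through policy object modules by each module's result,
# action object modules fire on tag entries, and only passing packets are unwrapped.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    arrived_at: str   # FIG. 4 columns: entry time, source, destination, service
    src: str
    dst: str
    service: str
    payload: bytes

@dataclass
class Capsule:
    """FIG. 2: the packet plus a tag listing each 'module=result' it passed."""
    packet: Packet
    tag: List[str] = field(default_factory=list)

@dataclass
class PolicyModule:
    """Policy object module (5). A result mapped to None means 'pass';
    a result with no mapping drops the packet."""
    name: str
    evaluate: Callable[[Packet], str]
    next_by_result: Dict[str, Optional[str]]

@dataclass
class ActionModule:
    """Action object module (6): fires when the tag gains the entry `trigger`."""
    name: str
    trigger: str
    act: Callable[[Capsule], None]

@dataclass
class Decision:
    passed: bool
    tag: List[str]
    actions_fired: List[str]
    released: Optional[Packet]   # decapsulated packet, only when passed

class ObjectModuleFirewall:
    def __init__(self, entry: str, policies: List[PolicyModule],
                 actions: List[ActionModule]):
        self.entry = entry
        self.policies = {p.name: p for p in policies}
        self.actions = actions

    def process(self, packet: Packet) -> Decision:
        cap = Capsule(packet)                    # encapsulate: empty tag
        fired: List[str] = []
        current: Optional[str] = self.entry
        while current is not None:
            module = self.policies[current]
            result = module.evaluate(packet)
            cap.tag.append(f"{module.name}={result}")
            for action in self.actions:          # actions react to the tag
                if action.trigger == cap.tag[-1]:
                    action.act(cap)
                    fired.append(action.name)
            if result not in module.next_by_result:
                return Decision(False, cap.tag, fired, None)   # drop
            current = module.next_by_result[result]
        return Decision(True, cap.tag, fired, cap.packet)  # pass: strip capsule

def build_firewall() -> Tuple[ObjectModuleFirewall, List[str]]:
    """The two policies quoted in the description plus a constructed service
    check; returns the firewall and the audit log its action module writes."""
    audit: List[str] = []

    def source_check(p: Packet) -> str:
        if p.src == "192.168.3.2":
            return "inspect"       # 'inspect the data for problems'
        if p.src == "129.37.34.4" and p.dst == "211.155.32.3":
            return "trusted"       # 'trusted, so simply pass'
        return "default"

    def integrity(p: Packet) -> str:   # constructed integrity rule
        return "bad" if b"\x00" in p.payload or len(p.payload) > 1500 else "ok"

    def service(p: Packet) -> str:     # constructed service whitelist
        return "allowed" if p.service in ("http", "smtp") else "denied"

    policies = [
        PolicyModule("source", source_check,
                     {"inspect": "integrity", "trusted": None, "default": "service"}),
        PolicyModule("integrity", integrity, {"ok": "service"}),    # 'bad' drops
        PolicyModule("service", service, {"allowed": None}),        # 'denied' drops
    ]
    actions = [ActionModule("alert_on_bad_data", "integrity=bad", lambda c: audit.append(
        f"{c.packet.arrived_at} {c.packet.src}->{c.packet.dst} "
        f"{c.packet.service} tag={'/'.join(c.tag)}"))]
    return ObjectModuleFirewall("source", policies, actions), audit

if __name__ == "__main__":
    fw, audit = build_firewall()
    for p in [Packet("10:00:01", "129.37.34.4", "211.155.32.3", "ftp", b"x"),
              Packet("10:00:02", "192.168.3.2", "10.0.0.5", "http", b"GET /\x00"),
              Packet("10:00:03", "8.8.8.8", "10.0.0.5", "telnet", b"x")]:
        d = fw.process(p)
        print("PASS" if d.passed else "DROP", p.src, d.tag, d.actions_fired)
    print("audit:", audit)
```

Each `Decision` is one row of the FIG. 4 table: the packet's entry time, addresses and service are in the `Packet`, the module results are in the tag, and the actions performed are listed separately. Note that the trusted source/destination pair bypasses the service check entirely because its result routes straight to 'pass', which is exactly the per-packet policy difference the description claims; a defender reviewing such a graph should look for these bypass edges first, since a spoofed source address would take the same path.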

Claims (2)

1. In a computer firewall, a network security method in which object modules are used, a different security policy is applied to each packet according to the results of the object modules, and the packet is further linked to an action.

2. The method of claim 1, wherein the configuration and definition of an object module is a structure consisting of the time the packet entered the firewall computer, the source address, the destination address, the service the packet corresponds to, the action to be performed, and the results of object module execution.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020020000953A KR20030060306A (en) 2002-01-08 2002-01-08 Using object module, active customized firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020020000953A KR20030060306A (en) 2002-01-08 2002-01-08 Using object module, active customized firewall

Publications (1)

Publication Number Publication Date
KR20030060306A true KR20030060306A (en) 2003-07-16

Family

ID=32217288

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020020000953A KR20030060306A (en) 2002-01-08 2002-01-08 Using object module, active customized firewall

Country Status (1)

Country Link
KR (1) KR20030060306A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR200451770Y1 (en) * 2008-07-28 2011-01-12 한국철도공사 Hydraulic jack for repairing railroad

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1995005044A1 (en) * 1993-08-09 1995-02-16 Grand Junction Networks, Inc. Improved packet filtering for data networks
WO1997000471A2 (en) * 1993-12-15 1997-01-03 Check Point Software Technologies Ltd. A system for securing the flow of and selectively modifying packets in a computer network
KR19990038044A (en) * 1997-11-03 1999-06-05 정선종 How to Manage Security Information for Distributed Object System Resources
WO1999044115A2 (en) * 1998-02-26 1999-09-02 Sun Microsystems, Inc. Per-method designation of security requirements
KR20020075601A (en) * 2001-03-26 2002-10-05 주식회사데이콤 Linux System and Operating Method of the Linux System having improved access control function

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application
E601 Decision to refuse application