KR20040022709A - Network system for network security service and quality of service - Google Patents

Abstract

PURPOSE: A network system for simultaneously providing a network security service and a QoS(Quality of Service) service is provided to enhance the utilization of network security resources by dividing the network security resources into SFEs(Security Function Entities), distributing and installing the SFEs in network nodes, and centralizing and managing the SFEs. CONSTITUTION: One or more network nodes(11) have a security function block(111) having one or more SFEs(111a). The network nodes(11) have QoS resources. A path control server(10) connects to the network nodes(11), and stores and corrects security resource states and QoS resource states of the network nodes(11). The path control server(10) calculates a path suitable for the QoS and security request item of a client by the security resource states and the QoS resource states according to the connection request of the client.

Description

Network system that provides network security service and service service at the same time {NETWORK SYSTEM FOR NETWORK SECURITY SERVICE AND QUALITY OF SERVICE}

The present invention relates to a network system that provides a network security service simultaneously with a quality of service (QoS) service to a customer in an Internet service provider (ISP) network. It is divided into network nodes in small units called Security Function Entity (SFE), distributed centrally, and centrally manages the Security Function entity to increase the utilization of security resources, and guarantee the QoS of the Security Function entity. The present invention relates to a network system capable of simultaneously providing a QoS service and a security service by allocating in association with a resource.

Various types of data are transmitted between hosts connected to the network, and in particular, certain types of data transmissions require a certain quality of service (QoS) from the network. Such QoS may be defined by bandwidth, transmission delay, or memory or buffer capacity required for data transmission. For example, real-time transmission of multimedia information requires QoS such as high bandwidth and minimal latency on the network.

The network structure and network node structure for implementing such QoS service in the internet service provider network have been actively studied. As a prior patent relating to such QoS, "Quality of service management for source routing multimedia packet networks" is published in US Patent No. 5461611, and "Policy based quality of service" is published in US Patent No. 6104700. In particular, research is being actively conducted on the QoS path control server to establish a connection suitable for the customer's QoS requirements (Ref .: G. Apostolopoulos et al., "Server Based QoS Routing", Global Telecommunication Conference 1999 (pp762-768) and R. Yavatkar et al., "A Framework for Policy-based Admission Control", IETF RFC 2753, Informational, 2000. 1). The QoS path control server aims to accommodate as many connection requests as possible by using the resources of the service provider network as efficiently as possible.

Meanwhile, network security services have been provided by security specialists to corporate networks using security products such as IDS, Firewall, and Anti-virus (Ref .: "Domestic and Overseas Security Control Service Status", Information Security 21c, December 2000). However, the network security of the enterprise network unit has disadvantages such as waste of resources due to redundant equipment installation, neglect of harmful traffic through the public network, and unclear responsibility for security accidents. Accordingly, security is needed at the global network level, not at the corporate network level. Security at the global network level can enable early blocking of harmful traffic, maximum use of equipment, and early detection of security incidents. As an early research for global network security, there is increasing interest in network security service technology of the Internet service provider (ISP) who owns the delivery network. (Reference: Seong Jae Mo, "Internet Worm Countermeasures in ISP- CodeRed Worm Response Cases ", 5th CERTs Consortium Workshop)

However, the technology that provides network security service to each customer network in ISP network is mainly installed by installing network security equipment such as IDS or firewall in gateway between customer network and Internet service provider (ISP) network. This approach has the limitation that each network security device is used only for a given customer network. Due to these limitations, there is a problem in that the utilization of network security equipment, that is, resources for network security falls.

The present invention has been made to solve the above problems, the network system according to the present invention can be used not only for a certain number of customers for the network security resources, but also for a number of different customers to utilize the network security equipment, that is, An object of the present invention is to provide a network system that can increase the utilization and efficiency of resources for network security.

In addition, the network system according to the present invention, the network security resources distributed to the Internet service provider network by allowing the Internet service provider to simultaneously provide network security service and QoS service for the traffic of the customer passing through its own network. It is an object of the present invention to provide a network system capable of efficiently managing and utilizing QoS and QoS resources.

1 is a block diagram illustrating a network system according to the present invention.

2 is a diagram illustrating an example of an Internet service provider (ISP) network and a customer network.

3A is an exemplary diagram illustrating one of the shortest paths between two customers in FIG. 2.

3B is an exemplary diagram illustrating another one of the shortest paths between the two customers in FIG. 2.

4 is a flow chart showing the operation of the network system according to the present invention.

* Description of the symbols for the main parts of the drawings *

10: path control server 101: path calculator

102: security resource information base 103: QoS resource information base

104: secure resource manager 105: QoS resource information manager

106: information modification agent 107: resource reservation agent

11, N1-N7: network node 111: security function block

111a: Security Function Entity (SFE) 20: Internet Service Provider (ISP) Network

As a technical means for achieving the above object of the present invention, the present invention, in the network system for providing a network security service and QoS services at the same time in an Internet service provider (ISP) network,

At least one network node comprising a security function block having at least one Security Function Entity (SFE) as a security resource, and a QoS resource; And a path control server that is connected to the network node, stores and modifies the security resource state and the QoS resource state in the network node, and calculates and provides a path suitable for the customer's QoS and security requirements when the customer requests a connection. It provides a network system comprising a.

Hereinafter, with reference to the accompanying drawings will be described in detail the configuration of the network system according to the present invention.

1 is a block diagram of a network system according to the present invention. Referring to FIG. 1, a network system according to the present invention includes at least one network node 11 and the network node 11 constituting an Internet Service Provider (ISP) network. It is composed of a path control server 10 connected to. The network node 11 includes a security function block 111 including at least one Security Function Entity (SFE) 111a and a QoS resource. The network node 11 may be a router or a switch.

The network node 11 has QoS resources such as bandwidth of adjacent links, transmission delay, or memory or buffer capacity required for data transmission. In addition, the security function entity 111a included in the security function block 111 of each network node 11 is a resource for network security and enables network security services through the network node 11. As traffic passing through the service provider network passes through several types of security function entities 111a in the course of passing through each network node, a customer using the Internet service provider network can receive a desired level of network security service.

Hereinafter, the security function entity 111a will be described in more detail, for example. There are three types of security service grades provided by Internet service providers, such as Grade A, Grade B, and Grade C. The types of security function entities 111a include anomaly detectors (ADs) and misuse detectors. If there are four types of (Misuse Detector, MD), Packet Dropper (PD), and Anti-virus Checker (AV), each of the four security levels is as shown in Table 1 below. Can be satisfied by a functional entity.

Rating Required Security Function Entities Grade a AD, MD, PD, AV Grade b AD, MD Grade c PD

In other words, if a customer of an Internet service provider requests a security service of Grade A, the traffic can receive the security service by passing through a network node containing AD, MD, PD, and AV security function entities on the path. If you require a Grade B security service, the traffic can receive that security service by passing through a network node that contains the AD and MD security function entities on the path. The security service can be obtained by passing through the network node containing the PD's security function entity. A description of the determination of the path of the above traffic will be described later in more detail.

The path control server 10 constituting the network system according to the present invention together with the network node described above includes a security resource information base 102 for storing state information of the security function block 111 of the network node; A security resource manager 104 for managing the resource information base 102, a QoS resource information base 103 for storing QoS resource status information of the network node, and a QoS resource for managing the QoS resource information base 103. A resource information modification agent 106 for receiving status information of a network node from the manager 105, the network node 11, and updating the security resource information base and the QoS resource information base; and the network node 11; Resource reservation agent 107 for reserving resources of the resource and the secure resource manager and the QoS resource manager receives the information to calculate the path suitable for the customer's QoS and security requirements Includes a path calculator 101.

The state information of the security function block 111 stored in the security resource information base 102 refers to the information of the security function entities of all network nodes connected to the path control server 10, and the information of the security function entity. Is the name of the security function entity, the network node to which the security function entity belongs, the type according to the function of the security function entity described above, the maximum capacity (limit capacity) of the security function entity, and the capacity currently used for the security function entity. And usable capacity among the maximum capacity of the security function entity. Information of such a security function entity is stored in the secure resource information database 102. Table 2 below is an example of the security resource information base 102, the security resource information base 102 that stores the information of the security function entities included in each network node in the Internet service provider network configured as shown in FIG. An example is shown.

Name of the SFE Member of network node Kinds Maximum (limit) capacity Current usage Usable capacity N1.E1 N1 AD 2 Mbps 1 Mbps 1 Mbps N1.E2 N1 MD 5 Mbps 1 Mbps 4 Mbps N2.E3 N2 PD 10 Mbps 3 Mbps 7 Mbps N3.E4 N3 PD 5 Mbps 4.5 Mbps 0.5 Mbps N4.E5 N4 MD 6 Mbps 0 Mbps 6 Mbps N5.E6 N5 AV 5 Mbps 4.5 Mbps 0.5 Mbps N6.E7 N6 AV 6 Mbps 0 Mbps 6 Mbps N7.E8 N7 PD 7 Mbps 6 Mbps 1 Mbps

As shown in Table 2, the security resource information base includes a security function entity named N1.E1 in a network node named N1. The type of security function is an abnormal behavior detector (AD) as a maximum (limit) capacity. Is 2 Mbps and currently 1 Mbps is in use, so the available capacity is 1 Mbps, and the security function entity named N1.E2 is included in the network node named N1. Since the capacity is 5 Mbps and 1 Mbps is in use, the available capacity is 4 Mbps. The security function entity named N2.E3 is included in the network node named N2. The type of security function is maximum as a packet blocker (PD). (Limit) The capacity is 10Mbps, and 3Mbps is in use, so the available capacity is 7Mbps now, and the security function named N3.E4 Titi is included in the network node called N3. The type of security function is packet blocker (PD). The maximum (limit) capacity is 5Mbps and 4.5Mbps is in use, so the available capacity is 0.5Mbps, and N4.E5 The security function entity of the name is included in the network node named N4. The security function is a misuse detector (MD) with a maximum (limit) capacity of 6 Mbps and 0 Mbps currently in use. The available capacity is 6 Mbps, and N5. The security function entity named E6 is included in the network node N5. The type of security function is a virus detector (AV) with a maximum (limit) capacity of 5 Mbps and 4.5 Mbps currently in use. The security function entity named N6.E7 is included in the network node named N6. The type of security function is virus detection. As AV, the maximum capacity is 6Mbps and 0Mbps is in use, so the available capacity is 6Mbps.The security function entity named N7.E8 is included in N7 network node. As a packet blocker (PD), the maximum (limit) capacity is 7Mbps and currently 6Mbps is in use, so the available capacity currently available is 1Mbps and stores information on each security function entity.

As described above, the state information of the security function block of the network node, that is, the information about the security function entity, stored in the security resource information base 102 is managed by the security resource manager 104. The security resource manager 104 modifies the security resource information base 102 if there is a change in the information on the security function entity, and the path calculator 101 is required to calculate a path suitable for the security requirements of the customer. It serves to provide information on the security function entity to the path calculator 101.

The QoS resource information base 103 stores QoS resource state information such as bandwidth, transmission delay, or memory or buffer capacity required for data transmission, of each adjacent network node 11, and the QoS resource manager. 105 serves to provide the path calculator 101 with the QoS resource status information necessary for modifying the QoS resource status information stored in the QoS resource information base 103 and calculating a path suitable for the QoS request of the customer. .

The path calculator 101 calculates a path that satisfies the customer's QoS requirements and security requirements, which are requested together with the customer's connection request. Referring to FIG. 2, when the connection from the customer A 21 connected to the Internet service provider network 20 to the customer B 22 is requested, the route calculator 101 uses the secure resource manager 104. Through the QoS resource manager 105, the information about the security function entity stored in the security resource information base 102 is identified, and the QoS stored in the QoS resource information base 103 stored in the QoS resource information base 103 through the QoS resource manager 105. By grasping the state information, the customer determines the path that satisfies the QoS requirements and security requirements that are required together with the connection request.

The resource reservation agent 107 reserves a portion of the available capacity of the security function entity included in the network node forming the route according to the route determined by the route calculator 101 as much as the security requirements of the customer. It reserves the node's QoS resources according to customer's request. In addition, the resource information modification agent 106 monitors the change of the resource state to keep the security resource information base 102 and the QoS resource information base 103 up-to-date, and if there is a change, the security resource manager 104. And transmitting the change to the QoS resource manager 105 to modify the security resource information base 102 and the QoS resource information base 103, respectively. The resource information modifying agent 106 monitors the change of the resource state, and each time the resource reservation agent 107 reserves a resource, the resource information modifying agent 106 changes the resource state according to the reservation. In another method, the information modification agent 106 sends a message requesting a change in resource status to all network nodes 11 managed by the path control server 10 at regular intervals. There is a way to get the answer.

Hereinafter, the operation of the network system according to the present invention configured as described above will be described as a preferred embodiment with reference to Figs.

First, in the operation of the network system of the present invention, the first step (S41, S42) is a path calculator 101 of the path control server 10 when a connection request of a customer including QoS requirements and security requirements occurs. Computing a path that satisfies the QoS requirements and security requirements.

For example, in the network configured as shown in FIG. 2, the connection from the customer A 21 to the customer B 22 is requested, but as the security requirements, Grade A of Table 1 is required as a security requirement, and a bandwidth of 1 Mbps as a QoS requirement. If this is required, the path calculator 101 is configured with an abnormal behavior detector AD, a misuse detector MD, a packet blocker PD, on the path from the customer A 21 to the customer B 22; The path must be calculated to include a network node including a security function entity having the function of a virus detector (AV), and a path must be calculated to secure 1 Mbps for each security function entity.

In this case, the path from the customer A 21 to the customer B 22 may include a path through N1-N3-N5-N7 as shown in FIG. 3A and a path through N1-N3-N6-N7 as shown in FIG. 3B. . In the network configured as shown in FIG. 2, if the security resource information database 102 of the route server 10 stores the information as shown in Table 2, the AD, MD, and PD may be secured by 1Mbps in the path shown in FIG. The AV fails to secure 1 Mbps of AV by securing only 0.5 Mbps in N5. Thus, the path according to FIG. 3A does not meet the requirements of the customer. Meanwhile, in the path shown in FIG. 3B, AD, MD, PD, and AD can be secured by 1 Mbps while passing through each network node, thereby satisfying customer requirements. That is, the path calculator 101 stores the information on the type and available capacity of the security function entity existing in each network node on the possible path stored in the security resource information database 102 as described above. Calculate the path suitable for the customer's requirements by inputting through, and select the path suitable for the customer's requirements as shown in Figure 3b.

The second step (S43, S44, S46) is the QoS resource and security of the network node on the path determined by the resource reservation agent 107 in the first step after the path suitable for the customer's requirements is determined in the first step. The function entity 111a is reserved, and if it fails to calculate a path that satisfies the requirements of the customer, a failure processing is performed and the failure processing result is transmitted to the network manager. In other words, when the path competing with the requirements of the customer in the first step is determined as the path shown in FIG. 3B, QoS resources are reserved for each network node N1, N3, N6, N7 and the security function entity 111a. Reserves 1 Mbps of available capacity. If there is no path that satisfies the requirements of the customer, the path decision failure process is performed and the information on the failure process is transmitted to the network manager.

Next, in the third step S45, when the path determination is successful in the third step and the resource reservation agent 107 reserves the QoS resources of the corresponding network node and reserves the security function entity, the changed QoS resource information and the The information on the security function entity is recognized by the information modification agent 106 to modify the security resource information base 102 through the security resource manager 104 and to modify the QoS resource information manager 103 through the QoS resource manager 105. do. The resource reservation agent 107 reserves the security function entity of the corresponding network node through the path shown in FIG. 3B, and the modified resource is modified to reflect the change. That is, the security resource information database, which stores the contents as shown in Table 2 before the connection request of the customer, determines the path according to the requirements of the customer and reserves the resources according to the determined path. The modification is saved.

Name of the SFE Member of network node Kinds Maximum (limit) capacity Current usage Usable capacity N1.E1 N1 AD 2 Mbps 2 Mbps 0 Mbps N1.E2 N1 MD 5 Mbps 2 Mbps 3 Mbps N2.E3 N2 PD 10 Mbps 3 Mbps 7 Mbps N3.E4 N3 PD 5 Mbps 4.5 Mbps 0.5 Mbps N4.E5 N4 MD 6 Mbps 0 Mbps 6 Mbps N5.E6 N5 AV 5 Mbps 4.5 Mbps 0.5 Mbps N6.E7 N6 AV 6 Mbps 1 Mbps 5 Mbps N7.E8 N7 PD 7 Mbps 7 Mbps 0 Mbps

In Table 3, a security function entity named N1.E1, N1.E2, N6.E7, N7.E8 has a 1 Mbps increase in capacity due to a 1 Mbps reservation of the resource reservation agent 107. It can be seen that the available capacity is reduced by 1 Mbps.

In the manner as described above, the network system according to the present invention may simultaneously provide a security service and a QoS service to a customer in the course of passing through an internet service provider network.

According to the present invention as described above, the network system according to the present invention can use the network security equipment, that is, the network security resources, so that the specific network security resources can be utilized for a plurality of various customers, rather than only for a predetermined number of customers. There is an excellent effect of increasing the utilization and efficiency of the.

In addition, the network system according to the present invention, the network security resources distributed in the Internet service provider network by allowing the Internet service provider to simultaneously provide network security services and QoS services for the traffic of customers passing through their network. And there is an excellent effect to efficiently manage and utilize QoS resources.

The above description is only a description of specific embodiments of the present invention, and the present invention is not limited to these specific embodiments, and various changes and modifications of the configuration are possible from the above-described specific embodiments of the present invention. It will be apparent to those skilled in the art to which the present invention pertains.

Claims (9)

In an Internet service provider (ISP) network, a network system that provides network security services and QoS services simultaneously, A security function block 111 having at least one Security Function Entity (SFE) 111a as a security resource, and at least one network node 11 including a QoS resource; And It is connected to the network node 11, stores and modifies the security resource state and QoS resource state in the network node 11, and the QoS of the customer by using the security resource state and QoS resource state in accordance with the customer's connection request And a path control server (10) for calculating and providing a path suitable for security requirements. The method of claim 1, wherein the security function entity (111a) is A network system that simultaneously provides a network security service and a service service, which is one of a misuse detector, an anomaly detector, a packet dropper, and an anti-virus checker. The method according to claim 1 or 2, wherein the security function entity (111a) is A network system for providing a network security service corresponding to each security function entity for traffic passing through the network node (11) to which each security function entity (111a) belongs. The method according to claim 1 or 2, The security function entity (111a) has a limited capacity, characterized in that the network system. The method of claim 1, wherein the path control server 10 A security resource information base 102 for storing state information of the security function block 111 of the network node; A secure resource manager 104 for modifying and outputting the secure resource information base 102; A QoS resource information base 103 for storing QoS resource status information of the network node; A QoS resource manager 105 for modifying and outputting the QoS resource information base 103; Receives the information stored in the secure resource information base 102 and the QoS resource information base 103 outputted through the secure resource manager 104 and the QoS resource manager 105 to receive the customer's QoS and security requirements. A path calculator 101 for calculating paths between suitable network nodes; A resource reservation agent (107) for reserving security resources and QoS resources of a network node included in the path calculated by the path calculator (101); And Receives state information of the network node from the network node 11 or the resource reservation agent 107, and transmits the state information to the secure resource manager 104 and the QoS resource information manager 105 to transmit the secure resource information. And a resource information modification agent (106) for modifying the base and the QoS resource information base. The method of claim 5, wherein the security resource information base 102 Information including the name of the security function entity 111a included in the security function block 111 of the network node connected to the path control server 10, the belonging network node, the function, the maximum capacity, the current capacity and the available capacity are stored. Network system characterized in that the. The resource reservation agent 107 of claim 5, wherein And a portion of the available capacity of the security function entity in the network node included in the route calculated and formed by the route calculator (101). The method of claim 7, wherein the resource reservation agent 107 is A network system for notifying the resource information modification agent of a reservation change whenever a part of available capacity of a security function entity is reserved. 6. The resource information modifying agent (106) of claim 5, wherein The network system, characterized in that for sending a message for requesting a change in resource status to all network nodes (11) connected to the path control server (10) at regular intervals.