KR20040032461A - Positive contact list firewall and the operating method - Google Patents

Abstract

PURPOSE: A firewall system restricting a connection and an operating method thereof are provided to safely offer Internet education with good quality to a child or a student by basically blocking up that the students connect to a harmful Internet site while receiving the education through the Internet. CONSTITUTION: A storing medium such as a memory or a subsidiary storage stores the fixed connection list information. A list information analysis engine analyzes a packet entered through the Internet by three or more steps of an OSI(Open Systems Interconnection) layer. If the packet is agreed with the list information stored in the storing medium, the list information analysis engine passes the packet. If not, the list information analysis engine interrupts the packet.

Description

Designated connection firewall system and its operation method {POSITIVE CONTACT LIST FIREWALL AND THE OPERATING METHOD}

Until now, the firewall has been formed with the concept of a firewall (hereinafter referred to as a "blocking firewall") in which all the concepts of a firewall limit a connection to be blocked. It defines the concept of harmful site that should be blocked and creates an engine to search for it, and normally searches up to 3rd or 4th stage of OSI for packets containing information coming from the Internet. Blocking method is adopted.

This type of firewall has been recognized for its value in that it provides users with a relatively free Internet environment while restricting users from harmful sites. However, as the technology of handling computers has improved throughout the society, these types of firewalls are not too difficult to be famous by various evasion methods. For example, any site can be accessed by connecting to a website using an IP address. In particular, these methods are fundamentally difficult to fully function as a firewall that basically blocks all malicious sites by analyzing incoming packets that contain only the level of OSI Layer 3 to filter out harmful sites. There are aspects, and if a few can access harmful sites, the effectiveness of the firewall can be easily found, as most malicious sites have similar links with similar sites. There were many cases.

Therefore, this is due to the inherent imperfections of the connection blocking firewall. It is not easy to compensate for this.

Let's look at this more specifically.

First of all, it is possible to consider extending the scope of the blocking-type firewall system to words or sites with a low possibility of harmfulness by reducing the possibility of access to harmful sites. However, in this case, the normal Internet use is also proportionally disturbed, so there is an undesirable aspect, there is a limit in the application, and the speed of the Internet decreases.

Next, what can be thought of as a way to reduce the accessibility of harmful sites is to block the access to harmful sites by searching the contents of the site by raising the level of the packet to 4 levels of OSI. However, this method is also limited in its application because it will greatly slow down the search and site access speeds and significantly reduce the utility value of the Internet.

Therefore, most teachers and parents do not consider students to learn through the Internet because of the possibility of accessing harmful environments even though computers with firewalls are installed. It is difficult to resist all the temptations from harmful sites because of the will.

When the elementary, middle and high school students are educated via the Internet, the school blocks the access to harmful sites on the Internet while the students are studying. It was developed to do that.

In addition, even in the case of a company, if the number of sites to be accessed is relatively small, the application of the designated designated firewall of the present invention can greatly improve the concentration of work.

Through this environment, the Internet business that targets students can block students' access to the site at the source, so that they can concentrate only on learning, and provide parents and teachers to children or students in the Internet learning system with confidence. You can do it.

1 is a block diagram of a designated designated firewall.

2 is a method for constructing fire prevention list information of the prior art;

3 is a method of constructing connection designation list information according to the present invention;

Figure 4 is a method for determining the harmful site judgment engine of the prior art.

5 is a method for determining a connected site determination engine of the present invention.

6 is a user interface.

7 shows four operating environments of the designated designated firewall.

1. Composition of the present invention

Unlike the conventional method, the present invention introduces a connection-specified constant firewall method. The designated firewall is a method that selects only the sites that require access and allows the access to only those sites, and configures the firewall to prohibit access from other sites. "Variable type" is again "manual variable" and "automatic variable", and there is a mixture of manual and automatic methods.

As a medium for storing the contents of the connection designation list, a storage medium such as a memory (ROM, EPROM, etc.) or an auxiliary storage device (diskette, CD, hard disk) can be used. Depending on the storage medium, the stored contents are only allowed to be read and not allowed to be written. The medium can be used for fixed type, in which case the list cannot be changed without exchanging the storage medium. On the other hand, storage media that allow both reading and writing are used in the case of variable type.

The manual variable method is a method of manually setting a range of sites to allow and manually changing a list according to a storage medium.

Automatic variable transformations allow you to search for packets and set the categories to allow automatically. First, there is a method of setting a list of sites that are automatically allowed through a means such as a device or software that determines whether a site to be accessed meets the condition. In practice, however, two or more methods may be used in combination depending on the situation, rather than using any one of the above methods. For example, the list of IP addresses that are allowed to access is divided into parts containing fixed IP addresses and parts that can be easily changed, so that the parts that can be changed can be added or deleted according to specific circumstances. You may be able to add some flexibility to list construction. The variable list may be manually enabled or may be automatically set by software having a specific destination site identification function. This concept is distinguished from the method of filtering a site by a blocked access firewall in a conventional firewall. More specifically

For example, a dedicated computer for special sites to supplement elementary, middle, and high school students may use a read-only storage medium that can block access to harmful sites to help students concentrate on their studies. In some cases, a firewall that cannot be changed without exchanging the storage media (hereinafter referred to as a “fixed access firewall”) is more desirable, and a storage medium that can be read and written is appropriately set up so that changes can be made if necessary. A firewall (hereinafter referred to as a "variable connection designated firewall") may be desirable in some cases.

2. Working principle

The basic principle is that only clients can access the site. Conventionally, a method of pre-defining or creating a list containing specific contents to be blocked by a firewall is made, and blocking the sites including the contents of the list, whereas in the present invention, the list of sites to be connected to is predefined or listed. Only sites that are in or match the defined content are allowed to pass and other sites are blocked. In this case, there is no problem in using a storage medium capable of accessing only the target site address, whether it is a fixed type, a manual variable type, or an automatic variable type. In addition, a method of defining a desired site and automatically accessing it through packet search can be technically implemented by the following method. In short, it analyzes the packet based on the definition of the site to be accessed and allows access if it matches the definition. In addition, the IP address conforming to the definition may be automatically registered or re-checked by a re-checking program and registered on the IP address list which is allowed to access.

If the list of information is described in more detail, the list structure analyzes packets input from the outside to identify IP names, IP addresses, service types through port numbers, and actual data. If it is determined that the site can be accessed by checking the list can be automatically configured by adding to the list. Therefore, in this case, the list is initially null, and sites that may be gradually accessed may be added to the list one by one. Therefore, the list construction method is new from the existing method. That is, in the existing method, the list is predefined or manually added / deleted, but the present method analyzes the packet to determine whether it is a harmful site and automatically constructs the list. In addition, the contents of the list have harmful site information while the existing method has harmful site information.

The control flow is divided into two stages. Step 1 is similar to the existing method at the OSI Layer 3 level, but since the contents of the information list are different, the existing method determines whether it belongs to a harmful site and the method checks whether it belongs to an accessible site. The second step is to check whether the site can be accessed with service type at OSI Layer 4 level and actual data information at OSI Layer 7 level. Update the list.

The present invention focused on the ability to completely block harmful sites. Therefore, in an environment where a large amount of processing per second is required in a large-scale LAN environment, only one step may be used instead of using the part checked in the second step. In addition, the list in the auxiliary storage device can be located in the main storage device to shorten the access time for improving the processing speed, and the package of the present invention can be stored in a personal computer (PC) or a network device (NIC, modem, etc.) or network. By using equipment (switch, router, modem, IP router, etc.) built-in, the desired purpose can be achieved.

3. Implementation method

An active firewall can be implemented in software, hardware, or software and hardware. As shown in Fig. 1, the component of the designated designated firewall is a harmful site that analyzes packets up to OSI Layer 3/4 level or, in some cases, OSI Layer 7 level to determine the harmful site. It consists of a decision engine, a progressively organized list of information with information from the engine, and a user interface to maintain an active firewall. Here, the harmful site determination engine can be configured by hardware or software.

In the method of constructing the information list, as shown in FIG. 2, the existing method is composed of related information, that is, blocking information, on a harmful site, whereas in the present invention, the information list is composed of information on accessible sites.

The harmful site determination engine uses the IP name / address information of the packet source at the OSI Layer 3 level when the packet comes in as shown in FIG. Check if it exists and accept the packet if it exists. In another case, if it does not exist in the list, it is determined in step 2 whether it is a harmful site through service type at the OSI Layer 4 level, which is the detailed information of the packet, and actual data information at the OSI Layer 7 level. If the malicious site is checked, the packet is blocked. If the malicious site is not, the IP address / address of the packet may be registered in the list and the packet may be received. Here, if it is necessary to make a more accurate decision when checking whether the harmful site is based on the packet details, it can be used if there is information about the harmful site in advance. In addition, if the list does not need to be supplemented, step 2 of analyzing the detailed information of the packet may be skipped. Therefore, the conventional control flow blocks only if the IP name of the packet exists in the predefined list at the OSI Layer 3 level, but the present method does not allow the IP name of the packet. If it exists in the list, it is accepted. In the case of automatic variable access designated firewall, if it does not exist, it analyzes the packet details at OSI Layer 4 and OSI Layer 7 level to determine whether it is a harmful site and decide whether to connect and update the list automatically. .

The user interface is composed of a GUI part, an information list management part, and a harmful site determination engine management part as shown in FIG. The GUI part uses a Java applet or graphics to make a browser for managing information lists and harmful site determination engines for easy and convenient use by users. This allows the user to manually configure or change the information list and to set up start, end, and policy decisions (1st, 2nd, or both) for the malicious site determination engine.

4. Operating Environment

The operation environment of the designated designated firewall can be divided into four as shown in FIG. Firstly, it is installed directly in the personal computer (PC) equipment. In this case, the firewall system is composed of software. Second, it is embedded in network devices such as NICs and modems in personal computers. The third is to embed it in network equipment such as switches, routers, and IP routers. Lastly, it is composed of independent hardware and located at the front end of the personal computer (PC). Here, the scope of the firewall is limited to all equipment in the personal computer (PC) or home only according to the designated location of the installation firewall. First, in the case of software, it is necessary to directly install a personal computer (PC), an IP (IP) router, a switch, etc., to install an active firewall. If only the personal computer (PC) wants to be protected from an external harmful site, it can be installed on the personal computer (PC). If you want to extend the range of your firewall, you can install it on an IP router or switch rather than on a personal computer (PC), so that all devices connected to these paths are protected from harmful sites.

The primary purpose of the application environment of designated designated firewall is to block harmful sites from students in the environment that connects to educational system in small environment such as home or reading room. Therefore, this approach focuses on protecting students from harmful sites more securely rather than on processing power. Traditionally, firewalls mainly focus on processing power and availability per second in large Internet environments with hundreds to thousands of personal computers (PCs) such as corporations, governments, and research institutes. In this method, the OSI Layer 7 or OSI Layer 4 level as well as OSI Layer 3 or OSI Layer 4 level are focused on stability. By analyzing the packet information, the firewall can be actively executed.

In the case of internet learning and education projects for students, students can block the access to harmful sites so that users can concentrate on learning only, and parents and teachers can be provided to their children or students on the Internet learning system with confidence. You can do it.

Claims (5)

In order to prevent learners from accessing sites that are not related to learning, such as harmful sites, when learners learn through Internet learning means and education means through internet access means such as computers, A storage medium such as a memory or auxiliary storage device in which connection designation list information is stored; A list information analysis engine that analyzes packets received through the Internet in three or more steps of the OSI layer, and passes them if they match the list information recorded on the storage medium, and blocks the others. A designated firewall system installed on or in the line of Internet access. The storage medium of claim 1, wherein the storage medium is a storage medium capable of reading and writing; A variable access designated firewall system that includes a list information analysis engine with the ability to analyze the packet at least four levels of the OSI layer to determine whether it is suitable as a designated site, and to add the site information to the list information. . The designated designated firewall system according to any one of claims 1 and 2, installed directly in an Internet connection means such as a computer in the form of software or a hardware device, or installed in a network device in the Internet connection means. The designated designated firewall system according to any one of claims 1 and 2, which is installed directly in the front end of the Internet access means such as a computer in the form of software or hardware device, or installed in a network device located in the front end of the Internet access means. . In order to prevent learners from accessing sites that are not related to learning, such as harmful sites, when learners learn through Internet learning means and education means through internet access means such as computers, The packet entering the designated firewall system connected to the connection; Analyzing the packet in three or more steps of an OSI layer to determine whether the connection matches the designated list information; Connecting if matched and disconnecting if not matched.