KR20110012479A - Apparatus for managing a fire wall - Google Patents

Abstract

PURPOSE: An apparatus for managing a firewall is provided to correctively manage firewalls of terminals at a remote place. CONSTITUTION: A generating unit(320) creates a policy for at least terminal device, and a firewall is loaded on at least one terminal device. According to the policy, the firewall blocks or allows a received packet. A management unit(360) selects at least one terminal device. The management unit transmits the policy to one or more than one selected terminal device. The management unit manages the terminal device based on policy unit.

Description

Firewall management device {Apparatus for managing a fire wall}

The present invention relates to a firewall management device.

Recently, services based on IP (Internet Procotol) networks such as Internet Prototol TeleVision (IPTV) and Voice over Internet Procotol (VoIP) have begun to be provided on a large scale, and thus, IPTV set-top box (STB) or VoIP There is a need to prepare for security by installing a firewall on the terminal.

Recently, hacking cases of set-top boxes have occurred frequently, and broadcasters and set-top box companies have been hit hard. If the set-top box is hacked, even if the subscriber is not a legitimate subscriber, they may watch the broadcast.

Typically, a firewall is installed in a personal computer (PC), a server, or a network for security. Firewalls are used at the point where your organization and your network connect to prevent attacks from the outside or to enable only certain services when accessing the Internet from within your organization.

However, the conventional firewall is to apply the policy based on the individual firewall (physical (H / W, S / W)). That is, the administrator enters and lists the policies to apply to a specific firewall. In addition, a specific firewall UI is output by selecting a specific firewall in the administrator UI (User Interface). Select from the list of policies that apply to a specific firewall. If there are several firewalls to be managed by the administrator, the above steps should be performed for each fire. If you enter a five-line firewall policy for 100 firewalls, at least 500 entries are required.

Therefore, if a large-scale firewall management such as a network firewall is performed, but management of millions of individual firewalls is required, conventional management based on individual firewalls is inefficient. As of December 2008, the burden on management is significant given that service providers must manage the policies of up to approximately 1 million firewalls.

In addition, the conventional firewall is in operation at the time the administrator manages, so that the application of the policy can be immediately implemented. However, since individual terminals such as STBs or VoIP terminals do not always operate, if a user wants to install and manage a firewall on such individual terminals, the administrator may guarantee that the device is operating at the time of managing the firewall policy of the STB or VoIP terminal. There is a problem that is difficult to manage.

In addition, the existing firewall was generally only to be accessed internally for its management, but since the STB or VoIP terminal should be accessed from the outside for its management, an additional management burden is generated for communication and actions for policy management.

An object of the present invention is to provide an apparatus for managing a firewall on a policy basis.

According to one embodiment of the present invention, a firewall management apparatus is provided. The apparatus includes a generation unit for generating a policy to be applied to one or more terminal devices equipped with a firewall for blocking or allowing packets received from a network according to a policy; And a management unit for selecting one or more terminal devices to which the policy is to be applied, transmitting the policy to the selected one or more terminal devices, and managing the one or more terminal devices on a policy basis.

According to one embodiment of the present invention, the operator can remotely manage the firewall mounted on a large number of individual terminals while minimizing the burden on the administrator.

In addition, although the policy to be applied to each individual firewall had to be managed separately, policy management is simple because the firewall is managed based on the applied policy. For example, if a five-line firewall policy is input to 100 firewalls, at least 500 inputs are required in the conventional method, but according to the proposal, only up to 105 inputs are required. This reduces the input by about 80% when performing the same task, improving management efficiency.

In addition, when checking the policy in the firewall, the individual policy applied to the firewall had to be checked individually, but the policy applied to the firewall was unified into one policy, so that the policy applied as the hash value can be easily checked, thereby reducing the complexity of the system. In addition, in an environment where resource usage should be minimized, the resources required to check the firewall policy can be significantly reduced.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and similar drawings are attached to similar parts throughout the specification.

Throughout the specification, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise.

Now, a firewall management apparatus according to an embodiment of the present invention will be described in detail with reference to the drawings.

1 is a block diagram of a firewall management system according to an embodiment of the present invention.

1, in the firewall management system, a plurality of terminal devices 100 ′ and 100 ″ are connected to a management server (or firewall management device) 300 through an IP (Internet Procotl) network 200. (Or firewall management device) 300) remotely manages a plurality of terminal devices (100 ', 100 ").

The plurality of terminal apparatuses 100 'and 100 "are communication terminal apparatuses installed in a wide range of locations connected to the IP network 200 to transmit and receive data. The number of terminals may be dedicated terminals for receiving a service provided by a specific operator. For example, it may be a set-top box 100 ′ for receiving data broadcast or a voice over internet protocol (VoIP) terminal 100 ″ providing an internet telephony service. In this case, the plurality of terminal devices 100 ′, 100 ″ are provided with firewalls 120, respectively.

The management server (or firewall management device) 300 identifies each of the plurality of terminal devices 100 'and 100 ", and remotely controls the firewall 120 mounted in each of the plurality of terminal devices 100' and 100". To control. The management server (or firewall management device) 300 generates a policy and selects one or more terminal devices to which the policy is to be applied among the plurality of terminal devices 100 'and 100 ". Transmits and manages a terminal device to which a policy is applied on a policy basis.

Next, a detailed configuration of the plurality of terminal devices 100 ′, 100 ″ and the management server (or firewall management device 300) will be described with reference to FIGS. 2 and 3.

2 is a block diagram showing a detailed configuration of a terminal device according to an embodiment of the present invention.

Referring to FIG. 2, each of the plurality of terminal devices 100 ′ and 100 ″ includes a firewall 120, an agent 140, a policy DB 160, and a communication unit 180.

The firewall 120 blocks or allows the packet received from the IP network 200 according to the policy. That is, the firewall 120 collects the information of the received packet and compares it with the policies stored in the policy DB 160 to block the packet if it is not an authorized packet. The firewall 120 monitors the presence or absence of various abnormal data, malicious codes, spyware, and the like in the received packet to block an attack on the plurality of terminal devices 100 'and 100 ".

The agent 140 controls the operation of the firewall 120 and communicates with the management server (or firewall management device) 300 to apply the policy or update the previously applied policy. That is, a new or updated policy is received from the management server (or firewall management device) 300 and applied to the firewall 120 to actually implement it.

Agent 140 performs the function shown in Table 1 below.

function Explanation Policy reception function (passive update function) Depending on the network environment and situation, the terminal needs to actively request a policy or manually converge the policy update command of the management server. Policy request feature (active update feature) Policy request scheduling feature Update at the time that the device is actively scheduled Policy deletion function This function deletes all currently applied policies and is used to apply new policies or update existing policies.
The reason why the current policy is deleted even when updating the existing policy is to reduce the parsing of the existing policy for the update, so that the terminal resource can be efficiently used, and when the terminal failure occurs during the policy update, it is updated and stopped. The reason is to prevent the terminal from going wrong. Policy ID Verification Function ㅇ Check the currently applied policy
ㅇ The management server can check the policy currently applied to the terminal. Check hash value of policy ㅇ Confirmed that the policy applied to the terminal was not tampered with
ㅇ The management server checks the integrity of the policy currently applied to the terminal. New policy application success check function Respond to a request to confirm that the policy passed by the management server was applied correctly. Alive signal communication function Alive signal confirms management server and agent are alive Respond to firewall confirmation request signals Check if the firewall is installed on the agent and automatically register the terminal as a managed terminal on the management server Automatic update function at abnormal end When the terminal is rebooted due to system failure, the policy is automatically updated for safety.

In addition, the agent 140, in addition to the functions listed in Table 1, the security information of the policy generated by itself, that is, the hash value and the hash value of the already calculated policy received together with the policy from the management server (or firewall management device) 300). Compare and determine whether to apply the policy based on the match. In other words, if it does not match, it returns a null value to the management server (or firewall management device) 300 without storing the policy. However, if there is a match, the policy is stored in the policy DB 160 and applied to the firewall 120.

The policy DB 160 stores policy information for controlling the operation of the firewall. The policy information includes a policy name, policy identification information, policy details, and security information of a policy received together with the policy from the management server (or firewall management device) 300, and security information of a policy calculated by itself. At this time, the security information of the policy is a value calculated by the hash algorithm based on the policy name, the policy identification information, and the details of the policy.

The communication unit 180 performs data communication with the management server (or firewall management device) 300 and performs Transmission Control Protocol (TCP) communication. The communication unit 180 performs secure communication with the management server (or firewall management device) 300 to perform mutual authentication with the management server (or firewall management device) 300. It allows for as many connection sessions as the number of session limits allowed. The communication unit 180 is always connected to the management server (or firewall management device) 300 and always receives the policy and control signals received from the management server (or firewall management device) 300 to the agent 140. To pass.

3 is a block diagram showing a detailed configuration of a management server according to an embodiment of the present invention.

Referring to FIG. 3, the management server (or firewall management device) 300 includes a generation unit 320, a policy management DB 340, and a management unit 360.

The generation unit 320 generates a policy, selects one or more terminal devices to which the policy is applied from among the plurality of terminal devices 100 ', 100 ", and transmits the policy to the selected one or more terminal devices. The generation unit 320 Generates policy management information mapped with identification information of one or more terminal devices to which one or more policies generated for each identification information of the generated one or more policies are applied.

In addition, the generation unit 320 may generate a policy set composed of one or more policies. The policy management information may be generated by mapping identification information of at least one terminal device for each identification information of the policy set.

The policy management DB 340 stores management target terminal information, policy information, and policy management information generated by the generation unit 320. In this case, the management target terminal information stores identification information of terminal devices that the firewall is installed and controlled by the management server (or firewall management device) 300 and the detailed information of each terminal device. The policy information generated by the generation unit 320 may be configured as shown in Table 2 below.

Policy name Security Policy 1 Policy ID 10001 Creation date 2009-05-08 Constructor Hong Gil Dong Renewer withdrawal Policy
Details 1.ALLOW FROM 10.10.10.1:ALL TO 211.10.10.112:1010
2.ALLOW FROM 10.10.10.2:ALL TO 211.10.10.112:1011
3.DROP ALL Policy hash Sakjg2038twdsvknsf024nfwodsd

The policy name is the name of a policy written arbitrarily in the administrator. Policy policy identification information (ID, Identification) is automatically generated and created with new value regardless of whether it is new or updated. This is to clearly distinguish the policy applied to the terminal. The creation date and creator are the dates when the policy is new or updated. The creator is the name of the administrator who newly registered the policy. The updater is the name of the person who last updated the policy. The policy details are the contents of a policy that is substantially applied to the firewall, and may vary depending on the type and manufacturer of the firewall. A policy hash is security information computed by a hash algorithm based on policy name, policy ID, and policy details. It is used to manage policy integrity, and it is automatically generated.

The management unit 360 is a means for performing policy management of the firewall 120 including changing a policy, changing a policy application target, and checking whether a policy is valid.

If it is necessary to change the policy, the management unit 360 searches the policy management DB 340 and transmits the changed policy to the terminal device corresponding to the identification information of the terminal device mapped to the identification information of the policy to be changed. In addition, when the policy application target is to be changed, the policy application target is changed by adding or deleting the identification information of the specific terminal apparatus from the identification information of the policy and the terminal apparatus mapped.

In addition, the management unit 360 checks the security information of the policy stored in the terminal devices (100 ', 100 ") stored in the management target terminal information and compares with the security information of the policy stored in the policy management DB (340) or not. Accordingly, the validity of the policy stored in the terminal devices 100 'and 100 "is checked.

Now, a description will be given of how the firewall management system described above manages the firewall.

4 is a flowchart illustrating a firewall management method according to a first embodiment of the present invention.

Referring to FIG. 4, the management server (or firewall management device) 300 (FIGS. 1 and 3) selects one or more terminal devices (100 ′ and 100 ″ in FIGS. 1 and 2) to apply the policy after generating the policy. do.

On the other hand, the plurality of terminal devices (100 ', 100 ") determines whether the update type is passive or active or whether the abnormal termination state (S105).

In this case, when the update type is manual, the plurality of terminal devices 100 'and 100 "are in a waiting state for reception.

However, if the update type is active, it is determined whether a cycle arrives (S107). That is, it is determined whether the reservation time requested in advance from the management server (or firewall management device) 300 has arrived.

Then, when the cycle arrives in step S107 and when it is determined that the abnormal termination state in step S105, the management server (or firewall management device) 300 requests a policy update (S109).

The management server (or firewall management apparatus) 300 transmits a policy in response to a request of a plurality of terminal apparatuses 100 'and 100 "(S111). If the update type is manual, the policy is transmitted as soon as the policy is generated or according to the time schedule of the management server (or firewall management apparatus 300) itself (S111). Here, in step S111, a policy including identification information of the policy, detailed information of the policy, and security information may be transmitted.

When a plurality of terminal apparatuses 100 'and 100 "are received, the plurality of terminal apparatuses 100' and 100" determine whether a pre-stored policy exists (S113). If there is a pre-stored policy, the terminal device 100 'or 100 "deletes the pre-stored policy (S115). Generate security information of the received policy (S117).

The security information generated in step S117 and the security information received in step S111 are compared to determine whether they match (S119). If there is a match, the received policy is stored (S121). If it does not match, the null value is transmitted to the management server (or firewall management device) 300 (S123).

5 is a flowchart illustrating a firewall management method according to a second embodiment of the present invention. In particular, it is a flowchart illustrating the firewall management operation of the management server (or firewall management device) 300 in detail.

Referring to FIG. 5, the management server (or the firewall management device) (300 in FIGS. 1 and 3) may include one or more terminal devices (100 ′ and 100 ″ in FIGS. 1 and 2) to which the corresponding policy is applied for each identification information of one or more policies. The policy management information mapped with the identification information is generated (S201).

Thereafter, when the policy needs to be changed (S203), the identification information of the changed policy is checked (S205). In operation S207, identification information of one or more terminal devices 100 ', 100 "mapped to identification information of the checked policy is searched, and one or more terminal devices 100', 100" corresponding to the searched identification information are searched for. The changed policy is transmitted (S209).

In addition, when it is necessary to change the terminal device to which the policy is applied (S211), it is determined whether the change is deletion or addition (S213).

In the case of the deletion, the identification information of the policy mapped to the identification information of the terminal device that needs to be deleted is searched (S215) and the identification information of the terminal device is deleted (S217). The terminal requests the policy deletion to the terminal device corresponding to the deleted identification information (S219).

In addition, when the policy change addition determined in step S213 is added, the identification information of the policy to be added is searched for (S221), and the identification information of the terminal device is added (S223). The terminal requests the addition of a policy to the terminal device corresponding to the added identification information (S225).

6 is a flowchart illustrating a firewall management method according to a third embodiment of the present invention.

Referring to FIG. 6, the management server (or firewall management apparatus) 300 (FIGS. 1 and 3) requests policy confirmation from a plurality of terminal apparatuses 100 ′ and 100 ″ of FIGS. 1 and 2 (S301).

The plurality of terminal apparatuses 100 ′ and 100 ″ search for stored policies (S303), generate security information (S305), and transmit them to the management server (or firewall management apparatus) 300 (S307).

The management server (or firewall management device) 300 compares the security information received in step S307 with previously stored security information of the mapped policy and the identification information of the terminal device (S309). In operation S309, it is determined whether the comparison results match.

If there is a match, the security information confirmation indicating that the security information verification result is successful is transmitted (S313). However, if it does not match, it is assumed that there is a problem in the integrity of the terminal device to perform a predefined operation (S315). In this case, the predefined operation may request the deletion of all policies stored in the terminal device and request the download of a new policy. Alternatively, the service may be suspended by the terminal device.

Through this process, in addition to checking the inconsistency between the policy actually applied to the plurality of terminal devices 100 'and 100 "and the contents on the management server (or firewall management device) 300, the policy may be changed due to external intrusion. You can also prepare for the case.

7 is a flowchart illustrating an access procedure between a terminal device and a management server according to an exemplary embodiment of the present invention.

Referring to FIG. 7, a plurality of terminal apparatuses 100 ′ and 100 ″ in FIGS. 1 and 2 request a connection to a management server (or a firewall managing apparatus) (300 in FIGS. 1 and 3) (S401). The terminal device (100 ', 100 ") informs the management server (or firewall management device) 300 of the operation of the agent 140 (Ready). If there is no connection attempt from the management server (or firewall management device) 300 for a specified time, the connection request is made again.

When the connection response is received from the management server (or firewall management device 300) (S403), the plurality of terminal devices (100 ', 100 ") and the management server (or firewall management device) 300) mutual authentication ( Mutual Aion) is performed (S405 and S407), and a session is connected (S409) to a state of waiting for policy signaling.

Thereafter, the management server (or firewall management apparatus) 300 periodically checks whether sessions with the plurality of terminal apparatuses 100 'and 100 "are in an alive state, that is, the management server (or firewall management apparatus). When the alive check time arrives (S409), the alive check signal is transmitted to the plurality of terminal devices 100 ′ and 100 ″ (S411).

The management server (or firewall management device) 300 determines whether the alive check response is successful by determining whether an alive check response is received from the plurality of terminal devices 100 ′ and 100 ″ that have transmitted the alive check signal in step S411. (S413).

At this time, if successful, the session is maintained (S417). If it fails, it repeatedly requests the alive check repeatedly (S411) until the preset number of repetitions expires (S419). If it fails, the session connection procedure is performed again by requesting a session connection (S419). Through such a procedure, a plurality of terminal devices 100 ', 100 "and a management server (or firewall management device 300) are always on.

8 illustrates a communication protocol structure between a terminal device and a management server according to an embodiment of the present invention.

Referring to FIG. 8, a signal protocol 400 for transmitting a policy by a management server (or firewall management device) (300 of FIGS. 1 and 3) to a plurality of terminal devices (100 ′ and 100 ″ of FIGS. 1 and 2). It shows the structure of.

Signal protocol 400 includes a signal header 401, policy ID 403, policy size 405, policy data 407, policy hash value 409, and payload hash 411.

The signal header 401 contains predefined information of the transport protocol 400. Signaling time including the time of generating the signal mainly, source IP including the sender IP, that is, the IP address of the management server (or the firewall management device 300), the receiver IP, that is, the IP of the terminal device 100 ', 100 ". It consists of a destination IP containing the address, a signal type that indicates the type of signal, allowing the receiver to parse the signal, and a hash of values from the signaling time to the signal type.

The payload of the signal protocol 400 has its size and type determined according to the signal type. The policy ID 403 indicating the ID assigned to the policy, the policy size 405 indicating the size of the field containing the policy data, the policy data 407 containing the content of the policy actually transmitted, and the policy hash value 409. And a payload hash 411 representing a hash value from the policy ID to the policy hash value.

As such, between the plurality of terminal apparatuses 100 ′ and 100 ″ and the management server (or firewall management apparatus 300), a protocol including a hash value in the header and the payload part is always used to ensure communication integrity.

Embodiments of the present invention are not implemented only through the above-described apparatus and / or method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiments of the present invention, a recording medium on which the program is recorded, and the like. It may be.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

1 is a block diagram of a firewall management system according to an embodiment of the present invention.

2 is a block diagram showing a detailed configuration of a terminal device according to an embodiment of the present invention.

3 is a block diagram showing a detailed configuration of a management server according to an embodiment of the present invention.

4 is a flowchart illustrating a firewall management method according to a first embodiment of the present invention.

5 is a flowchart illustrating a firewall management method according to a second embodiment of the present invention.

6 is a flowchart illustrating a firewall management method according to a third embodiment of the present invention.

7 is a flowchart illustrating an access procedure between a terminal device and a management server according to an exemplary embodiment of the present invention.

8 illustrates a communication protocol structure between a terminal device and a management server according to an embodiment of the present invention.

Claims (5)

A generation unit for generating a policy to be applied to at least one terminal device equipped with a firewall that blocks or allows packets received from the network according to the policy; And A management unit for selecting one or more terminal devices to which the policy is to be applied, transmitting the policy to the selected one or more terminal devices, and managing the one or more terminal devices on a policy basis; Firewall management device comprising a. The method of claim 1, The generation unit, And generating policy management information mapped with identification information of the terminal device to which the generated one or more policies are applied for each identification information of the generated one or more policies. The method of claim 2, The management unit, When the policy is changed, the firewall management device for retrieving the identification information of the terminal device mapped to the identification information of the changed policy from the policy management information, and transmits the changed policy to the terminal device corresponding to the retrieved identification information. The method of claim 3, The management unit, If it is necessary to add or delete the terminal device to which the policy is applied, the identification information of the terminal device that needs to be deleted is deleted from the identification information of the policy and the mapped terminal device or the identification information of the mapped terminal device is deleted. Firewall management device for adding identification information of the terminal device that needs to be added. The method according to any one of claims 1 to 4, The management unit, A firewall management apparatus that receives a policy update request from the at least one terminal device abnormally terminated, retrieves identification information of the at least one terminal device and identification information of the mapped policy, and transmits the mapped policy to the at least one terminal device. .

Images