KR20170073289A - Firewall Apparatus and Driving Method Thereof - Google Patents
- Publication number: KR20170073289A
- Authority: KR (South Korea)
- Prior art keywords
- unidentified
- storage unit
- packets
- application
- packet
Classifications (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security)
- H04L63/02: for separating internal from external traffic, e.g. firewalls
  - H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
  - H04L63/0227: Filtering policies
    - H04L63/0263: Rule management
  - H04L63/0281: Proxies
- H04L63/14: for detecting or protecting against malicious traffic
  - H04L63/1408: by monitoring network traffic
- H04L63/16: Implementing security features at a particular protocol layer
  - H04L63/166: at the transport layer
Abstract
The present invention relates to a firewall device capable of improving security reliability.
A firewall device according to an embodiment of the present invention includes a firewall module for allowing or blocking a packet; a rule storage unit for storing signature information of applications; an identification engine for receiving the packet from the firewall module and identifying an application corresponding to the signature extracted from the packet with reference to the rule storage unit; an unidentified storage unit in which unidentified packets not identified by the identification engine are stored; and an external storage unit for receiving the unidentified packets and further identifying an application corresponding to the unidentified packets.
Description
BACKGROUND OF THE INVENTION
The present invention relates to a firewall apparatus and a method of driving the same, and more particularly, to a firewall apparatus and a driving method thereof that can improve security reliability.
The firewall is installed at the front end of the internal network to prevent malicious codes and the like on the Internet from being propagated to the internal network. That is, the firewall is for protecting the internal network from the external network including the Internet network. For this purpose, policies for controlling packets are set in the firewall, and only the allowed packets are provided to the internal network according to a predetermined policy when the firewall is operated.
Such firewalls generally block or allow packets using the 5-tuple (IP addresses, port numbers, protocol, etc.). However, if packets are managed using the 5-tuple alone, the usefulness of the firewall is limited and the reliability of its security is not high.
Accordingly, the present invention provides a firewall device and a method of driving the same which can additionally identify the application, improving both usability and security reliability.
In addition, the present invention provides a firewall device and a method of driving the same that can improve the identification ability of an application.
A firewall device according to an embodiment of the present invention includes a firewall module for allowing or blocking a packet; a rule storage unit for storing signature information of applications; an identification engine for receiving the packet from the firewall module and identifying an application corresponding to the signature extracted from the packet with reference to the rule storage unit; an unidentified storage unit in which unidentified packets not identified by the identification engine are stored; and an external storage unit for receiving the unidentified packets and further identifying an application corresponding to the unidentified packets.
According to an embodiment, the external storage unit periodically receives the unidentified packets.
According to an embodiment of the present invention, the external storage unit includes a cloud storage unit in which update signatures corresponding to various applications and the unidentified packets are stored, and a determination unit for additionally identifying applications corresponding to the unidentified packets using the update signatures.
According to the embodiment, when the application is identified corresponding to the unidentified packets, the determination unit stores the corresponding signature in the rule storage unit.
According to an embodiment, the firewall device further includes an SSL proxy that decrypts the packet and supplies it to the identification engine when the packet supplied to the firewall module is encrypted.
A method of driving a firewall device according to an exemplary embodiment of the present invention includes: inputting a packet to a firewall module; identifying, in the identification engine, an application using the signature of the packet and the signatures stored in the rule storage unit; storing in the unidentified storage unit the unidentified packets for which no application is identified; supplying the unidentified packets stored in the unidentified storage unit to an external storage unit; and comparing the update signatures previously stored in the external storage unit with the unidentified packets and further identifying an application of the unidentified packets according to the comparison result.
According to an embodiment, the external storage unit periodically receives the unidentified packets.
According to an embodiment, the external storage unit includes a cloud storage unit in which the update signatures and the unidentified packets are stored, and a determination unit for additionally determining an application of the unidentified packets.
According to an embodiment, the method further includes storing the corresponding signature in the rule storage unit when an application of the unidentified packets is additionally identified.
The method further includes the step of a developer identifying the application by analyzing the unidentified packets and storing a generated signature corresponding to the identified application in the rule storage unit.
According to the firewall device and the method of driving the firewall device according to the embodiment of the present invention, the firewall device can identify the application and block or allow the packet corresponding to the identified application. That is, in the present invention, a security policy can be set corresponding to each application, thereby improving the usability of the firewall device and the reliability of security.
Further, in the embodiment of the present invention, the signatures can be updated in response to unidentified packets, thereby improving the ability to identify the application corresponding to a packet.
FIG. 1 is a diagram illustrating a firewall according to an embodiment of the present invention.
FIG. 2 is a block diagram showing a configuration of a firewall according to an embodiment of the present invention.
FIG. 3 is a diagram showing an embodiment of a general packet.
FIG. 4 is an illustration of an embodiment of the identification engine and external storage shown in FIG.
FIG. 5 is a diagram showing an embodiment of a process of updating signature information of a rule storage unit.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Reference will now be made in detail to embodiments of the present invention, with reference to the accompanying drawings, together with the other details necessary for those skilled in the art to understand the present invention. However, the present invention may be embodied in many different forms within the scope of the appended claims, and therefore the embodiments described below are merely illustrative in all respects.
That is, the present invention is not limited to the embodiments described below, but may be embodied in various forms. It is to be noted that, in the drawings, the same constituent elements are denoted by the same reference numerals and symbols wherever possible, even when they appear in different drawings.
FIG. 1 is a diagram illustrating a firewall according to an embodiment of the present invention.
Referring to FIG. 1, a
The
For example, the
FIG. 2 is a block diagram showing a configuration of a firewall according to an embodiment of the present invention. FIG. 3 is a diagram showing an embodiment of a general packet. FIG. 2 and FIG. 3 show only the parts necessary for the description of the present invention, and the configuration of the firewall device is not limited thereto.
Referring to FIGS. 2 and 3, a
The
The
In more detail, a packet is generally set to a predetermined size, for example 1460 bytes. Such a packet is divided into a header and data as shown in FIG. The 5-tuple information is stored in the header of the packet: the source IP, the destination IP, the source port, the destination port, and the protocol information. Here, the source IP is the address of the computer that transmitted the packet, the destination IP is the address of the computer receiving the packet, the source port is the port from which the packet is transmitted, the destination port is the port to which the packet is to be delivered, and the protocol is the IP communication protocol.
The data of the packet contains the information to be transmitted, including the signature. Here, the signature is used as information for identifying an application. For example, when the application is "Nate On", the data of the packet includes signature information such as "REQS". Likewise, when the application is a web site, for example "Naver", the data of the packet includes signature information such as "Host: www.naver.com".
The signature information is carried in the packets supplied early in a sequence of consecutive packets. In practice, the signature information is found in the first or second of the consecutively supplied packets.
The
On the other hand, if the application is not identified, the
Additionally, unidentified information includes unknown and insufficient-data. Unknown means that the signature information corresponding to the packet is not stored in the
The
The
On the other hand, in order to apply various policies corresponding to the application in the
The
The
In detail, various applications (including web sites) are created over time. In addition, applications (e.g., authentication programs, in-house messengers, etc.) used only in a specific internal network may be added. Signatures are stored and periodically updated in the
The
If the application of unidentified and/or insufficient-data packets is identifiable using the update signatures, the
That is, in the present invention, the application corresponding to the unidentified information can be further identified by using the
FIG. 4 is an illustration of an embodiment of the identification engine and external storage shown in FIG.
Referring to FIG. 4, an
The
The
The
The
The
The
In more detail, the developer stores update signatures in the
The
In addition, the
FIG. 5 is a diagram showing an embodiment of a process of updating signature information of a rule storage unit.
Referring to FIG. 5, the
Then, the
The
In addition, if the application is not identified in step S502, the
After the unidentified packets are stored in the
After the unidentified packets are stored in the
After the unidentified data is selected in step S512, the
The packets with the corresponding signature can then be identified in the
Additionally, at step S514, the developer (or an expert) may further analyze the unidentified data. The developer can analyze the unidentified data and identify the application from the analysis result. When the application is specified, the
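The process of FIG. 5 (identify a flow from the signature in its first packets, park what cannot be identified, re-check the parked flows against the cloud's update signatures, and push newly learned signatures into the rule storage) modelled in Python. This is an added example, not code from the patent or its applicant; the signature tables, the sample flows and the reporting of unidentified flows as "unidentified" are constructed assumptions, and payloads are assumed to be already decrypted (the SSL proxy step is outside the example).

```python
from dataclasses import dataclass
from typing import Optional

# Rule storage unit: signature -> application ("REQS"/Nate On and "Host: www.naver.com"/Naver
# are the patent's own examples; the table itself is constructed for this example).
RULE_STORAGE = {b"REQS": "NateOn", b"Host: www.naver.com": "Naver"}
# Update signatures held only by the cloud storage unit (constructed in-house application).
CLOUD_UPDATE_SIGNATURES = {b"X-Intranet-Auth:": "InHouseAuth"}
# The patent notes the signature sits in the first or second packet of a flow.
SIGNATURE_WINDOW = 2

@dataclass
class Flow:
    five_tuple: tuple          # (src_ip, dst_ip, src_port, dst_port, proto)
    payloads: list             # data part of the consecutive packets seen so far
    app: Optional[str] = None
    state: str = "pending"     # identified | unknown | insufficient-data

def identify(flow, rules):
    """Identification engine: match early payload data against the rule storage.
    'insufficient-data' = too few packets seen yet; 'unknown' = nothing matched."""
    data = b"".join(flow.payloads[:SIGNATURE_WINDOW])
    for sig, app in rules.items():
        if sig in data:
            flow.app, flow.state = app, "identified"
            return flow.state
    flow.state = "insufficient-data" if len(flow.payloads) < SIGNATURE_WINDOW else "unknown"
    return flow.state

def firewall_pass(flows, rules, policy, unidentified_storage):
    """Firewall module + identification engine (S502-S506): apply the per-application
    policy; unidentified flows are parked (their treatment is a deployment choice)."""
    decisions = {}
    for f in flows:
        if identify(f, rules) == "identified":
            decisions[f.five_tuple] = policy.get(f.app, "block")
        else:
            unidentified_storage[f.five_tuple] = f
            decisions[f.five_tuple] = "unidentified"
    return decisions

def external_update(unidentified_storage, cloud_signatures, rules):
    """External storage unit (S508-S512): compare parked flows with the update
    signatures and, on a match, store that signature in the rule storage."""
    learned = {}
    for key, f in list(unidentified_storage.items()):
        for sig, app in cloud_signatures.items():
            if sig in b"".join(f.payloads[:SIGNATURE_WINDOW]):
                rules[sig] = app
                learned[key] = app
                del unidentified_storage[key]
                break
    return learned

# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow(("10.0.0.5", "203.0.113.10", 51000, 5004, "TCP"), [b"REQS NateOn/1.0\r\n", b"..."]),
    Flow(("10.0.0.6", "203.0.113.20", 51001, 80, "TCP"), [b"GET / HTTP/1.1\r\nHost: www.naver.com\r\n"]),
    Flow(("10.0.0.7", "192.0.2.30", 51002, 8443, "TCP"), [b"PUT /s HTTP/1.1\r\nX-Intranet-Auth: t\r\n", b"..."]),
    Flow(("10.0.0.8", "192.0.2.40", 51003, 9999, "TCP"), [b"\x00\x01"]),  # one packet so far
]

def run_demo():
    """First pass, one cloud update round, then a second pass with the grown rule storage."""
    rules, unidentified = dict(RULE_STORAGE), {}
    policy = {"NateOn": "allow", "Naver": "allow", "InHouseAuth": "allow"}
    first = firewall_pass(SAMPLE_FLOWS, rules, policy, unidentified)
    learned = external_update(unidentified, CLOUD_UPDATE_SIGNATURES, rules)
    second = firewall_pass(SAMPLE_FLOWS, rules, policy, unidentified)
    return first, learned, second, rules
```

The fourth flow stays parked as insufficient-data after both passes: with only one packet seen, the engine cannot yet tell whether a signature will arrive, which is the case the patent separates from "unknown".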
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. It will be apparent to those skilled in the art that various modifications may be made without departing from the scope of the present invention.
The scope of the present invention is defined by the following claims. The scope of the present invention is not limited to the description of the specification, and all variations and modifications falling within the scope of the claims are included in the scope of the present invention.
Reference numerals:
- 100: firewall device
- 110: firewall module
- 120: identification engine
- 122: data extraction unit
- 124: rule mapping unit
- 130: rule storage unit
- 140: SSL proxy
- 150: unidentified storage unit
- 160: external storage unit
- 162: cloud storage unit
- 164:
Claims (10)
A rule storage unit for storing signature information of applications;
An identification engine for receiving the packet from the firewall module and identifying an application corresponding to the signature extracted from the packet with reference to the rule storage;
An unidentified storage unit in which unidentified packets not identified in the identification engine are stored;
and an external storage unit for receiving the unidentified packets and further identifying an application corresponding to the unidentified packets.
Wherein the external storage unit periodically receives the unidentified packets.
The external storage unit
A cloud storage unit in which update signatures corresponding to various applications and the unidentified packets are stored;
and a determination unit for additionally identifying an application corresponding to the unidentified packets using the update signatures.
Wherein when the application is identified corresponding to the unidentified packets, the determination unit stores the corresponding signature in the rule storage unit.
Further comprising an SSL proxy for decrypting and supplying the packet to the identification engine when the packet supplied to the firewall module is encrypted.
Identifying an application using the signature of the packet and the signature stored in the rule store in the identification engine;
Storing in the unidentified storage unit the unidentified packets for which the application is not identified;
Supplying unidentified packets stored in the unidentified storage unit to an external storage unit;
Comparing the update signatures previously stored in the external storage with the unidentified packets, and further identifying an application of the unidentified packets corresponding to the comparison result.
Wherein the external storage unit periodically receives the unidentified packets.
The external storage unit
A cloud storage unit in which the update signatures and the unidentified packets are stored, and a determination unit for additionally determining an application of the unidentified packets.
Further comprising the step of storing the signature in the rule storage when an application of the unidentified packets is further identified.
Further comprising the step of the developer identifying the application by analyzing the unidentified packets and storing the generated signature corresponding to the identified application in the rule storage unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150182015A KR101772681B1 (en) | 2015-12-18 | 2015-12-18 | Firewall Apparatus and Driving Method Thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170073289A true KR20170073289A (en) | 2017-06-28 |
KR101772681B1 KR101772681B1 (en) | 2017-09-12 |
Family
ID=59280784
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101772681B1 (en) |
- 2015-12-18 KR KR1020150182015A patent/KR101772681B1/en active IP Right Grant
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102353130B1 (en) * | 2020-07-21 | 2022-01-18 | 충북대학교 산학협력단 | System and method for Defense of Zero-Day Attack about High-Volume based on NIDPS |
KR102353131B1 (en) * | 2020-07-21 | 2022-01-18 | 충북대학교 산학협력단 | System and method for defense of zero-day attack |
US20220329565A1 (en) * | 2021-04-09 | 2022-10-13 | Palo Alto Networks, Inc. | Increased coverage of application-based traffic classification with local and cloud classification services |
US11616759B2 (en) * | 2021-04-09 | 2023-03-28 | Palo Alto Networks, Inc. | Increased coverage of application-based traffic classification with local and cloud classification services |
US20230231829A1 (en) * | 2021-04-09 | 2023-07-20 | Palo Alto Networks, Inc. | Increased coverage of application-based traffic classification with local and cloud classification services |
US11949658B2 (en) * | 2021-04-09 | 2024-04-02 | Palo Alto Networks, Inc. | Increased coverage of application-based traffic classification with local and cloud classification services |
Also Published As
Publication number | Publication date |
---|---|
KR101772681B1 (en) | 2017-09-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |