KR20170075240A - Firewall Apparatus and Driving Method Thereof - Google Patents

Firewall Apparatus and Driving Method Thereof

Info

Publication number
KR20170075240A
Authority
KR
South Korea
Prior art keywords
user
application
information
packet
firewall
Prior art date
Application number
KR1020150184639A
Other languages
Korean (ko)
Other versions
KR101772683B1 (en)
Inventor
이종현
Original Assignee
주식회사 시큐아이
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 시큐아이
Priority to KR1020150184639A
Publication of KR20170075240A
Application granted
Publication of KR101772683B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

FIELD OF THE INVENTION The present invention relates to a firewall device capable of improving security reliability.
A firewall device according to an embodiment of the present invention includes a firewall module for allowing or blocking a packet; a rule storage unit for storing signature information of applications; a first storage unit for storing an application policy for each user; a user information module for receiving login information of a first user from an AD server, searching the first storage unit for the first user application policy corresponding to the login information, and providing the first user application policy to the firewall module; and an identification engine for receiving the packet from the firewall module and providing to the firewall module, with reference to the rule storage unit, application identification information corresponding to the signature extracted from the packet. The firewall module allows or blocks the packet according to the first user application policy and the application identification information.

Description

FIREWALL APPARATUS AND DRIVING METHOD THEREOF

BACKGROUND OF THE INVENTION Field of the Invention [0002] The present invention relates to a firewall apparatus and a method of driving the same, and more particularly to a firewall apparatus and a driving method thereof that can improve security reliability.

A firewall is installed at the front end of an internal network to prevent malicious code and the like from the Internet from propagating into the internal network. That is, the firewall protects the internal network from external networks, including the Internet. For this purpose, policies for controlling packets are set in the firewall, and while the firewall operates only the packets allowed by the predetermined policy are passed to the internal network.

Such firewalls generally block or allow packets using the 5-tuple (IP addresses, port numbers, etc.). However, when packets are managed using only the 5-tuple, the usability of the firewall is limited and the reliability of its security is not high.

Accordingly, the present invention provides a firewall device and a method of driving the same, which can additionally identify the application and so improve both usability and security reliability.

In addition, the present invention provides a firewall device and a method of driving the same, which can improve the reliability of security by controlling permission or denial of an application for each user.

A firewall device according to an embodiment of the present invention includes a firewall module for allowing or blocking a packet; a rule storage unit for storing signature information of applications; a first storage unit for storing an application policy for each user; a user information module for receiving login information of a first user from an AD server, searching the first storage unit for the first user application policy corresponding to the login information, and providing the first user application policy to the firewall module; and an identification engine for receiving the packet from the firewall module and providing to the firewall module, with reference to the rule storage unit, application identification information corresponding to the signature extracted from the packet. The firewall module allows or blocks the packet according to the first user application policy and the application identification information.

According to the embodiment, the login information includes the ID of the user and the IP address of the computer to which the user is connected.

According to the embodiment, the firewall device may further include a second storage unit connected to the user information module and storing the login information and the permission and blocking information of the applications corresponding to the first user.

The identification engine may include a data extracting unit for extracting the signature from the packet, and a rule mapping unit for generating the application identification information by comparing the signature with the signature information stored in the rule storage unit.

According to the embodiment, the firewall device may further include an SSL proxy for decrypting the packet and supplying it to the identification engine when the packet is encrypted.

According to an embodiment, the first user application policy stores information on at least one of an allowed application and a blocked application.

A method of driving a firewall device according to an exemplary embodiment of the present invention includes: transmitting login information of a first user to a user information module; transmitting a first user application policy corresponding to the login information to a firewall module; inputting a packet from a computer to which the first user has logged in to the firewall module; identifying an application in response to the packet; and allowing or blocking the packet in response to the first user application policy.

According to the embodiment, the login information includes the ID of the user and the IP address of the computer to which the user is connected.

The login information and the permission and blocking information of applications corresponding to the first user are additionally stored according to the embodiment.

According to the firewall device and the driving method thereof according to the embodiment of the present invention, it is possible to identify an application in a firewall device and to block or allow a packet corresponding to an application on a user-by-user basis. That is, in the embodiment of the present invention, applications that can be used by each user can be controlled, thereby improving the usability of the firewall device and the reliability of security.

FIG. 1 is a diagram illustrating a firewall according to an embodiment of the present invention.
FIGS. 2A and 2B are diagrams showing an embodiment of an internal network and an AD server.
FIG. 3 is a block diagram of a firewall according to an embodiment of the present invention.
FIG. 4 is a diagram showing an embodiment of a general packet.
FIG. 5 is a diagram showing an embodiment of the identification engine shown in Fig.
FIG. 6 is a diagram showing an embodiment of a method of driving an application policy for each user.
FIG. 7 is a diagram illustrating an embodiment of per-user application information stored in the second storage unit.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to embodiments of the present invention and other details necessary for those skilled in the art to understand the present invention with reference to the accompanying drawings. However, the present invention may be embodied in many different forms within the scope of the appended claims, and therefore, the embodiments described below are merely illustrative, regardless of whether they are expressed or not.

That is, the present invention is not limited to the embodiments described below, but may be embodied in various forms. It is to be noted that, in the drawings, the same constituent elements are denoted by the same reference numerals and symbols as possible even if they are shown in different drawings.

FIG. 1 is a diagram illustrating a firewall according to an embodiment of the present invention.

Referring to FIG. 1, a firewall device 100 according to an embodiment of the present invention is located between an internal network and an external network. Here, the internal network may include various types of devices that are assigned a private IP (Internet Protocol) address and/or a public IP address. For example, the internal network may include general computers, a server hosting virtual machines supported by its operating system, servers connected through a NAT (Network Address Translator) device, and the like. Indeed, in the present invention, the internal network can be implemented in any of the various forms now known.

The firewall device 100 monitors packets between the external network and the internal network, and blocks or permits the packets according to a predetermined policy. In addition, the firewall device 100 additionally detects the application from the packet. In this case, the firewall device 100 may block or allow an application packet on a user-by-user basis in response to a policy.

For example, if a packet supplied from a first user is determined to belong to the "NateOn" application, the firewall device 100 may block the packet, while if a packet supplied from a second user is determined to belong to the "NateOn" application, the firewall device 100 may allow it. That is, the firewall device 100 according to the embodiment of the present invention can control the permission and blocking of an application for each user, thereby enhancing the reliability of security and widening the range of use.

FIGS. 2A and 2B are diagrams showing an embodiment of an internal network and an AD server.

Referring to FIG. 2A, a plurality of computers (PC1 to PCi: 201 to 20i, where i is a natural number) are located in the internal network. The computers 201 to 20i are connected to the AD (Active Directory) server 300 via the firewall device 100. The AD server 300 authenticates a user when one of the computers 201 to 20i is booted, and so serves as the login server.

The user boots one of the computers 201 to 20i and enters a user ID and a password on the booted computer. The user ID and password entered by the user are authenticated by the AD server 300, after which the computer 201 (or whichever of the computers 201 to 20i was used) can be used.

On the other hand, the AD server 300 stores the IP address and the like corresponding to the user ID as login information. For example, when the user connects using the first computer 201, the AD server 300 may store the user ID together with the IP address corresponding to the first computer 201 (e.g., "192.168.0.1") as login information.

The firewall device 100 receives user-specific login information from the AD server 300. Then, the firewall device 100 accepts or blocks the packet according to the application policy of the user.

For example, the firewall device 100 may receive from the AD server 300 login information containing "Lee" as the user ID and "192.168.0.1" as the IP address. After that, the firewall device 100 blocks or permits packets supplied from the first computer 201 (IP address "192.168.0.1") according to the application policy of the corresponding user (i.e., Lee). A detailed description thereof will be given later.

In the present invention, the AD server 300 may be included in the internal network as shown in FIG. 2B. In this case, the firewall device 100 is also supplied with the login information from the AD server 300.

In fact, as long as the AD server 300 can transfer login information to the firewall device 100 in the embodiment of the present invention, its location can be set variously.

FIG. 3 is a block diagram of a firewall according to an embodiment of the present invention, and FIG. 4 is a diagram showing an embodiment of a general packet. FIG. 3 and FIG. 4 show only the parts necessary for the description of the present invention, and the configuration of the firewall device is not limited thereto.

Referring to FIGS. 3 and 4, a firewall device 100 according to an exemplary embodiment of the present invention includes a firewall module 110, an identification engine 120, a rule storage unit 130, and a Secure Sockets Layer (SSL) proxy 140.

The firewall module 110 blocks or permits packets on a user-by-user basis according to a predetermined policy. That is, the firewall module 110 plays a role of controlling traffic in accordance with a preset policy.

The identification engine 120 receives packets from the firewall module 110 and / or the SSL proxy 140 and extracts data from the received packets. The identification engine 120 then identifies the application by extracting the signature from the data and comparing the extracted signature with the signatures stored in the rule store 130.

In more detail, a packet is generally set to a predetermined size, for example 1460 bytes. Such a packet is divided into a header and data as shown in FIG. 4. The 5-tuple information is stored in the header of the packet; in other words, the header carries the source IP, the destination IP, the source port, the destination port, and the protocol information. Here, the source IP is the address of the computer that transmitted the packet, the destination IP is the address of the computer receiving the packet, the source port is the port from which the packet was sent, the destination port is the port to which the packet is addressed, and the protocol is the IP communication protocol.

The data of the packet contains the information to be transmitted, including the signature. Here, the signature is used as information for identifying an application. For example, when the application is "NateOn", the data of the packet includes signature information such as "REQS". Likewise, when the application is a web site, for example "Naver", the data of the packet includes signature information such as "Host: www.naver.com".

The signature information is carried in the early packets of a sequence of consecutive packets. In fact, the signature information is included in the first or second packet among the consecutively supplied packets.

The identification engine 120 extracts the signature information from the data of the packet and compares the extracted information with the information stored in the rule storage unit 130 (i.e., the pre-stored signatures). The identification engine 120 then supplies the comparison result, i.e., the result of the application identification, to the firewall module 110. In one example, the identification engine 120 may supply "NateOn" to the firewall module 110 as the application information. The firewall module 110 then accepts or blocks the corresponding packet according to the user-specific policy.

On the other hand, if the application is not identified, the identification engine 120 supplies the unidentified information to the firewall module 110. Then, the firewall module 110 accepts or blocks the corresponding packet according to the user-specific policy.

Additionally, unidentified information is of two kinds: Unknown and insufficient-data. Unknown means that the signature information corresponding to the packet is not stored in the rule storage unit 130. Insufficient-data means that the packet is too small to be judged Unknown. For example, if only a 100-byte packet has been transmitted in a specific session, the packet may be classified as insufficient-data.

The rule storage unit 130 stores the signature information of applications. For example, the rule storage unit 130 may store signature information corresponding to messengers (e.g., NateOn, Yahoo Messenger, etc.), signature information corresponding to web sites (Naver, Next, etc.), and signature information corresponding to file transfer programs.

The SSL proxy 140 decrypts a packet encrypted and transmitted through SSL, and supplies the decrypted packet to the identification engine 120. The identification engine 120 then extracts the signature from the decrypted packet and identifies the application in response to the extracted signature.

In addition, the firewall device 100 according to an embodiment of the present invention includes a user information module 150, a first storage unit 160, and a second storage unit 170 for authenticating a user.

The first storage unit 160 stores a policy for each user. In other words, application information that can be allowed for each user and / or application information to be blocked may be stored in the first storage unit 160.

The user information module 150 receives the login information from the AD server 300. Here, when the first user logs in to the first computer 201, the login information may include the ID of the first user and the IP address "192.168.0.1" of the first computer 201.

On receiving the login information, the user information module 150 retrieves the first user's policy from the first storage unit 160 and supplies the search result to the firewall module 110. The firewall module 110 then applies the first user policy to packets supplied from the IP address "192.168.0.1". In other words, the firewall module 110 allows or blocks packets supplied from the first computer 201 in response to the first user policy.

For example, from the identification information supplied by the identification engine 120, the firewall module 110 may learn that a packet transmitted from the first computer 201 corresponds to a specific messenger. From the user policy supplied by the user information module 150, the firewall module 110 can learn whether that specific messenger is allowed or blocked for the first user. The firewall module 110 then blocks or permits the packet corresponding to the specific messenger in response to the user policy. That is, in the present invention, an application can be blocked or allowed for each user, thereby enhancing security reliability.

The second storage unit 170 stores application statistics information for each user. In other words, the IP address of the computer used by the user, the application information (blocked or allowed list), and the like may be stored in the second storage unit 170. Accordingly, the application usage information for each user can be known by the information stored in the second storage unit 170.

FIG. 5 is a diagram showing an embodiment of the identification engine shown in Fig.

Referring to FIG. 5, an identification engine 120 according to an embodiment of the present invention includes a data extraction unit 122 and a rule mapping unit 124.

The data extracting unit 122 receives the packet from the firewall module 110 or the SSL proxy 140 and extracts the signature from the data of the received packet.

The rule mapping unit 124 compares the signatures stored in the rule storage unit 130 with the signatures extracted by the data extraction unit 122 and outputs application identification information and/or unidentified information (Unknown, insufficient-data) to the data extracting unit 122. The data extraction unit 122 then supplies the application identification information and/or the unidentified information from the rule mapping unit 124 to the firewall module 110.

The firewall module 110, which receives the application identification information and / or the unidentified information, blocks or permits the packet according to the policy for each user. For example, the firewall module 110 may block a packet corresponding to a first application corresponding to a first user and allow a packet corresponding to a first application corresponding to a second user. On the other hand, when the unidentified information is transmitted to the data extracting unit 122, the data extracting unit 122 blocks or permits the packet for each user corresponding to the unidentified information.

FIG. 6 is a diagram showing an embodiment of a method of driving an application policy for each user.

Referring to FIG. 6, a user inputs a user ID and a password using one of the computers 201 to 20i, and the user ID and password are authenticated by the AD server 300 (S600). For convenience of explanation, the user ID is "Lee" and the computer the user has logged in to is the first computer 201 having the IP address "192.168.0.1", as shown in FIG.

After the user logs in, the AD server 300 transmits the logged-in user's information to the user information module 150 via the firewall module 110 (S602). The user information module 150 then searches the first storage unit 160 for the application policy corresponding to the user ID "Lee" and supplies the retrieved application policy to the firewall module 110. The firewall module 110 then applies the application policy corresponding to the "Lee" user to packets supplied from the first computer 201 (S604).

A packet supplied from the first computer 201 is supplied to the identification engine 120 directly or, if encrypted, is decrypted in the SSL proxy 140 and then supplied to the identification engine 120. The identification engine 120 receiving the packet extracts the data, that is, the signature, from the packet (S606).

Having extracted the signature, the identification engine 120 identifies the application by referring to the signatures stored in the rule storage unit 130 (S608), and supplies the identification information or the unidentified information to the firewall module 110 (S610).

The firewall module 110 receiving the identification information or the unidentified information determines whether or not to allow the application (including, for example, Unknown and insufficient-data) according to the policy of the "Lee" user (S612).

For example, if the user "Lee" is the person in charge of the computers, various applications may be used and applications under development may be tested. In this case, the policy of "Lee" may be set to allow all applications, including Unknown and insufficient-data. Alternatively, the user "Lee" may be a developer working on a specific product. In this case, the policy of "Lee" may be set to allow only the applications necessary for development.

Meanwhile, the user information module 150 receives per-user application information from the firewall module 110 and stores it in the second storage unit 170 (S614). In other words, the user information module 150 may store, in the second storage unit 170, the user "Lee", the computer 201 the user is connected from (e.g., its IP address), and the application information used by the user "Lee".

FIG. 7 is a diagram illustrating an embodiment of per-user application information stored in the second storage unit.

Referring to FIG. 7, the developer can check the application statistics for each user using the information stored in the second storage unit 170. For example, the developer can check the IP addresses of the computers that the "Kim" and "Lee" users accessed, and the application information that they used on those computers.

In particular, in the present invention, the permitted application information and the blocked application information can be checked for each user. These statistics can be used to re-tune application policies or to enhance security. For example, if the developer "Lee" tries to connect to a Chinese server using an unauthorized messenger (wechat, qq), an additional security policy can be added for the "Lee" user.

On the other hand, when the IP address "192.168.0.1" is assumed to be a public computer installed in a conference room or the like, different application policies are applied to each user (i.e., Kim, Lee) connected to the public computer. In other words, even when different users are connected to the same computer, the applications that can be used are set differently from each other, so that the reliability of security can be ensured.

Further, in the present invention, even if the computer IP address of the "Kim" user is changed by department movement, the application policy of the "Kim" user can be applied without changing the policy corresponding to the IP address. That is, since the application policy is applied using the login information of the user, the application policy can be applied to each user regardless of the computer used.
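The per-user decision flow of FIG. 6 (S600 to S614) and the FIG. 7 statistics, written out as an added Python example that is not part of the patent or of the assignee's product: the rule storage unit holds byte signatures, the identification engine returns an application name or Unknown/insufficient-data, the login information from the AD server maps a source IP address to a user whose policy is then looked up in the first storage unit, and the second storage unit keeps the per-user allowed/blocked record. The 128-byte insufficient-data threshold, the default-deny for sources with no login record, the "Lee"/"Kim" policies and the sample packets are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Rule storage unit (130): application name -> signature carried in packet data.
# "REQS" and the Naver Host header are the description's own examples.
RULE_STORAGE: Dict[str, bytes] = {
    "NateOn": b"REQS",
    "Naver": b"Host: www.naver.com",
}

UNKNOWN = "Unknown"                  # no stored signature matched
INSUFFICIENT = "insufficient-data"   # too little data to call the packet Unknown
MIN_BYTES_FOR_UNKNOWN = 128          # assumed threshold; the text only gives a 100-byte illustration


@dataclass(frozen=True)
class Packet:
    """5-tuple from the header (FIG. 4) plus the data part that carries the signature."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    data: bytes


def identify_application(pkt: Packet) -> str:
    """Identification engine (120): data extraction (122) plus rule mapping (124)."""
    for app, signature in RULE_STORAGE.items():
        if signature in pkt.data:
            return app
    # Nothing matched: separate a genuine Unknown from a packet too small to judge.
    return UNKNOWN if len(pkt.data) >= MIN_BYTES_FOR_UNKNOWN else INSUFFICIENT


@dataclass(frozen=True)
class UserPolicy:
    """First storage unit (160) entry: allowed and/or blocked applications.
    Unknown and insufficient-data are treated like application names, so a policy can
    allow or block unidentified traffic explicitly. allowed=None means allow all not blocked."""
    allowed: Optional[FrozenSet[str]] = None
    blocked: FrozenSet[str] = frozenset()

    def permits(self, app: str) -> bool:
        if app in self.blocked:
            return False
        return self.allowed is None or app in self.allowed


class FirewallDevice:
    def __init__(self, first_storage: Dict[str, UserPolicy]) -> None:
        self.first_storage = first_storage
        self.logins: Dict[str, str] = {}          # AD login info: source IP -> user ID
        self.second_storage: List[Tuple[str, str, str, str]] = []  # (user, ip, app, verdict)

    def receive_login(self, user_id: str, ip: str) -> None:
        """S600/S602: the AD server reports that user_id logged in from ip."""
        self.logins[ip] = user_id   # a new login on the same computer replaces the user

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """S604 to S614: returns (application, verdict) for one packet."""
        user = self.logins.get(pkt.src_ip)
        app = identify_application(pkt)
        if user is None:
            verdict = "block"   # no login info for this source: default deny (assumption)
        else:
            policy = self.first_storage.get(user, UserPolicy(allowed=frozenset()))
            verdict = "allow" if policy.permits(app) else "block"
        self.second_storage.append((user or "-", pkt.src_ip, app, verdict))
        return app, verdict

    def user_statistics(self, user_id: str) -> Dict[str, set]:
        """FIG. 7 view: IPs a user used and which apps were allowed or blocked."""
        stats: Dict[str, set] = {"ips": set(), "allowed": set(), "blocked": set()}
        for user, ip, app, verdict in self.second_storage:
            if user == user_id:
                stats["ips"].add(ip)
                stats["allowed" if verdict == "allow" else "blocked"].add(app)
        return stats


def demo() -> FirewallDevice:
    """Constructed scenario: Lee is a developer on an allowlist, Kim may use everything."""
    fw = FirewallDevice({
        "Lee": UserPolicy(allowed=frozenset({"Naver"})),
        "Kim": UserPolicy(),   # allow all, including Unknown and insufficient-data
    })
    fw.receive_login("Lee", "192.168.0.1")
    nateon = Packet("192.168.0.1", "10.0.0.5", 51000, 5004, "TCP", b"REQS 1.0 " + b"A" * 200)
    naver = Packet("192.168.0.1", "10.0.0.6", 51001, 80, "TCP", b"GET / HTTP/1.1\r\nHost: www.naver.com\r\n")
    tiny = Packet("192.168.0.1", "10.0.0.7", 51002, 443, "TCP", b"\x16\x03\x01")
    for pkt in (nateon, naver, tiny):
        print("Lee", pkt.dst_port, fw.decide(pkt))
    fw.receive_login("Kim", "192.168.0.1")   # same public computer, different user
    print("Kim", nateon.dst_port, fw.decide(nateon))
    return fw
```

Running `demo()` shows the same NateOn packet blocked for Lee and allowed for Kim from the same IP address, which is the per-user (rather than per-address) control the description claims.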

As described above, in the present invention, it is possible to set an application that can be used by each user, thereby improving the security and usability of the firewall device 100.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. It will be apparent to those skilled in the art that various modifications may be made without departing from the scope of the present invention.

The scope of the present invention is defined by the following claims. The scope of the present invention is not limited to the description of the specification, and all variations and modifications falling within the scope of the claims are included in the scope of the present invention.

100: firewall device
110: firewall module
120: identification engine
122: data extraction unit
124: rule mapping unit
130: rule storage unit
140: SSL proxy
150: user information module
160, 170: storage units
201, 202, 20i: computers
300: AD server

Claims (9)

1. A firewall device comprising:
a firewall module for allowing or blocking packets;
a rule storage unit for storing signature information of applications;
a first storage unit for storing an application policy for each user;
a user information module for receiving login information of a first user from an AD server, searching the first storage unit for a first user application policy corresponding to the login information, and providing the first user application policy to the firewall module; and
an identification engine for receiving the packet from the firewall module and providing to the firewall module, with reference to the rule storage unit, application identification information corresponding to a signature extracted from the packet,
wherein the firewall module permits or blocks the packet according to the first user application policy and the application identification information.
2. The firewall device according to claim 1, wherein the login information includes a user ID and an IP address of a computer to which the user is connected.
3. The firewall device according to claim 1, further comprising a second storage unit connected to the user information module and storing the login information and permission and blocking information of applications corresponding to the first user.
4. The firewall device according to claim 1, wherein the identification engine comprises: a data extracting unit for extracting the signature from the packet; and a rule mapping unit for generating the application identification information by comparing the signature with the signature information stored in the rule storage unit.
5. The firewall device according to claim 1, further comprising an SSL proxy for decrypting the packet and supplying it to the identification engine when the packet is encrypted.
6. The firewall device according to claim 1, wherein at least one of a permitted application and a blocked application is stored in the first user application policy.
7. A method of driving a firewall device, comprising:
transmitting login information of a first user to a user information module;
sending a first user application policy to a firewall module in response to the login information;
inputting a packet from a computer to which the first user has logged in to the firewall module;
identifying an application in response to the packet; and
allowing or blocking the packet according to the first user application policy.
8. The method of claim 7, wherein the login information includes a user ID and an IP address of a computer to which the user is connected.
9. The method of claim 7, further comprising storing the login information and permission and blocking information of applications corresponding to the first user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150184639A KR101772683B1 (en) 2015-12-23 2015-12-23 Firewall Apparatus and Driving Method Thereof

Publications (2)

Publication Number Publication Date
KR20170075240A true KR20170075240A (en) 2017-07-03
KR101772683B1 KR101772683B1 (en) 2017-08-29

Family

ID=59357589

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150184639A KR101772683B1 (en) 2015-12-23 2015-12-23 Firewall Apparatus and Driving Method Thereof

Country Status (1)

Country Link
KR (1) KR101772683B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102020178B1 (en) * 2019-03-21 2019-09-09 김상환 Fire wall system for dynamic control of security policy

Also Published As

Publication number Publication date
KR101772683B1 (en) 2017-08-29

Similar Documents

Publication Publication Date Title
US10776489B2 (en) Methods and systems for providing and controlling cryptographic secure communications terminal operable to provide a plurality of desktop environments
US10652226B2 (en) Securing communication over a network using dynamically assigned proxy servers
US7366902B2 (en) System and method for authenticating a storage device for use with driver software in a storage network
JP5029701B2 (en) Virtual machine execution program, user authentication program, and information processing apparatus
US20120084566A1 (en) Methods and systems for providing and controlling cryptographic secure communications across unsecured networks
EP3605948B1 (en) Distributing overlay network ingress information
WO2009097313A1 (en) Network access control
KR102020178B1 (en) Fire wall system for dynamic control of security policy
US12074863B2 (en) Dynamic bypass
CN101488950A (en) Symmetric key distribution framework for the internet
US8799645B2 (en) Scalable distributed web-based authentication
EP2974121A1 (en) Secure network communication
JP2012178010A (en) Information processing system and information processing method
US20220345491A1 (en) Systems and methods for scalable zero trust security processing
US20080263126A1 (en) Internet bridge for applications and web servers
KR101772681B1 (en) Firewall Apparatus and Driving Method Thereof
KR101772683B1 (en) Firewall Apparatus and Driving Method Thereof
CN110875903A (en) Security defense method and device
KR101404161B1 (en) Network separation device using one time password, network separation system and method thereof
KR101749074B1 (en) Firewall System and Driving Method Thereof
Kerai Tracing VNC and RDP Protocol Artefacts on Windows Mobile and Windows Smartphone for Forensic Purpose

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant