TW201911101A - Server and firewall rule management thereof - Google Patents


Info

Publication number
TW201911101A
Authority
TW
Taiwan
Prior art keywords
client device
firewall
firewall rule
server
network service
Prior art date
Application number
TW106126620A
Other languages
Chinese (zh)
Other versions
TWI666567B (en)
Inventor
顏朝鈞
許世俊
林淳皓
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW106126620A
Publication of TW201911101A
Application granted
Publication of TWI666567B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A server and a firewall rule management method are provided. The method is suitable for a server that manages access by a client device to network services according to a firewall rule. In the method, the login status under which the client device accesses the network services is obtained, where the client device accesses the network services through the server. The firewall rule is modified dynamically according to that login status: when the client device logs in, the firewall is enabled; when the client device logs out, the firewall is disabled. Firewall access security is thereby improved, the complexity of managing firewall rules is reduced, and usage efficiency is improved.

Description

Server and firewall rule management method thereof

The present invention relates to a firewall, and more particularly to a server and a firewall rule management method thereof.

A firewall is a security mechanism used to isolate two networks with different levels of security trust. Existing firewalls use packet filtering, which provides the basic function of screening packets at the network layer: defined access rules are applied to every incoming or outgoing Internet Protocol (IP) packet to decide whether the packet is allowed or blocked. However, existing mechanisms usually check only the header information of IP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets. Moreover, a typical firewall system today only allows IP packet rules to be created, and checks packets by header fields such as the source/destination IP address, the protocol (TCP, UDP, ...) and the source/destination port number (TCP, UDP). Packets that match a rule are allowed through; otherwise they are blocked. This mode of operation is simple but inflexible, and it tends to make the firewall rules overly permissive. Worse, for security reasons the firewall rules may be pinned to specific source and destination IP addresses, which is inconvenient in practical use and management.

Furthermore, one firewall device is usually shared by many different users, but there is only a single firewall rule table. As the number of users grows and the firewall rules grow with it, the complexity of managing the firewall increases. Adding, deleting and maintaining firewall rules also becomes more and more tedious; over time the firewall accumulates an enormous set of rule settings and becomes a burden for the administrators of the firewall and network equipment.

There are many existing firewall applications, for example:

Prior art 1 (Taiwan patent, title: Method and apparatus for heuristic firewall discovery, announcement number: 550921) and prior art 2 (title: Firewall for filtering communications in a dynamic computer network, publication number: 201407405) have been proposed. Both overcome shortcomings of conventional firewall security methods and can learn from the data flowing through the network in order to filter it, thereby providing additional network security.

Prior art 3 (US patent, title: FIREWALL DEVICE, publication number: US 2006/0143699 A1) also uses a client-device authentication mechanism, but it manages user firewalls through an association between a user identifier (ID) and a virtual firewall ID; based on that association, the user terminal can access back-end information services through the virtual firewall.

Prior art 4 (Taiwan patent, title: FIREWALL CONTROL SYSTEM, publication number: 200915093) provides an authentication scheme for users against back-end servers, and lets a specific authentication scheme be used when a user accesses a specific server or activity, depending on the target server.

Prior art 5 (Taiwan patent, title: CLIENT ASSISTED FIREWALL CONFIGURATION, publication number: 200640206) provides a communication mechanism between the user and the firewall and a method for changing firewall rules dynamically.

However, all of the conventional firewall management approaches above lack flexibility and efficiency, and some do not even suit practical use.

In view of this, the present invention provides a server and a firewall rule management method thereof, so that firewall rules can be changed dynamically and at the appropriate time.

The invention provides a firewall rule management method, suitable for a server that manages access by a client device to a network service according to a firewall rule. The method includes the following steps: obtain the login status of the client device with respect to the server, where the client device accesses the network service through the server; and dynamically adjust the firewall rule according to the login status of the client device.

The invention further provides a server that manages access by a client device to a network service according to a firewall rule. The server includes a storage unit, a communication module and a processing unit. The storage unit records the firewall rule and several modules. The communication module accesses the network. The processing unit is coupled to the storage unit and the communication module, and accesses and executes the modules stored in the storage unit, which include a firewall connection module and a firewall function module. The firewall connection module obtains the login status of the client device with respect to the server; the client device accesses the network service through the server. The firewall function module dynamically adjusts the firewall rule according to the login status of the client device.

In summary, the firewall rule management method dynamically adds or removes the firewall rule content associated with a client device according to that device's login status. This substantially improves the security of the firewall system, the efficiency with which firewall rules are used, and convenience for the user.

To make the above features and advantages of the invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.

FIG. 1 is a network architecture diagram of a communication system according to an embodiment of the invention. The communication system 1 includes at least, but is not limited to, a client device 100 and a server 200.

The client device 100 of this embodiment may be any device with an IP address and network connectivity, such as a desktop computer, notebook computer, personal digital assistant (PDA), smartphone or thin client. The client device 100 includes a storage unit 101, a communication module 103, a display unit 105 and a processing unit 107.

The storage unit may be any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, a similar component, or a combination of these. In this embodiment, the storage unit 101 records the programs related to the client software 101_1, such as the client connection module 101_3 and the user interface module 101_5, information about the client device 100 such as network service information, and data files of various types.

The communication module 103 may be any type of wireless network interface module supporting the WiFi standard, third-generation (3G) or fourth-generation (4G) wireless communication or any other wireless transmission function; any type of wired network interface module supporting Ethernet, optical fiber or any other wired transmission function; or a combination of these. The communication module 103 is used to access network A 11.

The display unit 105 is, for example, the screen of a liquid crystal display (LCD), light-emitting diode (LED) display, field emission display (FED) or other type of display, optionally with touch capability (capacitive, resistive, optical or similar), or is equipped with input devices such as a mouse and keyboard. The display unit 105 displays any type of user interface (UI).

The processing unit 107 is connected to the storage unit 101, the communication module 103 and the display unit 105. It may be a central processing unit (CPU) or another programmable general-purpose or special-purpose microprocessor, digital signal processor (DSP), programmable controller, application-specific integrated circuit (ASIC), similar component, or a combination of these. In this embodiment, the processing unit 107 performs all operations of the client device 100 and can access and execute the modules recorded in the storage unit 101.

Note that, for ease of description, this embodiment lists only one client device 100; in other embodiments the communication system 1 may include more client devices 100, without limitation.

The server 200 is a server device including a storage unit 201, a communication module 203 and a processing unit 207. Components of the server 200 that are the same as or similar to those of the client device 100 are as described above and are not repeated here. In addition, the storage unit 201 records the firewall connection module 201_1, the firewall function module 201_2, the database module 201_3 and the like, together with user information, client IP addresses and other identity-authentication data. The database module 201_3 stores the network service information 204, which is the set of network firewall rules in the firewall system (that is, the server 200) that belong to a specific client device 100 and are associated with that device and its user.

The server 200 can access both network A 11 and network B 12; the client device 100 is on network A 11 and must go through the server 200 to reach network B 12. Note that the communication system 1 further includes one or more service servers (not shown) on network B 12 that provide the network services 300 (for example, network services A to D may respectively be a personnel attendance system, a library management system, an official document processing system, or service access to a particular subnet).

FIG. 2 is a flowchart of the dynamic firewall rule management method according to an embodiment of the invention, assuming a TCP/IP network environment:

Step S21: The processing unit 107 of the client device 100 loads and executes the client software 101_1.

Step S22: The user interface module 101_5 is started. For example, FIG. 3 shows the main graphical user interface (GUI) 301 presented by the user interface module 101_5 through the display unit 105; the main GUI 301 includes a user authentication GUI 304 and a network service display GUI 305.

Step S23: The user enters a user account and password through the user authentication GUI 304 to carry out the identity authentication procedure. Note that the information required for identity authentication is not limited to an account and password; a certificate PIN, a quick response (QR) code, a special code or the like may also be used.

Step S24: The client connection module 101_3, through the communication module 103 and the communication module 203 of the server 200, connects to the firewall connection module 201_1 to perform the identity authentication procedure. The firewall connection module 201_1 of the server 200 then checks whether the client device 100 passes the identity authentication procedure. If the authentication result is correct (it passes, or matches the user information recorded in the storage unit 201), the firewall connection module 201_1 sets the login status of the client device 100 to logged in. If authentication fails (it does not pass, or does not match the user information recorded in the storage unit 201), the firewall connection module 201_1 returns an authentication error message through the communication module 203 and the communication module 103 to the client connection module 101_3, and sets the login status of the client device 100 to not logged in. The procedure then returns to step S23, and the client device 100 may ask the user to submit the authentication information again (for example, the user account and password).

Step S25: If the login status is logged in, the firewall connection module 201_1 retrieves from the database module 201_3 the network service information 204 belonging to the client device 100, using the user ID (that is, the identifier corresponding to the client device 100).

For example, Table (1) illustrates the contents of the network service information 204. The network service information 204 is a collection of firewall rules combined with user information; a single sub-rule (one row) contains, but is not limited to, a user ID, source, destination, source port number, destination port number, service protocol and service action. The source and destination may each be a single IP address or a network segment. The service protocol is a network protocol such as TCP, UDP or ICMP. The service action is either accept (ACCEPT) or deny (DENY). Table (1)

Step S26: The firewall function module 201_2 opens (or enables) the network service information 204 belonging to the client device 100 (the sub-rules corresponding to the firewall rule). The firewall function module 201_2 adds the address information of the client device 100 and its network service information to the firewall rule.

For example, Table (2) illustrates a firewall rule. Table (2)

When the login status of the client device 100 is logged in, the firewall function module 201_2 fills (substitutes) the address information of the client device 100 (for example, its IP address) into the user IP field of Table (1), and then writes the network service information 204 corresponding to this client device 100 into the firewall rule of the firewall function module 201_2 (Table (2)), which yields Table (3). Table (3)

Step S27: The firewall connection module 201_1 sends the (encrypted) network service information 204 belonging to the client device 100 to the client connection module 101_3 through the communication module 203 and the communication module 103.

For example, Table (4) illustrates the adjusted network service information 204 sent to the client device 100. It includes the service name and the services whose service action is accept; each entry is the content of a single service and contains the source IP, destination IP, source port number, destination port number and service protocol. Table (4)

Step S28: After the client connection module 101_3 receives the network service information 204 (and decrypts it), the user interface module 101_5 displays the network service information 204 through the display unit 105, for example on the network service display GUI 305 of FIG. 3.

Step S29: The client device 100 can then connect to and access the network services 300 behind the firewall (that is, on network B 12) according to the firewall rules in the network service information 204. In other words, if the login status is logged out or not logged in, the client device 100 cannot access the network services through the server 200 (the firewall rule does not permit the client device 100 to access them).

In addition, the client software 101_1 can provide functions corresponding to the network service information 204 for accessing the network services 300. For example, it can generate GUI hyperlinks corresponding to the content of the network services 300 for the user to click. The client software 101_1 can also launch the application appropriate to the service type (for example, a browser for services on port 80/443) and determine the URL (Uniform Resource Locator) the application should connect to from the service IP address and service port number.

The login status is not limited to the login scenario of the client device 100 described above; the logout scenario is described next. FIG. 4 is a flowchart of the dynamic firewall rule management method according to another embodiment of the invention, showing the flow in which the client device 100 requests to log out of the firewall system of the server 200:

Step S41: The client device 100 runs the client software 101_1, and the login status is logged in.

Step S42: The client software 101_1 performs a logout action and sends a logout message through the communication module 103.

Step S43: The firewall connection module 201_1 of the server 200 receives the logout message from the client device 100.

Step S44: The firewall function module 201_2 closes (or disables) the network service information 204 belonging to the client device 100 (the sub-rules corresponding to the firewall rule).

Step S45: The firewall connection module 201_1 changes the login status of the client device 100 in the database module 201_3 to logged out (or not logged in). The firewall function module 201_2 removes the sub-rules associated with the client device 100 from the firewall rule.

Step S46: The client connection module 101_3 changes the login status to logged out (or not logged in), and the user interface module 101_5 presents the changed login status on the display unit 105.
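To make the login-driven rule handling of steps S21 to S29 and the logout handling of steps S41 to S46 concrete, the following is an added Python model, not code from the patent or its assignee. Each row carries the columns the description lists for Table (1); a user's template rows are bound to the client IP and appended to the rule table on successful login (Table (3)), removed again on logout, and packets are matched first-match with default deny. The class and function names, the ALL and USER_IP sentinels, the password check and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from hmac import compare_digest
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ALL_USERS = "ALL"      # assumed sentinel: row applies to every client device (claim 6)
USER_IP = "USER_IP"    # assumed placeholder for the user IP column of Table (1)


@dataclass(frozen=True)
class SubRule:
    """One row of the rule table, with the columns the description lists for Table (1)."""
    user_id: str
    source: str              # single IP, network segment, or the USER_IP placeholder
    destination: str         # single IP or network segment
    src_port: Optional[int]  # None matches any port
    dst_port: Optional[int]  # None matches any port
    protocol: str            # TCP, UDP or ICMP
    action: str              # ACCEPT or DENY

    def bind(self, client_ip: str) -> "SubRule":
        """Fill the user IP column with the client's address (step S26, Table (3))."""
        return SubRule(self.user_id, client_ip, self.destination,
                       self.src_port, self.dst_port, self.protocol, self.action)

    def matches(self, src_ip: str, dst_ip: str, protocol: str,
                src_port: Optional[int], dst_port: Optional[int]) -> bool:
        if self.source == USER_IP:   # an unbound template row never matches traffic
            return False
        if self.protocol != protocol:
            return False
        if ip_address(src_ip) not in ip_network(self.source, strict=False):
            return False
        if ip_address(dst_ip) not in ip_network(self.destination, strict=False):
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        return self.dst_port is None or self.dst_port == dst_port


class FirewallServer:
    """Models server 200: connection module (login state) plus function module (rule table)."""

    def __init__(self, users: Dict[str, str], service_info: Dict[str, List[SubRule]],
                 base_rules: List[SubRule]):
        self._users = users                 # assumed: user ID -> password (stored user information)
        self._service_info = service_info   # database module 201_3: per-user network service info 204
        self._rules: List[SubRule] = list(base_rules)   # firewall rule table, Table (2)
        self._logged_in: Dict[str, bool] = {}

    def is_logged_in(self, user_id: str) -> bool:
        return self._logged_in.get(user_id, False)

    def login(self, user_id: str, password: str, client_ip: str) -> Optional[List[SubRule]]:
        """Steps S24 to S27: authenticate, bind the user's rows to client_ip and activate them.
        Returns the activated rows (what the client displays, Table (4)), or None on failure."""
        stored = self._users.get(user_id)
        if stored is None or not compare_digest(stored.encode(), password.encode()):
            self._logged_in[user_id] = False
            return None
        # A repeated login (for example from a new address) replaces the earlier binding
        # instead of accumulating duplicate rows for the same user.
        self._rules = [r for r in self._rules if r.user_id != user_id]
        bound = [r.bind(client_ip) for r in self._service_info.get(user_id, [])]
        self._rules.extend(bound)           # Table (2) plus the bound rows gives Table (3)
        self._logged_in[user_id] = True
        return bound

    def logout(self, user_id: str) -> None:
        """Steps S43 to S45: mark the user logged out and drop every row belonging to it."""
        self._logged_in[user_id] = False
        self._rules = [r for r in self._rules if r.user_id != user_id]

    def active_rules(self) -> List[SubRule]:
        return list(self._rules)

    def filter_packet(self, src_ip: str, dst_ip: str, protocol: str,
                      src_port: Optional[int] = None, dst_port: Optional[int] = None) -> str:
        """The first matching row decides; anything unmatched is dropped (default DENY)."""
        for rule in self._rules:
            if rule.matches(src_ip, dst_ip, protocol, src_port, dst_port):
                return rule.action
        return "DENY"


def build_demo_server() -> FirewallServer:
    """Constructed sample data: network A is 10.1.0.0/24, service servers sit on 10.2.0.0/24."""
    base_rules = [
        # Shared row (user ID = ALL): every client on network A may query the resolver.
        SubRule(ALL_USERS, "10.1.0.0/24", "10.2.0.53", None, 53, "UDP", "ACCEPT"),
    ]
    service_info = {
        "alice": [
            SubRule("alice", USER_IP, "10.2.0.10", None, 443, "TCP", "ACCEPT"),  # service A
            SubRule("alice", USER_IP, "10.2.0.20", None, 80, "TCP", "ACCEPT"),   # service B
        ],
    }
    return FirewallServer({"alice": "demo-password"}, service_info, base_rules)
```

In a deployment the rows added and removed here would be pushed to the actual packet filter; the model keeps them in memory so the login and logout transitions can be checked directly.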

The above is only a preferred embodiment of the invention and is not intended to limit its scope; all equivalent changes and modifications made within the scope of the claims of the invention fall within the scope of the patent.

Features and effects

Compared with other conventional technologies, the invention has the following advantages:

1. The invention improves on existing fixed firewall rules by opening a user's firewall rules only after the user has authenticated and logged in. When the user is logged out, the user's firewall rules are closed, which greatly improves the security of the firewalled network.

2. The invention provides usage management and scheduling of the firewall service, achieving flexible scheduling of firewall rules and better network service quality.

3. The invention provides a display of the user's list of firewall services, so the user can clearly see which services they are authorised to use, giving control over user services.

The detailed description above sets out one feasible embodiment of the invention; that embodiment does not limit the patent scope of the invention, and all equivalent implementations or changes that do not depart from the spirit of the invention are included in the patent scope of this case.

1: communication system
11: network A
12: network B
100: client device
101: storage unit
101_1: client software
101_3: client connection module
101_5: user interface module
103, 203: communication module
105: display unit
107, 207: processing unit
200: firewall server
201_1: firewall connection module
201_2: firewall function module
201_3: database module
204: network service information
300: network services
S21~S29: steps
301: main graphical user interface
304: user authentication graphical user interface
305: network service display graphical user interface
S41~S46: steps

FIG. 1 is a network architecture diagram of a communication system according to an embodiment of the invention.
FIG. 2 is a flowchart of a firewall rule management method according to an embodiment of the invention.
FIG. 3 illustrates an example of the main graphical user interface.
FIG. 4 is a flowchart of a firewall rule management method according to another embodiment of the invention.

Claims (10)

1. A firewall rule management method, suitable for a server that manages access by at least one client device to at least one network service according to a firewall rule, the method comprising: obtaining a login status of the at least one client device with respect to the server, wherein the at least one client device accesses the at least one network service through the server; and dynamically adjusting the firewall rule according to the login status of the at least one client device.

2. The firewall rule management method of claim 1, wherein dynamically adjusting the firewall rule according to the login status of the at least one client device comprises: if the login status is logged in, obtaining network service information corresponding to the at least one client device; and setting the firewall rule according to the network service information.

3. The firewall rule management method of claim 1, wherein obtaining the login status of the at least one client device with respect to the server comprises: determining whether the at least one client device passes an identity authentication procedure; if the at least one client device passes the identity authentication procedure, the login status is logged in; and if the at least one client device does not pass the identity authentication procedure, the login status is not logged in.

4. The firewall rule management method of claim 2, wherein setting the firewall rule according to the network service information comprises: adding the address information of the at least one client device and the network service information to the firewall rule, and enabling the firewall rule belonging to the at least one client device.

5. The firewall rule management method of claim 2, wherein dynamically adjusting the firewall rule according to the login status of the at least one client device comprises: if the login status is logged out, removing the sub-rules associated with the at least one client device from the firewall rule, and disabling the firewall rule belonging to the at least one client device.

6. The firewall rule management method of claim 1, wherein the firewall rule comprises at least one sub-rule, and each sub-rule comprises a user identifier field whose content indicates that the sub-rule is specific to one of the client devices; if the content of the user identifier field corresponds to all client devices, the sub-rule applies to all client devices.

7. The firewall rule management method of claim 2, further comprising, after obtaining the network service information corresponding to the at least one client device: transmitting the network service information; and the client device providing functions corresponding to the network service information for accessing the at least one network service.

8. The firewall rule management method of claim 1, further comprising, after dynamically adjusting the firewall rule according to the login status of the at least one client device: if the login status is logged in, the at least one client device can access the network service corresponding to the firewall through the server; and if the login status is not logged in, the at least one client device cannot access the at least one network service through the server.

9. A server that manages access by at least one client device to at least one network service according to a firewall rule, the server comprising: a storage unit that records the firewall rule and a plurality of modules; a communication module that accesses a network; and a processing unit coupled to the storage unit and the communication module, which accesses and executes the modules stored in the storage unit, the modules comprising: a firewall connection module that obtains the login status of the at least one client device with respect to the server, wherein the at least one client device accesses the at least one network service through the server; and a firewall function module that dynamically adjusts the firewall rule according to the login status of the at least one client device.

10. The server of claim 9, wherein if the login status is logged in, the at least one client device can access the corresponding network service through the server; and if the login status is not logged in, the at least one client device cannot access the at least one network service through the server.
TW106126620A 2017-08-07 2017-08-07 Server and firewall rule management therefof TWI666567B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106126620A TWI666567B (en) 2017-08-07 2017-08-07 Server and firewall rule management therefof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106126620A TWI666567B (en) 2017-08-07 2017-08-07 Server and firewall rule management therefof

Publications (2)

Publication Number Publication Date
TW201911101A true TW201911101A (en) 2019-03-16
TWI666567B TWI666567B (en) 2019-07-21

Family

ID=66590471

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106126620A TWI666567B (en) 2017-08-07 2017-08-07 Server and firewall rule management therefof

Country Status (1)

Country Link
TW (1) TWI666567B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7356841B2 (en) * 2000-05-12 2008-04-08 Solutioninc Limited Server and method for providing specific network services
US7343626B1 (en) * 2002-11-12 2008-03-11 Microsoft Corporation Automated detection of cross site scripting vulnerabilities
CN104104652B (en) * 2013-04-03 2017-08-18 阿里巴巴集团控股有限公司 A kind of man-machine recognition methods, network service cut-in method and corresponding equipment
TW201728124A (en) * 2014-09-16 2017-08-01 科勞簡尼克斯股份有限公司 Flexibly defined communication network controller based control, operations and management of networks

Also Published As

Publication number Publication date
TWI666567B (en) 2019-07-21
