TWI254533B - A method of data communication control applying package-oriented filtering mechanism - Google Patents
- Publication number
- TWI254533B
- Authority
- TW
- Taiwan
- Prior art keywords
- rule
- data
- packet
- communication
- filtering mechanism
- Prior art date
- 2004-08-10
Description
Technical Field

The present invention is a method of controlling data communication by means of a packet-oriented filtering mechanism: a control method adopted to prevent leaks by stopping employees inside an enterprise from uploading and downloading data over network communications.

Prior Art

The most obvious benefit of network services to an enterprise is that they save cost and raise productivity, because the company no longer has to worry about how its systems communicate with one another. The simpler the communication procedure, the higher the productivity, and once productivity rises, cost naturally falls. But because network systems are more convenient than before, and computers keep getting faster, more powerful and easier to use, the frequency of illegal intrusion rises as well. In guarding against intrusion from outside the enterprise, the harm that its own employees can cause is overlooked.

According to the ICSA Security Report, only 15% of incidents originate from external intrusion, while 60 to 80% of leaks originate inside the enterprise. According to statistics provided by the CSI/FBI survey, among the many attacks and incidents the most significant and most frequent security events are information leaks, and the attackers are mainly inside the enterprise rather than outside hackers. A malicious employee can easily take data out through an external storage device or over the network; this is hard to control beforehand and hard to detect afterwards, so an enterprise cannot afford to neglect internal information security. The largest economic losses caused by security incidents are, above all, those caused by the intentional or unintentional information leaks of insiders.
On the other hand, the programs and software used on every personal computer rely on the network system, so all data accessed comes from the server side of the enterprise's local area network (LAN). Ordinary online activity includes sending and receiving mail (for example with a mail client such as Outlook Express), browsing web pages (for example with a web browser such as Internet Explorer) and uploading and downloading files (for example with a data transfer application such as CuteFTP). Of these, web browsing is the most widely used: besides browsing pages, a browser can also be used to send and receive mail (by logging in to a portal such as Yahoo or Hotmail) and to upload and download files. Recently popular applications such as MSN Messenger and Yahoo Messenger further allow chatting, sending messages, transferring files, video conversations and so on.

These network application functions bring the enterprise great convenience, but at the same time they constitute a serious crisis for enterprise information security. Employees can browse sites unrelated to their work, chat, and, worse, easily send the company's important documents outside the enterprise. In addition, because software is protected by copyright and not every department in an enterprise needs the same software, the employer purchases licences according to need in order to avoid infringement; yet employees sometimes install unauthorised software on their own for convenience, which damages the enterprise's image and reputation.

Considering the nature of each department's work, transferring data over the network is normal working behaviour for staff in the marketing, sales, research and development and technical departments, whereas for staff in the accounting, warehousing and administration departments it is not part of their normal work.
Therefore, so that employees engage in productive behaviour during normal working hours, a function is needed that sets usage rights according to department and nature of work; avoiding the situations above, and overcoming problems of this kind, is a practical direction of thought.

Summary of the Invention

In view of this, the present invention proposes a method of controlling data communication by a packet-oriented filtering mechanism. Its main purpose is to solve a problem of the prior art: the measures adopted to prevent leaks, that is, to stop employees inside an enterprise from easily uploading and downloading data over network communications, overload the server side and incur high management cost.

The second purpose of the invention is to prevent employees from using the convenience of the network, or other programs and software, for network communication unrelated to their own duties. The network data communication control mechanism proposed here controls the communication ports through which the local area network (LAN) reaches the external network, as well as specific domain names (uniform resource locators, URLs) or the corresponding IP addresses. When an employee at work engages in a controlled network communication behaviour, it is recorded and its use is prohibited, so that enterprise managers can query and manage it.

The third purpose of the invention is to set data packet transmission rules according to the transmission protocol of the packets, with a control mode for packets sent over the hypertext transfer protocol (HTTP) and a control mode for packets sent over the Secure Socket Layer (SSL) network security protocol,
limiting the manner in which data packets are transmitted or the volume transmitted. At the same time, every network communication in which an employee transmits data packets at work can be recorded and archived, so that enterprise managers can query and manage it.

The invention further proposes the concept of a usage permission rule: network data communication can be permitted to each user, and even to outside visitors, during specific time periods, and usage permission rules can be established for the department, group and domain to which each user belongs. This increases management flexibility, lets each department and specific employees use network data communication precisely as intended, and makes the network usage of employees inside the enterprise easier to manage.

The method disclosed by the invention comprises at least the following steps:
1. setting a communication port rule and a URL browsing rule on a server side;
2. setting a data packet transmission rule;
3. storing a data communication control rule in the server-side database;
4. the server side accepting the login of at least one client for network communication; and
5. the server side controlling network communication through the gateway.

The details and techniques of the invention are described below with reference to the drawings.

Embodiments

The invention is a method of controlling data communication by a packet-oriented filtering mechanism. Before the method is introduced, its basic system architecture is described.
Please refer to Figure 1, the system architecture diagram of the method of controlling data communication by a packet-oriented filtering mechanism according to the invention, which is explained as follows.

The system consists of a server side 100 located at the gateway and at least one client 200. The client 200 and the server side 100 are connected through the enterprise's local area network (LAN), and the LAN is configured so that the client 200 must reach the external network and transfer data through the gateway controlled by the server side 100. The server side 100 establishes control rules for each client 200 and stores them in the server-side database 110, thereby controlling the client's rights to communicate over the network through the gateway from any information processing device that can connect to the network, and restricting the websites an individual employee can browse and the files he can upload or download. The network-capable information processing device may be any of a desktop computer, a notebook (NB), a personal digital assistant (PDA), a mobile phone, or a combination of these.

The server side 100 also records in the server-side database 110 the state of the client's data transfers through the gateway, for enterprise managers to query, and thereby prevents employees from leaking confidential enterprise data over the network, whether through a browser or through a data transfer application.

With the system architecture above, the use of information processing devices inside the enterprise can be managed. The flow of the method is now described in more detail with reference to Figure 2, the flowchart of the steps for establishing the method of controlling data communication by a packet-oriented filtering mechanism, which is explained as follows.
First, a data communication control rule is established. The steps are: on a server side 100, set a communication port rule and a URL browsing rule (step 300); then, according to the transmission protocol of the data packets, set a data packet transmission rule (step 310), which comprises setting a control mode for data packets sent over the hypertext transfer protocol (HTTP) (step 320) and a control mode for data packets sent over the Secure Socket Layer (SSL) network security protocol (step 330).

The control mode set in step 320 is any one of: prohibiting the URL connection (step 321); allowing downloads only (step 322); allowing downloads and restricting the volume of uploaded data to less than a specific capacity (step 323); and allowing any data transfer (step 324).

The control mode set in step 330 is any one of: prohibiting the URL connection (step 331); allowing downloads only (step 332); allowing only login data smaller than a specific capacity to be sent (step 333); and allowing any data transfer (step 334). The specific capacity referred to in steps 323 and 333 is set by the server side 100.

Once the data communication control rule has been established, it is stored in the server-side database 110 (step 340). Then, when a client 200 wants to communicate over the network from a network-capable information processing device, the server side 100 must accept the login of at least one such client for network communication (step 350), and the server side 100 then controls the network communication through the gateway (step 360).

The communication port rule of step 300 applies to any application that transmits data packets through a communication port (PORT): the server side 100 limits the port through which the application may transmit its data packets. The URL browsing rule is a restriction that the server side 100 sets on a specific domain name (URL) or the corresponding IP address, in a manner the server side defines itself.
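The rules of steps 300 to 360, as an added example in Python that is not code from the patent: a gateway-side check that applies the port rule, the URL/IP rule and the protocol rule to one transfer, in that order, and produces the record a manager would later query. The policy values, application names, hostnames and byte counts are constructed for the example. The hostname of an SSL connection is assumed to come from the CONNECT target or the TLS server name indication, and the "login data smaller than a specific capacity" mode of step 333 is implemented as a cap on the encrypted client payload, because a gateway that does not terminate TLS can count those bytes but cannot tell login data from a file upload.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Mode(Enum):
    """Control modes of steps 321-324 (HTTP) and 331-334 (SSL)."""
    DENY = "deny_url"            # prohibit the URL connection
    DOWNLOAD_ONLY = "download"   # downloads allowed, no uploads
    CAPPED_UPLOAD = "capped"     # downloads, plus uploads below a cap
    ALLOW_ALL = "allow_all"      # any data transfer


@dataclass(frozen=True)
class Policy:
    app_ports: dict           # port rule: application -> ports it may use
    blocked_hosts: frozenset  # URL rule: forbidden domain names
    blocked_nets: tuple       # URL rule: forbidden IP ranges
    http_mode: Mode           # step 320
    ssl_mode: Mode            # step 330
    upload_cap: int           # the "specific capacity", in bytes, set by the server


@dataclass(frozen=True)
class Transfer:
    user: str
    app: str
    port: int
    host: str       # Host header, CONNECT target or TLS SNI (assumed available)
    dest_ip: str
    tls: bool
    upload: bool    # True for client -> server payload, False for a download
    size: int       # payload bytes in that direction


def host_blocked(policy, host, dest_ip):
    """URL rule: match the domain or any parent domain, then the IP ranges."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in policy.blocked_hosts:
            return True
    addr = ip_address(dest_ip)
    return any(addr in net for net in policy.blocked_nets)


def decide(policy, t):
    """Return (allowed, reason): port rule, then URL rule, then protocol rule."""
    ports = policy.app_ports.get(t.app)
    if ports is None or t.port not in ports:
        return False, "port rule: %s may not use port %d" % (t.app, t.port)
    if host_blocked(policy, t.host, t.dest_ip):
        return False, "url rule: %s (%s) is blocked" % (t.host, t.dest_ip)
    mode = policy.ssl_mode if t.tls else policy.http_mode
    if mode is Mode.DENY:
        return False, "protocol rule: %s connections denied" % ("ssl" if t.tls else "http")
    if not t.upload or mode is Mode.ALLOW_ALL:
        return True, "protocol rule: %s" % mode.value
    if mode is Mode.DOWNLOAD_ONLY:
        return False, "protocol rule: uploads not allowed"
    # CAPPED_UPLOAD: over SSL the gateway can only count the encrypted bytes.
    if t.size < policy.upload_cap:
        return True, "protocol rule: upload %d < cap %d" % (t.size, policy.upload_cap)
    return False, "protocol rule: upload %d >= cap %d" % (t.size, policy.upload_cap)


def log_record(t, allowed, reason):
    """Transfer state kept in the database for the manager to query."""
    return {"user": t.user, "app": t.app, "host": t.host, "port": t.port,
            "tls": t.tls, "direction": "upload" if t.upload else "download",
            "bytes": t.size, "allowed": allowed, "reason": reason}


# Constructed sample policy and transfers; not taken from the patent.
POLICY = Policy(
    app_ports={"browser": frozenset({80, 443}), "ftp": frozenset({21})},
    blocked_hosts=frozenset({"example-webmail.test"}),
    blocked_nets=(ip_network("203.0.113.0/24"),),
    http_mode=Mode.CAPPED_UPLOAD,
    ssl_mode=Mode.CAPPED_UPLOAD,
    upload_cap=4096,
)

SAMPLES = [
    Transfer("alice", "browser", 80, "www.example.test", "192.0.2.10", False, False, 500000),
    Transfer("alice", "browser", 80, "www.example.test", "192.0.2.10", False, True, 200000),
    Transfer("bob", "browser", 443, "login.example.test", "192.0.2.20", True, True, 900),
    Transfer("bob", "browser", 443, "mail.example-webmail.test", "192.0.2.30", True, True, 900),
    Transfer("carol", "ftp", 21, "ftp.example.test", "203.0.113.5", False, True, 100),
    Transfer("dave", "messenger", 1863, "im.example.test", "192.0.2.40", False, True, 100),
]


def audit(policy=POLICY, transfers=SAMPLES):
    """Evaluate each transfer and return the log records in order."""
    records = []
    for t in transfers:
        allowed, reason = decide(policy, t)
        records.append(log_record(t, allowed, reason))
    return records


if __name__ == "__main__":
    for r in audit():
        print("%-5s %-8s %-26s %s" % (r["user"], r["direction"], r["host"], r["reason"]))
```

In the sample run the 500 KB download passes, the 200 KB HTTP upload exceeds the cap, the 900-byte SSL upload (a login form, as far as the gateway can tell) passes, the webmail host and the blocked IP range are refused by the URL rule, and the messenger client fails the port rule before any other check runs.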
By implementing the method of controlling data communication by a packet-oriented filtering mechanism, the network transfer behaviour of employees inside an enterprise organisation can be controlled, preventing them from leaking confidential enterprise data over the network, whether through a browser or a data transfer application. A packet-oriented filtering mechanism for network communication inside the enterprise is therefore further proposed; a specific embodiment and the manner of implementing it are described below with reference to Figures 3A, 3B and 3C, the flowcharts of the steps for establishing a packet-oriented filtering mechanism for enterprise network communication.

First, referring to Figure 3A, a server side 100 establishes a usage permission rule for each client 200 and stores it in the server-side database 110 (step 400). Then, when a client 200 wants to communicate over the network from an information processing device, it must log in to the server side 100; the server side 100 accepts the login of at least one client 200 (step 410) to confirm the client's identity and the usage permission rule that applies to it. Next, the client 200 communicates over the network through the gateway controlled by the server side 100 (step 420); the server side 100, according to the usage permission rule that applies to the client 200, limits the client's network connection rights and controls the transmission of its data packets (step 430).
Finally, the client's data transfer state is recorded (step 440) so that it can be queried.

The detailed procedure for establishing the usage permission rule is step A. Referring to Figure 3B, the flowchart of the steps by which a server side establishes a usage permission rule for each client, the details are as follows.

The usage permission rule established in step 400 comprises, at the same time: establishing a shared rule for the client 200 (step 401) and setting its execution period and priority (step 4011); establishing a group rule for the client 200 (step 402) and setting its execution period and priority (step 4021); establishing a temporary rule for the client 200 (step 403) and setting its execution period and priority (step 4031); and establishing a data communication control rule (step B). Once the shared rule, the group rule and the temporary rule have been established for the client 200 with the execution period and priority of each rule set, and the data communication control rule has been established, the server side merges the established rules into the usage permission rule (step 408), after which the flow proceeds to step 410.

The shared rule is a control rule for all clients 200 and can be implemented as at least a working-hours rule, an off-hours rule and a visitor rule. The group rule is the control rule that applies when users of a given department, group or domain of the enterprise log in to the server side 100. The temporary rule is a control rule that must be applied to a specific client 200 for a certain length of time; the temporary rule and the length of that time are set by the server side 100.
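The shared, group and temporary rules of steps 401 to 408, with their execution periods and priorities, as an added example in Python that is not code from the patent: it resolves which rule governs a logged-in client at a given time. The rule names, departments, time windows, control modes and the expiry of the temporary rule are constructed. The patent states that each rule carries a priority but not how ties are broken; the example assumes a higher priority wins and that, on equal priority, a temporary rule beats a group rule, which beats a shared rule.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                         # "shared", "group" or "temporary" (steps 401-403)
    priority: int                     # higher wins (steps 4011, 4021, 4031)
    start: time                       # daily execution period [start, end);
    end: time                         # start == end means the whole day
    mode: str                         # control mode the rule selects, e.g. "download_only"
    groups: frozenset = frozenset()   # departments/domains covered (empty = everyone)
    users: frozenset = frozenset()    # temporary rule: the specific clients
    valid_until: datetime = None      # temporary rule: expiry set by the server


def in_period(rule, when):
    """Daily window check; a window such as 18:00-08:00 wraps past midnight."""
    if rule.start == rule.end:
        return True
    t = when.time()
    if rule.start < rule.end:
        return rule.start <= t < rule.end
    return t >= rule.start or t < rule.end


def applies(rule, user, groups, when):
    """Does this rule cover the client identified at login (step 410)?"""
    if not in_period(rule, when):
        return False
    if rule.groups and not (rule.groups & groups):
        return False
    if rule.kind == "temporary":
        if user not in rule.users:
            return False
        return rule.valid_until is None or when < rule.valid_until
    return rule.kind in ("shared", "group")


def effective_rule(rules, user, groups, when):
    """Step 408: merge the client's rules into one usage permission rule by
    taking the applicable rule with the highest priority; the more specific
    kind breaks ties (an assumed ordering, not stated in the patent)."""
    rank = {"shared": 0, "group": 1, "temporary": 2}
    candidates = [r for r in rules if applies(r, user, groups, when)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.priority, rank[r.kind]))


ALL_DAY = (time(0, 0), time(0, 0))

# Constructed rule set; names, times, priorities and modes are illustrative only.
RULES = (
    Rule("work_hours", "shared", 10, time(8, 0), time(18, 0), "capped_upload"),
    Rule("off_hours", "shared", 10, time(18, 0), time(8, 0), "deny"),
    Rule("visitor", "shared", 20, *ALL_DAY, "deny", groups=frozenset({"visitor"})),
    Rule("rd_dept", "group", 30, time(8, 0), time(18, 0), "allow_all",
         groups=frozenset({"rd"})),
    Rule("accounting", "group", 30, time(8, 0), time(18, 0), "download_only",
         groups=frozenset({"accounting"})),
    Rule("bob_audit", "temporary", 100, *ALL_DAY, "allow_all",
         users=frozenset({"bob"}), valid_until=datetime(2004, 8, 11, 17, 0)),
)

# Clients as the server knows them after login: user -> departments/domains.
CLIENTS = {
    "alice": frozenset({"rd"}),
    "bob": frozenset({"accounting"}),
    "guest": frozenset({"visitor"}),
}


def resolve(user, when_iso, rules=RULES, clients=CLIENTS):
    """Name and mode of the rule governing `user` at the ISO-8601 time given."""
    when = datetime.fromisoformat(when_iso)
    rule = effective_rule(rules, user, clients.get(user, frozenset()), when)
    return (rule.name, rule.mode) if rule else None


if __name__ == "__main__":
    for user, when in [("alice", "2004-08-10T10:00"), ("alice", "2004-08-10T20:00"),
                       ("bob", "2004-08-10T10:00"), ("bob", "2004-08-12T10:00"),
                       ("guest", "2004-08-10T10:00")]:
        print(user, when, resolve(user, when))
```

With these rules an R&D user gets the department rule during working hours and the off-hours rule at night, the accounting user is covered by the temporary rule until it expires and then falls back to the accounting group rule, and a visitor is caught by the visitor rule at any hour because its priority exceeds that of the two time-of-day shared rules.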
The detailed procedure for establishing a data communication control rule is step B. Referring to Figure 3C, the flowchart of the steps by which a server side establishes a data communication control rule for each client, the details are as follows.

First, set a communication port rule and a URL browsing rule (step 404). Then, according to the transmission protocol of the data packets, set a data packet transmission rule (step 405), comprising a control mode for data packets sent over the hypertext transfer protocol (HTTP) (step 406) and a control mode for data packets sent over the Secure Socket Layer (SSL) network security protocol (step 407). The control mode set in step 406 is any one of: prohibiting the URL connection (step 4061); allowing downloads only (step 4062); allowing downloads and restricting the volume of uploaded data to less than a specific capacity (step 4063); and allowing any data transfer (step 4064). The control mode set in step 407 is any one of: prohibiting the URL connection (step 4071); allowing downloads only (step 4072); allowing only login data smaller than a specific capacity to be sent (step 4073); and allowing any data transfer (step 4074). The specific capacity referred to in steps 4063 and 4073 is set by the server side 100. Once step B has established the data communication control rule, the flow proceeds to step 408 and continues.

Although the invention has been disclosed above by the preferred embodiments, they are not intended to limit it; anyone skilled in the art, without departing from the
Brief Description of the Drawings

Figure 1 is the system architecture diagram of the method of controlling data communication by a packet-oriented filtering mechanism according to the invention;
Figure 2 is the flowchart of the steps for establishing the method of controlling data communication by a packet-oriented filtering mechanism according to the invention; and
Figures 3A, 3B and 3C are the flowcharts of the steps for establishing a packet-oriented filtering mechanism for enterprise network communication.

Reference Numerals

100 server side
110 server-side database
150 network backbone
200 client
Step 300 set a communication port rule and a URL browsing rule on a server side
Step 310 set a data packet transmission rule
Step 320 control mode for data packets sent over the hypertext transfer protocol
Step 321 prohibit the URL connection
Step 322 allow downloads only
Step 323 allow downloads and restrict the volume of uploaded data to less than a specific capacity
Step 324 allow any data transfer
Step 330 control mode for data packets sent over the SSL network security protocol
Step 331 prohibit the URL connection
Step 332 allow downloads only
Step 333 allow only login data smaller than a specific capacity to be sent
Step 334 allow any data transfer
Step 340 store the data communication control rule in the server-side database
Step 350 the server side accepts the login of at least one client for network communication
Step 360 the server side controls network communication through the gateway
Step 400 a server side establishes a usage permission rule for each client and stores it in the server-side database
Step 401 establish a shared rule for the client
Step 4011 set the execution period and priority of the shared rule
Step 402 establish a group rule for the client
Step 4021 set the execution period and priority of the group rule
Step 403 establish a temporary rule for the client
Step 4031 set the execution period and priority of the temporary rule
Step 404 set a communication port rule and a URL browsing rule
Step 405 set a data packet transmission rule
Step 406 control mode for data packets sent over the hypertext transfer protocol
Step 4061 prohibit the URL connection
Step 4062 allow downloads only
Step 4063 allow downloads and restrict the volume of uploaded data to less than a specific capacity
Step 4064 allow any data transfer
Step 407 control mode for data packets sent over the SSL network security protocol
Step 4071 prohibit the URL connection
Step 4072 allow downloads only
Step 4073 allow only login data smaller than a specific capacity to be sent
Step 4074 allow any data transfer
Step 408 the server side merges the established rules into the usage permission rule
Step 410 the server side accepts the login of at least one client
Step 420 the client communicates over the network through the gateway controlled by the server side
Step 430 the server side limits the client's network connection rights and controls packet transmission according to the client's usage permission rule
Step 440 record the client's data transfer state
Step A establish a usage permission rule
Step B establish a data communication control rule
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW93123900A TWI254533B (en) | 2004-08-10 | 2004-08-10 | A method of data communication control applying package-oriented filtering mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW93123900A TWI254533B (en) | 2004-08-10 | 2004-08-10 | A method of data communication control applying package-oriented filtering mechanism |
Publications (2)
Publication Number | Publication Date |
---|---|
TW200607281A TW200607281A (en) | 2006-02-16 |
TWI254533B true TWI254533B (en) | 2006-05-01 |
Family
ID=37587354
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW93123900A TWI254533B (en) | 2004-08-10 | 2004-08-10 | A method of data communication control applying package-oriented filtering mechanism |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI254533B (en) |
- 2004-08-10 TW TW93123900A patent/TWI254533B/en active
Also Published As
Publication number | Publication date |
---|---|
TW200607281A (en) | 2006-02-16 |