TWI254533B - A method of data communication control applying package-oriented filtering mechanism - Google Patents

A method of data communication control applying package-oriented filtering mechanism

Info

Publication number: TWI254533B
Authority: TW (Taiwan)
Application number: TW93123900A
Other languages: Chinese (zh)
Other versions: TW200607281A
Inventor: Chun-Hung Liou
Original assignee: Fineart Technology Co Ltd
Prior art keywords: rule, data, packet, communication, filtering mechanism

Events
Application filed by Fineart Technology Co Ltd
Priority to TW93123900A
Publication of TW200607281A
Application granted
Publication of TWI254533B

Abstract

This invention is a method of data communication control that applies a packet-oriented filtering mechanism: a gateway control mechanism, keyed to the transmission protocol of each data packet, is established on a server and used to control data communication. Enforcing the method controls employees' data communication over the network and prevents confidential information from being leaked through network communication, for example from web browsers or file transfer programs.

Description

V. Description of the invention

【Technical field】
The invention is a method of controlling data communication using a packet-oriented filtering mechanism. It is a control measure adopted to prevent leakage of confidential information by employees inside an enterprise who upload and download data through network communication.

【Prior art】
The most obvious benefit of network services for an enterprise is cost saving and higher productivity, because the company no longer has to worry about how its systems communicate with one another. The simpler the communication procedure, the higher the productivity, and once productivity rises, costs naturally fall. However, because network systems are more convenient than before and computers are ever more powerful and easier to use, the frequency of illegal intrusion has also risen. In guarding against intrusion from outside the enterprise, companies tend to overlook the harm that their own employees can cause.

According to the ICSA Security Report, only 15% of incidents come from external intrusion, whereas 60 to 80% of information leaks originate inside the enterprise. The statistics published by CSI/FBI likewise show that, among the many attacks and incidents, the most important and most numerous security events come from inside the enterprise rather than from outside attackers such as hackers. A malicious insider can easily take data out through an external storage device or a network transfer; this is hard to notice beforehand and hard to control afterwards. Internal information security is therefore a problem an enterprise cannot ignore, and the greatest economic loss caused by security incidents comes from intentional or unintentional information leakage by internal staff.

On the other hand, all programs and software on personal computers use the network, so all data accessed comes from a server on the enterprise's local area network (LAN). Typical online activities include sending and receiving mail (for example with Outlook Express or other mail software), browsing web pages (for example with Internet Explorer or other web browsers), and uploading and downloading files (for example with CuteFTP or other file transfer applications). Web browsing is the most widely used of these: besides browsing pages, a browser can also be used to send and receive mail (by logging in to portals such as Yahoo or Hotmail) and to upload and download files. Further, recently popular instant messaging applications such as MSN Messenger and Yahoo Messenger allow chatting, sending short messages, transferring files, video conversations and so on. These network applications bring great convenience to the enterprise, but at the same time they constitute a serious crisis for enterprise information security: employees can browse websites unrelated to their work, chat, and easily send important company documents outside the enterprise.

In addition, software is subject to copyright and licensing. Not every department needs the same software, so to avoid infringement the employer purchases software according to need; employees, however, sometimes install unauthorized software for their own convenience, which can damage the image and reputation of the enterprise. Likewise, considering the nature of each department's work, transmitting data over the network is normal work behaviour for employees in the marketing, sales, research and development, and technical departments, whereas for employees in the accounting, warehousing, and administration departments it is not part of their normal work. Therefore, to ensure that employees behave productively during normal working hours, the ability to set usage permissions according to department and nature of work, and a way to avoid the situations described above and overcome such problems, is a practical direction to consider.

【Summary of the invention】
In view of this, the invention proposes a method of controlling data communication using a packet-oriented filtering mechanism. Its main purpose is to solve the problems of the prior art, where the measures taken to stop employees from easily uploading and downloading data through network communication, and so to prevent leakage, cause excessive load on the server and high management cost.

The second purpose of the invention is to prevent employees from using the convenience of the network, or other programs and software, for network communication unrelated to their own duties. The network data communication control mechanism proposed here acts on the communication ports through which the local area network (LAN) connects to the external network and on specific domain names (Uniform Resource Locators, URLs) or their corresponding IP addresses. When an employee at work engages in a controlled network communication behaviour, it is recorded and its use is prohibited, so that enterprise managers can conveniently query and manage it.

The third purpose of the invention is to provide data packet transmission rules set according to the transmission protocol of the data packets: for packets sent with the Hypertext Transfer Protocol (HTTP) and for packets sent under the Secure Sockets Layer (SSL) network security protocol, a control mode is defined that limits the way the packets are transmitted or the volume transmitted, and any network communication an employee performs at work can be recorded and archived for managers to query and manage.

The invention further introduces the concept of a usage permission: rules can be established for every user, even for an external visitor, for specific time periods, and for the department, group, and domain to which each user belongs, which increases management flexibility. In this way the enterprise can accurately and easily manage the state in which the employees of each department use network data communication.

The method disclosed by the invention comprises at least the following steps:
1. set a communication port rule and a URL browsing rule on a server;
2. set a data packet transmission rule;
3. store a data communication control rule in the server-side database;
4. the server accepts the login of at least one client for network communication; and
5. the server controls network communication through the gateway.

The details and techniques of the invention are explained below with reference to the drawings.

【Embodiments】
The invention is a method of controlling data communication using a packet-oriented filtering mechanism. Before introducing the method, its basic system architecture is described first.

System architecture. Refer to Fig. 1, the system architecture diagram of the method of the invention for controlling data communication using a packet-oriented filtering mechanism. The system consists of a server 100 placed at the gateway and at least one client 200. The client 200 and the server 100 are connected through the enterprise's local area network (LAN), and the LAN is configured so that the client 200 can reach the external network and transfer data only through the gateway controlled by the server 100. The server 100 establishes control rules for each client 200 and stores them in the server-side database 110; these rules govern the network communication that the client 200 performs through the gateway using a network-capable information processing device, restricting the websites individual employees can browse and the files they can upload and download. The information processing device may be any of a desktop computer, a notebook (NB), a personal digital assistant (PDA), a mobile phone, or a handheld information device.

The server 100 also records the data transfers that the client 200 makes through the gateway for managers to query, so as to prevent employees from leaking confidential enterprise data over the network, for example through a browser or a file transfer application.

With the system architecture above in place, the use of information processing devices inside the enterprise can be managed. The method of the invention is now described in more detail. Refer to Fig. 2, the flowchart of the steps for establishing the method:

First, a data communication control rule is established. On a server 100, a communication port rule and a URL browsing rule are set (step 300). Then a data packet transmission rule is set according to the transmission protocol of the data packets (step 310); this comprises setting a control mode for data packets sent with the Hypertext Transfer Protocol (HTTP) (step 320) and a control mode for data packets sent under the Secure Sockets Layer (SSL) network security protocol (step 330).

The control mode set in step 320 is any one of: blocking the URL connection (step 321); allowing downloads only (step 322); allowing downloads and limiting the volume of uploaded data to less than a specific capacity (step 323); or allowing any data transfer (step 324).

The control mode set in step 330 is any one of: blocking the URL connection (step 331); allowing downloads only (step 332); allowing only login data smaller than a specific capacity to be sent (step 333); or allowing any data transfer (step 334). The specific capacity referred to in steps 323 and 333 is set by the server 100.

Once the data communication control rule has been established, it is stored in the server-side database 110 (step 340). Thereafter, when a client 200 wants to communicate over the network using a network-capable information processing device, the server 100 must accept the login of at least one client for network communication (step 350); the server 100 then controls the network communication through the gateway (step 360).


The communication port rule set in step 300 applies to any application that transmits data packets through a communication port (PORT): the server 100 limits the communication port through which such an application may transmit data packets. The URL browsing rule is a restriction set by the server 100 for a specific domain name (URL) or its corresponding IP address; the form of the restriction is defined by the server itself.

By implementing the method of the invention, the network transfer behaviour of employees inside an enterprise can be controlled so as to prevent them from leaking confidential enterprise data over the network, for example through a browser or a file transfer application. The invention therefore further proposes a packet-oriented filtering mechanism for intra-enterprise network communication. A concrete embodiment and its implementation are described below; refer to Figs. 3A, 3B and 3C, the flowcharts of the steps for establishing the packet-oriented filtering mechanism for intra-enterprise network communication.

First, refer to Fig. 3A. A server 100 establishes a usage permission rule for each client 200 and stores it in the server-side database 110 (step 400). Then, when a client 200 wants to communicate over the network with an information processing device, it must log in to the server 100, and the server 100 accepts the login of at least one client 200 (step 410) in order to confirm the identity of the client 200 and the usage permission rule that applies to it. The client 200 then communicates over the network through the gateway controlled by the server 100 (step 420); the server 100 limits the network connection permissions of the client 200 according to its applicable usage permission rule and controls the transmission of data packets (step 430); finally, the data transmission state of the client 200 is recorded (step 440) for later query.

The detailed procedure for establishing the usage permission rule is step A. Refer to Fig. 3B, the flowchart of the steps by which the server establishes a usage permission rule for each client:

The usage permission rule established in step 400 is built by establishing a shared rule for the client 200 (step 401) and setting its execution period and priority (step 4011); establishing a group rule for the client 200 (step 402) and setting its execution period and priority (step 4021); establishing a temporary rule for the client 200 (step 403) and setting its execution period and priority (step 4031); and establishing a data communication control rule (step B). Once the shared rule, the group rule and the temporary rule have been established for the client 200 with their execution periods and priorities, and the data communication control rule has been established, the server merges these rules into the usage permission rule (step 408). The procedure then continues with step 410.

The shared rule is a control rule that applies to all clients 200; it may be implemented as at least a working-hours rule, an off-hours rule, and a visitor rule. The group rule is the control rule that applies when a user logs in to the server 100, according to the department, group, and domain to which the employee belongs. The temporary rule is a control rule applied to a specific client 200 for a certain period of time; the rule and the length of that period can be set by the server 100.

The detailed procedure for establishing a data communication control rule is step B. Refer to Fig. 3C, the flowchart of the steps by which the server establishes a data communication control rule for each client:

First, a communication port rule and a URL browsing rule are set (step 404). Then, according to the transmission protocol of the data packets, a data packet transmission rule is set (step 405), comprising a control mode for data packets sent with the Hypertext Transfer Protocol (HTTP) (step 406) and a control mode for data packets sent under the Secure Sockets Layer (SSL) network security protocol (step 407). The control mode set in step 406 is any one of: blocking the URL connection (step 4061); allowing downloads only (step 4062); allowing downloads and limiting the volume of uploaded data to less than a specific capacity (step 4063); or allowing any data transfer (step 4064). The control mode set in step 407 is any one of: blocking the URL connection (step 4071); allowing downloads only (step 4072); allowing only login data smaller than a specific capacity to be sent (step 4073); or allowing any data transfer (step 4074). The specific capacity referred to in steps 4063 and 4073 is set by the server 100. Once step B has established the data communication control rule, the procedure enters step 408 and continues.

Although the invention has been disclosed above by way of preferred embodiments, these are not intended to limit the invention, and anyone skilled in the art may, without departing from the
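The rule model of Figs. 2 and 3A to 3C, as an added worked example that is not part of the patent and not Fineart's code: a small policy evaluator holding a port rule, a URL/IP rule and per-protocol transmission modes for HTTP (steps 321 to 324) and SSL (steps 331 to 334) inside shared, group and temporary rules with execution periods and priorities (steps 401 to 4031), and deciding each connection the way step 430 requires while appending an audit record for step 440. The class and field names, the sample policy and requests, and the merge semantics are assumptions: the patent says the rules are merged into one usage permission rule (step 408) but does not define how conflicts are resolved, so the example lets the highest-priority applicable rule decide. Because a gateway cannot read an SSL payload, the SSL modes are enforced here purely on the number of bytes the client sends, which is also why a download-only mode on SSL can only be approximate.

```python
# Added example, not the patentee's code: a policy evaluator for the rule model of
# Figs. 2 and 3A-3C. Names, the sample policy and the highest-priority-wins merge
# of step 408 are assumptions.
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Control modes for HTTP (steps 321-324) and SSL (steps 331-334) transfers.
BLOCK, DOWNLOAD_ONLY, LIMITED_UPLOAD, ALLOW_ALL = "block", "dl_only", "limited_up", "allow"

@dataclass(frozen=True)
class TransferRule:            # data packet transmission rule (step 310)
    http_mode: str
    http_upload_limit: int     # bytes, with LIMITED_UPLOAD (step 323)
    ssl_mode: str
    ssl_client_limit: int      # bytes of client-to-server data allowed (step 333)

@dataclass(frozen=True)
class ControlRule:             # shared, group or temporary rule (steps 401-403)
    name: str
    priority: int              # higher wins when several rules apply (assumption)
    start: time                # execution period; start == end means all day
    end: time
    allowed_ports: frozenset   # communication port rule (step 300)
    blocked_hosts: frozenset   # URL browsing rule (step 300)
    transfer: TransferRule
    groups: Optional[frozenset] = None   # None: shared rule; set: group rule
    users: Optional[frozenset] = None    # set: temporary rule for named users

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    port: int
    host: str
    protocol: str      # "http", "ssl", or other (then only the port rule applies)
    client_bytes: int  # HTTP: request body size; SSL: ciphertext sent by the client

def in_period(r: ControlRule, now: time) -> bool:
    """True when now falls in the rule's execution period (may wrap past midnight)."""
    if r.start == r.end:
        return True
    if r.start < r.end:
        return r.start <= now < r.end
    return now >= r.start or now < r.end

def applicable_rules(rules, req: Request, now: time):
    """Step 408: rules that bind this user now, highest priority first."""
    hits = [r for r in rules if in_period(r, now)
            and (r.users is None or req.user in r.users)
            and (r.groups is None or req.group in r.groups)]
    return sorted(hits, key=lambda r: r.priority, reverse=True)

def decide(rules, req: Request, now: time, audit=None):
    """Step 430: (verdict, reason) for one connection; step 440: append to audit."""
    hits = applicable_rules(rules, req, now)
    verdict = apply_rule(hits[0], req) if hits else ("deny", "no applicable rule")
    if audit is not None:
        audit.append((req.user, req.host, req.port, req.protocol) + verdict)
    return verdict

def apply_rule(r: ControlRule, req: Request):
    if req.port not in r.allowed_ports:
        return ("deny", f"{r.name}: port {req.port} not permitted")
    if req.host in r.blocked_hosts:
        return ("deny", f"{r.name}: host {req.host} blocked")
    if req.protocol == "http":
        mode, limit = r.transfer.http_mode, r.transfer.http_upload_limit
    elif req.protocol == "ssl":
        mode, limit = r.transfer.ssl_mode, r.transfer.ssl_client_limit
    else:
        return ("allow", f"{r.name}: port rule only")
    if mode == BLOCK:
        return ("deny", f"{r.name}: {req.protocol} blocked")
    if mode == DOWNLOAD_ONLY and req.client_bytes > 0:
        return ("deny", f"{r.name}: {req.protocol} upload not permitted")
    if mode == LIMITED_UPLOAD and req.client_bytes >= limit:
        return ("deny", f"{r.name}: {req.client_bytes} bytes is not below {limit}")
    return ("allow", r.name)

# Constructed sample policy (assumed values, not from the patent).
WORK, OFF = (time(9), time(18)), (time(18), time(9))
SAMPLE_RULES = [
    ControlRule("shared-working-hours", 10, *WORK, frozenset({80, 443}),
                frozenset({"webmail.example"}),
                TransferRule(LIMITED_UPLOAD, 64 * 1024, LIMITED_UPLOAD, 4 * 1024)),
    ControlRule("shared-off-hours", 10, *OFF, frozenset({80, 443}), frozenset(),
                TransferRule(DOWNLOAD_ONLY, 0, BLOCK, 0)),
    ControlRule("group-rnd", 20, *WORK, frozenset({21, 80, 443}),
                frozenset({"webmail.example"}), TransferRule(ALLOW_ALL, 0, ALLOW_ALL, 0),
                groups=frozenset({"rnd"})),
    ControlRule("temp-alice-audit", 30, *WORK, frozenset({80}), frozenset(),
                TransferRule(DOWNLOAD_ONLY, 0, BLOCK, 0), users=frozenset({"alice"})),
]

if __name__ == "__main__":
    log = []
    for req in (Request("bob", "accounting", 80, "files.example", "http", 100_000),
                Request("carol", "rnd", 21, "ftp.example", "ftp", 5_000_000),
                Request("alice", "rnd", 443, "files.example", "ssl", 512)):
        print(req.user, decide(SAMPLE_RULES, req, time(10), log))
```

The evaluator keeps the three rule kinds in one list and distinguishes them only by their selectors, so a temporary rule for one user simply carries a higher priority than the group and shared rules it overrides, and the off-hours shared rule wins at 20:00 only because the working-hours rule is outside its period. An alternative reading of step 408 is to apply every applicable rule and deny when any of them denies; whichever is chosen, the capacity limits should be stated as strict upper bounds, as the patent does ("less than a specific capacity"), and the audit record should be written for denied connections as well as allowed ones.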


Brief description of the drawings

Fig. 1 is the system architecture diagram of the method of the invention for controlling data communication using a packet-oriented filtering mechanism;
Fig. 2 is the flowchart of the steps for establishing the method of the invention for controlling data communication using a packet-oriented filtering mechanism; and
Figs. 3A, 3B and 3C are the flowcharts of the steps for establishing the packet-oriented filtering mechanism for intra-enterprise network communication.

Reference numerals

100 server
110 server-side database
150 network backbone
200 client
Step 300 set a communication port rule and a URL browsing rule on a server
Step 310 set a data packet transmission rule
Step 320 control mode for data packets sent with the Hypertext Transfer Protocol
Step 321 block the URL connection
Step 322 allow downloads only
Step 323 allow downloads and limit the volume of uploaded data to less than a specific capacity
Step 324 allow any data transfer
Step 330 control mode for data packets sent under the Secure Sockets Layer network security protocol
Step 331 block the URL connection
Step 332 allow downloads only
Step 333 allow only login data smaller than a specific capacity to be sent
Step 334 allow any data transfer
Step 340 store the data communication control rule in the server-side database
Step 350 the server accepts the login of at least one client for network communication
Step 360 the server controls network communication through the gateway
Step 400 establish, through a server, a usage permission rule for each client and store it in the server-side database
Step 401 establish a shared rule for the client
Step 4011 set the execution period and priority of the shared rule
Step 402 establish a group rule for the client
Step 4021 set the execution period and priority of the group rule
Step 403 establish a temporary rule for the client
Step 4031 set the execution period and priority of the temporary rule
Step 404 set a communication port rule and a URL browsing rule
Step 405 set a data packet transmission rule
Step 406 control mode for data packets sent with the Hypertext Transfer Protocol
Step 4061 block the URL connection
Step 4062 allow downloads only
Step 4063 allow downloads and limit the volume of uploaded data to less than a specific capacity
Step 4064 allow any data transfer
Step 407 control mode for data packets sent under the Secure Sockets Layer network security protocol
Step 4071 block the URL connection
Step 4072 allow downloads only
Step 4073 allow only login data smaller than a specific capacity to be sent
Step 4074 allow any data transfer
Step 408 the server merges the established rules into the usage permission rule
Step 410 the server accepts the login of at least one client
Step 420 the client communicates over the network through the gateway controlled by the server
Step 430 the server limits the client's network connection permissions according to the applicable usage permission rule and controls the transmission of data packets
Step 440 record the client's data transmission state
Step A establish a usage permission rule
Step B establish a data communication control rule

Claims (1)

1254533 VI. Claims

1. A method of controlling data communication using a packet-oriented filtering mechanism, in which a server sets the control mode of a gateway according to the transmission protocol of the data packets in order to control data communication, the method comprising at least the following steps:
 setting, on a server, a communication port rule and a URL browsing rule;
 setting a data packet transmission rule;
 storing a data communication control rule in the database of the server;
 the server accepting the login of at least one client for network communication; and
 the server controlling the network communication that passes through the gateway.

2. The method of claim 1, wherein the server can accept the connection of at least one client through a local area network (LAN) and restricts that client to connecting to an external network and transmitting data only via the gateway controlled by the server.

3. The method of claim 1, wherein the client uses an information processing device connectable to a network backbone, selected from any of a desktop computer, a notebook computer (NB), a personal digital assistant (PDA), a mobile phone and a handheld information processing device.

4. The method of claim 1, wherein the communication port (PORT) rule is directed at any application that can transmit data packets through a communication port, and the server limits the communication port through which that application may transmit data packets.

5. The method of claim 1, wherein the URL browsing rule is a restriction mode that the server sets for a specific domain name (Universal Resource Locator, URL) or its corresponding IP address, and the restriction mode is defined by the server itself.

6. The method of claim 1, wherein the data communication control rule comprises the communication port (PORT) rule, the URL browsing rule and the data packet transmission rule.

7. The method of claim 1, wherein the step of setting a data packet transmission rule comprises at least the following: setting the control mode for data packets transmitted by the Hypertext Transfer Protocol (HTTP), and setting the control mode for data packets transmitted under the Secure Sockets Layer (SSL) network security protocol.

8. The method of controlling data packet transmission of claim 7, wherein the control mode for data packets transmitted by HTTP is any one of at least the following: forbidding the URL connection; allowing data download only; allowing data download and limiting the amount of uploaded data to less than a specific capacity; and allowing any data transmission.

9. The method of claim 8, wherein the size of the specific capacity is set by the server itself.

10. The method of claim 7, wherein the control mode for data packets transmitted under the SSL network security protocol is any one of at least the following: forbidding the URL connection; allowing data download only; allowing only the transmission of login data smaller than a specific capacity; and allowing any data transmission.

11. The method of claim 10, wherein the specific capacity and the restriction on the type of login data are defined by the server itself.

12. A packet-oriented filtering mechanism for intra-enterprise network communication, in which a server establishes a usage permission rule for each client and sets the control mode of a gateway in order to control the data transmission of at least one such client, comprising at least the following steps:
 establishing, through a server, a usage permission rule for each client and storing it in the database of the server;
 the server accepting the login of at least one such client;
 the client performing network communication through the gateway controlled by the server; and
 the server limiting the network connection permissions of the client and controlling its data packet transmission according to the usage permission rule applicable to that client.

13. The mechanism of claim 12, wherein the server can accept the connection of at least one such client through a local area network (LAN) and restricts that client to connecting to an external network and transmitting data only via the gateway controlled by the server.

14. The mechanism of claim 12, wherein the client uses an information processing device connectable to a network backbone, selected from any of a desktop computer, a notebook computer (NB), a personal digital assistant (PDA), a mobile phone and a handheld information processing device.

15. The mechanism of claim 14, wherein the network backbone may be a telecommunications network, meaning any telecommunications network architecture or type that provides communication and data transmission functions.

16. The mechanism of claim 12, wherein the step of establishing, through the server, a usage permission rule for each client and storing it in the database of the server comprises at least establishing the following rules:
 establishing a shared rule for the client, establishing a group rule for the client, and establishing a data communication control rule for the client; and
 the server merging the established rules into the usage permission rule.

17. The mechanism of claim 16, wherein the shared rule is a control rule applying to all clients and may be established to comprise at least an office-hours rule, an off-hours rule and a guest rule.

18. The mechanism of claim 17, wherein the guest rule is the control rule applied when a user who is not an employee of the enterprise logs in to the server.

19. The mechanism of claim 16, wherein the group rule is the control rule applied, according to the department, unit and network domain to which an employee of the enterprise belongs, when that user logs in to the server.

20. The mechanism of claim 16, wherein establishing a shared rule for the client further comprises the step of setting the execution period and the priority of the shared rule.

21. The mechanism of claim 16, wherein establishing a group rule for the client further comprises the step of setting the execution period and the priority of the group rule.

22. The mechanism of claim 16, wherein the steps of establishing a shared rule, a group rule and a data communication control rule for the client may further comprise the step of establishing a temporary rule for the client.

23. The mechanism of claim 22, wherein establishing a temporary rule for the client further comprises the step of setting the execution period and the priority of the temporary rule.

24. The mechanism of claim 22, wherein the temporary rule is a control rule applied to a specific client within a specific period of time, and both the temporary rule and the length of that period are set by the server itself.

25. The mechanism of claim 16, wherein in the step of the server merging the established rules into the usage permission rule, the merging logic is defined by the server itself.

26. The mechanism of claim 16, wherein establishing a data communication control rule for the client sets the control mode of the gateway according to the transmission protocol of the data packets, and the method of controlling data packets transmitted through the gateway comprises at least the following steps:
 setting a communication port rule and a URL browsing rule; and
 setting a data packet transmission rule.

27. The mechanism of claim 26, wherein the communication port (PORT) rule is directed at any application that can transmit data packets through a communication port, and the server limits the communication port through which that application may transmit data packets.

28. The mechanism of claim 26, wherein the URL browsing rule is a restriction mode that the server sets for a specific domain name (Universal Resource Locator, URL) or its corresponding IP address, and the restriction mode is defined by the server itself.

29. The mechanism of claim 26, wherein setting a data packet transmission rule comprises at least the following: setting the control mode for data packets transmitted by the Hypertext Transfer Protocol (HTTP), and setting the control mode for data packets transmitted under the Secure Sockets Layer (SSL) network security protocol.

30. The mechanism of claim 29, wherein the control mode for data packets transmitted by HTTP is any one of at least the following: forbidding the URL connection; allowing data download only; allowing data download and limiting the amount of uploaded data to less than a specific capacity; and allowing any data transmission.

31. The mechanism of claim 30, wherein the size of the specific capacity is set by the server itself.

32. The mechanism of claim 29, wherein the control mode for data packets transmitted under the SSL network security protocol is any one of at least the following: forbidding the URL connection; allowing data download only; allowing only the transmission of login data smaller than a specific capacity; and allowing any data transmission.

33. The mechanism of claim 32, wherein the specific capacity and the restriction on the type of login data are defined by the server itself.
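The claims above describe two things that are easier to judge in code than in claim language: how a client's effective rule is obtained from the shared, group and temporary rules with their execution periods and priorities (claims 16 to 25), and how one connection is then checked against the port rule, the URL rule and the HTTP or SSL transmission mode (claims 4 to 11 and 26 to 33). The following Python is an added illustration, not code from the patent or from Fineart Technology. Everything beyond the claims is an assumption: the rule and request field names, the merging logic (highest-priority active rule wins, which the claims leave to the server to define), the default-deny when no rule is active, and the constructed sample rules and requests. One practitioner's caveat is built in: a gateway that does not intercept TLS cannot see the method or content of an SSL connection, so the "login data under a cap" mode can only be approximated by counting client-to-server bytes.

```python
"""Toy gateway policy engine modelled on the claims (added example, not the patent's code)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Sequence, Tuple

# Transmission modes of claims 8/30 (HTTP) and 10/32 (SSL); the names are assumptions.
DENY = "deny"                      # forbid the URL connection
DOWNLOAD_ONLY = "download_only"    # allow download only
LIMITED_UPLOAD = "limited_upload"  # HTTP: download plus uploads below a cap
LOGIN_ONLY = "login_only"          # SSL: only small client payloads (login data)
ALLOW_ALL = "allow_all"            # allow any data transmission


@dataclass(frozen=True)
class Rule:
    """One shared, group or temporary rule of claims 16-24 (field names assumed)."""
    name: str
    priority: int                                    # higher wins among active rules (assumption)
    start: time = time(0, 0)                         # execution period, claims 20/21/23
    end: time = time(23, 59, 59)
    allowed_ports: frozenset = frozenset({80, 443})  # port rule, claims 4/27
    blocked_hosts: frozenset = frozenset()           # URL rule, claims 5/28
    http_mode: str = ALLOW_ALL
    http_upload_limit: int = 0                       # bytes, used with LIMITED_UPLOAD
    ssl_mode: str = ALLOW_ALL
    ssl_login_limit: int = 0                         # bytes, used with LOGIN_ONLY
    valid_until: Optional[datetime] = None           # set only on temporary rules, claim 24

    def active(self, now: datetime) -> bool:
        if self.valid_until is not None and now > self.valid_until:
            return False
        return self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Request:
    """What the gateway can observe about one client connection (constructed shape)."""
    host: str
    port: int
    tls: bool
    upload_bytes: int              # HTTP: request body length; TLS: client application data
    method: Optional[str] = None   # None for TLS: not visible without interception (assumption)


def effective_rule(rules: Sequence[Rule], now: datetime) -> Optional[Rule]:
    """Merge step of claims 16/25: of the rules active now, the highest priority wins."""
    active = [r for r in rules if r.active(now)]
    return max(active, key=lambda r: r.priority) if active else None


def evaluate(rule: Optional[Rule], req: Request) -> Tuple[bool, str]:
    """Apply the port rule, then the URL rule, then the transmission rule."""
    if rule is None:
        return False, "no active rule (default deny, assumption)"
    if req.port not in rule.allowed_ports:
        return False, f"port {req.port} not permitted"
    if req.host in rule.blocked_hosts:
        return False, f"host {req.host} blocked"
    if req.tls:
        mode, limit = rule.ssl_mode, rule.ssl_login_limit
    else:
        mode, limit = rule.http_mode, rule.http_upload_limit
    uploading = req.upload_bytes > 0 or req.method in ("POST", "PUT", "PATCH")
    if mode == DENY:
        return False, "connection forbidden"
    if mode == ALLOW_ALL or not uploading:
        return True, "transfer allowed"
    if mode == DOWNLOAD_ONLY:
        return False, "uploads not allowed"
    # LIMITED_UPLOAD / LOGIN_ONLY: client payload must stay below the server-set cap
    if req.upload_bytes < limit:
        return True, f"upload of {req.upload_bytes} B under {limit} B cap"
    return False, f"upload of {req.upload_bytes} B reaches {limit} B cap"


def decide(rules: Sequence[Rule], req: Request, now: datetime) -> Tuple[bool, str, str]:
    rule = effective_rule(rules, now)
    allowed, reason = evaluate(rule, req)
    return allowed, (rule.name if rule else "-"), reason


# Constructed sample policy: an off-hours shared rule, an office-hours shared rule
# that outranks it from 09:00 to 18:00, and a temporary exception valid until a deadline.
OFF_HOURS = Rule("off-hours", priority=5, http_mode=DOWNLOAD_ONLY, ssl_mode=DENY)
OFFICE_HOURS = Rule("office-hours", priority=10, start=time(9, 0), end=time(18, 0),
                    blocked_hosts=frozenset({"filehost.example"}),
                    http_mode=LIMITED_UPLOAD, http_upload_limit=1_000_000,
                    ssl_mode=LOGIN_ONLY, ssl_login_limit=4096)
TEMP_EXCEPTION = Rule("temp-exception", priority=100, valid_until=datetime(2004, 8, 11, 12, 0))
EMPLOYEE_RULES = (OFF_HOURS, OFFICE_HOURS)

# Constructed sample connections and clock values.
GET = Request("intranet.example", 80, False, 0, "GET")
POST_SMALL = Request("mail.example", 80, False, 500_000, "POST")
POST_BIG = Request("mail.example", 80, False, 2_000_000, "POST")
TLS_LOGIN = Request("mail.example", 443, True, 1_024)
TLS_BIG = Request("mail.example", 443, True, 50_000)
FTP = Request("files.example", 21, False, 0)
BLOCKED = Request("filehost.example", 80, False, 0, "GET")
OFFICE, NIGHT, LATER = datetime(2004, 8, 10, 10, 30), datetime(2004, 8, 10, 22, 0), datetime(2004, 8, 12, 10, 30)

if __name__ == "__main__":
    for req in (GET, POST_SMALL, POST_BIG, TLS_LOGIN, TLS_BIG, FTP, BLOCKED):
        for now in (OFFICE, NIGHT):
            print(now.time(), req.host, req.port, decide(EMPLOYEE_RULES, req, now))
    print("with temporary rule:", decide(EMPLOYEE_RULES + (TEMP_EXCEPTION,), POST_BIG, NIGHT))
```

Two points of the design are worth noting. The port rule identifies an application only by the port it uses, so a data transfer program moved onto port 80 or 443 is judged by the HTTP or SSL transmission mode rather than blocked outright; and the `valid_until` check on the temporary rule is what makes the "specific period" of claim 24 expire on its own, without the priority of the expired rule leaking into later decisions.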
TW93123900A 2004-08-10 2004-08-10 A method of data communication control applying package-oriented filtering mechanism TWI254533B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW93123900A TWI254533B (en) 2004-08-10 2004-08-10 A method of data communication control applying package-oriented filtering mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW93123900A TWI254533B (en) 2004-08-10 2004-08-10 A method of data communication control applying package-oriented filtering mechanism

Publications (2)

Publication Number Publication Date
TW200607281A TW200607281A (en) 2006-02-16
TWI254533B true TWI254533B (en) 2006-05-01

Family

ID=37587354

Family Applications (1)

Application Number Title Priority Date Filing Date
TW93123900A TWI254533B (en) 2004-08-10 2004-08-10 A method of data communication control applying package-oriented filtering mechanism

Country Status (1)

Country Link
TW (1) TWI254533B (en)

Also Published As

Publication number Publication date
TW200607281A (en) 2006-02-16

Similar Documents

Publication Publication Date Title
US10630689B2 (en) Strong identity management and cyber security software
Bhadauria et al. A survey on security issues in cloud computing
CN107872456A (en) Network intrusion prevention method, apparatus, system and computer-readable recording medium
US20120047259A1 (en) Web hosted security system communication
TWI242968B (en) System for establishing and regulating connectivity from a user's computer
US20110099621A1 (en) Process for monitoring, filtering and caching internet connections
Chopra Security issues of firewall
Leavitt Instant messaging: a new target for hackers
Goni Implementation of Local Area Network (lan) And Build A Secure Lan System For Atomic Energy Research Establishment (AERE)
Cashion et al. Protocol for mitigating the risk of hijacking social networking sites
JP5336405B2 (en) Internal information browsing server system and control method thereof
TWI254533B (en) A method of data communication control applying package-oriented filtering mechanism
NL2011857A (en) Secure single sign-on exchange of electronic data.
EP1643709B1 (en) Data processing system and method
JP3909289B2 (en) Voluntary virtual private network between portable device and corporate network
Abdulqader et al. Securing network services and protocols
O'Sullivan Instant Messaging vs. instant compromise
Jaramillo et al. Techniques and real world experiences in mobile device security
George et al. Multi-layered Architecture for Secure Inter-network Data Transfer using Data Diode
Holmberg Enemies at the gates: Securing the BACnet (R) building
Rao et al. Understanding networks and network security
JP2004165761A (en) Communication system
Broucek et al. A Forensic Computing perspective on the need for improved user education for information systems security management
Park et al. Security Analyses for Enterprise Instant Messaging (EIM) Systems.
Noth et al. Technology and the Law