WO2003015372A1 - Network architecture with improved security - Google Patents

Network architecture with improved security

Info

Publication number
WO2003015372A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication
network
server
server group
access
Prior art date
Application number
PCT/EP2002/008293
Other languages
German (de)
English (en)
Inventor
Abolhassan Agha
Michael Höhre
Original Assignee
Abolhassan Agha
Hoehre Michael
Application filed by Abolhassan Agha, Hoehre Michael filed Critical Abolhassan Agha
Priority to EP02754937A priority Critical patent/EP1470685A1/fr
Publication of WO2003015372A1 publication Critical patent/WO2003015372A1/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2557 Translation policies or rules

Definitions

  • the present invention relates to a communication network, a method for carrying out communication in the communication network and a communication module for use in the communication network.
  • nodes: all servers, workstations etc. or existing networks which are permanently or temporarily (dynamically) connected to the Internet are briefly referred to below as nodes.
  • For example, RFC 2827 tries to restrict the falsification of source addresses. This RFC is classified in the Best Current Practice category and is therefore only a recommendation.
  • PKI Public Key Infrastructures
  • SSL Secure Socket Layer
  • VPN Virtual Private Networks
  • a respected German fixed-network operator offers its large customers so-called intelligent networks, e.g. to operate origin-dependent service numbers that the major customer can administer independently via the Internet. Misuse of the administration access would make it possible, e.g., to permanently connect the customer's entire call center infrastructure with the local telephone counseling service at the push of a button. Since this is a business-critical application, the provider tries to take this into account in the form of the following solution:
  • the provider issues a certificate to the major customer, which is sent to the major customer on a diskette (i.e. outside the Internet) and must be installed there in the major customer's browser.
  • the certificate can only be activated by a password, which is also sent separately.
  • the administration service is accessed via an encrypted connection of adequate key length. If you look at the chain consisting of browser, Internet connection and administration server and assume that the technology used was implemented without errors (e.g. no starting points for buffer overflow attacks), there is not necessarily a reason for concern within this horizon.
  • the present invention is therefore based on the object of providing a communication network, a communication method and a communication module for use in a communication network which do not have the above-mentioned disadvantages, or have them to a lesser extent, and in particular significantly reduce the possibilities of misusing the data of users of a communication network.
  • This object is solved by claim 12.
  • the sub-claims contain further refinements of the communication network or the communication method.
  • a user is to be understood as a node here.
  • the present invention is based on the following idea:
  • Electronically stored data are usually stored on a data carrier (hard disk, CD, chip card, memory, etc.).
  • the data is accessed by a program that controls a read / write device suitable for the respective storage medium.
  • Such a program is usually integrated into an operating system that enables potential users to access the data in the form of so-called services.
  • a user of a computer in a so-called network-transparent file system can access his local data, i.e. use the data stored on his computer in the same way as data that is actually stored on another computer.
  • the data of the remote computer are accessed by the operating system of the local computer using the corresponding services of the operating system of the remote computer on the basis of a communication protocol.
  • the authorization to use the service on the remote computer is based on an identification of the requesting user or his computer. In such a system, unauthorized use of a service on the remote computer can take place by presenting a false identity to the remote computer.
  • the invention now provides, according to claim 1, a communication module already at the network level in the communication path (in the communication line) between a first server or first server group and a second server or second server group, which allows only the use of a service existing in the first server or first server group by the second server or second server group, but not the use of a service existing in the second server or second server group by the first server or first server group.
  • the invention provides a communication method for carrying out communication in a communication network according to the invention, which is characterized in that the server groups exchange data via the communication channel(s) and that the communication module decides on the authorization to access the service of a server group.
  • the invention provides to create a communication module for use in a communication network according to the invention.
  • the communication module is characterized in that it comprises a communication protocol that includes the identification of servers or server groups.
  • the invention offers the possibility of reducing misuse of the data of users of a data processing network by orders of magnitude, in particular if the connection establishment between a data processing infrastructure or server group and an access-authorized node takes place exclusively at the instigation of the access-authorized node. In this way, it is prevented in a simple manner that a connection can be established via the data processing infrastructure between a first access-authorized node and a second access-authorized node without the other node having to do anything, a connection via which an attack on the data of the other node could take place.
  • an access module to enable access to an internal data processing infrastructure of the data processing center by an external user and the output of data from the internal data processing infrastructure to the user is available.
  • the access module is designed such that a connection between the external user and the data processing infrastructure can only be initiated by the external user.
  • the authorization of the individual nodes can be obtained in a known manner via corresponding usage contracts, the conclusion of which is usually followed by a corresponding check or identification of the node operator of the respective node.
  • the invention makes it possible to restructure the classic Internet in the direction of an infrastructure which is structured based on service relationships and is hereinafter referred to as Application Service Infrastructure (ASI) on the basis of a network architecture which has been optimized in terms of security.
  • ASI Application Service Infrastructure
  • An application service provider is therefore a person or organization that provides one or more services for another person or organization on the basis of a communication network. Perhaps the simplest example would be to publish a private homepage.
  • ASU Application Service User
  • ASC Application Service Customer
  • ASP Application Service Provider
  • the application service does not necessarily have to be provided by the operator of a data processing center. Rather, if necessary, another functional role can be identified, namely that of a so-called
  • ASIP Application Service Infrastructure Provider
  • the data processing infrastructure can comprise a single access area or infrastructure area as a data processing structure, for example a single server or the like, to which the access-authorized nodes can access.
  • the data processing structure can also as a network, similar to a LAN (Local Area Network).
  • the data processing infrastructure preferably comprises several data processing structures (access areas, infrastructure areas).
  • At least one access-restricted first data processing structure is preferably provided, the access module or a connection setup controller present in the access module then being designed to establish a connection between a node and the first data processing structure only in the case of an authorization of the node assigned to the first data processing structure in order to provide access only to appropriately authorized nodes to grant the first data processing structure or the services provided there.
  • an application service provider wants to administer a service made available in the data processing center via a connection to the data processing center
  • at least one server is assigned two data processing structures, one of which provides the service and the other serves as administration access for the Application Service Provider (ASP).
  • the Application Service Customer can position so-called private services in the Application Service Infrastructure.
  • Private services can, e.g., have the character of a private network and can only be used by the Application Service Customer (ASC) himself or his Application Service User (ASU).
  • the Application Service User (ASU) of the Application Service Customer (ASC) only has access to the services for which the Application Service Customer (ASC) has concluded a usage contract with the respective Application Service Provider (ASP).
  • Only the Application Service User (ASU) of the Application Service Customer (ASC) can initiate a connection to a service node, i.e. to the data processing infrastructure or to a corresponding first infrastructure area of the same. The reverse direction is not possible.
  • the use of a service node by an Application Service User (ASU) of the Application Service Customer (ASC) is a directional relationship, i.e. it is guaranteed that the operator of the service node, conversely, does not have access to the customer's local IT infrastructure.
  • a basic idea of the invention is accordingly to provide services in separate rooms to the user. These rooms are formed by the first infrastructure areas (data processing structures), which are also referred to below as network safes.
  • a network safe only connects servers or the like, which together provide a service and are in a relationship of trust with each other.
  • the services provided by a network safe can only be used by authorized nodes or node groups, with the private resources of the nodes or node groups being protected against mutual access.
  • the invention makes it possible to replace the previous approach of the almost unlimitedly open but security-deficient Internet, as well as the approach of completely closed networks, with a secure, standardized and flexible structure according to the invention that is based on explicit service relationships.
  • the nodes are connected to the data processing infrastructure via a communication line exclusively assigned to the respective node, and the control of the establishment of the connection with the first infrastructure area is based on the respective assigned communication line.
  • this is achieved in that, for at least a number of communication lines each assigned exclusively to a node, an interface device of the data processing infrastructure assigned exclusively to the respective communication line is provided, and a connection establishment control is formed for access-based control of the connection establishment to the first infrastructure area in dependence on the interface device.
  • only connections to the first infrastructure area are established via the connection establishment control, which are made via the communication lines or interface devices permanently assigned to them, which are assigned in a predetermined manner in accordance with access-authorized nodes.
  • the assignment can only be modified by the operator of the data processing center or at his request.
  • the local IT infrastructures of the application service customer (ASC) in question are preferably connected in a dedicated manner to the data processing center, also referred to below as the network operation center (NOC), which provides the application service infrastructure (ASI), that is to say the data processing infrastructure.
  • NOC network operation center
  • ASI application service infrastructure
  • Dedicated connection here means that the local structures of the Application Service Customer (ASC) are provided with identification that cannot be manipulated by software.
  • Dedicated connections are, for example, dedicated lines or connections with other physically anchored identification mechanisms. If several Network Operation Centers (NOC) are provided, the local IT infrastructures of the relevant Application Service Customer (ASC) are connected to the closest Network Operation Center (NOC).
  • the security problems existing at the network level in the classic Internet can be overcome in a simple manner, which result almost exclusively from the fact that the security mechanisms are based on the content of one or more data packets.
  • data packets can be generated and manipulated almost arbitrarily by appropriate software.
  • the security mechanisms of this preferred variant of the invention are based on simple chains, the first link of which is always anchored to the physical access path of a packet. Attacks on such anchored security mechanisms require, as mentioned, the attacker's direct personal access to the physical infrastructure on site. The number of potential attackers is thus reduced by several orders of magnitude compared to the classic Internet.
  • connection set-up via a specific communication line is permitted or not can be carried out using simple lists which the connection set-up controller accesses and in which the access lines authorized for access for the respective first infrastructure area are stored.
  • the communication line is preferably a secure connection between the respective access-authorized node and the data processing center, for example a dedicated line or the like, which is not easily accessible for attacks or manipulation.
  • the invention can also be used in connection with other, less manipulation-proof communication lines, provided that an identification feature for the node that cannot be manipulated by software is present.
  • the term communication line is intended not only to include a physical line, but also to include communication connections which establish communication at least in sections in some other way, for example radio-based.
  • the advantages of the invention, in particular the reduction of manipulation options, can also be achieved here, albeit possibly to a lesser extent or with greater effort.
  • dial-in solutions must first be assessed from a security perspective. The selected solution is then to be integrated in a structurally harmonious manner.
  • the operation of dial-in solutions in the context of a network architecture according to the invention also creates additional security here compared to a conventional infrastructure, in which a connection to the entire network may be established.
  • the connected node is still only connected to the network safe(s) (first infrastructure areas) that have been released, but never to the entire network.
  • Preferred variants of such dial-in solutions that can be implemented on their own or in combination can look as follows:
  • the dial-in server permanently assigns the source address of a dial-in connection to the user.
  • the address ranges used can be distinguished from the address ranges of dedicated connections, so that more stringent security rules based on them can be used in the further course.
  • the check as to whether a connection is established or not can be carried out for all access variants on the basis of any criteria that enable an unambiguous assignment to a specific communication line. For example, it can be provided that when an attempt is made to establish a connection to a first infrastructure area via a specific communication line by a device assigned to the communication line, a corresponding identification feature is passed on to the connection establishment control, on the basis of which the latter decides whether the connection is established or not.
  • the data arriving in the data processing center from a node via a communication line are provided with an identification feature uniquely assigned to the communication line.
  • the connection establishment with the first infrastructure area is then controlled as a function of this identification feature.
  • this is achieved in a simple manner by providing at least one identification device assigned to the respective communication line, which is used to identify data arriving in the data processing center with an identification feature clearly assigned to the communication line.
  • the connection establishment control is then designed to control the connection establishment with the first infrastructure area depending on the identification feature. If there are several infrastructure areas, several identification features can be assigned accordingly.
  • the identification device in question is assigned to an interface.
  • the marking device can be part of such an interface.
  • the identification feature can be assigned to the data in any manner. It is preferably carried out by means of a so-called network address translation (NAT), in particular a source network address translation (S-NAT), or a connection tracking module, which is preferably implemented in the network architecture according to the invention or the data processing center according to the invention in that the identification device is designed to assign the identification feature by means of Network Address Translation (NAT).
  • NAT network address translation
  • S-NAT source network address translation
  • the Application Service Customer receives a source address that is clearly assigned to it and cannot be manipulated by software, which is thus used as the starting point for further access decisions.
  • the address space of the data processing center, i.e. the Network Operation Center (NOC)
  • the data processing infrastructure comprises at least two first infrastructure areas (data processing structures) and at least one connection in the form of a second infrastructure area between the first infrastructure areas, via which the first infrastructure areas are connected , for example to administer the first infrastructure area with the help of a further first infrastructure area.
  • the second infrastructure area can be a server, for example, which is connected to at least two first infrastructure areas.
  • ASP Application Service Providers
  • B2B business-to-business
  • a number of data processing centers that can be connected to one another via secure communication connections and at least one synchronization device are preferably provided, via which the data processing centers can be synchronized, so that in several data processing centers there are synchronized first infrastructure areas, ie network safes.
  • This makes it possible, for example, to provide services for Application Service Customers (ASC) whose Application Service Users (ASU) are located at different locations. Thanks to the synchronization of the data processing centers, they can then access the nearest data processing center in a cost-effective manner.
  • a network safe can also be assigned to different network operation centers (NOC), i.e. distributed over the data processing centers of different operators, so that here, too, higher-level organizational structures comparable to the classic Internet must exist or be provided, which are responsible for the administration of the address space.
  • the invention makes it possible to migrate to an alternative network architecture which, based on the weaknesses in the architecture of the classic Internet mentioned at the outset, primarily meets the following requirements:
  • the foundations of the network architecture or data processing center according to the invention are already designed such that in principle only the nodes can use the data processing infrastructure or the same areas of the data processing infrastructure, the node operators of which are in a desired service relationship with one another.
  • the term service relationship is to be understood as a directional connection, so that private resources of all parties involved in the context of a service relationship are adequately protected.
  • The same applies in general to different users: even if user A and user C use the same service of provider B, their private resources are mutually protected against unauthorized access, in particular by each other.
  • the properties of the network architecture or data processing center according to the invention that are assured to a user with regard to access security can advantageously be certified by a trustworthy external institution and monitored regularly.
  • the network architecture or data processing center according to the invention must be operated in an audit-proof manner, not least from the aforementioned aspect.
  • the starting point of service use can already be assigned to a user or user group in a manipulation-proof manner at the network level.
  • the alternative architecture can be set up and operated parallel to the classic Internet. It enables secure and controlled communication with the classic Internet, provided that a Secure Internet Gateway is available in the form of its own network safe. It also enables a gradual migration based on the classic Internet, since it does not have to be set up independently and ad hoc. The migration can initially be enforced in security or business-critical service infrastructures, since there is a high need for protection here.
  • the alternative architecture to the classic Internet is sufficiently flexible with regard to changing requirements.
  • it is also open to the integration of the business-to-consumer (B2C) and the consumer-to-consumer area.
  • FCAPS: F Fault Management, C Configuration Management, A Accounting, S Security Management
  • the user interface for the management of the network architecture according to the invention is designed essentially as a front end of a management database specific to the network architecture according to the invention.
  • Protocol and configuration data are only exchanged via the database.
  • Device- or operating system-specific backends are used to transfer the configuration data to the corresponding devices or servers.
  • FIG. 1 shows a schematic block diagram of a preferred variant of the network architecture according to the invention
  • FIG. 2 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention.
  • FIG. 3 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention.
  • FIG. 4 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention.
  • FIG. 5 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention.
  • FIG. 6 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention.
  • FIG. 7 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention.
  • FIG. 8 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention
  • FIG. 9 shows a schematic block diagram of a preferred variant of the data processing center according to the invention
  • FIG. 10 shows a schematic block diagram of a preferred variant of a detail of the data processing center from FIG. 9.
  • FIG. 1 shows a schematic block diagram of a preferred variant of the network architecture according to the invention, in which the method according to the invention is used.
  • the network architecture comprises a data processing center 1, hereinafter referred to as a network operation center (NOC), which has a data processing infrastructure 2 which can be connected to the nodes 4 of a data processing network via communication lines in the form of dedicated lines 3.
  • the nodes 4 are entitled to access the Network Operation Center (NOC) 1 as a result of corresponding usage contracts.
  • the nodes 4 are formed by so-called local area networks (LAN).
  • LAN local area networks
  • a node can also be a single computer.
  • the data processing infrastructure 2, which is also referred to below as the Application Service Infrastructure (ASI), represents an infrastructure via which one or more so-called Application Service Providers (ASP) provide services to one or more so-called Application Service Customers (ASC), i.e. services for example in the form of certain applications or the like.
  • the operator of the Network Operation Center (NOC) 1 is referred to as the Application Service Infrastructure Provider (ASIP) because it provides the necessary infrastructure.
  • the Application Service Infrastructure Provider (ASIP) can itself also operate as an Application Service Provider (ASP), i.e. provide not just the infrastructure but certain services.
  • the Application Service Infrastructure (ASI) 2 has a number of separate first infrastructure areas in the form of so-called network safes 5.
  • the network safes 5 have no direct connections to one another, which is indicated in FIG. 1 by the crossed arrows 6.
  • the Application Service Customer is authorized to access on the basis of usage contracts, i.e. certain services are provided by an Application Service Provider (ASP) to the operator of a node 4, which is authorized to access the corresponding Network Safe 5.
  • a Network Safe 5 connects only servers that provide a service together and are in a relationship of trust. As mentioned, the services provided by a network safe 5 can only be used by authorized nodes 4, the private resources of the nodes 4 being protected against mutual access, as will be explained further below.
  • a Network Safe 5 is in principle comparable to a Local Area Network (LAN), but for which the additional standardized communication restrictions explained below and guaranteed by the operator of the Network Operation Center (NOC) 1 apply:
  • the Application Service Infrastructure (ASI) 2 has a connection setup controller in the form of a so-called Application Service Infrastructure Access Router (ASI-AR) 7 for authorization-based control of the connection setup between the nodes 4 and the network safes 5.
  • ASI-AR Application Service Infrastructure Access Router
  • the Application Service Infrastructure Access Router (ASI-AR) 7 is designed in such a way that connections between a specific node 4 and a specific network safe 5 are only established when initiated by this specific node 4. This ensures that none of the network safes 5 can be misused as a router to establish a connection between a first node 4.1 and a second node 4.2 without the respective other node having initiated it. This is indicated in FIG. 1 by the crossed double arrows 8 and ultimately means that the private resources of the respective node 4 are protected against unauthorized access by others via the network operation center (NOC) 1 according to the invention.
  • the access scheme of the nodes 4 to the network safes 5, with which the Application Service Infrastructure Access Router (ASI-AR) 7 works, is represented in FIG. 1 by points 9, which connect horizontal and vertical lines 10 and 11 to one another in accordance with the respectively permitted service relationships:
  • the horizontal lines 10 symbolize the connections to the network safes 5, in which the servers are grouped which maintain a trust relationship within the scope of the provision of a service. Servers of a network safe 5 can communicate with one another without restriction.
  • the respective service is provided exclusively by exactly one server, only this server is located within the corresponding network safe 5.
  • the vertical lines 11 symbolize the access routes starting from the local infrastructures of the Application Service Customer (ASC), that is from the ASC.
  • access from a node 4, for example by an Application Service User (ASU) of an Application Service Customer (ASC) from a LAN of that Application Service Customer (ASC), to the Network Operation Center (NOC) 1 takes place exclusively via a dedicated access path, namely via dedicated lines 3.
  • the Application Service Infrastructure Access Router (ASI-AR) 7 is designed for access-list-based control of the connection establishment depending on the dedicated line 3 via which the connection establishment is initiated. For this purpose, the Application Service Infrastructure Access Router (ASI-AR) 7 detects which dedicated line 3 was used to initiate the connection and establishes the connection only with those network safes 5 which are assigned to this dedicated line 3 by the access lists mentioned above.
  • each node 4 receives a source address which is uniquely assigned to it, cannot be manipulated by software and is used as the starting point for further access decisions.
  • the access path of a node 4 to the Network Operation Center thus becomes a directed, non-transitive usage relationship, i.e. neither servers from a network safe 5 nor nodes 4 from different LAN environments can access each other's private infrastructures.
  • the addressing scheme used in the figures is based on IPv4 for didactic reasons and is also greatly simplified: the network masks used to subdivide certain network areas always end on 8-bit boundaries, and the implications of redundant structures are ignored.
  • a network safe 5 can also be distributed over different Network Operation Centers (NOC) of different operators, so that here too there would have to be higher-level organizational structures, comparable to those of the classic Internet, responsible for managing the address space.
  • the address space used in the examples is divided into individual network areas as follows: 10.n.*.* is the address space of the entire Network Operation Center (NOC) no. n; in the figures with only one Network Operation Center (NOC), a Network Operation Center (NOC) with the number 1 is assumed.
  • connection points 9 of the vertical access lines 11 with the horizontal service lines 10 each mark an access connection or permission for the respective service user or user group with respect to the service of the respective network safe 5.
  • FIG. 2 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention, which corresponds to a supplemented network architecture from FIG. 1. Identical components were therefore identified with identical reference numbers.
  • the network safes 5 have been supplemented by a simplified, representative server configuration.
  • the Network Safe S1 is used by Application Service Customer ASC1, which operates node 4.1, as a private network.
  • the server 14 connected to this network could, for example, provide cross-location intranet functionality for the Application Service Customer ASC1.
  • the server 14 is administered by the Application Service Customer ASC1 itself.
  • Network Safe S2 and S3 have an analogous meaning:
  • the connected servers 15 and 16 house the private services of Application Service Customer ASC2 and Application Service Provider ASP1, which operate nodes 4.2 and 4.3, respectively.
  • the application service provider ASP1 provides a service to the application service customer ASC1 and the application service customer ASC2 on second infrastructure areas in the form of separate servers 17 and 18 in the network safes S4 and S5.
  • the servers 17 and 18 are administered by the Application Service Provider ASP1 on the basis of Network Safe S6.
  • the servers 17 and 18 connect the network safes S4 and S6, and S5 and S6 respectively, as second infrastructure areas.
  • a Network Safe 5 connects only the servers that provide a service together and are in a relationship of trust with each other.
  • the services provided by a network safe 5 can only be used by authorized nodes 4, the private resources of the nodes 4 being protected against mutual access.
  • a Network Safe 5 is in principle comparable to a Local Area Network (LAN), but for which additional standardized communication restrictions that are guaranteed by the operator of the data processing infrastructure apply:
  • a network safe 5 only accepts data packets which contain, as the source address, the address of the network interface 13 of a node 4 which is authorized to access the relevant network safe 5.
  • the data packets leaving a Network Safe 5 must contain the address of another server in the same Network Operation Center (NOC) or the address of an access-authorized node as the destination address.
  • a network safe 5 can be accessed by those nodes 4 whose operators are authorized to use the service of the respective network safe 5.
  • This usage relationship is a directed relationship, i.e. even if the node 4 of the service user itself also provides a service, that service can be used neither by the servers of the network safe 5 nor by another node 4.
  • the security mechanisms are based on the content of one or more data packets, which can be manipulated by software.
  • the security mechanisms of the network architecture described are based on simple chains, the first link of which is always anchored to the physical access path of a packet.
  • the filter chains of the Network Safes 5 are explicitly linked to the server ports and the output port of the Network Safes 5.
  • the Network Operation Center (NOC) is accessed via a physical-level access path, namely dedicated lines 3.
  • a source address is uniquely bound to the dedicated access path and is automatically assigned to all data packets that reach the Network Operation Center (NOC) by this path.
  • FIG. 3 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention, which corresponds to a first application scenario of the network architecture from FIG. 2. Identical components have been identified with identical reference numbers.
  • the first application scenario from FIG. 3 is a simplification of the server constellation from FIG. 2.
  • Application service provider ASP1 makes its application available on a server 19 which is shared by the application service customers ASC1 and ASC2.
  • the server is administered using the same Network Safe S4.
  • Application Service Customer ASC1 and ASC2 in turn operate private servers 14 and 15 in Network Safe S1 and S2.
  • the server 19 is therefore operated with the client data completely separated on an IP basis by the operating system and/or the databases.
  • devices such as firewalls, a so-called trusted operating system or, as mentioned, an application with IP-based privilege restrictions can be used.
  • FIG. 4 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention, which corresponds to a second application scenario in the form of a refinement of the network architecture from FIG. 2. Identical components have therefore been identified with identical reference numbers.
  • the Network Safe S6 is additionally used to supply the application, which is provided on the servers 17 and 18 as described for FIG. 2, with database services.
  • a first database server 20 connected to the Network Safe S6 is available for the Application Service Customer ASC1 and a second database server 21 connected to the Network Safe S6 for the Application Service Customer ASC2.
  • FIG. 5 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention, which corresponds to a third application scenario in the form of a modification of the network architecture described in relation to FIG. Identical components were identified with identical reference numbers.
  • the application service provider ASP1 provides a service for the application service customers ASC1 to ASC5 on a server 22 which is connected to the network safes S7 and S8.
  • the nodes 4 of the Application Service Customers ASC1 to ASC5 are connected to the network safe S7 and access the server 22 via it, while the Application Service Provider ASP1 administers the service via the network safe S8 in the manner already described for FIG. 2.
  • the server 22 is operated with the client data of the Application Service Customers ASC1 to ASC5 completely separated on an IP basis by the operating system and/or the databases.
  • devices such as firewalls, a so-called trusted operating system or, as already mentioned above, an application with IP-based privilege restrictions can also be used here.
  • FIG. 6 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention, which corresponds to a fourth application scenario in the form of an addition to the network architecture described in FIG. 2, so that only the addition is to be dealt with.
  • Identical components have been identified with identical reference numbers.
  • a second application service provider ASP2 makes another service available to application service customer ASC1 and application service customer ASC2 on separate servers 23 and 24 in network safes S9 and S10.
  • the servers 23 and 24 are administered by the second application service provider ASP2 starting from Network Safe S11. It is also assumed here that the application in combination with the operating system may be able to provide the administration services only on the network interface connected to Network Safe S11.
  • FIG. 7 shows a schematic block diagram of a further preferred variant of the network architecture according to the invention. This is an extension of the basic model shown in FIG. 2 to two Network Operation Centers (NOC) 1.1 and 1.2, the Network Operation Center (NOC) 1.1 corresponding to the Network Operation Center (NOC) 1 from FIG. 2.
  • the contents of the network safes 5.1 and 5.2 and of the servers 17.1 and 17.2, or 18.1 and 18.2, are synchronized with each other, so that the same data is available to the Application Service Customers ASC1 and ASC2 and to the Application Service Provider ASP1 in both Network Operation Centers (NOC) 1.1 and 1.2.
  • the Application Service Customer ASC1 or ASC2 access the respective Network Operation Center (NOC) 1.1 or 1.2 from different access points 4.1.1 and 4.1.2 or 4.2.1 and 4.2.2.
  • the expansion of the basic model to several network operation centers takes place via dedicated, correspondingly tamper-proof communication connections of the participating network operation centers (NOC) 1.1 and 1.2, which are implemented in the form of dedicated lines 25.
  • the distribution of a network safe over several Network Operation Centers (NOC) is carried out by appropriate routers, not shown in FIG. 7, i.e. synchronization devices, that is to say on OSI network layer 3.
  • each Network Operation Center should be externally certified in accordance with the communication restrictions mentioned and operated in an audit-proof manner in accordance with the relevant organizational rules. In this way it can be excluded that data packets are manipulated by attack software within the infrastructure, which enables the use of conventional layer 3 technology at this point.
  • FIG. 8 illustrates, as an extension of the variant from FIG. 7, the possibility of synchronizing n network operation centers NOC1 to NOCn, in particular their network safes 5.1 to 5.n, with n being an arbitrary integer.
  • in FIGS. 7 and 8, examples were set out in which all the infrastructure areas of the Network Operation Center (NOC) are synchronized with one another.
  • FIG. 9 shows a schematic block diagram of a preferred example of a technical implementation of the core architecture of the Network Operation Center (NOC) 1 from FIG. 1.
  • a modular multilayer switch Catalyst 6506 from CISCO Systems Inc. is assumed as the first core component 26.
  • a connection of the customers by X.21 dedicated lines 3 was assumed.
  • the entire access area, especially the customer-side router 28, is the responsibility of the operator of the Network Operation Center (NOC) 1.
  • the dial-in area, via which a mobile user 29 can dial in via a telecommunications network 30, is covered by a component 31 in the form of a modular multiservice router CISCO 3620.
  • the router of the dial-in area uses the authentication server (ACE / KEON), which is shown in connection with the Secure Internet Gateway described with reference to FIG.
  • An Internet service server 32, a Unix firewall 33, a virus scanner 35 and a security server 36 are also available as further components, which are connected to the first core component 26.
  • the network safes 5 are implemented as so-called virtual LANs (in the terminology of the company CISCO Systems Inc. for short VLANs), which are connected to the first core component 26.
  • a respective application server 36 is connected to the network safes 5.
  • the original idea was to use virtual LANs (VLANs) of this kind across locations to implement the network safes.
  • Such an implementation would have had the following disadvantages: In the case of network safes that would have been equipped with two servers at different locations, the router would not have been able to react to a connection failure between the two locations despite the so-called auto-state feature.
  • the SANS Institute also identified security deficiencies in the implementation of cross-switch (or router) VLANs (see "http://www.sans.org/newlook/resources/IDFAQ/vlan.htm").
  • VLANs are therefore limited to the implementation of network safes within a network operation center (NOC).
  • the cross-location realization of network safes takes place, as already shown above, with conventional routing techniques.
  • FIG. 10 shows a preferred exemplary embodiment for a so-called Secure Internet Gateway 37, which has the task of connecting the network architecture according to the invention in a controlled and secure manner to the classic Internet.
  • state-of-the-art technology is used, but with the highest priority in terms of security.
  • no direct connection is generally possible between the network architecture according to the invention and the classic Internet.
  • the connections are made exclusively via so-called application level gateways, which are protected by a multi-level firewall concept.
  • the WEB proxies are generally used by means of authentication.
  • the services provided by the Secure Internet Gateway 37 are used in the form of a separate network safe.
  • the customer, i.e. the relevant Application Service Customer (ASC) or Application Service Provider (ASP), can thus freely decide whether to use this form of connection with the classic Internet.
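The access rules the description assigns to the ASI-AR 7 (connection setup only on the node's own initiative, keyed to the dedicated line the request arrives on) and to the network safes 5 (ingress only from the address of an authorized node interface, egress only to another server of the same NOC or to an authorized node, directed and non-transitive usage) can be checked against a small model. The following Python block is an added example, not code from the patent or its applicants; the addresses, line identifiers, safe names and the FIG. 2-like scenario it builds are constructed for illustration, and the 10.1.*.* address space follows the simplified scheme described above.

```python
"""Added example (not the patent's own code): a model of the access rules the
description assigns to the ASI-AR 7 and to the network safes 5.  Every address,
line identifier and safe name below is constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


def _addr(a):
    """Accept either a dotted string or an IPv4Address."""
    return IPv4Address(a)


@dataclass(frozen=True)
class NetworkSafe:
    name: str
    servers: frozenset      # IPv4Address of every server grouped in this safe


@dataclass
class Noc:
    """One Network Operation Center: address space, safes, lines and access lists."""
    space: IPv4Network                     # 10.n.*.* for NOC number n
    safes: dict                            # safe name -> NetworkSafe
    line_to_node: dict                     # dedicated line id -> node source address bound to it
    access: dict = field(default_factory=dict)   # line id -> {safe names}; the points 9 of FIG. 1
    sessions: set = field(default_factory=set)   # (node address, safe) connections opened by the node

    def grant(self, line, safe_name):
        self.access.setdefault(line, set()).add(safe_name)

    def authorized_nodes(self, safe_name):
        """Addresses of the nodes whose dedicated line carries a grant for the safe."""
        return {self.line_to_node[ln] for ln, s in self.access.items() if safe_name in s}

    # ASI-AR 7: the connection is set up only on the node's own initiative, and the
    # decision is keyed to the physical line the request arrived on, not to a claimed address.
    def connect(self, line, claimed_src, safe_name):
        bound = self.line_to_node.get(line)
        if bound is None or bound != _addr(claimed_src):
            return False        # the source address is fixed per line; a spoofed one is rejected
        if safe_name not in self.access.get(line, set()):
            return False        # no point 9 for this line/safe pair
        self.sessions.add((bound, safe_name))
        return True

    # Network safe ingress filter: only packets whose source is an authorized node interface.
    def ingress_ok(self, safe_name, src):
        return _addr(src) in self.authorized_nodes(safe_name)

    # Network safe egress filter: the destination must be another server of the same NOC,
    # or an authorized node that itself opened the session (directed usage relationship).
    def egress_ok(self, safe_name, dst):
        dst = _addr(dst)
        if dst in self.space and any(dst in s.servers for s in self.safes.values()):
            return True
        return dst in self.authorized_nodes(safe_name) and (dst, safe_name) in self.sessions

    def relay_possible(self, src_node, safe_name, dst_node):
        """Could the safe be misused as a router from one node to another (crossed arrows 8)?"""
        return self.ingress_ok(safe_name, src_node) and self.egress_ok(safe_name, dst_node)


def build_fig2_like_noc():
    """Constructed scenario modelled on FIG. 2: ASC1, ASC2 and ASP1 on nodes 4.1, 4.2, 4.3
    behind lines 1 to 3; private safes S1 to S3; service safe S4 shares server 17 with S6."""
    srv14, srv15, srv16, srv17 = map(_addr, ["10.1.1.14", "10.1.2.15", "10.1.3.16", "10.1.4.17"])
    noc = Noc(
        space=IPv4Network("10.1.0.0/16"),             # NOC no. 1 -> 10.1.*.*
        safes={
            "S1": NetworkSafe("S1", frozenset({srv14})),
            "S2": NetworkSafe("S2", frozenset({srv15})),
            "S3": NetworkSafe("S3", frozenset({srv16})),
            "S4": NetworkSafe("S4", frozenset({srv17})),
            "S6": NetworkSafe("S6", frozenset({srv17})),  # server 17 sits in S4 and S6
        },
        line_to_node={"line-1": _addr("10.1.101.1"),    # node 4.1 (ASC1)
                      "line-2": _addr("10.1.102.1"),    # node 4.2 (ASC2)
                      "line-3": _addr("10.1.103.1")},   # node 4.3 (ASP1)
    )
    for line, safe in [("line-1", "S1"), ("line-1", "S4"), ("line-2", "S2"),
                       ("line-3", "S3"), ("line-3", "S6")]:
        noc.grant(line, safe)
    return noc


if __name__ == "__main__":
    noc = build_fig2_like_noc()
    print("4.1 -> S1:", noc.connect("line-1", "10.1.101.1", "S1"))                     # True
    print("4.1 -> S2:", noc.connect("line-1", "10.1.101.1", "S2"))                     # False, no grant
    print("4.1's address on ASC2's line:", noc.connect("line-2", "10.1.101.1", "S2"))  # False
    print("S1 server -> node 4.2:", noc.egress_ok("S1", "10.1.102.1"))                 # False
    print("S4 as router 4.1 -> 4.3:", noc.relay_possible("10.1.101.1", "S4", "10.1.103.1"))  # False
```

The model keeps the two decisions the description separates: the ASI-AR decides on connection setup from the physical line, so a node's address presented on another customer's line is rejected regardless of what the packet claims, and the safe's egress filter only returns traffic to a node that opened its own session, which is what makes the usage relationship directed and prevents a safe from being used as a router between two nodes.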

Abstract

The invention relates to a communication network, an associated communication method and a communication module. The communication network consists of a first server group, at least one second server group and a first communication path between the first and the second server group. The object of the invention is to provide a communication network, a communication method and a communication module for use within a communication network in which, in particular, the possibilities for misuse of data by users of a communication network are significantly reduced. This object is achieved in that the first communication path comprises a connection module for establishing and maintaining a first communication, this module being designed to allow a service available in the first server group to be used by the second server group, without allowing a service available in the second server group to be used by the first server group.
PCT/EP2002/008293 2001-07-31 2002-07-25 Architecture de reseau a securite amelioree WO2003015372A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP02754937A EP1470685A1 (fr) 2001-07-31 2002-07-25 Architecture de reseau a securite amelioree

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE10137573 2001-07-31
DE10137573.5 2001-07-31

Publications (1)

Publication Number Publication Date
WO2003015372A1 true WO2003015372A1 (fr) 2003-02-20

Family

ID=7693914

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2002/008293 WO2003015372A1 (fr) 2001-07-31 2002-07-25 Architecture de reseau a securite amelioree

Country Status (3)

Country Link
EP (1) EP1470685A1 (fr)
DE (1) DE10234562B4 (fr)
WO (1) WO2003015372A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6055236A (en) * 1998-03-05 2000-04-25 3Com Corporation Method and system for locating network services with distributed network address translation
WO2001031874A2 (fr) * 1999-10-28 2001-05-03 Jpmorgan Chase Bank Systeme mandataire de sequençage de session protegee acceptant plusieurs applications et methode afferente
US6249873B1 (en) * 1997-02-28 2001-06-19 Xcert Software, Inc. Method of and apparatus for providing secure distributed directory services and public key infrastructure

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996005549A1 (fr) * 1994-08-09 1996-02-22 Shiva Corporation Procede et dispositif permettant de limiter l'acces a un reseau local d'ordinateurs
DE19962937A1 (de) * 1999-12-24 2001-06-28 Raven Pack Ag Verfahren und Vorrichtung zur Bereitstellung von Daten an einen Netzwerkbenutzer

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANDREW S. TANENBAUM: "Computer Networks, 3rd Edition, ISBN 0-13-349945-6", 1996, PRENTICE HALL PTR, NEW JERSEY, XP002222724 *

Also Published As

Publication number Publication date
DE10234562A1 (de) 2003-02-20
EP1470685A1 (fr) 2004-10-27
DE10234562B4 (de) 2008-07-24

Similar Documents

Publication Publication Date Title
DE69836271T2 (de) Mehrstufiges firewall-system
DE19740547B4 (de) Vorrichtung und Verfahren zum Sicherstellen sicherer Kommunikation zwischen einer anfordernden Entität und einer bedienenden Entität
DE60019997T2 (de) Ggesicherte Kommunikation mit mobilen Rechnern
DE69928504T2 (de) Bereitstellung eines sicheren Zugriffs auf Netzwerkdienste
DE10393628B4 (de) System und Verfahren zum Integrieren mobiler Vernetzung mit sicherheitsbasierten virtuellen privaten Netzwerksystemen (VPNS)
DE60315521T2 (de) Kreuzungen von virtuellen privaten Netzwerken basierend auf Zertifikaten
DE69731965T2 (de) Zugriff auf rechnerbetriebsmittel von aussen durch eine firewall
DE60212289T2 (de) Verwaltung privater virtueller Netze (VPN)
DE60203433T2 (de) Externer Zugriff auf eine gesicherte Vorrichtung in einem privaten Netzwerk
DE102016124383B4 (de) Computersystem-Architektur sowie Computernetz-Infrastruktur, umfassend eine Mehrzahl von solchen Computersystem-Architekturen
DE60213391T2 (de) Persönlicher Firewall mit Positionsdetektion
DE60111089T2 (de) Verfahren und Vorrichtung zum Analysieren von einer oder mehrerer Firewalls
DE19741239C2 (de) Verallgemeinertes Sicherheitspolitik-Management-System und Verfahren
DE60121755T2 (de) Ipsec-verarbeitung
DE60201716T2 (de) Verfahren und Vorrichtung zum Schutz von E-Commerce-Site gegen Distributed-Denial-of-Service Angriffen
EP1417820B1 (fr) Procede et systeme informatique permettant la protection de la communication dans des reseaux
DE112004000125T5 (de) Gesichertes Client-Server-Datenübertragungssystem
DE69734179T2 (de) Verfahren und Vorrichtung zum Begrenzen des Zugriffs auf private Information in Domain Name Systemen durch Informationsfilterung
DE10234562B4 (de) Sichere Netzwerkarchitektur
DE60127187T2 (de) System und verfahren zur bereitstellung von diensten in virtuellen privatnetzen
DE19645006B4 (de) Verfahren zur Kommunikation zwischen Prozessen
EP1699181A1 (fr) Procédé et système de configuration automatique d'un sous-réseau dans un réseau
DE60031004T2 (de) Elektronisches sicherheitssystem und verfahren für ein kommunikationsnetz
DE102019120112B4 (de) Elektrische Netzwerkumschaltung
EP2436166B1 (fr) Interface de service

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DK DZ EC EE ES FI GB GD GE GH GM HR ID IL IN IS JP KE KG KP KR KZ LC LK LS LT LU LV MA MD MG MK MN MW MZ NO NZ OM PH PL PT RO RU SD SE SI SK SL TJ TM TN TR TT TZ UA UG UZ VN YU ZA ZM

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZM ZW AM AZ BY KG KZ RU TJ TM AT BE BG CH CY CZ DK EE ES FI FR GB GR IE IT LU MC PT SE SK TR BF BJ CF CG CI GA GN GQ GW ML MR NE SN TD TG

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2002754937

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2002754937

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2002754937

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP