WO2007014507A1 - System and method for controling ngn service-based firewall - Google Patents
- Publication number
- WO2007014507A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- service
- firewall
- media stream
- packet filtering
- ngn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0218—Distributed architectures, e.g. distributed firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
Definitions
- the present invention relates to the field of network communication technologies, and more particularly to a firewall control system and method based on Next Generation Network (NGN) services.
- NGN Next Generation Network
- IP Internet Protocol
- firewall products are mainly divided into two types: packet filtering firewalls and proxy firewalls.
- the packet filtering firewall works at the transport layer
- the proxy firewall works at the application layer.
- the packet filtering firewall further includes the following four working modes:
- the static packet filtering firewall implements static packet filtering based on packet header information.
- the static packet filtering firewall makes an allow-or-reject decision for each packet received.
- the firewall examines each packet to determine if it matches a packet filtering rule.
- the filtering rules are based on header information that can be provided to the IP forwarding process. Packet filtering mainly checks the following contents in the packet header: IP source address, IP destination address, protocol type (TCP packet, UDP packet, and ICMP packet), destination port of TCP or UDP packet, source port of TCP or UDP packet, ICMP message type, the ACK bit of the TCP header, and so on.
- the disadvantages of the static packet filtering firewall are: maintenance is difficult; it cannot effectively prevent hacker attacks; it does not support application layer filtering and cannot prevent data-driven attacks; and it cannot provide comprehensive control over the information flowing on the network. Therefore, static packet filtering is less secure.
- the method of dynamically setting packet filtering rules avoids the problems of static packet filtering. Dynamic packet filtering only opens the port at the request of the user and closes the port after the service is completed, which reduces the possibility of attacks related to open ports. Firewalls can dynamically determine which packets can pass through the link and application layer services of the internal network. The corresponding access policy can be configured, the port is automatically opened only within the allowed range, and the port is closed when the communication ends.
- Dynamic Packet Filtering Firewall minimizes the number of exposed ports in both directions, providing greater security to the network. For many application protocols, such as media streaming, dynamic IP packet filtering provides the most secure way to handle dynamic allocations.
- the stateful inspection firewall checks the association between data packets while packet filtering, and checks the dynamically changing status codes in the data packets. It has a monitoring engine that measures the layers of network communication by extracting relevant data, extracts state information, and dynamically saves it as a reference for future implementation of security policies. Before the user access request arrives at the gateway's operating system, the status monitor extracts relevant data for analysis, and combines network configuration and security regulations to perform admission, rejection, identity authentication, alarming, or encryption of the communication.
- the stateful inspection firewall retains the state connection table and treats the data coming in and out of the network as a single session, using the state table to track each session state.
- the status monitoring checks each packet not only according to the rules table, but also considers whether the data packet conforms to the state of the session, thus providing a complete control of the transport layer.
- mainstream firewalls on the market are generally full-state detection firewalls. The security of stateful inspection firewalls is improved to a certain extent, but their performance in dealing with DDoS attacks, implementing application layer content filtering, and virus filtering is not satisfactory.
- Deep packet inspection technology combines intrusion detection and attack prevention. It can inspect the packet flow and detect malicious behavior, search for known attacks based on feature detection and content filtering, understand what "normal" communication is, and prevent abnormal access.
- the deep packet inspection engine uses techniques based on fingerprint matching, heuristics, anomaly detection, and statistical analysis to determine how to process packets. Deep packet inspection firewalls can effectively block DDoS attacks, virus propagation issues, and advanced application intrusion issues.
- proxy firewall technology has likewise evolved from the application layer proxy (Proxy) and the circuit layer proxy (Circuit Proxy) to the adaptive proxy (Application Proxy) firewall.
- the application layer proxy is also referred to as an application layer gateway.
- a proxy service is a specialized application or server program that runs on a firewall host.
- the application layer proxy provides a proxy for a special service that parses the application protocol and interprets the commands of the application protocol.
- the application layer proxy firewall can interpret the application protocol and support user authentication, so that the application layer data can be controlled more finely.
- the disadvantage is that it is inefficient, cannot support large-scale concurrent connections, and serves only a single protocol.
- application agents and packet filtering firewalls are widely used.
- the application proxy and the packet filtering firewall can coexist, and filter the data packets transmitted from the network from the two layers.
- the settings of static packet filtering, state detection, and deep packet inspection in the NGN transport layer are performed by the administrator and can only be handled through the coarse-grained security level configuration set by the operation policy, and the presence of the NGN service layer (including the session control agent) is invisible.
- although a firewall provides packet filtering with different security levels, such as static packet filtering, dynamic packet filtering, state detection, and deep packet inspection, it cannot dynamically select and perform packet filtering functions of different security levels according to user requirements and session types.
- Another object of the present invention is to provide a firewall control method based on NGN services, so that a firewall based on packet filtering can perform fine-grained security grading processing per user, per session, for NGN.
- the invention provides a firewall control system based on an NGN service, comprising: an application layer proxy module, comprising an application proxy based firewall function, located in an NGN service control device, configured to parse application layer signaling, perform security detection of the signaling flow, determine security level requirement information of the service media stream, and provide it to the policy decision function entity;
- the policy decision function entity, determining the security level control information of the service media stream according to the security level requirement information of the service media stream and the saved policy information, and providing it to the packet-filtering-based firewall function module;
- the firewall function module, set in the network border device and used to perform security detection on the service media stream flowing through according to the security level control information of the media stream.
- the service control device includes:
- the proxy call session control function entity (P-CSCF) in the multimedia subsystem (IMS) of the NGN, or the call proxy device in the softswitch system of the NGN, or a service control device with the application layer proxy function in other NGN service systems.
- the policy decision function entity is set in the service control device or the network border device, or is set as an independent device.
- the firewall function module specifically includes:
- the packet filtering mode selection module is configured to determine a firewall packet filtering mode for performing security detection on the service media stream according to the media stream security level control information provided by the policy decision function entity, and to enable the corresponding packet-filtering-based firewall processing function in the packet filtering processing module.
- the packet filtering processing module includes the firewall functions of the various firewall packet filtering working modes.
- the firewall function of each firewall packet filtering working mode is enabled under the control of the packet filtering mode selection module, and security detection is performed on the corresponding service.
- the firewall packet filtering working mode set by the packet filtering processing module includes: any one of dynamic packet filtering, full state detection, and deep packet detection, or any combination of any one or more.
- the present invention provides a firewall control method based on an NGN service, including:
- step A: the application layer proxy module in the service control device parses the application layer signaling, performs security detection of the signaling flow, determines the security level requirement information of the service media stream, and provides it to the policy decision function entity;
- step B: the policy decision function entity determines the security level control information of the media stream according to the security level requirement information of the media stream and the saved policy information, and provides the information to the network boundary device.
- step C: the firewall function module in the network border device performs security detection on the service media stream flowing through according to the security level control information of the media stream.
- the step A described includes:
- the application layer proxy module parses the application layer signaling, performs security detection of the signaling flow, and determines security level requirement information of the service media stream according to the application attribute or the user attribute; the media stream identification information of the service and the security level requirement information of the media stream are provided together to the policy decision function entity.
- the step A described further includes:
- the media stream identification information and the security level requirement information of the service are provided together with the service quality parameter requirement information of the service to the policy decision function entity.
- the step B described includes:
- the policy decision function entity maps the security level requirement information of the service media stream to the security level control information of the media stream according to the security level requirement information of the media stream and the saved policy information, and provides the information to the corresponding network boundary device.
- the step C described includes:
- the firewall function module in the network border device selects, according to the security level control information of the media stream, a firewall packet filtering working mode for performing security detection on the service media stream flowing through;
- Security detection is performed on the service media stream flowing through according to the selected firewall packet filtering working mode.
- the firewall packet filtering working manner includes:
- the packet filtering-based firewall can perform fine-grained security grading processing per user per session of NGN. It can dynamically select packet filtering methods of different security levels according to user requirements and session types to prevent network attacks such as resource theft, IP address masquerading, denial of service and advanced application intrusion.
- the service security level requirement information and the network security level control information can be independently defined, and the policy decision function is mapped according to the policy rules, thereby realizing the separation feature of the NGN service layer and the transport layer.
- the application proxy firewall function and the packet filtering-based firewall function are respectively located on the service control device and the network boundary device; their technology evolution and function enhancement proceed independently and do not affect each other, and only the policy rules in the policy decision function need to be modified for them to work together.
- FIG. 1 is a schematic structural diagram of a firewall dynamic control system in accordance with an embodiment of the present invention
- FIG. 2 is a schematic flow chart showing an implementation of a firewall dynamic control method according to an embodiment of the present invention.
- Mode for carrying out the invention
- the session control proxy function is an indispensable component, such as P-CSCF (Proxy Call Session Control Function) in IMS (Multimedia Service Subsystem), which is essentially an application proxy, which is a multimedia session.
- P-CSCF Proxy Call Session Control Function
- IMS Multimedia Service Subsystem
- NAPT application layer NAPT
- the packet filtering-based firewall function is an indispensable security component, including static packet filtering, dynamic packet filtering, stateful inspection, and deep packet inspection. It is usually deployed at the edge of the network to protect internal components of the network from attack.
- the present invention provides a firewall dynamic control system and method that supports NGN service security levels.
- the packet-filter-based firewall can perform fine-grained security grading processing for each session of each user of NGN, dynamically selecting a packet filtering method of the appropriate security level, such as dynamic packet filtering, stateful inspection, or deep packet inspection, according to user requirements and session types, to prevent network attacks such as resource theft, IP address masquerading, denial of service, and advanced application intrusion.
- the system and method provided by the present invention can be independently applied as a security solution for NGN services, or integrated into the resource and admission control framework of the NGN as a comprehensive solution for transmitting quality of service, security, and NAPT traversal for NGN services.
- An exemplary structural block diagram of the firewall dynamic control system of the present invention is shown in FIG. 1, and specifically includes:
- the application layer proxy (Application Proxy) module, which includes an application proxy-based firewall function, is preferably located in the service control device, and is configured to parse and process the application layer signaling, perform security detection of the signaling flow, determine the security level requirement information of the service media stream, and provide it to the policy decision function entity;
- the service control proxy device may be: a P-CSCF (Proxy Call Session Control Function) device in the NGN IP Multimedia Subsystem (IMS), or a CallAgent (Call Agent) device in the NGN Softswitch System (Softswitch), or a service control device containing the application layer proxy function in other NGN service systems.
- IMS NGN IP Multimedia Subsystem
- Softswitch NGN Softswitch System
- the policy decision function entity can be a standalone device or a function module integrated in the service control device or network edge device.
- a firewall function module is disposed in the network edge device, and is configured to perform packet-based security detection on the service media stream that flows through according to the security level control information of the media stream, where the module specifically includes:
- the packet filtering mode selection module is configured to determine a firewall packet filtering mode for performing security detection on the service media stream according to the security level control information of the media stream provided by the policy decision function entity, and to enable the corresponding packet-filtering-based firewall processing function in the packet filtering processing module;
- the packet filtering processing module includes the firewall functions of the various firewall packet filtering working modes.
- the firewall function of each firewall packet filtering working mode is enabled under the control of the packet filtering mode selection module, and security detection is performed on the corresponding service media stream.
- firewall packet filtering methods described include: Dynamic packet filter, Stateful inspection, and Deep packet inspection firewall functions, and the like.
- Step 21: The service control device performs an application layer proxy function to parse, securely detect, and proxy the application layer signaling flow, that is, it implements an application proxy based firewall technology.
- the application-based firewall function is included in the "application layer proxy" function module. At the same time, it supports user authentication, which is used to perform security check on access users and access authentication processing.
- Step 22: The service control device determines the media stream security level of the application service according to the application attribute or the user attribute, and the media stream identification information and the security level requirement information of the service are provided to the policy decision function entity;
- the application attribute or the user attribute includes: a service type (the voice stream may be higher than a video stream), a security requirement that the user subscribes to the operator (such as a security requirement of the enterprise user), and the like, and corresponding application attributes.
- the user attribute information may be stored in the user database or the service database, or may be the coarse classification information configured in the service control device, determined by the commercial operation mode, which is difficult to standardize or protect by patent;
- Step 23: The policy decision function maps the received security level requirement information of the media stream of the service to the security level control information of the media stream based on the policy rule.
- the policy rules may be specifically determined by the operator according to the device deployment and the business operation mode;
- Step 24: The policy decision function provides the media stream identification information of the service and the security level control information of the media stream to the network border device to control the packet filtering-based firewall function in the network border device; according to the application requirement, the policy decision function entity may also provide this information to the network border device along with other QoS and NAPT control information;
- Step 25: The network border device selects a firewall packet filtering mode corresponding to the security level according to the security level control information of the received media stream.
- the firewall packet filtering mode such as dynamic packet filtering, state detection, or deep packet inspection may be selected.
- a packet filtering-based firewall function is implemented for the media stream of the service to prevent network attacks such as resource theft, IP address masquerading, denial of service, and advanced application intrusion.
- the cooperative operation between the session control proxy function of the service layer and the packet filtering-based firewall function of the transport layer enables the packet-filter-based firewall to perform fine-grained security grading of NGN per user per session.
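
The control chain of steps 21 to 25, as an added example that is not part of the patent text: the application layer proxy derives a security level requirement per media stream, the policy decision function maps it to control information, and the border firewall selects a packet filtering mode per stream and drops anything that was not signalled. The level names, the subscriber and policy tables, the constructed SIP/SDP message and the signalling checks are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class FilterMode(Enum):
    DYNAMIC_PACKET_FILTER = "dynamic packet filtering"
    STATEFUL_INSPECTION = "stateful inspection"
    DEEP_PACKET_INSPECTION = "deep packet inspection"


@dataclass(frozen=True)
class MediaStream:
    """Media stream identification information (assumed form: address, port, protocol)."""
    dst_ip: str
    dst_port: int
    proto: str


# Constructed sample signalling: a trimmed SIP INVITE with an SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:alice@corp.example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

LEVEL_ORDER = ["low", "medium", "high"]            # assumed requirement levels
# Assumed user attribute: security requirement subscribed with the operator.
SUBSCRIBED_LEVEL = {"sip:alice@corp.example.com": "high"}
# Assumed application attribute: default requirement per service type.
SERVICE_LEVEL = {"audio": "medium", "video": "low"}
# Assumed operator policy rules: requirement level -> control information.
POLICY_RULES = {
    "low": FilterMode.DYNAMIC_PACKET_FILTER,
    "medium": FilterMode.STATEFUL_INSPECTION,
    "high": FilterMode.DEEP_PACKET_INSPECTION,
}


def application_layer_proxy(message):
    """Steps 21-22: parse and check signalling, return (stream, requirement) pairs."""
    head, _, body = message.partition("\r\n\r\n")
    headers = dict(line.split(": ", 1) for line in head.split("\r\n")[1:])
    user = headers.get("From", "").strip("<>")
    if not user:
        raise ValueError("signalling rejected: no caller identity")
    conn_ip, results = None, []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            conn_ip = line.split()[-1]
        elif line.startswith("m="):
            media, port, _rest = line[2:].split(" ", 2)
            if conn_ip is None or not 1024 <= int(port) <= 65535:
                raise ValueError("signalling rejected: bad media description")
            # The stricter of the service-type and subscribed requirement wins;
            # an unknown service type is treated as "high".
            level = max(SERVICE_LEVEL.get(media, "high"),
                        SUBSCRIBED_LEVEL.get(user, "low"), key=LEVEL_ORDER.index)
            results.append((MediaStream(conn_ip, int(port), "udp"), level))
    return results


def policy_decision(requirements, rules=POLICY_RULES):
    """Steps 23-24: map requirement information to control information per stream."""
    return {stream: rules[level] for stream, level in requirements}


class BorderFirewall:
    """Step 25: per-stream filter mode selection at the network border device."""

    def __init__(self):
        self.pinholes = {}

    def install(self, control_info):
        self.pinholes.update(control_info)

    def release(self, streams):
        """Close the pinholes again when the session ends."""
        for stream in streams:
            self.pinholes.pop(stream, None)

    def handle(self, dst_ip, dst_port, proto):
        """Return the filtering mode for a packet, or drop it if no session opened it."""
        mode = self.pinholes.get(MediaStream(dst_ip, dst_port, proto))
        return ("filter", mode) if mode else ("drop", None)


def setup_session(message, firewall):
    """Run the whole chain for one session and return the streams it opened."""
    control = policy_decision(application_layer_proxy(message))
    firewall.install(control)
    return list(control)
```
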
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AT06742029T ATE454781T1 (de) | 2005-07-30 | 2006-05-29 | Device and method for controlling a next-generation services-based firewall |
DE602006011569T DE602006011569D1 (de) | 2005-07-30 | 2006-05-29 | Device and method for controlling a next-generation services-based firewall |
CN200680012307.7A CN101160774B (zh) | 2005-07-30 | 2006-05-29 | Firewall control system and method based on next generation network service |
EP06742029A EP1802023B1 (en) | 2005-07-30 | 2006-05-29 | System and method for controling ngn service-based firewall |
US11/785,991 US7987503B2 (en) | 2005-07-30 | 2007-04-23 | Firewall control system based on a next generation network service and method thereof |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200510085721.8A CN1905555B (zh) | 2005-07-30 | 2005-07-30 | Firewall control system and method based on NGN service |
CN200510085721.8 | 2005-07-30 |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/785,991 Continuation US7987503B2 (en) | 2005-07-30 | 2007-04-23 | Firewall control system based on a next generation network service and method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007014507A1 (en) | 2007-02-08 |
Family
ID=37674681
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2006/001141 WO2007014507A1 (en) | 2005-07-30 | 2006-05-29 | System and method for controling ngn service-based firewall |
Country Status (7)
Country | Link |
---|---|
US (1) | US7987503B2 (zh) |
EP (1) | EP1802023B1 (zh) |
CN (2) | CN1905555B (zh) |
AT (1) | ATE454781T1 (zh) |
DE (1) | DE602006011569D1 (zh) |
ES (1) | ES2355047T3 (zh) |
WO (1) | WO2007014507A1 (zh) |
-
2005
- 2005-07-30 CN CN200510085721.8A patent/CN1905555B/zh active Active
-
2006
- 2006-05-29 EP EP06742029A patent/EP1802023B1/en active Active
- 2006-05-29 WO PCT/CN2006/001141 patent/WO2007014507A1/zh active Application Filing
- 2006-05-29 CN CN200680012307.7A patent/CN101160774B/zh not_active Expired - Fee Related
- 2006-05-29 DE DE602006011569T patent/DE602006011569D1/de active Active
- 2006-05-29 AT AT06742029T patent/ATE454781T1/de not_active IP Right Cessation
- 2006-11-23 ES ES06842029T patent/ES2355047T3/es active Active
-
2007
- 2007-04-23 US US11/785,991 patent/US7987503B2/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
US20070234414A1 (en) | 2007-10-04 |
CN1905555A (zh) | 2007-01-31 |
ATE454781T1 (de) | 2010-01-15 |
CN101160774A (zh) | 2008-04-09 |
EP1802023B1 (en) | 2010-01-06 |
EP1802023A4 (en) | 2008-01-23 |
CN1905555B (zh) | 2010-07-07 |
DE602006011569D1 (de) | 2010-02-25 |
CN101160774B (zh) | 2010-09-29 |
ES2355047T3 (es) | 2011-03-22 |
US7987503B2 (en) | 2011-07-26 |
EP1802023A1 (en) | 2007-06-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 11785991 Country of ref document: US |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006742029 Country of ref document: EP |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWP | Wipo information: published in national office |
Ref document number: 2006742029 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 11785991 Country of ref document: US |
|
WWE | Wipo information: entry into national phase |
Ref document number: 200680012307.7 Country of ref document: CN |
|
NENP | Non-entry into the national phase |
Ref country code: DE |