WO2010083648A1 - Method for providing a firewall for a terminal in an IMS network, and firewall system - Google Patents
Method for providing a firewall for a terminal in an IMS network, and firewall system
- Publication number
- WO2010083648A1 (application PCT/CN2009/070275)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- firewall
- network
- firewall system
- identification information
Classifications (all under H—ELECTRICITY, H04—ELECTRIC COMMUNICATION TECHNIQUE)
- H04L63/029—Firewall traversal, e.g. tunnelling or creating pinholes
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L65/1016—IP multimedia subsystem [IMS]
- H04L65/1073—Registration or de-registration
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
- H04W92/02—Inter-networking arrangements
Definitions
- The present invention relates to network communications and, more particularly, to a method and system for enhancing the communication security of terminals in an IMS network.
Background
- Firewalls were introduced to keep network resources from being attacked over the network. With a firewall in place, data and network resources are protected from potential intruders. A successful firewall ensures that a network element does not suffer attacks or unauthorized queries from the network while still allowing it to communicate and interact with other communication nodes.
- IMS (IP Multimedia Subsystem) establishes an access-independent platform, based on the open SIP/IP protocols, that supports multiple multimedia service types in order to deliver a richer range of services. It combines cellular mobile networks, traditional fixed networks and the Internet into a common service platform for future all-IP multimedia applications and provides the technical foundation for network convergence. These characteristics make IMS an ideal solution and development direction for future network convergence.
- Because the IMS network is IP-based, its security issues cannot be neglected. A communication terminal in an IMS network is a network element that communicates and interacts with the public network, so having its own firewall is critical to protecting it from attacks and unauthorized access. However, not all IMS terminals have enough storage and computing power to run a firewall.
- Even when a personal firewall has been installed, maintaining it is a problem for the terminal: whether the firewall is updated in real time, whether it is correctly configured, whether it is powerful enough, and so on. Maintaining a network security configuration also means a large workload for IMS users, especially those without the relevant knowledge. It costs the user time and effort and requires at least enough knowledge of network security to use the firewall.
- Telecommunications networks are known to carry more mobile devices (cell phones, PDAs, etc.) than conventional computer networks, and these mobile devices often lack the resources (CPU, memory, etc.) to run high-performance firewalls. Many legacy access devices, such as old telephone devices, do not even have the conditions to install firewall software or hardware. Such devices nevertheless need their security risks addressed. Therefore, while protecting the security of the terminal in the IMS network, how to minimize the burden on the IMS terminal user of running and configuring a firewall is an urgent problem to be solved.
Summary of the invention
- The present invention provides a method for providing a firewall for a terminal in an IMS network, and a firewall system that provides security for IMS network terminals, so as to alleviate, or even completely eliminate, the burden on the IMS network terminal of operating or configuring a firewall.
- A method for providing a firewall for a terminal in an IMS network, including the steps of:
- At least a portion of the communication activity between the terminal and other network elements is managed by a firewall system, where the other network elements include network elements in the IMS network and/or network elements that will communicate with the terminal via the IMS network.
- The requesting network element is an S-CSCF or a trusted party thereof.
- The identification information of the terminal and of the firewall system includes an IP address, a MAC address, a user ID, a firewall serial number, and the like, or any combination of these.
- The firewall system sends its identification information to the requesting network element or its trusted party, which then forwards it to the terminal; or the firewall system sends its identification information separately to the requesting network element (or its trusted party) and to the terminal; or the firewall system sends its identification information to only one of the requesting network element (or its trusted party) and the terminal.
- The identification information of the firewall system may be sent by the requesting network element or its trusted party to the terminal and to the associated network element.
- This sending may take place when or after the request message is sent to the firewall system, or when or after the identification information of the firewall system is received from it.
- By default, once the terminal enters the IMS network and initiates a registration request or a session request, the requesting network element or its trusted party issues a request to the firewall system to provide a firewall for the terminal.
- The registration request or session request may carry identification information indicating whether a firewall needs to be provided for the terminal, or whether the firewall system is required to provide a specific service.
- The requesting network element or its trusted party examines the identification information carried in the request sent by the terminal; if it indicates that the terminal does not need a firewall, no request to provide a firewall for the terminal is sent.
- The firewall system examines the identification information carried in the request sent by the terminal; if it indicates that the terminal does not need a firewall, the firewall system does not provide firewall services for the terminal.
- The firewall system examines the identification information carried in the request sent by the terminal; if it indicates that the terminal needs a specific firewall service, the firewall system provides the terminal with that specific service.
- The firewall so provided is configured to manage either all of the communication activity between the terminal and the other network elements, or only part of it.
- The firewall system provides a configuration module for the terminal, through which the terminal can set the firewall to not manage, partially manage, or fully manage its communication activity with other network elements.
- The part of the communication activity to be managed may be defined by the type of communication protocol, the location area of the other network element, the resource to be accessed by the terminal, the type of the accessed resource, the security level, the degree of sensitivity, the degree of privacy, and so on.
- A firewall system in an IMS network includes: a communication interface configured to send and receive information; an information acquiring module that, upon receiving via the communication interface a request from a requesting network element to provide a firewall, acquires the identification information of the terminal; and a communication management module configured to, after the identification information is received, send the identification information of the firewall system to the terminal and/or related network element via the communication interface, and to manage at least part of the communication activity between the terminal and other network elements, where the other network elements include network elements in the IMS network and/or network elements that will communicate with the terminal via the IMS network.
- In another form, a firewall system in an IMS network includes: a communication interface configured to send and receive information; an information acquiring module that, upon receiving via the communication interface a request from a network element to provide a firewall, acquires the identification information of the terminal; and a communication management module configured to manage at least part of the communication activity between the terminal and other network elements after the identification information has been received and after the network element or its trusted party has provided the identification information of the firewall system to the terminal and/or the related network element, where the other network elements include network elements in the IMS network and/or network elements that will communicate with the terminal via the IMS network.
- The communication management module examines whether the identification information carried in the request indicates that the terminal needs a firewall service and/or a specific service. If it indicates that the terminal does not need a firewall, the firewall system does not provide a firewall service for the terminal; if a specific service is required, the terminal is provided with that specific service.
- The firewall system further includes a configuration module configured to provide a configuration function for the terminal user.
- A firewall system in an IMS network may also be described as being configured to, upon receiving a request from a network element to provide a firewall, acquire the identification information of the terminal and manage at least part of the communication activity between the terminal and other network elements, where the other network elements include network elements in the IMS network and/or network elements that will communicate with the terminal via the IMS network.
- A network element in an IMS network includes: a communication interface configured to send and receive information; a service control module configured to, when receiving a message from the terminal, determine whether the terminal needs a firewall service and, if so, send a request message to the firewall system to provide a firewall service for the terminal; and a communication control module configured to send the identification information of the firewall system to the terminal when it is received from the firewall system, or to send the stored identification information of the firewall system to the terminal after determining that the request message needs to be sent, and to send all information destined for the terminal to the firewall system instead of to the terminal.
- The network element may be implemented in software, hardware, or a combination thereof.
- A terminal for accessing an IMS network includes: a communication interface for transmitting and receiving information; an identification information acquisition module that obtains the identification information when a message containing the firewall identification information is received from the network element or the firewall system via the communication interface; and a communication management module configured to, once the identification information has been acquired and the terminal needs to communicate with another network element, send the corresponding communication information to that network element via the firewall system, where the other network elements include network elements in the IMS network and/or network elements that will communicate with the terminal via the IMS network.
- An IMS network system comprises: a terminal that, upon entering the IMS network, sends a registration request or a session request; a network element that, upon receiving the registration request or session request, sends a request to the firewall system to provide a firewall for the terminal; and a firewall system that, upon receiving the request, acquires the identification information of the terminal and manages at least part of the communication activity between the terminal and other network elements, where the other network elements include network elements in the IMS network and/or network elements that will communicate with the terminal via the IMS network.
- An IMS network system comprising a terminal, a network element, and a firewall system as described above.
- A computer program product comprising executable code for performing any of the methods described above, or for implementing any of the firewall systems, network elements, or terminals described above.
- With the method and firewall system of the present invention, the security of the IMS terminal and of the network can be protected while greatly reducing, or even completely eliminating, the burden on the IMS terminal user.
- The method and system can provide a double firewall security guarantee, and can also provide value-added services such as assisted updating and assisted configuration, thereby alleviating the user's burden.
- Alternatively, the firewall system of the present invention may be chosen on its own: it provides security and completely eliminates the burden on the terminal.
- The firewall provided by the present invention is a system deployed in the IMS network and independent of the IMS terminal, so no resources on the user equipment are used; and since maintenance is handled by the service provider, no maintenance work is required of the user. Moreover, compared with a firewall running on the IMS terminal, the firewall system can have more powerful functions and be updated in real time, so the communication security of the IMS terminal is better protected.
- FIG. 1 shows a network architecture for providing a firewall system for an IMS terminal in accordance with an embodiment of the present invention.
- FIG. 2 shows an exemplary structure of a firewall system in accordance with an embodiment of the present invention.
- FIG. 3 shows an exemplary structure of an S-CSCF in an IMS network according to an embodiment of the present invention.
- FIG. 4 shows an exemplary structure of an IMS terminal according to an embodiment of the present invention.
- FIG. 5 shows a flow diagram of initiating a registration or session when an IMS terminal enters an IMS network, in accordance with an embodiment of the present invention.
- FIG. 1 illustrates a network architecture for providing a firewall system for an IMS terminal.
- The user equipment (UE) accesses the IMS network via an access network. The UE may be any communication-capable terminal: a fixed terminal such as a desktop computer, or a mobile terminal such as a PDA (Personal Digital Assistant), a mobile phone, a notebook computer, a portable communication device, or the like.
- The access network may be an IP-CAN (IP connected access network), such as GPRS (in a GSM/UMTS network), ADSL (asymmetric digital subscriber line), or WLAN (wireless local area network).
- The IMS network in FIG. 1 may include various network elements, such as the P-CSCF (Proxy CSCF), I-CSCF (Interrogating CSCF), S-CSCF (Serving CSCF), and other communication nodes (routers, switches, etc.).
- FIG. 1 also shows the Internet or another public network coupled to the IMS network, where the other public network can be any type of network that can connect to the IMS network and be accessed via it.
- A firewall system is introduced in the IMS network, and the IMS terminal is protected by it. Once the IMS terminal registers with the IMS network, or once the UE initiates a request to a relevant component in the IMS network (e.g., the P-CSCF), and the UE is entitled to the service provided by the firewall system of the present invention, the firewall system provides security for the UE's communication sessions and resources.
- The default setting may be that all user equipment registered to the IMS network owns the service; that is, by default the firewall system manages all security-related aspects of all IMS terminals. For user equipment that owns the service, all communication sessions/connections between the UE and other communication devices are managed by the firewall system.
- The other communication devices include: (1) the relevant network elements in the IMS network, i.e., the network elements that are necessarily involved when the UE establishes a session/connection with another communication node, depending on the network specification/protocol/application used, for example the P-CSCF, I-CSCF and S-CSCF; and (2) network elements that will communicate with the UE via the IMS network, such as those on the Internet or public network in FIG. 1.
- The firewall system acts as a proxy for the UE in the IMS network: any information from the UE first passes through the firewall system before being sent to other network elements in the IMS network, and any information destined for the UE via the IMS network also passes through the firewall system before being delivered to the UE, ensuring secure communication between the UE and the public network.
- FIG. 2 shows an exemplary structure of the firewall system. It includes: a communication interface configured to receive information from the UE, the S-CSCF and the like, and to send related information to them; an information acquiring module that, upon receiving via the communication interface a request from the S-CSCF or its trusted party to provide a firewall for the terminal, acquires the identification information of the terminal; and a communication management module configured to, after the identification information of the terminal is received, send the identification information of the firewall system to the terminal and/or the related network element via the communication interface, and to manage at least part of the communication activity between the terminal and other network elements, where the other network elements include network elements in the IMS network and/or network elements that will communicate with the terminal via the IMS network.
- FIG. 2 also shows other components that may be included in the firewall system. These components are not necessary to implement the firewall system of the present invention; with them, the firewall can provide additional or enhanced functionality to the UE.
- The firewall system of the present invention also provides a configuration module so that the user can change his or her firewall configuration when needed. When the information acquiring module finds that information received via the communication interface is configuration information for the user's firewall, the configuration module provides the user with the corresponding firewall configuration service. The user makes settings through the configuration module, and the communication management module implements them. The firewall system can generate a configuration file for the user and store it in a user information database, which may run on the same physical node as the firewall system or on another physical node or back-end server.
- The user can set which communication activities the firewall system manages, for example only part of them rather than all. The user can also choose not to be managed by the firewall system at all; or, if the UE runs its own firewall, the user can still accept management by the firewall system, in which case both the firewall on the UE and the firewall system of the present invention protect the UE's communications, i.e., the UE obtains double protection. In this way the present invention offers UE users a way to reduce their burden.
- The configuration module can also provide other value-added services for the UE user. Through corresponding settings made in the configuration module, the firewall system of the present invention can support the firewall running on the UE in the following ways:
- Vulnerability scanning: scanning the UE for security vulnerabilities (such as whether the latest OS (operating system) patch is installed on the UE, or whether software running on the UE causes security problems). The user is notified of the scan results, or the vulnerability is fixed automatically based on the user's settings.
- Real-time updates: providing the UE with real-time updates or secure download paths. Since the firewall system of the present invention can itself be updated in real time, it can generally supply the real-time update information the firewall on the UE needs. The UE then does not need to obtain updates from the Internet or other public networks or communication nodes through the IMS network, which reduces the traffic in the network and the possibility of congestion. It also avoids the UE downloading updates from insecure sites, or being attacked during the download, thereby enhancing the UE's communication security, and it shortens the time the UE waits for updates, improving the quality of service (QoS). The firewall system checks for updates and, when it finds an update not yet installed on the UE, notifies the user to install it or installs it automatically based on the user's configuration. It also checks the configuration of the UE's firewall and, if problems are found, notifies the user of them (preferably together with a recommended solution) or updates the configuration automatically based on the user's settings.
- Configuration assistance: providing more technical support for users configuring the UE's own firewall, such as documentation, demonstration videos, or settings under which the firewall system performs some of the configuration of the firewall running on the UE on the user's behalf. In this way the firewall system assists users in maintaining the firewall on their devices, which makes the task much simpler for users who lack the relevant experience or knowledge.
- Fault reporting and repair: the firewall system can issue fault reports or warnings to both the user and the firewall system, or only to the firewall system, depending on the user's settings, and can repair the UE automatically based on those settings. In that case, once the communication interface of the firewall system receives such an abnormal message from the UE, the firewall system performs the corresponding repair/recovery work for the UE's firewall on the user's behalf.
- Enabling or disabling the UE's firewall: the firewall running on the UE can be turned on or off based on the user's settings. Turning it off frees UE resources for more important tasks while protection is provided by the firewall system of the present invention.
- Configuration file generation: according to the user's settings, a configuration file is generated whose settings are applied to the UE by default the next time the UE accesses the IMS network, unless the user updates the configuration.
- Anti-virus function: assisting or replacing the anti-virus software on the UE for virus protection, scanning, virus database updates, and so on. The firewall system of the present invention can thus provide the UE with both firewall and anti-virus functions, further reducing the burden on the UE.
- A database or storage medium may be provided in the firewall system to store the user's configuration information, or a separate information library or engine may be provided for each of the functions above.
- FIG. 3 illustrates an exemplary structure of a network element, such as an S-CSCF, in an IMS network.
- a network element such as an S-CSCF
- it includes a communication interface for transmitting and receiving information; and a service control module, configured to determine whether the terminal needs a firewall service when receiving a registration request/session request from the terminal (as described above, the default terminal may be used here) Need this service, you can also Determining, by the terminal, the identification information set in the sent request, if necessary, sending a request message for providing the firewall service to the terminal to the firewall system; and the communication control module is configured to receive the firewall from the communication interface And the identifier information of the firewall system is sent to the terminal, or is used to send the stored identifier information of the firewall system to the terminal after determining that the request message needs to be sent; And, the communication control module is configured to send all information sent to the terminal to the firewall system, and then send the information to the terminal via a firewall system.
- the functions implemented by the foregoing S-CSCF may be completely or partially offloaded to its trusted party, and the trusted party implements the corresponding function.
- the trusted party When the trusted party is responsible for implementing the above functions, it can communicate with components in the IMS network, such as the S-CSCF, if needed.
- FIG. 4 illustrates an exemplary structure of a terminal accessing an IMS network. As shown, it includes: a communication interface, configured to send and receive information; and an identification information acquisition module, when receiving a message including the firewall identification information from the S-CSCF or its trusted party or firewall system via the communication interface, The identification management information is configured to: after the obtaining the identification information, send communication information to the other network unit by using the firewall system, when the network unit needs to communicate with another network unit, where Other network elements include network elements in the IMS network and/or network elements that will communicate with the terminals via the IMS network.
- FIG. 5 shows the flow of the registration phase/initiation ⁇ performed when the UE enters the IMS network including the firewall system of the present invention via the access network.
- Step 1-5 shown in FIG. 5 is a UE registration/initiation session process in the prior art: the UE sends a registration message to the P-CSCF, and the P-CSCF forwards the registration message to the I-CSCF.
- the I-CSCF selects the S-CSCF for the user by querying the HSS (for example, through the Cx interface used in the specification). Subsequently, the S-CSCF interacts with the HSS to perform user authentication. Specifically, the S-CSCF downloads the user profile from the HSS.
- The user profile is important information: in addition to the user information, it contains the filtering rules that determine when a SIP request is forwarded to the application server providing a service, and these filtering rules constitute a set of trigger conditions.
- The trigger for the firewall service of the present invention can also be stored in these filtering rules.
- Steps 6, 7: Based on the filtering rules, the S-CSCF decides whether a request from the UE needs to pass through one or more application servers that provide services to the user. Although the S-CSCF does not provide the requested service itself, it triggers the application server to perform it. If the user has a firewall (by default, all users do), the S-CSCF sends the registration information to the firewall system, shown as "F/W Request" in FIG. 5.
- The request includes identification information of the UE, for example the address information of the UE.
- Depending on specific needs, the request may also include the P-CSCF address, the home network contact information, and the user identifiers (public user identity, private user identity).
- The identification information may be any form of information that uniquely identifies the UE; it may consist of numbers, letters, characters, or a combination thereof, and may be of any kind, such as the UE's IP address, MAC address, user ID, etc., or any combination of these.
- Step 8: The firewall can perform the necessary authorization checks on the user, for example based on the user identifier or other information, to ensure that he/she is authorized to use the services provided by the firewall system. Such checks are beneficial when the firewall system and the IMS network belong to different network providers. The check is not mandatory, and whether to perform it can be chosen according to the needs of the specific application. When both belong to the same network provider, service control can be performed at the S-CSCF, i.e. checking whether the UE is a user authorized to access the IMS network, and step 8 can then be omitted at the firewall system.
- Steps 9, 10, 11: If the UE is an authorized user of the firewall system, the firewall system sends a 200 (OK) message to the UE (step 9).
- The message includes identification information that uniquely identifies the firewall, such as its address information, so that the UE and the other related IMS components (e.g. P-CSCF, S-CSCF) know that it is the firewall of the UE.
- Upon receipt of this message, the UE and the other related IMS components update their configuration. Specifically, the UE stores the firewall address as the address it uses to contact the network. Thereafter, all requests from the UE are sent to the firewall system first, and the firewall system forwards them to the correct address in the network.
- Other network elements that communicate with the UE store the firewall address and use it in place of the UE address. All messages between the network and the UE are then forwarded by the firewall system.
- The address information of the firewall may also be added by the firewall system rather than by the S-CSCF. In step 10 the 200 (OK) message carrying the firewall address information is sent to the P-CSCF, which forwards it to the UE in step 11.
- When the firewall adds its own address information to the 200 (OK) message, it may, instead of sending the 200 (OK) message to the S-CSCF as shown in FIG. 5, send separate messages to the S-CSCF and to the UE.
- The firewall can send the 200 (OK) message directly to the UE, and the 200 (OK) exchange between the firewall and the UE can use other protocols (such as H.323 or HTTP).
- The firewall system may also send the 200 (OK) message only to the UE, which then notifies the S-CSCF (the case of sending only to the S-CSCF is handled similarly).
- Which of the above methods is used can be chosen flexibly according to the specific application settings.
- Steps 12, 13, 14: Once the update is complete, a 200 (OK) response is sent back to the firewall system to inform the UE and the firewall system of the connectivity within the IMS network. The firewall system then operates between the UE and the IMS network to provide services to the UE.
- The UE need not send the 200 (OK) response to the P-CSCF, the S-CSCF and the firewall system in turn; it may send the response separately to the P-CSCF and to the firewall system, and the P-CSCF then forwards it to the S-CSCF.
- The 200 (OK) message may also be omitted, in which case the communication between the UE and the IMS network is managed via the firewall system after a predetermined time. That is, until the UE exits the IMS network, all communication between the UE and other network elements in the IMS network, or between the UE and network elements it communicates with via the IMS network, passes through the firewall system of the present invention. If the user has made a specific configuration, however, that configuration takes precedence.
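A toy Python model of the FIG. 5 flow, added here as an illustration and not code from the patent: the S-CSCF's filter rule triggers the "F/W Request", the firewall system performs the step 8 authorization check and returns its own address in the 200 (OK), and the FIG. 4 terminal thereafter sends everything through the firewall. The P-CSCF and I-CSCF hops are elided, and all addresses, user identities, header names and the 403 refusal are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    method: str                 # "REGISTER", "F/W Request", "200 OK", "INVITE", ...
    src: str
    dst: str
    headers: dict = field(default_factory=dict)

class FirewallSystem:
    """Firewall AS: authorizes the user (step 8), then relays all UE traffic."""
    def __init__(self, address, authorized_users):
        self.address, self.authorized, self.relayed = address, set(authorized_users), []

    def handle_fw_request(self, req):
        # Step 8: authorization check (403 on failure is this example's choice); step 9: 200 (OK) with own address.
        if req.headers["user-id"] not in self.authorized:
            return Message("403 Forbidden", self.address, req.src)
        return Message("200 OK", self.address, req.src,
                       {"user-id": req.headers["user-id"], "firewall-address": self.address})

    def relay(self, msg, real_dst):
        # After registration every UE message lands here first and is forwarded on (audit trail kept).
        self.relayed.append((msg.method, msg.src, real_dst))
        return Message(msg.method, self.address, real_dst, dict(msg.headers))

class SCSCF:
    """S-CSCF: downloads the HSS profile; its filter rules trigger the firewall AS."""
    def __init__(self, address, hss_profiles, firewall):
        self.address, self.profiles, self.firewall = address, hss_profiles, firewall

    def register(self, reg):
        user = reg.headers["user-id"]
        if "firewall" in self.profiles[user]["filter_rules"]:   # steps 4-7: profile + trigger
            resp = self.firewall.handle_fw_request(Message(
                "F/W Request", self.address, self.firewall.address,
                {"user-id": user, "ue-address": reg.src}))
            if resp.method == "200 OK":                          # steps 10-11: pass address to UE
                return Message("200 OK", self.address, reg.src, dict(resp.headers))
        return Message("200 OK", self.address, reg.src, {"user-id": user})

class UE:
    """Terminal of FIG. 4: stores the firewall address and routes through it."""
    def __init__(self, address, user_id):
        self.address, self.user_id, self.contact = address, user_id, None

    def register(self, scscf):
        reg = Message("REGISTER", self.address, scscf.address, {"user-id": self.user_id})
        self.contact = scscf.register(reg).headers.get("firewall-address")

    def send(self, method, real_dst, firewall):
        msg = Message(method, self.address, self.contact or real_dst)   # firewall first, if known
        return firewall.relay(msg, real_dst) if self.contact else msg

def run_registration(authorized=True):
    # Returns (UE's stored contact, source address the peer sees, firewall audit trail).
    fw = FirewallSystem("fw.example", ["alice@ims.example"] if authorized else [])
    scscf = SCSCF("scscf.example", {"alice@ims.example": {"filter_rules": ["firewall"]}}, fw)
    ue = UE("10.0.0.5", "alice@ims.example")
    ue.register(scscf)
    return ue.contact, ue.send("INVITE", "bob.example", fw).src, fw.relayed
```

With `authorized=False` the firewall refuses, the 200 (OK) carries no firewall address, and the UE's INVITE leaves with its own address and no relay record, which is the failure mode step 8 is meant to expose.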
- The UE may make the various settings mentioned above through a configuration module provided by the firewall system, thereby generating a corresponding configuration file in the firewall system.
- After the UE exits the IMS network and later enters it again, the S-CSCF (which can be set to retain the relevant data, or can obtain it by interacting with the firewall system) can discover the configuration information related to the UE in the firewall system, and the existing configuration can be applied to the UE.
- The UE may also be set to indicate, in the registration request sent in step 1, whether the firewall system service is required, or which specific service of the firewall system is required.
- The S-CSCF only needs to perform the corresponding processing on the UE as for a normal IMS terminal, as in the prior art.
- Since the firewall system of the present invention is included in the IMS network, all communication between the UE and the IMS network and the public network is managed by the firewall system.
- Every request from or to the UE over the IMS network passes through the firewall, so the firewall can shield the UE from attacks from the IMS network and from other (wired or wireless) public networks connected to the IMS. This overcomes the situation in the existing IMS network, which has no network-level firewall for user equipment, where the user can secure communications only by running a firewall on the terminal.
- The firewall system of the present invention is thus capable of shielding the UE from attacks originating in the IMS network and in external networks reached via the IMS network.
- If the access network is not a secure network, or if some user equipment carries sensitive information, more comprehensive security protection may be desirable.
- In that case a VPN connection can be established between the UE and the firewall system, so that the UE is also protected from attacks originating in the access network.
- The VPN connection may be of any type suitable for the UE and the firewall system, such as an MPLS VPN or an IPsec VPN.
- An IMS network terminal in the present invention refers to a communicating party with wireless/wired communication capability that is in an IMS network or accesses an IMS network via any of various types of access networks.
- A network element in the present invention may also be called a communication node or communication unit, and refers to an entity with communication capability in the network; it may be implemented in software, in hardware, or in a combination of the two.
- The entities of the firewall system, the IMS terminal, the IMS network unit and the like in the present invention may be implemented in software, in hardware, or in a combination of the two. In implementation, the modules and interfaces mentioned in the present invention may be combined or further split. Moreover, the various entities in the IMS network, as well as the firewall system of the present invention, may be independent or distributed, and they may be located at separate communication nodes in the network or on the same communication node. For example, the firewall system may be located wholly or partly at the communication node where the S-CSCF is located, and that communication node may include all or part of the implementation of the S-CSCF.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020117016252A KR101520142B1 (ko) | 2009-01-22 | 2009-01-22 | Method for providing a firewall to an IMS network terminal, firewall system in an IMS network, network element in an IMS network, terminal for accessing an IMS network, and computer program product |
EP09838615.4A EP2391059A4 (en) | 2009-01-22 | 2009-01-22 | FIREWALL PROVISION METHOD FOR IMS NETWORKING DEVICES AND FIREWALL SYSTEM |
JP2011546565A JP5694954B2 (ja) | 2009-01-22 | 2009-01-22 | Method for providing a firewall to an IMS network terminal device, and firewall system |
PCT/CN2009/070275 WO2010083648A1 (zh) | 2009-01-22 | 2009-01-22 | Method for providing terminals of an IMS network with a firewall, and firewall system |
US12/998,633 US20120047569A1 (en) | 2009-01-22 | 2009-01-22 | Method for providing terminals of ims network with firewall and firewall system |
CN2009801363809A CN102160331A (zh) | 2009-01-22 | 2009-01-22 | Method for providing terminals of an IMS network with a firewall, and firewall system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2009/070275 WO2010083648A1 (zh) | 2009-01-22 | 2009-01-22 | Method for providing terminals of an IMS network with a firewall, and firewall system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010083648A1 true WO2010083648A1 (zh) | 2010-07-29 |
Family ID: 42355490
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2009/070275 WO2010083648A1 (zh) | 2009-01-22 | 2009-01-22 | Method for providing terminals of an IMS network with a firewall, and firewall system |
Country Status (6)
Country | Link |
---|---|
US (1) | US20120047569A1 (zh) |
EP (1) | EP2391059A4 (zh) |
JP (1) | JP5694954B2 (zh) |
KR (1) | KR101520142B1 (zh) |
CN (1) | CN102160331A (zh) |
WO (1) | WO2010083648A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103905413A (zh) * | 2012-12-28 | 2014-07-02 | 中国移动通信集团北京有限公司 | Core network signaling transmission method and system |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8805972B1 (en) * | 2013-06-26 | 2014-08-12 | Kaspersky Lab Zao | Multi-platform operational objective configurator for computing devices |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1469591A (zh) * | 2002-07-18 | 2004-01-21 | 华为技术有限公司 | Method for defending against TCP synchronization (SYN) packet flood attacks |
CN1606304A (zh) * | 2003-10-10 | 2005-04-13 | 华为技术有限公司 | Method for next-generation network services to traverse network address translation devices/firewalls |
US20070079368A1 (en) * | 2005-09-30 | 2007-04-05 | Fujitsu Limited | Connection assistance apparatus and gateway apparatus |
CN1996946A (zh) * | 2006-12-01 | 2007-07-11 | 中国联合通信有限公司 | IP multimedia communication service processing system and method for implementing IP multimedia communication |
CN101087187A (zh) * | 2007-05-22 | 2007-12-12 | 网御神州科技(北京)有限公司 | Method and apparatus for user-based secure access control |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004220120A (ja) * | 2003-01-09 | 2004-08-05 | Nippon Telegr & Teleph Corp <Ntt> | Network security system, access control method, authentication mechanism, firewall mechanism, authentication mechanism program, firewall mechanism program, and recording medium therefor |
US7372840B2 (en) * | 2003-11-25 | 2008-05-13 | Nokia Corporation | Filtering of dynamic flows |
US8316128B2 (en) * | 2004-01-26 | 2012-11-20 | Forte Internet Software, Inc. | Methods and system for creating and managing identity oriented networked communication |
US8191116B1 (en) * | 2005-08-29 | 2012-05-29 | At&T Mobility Ii Llc | User equipment validation in an IP network |
CN101102185B (zh) * | 2006-07-06 | 2012-03-21 | 朗迅科技公司 | Media security for IMS sessions |
EP1971101B1 (en) * | 2007-03-12 | 2018-11-21 | Nokia Solutions and Networks GmbH & Co. KG | A method , a device for configuring at least one firewall and a system comprising such device |
US20100095361A1 (en) * | 2008-10-10 | 2010-04-15 | Wenhua Wang | Signaling security for IP multimedia services |
2009
- 2009-01-22 KR KR1020117016252A patent/KR101520142B1/ko not_active IP Right Cessation
- 2009-01-22 JP JP2011546565A patent/JP5694954B2/ja not_active Expired - Fee Related
- 2009-01-22 CN CN2009801363809A patent/CN102160331A/zh active Pending
- 2009-01-22 US US12/998,633 patent/US20120047569A1/en not_active Abandoned
- 2009-01-22 EP EP09838615.4A patent/EP2391059A4/en not_active Withdrawn
- 2009-01-22 WO PCT/CN2009/070275 patent/WO2010083648A1/zh active Application Filing
Non-Patent Citations (1)
Title |
---|
See also references of EP2391059A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN102160331A (zh) | 2011-08-17 |
KR20110105802A (ko) | 2011-09-27 |
JP5694954B2 (ja) | 2015-04-01 |
JP2012516081A (ja) | 2012-07-12 |
EP2391059A1 (en) | 2011-11-30 |
US20120047569A1 (en) | 2012-02-23 |
KR101520142B1 (ko) | 2015-05-13 |
EP2391059A4 (en) | 2013-05-01 |
Similar Documents
Publication | Title |
---|---|
CN105933279B (zh) | System, method, apparatus and machine-readable medium for enterprise wireless calling |
US9609460B2 (en) | Cloud based mobile device security and policy enforcement |
US8230480B2 (en) | Method and apparatus for network security based on device security status |
JP5431517B2 (ja) | Access via a non-3GPP access network |
US8279798B2 (en) | Virtual home network arrangement for a subscriber module using IMS |
JP2012523614A (ja) | Identity management service provided by a network operator |
US11297058B2 (en) | Systems and methods using a cloud proxy for mobile device management and policy |
US11777994B2 (en) | Dynamic per subscriber policy enablement for security platforms within service provider network environments |
US11528253B2 (en) | Security platform for service provider network environments |
US20110173687A1 (en) | Methods and Arrangements for an Internet Multimedia Subsystem (IMS) |
JP5864598B2 (ja) | Method and system for providing service access to a user |
CN112868248A (zh) | Network slice-based security in a mobile network |
EP2862335B1 (en) | Systems and methods for protection of a sip back-to-back user agent on modems |
JP5694954B2 (ja) | Method for providing a firewall to an IMS network terminal device, and firewall system |
US20190124041A1 (en) | Network-based media content control |
Park et al. | A security evaluation of IMS deployments |
Moser et al. | Extending software defined networking to end user devices |
CA2649132C (en) | Virtual home network arrangement for a subscriber module using ims |
Tsagkaropulos et al. | Securing IP multimedia subsystem (IMS) infrastructures: protection against attacks |
Legal Events
Code | Title | Description |
---|---|---|
WWE | Wipo information: entry into national phase | Ref document number: 200980136380.9; Country of ref document: CN |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09838615; Country of ref document: EP; Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 12998633; Country of ref document: US |
WWE | Wipo information: entry into national phase | Ref document number: 2011546565; Country of ref document: JP |
ENP | Entry into the national phase | Ref document number: 20117016252; Country of ref document: KR; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
WWE | Wipo information: entry into national phase | Ref document number: 2009838615; Country of ref document: EP |