WO2015066996A1

WO2015066996A1 - A method and system for implementing ng-firewall, a ng-firewall client and a ng-firewall server

Info

Publication number: WO2015066996A1
Application number: PCT/CN2014/074744
Authority: WO
Inventors: Sanjay Kumar NAVIN; Debabrata NAYAK; Chi Zhang
Original assignee: Huawei Technologies Co., Ltd.
Priority date: 2013-11-07
Filing date: 2014-04-03
Publication date: 2015-05-14
Also published as: IN2013CH05037A

Abstract

The embodiments of the present invention provide a method and system for implementing NG-Firewall, a NG-Firewall client and a NG-Firewall server. The method includes: sending a request message for requesting security information of an application when the application is started in a terminal device configured with the NG-Firewall client; receiving a response message including the security information of the application; processing received or transmitted data of the application by using the security information of the application. In this invention, dynamically loading of attack defense can be realized, software footprints required on the terminal device can be reduced and performance of application installed on the terminal device can be improved.

Description

A METHOD AND SYSTEM FOR IMPLEMENTING

NG-FIREWALL, A NG-FIREWALL CLIENT AND A

NG-FIREWALL SERVER

FIELD OF THE INVENTION

This application relates to communication technology, in particular to a method and system for implementing NG-Firewall, a NG-Firewall client and a NG-Firewall server.

BACKGROUND NG-Firewall (NG-FW, Next Generation Firewall) unifies security services into a single engine and change the designing of access control and security policies. NG-Firewall extends management of applications and traffic flow. The functions of NG-Firewall include: allow, block, log, monitor and bandwidth control, and so on.

The NG-Firewall combines First Generation of Firewall, such as Stateful and Stateless Network Firewall, Application Firewall, NAT-ALG (Network Address Translation - Application Level Gateways), IPS (Intrusion Prevention System)/IDS (Intrusion Detection System), Anti-X malware scanning. This combination increases complexity of NG-Firewall. The foundation of NG-Firewall is deep packet inspection of the incoming and outgoing packets, co-relating the previous received packets.

On the other hand, Smartphone is key enabler of BYOD (Bring Your Own Device), personal banking, social networking and entertainment while on travelling. This increases the security threats on consumer privacy, leakage of personal and business data.

However, the applicant found that: NG-Firewall is installed on dedicated sever with high computing powers. However, NG-Firewall has not been implemented on terminal device like Smartphone. So that software footprints required on terminal devices are not reduced and performance of application installed on terminal devices is not improved. SUMMARY

Embodiments of the present invention pertain to a method and system for implementing NG-Firewall, a NG-Firewall client and a NG-Firewall server, in order to reduce software footprint of NG-Firewall on terminal devices without compromising on application level attack.

According to an aspect of the embodiments of the present invention, a method for implementing NG-Firewall (Next Generation Firewall) is provided, the method comprising:

sending a request message for requesting security information of an application to a NG-Firewall server, when the application is started in a terminal device;

receiving a response message comprising the security information of the application from the NG-Firewall server, wherein the security information of the application represents information of security protection for the application started in the terminal device;

processing data of the application by using the security information of the application.

According to another aspect of the embodiments of the present invention, wherein the request message comprising identification information of the application, and the identification information of the application is used by the NG-Firewall server to determine the security information of the application.

According to another aspect of the embodiments of the present invention, wherein the method further comprises:

clearing the security information of the application when the application is closed in the terminal device.

According to another aspect of the embodiments of the present invention, wherein the response message further comprises one or more timer value for maintaining part or all of the security information of the application; and

the method further comprise: re-requesting the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or re-requesting the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

clearing the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or

clearing the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

According to another aspect of the embodiments of the present invention, wherein the security information of the application comprises any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

According to another aspect of the embodiments of the present invention, wherein there are different timer values for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application; or, there is the same timer value for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

According to another aspect of the embodiments of the present invention, wherein processing data of the application by using the security information of the application, comprising:

processing the data of the application by using the packet signature information of the application, or

processing the data of the application by using the access control list information of the application, or

processing the data of the application by using the malformed attack information of the application, or

processing the data of the application by using the stateful firewall library information of the application, or

processing the data of the application by using the packet rate limit policy information of the application.

According to another aspect of the embodiments of the present invention, a method for implementing NG-Firewall is provided, the method comprising: receiving a request message for requesting security information of an application from a terminal device, wherein the security information of the application represents information of security protection for the application started in the terminal device;

determining the security information of the application according to the request message;

sending a response message comprising the security information of the application to the terminal device.

According to another aspect of the embodiments of the present invention, wherein the request message comprises identification information of the application; and

the determining the security information of the application according to the request message comprise: acquiring the security information of the application from a database according to the identification information of the application comprised in the request message.

According to another aspect of the embodiments of the present invention, wherein before sending a response message comprising the security information of the application to the terminal device, the method further comprises:

authenticating whether the request message is valid;

when the request message is valid, perform the process of sending the response message comprising the security information of the application to the terminal device.

According to another aspect of the embodiments of the present invention, the method further comprises: determining one or more timer value for maintaining part or all of the security information of the application;

the sending a response message comprising the security information of the application to the terminal device comprise: sending a response message comprising the security information of the application, and one or more timer value for maintaining part or all of the security information of the application to the terminal device.

According to another aspect of the embodiments of the present invention, a NG-Firewall client is provided, comprising:

a sending unit, configured to send a request message for requesting security information of an application to a NG-Firewall server when the application is started in a terminal device which is configured with the NG-Firewall client;

a receiving unit, configured to receive a response message comprising the security information of the application from the NG-Firewall server, wherein the security information of the application represents information of security protection for the application started in the terminal device;

a processing unit, configured to process data of the application by using the security information of the application.

According to another aspect of the embodiments of the present invention, wherein the sending unit is specifically configured to send the request message for requesting security information of the application to the NG-Firewall server when the application is started in the terminal device which is configured with the NG-Firewall client; wherein the request message comprising identification information of the application, and the identification information of the application is used by the NG-Firewall server to determine the security information of the application.

According to another aspect of the embodiments of the present invention, wherein the NG-Firewall client further comprises:

a clearing unit, configured to clear the security information of the application when the application is closed in the terminal device.

the sending unit is further configured to re-request the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or re-request the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

According to another aspect of the embodiments of the present invention, wherein the clearing unit is further configured to clear the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or clear the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

According to another aspect of the embodiments of the present invention, wherein the processing unit is specifically configured to:

process the data of the application by using the packet signature information of the application, or

process the data of the application by using the access control list information of the application, or

process the data of the application by using the malformed attack information of the application, or

process the data of the application by using the stateful firewall library information of the application, or

process the data of the application by using the packet rate limit policy information of the application.

According to another aspect of the embodiments of the present invention, a NG-Firewall server is provided, comprising:

a receiving unit, configured to receive a request message for requesting security information of an application from a terminal device, wherein the security information of the application represents information of security protection for the application started in the terminal device;

a first determining unit, configured to determine the security information of the application according to the request message;

a sending unit, configured to send a response message comprising the security information of the application to the terminal device.

wherein the first determining unit is specifically configured to acquire the security information of the application from a database according to the identification information of the application comprised in the request message.

According to another aspect of the embodiments of the present invention, wherein the NG-Firewall server further comprises:

an authenticating unit, configured to authenticate whether the request message is valid; and

the sending unit is specifically configured to send the response message comprising the security information of the application to the terminal device when the request message is valid.

a second determining unit, configured to determine one or more timer value for maintaining part or all of the security information of the application; the sending unit is specifically configured to send a response message comprising the security information of the application, and one or more timer value for maintaining part or all of the security information of the application to the terminal device.

According to another aspect of the embodiments of the present invention, a terminal device is provided, comprising:

a processor and a memory coupled to the processor;

wherein the processor is configured to:

send a request message for requesting security information of an application to a NG-Firewall server when the application is started in the terminal device;

receive a response message comprising the security information of the application from the NG-Firewall server, wherein the security information of the application represents information of security protection for the application started in the terminal device;

process data of the application by using the security information of the application.

a processor and a memory coupled to the processor;

wherein the processor is configured to:

receive a request message for requesting security information of an application from a terminal device, wherein the security information of the application represents information of security protection for the application started in the terminal device;

determine the security information of the application according to the request message;

send a response message comprising the security information of an application to the terminal device. According to another aspect of the embodiments of the present invention, a system for implementing NG-Firewall is provided, comprising:

one or more terminal devices as above mentioned; and

a NG-Firewall server as above mentioned.

The advantages of embodiments of the present invention exist in that: a

NG-Firewall client requests security information of an application from a NG-Firewall server, when the application is started in a terminal device. Thus dynamically loading of attack defense can be realized in the embodiments of the present invention, software footprints required on the terminal device can be reduced and performance of application installed on the terminal device can be improved.

Furthermore, terminal devices will be protected against new attacks originated either through new application or services. As the number of attack defense is directly dependent on the number of application user is using, the signaling packets will be reduced and this help in improving battery life of mobile terminal.

These and further aspects and features of the present invention will be apparent with reference to the following description and attached drawings. In the description and drawings, particular embodiments of the invention have been disclosed in detail as being indicative of some of the ways in which the principles of the invention may be employed, but it is understood that the invention is not limited correspondingly in scope. Rather, the invention includes all changes, modifications and equivalents coming within the spirit and terms of the appended claims.

Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments.

It should be emphasized that the term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.

Many aspects of the invention can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present invention. To facilitate illustrating and describing some parts of the invention, corresponding portions of the drawings may be exaggerated in size, e.g., made larger in relation to other parts than in an exemplary device actually made according to the invention. Elements and features depicted in one drawing or embodiment of the invention may be combined with elements and features depicted in one or more additional drawings or embodiments. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views and may be used to designate like or similar parts in more than one embodiment.

BRIEF DESCRIPTION OF THE DRAWING

The drawings are included to provide further understanding of the present invention, which constitute a part of the specification and illustrate the embodiments of the present invention, and are used for setting forth the principles of the present invention together with the description. The same element is represented with the same reference number throughout the drawings.

In the drawings:

Figure 1 is a flowchart of the method for implementing NG-Firewall in accordance with an embodiment of the present invention;

Figure 2 is a schematic diagram showing an example of structure about the terminal device and the NG-Firewall server;

Figure 3 is a flowchart of the method for implementing NG-Firewall in accordance with an embodiment of the present invention;

Figure 4 is another flowchart of the method for implementing NG-Firewall in accordance with an embodiment of the present invention;

Figure 5 is a flowchart of the step 402 in accordance with an embodiment of the present invention;

Figure 6 is a flowchart of the step 403 in accordance with an embodiment of the present invention;

Figure 7 is a flowchart of the step 405 in accordance with an embodiment of the present invention; Figure 8 is a flowchart of the step 406 in accordance with an embodiment of the present invention;

Figure 9 is a flowchart of the step 407 in accordance with an embodiment of the present invention;

Figure 10 is a flowchart of the method for implementing NG-Firewall in accordance with embodiment of the present invention;

Figure 11 is another flowchart of the method for implementing NG-Firewall in accordance with embodiment of the present invention;

Figure 12 is a schematic diagram of the terminal device in accordance with an embodiment of the present invention;

Figure 13 is a schematic diagram of the terminal device in accordance with an embodiment of the present invention;

Figure 14 is a schematic diagram of the NG-Firewall server in accordance with an embodiment of the present invention;

Figure 15 is another schematic diagram of the NG-Firewall server in accordance with an embodiment of the present invention;

FIG. 16 is a schematic structure diagram of a terminal device according to an embodiment of the present invention;

FIG. 17 is a schematic structure diagram of a NG-Firewall server according to an embodiment of the present invention;

FIG. 18 is a schematic structure diagram of a system for implementing NG-Firewall according to an embodiment of the present invention.

DETAILED DESCRIPTION

The many features and advantages of the embodiments are apparent from the detailed specification and, thus, it is intended by the appended claims to cover all such features and advantages of the embodiments that fall within the true spirit and scope thereof. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the inventive embodiments to the exact construction and operation illustrated and described, and accordingly all suitable modifications and equivalents may be resorted to, falling within the scope thereof.

The embodiments of the present invention are described as follows in reference to the drawings. Embodiment 1

This embodiment of the present invention provides a method for implementing NG-Firewall, applied in a NG-Firewall client.

Figure 1 is a flowchart of the method for implementing NG-Firewall in accordance with embodiment 1 of the present invention. As shown in Figure 1, the method includes:

Step 101, a NG-Firewall client sends a request message to a NG-Firewall server when an application is started in a terminal device configured with the NG-Firewall client; where the request message is used for requesting security information of the application;

Step 102, the NG-Firewall client receives a response message from the NG-Firewall server; where the security information of the application is included in the response message; wherein the security information of the application represents information of security protection for the application started in the terminal device;

Step 103, the NG-Firewall client processes data of the application by using the security information of the application.

In this embodiment, the NG-Firewall client may be configured in a terminal device, the terminal device may be a fixed device or a wireless device, such as Smartphone, tablet. The application may be social software (such as Skype, youtube) and may have been installed in the terminal device. However, it is not limited thereto, and particular implement way may be determined as actually required.

In this embodiment, the NG-Firewall server has a NG-FW database containing data or information of NG-Firewall. As for the detail of the NG-FW database, please refer to the existing technology. The NG-Firewall Server can be connected through any interface of the terminal device (such as Smartphone); for example, Bluetooth, USB Port or any Air Interfaces.

In this embodiment, the security information of the application may include: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application. However, it is not limited thereto, and particular implement way may be determined as actually required.

Figure 2 is a schematic diagram showing an example of structure about the terminal device and the NG-Firewall server. It should be noted that this figure is exemplary only, and other types of structures may be used for supplementing or replacing this structure.

As shown in Figure 2, there are some applications in the terminal device which configured with a NG-FW client; while there is security information of applications (such as attack defense data of applications) in a NG-FW server which configured with a database.

For example, the database storing the security of the application may be configured in the NG-FW server; in other words, the database is a local database of the NG-FW server. In another example, the database storing the security information of the application may be separately configured; the NG-FW server may access the database via a communication interface. However, it is not limited thereto.

In this embodiment, NG-FW is one of the mandatory requirement for terminal devices (like Smartphone) to enable BYOD, personal financial operation and strategic business information, and securing personal information. Smartphone is battery operated device and also have limited computing resources.

As the number of Mobile VAS (Value Added Service) is increasing at exponential rate, the number of attack will also increase exponentially and hence the software footprint of NG-FW and processing of each type of attack using exhaustive application framework will be expensive. It is evident that mobile user will use very limited number of application simultaneously.

In this embodiment, for example, exhaustive attack defense based on NG-FW can be installed on centralized entity, such as in packet core, secondary memory, or server cloud in environment. When Smartphone user starts any application, an attack defense request will be send to NG-FW database. Smartphone will install application specific attack defense, access control list and application signature. Any x/Tx packet will check against newly installed attack defense, so that access control of ingress and egress application is realized on the Smartphone.

It can be seen from the above embodiment that: a NG-Firewall client requests security information of an application from a NG-Firewall server, when the application is started in a terminal configured with the NG-Firewall client. Thus dynamically loading of attack defense can be realized in the embodiments of the present invention, software footprints required on the terminal device can be reduced and performance of application installed on the terminal device can be improved. Embodiment !

Based on the embodiment 1, this embodiment of the present invention provides a method for implementing NG-Firewall; the same content will not be described.

Figure 3 is a flowchart of the method for implementing NG-Firewall in accordance with an embodiment of the present invention, as shown in Figure 3, the method includes:

Step 301, a NG-Firewall client sends a request message to a NG-Firewall server when an application is started in a terminal device configured with the NG-Firewall client; where the request message is used for requesting security information of the application;

In this embodiment, the request message may include identification information of the application, such as an identifier of the application, or a kind of the application; and the identification information of the application is used by the NG-Firewall server to determine the security information of the application. However, it is not limited thereto, and particular implement way may be determined as actually required.

Step 302, the NG-Firewall client receives a response message including the security information of the application from the NG-Firewall server;

Step 303, the NG-Firewall client processes data of the application by using the security information of the application.

As shown in Figure 3, the method may further include:

Step 304, the NG-Firewall client clear the security information of the application when the application is closed in the terminal device.

In this embodiment, once the Smartphone user completes or closes the application (such as Skype); the security information of the application (such as all installed and downloaded data, application access list and signature) is flushed out.

Figure 4 is another flowchart of the method for implementing NG-Firewall in accordance with an embodiment of the present invention. The terminal device is configured with a NG-FW client. As shown in Figure 4, the method may include:

Step 401, a NG-Firewall function is enabled in the terminal device.

Step 402, an IP address and a port number of the NG-Firewall server are configured in the terminal device;

In this step, the terminal device may generate a request message based on the IP address and the port number of the NG-Firewall server.

Step 403, the terminal device sends the request message to a NG-Firewall server when an application is started in the terminal device; where the request message is used for requesting security information of the application and includes identification information of the application;

Step 404, after receiving the request message, the NG-Firewall server determines the security information of the application according to the identification information of the application included in the request message.

In this embodiment, the NG-FW server may send a response message to the terminal device; the security information of the application is included in the response message.

Furthermore, one or more timer value for maintaining part or all of the security information of the application may be included in the response message.

For example, there is a timer value for all of the security information of the application in the response message; or there are one timer value for packet signature information of the application, another timer value for access control list information of the application, and another timer value for malformed attack information of the application. However, it is not limited thereto, and particular implement way may be determined as actually required.

Step 405, the terminal device receives the response message including the security information of the application from the NG-Firewall server; Step 406, the terminal device processes data of the application by using the security information of the application.

In this embodiment, the terminal device may re-request the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout;

Or, the terminal device may re-request the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

For example, if there is a timer value A for all of the security information of the application in the response message, the terminal device may re-request the all of the security information of the application when a timer corresponding the timer value A is timeout.

For another example, if there are three timer value in the response message: a timer value B for packet signature information of the application, a timer value C for access control list information of the application, and a timer value D for malformed attack information of the application;

The terminal device may re-request the packet signature information of the application when a timer corresponding the timer value B is timeout; or the terminal device may re-request the access control list information of the application when a timer corresponding the timer value C is timeout; or the terminal device may re-request the malformed attack information of the application when a timer corresponding the timer value D is timeout.

As shown in Figure 4, the method may further include:

Step 407, the terminal device clear the security information of the application when the application is closed in the terminal device.

In this step, the terminal device may also clear the security information of the application based on a timer. The terminal device will clear the security information of the application when the timer is timeout.

For example, the terminal device may clear the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout. Or, the terminal device may clear the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

In step 401, a NG-FW Client (is has a NG-Firewall function) may be enabled on the terminal device. Each application can be allowed to select if the terminal device user wants to enable NG-FW attack application. By default, all applications are not allowed to download from theNG-FW server.

In step 402, NG-Firewall server information, such as port number and IP address of the NG-Firewall server may be configured in the terminal device by the user. Furthermore, a timer value for maintaining the security information of the application may be configured in the terminal device by the user.

In this embodiment, the security information of the application may include any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

Where, there are different timer values for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application;

Or, there is the same timer value for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

In this embodiment, the process of processing data of the application by using the security information of the application, may include: processing the data of the application by using the packet signature information of the application, or processing the data of the application by using the access control list information of the application, or processing the data of the application by using the malformed attack information of the application, or processing the data of the application by using the stateful firewall library information of the application, or processing the data of the application by using the packet rate limit policy information of the application.

Figure 5 is a flowchart of the step 402 in accordance with an embodiment of the present invention. As shown in Figure 5, the terminal device judges whether there is any change in existing policy; for example, judges whether security configuration is default configuration (step 501).

When the configuration is not default configuration, a port number and a IP address are configured in the terminal device (step 502). Furthermore, a timer for maintaining the security information of the application may be configured.

In step 403, for example, the user of the terminal device starts an application like "Skype" for social networking. An event will be sent to NG-FW client running on the terminal device. The terminal device will generate the request message to request security information of the application. This request message can be based on any transport mechanism.

In implement, the security information of the application may include: packet signature of the application, access control list of the application, malformed attack of the application, stateful firewall libs of the application, packet rate limit policy of the application, and so on.

Figure 6 is a flowchart of the step 403 in accordance with an embodiment of the present invention. As shown in Figure 6, the terminal device may judge if security configuration is default configuration (step 601). When the configuration is not default configuration, the terminal device may trigger an event (step 602), such as send a message to the NG-FW client configured in the terminal device.

Then the terminal device may judge if NG-FW database exit for the application (step 603). When the NG-FW database is not exit for the application, the terminal device sends the request message for requesting security information of the application (step 604).

As shown in Figure 6, the terminal device may judge if timeout is happened or an acknowledge message is not received (step 605); if no, the terminal device will continue to download the security information of the application and update existing policy (step 606). Then existing application policy and security mechanism (i.e. attack defense mechanism) are used (step 607).

In step 403, the request message may be generated based on UDP (User Datagram Protocol) as transport protocols. The format of the request message is shown as below. smart hone Request Message

.2 Header and IP Header >

0 1 2 3

O 1 2 34 5 6 7 8 9 O 1 2 34 5 67 8 901 2 34 5 6 7 89 O I +-+-+-+-+-+-+ -+-+-+-÷^■-+-+-+-+-+-+-÷-+-+-+-+-+-+-+ -+-+-+ -+-+-+-+-+ I src Port I Destination Port |

+ - + -+ - + -÷ -+-+-+ -^■!--+ - + -+ -+ -+ -+ -+- + - +—+ -+ - + -+ -+— r - + -+ -+ - + -+ -+-÷ - + -+

In step 405, the NG-Firewall server sends the security information of the application, such as all attack defense policy, NG-FW application and signature.

Figure 7 is a flowchart of the step 405 in accordance with an embodiment of the present invention. As shown in Figure 7, the NG-Firewall server receives the request message from the terminal device (step 701). Then the NG-Firewall server may judge if the terminal device is authenticated (step 702).

As shown in Figure 7, when the terminal device is authenticated as a valid user, the NG-Firewall server will determine the security information of the application (step 703), such as latest attack defense policy and libs. Then the NG-Firewall server may judge if NG-FW database exit for the application (step 704). When the NG-FW database is not exit for the application, the NG-Firewall server will send the security information of the application to the terminal device (step 705), such as application specific attack defense and updated existing policy. Then the NG-Firewall server may send an acknowledge message (step 706).

In step 405, a response message containing the security information of the application may be generated based on UDP as transport protocols. The format of the response message is shown as below. ssjsart phone Request ess age

< L 2 Header and IP Header >

0 1 2 3

0 1 2 3 4 5 6 7 S 9 Q 1 2 3 4 S 6 ? 8 9 0 I 2 3 4 5 6 7 8 9 O 1 + _₊ _₊ _₊ _₊ _₊ _ ₊ _₊ _₊ _₊ _₊ _₊ _₊ _₊ _₊ _₊ _₊_₊_₊

In step 406, the terminal device downloads the NG-FW application and installs application access list and signature in data plane. Any packet received/transmitted of the application from/to the terminal device will be processed by the security information of the application.

Figure 8 is a flowchart of the step 406 in accordance with an embodiment of the present invention. As shown in Figure 8, the terminal device receives the security information of the application from a NG-FW server (step 801), such as application specific attack defense. Then the terminal device judge if the NG-Firewall server is authenticated (step 802). When the NG-Firewall server is authenticated, the terminal device downloads all security information of the application, such as all attack defense mechanism.

In step 407, once the user of the terminal device completes or closes the application (such as Skype), the security information of the application (includes all installed and download application access list and signature) will flushed out.

Figure 9 is a flowchart of the step 407 in accordance with an embodiment of the present invention. As shown in Figure 9, the terminal device may further judge if it is timeout (step 901); when it is timeout, the terminal device sends a message to clear the downloaded data (step 902).

It can be seen from the above embodiment that: a NG-Firewall client requests security information of the application from a NG-Firewall server, when an application is started in a terminal device configured with the NG-Firewall client. Thus dynamically loading of attack defense can be realized in the embodiments of the present invention, software footprints required on the terminal device can be reduced and performance of application installed on the terminal device can be improved.

Embodiment 3

This embodiment of the present invention provides a method for implementing NG-Firewall, applied in a NG-Firewall server. This embodiment corresponds to the above embodiment 1 or 2, and the same content will not be described.

Figure 10 is a flowchart of the method for implementing NG-Firewall in accordance with an embodiment of the present invention. As shown in Figure 10, the method includes:

Step 1001, the NG-Firewall server receives a request message from a terminal device, where the request message is used for requesting security information of an application; wherein the security information of the application represents information of security protection for the application started in the terminal device;

Step 1002, the NG-Firewall server determines the security information of the application according to the request message;

Step 1003, the NG-Firewall server sends a response message including the security information of the application to the terminal device.

In this embodiment, the security information of the application includes: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application. However, it is not limited thereto, and particular implement way may be determined as actually required.

Figure 11 is another flowchart of the method for implementing NG-Firewall in accordance with an embodiment of the present invention. As shown in Figure 11, the method includes:

Step 1101, the NG-Firewall server receives a request message from a terminal device, where the request message is used for requesting security information of an application; wherein the security information of the application represents information of security protection for the application started in the terminal device;

Step 1103, the NG-Firewall server determines the security information the application according to the request message;

In this embodiment, the process of determining the security information of the application according to the request message may include: acquiring the security information of the application from a database according to the identification information of the application included in the request message.

For example, the database storing the security of the application may be configured in the NG-FW server; in other words, the database is a local database of the NG-FW server. In another example, the database storing the security of the application may be separately set; the NG-FW server may access the database via a communication interface. However, it is not limited thereto.

Step 1104, the NG-Firewall server sends a response message including the security information of the application to the terminal device.

As shown in Figure 11, the method may further include:

Step 1102, the NG-Firewall server authenticates whether the request message is valid. When the request message is valid, perform the process of sending the response message including the security information of the application to the terminal device.

In this embodiment, one or more timer value for maintaining part or all of the security information of the application may be included in the response message.

The method may further include: determining one or more timer value for maintaining part or all of the security information of the application; the sending a response message including the security information of the application to the terminal device (step 1104) may include: sending a response message including the security information of the application, and one or more timer value for maintaining part or all of the security information of the application to the terminal device.

It should be noted that: in the above network environment, the security information of the application sent back by the NG-FW server may be different for different application of a terminal device. Or, the NG-FW server may send back different security information for different request messages of terminal devices. However, it is not limited thereto, and particular implement way may be determined as actually required.

It can be seen from the above embodiment that: a NG-Firewall client requests security information of the application from a NG-Firewall server, when an application is started in a terminal device configured with the NG-Firewall client. Thus dynamically loading of attack defense can be realized in the embodiments of the present invention, software footprints required on the terminal device can be reduced and performance of application installed on the terminal device t can be improved.

Embodiment 4

This embodiment of the present invention further provides a NG-Firewall client which is configured in a terminal device. This embodiment corresponds to the method of the above embodiment 1 , and the same content will not be described.

Figure 12 is a schematic diagram of the NG-Firewall client in accordance with an embodiment of the present invention. As shown in Figure 12, the NG-Firewall client 1200 includes: a sending unit 1201, a receiving unit 1202 and a processing unit 1203. Other parts of the NG-Firewall client can refer to the existing technology and not be described in the present application. However, it is not limited thereto, and particular implement way may be determined as actually required.

Where, the sending unit 1201 is configured to send a request message for requesting security information of an application when the application is started in a terminal device configured with the NG-Firewall client; the receiving unit 1202 is configured to receive a response message including the security information of the application; the processing unit 1203 is configured to process data of the application by using the security information of the application.

In this embodiment, the sending unit 1201 may be specifically configured to send the request message for requesting security information of the application to the NG-Firewall server when the application is started in the terminal device which is configured with the NG-Firewall client; wherein the request message including identification information of the application, and the identification information of the application is used by the NG-Firewall server to determine the security information of the application.

Embodiment 5

This embodiment of the present invention further provides a NG-Firewall client which is configured in a terminal device. This embodiment corresponds to the method of the above embodiment 2, and the same content will not be described.

Figure 13 is a schematic diagram of the NG-Firewall client in accordance with an embodiment of the present invention. As shown in Figure 13, the NG-Firewall client 1300 includes: a sending unit 1201, a receiving unit 1202 and a processing unit 1203. As described in above embodiment 4.

As shown in Figure 13, the NG-Firewall client 1300 may further include: a clearing unit 1304. The clearing unit 1304 is configured to clear the security information of the application when the application is closed in the terminal device.

As shown in Figure 13, the NG-Firewall client 1300 may further include: an enabling unit 1305, a configuring unit 1306 and a generating unit 1307. Where, the enabling unit 1305 is configured to enable a NG-Firewall function; the configuring unit 1306 is configured to configure an IP address and a port number of the NG-Firewall server; the generating unit 1307 is configured to generate the request message.

In this embodiment, the response message may further include one or more timer value for maintaining part or all of the security information of the application; and the sending unit is further configured to re-request the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or re-request the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

In this embodiment, the clearing unit may further be configured to clear the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or clear the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

wherein the processing unit 1203 may be specifically configured to: process the data of the application by using the packet signature information of the application, or process the data of the application by using the access control list information of the application, or process the data of the application by using the malformed attack information of the application, or process the data of the application by using the stateful firewall library information of the application, or process the data of the application by using the packet rate limit policy information of the application.

Embodiment 6

This embodiment of the present invention further provides a NG-Firewall server. This embodiment corresponds to the method of the above embodiment 3, and the same content will not be described.

Figure 14 is a schematic diagram of the NG-Firewall server in accordance with an embodiment of the present invention. As shown in Figure 14, the terminal device 1400 includes: a receiving unit 1401, a first determining unit 1402 and a sending unit 1403. Other parts of the NG-Firewall server can refer to the existing technology and not be described in the present application. However, it is not limited thereto, and particular implement way may be determined as actually required.

Where, the receiving unit 1401 is configured to receive a request message for requesting security information of an application from a terminal device; the first determining unit 1402 is configured to determining the security information of the application according to the request message; the sending unit 1403 is configured to send a response message including the security information of the application to the terminal device.

Figure 15 is another schematic diagram of the NG-Firewall server in accordance with an embodiment of the present invention. As shown in Figure 15, the NG-Firewall server 1500 includes: a receiving unit 1401, a first determining unit 1402 and a sending unit 1403. As described in above embodiment.

In this embodiment, the request message may include identification information of the application; and the first determining unit 1402 is specifically configured to acquire the security information of the application from a database according to the identification information of the application comprised in the request message.

As shown in Figure 15, the NG-Firewall server 1500 may further include: an authenticating unit 1503; the authenticating unit 1503 is configured to authenticate whether the request message is valid. The sending unit 1403 is specifically configured to send the response message including the security information of the application to the terminal device when the request message is valid.

In this embodiment, the NG-Firewall server 1500 may further include: a second determining unit 1504, which is configured to determine one or more timer value for maintaining part or all of the security information of the application;

the sending unit 1403 is specifically configured to send a response message including the security information of the application, and one or more timer value for maintaining part or all of the security information of the application to the terminal device.

Furthermore, terminal devices will be protected against new attacks originated either through new application or services. As the number of attack defense is directly dependent on the number of application user is using, the signaling packets will be reduced and this help in improving battery life of mobile terminal. Embodiment 7

This embodiment of the present invention further provides a terminal device configured with a NG-FW client. This embodiment corresponds to the method of the above embodiment 1-2, and the same content will not be described.

In this embodiment, the terminal device includes a processor and a memory coupled to the processor.

FIG. 16 is a schematic structure diagram of a terminal device according to an embodiment of the present invention. As shown in FIG. 16, there is a processor 41 and a memory 42 coupled to the processor 41.

The memory 42, configured to store program. Specifically, the program can includes program code, the program code includes computer operating instruction.

The processor 41 is configured to: send a request message for requesting security information of an application to a NG-Firewall server when the application is started in the terminal device; receive a response message comprising the security information of the application from the NG-Firewall server; process data of the application by using the security information of the application.

The memory 42 may include a high speed RAM and a non-volatile memory. The processor 41 may be a Central Processing Unit (CPU), or can be Application Specific Integrated Circuit (ASIC), or can be configured to one or more ASIC.

According to the above terminal device, the request message comprising identification information of the application and the identification information of the application is used by the NG-Firewall server to determine the security information of the application.

According to the above terminal device, the processor 41 is further configured to: clear the security information of the application when the application is closed in the terminal device.

According to the above terminal device, wherein the response message further comprises one or more timer value for maintaining part or all of the security information of the application; and

The processor 41 is further configured to: re-request the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or re-request the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

According to the above terminal device, wherein the processor 41 is further configured to: clear the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout; or clear the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

According to the above terminal device, wherein the security information of the application comprises any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

According to the above terminal device, wherein there are different timer values for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application; or, there is the same timer value for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

According to the above terminal device, in the step of processing data of the application by using the security information of the application, the processor 41 is further configured to: process the data of the application by using the packet signature information of the application, or process the data of the application by using the access control list information of the application, or process the data of the application by using the malformed attack information of the application, or process the data of the application by using the stateful firewall library information of the application, or process the data of the application by using the packet rate limit policy information of the application.

Further, as shown in Fig. 16, there may also include a communication interface 43, configured to complete the communication between the terminal device and the NG-Firewall server or other devices.

As shown in Fig. 16, the terminal device may also include a disk 44, configured to store the program to be tested and state information of the process of the program to be tested.

Alternatively, in specific implementation, if the memory 42, the processor 41 the communication interface 43 and the disk 44 can be implemented individually, then the memory 42, the processor 41, the communication interface 43 and the disk 44 can be in communication connection via BUS. The BUS can be Industry Standard Architecture (ISA) BUS, Peripheral Component (PCI) BUS or Extended Industry Standard Architecture (EISA) BUS etc. The BUS can be divided into address BUS, data BUS and control BUS etc. For convenient representation, the BUS is only represented by a single thick line, but does not mean there is only one BUS or one kind of BUS.

Alternatively, in specific implementation, if the memory 42, the processor 41, the communication interface 43 and the disk 44 can be integrated in a single chip, then the memory 42, the processor 41 the communication interface 43 and the disk 44 can be in communication connection via internal interface.

The advantages of embodiments of the present invention exist in that: the terminal device requests security information of an application from a NG-Firewall server, when the application is started in the terminal device. Thus dynamically loading of attack defense can be realized in the embodiments of the present invention, software footprints required on the terminal device can be reduced and performance of application installed on the terminal device can be improved.

The present invention also provides a non-transitory computer readable storage medium, including computer program codes which when executed by a computer processor cause the compute processor to execute the method for implementing NG-Firewall according to embodiments of the present invention.

By the embodiments described above, persons skilled in the art may clearly understand that the present invention may be implemented by software with necessary common hardware. Specifically, the present invention may also be implemented by only hardware. However, the former is the preferred implementation mode. Based on such understanding, the essence of the technical solution of the present invention or the part of that makes a contribution to the prior art may be implemented in the form of software product. The computer software product is stored in a readable storage medium such as a computer floppy disk, a hard disk, or an optical disk, and includes multiple instructions to enable computer equipment (which may be a personal computer, a server, or network equipment) to execute the method described in embodiments of the present invention.

Embodiment 8

This embodiment of the present invention provides a NG-FW server. This embodiment corresponds to the method of the above embodiment 3, and the same content will not be described.

In this embodiment, the NG-FW server includes: a processor and a memory coupled to the processor.

FIG. 17 is a schematic structure diagram of a NG-FW server according to an embodiment of the present invention. As shown in FIG. 17, there is a processor 51 and a memory 52 coupled to the processor 51. The memory 52, configured to store program. Specifically, the program can includes program code, the program code includes computer operating instruction.

The processor 51 is configured to: receive a request message for requesting security information of an application from a terminal device, where the security information of the application represents information of security protection for the application started in the terminal device; determine the security information of the application according to the request message; send a response message including the security information of the application to the terminal device.

The memory 52 may include a high speed RAM and a non-volatile memory. The processor 51 may be a Central Processing Unit (CPU), or can be Application Specific Integrated Circuit (ASIC), or can be configured to one or more ASIC.

According to the above NG-FW server, the request message includes identification information of the application; and in the step of determining the security information of the application according to the request message, the processor 51 is further configured to: acquire the security information of the application from a database according to the identification information of the application included in the request message.

According to the above NG-FW server, the processor 51 is further configured to: authenticate whether the request message is valid; when the request message is valid, perform the process of sending the response message including the security information of the application to the terminal device.

According to the above NG-FW server, the processor 51 is further configured to: determine one or more timer value for maintaining part or all of the security information of the application; and in the step of sending a response message, the processor 51 is further configured to: send a response message including the security information of the application, and one or more timer value for maintaining part or all of the security information of the application to the terminal device.

According to the above NG-FW server, wherein the security information of the application comprises any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

Further, as shown in Fig. 17, there may also include a communication interface 53, configured to complete the communication between the NG-FW server and the terminal device or other devices.

As shown in Fig. 17, the NG-FW server may also include a disk 54, configured to store the program to be tested and state information of the process of the program to be tested.

Alternatively, in specific implementation, if the memory 52, the processor 51 the communication interface 53 and the disk 54 can be implemented individually, then the memory 52, the processor 51, the communication interface 53 and the disk 54 can be in communication connection via BUS. The BUS can be Industry Standard Architecture (ISA) BUS, Peripheral Component (PCI) BUS or Extended Industry Standard Architecture (EISA) BUS etc. The BUS can be divided into address BUS, data BUS and control BUS etc. For convenient representation, the BUS is only represented by a single thick line, but does not mean there is only one BUS or one kind of BUS.

Alternatively, in specific implementation, if the memory 52, the processor 51, the communication interface 53 and the disk 54 can be integrated in a single chip, then the memory 52, the processor 51 the communication interface 53 and the disk 54 can be in communication connection via internal interface.

The advantages of embodiments of the present invention exist in that: a terminal device requests security information of an application from the NG-Firewall server, when the application is started in the terminal device. Thus dynamically loading of attack defense can be realized in the embodiments of the present invention, software footprints required on the terminal device can be reduced and performance of application installed on the terminal device can be improved.

Embodiment 9

This embodiment of the present invention provides a system for implementing NG-Firewall. This embodiment corresponds to the above embodiment 7 and 8, and the same content will not be described.

In this embodiment, the system for implementing NG-Firewall includes: one or more terminal devices as described in the embodiment 7 and a NG-Firewall server as described in the embodiment 8.

FIG. 18 is a schematic structure diagram of a system for implementing NG-Firewall according to an embodiment of the present invention. As shown in FIG. 18, there are at least one terminal device 1801 configured with a NG-FW client 1802 and one NG-FW server 1803 in the system for implementing NG-Firewall 1800.

It can be seen from the above embodiment that: the beneficial effects and advantages of the embodiments can be achieved:

(1) Lower footprint of a NG Firewall software for a terminal device; such as a smartphone and other terminal device;

(2) Enhance battery life as controlling message of NG-Firewall with respect to an unused application is not used;

(3) Lower size of an application specific access list, such as a white or black List; so that a better performance may be achieved;

(4) NG-Firewall services on a terminal device (such as a smartphone) will be used mandatory when a critical business application is started.

(5) Controlling critical information by using other interfaces, like Bluetooth, USB Ports etc;

(6) A securing application, data and an application access control will be used while an application is run.

It should be understood that each of the parts of the present invention may be implemented by hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods may be realized by software or firmware that is stored in the memory and executed by an appropriate instruction executing system. For example, if it is realized by hardware, it may be realized by any one of the following technologies known in the art or a combination thereof as in another embodiment: a discrete logic circuit having a logic gate circuit for realizing logic functions of data signals, application-specific integrated circuit having an appropriate combined logic gate circuit, a Programmable Gate Array (PGA), and a field programmable gate array (FPGA), etc.

The description or blocks in the flowcharts or of any process or method in other manners may be understood as being indicative of comprising one or more modules, segments or parts for realizing the codes of executable instructions of the steps in specific logic functions or processes, and that the scope of the embodiments of the present invention comprise other implementations, wherein the functions may be executed in manners different from those shown or discussed, including executing the functions according to the related functions in a substantially simultaneous manner or in a reverse order, which should be understood by those skilled in the art to which the present invention pertains.

The logic and/or steps shown in the flowcharts or described in other manners here may be, for example, understood as a sequencing list of executable instructions for realizing logic functions, which may be implemented in any computer readable medium, for use by an instruction executing system, device or apparatus (such as a system including a computer, a system including a processor, or other systems capable of extracting instructions from an instruction executing system, device or apparatus and executing the instructions), or for use in combination with the instruction executing system, device or apparatus.

The above literal description and drawings show various features of the present invention. It should be understood that those skilled in the art may prepare appropriate computer codes to carry out each of the steps and processes as described above and shown in the drawings. It should be also understood that all the terminals, computers, servers, and networks may be any type, and the computer codes may be prepared according to the disclosure to carry out the present invention by using the apparatus.

Particular embodiments of the present invention have been disclosed herein. Those skilled in the art will readily recognize that the present invention is applicable in other environments. In practice, there exist many embodiments and implementations. The appended claims are by no means intended to limit the scope of the present invention to the above particular embodiments. Furthermore, any reference to "a device to... " is an explanation of device plus function for describing elements and claims, and it is not desired that any element using no reference to "a device to ... " is understood as an element of device plus function, even though the wording of "device" is included in that claim.

Although a particular embodiment has been shown and the present invention has been described, it is obvious that equivalent modifications and variants are conceivable to those skilled in the art in reading and understanding the description and drawings. Especially for various functions executed by the above elements (portions, assemblies, apparatus, and compositions, etc.), except otherwise specified, it is desirable that the terms (including the reference to "device") describing these elements correspond to any element executing particular functions of these elements (i.e. functional equivalents), even though the element is different from that executing the function of an exemplary embodiment or embodiments illustrated in the present invention with respect to structure. Furthermore, although the a particular feature of the present invention is described with respect to only one or more of the illustrated embodiments, such a feature may be combined with one or more other features of other embodiments as desired and in consideration of advantageous aspects of any given or particular application.

Claims

WE CLAIM

1. A method for implementing NG-Firewall (Next Generation Firewall), the method comprising:

2. The method as claimed in claim 1, wherein the request message comprising identification information of the application, and the identification information of the application is used by the NG-Firewall server to determine the security information of the application.

3. The method as claimed in claim 1, wherein the method further comprises:

4. The method as claimed in any one of claims 1 to 3, wherein the response message further comprises one or more timer value for maintaining part or all of the security information of the application; and

the method further comprise: re-requesting the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or

re-requesting the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

5. The method as claimed in claim 4, wherein the method further comprises: clearing the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or

6. The method as claimed in any one of claims 1 -5, wherein the security information of the application comprises any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

7. The method as claimed in claim 6, wherein there are different timer values for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application; or,

there is the same timer value for maintaining any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

8. The method as claimed in claim 6, wherein processing data of the application by using the security information of the application, comprising: processing the data of the application by using the packet signature information of the application, or

9. A method for implementing NG-Firewall, the method comprising: receiving a request message for requesting security information of an application from a terminal device, wherein the security information of the application represents information of security protection for the application started in the terminal device;

10. The method as claimed in claim 9, wherein the request message comprises identification information of the application; and

11. The method as claimed in claim 9 or 10, wherein before sending a response message comprising the security information of the application to the terminal device, the method further comprises:

authenticating whether the request message is valid;

12. The method as claimed in claim 9 or 10, the method further comprises:

determining one or more timer value for maintaining part or all of the security information of the application;

13. The method as claimed in any one of claims 9-12, wherein the security information of the application comprises any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

14. ANG-Firewall client, comprising:

15. The NG-Firewall client as claimed in claim 14, wherein the sending unit is specifically configured to send the request message for requesting security information of the application to the NG-Firewall server when the application is started in the terminal device which is configured with the NG-Firewall client; wherein the request message comprising identification information of the application, and the identification information of the application is used by the NG-Firewall server to determine the security information of the application.

16. The NG-Firewall client as claimed in claim 14, wherein the NG-Firewall client further comprises:

17. The method as claimed in any one of claims 14 to 16, wherein the response message further comprises one or more timer value for maintaining part or all of the security information of the application; and

18. The NG-Firewall client as claimed in claim 17, wherein the clearing unit is further configured to clear the part of the security information of the application when one or more timer of the one or more timer value that corresponds to the part of the security information of the application are timeout, or clear the all of the security information of the application when one or more timer of the one or more timer value that corresponds to the all of the security information of the application are timeout.

19. The NG-Firewall client as claimed in any one of claims 14-18, wherein the security information of the application comprises any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

20. The NG-Firewall client as claimed in claim 19, wherein the processing unit is specifically configured to:

21. A NG-Firewall server, comprising:

22. The NG-Firewall server as claimed in claim 21, wherein the request message comprises identification information of the application; and

23. The NG-Firewall server as claimed in claim 21 or 22, wherein the

NG-Firewall server further comprises:

24. The NG-Firewall server as claimed in claim 21 or 22, wherein the NG-Firewall server further comprises:

25. The NG-Firewall server as claimed in any one of claims 21 -24, wherein the security information of the application comprises any one or combination of the following information: packet signature information of the application, access control list information of the application, malformed attack information of the application, stateful firewall library information of the application and packet rate limit policy information of the application.

26. A terminal device, comprising:

a processor and a memory coupled to the processor;

wherein the processor is configured to:

27. A NG-Firewall server, comprising:

a processor and a memory coupled to the processor;

wherein the processor is configured to:

send a response message comprising the security information of an application to the terminal device.

28. A system for implementing NG-Firewall, comprising:

one or more terminal devices as claimed in claim 26; and

a NG-Firewall server as claimed in claim 27.