(51) Int Cl.: H04L 29/06 ( ) H04L 12/24 ( )

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "(51) Int Cl.: H04L 29/06 (2006.01) H04L 12/24 (2006.01)"

Transcription

1 (19) (12) EUROPEAN PATENT SPECIFICATION (11) EP B1 (4) Date of publication and mention of the grant of the patent: Bulletin 11/11 (1) Int Cl.: H04L 29/06 (06.01) H04L 12/24 (06.01) (21) Application number: (22) Date of filing: (4) Handling information about packet data connections in a security gateway element Handhabung von Information über Datenpaketverbindungen in einer Sicherheitsdurchgangsvorrichtung Traitement d information sur les connections paquets de données dans une passerelle de sécurité (84) Designated Contracting States: DE FR GB () Priority: FI 06 (43) Date of publication of application: Bulletin 02/33 (73) Proprietor: Stonesoft Corporation 002 Helsinki (FI) (72) Inventor: Syvänne, Tuomo 01 Vantaa (FI) (74) Representative: Äkräs, Tapio Juhani et al KOLSTER OY AB P.O. Box 148 (Iso Roobertinkatu 23) Helsinki (FI) (6) References cited: EP-A WO-A-00/082 WO-A-00/62167 US-A US-A US-A US-A US-A BELLOVIN S M ET AL: "NETWORK FIREWALLS" IEEE COMMUNICATIONS MAGAZINE, IEEE SERVICE CENTER. PISCATAWAY, N.J, US, vol. 32, no. 9, 1 September 1994 ( ), pages 0-7, XP ISSN: HARI A ET AL: "DETECTING AND RESOLVING PACKET FILTER CONFLICTS" PROCEEDINGS IEEE INFOCOM 00. THE CONFERENCE ON COMPUTER COMMUNICATIONS. 19TH. ANNUAL JOINT CONFERENCE OF THE IEEE COMPUTER ANDCOMMUNICATIONS SOCIETIES. TEL AVIV, ISRAEL, MARCH 26-, 00, PROCEEDINGS IEEE INFOCOM. THE CONFERENCE ON COMPUTER COMMUN, vol. VOL. 3 OF 3. CONF. 19, 26 March 00 ( ), pages , XP ISBN: EP B1 Note: Within nine months of the publication of the mention of the grant of the European patent in the European Patent Bulletin, any person may give notice to the European Patent Office of opposition to that patent, in accordance with the Implementing Regulations. Notice of opposition shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention). Printed by Jouve, 7001 PARIS (FR)

2 1 EP B1 2 Description BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The invention relates in general to handling in a security gateway element a connection data structure, in which information about allowed packet data connections is stored. In particular the invention relates to handling the connection data structure in a flexible way. 2. Description of Related art [0002] The local networks of various organizations and enterprises are nowadays connected to the public Internet. To protect a local network, special gateway is usually used to connect the local network to a public network. This special gateway is often called a security gateway or a firewall, and the purpose of a security gateway is to prevent authorized access to the local network. Typically there is need to restrict access to a local network from a public network and/or to restrict access from the local network to the public network or further networks connected to the public network. On data packet level this means that data packets, which are entering and/or exiting a local network, are screened or filtered in a security gateway. In addition to filtering data packets a security gateway may secure data packets transmitted between, for example, some communication entities. In this case the security gateway is both a firewall and a VPN (Virtual Private Network) gateway. [0003] Figure 1 illustrates an example with a first local network 12, a second local network 14 and a public network. The public network may be, for example, the Internet. The local networks 12, 14 are connected to the public network via security gateway elements 16 and 18, respectively. A security gateway element 16, 18 may be implemented as one network node (server) or as a cluster of nodes. Term security gateway element is used in this description to refer to a network node or to a cluster of network nodes, where stateful (see below) data packet screening is performed and which connects at least two networks to each other. A security gateway element may be, for example, a plain firewall node screening packets or a firewall node provided with VPN functionality, or a cluster of such nodes. [0004] Screening of data packets in a network element may be stateless or stateful. Stateless screening refers to packet filtering, where each packet is handled according to a set of rules (or other screening information, see below) without any information about history of packets. Stateless screening is typically used, for example, in routers. Stateful screening refers to a situation, where a data packet initiating a packet data connection is accepted using a set of rules, and consequently information about an accepted packet data connection is stored in the network element for handling the rest of the data packets belonging to the opened packet data connection. Security gateways typically perform stateful screening of data packets. The main reason for using stateful screening is security. Typically, it is required to restrict access from a public network to a local network while allowing entities in the local network to access public network. In stateless screening there must be rules, which allow possible reply packets from the public network to the local network to pass a network element. Many other data packets than proper reply packets may be accepted using such rules. When statefull packet screening is used only those data packets, which are really part of an opened packet data connection, can be accepted. [000] The screening of first data packets in stateful screening is usually done using information specifying at least parts of allowed data packet headers and corresponding instructions for processing a data packet. The screening information is usually an ordered set of rules. Figure 2 illustrates as an example a set of rules, having a first rule Rule1, a second rule Rule2, and so forth. The order of the rules in the rule set typically defines the order in which a header of a data packet is compared to the rules. The instructions specified in the first rule, to which the header of a data packet matches, states the action to be carried out for said data packet. The rules are typically listed in a rule file in the order in which they are processed: a rule file thus typically comprises a sequence of rules Rule1, Rule2,..., RuleN. The rule file is typically stored in a security gateway element, for example in security gateway 16. [0006] A typical format for the rules is the following: header information, action. The header information typically involves source address (src), destination address (dst) and protocol (prot) relating to a data packet, and a rule typically has the following form: src, dst, prot, action. This means that for a data packet, which has the indicated header information, the indicated action is carried out. Typically the action defines whether the data packet is discarded or allowed to proceed. As a data packet is processed, its header information is compared to the header information indicated by the rules; the rules are processed in the order defined by the ordered set. Typically the last rule in the ordered set of rules (e.g. RuleN in Figure 2) does not allow any packet to proceed. This means a data packet, whose header information does not match the header information indicated in any of the preceding rules, is discarded. [0007] In stateful screening information about ongoing data packet connections or about packet data connections relating to ongoing connections is typically stored in a data structure, which is here called a connection data structure. A data packet initiating a packet data connection and arriving at a security gateway element, is compared to the screening information. If a rule allowing the data packet to traverse the security gateway element is found, a corresponding entry is made to the connection data structure. Typically, a connection data structure entry comprises some header information of the corre- 2

3 3 EP B sponding data packet and possibly further additional information. Data packets other than packets initiating a packet data connection are then compared to the connection data structure and, if a corresponding entry is found, the packet is allowed to traverse the security gateway element. Thus, only data packets relating to open packet data connections are accepted. As a further advantage, stateful screening may require less processing power than stateless screening, as data packets of an open packet data connection are checked only against the connection data structure, and there is no need to check if the data packets are in accordance with the given, possibly long, set of rules. [0008] The part of the connection data structure that is related to one currently open packet data connection traversing a security gateway element is called an entry. When a packet data connection is closed, the corresponding entry is typically removed (or deleted or cleared) from the connection data structure. The number of entries having information about packet data connections thus typically varies as function of time. [0009] Information about other data packets, which a security gateway element should allow to proceed, may also be dynamically updated to the connection data structure. In many cases a given set of rules is just basic information for making a decision about allowing a certain data packet to proceed. Additional information may also be needed. Consider, for example, FTP (File Transfer Protocol), which has a control connection and the files are transferred using a separate data connection. This separate data connection should be allowed even though a network element outside the local network initiates the FTP data connection, if a related control connection has been established and a request for opening the data connection has been detected within the control connection before the data connection is attempted. A security gateway element should thus be prepared to receive a data packet initiating such a FTP data connection and to allow such a data packet to proceed. Typically, such a data packet initiating a FTP data connection would not be allowed to proceed on the basis of the rules. It is only allowed on the basis of the prior information transferred within the FTP control connection. [00] The connection data structure, where information about data packets that are allowed to arrive and be processed in a security gateway element, may be, for example, a connection data structure described in Figure 3. In the connection data structure each entry 31 corresponds to a data packet having the header information 32 specified in the table entry. The header information 32 typically comprises the source address, the destination address, the source port and the destination port. A connection data structure entry typically comprises further additional information 33. This additional information may comprise information about the protocol to which the data packet relates. The protocol may be, for example, TCP (transmission control protocol) or UDP (User Datagram Protocol). Furthermore, the additional information may specify NAT (Network Address Translation) details, encrypting keys, routing information and/or a program code, which is used to investigate and optionally modify the contents of a data packet. Term protocol-specific program code is here used to refer to program code, which may be either a separate program, an integrate part of a kernel or a kernel module, and which is used to investigate and optionally modify the contents of data packets. A FTP-specific program code, for example, typically monitors the content of data packets relating to a FTP control connection, and when it finds out that a FTP data connection is to be established, it creates a connection data structure entry for the FTP data connection or otherwise informs the software running in the security gateway element to let data packets relating to said FTP data connection to proceed. There may be separate protocol-specific program codes for various protocols or application programs. [0011] The set of rules, or other screening information, is updated every now and then. It may be updated, for example, periodically to ensure that too old screening information is not used. Alternatively, new screening information may be delivered to a security gateway element from a management system after the screening information has been modified, that is, new screening information is pushed to the security gateway element from the management system. [0012] In current security gateway elements, when screening information is updated, a connection data structure is typically cleared. Clearing the connection data structure causes established connections to fail since the connection data structure entry which is required for accepting the packets other that the packet initiating a connection are lost. This is a problem especially in circumstances, where connections should be as reliable as possible. [0013] A second way to handle ongoing packet data, when screening information is updated, is to maintain information about the open connections in the connection data structure. This way existing packet data connections survive, and the packet data connections are as reliable as possible. There may, however, be existing packet data connections which are not in accordance with the updated screening information, and this may cause security risks. Some security gateways give the user a possibility to select between dropping all existing packet data connections and allowing all existing packet data connections. Such a selection is a selection between security and network usability. [0014] A further way to handle ongoing packet data connections when screening information is updated may have, for example, the following features. Before clearing a connection data structure, the connection data structure is copied to a previous connection data structure. The connection data structure is then cleared, and therefore all arriving data packets are handled using the updated screening information. Typically only data packets initiating a packet data connection may be compared to 3

4 EP B1 6 screening information. It is possible, however, to make an exception to this rule. In this case, all arriving data packets are compared to the screening information. If the updated screening information contains a rule allowing said data packet to pass but the packet is not a packet initiating a new connection, it is checked if the previous connection data structure contains an entry allowing the data packet to proceed. If such entry is found, an entry relating to this packet data connection is added to the connection data structure. These features prevent some existing packet data connections to be dropped. For example FTP data connection is, however, dropped, as it is accepted on the basis of the FTP control connection, not directly on the basis of a rule. [001] WO discloses an Intrusion and Misuse Deterrence System (IMDS) that passively detects network intruders. The IMDS creates a synthetic network complete with synthetic hosts and routers to monitor packet flow in an enterprise until it determines that a packet is destined for the synthetic network. Since there are no legitimate users on the synthetic or virtual network, the IMDS identifies the source of the packet and notifies a system administrator of the presence of a network intruder. [0016] EP discloses a "session cache" that tracks cache rule versions and dynamic filter rule versions in such a way that outdated cache rules are detected, deleted from memory and replaced upon being called upon and before being applied to a packet, while rules unaffected by a change in a local rule base are left intact in the cache. [0017] US779 discloses a secure network interface unit (SNIU) coupled between each host or user computer unit, which may be non-secure, and a network, which may be non-secure, and a security management (SM) architecture, including a security manager (SM) connected to each of the SNIUS for controlling their operation and configuration on the network. The SM architecture is implemented to ensure user accountability, configuration management, security administration, and cryptographic key management among the SNIUS. [0018] BELLOVIN S M ET AL: "NETWORK FIRE- WALLS" IEEE COMMUNICATIONS MAGAZINE, IEEE SERVICE CENTER. PISCATAWAY, N.J, US, vol. 32, no. 9, 1 September 1994 ( ), pages 0-7, XP ISSN: , provides a review on network firewalls. [0019] HARI A ET AL: "DETECTING AND RESOLV- ING PACKET FILTER CONFLICTS" PROCEEDINGS IEEE INFOCOM 00. THE CONFERENCE ON COM- PUTER COMMUNICATIONS. 19TH. ANNUAL JOINT CONFERENCE OF THE IEEE COMPUTER ANDCOM- MUNICATIONS SOCIETIES. TEL A VIV, ISRAEL, MARCH 26-, 00, PROCEEDINGS IEEE INFOCOM. THE CONFERENCE ON COMPUTER COMMUN, vol. VOL. 3 OF 3. CONF. 19, 26 March 00 ( ), pages , XP ISBN: , discloses a new way for detecting and resolving packet filter conflicts. SUMMARY OF THE INVENTION [00] Object of the invention is to present a flexible method and arrangement for handling information about existing packet data connections in a security gateway element. A further object is to present such a method and arrangement for handling information about existing packet data connections which allows packet data connections via a security gateway element to be reliable even when screening information is updated. [0021] Objects of the invention are achieved by classifying, after screening information is updated, packet data connections to packet data connections in accordance with new screening information and packet data connections in conflict with new screening information. [0022] A method according to the invention is a method for handling information about packet data connections, which arrive at a security gateway element, in order to have in a connection data structure information about packet data connections in accordance with current screening information, said connection data structure comprising a number of entries representing a number of packet data connections, said method comprises the step of: - storing data packet header information about packet data connections, which are in accordance with first screening information, in said connection data structure, and - receiving updated screening information, said updated screening information forming either by itself or in connection with said first screening information second screening information, and said method is characterized in that if further comprises the step of: - after receiving said updated screening information, comparing entries of said connection data structure to said second screening information, resulting in a classification of said entries as first entries, said first entries representing packet data connections in accordance with said second screening information, and as second entries, said second entries representing packet data connections in conflict with said second screening information. [0023] A security gateway element according to the invention is a gateway element comprising - means for processing data packets so that data packet connections in accordance with current screening information are allowed to proceed, - means for storing first screening information used as current screening information, - means for storing in a connection data structure in- 4

5 7 EP B1 8 formation about packet data connections in accordance with the first screening information, and - means for receiving updated screening information, which by itself or together with the first screening information forms second screening information, and the security gateway element is characterized in that it further comprises - means for comparing entries in said connection data structure to second screening information, resulting in a classification of said entries as first entries, said first entries representing packet data connections in accordance with said second screening information, and as second entries, said second entries representing packet data connections in conflict with said second screening information. [0024] The invention further relates to a management system relating to at least one security gateway element, said management system comprising - means for defining screening information, and - means for delivering screening information to said at least one security gateway element, and said management system being characterized in that if further comprises - means for receiving from said at least one security gateway element information indicating all or some of packet data connections that said at least one security gateway element, after updating screening information in said at least one security gateway element, has classified to be in conflict with the delivered screening information, - means for representing said information indicating all or some packet data connections to a user, said means arranged to produce a confirmation as a response to user actions, and - means for sending said confirmation to said at least one security gateway element. [00] The invention relates also to a computer program comprising program code for performing all the steps of a method in accordance with the invention, when said program is run on a computer. [0026] The invention further relates to a computer program product comprising program code means stored on a computer readable medium for performing a method according to the invention, when said program product is run on a computer. [0027] A connection data structure according to the invention is a data structure comprising a number of entries representing a number of packet data connections, said entries comprising header information of data packets, and the connection data structure is characterized in that at least one of said entries further involves acceptance information relating to grounds for accepting the represented packet data connections to traverse a security gateway element when, after screening information is updated in said security gateway element, packet data connections are classified to packet data connections in accordance with the updated screening information and packet data connections in conflict with the updated screening information. [0028] According to an embodiment of the invention at least one of said entries further comprises information indicating the current screening information at the time of creation of said entry. [0029] The appended dependent claims describe some preferred embodiments of the invention. The features described in one dependent claim may be further combined with features described in another dependent claim to produce further embodiments of the invention. [00] The packet data connections discussed here are typically packet data connections on IP protocol. In this specification and in the appended claims, term packet data connection refers here to a bi-directional flow of data packets. Examples of such packet data connections are TCP connections, bi-directional UDP packet flows, UDP queries, ICMP (Internet Control Message Protocol) queries and replies. [0031] In this specification and in the appended claims, term entry refers to a piece of information relating to one packet data connection. An entry typically comprises information at least about data packet headers. Term connection data structure refers to a data structure, whose entries represent packet data connections arriving at a security gateway. A connection data structure may be, for example, a table or a linked list or any other more versatile data structure. [0032] According to the invention, packet data connections represented in a connection data structure are classified as packet data connections in accordance with updated screening information and as packet data connections in conflict updated screening information. After this classification it is possible to ensure that packet data connections in accordance with updated screening information are allowed to traverse a security gateway element. This is the main advantage of the invention. Furthermore, it is possible to inspect the packet data connections in conflict with updated screening information before possibly rejecting part or all of these packet data connections. This can be made, for example, by representing a list of existing packet data connections that are not allowed with new set of rules to the administrator, who can then decide if he or she wants to terminate those or not. [0033] The screening information is typically a set of rules. It may be, for example, an ordered sequence of rules, and a data packet is processed by comparing header information of the data packet to the rules, rule by rule, in the order dictated by the sequence numbers. Alternatively, screening information may be a hierarchically ordered, so that a certain rule may have a number of subrules and, typically, header information common to all said subrules is specified in said certain rule. In this case data packets are compared to subrules only if the header information of a data packet matches first the header information specified in the rule, to which the subrules

6 9 EP B1 are subordinates. BRIEF DESCRIPTION OF THE DRAWING [0034] The invention is now described in more detail with reference to the accompanying drawing, where Figure 1 Figure 2 Figure 3 Figure 4 Figure Figure 6 Figure 7 Figure 8 Figure 9 Figure illustrates two local networks connected to a public network via security gateways, illustrates a set of rules for screening data packets according to prior art, illustrates a prior art connection data structure, illustrates as an example a flowchart of a method according to the invention, where interaction with a management system is involved, illustrates as an example a connection data structure according to the invention, illustrates as examples flowcharts of two methods according to the invention, where different information relating to existing packet data connections is compared to new screening information, illustrates as examples flowcharts of two methods according to the invention, where different ways to carry out the comparison are involved, illustrates as an example a flowchart of a method for testing validity of screening information update employing the invention, illustrates as an example a flowchart of a method for updating screening information, said method employing the invention, and illustrates as an example a security gateway element and a management system according to the invention. DETAILED DESCRIPTION OF THE INVENTION [003] Figures 1-3 are discussed in more detail above in connection with the prior art description. [0036] Figure 4 illustrates as an example a flowchart of a method 0, which is a method for handling information about packet data connections, which arrive at a security gateway element and which are in accordance with current screening information. [0037] In step 1 information about packet data connections, which are in accordance with first screening information, is stored in a connection data structure, said connection data structure consequently comprising a number of entries representing a number of existing packet data connections arriving at a security gateway element. In step 2 updated screening information is received. This updated screening information forms new (second) screening information on its own or together with the first screening information. Typically this updated screening information is pushed from a management system. It is possible that a security gateway element asks for updated screening information if, for example, too long time has elapsed since it has received the latest update. [0038] In step 3 entries of said connection data structure are compared to new (second) screening information. As a result, the entries are classified as first entries representing packet data connections in accordance with said second screening information or as second entries representing packet data connections in conflict with said second screening information. [0039] Steps 4-6 relate to interaction between a management system and a security gateway element. In step 4 a security gateway element indicates the packet data connections, which are mentioned in a connection data structure and which are conflicting the new screening information. In step a security gateway element requests, either implicitly by indicating the packet data connections in step 4 or explicitly, a confirmation whether to reject the conflicting packet data connections. A user of a management system may at this point decide, which packet data connections are rejected or, for example, if the entries corresponding to those packet data connections are modified. If a confirmation is received (step 6), the conflicting packet data connections and relating connection data structure entries are processed according to said confirmation. If a confirmation is not received, a security gateway element may, for example, reject the conflicting packet data connections. Typically data packets relating to conflicting packet data connections are allowed to proceed until a confirmation to reject those data packets is received or a timeout occurs. [00] Method 0 and especially the steps relating to interaction between a management system and a security gateway element are presented here as an example. The details of methods employed in management systems and security gateway elements in accordance with the invention may vary from those presented above. [0041] Figure illustrates as an example a connection data structure 0 according to the invention. The connection data structure comprises information about packet data connections arriving at a security gateway element. In addition to header information 32 and additional information 33, which are discussed in more detail above in connection with prior art connection data structures and corresponding data structures, entry 1a of connection data structure 0 comprises acceptance information relating to the grounds according to which the packet data connection represented by the entry 1a is allowed to traverse a security gateway element. This acceptance information may be, for example, a rule identifier a of that rule, according to which the packet data connection is allowed. Alternatively, it is possible that data packet connections are allowed, if the user (or process) opening the packet data connection is authenticated. This authentication may be performed in a variety of ways. In this case typically a user (process) identifier b of a validly authenticated user (process) may be stored in a connec- 6

7 11 EP B1 12 tion data structure entry. Furthermore a packet data connection may be allowed, because a relating connection is allowed. This is the case for example, for FTP protocol, as described in connection with the description of prior art. In this case, information c indicating a relating rule is present in the connection data structure. This information may be part of the entry in a connection data structure, or the relating connection may be concluded from the structure of the connection data structure. For example, connections relating to a certain control connection may be represented by linking entries of said connections to the entry of the control connection. A further example of acceptance information is information d relating to a secure tunnel (a VPN tunnel) within which the data packet connection is. [0042] Typically all elements of a connection data structure 0 according to the invention comprise acceptance information, as illustrated in Figure. Figure 6a below illustrates a method, where a connection data structure according to the invention is used. Connection data structure entries may further or alternatively comprise information 6 indicating which version of the screening information was used when the connection data structure entry was created. This information 6 may be, for example, a time stamp 6a or a version number 6b of the screening information. Figure 7b below illustrates a method where such information is useful. [0043] Figure 6 illustrates as examples flowcharts of two methods 600 and 6 according to the invention. In methods 600 and 6 different information, information which typically is stored in connection data structure entries, is compared to new (second) screening information. Figure 6a illustrates method 600, where a connection data structure 0, for example, is used. The first step of method 600 is similar to step 1. In step 602 acceptance information relating to an entry is stored. This acceptance information is typically stored in the corresponding entry. In step 2 updated screening information is received, as in method 0. Thereafter, in step 602 (which is a more detailed description of step 3) acceptance information stored in connection data structure entries is compared to new (second) screening information. [0044] If the acceptance information is a rule identifier, in step 602 it is typically checked that a rule having the same identifier is present also in the new (second) screening information and that it is not preceded by a rule inhibiting said packet data connection to be accepted based on the specific, identified rule. If the acceptance information is a user identifier, it typically implies that this specific user has been validly authenticated. Therefore it is checked if a rule allowing a packet data connection by the specified user is present in the new (second) screening information. If the acceptance information indicates a relating packet data connection, it is typically checked if the relating connection still exists and if it is allowed according to the new (second) screening information. If the acceptance information is a relating secure tunnel, e.g. a VPN tunnel, it is checked, if a rule allowing a connection using said specified tunnel is present in the new (second) screening information and if the encrypting methods are still valid. [004] Figure 6b illustrates method 6, where a prior art connection data structure or other connection data structure not specifying acceptance information may be employed. The first and second steps of method 600 are similar to steps 1 and 2 of method 0. In the third step 611, which is a more detailed description of step 3, header information stored in connection data structure is compared to new (second) screening information. The connection data structure entries may be treated similarly as data packets, which are processed in a security gateway element. The header information stored in a connection data structure entry is sufficient for this. If a rule (or other corresponding piece of screening information) in new (second) screening information allows a data packet having the header information specified in an entry to proceed, the entry is kept in the connection data structure, otherwise the entry is typically deleted. [0046] In many cases it is advantageous to use the method of Figure 6a, in other words to store acceptance information relating to the packet data connections. This enhances especially the handling of more complicated protocols that, say, just plain TCP. For example, in case of FTP connection the rule allowing the packet data connection covers both the control connection and the data connection, even though data connection is not allowed as such without the control connection. Nevertheless, it is possible to verify that also a certain FTP data connection is in accordance with the new screening information, if the rule that allowed the control connection relating to this certain FTP data connection is in accordance with the new screening information. This implies also to any other (complicated) protocols in which opening one or more connections requires that some other connection is opened first, or to any other connections that are not accepted purely on the basis of a rule, but require for example authentication. [0047] Figure 7 illustrates as examples flowcharts of two methods 700 and 7 according to the invention. In these methods different ways to carry out the comparison of the connection data structure entries are used. [0048] Figure 7a illustrates method 700, where a snapshot of the connection data structure is taken (step 701) after receipt of updated screening information. The connection data structure may be, for example, a data structure to which a kernel process compares arriving data packets and which a kernel process updates. The snapshot may be, for example, taken so that the actual connection data structure is all the time updated by a kernel process (using, when needed, the new screening information), but another process (which may be a user process and which typically performs the comparing of connection data structure entries in step 3, 702) sees the contents of the connection data structure at a certain moment in time. At least some of the connection data structure entries, which represent packet data connections 7

8 13 EP B1 14 conflicting the new screening information, are typically deleted (step 703). It is possible that some of the connection data structure entries representing packet data connections in accordance with the new screening information are modified (step 704). If a connection data structure entry comprises, for example, information about an interface, via which data packets of said packet data connection arrive at the security gateway element, this information may be modified for example for enforcing a check according to new anti-spoofing settings. [0049] The above example of providing a snapshot of a connection data structure to a user process is given as an example of implementing a method in accordance with the invention. Some operating systems have functionality to provide to various processes various views about a certain object. [000] In method 7, which is illustrated in Figure 7b, the connection data structure entries are compared - one by one - to new (second) screening information. It is possible to make this comparison and allow entries to be added to the connection data structure at the same time. One way to do this is to store - typically to the connection data structure entries themselves - information about the screening information version, based on which an entry has been added to the connection data structure. This information is stored in step 711. In comparing connection data structure entries (step 3, 712), those entries which are based on the new screening information, need not be compared. [001] It is possible to interrupt the processing of those data packets, which do not initiate packet data connections, for the duration of the comparison in steps 3, 702, 712. This prevents data packets relating to packet data connections conflicting the new screening information from traversing the security gateway element. As the comparison typically takes only some milliseconds, a delay, which may be caused for data packets relating to packet data connections in accordance with the new screening information, is often practically negligible and should not affect these packet data connections. [002] The comparison (step 3) in methods 700 and 701 may be done, for example, by comparing header information stored in connection data structure entries to new screening information (cf. step 611) or by comparing acceptance information to new screening information (cf. step 602). [003] It is possible to combine the features presented in method 0 together with those features presented either in method 600 or 6 and/or together with those presented either in method 700 or 7. Additionally, it is not required to perform all the steps presented in the Figures in order to use the invention, but some of the steps may be optionally ignored. Furthermore, the order of the steps in Figures is not meant to be restrictive. For example, steps 702/712 and steps 703 and 704 may be performed in the order presented in Figures or, for example, by interleaving steps 712 and 703 so that after an entry conflicting new screening information is found, it is deleted and then a next entry conflicting new screening information is searched for. Similarly, steps 712 and 704 may be interleaved, as well as steps 702, 703 and 704. [004] Figure 8 illustrates as an example a flowchart of a method 800 for testing validity of screening information update. In step 1 information about packet data connections is stored in a connection data structure. In step 801 information indicating that the next updated screening information is sent for testing purposes is received. After the updated screening information is received (step 2) and connection data structure entries are compared to the new screening information (step 3), information about said comparison is transmitted (step 802), for example, to a management system. This information may, for example, comprise a list of those packet data connections, which are in conflict with the new screening information. This method allows evaluation of the effect of certain updated screening information. This method need not involve an actual security gateway element and an actual management system, but it may be used, for example, in simulations. [00] Figure 9 illustrates as an example a flowchart of a method 900 for updating screening information. In this method first screening information is saved (step 901) as a precaution, to allow rejection of updated screening information. After comparing connection data structure entries to new screening information, information about the packet data connections conflicting new screening information, for example, is transmitted (step 802). Thereafter either a confirmation for taking the new screening information into use is received (steps 904, 703, 704) or the confirmation is not received and the updated screening information is discarded (step 903). In this case the first screening information is still used in accepting data packet connections. [006] Figure illustrates an example of a security gateway element according to the invention. The security gateway element 00 comprises means 01 for processing data packets so that data packet connections in accordance with current screening information are allowed to proceed. The current screening information is stored in means 02, and typically screening information is a set of rules. Typically the means 01 are arranged to compare a data packet first to entries in a connection data structure, where information about open packet data connections are stored, and only if a matching entry cannot be found, the data packet is compared to the current screening information. Typically, only data packets initiating a packet data connection are compared to the current screening information. Means 03 are used for storing in the connection data structure information about current packet data connections in accordance with first screening information. The security gateway element 00 further comprises means 04 for receiving updated screening information, which by itself or together with the first screening information forms second screening information, which is to replace the first screening 8

9 1 EP B1 16 information currently stored in means 02. [007] The security gateway element 00 is characterized in that it further comprises means 0 for comparing entries of said connection data structure to second screening information, thus classifying entries in said connection data structure as first entries, said first entries representing packet data connections in accordance with said second screening information, or as second entries, said second entries representing packet data connections in conflict with said second screening information. [008] The security gateway element 00 further comprises means 06 for rejecting packet data connections conflicting new (second) screening information, for example by deleting or modifying some of said second entries from said connection data structure. The security gateway element 00 typically further comprises means 07 for indicating to a management system all or some of the packet data connections conflicting the second screening information, and means 08 for receiving a confirmation from the management system whether to reject all or some of the packet data connections conflicting the second screening information. Furthermore, it is possible that said means 06 for rejecting packet data connections are arranged to delete all packet data connections conflicting the second screening information, if a confirmation is not received within a predefined period of time. [009] A security gateway element according to the invention may further comprise any of the following means: - means for receiving information indicating the receipt of test update screening information, - means for transmitting information about comparison connection data structure entries to new (second) screening information, said information about comparison being typically a list of packet data connections conflicting the new screening information, - means for storing first screening information as a precaution, and - means for receiving a confirmation to use updated screening information. [0060] Figure illustrates also an example of a management system relating to at least one security gateway element. This management system 0 comprises means 1 for defining screening information, and means 2 for delivering screening information to said at least one security gateway element. It further comprises means 3 for receiving from said at least one security gateway element information indicating all or some of packet data connections conflicting the delivered screening information. Means 4 for representing said information indicating all or some packet data connections to a user are arranged to produce a confirmation as a response to user actions. A security gateway element 00 typically comprises also means for sending said confirmation to said at least one security gateway element. [0061] A management system according to the invention may further comprise any of the following means in addition or alternatively to means 3-: - means for sending information indicating the receipt of test updated screening information, - means for receiving information about comparison connection data structure entries to new (second) screening information, said information about comparison being typically a list of packet data connections conflicting the new screening information, - means for deciding on a use of updated screening information based at least on said information about comparison, and - means for sending a confirmation to use updated screening information. [0062] A security gateway element according to the invention may be one network node or a cluster of network nodes. The means and 1-, or any other means mentioned in connection with Figure or in the appended claims, are typically implemented as a suitable combination of hardware and software. They are advantageously implemented using software program code means executed by a processor unit. A security gateway element according to the invention may employ any method according to the invention. Some examples of such methods are described above. [0063] In the view of the foregoing description it will be evident to a person skilled in the art that various modification may be made within the scope of the invention. It should be apparent that many modifications and variations to the above described examples are possible, all of which fall within the scope of the invention. Claims 1. A method (0, 600, 6, 700, 7, 800, 900) for handling information about packet data connections, which arrive at a security gateway element, in order to have in a connection data structure information about packet data connections in accordance with current screening information, said connection data structure comprising a number of entries representing a number of packet data connections, said method comprising the steps of: - storing (1) data packet header information about packet data connections, which are in accordance with first screening information, in said connection data structure, and - receiving (2) updated screening information, said updated screening information forming either by itself or in connection with said first screening information second screening information, 9

10 17 EP B1 18 characterized in that said method further comprises the step of: - after receiving said updated screening information, comparing (3) entries of said connection data structure to said second screening information, resulting in a classification of said entries as first entries, said first entries representing packet data connections in accordance with said second screening information, and as second entries, said second entries representing packet data connections in conflict with said second screening information. 2. A method according to claim 1, characterized in that it further comprises the step of: - storing (601) for a packet data connection acceptance information relating to grounds for accepting that packet data connection, and in that said acceptance information is used (602) in comparing entries of said connection data structure to said second screening information. 3. A method according to claim 2, characterized in that said acceptance information is stored to a same connection data structure entry (0) as data packet header information about a packet data connection. 4. A method according to claim 2, characterized in that said screening information comprises a number of rules and said acceptance information is a rule identifier (a) of that rule with which a packet data connection is in accordance.. A method according to claim 2, characterized in that said acceptance information is information (b) identifying an authenticated entity. 6. A method according to claim 2, characterized in that said acceptance information is information (c) identifying a relating packet data connection. 7. A method according to claim 6, characterized in that a specific form of said packet data connection data structure indicates said relating packet data connection A method (6) according to claim 1, characterized in that in comparing (3, 611) entries of said connection data structure to said second screening information, it is checked if packet data header information stored in said entries is in accordance with second screening information.. A method (700) according to claim 1, characterized in that it further comprises the step of: - deleting (703) at least one of said second entries from said connection data structure. 11. A method (700) according to claim 1, characterized in that it further comprises the step of: - modifying (704) at least one of said first entries in said connection data structure. 12. A method (700) according to claim 1, characterized in that it further comprises the step of: - storing (701) contents of said connection data structure at a certain time in order to use the stored contents in comparing of entries of said connection data structure. 13. A method (7) according to claim 1, characterized in that it further comprises the step of: - storing (711) in a connection data structure entry (0) information (6) indicating current screening information version at the time of adding a connection data structure entry, and in that in comparing (3, 712) entries of said connection data structure to second screening information, only entries specifying first screening information as current screening information are compared. 14. A method (0) according to claim 1, characterized in that it further comprises the steps of: - indicating (4) to a management system all or some of the packet data connections conflicting the second screening information and represented by said the second entries, and - requesting () a confirmation from the management system whether to reject packet data connections conflicting said second screening information. 8. A method according to claim 2, characterized in that said acceptance information is information (d) identifying a secured tunnel, within which the packet data connection is tunneled A method (0) according to claim 14, characterized in that said packet data connections conflicting said second screening information are rejected (8) after a predefined period of time in the absence of the confirmation by deleting relating entries of said connection data structure 16. A method (800) according to claim 1, characterized in that it further comprises the steps of:

11 19 EP B1 - receiving (801) information indicating that the second screening information is only for test use, and - transmitting (802) information about results of said comparison. 17. A method (8) according to claim 1, characterized in that it further comprises the step of: - storing (811) said first screening information as a precaution, enabling the return to using said first screening information as current screening information. 18. A method (700) according to claim 1, characterized in that it further comprises the step of: - modifying (703, 704) said connection data structure based on said comparison. 19. A security gateway element (00) comprising - means (01) for processing data packets so that data packet connections in accordance with current screening information are allowed to proceed, - means (02) for storing first screening information used as current screening information, - means (03) for storing in a connection data structure information about packet data connections in accordance with the first screening information, and - means (04) for receiving updated screening information, which by itself or together with the first screening information forms second screening information, characterized in that it further comprises - means (0) for comparing entries in said connection data structure to second screening information, resulting in a classification of said entries as first entries, said first entries representing packet data connections in accordance with said second screening information, and as second entries, said second entries representing packet data connections in conflict with said second screening information.. A security gateway element according to claim 19, characterized in that said means for processing data packets are arranged to compare data packets to said connection data structure and in that said security gateway element further comprises means (06) for rejecting packet data connections in conflict with second screening information. 21. A security gateway element according to claim, characterized in that it further comprises means (07) for indicating to a management system all or some of the packet data connections conflicting the second screening information, and - means (08) for receiving a confirmation from the management system whether to reject all or some of the packet data connections conflicting the second screening information. 22. A security gateway element according to claim 21, characterized in that said means (06) for rejecting packet data connections are arranged to delete all packet data connections conflicting the second screening information, if a confirmation is not received within a predefined period of time. 23. A management system (0) relating to at least one security gateway element, said management system comprising - means (1) for defining screening information, and - means (2) for delivering screening information to said at least one security gateway element, characterized in that said management system further comprises - means (3) for receiving from said at least one security gateway element information indicating all or some of packet data connections that said at least one security gateway element, after updating screening information in said at least one security gateway element, has classified to be in conflict with the delivered screening information, - means (4) for representing said information indicating all or some packet data connections to a user, said means arranged to produce a confirmation as a response to user actions, and - means () for sending said confirmation to said at least one security gateway element. 24. A computer program comprising program code for performing all the steps of Claim 1 when said program is run on a computer.. A computer program product comprising program code means stored on a computer readable medium for performing the method of Claim 1 when said program product is run on a computer. 26. A connection data structure (0) comprising a number of entries (1) representing a number of packet data connections, said entries comprising header information (32) of data packets, characterized in that at least one of said entries further involves acceptance information () relating to grounds for accepting the represented packet data 11

12 21 EP B1 22 connection to traverse a security gateway element when, after screening information is updated in said security gateway element, packet data connections are classified to packet data connections in accordance with the updated screening information and packet data connections in conflict with the updated screening information. 27. A connection data structure according to claim 26, characterized in that each entry of said connection data structure comprises entry-specific acceptance information. 28. A connection data structure according to claim 26, characterized in that said acceptance information is a rule identifier (a) of that rule with which a packet data connection is in accordance. 29. A connection data structure according to claim 26, characterized in that said acceptance information is information (b) identifying an authenticated entity.. A connection data structure according to claim 26, characterized in that said acceptance information is information (c) identifying a relating packet data connection. 31. A connection data structure according to claim 26, characterized in that a specific form of said connection data structure indicates said relating packet data connection. 32. A connection data structure according to claim 26, characterized in that said acceptance information is information (d) identifying a secured tunnel, within which the packet data connections is tunneled. 33. A connection data structure according to claim 26, characterized in that at least one of said entries further comprises information (6) indicating the current screening information at the time of creation of said entry. 34. A connection data structure according to claim 33, characterized in that said information indicating the current screening information at the time of creation of said entry is a time stamp. 3. A connection data structure according to claim 33, characterized in that said information indicating the current screening information at the time of creation of said entry is a version identifier. Patentansprüche Handhabung von Information über Datenpaketverbindungen, die an einem Sicherheitsgateway-Element ankommen, um in einer Verbindungsdatenstruktur Information über aktueller Filterungsinformation entsprechende Datenpaketverbindungen zu haben, wobei die besagte Verbindungsdatenstruktur eine Anzahl von Einträgen aufweist, die eine Anzahl von Datenpaketverbindungen repräsentiert, wobei das besagte Verfahren die Schritte aufweist: - Speicherung (1) von Datenpaket-Headerinformation über erster Filterungsinformation entsprechende Datenpaketverbindungen in der besagten Verbindungsdatenstruktur und - Empfangen (2) von aktualisierter Filterungsinformation, wobei die besagte aktualisierte Filterungsinformation entweder allein oder in Verbindung mit der besagten ersten Filterungsinformation zweite Filterungsinformation ausbildet, dadurch gekennzeichnet, dass das besagte Verfahren weiterhin den Schritt aufweist, bei dem - nach dem Empfangen der besagten aktualisierten Filterungsinformation Einträge der besagten Verbindungsdatenstruktur mit der besagten zweiten Filterungsinformation verglichen werden (3), was zu einer Klassifizierung der besagten Einträge als erste Einträge, wobei die besagten ersten Einträge der besagten zweiten Filterungsinformation entsprechende Datenpaketverbindungen repräsentieren, und als zweite Einträge führt, wobei die besagten zweiten Einträge in Konflikt mit der besagten zweiten Filterungsinformation stehende Datenpaketverbindungen repräsentieren. 2. Verfahren nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin den Schritt aufweist, bei dem - für eine Datenpaketverbindung Akzeptanzinformation, die sich auf Gründe für Akzeptieren dieser Datenpaketverbindung bezieht, gespeichert wird (601), und dass die besagte Akzeptanzinformation dafür verwendet wird (602), Einträge der besagten Verbindungsdatenstruktur mit der besagten zweiten Filterungsinformation zu vergleichen. 3. Verfahren nach Anspruch 2, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation in demselben Verbindungsdatenstruktureintrag (0) wie Datenpaket-Headerinformation über eine Datenpaketverbindung gespeichert wird. 1. Verfahren (0, 600, 6, 700, 7, 800, 900) zur 4. Verfahren nach Anspruch 2, dadurch gekenn- 12

13 23 EP B1 24 zeichnet, dass die besagte Filterungsinformation eine Anzahl von Regeln aufweist und die besagte Akzeptanzinformation eine Regelkennung (a) derjenigen Regel ist, der eine Datenpaketverbindung entspricht.. Verfahren nach Anspruch 2, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation eine authentifizierte Einheit identifizierende Information (b) ist. 6. Verfahren nach Anspruch 2, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation eine zugehörige Datenpaketverbindung identifizierende Information (c) ist. 7. Verfahren nach Anspruch 6, dadurch gekennzeichnet, dass eine spezifische Form der besagten Datenpaketverbindungsdatenstruktur die besagte zugehörige Datenpaketverbindung anzeigt. 8. Verfahren nach Anspruch 2, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation Information (d) ist, die einen gesicherten Tunnel identifiziert, innerhalb dessen die Datenpaketverbindung getunnelt wird. 9. Verfahren (6) nach Anspruch 1, dadurch gekennzeichnet, dass es, wenn Einträge der besagten Verbindungsdatenstruktur mit der besagten zweiten Filterungsinformation verglichen werden (3, 611), überprüft wird, ob in den besagten Einträgen gespeicherte Datenpaket-Headerinformation der zweiten Filterungsinformation entspricht.. Verfahren (700) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin den Schritt aufweist, bei dem - zumindest einer der besagten zweiten Einträge in der besagten Verbindungsdatenstruktur gelöscht wird (703). 1 3 beim Vergleichen von Einträgen der besagten Verbindungsdatenstruktur zu verwenden. 13. Verfahren (7) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin den Schritt aufweist, bei dem - Information (6), die eine aktuelle Filterungsinformationsversion zum Zeitpunkt der Hinzufügung eines Verbindungsdatenstruktureintrags identifiziert, in einem Verbindungsdatenstruktureintrag (0) gespeichert wird (711), und dass, wenn Einträge der besagten Verbindungsdatenstruktur mit der zweiten Filterungsinformation verglichen werden (3, 712), nur die Einträge, die erste Filterungsinformation als aktuelle Filterungsinformation definieren, verglichen werden. 14. Verfahren (0) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin die Schritte aufweist, bei denen - alle oder einige Datenpaketverbindungen, die in Konflikt mit der zweiten Filterungsinformation stehen und von den besagten zweiten Einträgen repräsentiert werden, einem Verwaltungssystem angezeigt werden (4) und - eine Bestätigung vom Verwaltungssystem dafür angefordert wird (), ob mit der besagten zweiten Filterungsinformation in Konflikt stehende Datenpaketverbindungen abgelehnt werden. 1. Verfahren (0) nach Anspruch 14, dadurch gekennzeichnet, dass die besagten mit der besagten zweiten Filterungsinformation in Konflikt stehenden Datenpaketverbindungen nach einer vorbestimmten Zeitperiode in Abwesenheit von der Bestätigung abgelehnt werden (8), indem zugehörige Einträge der besagten Verbindungsdatenstruktur gelöscht werden. 11. Verfahren (700) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin den Schritt aufweist, bei dem - zumindest einer der besagten ersten Einträge in der besagten Verbindungsdatenstruktur modifiziert wird (704). 12. Verfahren (700) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin den Schritt aufweist, bei dem - der Inhalt der besagten Verbindungsdatenstruktur zu einem bestimmten Zeitpunkt gespeichert wird (701), um den gespeicherten Inhalt Verfahren (800) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin die Schritte aufweist: - Empfangen (801) von Information, die anzeigt, dass die zweite Filterungsinformation nur zu Testzwecken vorgesehen ist, und - Übertragen (802) von Information über Ergebnisse des besagten Vergleichs. 17. Verfahren (8) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin den Schritt aufweist, bei dem - die besagte erste Filterungsinformation als Si- 13

14 EP B1 26 cherheitsmaßnahme gespeichert wird (811), was wieder die Verwendung der besagten ersten Filterungsinformation als aktuelle Filterungsinformation ermöglicht. 18. Verfahren (700) nach Anspruch 1, dadurch gekennzeichnet, dass es weiterhin den Schritt aufweist, bei dem - die besagte Verbindungsdatenstruktur aufgrund des besagten Vergleichs modifiziert wird (703, 704). 19. Sicherheitsgateway-Element (00) mit - Mitteln (01) zum Verarbeiten von Datenpaketen, so dass aktueller Filterungsinformation entsprechende Datenpaketverbindungen vorgehen können, - Mitteln (02) zum Speichern von als aktuelle Filterungsinformation verwendeter erster Filterungsinformation, - Mitteln (03) zum Speichern von Information über der ersten Filterungsinformation entsprechende Datenpaketverbindungen in einer Verbindungsdatenstruktur und - Mitteln (04) zum Empfangen von aktualisierter Filterungsinformation, die allein oder zusammen mit der ersten Filterungsinformation zweite Filterungsinformation ausbildet, dadurch gekennzeichnet, dass es weiterhin aufweist: - Mittel (0) zum Vergleichen von Einträgen in der besagten Verbindungsdatenstruktur mit zweiter Filterungsinformation, was zu einer Klassifizierung der besagten Einträge als erste Einträge, wobei die besagten ersten Einträge der besagten zweiten Filterungsinformation entsprechende Datenpaketverbindungen repräsentieren, und als zweite Einträge führt, wobei die besagten zweiten Einträge in Konflikt mit der besagten zweiten Filterungsinformation stehende Datenpaketverbindungen repräsentieren.. Sicherheitsgateway-Element nach Anspruch 19, dadurch gekennzeichnet, dass die besagten Mittel zum Verarbeiten von Datenpaketen angeordnet sind, Datenpakete mit der besagten Verbindungsdatenstruktur zu vergleichen, und dass das besagte Sicherheitsgateway-Element weiterhin Mittel (06) zum Ablehnen von in Konflikt mit der zweiten Filterungsinformation stehenden Datenpaketverbindungen aufweist. 21. Sicherheitsgateway-Element nach Anspruch, dadurch gekennzeichnet, dass es weiterhin aufweist: - Mittel (07) zum Anzeigen aller oder einiger Datenpaketverbindungen, die in Konflikt mit der zweiten Filterungsinformation stehen, einem Verwaltungssystem und - Mittel (08) zum Empfangen einer Bestätigung vom Verwaltungssystem, ob alle oder einige Datenpaketverbindungen, die in Konflikt mit der zweiten Filterungsinformation stehen, abgelehnt werden. 22. Sicherheitsgateway-Element nach Anspruch 21, dadurch gekennzeichnet, dass die besagten Mittel (06) zum Ablehnen von Datenpaketverbindungen angeordnet sind, alle in Konflikt mit der zweiten Filterungsinformation stehenden Datenpaketverbindungen zu löschen, falls eine Bestätigung innerhalb einer vorbestimmten Zeitperiode nicht empfangen wird. 23. Verwaltungssystem (0) für zumindest ein Sicherheitsgateway-Element, welches Verwaltungssystem aufweist: - Mittel (1) zum Definieren von Filterungsinformation und - Mittel (2) zum Liefern von Filterungsinformation an das besagte zumindest eine Sicherheitsgateway-Element, dadurch gekennzeichnet, dass das besagte Verwaltungssystem weiterhin aufweist: - Mittel (3) zum Empfangen von Information vom besagten zumindest einen Sicherheitsgateway-Element, die alle oder einige Datenpaketverbindungen anzeigt, die das besagte zumindest eine Sicherheitsgateway-Element, nachdem Filterungsinformation im besagten zumindest einen Sichterheitsgateway-Element aktualisiert geworden ist, klassifiziert hat, in Konflikt mit der gelieferten Filterungsinformation zu stehen, - Mittel (4) zum Repräsentieren der besagten alle oder einige Datenpaketverbindungen einem Benutzer anzeigenden Information, wobei die besagten Mittel angeordnet sind, eine Bestätigung als Antwort auf Benutzeraktionen zu erzeugen, und - Mittel () zum Senden der besagten Bestätigung an das besagte zumindest eine Sichterheitsgateway-Element. 24. Computerprogramm mit Programmcode zur Ausführung aller Schritte des Anspruchs 1, wenn das besagte Programm auf einem Computer abläuft.. Computerprogrammprodukt mit auf einem computerlesbaren Medium gespeicherten Programmcodemitteln zur Ausführung des Verfahrens nach An- 14

15 27 EP B1 28 spruch 1, wenn das besagte Programmprodukt auf einem Computer abläuft. 26. Verbindungsdatenstruktur (0) mit einer Anzahl von Einträgen (1), die eine Anzahl von Datenpaketverbindungen repräsentiert, wobei die besagten Einträge Headerinformation (32) von Datenpaketen aufweisen, dadurch gekennzeichnet, dass zumindest einer der besagten Einträge weiterhin Akzeptanzinformation () umfasst, die sich auf Gründe dafür bezieht, den Durchgang der repräsentierten Datenpaketverbindung über ein Sichterheitsgateway-Element zu akzeptieren, wenn Datenpaketverbindungen, nachdem Filterungsinformation im besagten Sichterheitsgateway-Element aktualisiert geworden ist, als der aktualisierten Filterungsinformation entsprechende Datenpaketverbindungen und in Konflikt mit der aktualisierten Filterungsinformation stehende Datenpaketverbindungen klassifiziert werden. 27. Verbindungsdatenstruktur nach Anspruch 26, dadurch gekennzeichnet, dass jeder Eintrag der besagten Verbindungsdatenstruktur eintragsspezifische Akzeptanzinformation aufweist. 28. Verbindungsdatenstruktur nach Anspruch 26, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation eine Regelkennung (a) derjenigen Regel ist, der eine Datenpaketverbindung entspricht. 29. Verbindungsdatenstruktur nach Anspruch 26, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation eine authentifizierte Einheit identifizierende Information (b) ist.. Verbindungsdatenstruktur nach Anspruch 26, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation eine betreffende Datenpaketverbindung identifizierende Information (c) ist Verbindungsdatenstruktur nach Anspruch 26, dadurch gekennzeichnet, dass zumindest einer der besagten Einträge weiterhin Information (6) aufweist, die die aktuelle Filterungsinformation zum Zeitpunkt der Bildung des besagten Eintrags anzeigt. 34. Verbindungsdatenstruktur nach Anspruch 33, dadurch gekennzeichnet, dass die besagte Information, die die aktuelle Filterungsinformation zum Zeitpunkt der Bildung des besagten Eintrags anzeigt, ein Zeitstempel ist. 3. Verbindungsdatenstruktur nach Anspruch 33, dadurch gekennzeichnet, dass die besagte Information, die die aktuelle Filterungsinformation zum Zeitpunkt der Bildung des besagten Eintrags anzeigt, eine Versionskennung ist. Revendications 1. Procédé (0, 600, 6, 700, 7, 800, 900) pour manipuler des informations concernant des connexions de données de paquet, qui arrivent au niveau d un élément de passerelle de sécurité, afin d avoir, dans une structure de données de connexion, des informations concernant des connexions de données de paquet qui sont conformes à des informations de filtrage actuelles, ladite structure de données de connexion comprenant un certain nombre d entrées représentant un certain nombre de connexions de données de paquet, ledit procédé comprenant les étapes consistant à : mémoriser (1) des informations d en-tête de paquet de données concernant des connexions de données de paquet, qui sont conformes à des premières informations de filtrage, dans ladite structure de données de connexion, et recevoir (2) des informations de filtrage mises à jour, lesdites informations de filtrage mises à jour formant par elles-mêmes ou en relation avec lesdites premières informations de filtrage des deuxièmes informations de filtrage, 31. Verbindungsdatenstruktur nach Anspruch 26, dadurch gekennzeichnet, dass eine spezifische Form der besagten Verbindungsdatenstruktur die besagte zugehörige Datenpaketverbindung anzeigt. 32. Verbindungsdatenstruktur nach Anspruch 26, dadurch gekennzeichnet, dass die besagte Akzeptanzinformation Information (d) ist, die einen gesicherten Tunnel identifiziert, innerhalb dessen die Datenpaketverbindungen getunnelt werden. 4 0 caractérisé en ce que ledit procédé comprend en outre l étape consistant à : après avoir reçu lesdites informations de filtrage mises à jour, comparer (3) les entrées de ladite structure de données de connexion auxdites deuxièmes informations de filtrage, résultant en une classification desdites entrées en tant que premières entrées, lesdites premières entrées représentant des connexions de données de paquet qui sont conformes auxdites deuxièmes informations de filtrage, et en tant que deuxièmes entrées, lesdites deuxièmes entrées représentant des connexions de données de paquet qui sont en conflit avec lesdites deuxièmes informations de filtrage. 1

16 29 EP B1 2. Procédé selon la revendication 1, caractérisé en ce qu il comprend en outre l étape consistant à : mémoriser (601), pour une connexion de données de paquet, des informations d acceptation concernant des raisons pour accepter cette connexion de données de paquet, et en ce que lesdites informations d acceptation sont utilisées (602) pour comparer les entrées de ladite structure de données de connexion auxdites deuxièmes informations de filtrage. 3. Procédé selon la revendication 2, caractérisé en ce que lesdites informations d acceptation sont mémorisées dans une même entrée de structure de données de connexion (0) que les informations d en-tête de paquet de données concernant une connexion de données de paquet. 4. Procédé selon la revendication 2, caractérisé en ce que lesdites informations de filtrage comprennent un certain nombre de règles et lesdites informations d acceptation sont un identifiant de règle (a) de la règle avec laquelle une connexion de données de paquet est en accord.. Procédé selon la revendication 2, caractérisé en ce que lesdites informations d acceptation sont des informations (b) identifiant une entité authentifiée. 1 effacer (703) au moins l une desdites deuxièmes entrées de ladite structure de données de connexion. 11. Procédé (700) selon la revendication 1, caractérisé en ce qu il comprend en outre l étape consistant à modifier (704) au moins l une desdites premières entrées dans ladite structure de données de connexion. 12. Procédé (700) selon la revendication 1, caractérisé en ce qu il comprend en outre l étape consistant à mémoriser (701) les contenus de ladite structure de données de connexion à un certain moment afin d utiliser les contenus mémorisés pour comparer les entrées de ladite structure de données de connexion. 13. Procédé (7) selon la revendication 1, caractérisé en ce qu il comprend en outre l étape consistant à : mémoriser (711), dans une entrée de structure de données de connexion (0), des informations (6) indiquant une version d informations de filtrage actuelle à l instant d ajout d une entrée de structure de données de connexion, et en ce que, dans la comparaison (3, 712) des entrées de ladite structure de données de connexion aux deuxièmes informations de filtrage, seules les entrées spécifiant des premières informations de filtrage en tant qu informations de filtrage actuelles sont comparées. 6. Procédé selon la revendication 2, caractérisé en ce que lesdites informations d acceptation sont des informations (c) identifiant une connexion de données de paquet concernée. 7. Procédé selon la revendication 6, caractérisé en ce qu une forme spécifique de ladite structure de données de connexion de données de paquet indique ladite connexion de données de paquet concernée. 8. Procédé selon la revendication 2, caractérisé en ce que lesdites informations d acceptation sont des informations (d) identifiant un tunnel sécurisé, dans lequel la connexion de données de paquet est tunnellisé. 9. Procédé (6) selon la revendication 1, caractérisé en ce que, dans la comparaison (3, 611) des entrées de ladite structure de données de connexion auxdites deuxièmes informations de filtrage, il est vérifié si les informations d en-tête de données de paquet mémorisées dans lesdites entrées sont conformes aux deuxièmes informations de filtrage.. Procédé (700) selon la revendication 1, caractérisé en ce qu il comprend en outre l étape consistant à Procédé (0) selon la revendication 1, caractérisé en ce qu il comprend en outre les étapes consistant à: indiquer (4) à un système de gestion la totalité ou certaines des connexions de données de paquet qui sont en conflit avec les deuxièmes informations de filtrage et représentées par lesdites deuxièmes entrées, et demander () au système de gestion de confirmer s il convient de rejeter les connexions de données de paquet qui sont en conflit avec lesdites deuxièmes informations de filtrage. 1. Procédé (0) selon la revendication 14, caractérisé en ce que lesdites connexions de données de paquet qui sont en conflit avec lesdites deuxièmes informations de filtrage sont rejetées (8) après une période de temps prédéfinie en l absence de la confirmation en effaçant les entrées concernées de ladite structure de données de connexion. 16. Procédé (800) selon la revendication 1, caractérisé en ce qu il comprend en outre les étapes consistant à: recevoir (801) des informations indiquant que 16

17 31 EP B1 32 les deuxièmes informations de filtrage ne sont destinées qu à une utilisation de test, et transmettre (802) des informations concernant les résultats de ladite comparaison. 17. Procédé (8) selon la revendication 1, caractérisé en ce qu il comprend en outre l étape consistant à mémoriser (811) lesdites premières informations de filtrage en tant que précaution, permettant le retour à l utilisation desdites premières informations de filtrage en tant qu informations de filtrage actuelles. 18. Procédé (700) selon la revendication 1, caractérisé en ce qu il comprend en outre l étape consistant à modifier (703, 704) ladite structure de données de connexion sur la base de ladite comparaison. 19. Elément de passerelle de sécurité (00) comprenant : des moyens (01) pour traiter des paquets de données de sorte que des connexions de paquet de données conformes à des informations de filtrage actuelles puissent être effectuées, des moyens (02) pour mémoriser des premières informations de filtrage utilisées en tant qu informations de filtrage actuelles, des moyens (03) pour mémoriser, dans une structure de données de connexion, des informations concernant des connexions de données de paquet qui sont conformes aux premières informations de filtrage, et des moyens (04) pour recevoir des informations de filtrage mises à jour qui, par ellesmêmes ou avec les premières informations de filtrage, forment des deuxièmes informations de filtrage, caractérisé en ce qu il comprend en outre : des moyens (0) pour comparer les entrées dans ladite structure de données de connexion à des deuxièmes informations de filtrage, résultant en une classification desdites entrées en tant que premières entrées, lesdites premières entrées représentant des connexions de données de paquet qui sont conformes auxdites deuxièmes informations de filtrage, et en tant que deuxièmes entrées, lesdites deuxièmes entrées représentant des connexions de données de paquet qui sont en conflit avec lesdites deuxièmes informations de filtrage.. Elément de passerelle de sécurité selon la revendication 19, caractérisé en ce que lesdits moyens pour traiter des paquets de données sont agencés pour comparer les paquets de données à ladite structure de données de connexion, et en ce que ledit élément de passerelle de sécurité comprend en outre des moyens (06) pour rejeter les connexions de données de paquet qui sont en conflit avec des deuxièmes informations de filtrage. 21. Elément de passerelle de sécurité selon la revendication, caractérisé en ce qu il comprend en outre : des moyens (07) pour indiquer à un système de gestion la totalité ou certaines des connexions de données de paquet qui sont en conflit avec les deuxièmes informations de filtrage, et des moyens (08) pour recevoir du système de gestion une confirmation du fait qu il convient de rejeter la totalité ou certaines des connexions de données de paquet qui sont en conflit avec les deuxièmes informations de filtrage. 22. Elément de passerelle de sécurité selon la revendication 21, caractérisé en ce que lesdits moyens (06) pour rejeter des connexions de données de paquet sont agencés pour supprimer toutes les connexions de données de paquet qui sont en conflit avec les deuxièmes informations de filtrage, si une confirmation n est pas reçue dans une période de temps prédéfinie. 23. Système de gestion (0) concernant au moins un élément de passerelle de sécurité, ledit système de gestion comprenant : des moyens (1) pour définir des informations de filtrage, et des moyens (2) pour délivrer des informations de filtrage audit au moins un élément de passerelle de sécurité, caractérisé en ce que ledit système de gestion comprend en outre : des moyens (3) pour recevoir dudit au moins un élément de passerelle de sécurité des informations indiquant la totalité ou certaines des connexions de données de paquet que ledit au moins un élément de passerelle de sécurité, après la mise à jour des informations de filtrage dans ledit au moins un élément de passerelle de sécurité, a classées comme étant en conflit avec les informations de filtrage délivrées, des moyens (4) pour représenter lesdites informations indiquant la totalité ou certaines de connexions de données de paquet à un utilisateur, lesdits moyens étant agencés pour produire une confirmation en tant que réponse à des actions d utilisateur, et des moyens () pour envoyer ladite 17

18 33 EP B1 34 confirmation audit au moins un élément de passerelle de sécurité. 24. Programme d ordinateur comprenant un code de programme pour effectuer toutes les étapes de la revendication 1 lorsque ledit programme s exécute sur un ordinateur.. Produit-programme d ordinateur comprenant des moyens formant code de programme mémorisé sur un support pouvant être lu par un ordinateur pour effectuer le procédé selon la revendication 1 lorsque ledit produit-programme s exécute sur un ordinateur. 26. Structure de données de connexion (0) comprenant un certain nombre d entrées (1) représentant un certain nombre de connexions de données de paquet, lesdites entrées comprenant des informations d en-tête (32) de paquets de données, caractérisée en ce qu au moins l une desdites entrées implique en outre des informations d acceptation () concernant des raisons d accepter que la connexion de données de paquet représentée traverse un élément de passerelle de sécurité lorsque, après que les informations de filtrage ont été mises à jour dans ledit élément de passerelle de sécurité, les connexions de données de paquet sont classées en des connexions de données de paquet qui sont conformes aux informations de filtrage mises à jour et en des connexions de données de paquet qui sont en conflit avec les informations de filtrage mises à jour. 1 indique ladite connexion de données de paquet concernée. 32. Structure de données de connexion selon la revendication 26, caractérisée en ce que lesdites informations d acceptation sont des informations (d) identifiant un tunnel sécurisé, dans lequel les connexions de données de paquet sont tunnellisées. 33. Structure de données de connexion selon la revendication 26, caractérisée en ce qu au moins l une desdites entrées comprend en outre des informations (6) indiquant les informations de filtrage actuelles à l instant de création de ladite entrée. 34. Structure de données de connexion selon la revendication 33, caractérisée en ce que lesdites informations indiquant les informations de filtrage actuelles à l instant de création de ladite entrée sont un horodatage. 3. Structure de données de connexion selon la revendication 33, caractérisée en ce que lesdites informations indiquant les informations de filtrage actuelles à l instant de création de ladite entrée sont un identifiant de version. 27. Structure de données de connexion selon la revendication 26, caractérisée en ce que chaque entrée de ladite structure de données de connexion comprend des informations d acceptation spécifiques à une entrée Structure de données de connexion selon la revendication 26, caractérisée en ce que lesdites informations d acceptation sont un identifiant de règle (a) de la règle avec laquelle une connexion de données de paquet est en accord. 29. Structure de données de connexion selon la revendication 26, caractérisée en ce que lesdites informations d acceptation sont des informations (b) identifiant une entité authentifiée. 4. Structure de données de connexion selon la revendication 26, caractérisée en ce que lesdites informations d acceptation sont des informations (c) identifiant une connexion de données de paquet concernée. 31. Structure de données de connexion selon la revendication 26, caractérisée en ce qu une forme spécifique de ladite structure de données de connexion 0 18

19 EP B1 19

20 EP B1

TEPZZ 57_ A_T EP A1 (19) (11) EP A1 (12) EUROPEAN PATENT APPLICATION. (51) Int Cl.: H04L 29/06 ( )

TEPZZ 57_ A_T EP A1 (19) (11) EP A1 (12) EUROPEAN PATENT APPLICATION. (51) Int Cl.: H04L 29/06 ( ) (19) TEPZZ 57_ A_T (11) EP 2 571 223 A1 (12) EUROPEAN PATENT APPLICATION (43) Date of publication: 20.03.2013 Bulletin 2013/12 (51) Int Cl.: H04L 29/06 (2006.01) (21) Application number: 11181229.3 (22)

More information

21.4 Network Address Translation (NAT) 21.4.1 NAT concept

21.4 Network Address Translation (NAT) 21.4.1 NAT concept 21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially

More information

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Protocol: IP packet headers. vendredi 18 octobre 13 Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

TEPZZ 96 A_T EP 2 961 111 A1 (19) (11) EP 2 961 111 A1. (12) EUROPEAN PATENT APPLICATION published in accordance with Art.

TEPZZ 96 A_T EP 2 961 111 A1 (19) (11) EP 2 961 111 A1. (12) EUROPEAN PATENT APPLICATION published in accordance with Art. (19) TEPZZ 96 A_T (11) EP 2 961 111 A1 (12) EUROPEAN PATENT APPLICATION published in accordance with Art. 13(4) EPC (43) Date of publication:.12.1 Bulletin 1/3 (21) Application number: 147426.7 (22) Date

More information

FIREWALL AND NAT Lecture 7a

FIREWALL AND NAT Lecture 7a FIREWALL AND NAT Lecture 7a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 3, 2015 Source of most of slides: University of Twente FIREWALL An integrated collection of security

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

(51) Int Cl.: H04L 12/58 (2006.01) H04L 29/06 (2006.01)

(51) Int Cl.: H04L 12/58 (2006.01) H04L 29/06 (2006.01) (19) TEPZZ_986 8 B_T (11) EP 1 986 382 B1 (12) EUROPEAN PATENT SPECIFICATION (4) Date of publication and mention of the grant of the patent: 19.02.14 Bulletin 14/08 (1) Int Cl.: H04L 12/8 (06.01) H04L

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

(51) Int Cl.: G06F 11/14 (2006.01)

(51) Int Cl.: G06F 11/14 (2006.01) (19) (12) EUROPEAN PATENT SPECIFICATION (11) EP 1 08 414 B1 (4) Date of publication and mention of the grant of the patent: 04.03.09 Bulletin 09/ (1) Int Cl.: G06F 11/14 (06.01) (21) Application number:

More information

Communications and Computer Networks

Communications and Computer Networks SFWR 4C03: Computer Networks and Computer Security January 5-8 2004 Lecturer: Kartik Krishnan Lectures 1-3 Communications and Computer Networks The fundamental purpose of a communication system is the

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC 192.168.0.25

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC 192.168.0.25 NAT & IP Masquerade Page 1 of 5 INTRODUCTION Pre-requisites TCP/IP IP Address Space NAT & IP Masquerade Protocol version 4 uses a 32 bit IP address. In theory, a 32 bit address space should provide addresses

More information

Stateful Inspection Technology

Stateful Inspection Technology Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

EP 2 455 926 A1 (19) (11) EP 2 455 926 A1 (12) EUROPEAN PATENT APPLICATION. (43) Date of publication: 23.05.2012 Bulletin 2012/21

EP 2 455 926 A1 (19) (11) EP 2 455 926 A1 (12) EUROPEAN PATENT APPLICATION. (43) Date of publication: 23.05.2012 Bulletin 2012/21 (19) (12) EUROPEAN PATENT APPLICATION (11) EP 2 4 926 A1 (43) Date of publication: 23.0.2012 Bulletin 2012/21 (21) Application number: 11190024.7 (1) Int Cl.: G08B 2/14 (2006.01) G08B 2/00 (2006.01) G0B

More information

Redundancy Removing Protocol to Minimize the Firewall Policies in Cross Domain

Redundancy Removing Protocol to Minimize the Firewall Policies in Cross Domain Redundancy Removing Protocol to Minimize the Firewall Policies in Cross Domain Kamarasa V D S Santhosh M.Tech Student, Department of ComputerScience & Engineering, School of Technology, Gitam University,

More information

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX APPENDIX A Introduction Understanding TCP/IP To fully understand the architecture of Cisco Centri Firewall, you need to understand the TCP/IP architecture on which the Internet is based. This appendix

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

12. Firewalls Content

12. Firewalls Content Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

Security principles Firewalls and NAT

Security principles Firewalls and NAT Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Hay (43) Pub. Date: Oct. 17, 2002

Hay (43) Pub. Date: Oct. 17, 2002 US 20020152322A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2002/0152322 A1 Hay (43) Pub. Date: Oct. 17, 2002 (54) (76) (21) (22) (51) (52) METHOD AND APPARATUS FOR FACILITATING

More information

NETWORK SECURITY. Ch. 8: Defense Mechanism - Firewall

NETWORK SECURITY. Ch. 8: Defense Mechanism - Firewall NETWORK SECURITY Ch. 8: Defense Mechanism - Firewall Firewall A firewall is a hardware, software, or a combination of both that monitors and filters traffic packets that attempt to either enter or leave

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Firewall 1 Basic firewall concept Roadmap Filtering firewall Proxy firewall Network Address Translation

More information

Internet Ideal: Simple Network Model

Internet Ideal: Simple Network Model Middleboxes Reading: Ch. 8.4 Internet Ideal: Simple Network Model Globally unique identifiers Each node has a unique, fixed IP address reachable from everyone and everywhere Simple packet forwarding Network

More information

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding Firewalls slide 1 configuring a sophisticated GNU/Linux firewall involves understanding iptables iptables is a package which interfaces to the Linux kernel and configures various rules for allowing packets

More information

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Application Note. Stateful Firewall, IPS or IDS Load- Balancing Application Note Stateful Firewall, IPS or IDS Load- Balancing Document version: v1.0 Last update: 8th November 2013 Purpose Improve scallability of the security layer Limitations when Load-Balancing firewalls

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT Track 2 Workshop PacNOG 7 American Samoa Firewalling and NAT Core Concepts Host security vs Network security What is a firewall? What does it do? Where does one use it? At what level does it function?

More information

Cisco Integrated Services Routers Performance Overview

Cisco Integrated Services Routers Performance Overview Integrated Services Routers Performance Overview What You Will Learn The Integrated Services Routers Generation 2 (ISR G2) provide a robust platform for delivering WAN services, unified communications,

More information

(51) Int Cl.: H04L 12/28 (2006.01) H04L 29/06 (2006.01) H04L 12/56 (2006.01)

(51) Int Cl.: H04L 12/28 (2006.01) H04L 29/06 (2006.01) H04L 12/56 (2006.01) (19) (12) EUROPEAN PATENT SPECIFICATION (11) EP 1 096 7 B1 (4) Date of publication and mention of the grant of the patent: 11.03.09 Bulletin 09/11 (1) Int Cl.: H04L 12/28 (06.01) H04L 29/06 (06.01) H04L

More information

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP) Internet Control Message Protocol (ICMP) Relates to Lab 2: A short module on the Internet Control Message Protocol (ICMP). 1 Overview The IP (Internet Protocol) relies on several other protocols to perform

More information

Cisco PIX vs. Checkpoint Firewall

Cisco PIX vs. Checkpoint Firewall Cisco PIX vs. Checkpoint Firewall Introduction Firewall technology ranges from packet filtering to application-layer proxies, to Stateful inspection; each technique gleaning the benefits from its predecessor.

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: www.thegreenbow.com Contact: support@thegreenbow.com

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: www.thegreenbow.com Contact: support@thegreenbow.com TheGreenBow IPsec VPN Client Configuration Guide Cisco RV325 v1 Website: www.thegreenbow.com Contact: support@thegreenbow.com Table of Contents 1 Introduction... 3 1.1 Goal of this document... 3 1.2 VPN

More information

EP 2 365 669 A1 (19) (11) EP 2 365 669 A1 (12) EUROPEAN PATENT APPLICATION. (43) Date of publication: 14.09.2011 Bulletin 2011/37

EP 2 365 669 A1 (19) (11) EP 2 365 669 A1 (12) EUROPEAN PATENT APPLICATION. (43) Date of publication: 14.09.2011 Bulletin 2011/37 (19) (12) EUROPEAN PATENT APPLICATION (11) EP 2 36 669 A1 (43) Date of publication: 14.09.11 Bulletin 11/37 (1) Int Cl.: H04L 12/8 (06.01) (21) Application number: 00243.6 (22) Date of filing:.03. (84)

More information

ReadyNAS Remote White Paper. NETGEAR May 2010

ReadyNAS Remote White Paper. NETGEAR May 2010 ReadyNAS Remote White Paper NETGEAR May 2010 Table of Contents Overview... 3 Architecture... 3 Security... 4 Remote Firewall... 5 Performance... 5 Overview ReadyNAS Remote is a software application that

More information

OS/390 Firewall Technology Overview

OS/390 Firewall Technology Overview OS/390 Firewall Technology Overview Washington System Center Mary Sweat E - Mail: sweatm@us.ibm.com Agenda Basic Firewall strategies and design Hardware requirements Software requirements Components of

More information

Networking Security IP packet security

Networking Security IP packet security Networking Security IP packet security Networking Security IP packet security Copyright International Business Machines Corporation 1998,2000. All rights reserved. US Government Users Restricted Rights

More information

(Refer Slide Time: 02:17)

(Refer Slide Time: 02:17) Internet Technology Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No #06 IP Subnetting and Addressing (Not audible: (00:46)) Now,

More information

TEPZZ 9 Z5A_T EP 2 922 305 A1 (19) (11) EP 2 922 305 A1. (12) EUROPEAN PATENT APPLICATION published in accordance with Art.

TEPZZ 9 Z5A_T EP 2 922 305 A1 (19) (11) EP 2 922 305 A1. (12) EUROPEAN PATENT APPLICATION published in accordance with Art. (19) TEPZZ 9 ZA_T (11) EP 2 922 A1 (12) EUROPEAN PATENT APPLICATION published in accordance with Art. 13(4) EPC (43) Date of publication: 23.09.1 Bulletin 1/39 (21) Application number: 1386446.2 (22) Date

More information

Firewalls P+S Linux Router & Firewall 2013

Firewalls P+S Linux Router & Firewall 2013 Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network

More information

(30) Foreign Application Priority Data

(30) Foreign Application Priority Data US 20040015727A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2004/0015727 A1 Lahti et al. (43) Pub. Date: Jan. 22, 2004 (54) SYNCHRONIZATION METHOD (76) Inventors: Jerry Lahti,

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Troubleshooting Tools

Troubleshooting Tools Troubleshooting Tools An overview of the main tools for verifying network operation from a host Fulvio Risso Mario Baldi Politecnico di Torino (Technical University of Turin) see page 2 Notes n The commands/programs

More information

Deploying ACLs to Manage Network Security

Deploying ACLs to Manage Network Security PowerConnect Application Note #3 November 2003 Deploying ACLs to Manage Network Security This Application Note relates to the following Dell PowerConnect products: PowerConnect 33xx Abstract With new system

More information

+ iptables. packet filtering && firewall

+ iptables. packet filtering && firewall + iptables packet filtering && firewall + what is iptables? iptables is the userspace command line program used to configure the linux packet filtering ruleset + a.k.a. firewall + iptable flow chart what?

More information

VPNC Interoperability Profile

VPNC Interoperability Profile StoneGate Firewall/VPN 4.2 and StoneGate Management Center 4.2 VPNC Interoperability Profile For VPN Consortium Example Scenario 1 Introduction This document describes how to configure a StoneGate Firewall/VPN

More information

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Introducing the BIG-IP and Check Point VPN-1/FireWall-1 LB, HALB, VPN, and ELA configurations Configuring the BIG-IP and Check Point FireWall-1

More information

IP Firewalls. an overview of the principles

IP Firewalls. an overview of the principles page 1 of 16 IP Firewalls an overview of the principles 0. Foreword WHY: These notes were born out of some discussions and lectures with technical security personnel. The main topics which we discussed

More information

Architecture of distributed network processors: specifics of application in information security systems

Architecture of distributed network processors: specifics of application in information security systems Architecture of distributed network processors: specifics of application in information security systems V.Zaborovsky, Politechnical University, Sait-Petersburg, Russia vlad@neva.ru 1. Introduction Modern

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

An Approach for improving Network Performance using Cross-Domain Cooperative Secrecy-Maintaining Firewall Optimization

An Approach for improving Network Performance using Cross-Domain Cooperative Secrecy-Maintaining Firewall Optimization An Approach for improving Network Performance using Cross-Domain Cooperative Secrecy-Maintaining Firewall Optimization Yogita Nikhare 1 andprof. Anil Bende 2 1 M.TechScholar, Department of Computer Science

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

TEPZZ 68575_A_T EP 2 685 751 A1 (19) (11) EP 2 685 751 A1. (12) EUROPEAN PATENT APPLICATION published in accordance with Art.

TEPZZ 68575_A_T EP 2 685 751 A1 (19) (11) EP 2 685 751 A1. (12) EUROPEAN PATENT APPLICATION published in accordance with Art. (19) TEPZZ 687_A_T (11) EP 2 68 71 A1 (12) EUROPEAN PATENT APPLICATION published in accordance with Art. 3(4) EPC (43) Date of publication:.01.14 Bulletin 14/03 (21) Application number: 1278849.6 (22)

More information

- Introduction to Firewalls -

- Introduction to Firewalls - 1 Firewall Basics - Introduction to Firewalls - Traditionally, a firewall is defined as any device (or software) used to filter or control the flow of traffic. Firewalls are typically implemented on the

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security

More information

Firewall Implementation

Firewall Implementation CS425: Computer Networks Firewall Implementation Ankit Kumar Y8088 Akshay Mittal Y8056 Ashish Gupta Y8410 Sayandeep Ghosh Y8465 October 31, 2010 under the guidance of Prof. Dheeraj Sanghi Department of

More information

A Novel QoS Framework Based on Admission Control and Self-Adaptive Bandwidth Reconfiguration

A Novel QoS Framework Based on Admission Control and Self-Adaptive Bandwidth Reconfiguration Int. J. of Computers, Communications & Control, ISSN 1841-9836, E-ISSN 1841-9844 Vol. V (2010), No. 5, pp. 862-870 A Novel QoS Framework Based on Admission Control and Self-Adaptive Bandwidth Reconfiguration

More information

Protecting and controlling Virtual LANs by Linux router-firewall

Protecting and controlling Virtual LANs by Linux router-firewall Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia

More information

Firewalls. Chien-Chung Shen cshen@cis.udel.edu

Firewalls. Chien-Chung Shen cshen@cis.udel.edu Firewalls Chien-Chung Shen cshen@cis.udel.edu The Need for Firewalls Internet connectivity is essential however it creates a threat vs. host-based security services (e.g., intrusion detection), not cost-effective

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

Trials@uspto.gov Paper 41 571-272-7822 Date: May 11, 2015 UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD

Trials@uspto.gov Paper 41 571-272-7822 Date: May 11, 2015 UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Trials@uspto.gov Paper 41 571-272-7822 Date: May 11, 2015 UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD APPLE INC., Petitioner, v. VIRNETX INC., Patent Owner. Case

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Stateful Firewalls. Hank and Foo

Stateful Firewalls. Hank and Foo Stateful Firewalls Hank and Foo 1 Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

More information

Implementing Network Address Translation and Port Redirection in epipe

Implementing Network Address Translation and Port Redirection in epipe Implementing Network Address Translation and Port Redirection in epipe Contents 1 Introduction... 2 2 Network Address Translation... 2 2.1 What is NAT?... 2 2.2 NAT Redirection... 3 2.3 Bimap... 4 2.4

More information

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Packet Filtering using the ADTRAN OS firewall has two fundamental parts: TECHNICAL SUPPORT NOTE Configuring Access Policies in AOS Introduction Packet filtering is the process of determining the attributes of each packet that passes through a router and deciding to forward

More information

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders Network Security Part 2: protocols and systems (f) s and VPNs (overview) Università degli Studi di Brescia Dipartimento di Ingegneria dell Informazione 2014/2015 Security perimeter Insider - Access control,

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

15-441 Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001

15-441 Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001 15-441 Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001 1. Introduction In Project 2 we asked you to implement the IP layer of the

More information

Evaluation guide. Vyatta Quick Evaluation Guide

Evaluation guide. Vyatta Quick Evaluation Guide VYATTA, INC. Evaluation guide Vyatta Quick Evaluation Guide A simple step-by-step guide to configuring network services with Vyatta Open Source Networking http://www.vyatta.com Overview...1 Booting Up

More information

NETASQ MIGRATING FROM V8 TO V9

NETASQ MIGRATING FROM V8 TO V9 UTM Firewall version 9 NETASQ MIGRATING FROM V8 TO V9 Document version: 1.1 Reference: naentno_migration-v8-to-v9 INTRODUCTION 3 Upgrading on a production site... 3 Compatibility... 3 Requirements... 4

More information

CIT 480: Securing Computer Systems. Firewalls

CIT 480: Securing Computer Systems. Firewalls CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring

More information

[2006] IEEE. Reprinted, with permission, from [M. Ye and K. Sandrasegaran, Teaching about Firewall Concepts using the inetwork Simulator, Information

[2006] IEEE. Reprinted, with permission, from [M. Ye and K. Sandrasegaran, Teaching about Firewall Concepts using the inetwork Simulator, Information [2006] IEEE. Reprinted, with permission, from [M. Ye and K. Sandrasegaran, Teaching about Firewall Concepts using the inetwork Simulator, Information Technology Based Higher Education and Training, 2006.

More information

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a traditional NAT? Un article de Le wiki des TPs RSM. Load Balancing Un article de Le wiki des TPs RSM. PC Final Network Exam Sommaire 1 LSNAT 1.1 Deployement of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with

More information

Networking Basics and Network Security

Networking Basics and Network Security Why do we need networks? Networking Basics and Network Security Shared Data and Functions Availability Performance, Load Balancing What is needed for a network? ISO 7-Layer Model Physical Connection Wired:

More information

Protocols and Architecture. Protocol Architecture.

Protocols and Architecture. Protocol Architecture. Protocols and Architecture Protocol Architecture. Layered structure of hardware and software to support exchange of data between systems/distributed applications Set of rules for transmission of data between

More information

BorderWare Firewall Server 7.1. Release Notes

BorderWare Firewall Server 7.1. Release Notes BorderWare Firewall Server 7.1 Release Notes BorderWare Technologies is pleased to announce the release of version 7.1 of the BorderWare Firewall Server. This release includes following new features and

More information

GregSowell.com. Mikrotik Security

GregSowell.com. Mikrotik Security Mikrotik Security IP -> Services Disable unused services Set Available From for appropriate hosts Secure protocols are preferred (Winbox/SSH) IP -> Neighbors Disable Discovery Interfaces where not necessary.

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

83-10-41 Types of Firewalls E. Eugene Schultz Payoff

83-10-41 Types of Firewalls E. Eugene Schultz Payoff 83-10-41 Types of Firewalls E. Eugene Schultz Payoff Firewalls are an excellent security mechanism to protect networks from intruders, and they can establish a relatively secure barrier between a system

More information

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed

More information

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3. Implementation of an Emulation Environment for Large Scale Network Security Experiments Cui Yimin, Liu Li, Jin Qi, Kuang Xiaohui National Key Laboratory of Science and Technology on Information System

More information

Juniper NetScreen 5GT

Juniper NetScreen 5GT TheGreenBow IPSec VPN Client Configuration Guide Juniper NetScreen 5GT WebSite: Contact: http://www.thegreenbow.com support@thegreenbow.com Configuration Guide written by: Writer: Connected Team Company:

More information

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation Firewalls David Morgan Firewall types Packet filter linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation Proxy server specialized server program on internal machine

More information

Linksys RV042. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com support@thegreenbow.com

Linksys RV042. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com support@thegreenbow.com TheGreenBow IPSec VPN Client Configuration Guide Linksys RV042 WebSite: Contact: http://www.thegreenbow.com support@thegreenbow.com Configuration Guide written by: Writer: TheGreenBow Support Team Company:

More information