A computer network with a firewall and the firewall

 

The invention relates to the field of information security and, in particular, to the hardware and software components of firewalls that are used to prevent unauthorized access to, and unauthorized exchange of, information between subscribers of computer networks. The technical result is increased information security owing to the absence, or complete concealment, of the addresses of the protective device's network interfaces. The firewall for a local area network includes at least two network interfaces for switching packets between segments of the computer network according to a packet-filtering program. After processing a packet according to the filtering rules, the firewall leaves unchanged the physical and logical sender addresses contained in the packet header. The control program assigns no logical addresses to the network interfaces and does not disclose their physical addresses to the attached network segments. To allow the filtering rules to be changed, the firewall contains a dedicated management interface. 3 figures.

The invention relates to the field of information security and, in particular, to the hardware and software components of firewalls that are used to prevent unauthorized access to, and unauthorized exchange of, information between subscribers of computer networks.

Currently, most local area networks (LANs) are connected to the Internet. However, the lack of built-in information-protection mechanisms in the existing network protocols is the cause of various violations of the integrity of transmitted data. Therefore, the expanding range of network applications and their rising confidentiality requirements call for special technical means of controlling access to information resources and of controlling data exchange between different computer networks. Firewalls are widely used as such means. A firewall is a specialized network device inserted between two LAN segments so that the entire exchange of network packets between these segments is restricted by a set of filtering rules; typically it is installed between the protected LAN segment and the router, one port of which is connected to the Internet. The filtering rules applied to packet traffic may prohibit the transfer of information both into and out of the protected LAN segment, including control over particular users during particular intervals of the day, week, or month.

A protection system for two computer networks is known from Russian patent application 96118130/09. This protection system has two network motherboards and is designed to prevent unauthorized data exchange between a first and a second computer network. Each of these boards has a network interface adapter for communicating with its network. Each board also has a data-transfer adapter for exchanging information with the other board's data-transfer adapter, and uses special software to prevent routing control information from passing between the network interface adapter and the data-transfer adapter. Each network motherboard further comprises protocol-translation software that prevents information about the operation of the network interface adapter and of the data-transfer adapter of each board from passing through. At the same time, one of the network motherboards carries special software that supports the application-layer interface needed to perform the corresponding tasks.

The protection system described above can be classified as a proxy server, that is, a network node that establishes connections in the name and on behalf of a registered network client.

Using a proxy server as a firewall requires the network client to carry out a number of additional communication sessions for each network connection, which reduces overall network performance and increases packet transmission delays, especially when several computer networks separated by firewalls of this type are connected in series.

These shortcomings are overcome in the invention described in US patent 5898830, which is the closest prior art to the present invention. This firewall, installed in the information exchange channel between two computer networks, provides transparent interconnection for users of the protected segment. For this purpose it maintains two sets of virtual subscribers, one addressable only from the protected segment and the other only from the open segment.

These sets of virtual subscribers are linked programmatically by means of a network-address correspondence table, in the same way as is done with DNS servers. Forwarding, or refusal to forward, packets from a virtual subscriber in one set of addresses to a virtual subscriber in the other set is carried out according to packet rules stored in the firewall's configuration file.

The virtual subscribers, except for one specially dedicated to this purpose, have no access to the file system or other system resources of the device on which the firewall is actually implemented. A management software module configures the firewall, in particular generating the virtual subscribers according to the stored configuration files when the device is first started. Access to the configuration files is governed by rules with authorization functions and goes through the dedicated virtual subscriber, which is the destination address used for this purpose in the computer network. These rules, which include authentication and authorization of the requesting party and control the exchange of information between the computer networks, can be modified.

The transparency of the firewall with respect to network-layer protocols, mentioned above, does not mean that the firewall cannot be detected with special software. Since the set of protected network nodes is hidden behind one network interface of the security device in question, at the data-link layer each of these nodes is identified, during interworking, by the physical address of that same network interface.

The authentication procedure for the network subscriber who is authorized to access the configuration file is exposed to attackers, which implies the possibility of unauthorized access through password guessing or through undetected flaws in the software of the protective device.

The present invention is based on the principle of guaranteed security through the non-use, or full concealment, of the addresses of the protective device's network interfaces.

The problem is solved in that a firewall with network interfaces for data exchange between network segments operates without any network address associated with these interfaces, and the physical address of a network interface is not transmitted to the attached network. Consequently, the presence of the firewall cannot be detected by any technical means located in either the open or the protected network segment. According to the invention, in order to control the filtering of packet traffic, the firewall further comprises a dedicated management interface isolated from the network interfaces. All changes to the packet-filtering program and all monitoring of network connections are performed through the management interface, which completely rules out unauthorized access to the firewall by users located in the protected or open LAN segments. Guaranteed protection is also achieved because users in the public and/or protected network segments are unable to create a dedicated packet channel between a network interface and the management interface over the internal system bus of the computer on which the firewall is built. At the same time the firewall keeps the sender addresses of transit packets unchanged, which allows the existence of the firewall to be completely hidden from users of the protected network segment.

In other words, the filtering software prevents the firewall itself from being the recipient of any data packet arriving at its network interfaces, and the firewall passes outward through its network interfaces only packets whose senders are external to the firewall.

The present invention is discussed in detail below on the basis of an implementation example, with reference to the drawings, in which: Fig. 1 shows the external appearance of the side panel of a firewall made according to the present invention, which carries the controls and the connectors for external connections; Fig. 2 is a diagram of two local area networks connected to each other and to an external network through a firewall made according to the present invention; Fig. 3 is a simplified flowchart of the program controlling the transmission of information blocks arriving at one of the communication interfaces of a firewall made according to the present invention.

In accordance with the preferred implementation of the present invention shown in Fig. 1, firewall 1, adapted for operation in a local area network (LAN), is a specialized computer with an embedded operating system. This computer can be built from commercially available personal-computer motherboards, for example the Gigabyte GA-AH board, which allows up to 5 devices to be connected to the internal PCI system bus. The firewall computer that runs the filtering tasks under the embedded operating system can be based on several types of general-purpose processors, including Pentium MMX, Cyrix MII, AMD K6, MIPS RISC and others. Firewall 1 includes network interfaces for exchanging packet data, for which Ethernet adapters of various types can be used: 10 Mbps on the ISA bus or 10/100 Mbps on the PCI bus, for example the 3Com Fast EtherLink XL. Front panel 2 of firewall 1 carries the connectors of three data-exchange interfaces, designated 3, 4 and 5. Each network adapter is connected to a LAN segment built on a shared-bus architecture using the Ethernet protocol. The motherboard mentioned above can provide connectivity for up to 5 LAN segments. If the LAN uses a different protocol, the firewall's network adapters must support that protocol.

Panel 2 also has 9-pin and 25-pin connectors for interfaces 6 and 7, respectively, which are RS-232C COM ports. One of them serves as the management interface for editing the program that controls information exchange between the LAN segments connected through firewall 1. Depending on their number, the LAN segments are connected to interfaces 3 and 4, or to interfaces 3, 4 and 5. Panel 2 also carries power connector 8 and power switch 9.

In this implementation example, firewall 1 runs a UNIX-like operating system that provides multitasking, and the control program operates according to a configuration file stored in the non-volatile memory of firewall 1.

Fig. 2 illustrates one variant of connecting a LAN to firewall 1. In this example, firewall 1 divides the protected corporate network 10, which has a bus architecture, into segments 11, 12 and 13, connected to network adapters 3, 4 and 5 respectively. Such a structure is adopted to serve different types of data applications. These applications may have different confidentiality requirements for the data they transmit, which is taken into account in the filtering rules applied at each network interface.

In this example, segment 13 contains only one subscriber, gateway 14, which connects LAN 10 to external network 15. Network 15 may in turn be connected to other networks. Gateway 14 may use a serial communication line to connect LAN 10 to the Internet over dial-up channels.

Each of LAN segments 11 and 12 contains several subscribers, 16 and 17 respectively, connected to the segments through Ethernet-type adapters 18. To make changes to the control program that forwards network packets between interfaces 3, 4 and 5, which may involve the filtering rules, personal computer 19 is connected to management interface 6. The control program is edited on computer 19 through a standard Web browser, such as Netscape Navigator, after a password-authorized Point-to-Point Protocol (PPP) connection has been established between computer 19 and firewall 1.

The control program carries out packet transmission between the interfaces under the filtering rules. Since the firewall has no addresses associated with its network interfaces, it cannot be the recipient of any network packet, and it acts either as a passive transit node between the network interfaces or simulates a broken network connection by dropping packets that fail the filtering rules established for the path between the data interfaces.

The control program that operates data-exchange interfaces 3, 4 and 5 (the Ethernet adapter driver) is configured so that the contents of the sender address fields in the information blocks transmitted from firewall 1 through interfaces 3, 4 and 5 remain unchanged.

Gateway 14 performs the functions of a router, exchanging network-connection state information with peer devices and forwarding packet traffic to other segments of the corporate network or to the Internet.

Thus, LAN 10 can be reliably protected by a firewall whose network interfaces, according to the present invention, have neither physical (MAC) nor logical (IP) addresses. This firewall is not exposed to remote attacks over the computer network, since it has no standard network identification: the interfaces used to communicate with the network segments, such as Ethernet, are operated in such a way that they do not respond to broadcast ARP requests for their physical (MAC) address.

Fig. 3 illustrates the algorithm for filtering packets arriving at network interface 5.

Each packet transmitted through segment 13 of LAN 10 is received by interface 5 and stored in buffer memory. Primary processing according to the filtering rules consists of sequential operations 20 and 21: the physical destination address Ad contained in the header of the packet being processed is looked up first in table K3, the list of permitted addresses of the subscribers of segment 11 (Fig. 2) connected to interface 3, and then in table K4, the list of addresses of the subscribers of segment 12 connected to interface 4.

A packet whose destination address is present in neither table K3 nor table K4 is discarded. If the destination address belongs to table K3, the packet is checked against rule set Test 3 in operation 22; otherwise operation 23 applies a different rule set, Test 4.

The use of different rule sets is tied to differences in security level and in the categories of applications. According to these categories, different users are connected to different network segments, such as a segment holding a database of authorized users or the segment of the technical department of the corporate network. The packet-filtering rules are set and changed only by the administrator of LAN 10 from computer 19, which connects to the firewall over the dedicated channel, with password-protected access through dedicated management interface 6 (Fig. 2), only for the time needed to make the changes.

The results of checking rule sets Test 3 and Test 4 are associated with logical variables T3 and T4, which are TRUE when forwarding of the information block is permitted (operations 24 and 25). If T3 = TRUE, the packet is transmitted through interface 3 into segment 11. If a packet addressed to segment 12 has successfully passed rule set Test 4, then T4 = TRUE and the packet is transmitted through interface 4. If the packet does not meet the requirements of the filtering rules, it is discarded.

A packet arriving at firewall 1 through, for example, interface 3 is processed according to the same algorithm (Fig. 3), differing only in the rule sets that are applied. The above description of the design and operation of the firewall does not exhaust the applications of the present invention that are obvious to a person skilled in the art and do not go beyond the proposed solution as defined by the claims.
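The Fig. 3 filtering algorithm, generalized to any ingress interface as the preceding paragraph describes, as an added example in Python that is not part of the patent. The interface numbers 3, 4 and 5 follow Fig. 2; the MAC addresses, the port-based contents of rule sets Test 3, Test 4 and Test 5, and the sample frames are constructed for illustration, since the patent does not specify what its rule sets contain. The firewall object owns no address: a frame addressed to an adapter's own burned-in MAC is in no table and is dropped like any other unknown destination, and nothing in the filter ever authors a frame of its own (no ARP reply, no ICMP error), which is the property the patent relies on for concealment.

```python
"""Address-less (transparent) packet filter modelled on the patent's Fig. 3.

Added example, not code from the patent. Interface numbers, MAC addresses,
rule sets and frames are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass(frozen=True)
class Frame:
    dst: str        # destination MAC, "aa:bb:cc:dd:ee:ff"
    src: str        # sender MAC; the filter never rewrites it (claim 2)
    ethertype: int
    payload: bytes


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_frame(raw: bytes) -> Frame:
    """Decode the 14-byte Ethernet II header; the payload is kept as-is."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    return Frame(mac_str(raw[0:6]), mac_str(raw[6:12]), ethertype, raw[14:])


def tcp_dst_port(payload: bytes) -> Optional[int]:
    """Destination port of an IPv4/TCP payload, or None for anything else."""
    if len(payload) < 20 or payload[0] >> 4 != 4 or payload[9] != IPPROTO_TCP:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if len(payload) < ihl + 4:
        return None
    return struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]


Rule = Callable[[Frame], bool]


def allow_tcp_to(ports: Set[int]) -> Rule:
    """Rule permitting only IPv4/TCP to the listed destination ports."""
    return lambda f: f.ethertype == ETH_IPV4 and tcp_dst_port(f.payload) in ports


class TransparentFirewall:
    """Tables K_i (permitted subscriber MACs per interface) and rule sets Test_i."""

    def __init__(self) -> None:
        self.tables: Dict[int, Set[str]] = {}
        self.rulesets: Dict[int, List[Rule]] = {}

    def configure(self, iface: int, macs: Set[str], rules: List[Rule]) -> None:
        # In the patent this is reachable only over the dedicated management
        # interface (6), never through data interfaces 3, 4 or 5.
        self.tables[iface] = set(macs)
        self.rulesets[iface] = list(rules)

    def process(self, ingress: int, raw: bytes) -> Optional[Tuple[int, bytes]]:
        """Return (egress interface, unchanged frame), or None when the frame is dropped."""
        f = parse_frame(raw)
        # Operations 20, 21: look the destination MAC up in the tables of the
        # other interfaces. A MAC in no table (including the firewall's own
        # adapters) means the frame is discarded.
        egress = next((i for i, t in self.tables.items() if i != ingress and f.dst in t), None)
        if egress is None:
            return None
        # Operations 22, 23: apply the rule set of the chosen egress interface;
        # T_i is TRUE when at least one rule in Test_i permits the frame.
        if not any(rule(f) for rule in self.rulesets[egress]):
            return None
        # Operations 24, 25: forward byte-for-byte; no address field is touched.
        return egress, raw


def build_tcp_frame(dst_mac: str, src_mac: str, dst_port: int) -> bytes:
    """Constructed IPv4/TCP frame with only the fields the filter inspects filled in."""
    ip = (bytes([0x45, 0]) + struct.pack("!H", 40) + bytes(4)
          + bytes([64, IPPROTO_TCP]) + bytes(10))          # 20-byte header, IHL = 5
    tcp = struct.pack("!HH", 40000, dst_port) + bytes(16)   # 20-byte TCP header
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip + tcp


# Constructed addresses: gateway 14 in segment 13, one host each in segments 11 and 12,
# and the burned-in MAC of the firewall's own adapter 5 (never used as a source).
GATEWAY = "00:50:04:aa:bb:cc"
HOST_A = "00:10:4b:11:11:11"
HOST_B = "00:10:4b:22:22:22"
FIREWALL_NIC = "00:a0:24:ff:ee:dd"


def build_example_firewall() -> TransparentFirewall:
    fw = TransparentFirewall()
    fw.configure(3, {HOST_A}, [allow_tcp_to({80, 443})])      # K3 / Test 3: web only
    fw.configure(4, {HOST_B}, [allow_tcp_to({5432})])         # K4 / Test 4: database segment
    fw.configure(5, {GATEWAY}, [allow_tcp_to({80, 443, 25})])  # K5 / Test 5: outbound
    return fw
```

On real hardware each adapter would run in promiscuous mode so that the driver receives frames addressed to other subscribers' MACs, and the adapter's burned-in MAC is simply never placed in a source field or answered for in ARP. The `i != ingress` check, which refuses to forward a frame back into the segment it arrived from, is a design choice of this example rather than something the patent states.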

Claims

1. A local area network in which packets carry in their headers information about the physical and logical addresses of the sender and/or recipient, all subscribers are connected to the network through subscriber network interfaces, and the control protocol of a subscriber's network interface assigns that interface a logical address and transmits information about its physical address to the network, the local area network including a firewall separating at least two segments, the firewall being a hardware-software complex containing at least two network interfaces for exchanging bidirectional packet flows between the network segments and a control program for packet switching between the firewall's network interfaces based on filtering rules, characterized in that the firewall is excluded from the set of subscribers by a configuration of the firewall control program under which the program uses the network interfaces to receive and transmit packets without assigning them logical addresses or disclosing their physical addresses, and the firewall is provided with a separate management interface, not connected with its network interfaces, for specifying the filtering rules and monitoring the state of network connections.

2. The local area network according to claim 1, characterized in that the firewall is configured to keep unchanged the physical addresses of the senders of packets passing through the firewall between network segments.

3. The local area network according to claim 1, characterized in that the firewall is built on the basis of a general-purpose computer with an embedded operating system, several network interfaces and a dedicated management interface, wherein the network interfaces are Ethernet adapters and the management interface may be implemented either as an Ethernet-type interface or as an asynchronous serial interface.

4. The local area network according to claim 1, characterized in that the filtering rules executed by the firewall prohibit transit of any packet between its network interfaces except those permitted by the identifying features and addressing parameters in their headers.

5. The local area network according to claim 1, characterized in that access to editing of the software components included in it

6. A firewall for a local area network in which packets carry in their headers information about the physical and logical addresses of the sender and/or recipient, all subscribers are connected to the network through subscriber network interfaces, and the control protocol of a subscriber's network interface assigns that interface a logical address and transmits information about its physical address to the network, the firewall being a hardware-software complex containing at least two network interfaces for packet switching between segments of the computer network and a control program for transferring packets between the firewall's network interfaces according to filtering rules, characterized in that, after processing a packet according to the filtering rules, the firewall leaves unchanged the information about the physical and logical sender addresses contained in the packet header; the control program uses the firewall's network interfaces without assigning them logical addresses and does not disclose their physical addresses to the attached network segments; the firewall contains a separate management interface, not connected with the network interfaces, for editing, monitoring and configuring the filtering rules, and any change to the filter parameters can be made exclusively through the management interface; and the control program forwards a packet, retaining the information in its header, only when the recipient and/or sender addresses of the packet satisfy all the requirements specified in the packet-filtering rules.

7. The firewall according to claim 6, characterized in that it is built on the basis of a computer with an embedded operating system, a universal bus for data exchange between the interface cards, and a dedicated management channel, access to which is protected by a password.

 
