Method and apparatus for setting up a firewall
Abstract
The home gateway HGW (1) includes a communication section (31), an authentication function section (32), a directory management function section (33), and a communication path setting function section (34). The communication section (31) receives data transmitted to the HGW (1). The authentication function section (32) determines whether the received data originates from an authorized user. Responsive to a service registration, the directory management function section (33) registers service information, checks the service information against the service permission policies, and requests the communication path setting function section (34) to set a communication path. The communication path setting function section (34) monitors the state of data communication along the communication paths and closes any unnecessary communication paths that may have been set. As a result, it becomes possible to restrict which users are entitled to access each terminal on an internal network from an external network, and to allow a user to access a selected terminal on the internal network.
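The flow the abstract describes, modelled as an added example (hypothetical code, not the patent's own implementation): the communication section takes an external request, the authentication section checks the user, the directory management section offers only service units whose permitted-recipient data designates that user and checks new registrations against a service permission policy, and the path setting section opens a path and later closes paths that have gone idle. The user table, policy, addresses and idle timeout are constructed sample values.

```python
"""Model of the HGW sections from the abstract. Hypothetical code; all
user, policy and address data below is constructed for illustration."""
import hashlib
import hmac

def hash_pw(password):
    # Stand-in credential store; a real gateway would use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

class HomeGateway:
    def __init__(self, users, policy, idle_timeout=60):
        self.users = users            # user -> hash_pw(password)
        self.policy = policy          # service type -> permitted internal prefix
        self.idle_timeout = idle_timeout
        self.directory = []           # (internal addr, service type, permitted users)
        self.paths = {}               # (external addr, internal addr) -> last activity

    def authenticate(self, user, password):          # authentication function section
        return hmac.compare_digest(self.users.get(user, ""), hash_pw(password))

    def register_service(self, int_addr, service_type, permitted):   # directory mgmt
        # A service registration is checked against the service permission policy.
        prefix = self.policy.get(service_type)
        if prefix is None or not int_addr.startswith(prefix):
            return False
        self.directory.append((int_addr, service_type, frozenset(permitted)))
        return True

    def services_for(self, user):
        return [(a, t) for a, t, p in self.directory if user in p]

    def handle_request(self, ext_addr, user, password, service_type, now):
        # Communication section: reject unauthenticated users, then offer only
        # directory units whose permitted-recipient data designates the user.
        if not self.authenticate(user, password):
            return None
        choices = [a for a, t in self.services_for(user) if t == service_type]
        if not choices:
            return None
        self.paths[(ext_addr, choices[0])] = now   # path setting section opens a path
        return (ext_addr, choices[0])

    def close_idle(self, now):
        # Path setting section monitors the paths and closes ones no longer in use.
        stale = [p for p, last in self.paths.items() if now - last > self.idle_timeout]
        for p in stale:
            del self.paths[p]
        return stale

def make_demo_gateway():
    # Constructed sample data, not taken from the patent.
    gw = HomeGateway({"alice": hash_pw("s3cret")}, {"http": "192.168.1."})
    gw.register_service("192.168.1.10", "http", ["alice"])
    gw.register_service("192.168.1.20", "http", ["bob"])
    return gw
```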
44 Citations
32 Claims
1. A firewall apparatus for preventing unauthorized external access to an internal network having a plurality of servers which are coupled to an external terminal via an external network, wherein each of the plurality of servers provides a service, comprising:
   a data processing section for processing communication data which is transmitted from the external terminal and setting a communication path between at least one of the plurality of servers and the external terminal based on the communication data, wherein the communication data at least comprises an external address of the external terminal and user identification data for identifying a user of the external terminal; and
   a switching section for connecting the at least one server and the external terminal based on the communication path which is set by the data processing section, wherein the data processing section includes:
      a plurality of function sections; and
      a communication section for receiving at least the communication data and requesting the plurality of function sections to perform processing based on the contents of the data, wherein the plurality of function sections comprise:
         an authentication function section for authenticating the user identification data;
         a directory management function section for registering units of service information, where each unit of service information represents an internal address of one of the plurality of servers and a service type in association with predetermined permitted-recipient data designating an external user who is entitled to connecting to the server, and allowing a user who is given authentication by the authentication function section to select one of the units of service information whose permitted-recipient data designates the user; and
         a communication path setting function section for setting the communication path using the internal address of the server represented by the unit of service information selected by means of the directory management function section and the external address of the external terminal.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.

15. A firewall apparatus for preventing unauthorized external access to an internal network having a plurality of servers which are coupled to a plurality of external terminals via an external network, wherein each of the plurality of servers provides a service, comprising:
   a data processing section for processing communication data containing service data which is transmitted from at least one of the plurality of servers and setting a communication path between the server and at least one of the plurality of external terminals based on the communication data, wherein the service data at least comprises an internal address of the server and a service type; and
   a switching section for connecting the server and the external terminal based on the communication path which is set by the data processing section, wherein the data processing section includes:
      a plurality of function sections; and
      a communication section for receiving at least the service data and requesting the plurality of function sections to perform processing based on the contents of the data, wherein the plurality of function sections comprise:
         a directory management function section for registering units of service information, where each unit of service information represents the internal address and the service type in association with predetermined permitted-recipient data designating at least one of the plurality of external terminals which is entitled to connecting to the server; and
         a communication path setting function section for, when the service information is registered, setting the communication path using the external address of at least one of the plurality of external terminals designated by the permitted-recipient data and the internal address of the server.
   Dependent claims: 16.

17. A firewall setting method for preventing unauthorized external access to an internal network having a plurality of servers which are coupled to an external terminal via an external network, wherein each of the plurality of servers provides a service, comprising:
   a data processing step of processing communication data which is transmitted from the external terminal and setting a communication path between at least one of the plurality of servers and the external terminal based on the communication data, wherein the communication data at least comprises an external address of the external terminal and user identification data for identifying a user of the external terminal; and
   a connection step of connecting the at least one server and the external terminal based on the communication path which is set by the data processing step, wherein the data processing step includes:
      a communication step of receiving at least the communication data and requesting a plurality of steps to perform processing based on the contents of the data, wherein the plurality of steps comprise:
         an authentication step of authenticating the user identification data;
         a directory management step of registering units of service information, where each unit of service information represents an internal address of one of the plurality of servers and a service type in association with predetermined permitted-recipient data designating an external user who is entitled to connecting to the server, and allowing a user who is given authentication by the authentication step to select one of the units of service information whose permitted-recipient data designates the user; and
         a communication path setting step of setting the communication path using the internal address of the server represented by the unit of service information selected by means of the directory management step and the external address of the external terminal.
   Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30.

31. A firewall setting method for preventing unauthorized external access to an internal network having a plurality of servers which are coupled to a plurality of external terminals via an external network, wherein each of the plurality of servers provides a service, comprising:
   a data processing step of processing communication data containing service data which is transmitted from at least one of the plurality of servers and setting a communication path between the server and at least one of the plurality of external terminals based on the communication data, wherein the service data at least comprises an internal address of the server and a service type; and
   a connection step of connecting the server and the external terminal based on the communication path which is set by the data processing step, wherein the data processing step includes:
      a communication step of receiving at least the service data and requesting a plurality of steps to perform processing based on the contents of the data, wherein the plurality of steps comprise:
         a directory management step of registering units of service information, where each unit of service information represents the internal address and the service type in association with predetermined permitted-recipient data designating at least one of the plurality of external terminals which is entitled to connecting to the server; and
         a communication path setting step of, when the service information is registered, setting the communication path using the external address of at least one of the plurality of external terminals designated by the permitted-recipient data and the internal address of the server.
   Dependent claims: 32.
Specification