SECURITY GATEWAY SYSTEM, METHOD THEREOF, AND PROGRAM

US 20090064308A1
Filed: 04/11/2006
Published: 03/05/2009
Est. Priority Date: 04/12/2005
Status: Active Grant

First Claim

Patent Images

1-9. -9. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-secure network gateway 11 and a secure network gateway 12 are realized by mutually independent computers, and are connected, by standard protocol communication portions 20 and 25, to a non-secure network 1 and a secure network 2 using a standard protocol the standardized specifications of which have been published. Data exchange between nonstandard protocol communication portions 22 and 23 of the sub-gateways 11 and 12 is performed using a nonstandard protocol the specifications of which have not been published, and data exchange between the nonstandard side and the standard side is performed only in the application layer. Protocol conversion portions 21 and 24 refers to relay permission settings tables 30 and 31 to confirm relay permission for communication data, and perform protocol conversion only when relaying is permitted. Even in the event that illicit communication data from one network has penetrated into a gateway, penetration of the communication data into the other network can be prevented.

Citations

17 Claims

1-9. -9. (canceled)

10. A security gateway system for connecting a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, the security gateway system comprising two sub-gateways realized by mutually independent computers and respectively connected to two networks to be connected, whereineach of said sub-gateways has a standard protocol communication portion which communicates with said network to which the same sub-gateway is connected using said standard protocol, a nonstandard protocol communication portion which communicates with the other sub-gateway using a nonstandard protocol the specifications of which have not been published, a protocol conversion portion which performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which stores relay permission setting information used to confirm relay permission for communication data;
- said two sub-gateways have shared memory which can be accessed by the respective nonstandard protocol communication portion of each of said sub-gateways, and are configured such that data can be exchanged between the nonstandard protocol communication portions by accessing the shared memory using said nonstandard protocol, without performing direct communication between the nonstandard protocol communication portions;
  
  said nonstandard protocol communication portion of each of said sub-gateways is an original communication portion which has an implemented application layer which is a seventh layer of the Open Systems Interconnection (OSI) model, and which has unpublished and original communication layers implemented for the range corresponding to first through sixth layers, so that data exchange between the nonstandard protocol communication portion and said standard protocol communication portion within the same sub-gateway is performed only in the application layer which is the seventh layer, and data exchange is not possible in the range corresponding to the first through sixth layers; and
  
  when performing protocol conversion of communication data, said protocol conversion portion of each of said sub-gateways refers to said relay permission setting information to confirm relay permission for the communication data, and performs protocol conversion of the communication data only when relay is permitted.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The security gateway system according to claim 10, whereinsaid standard protocol communication portion of each of said sub-gateways waits for reception of packet data from said network to which the same sub-gateway is connected, and each time packet data is received, passes the packet data to said protocol conversion portion of the same sub-gateway;
    - said nonstandard protocol communication portion of each of said sub-gateways waits for reception of packet data from the other sub-gateway, and each time packet data is received, passes the packet data to said protocol conversion portion of the same sub-gateway; and
      
      said protocol conversion portion of each of said sub-gateways, upon receiving packet data from either said standard protocol communication portion or from said nonstandard protocol communication portion in the same sub-gateway, confirms relay permission for the packet data by referring to said relay permission setting information, and if relaying of the packet data is not permitted, discards the packet data.
  - 12. The security gateway system according to claim 10, wherein said relay permission information in each of said sub-gateways includes packet content inspection information for use in content propriety inspection of packet data, and said protocol conversion portion of each of said sub-gateways uses said packet content inspection information to perform content propriety inspection of packet data, and when the inspection result is unsatisfactory, discards the packet data.
  - 13. The security gateway system according to claim 10, wherein, when said two sub-gateways are a non-secure network gateway and a secure network gateway, connected to a non-secure network to which numerous unspecified people are connected and to a secure network the security of which is required to be maintained, respectively, said non-secure network gateway has a notification portion which confirms relay permission for the communication data by referring to said relay permission setting information, and when there is no relay permission, notifies said secure network gateway of the occurrence of a security threat by means of said nonstandard protocol, and said secure network gateway has an alarm output portion which, upon receiving notification of the occurrence of said security threat from said non-secure network gateway, outputs an alarm indicating this occurrence of the security threat.
  - 14. The security gateway system according to claim 13, wherein said alarm output portion of said secure network gateway uses said nonstandard protocol to transmit a stoppage instruction causing forcible stoppage of said non-secure network gateway at the time of output of an alarm, and said non-secure network gateway has a stoppage portion which forcibly stops the non-secure network gateway upon receiving said stoppage instruction signal from said secure network gateway.
  - 15. The security gateway system according to claim 10, wherein, when said two sub-gateways are a non-secure network gateway and a secure network gateway, connected to a non-secure network to which numerous unspecified people are connected and to a secure network the security of which is required to be maintained, respectively, a firewall portion is further provided between said standard protocol communication portion of said non-secure network gateway and said non-secure network.

16. A security gateway method for connecting a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, the method using, as two sub-gateways realized by mutually independent computers and respectively connected to two networks to be connected, two sub-gateways each having a standard protocol communication portion which uses said standard protocol to communicate with said network connected to the same sub-gateway, a nonstandard protocol communication portion which uses a nonstandard protocol the specifications of which have not been published to communicate with the other sub-gateway, a protocol conversion portion which performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which stores relay permission setting information used to confirm relay permission for communication data, and also using shared memory, which can be accessed by the respective nonstandard protocol communication portion of each of the sub-gateways, comprising the steps of:
- performing gateway-to-gateway communication processing, in said nonstandard protocol communication portions of said two sub-gateways, to exchange data between the nonstandard protocol communication portions by accessing said shared memory using said nonstandard protocol, without performing direct communication between the nonstandard protocol communication portions;
  
  performing intra-gateway communication processing to exchange data between said nonstandard protocol communication portion and said standard protocol communication portion in each of said sub-gateways using only a seventh or application layer of the Open Systems Interconnection (OSI) model, forbidding data exchange within the range from a first layer to a sixth layer; and
  
  performing relay permission confirmation and protocol conversion processing to, when performing protocol conversion of communication data in said protocol conversion portion of each of said sub-gateways, confirm relay permission for the communication data by referring to said relay permission setting information, and to perform protocol conversion of the communication data only when relaying is permitted.

17. A security gateway program for realizing two sub-gateways respectively connected to two networks to be connected using mutually independent computers, to connect a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, whereinwhen each of said sub-gateways has a standard protocol communication portion which uses said standard protocol to communicate with said network connected to the same sub-gateway, a nonstandard protocol communication portion which uses a nonstandard protocol the specifications of which have not been published to communicate with the other sub-gateway, a protocol conversion portion which performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which stores relay permission setting information used to confirm relay permission for communication data, and when shared memory which can be accessed by said nonstandard protocol communication portion of each of the sub-gateways, is further provided, said security gateway program causes said computers to execute:
- a gateway-to-gateway communication function, in said nonstandard protocol communication portions of said two sub-gateways, to exchange data between the nonstandard protocol communication portions by accessing said shared memory using said nonstandard protocol, without performing direct communication between the nonstandard protocol communication portions;
  
  an intra-gateway communication function to exchange data between said nonstandard protocol communication portion and said standard protocol communication portion in each of said sub-gateways using only a seventh or application layer of the Open Systems Interconnection (OSI) model, forbidding data exchange within the range from a first layer to a sixth layer; and
  
  a relay permission confirmation and protocol conversion function to, when performing protocol conversion of communication data in said protocol conversion portion of each of said sub-gateways, confirm relay permission for the communication data by referring to said relay permission setting information, and to perform protocol conversion of the communication data only when relaying is permitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Inventors
Komatsu, Satoshi

Granted Patent

US 8,739,268 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/82   Protecting input, output or...

H04L 63/0209   Architectural arrangements,...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 67/2876   Pairs of inter-processing e...

H04L 67/56   Provisioning of proxy servi...

H04L 69/08   Protocols for interworking;...

SECURITY GATEWAY SYSTEM, METHOD THEREOF, AND PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY GATEWAY SYSTEM, METHOD THEREOF, AND PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links