SECURITY GATEWAY SYSTEM, METHOD THEREOF, AND PROGRAM
Abstract
A non-secure network gateway 11 and a secure network gateway 12 are realized by mutually independent computers, and are connected, by standard protocol communication portions 20 and 25, to a non-secure network 1 and a secure network 2 using a standard protocol the standardized specifications of which have been published. Data exchange between nonstandard protocol communication portions 22 and 23 of the sub-gateways 11 and 12 is performed using a nonstandard protocol the specifications of which have not been published, and data exchange between the nonstandard side and the standard side is performed only in the application layer. Protocol conversion portions 21 and 24 refer to relay permission settings tables 30 and 31 to confirm relay permission for communication data, and perform protocol conversion only when relaying is permitted. Even in the event that illicit communication data from one network has penetrated into a gateway, penetration of the communication data into the other network can be prevented.
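The relay path the abstract describes (standard-side receive, permission check against the relay permission settings table, conversion to the unpublished nonstandard protocol, hand-off through shared memory, and reconversion on the other sub-gateway), as an added Python model that is not part of the patent. The network names, the table contents, the frame layout and the operation names are assumptions; the point shown is that only application-layer content ever reaches the shared memory, so lower-layer headers from one network cannot appear on the other.

```python
from collections import deque

# Relay permission settings table (tables 30 and 31 in the abstract), keyed by
# (source network, destination network). Contents are constructed for this example.
RELAY_PERMISSIONS = {
    ("non-secure", "secure"): {"read_request"},
    ("secure", "non-secure"): {"status_report"},
}

def relay_permitted(from_net, to_net, app):
    """Relay permission check used by each protocol conversion portion."""
    return app.get("op") in RELAY_PERMISSIONS.get((from_net, to_net), set())

class StandardPacket:
    """Standard-protocol packet: lower-layer headers (L1-L6) plus application content (L7)."""
    def __init__(self, headers, app):
        self.headers = headers  # addresses, ports, options: must never cross the boundary
        self.app = app          # application-layer message: the only part that may be relayed

class SubGateway:
    """One sub-gateway (11 or 12); its nonstandard side only ever touches the shared memory."""
    def __init__(self, net, peer_net, shared_mem):
        self.net, self.peer_net, self.shared_mem = net, peer_net, shared_mem

    def send_to_peer(self, pkt):
        """Outbound conversion: check permission, then frame the application layer alone."""
        if not relay_permitted(self.net, self.peer_net, pkt.app):
            return False  # relay denied: nothing is written to shared memory
        # Nonstandard frame (assumed layout): the L1-L6 headers of pkt are deliberately not copied.
        self.shared_mem.append({"magic": "NSP1", "from": self.net, "app": dict(pkt.app)})
        return True

    def receive_from_peer(self):
        """Inbound conversion: read a frame, re-check permission, rebuild with fresh headers."""
        frame = self.shared_mem.popleft() if self.shared_mem else {}
        if frame.get("magic") != "NSP1" or frame.get("from") != self.peer_net:
            return None  # empty, malformed or unexpected frame: discard
        if not relay_permitted(self.peer_net, self.net, frame["app"]):
            return None
        return StandardPacket(headers={"net": self.net, "ttl": 64}, app=frame["app"])

def relay(pkt, from_net, to_net):
    """Drive one packet through both sub-gateways; returns the delivered packet or None."""
    shared_mem = deque()  # stands in for the shared memory of claim 10
    gw_src = SubGateway(from_net, to_net, shared_mem)
    gw_dst = SubGateway(to_net, from_net, shared_mem)
    if not gw_src.send_to_peer(pkt):
        return None
    return gw_dst.receive_from_peer()
```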
17 Claims
1-9. (canceled)
10. A security gateway system for connecting a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, the security gateway system comprising two sub-gateways realized by mutually independent computers and respectively connected to two networks to be connected, wherein

each of said sub-gateways has a standard protocol communication portion which communicates with said network to which the same sub-gateway is connected using said standard protocol, a nonstandard protocol communication portion which communicates with the other sub-gateway using a nonstandard protocol the specifications of which have not been published, a protocol conversion portion which performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which stores relay permission setting information used to confirm relay permission for communication data;

said two sub-gateways have shared memory which can be accessed by the respective nonstandard protocol communication portion of each of said sub-gateways, and are configured such that data can be exchanged between the nonstandard protocol communication portions by accessing the shared memory using said nonstandard protocol, without performing direct communication between the nonstandard protocol communication portions;

said nonstandard protocol communication portion of each of said sub-gateways is an original communication portion which has an implemented application layer which is a seventh layer of the Open Systems Interconnection (OSI) model, and which has unpublished and original communication layers implemented for the range corresponding to first through sixth layers, so that data exchange between the nonstandard protocol communication portion and said standard protocol communication portion within the same sub-gateway is performed only in the application layer which is the seventh layer, and data exchange is not possible in the range corresponding to the first through sixth layers; and

when performing protocol conversion of communication data, said protocol conversion portion of each of said sub-gateways refers to said relay permission setting information to confirm relay permission for the communication data, and performs protocol conversion of the communication data only when relay is permitted.

(Dependent claims 11 to 15 are not reproduced here.)

16. A security gateway method for connecting a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, the method using, as two sub-gateways realized by mutually independent computers and respectively connected to two networks to be connected, two sub-gateways each having a standard protocol communication portion which uses said standard protocol to communicate with said network connected to the same sub-gateway, a nonstandard protocol communication portion which uses a nonstandard protocol the specifications of which have not been published to communicate with the other sub-gateway, a protocol conversion portion which performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which stores relay permission setting information used to confirm relay permission for communication data, and also using shared memory, which can be accessed by the respective nonstandard protocol communication portion of each of the sub-gateways, comprising the steps of:

performing gateway-to-gateway communication processing, in said nonstandard protocol communication portions of said two sub-gateways, to exchange data between the nonstandard protocol communication portions by accessing said shared memory using said nonstandard protocol, without performing direct communication between the nonstandard protocol communication portions;

performing intra-gateway communication processing to exchange data between said nonstandard protocol communication portion and said standard protocol communication portion in each of said sub-gateways using only a seventh or application layer of the Open Systems Interconnection (OSI) model, forbidding data exchange within the range from a first layer to a sixth layer; and

performing relay permission confirmation and protocol conversion processing to, when performing protocol conversion of communication data in said protocol conversion portion of each of said sub-gateways, confirm relay permission for the communication data by referring to said relay permission setting information, and to perform protocol conversion of the communication data only when relaying is permitted.

17. A security gateway program for realizing two sub-gateways respectively connected to two networks to be connected using mutually independent computers, to connect a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, wherein

when each of said sub-gateways has a standard protocol communication portion which uses said standard protocol to communicate with said network connected to the same sub-gateway, a nonstandard protocol communication portion which uses a nonstandard protocol the specifications of which have not been published to communicate with the other sub-gateway, a protocol conversion portion which performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which stores relay permission setting information used to confirm relay permission for communication data, and when shared memory which can be accessed by said nonstandard protocol communication portion of each of the sub-gateways is further provided, said security gateway program causes said computers to execute:

a gateway-to-gateway communication function, in said nonstandard protocol communication portions of said two sub-gateways, to exchange data between the nonstandard protocol communication portions by accessing said shared memory using said nonstandard protocol, without performing direct communication between the nonstandard protocol communication portions;

an intra-gateway communication function to exchange data between said nonstandard protocol communication portion and said standard protocol communication portion in each of said sub-gateways using only a seventh or application layer of the Open Systems Interconnection (OSI) model, forbidding data exchange within the range from a first layer to a sixth layer; and

a relay permission confirmation and protocol conversion function to, when performing protocol conversion of communication data in said protocol conversion portion of each of said sub-gateways, confirm relay permission for the communication data by referring to said relay permission setting information, and to perform protocol conversion of the communication data only when relaying is permitted.

Specification