Firewall control system based on a next generation network service and method thereof

US 7,987,503 B2
Filed: 04/23/2007
Issued: 07/26/2011
Est. Priority Date: 07/30/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A firewall control system based on a Next Generation Network (NGN) service, the system comprising:

an Application Proxy module including an Application-proxy-based Firewall function located in an NGN Service Control Function (SCF) device, for resolving an application layer signalling, performing a security inspection of a signalling flow, and determining requirements of a service media flow on security level;

a Policy Decision Functional entity (PDF), for mapping the requirements of the service media flow on security level to controlment of the service media flow on security level, according to a stored policy and the requirements of the service media flow on security level provided by the Application Proxy module; and

a firewall function module configured in a Border Gateway Function (BGF) device, for performing a security inspection of the service media flow passing by, according to the controlment of the service media flow on security level control provided by the PDF;

wherein the firewall function module comprises;

a packet filtering mode selection module, for determining a working mode of firewall packet filtering for a security inspection of the service media flow, according to the controlment of the media flow on security level provided by the PDF; and

a packet filtering processing module including configured firewall functions with various working modes of firewall packet filtering, wherein the configured firewall functions are initiated under the control of the packet filtering mode selection module and used for performing a security inspection of a corresponding service; and

wherein the packet filtering mode selection module is further used for initiating a corresponding Packet-filter-based Firewall processing function in a corresponding packet filtering processing module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a firewall control system based on a Next Generation Network (NGN) service and a method thereof. The method includes: resolving an application layer signaling, performing a security inspection of a signaling flow and determining requirements of a service media flow on security level; determining controlment of the service media flow on security level according to a stored policy and the requirements of the service media flow on security level; performing a security inspection of the service media flow passing by, according to the controlling information of the service media flow on security level. In embodiments of the invention, a Packet-filter-based Firewall is enabled to perform a fine granularity security hierarchy processing of each subscriber and each session in the NGN, and dynamically select working mode of firewall packet filtering of different security levels according to a subscriber requirement and a session type to prevent network attacks.

9 Citations

View as Search Results

14 Claims

1. A firewall control system based on a Next Generation Network (NGN) service, the system comprising:
- an Application Proxy module including an Application-proxy-based Firewall function located in an NGN Service Control Function (SCF) device, for resolving an application layer signalling, performing a security inspection of a signalling flow, and determining requirements of a service media flow on security level;
  
  a Policy Decision Functional entity (PDF), for mapping the requirements of the service media flow on security level to controlment of the service media flow on security level, according to a stored policy and the requirements of the service media flow on security level provided by the Application Proxy module; and
  
  a firewall function module configured in a Border Gateway Function (BGF) device, for performing a security inspection of the service media flow passing by, according to the controlment of the service media flow on security level control provided by the PDF;
  
  wherein the firewall function module comprises;
  
  a packet filtering mode selection module, for determining a working mode of firewall packet filtering for a security inspection of the service media flow, according to the controlment of the media flow on security level provided by the PDF; and
  
  a packet filtering processing module including configured firewall functions with various working modes of firewall packet filtering, wherein the configured firewall functions are initiated under the control of the packet filtering mode selection module and used for performing a security inspection of a corresponding service; and
  
  wherein the packet filtering mode selection module is further used for initiating a corresponding Packet-filter-based Firewall processing function in a corresponding packet filtering processing module.
- View Dependent Claims (2, 3, 4, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the SCF comprises:
    - a Proxy Call Session Control Function (P-CSCF) in an Internet Protocol Multimedia Subsystem (IMS) in the NGN.
  - 3. The system of claim 1, wherein the PDF is set in the SCF.
  - 4. The system of claim 1, wherein the working mode of firewall packet filtering configured by the packet filtering processing module comprises:
    - a dynamic packet filtering, a Stateful Inspection and a Deep Packet Filter.
  - 10. The system of claim 1, wherein the SCF comprises a Call Agent device in a Softswitch system in the NGN.
  - 11. The system of claim 1, wherein the SCF comprises an SCF including an Application Proxy function in other service system(s) in the NGN.
  - 12. The system of claim 1, wherein the PDF is set in the BGF.
  - 13. The system of claim 1, wherein the PDF is set to an independent device.

5. A firewall control method based on a Next Generation Network (NGN) service, the method comprising:
- resolving, by an Application Proxy module in a Service Control Function (SCF) device, an application layer signalling;
  
  performing, by the Application Proxy module in the SCF device, a security inspection of a signalling flow;
  
  determining, by the Application Proxy module in the SCF device, requirements of a service media flow on security level;
  
  mapping, by a Policy Decision Function (PDF) device, the requirements of the service media flow on security level to controlment of the service media flow on security level according to a stored policy and the requirements of the service media flow on security level provided by the Application Proxy Module; and
  
  performing, by a Border Gateway Function (BGF) device, a security inspection of the service media flow passing by, according to the controlment of the service media flow on security level provided by the PDF device;
  
  wherein performing a security inspection of the service media flow passing by comprises;
  
  determining a working mode of firewall packet filtering for the security inspection of the service media flow passing by, according to the controlment of the service media flow on security level; and
  
  performing the security inspection of the service media flow passing by, according to the determined working mode of the firewall packet filtering.
- View Dependent Claims (6, 7, 8, 9, 14)
- - 6. The method of claim 5, wherein determining requirements of a service media flow on security level comprises determining requirements based on an application attribute.
  - 7. The method of claim 5, wherein performing a security inspection of the service media flow passing by comprises:
    - determining working mode of firewall packet filtering for the security inspection of the service media flow passing by, according to the controlment of the service media flow on security level; and
      
      performing the security inspection of the service media flow passing by, according to the determined working mode of the firewall packet filtering.
  - 8. The method of claim 7, wherein the working mode of firewall packet filtering comprises:
    - a dynamic packet filtering, a Stateful Inspection and a Deep Packet Filter.
  - 9. The method of claim 5, wherein the working mode of firewall packet filtering comprises:
    - a dynamic packet filtering, a Stateful Inspection and a Deep Packet Filter.
  - 14. The method of claim 5, wherein determining requirements of a service media flow on security level comprises determining requirements based on a subscriber attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Liu, Enhui
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US11/785,991
Publication Number

US 20070234414A1
Time in Patent Office

1,555 Days
Field of Search

726/1, 726/11, 726/12, 726/13, 726/14, 713/150, 713/151, 713/153, 709/224, 709/225
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 67/14   Session management for real...

Firewall control system based on a next generation network service and method thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Firewall control system based on a next generation network service and method thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others