Firewall control system based on a next generation network service and method thereof
First Claim
1. A firewall control system based on a Next Generation Network (NGN) service, the system comprising:
an Application Proxy module including an Application-proxy-based Firewall function located in an NGN Service Control Function (SCF) device, for resolving an application layer signalling, performing a security inspection of a signalling flow, and determining requirements of a service media flow on security level;
a Policy Decision Functional entity (PDF), for mapping the requirements of the service media flow on security level to controlment of the service media flow on security level, according to a stored policy and the requirements of the service media flow on security level provided by the Application Proxy module; and
a firewall function module configured in a Border Gateway Function (BGF) device, for performing a security inspection of the service media flow passing by, according to the controlment of the service media flow on security level control provided by the PDF;
wherein the firewall function module comprises:
a packet filtering mode selection module, for determining a working mode of firewall packet filtering for a security inspection of the service media flow, according to the controlment of the media flow on security level provided by the PDF; and
a packet filtering processing module including configured firewall functions with various working modes of firewall packet filtering, wherein the configured firewall functions are initiated under the control of the packet filtering mode selection module and used for performing a security inspection of a corresponding service; and
wherein the packet filtering mode selection module is further used for initiating a corresponding Packet-filter-based Firewall processing function in a corresponding packet filtering processing module.
Abstract
The invention provides a firewall control system based on a Next Generation Network (NGN) service and a method thereof. The method includes: resolving application layer signaling, performing a security inspection of the signaling flow and determining the security-level requirements of the service media flow; determining control information for the service media flow's security level according to a stored policy and those requirements; and performing a security inspection of the service media flow passing by, according to that control information. In embodiments of the invention, a Packet-filter-based Firewall is enabled to perform fine-granularity, hierarchical security processing per subscriber and per session in the NGN, and to dynamically select a working mode of firewall packet filtering at different security levels according to subscriber requirements and session type, so as to prevent network attacks.
14 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 10, 11, 12, 13.
5. A firewall control method based on a Next Generation Network (NGN) service, the method comprising:
resolving, by an Application Proxy module in a Service Control Function (SCF) device, an application layer signalling;
performing, by the Application Proxy module in the SCF device, a security inspection of a signalling flow;
determining, by the Application Proxy module in the SCF device, requirements of a service media flow on security level;
mapping, by a Policy Decision Function (PDF) device, the requirements of the service media flow on security level to controlment of the service media flow on security level according to a stored policy and the requirements of the service media flow on security level provided by the Application Proxy Module; and
performing, by a Border Gateway Function (BGF) device, a security inspection of the service media flow passing by, according to the controlment of the service media flow on security level provided by the PDF device;
wherein performing a security inspection of the service media flow passing by comprises:
determining a working mode of firewall packet filtering for the security inspection of the service media flow passing by, according to the controlment of the service media flow on security level; and
performing the security inspection of the service media flow passing by, according to the determined working mode of the firewall packet filtering.
Dependent claims: 6, 7, 8, 9, 14.
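As an added illustration of the control chain in claims 1 and 5 (SCF Application Proxy derives a per-session security requirement, PDF maps it through a stored policy to control information, BGF selects a packet-filtering working mode and inspects the media flow), here is a small Python model; it is not the patent's own code, and the level names, the two filtering modes and all sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy tables; level and mode names are assumptions, not from the patent.
LEVEL_RANK = {"basic": 0, "strict": 1}
LEVEL_BY_SESSION_TYPE = {"voice": "basic", "video": "basic", "file-transfer": "strict"}
SUBSCRIBER_MIN_LEVEL = {"enterprise-sub": "strict"}           # per-subscriber requirement
STORED_POLICY = {"basic": "stateless", "strict": "stateful"}  # PDF: level -> packet-filter mode

@dataclass
class Session:
    subscriber: str
    session_type: str
    remote_ip: str       # media peer address learned from the parsed signalling
    remote_port: int     # media peer port learned from the parsed signalling

def scf_determine_requirement(s: Session) -> str:
    """Application Proxy in the SCF: derive the media flow's security level from the
    parsed signalling (session type) and the subscriber; unknown types default to strict."""
    by_type = LEVEL_BY_SESSION_TYPE.get(s.session_type, "strict")
    by_sub = SUBSCRIBER_MIN_LEVEL.get(s.subscriber, "basic")
    return max(by_type, by_sub, key=LEVEL_RANK.__getitem__)

def pdf_map_to_control(level: str, s: Session) -> dict:
    """PDF: map the requirement onto control information for this one media flow."""
    return {"mode": STORED_POLICY[level], "remote_ip": s.remote_ip, "remote_port": s.remote_port}

@dataclass
class BgfPacketFilter:
    """Firewall function in the BGF: working-mode selection plus per-flow inspection."""
    control: dict
    opened: bool = False   # stateful mode: has the subscriber side sent first?

    def inspect(self, pkt: dict) -> bool:
        """Return True if a constructed packet {direction, peer_ip, peer_port} may pass."""
        if (pkt["peer_ip"], pkt["peer_port"]) != (self.control["remote_ip"], self.control["remote_port"]):
            return False                       # not the negotiated media flow at all
        if self.control["mode"] == "stateless":
            return True                        # basic level: address/port pinhole only
        if pkt["direction"] == "out":
            self.opened = True                 # subscriber side opened the flow
            return True
        return self.opened                     # inbound only after the subscriber has sent

def filter_for_session(s: Session) -> BgfPacketFilter:
    """Full SCF -> PDF -> BGF chain for one session."""
    return BgfPacketFilter(pdf_map_to_control(scf_determine_requirement(s), s))
```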