Security gateway system, method thereof, and program
Abstract
A non-secure network gateway 11 and a secure network gateway 12 are realized by mutually independent computers, and are connected, by standard protocol communication portions 20 and 25, to a non-secure network 1 and a secure network 2 using a standard protocol the standardized specifications of which have been published. Data exchange between nonstandard protocol communication portions 22 and 23 of the sub-gateways 11 and 12 is performed using a nonstandard protocol the specifications of which have not been published, and data exchange between the nonstandard side and the standard side is performed only in the application layer. Protocol conversion portions 21 and 24 refer to relay permission setting tables 30 and 31 to confirm relay permission for communication data, and perform protocol conversion only when relaying is permitted. Even in the event that illicit communication data from one network has penetrated into a gateway, penetration of the communication data into the other network can be prevented.
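The abstract and claim 1 describe a relay in which each sub-gateway converts traffic only after checking its own relay permission table, passes application-layer data alone through a shared memory, and the receiving sub-gateway checks again before converting back. The following Python model is an added illustration of that control flow and is not the patent's own implementation; the class and field names, the `NSP1` framing tag, the JSON message format, the relay rules and the sample messages are all constructed assumptions for the demonstration.

```python
"""Model of the two-sub-gateway relay with per-gateway permission checks.

Constructed example: names, the nonstandard framing and the permission
tables are assumptions, not the patent's implementation.
"""
from dataclasses import dataclass, field
import json


@dataclass
class RelayRule:
    """One entry of the relay permission setting information (assumed shape)."""
    src_net: str    # network the request arrived from
    dst_host: str   # destination host on the far network
    service: str    # application-level service name


@dataclass
class SubGateway:
    name: str
    rules: list                  # relay permission setting information
    shared: dict                 # shared memory reachable by both sub-gateways
    slot: str                    # key this sub-gateway writes into
    received: list = field(default_factory=list)  # delivered on its standard side

    def relay_permitted(self, msg):
        return any(r.src_net == msg["src_net"] and r.dst_host == msg["dst_host"]
                   and r.service == msg["service"] for r in self.rules)

    def from_standard(self, msg):
        """Standard side -> permission check -> nonstandard format -> shared memory."""
        if not self.relay_permitted(msg):
            return False                      # never reaches the shared memory
        # Nonstandard format carries application-layer fields only (assumed tag).
        self.shared[self.slot] = b"NSP1" + json.dumps(msg).encode()
        return True

    def poll_shared(self, peer_slot):
        """Detect data written by the peer, check permission again, convert back."""
        raw = self.shared.pop(peer_slot, None)
        if raw is None or not raw.startswith(b"NSP1"):
            return None                       # not in the nonstandard format: ignored
        msg = json.loads(raw[4:])
        if not self.relay_permitted(msg):
            return None                       # second, independent permission check
        self.received.append(msg)
        return msg


def run_demo():
    """Exercise permitted, denied and malformed cases; returns a result summary."""
    shared = {}
    outer_rules = [RelayRule("internet", "mail.internal", "smtp"),
                   RelayRule("internet", "www.internal", "http")]
    inner_rules = [RelayRule("internet", "mail.internal", "smtp")]  # stricter table
    outer = SubGateway("outer", outer_rules, shared, "outer->inner")
    inner = SubGateway("inner", inner_rules, shared, "inner->outer")
    results = {}

    # 1. Permitted by both tables: delivered to the inner standard side.
    outer.from_standard({"src_net": "internet", "dst_host": "mail.internal",
                         "service": "smtp", "payload": "HELO example"})
    results["smtp_delivered"] = inner.poll_shared(outer.slot) is not None

    # 2. Denied by the outer table: nothing is written to shared memory.
    results["ssh_written"] = outer.from_standard(
        {"src_net": "internet", "dst_host": "mail.internal",
         "service": "ssh", "payload": "SSH-2.0"})
    results["ssh_delivered"] = inner.poll_shared(outer.slot) is not None

    # 3. Permitted by outer but not inner: dropped at the second check.
    outer.from_standard({"src_net": "internet", "dst_host": "www.internal",
                         "service": "http", "payload": "GET /"})
    results["http_delivered"] = inner.poll_shared(outer.slot) is not None

    # 4. Raw standard-protocol bytes that somehow landed in shared memory
    #    (constructed to model data that penetrated the outer sub-gateway).
    shared[outer.slot] = b"GET / HTTP/1.1\r\n"
    results["raw_delivered"] = inner.poll_shared(outer.slot) is not None

    results["inner_received"] = len(inner.received)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes is that the two permission tables are evaluated by separate computers, so a message must satisfy both, and anything in the shared memory that is not in the application-layer nonstandard format is never converted on the inner side.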
14 Citations
11 Claims
1. A security gateway system for connecting a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, the security gateway system comprising two sub-gateways realized by mutually independent and physically separated computers with one of the two sub-gateways connected to a wide-area network accessible to general public and the other of the two sub-gateways connected to an internal network necessary to be protected, and the two sub-gateways exchanging communication data with each other using a nonstandard protocol of which specifications have not been published, wherein
each of said sub-gateways has a standard protocol communication portion which communicates with said network to which the same sub-gateway is connected using said standard protocol, a nonstandard protocol communication portion which communicates with the other sub-gateway using the nonstandard protocol, a protocol conversion portion which is provided between the standard protocol communication portion and the nonstandard protocol communication portion and performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which is connected to the protocol conversion portion and stores relay permission setting information used to confirm relay permission for communication data;
said two sub-gateways have a shared memory which can be accessed by the respective nonstandard protocol communication portion of each of said sub-gateways, and are configured such that the communication data converted by the protocol conversion portion of one of the sub-gateways into a nonstandard protocol format and written in the shared memory by said nonstandard protocol communication portion of the one of the sub-gateways is detected by said nonstandard protocol communication portion of the other of the sub-gateways and passed to the protocol conversion portion of the other of the sub-gateways and converted into a standard protocol format;
said nonstandard protocol communication portion of each of said sub-gateways is an original communication portion which has an implemented application layer which is a seventh layer of the Open Systems Interconnection (OSI) model, and which has unpublished and original communication layers implemented for first through sixth layers of the OSI model, so that data exchange between the nonstandard protocol communication portion and said standard protocol communication portion within the same sub-gateway is performed only in the application layer which is the seventh layer, and data exchange between the nonstandard protocol communication portion and said standard protocol communication portion within the same sub-gateway is not possible using any published protocol of the first through sixth layers; and
when performing protocol conversion of communication data, said protocol conversion portion of each of said sub-gateways refers to said relay permission setting information to confirm relay permission for the communication data, and performs protocol conversion of the communication data only when relay is permitted.
Dependent claims: 2, 3, 4, 5, 6, 7 (not shown)
8. A security gateway method for connecting a plurality of networks each of which uses a standard protocol the standardized specifications of which have been published, the method using, as two sub-gateways realized by mutually independent and physically separated computers with one of the two sub-gateways connected to a wide-area network accessible to general public and the other of the two sub-gateways connected to an internal network necessary to be protected, and the two sub-gateways exchanging communication data with each other using a nonstandard protocol of which specifications have not been published, two sub-gateways each having a standard protocol communication portion which uses said standard protocol to communicate with said network connected to the same sub-gateway, a nonstandard protocol communication portion which uses the nonstandard protocol to communicate with the other sub-gateway and has an implemented application layer which is a seventh layer of the Open Systems Interconnection (OSI) model, and unpublished and original communication layers implemented for first through sixth layers of the OSI model, a protocol conversion portion which is provided between the standard protocol communication portion and the nonstandard protocol communication portion and performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which is connected to the protocol conversion portion and stores relay permission setting information used to confirm relay permission for communication data, and said two sub-gateways also using a shared memory which can be accessed by the respective nonstandard protocol communication portion of each of the sub-gateways, comprising the steps of:
performing gateway-to-gateway communication processing, in said nonstandard protocol communication portions of said two sub-gateways, such that the communication data converted by the protocol conversion portion of one of the sub-gateways into a nonstandard protocol format and written in said shared memory by said nonstandard protocol communication portion of the one of the sub-gateways is detected by said nonstandard protocol communication portion of the other of the sub-gateways and passed to said protocol conversion portion of the other of the sub-gateways and converted into a standard protocol format;
performing intra-gateway communication processing to exchange data between said nonstandard protocol communication portion and said standard protocol communication portion in each of said sub-gateways using only the seventh (application) layer of the Open Systems Interconnection (OSI) model such that data exchange between said nonstandard protocol communication portion and said standard protocol communication portion within the same sub-gateway is not possible using any published protocol of the first through sixth layers of the OSI model; and
performing relay permission confirmation and protocol conversion processing to, when performing protocol conversion of communication data in said protocol conversion portion of each of said sub-gateways, confirm relay permission for the communication data by referring to said relay permission setting information, and to perform protocol conversion of the communication data only when relaying is permitted.
Dependent claims: 9 (not shown)
10. A non-transitory computer readable medium storing a security gateway program for realizing two sub-gateways respectively connected to two networks to be connected using mutually independent and physically separated computers, to connect a plurality of networks that are a wide-area network accessible to general public and an internal network necessary to be protected and use a standard protocol the standardized specifications of which have been published, the two sub-gateways exchanging communication data with each other using a nonstandard protocol of which specifications have not been published, wherein
when each of said sub-gateways has a standard protocol communication portion which uses said standard protocol to communicate with said network connected to the same sub-gateway, a nonstandard protocol communication portion which uses the nonstandard protocol to communicate with the other sub-gateway and has an implemented application layer which is a seventh layer of the Open Systems Interconnection (OSI) model, and unpublished and original communication layers implemented for first through sixth layers of the OSI model, a protocol conversion portion which is provided between the standard protocol communication portion and the nonstandard protocol communication portion and performs protocol conversion of communication data between the standard protocol and the nonstandard protocol, and a relay permission setting information storage portion which is connected to the protocol conversion portion and stores relay permission setting information used to confirm relay permission for communication data, and when a shared memory which can be accessed by said nonstandard protocol communication portion of each of the sub-gateways is further provided and used by said two sub-gateways, said security gateway program causes said computers to execute:
a gateway-to-gateway communication function, in said nonstandard protocol communication portions of said two sub-gateways, such that the communication data converted by the protocol conversion portion of one of the sub-gateways into a nonstandard protocol format and written in said shared memory by said nonstandard protocol communication portion of the one of the sub-gateways is detected by said nonstandard protocol communication portion of the other of the sub-gateways and passed to said protocol conversion portion of the other of the sub-gateways and converted into a standard protocol format;
an intra-gateway communication function to exchange data between said nonstandard protocol communication portion and said standard protocol communication portion in each of said sub-gateways using only the seventh (application) layer of the Open Systems Interconnection (OSI) model such that data exchange between said nonstandard protocol communication portion and said standard protocol communication portion within the same sub-gateway is not possible using any published protocol of the first through sixth layers; and
a relay permission confirmation and protocol conversion function to, when performing protocol conversion of communication data in said protocol conversion portion of each of said sub-gateways, confirm relay permission for the communication data by referring to said relay permission setting information, and to perform protocol conversion of the communication data only when relaying is permitted.
Dependent claims: 11 (not shown)
Specification