WO2004010659A1 - Method and system for filtering packets based on source- and destination addresses - Google Patents

Info

Publication number
WO2004010659A1
Authority
WO
WIPO (PCT)
Prior art keywords
firewall
filtering
rules
telecommunication
terminal device
Application number
PCT/FI2003/000577
Other languages
French (fr)
Inventor
Toni Piponius
Original Assignee
Tycho Technologies Oy
Application filed by Tycho Technologies Oy
Priority to AU2003246751A1
Publication of WO2004010659A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/72 Subscriber identity
    • H04W 40/00 Communication routing or communication path finding
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 8/00 Network data management
    • H04W 8/26 Network addressing or numbering for mobility support

Definitions

  • the cell-specific components of the base station BTS1 are the base station controller BSC1, the serving GPRS support node SGSN1 and the gateway GPRS support node GGSN1.
  • the corresponding components of the base station BTS2 are BSC2, SGSN2 and GGSN2.
  • a GPRS core network 20 is arranged in between the service nodes and gateway nodes.
  • the firewall component of the telecommunication system is arranged for each cell specifically.
  • the firewall components FW1 and FW2 are components of the first telecommunication system, and they are connected to the common database of rules DB.
  • the embodiment according to the invention advantageously uses the database of rules, but if necessary, the rules may also be downloaded from the terminal device as the terminal device connects to the network.
  • the firewall components are connected to the second telecommunication network 21, which may be e.g. the Internet.
  • the terminal device TE4 of Fig. 2 is located in a local area network separated from the Internet by means of a firewall FW3.
  • the firewall FW3 is typically a conventional firewall solution, but if necessary, it too can be connected to the database of rules DB. In Fig. 2, what is essential from the point of view of the invention is the placing of the firewall component.
  • the GPRS traffic is routed such that the transmitted and received packets always go through the gateway GGSN.
  • the gateway directly routes the traffic back to where it came from. Since the firewall component must be arranged in the telecommunication network such that all the packets go through the firewall, the firewall cannot be placed behind the gateway GGSN. If the firewall is placed behind the gateway, then all the packets must also be routed to the firewall.
  • the firewall components FW1 and FW2 have been depicted as being located in front of the gateways GGSN1 and GGSN2. In the most preferred implementation mode, the firewall component is arranged in conjunction with the gateway. In that case, all the packets go through the firewall component.
  • Fig. 3 illustrates the operation of one embodiment of the filtering system according to the invention.
  • the operation of the embodiment starts with the receiving of a packet, step 31.
  • once the address has been received, it is checked whether the address belongs to a wireless terminal device, step 32.
  • the identifier corresponding to the address is retrieved, step 33.
  • as the identifier of the address, e.g. the IMSI code of the mobile station or some other corresponding unique identifier saved on the SIM card can be used.
  • the relationship between the address and the identifier can be saved in a cache memory for a prescribed time.
  • the information can be saved e.g. when the user logs into the network or out of the network.
  • the piece of identification information corresponding to the piece of address information can be retrieved from an external database or from a network component.
  • the external network component is a GGSN. It must be noted that when necessary, by means of the piece of identification information it is also possi-
  • the filtering rules of the transmitting terminal device are retrieved, step 34. Since the filtering rules are retrieved based on the user's identifier, the IP address of the terminal device need not be fixed. In case the terminal device has no separate address, default rules can be used, or the traffic can be transmitted without filtering.
  • the firewall component interprets the filtering rules and checks whether the packet is in accordance with the rules, step 35. In case the packet is against the rules, it is rejected, step 36. If the packet is in accordance with the rules of the sender, the default rules of the service are retrieved, step 37.
  • the service provider can determine what services can be used in the network. Additional services can be activated for an additional charge, in which case the user's information has an effect on the service rules to be loaded.
  • the client can also order an unlimited service in which no service rules are loaded.
  • the packet is then filtered based on the destination address. If the service rules are fulfilled, the destination address of the packet is retrieved, step 310.
  • once the address has been received, it is checked whether the address belongs to a wireless terminal device, step 311. In case the terminal device is wireless, the identifier corresponding to the address is retrieved, step 312.
  • the filtering rules of the transmitting terminal device are
  • the firewall component interprets the filtering rules and checks whether the packet is in accordance with the rules, step 314. In case the packet is against the rules, it is rejected, step 315. In case the packet is allowed, it is transmitted to the recipient, step 316.
  • the firewall application according to the invention can also be configured in some other manner.
  • the telecommunication can also be filtered in a firewall in such a manner that the firewall application first retrieves all the rules and then interprets them all in a row.
  • the filtering described above can be assigned to the first firewall, but the task can also be divided between the firewalls of the transmitting and the receiving cell.
  • the firewall also functions in situations in which the clients are located in the networks of different operators and the operators do not have a common database of rules.
  • the traffic can be first filtered e.g. based on the unique rules of the sender and then based on the group-specific rules of the sender. In case both sets of rules are fulfilled, one proceeds to the rules of the service provider.
  • the rules of the recipient can likewise be divided into unique ones and group-specific ones.
  • each user has his or her own rules, which are divided into rules for incoming and outgoing traffic. The users can freely modify these rules.
  • the rules are indexed based on the user's address information or the address identifier. In this manner, the client's rules can be easily managed and quickly retrieved.
  • the system according to the invention enables one to arrange unique rules for a big number of users.
  • Fig. 4 shows the firewall component FW according to the invention.
  • the firewall component FW receives incoming traffic IN.
  • the firewall is provided with means 40 for filtering the telecommunication based on the sender's filtering rules and means 41 for filtering the telecommunication based on the recipient's filtering rules.
  • the firewall FW is provided with means 42 for filtering the telecommunication based on the service provider's rules.
  • Each filtering rule is handled separately.
  • the number of filtering means can be increased, if necessary. Additional rules of this kind can include e.g. group-specific rules.
  • the rules can be saved in the firewall FW, or they can be retrieved from a separate database server DB.
  • the firewall can further comprise means 43 for establishing a connection between the user's address in the public network, e.g. a dynamic IP address, and the unique identifier of the terminal device, e.g. an IMSI code.
  • the invention is not limited merely to the examples of its embodiments referred to above; instead many variations are possible within the scope of the inventive idea defined in the claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to filtering of telecommunication in the network, in which the devices connected to the network have device-specific filtering rules. A firewall component (FW) is arranged in the telecommunication network in such a manner that all the telecommunication goes through the firewall component (FW). The firewall component (FW) is connected to a database server (DB), to which the filtering rules are saved. It is possible to connect several firewall components (FW) to the same database. The firewall component (FW) retrieves from the database (DB) the sender's and the recipient's filtering rules based on unique identification information. In addition, from the database (DB) it is possible to retrieve the filtering rules of the service provider or additional filtering rules, e.g. group-specific rules. Each rule is handled separately, and in case the telecommunication is in accordance with all the rules, it is transmitted further.

Description

METHOD AND SYSTEM FOR FILTERING PACKETS BASED ON SOURCE- AND DESTINATION ADDRESSES
FIELD OF THE INVENTION
The invention relates to telecommunication technique. In particular, the invention relates to a method and system for filtering telecommunication in a telecommunication network.
BACKGROUND OF THE INVENTION
As the amount of telecommunication explosively increases, the filtering of undesired telecommunication has become a necessity. In conventional telecommunication networks, telecommunication is filtered by means of firewalls and the blocking lists of routers. A firewall can be implemented either purely as a software application or as hardware specifically designed for filtering.
Typically, a firewall is used to filter incoming traffic, but the filtering of outgoing traffic is also possible. This is advantageous e.g. in situations in which one wishes to make sure that it is not possible to transfer information out e.g. by means of backdoor programs. The firewall is arranged in the network to be protected in such a manner that all the traffic going from the network into the outside world goes through the same firewall. In case there are other possible routes into the network, they must be protected with corresponding firewalls, because the level of protection of the network is determined by its weakest link. Telecommunication can be filtered based on various principles. Typically, however, the filtering concerns certain protocols and addresses. In most cases, the firewall is configured such that it is possible to connect from outside only to certain server devices, and the rest of the network is invisible to the outside world. Access may also be determined in such a manner that some devices can be connected to only from determined addresses. With the present systems, many different variations are possible.
The actual filtering is based on rules. The maintainer of the firewall system creates a number of rules, which are gone through in a certain order. In the rules it is e.g. possible to describe to which addresses traffic is allowed or from which addresses traffic is automatically rejected. The set of rules applies to the whole network, and exceptions are made by adding new rules. To keep the set of rules clear, the rules may consist of sub-rules. For example, each allowed address need not have its own rule; instead, one rule is created in the set of rules, and under it a set of sub-rules or addresses is saved from which incoming traffic is allowed.
The problem with the prior-art list of rules is its large size. In case there are thousands of devices in the network to be protected, the list of rules may grow remarkably large. The firewall must, however, check the whole list for each incoming packet. If the packet is rejected, it is possible to stop going through the list as soon as the rejecting rule is reached. Correspondingly, for allowed traffic, the list is gone through up to the accepting rule. This adds to the processing power requirements of the firewall and adds to the risk of error.
A conventional firewall is not suitable for filtering wireless terminal devices, since the firewall is arranged between the company intranet and the public network. When using a wireless terminal device, the user first connects to the public network and proceeds via it to the protected network of the company behind the firewall. In that case, the wireless terminal device is left without the protection of the firewall, so that it must have a firewall application of its own. However, firewalls of this kind are quite heavy applications, especially for wireless terminal devices. A prior-art solution is to place another firewall on the premises of the provider of the wireless data transfer service, but this makes it difficult to answer the individual needs of the client, especially in situations in which the clients wish to change the settings of their firewalls frequently.
Reference publication WO 02/23831 discloses a system in which there is a specific access node arranged in the wireless telecommunication network. In the case of a GPRS (General Packet Radio Service) network, the access node is preferably placed in the GGSN component (Gateway GPRS Support Node). In the system according to the reference publication, the filtering is started based on a separate filtering request. The filtering request is transmitted to the access node each time serving. In case there is no request for filtering, the client's terminal device is left without protection. The changes and the filtering request are made by means of a separate program arranged in the terminal device, so there must be capacity in the terminal device for running the program.
Dynamically allocated addresses also create a problem for a conventional firewall in the wireless environment. In the company's own network, dynamically allocated addresses are allocated from a certain address space. In case the connection to the public network is made from outside the company's information network, the address may be anything at all. In that case, the rules of the firewall must be changed in real time.
OBJECTIVE OF THE INVENTION
The objective of the invention is to eliminate the disadvantages referred to above, or at least significantly alleviate them. One specific objective of the invention is to disclose a new type of method and system for filtering telecommunication, specifically for filtering the telecommunication of mobile devices.
SUMMARY OF THE INVENTION
The present invention relates to a new type of firewall solution that is particularly advantageous when using wireless terminal devices that move within the public network. The addresses of the terminal devices can be allocated dynamically, and they need not be allocated from a protected network or from an otherwise restricted address space.
The system according to the invention includes at least two terminal devices, a firewall component and a telecommunication system. The telecommunication system may be e.g. a conventional mobile communication network in which the data traffic is transmitted by means of packet switching. The telecommunication may also be transmitted to another public network, such as the Internet.
In the system according to the invention, the firewall is placed in the telecommunication system such that all the traffic goes through the firewall. Advantageously, the firewall is arranged to retrieve the rules from a database which is common to all the firewall components of the telecommunication network. Since the terminal devices may be disposed in the same cell, the firewall component must be arranged such that the internal traffic of the cell also gets filtered. Typically, in a telecommunication network, the telecommunication goes through the component that is aware of the location of the terminal device. It is therefore advantageous to arrange the firewall component of the invention in conjunction with the component that is aware of the location of the terminal device. In case the terminal devices are located in the same cell, the telecommunication can be filtered directly without directing the traffic to a separate firewall component.
In the system according to the invention, the telecommunication is filtered step by step for each terminal device specifically. Arranged in the firewall component, for each terminal device specifically, is a collection of rules which the client can freely modify. When a packet is sent from the client's terminal device, the firewall component first checks the terminal's own firewall settings. In case the transmission of the packet in question is not allowed, the packet is immediately rejected. In case the packet is allowed, it is forwarded further. In the next phase it is advantageous to filter the telecommunication using the rules of the service provider. These rules are used to check whether it is at all possible to transmit the transferred telecommunication. This phase is not obligatory. In case the telecommunication is in accordance with the rules of the service provider, the collection of rules of the recipient is loaded.
In case the rules of the recipient allow the reception of the telecommunication, the packets are transmitted to their destination. The order of the filtering rules is not important from the point of view of the application; instead they may be arranged as desired.
The present invention improves the information security of terminal devices. The invention is particularly advantageous because by means of the system according to the invention the client can customize his or her own firewall application without changing the terminal device or acquiring a separate firewall application for his or her terminal device. As concerns the telecommunication network, the invention is advantageous because by means of it, it is possible to eliminate unnecessary telecommunication. By means of the system according to the invention it is possible to check the authenticity and permissibility of the packets in time. This arrangement allows one to save bandwidth for allowed useful traffic. Furthermore, the system according to the invention is advantageous for controlling a big number of devices. The filtering rules allocated for each terminal device specifically can be retrieved from the database by means of a unique identifier of the terminal device. If e.g. the IMSI number of the terminal device is used as the identifier, then the terminal's telecommunication address, typically the IP address, need not be fixed but can be dynamically allocated from anywhere in the address space.
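The staged check described in this Summary, and walked through step by step for Fig. 3 (steps 31 to 316) in the Definitions above, as an added example that is not the patent's own code: a Python model of a firewall component that resolves each dynamic address to an IMSI and then applies the sender's unique and group-specific rules, the service provider's rules and the recipient's rules in turn. The rule syntax, the first-match and default-deny semantics, the TTL cache and every IMSI, address and rule value are my own assumptions and constructed sample data.

```python
# Added example, not the patent's own code: a model of the staged, per-subscriber
# filtering of the Summary and of Fig. 3 (steps 31 to 316). Assumptions (mine):
# a rule is a first-match predicate on remote address, protocol and port; an
# empty collection means "no filtering", a non-empty one with no match denies;
# the IP->IMSI binding (means 43) is learned at login and cached for a TTL.
# Every IMSI, address and rule below is a constructed sample value.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time

Packet = namedtuple("Packet", "src dst proto dport")  # proto: "tcp"/"udp"/"icmp"

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    peer: str = "0.0.0.0/0"  # remote network the rule applies to
    proto: str = "any"
    dport: "int | None" = None

    def matches(self, peer_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(peer_ip) in ip_network(self.peer)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

def evaluate(rules, peer_ip: str, proto: str, dport: int) -> str:
    """First-match evaluation of one rule collection (one 'means' of Fig. 4)."""
    if not rules:
        return "allow"  # nothing loaded for this stage: passes unfiltered
    for rule in rules:
        if rule.matches(peer_ip, proto, dport):
            return rule.action
    return "deny"  # assumption: default deny once a collection is present

class AddressResolver:
    """Means 43: dynamic IP -> IMSI, set at login/logout, cached for a TTL."""
    def __init__(self, ttl_s: float = 3600.0, clock=time.monotonic):
        self.ttl_s, self.clock, self._cache = ttl_s, clock, {}

    def login(self, ip: str, imsi: str) -> None:
        self._cache[ip] = (imsi, self.clock() + self.ttl_s)

    def logout(self, ip: str) -> None:
        self._cache.pop(ip, None)

    def resolve(self, ip: str) -> "str | None":
        entry = self._cache.get(ip)
        if entry is None or entry[1] < self.clock():
            self._cache.pop(ip, None)
            return None  # unknown or expired: not a wireless terminal (step 32/311)
        return entry[0]

class FirewallComponent:
    """Rules are indexed by IMSI and group, never by the (dynamic) IP address.
    subscriber_db: imsi -> {"in", "out", "group"}; group_db: name -> {"in", "out"};
    service_rules: the service provider's rules loaded at step 37."""
    def __init__(self, resolver, subscriber_db, group_db, service_rules):
        self.resolver, self.subscriber_db = resolver, subscriber_db
        self.group_db, self.service_rules = group_db, service_rules

    def _check_terminal(self, imsi, direction, peer_ip, pkt):
        """Unique rules first, then group-specific rules; both must pass."""
        sub = self.subscriber_db.get(imsi, {})
        group = self.group_db.get(sub.get("group"), {})
        for label, rules in (("unique", sub.get(direction, [])),
                             ("group", group.get(direction, []))):
            if evaluate(rules, peer_ip, pkt.proto, pkt.dport) == "deny":
                return label  # name of the collection that rejected the packet

    def filter(self, pkt):
        """Returns (verdict, stage); verdict is 'reject' or 'forward'."""
        sender = self.resolver.resolve(pkt.src)  # steps 32-33
        if sender is not None:
            hit = self._check_terminal(sender, "out", pkt.dst, pkt)  # steps 34-35
            if hit:
                return "reject", f"sender {hit} rules (step 36)"
        if evaluate(self.service_rules, pkt.dst, pkt.proto, pkt.dport) == "deny":
            return "reject", "service provider rules (step 37)"
        recipient = self.resolver.resolve(pkt.dst)  # steps 310-312
        if recipient is not None:
            hit = self._check_terminal(recipient, "in", pkt.src, pkt)  # step 314
            if hit:
                return "reject", f"recipient {hit} rules (step 315)"
        return "forward", "all rules satisfied (step 316)"

def build_sample_firewall(clock=time.monotonic) -> FirewallComponent:
    """Constructed cell: 'staff' and 'guest' terminals; guests may not send mail
    directly (tcp/25) and the provider blocks tcp/445 for everyone."""
    resolver = AddressResolver(ttl_s=3600.0, clock=clock)
    resolver.login("10.0.0.5", "IMSI-A")  # placeholder identifiers, not real IMSIs
    resolver.login("10.0.0.9", "IMSI-B")
    subscribers = {
        "IMSI-A": {"group": "staff",
                   "out": [Rule("deny", peer="203.0.113.0/24"), Rule("allow")],
                   "in": [Rule("allow", peer="10.0.0.0/8", proto="tcp", dport=22),
                          Rule("deny")]},
        "IMSI-B": {"group": "guest", "out": [Rule("allow")], "in": [Rule("allow")]}}
    groups = {"staff": {"out": [Rule("allow")], "in": [Rule("allow")]},
              "guest": {"out": [Rule("deny", proto="tcp", dport=25), Rule("allow")],
                        "in": [Rule("allow")]}}
    service = [Rule("deny", proto="tcp", dport=445), Rule("allow")]
    return FirewallComponent(resolver, subscribers, groups, service)
```

Because the rules are keyed by IMSI, a terminal that reconnects under a new address keeps exactly the same filtering; an address that is unknown or whose cache entry has expired is treated as a non-wireless peer and receives no per-terminal filtering, which is where the default rules mentioned at step 34 would apply.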
LIST OF FIGURES
In the following, the invention will be described in detail by means of its embodiments, in which
Fig. 1 shows one embodiment of the firewall system according to the invention,
Fig. 2 shows the system of Fig. 1 in more detail,
Fig. 3 shows a functional block diagram of the system according to Fig. 1, and
Fig. 4 shows a firewall component according to the invention.
DETAILED DESCRIPTION OF THE INVENTION
The system as shown in Fig. 1 comprises two telecommunication networks 12 and 13 independent of each other. Connected to the telecommunication network 12 are terminal devices MTE and DTE1. Connected to the telecommunication network 13 is a terminal device DTE2. The present invention does not limit the number of terminal devices connected to the telecommunication networks, instead there may be several of them within the telecommunication network's own restrictions. The networks are connected to each other by means of a firewall component FW, which filters the traffic between the networks. The telecommunication in Fig. 1 is illustrated by means of two connections. Connection 11 represents the internal traffic of the telecommunication network 12, and connection 10 represents the traffic between the telecommunication networks.
The telecommunication connection 10 represents a typical connection from a mobile terminal device DTE1 to a server or to the second terminal device DTE2. The mobile terminal device may be connected to the information network e.g. by means of a mobile station or a wireless local area network. In Fig. 1, the terminal device DTE1 utilising the telecommunication connection 10 establishes a connection via the first telecommunication network 12. Since the traffic is directed to the second telecommunication network 13, it is directed through the firewall component FW. The firewall component FW filters based on predetermined rules. The filtered message is forwarded to the destination DTE2. The telecommunication connection 11 represents a connection in which the mobile terminal devices communicate directly with each other. In the telecommunication connection 11 both of the terminal devices MTE and DTE1 communicate with each other via the telecommunication network 12. Since the terminal devices are located in the area of the same network, a firewall arranged at the point of interconnection between two telecommunication networks does not protect these connections. Due to this, the telecommunication connection 11 must also be routed via the firewall component FW.

Fig. 2 shows the system of Fig. 1 in more detail. In the example of Fig. 2, the first telecommunication network is a mobile communication network provided with the GPRS facility (General Packet Radio Service) that includes base stations BTS1 and BTS2 (Base Transceiver Station). Connected to the base station BTS1 is one terminal device TE1, and connected to the base station BTS2 are the terminal devices TE2 and TE3. The present invention does not restrict the number of base stations or the number of terminal devices connected to them.
In the system as shown in the figure, the cell-specific components of the base station BTS1 include base station controller BSC1, serving GPRS support node SGSN1 and gateway GPRS support node GGSN1. The corresponding components of the base station BTS2 are BSC2, SGSN2 and GGSN2. A GPRS core network 20 is arranged in between the serving nodes and the gateway nodes. In Fig. 2 the firewall component of the telecommunication system is also arranged for each cell specifically. The firewall components FW1 and FW2 are components of the first telecommunication system, and they are connected to the common database of rules DB. The embodiment according to the invention advantageously uses the database of rules, but if necessary, the rules may also be downloaded from the terminal device as the terminal device connects to the network. The firewall components are connected to the second telecommunication network 21, which may be e.g. the Internet. The terminal device TE4 of Fig. 2 is located in a local area network separated from the Internet by means of a firewall FW3. The firewall FW3 is typically a conventional firewall solution, but if necessary, it too can be connected to the database of rules DB.

In Fig. 2, substantial from the point of view of the invention is the placing of the firewall component. The GPRS traffic is routed such that the transmitted and received packets always go through the gateway GGSN. In case the terminal devices are located in the area of the same cell, such as TE2 and TE3, the gateway directly routes the traffic back to where it came from. Since the firewall component must be arranged in the telecommunication network such that all the packets go through the firewall, the firewall cannot be placed behind the gateway GGSN. If the firewall were placed behind the gateway, then all the packets would also have to be routed to the firewall. In Fig. 2, the firewall components FW1 and FW2 have therefore been depicted as being located in front of the gateways GGSN1 and GGSN2. In the most preferred implementation mode, the firewall component is arranged in conjunction with the gateway. In that case, all the packets go through the firewall component.
Fig. 3 illustrates the operation of one embodiment of the filtering system according to the invention. The operation of the embodiment starts with the receiving of a packet, step 31. When the source address has been read from the packet, it is checked whether the address belongs to a wireless terminal device, step 32. In case the terminal device is wireless, the identifier corresponding to the address is retrieved, step 33. As the identifier corresponding to the address, e.g. the IMSI code of the mobile station or some other corresponding unique identifier saved on the SIM card can be used. The relationship between the address and the identifier can be saved in a cache memory for a prescribed time. The information can be saved e.g. when the user logs into or out of the network. The piece of identification information corresponding to the piece of address information can be retrieved from an external database or from a network component. In the case of a GPRS system, the external network component is a GGSN. It must be noted that when necessary, by means of the piece of identification information it is also possible to retrieve the corresponding IP address when retrieving or handling the rules, since the relationship between the address and the identifier is two-way. When the terminal device has been identified, the filtering rules of the transmitting terminal device are retrieved, step 34. Since the filtering rules are retrieved based on the user's identifier, the IP address of the terminal device need not be fixed. In case no rules of its own exist for the terminal device, default rules can be used, or the traffic can be transmitted without filtering. The firewall component interprets the filtering rules and checks whether the packet is in accordance with the rules, step 35. In case the packet is against the rules, it is rejected, step 36. If the packet is in accordance with the rules of the sender, the default rules of the service are retrieved, step 37. Using these rules the service provider can determine what services can be used in the network. Additional services can be activated for an additional charge, in which case the user's information has an effect on the service rules to be loaded. The client can also order an unlimited service in which no service rules are loaded. When the rules have been loaded, it is checked whether the packet is in accordance with the service rules, step 38. In case the packet is against the rules, it is rejected, step 39.
As the last filtering step, the packet is filtered based on the destination address. If the service rules are fulfilled, the destination address of the packet is retrieved, step 310. When the address has been retrieved, it is checked whether the address belongs to a wireless terminal device, step 311. In case the terminal device is wireless, the identifier corresponding to the address is retrieved, step 312. When the terminal device has been identified, the filtering rules of the receiving terminal device are retrieved, step 313. The firewall component interprets the filtering rules and checks whether the packet is in accordance with the rules, step 314. In case the packet is against the rules, it is rejected, step 315. In case the packet is allowed, it is transmitted to the recipient, step 316.
It must be noted that the firewall application according to the invention can also be configured in some other manner. The telecommunication can also be filtered in a firewall in such a manner that the firewall application first retrieves all the rules and then interprets them all in a row. The filtering described above can be assigned to the first firewall, but the task can also be divided between the firewalls of both the transmitting and the receiving cell. By means of divided filtering the firewall also functions in situations in which the clients are located in the networks of different operators and the operators do not have a common database of rules.
It is possible to increase the number of filtering rules and levels of filtering, if necessary. In that case, the traffic can first be filtered e.g. based on the unique rules of the sender and then based on the group-specific rules of the sender. In case both sets of rules are fulfilled, one proceeds to the rules of the service provider. Correspondingly, the rules of the recipient can be divided into unique ones and group-specific ones. In the system according to the invention, each user has his or her own rules, which are divided into rules for incoming and for outgoing traffic. The users can freely modify these rules. In the database, the rules are indexed based on the user's address information or the address identifier. In this manner, the client's rules can be easily managed and quickly retrieved. The system according to the invention enables one to arrange unique rules for a large number of users.
Fig. 4 shows the firewall component FW according to the invention. The firewall component FW receives incoming traffic IN. In order to filter the telecommunication, the firewall is provided with means 40 for filtering the telecommunication based on the sender's filtering rules and means 41 for filtering the telecommunication based on the recipient's filtering rules. Further, the firewall FW is provided with means 42 for filtering the telecommunication based on the service provider's rules. Each collection of filtering rules is handled separately. The number of filtering means can be increased, if necessary. Additional rules of this kind can include e.g. group-specific rules. The rules can be saved in the firewall FW, or they can be retrieved from a separate database server DB. Since the filtering rules are handled based on the piece of unique identification information of the terminal device, the firewall can further comprise means 43 for establishing a connection between the user's address in the public network, e.g. a dynamic IP address, and the unique identifier of the terminal device, e.g. an IMSI code. The invention is not limited merely to the examples of its embodiments referred to above; instead many variations are possible within the scope of the inventive idea defined in the claims.
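The filtering sequence described for Fig. 3 (steps 31 to 316), the layering of unique, group-specific and service provider rules, and the Fig. 4 component (means 40 to 43) can be written out compactly. The Python program below is an added illustration; it is not code from the patent or from Tycho Technologies Oy. The rule syntax (action, protocol, peer address prefix, destination port), the in-memory binding table standing in for means 43 and the lookup towards the GGSN, and the sample subscribers, IMSI values and addresses are all assumptions constructed for this example. The program looks rules up by identifier rather than by address, evaluates the sender's rules, then the service provider's, then the recipient's, keeps unique and group-specific rules as separate layers, and rejects a packet as soon as any applicable layer denies it, which corresponds to filtering on the most limiting rules.

```python
"""Identifier-keyed, layered packet filtering as in Fig. 3 (steps 31-316) and the
Fig. 4 component. Added example, not the patent's code; rule syntax, binding
table and all sample data are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    peer: str = "0.0.0.0/0"      # remote end of the flow, as an address prefix
    dport: Optional[int] = None

    def matches(self, pkt, peer_ip):
        return (self.proto in ("any", pkt.proto)
                and ip_address(peer_ip) in ip_network(self.peer)
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(rules, pkt, peer_ip):
    """First match wins. An empty set means 'not filtered at this layer';
    a non-empty set with no match denies (allow-list semantics, an assumption)."""
    if not rules:
        return "allow"
    return next((r.action for r in rules if r.matches(pkt, peer_ip)), "deny")

class BindingTable:
    """Means 43: two-way map between a dynamically allocated address and the IMSI,
    updated at login/logout so a reused address never inherits the old rules."""
    def __init__(self):
        self._by_ip, self._by_imsi = {}, {}

    def bind(self, ip, imsi):
        self.unbind(imsi)                     # subscriber moved to a new address
        self.unbind(self._by_ip.get(ip))      # address reused: drop the old holder
        self._by_ip[ip], self._by_imsi[imsi] = imsi, ip

    def unbind(self, imsi):
        self._by_ip.pop(self._by_imsi.pop(imsi, None), None)

    def imsi_for(self, ip):
        return self._by_ip.get(ip)

    def ip_for(self, imsi):
        return self._by_imsi.get(imsi)

class RuleDatabase:
    """The common database DB: unique rules by IMSI, group rules by group name."""
    def __init__(self):
        self.user = {}          # imsi -> {"in": [...], "out": [...]}
        self.groups = {}        # group -> {"in": [...], "out": [...]}
        self.member = {}        # imsi -> group
        self.service = []       # service provider's rules (means 42); [] = unlimited

    def layers(self, imsi, direction):
        """Unique rules first, then the group's rules; each layer is optional."""
        found = [("user", self.user.get(imsi, {}).get(direction, []))]
        if imsi in self.member:
            found.append(("group", self.groups[self.member[imsi]][direction]))
        return found

def filter_packet(bindings, db, pkt):
    """Returns ("allow", "forward") or ("deny", <stage that rejected the packet>)."""
    checks = []
    src_id = bindings.imsi_for(pkt.src)                                 # steps 32-33
    if src_id is not None:                                              # steps 34-36, means 40
        checks += [("sender/" + n, r, pkt.dst) for n, r in db.layers(src_id, "out")]
    checks.append(("service", db.service, pkt.dst))                     # steps 37-39, means 42
    dst_id = bindings.imsi_for(pkt.dst)                                 # steps 310-312
    if dst_id is not None:                                              # steps 313-315, means 41
        checks += [("recipient/" + n, r, pkt.src) for n, r in db.layers(dst_id, "in")]
    for stage, rules, peer_ip in checks:   # most limiting rules win: every layer must allow
        if evaluate(rules, pkt, peer_ip) == "deny":
            return ("deny", stage)
    return ("allow", "forward")                                         # step 316

# Constructed sample: subscribers A and B share a cell; C attaches later.
IMSI_A, IMSI_B, IMSI_C = "244120000000001", "244120000000002", "244120000000003"

def build_sample():
    bindings = BindingTable()
    bindings.bind("10.1.0.7", IMSI_A)
    bindings.bind("10.1.0.9", IMSI_B)
    db = RuleDatabase()
    db.user[IMSI_A] = {"out": [Rule("deny", "udp"), Rule("allow", "tcp")], "in": []}
    db.user[IMSI_B] = {"out": [], "in": [Rule("allow", "tcp", "10.1.0.0/16", 5060)]}
    db.member[IMSI_A] = "staff"
    db.groups["staff"] = {"out": [Rule("deny", "tcp", dport=23), Rule("allow")], "in": []}
    db.service = [Rule("deny", "tcp", dport=25), Rule("allow")]
    return bindings, db
```

Two points of the example matter in practice. The rules are keyed by IMSI, so when an address is released and handed to another subscriber, bind() removes the old pairing and the new holder does not inherit the previous subscriber's rules; a binding table that is only refreshed by a timer would apply the wrong rules for the remainder of the cache lifetime. Secondly, a non-empty rule set with no matching entry denies the packet, so a subscriber who defines any rule at all gets allow-list behaviour; that is a choice of this example, not a requirement stated in the patent, and the default for an empty set must be decided explicitly in any real deployment.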

Claims

1. A method for filtering packet-switched telecommunication between two terminal devices, in which there is a filtering component arranged in between the terminal devices, the method comprising the following steps: receiving, by means of the filtering component, telecommunication from the transmitting terminal device; filtering the telecommunication based on the filtering rules; and transmitting the telecommunication allowed by the rules to the receiving terminal device, characterised in that the method further comprises the steps of: establishing a connection between the address of the public network of the user and the unique identifier of the terminal device, which unique identifier of the terminal device is a fixed feature of the terminal device, a feature of the subscription to be used in the terminal device, an identifier input by the user, or the like; filtering the telecommunication in accordance with the filtering rules of the transmitting terminal device based on the unique identifier of the transmitting terminal device; and filtering the telecommunication in accordance with the rules of the receiving terminal device based on the unique identifier of the receiving terminal device.
2. The method according to claim 1, characterised in that the telecommunication is filtered in accordance with the rules of the service provider.
3. The method according to claim 1 or 2, characterised in that the filtering rules are group-specific.
4. The method according to claim 1, 2 or 3, characterised in that the source and destination addresses are retrieved from the packet to be filtered.
5. The method according to any one of the preceding claims 1-4, characterised in that the filtering rules are retrieved from a separate database based on the unique identifier of the user's terminal device.
6. The method according to any one of the preceding claims 1-5, characterised in that the address of the public network of the user is an IP address.
7. The method according to any one of the preceding claims 1-6, characterised in that the user's unique terminal device-specific identifier is an IMSI code.
8. The method according to any one of the preceding claims 1-7, characterised in that the traffic is filtered based on one or more additional filtering rules.
9. The method according to claim 8, characterised in that the additional filtering rule is a group-specific filtering rule of the sender.
10. The method according to claim 8, characterised in that the additional filtering rule is a group-specific filtering rule of the recipient.
11. The method according to any one of the preceding claims 1-10, characterised in that the rules of both the sender and the recipient are handled independently as groups of their own.
12. The method according to any one of the preceding claims 1-11, characterised in that the possible additional filtering rules and filtering rules of the service provider are handled independently as groups of their own.
13. The method according to any one of the preceding claims 1-12, characterised in that the telecommunication is filtered based on the most limiting filtering rules.
14. A firewall (FW) for filtering telecommunication, the firewall (FW) comprising: means for filtering telecommunication; means for filtering telecommunication based on filtering rules; and means for transmitting allowed traffic further; characterised in that the firewall further comprises: means (43) for establishing a connection between the public address of the user and the unique identifier of the terminal device, the unique identifier of the terminal device being a fixed feature of the terminal device, a feature of the subscription being used in the terminal device, an identifier input by the user, or the like; means (40) for filtering telecommunication in accordance with the sender's filtering rules based on the unique identifier of the sender's terminal device; and means (41) for filtering telecommunication in accordance with the recipient's filtering rules based on the recipient's unique identifier.
15. The firewall (FW) according to claim 14, characterised in that the firewall further comprises means (42) for filtering the telecommunication based on service-specific filtering rules.
16. The firewall (FW) according to claim 14 or 15, characterised in that the firewall (FW) is arranged to retrieve the source and destination addresses from the packet to be filtered.
17. The firewall (FW) according to any one of the preceding claims 14-16, characterised in that the firewall is arranged to retrieve the filtering rules from a separate database (DB) based on the unique identification information of the terminal devices.
18. The firewall (FW) according to any one of the preceding claims 14-17, characterised in that the firewall is arranged to handle the filtering rules of both the sender and the recipient independently as groups of their own.
19. The firewall (FW) according to any one of the preceding claims 14-18, characterised in that the address of the public network of the user is an IP address.
20. The firewall (FW) according to any one of the preceding claims 14-19, characterised in that the unique identifier of the user's terminal device is an IMSI code.
21. The firewall (FW) according to any one of the preceding claims 14-20, characterised in that the firewall is arranged to filter the telecommunication based on additional filtering rules.
22. The firewall (FW) according to any one of the preceding claims 14-21, characterised in that the additional filtering rule is a group-specific rule of the user.
23. The firewall (FW) according to any one of the preceding claims 14-22, characterised in that the firewall is arranged to handle the service-specific filtering rules and additional filtering rules independently as groups of their own.
24. The firewall (FW) according to any one of the preceding claims 14-23, characterised in that the firewall is arranged to filter the telecommunication based on the most limiting filtering rules.
25. A system for filtering telecommunication, the system comprising at least: a transmitting terminal device (DTE1), and a firewall device (FW); a receiving terminal device (DTE2); and a telecommunication network for connecting the aforementioned devices; characterised in that the firewall further comprises: means (43) for establishing a connection between the user's public address and the unique identifier of the terminal device, the unique identifier of the terminal device being a fixed feature of the terminal device, a feature of the subscription being used in the terminal device, an identifier input by the user, or the like; means (40) for filtering telecommunication in accordance with the sender's filtering rules; and means (41) for filtering telecommunication in accordance with the recipient's filtering rules.
26. The system according to claim 25, characterised in that the firewall (FW) further comprises means (42) for filtering the telecommunication based on service-specific filtering rules.
27. The system according to claim 25 or 26, characterised in that the firewall (FW) is arranged to retrieve the filtering rules from a separate database (DB) based on the unique identification information of the terminal devices.
28. The system according to claim 25, 26 or 27, characterised in that the firewall (FW) is arranged to retrieve the source and destination addresses from the packet to be filtered.
29. The system according to any one of the preceding claims 25-28, characterised in that the firewall (FW) is arranged to handle the filtering rules of both the sender and the recipient independently as groups of their own.
30. The system according to any one of the preceding claims 25-29, characterised in that the address of the public network of the user is an IP address.
31. The system according to any one of the preceding claims 25-30, characterised in that the unique identifier of the user's terminal device is an IMSI code.
32. The system according to any one of the preceding claims 25-31, characterised in that the firewall (FW) is arranged to filter the telecommunication based on additional filtering rules.
33. The system according to any one of the preceding claims 25-32, characterised in that the additional filtering rule is a group-specific rule of the user.
34. The system according to any one of the preceding claims 25-33, characterised in that the firewall (FW) is arranged to handle the service-specific filtering rules and additional filtering rules independently as groups of their own.
35. The system according to any one of the preceding claims 25-34, characterised in that the firewall (FW) is arranged to filter the telecommunication based on the most limiting filtering rules.
PCT/FI2003/000577 2002-07-24 2003-07-22 Method and system for filtering packets based on source- and destination addresses WO2004010659A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003246751A AU2003246751A1 (en) 2002-07-24 2003-07-22 Method and system for filtering packets based on source- and destination addresses

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20021407A FI20021407A7 (en) 2002-07-24 2002-07-24 Filtering of data traffic
FI20021407 2002-07-24

Publications (1)

Publication Number Publication Date
WO2004010659A1 true WO2004010659A1 (en) 2004-01-29

Family

ID=8564377

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2003/000577 WO2004010659A1 (en) 2002-07-24 2003-07-22 Method and system for filtering packets based on source- and destination addresses

Country Status (3)

Country Link
AU (1) AU2003246751A1 (en)
FI (1) FI20021407A7 (en)
WO (1) WO2004010659A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2425912A (en) * 2005-05-04 2006-11-08 Psytechnics Ltd Packet filtering
US8079073B2 (en) 2006-05-05 2011-12-13 Microsoft Corporation Distributed firewall implementation and control
US8122492B2 (en) 2006-04-21 2012-02-21 Microsoft Corporation Integration of social network information and network firewalls
US8176157B2 (en) 2006-05-18 2012-05-08 Microsoft Corporation Exceptions grouping

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999005828A1 (en) * 1997-07-25 1999-02-04 Telefonaktiebolaget Lm Ericsson (Publ) Dynamic quality of service reservation in a mobile communications network
US5951651A (en) * 1997-07-23 1999-09-14 Lucent Technologies Inc. Packet filter system using BITMAP vector of filter rules for routing packet through network
EP1119151A2 (en) * 2000-01-18 2001-07-25 Lucent Technologies Inc. Method and apparatus for analyzing one or more firewalls

Also Published As

Publication number Publication date
FI20021407L (en) 2004-01-25
AU2003246751A1 (en) 2004-02-09
FI20021407A0 (en) 2002-07-24
FI20021407A7 (en) 2004-01-25

Similar Documents

Publication Publication Date Title
JP4166942B2 (en) Internet protocol traffic filter for mobile radio networks
CN100366025C (en) Method of distributing information from a main service to a mobile station
US6885870B2 (en) Transferring of a message
JP4644681B2 (en) Apparatus and method for controlling unnecessary traffic addressed to wireless communication apparatus
US6836477B1 (en) Methods and systems for routing messages in a communications network
CN103125142B (en) For the group of mobile entity implements common service quality
EP1082648B1 (en) Method for transmitting multimedia messages and multimedia message communication system
CN103262506B (en) Method and apparatus for allowing to distinguish disposal mobile network data business
CN101346947B (en) Method and apparatus for routing optimization in telecommunication network
CN1663204B (en) Gateway device and signal processing method in the gateway device
EP2082329B1 (en) System and method for redirecting requests
CN101099332A (en) Dynamic firewall capabilities for wireless access gateways
WO2003040943A1 (en) Cell level congestion policy management
CN103797772A (en) Differentiated processing of data traffic based on user class correlation adaptation using network address lookup
EP1247378A1 (en) Methods and systems for routing messages in a communications network
CN102265563A (en) Method and arrangement of identifying traffic flows in communication network
EP1952604A1 (en) Method, apparatus and computer program for access control
WO2004010659A1 (en) Method and system for filtering packets based on source- and destination addresses
WO2001024460A1 (en) Intelligent data network router
US7082121B1 (en) System, device, and method for interworking between a broadband SS7 network and an internet protocol network to provide transport of connection oriented information
WO2005041475A1 (en) Arrangements and methods relating to security in networks supporting communication of packet data
CA3130666C (en) Multi-layered distributed gtp-c processing
JPH11355353A (en) How to use a pair consisting of a call number and an Internet source address
RU2005125203A (en) METHOD AND NETWORK OF MOBILE REMOTE RADIO COMMUNICATIONS FOR TRANSMISSION OF PACKET DATA
CA3194737A1 (en) Resource filter for integrated networks

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP