
WO2004034672A1 - Management of a distributed firewall - Google Patents

Info

Publication number: WO2004034672A1
Authority: WO (WIPO, PCT)
Application number: PCT/FI2003/000749
Other languages: French (fr)
Inventor: Toni Piponius
Original assignee: TYCHO TECHNOLOGIES Oy
Current assignee: TYCHO TECHNOLOGIES Oy
Related publication: AU2003299272A1
Legal status: Ceased
Prior art keywords: rules, filtering, terminal device, telecommunication, component

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention relates to the management of a distributed firewall. In the embodiment in accordance with the invention, a terminal device (10) sends telecommunication to a terminal device (113). The telecommunication is transmitted through at least one filtering component (11, 17). Each filtering component can store a set of filtering rules on the basis of which the telecommunication is filtered. If the filtering rules forbid the transmission of the telecommunication, the administrator of the filtering rules is sent a request to modify the filtering rules. If necessary, the transmitting terminal device can be asked for permission to send the modification request.

Description

MANAGEMENT OF A DISTRIBUTED FIREWALL
FIELD OF THE INVENTION
The present invention relates to the management of the filtering of telecommunication. In particular, the invention relates to the management of a distributed firewall.
BACKGROUND OF THE INVENTION
As the amount of telecommunication increases, the filtering of telecommunication is more important than ever. Telecommunication is filtered mainly for data security reasons. Another important reason for filtering is to block the use of unnecessary services. Conventionally, telecommunication is filtered by a firewall. Firewalls are often sub-network-specific, meaning that several terminal devices sit behind the same firewall. In a conventional internet network this is a workable solution, as the terminal devices do not move. In that case the firewall and the filtering of the terminal devices' telecommunication are managed centrally by a separate management program that only the administrator of the firewall can access.
A conventional firewall does not function in wireless communication. As the gateway through which a wireless terminal device accesses a telecommunication network or the Internet varies with the location of the terminal device, a separate, centralized firewall component cannot be used. The solution in that case is to arrange the firewall directly in the terminal device. A firewall of this kind has the disadvantage of being heavy, as wireless terminal devices often have very few resources. A local firewall is also difficult to manage: the administrator of a terminal device's firewall component is often the user of the device. As information networks are complicated, safe maintenance of a firewall requires expertise, both in drafting rules and in keeping the firewall software up to date.
One solution is to provide the wireless terminal devices with a firewall implemented in conjunction with a component of the telecommunication network. The heavy firewall is then run in the operator's system, where a professional administrator can take care both of software maintenance and of a minimum level of rules. In a distributed model, the sender and the recipient each have their own firewall rules, which are handled independently of each other. Additional rules, such as operator or group rules, can be attached to a system of this kind. As different groups of rules can have different administrators, managing the rules is difficult. Conventionally, firewalls send no response of any kind to the packets they filter, so it is very difficult for the user to learn why the telecommunication was filtered and who is responsible for the filtering.
If the user wishes to use the mobile phone for a new service that the current rules filter, the rules must be modified. The problem with present rules is that no information on the limiting rules is obtained, so modifying them is difficult. Reference publication US 6154775 discloses one solution for managing variable filtering rules. That solution can be applied to a centralized telecommunication network in which the rules are maintained by a firewall administrator or a corresponding party. In wireless telecommunication the address of the terminal device can change frequently, so centralized management of rules is not possible: the administrators do not have the time to make the necessary modifications for thousands of clients.
Reference publication GB 2316814 discloses a system in which modification requests are sent from the terminal device to the terminal device that maintains the firewall. The system of that publication has the same problem as that of US 6154775: in both solutions, management of the firewall is centralized with the firewall administrator. A further problem with both reference publications is that the firewall system is centralized, so the packets to be filtered must pass through a particular firewall machine.
OBJECTIVE OF THE INVENTION
The objective of the invention is to eliminate the drawbacks referred to above, or at least to significantly alleviate them. One specific objective of the invention is to disclose a new type of management method for a distributed firewall. A further objective is to facilitate distributed decision making by forwarding the modification request to the administrator in charge of maintaining the firewall.
SUMMARY OF THE INVENTION
The invention relates to a method for managing a distributed firewall. A distributed firewall consists of at least one filtering component. In each filtering component it is possible to filter using several groups of rules. For each group of rules an administrator is determined, and the administrator may be the same for some of the groups. When the method is applied, telecommunication is sent from the terminal device to the filtering component. The filtering component filters the telecommunication based on one or more groups of rules, which are gone through in a predetermined order. If the telecommunication is not allowed, the administrator of the rules in question is sent a request to modify the rules. The request can be sent either automatically or manually; in manual transmission, the sender of the telecommunication is asked whether he or she wishes to send a modification request for the filtering rules. A modification request can be used to activate e.g. new services, which can be chargeable or non-chargeable. Typically there are several firewall rules or components.
The system in accordance with the invention includes a transmitting and a receiving terminal device, as well as a filtering component. There can be several filtering components, and they are disposed outside the terminal device to be filtered, e.g. in the mobile telephone exchange. The filtering component comprises reception means for receiving the telecommunication from the transmitting terminal device, filtering means for filtering the telecommunication, and transmission means for forwarding the allowed telecommunication further. The filtering component further comprises means for sending modification requests of rules to, and receiving them from, the terminal device that maintains the rules, which is typically the transmitting or the receiving terminal device.
The present invention facilitates the management of distributed firewalls. The management method enables easy management of various different groups of rules, e.g. the sender's own rules, the operator's rules, the sender's group rules and the recipient's rules. By means of the management method, modification requests for the filtering rules are automatically transmitted to the administrator in charge of the rules that did the filtering. The method is advantageous in that it requires no modifications in the terminal device; the necessary functionality can be arranged e.g. by means of a WAP (Wireless Application Protocol) user interface.
LIST OF FIGURES
Fig. 1 is an example illustrating a block diagram of a system in accordance with the invention,
Fig. 2 is an example illustrating signaling of a system in accordance with the invention, and
Fig. 3 is an example illustrating a filtering component in accordance with the invention.
DETAILED DESCRIPTION OF THE INVENTION
Fig. 1 represents a block diagram of one embodiment of the system in accordance with the invention. The system as shown in Fig. 1 includes terminal devices 10 and 113, between which there is a telecommunication connection 114. The telecommunication connection is arranged to pass through firewall components 11 and 17. In the example shown in the figure there are three sets of filtering rules in each firewall component: 12, 13 and 14 in component 11, and 18, 19 and 110 in component 17. Correspondingly, the system includes terminal devices 15, 16, 111 and 112 that maintain the rules; these can be any conventional terminal devices of the telecommunication network.
In the example shown in Fig. 1, the terminal device 10 sends a telecommunication message to the terminal device 113. The message is first transmitted to the firewall component 11, which filters it according to the filtering rules 12, 13 and 14. The filtering rules 12 are the terminal device-specific rules of the terminal device 10; the user of the terminal device 10 maintains his or her own rules. If the traffic is not allowed according to the filtering rules 12, a message is sent to the administrator of the rules, which in this case is the terminal device 10. The filtering rules 13 represent group-specific rules of the terminal device. Rules of this kind can be set e.g. when the terminal device belongs to the user's workplace: the employer can set rules concerning the use of the terminal device and can e.g. prohibit the use of chargeable services. If the group of rules 13 filters the telecommunication message, a message is sent to the administrator of the group of rules 13, which in this case is e.g. an administrator 15 employed by the employer. The group of rules 14 represents the default rules of the operator; these allow the operator to limit the telecommunication as it sees fit. The operator's rules 14 are maintained by an administrator 16 of the operator. If the telecommunication is allowed according to all the groups of rules 12, 13 and 14, the firewall component 11 transmits it further.
In the example shown in Fig. 1, the telecommunication is transmitted to another operator's telecommunication network, where it is first passed to the firewall component 17. First the default rules 18 of the recipient's operator are handled; these are maintained by the administrator 111 of the recipient's operator. The group of rules 19 represents the group-specific rules of the recipient, maintained by the administrator 112 of the recipient's group. Finally the recipient's own terminal device-specific rules 110 are handled; these are managed by the recipient with his or her terminal device 113. If the telecommunication is allowed according to all the groups of rules 18, 19 and 110, the firewall component 17 transmits the message to the terminal device 113.
In the system shown in Fig. 1, each group of rules is bound to its administrator in the manner described above. If the telecommunication is not allowed according to a group of rules, it is filtered. There are many possible ways to proceed when filtering telecommunication. Typically, in the system in accordance with the invention, the administrator of the group of rules is sent a message informing that the telecommunication was filtered by that group of rules. To avoid unnecessary requests, this message is only transmitted when the sender wishes the rules to be modified so that the telecommunication is allowed.
Typically, a modification request includes at least information on which addresses and rules the telecommunication concerns. In addition, the modification request can include information e.g. on the time of the events. Typically, a modification request also includes information on the nature of the modification, e.g. the duration of a fixed-term modification. The administrator of the rules can reject or accept the request, and a report of the decision is sent to the party that requested the modification. At its simplest, the report is a notification that the modification request was either accepted or rejected. The report can also contain any other information; the administrator can e.g. ask for grounds for the modification. In the case of the operator's filtering rules, modifying the rules can mean e.g. the activation of a surcharge service. In the case of commercial services, the request can include e.g. information on the price of the service to be activated, and a confirmation that the user wishes to activate the surcharge service. In addition to the aforementioned information, the requests can include any information that is essential from the standpoint of the invention.
Typically, all messages include information on the sender, the recipient and the transmission time of the message. The sender and recipient information can be any contact information, e.g. an e-mail address or a telephone number.
In the system shown in Fig. 1, one or more rules can be arranged in a separate firewall component. Each rule is interpreted in turn, as in a conventional firewall. If the telecommunication conforms to the rules of a group, evaluation proceeds to the next group of rules. The information on the administrator of a group of rules is saved together with the group of rules; when necessary, the group of rules can also contain the information needed to identify the administrator. A separate group of rules contains a set of conventional filtering rules, in which filtering can be based e.g. on the sender's or recipient's address, on the protocol used, or on the port number used by the telecommunication.
Fig. 2 illustrates one signaling sequence of a system in accordance with the invention. In the example, a terminal device TE1 sends telecommunication to a terminal device TE3. The terminal device TE1 establishes a connection by sending telecommunication with a signal 20. The firewall FW checks the signal and, based on the rules, finds that it is forbidden. The firewall FW sends a notification of the refusal to the terminal device TE1 with a signal 21 and asks whether a modification request should be sent to the administrator of the rules. The terminal device TE1 confirms the modification request with a signal 22. The firewall FW sends a modification request of rules to the administrator TE2 with a signal 23. The administrator TE2 accepts the modification and sends the new rules to the firewall FW with a signal 24. When the rules have been modified, the telecommunication is transmitted from the terminal device TE1 to the terminal device TE3 with a signal 25.
Fig. 3 represents a filtering component in accordance with the invention. Saved in the filtering component 30 are at least the groups of filtering rules 31, 32 and 33; the number of groups of rules varies from application to application. The filtering component receives telecommunication by reception means 34. After this, the telecommunication is handled by filtering means 35. If the telecommunication is allowed by the rules, it is transmitted further by transmission means 36. If the rules forbid the telecommunication, a modification request of rules is generated by management means 37, and the modification request 38 is sent to the terminal device 39 that maintains the rules. If the modification request is accepted, the rules are modified by modification means 310.
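The ordered evaluation of rule groups, each bound to its own administrator (Fig. 1), together with the Fig. 2 exchange (refusal, confirmation by TE1, modification request to TE2, fixed-term rule update, retransmission), is shown below as an added Python example. It is not part of the patent or of any product of the assignee. The class and field names, the contact identifiers TE1/TE2, the destination premium.example and the sample traffic are all constructed assumptions; the patent itself does not prescribe a rule syntax or a message format.

```python
# Added example, not code from the patent: ordered rule groups with a
# per-group administrator, plus the deny / modification-request /
# fixed-term-rule exchange of Fig. 2. All names and traffic are assumed.
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Packet:
    src: str        # sender contact, e.g. a telephone number or address
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    action: str
    src: Optional[str] = None      # None means "matches any value"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    expires: Optional[int] = None  # absolute time of a fixed-term rule; None = permanent

    def matches(self, p: Packet, now: int) -> bool:
        if self.expires is not None and now >= self.expires:
            return False           # fixed-term rule has lapsed
        wanted = ((self.src, p.src), (self.dst, p.dst),
                  (self.proto, p.proto), (self.dport, p.dport))
        return all(w is None or w == got for w, got in wanted)


@dataclass
class RuleGroup:
    name: str
    admin: str                  # administrator contact bound to this group
    rules: list = field(default_factory=list)
    default: str = ALLOW        # verdict when no rule in the group matches

    def decide(self, p: Packet, now: int) -> str:
        for r in self.rules:    # first matching rule wins, as in a conventional firewall
            if r.matches(p, now):
                return r.action
        return self.default


@dataclass
class ModificationRequest:
    group: str               # which group of rules denied the traffic
    admin: str               # who is responsible for that group
    requester: str
    packet: Packet           # addresses, protocol and port the request concerns
    time: int                # moment of the event
    duration: Optional[int]  # seconds requested for a fixed-term change; None = permanent


class FilteringComponent:
    def __init__(self, groups: list):
        self.groups = groups    # evaluated in this predetermined order

    def filter(self, p: Packet, now: int):
        """Return (ALLOW, None), or (DENY, group) naming the first group that denied."""
        for g in self.groups:
            if g.decide(p, now) == DENY:
                return DENY, g
        return ALLOW, None

    def request_modification(self, p, group, now, duration=None) -> ModificationRequest:
        return ModificationRequest(group.name, group.admin, p.src, p, now, duration)

    def apply_decision(self, req: ModificationRequest, accepted: bool, now: int) -> dict:
        """If the administrator accepted, install an allow rule scoped to exactly the
        requested traffic (with its expiry); return the report sent to the requester."""
        report = {"to": req.requester, "group": req.group, "accepted": accepted, "expires": None}
        if accepted:
            g = next(g for g in self.groups if g.name == req.group)
            expires = None if req.duration is None else now + req.duration
            g.rules.insert(0, Rule(ALLOW, req.packet.src, req.packet.dst,
                                   req.packet.proto, req.packet.dport, expires))
            report["expires"] = expires
        return report


def run_signaling(now: int = 1000) -> list:
    """Fig. 2 flow over constructed traffic: TE1 -> TE3 is denied by the employer's
    group, TE1 confirms, administrator TE2 grants a one-hour change, the traffic
    passes, and is denied again once the term has lapsed. Returns the signal log."""
    own = RuleGroup("TE1 own rules", admin="TE1")
    employer = RuleGroup("employer group rules", admin="TE2",
                         rules=[Rule(DENY, dst="premium.example")])   # no chargeable services
    operator = RuleGroup("operator default rules", admin="operator",
                         rules=[Rule(DENY, proto="tcp", dport=23)])    # no telnet
    fw = FilteringComponent([own, employer, operator])
    pkt = Packet("TE1", "premium.example", "tcp", 443)
    log = []
    verdict, group = fw.filter(pkt, now)                                # signal 20
    log.append(("20 TE1->FW", verdict))
    if verdict == DENY:
        log.append(("21 FW->TE1", f"refused by {group.name}; ask {group.admin} to modify?"))
        log.append(("22 TE1->FW", "confirm"))                           # sender opts in
        req = fw.request_modification(pkt, group, now, duration=3600)   # signal 23
        log.append(("23 FW->TE2", req))
        accepted = req.duration is not None                             # TE2 grants fixed terms only
        log.append(("24 TE2->FW->TE1", fw.apply_decision(req, accepted, now)))
    log.append(("25 TE1->FW->TE3", fw.filter(pkt, now + 1)[0]))
    log.append(("after expiry", fw.filter(pkt, now + 3600)[0]))
    return log
```

Calling run_signaling() returns the signal log; each entry is labelled with the Fig. 2 signal it corresponds to. The allow rule installed by apply_decision is scoped to exactly the addresses, protocol and port in the request and carries the expiry the administrator granted, so a fixed-term modification cannot outlive its term, and once it lapses the group's original deny rule applies again. Keeping the administrator contact inside the RuleGroup is what lets the component route each request to the right party without any central rule database.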
The invention is not restricted merely to the examples referred to above, instead many variations are possible within the scope of the inventive idea defined by the claims.

Claims

1. A method for managing a distributed filtering system, which filtering system consists of at least one filtering component, which filtering component comprises at least one set of filtering rules, which filtering component is disposed outside the terminal device to be filtered, in which the method comprises the steps of: sending telecommunication from the transmitting terminal device; filtering telecommunication by a distributed filtering system; and transmitting the allowed traffic further, characterized in that in case the filtering rules forbid the data transfer, the filtering component is used to send a modification request of rules to the terminal device that maintains the rules, in which the terminal device that maintains the rules is the transmitting or receiving terminal device.
2. The method as defined in claim 1, characterized in that one asks the transmitting terminal device for a permission to send the modification request of rules.
3. The method as defined in claim 1 or 2, characterized in that the filtering rules are modified based on the message requesting the modification.
4. The method as defined in claim 1, 2 or 3, characterized in that the filtering component is notified of the modified rules.
5. The method as defined in claim 3 or 4, characterized in that the filtering rules are modified for a prescribed time.
6. The method as defined in claim 3, 4 or 5, characterized in that the filtering rules are modified for a set of terminal devices.
7. The method as defined in any one of the preceding claims 3-6, characterized in that the filtering rules are modified for a plurality of telecommunication protocols at a time.
8. A system for managing a distributed firewall, which firewall consists of at least one filtering component (11, 17), which filtering component comprises at least one set of filtering rules (12, 13, 14) and is disposed outside the terminal device to be filtered, in which the system further comprises: reception means (34) for receiving telecommunication from the transmitting terminal device; filtering means (35) for filtering the telecommunication; and transmission means (36) for transmitting the allowed telecommunication further, characterized in that the system further comprises means (37) for sending and receiving the modification request of rules to the terminal device that maintains the rules, which terminal device is the transmitting or receiving terminal device.
9. The system as defined in claim 8, characterized in that the terminal device that maintains the rules is a third terminal device (15, 16, 111 or 112) exterior of the telecommunication connection.
10. The system as defined in claim 8 or 9, characterized in that the filtering component (11, 17) is arranged to ask the transmitting terminal device (10) for a permission to send the modification request of rules.
11. The system as defined in claim 8, 9 or 10, characterized in that the system further comprises means for modifying the filtering rules based on the message requesting the modification.
12. The system as defined in any one of the preceding claims 8-11, characterized in that the maintaining terminal device is arranged to notify the filtering component of the modified rules.
13. The system as defined in claim 11 or 12, characterized in that the system is arranged to modify the filtering rules for a prescribed time.
14. The system as defined in claim 11, 12 or 13, characterized in that the system is arranged to modify the filtering rules for a set of terminal devices.
15. The system as defined in any one of the preceding claims 11-14, characterized in that the system is arranged to modify the filtering rules for a plurality of telecommunication protocols at a time.
16. A filtering component (30) for managing a distributed filtering system, which filtering component comprises at least one set of filtering rules (31, 32, 33) and is disposed outside the terminal device to be filtered, in which the filtering component further comprises: reception means (34) for receiving telecommunication from the transmitting terminal device; filtering means (35) for filtering the telecommunication; and transmission means (36) for transmitting the allowed telecommunication further, characterized in that the system further comprises means (37) for sending and receiving modification requests of rules to the terminal device that maintains the rules, which terminal device is the transmitting or receiving terminal device.
17. The filtering component as defined in claim 16, characterized in that the filtering component further comprises means (310) for modifying the filtering rules based on the message requesting the modification.
18. The filtering component as defined in claim 16 or 17, characterized in that the filtering component is arranged to receive from the terminal device that maintains the rules a notification informing of the modified rules.
19. The filtering component as defined in claim 16, 17 or 18, characterized in that the filtering component is arranged to modify the filtering rules for a prescribed time.
20. The filtering component as defined in any one of claims 16-19, characterized in that the filtering component is arranged to modify the filtering rules for a set of terminal devices.
21. The filtering component as defined in any one of claims 16-20, characterized in that the filtering component is arranged to modify the rules for a plurality of telecommunication components at a time.
PCT/FI2003/000749 2002-10-09 2003-10-09 Management of a distributed firewall Ceased WO2004034672A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003299272A AU2003299272A1 (en) 2002-10-09 2003-10-09 Management of a distributed firewall

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20021802A FI20021802L (en) 2002-10-09 2002-10-09 Distributed firewall management
FI20021802 2002-10-09

Publications (1)

Publication Number Publication Date
WO2004034672A1 true WO2004034672A1 (en) 2004-04-22

Family

ID=8564729

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2003/000749 Ceased WO2004034672A1 (en) 2002-10-09 2003-10-09 Management of a distributed firewall

Country Status (3)

Country Link
AU (1) AU2003299272A1 (en)
FI (1) FI20021802L (en)
WO (1) WO2004034672A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2316841A (en) * 1996-08-29 1998-03-04 Kokusai Denshin Denwa Co Ltd Method for controlling a firewall
US6154775A (en) * 1997-09-12 2000-11-28 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with dynamic rule processing with the ability to dynamically alter the operations of rules
WO2001091418A2 (en) * 2000-05-25 2001-11-29 Secure Computing Corporation Distributed firewall system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Kerio Personal Firewall 2.1, user's guide", KERIO TECHNOLOGIES, INC., 4 February 2002 (2002-02-04), XP002970939, Retrieved from the Internet <URL:http://www.kerio.nl/manual/kpf/kpf21en.pdf> *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7814543B2 (en) 2004-02-13 2010-10-12 Microsoft Corporation System and method for securing a computer system connected to a network from attacks
US7716726B2 (en) 2004-02-13 2010-05-11 Microsoft Corporation System and method for protecting a computing device from computer exploits delivered over a networked environment in a secured communication
US7353390B2 (en) 2004-08-20 2008-04-01 Microsoft Corporation Enabling network devices within a virtual network to communicate while the networks's communications are restricted due to security threats
CN1783879B (en) * 2004-08-20 2011-07-06 微软公司 Enables network devices in a virtual network to communicate when network communication is limited
EP1628455A1 (en) * 2004-08-20 2006-02-22 Microsoft Corporation Method, apparatuses and computer software for enabling communication within a virtual network while the network's communications are restricted due to security threats
US7716727B2 (en) 2004-10-29 2010-05-11 Microsoft Corporation Network security device and method for protecting a computing device in a networked environment
US8726347B2 (en) 2007-04-27 2014-05-13 International Business Machines Corporation Authentication based on previous authentications
US9094393B2 (en) 2007-04-27 2015-07-28 International Business Machines Corporation Authentication based on previous authentications
US9686262B2 (en) 2007-04-27 2017-06-20 International Business Machines Corporation Authentication based on previous authentications
WO2008155188A3 (en) * 2007-06-19 2009-07-23 Ibm Firewall control using remote system information
US8327430B2 (en) 2007-06-19 2012-12-04 International Business Machines Corporation Firewall control via remote system information
US8713665B2 (en) 2007-06-19 2014-04-29 International Business Machines Corporation Systems, methods, and media for firewall control via remote system information
US8272041B2 (en) 2007-06-21 2012-09-18 International Business Machines Corporation Firewall control via process interrogation
US8272043B2 (en) 2007-06-21 2012-09-18 International Business Machines Corporation Firewall control system

Also Published As

Publication number Publication date
AU2003299272A1 (en) 2004-05-04
FI20021802A7 (en) 2004-04-10
FI20021802A0 (en) 2002-10-09
FI20021802L (en) 2004-04-10

Similar Documents

Publication Publication Date Title
EP2289283B1 (en) Method and system for providing mobility management in network
US7889650B2 (en) Method for establishing diameter session for packet flow based charging
DE60016840T2 (en) A method of determining the transmission security condition in a telecommunications network
EP1659746B1 (en) Communications system
EP1257144B1 (en) Method and apparatus for establishing a communication group
AU2004309939B2 (en) Control decisions in a communication system
EP1956777B1 (en) Method and system for reducing the proliferation of electronic messages
US20050153686A1 (en) Controlling sending of messages in a communication system
CN102948115A (en) Methods, systems, and computer readable media for policy charging and rules function (pcrf) node selection
EP1763261A1 (en) Implementing method for short message service
AU5891399A (en) Connection management in a data communications network
WO2004034672A1 (en) Management of a distributed firewall
EP2781050B1 (en) Method and telecommunications network utilizing more than one online charging system for a given user
EP2466853B1 (en) Control of connection between devices for controlling the initiation, routing and security of connections between devices
US20050277430A1 (en) Intelligent mobile messaging and communication traffic Hub (iHub)
JP2004021623A (en) E-mail filter system using directory server and server program
DE10327056B4 (en) Method for modifying a multimedia message by network application of applications and associated radio communication system
JPH11355353A (en) How to use a pair consisting of a call number and an Internet source address
EP3804289B1 (en) Method and system for implementing user defined policies in an intelligent network
EP3515016B1 (en) System and method for providing a captive portal by packetcable multimedia
EP1450526B1 (en) Transfer of multimedia messages between MMS multimedia message center
EP1330892B1 (en) Method and system for transmitting information
CN118301213A (en) Service management capability integration method and device, electronic equipment and storage medium
CN104918240A (en) SMPP (Short Message Peer to Peer) message processing for SMS (Short Message Service) spam filtering
WO2007024061A2 (en) Billing and telecom portal service

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP