Abstract:
PURPOSE: A network system for simultaneously providing a network security service and a QoS (Quality of Service) service is provided to improve the utilization of network security resources by dividing them into SFEs (Security Function Entities), distributing and installing the SFEs in network nodes, and managing the SFEs centrally. CONSTITUTION: One or more network nodes (11) have a security function block (111) containing one or more SFEs (111a). The network nodes (11) also have QoS resources. A path control server (10) connects to the network nodes (11) and stores and updates the security resource states and QoS resource states of the network nodes (11). On a client's connection request, the path control server (10) uses the security resource states and the QoS resource states to calculate a path that satisfies the client's QoS and security requirements.
Abstract:
PURPOSE: A method for expressing, storing and editing a network security policy is provided to reduce the development cost and time of a policy-based network security management system, and to allow a designer to directly design the operating structure of a network security policy management tool, its database schema and its object structure. CONSTITUTION: SecurityRule is the class for a rule object (200), which includes the attributes of the rule itself. OnePacketCondition is the class for a condition object (310) expressing a condition for analyzing one packet. ConditionListType is an attribute indicating how the individual items of a OnePacketCondition are combined. VariableValueComparisonCondition is the class for condition objects (310a, 310b) that compare a field of the packet header with a value. Operator is an attribute indicating the operator used for the comparison. PayloadMatchingCondition is the class for a condition object (310c) that checks which content is included in the payload of a packet. PayloadVariable is the class for a variable object (310j) representing a payload. AggregatedAlertAction is the class for an action object (410a) that raises an alert when the rule has been applied; it has an AlertDescription attribute describing the situation in which the rule applied. MessageStoreAction is the class for an action object (410b) that stores the alert message. MessageShowAction is the class for an action object (410c) that outputs the alert message.
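As an added example (not the patent's own code), the following Python models the rule, condition and action classes named in this abstract and applies one SecurityRule to constructed sample packets; the packet layout (a header dict plus payload bytes), the operator table and the sample traffic are assumptions.

```python
import operator
from collections import namedtuple
from dataclasses import dataclass

# Added example modelling the abstract's rule/condition/action objects; class and attribute
# names follow the abstract, the packet layout and sample traffic are constructed assumptions.
OPERATORS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}

@dataclass
class VariableValueComparisonCondition:   # compare a packet header field with a value
    field_name: str
    operator: str                         # the Operator attribute, e.g. "==" or ">"
    value: object
    def matches(self, pkt):
        return OPERATORS[self.operator](pkt["header"].get(self.field_name), self.value)
@dataclass
class PayloadMatchingCondition:           # is the content contained in the payload?
    content: bytes
    def matches(self, pkt):
        return self.content in pkt["payload"]   # pkt["payload"] is the PayloadVariable
@dataclass
class OnePacketCondition:                 # condition evaluated on a single packet
    items: list
    condition_list_type: str = "AND"      # ConditionListType: AND or OR of the items
    def matches(self, pkt):
        return (all if self.condition_list_type == "AND" else any)(c.matches(pkt) for c in self.items)
@dataclass
class AggregatedAlertAction:              # alarm that the rule has been applied
    alert_description: str                # the AlertDescription attribute
    def execute(self, pkt, store):        # store plays the MessageStoreAction role
        store.append(f"{self.alert_description} src={pkt['header']['src']}")
SecurityRule = namedtuple("SecurityRule", "name condition actions")

def evaluate(rules, packets):
    """Apply every rule to every packet; return the stored alarm messages."""
    store = []
    for pkt in packets:
        for rule in rules:
            if rule.condition.matches(pkt):
                for action in rule.actions:
                    action.execute(pkt, store)
    return store

SAMPLE_PACKETS = [  # constructed sample traffic
    {"header": {"src": "10.0.0.5", "dport": 80}, "payload": b"GET /index.html"},
    {"header": {"src": "10.0.0.9", "dport": 80}, "payload": b"GET /cgi-bin/../../etc/passwd"},
    {"header": {"src": "10.0.0.7", "dport": 22}, "payload": b"../../etc/passwd"}]
TRAVERSAL_RULE = SecurityRule("http-path-traversal", OnePacketCondition(
    [VariableValueComparisonCondition("dport", "==", 80), PayloadMatchingCondition(b"../")]),
    [AggregatedAlertAction("path traversal attempt on HTTP")])
```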
Abstract:
The present invention relates to a security service method and system for an Internet service provider network including distributed security resources. The method, being a packet processing method for each node of an ISP network composed of multiple nodes including distributed security resources, comprises: a packet analysis step of analyzing a packet marked with security information; a security step of performing the security function corresponding to the security information of the packet; and a step of determining, using the address information of the distributed security resources, the next hop to which the marked packet is to move, and forwarding the packet to the determined hop. The system, for packet processing at each node of an ISP network composed of multiple nodes including distributed security resources, comprises: a packet analysis unit that checks whether a packet is marked with security information and, if it is a marked packet, analyzes the marking information; a security function unit that performs the security function corresponding to the security information; a marking conversion unit that converts the security information so that the same security function is not performed again for security information whose function has already been performed; and a path determination unit that, for a marked packet, determines the next hop using the address information of the security resources and forwards the packet to the determined hop, and, for an unmarked packet, forwards the packet to the next hop according to the routing information. According to the present invention, the distributed network security resources present in an Internet service network can be utilized efficiently by means of marked packets, providing a differentiated security service.
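As an added example (not the patent's own code), the following Python simulates the per-node processing described above on a small constructed topology: a marked packet carries the list of security functions it still needs, each node performs the ones it hosts, removes them from the marking, and forwards toward the node hosting the next one. The topology, SFE placement and packet layout are assumptions.

```python
from collections import deque

# Added example of the per-node processing in the abstract above. Topology, SFE
# placement and packet layout are constructed assumptions, not the patent's data.
LINKS = {"R1": ["R2", "R3"], "R2": ["R1", "R4"], "R3": ["R1", "R5"],
         "R4": ["R2", "R5"], "R5": ["R3", "R4"]}
SFE_ADDRESS = {"firewall": "R2", "ids": "R4"}      # address info of distributed SFEs

def next_hop(node, dest):
    """First hop of a shortest path from node to dest (plain routing information)."""
    if node == dest:
        return node
    parent, queue = {node: None}, deque([node])
    while queue:
        cur = queue.popleft()
        for nb in LINKS[cur]:
            if nb not in parent:
                parent[nb] = cur
                queue.append(nb)
    cur = dest                                      # walk back to node's neighbour
    while parent[cur] != node:
        cur = parent[cur]
    return cur

def process_at_node(node, pkt, log):
    """One node's handling of pkt; returns the next hop."""
    pending = pkt["marking"]                        # security functions still required
    if pending:                                     # packet analysis: marked packet
        for fn in [f for f in pending if SFE_ADDRESS[f] == node]:
            log.append(f"{node}:{fn}")              # security function unit
            pending.remove(fn)                      # marking conversion: never repeated
        target = SFE_ADDRESS[pending[0]] if pending else pkt["dst"]   # path determination
    else:
        target = pkt["dst"]                         # unmarked: ordinary routing
    return next_hop(node, target)

def forward(pkt, src):
    """Carry pkt from src to pkt['dst']; return (nodes visited, functions applied)."""
    log, node, trail = [], src, [src]
    while True:
        nxt = process_at_node(node, pkt, log)
        if node == pkt["dst"]:
            return trail, log
        node = nxt
        trail.append(node)
```

The marked packet detours through R2 and R4 to receive both functions, while an unmarked packet to the same destination takes the plain shortest route R1, R3, R5.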
Abstract:
The present invention relates to a method of accepting a client's connection request and establishing the connection when the request arrives, so as to simultaneously provide the network security service and the QoS (Quality of Service) service requested by the client while making maximum use of all resources of an Internet Service Provider (ISP) network. The connection setup method of the present invention comprises: receiving a client connection request in which QoS requirements and security service requirements are specified; searching for and finding all shortest routing paths that satisfy the QoS requirements; searching the security service resources of the routers belonging to the one or more routing paths found; determining whether, among the found paths, a routing path exists that satisfies the security service requirements; if such a routing path exists, establishing that path and reserving the QoS resources and security service resources; and updating the security resource information base, which holds the state information of the routers' security function entities, and the QoS resource information base, which holds the state information of the routers' QoS resources. The present invention has the effect of efficiently utilizing the network security resources and QoS resources distributed in the service provider network.
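As an added example (not the patent's own code) covering both this abstract and the earlier network-system abstract, the following Python implements the path control server's decision: enumerate the minimum-hop paths whose links satisfy the bandwidth requirement, keep the first one on which every required SFE has a free instance, then reserve the resources and update both information bases. The topology, capacities, SFE names and request format are constructed assumptions.

```python
from collections import deque

# Added example of the path control server's selection step. Topology, capacities, SFE
# names and the request format are constructed assumptions, not the patent's own data.
SRIB = {"A": {"firewall": 1}, "B": {}, "C": {"ids": 1},          # security resource
        "D": {"firewall": 0, "ids": 1}, "E": {}}                  # information base
QRIB = {("A", "B"): 100, ("B", "E"): 100, ("A", "C"): 50,        # QoS resource base:
        ("C", "E"): 50, ("A", "D"): 100, ("D", "E"): 100}        # free Mbit/s per link

def free_bw(qrib, u, v):
    return qrib.get((u, v), qrib.get((v, u), 0))

def shortest_qos_paths(qrib, src, dst, bandwidth):
    """All minimum-hop paths on which every link still has >= bandwidth free."""
    nodes = sorted({n for link in qrib for n in link})
    paths, queue, best = [], deque([[src]]), None
    while queue:
        path = queue.popleft()
        if best is not None and len(path) > best:
            break                                   # longer than the shortest found
        if path[-1] == dst:
            best = len(path)
            paths.append(path)
            continue
        for n in nodes:
            if n not in path and free_bw(qrib, path[-1], n) >= bandwidth:
                queue.append(path + [n])
    return paths

def has_security(srib, path, required):
    """Each required SFE must have a free instance on some router of the path."""
    return all(any(srib[n].get(sfe, 0) > 0 for n in path) for sfe in required)

def setup_connection(srib, qrib, request):
    """Admit the request on the first shortest QoS path that also meets its security
    requirements, reserving QoS and SFE resources and updating both bases."""
    for path in shortest_qos_paths(qrib, request["src"], request["dst"], request["bandwidth"]):
        if not has_security(srib, path, request["security"]):
            continue
        for u, v in zip(path, path[1:]):            # reserve link bandwidth
            key = (u, v) if (u, v) in qrib else (v, u)
            qrib[key] -= request["bandwidth"]
        for sfe in request["security"]:             # reserve one SFE instance
            node = next(n for n in path if srib[n].get(sfe, 0) > 0)
            srib[node][sfe] -= 1
        return path
    return None                                     # request cannot be accepted
```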
Abstract:
A network security policy is represented, stored and edited by using a rule object, a condition object, an action object, and their associations. The condition object is a one-packet-condition object, a repeated-packet-condition object or a linear-packet-condition object. The action object is an alert-action object, a packet-drop-action object, a packet-admission-action object, a session-drop-action object, a session-admission-action object, a session-logging-action object, a traceback-action object or an ICMP-unreachable-message-sending-action object.
Abstract:
PURPOSE: A method for storing a tree-structured policy of a user view by using a reusable container is provided to store repeated objects only once, by means of a reusable container of previously designated reusable objects, even if the user is unaware of that container when inserting, deleting and correcting policies. CONSTITUTION: In a process (S100), reusable trees that can be shared are designated in advance and managed separately in a reusable container. Rules and policies constructed as a rooted tree with no shared nodes in the user's view are converted into a directed acyclic graph structure by using the reusable container and then stored (S200). According to a tree insertion request, a tree deletion request or an object correction request from the user's view, a tree is inserted into or deleted from the directed acyclic graph structure by using the reusable container, or a specific object is corrected (S300, S400, S500).
Abstract:
PURPOSE: A method for providing extranet VPN (Virtual Private Network) service in an MPLS (Multi Protocol Label Switching) network is provided to offer intranet VPN service and extranet VPN service at the same time, without affecting the existing service provisioning mechanism, by utilizing the route target and the VPN label variable already used in existing MPLS VPN intranet service. CONSTITUTION: VPN packet processing at the MPLS terminal side is divided into egress forwarding, extra-gate forwarding and relay forwarding. To classify these efficiently, a VPN label is composed of a 2-bit label type classifier (401) and 18-bit label index information (402). The 2-bit label type classifier (401) indicates the forwarding method, and the 18-bit label index information (402) indicates an output IF or an index into a table used for access filtering. When a VPN packet is received, an extranet gateway or egress LER checks the VPN label value carried with the received packet and determines which procedure to execute.
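As an added example (not the patent's own code), the following Python encodes and decodes the VPN label layout described above and dispatches a received label to one of the three procedures. The abstract fixes only the field widths and the three procedures; placing the type classifier in the high bits, the numeric type codes and the sample interface and filter tables are assumptions.

```python
# Added example of the 2-bit type / 18-bit index VPN label. Type in the high bits,
# the numeric type codes and the sample tables are assumptions made for this example.
TYPE_BITS, INDEX_BITS = 2, 18
EGRESS, EXTRA_GATE, RELAY = 0, 1, 2               # assumed values of the type classifier

def encode_vpn_label(label_type, index):
    """Build the 20-bit VPN label value from its two fields."""
    if not (0 <= label_type < (1 << TYPE_BITS) and 0 <= index < (1 << INDEX_BITS)):
        raise ValueError("label field out of range")
    return (label_type << INDEX_BITS) | index

def decode_vpn_label(label):
    """Split a received 20-bit VPN label into (label_type, index)."""
    if not 0 <= label < (1 << (TYPE_BITS + INDEX_BITS)):
        raise ValueError("not a 20-bit MPLS label")
    return label >> INDEX_BITS, label & ((1 << INDEX_BITS) - 1)

def classify_forwarding(label, output_ifs, filter_tables):
    """What an egress LER or extranet gateway does with the label: returns
    (procedure, the object the index selects)."""
    label_type, index = decode_vpn_label(label)
    if label_type == EGRESS:
        return "egress", output_ifs[index]        # index names the output IF
    if label_type == EXTRA_GATE:
        return "extra-gate", filter_tables[index] # index names an access-filter table
    if label_type == RELAY:
        return "relay", output_ifs[index]         # relayed toward the next gateway
    raise ValueError("unassigned label type")

OUTPUT_IFS = {3: "ge-0/0/3", 7: "ge-0/0/7"}                    # constructed sample
FILTER_TABLES = {5: ["permit 10.1.0.0/16", "deny any"]}         # constructed sample
```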
Abstract:
PURPOSE: A method for offering and executing a policy using a system function on a policy-based network security management system is provided to increase the expandability and flexibility of a policy server, by generating a network security policy with reference to a system function of a client and offering it to the related policy client. CONSTITUTION: A system function whose value differs per policy client, used to maintain and manage each policy client, is known to both the policy server and the policy client. The policy server generates, edits or stores the network security policy with reference to the system function (S20). The policy server transfers the network security policy to the policy client (S30). The policy client replaces the system function in the network security policy with the actual value returned by that system function (S40). The policy client then executes the network security policy (S50).
Abstract:
PURPOSE: A method for checking collisions when editing a policy in a network security policy management tool is provided to complement the operating mechanism of a network security policy management tool based on a policy server. CONSTITUTION: It is judged whether an existing reusable object is appended or a new object is created (S41). If a new object is created, the corresponding object type is selected (S42) and the attributes of the selected object are input (S43). If a rule object is created, the attributes of the rule object are input, and it is checked whether a rule object with an identical name or keyword already exists (S44). If a condition object, an action object, a variable object or a value object is created rather than a rule object, it is checked whether an object of the same name already exists. In addition, when an attribute is input, it is checked that the value lies within the range defined for that attribute, and then the corresponding object is created (S45-S46). After creating the object, it is judged whether another object is to be appended (S47). If so, the process returns to step (S41).