DE102009022851A1 - Network component for e.g. monitoring communication connection between network unit and communication network, has determining unit to determine whether communication connection with data communication is allowed or suppressed - Google Patents

Abstract

The network component (5) has a determining unit (52) to determine whether a communication connection with a data communication is allowed or suppressed using information (53) at an actual active communication connection. The determining unit tests whether a connection class associated with the communication connection is compatible with a connection class of the actual active communication connection using a rule (51). The communication connections are blocked for a predetermined time period. Independent claims are also included for the following: (1) a method for monitoring communication connection and for communicating data between a network unit and a communication network (2) a computer program product with a set of instructions for performing a method for monitoring communication connection and for communicating data between a network unit and a communication network (3) a data carrier with a set of instructions for performing the method for monitoring communication connection and for communicating data between a network unit and a communication network.

Description

The The present invention relates to an apparatus and a method to monitor of communication links between at least one network entity and at least building or building a communication network are and for communicating data between the at least a network unit and the at least one communication network are configured. In particular, the present invention relates a network component, a method, a computer program product, a disk, a system and apparatus for monitoring communication links are configured.

devices, which are configured with other devices via a Communications network are often at risk of that over the communication network also such communication links come to frustrate the internal operations of these devices, the Security of internal processes jeopardize the devices or in the worst case, internal crashes of the devices bring. Become such harmful or disturbing Having allowed communication links on the devices performs this for faulty or unsafe operation of these devices.

Such Devices can for example, computers or arrangements of cooperating and / or be with connected computers.

When Components or modules that monitor communication links allow from and to the devices are z. Firewalls, filter components, Personal firewalls or security zones known. The firewalls let only pass such network traffic, which allowed is. Whether network traffic is allowed or not is determined by checked firewalls according to fixed criteria. The filter components to lead an analysis of the contents of the traffic (eg DPI (English: Deep Packet Inspection), where the analysis includes a data analysis at the application level. The personal firewalls Their functionality corresponds to the firewalls mentioned above. Lead the personal firewalls filtering for authorized network traffic locally on single-user computers or PCs (English: Personal Computer) by. As an example for The security-zone-based approach can be Microsoft Internet Called Explorer. This will be web pages in terms of categorizes the permissions of users on the web pages. It can Categories such. B. Intranet, reliable pages (English: Trusted Sites) or Internet emerge. In this process will of it assumed it was for a single workstation or PC appropriate permissions for each of Web pages exist.

The known approaches that monitor communication links from and to the devices often still leave communication links to who the internal processes of this Disturb devices and the security or safe operation of its internal operations Endanger devices can. By using the known procedures is thus after as not guaranteed before, that devices that over Communication links in communication networks with others Devices communicate, from such harmful or disturbing communication links are safe. Consequently, a faultless and safe work such communicating devices are still not always guaranteed.

The Object of the present invention is to provide a safer Communicate and thus a safer functioning of such devices to enable.

The Task is solved by a network component having the features of claim 1, by a method having the features of claim 11, by a Computer program product with the features of claim 12, by a disk with the features of claim 13, by a system having the features of claim 14 and / or by a device with the features of claim 15.

The under claims specify further embodiments of the present invention.

The The above object is achieved by means of a network component which is configured to monitor communication links between at least a network unit and at least one communication network or to build up and to communicate between the data at least one network unit and the at least one communication network are configured, wherein the network component is a decision module configured using information to currently active communication links to determine whether a Allow communication connection with a new data communication or suppress is.

there the communication link is one between the at least one Network unit and the at least one communication network constructed or still to be established communication connection.

Under communicating data is both the transmission of data from one Network device as well as the receiving of data by the network unit Understood.

The "new data communication" refers thus on straight or new received or on straight or new Data to be sent by the at least one network unit.

Of the Term "current active communication connection "refers turn on an existing, established communication link, at the time of determining whether the communication link to allow or suppress is carried out will, in fact is used or ready for use.

information to currently active communication links at least indicate which communication connections between the at least one network component and at least one communication network consist are and indeed be used or usable.

Of the Wording "at least a network unit "refers according to the present Invention on both a single device, over at least a communication network with at least one further device communicates, or on an arrangement of (or a system off) Devices which individually and / or cooperatively via at least a communication network with at least one further device communicate.

By the network component outlined above and explained in more detail below security in communicating data over communication networks elevated. In particular, the security of the devices or network units elevated, that communicate data. It can be a new Traffic over a data or communication connection depending on which others Types of traffic over Communication networks already exist and / or in use become, admitted or suppressed become. Under the term "suppress" can the Blocking or terminating a communication connection understood become.

By the onset of the network component becomes only such communication links simultaneously allowed, mutually no harmful, disturbing and / or have uncertain effects and / or mutually exclusive effects no harmful, disturbing and / or act with uncertainty.

According to one embodiment of the present invention, the decision module is configured to consider, whether a connection class assigned to the communication connection with connection classes of the currently active communication connections is compatible.

By classifying communication links becomes overhead and resources in performing of watching saved the communication connections. It's not necessary, analyze every single communication link, but it sufficient, existing or current communication links based on some of the key features in groups or classes their compatibility or compatibility with the communication link, which has a new data communication to check. At the same time no losses in terms of quality the monitoring of the invention Communication connections are accepted, as this only the security relevant and not all features of the communication links considered Need to become.

According to one embodiment of the present invention, the decision module is configured determining whether to allow or deny the communication connection suppress is to perform using at least one rule, wherein which defines at least one rule, whether the communication connection compatible with the currently active communication links.

On this meadow becomes an effective and flexibly configurable monitoring of communication links. By setting rules becomes a transparency with regard to checking the communication links offered. Furthermore, can the rules are fixed or variable, with each time also adding, changing and / or Remove or Delete the rules possible is.

According to one embodiment In the present invention, when using the at least one Usually checked, whether the connection class assigned to the communication connection with the connection classes of the currently active communication connections is compatible.

• – die Kommunikationsverbindung (mit der neuen Datenkommunikation) zuzulassen und solche aktuell aktiven Kommunikationsverbindungen, die mit der Datenkommunikation nicht vereinbar sind, zu unterdrücken, wenn alle Prioritäten, die Verbindungsklassen solcher aktuell aktiven Kommunikationsverbindungen zugeordnet sind, kleiner sind als eine Priorität, die einer Verbindungsklasse der Kommunikationsverbindung (mit der neuen Datenkommunikation) zugeordnet ist; und
• – die Kommunikationsverbindung (mit der neuen Datenkommunikation) zu unterdrücken, wenn zumindest eine Priorität, die einer Verbindungsklasse solcher aktuell aktiven Kommunikationsverbindungen zugeordnet sind, die mit der Kommunikationsverbindung (mit der neuen Datenkommunikation) nicht vereinbar sind, größer ist als die Priorität, die der Verbindungsklasse der Kommunikationsverbindung (mit der neuen Datenkommunikation) zugeordnet ist.

According to another embodiment of the present invention, the decision module is configured:

• To allow the communication connection (with the new data communication) and to suppress those currently active communication connections that are incompatible with the data communication, if all priorities associated with connection classes of such currently active communication connections are smaller than a priority belonging to a connection class of the Communication link (with the new data communication) is assigned; and
• To suppress the communication link (with the new data communication) if at least one priority associated with a link class of such currently active communication links inconsistent with the communication link (with the new data communication) is greater than the priority of the link class the communication link (with the new data communication) is assigned.

For this, the Network component is a priority module which is configured to prioritize the connection classes assign and / or priorities to manage the connection classes. The priorities indicate which class of connection the priority in allowing for data communication in the communication network across from another class of connection has.

According to one embodiment According to the present invention, the network component has an allocation module which is configured to communicate with each of the communication links Assign connection class. By assigning communication links becoming a connection class becomes an effective, efficient and transparently manageable monitoring of communication links.

According to one another embodiment the allocation module is configured to assign the communication connections to a connection class using criteria for mapping to perform a communication connection to a connection class. The Criteria can be handled flexibly. They can be fixed. Furthermore, can depending on the situation and / or the security requirements changed at any time, added and / or deleted or removed. In this way, a transparent and effective monitoring of communication links.

According to one embodiment The present invention includes suppressing a communication link blocking or terminating the communication connection. As indicated above Depending on the situation, certain currently active communication connections or a communication link with a new data communication repressed become. In this case, the blocking comprises a communication connection prohibiting the communication of data over the communication link, wherein the communication link is not degraded or terminated becomes.

According to one another embodiment The present invention provides blocking of the communication link for one performed predetermined time. Ie. the removal of the communication connection through which a communication of data over the communication connection is allowed again, will expire performed this predetermined time.

Further will according to one embodiment the present invention blocking the communication link performed so long at least one of currently active communication links such currently active communication link is present, the is incompatible with the blocked communication link. Ie. the removal of the communication connection through which a communication of data over the communication connection is allowed again, after finishing respectively degradation and / or blocking of all such currently active Communication connections performed with the communication link are incompatible.

The above object is achieved by a method comprising monitoring communication links configured or to be set up between at least one network unit and at least one communication network and configured to communicate data between the at least one network unit and the at least one communication network monitoring communication links determining whether a communication link with the new one Data communication is to be allowed or to be suppressed, wherein the determining is performed using information on currently active communication links.

The inventive method is described by the network component outlined above and explained in more detail below carried out. The process is configured, at least such actions perform the network component, in the context of the monitoring according to the invention be carried out by communication links. Therefore, the Steps of the method according to the invention from the actions or functions of the network component or its Modules derived or removed accordingly.

The The above object is also achieved by means of a computer program product achieved having a coding that is configured, the Implemented above and explained in more detail below method to implement and / or execute. The coding can be contained in a data carrier.

According to one embodiment According to the present invention, the computer program product is configured to carry out this procedure when the computer program product by means of a computing unit accomplished becomes. According to one another embodiment In the present invention, this calculating unit is in the above sketched and explained in more detail below network component contain.

In addition will solved the above object by means of a data carrier, wherein the data carrier the explained above Computer program product has.

Of Furthermore, the object of the present invention by a system solved, this is the network component outlined above and explained in more detail below having. The system is generally considered as a set of elements, Components, and / or units to understand which are among each other Interact. The network component is a component of the overall system.

In addition will the object of the present invention also by a device the network component outlined above and explained in more detail below has dissolved.

Consequently the present invention relates to the monitoring of communication links, the between at least one network unit and at least one communication network are built or set up and communicating data between the at least one network unit and the at least one Communication network are configured. It is under use Information about currently active communication connections determines if a communication connection with a new data communication to allow or suppress is. The present invention will communicate securely network units in communication networks. It is particularly applicable where a communication of or to a network unit via a communication network takes place.

there the present invention allows monitoring of communication links that ensures the safe functioning of devices, if these over Communicate communication networks with other devices or exchange data.

Of Further, the monitoring according to the invention of communication links easily and without cumbersome Modifications to existing procedures for monitoring communication links in addition to these existing procedures or in the context of this existing practices are implemented and implemented. Ie. the present invention is compatible with existing solutions and also without big ones Effort to be integrated into this.

Further The present invention allows an efficient, effective, transparent and effort and resource-saving monitoring of communication links.

in the Following are embodiments of the present invention in detail with reference to the figures attached below described.

It demonstrate:

1 a flowchart illustrating the execution of the monitoring of communication links according to the invention according to an embodiment;

2 a network environment and components configured to implement the present invention in accordance with an embodiment of the present invention;

3 a network environment and components configured to implement the present invention in accordance with another embodiment of the present invention;

4a monitoring communications according to an embodiment of the present invention;

4b monitoring communications according to the ??? Embodiment of the present invention;

5 a network component configured to monitor communication links in accordance with an embodiment of the present invention;

6 a network component included in a device configured to monitor communication links of the device according to an embodiment of the present invention; and

7 monitoring communications according to an embodiment of the present invention.

According to one embodiment The present invention can provide a filtering function of a firewall or a firewall computer or a personal firewall around the monitoring according to the invention be extended by communication links. In addition to the fixed Rules of a firewall that determine which traffic is allowed is and which is not, by using the present invention according to the present Embodiment checks which Type of traffic currently occurring. Whether a particular one Type of data traffic (or communication connection, respectively) be allowed, forbidden or suppressed, is thus no longer fixed as it is in the conventional firewall solutions of Case is. According to the present embodiment depends on this Decision on which other types of traffic (or Communication connections respectively) are currently available and are activated, d. H. be used or ready for use.

So can z. B. Prevents a safety-critical online banking and a potentially "dangerous" online game or an online broadcast or online play videos are allowed at the same time. The security of online banking and thus the security of the communication connection, the online banking allows is through the online game or the online transfer or playback of videos and thus by the appropriate communication link, the the online game or the online broadcast or play, endangered.

1 FIG. 12 is a flow chart illustrating the performance of monitoring communication links according to an embodiment of the invention. FIG.

In step 10 An analysis of a new traffic to be performed or the corresponding communication link that allows this traffic is performed. The communication connection is a communication connection which has already been set up for this data traffic or which still has to be set up for this data traffic. The analysis 10 will be using criteria 13 for the analysis of the data traffic or the communication connection.

• – eine Quell-Adresse und/oder Ziel-Adresse; eine Quell-Adresse und/oder Ziel-Adresse kann z. B. eine IP-Adresse (Internet-Protokoll-Adresse), eine MAC-Adresse (Media-Access- Control-Adresse), ein DNS-Name (Domgin-Name-System-Adresse) oder eine URL (Uniform Resource Locator) sein;
• – ein Protokoll; ein Protokoll kann ein Protokoll sein, das das Kommunizieren von Daten in einem Kommunikationsnetzwerk ermöglicht, z. B. ein TCP-Protokoll (Transmission Control Protocol, deutsch: Übertragungssteuerungsprotokoll), oder ein UDP-Protokoll (User Datagram Protocol);
• – Portnummern; eine Portnummer kann dabei z. B. eine Quell- oder eine Ziel-Portnummer sein;
• – Benutzer; diese Information kann z. B. mittels eines Identifizierungsprotokolls bestimmt werden;
• – Bei sicheren Verbindungen oder sicher zu haltenden Verbindungen respektive (z. B. SSL, TLS, IPsec) das verwendete Zertifikat; und/oder
• – Zugelassene Inhaltstypen, z. B. zulässiger Inhalt einer Netzseite (z. B. Profildateien (englisch: Cookies), Bilder, Flash, Video etc.).

Such criteria 13 For example, they can be as follows:

• A source address and / or destination address; a source address and / or destination address may e.g. Example, an IP address (Internet Protocol Address), a MAC address (Media Access Control Address), a DNS name (Domgin Name System Address) or a URL (Uniform Resource Locator) ;
• - a protocol; a protocol may be a protocol that allows communication of data in a communication network, e.g. As a TCP protocol (Transmission Control Protocol, German: Transmission Control Protocol), or a UDP protocol (User Datagram Protocol);
• - port numbers; a port number can be z. A source or destination port number;
• - users; this information can z. B. be determined by means of an identification protocol;
• - For secure connections or secure connections respectively (eg SSL, TLS, IPsec) the certificate used; and or
• - Allowed content types, eg. Eg permissible contents of a netpage (eg profile files, pictures, flash, video etc.).

These criteria 13 can be individually but also in combination with each other in the analysis 10 the data traffic or the communication connection are used.

Based on these criteria 13 can z. B. be checked whether it is a secure connection and thus a secure data transfer. Furthermore, the nature or character of the connection and thus of the data transmission can also be derived.

In step 10 In particular, data traffic-specific or communication-connection-specific information on the criteria becomes available 13 certainly. There is thus a kind of description of the corresponding data traffic or the corresponding communication connection on the basis of the criteria 13 filtered out or determined.

It should be noted that the list of criteria 13 for the analysis of a traffic or a communication connection over which the data traffic is or is to be carried out is not conclusive. According to the present invention, further corresponding criteria can also be used or defined. Further, the present invention also allows changing or removing criteria 13 ,

Furthermore, the present invention allows both stateless and stateful parsing 10 the data traffic or the communication connection. In stateless analysis 10 Each data unit (eg packet) to be communicated or communicated is analyzed. In stateful parsing 10 the structure of a communication connection is noted; When exchanging data (eg packets) it is then checked whether a corresponding communication connection still exists.

After finishing the analysis 10 , gets in step 11 Based on the analysis result, an assignment of the currently occurring network traffic (ie the new communication connection) made to a connection class. The analysis result contains concrete information about the new data traffic or the corresponding communication connection, which is in accordance with the criteria 13 in step 10 were determined.

As the new data traffic or the corresponding communication connection is treated, d. H. whether the new traffic or the corresponding Communication connection is allowed or not allowed or suppressed, depends on the connection class that matches the new traffic or the corresponding one Communication connection is assigned.

The assignment to a connection class is made by using predetermined connection classes 15 and criteria 14 or rules 14 for assigning to the connection classes 15 carried out. The connection classes 15 and the corresponding criteria or rules 14 may be fixed or may be added, changed and / or removed or deleted at any time.

According to the present embodiment, there are three classes of connections: "BANKING", "ENTERTAINMENT" and "BASIS". In this case, according to the present embodiment, the assignment 11 a communication or a communication connection to the connection class "BASE" with respect to network base protocols performed. According to the present embodiment, in step 10 a criterion 13 used to determine which protocols to use for communication. The result of the step 10 thus has information about the network base protocols of the respective data traffic or the respective communication connection. According to the present exemplary embodiment, such network base protocols may include, for example, Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and / or Simple Mail Transfer Protocol (SMTP) Protocol). This information about the network base protocols is used when mapping 11 to the connection class "BASE" is decided, with the criteria 14 or rules 14 can be used for the assignment to the connection class "BASIS".

Similarly, mapping is also about 11 to the other classes of compounds 15 decided.

When assigning 11 For example, to the connection class "BANKING" information about protocols such. B. HTTP (English: Hypertext Transfer Protocol) or HTTPS (HyperText Transfer Protocol Secure) and the destination address such. Eg "* .sparkasse.de". Here, the string "* .sparkasse.de" points to online banking at a savings bank.

When assigning 11 For example, for the connection class "ENTERTAINMENT", information about peer-to-peer connections, instant messaging, http or HTTPS, etc. can be used for corresponding other network pages.

It should be noted that the above classes of compounds 15 are merely examples and that the present invention is not limited to these classes of compounds 15 is limited.

The decision about the further handling of a data traffic or a communication connection, ie whether a data traffic or a communication connection is permitted or suppressed, depends on the connection class 15 from the respective data traffic or the respective communication connection in step 11 assigned or assigned. This decision on the handling of traffic will be in step 12 met.

This will be the results or information of the assignment 11 to the connection classes 15 used. Further, the decision will be made 12 about the further handling of a data traffic or a communication connection also using rules 16 carried out the compatibility or compatibility of the compound classes 15 define one another. In addition, also information 17 to the currently active communication connections or to the currently active network or data traffic.

With respect to the above-exemplified classes of compounds 15 "BANKING" and "ENTERTAINMENT" can be one of the rules 16 for example, define that no network traffic of the class "BANKING" and the class "ENTERTAINMENT" are allowed at the same time.

Which one Data traffic or which communication connection is suppressed and which is allowed can be determined in different ways become.

For example, existing network traffic (ie currently active communication links) can be maintained. With regard to the above exemplified compound classes z. B. (by the rules 16 ) can be defined that no additional added network traffic of the class "BANKING" is allowed, if under the existing network traffic is also given an entertainment traffic.

Further, in the decision 12 also consider the priority of a connection class. With regard to the classes of compounds exemplified above 15 can z. B. (by the rules 16 ), that the BANKING connection class has a higher priority than the CONNECTIVE connection class. In this case, when there is already a conversation traffic and network traffic of the connection class "BANKING" is due, the banking traffic is allowed and the entertainment traffic is suppressed.

Will in step 12 decided that network traffic should be suppressed or denied, unauthorized network traffic can be blocked, ie it will not be forwarded. Alternatively, an actively existing communication connection can be terminated, for. For example, by signaling the depletion of a TCP connection, an ICMP message being "unreachable", sending a TCP reset message, or intervening in the flow control of TCP so that data is no longer forwarded and the involved communication partners (ie the communicating network devices or devices) is pretended that an active TCP connection still exists.

According to a further embodiment of the present invention, the communication of further network units or devices communicating via communication networks is also considered. In this case, the communicating network units or devices are computers. According to the present embodiment, a firewall configured to perform the method according to the present embodiment inhibits or suppresses network traffic of the connection class "ENTERTAINMENT" for all the computers of the home network in a local home network with a plurality of computers, as long as a home network computer over a communication link the connection class "BANKING" kommu cates.

According to one another embodiment can be a limitation or suppression concern only a user of a multi-user computer. Ie. when a user over a communication connection of the connection class "BANKING" communicates (For example, the user uses online banking) may be another user the same computer still a data communication over a Perform communication connection of the connection class "ENTERTAINMENT" (eg. Using peer-to-peer).

According to the present Invention can also the following implementation variants according to the following embodiments be used.

According to one Implementation variant of an embodiment of the present Invention is the procedure of the invention as an extension module (English: plug-in) of a network browser or realized by the web browser itself. This particular can for pure Browser-based applications are implemented.

According to one Another implementation variant of an embodiment of the present Invention is a local personal firewall to the inventive approach he advances. Such a local implementation can be in an automatic or in a manual mode, as is common in some personal firewalls. In this way it is possible the assignment of the communication connections to connection classes set up automatically. Furthermore, the functionality of many Personal firewalls, changes recognize the applications (eg by using so-called public keys (English: Fingerprints) = checksum of the application), used to the user from any safety-damaging effects to warn the onset of such applications via communication links communicate in certain connection classes.

In a further implementation variant according to an embodiment The present invention is the procedure of the invention implemented in an infrastructure firewall or proxy.

According to one another implementation variant of an embodiment of the present Invention is the procedure of the invention implemented as part of a DPI application.

It It should be noted that the present invention is not limited to the is limited to the above listed implementation variants. The present invention may also be used in other contexts accordingly be used.

Has a traffic or communication link of a high-priority Class of connection led to that a traffic or communication link is a lower priority If the connection class was blocked or locked, this block must be used or blocking.

This can be done in different ways. In the following are some of these possibilities demonstrated.

According to one embodiment The present invention may include such blocking or blocking be canceled if all communication connections with connection classes higher priorities dismantled or terminated, z. By TCP disconnection, etc.

According to one another embodiment The present invention may include such blocking or blocking be canceled after a predetermined time. According to the present embodiment this predetermined time refers to the time after communicating the last data unit (eg a data packet) over the Communication link the higher prioritized class of connection.

According to one other embodiment The present invention may include such blocking or blocking to be canceled after the browser has restarted another embodiment The present invention may include such blocking or blocking be canceled after the computer has been rebooted.

According to another embodiment of the present invention, such a blockage or suspend after performing a security scan or virus scan if the verification has revealed that there are no security risks or that no viruses could be found. This can also be done after a predetermined time after performing the check.

According to the present Invention can the respective embodiments also be combined to cancel the blocking or blocking.

It It should be noted that the present invention is by no means limited to the above-mentioned embodiments is limited to cancel the blocking or blocking. According to the present Invention can also other appropriate conditions for unblocking or blocking.

By The present invention will enhance the security of the communicating Network units or devices increased. It can, for example The simultaneous use of safety-critical online services and online services are suppressed with high security requirements, because the safety-critical online services are damaging Effect on the online services with high security requirements can have. For example, it can be ensured that the danger of XSS (English: Cross Site Scripting) by avoiding only certain Online connections as individual processes (English: Tasks) are performed.

2 FIG. 10 illustrates a network environment and components configured to implement the present invention in accordance with one embodiment of the present invention. FIG.

The communication network 20 , is communicated over, according to the present embodiment, the Internet. There are two client machines 22 . 23 with the Internet 20 connected and communicate with at least one of the servers 201 . 202 . 203 , According to the present embodiment, the monitoring of communications between the client computers according to the invention is 22 . 23 and the servers 201 . 202 . 203 in a supervising component 211 a firewall 21 implemented. The client machine 22 . 23 are with the internet 20 and thus with the servers 201 . 202 . 203 over the firewall 21 connected. It monitors the firewall 21 the communication links between the client machines 22 . 23 and the servers 201 . 202 . 203 , wherein the monitoring component 211 monitors the communication links according to the present invention and thus ensures that the communication of the client computers 22 . 23 as intended by the present invention.

3 FIG. 12 shows another network environment and components configured to implement the present invention in accordance with one embodiment of the present invention. FIG.

According to the present embodiment, a device (eg, a computer) communicates 31 with at least one server 201 . 202 . 203 over a communication network 20 , The device 31 has a monitoring component 311 configured to perform the monitoring of communication links according to the invention. The communication connections of the device 31 to the communication network 20 lead through the monitoring component 311 , At each new data communication over a communication link between the device 31 and that with at least one server 201 . 202 . 203 in the communication network 20 takes the monitoring component 311 checking the connections according to the present invention, thus ensuring that there are no unconstitutional or non-compliant communications on the device 31 occur.

In the following an example is shown, in which form information on connection classes 15 and criteria 14 can be managed to associate the connection classes with communication links. It should be noted, however, that the present invention is not limited to the following manner of managing and representing the classes of connections 15 and criteria 14 is limited and that further ways of managing and representing the information according to the present invention are possible. compound class Criteria for assigning connection classes to communication links protocol aim SC1 HTTP, HTTPS S1 SC2 Skype, peer-to-peer <*> SC3 DNS <*> SC3 NTP S3 SC4 HTTP, HTTPS <*>

According to the present embodiment, both the connection classes 15 as well as the criteria 14 managed to map connection classes to communication links in a table. The assignment 11 is performed using the table. The table above shows the assignment of data traffic or communication connections based on protocol and destination information for a connection class, here: "SC1", "SC2", "SC3", "SC4".

According to the present embodiment become the individual entries the table, as known from packet filters and firewalls, the series after being evaluated. The first matching entry, d. H. the one entry in the table where all criteria (here protocol and destination) match, is used. According to the present embodiment will be more entries not evaluated.

At It should be noted that according to the present invention Also, further appropriate ways of evaluation are possible.

According to the present embodiment are for the class "SC3" has two entries. Ie. if one of the two entries for the connection class "SC3" becomes one Communication connection, the traffic is assigned to security class "SC3".

In the following an example is given, in which form rules 16 which can define, manage and represent the compatibility or compatibility of the connection classes with each other. It should be understood, however, that the present invention is not limited to the following manner of administration and representation, and that other ways of managing and representing that information in accordance with the present invention are also possible. Compatible connection classes SC1, SC3 SC2, SC3, SC4

According to the present embodiment becomes the information or rules about which connection classes compatible or compliant, d. H. take place simultaneously allowed to, specified in a table. Each row of the table gives each which security classes per host, d. H. for a client, at the same time may be used. Alternatively could this also for a group of clients or for all clients on the intranet apply. According to the present invention Different ways of implementation are possible.

4a and 4b show monitoring communications according to an embodiment of the present invention.

According to the present embodiment builds a first client computer 22 an HTTPS connection to a first server 201 and uses it for communications with the first server 201 , This connection is assigned according to the present embodiment of the security fund "SC1". An attempt of the first client machine 22 Setting up a second communication connection according to the connection class "SC4" fails according to the present embodiment because the connection classes "SC1" and "SC4" are incompatible. The supervising component 211 the firewall 21 , which is configured to carry out the monitoring of communication links according to the invention, then sends a message for terminating the second communication link. Alternatively, a message may be sent to block the second communication link; In this case, the second communication connection is deactivated, ie no data is transmitted via this communication connection.

The second client research 23 but can establish a communication connection of the security class "SC4", as according to the present embodiment, this connection no incompatibility or incompatibility with the existing active communication links of the second client computer 23 represents.

Then build the first client machine 22 the communication connection of the connection class "SC1". The entry relating to the connection class "SC1" is updated. Since this is the only communication connection of the first client computer 22 is the connection class "SC1", the entry for the connection class "SC1" is deleted from the set of active connection classes of the first client computer. Ie. According to the present embodiment, the set of active connection classes of the first client computer 22 now empty again. A possible subsequent connection setup of the first client computer 22 to a second server 202 according to the connection class "SC4" will succeed.

The following will be in the 4a and 4b shown steps with reference to their reference numerals explained. The steps lead the 4b the in 4a progress shown.

In step 411 becomes a request to connect from the first client machine 22 to a first server 201 to the supervising component 211 the firewall 21 transmitted. According to the present embodiment, a corresponding communication connection is to be established using TCP and HTTPS. This can be done, for example, by transmitting the following command from the first client machine 22 to the first server 201 be performed:
Connect (C1, S1, TCP, HTTPS),
where "C1" is the first client machine 22 and "S1" the first server 201 and "Connect" stands for the connection.

In step 412 is controlled by the monitoring component 211 the firewall 21 made or determined a decision, as that of the first client computer 22 made request to build a new communication connection from the first client computer 22 to the first server 201 to treat. The supervising component 211 determines whether this new connection is to be allowed or denied or not allowed.

This is determined by the monitoring component 211 first the connection class of the new connection. According to the present embodiment, it is the class "SC1". Then the monitoring module determines 211 the currently active communication connections of the first client computer 22 and determines which connection classes have these currently active communication connections.

According to the present embodiment, the first client computer 22 no currently active communication connections. The set of connection classes containing the currently active communication connections of the first client computer 22 describe is thus empty. The connection class of the new communication connection thus represents another or a new connection class of the first client computer 22 in the set of current connection classes of the first client machine 22 Since the set of connection classes is empty, the connection class of the new communication connection is compatible or compatible with the currently active communication connections or their connection classes. Thus, the new communication connection can be allowed. The supervising component 211 notes or stores an entry "C1, SC1, T" in a data management module in which information about communication links is managed and forwards the connection request to the first server 201 further. In this case, the device or network unit is specified under "C1", from or to which the new communication connection is to be established, here the first client computer 22 , "SC1" indicates the connection class of the new communication connection. "T" indicates that the new communication was a transmission.

This decision or determination described above can be carried out, for example, by appropriately executing the following commands:
determine SC → SC1 (Determining the connection class → "SC1")
determine C1's active SCs → empty (determine the currently active connection classes → the set is empty)
additional SC? → yes (a new or additional connection class? → yes)
New SC compatible with active ones? → yes (is the new connection class compatible with the active connection classes → yes)
add entry: C1, SC1, T (adding the entry: C1, SC1, T)
Forward message

It It should be noted that the present invention applies to these commands not limited is, and that also more adequate Commands possible are. It should also be noted that, as the languages for describing Commands are English speaking, including those described herein Commands are represented in English. Here are in the brackets short translations provided these commands.

In step 413 sends the monitoring component 211 a request to establish the connection to the first server 201 , For this purpose, the module or the component 211 send the following command:
Connect (C1, S1, TCP, HTTPS).

In step 414 sends the first server 201 an answer to the request. According to the present embodiment, the first server is right 201 connecting to an OK message to:
OK (S1, C1, TCP, HTTPS).

The one from the first server 201 skillful answer to the request is from the supervising component 211 receive and the component 211 performs the inventive determination for further handling of the connection between the first client computer 22 and the first server 201 out. According to the present embodiment, the following commands are executed for this purpose:
determine SC → SC1 (Determining the connection class → "SC1")
determine C1's active SCs → SC1 (determine the currently active connection classes → SC1)
additional SC? → no (a new or additional connection class? → no)
update entry: C1, SC1, T (Update the entry: C1, SC1, T)
Forward message

After checking according to the invention passes the component 211 in step 416 the answer of the first server 201 :
OK (S1, C1, TCP, HTTPS)
to the first client machine 22 further.

In the following steps 417 to 422 According to the present embodiment, communication is from a data get (get) request and from the server 201 provided data "DATA" over the newly established communication connection performed.

In step 417 gets the get request with the command
GET (C1, S1, TCP, HTTPS)
from the client machine 22 to the module 211 cleverly.

The module or component 211 performs the checking according to the invention:
determine SC → SC1 (Determining the connection class → "SC1")
determine C1's active SCs → SC1 (determine the currently active connection classes → SC1)
additional SC? → no (a new or additional connection class? → no)
update entry: C1, SC1, T (Update the entry: C1, SC1, T)
Forward message

According to the present embodiment, the communication is allowed. In step 419 gets the get request through the component 211 to the first server 201 forwarded.

In step 420 sends the first server 201 an affirmative answer with the requested data back. For example, this answer might look like this:
OK (S1, C1, TCP, HTTPS, DATA).

The component 211 receives the affirmative response of the first server 201 and leads in step 421 the check according to the invention. According to the present embodiment, the following commands are performed:
determine SC → SC1 (Determining the connection class → "SC1")
determine C1's active SCs → SC1 (determine the currently active connection classes → SC1)
additional SC? → no (a new or additional connection class? → no)
update entry: C1, SC1, T (Update the entry: C1, SC1, T)
Forward message

According to the present embodiment, the result of the check is positive, the data transmission is allowed and in step 422 directs the component 211 the answer of the first server 201 with the data to the first client machine 22 further.

In step 423 wants the first client machine 22 a connection of the connection class "SC4" to the second server 23 build and send a connection request. This is provided by the monitoring component 211 receive.

According to the present embodiment, the request looks as follows:
Connect (C1, S2, TCP, HTTP), where "S2" for the second server 202 stands.

In step 424 leads the monitoring component 211 the check according to the invention. In this case, according to the present embodiment, the following instructions are implemented:
determine SC → SC4 (determine the connection class → "SC4")
determine C1's active SCs → SC1 (determine the currently active connection classes → SC1)
additional SC? → yes (a new or additional connection class? → yes)
compatible? → no (is the new connection class compatible with the currently active connection classes → no)
reject (reject the connection request)

Since the connection class "SC1" is incompatible or compatible with the "SC4", this connection request is made by the supervising component 211 declined.

In step 425 this connection is closed or dismantled:
close (S2, C1, TCP, HTTP) (Close the connection).

In step 426 is an acknowledgment message for closing the connection from the first client computer 22 to the supervising component 211 cleverly:
Close_Ack (C1, S2, TCP, HTTP) (closure confirmation).

In step 427 want the second client machine 23 a connection of the connection class "SC4" with the second server 202 build up. The second client machine 23 thus sends in step 427 a connection (English: Connect) request. This can be implemented, for example, by the following command:
connect (C2, S2, TCP, HTTP), where "C2" is for the second client machine 23 stands.

The supervising component 211 receives this connection request and performs in step according to the present embodiment 428 checking according to the invention by means of the following commands:
determine SC → SC4 (determine the connection class → "SC4")
determine C2's active SCs → empty (determine the currently active connection classes → the set is empty)
additional SC? → yes (a new or additional connection class? → yes)
New SC compatible with active ones? → yes (is the new connection class compatible with the active connection classes → yes)
add entry: C2, SC4, T (adding the entry: C2, SC4, T)
forward message

According to the present embodiment, the new communication connection of class "SC4" is from the second client computer 23 to the second server 202 allowed, as there are no collisions with the currently active connections of the second client computer 23 can arise through the new communication link.

In step 429 sends the monitoring component 211 the connection request to the second server 202 further.

In step 430 agrees the second server 202 to this new communication link and send:
OK (S2, CC2, TCP, HTTPS).

The supervising component 211 receives the from the second server 202 sent consent message and performs the check according to the invention. According to the present embodiment, the monitoring component performs 211 the following commands:
determine SC → SC4 (determine the connection class → "SC1")
determine C2's active SCs → SC4 (Determine the currently active connection classes → SC4)
additional SC? → no (a new or additional connection class? → no)
update entry: C2, SC4, T (Update the entry: C2, SC4, T)
forward message

According to the present embodiment, the check is positive and the supervising component 211 leads in step 432 that from the second server 202 sent consent message to the second client machine 23 further.

In step 433 sends the first client machine 22 a disconnect message:
close (C1, S1, TCP, HTTPS).

In step 434 receives the monitoring component 211 this message and performs the check according to the invention:
determine SC → SC1 (Determining the connection class → "SC1")
determine C1's active SCs → SC1 (determine the currently active connection classes → SC1)
additional SC? → no (a new or additional connection class? → no)
update entry: C1, SC1, T (Update entry C1, SC1, T)
forward message

In step 435 directs the monitoring component 211 the disconnect message of the first client computer 22 to the first server 201 further.

In step 436 sends the first server 201 a confirmation message to clear the connection:
Close_ACK (S1, C1, TCP, HTTPS).

In step 437 receives the monitoring component 211 the confirmation message and performs the check according to the invention:
determine SC → SC1 (Determining the connection class → "SC1")
determine C1's active SCs → SC1 (determine the currently active connection classes → SC1)
additional SC? → no (a new or additional connection class? → no)
update entry: C1, SC1, T (Update entry C1, SC1, T)
forward message

In step 438 directs the monitoring component 211 the confirmation message to the first client computer 22 further.

According to the present embodiment, the first client computer 22 no more communication links whose connection classes could collide with the connection class "SC4". Therefore, a new communication link of class "SC4" becomes the second server 202 fold as shown below.

In step 439 wants the first client machine 22 a connection of the connection class "SC4" with the second server 202 build up. The first client machine 22 thus sends in step 439 a connection request. This can be implemented, for example, by the following command:
Connect (C1, S2, TCP, HTTP).

The supervising component 211 receives this connection request and performs in step according to the present embodiment 440 checking according to the invention by means of the following commands:
determine SC → SC4 (determine the connection class → "SC4")
determine C1's active SCs → empty (determine the currently active connection classes → the set is empty)
additional SC? → yes (a new or additional connection class? → yes)
new SC compatible with active ones? → yes (is the new connection class compatible with the active connection classes → yes)
add entry: C1, SC4, T (adding the entry: C1, SC4, T)
forward message

According to the present embodiment, the new communication connection of class "SC4" is from the first client computer 22 to the second server 202 allowed, as there are no collisions with the currently active connections of the first client computer 22 can arise through the new communication link.

In step 441 sends the monitoring component 211 the connection request to the second server 202 further.

In step 442 agrees the second server 202 to this new communication link and send:
OK (S2, C1, TCP, HTTP).

The supervising component 211 receives the from the second server 202 sent approval message and leads in step 443 the check according to the invention. According to the present embodiment, the monitoring component performs 211 the following commands:
determine SC → SC4 (determine the connection class → "SC1")
determine C1's active SCs → SC4 (determine the currently active connection classes → SC4)
additional SC? → no (a new or additional connection class? → no)
update entry: C1, SC4, T (Update the entry: C1, SC4, T)
forward message

According to the present embodiment, the check is positive and the supervising component 211 leads in step 444 that from the second server 202 sent consent message to the first client machine 22 further.

5 shows a network component 5 configured for monitoring communication links according to an embodiment of the present invention.

The network component 5 has according to the present embodiment, two network interfaces 55 and 56 on, over which data will be forwarded. The internal network interface 55 is configured to receive all data and information received from a device whose communication from the network component 5 is transmitted to a communications network. Furthermore, the internal network interface 55 configured to communicate to the device any data and information whose communication has been permitted by the network component and which has been communicated to the device via the communication network.

The external network interface 56 is configured to receive all data and information that is sent to the device and its communication from the network component 5 monitored by the communications network. Further, the external network interface 56 configured to transmit all data and information whose communication has been authorized by the network component and which are transmitted from the device into the communication network, in the communication network.

The internal and external network interfaces 55 . 56 can be realized, for example, as Ethernet interfaces. It should be noted that the present invention also provides further possibilities for the realization of the network interfaces 55 . 56 allow. Another example is the implementation as a virtual network interface, whereby the invention described can be realized in a further embodiment as a virtual security appliance.

Furthermore, the network component 5 according to the present embodiment, a filtering and forwarding unit or module 54 on. The filter and forwarding unit or module 54 is configured by the interfaces 55 . 56 received data or information to a decision unit or module 52 forward, which decides or determines the further handling of the received data or information. In particular, the decision unit or module hits 52 their decisions based on the characteristics or criteria of the data or information received, on the basis of classes of compounds and on their compatibility 51 and information 53 to currently active communication connections or their connection classes. The characteristics or criteria of the received data or information are from the filtering and forwarding unit or module 54 determined by analyzing the received data or information and sent to the decision unit or module 52 provided or transmitted.

The decision about further handling of the data to be communicated is shared by the decision unit or module 52 the filter and forwarding unit or module 54 With. The filter and forwarding unit or module 54 is then responsible for resolutely communicating or suppressing the data or information.

Further, the decision unit or module 52 according to the present embodiment also configured to manage information on currently active communication links.

6 shows a network component 5 in a device 6 is included and for monitoring communication links of the device 6 is configured according to an embodiment of the present invention.

According to the present embodiment, the device 6 a calculator. Further, according to the present embodiment, the network component is 5 bound in a network stack to incoming and outgoing messages of the device 6 to filter and forward. The network component 5 is in the apparatus according to the present embodiment 6 that arranges itself between a network interface 63 and an application program 61 provided network API (Application Programming Interface) 62 is placed. The network component 5 is by its filter and forwarding unit or module 54 with the network API 62 and with the network interface 63 connected. As another example, the implementation can be specified here as a virtual network interface, whereby the described invention can also be implemented in a further embodiment as a virtual security appliance.

7 FIG. 10 shows the monitoring of communications according to an embodiment of the present invention. FIG.

The block 700 of the 7 indicates the beginning of the monitoring according to the present embodiment. In step 701 a message is received. In step 702 the connection class of the communication connection is determined via which the in step 702 received message has been communicated or is to communicate. In step 703 it checks which of the network interfaces 55 . 56 received the message. Was the message over the internal network interface 55 receive, so will in step 704 the amount of active compounds or classes of compounds of the active compounds determined by the transmitter. Was the message over the external network interface 56 receive, so will step in 705 determines the amount of active compounds or classes of compounds of the active compounds based on the recipient.

In step 706 is checked if the in step 702 determined class of compound is contained in the set of classes of active compounds.

Is that in step 702 If the determined connection class is not contained in the set of connection classes of the active connections, then in step 707 Checks whether this determined connection class is compatible with the connection classes of Active Connections. If the determined connection class is compatible with the connection classes of the active connections, then this determined connection class becomes in step 709 included in the set of compound classes of the active compounds. In step 710 then the one in step 701 received message forwarded accordingly (eg to the addressee or to a corresponding unit or to a module for appropriate further processing). If the determined connection class is incompatible with the connection classes of the active connections, then according to the present embodiment, the in step 701 received message in step 708 discarded.

Is that in step 702 contained in the set of compound classes of the active compounds, as determined in step 711 an update is made of the set of connection classes of the active connections. In step 710 then the one in step 701 received message forwarded accordingly (eg to the addressee or to a corresponding unit or to a module for appropriate further processing).

In step 712 According to the present embodiment, the monitoring of communications with respect to that in step 701 received message ended.

Although the invention will be explained above with reference to the embodiments according to the accompanying drawings, it is apparent that the invention is not limited to these, but within the The scope of the inventive idea disclosed above and in the appended claims may be modified. It goes without saying that there may be other embodiments which are the principle of the invention and are equivalent, and thus various modifications can be implemented without departing from the scope of the invention. Thus, the modules or units of the respective network units or devices can be designed differently, wherein a module or unit can also perform several functions according to the invention and / or a function according to the invention of several modules or units can be performed. Further, these modules or units may be software and / or hardware units or modules.

Claims (15)

Network component ( 211 . 311 . 5 ) configured to monitor communication links between at least one network device ( 22 . 23 . 31 ) and at least one communication network ( 20 ) and which are for communicating data between the at least one network entity ( 22 . 23 . 31 ) and the at least one communication network ( 20 ), the network component ( 211 . 311 . 5 ) a decision module ( 52 ) that is configured using information ( 17 . 53 ) to currently active communication links to determine whether to allow or suppress a communication connection with a new data communication. Network component according to claim 1, wherein the decision module ( 52 ) is configured to check whether a connection class assigned to the communication connection is compatible with connection classes of the currently active communication connections. Network component according to claim 1 or 2, wherein the decision module ( 52 ) is configured to determine whether the communication link is to be allowed or to be suppressed using at least one rule ( 16 . 51 ), wherein the at least one rule defines whether the communication link is compatible with the currently active communication links. Network component according to claim 2 and 3, wherein when using the at least one rule ( 16 . 51 ), it is checked whether the connection class assigned to the communication connection is compatible with the connection classes of the currently active communication connections. Network component according to at least one of the preceding claims 1 to 4, wherein the decision module ( 52 ) is configured to: - permit the communication connection and suppress such currently active communication connections incompatible with the data communication, if all priorities associated with connection classes of such currently active communication connections are smaller than a priority assigned to a connection class of the communication connection is; and - suppress the communication link if at least one priority associated with a link class of those currently active communication links incompatible with the communication link is greater than the priority associated with the link class of the communication link. Network component according to at least one of the preceding claims 1 to 5, wherein the network component ( 211 . 311 . 5 ) has an assignment module configured to associate each of the communication links with a connection class. The network component of claim 6, wherein the mapping module is configured to assign the communication links to a connection class using criteria ( 14 ) for assigning a communication connection to a connection class. Network component according to at least one of the preceding claims 1 to 6, wherein the suppression a communication connection blocking or terminating the communication connection having. The network component of claim 8, wherein the blocking the communication connection for performed a predetermined time becomes. Network component according to claim 8, wherein the blocking of the communication connection is carried out as long as long as currently active communication links at least one such com communication link is present, which is incompatible with the communication link. Method for monitoring communication links between at least one network device ( 22 . 23 . 31 ) and at least one communication network ( 20 ) and which are for communicating data between the at least one network entity ( 22 . 23 . 31 ) and the at least one communication network ( 20 ), the monitoring of communication links determining ( 12 ), whether a communication connection with a new data communication is to be allowed or to be suppressed, wherein the determining ( 12 ) using information ( 17 . 53 ) is performed to currently active communication links. Computer program product having an encoding which is configured to implement a method according to claim 11. disk, being the disk a computer program product according to claim 12. System that has a network component ( 211 . 311 . 5 ) according to at least one of claims 1 to 10. Contraption ( 21 . 31 . 6 ), which is a network component ( 211 . 311 . 5 ) according to at least one of claims 1 to 10.