Data filtering is generally provided by data processing servers equipped with a processing device called a firewall. A firewall is usually intended to protect private (or internal) local area networks (LAN) and isolated user terminals from external attack or intrusion, generally originating from a public (or external) wide area network (WAN), such as the Internet. It may also be used to restrict access by users of a private network to a public network and/or to protect the server from the internal and external networks.
The firewall must be configured to provide at least one of the above-mentioned functions, or in other words to be able to filter packets of data received by the server in which it is installed. Primary (or elementary) rules defining filters are generally used for this purpose. Configuring the firewall therefore consists in applying to it an ordered series (in the mathematical sense of the term) of active filters. When a packet of data is received, its characteristics are compared to those of the filters of the ordered series, and only packets having characteristics compatible with those of the filters are allowed to pass.
Configuring a firewall is a difficult operation that is carried out manually by the administrator of the network to which it belongs. Because of this static manual intervention, the resulting configuration may be functionally correct but unsuitable or suboptimal. It may even be erroneous. In all those cases, the performance of the server is generally degraded.
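The ordered evaluation and the configuration faults described in the two paragraphs above can be illustrated with the following added example, which is not part of the original text. It assumes first-match semantics with allow/deny actions and a default deny, which the text does not specify; the filter names, addresses and ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Filter:
    name: str
    src: str      # source network, CIDR notation
    lo: int       # lowest destination port matched
    hi: int       # highest destination port matched
    action: str   # "allow" or "deny" (assumed model)

    def matches(self, src_ip, dport):
        return ip_address(src_ip) in ip_network(self.src) and self.lo <= dport <= self.hi

    def covers(self, other):
        # True when every packet matching `other` also matches this filter.
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and self.lo <= other.lo and other.hi <= self.hi)

def evaluate(filters, src_ip, dport):
    # Walk the ordered series; the first matching filter decides (assumption).
    for f in filters:
        if f.matches(src_ip, dport):
            return f.action, f.name
    return "deny", None  # nothing matched: default deny (assumption)

def shadowed(filters):
    # Report filters that can never fire because one earlier filter covers them.
    # The third field is True when the two actions conflict (an erroneous
    # configuration) and False when the later filter is merely redundant.
    found = []
    for i, f in enumerate(filters):
        for earlier in filters[:i]:
            if earlier.covers(f):
                found.append((f.name, earlier.name, earlier.action != f.action))
                break
    return found

# Constructed sample configuration (private address space, not from the page).
RULES = [
    Filter("lan-web", "10.0.0.0/8", 80, 443, "allow"),
    Filter("block-guest", "10.9.0.0/16", 443, 443, "deny"),   # never reached
    Filter("lan-web-dup", "10.1.0.0/16", 80, 80, "allow"),    # redundant
    Filter("admin-ssh", "10.0.5.0/24", 22, 22, "allow"),
]
# Corrected order: the narrower deny precedes the broad allow.
FIXED = [RULES[1], RULES[0], RULES[3]]

if __name__ == "__main__":
    print(evaluate(RULES, "10.9.1.1", 443), evaluate(FIXED, "10.9.1.1", 443))
    print(shadowed(RULES), shadowed(FIXED))
```

The shadow check only detects a filter covered by a single earlier filter; a filter covered by the union of several earlier filters would need a fuller analysis.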
As networks evolve frequently, firewalls must be reconfigured regularly, which not only increases the risk of error or unsuitability but also takes up a great deal of the network administrator's time.
Thus one object of the invention is to overcome some or all of the above-mentioned drawbacks by proposing a firewall filter management device taking account in real time of modifications and evolutions of the parameters of the network or the services offered by the network, as well as of unpredictable events.
To this end, the invention proposes a data processing device adapted to be installed in a data processing server adapted to receive primary data (or data packets) and to transmit said primary data after application of dedicated processing based on primary rules by control means of the firewall type.