As is known, the services supported by next-generation user terminal equipment, such as personal digital assistants, smart phones or laptops connected to wireless local area networks (WLAN), allow users to access high value-added content in the network and also to exchange sensitive information in commercial transactions and in many other applications now accessible to mobile users.
These enhanced functionalities require a careful consideration of security aspects for protecting both the terminal equipment and the communication channel. This protection has to be provided by means of the elements usually available in the terminal equipment, i.e. the terminal equipment itself, an integrated circuit card, such as the subscriber identity module (SIM) card, and a memory card, such as a multimedia card or a secure digital™ card.
Several examples exist of integration of functionalities supported partly on the terminal equipment and partly on the integrated circuit card for implementing security applications, such as virtual private networks based on various technologies and protection of end-to-end communications by security session layer protocol. These methods allow secrecy by the encryption of exchanged data and the authentication of the counterparts, besides that of the data itself.
EP-A-1 094 682 discloses a mobile phone incorporating security firmware and a method for transmitting data packets in a communication system including a remote host (laptop, stand-alone computer, or personal digital assistant), an independent access unit, and a receiving computer acting as a security gateway to an Intranet, wherein security firmware, in the form of IPsec (IP security protocol) or software, is located inside the independent access unit, and the independent access unit is used as a security gateway between the remote host and the Intranet in order to secure the communication with the remote host when that communication is performed over the Internet. The communication between the independent access unit and the remote host is performed by means of a wireless connection, and the client private information required for client authentication is stored in a personal tamperproof storage in the form of a SIM card/smart card, and used in combination with the independent access unit acting as a security gateway upon establishment of an IPsec tunnel. The solution of moving the security function to the mobile telephone or the independent access unit, preferably a wireless independent access unit, where a lightweight security gateway or firewall is implemented, enables a user to borrow any remote host in order to access the Intranet by means of a mobile communication network or a fixed network, e.g. PSTN. In this way, an employee staying away from his ordinary office may, by means of a personal independent access unit functioning as a security gateway, communicate with the protected Intranet of his employer.
WO-A-03/065181 discloses a method for controlling the use of digital contents by means of a security module or a chipcard comprising the security module, wherein any use of digital content is protected by an initial verification, before any access, of two types of authorization: the authorization of the user himself and the authorization associated with the digital content. The authorizations are stored on a security module provided for authorized users and controlled by the user security module. At least a private section of a digital content is stored in the security module and transmitted to the terminal after authorization. The solution disclosed in this document finds application in the field of electronic commerce, essentially concerning the management of digital authorizations for the use of digital contents.
However, the support of virtual private networks does not protect from attacks directed against the terminal equipment that exploit code downloads during web surfing and result in uncontrolled storage or even execution of malicious code. The use of an embedded firewall proves to be a strong prevention against dangerous user behaviour and external attacks. The firewall must be stateful and able to track the terminal equipment's activities over time.
In order to ensure the effectiveness of a firewall protection, security policies should be configured and updated to protect data from unauthorized access and to minimize the user's vulnerability to attacks from shared networks.
Key firewall features are:
- rule-based packet filtering to provide an easily configurable system for multiple levels of protection against attacks;
- automatic security policy download and update to make security transparent to the user;
- an easy-to-use application to define security policies and deploy security rules to the user terminal equipment;
- scalable collection, consolidation, and reporting of security logs;
- fine-grained security controls to enable protection against specific types of attacks;
- device-level integrity monitoring to detect intentional tampering, accidental modifications and introduction of malicious code that could alter system files, file attributes, or registry entries.
Moreover, the security level provided by a firewall can be further improved by adding:
- an antivirus to detect malicious code/files with dangerous content to be stored and/or run on the user terminal;
- an intrusion detection system to protect the user terminal against complex attacks.
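The stateful, rule-based packet filtering described above, as an added illustration that is not part of the patent text: a small filter whose rules govern only flows opened by the terminal, with inbound packets accepted solely when they belong to a tracked flow that has not gone idle. The packet format, the rule tuples and the trace (RFC 5737 documentation addresses) are constructed for this example.

```python
from collections import namedtuple

# Constructed packet summary: direction as seen from the terminal ("out"/"in"),
# transport protocol, 5-tuple endpoints, and whether it opens a new connection.
Packet = namedtuple("Packet", "direction proto src sport dst dport syn")


class StatefulFilter:
    """Rule-based filter with a connection table (the 'stateful' property)."""

    def __init__(self, rules, idle_timeout=60):
        self.rules = rules            # list of (proto, dport or "*", action); first match wins
        self.idle_timeout = idle_timeout
        self.flows = {}               # flow key -> timestamp of the last packet seen

    def _key(self, pkt):
        # Both directions of one flow map to the same key (terminal side first).
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now):
        # Tracking activity over time: forget flows that have been idle too long.
        for key in [k for k, t in self.flows.items() if now - t > self.idle_timeout]:
            del self.flows[key]

    def decide(self, pkt, now):
        """Return 'ALLOW' or 'DROP' for one packet observed at time `now` (seconds)."""
        self._expire(now)
        key = self._key(pkt)
        if key in self.flows:         # belongs to a flow the terminal opened: refresh and pass
            self.flows[key] = now
            return "ALLOW"
        if pkt.direction == "out" and pkt.syn:   # only the terminal may open flows
            for proto, dport, action in self.rules:
                if proto == pkt.proto and dport in ("*", pkt.dport):
                    if action == "ALLOW":
                        self.flows[key] = now
                    return action
        return "DROP"                 # unsolicited inbound traffic and unmatched outbound opens


def run_demo():
    """Constructed trace: HTTPS open, its reply, an unsolicited inbound probe,
    a telnet open blocked by rule, and a reply arriving after the flow expired."""
    f = StatefulFilter([("tcp", 443, "ALLOW"), ("tcp", 23, "DROP"), ("udp", 53, "ALLOW")])
    trace = [
        (0,   Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.7", 443, True)),
        (1,   Packet("in",  "tcp", "203.0.113.7", 443, "10.0.0.5", 40000, False)),
        (2,   Packet("in",  "tcp", "198.51.100.9", 5555, "10.0.0.5", 445, True)),
        (3,   Packet("out", "tcp", "10.0.0.5", 40001, "203.0.113.7", 23, True)),
        (100, Packet("in",  "tcp", "203.0.113.7", 443, "10.0.0.5", 40000, False)),
    ]
    return [f.decide(p, t) for t, p in trace]
```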
Implementing the above-described functionalities requires the availability of enough memory and computational power in the user terminal equipment. For instance, in a common approach, when encryption is needed the central processing unit of the terminal equipment fetches the user's certificates and secret keys stored on the integrated circuit card, and performs the intensive computation based upon them. In a mobile terminal equipment, however, memory and cycles of the central processing unit are precious resources, and adding the security functionalities just described to the system can spoil the performance of the network services accessed by the user. In order to make it attractive for mobile applications, a strong requirement for a security technology is therefore to overcome these drawbacks, that is, to be light enough not to impact the performance of the system for other functions. In fact, having a security engine (including firewall, antivirus, and intrusion detection system functionalities) inside a user terminal equipment brings requirements in terms of how to manage it in a secure, automatic and easy way: finding a suitable mechanism to do this remotely becomes essential so that the security tools do not become a burden for the user. These tools should therefore require very little effort and expertise from the user, and, on the other hand, it should be possible for a service provider or a corporate service manager to manage the security remotely in a guaranteed and controlled manner, offering turn-key solutions. Moreover, the configuration data can include sensitive information, such as personal encryption keys, passwords, etc., and storing them in a safe location becomes a stronger requirement as the spectrum and range of the accessible applications become wider, in order to protect both the user and the provider or corporate network. Protection against the theft of the user terminal is therefore a relevant issue as well.