In recent years, as the number of Internet users has grown, more and more service applications based on IP (Internet Protocol) networks have emerged. IP technologies have become the mainstream technologies for building network applications, but their inherent simplicity and openness have not changed substantially, which leaves latent network security risks. This matters especially for enterprise users: because of these risks, business secrets transported over the Internet can be left without any protection against malicious attacks by hackers, and the problem is more serious still for financial enterprise users such as banks, insurance businesses and securities businesses.
Ensuring the security of data transport has therefore become an urgent problem for enterprises. At present, the common method of keeping a user's internal network (Cell, Intranet) free from attacks from the external network is to place a firewall at the egress of the internal network, isolating the internal network from the external network. However, when this method is applied to video communication (especially multi-point video communication), many ports need to be opened on the firewall and the internal network needs to communicate with multiple outside nodes (insecure nodes). The isolation function of the firewall is thereby degraded, and the risk of the internal network being attacked increases accordingly.
To overcome these risks in video communication, the following technical scheme is generally adopted in the prior art:
FIG. 1 shows a firewall security system of the prior art, in which a firewall 30 is arranged between the internal network 10 and the external network 20, and network proxies 41 and 42 are arranged inside and outside the firewall 30 respectively. All video streams from the internal network 10 to the external network 20 pass through the network proxy 41 first. After multiplexing the streams and the signaling, the network proxy 41 transmits them to the network proxy 42 outside the firewall 30, which de-multiplexes the received streams and transmits them to the corresponding nodes. Similarly, the streams and the signaling from the external network 20 pass through the network proxy 42 first, and after multiplexing them, the network proxy 42 transmits them to the network proxy 41. However, the system of the prior art has some disadvantages:
1. Since the transport procedure involves both the multiplexing and the de-multiplexing of the streams, it requires a procedure of mixing the data from multiple nodes and inserting identifiers into the mixed data, as well as a procedure of separating the multiplexed data into the data of the respective nodes according to the identifiers. These procedures take time, which increases the processing delay and greatly affects services with high real-time demands, such as video communication. In addition, the data pass through the network proxies 41 and 42, which also increases the delay.
2. Two network proxies 41 and 42 are introduced in the system, which greatly increases the cost of the whole system.
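The multiplexing and de-multiplexing by identifier described above for network proxies 41 and 42 can be illustrated as follows. This is an added example, not code from the original document; the 5-byte frame header (node identifier, kind, length), the function names and the sample packets are assumptions made for illustration.

```python
import struct

# Hypothetical frame header (an assumption, not from the source document):
# 2-byte node identifier, 1-byte kind, 2-byte payload length, network byte order.
HEADER = struct.Struct("!HBH")
SIGNALING, MEDIA = 0, 1

def multiplex(packets):
    """Proxy 41 side: tag each (node_id, kind, payload) and merge into one stream."""
    out = bytearray()
    for node_id, kind, payload in packets:
        if len(payload) > 0xFFFF:
            raise ValueError("payload too large for 16-bit length field")
        out += HEADER.pack(node_id, kind, len(payload)) + payload
    return bytes(out)

def demultiplex(stream, known_nodes):
    """Proxy 42 side: split the stream per node; drop frames with unknown tags."""
    per_node = {n: [] for n in known_nodes}
    dropped, offset = 0, 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError("truncated header")
        node_id, kind, length = HEADER.unpack_from(stream, offset)
        offset += HEADER.size
        if len(stream) - offset < length:
            raise ValueError("truncated payload")
        payload = stream[offset:offset + length]
        offset += length
        if node_id in per_node and kind in (SIGNALING, MEDIA):
            per_node[node_id].append((kind, payload))
        else:
            dropped += 1  # identifier not provisioned on this proxy
    return per_node, dropped

def demo():
    # Constructed sample traffic: two provisioned terminals (1, 2) and one stray (9).
    packets = [
        (1, SIGNALING, b"SETUP"),
        (2, MEDIA, b"\x00\x01frame"),
        (1, MEDIA, b"frameA"),
        (9, MEDIA, b"stray"),
    ]
    return demultiplex(multiplex(packets), known_nodes={1, 2})
```

Every frame pays the 5-byte header plus a pack and an unpack step at each proxy, which is the per-packet processing cost that disadvantage 1 refers to.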