The present disclosure relates to appliances capable of providing network security protection, and more particularly, to an appliance which comprises an “IP-free management module” for receiving a management command to configure a network security policy, so as to provide network security protection to a network end-point device as the appliance is connected to the protected network end-point device.
FIG. 1 is a schematic view of a conventional intranet. A user of an external end-point 101 accesses a network connection device 106 of an enterprise in a demilitarized zone (DMZ) 105 through an extranet 103. The network connection device 106 is a device exemplified by a switch, a bridge, or a router and adapted to control the direction of a flow of network packets. A conventional network security device, such as a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS), is disposed in the DMZ 105 and coupled to the network connection device 106.
An intranet resource 107 includes but is not limited to specific appliances or servers. The intranet resource 107 comprises an unlimited number of appliances or servers, or a combination thereof. For example, the intranet resource 107 is a local area network (LAN). An appliance, commonly known as an Internet appliance, has built-in networking capability and a specific function. Unlike a general-purpose computer, the appliance is usually designed for a specific purpose or a specific service to conduct a specific transaction, and thus the appliance features high performance.
The intranet resource 107 is exemplified by a virtual local area network (VLAN). Network engineers in charge of internal resources of enterprises or organizations can perform logical grouping of apparatuses in different physical LANs by VLAN technology, so as to provide full information security protection.
Moreover, to ensure internal data security, enterprises or organizations rely upon a virtual private network (VPN) and thus install a VPN server in the DMZ 105 to enable the user to access internal resources from outside through a network connection. The VPN server is coupled to the network connection device 106. The user of the external end-point 101 logs in to the VPN server. After being authenticated and authorized, the user of the external end-point 101 is connected to the network connection device 106 through the VPN. In some embodiments, the VPN server is not necessary; in other words, the user of the external end-point 101 may connect to the network connection device 106 and the intranet resource 107 without a VPN. Other hardware and software components (not shown), such as an additional computer system, a router, and a firewall, are disposed in the extranet 103 between the VPN server (or the network connection device 106) and the external end-point 101.
Furthermore, to ensure internal data security, enterprises or organizations configure network security policies on the end-points in their intranet by deploying security devices, including a firewall, antivirus software, an intrusion detection system (IDS), and an intrusion prevention system (IPS), so as to ensure Web-based communication security. The end-points in the intranet are each a host computer (such as a router, a workstation, or a server) or a data circuit-terminating equipment (DCE) (such as a bridge or a switch).
To provide a network security policy to an end-point, a software agent, i.e., an end-point management agent, must be installed at the end-point. However, a software agent may present a number of challenges, such as:
1. A software agent is usually operating-system-dependent (OS-dependent) and thus difficult for a user to install. Furthermore, a software agent seldom supports a wide range of operating systems (OSs), for example, Solaris or a custom-built embedded Linux core (such as a Linux TV box).
2. A software agent may be susceptible to malware infection.
3. A software agent can be stopped manually by a user.
4. A software agent can take up too many system resources, such as CPU and memory.
A hardware security protection device is the alternative to a software agent for providing a network security policy to an end-point. Examples of a hardware security protection device include a router, an intrusion prevention system (IPS), and a residential gateway. However, a hardware security protection device is usually a router-level device and thus requires an additional IP address for its own management.