A virtual firewall system is a firewall system that extends the virtual firewall to additional protocols, thereby improving the security functions of a system that supports Internet protocol version 4 (IPv4) and Internet protocol version 6 (IPv6).
Security applications that support a dual stack, in which IPv4 and IPv6 are used at the same time, are gradually increasing in number.
In general, a virtual firewall system is suited to security application environments that use a firewall together with a tunneling protocol (e.g., IPSec, L2TP, PPTP, GRE or IP-in-IP) and the like at the same time.
The concept of a virtual firewall has previously been introduced in some commercial firewall systems. A virtual firewall allows one system to be divided into several firewall environments, and serves a function similar to that of a virtual router in a routing protocol.
Although the original virtual firewall concept is flexible, the separate policy defined by each virtual firewall may confuse users.
Complexity also increases when a function such as a tunneling protocol, which is itself complicated and not directly related to the virtual firewall, is added.
In many cases, a user has no choice but to use the virtual firewall in order to support tunneling protocols that are intricately entangled with one another in actual environments.
According to the prior-art security technologies described above, a conventional firewall and a tunneling protocol may be separated from each other and operated as independent modules. Alternatively, the functions of the conventional firewall and the tunneling protocol may be processed in one virtual firewall, defined according to its features, so that a plurality of virtual firewalls can be set up according to the required applications.
In the prior art, however, the conventional firewall is conceptually separate from the tunneling protocol: the firewall is processed first, the tunneling protocol is then called to perform the tunneling process, and the firewall is processed again on the result, in order to process the tunneling protocol efficiently.
Because the conventional firewall holds no information about tunneling, it has to call the tunneling protocol module for every packet merely to determine whether tunneling is necessary for that packet, which degrades its performance.
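The separated-module flow described above (firewall, then a call to the tunneling module, then the firewall again on the decapsulated packet) is modelled below. This is an added illustration, not code from the original document or from any product it describes; the packet fields, rule format, tunnel table and sample packets are assumptions made for the example. It shows two points the text makes: the tunneling module is consulted for every packet that passes the first filter, tunnelled or not, and a packet whose outer header is acceptable can still be dropped on the second pass when its inner header violates policy.

```python
"""Model of the prior-art 'separated modules' flow: filter the outer header,
ask the tunneling module whether the packet is a tunnel, filter the inner
packet again.  Added example; packet layout, rule format and tunnel table
are assumptions for illustration, not taken from the original document."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "esp", "gre", ...
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # encapsulated packet, if tunnelled


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Stateless first-match filter; unmatched packets are dropped."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules

    def filter(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop"


class TunnelModule:
    """Separate module holding the tunnel table.  The firewall keeps no
    tunnel state, so it must call needs_decap() for every packet."""

    def __init__(self, tunnels: dict[tuple[str, str, str], str]):
        self.tunnels = tunnels
        self.lookups = 0              # number of calls made by the firewall

    def needs_decap(self, p: Packet) -> bool:
        self.lookups += 1
        return (p.src, p.dst, p.proto) in self.tunnels

    def decapsulate(self, p: Packet) -> Packet:
        if p.inner is None:
            raise ValueError("tunnel packet carries no payload")
        return p.inner


def process(fw: Firewall, tun: TunnelModule, p: Packet) -> tuple[str, list[str]]:
    """Prior-art sequence: firewall -> tunnel module -> firewall again.
    Returns (verdict, trace of the steps taken)."""
    trace = []
    verdict = fw.filter(p)                       # pass 1: outer header
    trace.append(f"outer {p.proto}->{p.dst}: {verdict}")
    if verdict != "accept":
        return verdict, trace
    if not tun.needs_decap(p):                   # module call for every packet
        trace.append("not a tunnel")
        return verdict, trace
    inner = tun.decapsulate(p)
    verdict = fw.filter(inner)                   # pass 2: inner header
    trace.append(f"inner {inner.proto}/{inner.dport}->{inner.dst}: {verdict}")
    return verdict, trace


def run_demo() -> dict:
    """Constructed sample policy and traffic (assumed addresses)."""
    fw = Firewall([
        Rule("accept", proto="esp", dst="10.0.0.1"),          # tunnel endpoint
        Rule("accept", proto="tcp", dst="10.0.0.5", dport=443),
    ])
    tun = TunnelModule({("203.0.113.7", "10.0.0.1", "esp"): "site-b"})
    https = Packet("198.51.100.9", "10.0.0.5", "tcp", 443)
    via_tunnel_ok = Packet("203.0.113.7", "10.0.0.1", "esp",
                           inner=Packet("192.168.2.4", "10.0.0.5", "tcp", 443))
    via_tunnel_bad = Packet("203.0.113.7", "10.0.0.1", "esp",
                            inner=Packet("192.168.2.4", "10.0.0.5", "tcp", 23))
    dns = Packet("198.51.100.9", "10.0.0.5", "udp", 53)
    verdicts = [process(fw, tun, p)[0]
                for p in (https, via_tunnel_ok, via_tunnel_bad, dns)]
    return {"verdicts": verdicts, "lookups": tun.lookups}


if __name__ == "__main__":
    print(run_demo())   # {'verdicts': ['accept', 'accept', 'drop', 'drop'], 'lookups': 3}
```

The plain HTTPS packet still costs a tunnel-table lookup even though it is not tunnelled, which is the per-packet overhead the text attributes to the separated design; the second ESP packet passes the outer filter but is dropped once its inner telnet header is filtered on the second pass.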
To address this problem, an approach of processing the firewall and tunneling protocol functions in a single module, in which a virtual firewall and a tunneling protocol coexist, was proposed, as shown in FIG. 1.
However, processing the firewall and tunneling protocol functions in one module requires equipment settings for the tunneling protocol to be made even when no virtual firewall is needed, and requires all policies of the tunneling protocol to be set in each virtual firewall. Furthermore, when a change is required, the tunneling protocol policies of all the virtual firewalls have to be changed.