Field of the Invention
The present invention is related to a method of interpreting a rule and a rule-interpreting apparatus for a rule-based security apparatus.
Description of the Prior Art
FIG. 1 shows a schematic diagram of a common conventional enterprise network. A user at an external endpoint 101 accesses, via an external network 103, a network connecting device 106 serving as a demilitarized zone (DMZ) 105 in an enterprise. The network connecting device 106 may be a device capable of controlling the direction in which network packets are forwarded, such as a switch, a bridge or a router. A common network rule-based security apparatus (e.g., a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS)) may also be set up in the DMZ 105 and coupled with the network connecting device 106. For example, the network connecting device 106 may be a Cisco Catalyst 3550 Series Switch manufactured by Cisco. An internal network resource 107 may be any information appliance or server, and may include any number of information appliances and/or servers; for example, the internal network resource 107 may represent a local area network (LAN). An information appliance, also commonly known as an Internet appliance, is a device with built-in network capabilities and a specific function. Compared to a general-purpose computer device, an information appliance offers higher performance because it is designed around a specific goal or service for performing a specific transaction.
The internal network resource 107 may be a virtual local area network (VLAN). For internal resources within an enterprise or organization, the VLAN technique allows a network administrator to group appliances located in different physical local networks logically, providing more comprehensive information security and protection.
Further, in a common enterprise or organization, to ensure the security of internal information, a virtual private network (VPN) is adopted by providing a VPN server in the DMZ 105 so that a user can access internal resources via an external connection. Such an approach is described in the technical document “WebSphere Everyplace Connection Manager: increasing mobile security, reducing wireless costs” published on the Applicant's official website. The VPN server is coupled to the network connecting device 106. A user at the external endpoint 101, having been verified and authorized after logging in to the VPN server, may connect to the network connecting device 106 via the VPN. It should be noted that, in some embodiments, the VPN server is optional. That is to say, a VPN is not necessary for the user at the external endpoint 101 to connect to the network connecting device 106 and the internal network resource 107. Further, although not depicted, associated hardware and software components (e.g., additional computer systems, routers and firewalls) may be included in the external network 103 between the VPN server (or the network connecting device 106) and the external endpoint 101.
Further related information can be found in the technical documents “IBM SmartCloud Enterprise tip: Build multiple VPNs and VLANs: VPN and VLAN features and capabilities in IBM SmartCloud Enterprise 2.0” and “IBM SmartCloud Enterprise tip: Span virtual local area networks Provision and configure an instance that spans a public and private VLAN” published by Andrew Jones et al. on the Applicant's official website.
In an enterprise or organization, to ensure the security of internal information, a network rule-based security apparatus, such as a firewall, anti-virus software, an IDS or an IPS, is also provided to guard against network threats and to ensure network communication security. The rule-based security apparatus includes a set of rules for determining whether received traffic is suspicious. Upon detecting suspicious traffic, the rule-based security apparatus adopts protection measures, such as blocking the packet, declining the connection or generating a warning.
The reliability of the rule-based security apparatus depends on the network administrator maintaining appropriate rule sets and configurations, which demands thorough and in-depth knowledge of network threats, network protocols and network application traffic analysis. For example, to block a packet of a messaging application, the network protocol and data contents of the corresponding traffic are analyzed to generate a rule that is then applied to the rule-based security apparatus. This process is usually carried out manually and is an extremely time-consuming challenge for network security professionals. As the diversity of network applications and the number of network threats grow at an exponential rate, the rules of a rule-based security apparatus are becoming more and more complicated, so that establishing an appropriate rule also becomes more and more time-consuming.
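The rule set, the match test and the protection measures described above, written out as an added illustration (this is not code from the patent or from any product it names). The rule fields, the sample packets and the messaging-application payload signature are constructed for the example; the signature stands in for what an administrator would derive by analyzing the application's protocol, which is the manual step the text describes.

```python
"""Minimal rule-based packet filter: each rule names the protocol, port,
destination and payload content it matches, plus the protection measure
taken on a match. Constructed example, not the patent's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    action: str                        # "block", "decline" or "alert"
    proto: Optional[str] = None        # None acts as a wildcard
    dport: Optional[int] = None
    dst_prefix: Optional[str] = None   # e.g. "10.0." for the internal LAN
    payload_contains: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field that is set must match; unset fields match anything.
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst_prefix is not None and not pkt.dst.startswith(self.dst_prefix):
            return False
        if self.payload_contains is not None and self.payload_contains not in pkt.payload:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule decides; a packet matching no rule is allowed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "allow", None


# Constructed rule set. The chat signature is a hypothetical handshake string
# chosen for the example; the port and prefix values are likewise constructed.
RULES = [
    Rule("block-chat-app", "block", proto="tcp", dport=5222,
         payload_contains=b"<stream:stream"),
    Rule("decline-telnet", "decline", proto="tcp", dport=23, dst_prefix="10.0."),
    Rule("alert-dns-to-lan", "alert", proto="udp", dport=53, dst_prefix="10.0."),
]

# Constructed sample traffic entering the DMZ from the external network.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.0.0.5", "tcp", 5222, b"<stream:stream to='example'>"),
    Packet("203.0.113.7", "10.0.0.5", "tcp", 5222, b"GET / HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.7", "tcp", 23, b"\xff\xfd\x18"),
    Packet("203.0.113.9", "10.0.0.2", "udp", 53, b"\x12\x34\x01\x00"),
    Packet("203.0.113.9", "198.51.100.2", "udp", 53, b"\x12\x34\x01\x00"),
    Packet("203.0.113.9", "10.0.0.9", "tcp", 443, b"\x16\x03\x01"),
]


def run(rules: List[Rule] = RULES, packets: List[Packet] = SAMPLE_PACKETS):
    """Apply the rule set to each packet and return the decisions in order."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, name) in zip(SAMPLE_PACKETS, run()):
        print(f"{pkt.proto}/{pkt.dport} -> {pkt.dst}: {action} ({name})")
```

The second sample packet shows why the text calls for analyzing data contents as well as the protocol: it uses the same port as the chat application but carries a different payload, so a port-only rule would either miss the application or block unrelated traffic. Rule order also matters, since the first match wins and anything unmatched is allowed by default.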
Therefore, it is beneficial to provide a network administrator with a solution that avoids the complexities of conventional network management.