US 12,218,913 B2
System and method for securing protected host
Ting Huang Chen, Keelung (TW); and Po Shao Wu, New Taipei (TW)
Assigned to TRUSTONE SECURITY INC., Taipei (TW)
Filed by TrustONE Security Inc., Taipei (TW)
Filed on Jan. 9, 2023, as Appl. No. 18/151,759.
Claims priority of application No. 111100998 (TW), filed on Jan. 10, 2022.
Prior Publication US 2023/0224276 A1, Jul. 13, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0263 (2013.01) [H04L 63/0236 (2013.01); H04L 63/0435 (2013.01); H04L 63/0823 (2013.01)] 10 Claims
OG exemplary drawing
 
1. A system for securing a protected host, comprising:
a terminal data processing apparatus, comprising:
a first communicating device; and
at least one first processor, being electrically connected to the first communicating device and functioning in executing a first operating system, the first operating system comprising:
an authentication module;
a secure process launcher, coupled to the authentication module;
a network filtering module, coupled to the secure process launcher;
a secure process authenticating module, coupled to the network filtering module;
a first storage module, being coupled to the secure process authenticating module and therein storing a plurality of verification rules, a plurality of first characteristics and a plurality of first redirection rules, wherein each verification rule corresponds to at least one of the plurality of first characteristics;
a packet encrypting module, coupled to the network filtering module;
a second storage module, coupled to the packet encrypting module; and
a first network driver, respectively coupled to the network filtering module and the first communicating device; and
a secure channel server, linking to the terminal data processing apparatus via a first network and linking to the protected host via a second network, the secure channel server comprising:
a second communicating device; and
at least one second processor, being electrically connected to the second communicating device and functioning in executing a second operating system, the second operating system comprising:
a second network driver, coupled to the second communicating device;
a packet analyzing module, coupled to the second network driver;
a certificate authenticating module, being coupled to the packet analyzing module and issuing a certificate, wherein the certificate is previously stored in the second storage module; and
a third storage module, being coupled to the packet analyzing module and therein storing a plurality of second redirection rules;
wherein the authentication module receives and authenticates at least one authentication data, if an authentication result authenticated by the authentication module according to the at least one authentication data is positive, the secure process launcher is executed,
when the secure process launcher is executed and the at least one first processor executes an application process to link to the secure channel server, the application process is coupled to the network filtering module,
the network filtering module retrieves N second characteristics relative to the application process, N is a natural number,
the secure process authenticating module judges whether the application process is a secure process according to the plurality of verification rules, the plurality of first characteristics and the N second characteristics, if the judgment result of the secure process authenticating module is positive, the secure process authenticating module selects a selected first redirection rule corresponding to the application process from the plurality of first redirection rules, and the network packet encrypting module with the certificate encrypts a plurality of first packets relative to the application process into a plurality of encrypted first packets,
the network filtering module, according to the selected first redirection rule, redirects the plurality of encrypted first packets to the second communicating device via the first network driver, the first communicating device and the first network,
the packet analyzing module receives a plurality of second packets transmitted over the first network through the second communicating device and the second network driver,
the packet analyzing module analyzes the plurality of second packets to obtain an analysis information, and the certificate authenticating module selectively with the certificate decrypts the plurality of second packets into a plurality of decrypted second packets according to the analysis information, the packet analyzing module selects a selected second redirection rule from the plurality of second redirection rules according to the analysis information, the packet analyzing module, according to the selected second redirection rule, selectively redirects the plurality of decrypted second packets or the plurality of second packets to the protected host via the second network driver, the second communicating device and the second network.
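The following Python model is an added illustration of the data flow recited in claim 1; it is not the patentee's implementation and is not code from the patent. It walks the terminal side (authentication gate, secure process launcher, retrieval of the N second characteristics, verification against the stored rules and first characteristics, selection of a first redirection rule, packet encryption) and the server side (packet analysis, selective decryption with the certificate, selection of a second redirection rule, forwarding toward the protected host). Everything concrete is an assumption: the certificate is modeled as a 32-byte shared key rather than an X.509 certificate, the frame format with the `SCH1` marker is invented so the packet analyzing module has something to analyze, the process characteristics, rule identifiers and host names are constructed sample values, and the choice to forward nothing for a non-secure process and to drop frames whose authentication tag fails is the example's own, since the claim does not specify those cases.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: the "certificate" stored in the second storage module is modeled as a
# shared secret known to both the terminal and the secure channel server. Fixed,
# non-secret value so the example is deterministic; not a real credential.
CERTIFICATE_KEY = bytes.fromhex("00" * 32)
MAGIC = b"SCH1"  # constructed framing marker that identifies an encrypted secure-channel frame


@dataclass(frozen=True)
class Process:
    """An application process as seen by the network filtering module (constructed)."""
    name: str
    path: str
    image_sha256: str
    signer: str


# First storage module contents (constructed sample values).
FIRST_CHARACTERISTICS = {
    "path": "/opt/secure-client/bin/client",
    "image_sha256": "4f6f" * 16,  # constructed digest, not a real hash
    "signer": "Example Vendor",
}
# Each verification rule corresponds to at least one first characteristic.
VERIFICATION_RULES = [
    {"id": "rule-path-hash", "requires": ("path", "image_sha256")},
    {"id": "rule-signer", "requires": ("signer",)},
]
FIRST_REDIRECTION_RULES = {"secure-client": ("secure-channel-server.example", 8443)}

# Third storage module contents (constructed): second redirection rules keyed by analysis result.
SECOND_REDIRECTION_RULES = {
    "encrypted": ("protected-host.internal", 443),
    "plain": ("protected-host.internal", 80),
}


def retrieve_second_characteristics(proc):
    """Network filtering module: the N second characteristics of the running process."""
    return {"path": proc.path, "image_sha256": proc.image_sha256, "signer": proc.signer}


def is_secure_process(second, rules=VERIFICATION_RULES, first=FIRST_CHARACTERISTICS):
    """Secure process authenticating module: every rule's required characteristics must match."""
    return all(all(second.get(k) == first.get(k) for k in rule["requires"]) for rule in rules)


def _keystream(key, nonce, length):
    # Toy keystream derived with HMAC-SHA256 in counter mode (example construction only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_packet(plaintext, key=CERTIFICATE_KEY, nonce=None):
    """Packet encrypting module: encrypt-then-MAC frame MAGIC | nonce | ciphertext | tag."""
    nonce = os.urandom(12) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, MAGIC + nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + ct + tag


def decrypt_packet(frame, key=CERTIFICATE_KEY):
    """Certificate authenticating module: verify the tag, then recover the plaintext."""
    nonce, ct, tag = frame[4:16], frame[16:-32], frame[-32:]
    expected = hmac.new(key, MAGIC + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def terminal_send(proc, packets, authenticated):
    """Terminal side of the claim. Returns (redirection target, encrypted frames) or None."""
    if not authenticated:
        return None  # negative authentication result: the secure process launcher is not executed
    second = retrieve_second_characteristics(proc)
    if not is_secure_process(second):
        return None  # assumption: a non-secure process gets no secure-channel redirection
    target = FIRST_REDIRECTION_RULES[proc.name]  # selected first redirection rule
    return target, [encrypt_packet(p) for p in packets]


def analyze_packet(frame):
    """Packet analyzing module: analysis information is whether the frame is encrypted."""
    return {"encrypted": frame.startswith(MAGIC) and len(frame) >= 4 + 12 + 32}


def server_forward(frames, key=CERTIFICATE_KEY):
    """Server side of the claim. Returns (second redirection rule, payload) per forwarded packet."""
    forwarded = []
    for frame in frames:
        if analyze_packet(frame)["encrypted"]:
            try:
                payload = decrypt_packet(frame, key)
            except ValueError:
                continue  # assumption: frames failing authentication are dropped, not forwarded
            rule = SECOND_REDIRECTION_RULES["encrypted"]
        else:
            payload, rule = frame, SECOND_REDIRECTION_RULES["plain"]
        forwarded.append((rule, payload))
    return forwarded


if __name__ == "__main__":
    proc = Process("secure-client", FIRST_CHARACTERISTICS["path"],
                   FIRST_CHARACTERISTICS["image_sha256"], FIRST_CHARACTERISTICS["signer"])
    target, frames = terminal_send(proc, [b"GET / HTTP/1.1\r\n"], authenticated=True)
    print(target, server_forward(frames))
```

The model keeps the two decision points of the claim separate: the terminal never encrypts or redirects unless both the user authentication and the process verification succeed, and the server decides per packet, from its own analysis, whether to decrypt before applying a second redirection rule.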