
CN106230771A - Industrial control system industrial fireproof wall based on polycaryon processor - Google Patents


Info

Publication number
CN106230771A
Authority
CN
China
Prior art keywords
message
industrial control
firewall
industrial
processing
Legal status
Pending
Application number
CN201610527354.0A
Other languages
Chinese (zh)
Inventor
俞海国
刘文泉
马先
张洪平
张海宁
刘世良
苏生平
尚西元
李楠芳
刘忠魁
赵明明
林亮成
任凤伟
王迎鹤
Current Assignee
Middle Electricity Runs (beijing) Information Technology Co Ltd
State Grid Qinghai Electric Power Co Ltd
Original Assignee
Middle Electricity Runs (beijing) Information Technology Co Ltd
State Grid Qinghai Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L63/0227 Filtering policies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An industrial control firewall based on a multi-core processor. The firewall's business requirement is to perform deep parsing of the specific content of the application-layer data protocol on top of network-layer and transport-layer protocol parsing, extract the operation content of the transmitted industrial control instructions, judge and identify them, and process the traffic accordingly. The system architecture and processing flow use a multi-core processor to optimise and raise firewall processing performance. A multi-core processor integrates two or more complete computing engines (cores) in a single processor. Each computing engine is responsible for computing, receiving/storing commands and processing data. Every core has an independent, complete logical structure and communicates and shares data through a high-speed bus and memory. The multiple cores within a single chip work together, raising the performance of the processor as a whole.

Description

Industrial firewall for industrial control systems based on a multi-core processor

Technical field

The invention relates to an industrial firewall, and in particular to an industrial firewall based on a multi-core processor.

Background

An industrial control system is composed of a variety of automation control components and process control components, including SCADA, DCS, PLC and others. The industrial control system is the control hub and core component of the whole industrial system.

Over the past few decades, industrial control systems have gradually moved toward open, transparent communication protocols: Ethernet/IP/TCP networks are increasingly used as the communication infrastructure, with industrial control protocols migrated to the application layer of the TCP/IP stack; various wireless networks, including IWLAN and GPRS, are used; and standard commercial operating systems such as Windows, off-the-shelf equipment, middleware and other general-purpose technologies are widely adopted.

While industrial automation control systems enjoy the progress, efficiency and benefits brought by open, interconnected technology, they also face increasingly serious security threats. Operations and maintenance staff have insufficient awareness of the security risks of industrial control systems, the adoption of general-purpose technology has quietly lowered the learning cost for attackers, and the security threats of traditional Ethernet have followed into industrial networks. Incidents such as Stuxnet have sounded the alarm for industrial network security with a real case. The security of industrial control systems directly affects the personal safety of employees, the economic interests of enterprises, and even the security of society and the state.

An industrial control system firewall parses, identifies and controls the industrial control network traffic passing through a network boundary. In addition to the access control, security domain management and NAT functions of a traditional firewall, industrial control system firewalls generally employ deep packet inspection: on top of parsing the layer 2 and layer 3 protocols, they further parse the content of the industrial control protocol messages carried at the application layer, performing deep parsing of commonly used industrial control protocols such as OPC, Modbus, DNP3, IEC 104 and Profinet. This allows deep inspection of the instructions, internal registers and other information inside the industrial protocol, ensuring that industrial protocol communication is controllable and accurate and preventing application-layer protocols from being tampered with or disrupted. By configuring filtering rules and security control policies, the firewall filters illegal access, ensures that only trusted industrial control traffic is transmitted in the network, and provides a security guarantee for the connection between the control network and the management network. Industrial control system firewalls are widely used in industrial manufacturing sectors such as electric power, tobacco, and petroleum and petrochemicals.

Current industrial control system firewall products are implemented mainly by pattern matching: abnormal-traffic matching rules are generated from analysis of normal operational traffic, and signatures are extracted from known attack behaviour to build a pattern-matching rule base. As network traffic passes, the content of the network messages is compared against the rules to discover abnormal or attack behaviour and trigger a control policy. With the continuing growth of industrial network traffic and the continuing increase in the number of rules in the pattern-matching rule base, the gap between the transmission speed of network data and the detection speed of pattern matching keeps widening, and packet loss occurs in high-speed network environments. Industrial control systems also have strict requirements on network latency, which places high demands on the performance of industrial control system firewalls.

Current industrial control system hardware firewall products usually adopt one of three architectures: an X86 general-purpose processor, an ASIC (application-specific integrated circuit), or a hardware architecture based on an NP (network processor).

A traditional X86-architecture industrial control system firewall uses a general-purpose CPU and PCI bus interface. The product's main functions are implemented in software, and function modules can be flexibly customised to user requirements, so the architecture is highly flexible and easily extended. However, constrained by the general-purpose nature of the X86 architecture, the architecture has many fixed layers and is hard to optimise. The X86 platform uses an interrupt mechanism to move captured network message content from the network card hardware to the CPU; when high-speed network traffic passes, frequent interrupt handling drives CPU utilisation up rapidly and the firewall's throughput suffers severely. In addition, the bandwidth of the PCI bus bottlenecks the firewall's overall throughput. Finally, the security of the firewall product itself depends to a large extent on the security of the general-purpose operating system, which may have security vulnerabilities.

An NP-architecture industrial control system firewall uses a programmable integrated circuit optimised for processing network packet data as the core component of its hardware architecture, and achieves high performance, high flexibility and high reliability through modular design at both the hardware and software levels. An NP can directly perform the common tasks of network data processing, such as checksum calculation for layer 2 and layer 3 TCP/IP protocols, packet classification and route lookup; at the same time, its hardware architecture uses high-speed interface technology and bus standards, giving it high I/O capability and greatly improved packet processing capacity. An NP chip uses multiple RISC processors and coprocessors to achieve parallel processing at the instruction, thread and processor levels, can perform high-speed and complex data processing, and allows bandwidth and processing priority to be defined according to business needs so that different network messages are handled differently. However, function development and application extension on the NP architecture must be done with the NP vendor's supporting software, which is harder to develop for and limits the available functionality. Compared with the X86 architecture, an NP-based firewall is less flexible, and in performance it falls short of the ASIC architecture. Overall, NP-based solutions sit between the ASIC and X86 architectures. In addition, current NP products focus mainly on data processing and control, with relatively weak support at the function management level.

An ASIC-architecture industrial control system firewall performs hardware-accelerated processing through the logic of specially designed integrated circuit chips. An ASIC fixes instructions or computational logic into the chip; the architecture is stable, very high processing capacity is obtained, and firewall performance improves markedly. The new generation of highly programmable ASIC chips can change the application logic through software, improving the flexibility and extensibility of the overall architecture. However, ASIC development is expensive and the development cycle is long, which limits how quickly products can be upgraded. For small and medium-sized manufacturers, choosing the ASIC architecture for product development carries a certain risk.

Taken together, the industrial control system hardware firewalls of the three architectures each have advantages and disadvantages. The X86 hardware firewall is flexible, has a short development cycle and allows function modules to be extended flexibly, but its performance has a bottleneck; the ASIC firewall uses a dedicated chip and performs excellently, but has a long development cycle and poor flexibility; the NP firewall lies between the two in both performance and flexibility and has good overall capability, making it suitable for developing mid-range firewall products, but it is harder and more expensive to develop.

Summary of the invention

Purpose of the invention: To meet the performance requirements of industrial control system firewalls, beyond optimising software aspects such as pattern-matching algorithms and control policy models, improving the hardware architecture of the firewall device is a more direct and effective way to raise performance, and the use of a network processor has a significant effect on the performance of the firewall hardware platform. The invention is a system architecture and processing flow for an industrial control firewall based on a multi-core processor, using the multi-core processor to optimise and raise firewall processing performance. A multi-core processor integrates two or more complete computing engines (cores) in a single processor. Each computing engine is responsible for computing, receiving/storing commands and processing data. Every core has an independent, complete logical structure and communicates and shares data through a high-speed bus and memory. The multiple cores within a single chip work together, raising the performance of the processor as a whole.

The invention is realised as follows. In the industrial firewall for industrial control systems based on a multi-core processor, the system's network message processing flow is:

(1) A network message first passes through the message processing module for inspection: if the data flow to which the message belongs has previously been judged as passed or rejected, the message is handled according to that same result; if no judgement has been made yet, it is sent to the load balancing processing module;

(2) The load balancing module splits the messages according to a traffic balancing algorithm and sends them to different pattern matching modules for matching;

(3) The pattern matching module performs pattern matching on the message content, including protocol content filtering, attack behaviour identification and access policy control: it identifies and parses the message content, extracts the key fields and matches them against the signature database to discover abnormal behaviour;

(4) From the matching result a control policy is generated and handed to the data message processing module for processing.

Compared with the prior art, the invention has the following positive effect: the business requirement of an industrial control system firewall is to perform deep parsing of the specific content of the application data protocol on top of network-layer and transport-layer protocol parsing, extract the operation content of the transmitted industrial control instructions, judge and identify them, and process the traffic accordingly.

To meet this requirement, the present solution analyses the advantages and shortcomings of current hardware firewalls based on the X86, ASIC and NP architectures and proposes using a multi-core processor to raise the performance of the industrial control firewall. The multi-core processor uses the MIPS64 architecture and supports multiple independently architected CPUs within one multi-core processor. At the same time, with the application requirements of deep packet inspection in mind, it integrates hardware coprocessors such as hardware acceleration and regular-expression matching together with network application accelerators, delivering high throughput, a high session setup rate and hardware support for a range of advanced security functions.

The industrial control system hardware firewall uses an embedded multi-core processor chip. Unlike the general-purpose chips supplied by Intel and AMD, embedded multi-core processor chips are custom-optimised for packet processing in network traffic handling; mainstream multi-core processors integrate hardware coprocessors such as hardware encryption and regular-expression matching together with network application accelerators, improving packet forwarding performance. In addition, their ability to parse the protocol content of each layer is optimised, which helps with content parsing of industrial control protocols.

The OCTEON processor chips supplied by Cavium are used mainly in networking, wireless, security and other application areas, covering routers, switches, UTMs, security gateways, firewalls and many other network products. Cavium processor chips mainly use the MIPS64 architecture, and the highest current version has 48 cores.

The OCTEON CN50xx and CN58xx processors are designed specifically for network and service performance. Each processor has one or two MIPS cores with 512 KB of L2 cache and interfaces, supports a core clock of up to 900 MHz, and supports a performance range of up to 4 Gbps. The processor uses a dual-issue superscalar architecture with mature prefetching and optimised cache and memory latency, and offers hardware acceleration options for network message processing, queue and scheduling control, and QoS. The NSP version additionally provides acceleration for deep packet inspection, which can greatly improve the firewall's processing capacity. The chip's main features include:

(1) A hardware-based packet processing and buffer management engine for the network-, transport- and application-layer data of IPv4 and IPv6 datagrams;

(2) Hardware-accelerated management of message checksums, timers and buffers;

(3) New queue scheduling and quality-of-service hardware, providing queue scheduling and priority handling of incoming messages by port or other combinations;

(4) A security hardware accelerator that speeds up security protocols such as IPsec and SSL and supports encryption algorithms including DES/3DES and AES;

(5) Compression/decompression hardware acceleration implementing GZIP, PKZIP and various protocols, raising the rate of data compression and decompression;

(6) Support for deep packet inspection through a pattern matching hardware acceleration engine, optimising the matching analysis of data.

Description of drawings

The accompanying drawing is a schematic diagram of the system architecture of the invention.

Detailed description

In this system, to improve the data processing performance of the industrial control firewall, the message processing module and the load balancing processing module of the firewall architecture are implemented on a multi-core processor architecture.

The system architecture is shown in the accompanying drawing. The system's network message processing flow is as follows:

(1) A network message first passes through the message processing module for inspection: if the data flow to which the message belongs has previously been judged as passed or rejected, the message is handled according to that same result; if no judgement has been made yet, it is sent to the load balancing processing module;

(2) The load balancing module splits the messages according to a traffic balancing algorithm and sends them to different pattern matching modules for matching;

(3) The pattern matching module performs pattern matching on the message content, including protocol content filtering, attack behaviour identification, access policy control and so on: it identifies and parses the message content, extracts the key fields and matches them against the signature database to discover abnormal behaviour;

(4) From the matching result a control policy is generated and handed to the data message processing module for processing, for example pass or drop.
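The four-stage flow above (flow verdict lookup, load balancing across pattern matching modules, deep parsing of the industrial protocol against rules, verdict cached and applied), together with the Modbus deep inspection described in the background, as an added Python simulation that is not the patent's or any vendor's code. The Modbus/TCP parser, the read-only register whitelist standing in for the unspecified signature database, and the sample packets are my own constructed assumptions.

```python
"""Added simulation of the patent's four-stage pipeline (not the patent's code):
flow-verdict lookup, flow-hash load balancing onto N pattern matching modules,
deep parsing of the industrial protocol (Modbus/TCP assumed) with rule matching,
and caching of the verdict for the flow."""
import struct
import zlib
from dataclasses import dataclass

PASS, DROP = "PASS", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

    def flow_key(self):
        return (self.src, self.dst, self.sport, self.dport)


@dataclass(frozen=True)
class ModbusRequest:
    unit: int
    function: int
    start: int   # first coil/register address
    count: int   # number of coils/registers touched


def parse_modbus_tcp(payload):
    """Parse MBAP header + PDU; raise ValueError/struct.error when malformed."""
    if len(payload) < 8:
        raise ValueError("short MBAP header")
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    function, pdu = payload[7], payload[8:]
    if function in (1, 2, 3, 4, 5, 6):        # reads and single writes
        start, count = struct.unpack("!HH", pdu[:4])
        if function in (5, 6):                # second field is a value, not a count
            count = 1
        return ModbusRequest(unit, function, start, count)
    if function in (15, 16):                  # write multiple coils/registers
        start, count, _nbytes = struct.unpack("!HHB", pdu[:5])
        return ModbusRequest(unit, function, start, count)
    raise ValueError("function code %d not handled" % function)


@dataclass(frozen=True)
class Rule:
    functions: frozenset   # allowed function codes
    first: int             # allowed address range first..last
    last: int

    def allows(self, req):
        return (req.function in self.functions and self.first <= req.start
                and req.start + req.count - 1 <= self.last)


class PatternMatcher:   # one pattern matching module: default-deny unless a rule allows
    def __init__(self, rules):
        self.rules, self.inspected = rules, 0

    def inspect(self, payload):
        self.inspected += 1
        try:
            req = parse_modbus_tcp(payload)
        except (ValueError, struct.error):
            return DROP                       # malformed or not the expected protocol
        return PASS if any(r.allows(req) for r in self.rules) else DROP


class Firewall:
    def __init__(self, rules, modules=4):
        self.flow_table = {}                  # flow key -> cached verdict
        self.modules = [PatternMatcher(rules) for _ in range(modules)]

    def balance(self, key):
        # Stage 2: hash the flow so all packets of one flow hit the same module.
        return self.modules[zlib.crc32(repr(key).encode()) % len(self.modules)]

    def handle(self, pkt):
        key = pkt.flow_key()
        verdict = self.flow_table.get(key)    # stage 1: earlier verdict for this flow?
        if verdict is None:
            verdict = self.balance(key).inspect(pkt.payload)   # stage 3
            self.flow_table[key] = verdict                       # stage 4: cache it
        return verdict


def modbus_frame(tid, unit, function, start, count_or_value):
    """Build a constructed Modbus/TCP request frame for the samples in demo()."""
    pdu = struct.pack("!BHH", function, start, count_or_value)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo():
    fw = Firewall([Rule(frozenset({3, 4}), 0, 99)])   # assumed policy: reads of 0..99 only
    hmi_to_plc = ("10.0.1.5", "10.0.2.10")             # constructed addresses
    read_ok = Packet(*hmi_to_plc, 40001, 502, modbus_frame(1, 1, 3, 0, 10))
    write = Packet(*hmi_to_plc, 40002, 502, modbus_frame(2, 1, 6, 5, 0x1234))
    too_far = Packet(*hmi_to_plc, 40003, 502, modbus_frame(3, 1, 3, 90, 20))
    not_modbus = Packet(*hmi_to_plc, 40004, 502, b"GET / HTTP/1.1\r\n")
    verdicts = [fw.handle(p) for p in (read_ok, read_ok, write, too_far, not_modbus)]
    return verdicts, sum(m.inspected for m in fw.modules)
```

Note the consequence of stage 1 visible in handle(): once a flow's verdict is cached, later packets of that flow bypass inspection, so a write arriving later in an already-passed session is not re-checked unless the flow entry is expired or invalidated.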

By adopting a multi-core processor architecture with hardware coprocessors such as hardware acceleration and regular-expression matching together with network application accelerators, the performance of the industrial control system firewall can be effectively improved, and its functions are easy to extend.

Claims (1)

1. An industrial firewall for industrial control systems based on a multi-core processor, characterised in that the network message processing flow is as follows:
(1) a network message first passes through the message processing module for inspection: if the data flow to which the message belongs has previously been judged as passed or rejected, the message is handled according to that same result; if no judgement has been made yet, it is sent to the load balancing processing module;
(2) the load balancing module splits the messages according to a traffic balancing algorithm and sends them to different pattern matching modules for matching;
(3) the pattern matching module performs pattern matching on the message content, including protocol content filtering, attack behaviour identification and access policy control: it identifies and parses the message content, extracts the key fields and matches them against the signature database to discover abnormal behaviour;
(4) from the matching result a control policy is generated and handed to the data message processing module for processing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610527354.0A CN106230771A (en) 2016-07-07 2016-07-07 Industrial control system industrial fireproof wall based on polycaryon processor

Publications (1)

Publication Number Publication Date
CN106230771A true CN106230771A (en) 2016-12-14

Family

ID=57520173

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110520806A (en) * 2016-09-30 2019-11-29 西门子股份公司 Identification to the deviation engineering modification of programmable logic controller (PLC)
CN110520806B (en) * 2016-09-30 2022-09-27 西门子股份公司 Identification of Deviation Engineering Modifications for Programmable Logic Controllers
CN107241305A (en) * 2016-12-28 2017-10-10 神州灵云(北京)科技有限公司 Network protocol analysis system and analysis method based on a multi-core processor
CN108390856A (en) * 2018-01-12 2018-08-10 北京奇艺世纪科技有限公司 A kind of ddos attack detection method, device and electronic equipment
CN108390856B (en) * 2018-01-12 2020-09-18 北京奇艺世纪科技有限公司 DDoS attack detection method and device and electronic equipment
CN109558366A (en) * 2018-11-15 2019-04-02 浙江国利网安科技有限公司 A kind of firewall based on multiple processor structure
CN109558366B (en) * 2018-11-15 2023-03-31 浙江国利网安科技有限公司 Firewall based on multiprocessor architecture
CN112311731A (en) * 2019-07-29 2021-02-02 联合汽车电子有限公司 Vehicle-mounted processor, vehicle-mounted controller and communication method
CN110460623A (en) * 2019-09-27 2019-11-15 杭州九略智能科技有限公司 Processing system, method and terminal for general-purpose industrial control protocols
CN111224996A (en) * 2020-01-17 2020-06-02 国网福建省电力有限公司 Firewall centralized auxiliary maintenance system
CN111541658A (en) * 2020-04-14 2020-08-14 许艺明 PCIE firewall
CN111541658B (en) * 2020-04-14 2024-05-31 许艺明 PCIE firewall
CN112637179A (en) * 2020-12-17 2021-04-09 深信服科技股份有限公司 Firewall policy analysis method, device, equipment and storage medium
CN112637179B (en) * 2020-12-17 2022-11-22 深信服科技股份有限公司 Firewall policy analysis method, device, equipment and storage medium
CN113079185A (en) * 2021-06-07 2021-07-06 北京网藤科技有限公司 Industrial firewall control method and equipment for realizing deep data packet detection control
CN113627620A (en) * 2021-07-29 2021-11-09 上海熠知电子科技有限公司 Processor module for deep learning
CN114006873A (en) * 2021-10-29 2022-02-01 深圳市风云实业有限公司 Flow scheduling method based on multi-core processor
CN114006873B (en) * 2021-10-29 2023-12-15 深圳市风云实业有限公司 Flow scheduling method based on multi-core processor
CN115062353B (en) * 2022-08-16 2022-11-11 南方电网数字电网研究院有限公司 Trusted computing system and trusted computing method based on single chip
CN115062353A (en) * 2022-08-16 2022-09-16 南方电网数字电网研究院有限公司 Trusted computing architecture and trusted computing method based on single chip

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20161214
