
CN107968770A - Network firewall and its data processing method based on domestic autonomous hardware and software platform - Google Patents


Info

Publication number
CN107968770A
Authority
CN
China
Prior art keywords
network
address
exchange plate
control unit
configuration
Prior art date
Legal status
Pending
Application number
CN201610913127.1A
Other languages
Chinese (zh)
Inventor
夏旸
张继业
王硕
单联强
Current Assignee
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications
Priority date
Filing date
Publication date
Application filed by Beijing Institute of Computer Technology and Applications
Priority to CN201610913127.1A
Publication of CN107968770A
Legal status: Pending

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/02  Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227  Filtering policies
    • H04L63/0263  Rule management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to a network firewall based on a domestic autonomous hardware and software platform and to its data processing method, and belongs to the technical field of network security. The invention designs a high-performance network firewall implementation on a domestic autonomous hardware and software platform: the filtering of network packets is performed by a domestic network switching board, while the configuration of the access control rules is performed by a domestic CPU. In this way the shortfall in domestic processor performance is compensated for, and the requirement for an autonomous, controllable network firewall is met.

Description

Network firewall and its data processing method based on domestic autonomous hardware and software platform
Technical field
The present invention relates to the technical field of network security, and in particular to a network firewall based on a domestic autonomous hardware and software platform and to its data processing method.
Background art
With the development of information technology, the security of an organization's internal network environment is taken increasingly seriously. The network firewall is the most widely deployed network security protection device; it is responsible for isolating the internal network from external networks, and its main function is to permit or restrict the passage of transmitted data according to specific rules. Because a firewall sits between the internal network and the external network, or between a private network and a public network, it must be connected in-line in the network in order to filter packets; the data processing performance of firewall-class products is therefore a very important performance indicator.
Current firewalls and gateway-class security products play an important role in guaranteeing network security, but most network security devices are developed on foreign basic hardware and software, such as Intel processors, the Windows operating system and Oracle databases, which brings the security risk of core technology being controlled by others. Especially after the Snowden affair of 2013, the domestic production of core hardware and software has received attention. At the same time, the domestic firewalls currently on the market have difficulty reaching actual operational requirements in terms of data processing performance.
How to compensate for the shortfall in domestic processor performance and meet the requirement for an autonomous, controllable network firewall has become a technical problem that urgently needs solving.
Summary of the invention
(1) Technical problem to be solved
The technical problem to be solved by the present invention is: how to compensate for the shortfall in domestic processor performance and meet the requirement for an autonomous, controllable network firewall.
(2) technical solution
To solve the above technical problem, the present invention provides a network firewall based on a domestic autonomous hardware and software platform, comprising a network switching board and a control unit;
The control unit is used for access control rule configuration and access control rule conversion. Access control rule configuration means configuring access control rules that apply different processing policies to the packets flowing through the firewall along the dimensions of IP address, MAC address and port. Access control rule conversion means converting the access control rules into ACL configuration rules of the network switching board and delivering them to the network switching board, so as to implement ACL access control;
The network switching board is used to perform network traffic processing, that is, the processing and forwarding of network packets.
Preferably, the network switching board is configured as follows: the ingress and egress network interfaces and the operating mode of the network switching board are determined according to the operating mode of the firewall; and the board is configured to communicate with the control unit either through a separately allocated VLAN or through the bridge or route on which the firewall operates.
Preferably, if the firewall is in routed operating mode, the internal network address is 192.168.1.0/24, the control unit address is 10.10.10.1 and the external network gateway is 172.16.1.254, the network switching board is configured as follows: the external network interface eth0 is assigned to vlan100 and vlan100 is given the IP address 172.16.1.253, to ensure connectivity between external network interface eth0 and the external network gateway; the internal network interface eth1 is assigned to vlan200 and vlan200 is given the IP address 192.168.1.254, to ensure that the internal network can connect to internal network interface eth1, with the internal network using the IP address of vlan200 as its default gateway; and the network interface connected to the control unit is given the IP address 10.10.10.254.
Preferably, the control unit is implemented using a CPU.
The present invention also provides a data processing method for the network firewall, comprising the following steps:
S1: the control unit performs access control rule configuration and access control rule conversion. Access control rule configuration means configuring access control rules that apply different processing policies to the packets flowing through the firewall along the dimensions of IP address, MAC address and port. Access control rule conversion means converting the access control rules into ACL configuration rules of the network switching board and delivering them to the network switching board, so as to implement ACL access control;
S2: the network switching board performs network traffic processing, that is, the processing and forwarding of network packets.
Preferably, before step S1 a step of configuring the network switching board as follows is further included: the ingress and egress network interfaces and the operating mode of the network switching board are determined according to the operating mode of the firewall; and the board is configured to communicate with the control unit either through a separately allocated VLAN or through the bridge or route on which the firewall operates.
Preferably, if the firewall is in routed operating mode, the internal network address is 192.168.1.0/24, the control unit address is 10.10.10.1 and the external network gateway is 172.16.1.254, the network switching board is configured as follows: the external network interface eth0 is assigned to vlan100 and vlan100 is given the IP address 172.16.1.253, to ensure connectivity between external network interface eth0 and the external network gateway; the internal network interface eth1 is assigned to vlan200 and vlan200 is given the IP address 192.168.1.254, to ensure that the internal network can connect to internal network interface eth1, with the internal network using the IP address of vlan200 as its default gateway; and the network interface connected to the control unit is given the IP address 10.10.10.254.
(3) Beneficial effects
The present invention designs a high-performance network firewall implementation on a domestic autonomous hardware and software platform: the filtering of network packets is performed by a domestic network switching board, while the configuration of the access control rules is performed by a domestic CPU. In this way the shortfall in domestic processor performance is compensated for, and the requirement for an autonomous, controllable network firewall is met.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network firewall structure of the embodiment of the present invention;
Fig. 2 is a schematic diagram of the network configuration by which the network firewall of the embodiment of the present invention implements network traffic splitting.
Embodiments
To make the purpose, content and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples.
Because network traffic concentrates at the network boundary egress, the security devices connected in-line on that link must have sufficient performance to meet actual needs. Given the current limitations on the performance of domestically produced CPUs, the present invention proposes a processing scheme in which a domestic CPU and a domestic network switching board cooperate, which solves the performance bottleneck problem. In terms of device form, an ATCA architecture design is used: the network switching board processes the incoming network traffic, and the high performance of the network switching chip meets the data processing requirement. The concrete form of the device is shown in Fig. 1. The network firewall based on a domestic autonomous hardware and software platform provided by the embodiment of the present invention comprises a network switching board and a control unit;
The control unit is used for access control rule configuration and access control rule conversion. Access control rule configuration means configuring access control rules that apply different processing policies to the packets flowing through the firewall along the dimensions of IP address, MAC address and port. Access control rule conversion means converting the access control rules into ACL (access control list) configuration rules of the network switching board and delivering them to the network switching board, so as to implement ACL access control. It should be noted that the ACL (access control list) function of the network switching board can implement the processing and filtering of packets, but the command-line configuration interface of the network switching board is not convenient for an ordinary network administrator to use. The access control rules therefore need to be converted into ACL configuration rules of the switching board and delivered to the network switching board to implement ACL access control.
The network switching board is used to perform network traffic processing, that is, the processing and forwarding of network packets.
The processing performed by the network switching board needs to take the following two factors into account:
1. Traditional firewall operating modes are generally divided into bridge mode and routed mode; the ingress and egress network interfaces and the operating mode of the network switching board must be determined according to the way the device is deployed;
2. The control unit, which sits above the network switching board, needs to be reached over the network. Physically, the control unit and the network switching board are in the same device; from the point of view of network topology, the control unit can be regarded as an independent device attached off-path to the network switching board. The network switching board can communicate with the control unit through a separately allocated VLAN, or through the bridge/route it actually uses for its work; the specific operating mode must be configured according to the real network.
For these two requirements, the embodiment of the present invention illustrates the network configuration of the network switching board by taking the routed mode of a network switching board with one ingress and one egress as an example, as shown in Fig. 2:
Fig. 2 shows a firewall in routed mode with two external-facing network interfaces; the internal network address is 192.168.1.0/24, the control unit address is 10.10.10.1 and the external network gateway is 172.16.1.254. For this operating mode the network switching board needs to be configured as follows:
1. The external network interface eth0 is assigned to vlan100, and vlan100 is given the IP address 172.16.1.253; this configuration ensures connectivity between external network interface eth0 and the external network gateway;
2. Similarly, the internal network interface eth1 is assigned to vlan200, and vlan200 is given the IP address 192.168.1.254; this configuration ensures that the internal network can connect to internal network interface eth1, and the internal network should use the IP address of vlan200 as its default gateway;
3. The network interface connected to the control unit is given the IP address 10.10.10.254;
The above configuration in fact also supports multiple ingress/egress network interfaces: if a further network card eth3 connected to the internal network needs to be added, eth3 simply has to be assigned to vlan200.
In the present embodiment, the control unit is implemented using a CPU.
The embodiment of the present invention also provides a data processing method for the network firewall, comprising the following steps:
S1: the control unit performs access control rule configuration and access control rule conversion.
The domestically produced high-performance network firewall implements packet filtering by means of the ACL function of the network switching board; apart from the configuration commands differing from those of a general-purpose firewall, the functions implemented are the same. The ACL access control functions that the network switching board can provide are very rich, but for simplicity of configuration by the network administrator only the most basic filtering function, based on packet header fields, is provided here. ACL modes based on TCP packet fragmentation, route type and so on are outside the scope of this discussion. Furthermore, because the present invention performs packet filtering on the network switching board, it corresponds to a network-layer firewall in traditional firewall terms and therefore does not support application-layer firewall functions. Based on the above analysis, access control rule configuration means configuring access control rules that apply different processing policies to the packets flowing through the firewall along the dimensions of IP address, MAC address and port.
Access control rule conversion means converting the access control rules into ACL configuration rules of the network switching board and delivering them to the network switching board, so as to implement ACL access control;
In terms of configuration, the ACL rules of the network switching board differ from the rules of a general-purpose firewall. To let a network administrator configure and manage the new network firewall described herein without obstacles, the rules of a general-purpose firewall must be converted into ACL rules of the network switching board.
For example, to configure a firewall rule that permits packets whose source address is in the 192.168.1.0 network segment to pass, the following configuration commands must be executed in the switching board's ACL rules:
Switch#configure terminal
Switch(config)#ip access-list ip-acl
Switch(config-ip-acl)#permit any 192.168.1.0 0.0.0.255 any
Switch(config-ip-acl)#end
In the third command, the first "any" denotes any transport-layer protocol type and the second "any" denotes any destination address. The format of the network address mask differs from that of an ordinary IP subnet mask: a non-zero bit means that bit position need not match, while a 0 bit means it must match exactly; therefore "192.168.1.0 0.0.0.255" denotes the whole segment from 192.168.1.0 to 192.168.1.255.
In addition, a rule sequence number can be added at the beginning of the third command, so that the network administrator can more conveniently insert and modify rules.
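As an added worked example (not part of the patent text), the rule conversion described above in Python: a general-purpose firewall rule whose addresses are CIDR prefixes is translated into the switching board's "network wildcard" notation (the wildcard is the inverse of the subnet mask, so 0 bits must match exactly), optionally prefixed with a sequence number, and a matcher applies the same bit semantics to check which addresses a converted entry covers. The FirewallRule fields and the function names are assumptions of this example; the command layout follows the four commands shown above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FirewallRule:
    """A general-purpose firewall rule as an administrator writes it.
    Field names are assumptions for this example, not the patent's own."""
    action: str            # "permit" or "deny"
    protocol: str = "any"  # transport-layer protocol, or "any"
    src: str = "any"       # source as a CIDR prefix, or "any"
    dst: str = "any"       # destination as a CIDR prefix, or "any"


def cidr_to_wildcard(cidr: str) -> str:
    """Translate a CIDR prefix into the switching board's 'network wildcard' pair.

    The wildcard is the bitwise inverse of the subnet mask: a 1 bit means the
    position need not match, a 0 bit means it must match exactly. So
    192.168.1.0/24 becomes '192.168.1.0 0.0.0.255' (the whole segment
    192.168.1.0 to 192.168.1.255) and a /32 becomes 'a.b.c.d 0.0.0.0'.
    """
    if cidr == "any":
        return "any"
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def rule_to_acl_entry(rule: FirewallRule, seq: Optional[int] = None) -> str:
    """Render one firewall rule as one ACL entry: [seq] action protocol src dst."""
    if rule.action not in ("permit", "deny"):
        raise ValueError(f"unsupported action: {rule.action!r}")
    parts: List[str] = [] if seq is None else [str(seq)]
    parts += [rule.action, rule.protocol,
              cidr_to_wildcard(rule.src), cidr_to_wildcard(rule.dst)]
    return " ".join(parts)


def rules_to_acl_commands(acl_name: str, rules: List[FirewallRule],
                          step: int = 10) -> List[str]:
    """Build the command sequence the control unit would deliver to the board.

    Entries are numbered 10, 20, 30, ... so that an administrator can later
    insert a rule between two existing ones without renumbering.
    """
    cmds = ["configure terminal", f"ip access-list {acl_name}"]
    cmds += [rule_to_acl_entry(r, seq=(i + 1) * step) for i, r in enumerate(rules)]
    cmds.append("end")
    return cmds


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Apply the wildcard semantics to a concrete address.

    Only the bit positions where the wildcard bit is 0 are compared; this also
    works for non-contiguous wildcards, which CIDR notation cannot express.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


if __name__ == "__main__":
    # Constructed sample: the rule from the text (permit source 192.168.1.0/24)
    # preceded by a narrower deny entry for a single host in that segment.
    rules = [
        FirewallRule("deny", "any", "192.168.1.13/32", "any"),
        FirewallRule("permit", "any", "192.168.1.0/24", "any"),
    ]
    for line in rules_to_acl_commands("ip-acl", rules):
        print(line)
    print(wildcard_matches("192.168.1.77", "192.168.1.0", "0.0.0.255"))  # True
    print(wildcard_matches("192.168.2.77", "192.168.1.0", "0.0.0.255"))  # False
```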
S2: the network switching board performs network traffic processing, that is, the processing and forwarding of network packets.
Before step S1 a step of configuring the network switching board as follows is further included: the ingress and egress network interfaces and the operating mode of the network switching board are determined according to the operating mode of the firewall; and the board is configured to communicate with the control unit either through a separately allocated VLAN or through the bridge or route on which the firewall operates. Similarly, based on Fig. 2, if the firewall is in routed operating mode, the internal network address is 192.168.1.0/24, the control unit address is 10.10.10.1 and the external network gateway is 172.16.1.254, the network switching board is configured as follows: the external network interface eth0 is assigned to vlan100 and vlan100 is given the IP address 172.16.1.253, to ensure connectivity between external network interface eth0 and the external network gateway; the internal network interface eth1 is assigned to vlan200 and vlan200 is given the IP address 192.168.1.254, to ensure that the internal network can connect to internal network interface eth1, with the internal network using the IP address of vlan200 as its default gateway; and the network interface connected to the control unit is given the IP address 10.10.10.254.
It can be seen that the embodiment of the present invention has the following advantages:
1) High processing performance: network traffic is processed by the network switching board, which significantly improves the processing performance of the device and solves the performance problem of the Loongson platform;
2) Rules can be configured as needed, and a management interface consistent with general-purpose firewall configuration is provided;
3) General-purpose firewall rules can be converted into ACL rules of the network switching board.
This scheme combines a network switching board with a security processing board (the control unit). While raising the level of autonomy and controllability, it further prevents the information security risks that arise from relying on foreign core components, and meets the demand of core fields for services with high information security and high autonomy and controllability.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may also make improvements and variations without departing from the technical principles of the present invention, and such improvements and variations should also be regarded as falling within the protection scope of the present invention.

Claims (7)

1. A network firewall based on a domestic autonomous hardware and software platform, characterised in that it comprises a network switching board and a control unit;
the control unit is used for access control rule configuration and access control rule conversion, wherein access control rule configuration means configuring access control rules that apply different processing policies to the packets flowing through the firewall along the dimensions of IP address, MAC address and port, and access control rule conversion means converting the access control rules into ACL configuration rules of the network switching board and delivering them to the network switching board, so as to implement ACL access control;
the network switching board is used to perform network traffic processing, that is, the processing and forwarding of network packets.
2. The network firewall of claim 1, characterised in that the network switching board is configured as follows: the ingress and egress network interfaces and the operating mode of the network switching board are determined according to the operating mode of the firewall; and the board is configured to communicate with the control unit either through a separately allocated VLAN or through the bridge or route on which the firewall operates.
3. The network firewall of claim 2, characterised in that, if the firewall is in routed operating mode, the internal network address is 192.168.1.0/24, the control unit address is 10.10.10.1 and the external network gateway is 172.16.1.254, the network switching board is configured as follows: the external network interface eth0 is assigned to vlan100 and vlan100 is given the IP address 172.16.1.253, to ensure connectivity between external network interface eth0 and the external network gateway; the internal network interface eth1 is assigned to vlan200 and vlan200 is given the IP address 192.168.1.254, to ensure that the internal network can connect to internal network interface eth1, with the internal network using the IP address of vlan200 as its default gateway; and the network interface connected to the control unit is given the IP address 10.10.10.254.
4. The network firewall of claim 1, 2 or 3, characterised in that the control unit is implemented using a CPU.
5. A data processing method for the network firewall according to any one of claims 1 to 4, characterised in that it comprises the following steps:
S1: the control unit performs access control rule configuration and access control rule conversion, wherein access control rule configuration means configuring access control rules that apply different processing policies to the packets flowing through the firewall along the dimensions of IP address, MAC address and port, and access control rule conversion means converting the access control rules into ACL configuration rules of the network switching board and delivering them to the network switching board, so as to implement ACL access control;
S2: the network switching board performs network traffic processing, that is, the processing and forwarding of network packets.
6. The method of claim 5, characterised in that, before step S1, a step of configuring the network switching board as follows is further included: the ingress and egress network interfaces and the operating mode of the network switching board are determined according to the operating mode of the firewall; and the board is configured to communicate with the control unit either through a separately allocated VLAN or through the bridge or route on which the firewall operates.
7. The method of claim 6, characterised in that, if the firewall is in routed operating mode, the internal network address is 192.168.1.0/24, the control unit address is 10.10.10.1 and the external network gateway is 172.16.1.254, the network switching board is configured as follows: the external network interface eth0 is assigned to vlan100 and vlan100 is given the IP address 172.16.1.253, to ensure connectivity between external network interface eth0 and the external network gateway; the internal network interface eth1 is assigned to vlan200 and vlan200 is given the IP address 192.168.1.254, to ensure that the internal network can connect to internal network interface eth1, with the internal network using the IP address of vlan200 as its default gateway; and the network interface connected to the control unit is given the IP address 10.10.10.254.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610913127.1A CN107968770A (en) 2016-10-19 2016-10-19 Network firewall and its data processing method based on domestic autonomous hardware and software platform

Publications (1)

Publication Number Publication Date
CN107968770A (en) 2018-04-27

Family

ID=61997044

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610913127.1A Pending CN107968770A (en) 2016-10-19 2016-10-19 Network firewall and its data processing method based on domestic autonomous hardware and software platform

Country Status (1)

Country Link
CN (1) CN107968770A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090125470A1 (en) * 2007-11-09 2009-05-14 Juniper Networks, Inc. System and Method for Managing Access Control Lists
CN102546117A (en) * 2012-02-20 2012-07-04 瑞斯康达科技发展股份有限公司 Frame loss measuring method, frame loss measuring device and frame loss measuring system
CN103220287A (en) * 2013-04-11 2013-07-24 汉柏科技有限公司 Method for service matching of messages by means of access control list (ACL)
CN105939274A (en) * 2016-05-17 2016-09-14 杭州迪普科技有限公司 Message forwarding method and apparatus

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109728944A (en) * 2018-12-24 2019-05-07 杭州迪普科技股份有限公司 The method and system of double-machine equipment configuration distributing is directed in a kind of OpenStack
CN111865994A (en) * 2020-07-23 2020-10-30 江苏安超云软件有限公司 Software and hardware combined gateway firewall construction method and network protection method thereof
CN114978854A (en) * 2022-05-30 2022-08-30 北京计算机技术及应用研究所 Domestic network resource dynamic sensing device
CN114978854B (en) * 2022-05-30 2023-10-31 北京计算机技术及应用研究所 Domestic network resource dynamic sensing device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180427