CN114944992A - Active defense gateway configuration detection method, device and system

Info

Publication number: CN114944992A (granted version: CN114944992B)
Application number: CN202210881431.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 谢峥
Assignee: Nanjing Cyber Peace Technology Co Ltd
Legal status (as listed by Google Patents): granted, active
Prior art keywords: address, gateway, environment, test environment, network
Classifications

    • H04L43/0817 Monitoring or testing data switching networks based on specific metrics, by checking availability and functioning
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/02 Network architectures or protocols for network security for separating internal from external traffic, e.g. firewalls
Abstract

The invention discloses a method, a device and a system for detecting the configuration of an active defense gateway. First, a test environment and an address translation space, both based on network namespaces, are created: the test environment reuses the file system of the gateway main program's running environment, and its network interfaces, IP addresses and routing table are configured to match that environment; the address translation space translates each IP address of the test environment into a pre-assigned address, so that the test environment can reach the protected sites without conflicting with the IP addresses of the running environment. Next, the TCP ports being listened on in the running environment and the processes holding them are scanned, and the same listening state is reproduced inside the test environment's network namespace. Finally, the gateway main program is started in the test environment's network namespace with the new configuration file, and each site is accessed through it to detect whether the configuration file contains errors. The method and system improve the reliability of the active defense gateway's configuration process and ensure stable operation of the gateway.

Description

Active defense gateway configuration detection method, device and system
Technical Field
The invention relates to a method, a device and a system for detecting active defense gateway configuration, and belongs to the technical field of network security.
Background
An active defense gateway is a security gateway that protects Web sites. It is deployed between the users and the Web site, close to the site, and supports the HTTP and HTTPS protocols. Compared with a traditional security gateway, an active defense gateway can actively probe and monitor the client-side runtime environment, which improves the accuracy with which threat events are judged and therefore the level of protection.
As shown in Fig. 1, the gateway system consists of several modules: a management platform, a gateway configuration program and a gateway main program. The management platform is itself a small Web site; it shows the administrator the gateway's running state and accepts the administrator's configuration changes, such as: 1. adding a site; 2. modifying site information (access domain name, access IP, access port, etc.); 3. deleting a site; 4. adding blacklist and whitelist entries; 5. configuring dynamic countermeasure rules; and so on. The gateway configuration program receives configuration change messages from the management platform, converts them into a configuration file that the gateway main program understands, and asks the gateway main program to test that file. Only if the test reports no error is the gateway main program told to load the new configuration file.
The gateway main program is the core of the gateway: it is exposed to the public and provides the reverse proxy service for the back-end sites. It has strict availability requirements, must run as stably as possible and must minimise the risk of service interruption. It generally uses a master/worker multi-process model in which the master process: 1. parses the initial configuration file; 2. starts several worker processes; 3. monitors the worker processes and restarts any worker that terminates on failure; 4. receives configuration change messages, tests the validity of the configuration file, starts new workers and terminates the old ones, completing an orderly switch to the new configuration without interrupting service.
At present the gateway main program can test a configuration file, but two problems remain. 1. Because several sites may share an access port, and a port may already be held by the gateway itself, the gateway main program cannot reliably decide from the configuration alone whether an access port in the new configuration file is already occupied. It therefore performs only a static check of the port list in the configuration file (for example that port numbers do not conflict, such as an HTTP port also being used as a TCP STREAM port) and does not check whether the port is already in use in the running environment. A port occupied by another process is discovered only when the configuration file is formally loaded, at which point the gateway fails. 2. The configuration of some software modules (such as dynamic countermeasures) contains executable script code. Such code cannot be checked precisely when the configuration file is tested; its errors surface only when the relevant module executes the code while loading the configuration file.
Disclosure of Invention
Purpose of the invention: in view of the incomplete testing of the gateway configuration file in the prior art, the invention provides a method, a device and a system for detecting the configuration of an active defense gateway, so as to improve the reliability of the gateway's configuration process and ensure its stable operation.
Technical scheme: to achieve this purpose, the invention adopts the following technical scheme:
an active defense gateway configuration detection method comprises the following steps:
creating a test environment based on a network namespace, where the test environment reuses the file system of the gateway main program's running environment, and its network interfaces, IP addresses and routing table are configured to match that running environment;
creating an address translation space based on a network namespace, adding a virtual network interface, a bridge and a network filtering rule for each IP address of the running environment other than the loopback address, so that each IP address of the test environment is translated into a pre-assigned address that differs from the IP addresses of the running environment;
scanning the TCP ports being listened on in the running environment and the processes that hold them, and removing the entries belonging to the gateway main program to obtain a TCP port list;
starting a TCP port listener program in the test environment's network namespace with the TCP port list as its argument; the listener creates a TCP socket for, and listens on, every entry of the list, thereby reproducing the listening state of the running environment;
starting the gateway main program in the test environment's network namespace with the new configuration file and, if it starts successfully, accessing each site through the gateway; if start-up fails or any site is unreachable, the configuration file is considered to contain an error.
Preferably, when the gateway main program in the test environment starts successfully and every site is reachable, the gateway main program of the running environment is notified to load the new configuration file and begin the switch.
Preferably, when the configuration file contains an error, the error log is captured and reported.
Preferably, creating the address translation space comprises:
creating a network namespace ns_trans;
for each IP address IP_a of the test environment, creating a virtual network interface connected to the corresponding interface of the test environment and placing it in the network namespace ns_trans; building a bridge in ns_trans and configuring an IP address IP_b, where IP_b is a pre-allocated address in the same network segment as the address IP_a of the running environment;
and configuring Netfilter rules so that address resolution (ARP) requests sent by the test environment are answered, and IP packets sent by the test environment are forwarded to the LAN where the sites are located with the configured address IP_b as their source address.
In a concrete implementation, a port conflict in the configuration file causes the gateway main program in the test environment to fail to start; if the gateway main program starts but a site is unreachable, the configuration file contains a faulty dynamic rule.
An active defense gateway configuration detection apparatus, comprising:
a test environment construction unit, which creates a test environment based on a network namespace; the test environment reuses the file system of the gateway main program's running environment, and its network interfaces, IP addresses and routing table are configured to match that running environment;
an address translation space construction unit, which creates an address translation space based on a network namespace, adding a virtual network interface, a bridge and a network filtering rule for each IP address of the running environment other than the loopback address, so that each IP address of the test environment is translated into a pre-assigned address different from the IP addresses of the running environment;
a listening port acquisition unit, which scans the TCP ports being listened on in the running environment and the processes that hold them, and produces a TCP port list from which the gateway main program's own entries are excluded;
a port listening simulation unit, which starts a TCP port listener program in the test environment's network namespace with the TCP port list as its argument; the listener creates a TCP socket for, and listens on, every port in the list, reproducing the listening state of the running environment;
a configuration test unit, which starts the gateway main program in the test environment's network namespace with the new configuration file and, if it starts successfully, accesses each site through the gateway; if start-up fails or any site is unreachable, the configuration file is considered to contain an error.
Preferably, the address translation space construction unit creates a network namespace ns_trans; for each IP address IP_a of the test environment it creates a virtual network interface connected to the corresponding interface of the test environment and places it in ns_trans; it builds a bridge in ns_trans and configures an IP address IP_b, a pre-allocated address in the same network segment as the running environment's IP_a; and it configures Netfilter rules so that address resolution requests sent by the test environment are answered and IP packets sent by the test environment are forwarded to the LAN where the sites are located with IP_b as their source address.
An active defense gateway system comprises: a management platform, which configures the gateway and displays its running state; a gateway configuration program module, which generates a configuration file after the management platform changes the configuration; a gateway main program module, which provides the reverse proxy service for the back-end sites; and a configuration detection program module, which, after the gateway configuration program module has generated a new configuration file, creates a test environment, tests the configuration file and, if the test passes, notifies the gateway main program module to load the new configuration file. The configuration detection program module comprises:
a test environment construction unit, which creates a test environment based on a network namespace; the test environment reuses the file system of the gateway main program's running environment, and its network interfaces, IP addresses and routing table are configured to match that running environment;
an address translation space construction unit, which creates an address translation space based on a network namespace, adding a virtual network interface, a bridge and a network filtering rule for each IP address of the running environment other than the loopback address, so that each IP address of the test environment is translated into a pre-assigned address different from the IP addresses of the running environment;
a listening port acquisition unit, which scans the TCP ports being listened on in the running environment and the processes that hold them, and produces a TCP port list from which the gateway main program's own entries are excluded;
a port listening simulation unit, which starts a TCP port listener program in the test environment's network namespace with the TCP port list as its argument; the listener creates a TCP socket for, and listens on, every port in the list, reproducing the listening state of the running environment;
a configuration test unit, which starts the gateway main program in the test environment's network namespace with the new configuration file and, if it starts successfully, accesses each site through the gateway; if start-up fails or any site is unreachable, the configuration file is considered to contain an error.
A computer system comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program when loaded into the processor implementing the steps of the active defense gateway configuration detection method.
A computer-readable storage medium, storing a computer program which, when executed by a processor, implements the steps of the active defense gateway configuration detection method.
Beneficial effects: compared with the prior art, the method and device simulate the running environment through the address translation space and run the gateway main program in an isolated test environment to verify the correctness of the configuration file. This improves the reliability of the active defense gateway's configuration process, avoids the gateway remaining in an unexpected state for a long time because an error went undetected, and ensures stable operation of the gateway.
Drawings
Fig. 1 is a flow chart of the modules and configuration test of a conventional active defense gateway system.
Fig. 2 is a flow chart of the configuration test method according to an embodiment of the invention.
Fig. 3 shows the connection between the test environment and the address translation space according to an embodiment of the invention.
Fig. 4 shows the connection between the test environment and the address translation space in another embodiment, with several network interfaces.
Fig. 5 is a flow chart of the modules and configuration test of the active defense gateway system according to an embodiment of the invention.
Detailed Description
The technical solution of the present invention will be clearly and completely described below with reference to the accompanying drawings and specific embodiments.
To address the incomplete testing of the gateway configuration file, the embodiment of the invention discloses an active defense gateway configuration detection method that uses network namespaces to create a test environment and an address translation space, and uses the isolated test environment to simulate loading the configuration file in the real environment. As shown in Fig. 2, the method first creates a test environment and an address translation space, both based on network namespaces; then scans the TCP ports being listened on in the running environment and the processes holding them; then creates TCP sockets in the test environment and listens on each of those ports to reproduce the listening state of the running environment; and finally starts the gateway main program in the test environment and tests whether the configuration file contains an error.
In the embodiment, the test environment is a virtual environment isolated from the original running environment. Its file system is the same as that of the original running environment and can simply be reused. Its network is the same as that of the original running environment, but the original network cannot be reused, because the two would conflict; at the same time the path to the back-end sites must remain open. The specific steps are as follows:
Step 1. Create a network namespace named ns_test:
ip netns add ns_test
Step 2. Scan the network interfaces, IP addresses and routing table of the original running environment:
ip link show
ip addr show
ip route show
Step 3. Reproduce the network of the original running environment inside ns_test, so that the number and names of the network interfaces, the IP addresses and the routing table are identical to the original environment. Each interface is created as a veth pair, whose eth0 end is placed in ns_test and whose eth1 end is later attached to the address translation space:
ip link add eth0 type veth peer name eth1
Interface names must be unique within a namespace, and the physical eth0 already exists in the host namespace, so in practice the ns_test end is created under a temporary name, moved into ns_test with ip link set ... netns ns_test, renamed to eth0 there, and then given the original IP address and routes.
Step 4. Create the address translation space: for every address other than the loopback address, add a virtual network interface, a bridge and Netfilter rules. The translation addresses must be reserved in advance when the gateway is deployed.
To simulate the original running environment, address translation is needed so that, after translation, the test environment can reach the external network normally. The translation is performed in a network namespace called the address translation space (ns_trans).
The address translation space avoids address conflicts with the running environment on the same server by translating the addresses of the test environment into pre-assigned addresses. It is built as follows:
a) Create the network namespace ns_trans:
ip netns add ns_trans
b) Create a virtual network interface on the physical interface and move it into the namespace:
ip link add link eth0 name eth2 type macvlan
ip link set eth2 netns ns_trans
Here eth2 is the name of the new virtual interface and must not duplicate an existing interface name; eth0 is the physical interface of the gateway server. If the server has several physical interfaces, one virtual interface is created for each, again with names that do not duplicate existing ones. The virtual interface type may be ipvlan instead of macvlan; the effect here is the same.
c) Build a bridge in ns_trans and configure the translation address. eth1 is the ns_trans end of the veth pair created in step 3 (it must already have been moved into ns_trans), so the bridge receives every frame the test environment sends; the following commands run inside ns_trans:
brctl addbr br1
brctl addif br1 eth1
ip link set eth1 up
ip link set eth2 up
ip link set br1 up
ip addr add 192.168.0.2/24 dev eth2
192.168.0.2 is a valid address in the same network segment as the server interface eth0; it must be reserved when the system is deployed. The connection between the test environment and the address translation space is shown in Fig. 3; if the gateway server has several network interfaces, the same configuration is repeated for each of them, as shown in Fig. 4.
d) Configure Netfilter rules in ns_trans:
ebtables -t nat -A PREROUTING -p ARP -i eth1 -j arpreply --arpreply-mac 76:8b:db:ce:58:21
This rule answers every address resolution (ARP) request arriving from the test environment over eth1 with the MAC address given in --arpreply-mac. For the test environment's frames to be routed by ns_trans, that MAC address must be one on which the namespace accepts frames, in practice the address of the bridge br1 itself; the value shown is the literal used in this embodiment.
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
This rule rewrites the source address of IP packets leaving through eth2 to that interface's address, 192.168.0.2, so the test environment's traffic reaches the LAN as if it came from the virtual interface eth2. For ns_trans to forward those packets at all, IP forwarding (net.ipv4.ip_forward) must be enabled inside the namespace and the namespace needs a route towards the sites via eth2.
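The following is an added example, not code from the patent: it turns steps 1 to 4 into a command generator that, for each non-loopback interface of the running environment, emits the veth pair for ns_test and the macvlan, bridge, ARP-reply and masquerade rules for ns_trans, generalising the single-interface commands above to several interfaces as in Fig. 4. The interface names, the locally administered MAC assigned to each bridge (and reused for --arpreply-mac), the ip_forward sysctl, the default route inside ns_trans, the temporary veth name, and the use of ip link ... type bridge in place of brctl are this example's own choices and are not stated in the patent.

```python
"""Command generator for the test namespace (ns_test) and the address
translation namespace (ns_trans). Added example, not the patent's code.
Assumptions not found in the patent: interface names, a fixed locally
administered MAC on each bridge (reused as the ARP reply MAC), IP forwarding
and a default route inside ns_trans, and 'ip link' bridge commands instead
of brctl. Commands are returned for review; run(dry_run=False) executes them."""
import shlex
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str            # physical NIC of the running environment, e.g. eth0
    cidr: str            # its address, e.g. 192.168.0.1/24 (from 'ip addr show')
    trans_cidr: str      # address reserved at deployment for ns_trans, e.g. 192.168.0.2/24
    gateway: str = ""    # default gateway on this segment; set it on at most one Iface
    routes: tuple = ()   # extra 'ip route add' argument tuples to replay in ns_test


def bridge_mac(index):
    """Locally administered unicast MAC (02:...), so it cannot collide with a real NIC."""
    return "02:ad:ef:00:00:%02x" % index


def build_commands(ifaces, ns_test="ns_test", ns_trans="ns_trans"):
    """Return the argv lists, in execution order, that build both namespaces."""
    in_test = ["ip", "netns", "exec", ns_test]
    in_trans = ["ip", "netns", "exec", ns_trans]
    cmds = [
        ["ip", "netns", "add", ns_test],                          # step 1
        ["ip", "netns", "add", ns_trans],                         # step 4a
        in_test + ["ip", "link", "set", "lo", "up"],
        in_trans + ["ip", "link", "set", "lo", "up"],
        in_trans + ["sysctl", "-w", "net.ipv4.ip_forward=1"],     # ns_trans must route
    ]
    for i, nic in enumerate(ifaces):
        tmp = f"tv{i}"               # temporary name: the physical NIC already owns nic.name
        peer = f"{nic.name}.peer"    # ns_trans end of the veth pair (eth1 in the patent)
        mv = f"{nic.name}.mv"        # macvlan child of the physical NIC (eth2 in the patent)
        br = f"br.{nic.name}"        # bridge in ns_trans (br1 in the patent)
        mac = bridge_mac(i)
        cmds += [
            # step 3: veth pair; the ns_test end takes the original name, address and routes
            ["ip", "link", "add", tmp, "type", "veth", "peer", "name", peer],
            ["ip", "link", "set", tmp, "netns", ns_test],
            in_test + ["ip", "link", "set", tmp, "name", nic.name],
            in_test + ["ip", "addr", "add", nic.cidr, "dev", nic.name],
            in_test + ["ip", "link", "set", nic.name, "up"],
            # step 4b: virtual NIC on the physical interface, moved into ns_trans
            ["ip", "link", "add", "link", nic.name, "name", mv, "type", "macvlan"],
            ["ip", "link", "set", mv, "netns", ns_trans],
            ["ip", "link", "set", peer, "netns", ns_trans],
            # step 4c: bridge receiving the test environment's frames; its MAC is the one
            # the ARP replies advertise, so those frames reach the ns_trans IP stack
            in_trans + ["ip", "link", "add", "name", br, "type", "bridge"],
            in_trans + ["ip", "link", "set", br, "address", mac],
            in_trans + ["ip", "link", "set", peer, "master", br],
            in_trans + ["ip", "link", "set", peer, "up"],
            in_trans + ["ip", "link", "set", br, "up"],
            in_trans + ["ip", "addr", "add", nic.trans_cidr, "dev", mv],
            in_trans + ["ip", "link", "set", mv, "up"],
            # step 4d: answer every ARP request from the test side; masquerade what leaves via mv
            in_trans + ["ebtables", "-t", "nat", "-A", "PREROUTING", "-p", "ARP", "-i", peer,
                        "-j", "arpreply", "--arpreply-mac", mac],
            in_trans + ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", mv, "-j", "MASQUERADE"],
        ]
        for r in nic.routes:
            cmds.append(in_test + ["ip", "route", "add", *r])
        if nic.gateway:
            cmds.append(in_test + ["ip", "route", "add", "default", "via", nic.gateway, "dev", nic.name])
            cmds.append(in_trans + ["ip", "route", "add", "default", "via", nic.gateway, "dev", mv])
    return cmds


def teardown_commands(ns_test="ns_test", ns_trans="ns_trans"):
    """Deleting the namespaces removes the veth pairs, macvlans and bridges inside them."""
    return [["ip", "netns", "del", ns_test], ["ip", "netns", "del", ns_trans]]


def render(cmds):
    """Shell-quoted script text, for review before anything is executed."""
    return "\n".join(shlex.join(c) for c in cmds)


def run(cmds, dry_run=True):
    """Execute in order (root required); any failing command aborts the build."""
    if dry_run:
        return render(cmds)
    for c in cmds:
        subprocess.run(c, check=True)
    return None


if __name__ == "__main__":
    # constructed sample matching the embodiment: eth0 = 192.168.0.1/24, reserved 192.168.0.2
    eth0 = Iface("eth0", "192.168.0.1/24", "192.168.0.2/24", gateway="192.168.0.254")
    print(run(build_commands([eth0])))
```

Run it first with the default dry run and inspect the script; only then execute it as root with run(cmds, dry_run=False). Because the whole topology lives inside the two namespaces, teardown_commands() is all that is needed to remove it after the test, even if the build aborted halfway.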
Step 5. Scan the TCP ports (with their addresses) being listened on in the original running environment and the processes that hold them. Entries belonging to the gateway main program are excluded: only the environment the gateway main program runs in needs to be simulated, not the gateway main program itself.
Step 6. Enter the network namespace ns_test and run the TCP port listener program with the port list as its argument. The listener accepts a list of address:port pairs at start-up, for example:
0.0.0.0:22
127.0.0.1:8080
192.168.0.1:8081
For every address and port in the list, the listener creates a TCP socket, binds it to that address and port and starts listening. It does not need to accept connections; it only needs to hold the ports in the same listening state as the original processes, so that the gateway main program's own bind() fails in the test exactly as it would in the running environment.
If the listener is called tcp_bind, an example invocation is:
ip netns exec ns_test tcp_bind 0.0.0.0:22 127.0.0.1:8080 192.168.0.1:8081
Once started, the listener creates the TCP sockets and listens on those ports, reproducing the listening state of the original running environment. In this embodiment the gateway main program uses no ports of protocols other than TCP, so no other protocol is simulated.
Step 7. Start the gateway main program in the network namespace ns_test. If it fails to start, the configuration contains an error such as a port conflict; if it starts, access each site through the gateway in turn, and if a site is unreachable the configuration file contains a faulty dynamic rule. In case of a configuration error, the error log is captured and reported to the management platform.
The embodiment of the invention also discloses an active defense gateway configuration detection device, comprising: a test environment construction unit, which creates a test environment based on a network namespace, reusing the file system of the gateway main program's running environment and configuring the network interfaces, IP addresses and routing table according to that environment; an address translation space construction unit, which creates an address translation space based on a network namespace, adding a virtual network interface, a bridge and a network filtering rule for each IP address of the running environment other than the loopback address, so that each IP address of the test environment is translated into a pre-assigned address different from the IP addresses of the running environment; a listening port acquisition unit, which scans the TCP ports being listened on in the running environment and the processes holding them and produces a TCP port list from which the gateway main program's own entries are excluded; a port listening simulation unit, which starts a TCP port listener program in the test environment's network namespace with the TCP port list as its argument, the listener creating a TCP socket for, and listening on, every port in the list to reproduce the listening state of the running environment; and a configuration test unit, which starts the gateway main program in the test environment's network namespace with the new configuration file and, if it starts successfully, accesses each site through the gateway; if start-up fails or any site is unreachable, the configuration file is considered to contain an error.
In the address translation space construction unit, a network namespace ns_trans is created; for each IP address IP_a of the test environment a virtual network interface connected to the corresponding interface of the test environment is created and placed in ns_trans; a bridge is built in ns_trans and configured with an IP address IP_b, a pre-allocated address in the same network segment as the running environment's IP_a; and Netfilter rules are configured so that address resolution requests sent by the test environment are answered and IP packets sent by the test environment are forwarded to the LAN where the sites are located with IP_b as their source address.
As shown in fig. 5, the active defense gateway system disclosed in this embodiment of the present invention includes: a management platform, used to configure the gateway and display its running state; a gateway configuration program module, used to generate a configuration file after the management platform changes the configuration; a gateway main program module, used to provide reverse proxy service for the back-end sites; and a configuration detection program module, used to create a test environment after the gateway configuration program module generates a new configuration file, test the configuration file in that environment, and notify the gateway main program module to load the new configuration file once the test passes. The configuration detection program module includes:
a test environment construction unit, configured to create a test environment based on a network namespace, wherein the file system of the test environment reuses the file system of the gateway main program's operating environment, and the network interface, IP addresses and routing table of the test environment are configured according to those of the operating environment;
an address translation space construction unit, configured to create an address translation space based on a network namespace, add a virtual network interface, a network bridge and a network filtering rule for each IP address other than the loopback address in the operating environment, and translate each IP address of the test environment into a pre-designated address, wherein the pre-designated address differs from the IP address in the operating environment;
a listening port acquisition unit, configured to scan the TCP ports listened on in the operating environment and the processes that own them, to obtain a TCP port list from which the processes related to the gateway main program have been excluded;
a port listening simulation unit, configured to start a TCP port listening program in the network namespace of the test environment with the TCP port list as its parameter, wherein the TCP port listening program creates a TCP socket and listens on each TCP port in the TCP port list, so as to simulate the TCP port occupancy of the operating environment;
a configuration testing unit, configured to start the gateway main program with the new configuration file in the network namespace of the test environment, and to access each site through the gateway if the start succeeds; if the start fails or any site is inaccessible, the configuration file is considered to contain an error.
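The listening-port scan, the port-listening simulator and the port-binding part of the start-up check (the last three units above, steps 3 to 5 of claim 1), as an added Python example that is not the patent's or the applicant's code. It assumes the operating environment's listeners are read from `ss -tlnp` output and that the gateway main program's process is called `gateway-main`; the `ss` output, process names, pids and ports are all constructed. The network namespace itself is not created here (that needs root), so the simulator and the check bind on a host address passed in; the conflict semantics are the same ones the claims rely on: a port held by a non-gateway process makes the gateway's own bind fail.

```python
"""Listening-port inventory, port-occupancy simulation and port-conflict
detection for a candidate gateway configuration.

Added illustration, not code from the patent. Assumes `ss -tlnp` output as the
port inventory and "gateway-main" as the gateway main program's process name.
"""
import errno
import re
import socket

# Constructed `ss -tlnp` output of an operating environment: sshd, the gateway
# itself (80/443), a management platform and a database are listening.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("gateway-main",pid=1402,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("gateway-main",pid=1402,fd=7))
LISTEN  0       4096    127.0.0.1:8080      0.0.0.0:*          users:(("mgmt-platform",pid=977,fd=5))
LISTEN  0       128     [::]:3306           [::]:*             users:(("mysqld",pid=1210,fd=21))
"""

# Assumed process name(s) of the gateway main program. Their ports are excluded
# because the gateway under test is the one that is supposed to bind them.
GATEWAY_PROCESS_NAMES = frozenset({"gateway-main"})

_LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def listening_ports(ss_output: str, exclude=GATEWAY_PROCESS_NAMES) -> list[int]:
    """Step 3: sorted TCP port list of the operating environment with the
    gateway main program's own ports removed."""
    ports = set()
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m and m.group("proc") not in exclude:
            ports.add(int(m.group("port")))
    return sorted(ports)


def predict_conflicts(ss_output: str, new_config_ports) -> list[int]:
    """Static pre-check: ports the new configuration wants that another
    (non-gateway) process already listens on in the operating environment."""
    return sorted(set(new_config_ports) & set(listening_ports(ss_output)))


class PortListenerSimulator:
    """Step 4: hold a listening TCP socket on every port in `ports`, so the
    test namespace reproduces the port occupancy of the operating environment.
    Port 0 asks the kernel for a free port; the stand-alone run uses that so
    it needs no privileges."""

    def __init__(self, ports, host="0.0.0.0"):
        self.sockets = []
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((host, port))
            s.listen(5)
            self.sockets.append(s)

    @property
    def bound_ports(self) -> list[int]:
        return sorted(s.getsockname()[1] for s in self.sockets)

    def close(self):
        for s in self.sockets:
            s.close()
        self.sockets = []


def port_conflicts(wanted_ports, host="0.0.0.0") -> list[int]:
    """Step 5, reduced to its port-binding part: try to bind every port the
    candidate configuration wants. EADDRINUSE on any of them is the start-up
    failure that claim 5 attributes to a port conflict."""
    conflicts = []
    for port in wanted_ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
        except OSError as exc:
            if exc.errno != errno.EADDRINUSE:
                raise
            conflicts.append(port)
        finally:
            s.close()
    return conflicts


if __name__ == "__main__":
    print("ports to simulate:", listening_ports(SAMPLE_SS_OUTPUT))
    print("predicted conflicts for [80, 443, 8080]:",
          predict_conflicts(SAMPLE_SS_OUTPUT, [80, 443, 8080]))
    sim = PortListenerSimulator([0, 0], host="127.0.0.1")
    try:
        print("live conflicts:", port_conflicts(sim.bound_ports, host="127.0.0.1"))
    finally:
        sim.close()
```

In a deployment following the patent, `listening_ports` would be fed the real `ss -tlnp` output of the operating environment, and both the simulator and the gateway start would be run inside the test namespace (for example via `ip netns exec`), where they can bind the real port numbers without colliding with the live gateway. Excluding the gateway's own processes from the list is what keeps ports 80 and 443 free for the gateway under test while every other occupied port is still reported as a conflict.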
The specific working process of each module/unit described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again. The division of the modules/units is only one logical function division, and other division manners may be available in actual implementation, for example, a plurality of modules/units may be combined or may be integrated into another system.
The embodiment of the invention discloses a computer system, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the computer program realizes the steps of the active defense gateway configuration detection method when being loaded to the processor.
The embodiment of the invention discloses a computer readable storage medium, which stores a computer program, wherein the computer program is executed by a processor to realize the steps of the active defense gateway configuration detection method.
Those skilled in the art will appreciate that the technical solutions of the present invention, in essence or in the portions contributing to the prior art, can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer system (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method described in the embodiments of the present invention. The storage medium includes various media capable of storing computer programs, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Claims (10)

1. An active defense gateway configuration detection method is characterized by comprising the following steps:
creating a test environment based on a network namespace, wherein the file system of the test environment reuses the file system of the gateway main program's operating environment, and the network interface, IP addresses and routing table of the test environment are configured according to those of the operating environment;
creating an address translation space based on a network namespace, adding a virtual network interface, a network bridge and a network filtering rule for each IP address other than the loopback address in the operating environment, and translating each IP address of the test environment into a pre-designated address, wherein the pre-designated address differs from the IP address in the operating environment;
scanning the TCP ports listened on in the operating environment and the processes that own them, to obtain a TCP port list from which the processes related to the gateway main program have been excluded;
starting a TCP port listening program in the network namespace of the test environment with the TCP port list as its parameter, wherein the TCP port listening program creates a TCP socket and listens on each TCP port in the TCP port list, so as to simulate the TCP port occupancy of the operating environment;
starting the gateway main program with the new configuration file in the network namespace of the test environment, and accessing each site through the gateway if the start succeeds; if the start fails or any site is inaccessible, the configuration file is considered to contain an error.
2. The active defense gateway configuration detection method of claim 1, wherein if the gateway main program in the test environment starts successfully and each site can be accessed normally, the gateway main program in the operating environment is notified to load the new configuration file and switch to it.
3. The active defense gateway configuration detection method of claim 1, wherein when the configuration file contains an error, the error log is captured and reported.
4. The active defense gateway configuration detection method of claim 1, wherein the step of creating the address translation space comprises:
creating a network namespace ns_trans;
for each IP address IP_a in the test environment, creating a virtual network interface connected to the corresponding virtual network interface of the test environment, and placing it into the network namespace ns_trans; building a network bridge in the network namespace ns_trans and configuring on it an IP address IP_b, wherein the configured IP_b is in the same network segment as the IP address IP_a of the operating environment and is a pre-allocated address;
and configuring a Netfilter rule so that address resolution requests sent by the test environment are answered, and IP packets sent by the test environment are forwarded to the local area network where the sites are located using the configured IP address IP_b.
5. The active defense gateway configuration detection method of claim 1, wherein if the configuration file contains a port conflict, the gateway main program in the test environment fails to start; if a site is inaccessible after the gateway main program has started, this indicates that a dynamic rule in the configuration file is wrong.
6. An active defense gateway configuration detection apparatus, comprising:
a test environment construction unit, configured to create a test environment based on a network namespace, wherein the file system of the test environment reuses the file system of the gateway main program's operating environment, and the network interface, IP addresses and routing table of the test environment are configured according to those of the operating environment;
an address translation space construction unit, configured to create an address translation space based on a network namespace, add a virtual network interface, a network bridge and a network filtering rule for each IP address other than the loopback address in the operating environment, and translate each IP address of the test environment into a pre-designated address, wherein the pre-designated address differs from the IP address in the operating environment;
a listening port acquisition unit, configured to scan the TCP ports listened on in the operating environment and the processes that own them, to obtain a TCP port list from which the processes related to the gateway main program have been excluded;
a port listening simulation unit, configured to start a TCP port listening program in the network namespace of the test environment with the TCP port list as its parameter, wherein the TCP port listening program creates a TCP socket and listens on each TCP port in the TCP port list, so as to simulate the TCP port occupancy of the operating environment;
a configuration testing unit, configured to start the gateway main program with the new configuration file in the network namespace of the test environment, and to access each site through the gateway if the start succeeds; if the start fails or any site is inaccessible, the configuration file is considered to contain an error.
7. The active defense gateway configuration detection apparatus of claim 6, wherein the address translation space construction unit creates a network namespace ns_trans and, for each IP address IP_a in the test environment, creates a virtual network interface connected to the corresponding virtual network interface of the test environment and places it into the network namespace ns_trans; builds a network bridge in the network namespace ns_trans and configures on it an IP address IP_b, wherein the configured IP_b is in the same network segment as the IP address IP_a of the operating environment and is a pre-allocated address; and configures a Netfilter rule so that address resolution requests sent by the test environment are answered, and IP packets sent by the test environment are forwarded to the local area network where the sites are located using the configured IP address IP_b.
8. An active defense gateway system, comprising: a management platform, used to configure the gateway and display its running state; a gateway configuration program module, used to generate a configuration file after the management platform changes the configuration; and a gateway main program module, used to provide reverse proxy service for the back-end sites; characterized in that the system further comprises a configuration detection program module, used to create a test environment after the gateway configuration program module generates a new configuration file, test the configuration file in that environment, and notify the gateway main program module to load the new configuration file once the test passes; wherein the configuration detection program module includes:
a test environment construction unit, configured to create a test environment based on a network namespace, wherein the file system of the test environment reuses the file system of the gateway main program's operating environment, and the network interface, IP addresses and routing table of the test environment are configured according to those of the operating environment;
an address translation space construction unit, configured to create an address translation space based on a network namespace, add a virtual network interface, a network bridge and a network filtering rule for each IP address other than the loopback address in the operating environment, and translate each IP address of the test environment into a pre-designated address, wherein the pre-designated address differs from the IP address in the operating environment;
a listening port acquisition unit, configured to scan the TCP ports listened on in the operating environment and the processes that own them, to obtain a TCP port list from which the processes related to the gateway main program have been excluded;
a port listening simulation unit, configured to start a TCP port listening program in the network namespace of the test environment with the TCP port list as its parameter, wherein the TCP port listening program creates a TCP socket and listens on each TCP port in the TCP port list, so as to simulate the TCP port occupancy of the operating environment;
a configuration testing unit, configured to start the gateway main program with the new configuration file in the network namespace of the test environment, and to access each site through the gateway if the start succeeds; if the start fails or any site is inaccessible, the configuration file is considered to contain an error.
9. A computer system comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the computer program, when loaded into the processor, implements the steps of the active defense gateway configuration detection method of any one of claims 1 to 5.
10. A computer-readable storage medium in which a computer program is stored, characterized in that the computer program, when executed by a processor, carries out the steps of the active defense gateway configuration detection method of any one of claims 1 to 5.
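The address translation space of claims 4 and 7 (the address translation space construction unit in the description), as an added Python example that is not the patent's or the applicant's code. It checks the two constraints the claims place on the pre-designated address IP_b (same segment as IP_a, different from it), skips loopback addresses as claim 1 requires, and emits one assumed realization of the space: a veth pair per address, a bridge in the namespace `ns_trans` carrying IP_b, an iptables SNAT rule as the "network filtering rule", and proxy ARP on the bridge so that the test environment's address resolution requests are answered. The interface names `vt<n>`, `vx<n>`, `br<n>`, the namespace name `ns_test` and all sample addresses are constructed; the uplink from `ns_trans` to the site LAN is not covered because the patent does not specify it.

```python
"""Plan and validation for the address translation space (claims 4 and 7).

Added illustration, not code from the patent. The veth/bridge/SNAT/proxy-ARP
realization, the interface and namespace names and the addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Translation:
    ip_a: str        # address copied from the operating environment into the test environment
    ip_b: str        # pre-designated address that traffic from ip_a is translated to
    prefix: int      # prefix length of the segment both addresses share
    veth_test: str   # veth end that stays in the test namespace and carries ip_a
    veth_trans: str  # veth end moved into ns_trans and attached to the bridge
    bridge: str      # bridge in ns_trans carrying ip_b


def check_pair(ip_a_cidr: str, ip_b: str):
    """Return None if ip_b is a valid pre-designated address for the operating
    environment address ip_a_cidr ('a.b.c.d/len'), else the reason it is not."""
    iface = ipaddress.ip_interface(ip_a_cidr)
    b = ipaddress.ip_address(ip_b)
    if b not in iface.network:
        return f"{b} is not in segment {iface.network} of {iface.ip}"
    if b == iface.ip:
        return f"pre-designated address for {iface.ip} must differ from it"
    return None


def plan_translations(env_addrs, pre_designated):
    """env_addrs: operating-environment addresses as 'a.b.c.d/len' strings.
    pre_designated: mapping IP_a -> IP_b chosen by the operator.
    Loopback addresses get no translation (claim 1)."""
    plans = []
    for cidr in env_addrs:
        iface = ipaddress.ip_interface(cidr)
        if iface.ip.is_loopback:
            continue
        ip_a = str(iface.ip)
        if ip_a not in pre_designated:
            raise ValueError(f"no pre-designated address for {ip_a}")
        problem = check_pair(cidr, pre_designated[ip_a])
        if problem:
            raise ValueError(problem)
        n = len(plans)  # constructed interface names, one set per address
        plans.append(Translation(ip_a, pre_designated[ip_a], iface.network.prefixlen,
                                 f"vt{n}", f"vx{n}", f"br{n}"))
    return plans


def commands(plans, ns_test="ns_test", ns_trans="ns_trans"):
    """Shell commands realizing the plan (assumed realization; the patent only
    names the components). Returned, not executed, so this runs unprivileged."""
    out = [f"ip netns add {ns_trans}"]
    for p in plans:
        out += [
            f"ip link add {p.veth_test} type veth peer name {p.veth_trans}",
            f"ip link set {p.veth_test} netns {ns_test}",
            f"ip -n {ns_test} addr add {p.ip_a}/{p.prefix} dev {p.veth_test}",
            f"ip -n {ns_test} link set {p.veth_test} up",
            f"ip link set {p.veth_trans} netns {ns_trans}",
            f"ip -n {ns_trans} link add {p.bridge} type bridge",
            f"ip -n {ns_trans} link set {p.veth_trans} master {p.bridge}",
            f"ip -n {ns_trans} link set {p.veth_trans} up",
            f"ip -n {ns_trans} addr add {p.ip_b}/{p.prefix} dev {p.bridge}",
            f"ip -n {ns_trans} link set {p.bridge} up",
            # bridge answers the test environment's ARP requests for its next hop
            f"ip netns exec {ns_trans} sysctl -w net.ipv4.conf.{p.bridge}.proxy_arp=1",
            # packets from IP_a leave ns_trans with the pre-designated source IP_b
            f"ip netns exec {ns_trans} iptables -t nat -A POSTROUTING "
            f"-s {p.ip_a} -j SNAT --to-source {p.ip_b}",
        ]
    return out


if __name__ == "__main__":
    # constructed operating environment: loopback plus one LAN address
    plan = plan_translations(["127.0.0.1/8", "192.168.10.5/24"],
                             {"192.168.10.5": "192.168.10.250"})
    for cmd in commands(plan):
        print(cmd)
```

The point of the validation is the one the claims make implicitly: if IP_b were outside IP_a's segment the sites' LAN would not route replies back to the bridge, and if IP_b equalled IP_a the test gateway would answer with the live gateway's address and collide with it; both are rejected before any namespace is touched.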

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210881431.8A CN114944992B (en) 2022-07-26 2022-07-26 Active defense gateway configuration detection method, device and system

Publications (2)

Publication Number Publication Date
CN114944992A true CN114944992A (en) 2022-08-26
CN114944992B CN114944992B (en) 2022-10-18

Family

ID=82911261

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210881431.8A Active CN114944992B (en) 2022-07-26 2022-07-26 Active defense gateway configuration detection method, device and system

Country Status (1)

Country Link
CN (1) CN114944992B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110990221A (en) * 2019-11-26 2020-04-10 武汉大学 Kernel LKM-based Android platform malicious software automatic detection method and system
CN113381906A (en) * 2021-05-19 2021-09-10 郑州信大捷安信息技术股份有限公司 Restrictive external network access test method based on government and enterprise system business
CN113419812A (en) * 2021-05-20 2021-09-21 济南浪潮数据技术有限公司 Port forwarding test method, device, equipment and medium in virtualization environment

Also Published As

Publication number Publication date
CN114944992B (en) 2022-10-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant