CN104333549A - Data package filtering method applied to distributive firewall system - Google Patents

Info

Publication number: CN104333549A
Authority: CN (China)
Prior art keywords: packet, firewall, ipsec, data package, filtering
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN201410589071.XA
Other languages: Chinese (zh)
Inventors: 叶阿勇, 陈秋玲, 许力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Fujian Normal University
Original Assignee: Fujian Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2014-10-28
Filing date: 2014-10-28
Publication date: 2015-02-04

Classifications

    • H04L63/0245 Filtering by information in the payload (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 ... for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies)
    • H04L63/0263 Rule management (same path, under H04L63/0227 Filtering policies)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (H04L63/00 > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic)

Abstract

The invention discloses a data packet filtering method applied to a distributed firewall system. The method comprises the following steps: a policy center presets a 5-tuple filtering rule and a content filtering rule; the network firewall determines whether the 5-tuple of a data packet matches the 5-tuple filtering rule; if so, the data packet is discarded; if not, the data packet is sent to the corresponding host firewall; the host firewall receives the data packet and determines whether it is an IPSec data packet; if so, it extracts and decrypts the IPSec data packet through a hook with IPSec data packet encryption processing capability; the host firewall then filters the received data packet according to the content filtering rule; if the content of the data packet matches the content filtering rule, the data packet is discarded; otherwise, the data packet is accepted. With the adoption of the method, IPSec data packets can be filtered, and the security of IPv6 networks can be improved.

Description

A packet filtering method for a distributed firewall system
Technical field
The present invention relates to the field of network security, and in particular to a packet filtering method for a distributed firewall system.
Background technology
With the development of the Internet, IPv6 is progressively replacing IPv4 as the next-generation network protocol. IPv6 brings many new features, possibilities and improvements, particularly in terms of simplicity, routing speed, quality of service and security. The existence of the IPv6 protocol places new requirements on typical network protection mechanisms. For example, the security incidents of IPv6 differ from those of IPv4, because security attacks are independent of the IP layer and can be carried out at weak points of the transport layer or the application layer.
Firewalls are one of the most important security mechanisms within a network. They act as traffic filters for all traffic entering or leaving the local network. Much firewall software for IPv4 networks is available for different platforms. However, IPv4 firewalls cannot be deployed directly in IPv6 networks, because there are some differences between IPv4 and IPv6 in the possibilities for packet filtering. Firewalls are an obstacle to IPv6 deployment, because they negate the benefits of IPv6, such as direct end-to-end communication and IPSec (IP security).
IPSec makes it possible for IPv6 to support security services comprehensively, and it will accordingly be used frequently in IPv6 networks. IPSec provides a method for protecting IP packets by defining a way to specify which traffic is to be protected, how it is protected, and to whom it is sent. Communication encrypted with IPSec was originally designed to prevent forgery and eavesdropping by intermediaries. For an enterprise network administrator, however, it may be unwelcome, because the data is already encrypted when it leaves the user terminal, so the administrator cannot observe the user's behaviour.
IPSec defines two message formats: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH provides connectionless integrity and data origin authentication for the whole IP packet. ESP provides confidentiality, data origin authentication and connectionless integrity. In transport mode, the original IP header is retained and the new ESP or AH header is inserted between the IP header and the header of the upper-layer transport protocol, such as TCP. Using transport mode therefore means that IPSec is used between the actual source and destination of the IP message. In tunnel mode, the whole IP packet is protected and encapsulated in another IP datagram, with the IPsec header inserted between the outer IP header and the inner one. In tunnel mode, the communication endpoints are those designated in the inner IP header, and the cryptographic endpoints are those that appear in the outer IP header. Because of this flexibility, tunnel mode is the most widely used way to set up a virtual private network (VPN). Against this background, AH packets can be filtered by a firewall, because the packet is not encrypted, whereas ESP packets cannot be filtered, because ESP provides confidentiality; as a result, an attacker can bypass the access control of the packet filtering system and carry out illegal access and attacks against network users, causing losses to the users.
Summary of the invention
The technical problem to be solved by the invention is to provide a packet filtering method for a distributed firewall system that resolves the shortcoming of existing packet filtering methods, which cannot process encrypted IPSec packets and therefore allow an attacker to bypass the access control of the packet filtering system and carry out illegal access and attacks against network users.
To solve the above technical problem, the technical solution adopted by the invention is a packet filtering method for a distributed firewall system, comprising the steps:
S1: the policy center presets 5-tuple filtering rules and content filtering rules; the 5-tuple filtering rules are applied at the network firewall, and the content filtering rules are applied at the host firewall;
S2: a packet arriving at the network firewall is extracted, and it is judged whether the 5-tuple of the packet matches the 5-tuple filtering rules; if so, the packet is discarded; if not, the packet is sent to the corresponding host firewall;
S3: the host firewall receives the packet and judges whether it is an encrypted IPSec packet; if so, a hook with IPSec packet encryption processing capability is used to extract and decrypt the IPSec packet, and step S4 follows after decryption; if not, step S4 follows directly;
S4: the host firewall filters the received packet according to the content filtering rules; if the content of the packet matches a content filtering rule, the packet is discarded; if the content of the packet does not match the content filtering rules, the packet is accepted.
The beneficial effect of the invention is as follows. Unlike existing network firewalls, which cannot filter IPSec packets and therefore leave a serious network security problem, the invention filters packets with 5-tuple filtering rules and content filtering rules, and uses a hook with IPSec packet encryption processing capability at the host firewall to extract and decrypt IPSec packets and convert them into packets of IPv6 structure, so that encrypted IPSec packets can also be filtered. This effectively prevents an attacker from bypassing the access control of the packet filtering system to carry out unauthorized access and attacks against network users, and further strengthens the protection of IPv6 network security.
Brief description of the drawings
Fig. 1 is a flow chart of the packet filtering method for a distributed firewall system according to an embodiment of the invention;
Fig. 2 is a flow chart of 5-tuple rule filtering at the network firewall in an embodiment of the invention;
Fig. 3 is a flow chart of content rule filtering at the host firewall in an embodiment of the invention;
Fig. 4 is the overall flow chart of the packet filtering method for a distributed firewall system according to an embodiment of the invention;
Fig. 5 is a system architecture diagram of the distributed firewall system in an embodiment of the invention.
Detailed description of the embodiments
To explain in detail the technical content of the invention, the objects it achieves and its effects, the following description is given with reference to the embodiments and the accompanying drawings.
The most critical design of the invention is: use a hook with IPSec packet encryption processing capability to extract and decrypt IPSec data, and filter packets at the network firewall and the host firewall with 5-tuple filtering rules and content filtering rules, thereby improving network security.
Referring to Fig. 1, a packet filtering method for a distributed firewall system comprises the steps:
S1: the policy center presets 5-tuple filtering rules and content filtering rules; the 5-tuple filtering rules are applied at the network firewall, and the content filtering rules are applied at the host firewall;
S2: a packet arriving at the network firewall is extracted, and it is judged whether the 5-tuple of the packet matches the 5-tuple filtering rules; if so, the packet is discarded; if not, the packet is sent to the corresponding host firewall;
S3: the host firewall receives the packet and judges whether it is an encrypted IPSec packet; if so, a hook with IPSec packet encryption processing capability is used to extract and decrypt the IPSec packet, and step S4 follows after decryption; if not, step S4 follows directly;
S4: the host firewall filters the received packet according to the content filtering rules; if the content of the packet matches a content filtering rule, the packet is discarded; if the content of the packet does not match the content filtering rules, the packet is accepted.
Here, the 5-tuple filtering rules apply to the five-tuple that the network firewall parses from the packet header: source address, destination address, source port, destination port and protocol type. Judgement is made by an access control list, which selectively allows packets to pass: if the packet meets a rule under which packet filtering discards it, the packet is discarded; otherwise the packet is forwarded to the host firewall for content filtering.
From the foregoing description, the beneficial effect of the invention is: the invention filters packets with 5-tuple filtering rules and content filtering rules, and uses a hook with IPSec packet encryption processing capability at the host firewall to extract and decrypt IPSec packets and convert them into packets of IPv6 structure, so that encrypted IPSec packets can also be filtered. This effectively prevents an attacker from bypassing the access control of the packet filtering system to carry out unauthorized access and attacks against network users, and further strengthens the protection of IPv6 network security; the invention is particularly suitable for IPv6 networks.
Further, in step S2, the IPSec packet is interpreted as a packet of IPv6 structure, and packets are classified.
As can be seen from the above, converting IPSec packets into packets of IPv6 structure makes IPSec better suited to IPv6 networks, so that flow control protection of the network can be carried out and the security of IPv6 networks improved.
Further, in step S4, the host firewall also detects whether the packet contains a sensitive field; when a sensitive field is detected, it notifies the policy center, which generates a new rule and sends this new rule to all network firewalls;
when a network firewall detects a packet containing the sensitive field, it discards that packet.
As can be seen from the above, this technical solution makes it possible to detect at the earliest moment whether packets transmitted in the network contain a sensitive field, to update the filtering rules in time, and to filter out the packets that contain the sensitive field.
Further, the "hook with IPSec packet encryption processing capability" is a hook in a group of Linux kernel hooks with IPSec packet encryption processing capability.
Referring to Fig. 2, Fig. 3, Fig. 4 and Fig. 5, embodiment one of the invention is a packet filtering method for a distributed firewall system. As shown in Fig. 5, this embodiment adopts a distributed firewall system structure in which the policy center is communicatively connected with a policy database, the policy center is connected with the network firewall over the Internet, and the network firewall is connected with the host firewall over the Internet.
Two types of packet filtering rule are defined in the policy center, 5-tuple filtering rules and content filtering rules, which are distributed to the network firewall and the host firewall respectively.
As shown in Fig. 2, the 5-tuple filtering rules apply to the five-tuple that the network firewall parses from the packet header: source address, destination address, source port, destination port and protocol type. Judgement is made by an access control list, which selectively allows packets to pass: if the packet meets a rule under which packet filtering discards it, the packet is discarded; otherwise the packet is forwarded to the host firewall for content filtering.
The so-called access control list (ACL) means the following: to filter packets, the firewall must be configured with a series of rules that determine which packets may pass, and these rules are defined by the access control list (ACL). An ACL is a sequence of ordered rules composed of permit/deny statements, described in terms of the packet's source address, destination address, port number, protocol type and so on. The ACL classifies packets according to these rules; the rules are applied on the router interface of the firewall, and the router decides according to them which packets can be received and which must be rejected.
As shown in Fig. 3 and Fig. 4, the host firewall processes the forwarded packets (in particular, for IPSec packets, the hook with IPSec packet encryption processing capability is used to extract the decrypted IPSec packet, which is interpreted as an IPv6 packet structure and classified). Using the stored configuration information, such as the signatures and keywords that must be matched, it matches against the signatures, keywords and similar information in the packet, and analyses and judges by detecting illegal signatures, keywords and similar information in the packet content: packets in which no illegal keyword appears are accepted directly, and packets in which an illegal keyword appears are discarded directly; the rule base is then updated, the policy center is notified, and the rule is published to the network firewalls. When a packet containing such a sensitive field appears in the network, the network firewall discards it, so other hosts cannot receive it.
It can be seen from this embodiment that this packet filtering method for a distributed firewall system is applicable to IPv6 networks, can process encrypted IPSec packets, and further strengthens the protection of IPv6 network security.
In summary, the packet filtering method for a distributed firewall system provided by the invention can not only process encrypted IPSec packets, improving the protection of IPv6 network security, but can also update the detection rules in time according to detected sensitive fields, further improving network security.
The foregoing are only embodiments of the invention and do not thereby limit the scope of its claims; all equivalent changes made using the contents of the specification and drawings of the invention, or applied directly or indirectly in related technical fields, are likewise included within the scope of patent protection of the invention.
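The S1-S4 pipeline and the sensitive-field feedback loop described in this embodiment, together with the 5-tuple ACL matching of the preceding paragraphs, as an added Python simulation that is not code from the patent or its embodiment. The ESP decryption hook is a constructed SHA-256 keystream stand-in for the Linux kernel hook, the addresses and the keyword are constructed, and the form of the rule pushed to the network firewalls (the offending packet's own 5-tuple) is an assumption.

```python
from dataclasses import dataclass
import hashlib

# Constructed stand-in for the Linux kernel IPSec hook (SHA-256 counter keystream
# XOR); real ESP uses the SA's cipher. It only models "decrypt, then filter".
def esp_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes
    ipsec: bool = False  # True: payload is an ESP-encrypted body (simulated)

    def five_tuple(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

def tuple_matches(rule, five):
    # A rule is a 5-tuple pattern; "*" matches any value in that position.
    return all(r == "*" or r == v for r, v in zip(rule, five))

class PolicyCenter:
    # S1: owns the 5-tuple deny ACL and the content rules, pushes ACL updates.
    def __init__(self, acl, content_rules):
        self.acl = list(acl)
        self.content_rules = list(content_rules)
        self.network_firewalls = []

    def report_sensitive(self, pkt):
        # Claim 3 feedback: new deny rule sent to all network firewalls. Assumption:
        # the rule is the offending packet's own 5-tuple (the patent leaves its form open).
        rule = pkt.five_tuple()
        if rule not in self.acl:
            self.acl.append(rule)
            for nfw in self.network_firewalls:
                nfw.acl.append(rule)
        return rule

class NetworkFirewall:
    def __init__(self, center, host_fw):
        self.acl, self.host_fw = list(center.acl), host_fw
        center.network_firewalls.append(self)

    def handle(self, pkt):
        # S2: drop on any ACL match, else forward to the corresponding host firewall.
        if any(tuple_matches(r, pkt.five_tuple()) for r in self.acl):
            return "dropped@network"
        return self.host_fw.handle(pkt)

class HostFirewall:
    def __init__(self, center, sa_key):
        self.center, self.sa_key = center, sa_key

    def handle(self, pkt):
        # S3: encrypted IPSec packets pass through the decryption hook first.
        body = esp_xor(self.sa_key, pkt.payload) if pkt.ipsec else pkt.payload
        # S4: a content-rule match drops the packet and reports to the policy center.
        if any(k in body for k in self.center.content_rules):
            self.center.report_sensitive(pkt)
            return "dropped@host"
        return "accepted"

def run_scenario():
    # Constructed traffic: ACL-blocked source, clean packet, then an ESP packet
    # whose decrypted body carries a sensitive keyword, replayed once more.
    key = b"constructed-sa-key"
    center = PolicyCenter(acl=[("2001:db8::bad", "*", "*", "*", "*")],
                          content_rules=[b"SECRET_PROJECT"])
    net_fw = NetworkFirewall(center, HostFirewall(center, key))
    p1 = Packet("2001:db8::bad", "2001:db8::10", 4444, 80, "tcp", b"GET /")
    p2 = Packet("2001:db8::7", "2001:db8::10", 5000, 80, "tcp", b"hello")
    enc = esp_xor(key, b"leak SECRET_PROJECT")
    p3 = Packet("2001:db8::7", "2001:db8::10", 5000, 80, "tcp", enc, ipsec=True)
    return [net_fw.handle(p) for p in (p1, p2, p3, p3)]
```

The replayed ESP packet is stopped at the network firewall the second time, which is the point of the feedback loop: after one host-level content hit, the flow no longer reaches any host.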

Claims (4)

1. A packet filtering method for a distributed firewall system, characterized in that it comprises the steps:
S1: the policy center presets 5-tuple filtering rules and content filtering rules; the 5-tuple filtering rules are applied at the network firewall, and the content filtering rules are applied at the host firewall;
S2: a packet arriving at the network firewall is extracted, and it is judged whether the 5-tuple of the packet matches the 5-tuple filtering rules; if so, the packet is discarded; if not, the packet is sent to the corresponding host firewall;
S3: the host firewall receives the packet and judges whether it is an encrypted IPSec packet; if so, a hook with IPSec packet encryption processing capability is used to extract and decrypt the IPSec packet, and step S4 follows after decryption; if not, step S4 follows directly;
S4: the host firewall filters the received packet according to the content filtering rules; if the content of the packet matches a content filtering rule, the packet is discarded; if the content of the packet does not match the content filtering rules, the packet is accepted.
2. The packet filtering method for a distributed firewall system according to claim 1, characterized in that in step S3 the IPSec packet is interpreted as a packet of IPv6 structure, and packets are classified.
3. The packet filtering method for a distributed firewall system according to claim 2, characterized in that in step S4 the host firewall also detects whether the packet contains a sensitive field and, when a sensitive field is detected, notifies the policy center, which generates a new rule and sends this new rule to all network firewalls;
when a network firewall detects a packet containing the sensitive field, it discards that packet.
4. The packet filtering method for a distributed firewall system according to claim 1, characterized in that the "hook with IPSec packet encryption processing capability" is a hook in a group of Linux kernel hooks with IPSec packet encryption processing capability.
Application CN201410589071.XA, priority date 2014-10-28, filed 2014-10-28, "Data package filtering method applied to distributive firewall system", status Pending, published as CN104333549A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410589071.XA CN104333549A (en) 2014-10-28 2014-10-28 Data package filtering method applied to distributive firewall system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410589071.XA CN104333549A (en) 2014-10-28 2014-10-28 Data package filtering method applied to distributive firewall system

Publications (1)

Publication Number Publication Date
CN104333549A true CN104333549A (en) 2015-02-04

Family

ID=52408201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410589071.XA Pending CN104333549A (en) 2014-10-28 2014-10-28 Data package filtering method applied to distributive firewall system

Country Status (1)

Country Link
CN (1) CN104333549A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101964804A (en) * 2010-10-22 2011-02-02 北京工业大学 Attack defense system under IPv6 protocol and implementation method thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Yingxu Lai et al., "Design and Implementation of Distributed Firewall System for IPv6", Communication Software and Networks, 2009-06-19, pp. 1-5 *
刘增辉 et al., "基于IPv6的分布式智能防火墙系统的设计与实现" (Design and implementation of an IPv6-based distributed intelligent firewall system), 北京工业大学学报 (Journal of Beijing University of Technology), 2011-12-15, full text *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104735084A (en) * 2015-04-13 2015-06-24 国家电网公司 Firewall baseline strategy auditing method
CN105912674A (en) * 2016-04-13 2016-08-31 精硕世纪科技(北京)有限公司 Method, device and system for noise reduction and classification of data
CN109587095A (en) * 2017-09-28 2019-04-05 中国电信股份有限公司 Information security control method, device and system
CN109120612A (en) * 2018-08-06 2019-01-01 浙江衣拿智能科技有限公司 A kind of packet filtering method, system and application program
CN109120612B (en) * 2018-08-06 2021-04-30 浙江衣拿智能科技股份有限公司 Data packet filtering method, system and application program
CN109862000A (en) * 2019-01-22 2019-06-07 深圳市永达电子信息股份有限公司 A kind of end to end security method and system of Linux network layer
CN109862000B (en) * 2019-01-22 2021-08-17 深圳市永达电子信息股份有限公司 End-to-end encryption method and system for Linux network layer
CN110337137A (en) * 2019-05-22 2019-10-15 华为技术有限公司 Packet filtering method, apparatus and system
CN111447211A (en) * 2020-03-24 2020-07-24 济南诚方网络科技有限公司 Network fraud prevention system
CN116192463A (en) * 2022-12-30 2023-05-30 北京明朝万达科技股份有限公司 Data filtering method and device, electronic equipment and storage medium
CN116192463B (en) * 2022-12-30 2024-02-20 北京明朝万达科技股份有限公司 Data filtering method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150204