CN104348660B - The upgrade method and device of detecting and alarm in firewall box - Google Patents


Info

Publication number: CN104348660B
Application number: CN201310344399.0A
Authority: CN (China)
Prior art keywords: session, functional unit, message, version, new version
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN104348660A
Inventors: 李世光, 蒋武
Current assignee: XFusion Digital Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to CN201310344399.0A (CN104348660B)
Priority to PCT/CN2014/072541 (WO2015018200A1)
Publication of CN104348660A
Application granted
Publication of CN104348660B
Legal status: Active

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Abstract

The embodiments of the present invention provide an upgrade method and device for a detection engine in a firewall device. The method includes: generating a first functional unit of a new version from the software upgrade data package of the detection engine, and running the new-version first functional unit in the detection engine so that it detects first sessions; if at least one second session exists, detecting the subsequent packets of the second session with the old-version first functional unit until all second sessions have aged; and after all second sessions have aged, destroying the old-version first functional unit. The embodiments upgrade only the functional unit that needs upgrading and destroy the functional unit that was detecting a session once that session has aged, so resource usage is small, the upgrade is efficient, and security detection of existing service traffic is unaffected.

Description

Upgrade method and device for a detection engine in a firewall device
Technical field
The embodiments of the present invention relate to network technology, and in particular to an upgrade method and device for a detection engine in a firewall device.
Background art
A basic requirement of a gateway device is reliability of operation: for example, customer traffic must not be interrupted by a software version upgrade, and the user's services must be unaffected. A next-generation firewall (Next Generation Firewall, NGFW) faces higher requirements. Besides the basic forwarding control of a traditional firewall, an NGFW performs policy control based on application, user and so on, and performs security detection of the application-layer traffic flowing through the device according to specific policies. These security detections include an intrusion prevention system (Intrusion Prevention System, IPS), anti-virus (Anti-Virus, AV), uniform resource locator (Uniform Resource Locator, URL) filtering, data leak prevention (Data Leak Prevention, DLP) and others.
Because the content of application-layer traffic on a network changes quickly, the attack threats against application-layer services also change quickly. To detect these changing threats in time, the components in the NGFW device that detect the threats, such as the threat signature library or the detection engine, must be upgradable in time. The prior art has two upgrade modes. In the first, a new detection engine replaces the old one, and the old engine becomes unavailable once the upgrade succeeds. In the second, after the new detection engine has loaded successfully, the old engine continues to be used while the new one runs; that is, for a considerable period several detection engines run in the NGFW device at the same time.
In the first mode, because the old detection engine is unavailable once the upgrade completes, the subsequent packets of sessions established before the upgrade must be bypassed in order to keep the traffic through the NGFW device unaffected. Application-layer detection of that part of the traffic is then no longer effective, and if an attack occurs the NGFW device cannot detect it, which causes missed detection. In the second mode, running several copies of the detection engine at the same time consumes a great deal of the NGFW device's processing resources and reduces efficiency.
Summary of the invention
The embodiments of the present invention provide a detection engine upgrade processing method and device, to reduce the missed detection caused by detection engine upgrades in the prior art.
In a first aspect, an embodiment of the present invention provides an upgrade processing method for a detection engine in a firewall device, including: generating a first functional unit of a new version from the software upgrade data package of the detection engine, and running the new-version first functional unit in the detection engine so that it detects first sessions, where a first session is a session newly established with the firewall device after the new-version first functional unit started running;
if at least one second session exists, detecting the subsequent packets of the second session with the old-version first functional unit until all second sessions have aged, where a second session is a session that had already been established with the firewall device when the new-version first functional unit started running;
after all second sessions have aged, destroying the old-version first functional unit.
With reference to the first aspect, in a first implementation of the first aspect, after running the new-version first functional unit in the detection engine, the method further includes:
receiving a packet and determining from its header whether it belongs to a first session or to a second session;
if it belongs to a first session, detecting it with the new-version first functional unit; if it belongs to a second session, detecting it with the old-version first functional unit.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, before detecting the subsequent packets of the second session with the old-version first functional unit until all second sessions have aged, the method further includes:
establishing and storing a correspondence between three items, the old-version first functional unit, the second session, and the session state of the second session, so that it can be judged whether all second sessions have aged.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, after receiving the packet, the method further includes:
when the flag bit of the packet is a connection-termination FIN or a connection-reset RST, if the session the packet belongs to is a second session, setting the session state of that session in the correspondence to the aged state.
With reference to the first aspect or any implementation of the first aspect above, in a fourth implementation of the first aspect, the method further includes:
if the software upgrade data package also includes the upgrade data package of at least one second functional unit, generating a second functional unit of a new version and running the new-version second functional unit in the detection engine.
In a second aspect, an embodiment of the present invention provides an upgrade device for a detection engine in a firewall device, including:
an installation module, for generating a first functional unit of a new version from the software upgrade data package of the detection engine and running the new-version first functional unit in the detection engine;
a detection module, for detecting first sessions with the new-version first functional unit generated and run by the installation module, where a first session is a session newly established with the firewall device after the new-version first functional unit started running;
the detection module is further configured, if at least one second session exists, to detect the subsequent packets of the second session with the old-version first functional unit until all second sessions have aged, where a second session is a session that had already been established with the firewall device when the new-version first functional unit started running;
a destruction module, for destroying the old-version first functional unit after all second sessions have aged, triggered by the detection module.
With reference to the second aspect, in a first implementation of the second aspect, the device further includes:
a receiving module, for receiving a packet and determining from its header whether it belongs to a first session or to a second session;
the detection module is further configured to detect the packet with the new-version first functional unit if it belongs to a first session, and with the old-version first functional unit if it belongs to a second session.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the device further includes:
a storage module, for establishing and storing the correspondence between the old-version first functional unit, the second session, and the session state of the second session, so that the detection module can judge whether all second sessions have aged.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the storage module is further configured to:
when the flag bit of the packet received by the receiving module is FIN or RST, if the session the packet belongs to is a second session, set the session state of that session in the correspondence to the aged state.
With reference to the second aspect or any implementation of the second aspect above, in a fourth implementation of the second aspect, the installation module is further configured to:
if the software upgrade data package also includes the upgrade data package of at least one second functional unit, generate a second functional unit of a new version and run the new-version second functional unit in the detection engine.
The upgrade method and device for a detection engine in a firewall device of the embodiments generate a first functional unit of a new version from the software upgrade data package of the detection engine and run it in the detection engine so that it detects first sessions, a first session being a session newly established with the firewall device after the new-version first functional unit started running; if at least one second session exists, detect the subsequent packets of the second session with the old-version first functional unit until all second sessions have aged, a second session being a session that had already been established with the firewall device when the new-version first functional unit started running; and after all second sessions have aged, destroy the old-version first functional unit. Because only the functional unit that needs upgrading is upgraded rather than the whole detection engine, and the old-version functional unit that was detecting the second sessions is destroyed once all second sessions have aged, resource usage is smaller and the upgrade more efficient than the prior-art scheme of upgrading the whole detection engine; each functional unit of the detection engine in the next-generation firewall is upgraded smoothly, and security detection of existing service traffic is unaffected.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are introduced briefly below. Evidently the drawings described below illustrate only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of embodiment one of the upgrade method for a detection engine in a firewall device of the present invention;
Fig. 2 is an application scenario diagram of embodiment one of the upgrade method for a detection engine in a firewall device of the present invention;
Fig. 3 is functional unit upgrade state diagram one of embodiment one of the upgrade method for a detection engine in a firewall device of the present invention;
Fig. 4 is functional unit upgrade state diagram two of embodiment one of the upgrade method for a detection engine in a firewall device of the present invention;
Fig. 5 is functional unit upgrade state diagram three of embodiment one of the upgrade method for a detection engine in a firewall device of the present invention;
Fig. 6 is a structural diagram of embodiment one of the upgrade device for a detection engine in a firewall device of the present invention;
Fig. 7 is a structural diagram of embodiment two of the upgrade device for a detection engine in a firewall device of the present invention;
Fig. 8 is a structural diagram of embodiment one of the detection engine upgrade apparatus of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flowchart of embodiment one of the upgrade method for a detection engine in a firewall device of the present invention; Fig. 2 is the application scenario diagram of that embodiment; and Figs. 3, 4 and 5 are functional unit upgrade state diagrams one, two and three of that embodiment. The executing body of this embodiment is the upgrade device for the detection engine in a firewall device, which may be implemented in software and/or hardware. The solution of this embodiment applies to network access equipment or network switching equipment, for example a gateway device, a firewall or an NGFW.
As shown in Fig. 1, the method of this embodiment may include:
Step 101: generate a first functional unit of a new version from the software upgrade data package of the detection engine, and run the new-version first functional unit in the detection engine so that it detects first sessions; a first session is a session newly established with the firewall device after the new-version first functional unit started running.
Specifically, as shown in Fig. 2, the upgrade device for the detection engine in the firewall device of this embodiment may be arranged in an NGFW. An NGFW is mainly deployed at the Internet egress or the office-network egress to protect servers and the user hosts of the office network. Based on application identification, the NGFW performs security detection of the application-layer traffic in the network, providing security functions such as IPS detection, AV detection and URL filtering. An upgrade server is deployed in the network. If the upgrade server or the NGFW holds a software upgrade data package for a new version of a functional unit of the detection engine, such as the IPS functional unit, and the upgrade device detects that a functional unit in the detection engine, such as the IPS functional unit or the AV functional unit, needs upgrading, it generates a new-version first functional unit from the software upgrade data package of the detection engine and runs it in the detection engine, so that first sessions are detected with the new-version first functional unit; a first session is a session newly established with the firewall device after the new-version first functional unit started running. If the new-version first functional unit, for example the AV functional unit, also has a corresponding new signature library, that library is loaded and updated at the same time; the signature library contains, for example, information about many viruses.
In this embodiment, detection of a needed functional unit upgrade may be triggered on a timer: the upgrade server communicates with the NGFW, obtains the version state of each functional unit of the detection engine in the NGFW in real time, and compares it with the version state on the upgrade server to learn whether an upgrade is needed. It may also be triggered manually; for example, when the upgrade server does not communicate with the NGFW, the software upgrade data package may be downloaded to the NGFW manually and the upgrade component in the NGFW judges whether an upgrade is needed. If several functional units need upgrading at the same time, they may be upgraded simultaneously or in sequence, that is, the next functional unit is upgraded after the upgrade of the previous one completes.
Step 102: if at least one second session exists, detect the subsequent packets of the second session with the old-version first functional unit until all second sessions have aged; a second session is a session that had already been established with the firewall device when the new-version first functional unit started running.
Specifically, as shown in Fig. 3, if a second session, for example session 1, is a session that had already been established with the firewall device when the new-version first functional unit started running, then the old-version first functional unit, for example IPS functional unit version 1, performs security detection on the subsequent packets of session 1. The subsequent packets of a second session are the packets belonging to that session received after the new-version first functional unit started running. Since the AV functional unit has not been upgraded, a packet of session 1 is sent to AV functional unit version 1 for security detection after IPS functional unit version 1 has detected it. If a first session, for example session 2, is a session newly established with the firewall device after the new-version first functional unit started running, then the new-version first functional unit, for example IPS functional unit version 2, performs security detection on it. As shown in Fig. 4, if the AV functional unit has been upgraded before the packet is sent to it, so that a new AV functional unit version 2 has been generated and is running in the detection engine, the packets of session 2 are detected with the new-version AV functional unit version 2; as shown in Fig. 3, if the AV functional unit has not been upgraded, AV functional unit version 1 continues to perform security detection.
In this embodiment, as shown in Fig. 3, application identification may be performed after session flow distribution: the received packet is identified by application, and the corresponding functional unit is looked up to perform security detection. Fig. 3 illustrates only the IPS functional unit and the AV functional unit; in practice the detection engine may include more functional units, such as a URL filtering functional unit or a DLP functional unit. After security detection, the corresponding action is taken according to the detection result, for example block, alert, log or allow.
Step 103: after all second sessions have aged, destroy the old-version first functional unit.
Specifically, as shown in Fig. 5, after all the sessions established with the firewall device before the new-version first functional unit ran in the detection engine, such as session 1, have aged, the old-version functional unit of the detection engine used by session 1, such as IPS functional unit version 1, is destroyed; session 2 continues to use IPS functional unit version 2 and AV functional unit version 1 for security detection. Aging means that both sides of a Transmission Control Protocol (TCP) connection have sent a connection-termination FIN or connection-reset RST packet. If the upgrade device of the detection engine later detects that the IPS functional unit in the detection engine needs upgrading again, it generates a new-version first functional unit, such as IPS functional unit version 3, in the detection engine from the obtained software upgrade data package and runs it; a session 3 newly established at that time is detected with the new IPS functional unit version 3 and AV functional unit version 2. After session 2 has aged (and no other session is being detected with IPS functional unit version 2 and AV functional unit version 1), IPS functional unit version 2 and AV functional unit version 1, which session 2 used, are destroyed.
The terms "first" and "second" in first functional unit, second functional unit, first session and second session of this embodiment do not indicate order; they only distinguish different functional units and sessions. First, second and so on in the following text likewise only distinguish different components, versions, sessions and so on.
In this embodiment, a first functional unit of a new version is generated from the software upgrade data package of the detection engine and run in the detection engine so that it detects first sessions, a first session being a session newly established with the firewall device after the new-version first functional unit started running; if at least one second session exists, the subsequent packets of the second session are detected with the old-version first functional unit until all second sessions have aged, a second session being a session that had already been established with the firewall device when the new-version first functional unit started running; and after all second sessions have aged, the old-version first functional unit is destroyed. Because only the functional unit that needs upgrading is upgraded rather than the whole detection engine, and the old-version functional unit that was detecting the second sessions is destroyed once all second sessions have aged, resource usage is smaller and the upgrade more efficient; each functional unit of the detection engine in the next-generation firewall is upgraded smoothly, and security detection of existing service traffic is unaffected.
In embodiment two of the upgrade method for a detection engine in a firewall device of the present invention, on the basis of the method embodiment shown in Fig. 1, the method may further include:
receiving a packet and determining from its header whether it belongs to a first session or to a second session;
if it belongs to a first session, detecting it with the new-version first functional unit; if it belongs to a second session, detecting it with the old-version first functional unit.
Specifically, as shown in Fig. 3, the NGFW receives a packet and determines from its header whether it belongs to a first session such as session 2 or to a second session such as session 1. If it belongs to a first session such as session 2, the new-version first functional unit, IPS functional unit version 2, detects it; if it belongs to a second session such as session 1, the old-version first functional unit, IPS functional unit version 1, detects it.
Further, before detecting the subsequent packets of the second session with the old-version first functional unit until all second sessions have aged, the method of this embodiment further includes:
establishing and storing the correspondence between the old-version first functional unit, the second session, and the session state of the second session, so that it can be judged whether all second sessions have aged;
optionally, also establishing and storing the correspondence between the new-version first functional unit, the first session, and the session state of the first session, so that when the first functional unit is upgraded again it can be judged whether all first sessions have aged.
Specifically, as shown in Fig. 3, the upgrade device for the detection engine in the firewall device may establish and store: the correspondence between IPS functional unit version 1 and AV functional unit version 1, session 1, and the session state of session 1; the correspondence between IPS functional unit version 2 and AV functional unit version 1, session 2, and the session state of session 2; and, as shown in Fig. 4, the correspondence between session 2 and IPS functional unit version 2 and AV functional unit version 2. As shown in Table 1, these correspondences are used to judge whether all sessions have aged, which makes it easy to judge whether each functional unit is to be destroyed and which version of a functional unit performs security detection on the subsequent packets of a session. In Table 1 the first column is the correspondence number, the second the functional unit version, the third the session, and the fourth the session state.
Table 1

Correspondence   Functional unit version         Session     Session state
1                IPS functional unit version 1   Session 1   Not aged
2                AV functional unit version 1    Session 1   Not aged
3                IPS functional unit version 2   Session 2   Not aged
4                AV functional unit version 1    Session 2   Not aged
Further, after receiving the packet, the method may also include:
when the flag bit of the packet is a connection-termination FIN or a connection-reset RST, if the session the packet belongs to is a second session, setting the session state of that session in the correspondence to the aged state.
Optionally, if the session the packet belongs to is a first session, setting the session state of that session in the correspondence to the aged state.
Specifically, as shown in Table 1, when the flag bit of a transmitted service packet is a connection-termination FIN or a connection-reset RST and the session the packet belongs to is session 1, the session state in correspondences 1 and 2, which correspond to session 1, is set to the aged state. If at that point no other session is being detected with IPS functional unit version 1, then all sessions detected with IPS functional unit version 1 have aged and IPS functional unit version 1 is destroyed; the packets of subsequently established sessions are all detected with IPS functional unit version 2 and AV functional unit version 1.
Further, the method can also further include:
If further including the upgrading data packet of at least one second functional unit in software upgrade data packet, new version is generated The second functional unit, and in detecting and alarm run new version the second functional unit.
Specifically, if in software upgrade data packet further including the upgrading data packet of at least one second functional unit, as When include IPS functional units and AV functional units upgrading data packet, then generate the first functional unit such as IPS functions of new version Component version 2 and the second functional unit such as AV functional units version 2 for generating new version, and new edition is run in detecting and alarm This second functional unit;If further including the upgrading data packet of two the second functional units in software upgrade data packet, such as AV work( The upgrading data packet of energy component and DLP functional units then generates the second functional unit such as AV functional units of two new versions Version 2 and DLP functional unit version 2s.
The present embodiment, by the first functional unit, the first session and the meeting of the first session of establishing and store new version The correspondence of speech phase three is established so that whether aging judges to all first sessions and stores legacy version The first functional unit, the second session and the correspondence of the session status three of the second session, for all described Whether aging is judged for two sessions;Message is received, determines that message belongs to the message of the first session according to the heading of message, or Person belongs to the message of the second session, if the message of the first session, is detected using the first functional unit of new version, if belonging to In the message of the second session, then the first functional unit of legacy version is applied to be detected, when the flag bit of message is to terminate line It is ageing state by the session state setting of the affiliated session of message, if in software upgrade data packet when FIN or line reset RST Further include the upgrading data packet of at least one second functional unit, then generates the second functional unit of new version, and draw in detection The second functional unit of middle operation new version is held up, resource occupation is smaller, and upgrading is efficient, realizes and is examined in next generation firewall The safety detection of the smooth upgrade and existing service traffics of surveying each functional unit of engine is unaffected.
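As an added illustration (not code from the patent), the following Python simulation models the correspondence table of Table 1 and the aging-driven destruction of an old functional unit version: a new session is bound to the versions current at its creation, a FIN or RST marks that session's rows as aging, and a retired version is destroyed only once no non-aging session still references it. The names Component, Entry and DetectionEngine are assumptions, and the traffic is constructed.

```python
"""Session-pinned hot upgrade of detection-engine functional units (constructed simulation)."""
from dataclasses import dataclass
from typing import Dict, List

FIN = 0x01  # TCP FIN flag bit
RST = 0x04  # TCP RST flag bit


@dataclass(eq=False)
class Component:
    """One functional unit (IPS, AV, DLP, ...) at one version; compared by identity."""
    name: str
    version: int
    destroyed: bool = False

    def inspect(self, session_id: str, payload: bytes) -> str:
        # Stand-in for the real detection logic (signature matching etc.).
        if self.destroyed:
            raise RuntimeError(f"{self} used after it was destroyed")
        return f"{self}:{session_id}:pass"

    def __str__(self) -> str:
        return f"{self.name}v{self.version}"


@dataclass
class Entry:
    """One row of the correspondence table: functional unit version, session, session state."""
    component: Component
    session_id: str
    aging: bool = False  # False = non-aging state, True = aging state


class DetectionEngine:
    def __init__(self, chain: List[Component]):
        # Functional units in the serial order in which a message traverses them.
        self.order: List[str] = [c.name for c in chain]
        self.current: Dict[str, Component] = {c.name: c for c in chain}
        self.table: List[Entry] = []                  # the correspondence table (Table 1)
        self.bound: Dict[str, List[Component]] = {}  # session -> versions pinned to it
        self.retired: List[Component] = []            # old versions awaiting destruction

    def upgrade(self, package: Dict[str, int]) -> List[str]:
        """Install the versions in an upgrade package {unit: version}; old ones stay for bound sessions."""
        for name, version in package.items():
            old = self.current.get(name)
            if old is None:                  # unit not present yet: append it to the chain
                self.current[name] = Component(name, version)
                self.order.append(name)
            elif version > old.version:
                self.retired.append(old)
                self.current[name] = Component(name, version)
        return self._destroy_unreferenced()

    def receive(self, session_id: str, flags: int, payload: bytes) -> List[str]:
        """Dispatch one message: a new session binds to the current versions, an old one keeps its own."""
        if session_id not in self.bound:
            chain = [self.current[n] for n in self.order]
            self.bound[session_id] = chain
            self.table.extend(Entry(c, session_id) for c in chain)
        verdicts = [c.inspect(session_id, payload) for c in self.bound[session_id]]
        if flags & (FIN | RST):              # session ends: mark its rows as aging
            for entry in self.table:
                if entry.session_id == session_id:
                    entry.aging = True
            self._destroy_unreferenced()
        return verdicts

    def _destroy_unreferenced(self) -> List[str]:
        """Destroy a retired version only when every session bound to it is aging."""
        destroyed, keep = [], []
        for comp in self.retired:
            if any(e.component is comp and not e.aging for e in self.table):
                keep.append(comp)
            else:
                comp.destroyed = True
                destroyed.append(str(comp))
        self.retired = keep
        return destroyed


def run_table1_scenario() -> dict:
    """Replay Table 1: session 1 predates the IPS upgrade, session 2 follows it, session 1 ends with FIN."""
    ips_v1, av_v1 = Component("IPS", 1), Component("AV", 1)
    engine = DetectionEngine([ips_v1, av_v1])
    engine.receive("session1", 0, b"GET / HTTP/1.1")             # constructed traffic
    destroyed_at_upgrade = engine.upgrade({"IPS": 2})             # IPS v1 still referenced
    engine.receive("session2", 0, b"GET /index HTTP/1.1")
    s1_after_upgrade = engine.receive("session1", 0, b"GET /x HTTP/1.1")
    engine.receive("session1", FIN, b"")                         # session 1 ages out
    engine.receive("session3", 0, b"GET /y HTTP/1.1")
    return {
        "session1_chain": [str(c) for c in engine.bound["session1"]],
        "session2_chain": [str(c) for c in engine.bound["session2"]],
        "session3_chain": [str(c) for c in engine.bound["session3"]],
        "session1_verdicts_after_upgrade": s1_after_upgrade,
        "destroyed_at_upgrade": destroyed_at_upgrade,
        "destroyed_after_fin": [str(c) for c in (ips_v1, av_v1) if c.destroyed],
    }
```

Running run_table1_scenario() shows IPS version 1 surviving the upgrade while session 1 is open and being destroyed right after session 1's FIN, while AV version 1 stays because session 2 still uses it.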
Fig. 6 is a structural schematic diagram of embodiment one of the update device for the detection engine in a firewall device of the present invention. As shown in Fig. 6, the device 50 of this embodiment may include an installation module 501, a detection module 502 and a destruction module 503. The installation module 501 is configured to generate a first functional unit of a new version according to the software upgrade data packet of the detection engine, and to run the first functional unit of the new version in the detection engine. The detection module 502 is configured to detect the first session using the first functional unit of the new version generated and run by the installation module 501; the first session is a session newly established with the firewall device after the first functional unit of the new version is run. The detection module 502 is further configured, if at least one second session exists, to detect the subsequent messages of the second session using the first functional unit of the old version until all second sessions have aged; the second session is a session established with the firewall device when the first functional unit of the new version is run. The destruction module 503 is configured to destroy the first functional unit of the old version after all second sessions have aged, triggered by the detection module 502.
The device of this embodiment may be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not described again here.
Fig. 7 is a structural schematic diagram of embodiment two of the update device for the detection engine in a firewall device of the present invention. As shown in Fig. 7, on the basis of the structure of the device 50 shown in Fig. 5, the device of this embodiment may further include a receiving module 504. The receiving module 504 is configured to receive a message and to determine, according to the header of the message, whether the message belongs to the first session or to the second session. The detection module 502 is further configured to detect a message belonging to the first session using the first functional unit of the new version, and a message belonging to the second session using the first functional unit of the old version.
Further, the device of this embodiment may also include:
A storage module 505, configured to establish and store the correspondence among the first functional unit of the old version, the second session and the session state of the second session, so that the detection module can judge whether each second session has aged.
Optionally, the storage module 505 may also be configured to establish and store the correspondence among the first functional unit of the old version, the first session and the session state of the first session, so that the detection module can judge whether each first session has aged.
The storage module 505 is further configured to:
When the flag bit of the message received by the receiving module 504 is FIN or RST, if the session to which the message belongs is the second session, set the session state of that session to the aging state in the correspondence stored by the storage module 505.
Optionally, the storage module 505 is further configured to:
When the flag bit of the message received by the receiving module 504 is FIN or RST, if the session to which the message belongs is the first session, set the session state of that session to the aging state in the correspondence stored by the storage module 505.
Optionally, the installation module 501 is further configured to:
If the software upgrade data packet further includes the upgrade data packet of at least one second functional unit, generate a second functional unit of the new version and run the second functional unit of the new version in the detection engine.
The device of this embodiment may be used to execute the technical solution of method embodiment two; its implementation principle and technical effect are similar and are not described again here.
Fig. 8 is a structural schematic diagram of embodiment one of the update equipment for the detection engine of the present invention. As shown in Fig. 8, the update equipment 70 for the detection engine provided by this embodiment includes a bus 701, a receiver 702, a processor 703 and a memory 704. The bus 701 connects the receiver 702, the processor 703 and the memory 704 and transfers information between them; the receiver 702 is configured to receive messages; the memory 704 stores execution instructions; and when the update equipment 70 runs, the processor 703 communicates with the memory 704 and runs the code stored in the memory 704 to perform the following operations:
Generating a first functional unit of a new version according to the software upgrade data packet of the detection engine, and running the first functional unit of the new version in the detection engine, so as to detect the first session using the first functional unit of the new version; the first session is a session newly established with the firewall device after the first functional unit of the new version is run;
If at least one second session exists, detecting the subsequent messages of the second session using the first functional unit of the old version until all second sessions have aged; the second session is a session established with the firewall device when the first functional unit of the new version is run;
After all second sessions have aged, destroying the first functional unit of the old version.
Preferably, before the step of detecting, if at least one second session exists, the subsequent messages of the second session using the first functional unit of the old version until all second sessions have aged, the memory 704 is further used for:
Establishing and storing the correspondence among the first functional unit of the old version, the second session and the session state of the second session, so as to judge whether each second session has aged.
Optionally, the memory 704 is further used for establishing and storing the correspondence among the first functional unit of the new version, the first session and the session state of the first session, so as to judge whether each first session has aged.
Optionally, the processor 703 is further configured to determine, according to the header of the message received by the receiver 702, whether the message belongs to the first session or to the second session;
If the message belongs to the first session, it is detected using the first functional unit of the new version; if it belongs to the second session, it is detected using the first functional unit of the old version.
Optionally, the processor 703 is further configured, when the flag bit of the message received by the receiver 702 is FIN or RST, if the session to which the message belongs is the second session, to set the session state of that session to the aging state in the correspondence.
Optionally, the processor 703 is further configured to:
When the flag bit of the message received by the receiver 702 is FIN or RST, if the session to which the message belongs is the first session, set the session state of that session to the aging state in the correspondence.
Optionally, the processor 703 is further configured to:
If the software upgrade data packet further includes the upgrade data packet of at least one second functional unit, generate a second functional unit of the new version and run the second functional unit of the new version in the detection engine.
The equipment of this embodiment may be used to execute the technical solution of the method embodiment; its implementation principle and technical effect are similar and are not described again here.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely exemplary; the division into units is only a division by logical function, and in actual implementation there may be other divisions: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute some of the steps of the methods of the embodiments of the present invention. The storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the division into the functional modules above is used only as an example; in practical application, the functions above may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the device described above, reference may be made to the corresponding process in the method embodiments, which is not repeated here.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents; such modifications or replacements do not make the essence of the corresponding technical solution depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for upgrading a detection engine in a firewall device, characterized in that the detection engine includes a first functional unit and at least one second functional unit, the first functional unit and each second functional unit implement mutually independent security detection functions, and the first functional unit and the second functional unit process messages in a serial manner, the method including:
generating a first functional unit of a new version according to a software upgrade data packet of the detection engine, running the first functional unit of the new version in the detection engine, and detecting a first session using the first functional unit of the new version, the first session being a session newly established with the firewall device after the first functional unit of the new version is run;
if, before a message of the first session is sent by the first functional unit of the new version to the second functional unit, the second functional unit has not been upgraded, detecting the first session using a second functional unit of an old version, and establishing and storing a correspondence among the first functional unit of the new version, the second functional unit of the old version, the first session and the session state of the first session, so as to judge whether the first session has aged;
if at least one second session exists, detecting subsequent messages of the second session using a first functional unit of the old version until all second sessions have aged, the second session being a session established with the firewall device when the first functional unit of the new version is run;
after all second sessions have aged, destroying the first functional unit of the old version.
2. The method according to claim 1, characterized in that, after running the first functional unit of the new version in the detection engine, the method further includes:
receiving a message, and determining, according to the header of the message, whether the message belongs to the first session or to the second session;
if the message belongs to the first session, detecting it using the first functional unit of the new version; if it belongs to the second session, detecting it using the first functional unit of the old version.
3. The method according to claim 2, characterized in that, before detecting, if at least one second session exists, the subsequent messages of the second session using the first functional unit of the old version until all second sessions have aged, the method further includes:
establishing and storing a correspondence among the first functional unit of the old version, the second session and the session state of the second session, so as to judge whether each second session has aged.
4. The method according to claim 3, characterized in that, after receiving the message, the method further includes:
when the flag bit of the message is FIN or RST, if the session to which the message belongs is the second session, setting the session state of that session to the aging state in the correspondence.
5. The method according to any one of claims 1 to 4, characterized in that the method further includes:
if the software upgrade data packet further includes an upgrade data packet of at least one second functional unit, generating a second functional unit of the new version, and running the second functional unit of the new version in the detection engine.
6. A device for upgrading a detection engine in a firewall device, characterized in that the detection engine includes a first functional unit and at least one second functional unit, the first functional unit and each second functional unit implement mutually independent security detection functions, and the first functional unit and the second functional unit process messages in a serial manner, the device including:
an installation module, configured to generate a first functional unit of a new version according to a software upgrade data packet of the detection engine, and to run the first functional unit of the new version in the detection engine;
a detection module, configured to detect a first session using the first functional unit of the new version generated and run by the installation module, the first session being a session newly established with the firewall device after the first functional unit of the new version is run;
wherein if, before a message of the first session is sent by the first functional unit of the new version to the second functional unit, the second functional unit has not been upgraded, the detection module is further configured to detect the first session using a second functional unit of an old version, and to establish and store a correspondence among the first functional unit of the new version, the second functional unit of the old version, the first session and the session state of the first session, so as to judge whether the first session has aged;
the detection module is further configured, if at least one second session exists, to detect subsequent messages of the second session using a first functional unit of the old version until all second sessions have aged, the second session being a session established with the firewall device when the first functional unit of the new version is run;
a destruction module, configured to destroy the first functional unit of the old version after all second sessions have aged, triggered by the detection module.
7. The device according to claim 6, characterized in that the device further includes:
a receiving module, configured to receive a message and to determine, according to the header of the message, whether the message belongs to the first session or to the second session;
the detection module being further configured to detect a message belonging to the first session using the first functional unit of the new version, and a message belonging to the second session using the first functional unit of the old version.
8. The device according to claim 7, characterized in that the device further includes:
a storage module, configured to establish and store a correspondence among the first functional unit of the old version, the second session and the session state of the second session, so that the detection module can judge whether each second session has aged.
9. The device according to claim 8, characterized in that the storage module is further configured to:
when the flag bit of the message received by the receiving module is FIN or RST, if the session to which the message belongs is the second session, set the session state of that session to the aging state in the correspondence.
10. The device according to any one of claims 6 to 9, characterized in that the installation module is further configured to:
if the software upgrade data packet further includes an upgrade data packet of at least one second functional unit, generate a second functional unit of the new version, and run the second functional unit of the new version in the detection engine.
CN201310344399.0A 2013-08-08 2013-08-08 The upgrade method and device of detecting and alarm in firewall box Active CN104348660B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310344399.0A CN104348660B (en) 2013-08-08 2013-08-08 The upgrade method and device of detecting and alarm in firewall box
PCT/CN2014/072541 WO2015018200A1 (en) 2013-08-08 2014-02-26 Method and apparatus for upgrading detection engine in firewall device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310344399.0A CN104348660B (en) 2013-08-08 2013-08-08 The upgrade method and device of detecting and alarm in firewall box

Publications (2)

Publication Number Publication Date
CN104348660A CN104348660A (en) 2015-02-11
CN104348660B true CN104348660B (en) 2018-08-21

Family

ID=52460606

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310344399.0A Active CN104348660B (en) 2013-08-08 2013-08-08 The upgrade method and device of detecting and alarm in firewall box

Country Status (2)

Country Link
CN (1) CN104348660B (en)
WO (1) WO2015018200A1 (en)

Also Published As

Publication number Publication date
WO2015018200A1 (en) 2015-02-12
CN104348660A (en) 2015-02-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211227

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: Super fusion Digital Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.