CN104348660B - Method and device for upgrading a detection engine in a firewall device - Google Patents
- Publication number: CN104348660B (application CN201310344399.0A)
- Authority: CN (China)
- Prior art keywords: session, functional unit, message, version, new version
- Prior art date
- Legal status: Active (an assumption by Google, not a legal conclusion; no legal analysis was performed)
Classifications (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/02: Network security architectures or protocols for separating internal from external traffic, e.g. firewalls
- H04L63/0227: Filtering policies
- H04L63/20: Network security architectures or protocols for managing network security; network security policies in general
- H04L67/00: Network arrangements or protocols for supporting network services or applications
- H04L67/34: Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
Abstract
Embodiments of the present invention provide a method and a device for upgrading a detection engine in a firewall device. The method includes: generating a new-version first functional component from the software upgrade package of the detection engine and running it in the detection engine, so that the new-version first functional component inspects first sessions (sessions established after it started running); if at least one second session exists (a session that was already established when the new version started running), inspecting the subsequent packets of the second session with the old-version first functional component until all second sessions have aged; and, after all second sessions have aged, destroying the old-version first functional component. Because only the functional component that needs upgrading is upgraded, and the component that inspected a session is destroyed only after that session has aged, resource usage is small, the upgrade is efficient, and security inspection of existing service traffic is unaffected.
Description
Technical field
Embodiments of the present invention relate to network technology, and in particular to a method and device for upgrading a detection engine in a firewall device.
Background technology
One basic demand of gateway device is the reliability of equipment work, such as customer flow is not because of the liter of software version
Grade and interrupt, the business of user is unaffected.To next generation firewall(Next Generation Firewall, abbreviation NGFW)
For this gateway device, higher requirement is needed, NGFW not only has the basic forwarding control function of traditional firewall, also
Safety detection is done to the application layer traffic for flowing through the equipment based on policy controls such as application, users, and according to specific strategy,
These safety detections include intrusion prevention system(Intrusion Prevention System, abbreviation IPS), anti-virus
(Anti-Virus, abbreviation AV), uniform resource locator(Uniform Resource Locator, abbreviation URL)Filtering, data
Leakage protection(Data Leak Prevention, abbreviation DLP)Deng.
Due to application layer traffic on network content change quickly, the attack for application layer service threatens same variation very
Soon.Threat in order to change to these is detected in time, it is necessary to be ensured in NGFW equipment detecting above-mentioned threat
Component, such as threat characteristics library or detecting and alarm can be upgraded in time.Upgrading mode in the prior art, it is a kind of
It is that new detecting and alarm replaces old detecting and alarm, upgrading successfully rear old detecting and alarm will be unavailable;Another kind is new inspection
After survey engine successfully loads, continue to use old detecting and alarm when running new detecting and alarm, that is, considerably long
A period of time in, in NGFW equipment simultaneously run a variety of detecting and alarms.
Above-mentioned first way, since detecting and alarm old after the completion of upgrading is unavailable, then in order to ensure to flow through NGFW
The flow of equipment is unaffected, it is necessary to which the subsequent packet flow to upgrading the session having built up before, which is done, to be passed through(bypass)
Processing, actually no longer valid to the detection of the application layer of this partial discharge, at this time in case of attacking, then NGFW equipment can not be examined
It measures that missing inspection can be caused;The second way, while running more parts of detecting and alarms, very to the consumption of the process resource of NGFW equipment
Greatly, efficiency is influenced.
Summary of the invention
Embodiments of the present invention provide a method and device for upgrading a detection engine, to reduce the missed detections that the prior art incurs during a detection-engine upgrade.
In a first aspect, an embodiment provides a method for upgrading a detection engine in a firewall device, including:
generating a new-version first functional component from the software upgrade package of the detection engine, and running the new-version first functional component in the detection engine, so that it inspects a first session, where a first session is a session newly established with the firewall device after the new-version first functional component started running;
if at least one second session exists, inspecting the subsequent packets of the second session with the old-version first functional component until all second sessions have aged, where a second session is a session already established with the firewall device when the new-version first functional component started running;
after all second sessions have aged, destroying the old-version first functional component.
With reference to the first aspect, in a first implementation of the first aspect, after running the new-version first functional component in the detection engine, the method further includes:
receiving a packet and determining from its packet header whether it belongs to a first session or to a second session;
if it belongs to a first session, inspecting it with the new-version first functional component; if it belongs to a second session, inspecting it with the old-version first functional component.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, before inspecting the subsequent packets of the second session with the old-version first functional component until all second sessions have aged, the method further includes:
establishing and storing a correspondence among three items, the old-version first functional component, the second session and the session state of the second session, so that whether all second sessions have aged can be judged.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, after receiving the packet, the method further includes:
when the flag bit of the packet is FIN (finish) or RST (reset), if the session to which the packet belongs is a second session, setting the session state of that session in the correspondence to the aged state.
With reference to the first aspect or any of the above implementations of the first aspect, in a fourth implementation of the first aspect, the method further includes:
if the software upgrade package also contains an upgrade package for at least one second functional component, generating a new-version second functional component and running it in the detection engine.
In a second aspect, an embodiment provides a device for upgrading a detection engine in a firewall device, including:
an installation module, for generating a new-version first functional component from the software upgrade package of the detection engine and running it in the detection engine;
a detection module, for inspecting a first session with the new-version first functional component generated and run by the installation module, where a first session is a session newly established with the firewall device after the new-version first functional component started running;
the detection module being further used, if at least one second session exists, to inspect the subsequent packets of the second session with the old-version first functional component until all second sessions have aged, where a second session is a session already established with the firewall device when the new-version first functional component started running;
a destruction module, for destroying the old-version first functional component after all second sessions have aged, triggered by the detection module.
With reference to the second aspect, in a first implementation of the second aspect, the device further includes:
a receiving module, for receiving a packet and determining from its packet header whether it belongs to a first session or to a second session;
the detection module being further used to inspect the packet with the new-version first functional component if it belongs to a first session, and with the old-version first functional component if it belongs to a second session.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the device further includes:
a storage module, for establishing and storing the correspondence among the old-version first functional component, the second session and the session state of the second session, so that the detection module can judge whether all second sessions have aged.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the storage module is further used to:
when the flag bit of a packet received by the receiving module is FIN or RST, if the session to which the packet belongs is a second session, set the session state of that session in the correspondence to the aged state.
With reference to the second aspect or any of the above implementations of the second aspect, in a fourth implementation of the second aspect, the installation module is further used to:
if the software upgrade package also contains an upgrade package for at least one second functional component, generate a new-version second functional component and run it in the detection engine.
In the method and device for upgrading a detection engine in a firewall device of these embodiments, a new-version first functional component is generated from the software upgrade package of the detection engine and run in the detection engine to inspect first sessions, i.e. sessions newly established with the firewall device after the new-version component started running; if at least one second session exists, i.e. a session already established with the firewall device when the new-version component started running, its subsequent packets are inspected with the old-version first functional component until all second sessions have aged; and after all second sessions have aged, the old-version first functional component is destroyed. Because only the functional component that needs upgrading is upgraded, rather than the whole detection engine, and the old-version component that inspected the second sessions is destroyed once all of them have aged, the scheme uses fewer resources and upgrades more efficiently than the prior-art scheme of replacing the entire detection engine. Each functional component of the NGFW detection engine is upgraded smoothly, and security inspection of existing service traffic is unaffected.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing them are introduced briefly below. The drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of embodiment one of the method for upgrading a detection engine in a firewall device of the present invention;
Fig. 2 is a schematic diagram of the application scenario of method embodiment one;
Fig. 3 is functional component upgrade state diagram one of method embodiment one;
Fig. 4 is functional component upgrade state diagram two of method embodiment one;
Fig. 5 is functional component upgrade state diagram three of method embodiment one;
Fig. 6 is a structural diagram of embodiment one of the device for upgrading a detection engine in a firewall device of the present invention;
Fig. 7 is a structural diagram of embodiment two of the device for upgrading a detection engine in a firewall device of the present invention;
Fig. 8 is a structural diagram of embodiment one of the detection engine upgrading apparatus of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them; all other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flowchart of embodiment one of the method for upgrading a detection engine in a firewall device of the present invention; Fig. 2 is a schematic diagram of the application scenario of method embodiment one; Figs. 3, 4 and 5 are functional component upgrade state diagrams one, two and three of method embodiment one. The executing entity of this embodiment is the device for upgrading the detection engine in a firewall device, which can be implemented in software and/or hardware. The scheme of this embodiment applies to network access equipment or network switching equipment, such as gateway devices, firewalls and NGFWs.
As shown in Fig. 1, the method of this embodiment may include:
Step 101: generate a new-version first functional component from the software upgrade package of the detection engine, and run it in the detection engine so that it inspects first sessions, a first session being a session newly established with the firewall device after the new-version first functional component started running.
Specifically, as shown in Fig. 2, the device for upgrading the detection engine may be arranged in a firewall device such as an NGFW. An NGFW is mainly deployed at the Internet egress or the egress of an office network, protecting servers and the user hosts of the office network. Based on application identification, the NGFW performs security inspection mainly on the application-layer traffic in the network, such as IPS inspection, AV inspection and URL filtering. An upgrade server is deployed in the network. If the upgrade server or the NGFW holds a software upgrade package for a functional component of the detection engine, such as a new version of the IPS component, and the upgrade device detects that a functional component of the detection engine, such as the IPS or AV component, needs upgrading, it generates a new-version first functional component from the software upgrade package and runs it in the detection engine to inspect first sessions, i.e. sessions newly established with the firewall device after the new-version component started running. If the new-version first functional component, such as the AV component, has a corresponding new signature library, that library is loaded and updated at the same time; the signature library contains, for example, information on a variety of viruses.
The check for a component upgrade can be triggered on a timer: while the upgrade server is communicating with the NGFW, the version state of each functional component of the NGFW's detection engine is obtained in real time and compared with the version state on the upgrade server to learn whether an upgrade is needed. It can also be triggered manually, for example when the upgrade server is not in communication with the NGFW: the software upgrade package is downloaded to the NGFW manually and the upgrade component in the NGFW judges whether an upgrade is needed. If several functional components need upgrading at the same time, they can be upgraded simultaneously or in order, i.e. the next component is upgraded only after the previous one has finished.
Step 102: if at least one second session exists, inspect the subsequent packets of the second session with the old-version first functional component until all second sessions have aged, a second session being a session already established with the firewall device when the new-version first functional component started running.
Specifically, as shown in Fig. 3, if a second session, such as session 1, was already established with the firewall device when the new-version first functional component started running, the old-version first functional component, such as IPS component version 1, performs security inspection on the subsequent packets of session 1; the subsequent packets of a second session are the packets belonging to that session that are received after the new-version first functional component started running. Since the AV component has not been upgraded, a packet of session 1 is inspected by IPS component version 1 and then passed to AV component version 1 for inspection. If a first session, such as session 2, was newly established with the firewall device after the new-version first functional component started running, the new-version first functional component, such as IPS component version 2, inspects it. If, as shown in Fig. 4, the AV component has been upgraded to version 2 and is running in the detection engine before the packet reaches the AV component, a packet of session 2 is inspected by the new-version AV component version 2; if, as shown in Fig. 3, the AV component has not been upgraded, AV component version 1 continues to inspect it.
In this embodiment, as shown in Fig. 3, application identification can be performed after session flow distribution: the received packet is identified by application and the corresponding functional component is looked up to perform security inspection. Fig. 3 shows only the IPS and AV components as examples; in practice more components can be included, such as a URL filtering component and a DLP component. After security inspection, an action is taken according to the result, such as block, alert, log or permit.
Step 103: after all second sessions have aged, destroy the old-version first functional component.
Specifically, as shown in Fig. 5, once all sessions that were established with the firewall device before the new-version first functional component started running, such as session 1, have aged, the old-version components in the detection engine that session 1 used, such as IPS component version 1, are destroyed; session 2 continues to be inspected by IPS component version 2 and AV component version 1. Aging means that both ends of a transmission control protocol (TCP) connection have sent FIN (finish) or RST (reset) packets. If the upgrade device later detects that the IPS component in the detection engine needs upgrading again, it generates a new-version first functional component in the detection engine from the software upgrade package obtained, such as IPS component version 3, and runs it; a session 3 newly established at that point is inspected by the new IPS component version 3 and AV component version 2. After session 2 has aged (and no other session is inspected by IPS component version 2 and AV component version 1), the components that session 2 used, IPS component version 2 and AV component version 1, are destroyed.
The words "first" and "second" in the first functional component, second functional component, first session and second session above do not denote an order; they only distinguish different functional components and sessions. Likewise, "first", "second" and so on elsewhere in this document only distinguish different components, versions, sessions and the like.
In this embodiment, a new-version first functional component is generated from the software upgrade package of the detection engine and run in the detection engine to inspect first sessions, i.e. sessions newly established with the firewall device after the new-version component started running; if at least one second session exists, i.e. a session already established with the firewall device when the new-version component started running, its subsequent packets are inspected with the old-version first functional component until all second sessions have aged; and after all second sessions have aged, the old-version first functional component is destroyed. Because only the functional component that needs upgrading is upgraded, rather than the whole detection engine, and the old-version component that inspected the second sessions is destroyed once all of them have aged, resource usage is small and the upgrade is efficient; each functional component of the NGFW detection engine is upgraded smoothly, and security inspection of existing service traffic is unaffected.
In embodiment two of the method for upgrading a detection engine in a firewall device of the present invention, on the basis of the method embodiment shown in Fig. 1, the method may further include:
receiving a packet and determining from its packet header whether it belongs to a first session or to a second session;
if it belongs to a first session, inspecting it with the new-version first functional component; if it belongs to a second session, inspecting it with the old-version first functional component.
Specifically, as shown in Fig. 3, the NGFW receives a packet and determines from its header whether it belongs to a first session, such as session 2, or to a second session, such as session 1. A packet of session 2 is inspected by the new-version first functional component, such as IPS component version 2; a packet of session 1 is inspected by the old-version first functional component, such as IPS component version 1.
Further, before inspecting the subsequent packets of the second session with the old-version first functional component until all second sessions have aged, the method of this embodiment may also include:
establishing and storing a correspondence among the old-version first functional component, the second session and the session state of the second session, so that whether all second sessions have aged can be judged;
optionally, also establishing and storing a correspondence among the new-version first functional component, the first session and the session state of the first session, so that when the first functional component is upgraded again, whether all first sessions have aged can be judged.
Specifically, as shown in Fig. 3, the device for upgrading the detection engine in the firewall device may establish and store: the correspondence between IPS component version 1 and AV component version 1, session 1, and the session state of session 1; the correspondence between IPS component version 2 and AV component version 1, session 2, and the session state of session 2; and, as shown in Fig. 4, the correspondence between session 2 and IPS component version 2 and AV component version 2. These correspondences, shown in Table 1, are used to judge whether each session has aged, and hence whether each functional component should be destroyed and which component version inspects the subsequent packets of a session. In Table 1, the first column is the correspondence number, the second the functional component version, the third the session and the fourth the session state.
Table 1
| Correspondence | Functional component version | Session | Session state |
| --- | --- | --- | --- |
| 1 | IPS component version 1 | Session 1 | Not aged |
| 2 | AV component version 1 | Session 1 | Not aged |
| 3 | IPS component version 2 | Session 2 | Not aged |
| 4 | AV component version 1 | Session 2 | Not aged |
Further, after receiving the packet, the method may also include:
when the flag bit of the packet is FIN (finish) or RST (reset), if the session to which the packet belongs is a second session, setting the session state of that session in the correspondence to the aged state;
optionally, if the session to which the packet belongs is a first session, likewise setting the session state of that session in the correspondence to the aged state.
Specifically, as shown in Table 1, when a transmitted service packet has the FIN or RST flag set and belongs to session 1, the session state in correspondences 1 and 2, which refer to session 1, is set to aged. If no other session is then being inspected by IPS component version 1, all sessions that IPS component version 1 inspected have aged, so IPS component version 1 is destroyed, and the packets of subsequently established sessions are all inspected by IPS component version 2 and AV component version 1.
Further, the method may also include:
if the software upgrade package also contains an upgrade package for at least one second functional component, generating a new-version second functional component and running it in the detection engine.
Specifically, if the software upgrade package contains upgrade packages for both the IPS component and the AV component, a new-version first functional component, such as IPS component version 2, and a new-version second functional component, such as AV component version 2, are generated, and the new-version second functional component is run in the detection engine. If the package contains upgrade packages for two second functional components, such as the AV component and the DLP component, two new-version second functional components are generated, such as AV component version 2 and DLP component version 2.
In this embodiment, the correspondence between the first functional unit of the new version, the first session and the session state of the first session is established and stored so that it can be judged whether all first sessions have aged, and the correspondence between the first functional unit of the legacy version, the second session and the session state of the second session is established and stored so that it can be judged whether all second sessions have aged. A message is received and, according to its header, it is determined whether the message belongs to the first session or to the second session: a message of the first session is detected using the first functional unit of the new version, and a message of the second session is detected using the first functional unit of the legacy version. When the flag bit of the message is FIN or RST, the session state of the session to which the message belongs is set to the ageing state. If the software upgrade data packet further includes the upgrade data packet of at least one second functional unit, a second functional unit of the new version is generated and run in the detection engine. Resource occupation is small and the upgrade is efficient, so that each functional unit of the detection engine in a next-generation firewall is upgraded smoothly while the security detection of existing service traffic is unaffected.
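The session-pinned upgrade flow described above (and restated in the device embodiments and claims below), as an added example that is not the patent's own code: a Python model of the detection engine that pins each session at its first message to the unit versions running at that moment, keeps the version/session/session-state correspondence, marks a session ageing on FIN or RST, and destroys a legacy version only once no live session still points at it. The class and method names (`DetectionEngine`, `FunctionalUnit`, `SessionKey`, `handle`, `upgrade`) and the byte-string signatures standing in for IPS/AV rule sets are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class SessionState(Enum):
    NON_AGEING = "non-ageing"
    AGEING = "ageing"


@dataclass(frozen=True)
class SessionKey:
    """5-tuple taken from the message header; it identifies the session."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Packet:
    key: SessionKey
    flags: frozenset        # TCP flag names, e.g. frozenset({"FIN", "ACK"})
    payload: bytes = b""


class FunctionalUnit:
    """One link of the serial detection chain (IPS, AV, ...) at a fixed
    version. `signatures` is a constructed stand-in for its rule set."""

    def __init__(self, name, version, signatures):
        self.name, self.version, self.signatures = name, version, signatures
        self.destroyed = False

    def inspect(self, pkt):
        if self.destroyed:
            raise RuntimeError(f"{self.name} v{self.version} used after destroy")
        return any(sig in pkt.payload for sig in self.signatures)


class DetectionEngine:
    """Keeps the <unit version, session, session state> correspondence and
    routes every message to the versions its session was pinned to at setup,
    so upgrading a unit never changes the inspector of a live flow."""

    def __init__(self, chain):
        self.order = [u.name for u in chain]       # serial processing order
        self.current = {u.name: u for u in chain}  # versions for new sessions
        self.legacy = {}                            # name -> old versions alive
        self.table = {}                             # SessionKey -> pinned units, state

    def upgrade(self, unit):
        """Install a new version; the old one keeps serving its sessions."""
        self.legacy.setdefault(unit.name, []).append(self.current[unit.name])
        self.current[unit.name] = unit

    def running_versions(self, name):
        """Versions of `name` not yet destroyed, oldest first."""
        olds = [u.version for u in self.legacy.get(name, [])]
        return olds + [self.current[name].version]

    def handle(self, pkt):
        entry = self.table.get(pkt.key)
        if entry is None:
            # first message of a new session: pin it to the versions running now
            entry = {"units": dict(self.current), "state": SessionState.NON_AGEING}
            self.table[pkt.key] = entry
        units = [entry["units"][n] for n in self.order]
        report = {"versions": {u.name: u.version for u in units},
                  "alerts": [u.name for u in units if u.inspect(pkt)]}
        if pkt.flags & {"FIN", "RST"}:
            entry["state"] = SessionState.AGEING  # FIN/RST: the session ages
            self._reap()
        report["state"] = entry["state"].value
        return report

    def _reap(self):
        """Drop aged sessions, then destroy every legacy version that no
        remaining session is pinned to (a late message on a dropped key
        would simply open a fresh session on the current versions)."""
        self.table = {k: e for k, e in self.table.items()
                      if e["state"] is SessionState.NON_AGEING}
        pinned = {id(u) for e in self.table.values() for u in e["units"].values()}
        for name, olds in list(self.legacy.items()):
            for old in [o for o in olds if id(o) not in pinned]:
                old.destroyed = True
                olds.remove(old)
            if not olds:
                del self.legacy[name]
```

The second-unit rule of claim 1 falls out of the same pinning: a session opened after the IPS upgrade but before the AV upgrade keeps AV version 1 until it ages, even though new sessions already use AV version 2.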
Fig. 6 is a schematic structural diagram of embodiment one of the upgrade device for a detection engine in a firewall device according to the present invention. As shown in Fig. 6, the device 50 of this embodiment may include an installation module 501, a detection module 502 and a destruction module 503. The installation module 501 is configured to generate a first functional unit of a new version according to the software upgrade data packet of the detection engine, and to run the first functional unit of the new version in the detection engine. The detection module 502 is configured to detect the first session using the first functional unit of the new version generated and run by the installation module 501, where the first session is a session newly established with the firewall device after the first functional unit of the new version is run. The detection module 502 is further configured, if at least one second session exists, to detect the subsequent messages of the second session using the first functional unit of the legacy version until all second sessions have aged, where the second session is a session already established with the firewall device when the first functional unit of the new version is run. The destruction module 503 is configured to destroy the first functional unit of the legacy version after all second sessions have aged, triggered by the detection module 502.
The device of this embodiment may be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not described again here.
Fig. 7 is a schematic structural diagram of embodiment two of the upgrade device for a detection engine in a firewall device according to the present invention. As shown in Fig. 7, on the basis of the structure of the device 50 shown in Fig. 5, the device of this embodiment may further include a receiving module 504. The receiving module 504 is configured to receive a message and to determine, according to the header of the message, whether the message belongs to the first session or to the second session. The detection module 502 is further configured to detect a message belonging to the first session using the first functional unit of the new version, and to detect a message belonging to the second session using the first functional unit of the legacy version.
Further, the device of this embodiment may also include:
a storage module 505, configured to establish and store the correspondence between the first functional unit of the legacy version, the second session and the session state of the second session, so that the detection module can judge whether all second sessions have aged.
Optionally, the storage module 505 may also be configured to establish and store the correspondence between the first functional unit of the legacy version, the first session and the session state of the first session, so that the detection module can judge whether all first sessions have aged.
The storage module 505 is further configured:
when the flag bit of the message received by the receiving module 504 is FIN or RST, if the session to which the message belongs is the second session, to set the session state of that session in the correspondence stored by the storage module 505 to the ageing state.
Optionally, the storage module 505 is further configured:
when the flag bit of the message received by the receiving module 504 is FIN or RST, if the session to which the message belongs is the first session, to set the session state of that session in the correspondence stored by the storage module 505 to the ageing state.
Optionally, the installation module 501 is further configured:
if the software upgrade data packet further includes the upgrade data packet of at least one second functional unit, to generate a second functional unit of the new version and to run the second functional unit of the new version in the detection engine.
The device of this embodiment may be used to execute the technical solution of method embodiment two; its implementation principle and technical effect are similar and are not described again here.
Fig. 8 is a schematic structural diagram of embodiment one of the upgrade equipment for a detection engine according to the present invention. As shown in Fig. 8, the upgrade equipment 70 for a detection engine provided by this embodiment includes a bus 701, a receiver 702, a processor 703 and a memory 704. The bus 701 connects the receiver 702, the processor 703 and the memory 704 and transmits information between them; the receiver 702 is configured to receive messages; the memory 704 stores execution instructions. When the upgrade equipment 70 runs, the processor 703 communicates with the memory 704 and executes the code stored in the memory 704 to perform the following operations:
generating a first functional unit of a new version according to the software upgrade data packet of the detection engine, and running the first functional unit of the new version in the detection engine so as to detect the first session using the first functional unit of the new version, where the first session is a session newly established with the firewall device after the first functional unit of the new version is run;
if at least one second session exists, detecting the subsequent messages of the second session using the first functional unit of the legacy version until all second sessions have aged, where the second session is a session already established with the firewall device when the first functional unit of the new version is run;
after all second sessions have aged, destroying the first functional unit of the legacy version.
Preferably, before the step of detecting the subsequent messages of the second session using the first functional unit of the legacy version, if at least one second session exists, until all second sessions have aged, the memory 704 is further used to:
establish and store the correspondence between the first functional unit of the legacy version, the second session and the session state of the second session, so that it can be judged whether all second sessions have aged.
Optionally, the memory 704 is further used to establish and store the correspondence between the first functional unit of the new version, the first session and the session state of the first session, so that it can be judged whether all first sessions have aged.
Optionally, the processor 703 is further configured to determine, according to the header of the message received by the receiver 702, whether the message belongs to the first session or to the second session;
if the message belongs to the first session, it is detected using the first functional unit of the new version; if it belongs to the second session, it is detected using the first functional unit of the legacy version.
Optionally, the processor 703 is further configured, when the flag bit of the message received by the receiver 702 is FIN or RST and the session to which the message belongs is the second session, to set the session state of that session in the correspondence to the ageing state.
Optionally, the processor 703 is further configured:
when the flag bit of the message received by the receiver 702 is FIN or RST, if the session to which the message belongs is the first session, to set the session state of that session in the correspondence to the ageing state.
Optionally, the processor 703 is further configured:
if the software upgrade data packet further includes the upgrade data packet of at least one second functional unit, to generate a second functional unit of the new version and to run the second functional unit of the new version in the detection engine.
The equipment of this embodiment may be used to execute the technical solution of the method embodiments; its implementation principle and technical effect are similar and are not described again here.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and another division may be used in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, may each exist physically on their own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute some of the steps of the methods of the embodiments of the present invention. The storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the above division into functional modules is given only as an example; in practical application, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiments, which is not described again here.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for upgrading a detection engine in a firewall device, characterized in that the detection engine includes a first functional unit and at least one second functional unit, the first functional unit and each second functional unit implement mutually independent security detection functions, and the first functional unit and the second functional unit process messages in a serial fashion, the method including:
generating a first functional unit of a new version according to the software upgrade data packet of the detection engine, running the first functional unit of the new version in the detection engine, and detecting a first session using the first functional unit of the new version, where the first session is a session newly established with the firewall device after the first functional unit of the new version is run;
if, before a message of the first session is sent from the first functional unit of the new version to the second functional unit, the second functional unit has not been upgraded, detecting the first session using the second functional unit of the legacy version, and establishing and storing the correspondence between the first functional unit of the new version, the second functional unit of the legacy version, the first session and the first session state, so that it can be judged whether the first session has aged;
if at least one second session exists, detecting the subsequent messages of the second session using the first functional unit of the legacy version until all second sessions have aged, where the second session is a session already established with the firewall device when the first functional unit of the new version is run;
after all second sessions have aged, destroying the first functional unit of the legacy version.
2. The method according to claim 1, characterized in that, after the first functional unit of the new version is run in the detection engine, the method further includes:
receiving a message, and determining according to the header of the message whether the message belongs to the first session or to the second session;
if the message belongs to the first session, detecting it using the first functional unit of the new version; if the message belongs to the second session, detecting it using the first functional unit of the legacy version.
3. The method according to claim 2, characterized in that, before the step of detecting the subsequent messages of the second session using the first functional unit of the legacy version, if at least one second session exists, until all second sessions have aged, the method further includes:
establishing and storing the correspondence between the first functional unit of the legacy version, the second session and the session state of the second session, so that it can be judged whether all second sessions have aged.
4. The method according to claim 3, characterized in that, after the message is received, the method further includes:
when the flag bit of the message is FIN or RST, if the session to which the message belongs is the second session, setting the session state of that session in the correspondence to the ageing state.
5. The method according to any one of claims 1 to 4, characterized in that it further includes:
if the software upgrade data packet further includes the upgrade data packet of at least one second functional unit, generating a second functional unit of the new version and running the second functional unit of the new version in the detection engine.
6. A device for upgrading a detection engine in a firewall device, characterized in that the detection engine includes a first functional unit and at least one second functional unit, the first functional unit and each second functional unit implement mutually independent security detection functions, and the first functional unit and the second functional unit process messages in a serial fashion, the device including:
an installation module, configured to generate a first functional unit of a new version according to the software upgrade data packet of the detection engine, and to run the first functional unit of the new version in the detection engine;
a detection module, configured to detect a first session using the first functional unit of the new version generated and run by the installation module, where the first session is a session newly established with the firewall device after the first functional unit of the new version is run;
the detection module being further configured, if the second functional unit has not been upgraded before a message of the first session is sent from the first functional unit of the new version to the second functional unit, to detect the first session using the second functional unit of the legacy version, and to establish and store the correspondence between the first functional unit of the new version, the second functional unit of the legacy version, the first session and the first session state, so that it can be judged whether the first session has aged;
the detection module being further configured, if at least one second session exists, to detect the subsequent messages of the second session using the first functional unit of the legacy version until all second sessions have aged, where the second session is a session already established with the firewall device when the first functional unit of the new version is run;
a destruction module, configured to destroy the first functional unit of the legacy version after all second sessions have aged, triggered by the detection module.
7. The device according to claim 6, characterized in that the device further includes:
a receiving module, configured to receive a message and to determine according to the header of the message whether the message belongs to the first session or to the second session;
the detection module being further configured to detect a message belonging to the first session using the first functional unit of the new version, and to detect a message belonging to the second session using the first functional unit of the legacy version.
8. The device according to claim 7, characterized in that the device further includes:
a storage module, configured to establish and store the correspondence between the first functional unit of the legacy version, the second session and the session state of the second session, so that the detection module can judge whether all second sessions have aged.
9. The device according to claim 8, characterized in that the storage module is further configured:
when the flag bit of the message received by the receiving module is FIN or RST, if the session to which the message belongs is the second session, to set the session state of that session in the correspondence to the ageing state.
10. The device according to any one of claims 6 to 9, characterized in that the installation module is further configured:
if the software upgrade data packet further includes the upgrade data packet of at least one second functional unit, to generate a second functional unit of the new version and to run the second functional unit of the new version in the detection engine.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310344399.0A CN104348660B (en) | 2013-08-08 | 2013-08-08 | The upgrade method and device of detecting and alarm in firewall box |
PCT/CN2014/072541 WO2015018200A1 (en) | 2013-08-08 | 2014-02-26 | Method and apparatus for upgrading detection engine in firewall device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310344399.0A CN104348660B (en) | 2013-08-08 | 2013-08-08 | The upgrade method and device of detecting and alarm in firewall box |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104348660A CN104348660A (en) | 2015-02-11 |
CN104348660B true CN104348660B (en) | 2018-08-21 |
Family
ID=52460606
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310344399.0A Active CN104348660B (en) | 2013-08-08 | 2013-08-08 | The upgrade method and device of detecting and alarm in firewall box |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104348660B (en) |
WO (1) | WO2015018200A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106059790A (en) * | 2016-05-13 | 2016-10-26 | 杭州华三通信技术有限公司 | Firewall upgrading method and apparatus |
US10424319B2 (en) | 2017-09-26 | 2019-09-24 | International Business Machines Corporation | Assessing the structural quality of conversations |
CN112866238B (en) * | 2021-01-15 | 2022-07-05 | 杭州迪普科技股份有限公司 | Session control method and device |
CN113839882B (en) * | 2021-09-26 | 2023-09-26 | 杭州迪普信息技术有限公司 | Message flow splitting method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101122934A (en) * | 2006-08-11 | 2008-02-13 | 珠海金山软件股份有限公司 | Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method |
CN101695031A (en) * | 2009-10-27 | 2010-04-14 | 成都市华为赛门铁克科技有限公司 | Upgrading method and device of intrusion prevention system |
CN101854334A (en) * | 2009-03-30 | 2010-10-06 | 华为技术有限公司 | Admission control system, device and method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2844415B1 (en) * | 2002-09-05 | 2005-02-11 | At & T Corp | FIREWALL SYSTEM FOR INTERCONNECTING TWO IP NETWORKS MANAGED BY TWO DIFFERENT ADMINISTRATIVE ENTITIES |
CN102118296B (en) * | 2009-12-30 | 2015-05-27 | 华为技术有限公司 | Rule base upgrading method and communication equipment |
CN101938460B (en) * | 2010-06-22 | 2014-04-09 | 北京中兴网安科技有限公司 | Coordinated defense method of full process and full network safety coordinated defense system |
- 2013-08-08 CN CN201310344399.0A patent/CN104348660B/en active Active
- 2014-02-26 WO PCT/CN2014/072541 patent/WO2015018200A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2015018200A1 (en) | 2015-02-12 |
CN104348660A (en) | 2015-02-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20211227. Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province. Patentee after: Super fusion Digital Technology Co.,Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen. Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |