An HTTP business firewall based on an adaptive proxy mechanism
Technical field
The present invention relates to the field of firewalls, and more particularly to an HTTP business firewall based on an adaptive proxy mechanism.
Background technology
In the firewall field there are, at the earliest, firewalls based on the data link layer and the network layer of the seven-layer OSI model, which mainly perform access-control checks on the source and destination of traffic, and, most recently, application-layer firewalls based on the seven-layer OSI model, which check traffic against attack signatures. Traditional firewalls fall into the following common technical types: packet-filtering firewalls, circuit-level firewalls, application-level proxy firewalls, dynamic packet-filtering firewalls and adaptive proxy firewalls.
Packet-filtering firewall: operates at the network layer and checks each passing packet on the basis of the following information: source and destination IP address, TCP/UDP source and destination port numbers, protocol (TCP, UDP, ICMP, BGP, etc.), ICMP message type, packet size, etc.
Circuit-level firewall: a kind of proxy firewall operating at the transport layer; it builds a session table from the flag bits of packets; for each received IP packet it checks whether the packet belongs to some session; and it tracks the total number of packets in a session over a period of time.
Application-level proxy firewall: operates at the application layer; for specific protocols such as telnet, http, smtp and pop it can support identity authentication; in addition to control based on address, protocol and port, it can also filter application-layer commands, such as GET and PUT in FTP.
Dynamic packet-filtering firewall: has the essential characteristics of a packet-filtering firewall and additionally the following: the state of a communication session is monitored by maintaining a connection table of packet attributes rather than by simply relying on a flag setting; for the transport layer, choosing dynamic packet filtering ensures that the firewall can maintain the state of every transport the user will use, such as TCP, UDP, ICMP, etc.; and, compared with an ordinary (static) packet-filtering firewall, the filtering rules of dynamic packet filtering are session-based.
Adaptive proxy firewall: combines the advantages of packet filtering and proxy-server firewalls; its packet-filtering rules are dynamic and session-based, the filtering rules of the IP filter can be adjusted dynamically while the firewall is running, and during filtering checks, filtering rules of different criteria can be applied depending on the session.
HTTP (Hypertext Transfer Protocol) is the mainstream communication protocol on which the business systems of many IT industries currently operate. The HTTP protocol has two standard concepts: URL (the abbreviation of Uniform Resource Locator, translated as "uniform resource locator", for example "http://www.bank.com/login?UserId=1001&Pass=123456") and URI (the abbreviation of Uniform Resource Identifier, translated as "universal resource identifier"; the URI value corresponding to the URL example is "http://www.bank.com/login").
HTML (HyperText Markup Language) is currently the most popular page definition language; specific details can be found in the relevant RFC specifications (Request For Comments, a series of numbered documents in which the basic Internet communication protocols are described in detail).
An HTML document is defined by HTML elements; an HTML element is all the code from a start tag (for example <p>, <a href="default.htm">) to an end tag (for example </p>, </a>).
HTML links: HTML uses hyperlinks to connect to another document on the network. Links can be found in almost all web pages. Clicking a link jumps from one page to another: the click initiates an access to the server according to the URL the link refers to. For example, "<a href="http://www.w3school.com.cn/">Visit W3School</a>" defines a link pointing to "http://www.w3school.com.cn/", and "<a href="http://www.w3school.com.cn/"><img border="0" src="./images/NextPage.GIF"></a>" also defines a link pointing to "http://www.w3school.com.cn/".
A business firewall is a new concept. Because the business of each customer differs considerably, it is difficult to form standardized check rules, and because the concept of the business firewall has only emerged in the last two years, there are as yet no mature or typical products of this kind in the industry.
Content of the invention
The primary object of the present invention is to overcome the deficiencies of the prior art and to provide a new-generation firewall technology whose core is the association of client sessions, self-adapting white-list rules, a proxy access mechanism and a protection pattern. To solve the above technical problem, the solution of the invention is:
A kind of HTTP business fire walls based on Adaptive proxy mechanism are provided, for defending from client to being protected
The attack access of the operation system of shield, the HTTP business fire wall based on Adaptive proxy mechanism includes proxy module, core
The heart is controlled and security policy database;
The proxy module is used to receive HTTP accesses from clients; it then extracts the current access time from the moment at which the access occurs and, according to the HTTP protocol specifications (RFC 1945, RFC 2616), extracts the source IP and port of the access, the destination address of the access, and the Request (referring to the Request definition in the HTTP Message definition of RFC 2616);
The proxy module then passes each item of data obtained (source IP and port of the access, destination address of the access, Request) to the core control, waits for the ruling of the core control, and after receiving the ruling conclusion executes according to it; the ruling conclusion is one of pass, monitor, warn or intercept;
If the proxy module receives a pass, that is, the conclusion that the check passed, the proxy module proxies the Request of the current session to the protected business system, then waits to receive the business system's response content (Response) to the forwarded Request (the response content being what is sent to the client as the response), and parses the message body of the response content (referring to the Response definition in the HTTP Message definition of RFC 2616) according to the HTML language (HyperText Markup Language) to obtain the accessible links in the response content;
The core control is the control centre of the HTTP business firewall; it is responsible for scheduling the cooperation of the modules, receiving requests from the modules, and updating the data records, operating modes and working methods in the security policy database;
The core control can extract the HTTP access data transmitted by the proxy module, which include source IP, source port, destination IP, destination port, the URL of the HTTP request, the HEADER of the HTTP request and the BODY of the HTTP request, and calls the client admission policy to check the client source (source IP, source port):
If the check conclusion for the client is dangerous, the core control, according to the risk class of the conclusion, orders the proxy module to intercept this access, and the subsequent check steps are not entered;
If the check conclusion for the client is safe, the client session state store is further called to check the client state: if the client source information (source IP, SessionID) is already a session in the data records of the client session state store, it is an existing session, otherwise it is a new session. If it is judged to be a new session, the data of the current HTTP access are passed to the initial address white list for checking; if the check passes, the new session is added to the client session state store, the Request is proxied by the proxy module to the protected business system, and the whole process continues. If it is judged to be an existing session, the data of the current HTTP access are passed to the initial address white list and the subsequent address white list, which check them separately; if the check conclusion of either module is pass, the request is proxied by the proxy module to the protected business system and the whole process continues; otherwise it is processed according to the intercept conclusion;
The security policy database comprises the sub-modules client admission policy, client session state store, initial address white list and subsequent address white list, and records the initialization data of the HTTP business firewall, including the initialization data of the client admission policy and of the initial address white list;
The security policy database receives the scheduling of the core control and realizes the following functions: according to the scheduling of the core control (according to the request initiated by the client and the response obtained), it adjusts the client session state data and the subsequent address white list corresponding to the client (referring to "session state after access" and "subsequent address white list after access" of the client sessions (X, Y) in legend 310), and it allows the data of the client admission policy and the initial address white list to be maintained and updated online (while running); according to the scheduling of the core control (when it learns that the proxy module has received a client request), it performs the corresponding security checks according to the client and the corresponding policies (client admission policy, client session state store, initial address white list, subsequent address white list) and returns the ruling conclusion to the core control;
The client admission policy is the admission policy describing the clients that the HTTP business firewall allows to access; only sources listed in the admission policy are allowed to access, otherwise they are intercepted; the admission policy includes the client source;
The client session state store preserves the rules of the clients that the HTTP business firewall allows in; the rules of the admitted clients are a list, in white-list form, of the clients allowed to access the protected system (this list is very close to a traditional access control list); each rule for an admitted client specifies the address of the protected system (target HOST, target IP, target port), the access address of the proxy module (target HOST, target IP, target port) and the source of the admitted client (source IP, source port);
The initial address white list is made up of initial address white list rules, which realize the following functions: on receiving the scheduling of the core control (when it learns that the client has received the corresponding page and has obtained the link addresses in it by parsing the page), it can query, add and delete the initial address rules corresponding to that client; on receiving the scheduling of the core control (when it learns that the proxy module has received a client request), it checks whether the client, in its current session state, has the right to access the initial address in the manner of an initial address; an initial address white list rule includes a client condition, a client session state condition and an initial address;
The subsequent address white list is made up of subsequent address white list rules, which realize the following functions: on receiving the scheduling of the core control (when it learns that the client has received the corresponding page and has obtained the link addresses in it by parsing the page), it can query, add and delete the subsequent address rules corresponding to that client; on receiving the scheduling of the core control (when it learns that the proxy module has received a client request), it checks whether the client, in its current session state, has the right to access the subsequent address in the manner of a subsequent address; a subsequent address white list rule includes a client condition, a client session state condition and a subsequent address.
In the present invention, the core control can perform human-machine interaction: it outputs data and signals through an output device and obtains external input through an input device.
In the present invention, the output device includes a screen, a loudspeaker and lights, and the input device includes a keyboard and a mouse.
In the present invention, the client source in the client admission policy includes source IP and source port; the client source can be identified by a regular expression, can also be recorded using the common wildcards ("" and "*"), and supports range notation (for example 12-254, meaning that the integers from 12 to 254 are allowed).
In the present invention, every rule for an admitted client in the client session state store can be identified by a regular expression, can also be recorded using the common wildcards ("" and "*"), and supports range notation (for example 12-254, meaning that the integers from 12 to 254 are allowed).
In the present invention, the handling of an intercept conclusion by the HTTP business firewall based on the adaptive proxy mechanism is that the proxy module directly closes the client's current connection, or closes the connection after responding with a refusal-of-service response page.
In the present invention, the initial address white list is a preset record set according to system operation when the HTTP business firewall is initialized, and it can be set to different patterns according to system operation needs: according to client source, different initial address link records are specified for different sources; or the same initial address link records are set for all client sources.
In the present invention, the updating of data records in the security policy database by the core control includes:
Updating the subsequent address white list: after the proxy module obtains the accessible links in the business system's response content to the request, the core control updates the accessible links into the subsequent address white list, which can be realized in either of two modes: the accessible link records are appended to the subsequent address white list, with the link records corresponding to the session; or all old link records of the session corresponding to the accessible links are removed and the newly obtained link records corresponding to the session are added to the subsequent address white list;
Updating the client session state store: the core control updates the current access address into the client session state store, which can be realized in either of two modes: only one current-step link record is preserved in the client session state store, and the link record of the current access directly overwrites the original record; or several current-step link records are preserved in the client session state store, and the link record of the current access is appended;
The core control can periodically (for example every second, every 20 milliseconds, etc.) check the client session state store, performing an expiry check on the records of existing sessions and purging a record once its expiry time is reached; the expiry time is the timestamp obtained by adding the validity duration to the current time, and when the current request belongs to an existing session the core control calls the client session state store to extend the validity duration of the existing session according to the pre-set session validity duration (for example 180 seconds, 3600 seconds, etc.).
In the present invention, the HTTP business firewall based on the adaptive proxy mechanism handles a client re-sending the current request in either of two modes: the address of the current access is added to the subsequent address white list as a subsequent address; or the address of the current access is added to neither the initial address white list nor the subsequent address white list, so that if the business system's response content to the current request does not contain the URL/link address of the current request, refreshing the page to access the current address again is not allowed.
Operating principle of the invention: the interconnected system (access agent system, Agent) of the underlying HTTP access proxy obtains traffic data in real time; the data obtained by the Agent are analysed and associated with client sessions to form a client list, and the white-list addresses obtained by the analysis are merged with, and update, the existing white list of the corresponding client according to the pre-set update and merge rules, giving a new access address white list. When an HTTP access from a certain client is found, it is checked against the access address white list corresponding to that client: if it meets the rules permitted by the white list, the access is passed; if it does not, the HTTP access is monitored, warned about or intercepted.
Compared with the prior art, the beneficial effects of the invention are as follows:
The present invention can identify the session step a particular client is in and automatically generate the corresponding white-list rules according to the current step, so that safe accesses are passed and dangerous accesses are intercepted;
The present invention can extend interception into various processing modes of different levels, such as warning (the core control 120 issues a warning), authorization (the core control 120 sends a request asking for authorization information to be entered through the input device, and only then allows the session to continue accessing), or interception, all of which are easy to adapt and adjust;
The present invention can automatically learn and revise the white-list rules of the current step according to the application-layer scenario from which the rules are derived, thereby ensuring that all expected accesses are satisfied and all unexpected accesses are rejected;
The proxy protection design of the invention ensures that the clients whose accesses the protected system receives are all safe; as long as the access step flow of the protected system itself is not confused, a client can only walk along the path of the predetermined step-flow specification;
The present invention can reduce the checking work that the protected system needs to consider in various security respects, such as cold calls, unexpected parameters, session parameter checks and user-associated data checks, thereby helping to greatly reduce the development cost of the protected system and raising the security grade of the system;
The present invention can raise the protective capacity of the firewall qualitatively; by its mechanism it shields against various common attack means from the outset, bringing the contest between attack and defence into a new era.
Brief description of the drawings
Fig. 1 is a structural block diagram of the computing environment system of a specific embodiment of the invention.
Fig. 2 is the jump-process diagram of a specific embodiment of the invention.
Fig. 3 is the data-record diagram corresponding to the jump process of a specific embodiment of the invention.
Specific embodiment
It should first be noted that the present invention is an application of computer technology in the field of information security technology, and implementing it may involve several software function modules. The applicant believes that, having read the application documents and accurately understood the realization principle and the object of the invention, a person skilled in the art, combined with existing known technology, can fully realize the invention using the software programming skills at their command. The aforementioned software function modules include but are not limited to the proxy module, the kernel control module and the security policy database; all such modules referred to in the present application documents belong to this category, and the applicant will not enumerate them.
The present invention is described in further detail below with reference to the accompanying drawings and a specific embodiment:
As shown in Fig. 1, client 140 is the access source that initiates access requests; requests from client 140 must pass through the proxy access of HTTP business firewall 100 before they can reach business system 150, and through this deployment architecture the HTTP business firewall protects the business system.
HTTP business firewall 100 is the system of the invention and includes proxy module 110. Proxy module 110 receives accesses from client 140, sends the accesses that have passed the security checks of kernel control module 120 and the related function modules on to business system 150, then receives the responses of business system 150; by analysing the response content, kernel control module 120 and the corresponding function modules update the security policy of the current session, and the response content from business system 150 is then used as the response content returned to client 140.
Kernel control module 120 is the kernel scheduling centre of the HTTP business firewall; every request that proxy module 110 receives from any client 140 must be notified to kernel control module 120, which extracts the relevant information of the current session (source IP, source port, destination IP, destination port, URL of the HTTP request, HEADER of the HTTP request, BODY of the HTTP request, etc.).
After obtaining the corresponding information data of the current session, the kernel control module calls client admission policy 131 to check the client source (source IP, source port). A request that does not pass the check (intercept) is intercepted directly (the proxy module directly closes the client's current connection, or closes the connection after responding with a refusal-of-service response page) and does not enter the subsequent check steps; a request that passes the check enters the check of the next step.
For a current request not intercepted by client admission policy 131, client session state store 133 is called to check the client state (new session or existing session): if the client source information (source IP, SessionID) is already in the data records of client session state store 133 (an existing session), it is treated as an existing session, otherwise as a new session.
In the case of a new session, the data of the current HTTP request are passed to initial address white list 132 for checking; for a request that passes the check, the session is added to client session state store 133, the request is proxied by proxy module 110 to the business system, and the whole process continues.
In the case of an existing session, the data of the current HTTP request are passed to initial address white list 132 and subsequent address white list 134, which check them separately; if the check conclusion of either module is pass, the request is proxied by proxy module 110 to the business system and the whole process continues. Otherwise it is processed according to the intercept conclusion (the proxy module directly closes the client's current connection, or closes the connection after responding with a refusal-of-service response page).
The initial address white list is a preset record set according to system operation when the system is initialized; it can be set to different patterns according to system operation needs (A: according to client source, different initial address link records are specified for different sources; B: the same address link records are set for all clients).
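As an added illustration (not the patent's own code), the following Python models the check flow described in the summary (proxy module, core control, client admission policy, client session state store, initial and subsequent address white lists) and repeated in the embodiment above, together with the HTML link extraction from the HTML-link description in the background section. The class and function names (BusinessFirewall, rule, learn_response, extract_links, uri_of), the use of a single initial address white list for all sources (pattern B), replace-mode updating of the subsequent address white list, and the constructed sample page are assumptions made for this example; the addresses and SessionIDs are the page's own sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

PASS, INTERCEPT = "pass", "intercept"   # two of the four ruling conclusions


def uri_of(url):
    """Reduce a URL to its URI (scheme, host, path) by dropping the query and
    fragment, as in the page's "http://www.bank.com/login" example."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> start tag, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(uri_of(urljoin(self.base_url, value)))


def extract_links(page_url, html):
    """Parse the response body and return the accessible links it offers."""
    parser = LinkExtractor(page_url)
    parser.feed(html)
    return parser.links


class BusinessFirewall:
    """Core-control ruling over a request, with the white lists kept per session."""

    def __init__(self, admitted_sources, initial_whitelist):
        self.admitted = set(admitted_sources)   # client admission policy (source IPs)
        self.initial = set(initial_whitelist)   # initial address white list, same for all sources
        # client session state store: (source IP, SessionID) -> current step and
        # that session's subsequent address white list
        self.sessions = {}

    def rule(self, source_ip, session_id, url):
        """Admission policy, then session state, then the address white lists."""
        if source_ip not in self.admitted:          # source not listed: intercept, no further checks
            return INTERCEPT
        key, uri = (source_ip, session_id), uri_of(url)
        session = self.sessions.get(key)
        if session is None:                          # new session: only an initial address may start it
            if uri in self.initial:
                self.sessions[key] = {"current": uri, "subsequent": set()}
                return PASS
            return INTERCEPT
        if uri in self.initial or uri in session["subsequent"]:   # existing session: either list may pass
            session["current"] = uri
            return PASS
        return INTERCEPT

    def learn_response(self, source_ip, session_id, page_url, html):
        """After the protected system answers, the links in its HTML become the
        session's subsequent addresses (replace mode: old records are dropped)."""
        session = self.sessions[(source_ip, session_id)]
        session["subsequent"] = set(extract_links(page_url, html))
        return session["subsequent"]


def demo():
    """Constructed walk-through with the page's sample addresses; returns the rulings."""
    fw = BusinessFirewall(admitted_sources={"192.168.1.101"},
                          initial_whitelist={"http://www.bank.com/login"})
    ip, x, y = "192.168.1.101", "12345678900", "12345678901"
    page = ('<html><body><a href="/account">Account</a>'
            '<a href="transfer"><img border="0" src="./images/NextPage.GIF"></a></body></html>')
    rulings = [
        fw.rule(ip, x, "http://www.bank.com/account"),                        # new session, not an initial address
        fw.rule(ip, x, "http://www.bank.com/login?UserId=1001&Pass=123456"),  # initial address: session X opens
    ]
    fw.learn_response(ip, x, "http://www.bank.com/login", page)
    rulings += [
        fw.rule(ip, x, "http://www.bank.com/account"),        # learned subsequent address of X
        fw.rule(ip, x, "http://www.bank.com/admin"),          # never offered to X by any response
        fw.rule(ip, y, "http://www.bank.com/account"),        # same IP, other SessionID: its own new session
        fw.rule("10.0.0.5", x, "http://www.bank.com/login"),  # source not in the admission policy
    ]
    return rulings


if __name__ == "__main__":
    print(demo())
```

Running the demo yields pass only for the initial address and for the address the login page actually linked to; session Y, although it comes from the same source IP as X, gets its own empty subsequent list and is intercepted on /account until it has started from an initial address itself.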
After a pass conclusion is obtained from the check, proxy module 110 proxies the request of the current session to business system 150, then receives the business system's response content to the request, parses the response content and obtains the accessible links in it. After obtaining the corresponding link records, the system updates subsequent address white list 134 in either of two patterns that can be set according to operation needs (A: the corresponding link records are added to subsequent address white list 134, with the link records corresponding to the session; B: all old link records corresponding to the session are removed and the newly obtained link records corresponding to the session are added). For the current access address, the system updates client session state store 133 in either of two patterns that can be set according to operation needs (A: only one current-step link record is kept, and the link record of the current access directly overwrites the original record; B: several current-step link records are kept, and the link record of the current access is appended). Where the current request may be re-sent, the system supports this in either of two patterns that can be set according to operation needs (A: the address of the current access is added to subsequent address white list 134 as a subsequent address; B: it is not listed in any white list, so that if the response content of the request does not contain the URL/link address of the current request, refreshing the page to access the current address again is not allowed).
Where the current request belongs to an existing session, the kernel control module calls client session state store 133 to extend the timeout of the record corresponding to the current session according to the pre-set session validity duration (for example 180 seconds, 3600 seconds, etc.), using the timestamp obtained by adding the validity duration to the current time as the expiry time.
The kernel control module periodically (for example every second, every 20 milliseconds, etc.) checks client session state store 133 and performs an expiry check on the records of the existing sessions in it; a record whose timestamp is already less than the current time is purged.
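As an added illustration (not the patent's own code), the following Python shows the two update patterns for the subsequent address white list (append versus replace), the two patterns for the client session state store (one current-step record versus several), the two ways of handling a re-sent request, and the expiry extension and periodic purge described in the summary and again in the embodiment above. The class names (SessionStateStore, SubsequentWhitelist), the injectable clock, the method names and the sample values are assumptions made for this example; the 180-second validity duration and the two sessions X and Y (same source IP, different SessionID) are taken from the page.

```python
import time


class SessionStateStore:
    """Client session state store keyed by (source IP, SessionID)."""

    def __init__(self, validity_seconds=180, keep_history=False, clock=time.time):
        self.validity = validity_seconds   # pre-set session validity duration
        self.keep_history = keep_history   # False: pattern A, one current-step record; True: pattern B, several
        self.clock = clock                 # injectable clock (assumption) so the expiry logic can be exercised
        self.records = {}

    def touch(self, key, uri):
        """Record the current access address and extend the session's expiry time
        (expiry = current time + validity duration)."""
        now = self.clock()
        rec = self.records.setdefault(key, {"steps": []})
        rec["steps"] = rec["steps"] + [uri] if self.keep_history else [uri]
        rec["expires"] = now + self.validity
        return rec

    def purge_expired(self):
        """Periodic check: remove every record whose expiry timestamp has passed
        and return the purged session keys."""
        now = self.clock()
        expired = [k for k, r in self.records.items() if r["expires"] <= now]
        for k in expired:
            del self.records[k]
        return expired


class SubsequentWhitelist:
    """Per-session subsequent address white list with the two update patterns."""

    def __init__(self, append_mode=True):
        self.append_mode = append_mode   # True: pattern A, append; False: pattern B, replace the session's records
        self.rules = {}

    def update(self, key, links, current_uri=None, allow_resend=False):
        """Store the links parsed from the response for this session. With
        allow_resend (pattern A for re-sent requests) the address just accessed is
        added too, so a page refresh passes; without it (pattern B) a refresh passes
        only if the response itself linked back to the current address."""
        links = set(links)
        if allow_resend and current_uri is not None:
            links.add(current_uri)
        if self.append_mode:
            self.rules.setdefault(key, set()).update(links)
        else:
            self.rules[key] = links
        return self.rules[key]


def demo():
    """Constructed scenario: X keeps accessing while Y goes idle past its validity
    duration; both white-list patterns are fed the same two responses."""
    clock = [1000.0]
    store = SessionStateStore(validity_seconds=180, keep_history=True,
                              clock=lambda: clock[0])
    x = ("192.168.1.101", "12345678900")
    y = ("192.168.1.101", "12345678901")
    store.touch(x, "/login")
    store.touch(y, "/login")              # both expire at t=1180
    clock[0] += 100                       # t=1100: X moves on, its expiry becomes 1280
    store.touch(x, "/account")
    clock[0] += 100                       # t=1200: Y is past its expiry, X is not
    expired = store.purge_expired()

    append_wl = SubsequentWhitelist(append_mode=True)
    replace_wl = SubsequentWhitelist(append_mode=False)
    first_page, second_page = {"/account", "/transfer"}, {"/logout"}
    for wl in (append_wl, replace_wl):
        wl.update(x, first_page, current_uri="/login")
        wl.update(x, second_page, current_uri="/account", allow_resend=True)
    return {
        "expired": expired,
        "x_steps": store.records[x]["steps"],
        "append": sorted(append_wl.rules[x]),
        "replace": sorted(replace_wl.rules[x]),
    }


if __name__ == "__main__":
    print(demo())
```

In the demo only session Y is purged, because X's expiry was pushed forward by its second access; the append pattern keeps /account and /transfer alongside /logout, while the replace pattern keeps only what the latest response offered plus /account, which the re-send pattern A added so that refreshing the account page still passes.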
Fig. 2 is the jump-process diagram of the initial address white list and of the link addresses corresponding to the current step (the URL of the current page) of the session in the specific embodiment.
Link 200 and link 290 are initial addresses, which any legitimate client of this specific embodiment can access as initial addresses after entering. Link 210, link 220 and link 230 are the subsequent access addresses corresponding to initial address link 200. Link 231, link 232 and link 233 are the subsequent access addresses corresponding to current address link 230. Link 200 is at the same time a subsequent access address of link 230.
Fig. 3 is the jump-process diagram of the link addresses of the specific embodiment, showing the corresponding data records of client session state store 133, initial address white list 132 and subsequent address white list 134 of the system for one client at different access steps.
Initial state data table 300 shows that, after system initialization is complete: (1) the session state store has no record data; (2) the initial address white list has two link addresses, set uniformly for all source addresses; (3) the subsequent address white list stores records separately for each session, and its initial data are empty.
Step data table 310 shows, for each access step of two sessions, the system's check result for that access based on the existing data records, and the corresponding data changes in client session state store 133, initial address white list 132 and subsequent address white list 134.
There are two sessions in step data table 310; although they have the same source IP, the system judges them to be two independent sessions because their SessionIDs differ. Session X denotes (source IP: 192.168.1.101, SessionID: 12345678900) and session Y denotes (source IP: 192.168.1.101, SessionID: 12345678901).
The current access URL in step data table 310 is the destination address that the client expects to access in the access step corresponding to that record (illustrated by URI in this specific embodiment; in other specific embodiments it may be understood by URL). In this specific embodiment the distinction between initial addresses and subsequent addresses is illustrated using the simplest relative-path URIs; in practical embodiments absolute paths, or URLs with parameters, may also be used. When distinguishing white-list link addresses, the corresponding comparison method can be set in the initial address white list and subsequent address white list modules according to operation needs: full string matching, regular-expression matching, or other customized comparison methods.
"Session state store after access" in step data table 310 refers to the data records in the system's session state store 131 after that step is completed.
"Subsequent address white list after access" in step data table 310 refers to the data records in the system's subsequent address white list 134 after that step is completed.
In this specific embodiment, the data records of initial address white list 132 remain unchanged after system initialization is complete. In other specific embodiments the system can adjust the data records of initial address white list 132 through kernel control module 120 according to operation needs. In other specific embodiments the data records of client admission policy 131 can also be adjusted through kernel control module 120 while the system is running. In other specific embodiments the comparison methods of initial address white list 132 and subsequent address white list 134 can be adjusted through kernel control module 120.
The present invention has very high practical value in actual applications. The firewall designed by the invention belongs to the application-level proxy firewalls but also has the characteristics of an adaptive proxy firewall: the filtering rules used for different sessions differ, and, further, even within the same session the filtering rules differ when the session is at different steps.
As those skilled in the art will appreciate, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining hardware and software aspects, which may all generally be referred to herein as a "circuit", "module" or "system". Furthermore, aspects of the invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied therein.
Any combination of one or more computer-readable media may be utilized. Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages (for example Java, Smalltalk, C++ or the like) and conventional procedural programming languages (such as the "C" programming language or similar programming languages). The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the latter case, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to particular embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a general-purpose computer, a special-purpose computer or other programmable data processing apparatus, such that the instructions executed by those apparatus create means for implementing the functions/acts specified in the flowchart and/or block diagram block(s).
Finally, it should be noted that the above are only specific embodiments of the invention. Obviously the invention is not limited to the above embodiments, and many variations are possible. All variations that one of ordinary skill in the art can directly derive or infer from the present disclosure are considered to fall within the protection scope of the invention.