CN108845638B - Firewall device of embedded system - Google Patents



Publication number
CN108845638B
Authority
CN
China
Prior art keywords
data
firewall
embedded
module
interface
Legal status
Active
Application number
CN201810988269.3A
Other languages
Chinese (zh)
Other versions
CN108845638A (en)
Inventor
华翔
孙一阳
Current Assignee
Xian Technological University
Original Assignee
Xian Technological University
Application filed by Xian Technological University
Priority to CN201810988269.3A
Publication of CN108845638A
Application granted
Publication of CN108845638B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/16 Constructional details or arrangements
    • G06F1/18 Packaging or power distribution
    • G06F1/181 Enclosures
    • G06F1/20 Cooling means
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Abstract

The invention discloses a firewall device of an embedded system. It comprises a universal embedded device, which comprises an embedded host device main body in a rectangular vertical posture with a horizontal base fixedly arranged at its bottom. The back of the shell of the embedded host device main body is provided with a plurality of longitudinally extending host radiating ribs distributed transversely in an equidistant array; a wind box enclosing table with an open upper end is enclosed at the bottom of the rib side, a positive pressure wind cavity lies within the enclosing range of the wind box enclosing table, and a radiating wind barrel is arranged on the wall body of the wind box enclosing table, its air outlet end communicating with the positive pressure wind cavity and its air inlet end communicating with the outside. The invention has a simple structure: the firewall module is plug and play and easy to remove, and the firewall module and the universal embedded device share one cooling system, saving space and cost.

Description

Firewall device of embedded system
Technical Field
The invention belongs to the field of firewalls, and particularly relates to a firewall device of an embedded system.
Background
The embedded system is applied to a specific environment, faces the application system of the professional field, and is a special computer system. The embedded system has strong individuation, the combination of software and hardware is tight, the whole system is organically combined with specific application, so the life cycle of the embedded system is generally long, and the updating of the system often adopts a mode of replacing the whole product.
Therefore, in the current field of network security, little research is done on the security aspects of embedded systems accessing the network. The current network security research mainly aims at the security protection of a network or a network formed by terminals such as a certain network or a certain specific host, a computer, a server and the like, and the research investment of the network security protection technology of a certain specific embedded system is very small, so that if the embedded system suffers from network attack, the data security in the embedded system and the normal operation of the system are difficult to protect. Aiming at the characteristics of the embedded system, the technology such as data filtering and data safety protection is adopted, and a firewall special for the embedded system is designed; meanwhile, the problem that the firewall module and the embedded equipment need to dissipate heat is solved.
Disclosure of Invention
The invention aims to: in order to overcome the defects in the prior art, the invention provides a firewall device of an embedded system sharing a cooling system.
The technical scheme is as follows: in order to achieve the above object, the firewall device of the embedded system of the present invention comprises a general embedded device, wherein the general embedded device comprises an embedded host device main body in a rectangular vertical posture, and a horizontal base is fixedly arranged at the bottom of the embedded host device main body; the embedded host equipment comprises a shell, wherein a plurality of host radiating ribs extending longitudinally are arranged on the back of the shell of the embedded host equipment body, the host radiating ribs are distributed transversely in an equidistant array, an air box enclosing table with an open upper end is arranged at the bottom of one side of the host radiating ribs in an enclosing mode, a positive pressure air cavity is arranged in the enclosing range of the air box enclosing table, a radiating air cylinder is arranged on the wall body of the air box enclosing table, the air outlet end of the radiating air cylinder is communicated with the positive pressure air cavity, and the air inlet end of the radiating air cylinder is communicated with the outside.
Further, the firewall comprises a firewall module main body in a rectangular shape in a vertical posture, erected on the upper side of the bellows enclosing table; a plurality of longitudinally extending firewall radiating ribs are arranged on the side surface of the shell of the firewall module main body that is close to the embedded host device main body, distributed transversely and equidistantly; the firewall radiating ribs and the host radiating ribs are mutually staggered, so that a plurality of radiating air channels are formed between each adjacent pair of firewall radiating rib and host radiating rib, the lower ends of the radiating air channels communicating with the positive pressure air cavity and the upper ends forming air outlets.
Further, vertical limit sliding grooves are symmetrically formed in two sides of the main body of the embedded host device, buckling plates are symmetrically arranged in two sides of the main body of the firewall module, longitudinal extending convex strips are symmetrically arranged on the inner sides of the buckling plates in a protruding mode, and the two convex strips are correspondingly buckled into the two limit sliding grooves respectively.
Further, a USB plug and a power input connector are arranged at the bottom of the firewall module main body; USB data sockets and power output sockets are respectively arranged on two sides of the top of the bellows enclosing table; when the firewall module main body is erected on the upper side of the bellows enclosing table, the USB plug and the power input connector are respectively inserted into the USB data socket and the power output socket correspondingly;
the firewall module main body is also provided with a wireless network receiving antenna; and a display screen is arranged on one side of the embedded host device main body, which is away from the host radiating ribs.
Further, the data transmitted from the wireless network is received by the wireless receiving unit of the firewall module, and is transmitted to the CPU of the universal embedded device for processing after passing the security policy verification of the firewall module through the USB interface; the security mechanism of the firewall module is to determine whether to allow the message to pass or not according to the source/destination address, the port number and the protocol type of the packet; the information source is from IP, TCP or UDP header, adopting the conventional firewall packet filtering technology, only the data packet meeting the filtering logic is forwarded to the corresponding destination outlet end, and the rest data packets not meeting the conditions are discarded; and according to the rules of the security policy, encryption, authentication, digital signature, integrity check and other security measures are carried out on the input and output data, so that the security in data transmission is ensured.
Further, the functional module of the firewall module comprises a memory and calculation module, a rule module for realizing the conversion from the security policy to the rule, a filtering module for judging whether the data packet accords with the rule, and a data interface module for realizing the data exchange with the embedded equipment or the network; the data interface module is divided into two parts, one side is a data I/O port connected with the embedded equipment, and the other side is an I/O port for exchanging data with the wireless network; different communication interfaces are adopted according to different embedded systems, so that a serial interface, a parallel interface and an RJ45 network cable interface can be supported;
After the firewall module is loaded, a data packet from the network first reaches the external wireless data interface of the firewall. Because of the communication protocol used by the wireless technology, the packet must undergo protocol conversion before subsequent operations can be performed on it. After the conversion, the corresponding rule is extracted through the routing table and the packet is judged against the security policy rules; this is the packet filtering function of the firewall. Packets that do not conform to the security policy rules are discarded directly. Packets that conform are packaged: protocol conversion, data encryption and authentication are carried out, and after packaging is complete the packet is sent to the CPU for processing through an embedded data interface such as a bus or a serial port. After the embedded system has processed the data received from the network, any data that needs to be sent to the external network is sent from the CPU to the firewall module through the internal data interface for protocol conversion and packet filtering, and the processed data is then sent to the Internet through the external interface.
Further, the hardware structure inside the firewall module (2) comprises a CPU module for performing rule operation and data encryption operation; and a RAM storage module storing security policy rules; a Flash memory module for providing an operation memory; ASIC chip module for realizing wireless data protocol conversion; the system also comprises a data interface module and a power supply module which are used for carrying out data interaction with the embedded system;
the software part of the firewall module is respectively a Bootloader, an embedded operating system, a network interface driver and a rule judging program; taking an embedded operating system as a core, taking a Bootloader as a responsibility for initializing hardware, realizing interaction with a physical transmission medium by a network interface driver, and realizing various functions of a firewall by a rule judgment program;
the data message processing flow of the embedded system is as follows: firstly, registering a security mechanism interface in an embedded system operation kernel, wherein the security mechanism interface corresponds to an actual network interface one by one; then, an entry pointing to a firewall security mechanism interface is added in the routing table, so that all input and output data packets are directly sent to the security processing mechanism interface; the packet encapsulation process is then placed in a security processing mechanism so that the source code of the IP does not have to be modified, and the modules in the firewall security management mechanism include: inquiring a policy database SPD, selecting rules and packaging packets; and the final data packet is sent to a data interface of the embedded system, so that safe communication is realized.
The beneficial effects are that: the invention has a simple structure, the firewall module is plug and play and easy to remove, the firewall module and the universal embedded device share one cooling system, and space and cost are saved. Drawing on the design ideas of network firewalls and the characteristics of embedded systems, a firewall dedicated to embedded systems in wireless mode is designed; it adopts technologies such as data filtering, state detection, security policy and embedded design, and is applied to the field of embedded system network security, so as to study and solve the problems of embedded system security, data security, network attack and system operation security for Internet-connected embedded systems that current network security research faces.
Drawings
FIG. 1 is a schematic diagram of a general embedded device and firewall module in a mated state;
FIG. 2 is a top view of FIG. 1;
FIG. 3 is a schematic diagram of a general embedded device and firewall module removal status;
FIG. 4 is a schematic diagram of the external structure of a general embedded device;
FIG. 5 is a schematic diagram of the external configuration of the firewall module;
FIG. 6 is a schematic diagram of a conventional embedded system access network;
FIG. 7 is a schematic diagram of an embedded system firewall of the device;
FIG. 8 is a block diagram of firewall functionality;
FIG. 9 is a firewall workflow diagram;
FIG. 10 is a diagram of an information interaction structure of the present solution;
fig. 11 is a schematic diagram of internal hardware of the firewall.
Detailed Description
The invention will be further described with reference to the accompanying drawings.
As shown in fig. 1 to 5, the external structures of the firewall module and the universal embedded device of the present embodiment are described as follows:
the universal embedded device comprises an embedded host device main body 2 in a rectangular vertical posture, and a horizontal base 5 is fixedly arranged at the bottom of the embedded host device main body 2; the back of the shell of the embedded host device main body 2 is provided with a plurality of longitudinally extending host radiating ribs 3, distributed transversely in an equidistant array; a wind box enclosing table 8 with an open upper end is enclosed at the bottom of the host radiating rib 3 side of the embedded host device main body 2, a positive pressure wind cavity 6 is arranged within the enclosing range of the wind box enclosing table 8, a radiating wind barrel 9 is arranged on the wall body of the wind box enclosing table 8, the wind outlet end of the radiating wind barrel 9 communicates with the positive pressure wind cavity 6, and the wind inlet end of the radiating wind barrel 9 communicates with the outside; the firewall comprises a firewall module with a rectangular firewall module main body 11 in a vertical posture, erected on the upper side of the bellows enclosing table 8; a plurality of longitudinally extending firewall heat dissipation ribs 14 are arranged on the side surface of the shell of the firewall module main body 11 that is close to the embedded host device main body 2, distributed transversely and equidistantly; the firewall heat dissipation ribs 14 and the host radiating ribs 3 are staggered with each other, so that a plurality of radiating air channels 17 are formed between each adjacent pair of firewall heat dissipation rib 14 and host radiating rib 3, the lower ends of the radiating air channels 17 communicating with the positive pressure wind cavity 6 and the upper ends forming air outlets 16;
the working process and principle of the cooling system are as follows: in the process that general embedded equipment and firewall module work simultaneously, start heat dissipation wind barrel 9, and then outside air enters into the positive pressure wind chamber 6 that bellows encloses platform 8 under the effect of heat dissipation fan barrel 9, and then form the malleation in the positive pressure wind chamber 6, and then compressed gas in the positive pressure wind chamber 6 upwards overflows in succession through each heat dissipation wind channel 17, and finally follow the air outlet 16 of each heat dissipation wind channel 17 upper end and discharge to the atmosphere, and then make in each heat dissipation wind channel 17 constantly flow through the heat dissipation air, and then taken away each heat dissipation rib 14 of preventing hot wall and host computer heat dissipation rib 3 simultaneously, and then realize the radiating effect to general embedded equipment and firewall module simultaneously.
Vertical limit sliding grooves 1 are symmetrically formed on both sides of the embedded host device main body 2, and buckling plates 15 are symmetrically arranged on both sides of the firewall module main body 11; a longitudinally extending convex strip 18 protrudes from the inner side of each of the two buckling plates 15, and the two convex strips 18 are buckled into the two limit sliding grooves 1 respectively. This structure limits the position of the firewall module main body 11, makes assembly and disassembly convenient, and at the same time aligns the USB plug 12 and the power input connector 13 with the USB data socket 7 and the power output socket 4 respectively when they are inserted.
The bottom of the firewall module main body 11 of the embodiment is provided with a USB plug 12 and a power input connector 13; USB data sockets 7 and power output sockets 4 are respectively arranged on two sides of the top of the bellows enclosing table 8; when the firewall module main body 11 is erected on the upper side of the bellows surrounding table 8, the USB plug 12 and the power input connector 13 are respectively inserted into the USB data socket 7 and the power output socket 4 correspondingly; the firewall module main body 11 is also provided with a wireless network receiving antenna; the embedded host device main body 2 is provided with a display screen on one side facing away from the host heat dissipation ribs 3.
The data transmitted from the wireless network is received by the wireless receiving unit of the firewall module, passes the security policy verification of the firewall module and is transmitted to the CPU of the universal embedded device for processing by the USB interface; the security mechanism of the firewall module is to determine whether to allow the message to pass or not according to the source/destination address, the port number and the protocol type of the packet; the information source is from IP, TCP or UDP header, adopting the conventional firewall packet filtering technology, only the data packet meeting the filtering logic is forwarded to the corresponding destination outlet end, and the rest data packets not meeting the conditions are discarded; and according to the rules of the security policy, encryption, authentication, digital signature, integrity check and other security measures are carried out on the input and output data, so that the security in data transmission is ensured;
the working method and the process of the firewall module are as follows:
When an embedded system commonly available on the market is connected to the network, it receives data directly from the network server without any safety protection means, and is therefore extremely vulnerable to attack. An existing general embedded system connected to a network in a wireless manner is illustrated in fig. 6: information is transmitted directly from the network to the data interface of the embedded system, which then passes it to the CPU module;
according to the firewall design of the embedded system, a firewall module is loaded on the embedded system of the universal embedded device, data transmitted from a network are directly transmitted to the firewall module through a data interface module, and after passing security policy verification, the data is transmitted to a CPU through a data interface for processing. The illustration of which is shown in fig. 7.
The data interface between the firewall and the embedded device can be a serial communication interface such as UART, SPI, USB or JTAG, or a parallel data interface such as SPP or EPP, to meet the different needs of different embedded systems; in this embodiment a USB interface is used. The wireless data interface can adopt the corresponding interface for the wireless communication technology in use, such as 3G, 4G, ZigBee, WiFi, Bluetooth or ultra-wideband.
Because an embedded device has a small memory and a processor with limited data processing capability, an independent external module is loaded onto the general embedded system, and all data exchanged between the embedded system and the network must pass through the detection and filtering of this external module; this is how the firewall function is realized. The functions of an embedded device are relatively limited, and so the attack patterns it is subjected to are typically also limited. Because an embedded device is generally developed for a specific requirement, the network functions it needs are few, other access modes can be restricted, and the possibility of attack is reduced. The storage capacity of an embedded system is relatively weak, so memory-resident viruses find it hard to survive there, but for the same reason memory-exhaustion attacks against it are easy to carry out.
Based on the characteristics of the embedded system, a firewall design scheme for the embedded system is provided. Such firewalls provide encryption and authentication services at the network layer. The security mechanism of the firewall mainly comprises the following points:
1. It determines whether to allow a message to pass based on the source/destination address, port number and protocol type of the packet. The information for this decision comes from the IP, TCP or UDP packet headers. Using the packet filtering technology of conventional firewalls, only the data packets that satisfy the filtering logic are forwarded to the corresponding destination outlet, and the remaining packets that do not satisfy the conditions are discarded.
2. According to the rules of the security policy, encryption, authentication, digital signature, integrity check and other security measures are applied to the input and output data, so that security in data transmission is ensured.
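As an added illustration of point 1 (this is example code written for this page, not code from the patent or its inventors), the following C program implements first-match packet filtering on exactly the fields named above: source/destination address, port number and protocol type taken from the IP and TCP/UDP headers. The rule table, the host addresses and the sample packets are constructed for the example; any packet that no rule admits is discarded, matching the default-discard behaviour the text describes.

```c
/* Added example, not the patent's own code: first-match packet filtering on
 * the fields the patent names (source/destination address, port number and
 * protocol type read from the IP and TCP/UDP headers). The rule table and the
 * sample packets are constructed for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum proto   { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };
enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };

/* Host-order IPv4 address from four octets; a macro so it can sit in a
 * static initializer (the sample rule table below). */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Header fields the filter inspects, extracted from the IP and transport headers. */
struct pkt_hdr {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* A filtering rule: addresses match under a netmask; dst_port 0 means any
 * port and PROTO_ANY means any protocol. */
struct filter_rule {
    uint32_t src_ip, src_mask;
    uint32_t dst_ip, dst_mask;
    uint16_t dst_port;
    uint8_t  proto;
    enum verdict action;
};

static bool rule_matches(const struct filter_rule *r, const struct pkt_hdr *p) {
    if (r->proto != PROTO_ANY && r->proto != p->proto) return false;
    if ((p->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) return false;
    if ((p->dst_ip & r->dst_mask) != (r->dst_ip & r->dst_mask)) return false;
    if (r->dst_port != 0 && r->dst_port != p->dst_port) return false;
    return true;
}

/* The first rule that matches decides. A packet no rule admits is discarded,
 * which is the behaviour the patent describes for packets that fail the
 * filtering logic. */
enum verdict filter_packet(const struct filter_rule *rules, size_t n, const struct pkt_hdr *p) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].action;
    return VERDICT_DROP;
}

/* Constructed rule set for a device at 10.0.0.20 that only needs to accept
 * TCP/502 from one management host and UDP/123 (NTP) from its own /24. */
static const struct filter_rule sample_rules[] = {
    { IP4(10,0,0,5), 0xFFFFFFFFu, IP4(10,0,0,20), 0xFFFFFFFFu, 502, PROTO_TCP, VERDICT_PASS },
    { IP4(10,0,0,0), 0xFFFFFF00u, IP4(10,0,0,20), 0xFFFFFFFFu, 123, PROTO_UDP, VERDICT_PASS },
    { 0, 0, 0, 0, 0, PROTO_ANY, VERDICT_DROP },  /* explicit catch-all: discard */
};
#define SAMPLE_RULE_COUNT (sizeof sample_rules / sizeof sample_rules[0])

/* Classify one constructed packet against the sample table. */
enum verdict classify_sample(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport) {
    struct pkt_hdr p = { src, dst, 40000, dport, proto };
    return filter_packet(sample_rules, SAMPLE_RULE_COUNT, &p);
}

int main(void) {
    printf("mgmt host TCP/502: %s\n",
           classify_sample(IP4(10,0,0,5), IP4(10,0,0,20), PROTO_TCP, 502) == VERDICT_PASS ? "pass" : "drop");
    printf("other LAN host TCP/502: %s\n",
           classify_sample(IP4(10,0,0,77), IP4(10,0,0,20), PROTO_TCP, 502) == VERDICT_PASS ? "pass" : "drop");
    return 0;
}
```

The rule order matters: the explicit catch-all must stay last, and a more specific rule placed after a broader one is never reached. Keeping the table small and ordered from most to least specific is also what keeps the per-packet cost low on a processor with the limited capability the text describes.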
Security policy analysis of embedded networks:
Because an embedded system is specific and targeted, not all of the data encryption, data integrity authentication, identity authentication and data source authentication commonly used in PC communication apply to it, so suitable encryption protocols and encryption measures need to be established for the specific firewall application of embedded networking. In this way the specific rules used for decisions in the routing table are determined.
1. Access control security policy: by monitoring input and output data and controlling what is allowed in and out, part of the attacks can be blocked. Input and output data are checked against the pre-specified safety rules; data that meets the requirements is allowed to pass, otherwise the packet is blocked. Because an embedded device provides relatively few network functions, access by unnecessary data can be controlled.
2. Data privacy and integrity security policy: transmitted data is encrypted, and encapsulation and authentication ensure its confidentiality, so that unauthorized users cannot obtain the information content.
The firewall functional modules are shown in fig. 8, and include necessary memory and calculation modules, rule modules for implementing conversion from security policy to rule, filtering modules for judging whether the data packet meets the rule, and data interface modules for implementing data exchange with embedded devices or networks. The data interface module is divided into two parts, one is a data I/O port connected with the embedded equipment, and the other is an I/O port for exchanging data with the wireless network. Different communication interfaces can be adopted according to different embedded systems, and a serial interface, a parallel interface and an RJ45 network cable interface can be supported.
The general embedded system, after loading the firewall proposed herein, performs a data exchange process with the network as shown in fig. 9. Firstly, a data packet is transmitted from a network to an external wireless data interface of a firewall, a communication protocol adopted by a wireless communication technology needs to be subjected to protocol conversion to execute subsequent operation, corresponding rules are extracted through a routing table after the protocol conversion, and the data packet is subjected to security policy rule judgment, namely, the packet filtering function of the firewall is realized. The data packets which do not accord with the security policy rules are directly discarded, the data packets which accord with the security policy are packaged, a series of works such as protocol conversion, data encryption and authentication are carried out on the data packets, and after the packaging is completed, the data packets are sent to a CPU through an embedded data interface such as a bus, a serial port and the like for operation. After the embedded system processes the data sent by the network, if the data is required to be sent to the external network, the embedded system also sends the data from the CPU to the firewall module through the internal data interface to perform protocol conversion and packet filtering through the above flow, and then sends the processed data to the Internet through the external interface.
The query efficiency of the security policy database (SPD) is an important factor affecting firewall performance. In most embedded deployments the firewall may need to provide packet filtering for more than one device, and searching the SPD for the matching rule on every packet can become the bottleneck of the firewall's overall data processing capacity. To solve this problem, first consider the storage structure of the database: for a filtering rule, the communication protocol, the SPI and the destination address uniquely determine a rule, so (protocol + SPI + destination address) is used as the query key and the rules are queried through a hash table structure. Second, because the transfer of data packets is continuous, a cache in the inner layer keeps the recently used security policies, avoiding frequent query procedures and thus improving system performance.
The external embedded system firewall hardware adopts a modularized design and is composed of the following modules:
1. The processor module performs the calculations for packet filtering and data encryption, and executes the firewall security policy.
2. The storage module stores the rule set of the security policy and provides memory space for running the program.
3. The data interface module receives data packets from the network and transmits them to the embedded system.
4. The debugging circuit module is the channel between the development platform and the user interface, used for debugging the firewall system.
5. The peripheral circuit module comprises a power supply circuit, a crystal oscillator circuit and a reset circuit.
Software structure of embedded system firewall:
since embedded systems often have small memory and relatively poor computing power, these factors need to be considered in designing firewalls. The firewall of the embedded system comprises 4 modules, namely a Bootloader, an embedded operating system, a network interface driver and a rule judging program. The embedded operating system is used as a core, the Bootloader is responsible for initializing hardware, the network interface driver realizes interaction with a physical transmission medium, and the rule judgment program realizes various functions of the firewall. Fig. 10 is an information interaction structure diagram of the 4 modules.
1. The Bootloader initializes the hardware devices, establishes the memory space map, and prepares a correctly started environment for finally calling the operating kernel of the embedded system.
2. The operating system loads the driver program so that the firewall can correctly receive and send data packets.
3. The operating system calls the rule judging program, which processes the received data packet and returns the processing result.
4. The operating system calls the rule judging program to send the data packets allowed to pass, according to the processing result of the rule judging program.
Because the designed firewall of the embedded system is platform independent, any technical platform and hardware equipment can be selected to implement it. Realizing the protocol conversion and migrating the rule code into an actual firewall is the key step in turning the theory into practice, so that secure data transmission for the embedded system can be achieved on a real device.
First, the hardware structure of the embedded system firewall is determined. The hardware comprises: a CPU module for performing rule operations and data encryption operations; a RAM storage module storing the security policy rules; a Flash memory module for providing operating memory; an ASIC chip module for realizing wireless data protocol conversion; the most important part, a data interface module for data interaction with the embedded system; and a power supply module. The hardware structure is shown in fig. 11.
Besides the minimum design scheme of CPU+RAM+flash+bus adopted in the specification, the firewall can be designed and realized in modes of FPGA, gate array, chip IC design and the like.
The concept of a security mechanism interface of a firewall is introduced into an embedded system, and the data message processing flow is as follows:
1. A security mechanism interface is registered in the embedded system operating kernel, with one security mechanism interface corresponding to each actual network interface.
2. An entry pointing to the firewall security mechanism interface is added to the routing table, so that all input and output data packets are sent directly to the security processing mechanism interface.
3. The packet encapsulation process is placed in the security handling mechanism (i.e., the firewall) so that the IP source code does not have to be modified. The modules in the firewall security management mechanism include: querying the policy database SPD, selecting rules, and the encapsulation processing (encryption and authentication) of packets.
4. The final data packet is sent to the data interface of the embedded system, so that secure communication is realized.
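As an added illustration (not code from the patent), the following Python sketches the rule judging step of the flow above, and of the packet filtering the claims describe, for IPv4 packets: it extracts protocol, addresses and ports from the IP and TCP/UDP headers, matches them against an ordered rule set, and discards anything unmatched or malformed. The addresses, ports, rules and the packet builder are constructed for the example; the builder emits minimal headers with zero checksums, not valid wire packets.

```python
import struct
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17  # IPv4 protocol numbers; only these carry ports to match on

def parse_packet(raw: bytes) -> dict:
    """Pull the filter's selectors out of an IPv4 header and, for TCP/UDP,
    the port pair that follows it. Raises ValueError on anything malformed."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad header length")
    pkt = {"proto": proto, "src": ip_address(src), "dst": ip_address(dst),
           "sport": None, "dport": None}
    if proto in (TCP, UDP):
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt

class Rule:
    """One filtering rule; selectors left unset match anything."""
    def __init__(self, action, proto=None, src="0.0.0.0/0", dst="0.0.0.0/0", dport=None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = ip_network(src), ip_network(dst)

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and pkt["src"] in self.src and pkt["dst"] in self.dst
                and (self.dport is None or self.dport == pkt["dport"]))

def filter_packet(raw: bytes, rules: list) -> str:
    """First matching rule decides; malformed or unmatched packets are discarded."""
    try:
        pkt = parse_packet(raw)
    except ValueError:
        return "discard"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "discard"

def build_packet(proto, src, dst, sport, dport) -> bytes:
    """Constructed test packet: minimal IPv4 header (zero checksum) plus a port pair."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)

# Constructed policy for an embedded host at 10.0.0.2: SSH from the local
# subnet and NTP to the host are allowed; everything else is dropped by default.
RULES = [
    Rule("accept", proto=TCP, src="10.0.0.0/24", dst="10.0.0.2/32", dport=22),
    Rule("accept", proto=UDP, dst="10.0.0.2/32", dport=123),
]
```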
The foregoing is only a preferred embodiment of the invention, it being noted that: it will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the invention.

Claims (5)

1. The firewall device of the embedded system is characterized in that: the embedded type equipment comprises a rectangular vertical embedded type host equipment main body (2), wherein a horizontal base (5) is fixedly arranged at the bottom of the embedded type host equipment main body (2); the embedded host equipment comprises an embedded host equipment main body (2), wherein a plurality of host radiating ribs (3) extending longitudinally are arranged on the back of the shell of the embedded host equipment main body (2), the host radiating ribs (3) are distributed transversely in an equidistant array, an air box enclosing table (8) with an open upper end is enclosed at the bottom of one side of the embedded host equipment main body (2), a positive pressure air cavity (6) is arranged in the enclosing range of the air box enclosing table (8), a radiating air cylinder (9) is arranged on the wall body of the air box enclosing table (8), the air outlet end of the radiating air cylinder (9) is communicated with the positive pressure air cavity (6), and the air inlet end of the radiating air cylinder (9) is communicated with the outside;
the firewall device further comprises a firewall module, wherein the firewall module comprises a rectangular firewall module main body (11) in a vertical posture, and the firewall module main body (11) is erected on the upper side of the bellows enclosing table (8); a plurality of firewall heat dissipation ribs (14) extending longitudinally are arranged on the side surface of the shell of the firewall module main body (11) that faces the embedded host equipment main body (2), and the firewall heat dissipation ribs (14) are distributed transversely and equidistantly; the firewall radiating ribs (14) and the host radiating ribs (3) are staggered so that they interleave, a plurality of radiating air channels (17) are formed between each adjacent firewall radiating rib (14) and host radiating rib (3), the lower ends of the radiating air channels (17) are communicated with the positive pressure air cavity (6), and the upper ends of the radiating air channels (17) are air outlets;
the embedded host equipment is characterized in that vertical limiting sliding grooves (1) are symmetrically formed in two sides of the embedded host equipment main body (2), buckling plates (15) are symmetrically arranged in two sides of the firewall module main body (11), longitudinal extending convex strips (18) are symmetrically arranged on the inner sides of the buckling plates (15) in a protruding mode, and the two convex strips (18) correspondingly slide into the two limiting sliding grooves (1) respectively.
2. The firewall apparatus of an embedded system of claim 1, wherein: the bottom of the firewall module main body (11) is provided with a USB plug (12) and a power input connector (13); USB data sockets (7) and power output sockets (4) are respectively arranged on two sides of the top of the bellows enclosing table (8); when the firewall module main body (11) is erected on the upper side of the bellows enclosing table (8), the USB plug (12) and the power input connector (13) are respectively inserted into the USB data socket (7) and the power output socket (4) correspondingly;
the firewall module main body (11) is also provided with a wireless network receiving antenna; and a display screen is arranged on one side of the embedded host device main body (2) away from the host radiating ribs (3).
3. A firewall apparatus for an embedded system according to claim 2, wherein: the data transmitted from the wireless network is received by the wireless receiving unit of the firewall module, passes the security policy verification of the firewall module and is transmitted through the USB interface to the CPU of the universal embedded device for processing; the security mechanism of the firewall module determines whether to allow a message to pass according to the source/destination address, the port number and the protocol type of the packet, this information being taken from the IP, TCP or UDP header; conventional firewall packet filtering is adopted, so that only data packets meeting the filtering logic are forwarded to the corresponding destination outlet, and the remaining data packets that do not meet the conditions are discarded; and according to the rules of the security policy, security measures such as encryption, authentication, digital signature and integrity check are applied to the input and output data, so that security in data transmission is ensured.
4. A firewall apparatus for an embedded system according to claim 3, wherein: the function module of the firewall module comprises a memory and calculation module, a rule module for realizing the conversion from a security policy to a rule, a filtering module for judging whether the data packet accords with the rule, and a data interface module for realizing the data exchange with the embedded equipment or the network; the data interface module is divided into two parts, one side is a data I/O port connected with the embedded equipment, and the other side is an I/O port for exchanging data with the wireless network; different communication interfaces are adopted according to different embedded systems, so that a serial interface, a parallel interface and an RJ45 network cable interface can be supported;
after loading the firewall module, the general embedded system first transmits a data packet from the network to the external wireless data interface of the firewall; the communication protocol adopted by the wireless communication technology requires protocol conversion before subsequent operations can be performed on the data packet, and after the protocol conversion the corresponding rule is extracted through the routing table to judge the data packet against the security policy rules, i.e. the packet filtering function of the firewall is realized; data packets that do not conform to the security policy rules are discarded directly, while data packets that conform to the security policy are packaged, undergoing protocol conversion, data encryption and authentication; after packaging is completed, the data packets are sent to the CPU for processing through an embedded data interface such as a bus or a serial port; after the data sent by the network has been processed, if the embedded system needs to send data to the external network, the data is sent from the CPU to the firewall module through the internal data interface for protocol conversion and packet filtering, and the processed data is then sent to the internet through the external interface.
5. The firewall apparatus of the embedded system of claim 4, wherein: the hardware structure inside the firewall module comprises a CPU module for performing rule operation and data encryption operation; and a RAM storage module storing security policy rules; a Flash memory module for providing an operation memory; ASIC chip module for realizing wireless data protocol conversion; the system also comprises a data interface module and a power supply module which are used for carrying out data interaction with the embedded system;
the software part of the firewall module consists of a Bootloader, an embedded operating system, a network interface driver and a rule judging program; the embedded operating system is the core, the Bootloader is responsible for initializing the hardware, the network interface driver realizes interaction with the physical transmission medium, and the rule judging program realizes the various functions of the firewall;
the data message processing flow of the embedded system is as follows: firstly, registering a security mechanism interface in an embedded system operation kernel, wherein the security mechanism interface corresponds to an actual network interface one by one; then, an entry pointing to a firewall security mechanism interface is added in the routing table, so that all input and output data packets are directly sent to the security processing mechanism interface; the packet encapsulation process is then placed in a security processing mechanism so that the source code of the IP does not have to be modified, and the modules in the firewall security management mechanism include: inquiring a policy database SPD, selecting rules and packaging packets; and the final data packet is sent to a data interface of the embedded system, so that safe communication is realized.
CN201810988269.3A 2018-08-28 2018-08-28 Firewall device of embedded system Active CN108845638B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810988269.3A CN108845638B (en) 2018-08-28 2018-08-28 Firewall device of embedded system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810988269.3A CN108845638B (en) 2018-08-28 2018-08-28 Firewall device of embedded system

Publications (2)

Publication Number Publication Date
CN108845638A CN108845638A (en) 2018-11-20
CN108845638B true CN108845638B (en) 2024-02-20

Family

ID=64189421

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810988269.3A Active CN108845638B (en) 2018-08-28 2018-08-28 Firewall device of embedded system

Country Status (1)

Country Link
CN (1) CN108845638B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910836B (en) * 2020-12-26 2023-04-07 北京珞安科技有限责任公司 Industrial control network safety protection equipment and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN204406297U (en) * 2015-02-02 2015-06-17 北京京东方茶谷电子有限公司 A kind of mainframe box and main frame
CN206411572U (en) * 2016-11-30 2017-08-15 同方工业信息技术有限公司 Card insert type cooling cabinet
CN206479911U (en) * 2017-01-20 2017-09-08 长春职业技术学院(长春市职业技术教育中心长春市财政学校) A kind of many heat dissipation wind channel computer host boxes
CN108089667A (en) * 2018-01-11 2018-05-29 苏州赫瑞特智控科技股份有限公司 A kind of cabinet for industrial personal computer

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2310926B1 (en) * 2006-06-01 2013-11-20 Google Inc. Modular computing environments
US10185331B2 (en) * 2013-03-11 2019-01-22 Ice Computer, Inc. Modular computer and thermal management

Also Published As

Publication number Publication date
CN108845638A (en) 2018-11-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant