CN111181985B - Data transmission method, data transmission system, firewall device and storage medium - Google Patents


Info

Publication number
CN111181985B
Authority
CN
China
Prior art keywords
firewall
data packet
packet
response
response data
Legal status
Active
Application number
CN201911425660.3A
Other languages
Chinese (zh)
Other versions
CN111181985A (en)
Inventor
张再超
孙宝良
李红光
吴亚东
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN201911425660.3A
Publication of CN111181985A
Application granted
Publication of CN111181985B

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/22 Parsing or analysis of headers

Abstract

The present disclosure provides a data transmission method applied to a first firewall, the method including: in the case that a request data packet from a client is sent to a server through a second firewall, receiving a response data packet from the server, wherein the first firewall is a backup firewall of the second firewall; parsing the response data packet to obtain parsed data; looking up, according to the parsed data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and, in the case that no session data matching the response data packet exists, sending the response data packet to the second firewall so that the response data packet is processed by the second firewall. The present disclosure also provides a data transmission method applied to the second firewall, a data transmission system, a firewall device, a readable storage medium and a computer program product.

Description

Data transmission method, data transmission system, firewall device and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and more particularly, to a data transmission method, a data transmission system, a firewall device, a readable storage medium, and a computer program product.
Background
When a plurality of firewall devices (hereinafter referred to as firewalls) are deployed, the complex network environment of the customer usually imposes some special requirements, for example: the deployment must not change the current network topology, must not require the purchase of other network equipment because of the firewall deployment, the firewalls must work independently while backing each other up, and path redundancy under an asymmetric routing structure must be supported.
At present, the firewalls of mainstream vendors can provide flexible networking in various environments based on link-level multiple redundancy; during deployment, a square (口-shaped) or full-mesh topology under an active/standby or active/active structure can be selected according to the specific customer network environment, so that session synchronization is supported when a plurality of firewalls work independently. When session synchronization among a plurality of firewalls is supported, the session data each firewall creates needs to be transmitted between the firewalls, and data packets are then forwarded based on the created session data.
In the course of implementing the disclosed concept, the inventors found that the related art has at least the following problem: if a firewall receives a data packet returned by the server without having session data for it, the packet may be lost when the firewall forwards it toward the client, so that the client needs to initiate the connection establishment process again, and data transmission efficiency is affected.
Disclosure of Invention
In view of this, the present disclosure provides a data transmission method, a data transmission system and a firewall device.
One aspect of the present disclosure provides a data transmission method applied to a first firewall, including: in the case that a request data packet from a client is sent to a server through a second firewall, receiving a response data packet from the server, wherein the first firewall is a backup firewall of the second firewall; parsing the response data packet to obtain parsed data; looking up, according to the parsed data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and, in the case that no session data matching the response data packet exists, sending the response data packet to the second firewall so that the response data packet is processed by the second firewall.
According to an embodiment of the present disclosure, the method further comprises: before sending the response packet to the second firewall in the absence of session data matching the response packet, determining the protocol type of the response packet; judging whether a forwarding policy is configured for the protocol type of the response packet; and sending the response packet to the second firewall in the case that a forwarding policy is configured for the protocol type of the response packet.
According to an embodiment of the present disclosure, the method further comprises: in the case that no forwarding policy is configured for the protocol type of the response packet, performing a checking operation on the response packet; in the case that the response packet passes the check, creating a session corresponding to the response packet and sending the response packet to the client; and in the case that the response packet does not pass the check, performing packet loss processing on the response packet.
According to an embodiment of the present disclosure, the method further comprises: and sending the response data packet to the client under the condition that the session data matched with the response data packet exists.
According to an embodiment of the present disclosure, processing the response packet through the second firewall includes: judging whether the second firewall has session data matched with the response data packet or not; and under the condition that the second firewall does not have session data matched with the response data packet, performing packet loss processing on the response data packet.
According to an embodiment of the present disclosure, the method further comprises: sending the response data packet to the client under the condition that the second firewall has session data matched with the response data packet; and sending the session data to the first firewall so that the first firewall can store the session data.
Another aspect of the present disclosure provides a data transmission method applied to a second firewall, including: sending a request data packet from a client to a server; and receiving a response data packet from the first firewall and processing the response data packet. Here the first firewall is a backup firewall of the second firewall, and the response packet is sent after the first firewall performs the following operations: receiving a response data packet from the server; parsing the response data packet to obtain parsed data; looking up, according to the parsed data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and, when no session data matching the response data packet is found according to the parsed data, sending the response data packet to the second firewall.
According to an embodiment of the present disclosure, processing the response packet includes: judging whether the second firewall has session data matched with the response data packet or not; under the condition that the second firewall does not have session data matched with the response data packet, performing packet loss processing on the response data packet; sending the response data packet to the client under the condition that the session data matched with the response data packet exists in the second firewall; and sending the session data to the first firewall so that the first firewall can store the session data.
Another aspect of the present disclosure provides a data transmission system, including a first firewall and a second firewall, where the first firewall is a backup firewall of the second firewall, where:
the first firewall is configured to perform: under the condition that a request data packet from a client is sent to a server through the second firewall, a response data packet from the server is received; analyzing the response data packet to obtain analysis data; searching whether session data matched with the response data packet exists according to the analysis data so as to determine whether to send the response data packet to the second firewall; and in the absence of session data matching the response packet, sending the response packet to the second firewall;
the second firewall is configured to perform: sending a request data packet from a client to a server; receiving a response packet from the first firewall; and processing the response data packet.
Another aspect of the present disclosure provides a firewall apparatus, including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program product comprising executable instructions that, when executed by a processor, cause the processor to implement the method as described above.
According to the embodiment of the disclosure, when the first firewall receives the response data packet from the server, it parses the response data packet, looks up according to the parsed data whether session data matching the response data packet exists, and, if no such session data exists, sends the response data packet to the second firewall so that the second firewall processes it. Because the second firewall can decide whether to forward the response data packet to the client according to the session data it created itself, the technical problem that a packet returned by the server and received by the first firewall without a session is likely to be lost on its way to the client, forcing the client to initiate the connection establishment process again, is at least partially solved, and the technical effect of improving data transmission efficiency is achieved.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an exemplary system architecture to which the data transmission method and the data transmission system may be applied, according to an embodiment of the present disclosure;
fig. 2 schematically shows an exemplary system architecture to which the data transmission method and the data transmission system can be applied, according to another embodiment of the present disclosure;
fig. 3 schematically shows a flow chart of a data transmission method applied to a first firewall according to an embodiment of the present disclosure;
fig. 4 schematically shows a flow chart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure;
fig. 5 schematically shows a flow chart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure;
fig. 6 schematically shows a flow chart of a data transmission method applied to a data transmission system according to another embodiment of the present disclosure;
fig. 7 schematically shows a block diagram of a data transmission apparatus applied to a first firewall according to an embodiment of the present disclosure;
fig. 8 schematically shows a block diagram of a data transmission apparatus applied to a second firewall according to an embodiment of the present disclosure; and
fig. 9 schematically illustrates a block diagram of a firewall device suitable for implementing the data transmission method described above according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B, and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). In those instances where a convention analogous to "at least one of A, B, or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
Fig. 1 schematically shows an exemplary system architecture to which the data transmission method and the data transmission system may be applied according to an embodiment of the present disclosure.
As shown in fig. 1, the data transmission system 100 includes a first firewall 101 and a second firewall 102, wherein the first firewall 101 is a backup firewall of the second firewall 102.
According to an embodiment of the present disclosure, the data transmission system 100 may belong to an asymmetric routing network whose routing policy is as follows: the second firewall 102 receives the request data packet Syn (req) from the client 104 and sends it to the server 103, while the response data packet Syn (req, ack) sent by the server 103 may be returned to the client 104 through the first firewall 101. This routing policy is referred to as a different-path return.
In terms of data transmission, when a packet flows through the second firewall 102, the second firewall 102 establishes a Session according to policy, matches subsequent packets against the Session, and fast-forwards a subsequent packet if it matches. If the packet returned by the server 103 flows through the first firewall 101, the first firewall 101 also needs to perform session matching on the returned packet.
According to the embodiment of the disclosure, in order to ensure that the data packet returned along the different path is not discarded by the first firewall 101, the first firewall 101 and the second firewall 102, which back each other up, may be connected by a heartbeat line, and the second firewall 102 may synchronize its session data (Session sync) to the first firewall 101 in real time, so that the same Session also exists in the first firewall 101 and the response data packet can be matched normally. When the Session exists, the response data packet can be fast-forwarded without performing operations such as the state check and the security policy check, and the response data packet is forwarded normally.
However, if the first firewall 101 receives a packet without a session, it performs operations such as a state check and a security policy check according to its configuration. If the check passes, a new session is created and the packet is forwarded; if the check fails, packet loss processing may be performed directly, and the firewall cannot subsequently establish a new session for the response packet.
In the process of implementing the present disclosure, the inventors found that when the second firewall 102 synchronizes the session data (Session sync) to the first firewall 101, the session data may arrive after the first firewall 101 has already received the response packet. The response packet then fails the state check, security policy check and similar operations, and the first packet or the first few packets may be discarded by the first firewall 101.
In addition, if the UDP protocol is used to transmit the session data for synchronization, it is difficult to ensure that the peer firewall actually receives the session data, and the session synchronization packet is not retransmitted when it is not received; that is, the session synchronization packet may be lost, which may cause the response data packet to be discarded by the firewall because the other checks are not passed. The success rate of network connections in the asymmetric network environment is then seriously reduced, especially for TCP connections, whose share of network traffic generally exceeds 90 percent, so the normal use of the network is affected.
Through the embodiment of the disclosure, when the request data packet from the client 104 is sent to the server 103 through the second firewall 102, the first firewall 101 receives the response data packet from the server 103 and parses it to obtain parsed data; it looks up according to the parsed data whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall 102; and in the absence of session data matching the response packet, the first firewall 101 sends the response packet to the second firewall 102. The second firewall 102 receives the response packet from the first firewall 101 and processes it.
Because the second firewall can decide whether to forward the response data packet to the client according to the session data it created itself, the technical problem that a packet returned by the server and received by the first firewall without a session is likely to be lost on its way to the client, forcing the client to initiate the connection establishment process again, is at least partially solved, and the technical effect of improving data transmission efficiency is achieved.
According to the method and the device, by sending the response data packet from the first firewall 101 to the second firewall 102, the success rate of TCP connection establishment is effectively improved, the stability of the asymmetric network is guaranteed, and the user experience is effectively improved.
This special handling of the different-path return packet by the firewall in an asymmetric network environment achieves zero packet loss for the firewall's different-path return packets in the asymmetric network. The problem of the firewall discarding the return packet is solved, and the reliability of the firewall is improved.
According to an embodiment of the present disclosure, a router 105 may be included between the server 103 and the first firewall 101 and the second firewall 102, so as to implement data transmission between the server 103 and the first firewall 101 and the second firewall 102.
According to an embodiment of the present disclosure, a router 106 may be included between the client 104 and the first firewall 101 and the second firewall 102, for enabling data transmission between the client 104 and the first firewall 101 and the second firewall 102.
It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
For example, fig. 2 schematically shows an exemplary system architecture to which the data transmission method and the data transmission system may be applied, according to another embodiment of the present disclosure.
As shown in fig. 2, the local area network (LAN) may include one or more clients, and a client may send a request packet, which is routed and forwarded through the router 201 or the router 202, has a session created and inspected by the firewall 203 or the firewall 204 in the data transmission system 200, and is then routed and forwarded to the wide area network (Internet) through the router 205 or the router 206. For the execution flow of the firewall 203 or the firewall 204, refer to the description of fig. 1, which is not repeated here.
It should be understood that the number of firewalls, clients, and servers in fig. 1 and 2 are merely illustrative. There may be any number of firewalls, clients, and servers, as desired for the implementation.
Fig. 3 schematically shows a flowchart of a data transmission method applied to a first firewall according to an embodiment of the present disclosure.
As shown in fig. 3, the data transmission method applied to the first firewall includes operations S301 to S304.
In operation S301, in the case that a request packet from a client is sent to a server through a second firewall, a response packet from the server is received, where a first firewall is a backup firewall of the second firewall.
According to the embodiment of the disclosure, the second firewall may first send a request packet from the client to the server, and the first firewall then receives a response packet from the server. In other words, the data transmission method applied to the first firewall is applicable to the different-path return packet scenario. The first firewall is a backup firewall of the second firewall; that is, after the second firewall receives the request packet and establishes the session data corresponding to it, under normal conditions the second firewall synchronizes that session data to the first firewall, so that the first firewall can store the session data corresponding to the request packet.
In operation S302, the response packet is parsed to obtain parsing data.
According to the embodiment of the disclosure, the parsing data may include data such as an IP address of the client, an IP address of the server, a port address of the client, a port address of the server, a type of a transmission protocol, and the like.
In operation S303, it is checked whether there is session data matching the response packet according to the parsed data to determine whether to send the response packet to the second firewall.
According to an embodiment of the present disclosure, the session data may include identification information for identifying the client sending the request packet, for example, an IP address of the client, a port address of the client. Of course, the session data may also include the IP address of the server, the port address of the server, the type of the transport protocol, and so on.
According to an embodiment of the present disclosure, the IP address of the client included in the parsed data may be matched against the client IP addresses stored in the first firewall. If the client IP addresses stored in the first firewall include the client IP address contained in the parsed data, the match succeeds; if they do not include it, the match fails.
According to an embodiment of the present disclosure, in the case where it is determined that there is session data matching the response packet after the first firewall lookup, the response packet may be directly transmitted to the client.
In operation S304, in the absence of session data matching the response packet, the response packet is transmitted to the second firewall such that the response packet is processed by the second firewall.
According to an embodiment of the present disclosure, the number of the second firewalls is not limited, and for example, the second firewalls may include 1 firewall, 2 firewalls, and the like. In other words, the first firewall may send response packets to the plurality of second firewalls in the absence of session data matching the response packets.
According to an embodiment of the present disclosure, the processing of the response packet by the second firewall includes: judging whether the second firewall has session data matching the response data packet, and performing packet loss processing on the response data packet in the case that the second firewall has no session data matching it.
According to the embodiment of the disclosure, in the case that the second firewall has session data matching the response packet, the response packet is sent to the client, and the session data is sent to the first firewall so that the first firewall saves the session data.
Through the embodiment of the disclosure, under the condition that the second firewall has the session data matched with the response data packet, the session data is sent to the first firewall, so that when the first firewall receives the response data packet again, the first firewall can directly match the session data according to the received session data, and the response data packet does not need to be sent to the second firewall again for processing.
According to the embodiment of the disclosure, when the first firewall receives the response data packet from the server, it parses the response data packet, looks up according to the parsed data whether session data matching the response data packet exists, and, if no such session data exists, sends the response data packet to the second firewall so that the second firewall processes it. Because the second firewall can decide whether to forward the response data packet to the client according to the session data it created itself, the technical problem that a packet returned by the server and received by the first firewall without a session may be lost when forwarded to the client, forcing the client to initiate the connection establishment process again, is at least partially solved, and the technical effect of improving data transmission efficiency is achieved.
By sending the response data packet from the first firewall to the second firewall so that the second firewall can process it, zero packet loss for different-path return packets of the firewall in an asymmetric network is achieved; applied to the firewall's asymmetric network environment, this improves the reliability and practicality of the firewall in asymmetric networks. The method solves the technical problem that the Session synchronization packet sent by the second firewall to the first firewall is lost or arrives late, so that the response data packet is lost, and is an effective supplement to the firewall's Session synchronization mechanism and to the transmission of different-path return packets in asymmetric networks.
The method shown in fig. 3 is further described with reference to fig. 4-6 in conjunction with specific embodiments.
Fig. 4 schematically shows a flowchart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure.
As shown in fig. 4, the data transmission method applied to the first firewall includes operations S401 to S403 in addition to operations S301 to S304.
In operation S401, in the absence of session data matching the response packet, the protocol type of the response packet is determined before the response packet is transmitted to the second firewall.
According to the embodiment of the present disclosure, the data packets processed during data transmission are mainly TCP packets; other protocols (not limited to transport-layer protocols) may also be handled by reference to this method.
In operation S402, it is determined whether the protocol type of the response packet is configured with a forwarding policy.
According to an embodiment of the present disclosure, a forwarding policy may be configured for one or more of the TCP protocol, the UDP protocol, and the like. Because TCP accounts for a high share of network data transmission, forwarding of TCP packets may be enabled by default, while packets of other protocol types execute the method only when enabled by command according to the actual application scenario.
In operation S403, in case the protocol type of the response packet is configured with a forwarding policy, the response packet is sent to the second firewall.
Fig. 5 schematically shows a flowchart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure.
As shown in fig. 5, the data transmission method applied to the first firewall includes operations S501 to S503 in addition to operations S301 to S304, S401 to S403.
In operation S501, in case the protocol type of the response packet is not configured with a forwarding policy, a checking operation is performed on the response packet.
According to an embodiment of the present disclosure, for example, the checking operation may include performing a status check, a security policy check, or the like.
In operation S502, in case that the response packet check passes, a session corresponding to the response packet is created and the response packet is transmitted to the client.
In operation S503, in case the response packet check fails, packet loss processing is performed on the response packet (i.e., the packet is discarded).
According to an embodiment of the present disclosure, the method of sending the response packet to the second firewall is described below in terms of a TCP connection establishment procedure.
a) The first firewall receives the TCP response data packet and performs the following processing:
i. Detect whether a matching Session exists; if a matching Session exists, send the TCP response data packet directly to the client.
ii. If no matching Session exists, determine whether the TCP response data packet type is configured with a forwarding switch; if so, execute the next step b).
If the TCP response data packet type is not configured with a forwarding switch, process the packet according to the original packet processing method of the first firewall, for example performing the various checking operations; if the checks pass, create a new Session and forward the packet, and if they fail, discard the packet directly.
b) The first firewall forwards the response packet sync (req, ack) to the second firewall.
c) The second firewall receives the response data packet forwarded by the first firewall and performs the following processing:
i. Detect whether a matching Session exists; if none is matched, discard the packet directly.
ii. If a Session is matched, forward the response data packet to the client, ensuring that the TCP connection is established, and execute the next step iii.
iii. Because a response data packet has been received from the first firewall, the Session synchronization may have failed, so the second firewall initiates the Session synchronization process to the first firewall again. The first firewall then holds the Session for the TCP connection, and subsequent TCP response data packets sent by the server can be forwarded normally and quickly to the client.
Fig. 6 schematically shows a flow chart of a data transmission method applied to a data transmission system according to another embodiment of the present disclosure.
Referring to fig. 1, this embodiment describes the process in which the first firewall 101 handles a response packet returned from the server 103. The first firewall 101 and the second firewall 102 may serve as active firewalls for each other, and the method suits the situation in which the Session sync packet of the second firewall 102 may be lost or arrive too late, that is, the Session sync packet sent by the second firewall 102 to the first firewall 101 in step0 is lost or arrives too late.
As shown in fig. 6, the method includes operations S601 to S616.
In operation S601, the standby firewall (here the first firewall 101 acts as the standby firewall, referred to below simply as the standby firewall) receives the data packet (i.e., the response packet) returned by the server 103.
In operation S602, the standby firewall parses the five-tuple of the data packet, and searches for a matching Session. The quintuple may include an IP address of the client, an IP address of the server, a port address of the client, a port address of the server, and a transport protocol type.
In operation S603, the standby firewall determines whether a matching Session exists; if so, operation S612 is performed, and if not, operation S604 is performed.
In operation S604, the packet type of the packet is obtained, and the special processing configuration is searched.
In operation S605, it is determined whether packet forwarding needs to be performed: if the packet type has the processing switch configured, operation S607 is performed; if not, operation S613 is performed.
In operation S606, the standby firewall forwards the data packet to the main firewall (i.e., the second firewall 102, referred to below as the main firewall).
In operation S607, the main firewall parses the five-tuple of the packet and searches for a matching Session.
In operation S608, the main firewall determines whether a matching Session exists; if so, operation S609 is performed, and if not, operation S614 is performed.
In operation S609, the main firewall forwards the packet to the client.
In operation S610, the main firewall synchronizes the Session to the standby firewall again.
In operation S611, the standby firewall saves the synchronized Session.
In operation S612, the standby firewall has a Session matching the packet and forwards the packet directly to the client.
In operation S613, if no special processing switch is configured in the firewall for the packet's type, the packet undergoes the various checks applied to a normal packet and it is determined whether the checks pass; if they pass, operation S616 is performed, and if they fail, operation S615 is performed.
In operation S614, the standby firewall fails to check and discards the packet.
In operation S615, the standby firewall checks to pass, creates a new session, and forwards the packet.
In operation S616, if the main firewall has no Session matching the packet, the packet is discarded.
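As an added example, not code from the patent, the following Python model walks the a)-c) procedure and operations S601-S616 above, including the forwarding-switch branch of S402/S403 and the check branch of S501-S503. The Packet and Firewall classes, the five-tuple orientation, the constructed addresses and the lost-sync counter are all assumptions made for this illustration.

```python
"""Model of the two-firewall asymmetric return-path handling described above
(added example, not the patent's own code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Five-tuple oriented from the client side:
# (client ip, server ip, client port, server port, protocol)
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    from_server: bool  # True for a response packet returned by the server

    def five_tuple(self) -> FiveTuple:
        """Orient the five-tuple so a request and its response look up the same Session (S602)."""
        if self.from_server:
            return (self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


@dataclass
class Firewall:
    name: str
    peer: Optional["Firewall"] = None
    sessions: Set[FiveTuple] = field(default_factory=set)
    # Protocol types with the forwarding switch configured (S402); TCP on by default, per the text.
    forward_enabled: Set[str] = field(default_factory=lambda: {"tcp"})
    lost_syncs: int = 0  # constructed fault: how many Session sync packets to the peer are lost
    log: List[str] = field(default_factory=list)

    def sync_session(self, key: FiveTuple) -> bool:
        """Send a Session sync packet to the peer; returns False when the (simulated) sync is lost."""
        if self.lost_syncs > 0:
            self.lost_syncs -= 1
            self.log.append(f"{self.name}: session sync lost")
            return False
        if self.peer is not None:
            self.peer.sessions.add(key)  # S611: the peer saves the synchronised Session
        return True

    def handle_request(self, pkt: Packet) -> str:
        """Main-firewall path for a client request: create the Session and sync it (step0)."""
        key = pkt.five_tuple()
        self.sessions.add(key)
        self.sync_session(key)
        return "to_server"

    def handle_response(self, pkt: Packet,
                        check: Callable[[Packet], bool] = lambda p: True) -> str:
        """Standby-firewall path for a server response (S601-S606, S612-S615)."""
        key = pkt.five_tuple()
        if key in self.sessions:
            return "to_client"                      # S612: matching Session, forward directly
        if pkt.proto in self.forward_enabled and self.peer is not None:
            return self.peer.handle_forwarded(pkt)  # S606: hand the packet to the main firewall
        if check(pkt):                              # S613: state / security-policy checks
            self.sessions.add(key)
            return "to_client"                      # checks passed: new Session, forward
        return "dropped"                            # checks failed: packet loss processing

    def handle_forwarded(self, pkt: Packet) -> str:
        """Main-firewall path for a packet forwarded by the standby (S607-S610, S616)."""
        key = pkt.five_tuple()
        if key not in self.sessions:
            return "dropped"                        # S616: no Session on the main firewall either
        self.sync_session(key)                      # S610: sync the Session to the standby again
        return "to_client"                          # S609: forward to the client


def make_pair(lost_syncs: int = 0) -> Tuple[Firewall, Firewall]:
    """Build a main/standby pair; lost_syncs is the constructed number of sync packets to drop."""
    main, backup = Firewall("main"), Firewall("backup")
    main.peer, backup.peer = backup, main
    main.lost_syncs = lost_syncs
    return main, backup


def run_tcp_scenario(lost_syncs: int) -> Tuple[str, str, bool]:
    """Request goes through main, the response returns via backup (asymmetric path).
    Returns the verdicts for the first and second response packets and whether the
    backup ended up holding the Session."""
    main, backup = make_pair(lost_syncs)
    req = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "tcp", from_server=False)  # constructed
    resp = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "tcp", from_server=True)  # constructed
    main.handle_request(req)
    first = backup.handle_response(resp)
    second = backup.handle_response(resp)
    return first, second, resp.five_tuple() in backup.sessions


if __name__ == "__main__":
    print(run_tcp_scenario(lost_syncs=0))  # sync arrived: backup forwards directly
    print(run_tcp_scenario(lost_syncs=1))  # sync lost: main rescues the packet and re-syncs
```

Note that the forwarded path relies entirely on the main firewall's Session table; a response with no Session on either firewall is still discarded, which is the behaviour of S616.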
According to the embodiment of the disclosure, when the first firewall receives the response data packet from the server, it parses the response data packet, searches according to the parsed data for session data matching the response data packet, and, if no matching session data exists, sends the response data packet to the second firewall so that the second firewall processes it. Because the second firewall can decide, according to the session data it created, whether to forward the response data packet to the client, this at least partially solves the technical problem that, if the first firewall receives a data packet returned by the server while no session exists, the packet is likely to be lost instead of being forwarded to the client, so that the client has to initiate the connection establishment process again; the technical effect of improving data transmission efficiency is thereby achieved.
By sending the response data packet through the first firewall to the second firewall so that the second firewall can process it, zero packet loss is achieved for return packets that take a different path in an asymmetric firewall network, and applying this to asymmetric firewall network environments improves firewall reliability and practicality in asymmetric networks. The method can solve the technical problem that the Session synchronization packet sent by the second firewall to the first firewall is lost or arrives late, causing the response data packet to be lost, and is an effective supplement to the firewall's Session synchronization mechanism and to the transmission of return packets on a different path in an asymmetric network.
Fig. 7 schematically shows a block diagram of a data transmission apparatus applied to a first firewall according to an embodiment of the present disclosure.
As shown in fig. 7, the data transmission apparatus 700 applied to the first firewall includes a first receiving module 701, a parsing module 702, a searching module 703 and a first sending module 704.
The first receiving module 701 is configured to receive a response packet from a server under the condition that a request packet from a client is sent to the server through a second firewall, where the first firewall is a backup firewall of the second firewall.
The parsing module 702 is configured to parse the response data packet to obtain the analysis data.
The searching module 703 is configured to search whether session data matching the response packet exists according to the analysis data, so as to determine whether to send the response packet to the second firewall.
The first sending module 704 is configured to send the response packet to the second firewall so that the response packet is processed by the second firewall if there is no session data matching the response packet.
Fig. 8 schematically shows a block diagram of a data transmission apparatus applied to a second firewall according to an embodiment of the present disclosure.
As shown in fig. 8, the data transmission apparatus 800 applied to the second firewall includes a second sending module 801, a second receiving module 802, and a processing module 803.
The second sending module 801 is configured to send a request packet from the client to the server.
The second receiving module 802 is configured to receive a response packet from the first firewall, where the first firewall is a backup firewall of the second firewall, and the response packet is sent after the first firewall performs the following operations: receiving a response data packet from the server; parsing the response data packet to obtain analysis data; searching, according to the analysis data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and finding, according to the analysis data, that no session data matches the response data packet.
The processing module 803 is configured to process the response packet.
Through the embodiment of the disclosure, under the condition that the session data matched with the response data packet exists in the second firewall, the session data is sent to the first firewall, so that when the first firewall receives the response data packet again, the first firewall can directly match according to the received session data, and the response data packet does not need to be sent to the second firewall again for processing.
According to the embodiment of the disclosure, when the first firewall receives the response data packet from the server, it parses the response data packet, searches according to the parsed data for session data matching the response data packet, and, if no matching session data exists, sends the response data packet to the second firewall so that the second firewall processes it. Because the second firewall can decide, according to the session data it created, whether to forward the response data packet to the client, this at least partially solves the technical problem that, if the first firewall receives a data packet returned by the server while no session exists, the packet is likely to be lost instead of being forwarded to the client, so that the client has to initiate the connection establishment process again; the technical effect of improving data transmission efficiency is thereby achieved.
By sending the response data packet through the first firewall to the second firewall so that the second firewall can process it, zero packet loss is achieved for return packets that take a different path in an asymmetric firewall network, and applying this to asymmetric firewall network environments improves firewall reliability and practicality in asymmetric networks. The method can solve the technical problem that the Session synchronization packet sent by the second firewall to the first firewall is lost or arrives late, causing the response data packet to be lost, and is an effective supplement to the firewall's Session synchronization mechanism and to the transmission of return packets on a different path in an asymmetric network.
Any of the modules, or at least part of the functionality of any of them, according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules according to the embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging the circuit, or in any one of three implementations, or in any suitable combination of any of the software, hardware, and firmware. Alternatively, one or more of the modules according to embodiments of the present disclosure may be implemented at least partly as computer program modules which, when executed, may perform corresponding functions.
For example, any plurality of the first receiving module 701, the parsing module 702, the searching module 703 and the first sending module 704 may be combined and implemented in one module/unit/sub-unit, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the first receiving module 701, the parsing module 702, the searching module 703 and the first sending module 704 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of the three implementations of software, hardware and firmware, or by a suitable combination of any several of them. Alternatively, at least one of the first receiving module 701, the parsing module 702, the searching module 703 and the first sending module 704 may be at least partly implemented as a computer program module, which when executed may perform a corresponding function.
It should be noted that, the data transmission apparatus applied to the first firewall in the embodiment of the present disclosure corresponds to the data transmission method applied to the first firewall in the embodiment of the present disclosure, and the description of the data transmission apparatus applied to the first firewall specifically refers to the data transmission method applied to the first firewall, and the data transmission apparatus applied to the first firewall can implement all operations in the data transmission method applied to the first firewall, and is not described herein again.
It should be noted that, the data transmission apparatus applied to the second firewall in the embodiment of the present disclosure corresponds to the data transmission method applied to the second firewall in the embodiment of the present disclosure, and the description of the data transmission apparatus applied to the second firewall specifically refers to the data transmission method applied to the second firewall, and the data transmission apparatus applied to the second firewall can implement all operations in the data transmission method applied to the second firewall, which is not described herein again.
According to an embodiment of the present disclosure, there is also provided a firewall device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Fig. 9 schematically illustrates a block diagram of a firewall device adapted to implement the above-described method according to an embodiment of the present disclosure. The firewall device shown in fig. 9 is merely an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 9, the firewall device 900 according to the embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage section 908 into a Random Access Memory (RAM) 903. Processor 901 can include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or related chip sets and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 901 may also include on-board memory for caching purposes. The processor 901 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the firewall device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. The processor 901 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the programs may also be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Firewall device 900 may also include an input/output (I/O) interface 905, where input/output (I/O) interface 905 is also connected to bus 904, according to an embodiment of the disclosure. Firewall device 900 may also include one or more of the following components connected to I/O interface 905: an input portion 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. A drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as necessary, so that a computer program read out therefrom is mounted into the storage section 908 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 909, and/or installed from the removable medium 911. The computer program performs the above-described functions defined in the firewall device of the embodiment of the present disclosure when executed by the processor 901. According to an embodiment of the present disclosure, the above-described apparatuses, devices, modules, units, and the like may be realized by computer program modules.
The present disclosure also provides a readable storage medium, which may be contained in the device/apparatus/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The readable storage medium carries one or more programs which, when executed, implement a method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the readable storage medium may be a nonvolatile readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a readable storage medium may include the ROM 902 and/or the RAM 903 described above and/or one or more memories other than the ROM 902 and the RAM 903.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments of the present disclosure and/or the claims may be made without departing from the spirit and teachings of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the disclosure, and these alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. A data transmission method is applied to a first firewall, and comprises the following steps:
under the condition that a request data packet from a client is sent to a server through a second firewall, receiving a response data packet from the server, wherein the first firewall is a backup firewall of the second firewall;
analyzing the response data packet to obtain analyzed data;
searching whether session data matched with the response data packet exists according to the analysis data so as to determine whether to send the response data packet to the second firewall; and
sending the response data packet to the second firewall so that the response data packet is processed by the second firewall in the absence of session data matching the response data packet; wherein processing the response packet through the second firewall includes:
sending the response data packet to the client under the condition that the session data matched with the response data packet exists in the second firewall; and
sending the session data to the first firewall so that the first firewall can store the session data.
2. The method of claim 1, further comprising:
determining a protocol type of the response packet before sending the response packet to the second firewall in the absence of session data matching the response packet;
judging whether the protocol type of the response data packet is configured with a forwarding strategy or not; and
sending the response data packet to the second firewall in the case that the protocol type of the response data packet is configured with a forwarding policy.
3. The method of claim 2, further comprising:
under the condition that the protocol type of the response data packet does not configure a forwarding strategy, executing a checking operation on the response data packet;
under the condition that the response data packet check is passed, establishing a session corresponding to the response data packet, and sending the response data packet to the client; and
under the condition that the response data packet check is not passed, performing packet loss processing on the response data packet.
4. The method of claim 1, further comprising:
and in the case that the session data matched with the response data packet exists, sending the response data packet to the client.
5. The method of claim 1, wherein processing the response packet by the second firewall comprises:
judging whether the second firewall has session data matched with the response data packet or not; and
under the condition that the second firewall does not have session data matched with the response data packet, performing packet loss processing on the response data packet.
6. A data transmission method is applied to a second firewall, and comprises the following steps:
sending a request data packet from a client to a server;
receiving a response data packet from a first firewall, wherein the first firewall is a backup firewall of the second firewall, and the response data packet is sent after the first firewall performs the following operations:
receiving a response data packet from the server;
analyzing the response data packet to obtain analysis data;
searching whether session data matched with the response data packet exists according to the analysis data so as to determine whether to send the response data packet to the second firewall; and
finding, according to the analysis data, that no session data matches the response data packet, and sending the response data packet to the second firewall;
processing the response data packet; wherein processing the response packet comprises:
sending the response data packet to the client under the condition that the session data matched with the response data packet exists in the second firewall; and
and sending the session data to the first firewall so that the first firewall can store the session data.
7. The method of claim 6, wherein processing the response packet comprises:
judging whether the second firewall has session data matched with the response data packet or not;
under the condition that the second firewall does not have session data matched with the response data packet, performing packet loss processing on the response data packet.
8. A data transmission system comprises a first firewall and a second firewall, wherein the first firewall is a backup firewall of the second firewall, and the data transmission system comprises:
the first firewall is configured to perform:
under the condition that a request data packet from a client is sent to a server through the second firewall, a response data packet from the server is received;
analyzing the response data packet to obtain analyzed data;
searching whether session data matched with the response data packet exists according to the analysis data so as to determine whether to send the response data packet to the second firewall; and
sending the response packet to the second firewall in the absence of session data matching the response packet;
the second firewall is configured to perform:
sending a request data packet from a client to a server;
receiving a response packet from the first firewall; and
processing the response data packet, wherein the processing of the response data packet comprises: sending the response data packet to the client under the condition that the second firewall has session data matched with the response data packet; and sending the session data to the first firewall so that the first firewall can store the session data.
9. A firewall device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1 to 5 or the method of claim 6 or 7.
10. A readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 5 or the method of claim 6 or 7.
CN201911425660.3A 2019-12-31 2019-12-31 Data transmission method, data transmission system, firewall device and storage medium Active CN111181985B (en)


Publications (2)

Publication Number Publication Date
CN111181985A (en) 2020-05-19
CN111181985B (en) 2022-11-11 (granted)

Family

ID=70650797

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911425660.3A Active CN111181985B (en) 2019-12-31 2019-12-31 Data transmission method, data transmission system, firewall device and storage medium

Country Status (1)

Country Link
CN (1) CN111181985B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866245B (en) * 2021-01-18 2022-09-09 Industrial and Commercial Bank of China Ltd. Message routing method and device
CN113783872B (en) * 2021-09-09 2023-08-18 Hillstone Networks Co., Ltd. Firewall data processing method and device
CN113965347B (en) * 2021-09-09 2024-03-15 Hillstone Networks Co., Ltd. Firewall data processing method and device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101199187A (en) * 2004-07-23 2008-06-11 Citrix Systems, Inc. A method and systems for securing remote access to private networks

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7188365B2 (en) * 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
CN107241208B (en) * 2016-03-29 2020-02-21 华为技术有限公司 Message forwarding method, first switch and related system
CN107888500B (en) * 2017-11-03 2020-04-17 东软集团股份有限公司 Message forwarding method and device, storage medium and electronic equipment
US20190215306A1 (en) * 2018-01-11 2019-07-11 Nicira, Inc. Rule processing and enforcement for interleaved layer 4, layer 7 and verb based rulesets

Also Published As

Publication number Publication date
CN111181985A (en) 2020-05-19

Similar Documents

Publication Publication Date Title
CN111181985B (en) Data transmission method, data transmission system, firewall device and storage medium
US10791055B2 (en) Virtual dispersive networking systems and methods
US10567340B2 (en) Data center system
US10243781B1 (en) Detecting link faults in network paths that include link aggregation groups (LAGs)
US8239670B1 (en) Multi-aspect identifier in network protocol handshake
US7461290B1 (en) Dynamic mirroring of a network connection
US7107609B2 (en) Stateful packet forwarding in a firewall cluster
US9762508B2 (en) Relay optimization using software defined networking
EP3310026B1 (en) Method and system for use in restarting network service without packet loss and downtime
US8189488B2 (en) Failback to a primary communications adapter
KR20140035925A (en) Hitless switchover from active tcp application to standby tcp application
US11463345B2 (en) Monitoring BGP routes of a device in a network
US11509749B2 (en) Data processing method and apparatus, and computer
US8149842B2 (en) Automated discovery of network devices supporting particular transport layer protocols
CN116032594A (en) Method, device, equipment and medium for judging IPv6 network real source address verification
KR20130032396A (en) A method for routing and associated routing device and destination device
US8233385B1 (en) Preventing upper layer renegotiations by making PPP aware of layer one switchovers
US11929924B1 (en) Establishing forward and reverse segment routing (SR) tunnels for bidirectional forwarding detection (BFD) continuity checks
US11064032B1 (en) Application-aware routing in network address translation environments
US11909609B1 (en) Methods for managing insertion of metadata into a data stream to assist with analysis of network traffic and devices thereof
US20240146628A1 (en) Methods for managing insertion of metadata into a data stream to assist with analysis of network traffic and devices thereof
CN116319934A (en) Load sharing method and device based on RoCE session
CN114726797A (en) Accelerated transmission method, device, equipment, system and storage medium
EP2642714A1 (en) Data communication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Room 332, 3/F, Building 102, 28 Xinjiekouwai Street, Xicheng District, Beijing 100088
Applicant after: Qianxin Technology Group Co., Ltd.
Applicant after: Qianxin Wangshen Information Technology (Beijing) Co., Ltd.
Address before: Room 332, 3/F, Building 102, 28 Xinjiekouwai Street, Xicheng District, Beijing 100088
Applicant before: Qianxin Technology Group Co., Ltd.
Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
GR01 Patent grant