CN113965347A - Data processing method and device of firewall - Google Patents


Info

Publication number: CN113965347A
Authority: CN (China)
Prior art keywords: packet, control module, session control, firewall, reverse
Legal status: Granted
Application number: CN202111058369.4A
Other languages: Chinese (zh)
Other versions: CN113965347B (en)
Inventors: 鲍志军, 王镜清, 王海旭, 梁天怡, 陈白杨
Current Assignee: Hillstone Networks Co Ltd
Original Assignee: Hillstone Networks Co Ltd
Events: application filed by Hillstone Networks Co Ltd; priority to CN202111058369.4A; publication of CN113965347A; application granted; publication of CN113965347B; legal status: active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a data processing method and device for a firewall. The method comprises the following steps: receiving a first session control module sent by a first peer firewall, wherein the first session control module is used for forwarding the data packets of a data stream; installing the first session control module; receiving the reverse first packet of the data stream, wherein the reverse first packet is the first data packet of the data stream returned after processing by the server; and sending the reverse first packet to the client through the installed first session control module. The reverse first packet is generated by the server from the forward first packet, and the forward first packet is the first data packet of the data stream sent to the server. The invention solves the technical problem that a firewall in the related art cannot guarantee that the session control object arrives earlier than the reverse data of the data stream, so that the reverse data is mishandled and cannot be sent.

Description

Data processing method and device of firewall
Technical Field
The invention relates to the field of data security, and in particular to a data processing method and device for a firewall.
Background
Consider an HA (high availability, also called dual-machine hot standby) environment composed of two firewalls in which the traffic is asymmetric, i.e. the uplink and downlink packets of a data flow do not pass through the same firewall. Fig. 1 is a schematic diagram of data transmission in a firewall HA pair in the prior art. As shown in fig. 1, the uplink packet passes through the left firewall A and the downlink packet passes through the right firewall B. When the reverse first packet, i.e. the second packet of the flow (for example the SYN-ACK packet of a TCP connection), arrives at firewall B, the flow session (the data flow session control module) corresponding to this packet may not yet have been synchronized from the opposite firewall: the first packet of each data flow establishes a flow session on the local firewall, which is then immediately synchronized to the opposite firewall over the HA channel between the two firewalls. In that case the reverse first packet cannot find the correct flow session, causing the packet to match the wrong firewall policy (policy) or to be discarded.
In the related art, this problem is addressed by having the firewall delay the sending of the first packet: specifically, the flow (data flow) first packet is delayed by XXX milliseconds on the firewall, and the delay time can be configured. But it is often not possible to estimate accurately how long the delay should be. If the delay is too long, the latency of network packets increases and performance drops. If the delay is too short, the reverse first packet still reaches the opposite firewall before the session (session control module) synchronization message, and the scheme fails.
No effective solution to the above problems has yet been proposed.
Disclosure of Invention
The embodiments of the invention provide a firewall data processing method and device, which at least solve the technical problem that a firewall in the related art cannot guarantee that the session control object arrives earlier than the reverse data of a data stream, so that the reverse data is mishandled and cannot be sent.
According to one aspect of the embodiments of the present invention, there is provided a data processing method for a firewall, including: receiving a first session control module sent by a first peer firewall, wherein the first session control module is used for forwarding the data packets of a data stream; installing the first session control module; receiving a reverse first packet of the data stream, wherein the reverse first packet is the first data packet of the data stream after processing by a server; and sending the reverse first packet to a client through the installed first session control module. Here the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server from the forward first packet, and the forward first packet is the first data packet of the data stream sent to the server.
Optionally, receiving the first session control module sent by the first peer firewall includes: receiving the forward first packet of the data stream and the first session control module sent by the first peer firewall, wherein the forward first packet and the first session control module have been subjected to order-preserving processing; and installing the first session control module includes: installing the first session control module first, as required by the order-preserving processing, and, after the first session control module is installed, bouncing the forward first packet back to the first peer firewall.
Optionally, after receiving the first session control module sent by the first peer firewall, the method further includes: after the first session control module is installed, sending a completion message to the first peer firewall, wherein the completion message prompts the first peer firewall to send the cached forward first packet of the data stream.
Optionally, before sending the reverse first packet to the client through the installed first session control module, the method further includes: judging whether the first session control module has been installed; and, if installation of the first session control module is not yet complete, caching the reverse first packet and judging again after a preset time whether installation is complete, until the first session control module is installed.
Optionally, the first session control module corresponds to the data stream and is configured to send the packets of the data stream, where these packets include the forward first packet and the reverse first packet, and the first session control module includes all related session control modules of a multi-layer firewall.
According to another aspect of the embodiments of the present invention, there is also provided a data processing method for a firewall, including: receiving a forward first packet of a data stream sent by a client and installing a second session control module of the data stream, wherein the forward first packet is the first data packet of the data stream sent to a server, and the second session control module includes all related session control modules of a multi-layer firewall; and sending the second session control module to a second peer firewall, and sending the forward first packet to the server through the second session control module. After receiving the forward first packet, the server generates a reverse first packet from the forward first packet and sends it to the second peer firewall; the second peer firewall sends the reverse first packet to the client through its installed second session control module, which the second peer firewall installs according to the received second session control module; and the reverse first packet is the first data packet sent after the server processes the data stream.
Optionally, sending the second session control module to a second peer firewall and sending the forward first packet to the server through the second session control module includes: performing order-preserving processing on the forward first packet and the second session control module, so that the second session control module is installed on the second peer firewall first; sending the order-preserved forward first packet and second session control module to the second peer firewall; receiving the forward first packet bounced back by the second peer firewall, wherein the second peer firewall bounces the forward first packet back after the second session control module is installed; and sending the forward first packet to the server through the second session control module.
Optionally, sending the second session control module to a second peer firewall and sending the forward first packet to the server through the second session control module includes: caching the forward first packet; sending the second session control module to the second peer firewall; receiving a message from the second peer firewall that installation of the second session control module is complete; and, in response to the completion message, sending the cached forward first packet to the server through the second session control module.
According to another aspect of the embodiments of the present invention, there is also provided a data processing apparatus for a firewall, including: a first receiving module, configured to receive a first session control module sent by a first peer firewall, wherein the first session control module is used for forwarding the data packets of a data stream; an installation module, configured to install the first session control module; a second receiving module, configured to receive a reverse first packet of the data stream, wherein the reverse first packet is the first data packet of the data stream after processing by a server; and a first sending module, configured to send the reverse first packet to a client through the installed first session control module, wherein the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server from the forward first packet, and the forward first packet is the first data packet of the data stream sent to the server.
According to another aspect of the embodiments of the present invention, there is also provided a data processing apparatus for a firewall, including: a third receiving module, configured to receive a forward first packet of a data stream sent by a client and to install a second session control module of the data stream, wherein the forward first packet is the first data packet of the data stream sent to a server, and the second session control module includes all related session control modules of a multi-layer firewall; and a second sending module, configured to send the second session control module to a second peer firewall and to send the forward first packet to the server through the second session control module. After receiving the forward first packet, the server generates a reverse first packet from the forward first packet and sends it to the second peer firewall; the second peer firewall sends the reverse first packet to the client through its installed second session control module, which it installs according to the received second session control module; and the reverse first packet is the first data packet sent after the server processes the data stream.
According to another aspect of the embodiments of the present invention, there is also provided a processor configured to execute a program, where the program, when run, performs the firewall data processing method according to any one of the above descriptions.
According to another aspect of the embodiments of the present invention, there is also provided a computer storage medium that stores a program, where, when the program runs, the apparatus on which the computer storage medium is located is controlled to execute the firewall data processing method described in any one of the above.
In the embodiments of the invention, a first session control module sent by a first peer firewall is received, wherein the first session control module is used for forwarding the data packets of a data stream; the first session control module is installed; a reverse first packet of the data stream is received, wherein the reverse first packet is the first data packet of the data stream after processing by a server; and the reverse first packet is sent to the client through the installed first session control module. Here the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server from the forward first packet, and the forward first packet is the first data packet of the data stream sent to the server.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
Fig. 1 is a schematic diagram of data transmission of a firewall HA in the prior art;
Fig. 2 is a flowchart of a data processing method of a firewall according to an embodiment of the present invention;
Fig. 3 is a flowchart of another data processing method of a firewall according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of one manner of firewall data processing according to an embodiment of the invention;
Fig. 5 is a schematic diagram of another manner of firewall data processing according to an embodiment of the invention;
Fig. 6 is a schematic diagram of yet another manner of firewall data processing according to an embodiment of the invention;
Fig. 7 is a schematic diagram of a data processing apparatus of a firewall according to an embodiment of the invention;
Fig. 8 is a schematic diagram of a data processing apparatus of another firewall according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In accordance with an embodiment of the present invention, there is provided a method embodiment of a data processing method for a firewall, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer-executable instructions and that although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 2 is a flowchart of a data processing method of a firewall according to an embodiment of the present invention, as shown in fig. 2, the method includes the following steps:
step S202, receiving a first session control module sent by a first peer firewall, wherein the first session control module is used for forwarding the data packets of a data stream;
step S204, installing the first session control module;
step S206, receiving a reverse first packet of the data stream, wherein the reverse first packet is the first data packet of the data stream after processing by the server;
step S208, sending the reverse first packet to the client through the installed first session control module, wherein the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server from the forward first packet, and the forward first packet is the first data packet of the data stream sent to the server.
Through the above steps, a first session control module sent by a first peer firewall is received, wherein the first session control module is used for forwarding the data packets of the data stream; the first session control module is installed; a reverse first packet of the data stream is received, wherein the reverse first packet is the first data packet of the data stream after processing by the server; and the reverse first packet is sent to the client through the installed first session control module, where the reverse first packet is generated by the server from the forward first packet and the forward first packet is the first data packet of the data stream sent to the server. By ensuring that the first session control module is installed before the reverse first packet is received, the reverse first packet can be sent effectively and promptly, and the error that arises when a reverse first packet is received with no first session control module to forward it is avoided. This guarantees that the packets of the reverse data stream are sent, and so solves the technical problem that a firewall in the related art cannot ensure that the session control object arrives earlier than the reverse data of the data stream, causing the reverse data to be mishandled and not sent.
The above steps may be executed by the second peer firewall. The first peer firewall and the second peer firewall form an HA pair, as shown in fig. 1, where the first peer firewall is firewall A and the second peer firewall is firewall B: firewall A receives the forward data stream from the client and forwards it to the server, and firewall B forwards the reverse data stream from the server to the client, so the HA pair is operating in an asymmetric traffic mode. In this case the forward data flow passes through firewall A and the reverse data flow passes through firewall B, so when the reverse first packet arrives at firewall B, the first session control module corresponding to it may not yet have been synchronized from firewall A on the opposite side. The reverse first packet then cannot find the correct first session control module, and it matches the wrong firewall policy or is discarded.
In this embodiment, a first session control module sent by the first peer firewall is received, where the first session control module is configured to forward the data packets of the data stream, and the first session control module is installed. After the reverse first packet of the data stream is received, it is sent to the client through the installed first session control module; this ensures that the first session control module is installed first and only then forwards the reverse first packet to the client. The method and device thereby avoid the reverse first packet being processed before the first session control module is installed, and solve the technical problem that a firewall in the related art cannot ensure that the session control object arrives earlier than the reverse data of the data stream, so that the reverse data is mishandled and cannot be sent.
The reverse first packet is the first data packet of the data stream after processing by the server; the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client; the reverse first packet is generated by the server from the forward first packet; and the forward first packet is the first data packet of the data stream sent to the server. The first peer firewall forwards the data flow from the client to the server, i.e. the forward data flow, whose first data packet is the forward first packet. The second peer firewall forwards the data flow from the server to the client, i.e. the reverse data flow, whose first data packet is the reverse first packet.
In a specific implementation, the first peer firewall receives the forward first packet of a data stream sent by the client, creates the first session control module of the data stream, and sends the forward first packet to the server through the first session control module. After receiving the forward first packet, the server processes it, generates the reverse first packet and sends it to the second peer firewall. The second peer firewall must have installed the first session control module before it can send the reverse first packet to the client after receiving it.
In one embodiment, the first peer firewall sends the first session control module and the forward first packet to the second peer firewall after order-preserving processing, so that the second peer firewall bounces the forward first packet back to the first peer firewall once installation of the first session control module is complete. The first peer firewall then sends the bounced forward first packet to the server through the first session control module installed on itself. At this point the second peer firewall has completed installation of the first session control module before the forward first packet even reaches the server. After the forward first packet reaches the server, the server processes it, generates the reverse first packet and sends it to the second peer firewall; because the second peer firewall completed installation early, the reverse first packet is guaranteed to be sent to the client through the first session control module as soon as it is received.
Optionally, receiving the first session control module sent by the first peer firewall includes: receiving the forward first packet of the data stream and the first session control module sent by the first peer firewall, wherein the forward first packet and the first session control module have been subjected to order-preserving processing; and installing the first session control module includes: installing the first session control module first, as required by the order-preserving processing, and, after the first session control module is installed, bouncing the forward first packet back to the first peer firewall.
In one embodiment, after receiving the forward first packet, the first peer firewall installs the corresponding first session control module and caches the forward first packet. It sends the first session control module to the second peer firewall; the second peer firewall receives and installs it and, once installation is complete, sends a completion message to the first peer firewall to indicate that the first session control module on the second peer firewall is installed. After receiving the completion message, the first peer firewall sends the cached forward first packet to the server. Thus the second peer firewall has completed installation of the first session control module before the forward first packet reaches the server. After the forward first packet reaches the server, the server processes it to generate the reverse first packet, and by the time the reverse first packet is sent to the second peer firewall, installation of the first session control module there is complete, so the reverse first packet is sent to the client through the first session control module as soon as it is received.
Optionally, after receiving the first session control module sent by the first peer firewall, the method further includes: after the first session control module is installed, sending a completion message to the first peer firewall, wherein the completion message prompts the first peer firewall to send the cached forward first packet of the data stream.
In one embodiment, after receiving the forward first packet, the first peer firewall installs the corresponding first session control module and sends the forward first packet to the server through it. The first peer firewall then sends the first session control module to the second peer firewall, which receives and installs it. Sending the first session control module from the first peer firewall does not stop the sending of the forward first packet: the forward first packet may be forwarded to the server at the same time, and the server processes it normally, generates the reverse first packet and sends it to the second peer firewall. The second peer firewall therefore has not necessarily finished installing the first session control module when the reverse first packet arrives. So, after the reverse first packet reaches the second peer firewall, it is checked whether installation of the first session control module on the second peer firewall is complete, and only after installation is complete is the reverse first packet sent to the client through the first session control module. In this way the reverse first packet is sent to the client through the first session control module only after the first session control module has been installed on the peer firewall.
Optionally, before sending the reverse first packet to the client through the installed first session control module, the method further includes: judging whether the first session control module has been installed; and, if installation of the first session control module is not yet complete, caching the reverse first packet and judging again after a preset time whether installation is complete, until the first session control module is installed.
The first session control module corresponds to a data stream and is used for sending the packets of the data stream, where these packets include the forward first packet and the reverse first packet, and the first session control module includes all related session control modules of a multi-layer firewall.
The first session control module may be a flow session and may correspond to one data flow, where the data flow may also be referred to as a packet stream, the forward data flow as the uplink packets, and the reverse data flow as the downlink packets. Each data stream comprises a plurality of data packets. It should be noted that the firewall HA formed by the first peer firewall and the second peer firewall may include multiple firewalls, for example 2 to 7 firewalls. A multi-layer firewall may correspond to several different session control modules. After the first peer firewall receives the forward first packet, the session control modules of all the layers are installed as a unit and also sent as a unit, and the second peer firewall likewise installs them as a unit when installation succeeds. This guarantees that the session control modules needed by the different firewall layers are all installed successfully before the reverse first packet is sent, and the reverse first packet may carry data for the multi-layer firewall.
Fig. 3 is a flowchart of another firewall data processing method according to an embodiment of the present invention; as shown in Fig. 3, the method includes the following steps:
step S302: receiving a forward first packet of a data stream sent by a client, and installing a second session control module of the data stream, where the forward first packet is the first data packet that the data stream sends to a server, and the second session control module includes all related session control modules of a multilayer firewall;
step S304: sending the second session control module to a second peer firewall, and sending the forward first packet to the server through the second session control module;
where, after receiving the forward first packet, the server generates a reverse first packet from it and sends it to the second peer firewall; the second peer firewall sends the reverse first packet to the client through its installed second session control module, which it installed according to the received second session control module; and the reverse first packet is the first data packet sent after the server processes the data stream.
Through the above steps, a forward first packet of a data stream sent by the client is received and a second session control module of the data stream is installed, where the forward first packet is the first data packet that the data stream sends to the server and the second session control module includes all related session control modules of a multilayer firewall; the second session control module is sent to a second peer firewall, and the forward first packet is sent to the server through the second session control module. After the server receives the forward first packet, it generates a reverse first packet from it and sends it to the second peer firewall; the second peer firewall sends the reverse first packet to the client through its installed second session control module, which it installed according to the received second session control module; the reverse first packet is the first data packet sent after the server processes the data stream. Because the second session control module is guaranteed to be installed before the reverse first packet is received, the reverse first packet can be sent effectively and quickly, which guarantees the sending of the reverse data stream's packets. This solves the technical problem in the related art that a firewall cannot guarantee that the session control object exists before the reverse data of the data stream arrives, so that the reverse data is handled incorrectly and cannot be transmitted.
The execution body of the above steps may be a first peer firewall. The second session control module may be the same as the first session control module; the two are distinguished only because they appear in different methods, and their actual function and structure are similar or identical.
Optionally, sending the second session control module to the second peer firewall and sending the forward first packet to the server through the second session control module includes: performing order-preserving processing on the forward first packet and the second session control module, to ensure that the second session control module is installed in the second peer firewall first; sending the order-preserved forward first packet and second session control module to the second peer firewall; receiving the forward first packet bounced back by the second peer firewall, where the second peer firewall bounces the forward first packet back after the second session control module is installed; and sending the forward first packet to the server through the second session control module.
Optionally, sending the second session control module to the second peer firewall and sending the forward first packet to the server through the second session control module includes: caching the forward first packet; sending the second session control module to the second peer firewall; receiving a message from the second peer firewall that installation of the second session control module is complete; and, in response to the completion message, sending the cached forward first packet to the server through the second session control module.
It should be noted that the present application also provides an alternative implementation, the details of which are described below.
This embodiment provides a method for processing the first packet of an asymmetric flow in a firewall HA. In the existing approach, the firewall packs the forward first packet and the session synchronization message together, sends both to the peer firewall, and then has the first packet bounced back: the flow session synchronization message and the forward first packet of the flow are packaged together on the firewall and sent to the HA peer firewall; after the peer firewall completes installation of the flow session, it sends the forward first packet back to the local firewall, which then sends the packet out. In the scenario where a layer-2 firewall cannot determine the outgoing interface, the packet is flooded to every outgoing interface, a tentative session has to be established for each zone, and each tentative session has to be synchronized to the peer firewall. The forward first packet therefore has to be replicated into multiple copies, each of which is sent to the peer together with a tentative session synchronization message. When the number of zones is relatively large, the HA tunnel between the two firewalls, which is not wide to begin with, comes under greater traffic pressure, eventually degrading network performance.
The first improvement scheme is as follows:
On the firewall, a flow session synchronization message (the flow session includes all related tentative sessions of the layer-2 firewall) is sent to the HA peer firewall first, and then the forward first packet is sent to the HA peer firewall. The peer firewall performs message order-preserving processing: it first processes the flow session synchronization message and completes installation of the flow session, and then processes the forward first packet (by sending it back to the local firewall). The local firewall then sends the packet out.
Fig. 4 is a schematic diagram of one mode of firewall data processing according to an embodiment of the present invention; as shown in Fig. 4, the flow is described in detail:
Step 1: The flow's forward first packet arrives at firewall A.
Step 2: On firewall A, no flow session matches the forward first packet, so a new flow session is installed, so that the forward first packet can subsequently be sent to the server.
Step 3: Firewall A sends the order-preserved flow session synchronization message to firewall B (to be installed first);
Step 4: Firewall A sends the order-preserved forward first packet to firewall B (to be processed afterwards).
Step 5: Firewall B receives the session synchronization message and installs the flow session locally, according to the order-preserving processing.
Step 6: After installation of the flow session is complete, firewall B bounces the forward first packet back to firewall A, which is equivalent to informing firewall A that HA synchronization of this flow session has completed successfully.
Step 7: Firewall A sends out the forward first packet bounced back by firewall B through the flow session (to the server).
Step 8: The flow's reverse first packet arrives at firewall B.
Step 9: Since firewall B successfully installed the flow session at Step 5, the reverse first packet matches the flow session in firewall B and is forwarded normally (to the client).
The second improvement scheme is as follows:
The forward first packet is cached on the firewall; a flow session synchronization message (including the synchronization messages of all related tentative sessions of the layer-2 firewall) is then sent to the peer firewall; after the peer firewall completes installation of the flow session it informs the local firewall, and the local firewall then sends out the cached forward first packet.
Fig. 5 is a schematic diagram of another firewall data processing method according to an embodiment of the present invention; as shown in Fig. 5, the flow is described in detail:
Step 1: The flow's forward first packet arrives at firewall A.
Step 2: On firewall A, no flow session matches the forward first packet, so a new flow session is installed and the forward first packet is cached on that flow session (it is not sent out).
Step 3: Firewall A sends the flow session synchronization message to firewall B.
Step 4: Firewall B, upon receiving the session synchronization message, installs the flow session locally.
Step 5: Firewall B sends a flow session installation completion message to firewall A, which is equivalent to informing firewall A that HA synchronization of this flow session has completed successfully.
Step 6: Firewall A sends out the forward first packet cached in this flow session (to the server).
Step 7: The flow's reverse first packet arrives at firewall B.
Step 8: Since firewall B successfully installed the flow session at Step 4, the reverse first packet matches the flow session in firewall B and is forwarded normally (to the client).
The third improvement scheme is as follows:
When a reverse first packet reaches a firewall and no flow session matches it, the packet is cached for M milliseconds and matching against the flow session is then attempted again … …; if no flow session matches after N attempts, the packet goes through the original packet flow (policy lookup, creation of a new flow session … …). The purpose of the retry is to wait for the flow session synchronization message sent by the HA peer firewall to complete installation of the flow session.
To narrow the scope of influence and allow flexible control, the above M and N values may be configured per zone or per policy. For example: for zones or policies that carry no asymmetric traffic, this function is not configured (turned off).
M may also be configured as a non-fixed value (e.g., 2 ms between the first and second attempts, 3 ms between the second and third attempts … …).
Fig. 6 is a schematic diagram of another firewall data processing method according to an embodiment of the present invention; as shown in Fig. 6, the flow is described in detail as follows:
Step 1: The flow's forward first packet arrives at firewall A.
Step 2: On firewall A, no flow session matches the forward first packet, so a new flow session is installed. The forward first packet is not cached and is sent out directly (to the server).
Step 3: Firewall A sends the flow session synchronization message to firewall B.
Step 4: The flow's reverse first packet arrives at firewall B.
Step 5: When the reverse first packet reaches firewall B and no flow session matches it, the packet is cached for M milliseconds and matching against the flow session is then attempted again … …; if no flow session matches after N attempts, the packet goes through the original packet flow (policy lookup, creation of a new flow session … …). The purpose of the retry is to wait for the flow session synchronization message sent by the HA peer firewall to complete installation of the flow session.
Step 6: Firewall B receives the flow session synchronization message from Step 3 and installs the flow session locally.
Step 7: Since firewall B successfully installed this flow session at Step 6, the re-match attempted at Step 5 now succeeds. That is, the reverse first packet matches this flow session in firewall B and is forwarded out normally (to the client).
For an HA environment formed by two firewalls in which the flow is asymmetric, the two existing schemes can be improved using the flow session first packet processing schemes provided by the invention, so as to resolve the defects of the existing schemes.
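The retry-and-fallback behaviour of the third scheme (and the cache-then-recheck step of the first method), as an added discrete-event simulation that is not the patent's or Hillstone's code. It assumes a single zone named "untrust", a synchronization message reaching firewall B at 5 ms and the reverse first packet reaching it at 1 ms; the zone name, timings and flow endpoints are all constructed.

```python
import heapq
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class FlowKey:
    """Flow identity reduced to endpoints; ports/protocol omitted for brevity (constructed)."""
    src: str
    dst: str

    def reverse(self) -> "FlowKey":
        return FlowKey(self.dst, self.src)


@dataclass(frozen=True)
class RetryPolicy:
    """Per-zone (or per-policy) knobs from the third scheme: one M value per
    attempt, so N = len(delays_ms). An empty tuple means the function is off."""
    delays_ms: Tuple[int, ...] = ()


class Simulator:
    """Minimal discrete-event clock: events run in (time, insertion order)."""

    def __init__(self) -> None:
        self.now = 0
        self._seq = 0
        self._queue: List[Tuple[int, int, Callable[[], None]]] = []

    def at(self, t_ms: int, fn: Callable[[], None]) -> None:
        self._seq += 1
        heapq.heappush(self._queue, (t_ms, self._seq, fn))

    def run(self) -> None:
        while self._queue:
            self.now, _, fn = heapq.heappop(self._queue)
            fn()


class Firewall:
    def __init__(self, name: str, sim: Simulator, zone_policy: Dict[str, RetryPolicy]) -> None:
        self.name = name
        self.sim = sim
        self.zone_policy = zone_policy
        self.sessions: Dict[FlowKey, str] = {}  # key -> how the session was created
        self.events: List[str] = []
        self.outcome = ""  # how the reverse first packet was finally handled

    def _log(self, msg: str) -> None:
        self.events.append(f"{self.sim.now:>3}ms {self.name}: {msg}")

    def install_session(self, key: FlowKey, origin: str) -> None:
        """Install the flow session for both directions (from HA sync or locally)."""
        if key in self.sessions:
            # The failure mode the patent describes: a locally created session
            # now collides with the one the HA peer synchronised for the same flow.
            self._log(f"conflict: session already exists ({self.sessions[key]})")
            return
        self.sessions[key] = origin
        self.sessions[key.reverse()] = origin
        self._log(f"session {key.src}->{key.dst} installed ({origin})")

    def on_reverse_first_packet(self, key: FlowKey, zone: str, attempt: int = 0) -> None:
        """Third scheme, Step 5: match, else cache M ms and retry, up to N times."""
        origin = self.sessions.get(key)
        if origin is not None:
            self.outcome = origin
            self._log(f"reverse first packet matched ({origin}); forwarded to client")
            return
        delays = self.zone_policy.get(zone, RetryPolicy()).delays_ms
        if attempt < len(delays):
            m = delays[attempt]
            self._log(f"no session; cache {m}ms (attempt {attempt + 1} of {len(delays)})")
            self.sim.at(self.sim.now + m,
                        lambda: self.on_reverse_first_packet(key, zone, attempt + 1))
            return
        # Retries exhausted (or the function is off for this zone): fall back to
        # the original packet flow, i.e. policy lookup and a new local flow session.
        self.install_session(key, "local-policy-lookup")
        self.outcome = "local-policy-lookup"
        self._log("retries exhausted; went through original packet flow")


def run_scenario(delays_ms: Tuple[int, ...], sync_arrival_ms: int = 5,
                 reverse_arrival_ms: int = 1) -> Tuple[str, List[str]]:
    """Asymmetric path: the reverse first packet reaches firewall B before
    firewall A's flow session synchronisation message does (constructed timings)."""
    sim = Simulator()
    fw_b = Firewall("FW-B", sim, {"untrust": RetryPolicy(delays_ms)})
    flow = FlowKey("client", "server")
    sim.at(sync_arrival_ms, lambda: fw_b.install_session(flow, "ha-sync"))
    sim.at(reverse_arrival_ms, lambda: fw_b.on_reverse_first_packet(flow.reverse(), "untrust"))
    sim.run()
    return fw_b.outcome, fw_b.events


if __name__ == "__main__":
    for label, delays in (("function off", ()), ("M=1ms,N=2", (1, 1)), ("M=2ms,3ms", (2, 3))):
        outcome, events = run_scenario(delays)
        print(f"--- {label}: outcome={outcome}")
        print("\n".join(events))
```

With M and N too small the packet falls through to the original flow and the later synchronization message then collides with the locally created session; with a non-fixed M of 2 ms then 3 ms the third attempt lands after the synchronization message and matches the synced session.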
Fig. 7 is a schematic diagram of a firewall data processing apparatus according to an embodiment of the present invention. As shown in Fig. 7, according to another aspect of the embodiment of the present invention, there is also provided a firewall data processing apparatus including a first receiving module 72, an installation module 74, a second receiving module 76 and a first sending module 78, which are described in detail below.
The first receiving module 72 is configured to receive a first session control module sent by a first peer firewall, where the first session control module is used to send the data packets of a data stream; the installation module 74, connected to the first receiving module 72, is configured to install the first session control module; the second receiving module 76, connected to the installation module 74, is configured to receive a reverse first packet of the data stream, where the reverse first packet is the first data packet of the data stream after processing by the server; and the first sending module 78, connected to the second receiving module 76, is configured to send the reverse first packet to the client through the installed first session control module, where the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server according to the forward first packet, and the forward first packet is the first data packet when the data stream is sent to the server.
With this apparatus, the first session control module sent by the first peer firewall is received, where the first session control module is used to send the data packets of the data stream; the first session control module is installed; a reverse first packet of the data stream is received, where the reverse first packet is the first data packet of the data stream after processing by the server; and the reverse first packet is sent to the client through the installed first session control module, where the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server according to the forward first packet, and the forward first packet is the first data packet when the data stream is sent to the server.
Fig. 8 is a schematic diagram of another firewall data processing apparatus according to an embodiment of the present invention, and as shown in fig. 8, according to another aspect of the embodiment of the present invention, there is also provided a firewall data processing apparatus including: a third receiving module 82 and a second sending module 84, which will be described in detail below.
The third receiving module 82 is configured to receive a forward first packet of a data stream sent by a client and to install a second session control module of the data stream, where the forward first packet is the first data packet that the data stream sends to a server, and the second session control module includes all related session control modules of a multilayer firewall; the second sending module 84, connected to the third receiving module 82, is configured to send the second session control module to the second peer firewall and to send the forward first packet to the server through the second session control module; where, after receiving the forward first packet, the server generates a reverse first packet from it and sends it to the second peer firewall, the second peer firewall sends the reverse first packet to the client through its installed second session control module, which it installed according to the received second session control module, and the reverse first packet is the first data packet sent after the server processes the data stream.
With this apparatus, a forward first packet of a data stream sent by the client is received and a second session control module of the data stream is installed, where the forward first packet is the first data packet that the data stream sends to the server and the second session control module includes all related session control modules of a multilayer firewall; the second session control module is sent to a second peer firewall, and the forward first packet is sent to the server through the second session control module. After the server receives the forward first packet, it generates a reverse first packet from it and sends it to the second peer firewall; the second peer firewall sends the reverse first packet to the client through its installed second session control module, which it installed according to the received second session control module; the reverse first packet is the first data packet sent after the server processes the data stream. Because the second session control module is guaranteed to be installed before the reverse first packet is received, the reverse first packet can be sent effectively and quickly, which guarantees the sending of the reverse data stream's packets. This solves the technical problem in the related art that a firewall cannot guarantee that the session control object exists before the reverse data of the data stream arrives, so that the reverse data is handled incorrectly and cannot be transmitted.
According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a program, where the program executes a data processing method of a firewall in any one of the above.
According to another aspect of the embodiments of the present invention, there is also provided a computer storage medium, where the computer storage medium includes a stored program, and when the program runs, the apparatus where the computer storage medium is located is controlled to execute the data processing method of the firewall in any one of the above.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and these modifications and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (11)

1. A data processing method of a firewall is characterized by comprising the following steps:
receiving a first session control module sent by a first peer firewall, wherein the first session control module is used for sending a data packet of a data stream;
installing the first session control module;
receiving a reverse first packet of a data stream, wherein the reverse first packet is a first data packet of the data stream after being processed by a server;
and sending, through the installed first session control module, the reverse first packet to a client, wherein the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server according to the forward first packet, and the forward first packet is the first data packet when the data stream is sent to the server.
2. The method of claim 1,
wherein receiving the first session control module sent by the first peer firewall comprises: receiving the forward first packet of the data stream and the first session control module sent by the first peer firewall, wherein the forward first packet and the first session control module have been subjected to order-preserving processing;
and installing the first session control module comprises: installing the first session control module first, as required by the order-preserving processing; and, after the first session control module is installed, bouncing the forward first packet back to the first peer firewall.
3. The method of claim 1, further comprising, after receiving the first session control module sent by the first peer firewall:
after the first session control module is installed, sending a completion message to the first peer firewall, wherein the completion message is used to prompt the first peer firewall to send the cached forward first packet of the data stream.
4. The method of claim 1, wherein before the installed first session control module sends the reverse first packet to the client, the method further comprises:
judging whether installation of the first session control module is complete;
and, if installation of the first session control module is not complete, caching the reverse first packet and judging again after a preset time whether installation is complete, until the first session control module is completely installed.
5. The method according to any one of claims 1 to 4, wherein the first session control module corresponds to the data stream and is configured to send the message data packets of the data stream, wherein the message data packets include the forward first packet and the reverse first packet, and the first session control module includes all related session control modules of a multilayer firewall.
6. A data processing method of a firewall is characterized by comprising the following steps:
receiving a forward first packet of a data stream sent by a client, and installing a second session control module of the data stream, wherein the forward first packet is a first data packet sent by the data stream to a server, and the second session control module comprises all related session control modules of a multilayer firewall;
sending the second session control module to a second opposite-end firewall, and sending the forward first packet to a server through the second session control module;
after receiving the forward first packet, the server generates a reverse first packet according to the forward first packet, and sends the reverse first packet to the second opposite-end firewall, the second opposite-end firewall sends the reverse first packet to the client through an installed second session control module, the second session control module is installed by the second opposite-end firewall according to the received second session control module, and the reverse first packet is a first data packet sent after the server processes the data stream.
7. The method of claim 6, wherein sending the second session control module to the second peer firewall and sending the forward first packet to the server through the second session control module comprises:
performing order-preserving processing on the forward first packet and the second session control module, to ensure that the second session control module is installed in the second peer firewall first;
sending the order-preserved forward first packet and second session control module to the second peer firewall;
receiving the forward first packet bounced back by the second peer firewall, wherein the second peer firewall bounces the forward first packet back after the second session control module is installed;
and sending the forward first packet to the server through the second session control module.
8. The method of claim 6, wherein sending the second session control module to the second peer firewall and sending the forward first packet to the server through the second session control module comprises:
caching the forward first packet;
sending the second session control module to the second peer firewall;
receiving a message from the second peer firewall that installation of the second session control module is complete;
and, in response to the completion message, sending the cached forward first packet to the server through the second session control module.
9. A firewall data processing apparatus, comprising:
the first receiving module is used for receiving a first session control module sent by a first peer firewall, wherein the first session control module is used for sending a data packet of a data stream;
the installation module is used for installing the first session control module;
a second receiving module, configured to receive a reverse first packet of a data stream, where the reverse first packet is a first data packet of the data stream after being processed by a server;
a first sending module, configured to send the reverse first packet to a client through the installed first session control module, wherein the forward first packet is sent to the server by the first peer firewall after it receives the forward first packet of the data stream from the client, the reverse first packet is generated by the server according to the forward first packet, and the forward first packet is the first data packet when the data stream is sent to the server.
10. A firewall data processing apparatus, comprising:
a third receiving module, configured to receive a forward first packet of a data stream sent by a client, and install a second session control module of the data stream, where the forward first packet is a first data packet sent by the data stream to a server, and the second session control module includes all related session control modules of a multi-layer firewall;
the second sending module is used for sending the second session control module to a second opposite-end firewall and sending the forward first packet to a server through the second session control module;
after receiving the forward first packet, the server generates a reverse first packet according to the forward first packet, and sends the reverse first packet to the second opposite-end firewall, the second opposite-end firewall sends the reverse first packet to the client through an installed second session control module, the second session control module is installed by the second opposite-end firewall according to the received second session control module, and the reverse first packet is a first data packet sent after the server processes the data stream.
11. A processor for executing a program, wherein the program when executed performs the data processing method of the firewall of any one of claims 1 to 5 or the data processing method of the firewall of any one of claims 6 to 8.
CN202111058369.4A 2021-09-09 2021-09-09 Firewall data processing method and device Active CN113965347B (en)
Publications (2)

Publication Number Publication Date
CN113965347A true CN113965347A (en) 2022-01-21
CN113965347B CN113965347B (en) 2024-03-15
CN108023968A (en) * 2017-12-21 2018-05-11 东软集团股份有限公司 A kind of session information synchronous method, device and equipment
CN111181985A (en) * 2019-12-31 2020-05-19 奇安信科技集团股份有限公司 Data transmission method, data transmission system, firewall device and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孔平;袁宝;刘宗杰;: "Research on firewall dual-machine hot standby based on dynamic information synchronization", China New Telecommunications, no. 03 *
赵开新;孙新领;: "Application of dual-machine hot standby technology in firewalls", Journal of Henan Mechanical and Electrical Engineering College, no. 02 *

Also Published As

Publication number Publication date
CN113965347B (en) 2024-03-15

Similar Documents

Publication Publication Date Title
CN110166356B (en) Method and network equipment for sending message
US10742488B2 (en) Detecting link faults in network paths that include link aggregation groups (LAGs)
US9491189B2 (en) Revival and redirection of blocked connections for intention inspection in computer networks
CN107547383B (en) Path detection method and device
US8239670B1 (en) Multi-aspect identifier in network protocol handshake
WO2017088326A1 (en) Tcp connection processing method, device and system
CN107395632B (en) SYN Flood protection method, device, cleaning equipment and medium
EP3089435B1 (en) Service processing method and network device
CN105634660B (en) Data packet detection method and system
EP3322148B1 (en) Apparatus, system, and method for protecting against denial of service attacks using one-time cookies
CN108667829B (en) Network attack protection method, device and storage medium
US20190068762A1 (en) Packet Parsing Method and Device
CN111181985B (en) Data transmission method, data transmission system, firewall device and storage medium
US10680930B2 (en) Method and apparatus for communication in virtual network
WO2016154921A1 (en) Data transmission method and device for data service
CN113965347A (en) Data processing method and device of firewall
US20180167338A1 (en) Handling reflexive acls with virtual port-channel
CN110192378B (en) Apparatus and method for controlling use of non-optimal path
CN108965309B (en) Data transmission processing method, device, system and equipment
US9729574B2 (en) Seamless switchover for anti-replay connections in multiple network processor systems
CN106302456B (en) Session keeping method and device
CN113810398B (en) Attack protection method, device, equipment and storage medium
CN113783872B (en) Firewall data processing method and device
CN111200505B (en) Message processing method and device
KR20180099143A (en) Apparatus and method for recovering tcp-session

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant