CN100358280C - A network security appliance and realizing method thereof - Google Patents


Info

Publication number: CN100358280C
Application number: CNB031370993A (also cited as CN03137099A)
Authority: CN (China)
Prior art keywords: network, module, message, interface, security
Legal status: Expired - Lifetime
Other languages: Chinese (zh)
Other versions: CN1567808A (en)
Inventors: 韦卫, 高红, 程勇, 吕晓东, 宋斌, 宋春雨, 肖为剑, 刘春梅, 王刚
Current assignee: Lenovo Beijing Ltd
Original assignee: Lenovo Beijing Ltd
Events: application filed by Lenovo Beijing Ltd; priority to CNB031370993A (CN100358280C); priority to PCT/CN2004/000656 (WO2004112313A2); publication of CN1567808A; application granted; publication of CN100358280C; anticipated expiration; current legal status Expired - Lifetime


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention discloses a network security appliance comprising a network security processing module, which in turn comprises a network processor, a storage module and a network interface module connected by a high-speed bus. The appliance parses multiple layers of the network protocol stack and applies security processing to network data using the powerful chip-level microcode programmability of the network processor and its multiple microprocessors. The invention also discloses a method for implementing network security: the network security appliance is connected to a network device; it is configured from an administrator computer, which stores in the appliance the operating code of the network security processing module and the security policy for processing network packets; the appliance then parses the protocol of each network packet and applies security processing to it according to the security policy. Applying the invention guarantees line-speed processing in a broadband environment and allows the system to be upgraded conveniently at any time.

Description

Network security device and method for implementing the same
Technical field
The present invention relates to the field of network security technology, and in particular to a network security device and a method for implementing it.
Background technology
At present, network devices are generally fitted with network security equipment to protect information in transit; such equipment can perform information filtering, virus filtering, intrusion detection and similar functions. Existing network security equipment takes two forms:
The first is the software approach. Firewalls and similar equipment are designed with network security processing capabilities that are implemented in the operating system's network protocol stack software or in software running on top of the operating system. This design makes the security equipment slow at processing network packets, and on high-speed networks in particular the security equipment becomes the bottleneck of the network.
To improve processing speed, a second form appeared: the hardware approach. Here the security equipment implements the network protocol stack in an application-specific integrated circuit (ASIC) or a field programmable gate array (FPGA). Because ASIC and FPGA chips cannot be modified at will once they are in the security equipment, such equipment cannot be upgraded promptly in the face of new attack techniques and new network protocols.
Today many network devices use a network processor to optimize packet processing. A network processor is a processor specialized for handling packets: it delivers packets to the next node at the rate they arrive, that is, at line speed; furthermore, when new functions or new standards are required, the network processor can implement them through programming, satisfying a variety of network applications.
A network processor integrates multiple general-purpose CPUs or special-purpose processors and can parse multiple protocol layers simultaneously; through programming it can cooperate with application programs to carry out complex processing such as usage-based billing, load balancing and data management. The work of a network processor includes, for example, monitoring logins to identify users, inspecting login information and matching it against user files and billing policy tables, and finding keywords in payloads.
At present, as users place higher demands on network processors, special-purpose network processors such as higher-layer protocol processors, cryptographic protocol processors and information filtering processors have appeared. Through their powerful programmability, network processors shorten the development cycle of network devices; network devices will therefore adopt network processors on a large scale in the future, and network processor technology will see further major development.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a network security device that improves the processing speed of network packets and can be conveniently upgraded at any time.
Another object of the present invention is to provide a method for implementing network security that improves the processing speed of network packets and allows convenient system upgrades at any time.
According to one aspect of the above purpose, the present invention provides a network security device which comprises at least a network security processing module; the network security processing module comprises at least a network processor, a memory module and a network interface module;
the memory module and the network interface module are connected to the network processor by a high-speed bus;
the memory module stores configuration information including the security policy, the operating code of the network security processing module, network security processing module information, and the protocol and security-processing microcode software of the network processor chip;
the network processor receives external network packets, management commands and configuration information sent through the network interface module, performs protocol analysis on the network packets, applies security processing to them according to the security policy fetched from the memory module, and sends the processed network packets out through the network interface module; or, according to a management command, writes configuration information to the memory module; or, according to a management command, sends network security processing module information to the outside through the network interface module;
the network interface module connects the network processor with external equipment and receives and transmits information.
The network security module may further comprise a security co-processor module connected to the network processor by a high-speed cascade bus; the security co-processor module receives network packets sent by the network processor, performs protocol analysis and security processing on them, and returns the processed packets to the network processor.
The security co-processor module may comprise a cryptographic protocol processor, an upper-layer protocol parsing processor, an information filtering processor, a virus filtering processor and an intrusion detection processor, each connected to the network processor by the high-speed cascade bus.
The network interface module may comprise at least one of: a 100 Mbit Ethernet interface, a Gigabit Ethernet interface, an asynchronous transfer mode interface, a Synchronous Digital Hierarchy interface, a T1/E1 interface, or a wireless local area network 802.11 interface.
The security device may further comprise a control management module, which converts management commands and configuration information received from the outside into management commands and configuration information that the network processor can recognize and writes them into the memory module; the network processor operates according to the received commands, or sends the running status, events and log information of the security device to an external administrator computer.
The control management module may comprise at least a CPU, a memory and an interface circuit; the memory and the interface circuit are each connected to the CPU;
the CPU converts the management commands and configuration information received from the interface circuit into management commands and configuration information that the network processor can recognize and writes them into the memory module, and the network processor operates according to these commands;
the memory stores the control and management software;
the interface circuit is connected to the network security processing module and to the external computer respectively; it receives management commands and configuration information sent by the external computer and information returned by the network security processing module; it sends the converted management commands and configuration information to the network security processing module and forwards the information returned by the network security processing module to the external computer;
the network security processing module further comprises a control interface module, connected respectively to the network processor and to the interface circuit of the control management module, which receives the converted management commands and configuration information and returns network security processing module information to the control management module.
The security device may further comprise a power supply module that powers the device and a housing in which all modules of the security device are arranged.
The interface circuit may comprise a control interface circuit and a management interface circuit; the control interface circuit connects to the control interface module of the network security processing module, and the management interface circuit connects to the external computer.
The control management module may be a computer; the control interface circuit is a PCI interface, a Compact-PCI interface, a serial communication interface or an Ethernet interface; the management interface circuit is an Ethernet interface or a serial communication interface;
the control interface module is a PCI or Compact-PCI interface, a serial communication interface or an Ethernet interface.
According to another aspect of the above purpose, the present invention also provides a method for implementing network security, comprising the following steps:
1) connecting the above network security device to a network device;
2) configuring the network security device from an administrator computer, which stores in the network security device the operating code of the network security processing module and the security policy for processing network packets;
3) after the network security device receives a network packet from the network, performing protocol analysis on the packet and applying security processing to it according to the security policy;
4) the network security device forwarding the processed network packet to the network device.
Step 2) may comprise the following steps:
21) the network security device powers up and initializes, loading the network processor microcode software for network protocol processing and security processing, which is stored in the memory module, into the network processor;
22) the administrator computer configures the network security device through a browser interface, a GUI interface or a command line interface, sending it configuration information that includes the security policy for processing network packets and the operating code of the network security processing module;
23) the network security device stores the received configuration information in the memory module of the network security processing module.
Step 22) may further comprise: the network security device performs login authentication of the administrator computer, and only after the login authentication passes does the administrator computer configure the network security device.
The login authentication method may be: login authentication with a one-time password protocol or the Password Authentication Protocol; or with the IP security protocol; or with the Secure Sockets Layer protocol; or with the secure shell protocol.
Step 3) may comprise the following steps:
31) after the network security device receives a network packet, the network processor in the network security device performs layer-2 protocol parsing on the received packet, reads the policy for layer-2 security processing from the memory module and judges whether the packet satisfies the security policy; if it does, then according to the security policy it either proceeds to step 32) or forwards the packet; otherwise it discards the packet;
32) the network processor performs layer-3 (IP) protocol parsing on the packet, reads the policy for layer-3 security processing from the memory module and judges whether the packet satisfies the security policy; if it does, then according to the security policy it either proceeds to step 33) or forwards the packet; otherwise it discards the packet;
33) the network processor performs upper-layer protocol parsing on the packet, reads the relevant policy from the memory module and applies upper-layer security processing to the packet according to the security policy, namely information filtering, virus filtering or intrusion detection; legitimate packets are forwarded and illegal packets are discarded.
In step 31), judging whether the packet satisfies the security policy may be done according to the layer-2 network protocol rule table in the security policy; the contents of the rule table may include at least the media access control (MAC) address and the virtual local area network (VLAN) protocol.
In step 32), judging whether the packet satisfies the security policy may be done by comparing the contents of the packet against the address table, port numbers, protocol type or service protocol type in the security policy;
for a network address translation policy, network address translation is applied to the packet, which is then forwarded; for a virtual gateway policy, the packet is encrypted or decrypted and then forwarded; for a multiprotocol label switching policy, multiprotocol label switching is applied to the packet, which is then forwarded; if the packet is permitted to pass, step 33) follows or the packet is forwarded.
The information filtering may match the network packet against keywords stored in the memory module and discard the packet if they match.
The virus filtering may store virus code in the memory module as keywords, match the network packet against these keywords and discard the packet if they match; alternatively, the virus code may be reduced to a digest with a hash function and stored in a virus signature database in the memory module; a hash of each inspected network packet is then computed to produce a digest, which is compared against the virus signature database, and the packet is discarded if a match is found.
The intrusion detection may store an intrusion behaviour rule base in the memory module and match the message obtained by reassembling one or more inspected network packets against the rule base, discarding the packet if a match is found.
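The three-stage check of steps 31) to 33), together with the keyword, digest and reassembly-then-match filters just described, as an added Python example that is not code from the patent or from Lenovo. The policy tables, MAC and IP addresses, payloads, intrusion rule and the choice of SHA-256 as the hash function are constructed assumptions: the patent names the kinds of rule tables and the use of a hash function, not their contents. Frames are built with a helper that leaves checksums at zero, which is enough for parsing but would not pass a real host's stack.

```python
"""Layered packet inspection modelled on the patent's steps 31-33 (added example, not patent code)."""
from __future__ import annotations
import hashlib
import socket
import struct
from dataclasses import dataclass

# Constructed policy tables standing in for the rule tables held in the memory module
# (assumption: the patent names the kinds of tables, not their entries or the hash function).
POLICY = {
    "l2": {"allowed_src_macs": {bytes.fromhex("020000000001")}, "allowed_vlans": {10}},
    "l3": {"blocked_src": {"10.0.0.99"}, "allowed_protos": {6, 17}, "allowed_dst_ports": {80, 443},
           "nat": {"10.0.0.5": "203.0.113.5"}},                      # inside -> outside address
    "upper": {"keywords": [b"CONFIDENTIAL"],
              # the virus signature database holds a digest of the (constructed) virus code, not the code
              "virus_digests": {hashlib.sha256(b"CONSTRUCTED-MALWARE-SAMPLE").hexdigest()},
              "intrusion_rules": [b"GET /../../etc/passwd"]},
}

@dataclass
class Packet:
    src_mac: bytes = b""
    vlan: int | None = None
    ethertype: int = 0
    src_ip: str = ""
    dst_ip: str = ""
    proto: int = 0
    src_port: int = 0
    dst_port: int = 0
    payload: bytes = b""

def parse_l2(frame: bytes, pkt: Packet) -> int:
    """Step 31 parsing: Ethernet header with optional 802.1Q tag; returns the IP header offset."""
    _dst, pkt.src_mac, pkt.ethertype = struct.unpack_from("!6s6sH", frame, 0)
    off = 14
    if pkt.ethertype == 0x8100:                    # VLAN tag: TCI, then the real ethertype
        tci, pkt.ethertype = struct.unpack_from("!HH", frame, off)
        pkt.vlan, off = tci & 0x0FFF, off + 4
    return off

def parse_l3(frame: bytes, off: int, pkt: Packet) -> int:
    """Step 32 parsing: IPv4 header plus transport ports; returns the transport header offset."""
    ver_ihl, _, _, _, _, _, pkt.proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("only IPv4 is parsed in this example")
    pkt.src_ip, pkt.dst_ip = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    off += (ver_ihl & 0x0F) * 4
    pkt.src_port, pkt.dst_port = struct.unpack_from("!HH", frame, off)   # same place in TCP and UDP
    return off

def parse_upper(frame: bytes, off: int, pkt: Packet) -> None:
    """Step 33 parsing: skip the TCP (data offset) or UDP (8-byte) header to the application payload."""
    pkt.payload = frame[off + ((frame[off + 12] >> 4) * 4 if pkt.proto == 6 else 8):]

def inspect(frame: bytes, flows: dict) -> tuple[str, str]:
    """Apply the L2 -> L3 -> upper-layer checks to one frame and return (verdict, reason);
    `flows` accumulates payload per 5-tuple so intrusion rules see the reassembled message."""
    l2, l3, up, pkt = POLICY["l2"], POLICY["l3"], POLICY["upper"], Packet()
    off = parse_l2(frame, pkt)                                     # step 31: MAC / VLAN rule table
    if pkt.src_mac not in l2["allowed_src_macs"]:
        return "drop", "l2: source MAC not in rule table"
    if pkt.vlan is not None and pkt.vlan not in l2["allowed_vlans"]:
        return "drop", "l2: VLAN not in rule table"
    if pkt.ethertype != 0x0800:
        return "drop", "l2: non-IPv4 frame (default deny)"
    off = parse_l3(frame, off, pkt)                                # step 32: address/port/protocol tables
    if pkt.src_ip in l3["blocked_src"] or pkt.proto not in l3["allowed_protos"]:
        return "drop", "l3: address or protocol type rejected"
    if pkt.dst_port not in l3["allowed_dst_ports"]:
        return "drop", "l3: port number rejected"
    nat = pkt.src_ip in l3["nat"]                                  # NAT policy: translate, then go on
    pkt.src_ip = l3["nat"].get(pkt.src_ip, pkt.src_ip)
    parse_upper(frame, off, pkt)                                   # step 33: upper-layer filters
    if any(k in pkt.payload for k in up["keywords"]):
        return "drop", "upper: keyword filter matched"
    if hashlib.sha256(pkt.payload).hexdigest() in up["virus_digests"]:
        return "drop", "upper: virus digest matched"
    key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    flows[key] = flows.get(key, b"") + pkt.payload                  # reassembly (in-order arrival assumed)
    if any(rule in flows[key] for rule in up["intrusion_rules"]):
        flows.pop(key)
        return "drop", "upper: intrusion rule matched on reassembled message"
    return "forward", "policy satisfied" + (" (nat applied)" if nat else "")

def build_frame(src_mac: bytes, src_ip: str, dst_ip: str, dst_port: int, payload: bytes,
                vlan: int | None = None, proto: int = 6) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the demo (checksums left at zero)."""
    eth = bytes.fromhex("0200000000ff") + src_mac
    eth += (struct.pack("!HH", 0x8100, vlan) if vlan is not None else b"") + struct.pack("!H", 0x0800)
    if proto == 6:                      # 20-byte TCP header: data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:                               # 8-byte UDP header
        l4 = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload

if __name__ == "__main__":
    mac, flows = bytes.fromhex("020000000001"), {}
    for payload in (b"GET / HTTP/1.1\r\n", b"report: CONFIDENTIAL", b"GET /../../", b"etc/passwd"):
        print(payload, "->", inspect(build_frame(mac, "10.0.0.5", "198.51.100.1", 80, payload), flows))
```

Each stage stops at the first failing table, mirroring the "otherwise discard" branch of steps 31) and 32); the last two demo payloads show why the intrusion rule base is matched against the reassembled flow rather than each packet on its own, since neither fragment matches alone.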
It can be seen from the technical scheme of the present invention that, in this network security device and its implementation method, a network processor is placed in the network security device, and the multiple microprocessors, multi-layer protocol parsing and powerful chip-level programmability of the network processor chip are used to apply security processing to network data, guaranteeing line-speed processing in a broadband environment and allowing convenient system upgrades at any time.
Description of the drawings
Fig. 1 is a block diagram of the network security device in the first preferred embodiment of the present invention;
Fig. 2 is a schematic workflow diagram of the network security device of the embodiment shown in Fig. 1;
Fig. 3 is a block diagram of the network security device in the second preferred embodiment of the present invention;
Fig. 4 is a schematic workflow diagram of the network security device of the embodiment shown in Fig. 3;
Fig. 5 is a detailed flow diagram of step 407 shown in Fig. 4.
Embodiments
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to embodiments and the accompanying drawings.
The network security device of the present invention is mainly composed of a network security processing module containing a network processor; the protocol processing and powerful programmability of the network processor are used to perform protocol analysis and security processing on network packets. The network security device of the present invention may also add a control management module to relieve the workload of the network security processing module and improve processing speed; the implementation is versatile and flexible.
The network security device of the present invention has at least the following implementations:
1. the network security device comprises a network security processing module, or a network security processing module and a control management module; the device is built as a circuit board card installed directly in a computer or network device through a PCI or Compact-PCI interface;
2. the network security device comprises a network security processing module, or a network security processing module and a control management module, plus a power supply module that powers them; these modules are arranged in a housing to form a stand-alone network security appliance that connects to a computer or network device through an Ethernet interface;
3. the network security device comprises a network security processing module and a control management module; the control management module is realized by a computer, and the network security processing module is either built as a circuit board card installed in the control management module through a PCI or Compact-PCI interface, or built as a stand-alone peripheral connected to the control management module through a serial communication interface or an Ethernet interface.
Two preferred embodiments of the present invention are described below.
The network security device of the first preferred embodiment comprises only the network security processing module, built as a circuit board card installed directly in a computer or network device through a PCI or Compact-PCI interface.
Referring to Fig. 1, a block diagram of the network security device in the first preferred embodiment: the network security device comprises network security processing module 110. Network security processing module 110 is the core module of the network security device of the present invention and mainly performs fast and secure filtering of network protocols. It comprises network processor 111, memory module 112 and network interface module 113; memory module 112 and network interface module 113 are connected to network processor 111 by a high-speed cascade bus. Network interface module 113 is connected to network 130 and to network device 140, and may also be connected to administrator computer 120.
Memory module 112 stores configuration information including the security policy, the operating code of network security processing module 110, the information generated by network security processing module 110 during operation (referred to for short as network security processing module information), the network protocol and security-processing microcode software, security policy rules, and so on.
Network processor 111 contains multiple microprocessor engines and a CPU and performs seven-layer network protocol processing and security processing on network packets. Through network interface module 113 it receives the network packets sent by network 130 and the management commands and configuration information sent by administrator computer 120; it performs protocol analysis on the network packets, applies security processing to them according to the security policy fetched from memory module 112, and sends the processed packets to network device 140 through network interface module 113; or, according to a management command, writes configuration information to memory module 112; or, according to a management command, sends network security processing module 110 information to administrator computer 120 through network interface module 113.
Network interface module 113 connects network processor 111 with administrator computer 120, network 130 and network device 140, and receives and transmits information. In this embodiment network security processing module 110 is built as a circuit board card, network interface module 113 uses a PCI or Compact-PCI interface, and the network security device of this embodiment is installed in network device 140 through that interface. Network interface module 113 is the main component for receiving and forwarding packets; it is made up of several physical-layer chips and physical interfaces for various network protocols and, depending on the network equipment it connects to, may include a 100 Mbit Ethernet interface, a Gigabit Ethernet interface, an Asynchronous Transfer Mode (ATM) interface, a Synchronous Digital Hierarchy (SDH) interface, a T1/E1 interface or a wireless local area network 802.11 interface. The network security device of this embodiment may also connect to a remote administrator computer through these interfaces.
Network security processing module 110 of this embodiment also contains security co-processor module 114. When the security-processing algorithm is complex, as with VPN encryption, application-layer information filtering, virus detection and intrusion detection, network processor 111 passes the network packet to be processed to security co-processor module 114 over the high-speed cascade bus, and security co-processor module 114 executes the complex algorithm; this improves overall processing performance.
In this embodiment VPN encryption, application-layer information filtering, virus detection and intrusion detection are implemented by cryptographic protocol processor 115, information filtering processor 116, upper-layer protocol parsing processor 117, virus filtering processor 118 and intrusion detection processor 119 respectively; all five processors are connected to network processor 111 through the high-speed cascade bus.
Security co-processor module 114 can also be implemented in software by the CPU in network processor 111, but this increases the workload of network processor 111 and affects processing speed, so it is generally implemented in hardware by adding processors.
Referring to Fig. 2, a schematic workflow diagram of the network security device of the embodiment shown in Fig. 1, the flow comprises the following steps:
Step 201: after the security device powers up, network security processing module 110 starts, loads the network processor microcode software for network protocol processing and security processing, stored in the memory module, into the network processor, and completes hardware initialization.
Step 202: administrator computer 120 configures network security processing module 110 through a browser interface, a GUI interface or a command line interface; the configuration information includes the security policy for processing network packets, the operating code of the network security processing module, and so on.
Step 203: network security processing module 110 receives the above configuration information and stores it in memory module 112.
Step 204: after network security processing module 110 receives a network packet from network 130 through network interface module 113, network processor 111 performs protocol analysis on the packet, applies security processing to it according to the security policy in memory module 112, and sends the processed packet to network device 140.
The network security device of the second preferred embodiment comprises a network security processing module and a control management module. The control management module is realized by a computer; the network security processing module is built as a stand-alone peripheral connected to the control management module through a serial communication interface or an Ethernet interface, and connected through its network interface to the external network and to the network device respectively.
Referring to Fig. 3, a block diagram of the network security device in the second preferred embodiment: the network security device comprises network security processing module 330 and control management module 320.
Network security processing module 330 of this embodiment comprises control interface module 331, network processor 332, memory module 333, network interface module 340, and security co-processor module 334, which contains cryptographic protocol processor 335, information filtering processor 336, upper-layer protocol parsing processor 337, virus filtering processor 338 and intrusion detection processor 339. Network processor 332 is connected to each of the other modules. The operating principle of network security processing module 330 in this embodiment is essentially the same as that of network security processing module 110 in the embodiment shown in Fig. 1, except that some control and management functions are performed by control management module 320, which relieves the workload of network security processing module 330 and improves processing speed.
Network interface module 340 in this embodiment is connected to network 360 and to network device 350; it receives the network packets sent by network 360 and sends the processed packets to network device 350. Network interface module 340 may be identical to network interface module 113 in the embodiment shown in Fig. 1.
Control management module 320 comprises memory 321, CPU 322 and interface circuit 323, which in turn comprises management interface circuit 324 and control interface circuit 325; memory 321, management interface circuit 324 and control interface circuit 325 are each connected to CPU 322.
Control interface circuit 325 of control management module 320 is connected to control interface module 331 of network security processing module 330; management interface circuit 324 of control management module 320 is connected to administrator computer 310. Management interface circuit 324 may be an Ethernet interface. Because network security processing module 330 is a stand-alone peripheral in this embodiment, control interface circuit 325 may be a serial communication interface over short distances or an Ethernet interface over long distances. If network security processing module 330 is built as a circuit board card, control interface circuit 325 may be a PCI or Compact-PCI interface.
Control interface module 331 of network security processing module 330 may be a serial communication interface or an Ethernet interface in this embodiment. If network security processing module 330 is built as a circuit board card, control interface module 331 may be a PCI or Compact-PCI interface.
The CPU in control management module 320 converts the management commands and configuration information received from administrator computer 310 through management interface circuit 324 into management commands and configuration information that network processor 332 can recognize and writes them into memory module 333; network processor 332 operates according to these commands, or sends the running status, events and log information of the security device to administrator computer 310.
Memory 321 in control management module 320 stores the operating system and the control and management software.
Management interface circuit 324 receives the management commands and configuration information sent by administrator computer 310 and the information returned by network security processing module 330; it also sends the converted management commands and configuration information to network security processing module 330 and forwards the information returned by network security processing module 330 to administrator computer 310.
Security co-processor module 334 in this embodiment, besides being implementable in software by the CPU in network processor 332, can also be implemented in software by the CPU in control management module 320; but this likewise affects processing speed, so it is generally implemented in hardware by adding processors.
In the network security device of this embodiment, the control and management software in control management module 320 mainly controls security co-processor module 334 to perform protocol processing and security processing on network packets. The control and management software is made up of several service processes, including at least: an HTTP web service process, a process providing a remote command-line shell, a log collection and transmission process, and a network management SNMP (Simple Network Management Protocol) process. These service processes contain security authentication protocols that keep the connection confidential, such as the Secure Sockets Layer protocol SSL, the secure shell protocol SSH, the IP security protocol IPSEC (Internet Protocol Security), a one-time password protocol, or the Password Authentication Protocol PAP.
Referring to Fig. 4, which is a schematic diagram of the workflow of the network security appliance embodiment shown in Fig. 3, the flow comprises the following steps:
Step 401: after the security appliance is powered up, the CPU of the control management module 320 and its operating system start first, completing the initialization of their own hardware and loading the operating system; at the same time, the network security processing module 330 also starts and completes its hardware initialization. These two initialization processes include initializing the control interface circuit 325 of the control management module 320 and the control interface module 331 of the network security processing module 330; once initialization is complete, the connection between the two modules is established.
Step 402: after the operating system of the control management module 320 has started, it provides the interactive maintenance interface service processes for the administrator computer 310, starting the command-line service process, the HTTP service process and the configuration module software.
Step 403: the administrator computer 310 starts a browser, a command-line terminal or a GUI configuration management program and performs login authentication with the control management module 320. In this embodiment, login authentication can use a one-time password protocol or the Password Authentication Protocol (PAP); or, when configuring through the browser interface, the IP security protocol (IPsec); or, when configuring through the browser interface or the GUI interface, the Secure Socket Layer protocol (SSL); or, when configuring through the command-line interface, the Secure Shell protocol (SSH). After passing login authentication, the administrator computer 310 is logged in to the control management module 320.
Step 404: the administrator computer 310 sends configuration commands or management commands to the network security processing module 330 via the control management module 320, through the browser interface, the GUI interface or the command-line interface. A configuration command contains configuration information: the security policy for processing network packets, the operation code of the network security processing module 330, and so on.
Step 405: the control management module 320 receives the command from the administrator computer 310. If it is a security policy configuration command, go to step 406; if it is a management command, such as viewing logs or status monitoring, go to step 408, in which the corresponding information is read from the network security processing module 330 and sent to the administrator computer 310.
Step 406: the control management module 320 converts the configuration command into an internal command that the network security processing module 330 can recognize, and writes this command into the memory module 333 of the network security processing module 330.
Step 407: after the network security processing module 330 receives a network packet from the network 360 through the network interface module 340, the network processor performs protocol parsing on the packet and applies security processing to it according to the security policy in the memory module 333; the processed packet is sent to the network equipment 350.
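The command handling of steps 404 to 406 and 408, as an added software model that is not part of the patent: a security-policy configuration order is validated, converted into an internal rule record the network processor could consume, and written into a stand-in for memory module 333, while management orders read status and logs back. The textual order format, the rule fields and the class names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class MemoryModule:
    """Stand-in for memory module 333 (assumed layout): installed layer 3 rules,
    running status and the log that management orders read back."""
    l3_rules: list = field(default_factory=list)
    status: dict = field(default_factory=lambda: {"state": "running", "rules": 0})
    log: list = field(default_factory=list)


class PolicyError(ValueError):
    """Raised for any order the control module refuses to convert."""


_ACTIONS = {"permit", "deny", "nat", "vpn", "mpls"}
_PROTOS = {"tcp": 6, "udp": 17, "icmp": 1, "any": 0}


def to_internal_command(order: str) -> dict:
    """Step 406 conversion. Order format (assumed):
        policy l3 <action> <proto> <src-net|any> <dst-net|any> <dport|any>
    Every field is parsed and range-checked here, so a malformed order is
    rejected at the control module and never reaches the memory module."""
    parts = order.split()
    if len(parts) != 7 or parts[0] != "policy" or parts[1] != "l3":
        raise PolicyError(f"unrecognized order: {order!r}")
    _, _, action, proto, src, dst, port = parts
    if action not in _ACTIONS:
        raise PolicyError(f"unknown action {action!r}")
    if proto not in _PROTOS:
        raise PolicyError(f"unknown protocol {proto!r}")
    try:
        # strict=True rejects prefixes with host bits set (e.g. 10.0.0.5/24)
        src_net = None if src == "any" else ipaddress.ip_network(src, strict=True)
        dst_net = None if dst == "any" else ipaddress.ip_network(dst, strict=True)
    except ValueError as exc:
        raise PolicyError(f"bad address: {exc}") from exc
    if port == "any":
        dport = None
    else:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise PolicyError(f"bad port {port!r}")
        dport = int(port)
    return {"action": action, "proto": _PROTOS[proto],
            "src": src_net, "dst": dst_net, "dport": dport}


def handle_order(order: str, mem: MemoryModule) -> dict:
    """Step 405 dispatch: configuration orders go through step 406 (convert and
    write into memory); management orders go through step 408 (read back)."""
    if order.startswith("policy "):
        rule = to_internal_command(order)      # raises PolicyError if malformed
        mem.l3_rules.append(rule)
        mem.status["rules"] = len(mem.l3_rules)
        mem.log.append(f"policy installed: {order}")
        return {"ok": True, "written": rule}
    if order == "show log":
        return {"ok": True, "log": list(mem.log)}
    if order == "show status":
        return {"ok": True, "status": dict(mem.status)}
    mem.log.append(f"rejected order: {order}")
    return {"ok": False, "error": "unknown order"}
```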
In the present invention, using a network processor to perform protocol parsing and security processing of network packets is the core of this patent. The process is shown in Fig. 5, which is a detailed flow diagram of step 407 in Fig. 4. This flow is identical to step 204 in Fig. 2 and comprises the following steps:
Steps 501-503: the network processor invokes its layer 2 processor engine to perform layer 2 protocol parsing on the received packet, reads the policy for layer 2 protocol security processing from memory, and judges according to the layer 2 network protocol rule table in the security policy whether the packet complies with the security policy. If it complies, go to step 502 or forward the packet according to the security policy; otherwise, discard the packet. The contents of the rule table can include media access control (MAC) addresses, virtual local area network (VLAN) identifiers, etc.
Steps 504-506: the network processor invokes its layer 3 processor engine to perform layer 3 (IP) protocol parsing on the packet, reads the policy for layer 3 protocol security processing from memory, and judges whether the packet complies with the security policy by comparing the packet contents against the address table, port numbers, protocol types or service protocol types in the security policy. If the packet does not comply with the security policy, it is discarded; if the policy is network address translation (NAT), NAT processing is applied to the packet and it is then forwarded; if the policy allows it to pass, it is forwarded directly; if the policy is virtual private network (VPN), VPN encryption or VPN decryption is applied to the packet and it is then forwarded; if the policy is Multi-Protocol Label Switching (MPLS), MPLS processing is applied to the packet and it is then forwarded; if the packet is allowed to pass, go to step 503 or forward the packet.
Step 507: the security policy is read; if upper-layer or application-layer protocols such as URL, HTTP, SMTP, FTP, POP3, etc. are subject to information filtering, virus filtering or intrusion detection, the network processor invokes the corresponding processor engine or the security coprocessor module to process the upper-layer protocol; a legitimate packet is forwarded and an illegitimate packet is discarded. The information filtering method matches the network packet against the keywords stored in the memory module; if they match, the packet is discarded.
There are several virus filtering methods. For example, virus code can be stored in the memory module as a keyword and the packet matched against it; if they match, the packet is discarded. Alternatively, a digest of the virus code can be generated with a hash function and stored in a virus signature database in the memory module; a hash is computed over the packet under inspection to generate its digest, which is then compared with the virus signature database, and if they match, the packet is discarded.
The intrusion detection method stores an intrusion behaviour rule base in the memory module; the message obtained by reassembling one or more packets under inspection is matched against the rule base, and if it matches, the packet is discarded.
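The Fig. 5 pipeline of steps 501 to 507 (recited again in claims 14 to 19), as an added software model that is not the patent's microcode: a parsed packet record passes a layer 2 MAC/VLAN rule table, then a first-match layer 3 lookup yielding permit, NAT, VPN, MPLS or deny, then upper-layer keyword filtering, hash-based virus signatures and an intrusion rule base matched against the reassembled message rather than the single packet. The rule tables, signatures, packet layout and intrusion pattern are constructed for this example.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet record; fields are what the L2/L3 engines already parsed."""
    src_mac: str
    vlan: int
    src_ip: str
    dst_ip: str
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP
    dport: int
    payload: bytes = b""
    stream: str = ""    # flow identifier used for reassembly
    seq: int = 0        # position of this payload within the stream


# Security policy as it would sit in the memory module (constructed sample).
L2_RULE_TABLE = {"macs": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}, "vlans": {10, 20}}
L3_RULE_TABLE = [  # first match wins; None means "any"
    {"src": ipaddress.ip_network("10.0.0.0/24"), "proto": 6, "dport": 80, "action": "permit"},
    {"src": ipaddress.ip_network("10.0.0.0/24"), "proto": 6, "dport": 25, "action": "nat"},
    {"src": ipaddress.ip_network("192.168.1.0/24"), "proto": None, "dport": None, "action": "vpn"},
]
KEYWORDS = [b"confidential"]
# Virus signature base holds digests of known bodies, not the bodies themselves.
VIRUS_DIGESTS = {hashlib.sha256(b"constructed-virus-body-sample").hexdigest()}
# Intrusion rule base: a request line carrying directory traversal (constructed).
INTRUSION_RULES = [re.compile(rb"GET /[^ \r\n]*\.\./\.\./")]


def l2_check(pkt: Packet) -> bool:
    """Steps 501-503: the frame must come from a listed MAC on a permitted VLAN."""
    return pkt.src_mac in L2_RULE_TABLE["macs"] and pkt.vlan in L2_RULE_TABLE["vlans"]


def l3_lookup(pkt: Packet) -> str:
    """Steps 504-506: address/port/protocol lookup; no matching rule means deny."""
    src = ipaddress.ip_address(pkt.src_ip)
    for rule in L3_RULE_TABLE:
        if src not in rule["src"]:
            continue
        if rule["proto"] is not None and rule["proto"] != pkt.proto:
            continue
        if rule["dport"] is not None and rule["dport"] != pkt.dport:
            continue
        return rule["action"]
    return "deny"


class Reassembler:
    """Joins the payloads of a stream in sequence order for step 507's rule matching,
    so a pattern split across two packets is still seen whole."""
    def __init__(self):
        self.streams = defaultdict(dict)

    def add(self, pkt: Packet) -> bytes:
        segs = self.streams[pkt.stream]
        segs[pkt.seq] = pkt.payload
        return b"".join(segs[k] for k in sorted(segs))


def upper_layer_check(pkt: Packet, message: bytes) -> str:
    """Step 507: keyword filtering and hash-based virus filtering on the packet,
    intrusion rules on the reassembled message. Returns '' if legitimate."""
    if any(k in pkt.payload for k in KEYWORDS):
        return "keyword"
    if hashlib.sha256(pkt.payload).hexdigest() in VIRUS_DIGESTS:
        return "virus"
    if any(r.search(message) for r in INTRUSION_RULES):
        return "intrusion"
    return ""


def process(pkt: Packet, reasm: Reassembler) -> tuple:
    """Run the Fig. 5 pipeline. Returns (verdict, reason); verdict is one of
    'drop', 'forward', 'nat', 'vpn' or 'mpls' (the last three are then forwarded)."""
    if not l2_check(pkt):
        return ("drop", "l2")
    action = l3_lookup(pkt)
    if action == "deny":
        return ("drop", "l3")
    if action in ("nat", "vpn", "mpls"):
        return (action, "l3")
    reason = upper_layer_check(pkt, reasm.add(pkt))
    if reason:
        return ("drop", reason)
    return ("forward", "ok")
```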
In addition, in both embodiments above the administrator computer can send configuration commands and management commands to the network security appliance at any time, and the appliance is configured and managed according to them. A security policy configuration command is converted into an internal command that the network security processing module can recognize, and the configuration information in that command is written into the memory module of the network security processing module. For a management command, such as viewing logs or status monitoring, the corresponding information is read from the system and sent to the administrator computer. In this way, the administrator computer can not only manage the network security appliance but, more importantly, can achieve a rapid upgrade by reconfiguring it when new attack methods and new network protocols appear.
As can be seen from the two embodiments above, the network security appliance of the present invention and its implementation method place a network processor in the network security appliance and use the multi-layer protocol parsing and powerful programmability of the network processor to apply security processing to network data. This guarantees wire-speed processing in a broadband environment, allows the system to be upgraded easily at any time, and is applicable to a variety of network equipment such as firewalls, secure routers, security switches, intrusion detection devices, anti-virus gateways and VPN encryption gateways.

Claims (19)

1. A network security appliance, characterized in that: the security appliance comprises at least a network security processing module, and the network security processing module comprises at least a network processor, a memory module and a network interface module;
the memory module and the network interface module are connected to the network processor by a high-speed bus;
the memory module stores configuration information including the security policy, the operation code of the network security processing module, information about the network security processing module, and the protocol and security processing microcode software of the network processor chip;
the network processor receives external network packets, management commands and configuration information sent through the network interface module, performs protocol parsing on network packets, applies security processing to them according to the security policy retrieved from the memory module, and sends the processed packets out through the network interface module; or writes configuration information into the memory module according to a management command; or sends network security processing module information to the outside through the network interface module according to a management command;
the network interface module connects the network processor with external equipment, receiving and sending information.
2. The security appliance of claim 1, characterized in that: the network security module further comprises a security coprocessor module connected to the network processor by a high-speed cascade bus; the security coprocessor module receives network packets sent by the network processor, performs protocol parsing and security processing on them, and returns the processed packets to the network processor.
3. The security appliance of claim 2, characterized in that the security coprocessor module comprises: a cryptographic protocol processor, an upper-layer protocol parsing processor, an information filtering processor, a virus filtering processor and an intrusion detection processor, connected to the network processor by the high-speed cascade bus.
4. The security appliance of claim 1, characterized in that: the network interface module comprises at least: a 100 Mbit Ethernet interface, or a Gigabit Ethernet interface, or an Asynchronous Transfer Mode interface, or a Synchronous Digital Hierarchy interface, or a T1/E1 interface, or a wireless local area network 802.11 interface.
5. The security appliance of claim 1, characterized in that: the security appliance further comprises a control management module, which converts the management commands and configuration information received from the outside into management commands and configuration information that the network processor can recognize and writes them into the memory module; the network processor operates according to the received command, or sends the running status, events and log information of the security appliance to an external administrator computer.
6. The security appliance of claim 5, characterized in that: the control management module comprises at least a CPU, a memory and an interface circuit; the memory and the interface circuit are each connected to the CPU;
the CPU converts the management commands and configuration information received from the interface circuit into management commands and configuration information that the network processor can recognize and writes them into the memory module, and the network processor operates according to these commands;
the memory stores the control and management software;
the interface circuit is connected to the network security processing module and to an external computer respectively; it receives the management commands and configuration information sent by the external computer and the information returned by the network security processing module; it sends the converted management commands and configuration information to the network security processing module, and forwards the information returned by the network security processing module to the external computer;
the network security processing module further comprises a control interface module, connected to the network processor and to the interface circuit of the control management module respectively, which receives the converted management commands and configuration information and returns network security processing module information to the control management module.
7. The security appliance of claim 1 or claim 6, characterized in that: the security appliance further comprises a power supply module that powers the appliance and a housing, and each module of the security appliance is arranged in the housing.
8. The security appliance of claim 6, characterized in that: the interface circuit comprises a control interface circuit and a management interface circuit; the control interface circuit is connected to the control interface module of the network security processing module; the management interface circuit is connected to the external computer.
9. The security appliance of claim 8, characterized in that: the control management module is a computer, and the control interface circuit is a PCI interface, or a Compact-PCI interface, or a serial communication interface, or an Ethernet interface; the management interface circuit is an Ethernet interface or a serial communication interface;
the control interface module is a PCI or Compact-PCI interface, or a serial communication interface, or an Ethernet interface.
10. A network security implementation method, characterized in that the method comprises the following steps:
1) connecting the network security appliance of claim 1 to network equipment;
2) configuring the network security appliance from an administrator computer, so that the operation code of the network security processing module and the security policy for processing network packets are stored in the network security appliance;
3) after the network security appliance receives a network packet from the network, performing protocol parsing on the packet and applying security processing to it according to the security policy;
4) the network security appliance forwarding the processed packet to the network equipment.
11. The implementation method of claim 10, characterized in that step 2) comprises the following steps:
21) the network security appliance powers up and initializes, loading the network processor microcode software for network protocol processing and security processing, which is stored in the memory module, into the network processor;
22) the administrator computer configures the network security appliance through a browser interface, a GUI interface or a command-line interface, sending the configuration information, including the security policy for processing network packets and the operation code of the network security processing module, to the network security appliance;
23) the network security appliance stores the received configuration information in the memory module of the network security processing module.
12. The implementation method of claim 11, characterized in that step 22) further comprises: the network security appliance performs login authentication of the administrator computer, and after login authentication has passed, the administrator computer configures the network security appliance.
13. The implementation method of claim 12, characterized in that the login authentication method is: login authentication with a one-time password protocol or the Password Authentication Protocol; or with the IP security protocol; or with the Secure Socket Layer protocol; or with the Secure Shell protocol.
14. The implementation method of claim 10, characterized in that step 3) comprises the following steps:
31) after the network security appliance receives a network packet, the network processor in the appliance performs layer 2 protocol parsing on the received packet, reads the policy for layer 2 protocol security processing from the memory module, and judges whether the packet complies with the security policy; if it complies, go to step 32) or forward the packet according to the security policy; otherwise, discard the packet;
32) the network processor performs layer 3 (IP) protocol parsing on the packet, reads the policy for layer 3 protocol security processing from the memory module, and judges whether the packet complies with the security policy; if it complies, go to step 33) or forward the packet according to the security policy; otherwise, discard the packet;
33) the network processor performs upper-layer protocol parsing on the packet, reads the relevant policy from the memory module, and performs upper-layer protocol security processing on the packet according to the security policy, namely information filtering, virus filtering or intrusion detection, forwarding legitimate packets and discarding illegitimate packets.
15. The implementation method of claim 14, characterized in that: the judgement in step 31) of whether the packet complies with the security policy is made according to the layer 2 network protocol rule table in the security policy; the contents of the rule table comprise at least: media access control addresses and virtual local area network identifiers;
16. The implementation method of claim 14, characterized in that: the judgement in step 32) of whether the packet complies with the security policy is made by comparing the packet contents against the address table, port numbers, protocol types or service protocol types in the security policy;
for a network address translation policy, network address translation processing is applied to the packet and it is then forwarded; for a virtual private network policy, virtual private network encryption or decryption is applied to the packet and it is then forwarded; for a Multi-Protocol Label Switching policy, Multi-Protocol Label Switching processing is applied to the packet and it is then forwarded; if the packet is allowed to pass, go to step 33) or forward the packet.
17. The implementation method of claim 14, characterized in that: the information filtering matches the network packet against the keywords stored in the memory module, and discards the packet if they match.
18. The implementation method of claim 14, characterized in that: the virus filtering stores virus code in the memory module as a keyword and matches the packet against that keyword, discarding the packet if they match; or generates a digest of the virus code with a hash function and stores it in a virus signature database in the memory module, computes a hash over the packet under inspection to generate its digest, compares that digest with the virus signature database, and discards the packet if they match.
19. The implementation method of claim 14, characterized in that: the intrusion detection stores an intrusion behaviour rule base in the memory module; the message obtained by reassembling one or more packets under inspection is matched against the rule base, and the packet is discarded if it matches.
CNB031370993A 2003-06-18 2003-06-18 A network security appliance and realizing method thereof Expired - Lifetime CN100358280C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB031370993A CN100358280C (en) 2003-06-18 2003-06-18 A network security appliance and realizing method thereof
PCT/CN2004/000656 WO2004112313A2 (en) 2003-06-18 2004-06-18 A network security equipment and realize method


Publications (2)

Publication Number Publication Date
CN1567808A CN1567808A (en) 2005-01-19
CN100358280C true CN100358280C (en) 2007-12-26

Family

ID=33546184



Also Published As

Publication number Publication date
WO2004112313A3 (en) 2005-02-10
CN1567808A (en) 2005-01-19
WO2004112313A2 (en) 2004-12-23
WO2004112313A8 (en) 2005-03-17


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20071226