CN100452790C - Method for implementing virtual fire wall teaching experiment to multi-user - Google Patents


Info

Publication number: CN100452790C (application number CNB200410016710XA; earlier publication CN1561058A)
Authority: CN (China)
Prior art keywords: rule, group, experiment, address, firewall
Legal status: Expired - Fee Related (terminated for non-payment of the annual fee)
Other languages: Chinese (zh)
Inventors: 杨树堂, 马进, 李建华, 陆松年, 鲁剑, 李铎锋
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University
Priority date / filing date: 2004-03-04, application filed by Shanghai Jiaotong University
Publication dates: CN1561058A on 2005-01-05; CN100452790C (grant) on 2009-01-14

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a method for implementing multi-user teaching experiments on a virtual firewall, for use in the field of network security technology. The invention adopts a method for converting firewall filtering rules into application proxy rules: one firewall is virtualized into a plurality of firewalls, which are allocated to the experiment groups. Each experiment group is allocated a different network segment and its own configuration files in advance. The firewall records each group's rule configuration during the experiment, intercepts the rules in each group's configuration file, carries out the necessary analysis and processing, and then writes the rules into the firewall core rule table, where they take effect. The firewall rules a group operates on from its browser are the rules in that group's configuration file. Each group independently configures policy, manages account information, performs log auditing and carries out experiments, and the experimental results are mutually independent. With the invention, firewall teaching experiments can be carried out by multiple users simultaneously without buying expensive commercial firewall products, so it has good prospects for adoption.

Description

Method for implementing a multi-user virtual-firewall teaching experiment
Technical field
The present invention relates to the field of network security technology, and specifically to a method for implementing multi-user teaching experiments on a virtual firewall.
Background technology
Firewall technology is one of the most widely deployed and most readily accepted network security defences and is the first gate of network security. Practice has shown that building a firewall system to protect an organisation's network is a convenient and efficient approach: a firewall isolates the trusted internal area from the dangerous outside, centrally manages and controls the network's security policy and information flow, hides the information, structure and operating state of the internal network from the outside as far as possible, and blocks uncertain, potentially destructive intrusions, thereby protecting the network.
Traditional user security measures are distributed: a separate firewall must be installed at each server network segment, which wastes resources, takes up a lot of rack space, is inflexible and is hard to manage and control centrally. Firewall products on the market are generally developed for the needs of production networks; they do not allow multiple users to modify the configuration at the same time and cannot keep a separate configuration for each user, so they are particularly unsuited to teaching experiments in firewall technology.
A search found that the well-known gigabit firewall Netscreen-1000, released by Netscreen in 2000, can provide up to 100 virtual firewalls, assigning each user a virtual system managed by that user; but because its technology is proprietary it is not convenient for verifying the function of internal modules or for carrying out flexible teaching experiments on firewall technology. Further searching found no published work identical or similar to the subject of the present invention.
Summary of the invention
The object of the invention is to overcome limitations of existing commercial firewall products such as high cost and proprietary technology by proposing a method for implementing multi-user virtual-firewall teaching experiments, so that multiple users can share one firewall and carry out firewall teaching experiments simultaneously and independently, with good flexibility and convenient centralized management and control.
The invention is realized by the following technical solution. A conversion method for firewall filtering rules and application proxy rules is adopted: one firewall is virtualized into many firewalls, which are assigned to the experiment groups. Each experiment group is allocated a different network segment and its own configuration files in advance, and the firewall records the group's rule configuration during the experiment. The rules in each group's configuration file are intercepted, given the necessary analysis and processing, and then written into the firewall core rule table, where they take effect. The firewall rules a group operates on from its browser are the rules in that group's configuration file; from the group's point of view all of its rules are in effect, and the firewall core rule table is invisible to it. Each group configures policy, manages account information, performs log auditing and carries out experiments separately, and the experimental results are mutually independent. A virtual-firewall teaching experiment system designed on this method resolves the contradiction between network security problems that grow more serious by the day, the continuing development of technologies such as firewalls, and the lack of corresponding teaching experiments in the practical part of courses.
The method is further defined as follows:
When an experiment group logs in, the firewall records the group's IP address and netmask and automatically generates the group's default filter rule list and application proxy rule list configuration files. When the group modifies a rule, the result is stored in the group's corresponding configuration file; the rules of the configuration file take effect only after conversion and writing into the firewall core rule table.
Suppose the group's address is IP1/MASK1 and the source or destination address in a rule is IP2/MASK2, where IP1 and IP2 are in binary and MASK1 and MASK2 are prefix lengths. The source and destination addresses of each rule are converted according to the group's subnet address as follows:
1. If MASK1 is 0, there is only one group; the group's rules are simply the firewall's rules, and the remaining steps are skipped.
2. If MASK2 is 0, IP1/MASK1 is used directly as the source or destination address of the rule, and the remaining steps are skipped.
3. Define MAX = max(MASK1, MASK2) and MIN = min(MASK1, MASK2).
4. XOR the high MIN bits of IP1 and IP2; if any bit of the result is 1, the intersection of IP1/MASK1 and IP2/MASK2 is empty.
5. If the XOR in step 4 is 0, take whichever of the two prefixes has MASK = MAX as the source or destination address of the rule.
These rules are then merged and written into the firewall core rule table. The firewall rules a group operates on from its browser are the rules in its configuration file; from the group's point of view all of its rules are in effect and it is operating an independent firewall host, while the firewall core rule table is invisible to it. This is precisely the characteristic of a virtual firewall system.
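The five conversion steps above, worked through as an added Python example; this is not code from the patent or from the Shanghai Jiaotong University system. Addresses are 32-bit integers and masks are prefix lengths, as the text defines them; `parse_prefix`, `confine` and `convert_rules` are names chosen here. Two points the text leaves open are handled as assumptions: the patent does not say what happens to a rule whose intersection with the group's subnet is empty in step 4, so this example drops the rule instead of writing it to the core rule table (writing it unchanged would let one group's rule reach addresses outside its own segment); and it does not say which of a rule's two addresses is the one on the group's side, so that is a parameter.

```python
"""Conversion of a rule address IP2/MASK2 to an experiment group's subnet
IP1/MASK1, following the five steps in the summary of the invention.
Addresses are 32-bit integers and masks are prefix lengths, as in the text."""

from typing import Iterable, List, Optional, Tuple

Prefix = Tuple[int, int]          # (32-bit address, prefix length)
Rule = Tuple[str, str, str]       # (source, destination, action)


def parse_prefix(text: str) -> Prefix:
    """'192.168.1.0/24' -> (0xC0A80100, 24); a bare address is taken as /32."""
    addr, _, plen = text.partition("/")
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    ip = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = int(plen) if plen else 32
    if not 0 <= mask <= 32:
        raise ValueError(f"bad prefix length: {plen}")
    return ip, mask


def format_prefix(p: Prefix) -> str:
    ip, mask = p
    return ".".join(str((ip >> s) & 0xFF) for s in (24, 16, 8, 0)) + f"/{mask}"


def confine(group: Prefix, rule_addr: Prefix) -> Optional[Prefix]:
    """Steps 1-5 of the patent. Returns the prefix the core rule table gets, or
    None when the two prefixes do not intersect (step 4), so the caller can drop
    the rule instead of writing one that reaches outside the group's segment
    (dropping is this example's choice; the text does not specify it)."""
    ip1, mask1 = group
    ip2, mask2 = rule_addr
    if mask1 == 0:                      # step 1: one group owns the whole firewall
        return rule_addr
    if mask2 == 0:                      # step 2: "any" collapses to the group subnet
        return group
    mx, mn = max(mask1, mask2), min(mask1, mask2)     # step 3
    high = (0xFFFFFFFF << (32 - mn)) & 0xFFFFFFFF      # mask selecting the top MIN bits
    if (ip1 ^ ip2) & high:              # step 4: the prefixes diverge within MIN bits
        return None
    return group if mask1 == mx else rule_addr         # step 5: the longer prefix wins


def convert_rules(group: str, rules: Iterable[Rule], group_side: str = "src") -> List[Rule]:
    """Convert one group's (src, dst, action) rules: the address on the group's
    side (a parameter here, since the text does not fix it) is confined, rules
    with no intersection are dropped, the rest are ready for the core rule table."""
    if group_side not in ("src", "dst"):
        raise ValueError(group_side)
    g = parse_prefix(group)
    out: List[Rule] = []
    for src, dst, action in rules:
        fields = {"src": src, "dst": dst}
        confined = confine(g, parse_prefix(fields[group_side]))
        if confined is None:
            continue
        fields[group_side] = format_prefix(confined)
        out.append((fields["src"], fields["dst"], action))
    return out


if __name__ == "__main__":
    # constructed rules for the group 192.168.1.0/24: an "any" source, a more
    # specific subnet inside the group, and a source entirely outside the group
    demo = [("0.0.0.0/0", "10.1.0.0/16", "ACCEPT"),
            ("192.168.1.64/26", "0.0.0.0/0", "ACCEPT"),
            ("172.16.0.0/12", "0.0.0.0/0", "DROP")]
    for r in convert_rules("192.168.1.0/24", demo):
        print(*r)
```

Step 4 is just a prefix comparison over the shorter of the two prefix lengths, so two prefixes intersect exactly when one contains the other, and step 5 then picks the contained (longer) one. The isolation property this buys is worth spelling out: the groups own distinct segments and every rule of a group is confined to its own segment, so as long as the confined field is the same side for all rules of a given direction, rules from two groups can never match the same packet, and the order in which the merged core rule table interleaves the groups' rules does not matter even on a first-match engine such as IPTABLES.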
The effect of the invention is significant: a virtual-firewall multi-user teaching experiment system designed on this method fully supports the three main technologies of current firewalls, packet filtering, stateful inspection and application proxy, and its dedicated support for teaching experiments, which commercial firewalls lack, is well extensible. With the invention, multiple users can carry out firewall teaching experiments at the same time.
Description of drawings
Fig. 1 is a structural diagram of a teaching experiment system based on the invention.
Fig. 2 is the system preparation flow chart of a teaching experiment system based on the invention.
Fig. 3 is the workflow diagram of a teaching experiment system based on the invention.
Embodiment
The following embodiment illustrates the method with reference to the drawings. The virtual-firewall multi-user teaching experiment system developed on the method uses a browser/server (B/S) architecture and JSP. It supports the three main current firewall technologies, and the centralized management and execution of at least 100 virtual firewalls, so that each group of students can complete the same teaching experiment simultaneously on one firewall. The implementation is as follows:
1. The firewall host is an x86 machine with three network interface cards, configured with IP addresses on several different subnets, running SuSE Linux with the packet filtering software IPTABLES, the application proxy software TIS FWTK and the JSP server Jakarta Tomcat, with the independently developed server-side software of the virtual-firewall multi-user experiment system at its core. The server-side software reads the firewall's network configuration, including host name, number of network cards, system default gateway, DNS configuration, routing information, and the MAC address, IP address and subnet mask of each card; it supports remote modification of the network configuration from a browser; and it supports the NAT (network address translation) configuration needed for connections between the project groups.
2. The teacher logs in to set up the system and open the experiment modules, specifying the purpose, requirements, points to note and procedure of the experiment.
3. The students are divided into groups to carry out the experiment; they log in and see the teacher's requirements for it. The system uses the steps in the summary of the invention to convert each group's rules, so that each group uses the firewall independently to complete the experiment.
Suppose a client's IP address is 192.168.1.4; the server side of the firewall teaching experiment system extracts the network part, 192.168.1.
When a packet filtering rule is added, the system writes the rule into the configuration file according to the information submitted by the client. For example, when a firewall rule in the inside-to-outside direction is added, the system writes it into the configuration file 192.168.1.outin.fw, at the position determined by what the client submitted. The configuration files for the other three directions (outside to DMZ, inside to DMZ, and inside to inside) are 192.168.1.outdmz.fw, 192.168.1.indmz.fw and 192.168.1.inin.fw. The firewall system then analyses the .fw configuration file, reads out all its rules, processes each rule by the steps described in the summary of the invention, writes the result into the 192.168.1.outin.fw.chg file, and applies the rules in all configuration files ending in .chg to the operating system's firewall core rule table.
When packet filtering rules are displayed, the system reads the rules in all 192.168.1.*.fw files according to the client's network address (192.168.1) and shows the user the configured firewall rules in the table for each direction, in the order read from the file. This guarantees that the rules the client sees are the same as the rules it wrote, and also embodies the characteristic of the virtual firewall system.
When a packet filtering rule is deleted, the system deletes the rule with the selected sequence number from the 192.168.1.*.fw file, then deletes the corresponding rule in the .chg file, writes the rules in all .chg files into allrules again and reapplies them to the operating system's firewall core rule table. After successful completion the packet filtering rules are displayed again.
When all rules are deleted, the system clears the rules in all configuration files and at the same time empties the rules in the system's firewall core rule table.
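The add, display, delete and delete-all operations described above, modelled as an added Python example; this is not the patent's own code or the code of the system it describes. A dict stands in for the .fw and .fw.chg files, the core rule table is represented as IPTABLES-style lines, each group's subnet is taken as a /24 from the network part of the client address, the source address is the field confined to the group's subnet, and delete-all is scoped to the calling group; all of these, and the function names, are assumptions of the example. The intersection is computed with the standard ipaddress module rather than the bit-level steps of the summary.

```python
"""Per-group rule files and the shared core rule table, modelled after the
embodiment: <net>.<direction>.fw holds what a group wrote, <net>.<direction>.fw.chg
holds the converted rules, and the core table is rebuilt from every .chg file
after each change. Files, core table and rule syntax are constructed stand-ins."""

import ipaddress
from typing import Dict, List, Optional

DIRECTIONS = ("outin", "outdmz", "indmz", "inin")
GROUP_PREFIX_LEN = 24   # assumption: each group owns one /24, as in the 192.168.1.x example

files: Dict[str, List[str]] = {}   # constructed stand-in for the .fw / .fw.chg files
core_table: List[str] = []         # constructed stand-in for the firewall core rule table


def group_net(client_ip: str) -> str:
    """192.168.1.4 -> '192.168.1': the network part the server side extracts."""
    return ".".join(client_ip.split(".")[:3])


def confine(group: str, addr: str) -> Optional[str]:
    """Intersection of the group's subnet and a rule address: the group subnet for
    'any' (step 2), the longer prefix when they overlap (step 5), None otherwise."""
    if addr == "any":
        return group
    g = ipaddress.ip_network(group, strict=False)
    a = ipaddress.ip_network(addr, strict=False)
    if a.subnet_of(g):
        return str(a)
    return str(g) if g.subnet_of(a) else None


def _reconvert(net: str, direction: str) -> None:
    """Rewrite <net>.<direction>.fw.chg from the group's .fw file."""
    group = f"{net}.0/{GROUP_PREFIX_LEN}"
    converted = []
    for rule in files.get(f"{net}.{direction}.fw", []):
        src, dst, action = rule.split()
        csrc = confine(group, src)   # assumption: the source is the group-side address
        if csrc is None:
            continue                 # no overlap with the group: it never reaches the core table
        converted.append(f"{csrc} {dst} {action}")
    files[f"{net}.{direction}.fw.chg"] = converted


def _iptables_line(rule: str) -> str:
    """'src dst action' -> an IPTABLES-style line (assumed core table format)."""
    src, dst, action = rule.split()
    parts = ["-A", "FORWARD"]
    if src != "any":
        parts += ["-s", src]
    if dst != "any":
        parts += ["-d", dst]
    return " ".join(parts + ["-j", action])


def rebuild_core() -> List[str]:
    """Collect every .chg file (the 'allrules' step) and load it into the core table."""
    core_table.clear()
    for name in sorted(files):
        if name.endswith(".chg"):
            core_table.extend(_iptables_line(r) for r in files[name])
    return list(core_table)


def add_rule(client_ip: str, direction: str, rule: str, position: Optional[int] = None) -> List[str]:
    """Store a 'src dst action' rule in the group's .fw file at the chosen position."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction: {direction}")
    net = group_net(client_ip)
    fw = files.setdefault(f"{net}.{direction}.fw", [])
    fw.insert(len(fw) if position is None else position, rule)
    _reconvert(net, direction)
    return rebuild_core()


def show_rules(client_ip: str) -> Dict[str, List[str]]:
    """What the browser displays: only this group's own .fw files, per direction."""
    net = group_net(client_ip)
    return {d: list(files.get(f"{net}.{d}.fw", [])) for d in DIRECTIONS}


def delete_rule(client_ip: str, direction: str, number: int) -> List[str]:
    """Delete by the sequence number the group sees (1-based, within its own file)."""
    net = group_net(client_ip)
    fw = files[f"{net}.{direction}.fw"]
    if not 1 <= number <= len(fw):
        raise IndexError(f"rule {number} does not exist for group {net}")
    del fw[number - 1]
    _reconvert(net, direction)
    return rebuild_core()


def delete_all(client_ip: str) -> List[str]:
    """Clear every file of this group and rebuild the core table from the rest."""
    net = group_net(client_ip)
    for name in [n for n in files if n.startswith(net + ".")]:
        files[name] = []
    return rebuild_core()
```

The sequence number a group deletes by is an index into its own .fw file, never into the core table, so a group cannot address another group's rules even by mistake; and because the core table is always rebuilt from all .chg files rather than edited in place, a rule that was dropped at conversion time can never linger in the live table.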
4. When the experiment is finished, the system automatically saves the students' results and can generate the laboratory report automatically; the teacher can log in and check any student's results and report.
The system preparation flow is shown in Fig. 2. On the firewall server, configure the network and start network address translation, Apache and Tomcat in turn; on the DMZ server, configure the network and open the WEB and FTP services; on the client, configure the network and test the connections to the firewall, the outer network and the DMZ server.
The system workflow is shown in Fig. 3. On the client, open any browser, enter the firewall's IP address and log in. Before configuring rules, clear the firewall's other rules, run the tests and record the results. After understanding the experiment requirements, the user configures rules, makes them take effect, tests again and records the results; comparing the two sets of results before and after configuration conveys the relevant firewall technology. If the experiment is not finished, continue; otherwise save the results and log out.
The invention overcomes limitations of experimenting with existing commercial firewall products, such as poor flexibility and proprietary technology, and can be adjusted as required in different situations to satisfy different modes of teaching experiment, with good results.

Claims (3)

1. A method for implementing a multi-user virtual-firewall teaching experiment, characterized in that a conversion method for firewall filtering rules and application proxy rules is adopted, one firewall is virtualized into many firewalls which are assigned to the experiment groups, each experiment group is allocated a different network segment and configuration file in advance, the firewall records the group's rule configuration during the experiment, the rules in each group's configuration file are intercepted, given the necessary analysis and processing and then written into the firewall core rule table where they take effect, the firewall rules each group operates on from its browser are the rules in the group's corresponding configuration file, and each group independently configures policy, manages account information, performs log auditing and carries out experiments, with the experimental results mutually independent;
the necessary analysis and processing means converting the source and destination addresses of each rule according to the group's subnet address:
1. if the first prefix length MASK1 is 0, there is only one group, the group's rules are simply the firewall's rules, and the remaining steps are skipped;
2. if the second prefix length MASK2 is 0, the group address IP1/MASK1 is used directly as the source or destination address of the rule, and the remaining steps are skipped;
3. define MAX = max(MASK1, MASK2) and MIN = min(MASK1, MASK2);
4. XOR the high MIN bits of the first IP address IP1 and the second IP address IP2; if any bit of the result is 1, the intersection of the group address IP1/MASK1 and the source or destination address IP2/MASK2 of the rule in the group's configuration file is empty;
5. if the XOR in step 4 is 0, take whichever of the two prefixes has MASK = MAX as the source or destination address of the rule.
2. The method for implementing a multi-user virtual-firewall teaching experiment according to claim 1, characterized in that when each experiment group logs in the firewall records the group's IP address and netmask and automatically generates the group's default filter rule list and application proxy rule list configuration files; when the experiment group modifies a rule, the result is stored in the group's corresponding configuration file, and the rules of the configuration file take effect only after conversion and writing into the firewall core rule table.
3. The method for implementing a multi-user virtual-firewall teaching experiment according to claim 1, characterized in that the first IP address IP1 and the second IP address IP2 are represented in binary.
Priority Application (1)

Application Number: CNB200410016710XA
Priority Date: 2004-03-04
Filing Date: 2004-03-04
Title: Method for implementing virtual fire wall teaching experiment to multi-user
Status: Expired - Fee Related, granted as CN100452790C (en)

Publications (2)

Publication Number  Publication Date
CN1561058A (en)     2005-01-05
CN100452790C (en)   2009-01-14 (grant)

Family

ID: 34440602
Family applications (1): CNB200410016710XA, filed 2004-03-04, granted as CN100452790C (en), Expired - Fee Related
Country status (1): CN, CN100452790C (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100496038C (en) * 2005-11-03 2009-06-03 上海交通大学 Method for implementing experimental system of firewall under multiple user's remote concurrency control in large scale
CN1917445B (en) * 2006-09-07 2010-09-29 上海交通大学 Method for auditing log event of fire wall, and teaching experimental system
CN101355415B (en) * 2007-07-26 2010-12-01 万能 Method and system for implementing safety access public network of network terminal as well as special network access controller thereof
CN105991790A (en) * 2015-04-21 2016-10-05 杭州迪普科技有限公司 Virtual device policy configuration method and virtual device policy configuration device
CN107547504B (en) * 2017-06-16 2020-12-04 新华三信息安全技术有限公司 Intrusion prevention method and device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002094508A (en) * 2000-09-13 2002-03-29 Nippon Telegr & Teleph Corp <Ntt> Method and system for managing connection in inter- private-network communication
CN1435969A (en) * 2002-02-01 2003-08-13 联想(北京)有限公司 Method for implementing supporting virtual local network fire wall
CN1453700A (en) * 2002-04-26 2003-11-05 联想(北京)有限公司 Network method of safety management of firewall equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Virtual Firewalls White Paper. 2002 *


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 20090114

Termination date: 20200304