CN100499655C - Quick method for realizing authentication function of firewall - Google Patents

Quick method for realizing authentication function of firewall Download PDF

Info

Publication number
CN100499655C
Authority
CN
China
Prior art keywords
label
message
array
definition
concrete
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2005100419552A
Other languages
Chinese (zh)
Other versions
CN1697450A (en)
Inventor
张永斌
廖明涛
靳卫恒
向东
Current Assignee
Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Original Assignee
Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Priority date
Filing date
Publication date
Application filed by Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Priority to CNB2005100419552A
Publication of CN1697450A
Application granted
Publication of CN100499655C
Legal status: Expired - Fee Related
Anticipated expiration


Abstract

The invention overcomes the problem that, when a large number of users authenticate, the rules inside the firewall keep growing, system performance drops quickly and the overall performance of the users' network is eventually affected. The method comprises the steps of: (1) defining a label; (2) binding the label to role information; (3) setting the label; (4) processing based on the label. To speed up label setting, the disclosed technical scheme proposes a fast mapping algorithm which ensures that system performance does not drop noticeably when a large number of users authenticate, so that lookup speed does not decline markedly as the amount of data grows.

Description

A method for fast implementation of a firewall authentication function
Technical field:
The present invention relates to the field of firewall technology, and specifically to a method for fast implementation of a firewall authentication function.
Background technology:
A firewall mainly organizes its rules according to network-layer and transport-layer header information, i.e. rules are set according to IP addresses, ports and similar information. During processing, each forwarded IP packet must be matched against the rules in sequence and the corresponding action taken according to the match result. At present a small number of firewalls provide an authentication function; they typically implement it by dynamically adding ACL rules inside the firewall according to user authentication information. The problem with the prior art is therefore that, when a large number of users authenticate, the rules inside the firewall keep increasing, system performance drops quickly, and ultimately the overall performance of the user's network is affected.
Summary of the invention:
The purpose of this invention is to provide a method for fast implementation of a firewall authentication function, overcoming the prior-art problem that, when a large number of users authenticate, the rules inside the firewall keep increasing, system performance drops quickly and the overall performance of the user's network is eventually affected.
To overcome the problem in the prior art, the technical solution of the present invention is a method for fast implementation of a firewall authentication function comprising the following steps in order:
(1) Label definition:
A concrete label format is defined according to user attribute information (for example the user's authorization attributes, bandwidth attributes, etc.) so that the system can classify and process packets;
(2) Binding of label and role information:
According to the concrete user attribute information and the label definition format, a concrete label value is formed; on user authentication the concrete label is placed in the kernel, so that when a user's packet arrives the corresponding label can be fetched and the packet processed according to the concrete label value;
(3) Label setting:
According to the specific information of the network data packet, the label corresponding to the user's packet is fetched and placed in the packet buffer header, so that the subsequent functional modules of the system can process it.
(4) Processing based on the label:
After label setting of the data packet is complete, during forwarding the subsequent functional modules carry out the corresponding processing according to the label definition and the concrete label value.
In step (1) above, the label definition format may resemble the definition of a network packet header format: different fields define different meanings or functions, and different values of each field define different handling within the same function.
In step (3) above, a fast mapping algorithm is adopted, i.e. a correspondence between source IP address and label is established, and the label corresponding to each user's packet is fetched by its source IP address. This method is suited to data whose index range is wide but whose values are relatively dense and concentrated on a few segments; the lookup manages the data in segments through index arrays.
In step (3) above, the concrete steps of the fast mapping algorithm are: 1) after the secure access authentication platform receives the user's IP and tag, it checks whether the index array corresponding to this IP address exists; if it exists, the label tag is written at position IP - (IP & 0xFFFFFF00) of the array; if it does not exist, the kernel creates an array of length 256, writes the group address and the index's IP address range (IP & 0xFFFFFF00 to (IP & 0xFFFFFF00) + 255) into a specific linked list (list) in the kernel, and at the same time writes the tag into the corresponding position of the index array, i.e. into element IP - (IP & 0xFFFFFF00) of the array;
2) when a data packet is forwarded through the secure access authentication platform, the kernel searches the linked list list according to the packet's IP header information to find the corresponding index array, takes the label tag for this IP from position IP - (IP & 0xFFFFFF00) of the index array, and fills it into the header of the buffer carrying the IP packet for use by the subsequent functional modules.
Compared with the prior art, the advantages of the present invention are:
1. Fast firewall authentication: the present invention uses a label-based classification technique to organize the various rules inside the system. Its core is that, by binding user roles to labels, the user's access rights and access scope on the network are controlled. Each user's packet only needs to be matched against the rules corresponding to its own role rather than against all rules, which effectively overcomes the drawback of the firewall matching rules one by one in order, reduces the number of rule-matching entries and improves system performance. Its function is similar to that of an ordinary firewall supporting authentication, but by implementing the present invention the number of ACLs inside the system is effectively controlled, so that large-scale user authentication is supported. To improve the speed of label setting, the technical scheme further proposes the fast mapping algorithm, which ensures that system performance does not decline noticeably when a large number of users authenticate and prevents lookup speed from declining markedly as the amount of data grows.
The present invention can effectively reduce the number of rules in the system through the label classification technique, and at the same time effectively limit the number of rules each packet must be matched against.
2. Wide applicability: the present invention essentially proposes a specific implementation of a new rule organization model that can be used in many systems, such as firewalls, authentication and accounting systems, etc.
Embodiments:
The present invention is further described below through specific embodiments.
Embodiment 1: the present invention comprises the following steps in order:
(1) Label definition
The tag length is 4 bytes; for convenience of processing, each information field is one byte long, as shown in the table:
Extension information | ACL rule | Downlink bandwidth rule | Uplink bandwidth rule
1) Extension information:
One byte long, reserved mainly for later extension;
2) ACL rule:
One byte long, used mainly to control the user's access scope; corresponds to an ACL rule;
3) Downlink bandwidth rule:
One byte long, used mainly to control the user's downlink bandwidth; corresponds to a downlink bandwidth rule;
4) Uplink bandwidth rule:
One byte long, used mainly to control the user's uplink bandwidth; corresponds to an uplink bandwidth rule;
Since each information field is one byte long, each field can correspond to at most 256 rules, which in practice is sufficient to meet user demand.
(2) Establishing role-based ACL and bandwidth rules to bind labels to role information:
In practice a large number of users share the same characteristics, such as Internet access scope, bandwidth management mode, etc. According to these attributes, corresponding roles are defined for users, and the ACL and bandwidth rules corresponding to each role are established in the system and matched to each information field of the label, forming correspondence tables in the system kernel as shown below (* denotes an arbitrary value):
Label | ACL rule
0x**01**** | ACL1
0x**02**** | ACL2
Label | Downlink bandwidth rule
0x****01** | Inband1
0x****02** | Inband2
Label | Uplink bandwidth rule
0x******01 | Outband1
0x******02 | Outband2
(3) Setting the label on IP packets according to user information
After an IP packet enters the system, the system looks up the corresponding user authentication information by source IP address. If none is found, the user has not yet authenticated and the system notifies the user to authenticate. If it is found, the user's packet is classified quickly according to the user information and the corresponding label is set, so that the subsequent functional modules of the system can process it. The concrete steps are as follows:
1) After user authentication succeeds, the authentication server forms the corresponding label tag from the various information of the user's role. For example, if the user's role corresponds to ACL1, the downlink bandwidth rule is inband2 and the uplink bandwidth rule is outband3, the label tag formed by the authentication server is 0x00010203;
2) The authentication server returns the formed tag together with the user's IP address to the secure access authentication platform, which writes them into the system kernel. When the user's data packet enters the system, the system finds the corresponding label by source IP address and fills it into the header of the buffer carrying the IP packet for use by the subsequent functional modules.
(4) Performing the corresponding ACL and bandwidth management according to the label
After label setting of the IP packet is complete, during forwarding the packet passes in turn through the subsequent relevant functional modules, which perform the corresponding ACL and bandwidth processing according to the mapping tables established in step (2).
Embodiment 2: to implement fast label setting and further improve label lookup speed, a fast mapping method is adopted to optimize step (3); the concrete implementation steps are as follows:
1) After the secure access authentication platform receives the user's IP and tag, it checks whether the index array corresponding to this IP address exists; if it exists, the label tag is written at position IP - (IP & 0xFFFFFF00) of the array; if it does not exist, the kernel creates an array of length 256, writes the group address and the index's IP address range (IP & 0xFFFFFF00 to (IP & 0xFFFFFF00) + 255) into a specific linked list (list) in the kernel, and at the same time writes the tag into the corresponding position of the index array, i.e. into element IP - (IP & 0xFFFFFF00) of the array;
2) When a data packet is forwarded through the secure access authentication platform, the kernel searches the linked list list according to the packet's IP header information to find the corresponding index array, takes the label tag for this IP from position IP - (IP & 0xFFFFFF00) of the index array, and fills it into the header of the buffer carrying the IP packet for use by the subsequent functional modules.
The present invention essentially proposes a specific implementation of a new rule organization model that can be used in many systems, such as firewalls, authentication and accounting systems, etc.; further extensions and modifications made according to this model all fall within the scope of the rights of the present invention.
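The two-level structure of embodiment 2 (a kernel list of /24 blocks, each holding a 256-entry index array addressed by IP - (IP & 0xFFFFFF00)) together with the 4-byte tag layout of embodiment 1, as an added C example that is not the patent's own code. It assumes a user-space model of the kernel list (the names ip_block, bind_tag, lookup_tag and make_tag are assumptions), host-order 32-bit addresses, and that a tag value of 0 marks an address with no authenticated user, so the forwarding path can send that user to authentication as step (3) of embodiment 1 describes.

```c
#include <stdint.h>
#include <stdlib.h>

/* One /24 block of the patent's kernel "list": key is ip & 0xFFFFFF00,
   tags are indexed by ip - (ip & 0xFFFFFF00), i.e. the low byte.
   Assumption: tag 0 means "no authenticated user at this address". */
struct ip_block {
    uint32_t base;            /* ip & 0xFFFFFF00 */
    uint32_t tag[256];        /* one 4-byte label per host in the block */
    struct ip_block *next;
};

static struct ip_block *block_list = NULL;

static struct ip_block *find_block(uint32_t ip) {
    uint32_t base = ip & 0xFFFFFF00u;
    for (struct ip_block *b = block_list; b; b = b->next)
        if (b->base == base) return b;
    return NULL;
}

/* Step 1 of the fast mapping algorithm: on successful authentication the
   platform binds (ip, tag). The 256-entry array is created only on the
   first use of a /24 block. Returns 0 on success, -1 on allocation failure. */
int bind_tag(uint32_t ip, uint32_t tag) {
    struct ip_block *b = find_block(ip);
    if (!b) {
        b = calloc(1, sizeof *b);     /* zeroed: every host starts unauthenticated */
        if (!b) return -1;
        b->base = ip & 0xFFFFFF00u;
        b->next = block_list;
        block_list = b;
    }
    b->tag[ip & 0xFFu] = tag;         /* element ip - (ip & 0xFFFFFF00) */
    return 0;
}

/* Step 2: on forwarding, fetch the tag for the packet's source IP so it can be
   placed in the buffer header. Returns 0 when the address is unknown. */
uint32_t lookup_tag(uint32_t src_ip) {
    struct ip_block *b = find_block(src_ip);
    return b ? b->tag[src_ip & 0xFFu] : 0;
}

/* Tag layout from embodiment 1: [extension][ACL][downlink][uplink], one byte
   each, so ACL1 + inband2 + outband3 gives 0x00010203. */
uint32_t make_tag(uint8_t acl, uint8_t down, uint8_t up) {
    return ((uint32_t)acl << 16) | ((uint32_t)down << 8) | up;
}
uint8_t tag_acl(uint32_t tag)  { return (tag >> 16) & 0xFFu; }
uint8_t tag_down(uint32_t tag) { return (tag >> 8) & 0xFFu; }
uint8_t tag_up(uint32_t tag)   { return tag & 0xFFu; }

/* Helper: dotted quad to host-order 32-bit address. */
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}
```

Each lookup costs one walk of the block list plus one array index, regardless of how many users inside that block have authenticated, which is the property the patent relies on to keep lookup speed stable as user count grows.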

Claims (4)

1. A method for fast implementation of a firewall authentication function, characterized in that it comprises the following steps in order:
(1) Label definition:
A concrete label format is defined according to user attribute information so that the system can classify and process packets;
(2) Binding of label and role information:
According to the concrete user attribute information and the label definition format, a concrete label value is formed; on user authentication the concrete label is placed in the kernel, so that when a user's packet arrives the corresponding label can be fetched and the packet processed according to the concrete label value;
(3) Label setting:
According to the specific information of the network data packet, the label corresponding to the user's packet is fetched and placed in the packet buffer header, so that the subsequent functional modules of the system can process it;
(4) Processing based on the label:
After label setting of the data packet is complete, during forwarding the subsequent functional modules carry out the corresponding processing according to the label definition and the concrete label value.
2. The method for fast implementation of a firewall authentication function according to claim 1, characterized in that in step (1) the label definition format resembles the definition of a network packet header format: different fields define different meanings or functions, and different values of each field define different handling within the same function.
3. The method for fast implementation of a firewall authentication function according to claim 1 or 2, characterized in that a fast mapping algorithm is adopted in step (3), i.e. a correspondence between source IP address and label is established and the label corresponding to each user's packet is fetched by its source IP address.
4. The method for fast implementation of a firewall authentication function according to claim 3, characterized in that in step (3) the concrete steps of the fast mapping algorithm are:
1) After the secure access authentication platform receives the user's IP and tag, it checks whether the index array corresponding to this IP address exists; if it exists, the label tag is written at position IP - (IP & 0xFFFFFF00) of the array; if it does not exist, the kernel creates an array of length 256, writes the group address and the index's IP address range IP & 0xFFFFFF00 to (IP & 0xFFFFFF00) + 255 into a specific linked list list in the kernel, and at the same time writes the tag into the corresponding position of the index array, i.e. into element IP - (IP & 0xFFFFFF00) of the array;
2) When a data packet is forwarded through the secure access authentication platform, the kernel searches the linked list list according to the packet's IP header information to find the corresponding index array, takes the label tag for this IP from position IP - (IP & 0xFFFFFF00) of the index array, and fills it into the header of the buffer carrying the IP packet for use by the subsequent functional modules.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100419552A CN100499655C (en) 2005-04-14 2005-04-14 Quick method for realizing authentication function of firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100419552A CN100499655C (en) 2005-04-14 2005-04-14 Quick method for realizing authentication function of firewall

Publications (2)

Publication Number Publication Date
CN1697450A CN1697450A (en) 2005-11-16
CN100499655C true CN100499655C (en) 2009-06-10

Family

ID=35349971

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100419552A Expired - Fee Related CN100499655C (en) 2005-04-14 2005-04-14 Quick method for realizing authentication function of firewall

Country Status (1)

Country Link
CN (1) CN100499655C (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635701A (en) * 2008-07-21 2010-01-27 山石网科通信技术(北京)有限公司 Method for controlling safe access

Also Published As

Publication number Publication date
CN1697450A (en) 2005-11-16


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Quick method for realizing authentication function of firewall

Effective date of registration: 20170109

Granted publication date: 20090610

Pledgee: China Everbright Bank Xi'an branch

Pledgor: XI'AN JIAOTONG UNIVERSITY JUMP NETWORK TECHNOLOGY Co.,Ltd.

Registration number: 2017610000001

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20221214

Granted publication date: 20090610

Pledgee: China Everbright Bank Xi'an branch

Pledgor: XI'AN JIAOTONG UNIVERSITY JUMP NETWORK TECHNOLOGY Co.,Ltd.

Registration number: 2017610000001

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090610