CN101827083A - Method and system for realizing unified threat management in heterogeneous network - Google Patents


Info

Publication number: CN101827083A
Authority: CN (China)
Prior art keywords: packet, protocol, utm, type, module
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN201010106979A
Other languages: Chinese (zh)
Other versions: CN101827083B (en)
Inventors: 柯宗贵, 柯宗庆
Current assignee: Bluedon Information Security Technologies Co Ltd (as listed by Google Patents)
Original assignee: Bluedon Information Security Technologies Co Ltd

Events:
  • Application filed by Bluedon Information Security Technologies Co Ltd
  • Priority to CN 201010106979 (CN101827083B)
  • Publication of CN101827083A
  • Application granted
  • Publication of CN101827083B
  • Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Communication Control (AREA)

Abstract

The invention discloses a method and a system for realizing unified threat management (UTM) in a heterogeneous network, relating to the field of network security and aiming to solve the problem that a single-device UTM protection mode cannot be realized in current heterogeneous networks. The method comprises the following steps: performing protocol matching identification on the data flowing into the UTM and determining the actual protocol type of each packet; diverting the packets according to their actual protocol types; filtering the diverted packets with the actual protocol type corresponding to each branch; and performing UTM proxying on the filtered packets and sending them out. The system comprises a protocol analysis module, a protocol diversion module, a filtering module and a UTM function module. Because the method and system provide a complete mechanism of analysis, diversion, filtering, protocol conversion, UTM proxying and protocol restoration, a single-device UTM protection mode for a heterogeneous network can be realized.

Description

Method and system for realizing UTM in a heterogeneous network
Technical field
The present invention relates to the field of network security, and in particular to a method and system for realizing UTM in a heterogeneous network.
Background technology
At present, most firewall devices on the market are based on the IPv4 protocol and cannot adapt automatically to new network protocols or to heterogeneous networks such as IPv6, MPLS and so on. As a result, such a firewall is not applicable in a multi-network environment: either a dedicated firewall for the new protocol must be used, or a routing translation scheme must be adopted that translates the new protocol into the IPv4 protocol the firewall can recognise. Examples are a dedicated UTM (Unified Threat Management) for a specialized protocol such as IPv6, or a dedicated routing device such as an IPv6 routing device placed in front of the UTM to perform IPv6-to-IPv4 protocol conversion.
Even where such dedicated equipment is deployed today, the problem of establishing a complete UTM protection mode for a compound (heterogeneous) network remains unsolved.
Summary of the invention
The invention provides a method and system for realizing UTM in a heterogeneous network, in order to solve the problem that a single-device UTM protection mode cannot be realized in current heterogeneous networks.
The method for realizing UTM in a heterogeneous network according to the present invention comprises the following steps. A protocol analysis step: perform protocol matching identification on the packets flowing into the UTM and determine the actual protocol type of each packet. A protocol diversion step: divert each packet according to its actual protocol type. A filtering step: filter the packets of each branch with the actual protocol type corresponding to that branch. A proxy step: perform UTM proxying on the filtered packets and send them out.
Further, where the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the following steps are included before the proxy step. A protocol conversion step: convert the protocol type of the packets filtered in that branch to a TCP/IP protocol. An indirect proxy step: hand the converted packets over to the UTM proxy of the corresponding protocol. And the following step is included after the proxy step. A protocol encapsulation step: re-encapsulate the packets in their original protocol type.
Alternatively, where the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the following steps are included before the proxy step. A protocol conversion step: convert the protocol type of the packets filtered in that branch to a TCP/IP protocol. A second filtering step: filter the converted packets once more with the converted protocol type. An indirect proxy step: hand the re-filtered packets over to the UTM proxy of the corresponding protocol. And the following step is included after the proxy step. A protocol encapsulation step: re-encapsulate the packets in their original protocol type.
In the above, the protocol conversion step further includes adding a label to the converted packets, and the protocol encapsulation step further includes recognising the label of the packets and determining the original protocol type from the information the label provides.
The system for realizing UTM in a heterogeneous network according to the present invention comprises: a protocol analysis module, used to perform protocol matching identification on incoming packets and determine the actual protocol type of each packet; a protocol diversion module, used to divert each packet according to its actual protocol type; a filtering module, used to filter the packets of each branch with the actual protocol type corresponding to that branch; and a UTM function module, used to proxy and forward the filtered packets.
Further, where the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the system also comprises the following modules: a protocol conversion module, used to convert the protocol type of the packets filtered in that branch to a TCP/IP protocol, hand the converted packets over to the UTM function module, and instruct the UTM function module to proxy them with the converted protocol type; and a protocol encapsulation module, used to re-encapsulate the packets in their original protocol type after proxying.
Alternatively, where the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the system also comprises the following modules: a protocol conversion module, used to convert the protocol type of the packets filtered in that branch to a TCP/IP protocol, hand the converted packets over to the filtering module and instruct the filtering module to filter them once more with the converted protocol type, then hand the re-filtered packets over to the UTM function module and instruct the UTM function module to proxy them with the converted protocol type; and a protocol encapsulation module, used to re-encapsulate the packets in their original protocol type after proxying.
In the above, the protocol conversion module adds a label to the converted packets, and the protocol encapsulation module recognises the label of the packets and determines the original protocol type from the information the label provides.
The system further comprises a protocol feature library, used to store the feature information of all protocol types, which serves as the basis for the protocol matching identification performed by the protocol analysis module.
The beneficial effects of the present invention are as follows:
Because the method and system of the present invention propose a complete set of analysis, diversion, filtering, protocol conversion, UTM proxying and protocol encapsulation mechanisms, a complete single-device UTM protection mode for a heterogeneous network can be realized.
Description of drawings
Fig. 1 is a flow chart of the method steps in embodiment 1 of the invention;
Fig. 2 is a schematic diagram of the system structure in embodiment 4 of the invention;
Fig. 3 is a modular principle flow chart of embodiment 5 of the invention;
Fig. 4 is a modular principle flow chart of embodiment 6 of the invention.
Embodiments
In order to adapt automatically to the demands of a compound network (one in which various protocols are mixed) without duplicated investment in protocol-specific UTMs or dedicated routing devices, the invention provides a method and system for realizing UTM in a heterogeneous network, described in detail below through several embodiments.
Embodiment 1. Referring to Fig. 1, the method for realizing UTM in a heterogeneous network in this embodiment of the invention comprises the following main steps:
S101: perform protocol matching identification on the packets flowing into the UTM, and determine the actual protocol type of each packet.
S102: divert each packet according to its actual protocol type.
S103: filter the packets of each branch with the actual protocol type corresponding to that branch.
S104: perform UTM proxying on the filtered packets, and send the packets out.
Embodiment 2. The method for realizing UTM in a heterogeneous network in this embodiment of the invention comprises the following main steps:
S201: perform protocol matching identification on the packets flowing into the UTM, and determine the actual protocol type of each packet.
Because the network protocols used in a compound (heterogeneous) network are not a single protocol but several protocols used simultaneously, the packets transmitted in a compound network are usually of various protocols, such as TCP/IP protocols (IPv4, IPv6) and non-TCP/IP protocols (IPX/SPX, NETBEUI, GRE and so on). The process by which this step determines the actual protocol type is, for example: a packet transmitted in the compound network is an IPv4 packet encapsulated in IPv6; after matching identification against the protocol feature information in the protocol feature library, the packet transmitted in the compound network is found to be actually an IPv4 packet that is merely encapsulated in IPv6, so the actual protocol type is determined to be the IPv4 protocol.
S202: divert each packet according to its actual protocol type.
The above IPv4 packet encapsulated in IPv6 is diverted to the IPv4 branch.
S203: filter the packets of each branch with the actual protocol type corresponding to that branch.
The above IPv4 packet encapsulated in IPv6 is filtered with the IPv4 protocol type; specifically, the outer header of the packet is removed (i.e. the IPv6 encapsulation is removed), yielding the actual IPv4 packet.
S204: perform UTM proxying on the filtered packets, and send the packets out.
The IPv4 packet obtained after filtering is proxied by the IPv4-type UTM, which implements functions such as IP proxy, HTTP proxy, POP3 proxy, SMTP proxy, SIP proxy and VPN, and the packet is thereby forwarded.
Realize the method for UTM in the heterogeneous network in embodiment 3, the embodiment of the invention, comprise following key step:
S301, the packet that flows into UTM is carried out the identification of agreement coupling, determine the actual agreements type of each packet.
Because in compound network (heterogeneous network), the procotol of using not is a single-protocol, but use various protocols simultaneously, therefore, the packet that transmits in compound network has various protocols usually, as ICP/IP protocol (IPv4, IPv6), non-ICP/IP protocol (IPX/SPX, NETBEUI, agreements such as GRE).The process of the determined actual agreements type of this step is for example: the packet F1 that compound network transmitted in the T1 time is the IPv4 packet that encapsulates in the IPv6 mode, process is discerned with the protocol characteristic information matches in the protocol characteristic storehouse, find the actual IPv4 of the being packet of packet F1 that compound network transmitted, just encapsulate, determine that then the actual agreements type is the IPv4 agreement in the IPv6 mode; The packet F2 that compound network transmitted in the T2 time is the GRE packet that encapsulates in the IPv4 mode, process is discerned with the protocol characteristic information matches in the protocol characteristic storehouse, find the actual GRE of the being packet of packet F2 (non-TCP/IP packet) that compound network transmitted, just encapsulate, determine that then the actual agreements type is non-ICP/IP protocol in the IPv4 mode; The packet F3 that compound network transmitted in the T3 time is the IPv6 packet that encapsulates in the IPv6 mode, process is discerned with the protocol characteristic information matches in the protocol characteristic storehouse, find the actual IPv6 of the being packet of packet F3 that compound network transmitted, determine that then the actual agreements type is the IPv6 agreement; The packet F4 that compound network transmitted in the T4 time is the GRE packet that encapsulates in the GRE mode, process is discerned with the protocol characteristic information matches in the protocol characteristic storehouse, find the actual GRE of the being packet of packet F4 that compound network 
transmitted, determine that then the actual agreements type is non-ICP/IP protocol.
S302, according to the actual agreements type of packet with each packet shunting.
Above-mentioned packet F1 is divided into the IPv4 shunting, above-mentioned packet F2 is divided into non-TCP/IP shunting, above-mentioned packet F3 is divided into the IPv6 shunting, above-mentioned packet F4 is divided into non-TCP/IP shunting.
S303, to shunt of the Packet Filtering of corresponding actual agreements type to this shunting.
With the IPv4 protocol type above-mentioned packet F1 being filtered, specifically is the packet header of packet F1 to be removed (promptly removing the IPv6 encapsulation), obtains actual IPv4 packet; In like manner, with non-ICP/IP protocol type above-mentioned packet F2 is filtered.With the IPv6 protocol type above-mentioned packet F3 is filtered, can directly pass through; In like manner, above-mentioned packet F4 is filtered, can directly pass through with non-ICP/IP protocol type.
S304, the filtered data bag is carried out UTM agency, packet is sent.
The above-mentioned IPv4 packet that obtains after packet F1 is filtered is acted on behalf of by the UTM of IPv4 type, as realizing the IP agency, and HTTP Proxy, the POP3 agency, the SMPT agency, sip agent, functions such as VPN, thus packet is transmitted.
In like manner, the above-mentioned IPv6 packet that obtains after packet F3 is filtered is acted on behalf of by the UTM of IPv6 type.
Above-mentioned GRE packet to obtaining after the packet F2 filtration, and the GRE packet to obtaining after the packet F4 filtration also needed carry out following processing to packet F2, F4 before acting on behalf of by UTM:
The above-mentioned S303 that continues obtains after the GRE packet after filtration, and the GRE protocol type of the packet of non-TCP/IP shunting is converted to IPv4 (also can be exchanged into IPv6) agreement, promptly becomes the IPv4 shunting.Also can in the packet after each conversion, increase label, indicate that this packet gets through protocol conversion, and the former protocol type that the information of this label can embody packet F2 is the GRE packet that encapsulates in the IPv4 mode; The former protocol type of packet F4 is the GRE packet that encapsulates in the GRE mode.
Afterwards, the UTM that the shunting of the IPv4 after the protocol conversion is transferred to the IPv4 type acts on behalf of (if be converted to IPv6, then the UTM by the IPv6 type acts on behalf of).
At last, discern the label in the above-mentioned packet, and determine former protocol type, packet F2 is encapsulated as again the GRE packet that encapsulates in the IPv4 mode according to the information that label provides, packet F4 is encapsulated as the GRE packet that encapsulates in the GRE mode again, and transmits.
Also can carry out following processing for packet F2, F4:
The above-mentioned S303 that continues obtains after the GRE packet after filtration, and the GRE protocol type of the packet of non-TCP/IP shunting is converted to IPv4 (also can be exchanged into IPv6) agreement, promptly becomes the IPv4 shunting.Also can in the packet after each conversion, increase label, indicate that this packet gets through protocol conversion, and the former protocol type that the information of this label can embody packet F2 is the GRE packet that encapsulates in the IPv4 mode; The former protocol type of packet F4 is the GRE packet that encapsulates in the GRE mode.
Thereafter, with the protocol type after the conversion, promptly the IPv4 protocol type filters (if be converted to IPv6, then with the IPv6 protocol type this IPv6 shunting being filtered once more) once more to this IPv4 shunting.
Afterwards, the UTM that the IPv4 shunting after filtering is once more transferred to the IPv4 type acts on behalf of (if be converted to IPv6, then the UTM by the IPv6 type acts on behalf of).
At last, discern the label in the above-mentioned packet, and determine former protocol type, packet F2 is encapsulated as again the GRE packet that encapsulates in the IPv4 mode according to the information that label provides, packet F4 is encapsulated as the GRE packet that encapsulates in the GRE mode again, and transmits.
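The protocol analysis, diversion and filtering steps of embodiments 2 and 3 (S201 to S203, S301 to S303), as an added Python example; it is not code from the patent or from Bluedon. The protocol feature library is modelled as an ordered list of matching rules that can be extended at run time, the packets F1 to F4 are constructed inline from minimal IPv4, IPv6 and GRE headers around dummy payloads, and every function and field name is an assumption; only the IANA protocol numbers 4, 41 and 47 (IPv4, IPv6 and GRE carried inside an IP packet) are real values.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Real IANA protocol numbers that announce another packet inside this one.
ENCAP_NEXT = {4: "IPv4", 41: "IPv6", 47: "GRE"}

@dataclass
class Identified:
    actual: str           # protocol of the innermost packet found (S301 result)
    layers: List[str]     # outer-to-inner protocol names, e.g. ["IPv6", "IPv4"]
    headers: List[bytes]  # outer headers walked through, outermost first
    inner: bytes          # the packet of the actual protocol

# Constructed feature rules: each checks header fields a packet of that protocol
# must carry.  Together they form the "protocol feature library"; a new protocol
# is supported by appending a rule, without touching the analysis code.
def is_ipv4(p: bytes) -> bool:
    return (len(p) >= 20 and p[0] >> 4 == 4 and (p[0] & 0x0F) >= 5
            and struct.unpack("!H", p[2:4])[0] == len(p))

def is_ipv6(p: bytes) -> bool:
    return (len(p) >= 40 and p[0] >> 4 == 6
            and struct.unpack("!H", p[4:6])[0] == len(p) - 40)

def is_gre(p: bytes) -> bool:
    # GRE version 0 whose protocol-type field names an IP payload.
    return (len(p) >= 4 and (p[1] & 0x07) == 0
            and struct.unpack("!H", p[2:4])[0] in (0x0800, 0x86DD))

FEATURE_LIBRARY: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("IPv4", is_ipv4), ("IPv6", is_ipv6), ("GRE", is_gre)]

def match_feature(p: bytes) -> Optional[str]:
    for name, rule in FEATURE_LIBRARY:
        if rule(p):
            return name
    return None

def protocol_analysis(pkt: bytes) -> Identified:
    """S301: match against the feature library layer by layer until the actual
    (innermost) protocol is reached."""
    layers, headers, cur = [], [], pkt
    while True:
        name = match_feature(cur)
        if name is None:
            raise ValueError("no protocol feature matched")
        layers.append(name)
        if name == "IPv4":
            hlen, nxt = (cur[0] & 0x0F) * 4, cur[9]
        elif name == "IPv6":
            hlen, nxt = 40, cur[6]
        else:                        # GRE itself is the non-TCP/IP protocol
            break
        if nxt not in ENCAP_NEXT:    # a transport payload follows: stop here
            break
        headers.append(cur[:hlen])
        cur = cur[hlen:]
    return Identified(layers[-1], layers, headers, cur)

def divert(ident: Identified) -> str:
    """S302: choose the branch from the actual protocol type."""
    return ident.actual if ident.actual in ("IPv4", "IPv6") else "non-TCP/IP"

def filter_branch(ident: Identified, pkt: bytes) -> Tuple[bytes, List[bytes]]:
    """S303: filter with the branch's own protocol type.  Encapsulating headers
    of another protocol are removed (F1, F2); a packet whose layers are all of
    the actual protocol passes through unchanged (F3, F4)."""
    if all(layer == ident.actual for layer in ident.layers):
        return pkt, []
    return ident.inner, ident.headers

def analyse_divert_filter(pkt: bytes) -> dict:
    try:
        ident = protocol_analysis(pkt)
    except ValueError:               # unknown protocol: drop, never forward blind
        return {"branch": "drop", "layers": [], "packet": b"", "stripped": []}
    out, stripped = filter_branch(ident, pkt)
    return {"branch": divert(ident), "layers": ident.layers,
            "packet": out, "stripped": stripped}

# Constructed sample packets F1..F4: minimal headers around dummy payloads.
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src, dst) + payload

def _ipv6(src, dst, nxt, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                       src, dst) + payload

SRC4, DST4 = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SRC6 = bytes.fromhex("20010db8" + "00" * 11 + "01")
DST6 = bytes.fromhex("20010db8" + "00" * 11 + "02")
GRE_PKT = struct.pack("!HH", 0, 0x0800) + b"gre payload"
F1 = _ipv6(SRC6, DST6, 4, _ipv4(SRC4, DST4, 6, b"tcp segment"))     # IPv4 in IPv6
F2 = _ipv4(SRC4, DST4, 47, GRE_PKT)                                   # GRE in IPv4
F3 = _ipv6(SRC6, DST6, 41, _ipv6(SRC6, DST6, 17, b"udp datagram"))  # IPv6 in IPv6
F4 = GRE_PKT                                                          # bare GRE

if __name__ == "__main__":
    for name, pkt in (("F1", F1), ("F2", F2), ("F3", F3), ("F4", F4)):
        r = analyse_divert_filter(pkt)
        print(name, r["layers"], "->", r["branch"], len(r["packet"]), "bytes")
```

The stripped outer headers are returned alongside the filtered packet because the later protocol encapsulation step needs them to restore the original form; a packet that matches no feature is sent to a drop branch rather than guessed at, which is the failure mode a feature-matching identifier must handle explicitly.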
Embodiment 4. Referring to Fig. 2, the system for realizing UTM in a heterogeneous network in this embodiment of the invention comprises: a protocol feature library, a protocol analysis module, a protocol diversion module, a filtering module and a UTM function module.
The protocol feature library is used to store the feature information of all protocol types and serves as the basis for the protocol matching identification performed by the protocol analysis module;
the protocol analysis module is used to perform protocol matching identification on incoming packets and determine the actual protocol type of each packet;
the protocol diversion module is used to divert each packet according to its actual protocol type;
the filtering module is used to filter the packets of each branch with the actual protocol type corresponding to that branch;
the UTM function module is used to proxy and forward the filtered packets.
Embodiment 5. Based on embodiment 4 and referring to Fig. 3, this embodiment of the invention is described in further detail as a modular principle flow. It comprises: the protocol feature library; the protocol analysis module; the protocol diversion module; the filtering module, decomposed into an IPv4 filter, an IPv6 filter and other filters, each corresponding to the branch of a different protocol type; the protocol conversion module; the UTM function module, decomposed into an IPv4 UTM function module and an IPv6 UTM function module, corresponding to the IPv4 branch and the IPv6 branch respectively; and the protocol encapsulation module.
Because the network protocols used in a compound (heterogeneous) network are not a single protocol but several protocols used simultaneously, the packets transmitted in a compound network are usually of various protocols, such as TCP/IP protocols (IPv4, IPv6) and non-TCP/IP protocols (IPX/SPX, NETBEUI, GRE and so on).
The protocol feature library stores the feature information of all protocol types, serves as the basis for the protocol matching identification performed by the protocol analysis module, and can be updated.
The protocol analysis module performs protocol matching identification on incoming packets and determines the actual protocol type of each packet. For example: packet F1, transmitted in the compound network at time T1, is an IPv4 packet encapsulated in IPv6; after matching identification against the protocol feature information in the protocol feature library, F1 is found to be actually an IPv4 packet that is merely encapsulated in IPv6, so its actual protocol type is determined to be the IPv4 protocol. Packet F2, transmitted at time T2, is a GRE packet encapsulated in IPv4; after matching identification against the protocol feature library, F2 is found to be actually a GRE packet (a non-TCP/IP packet) that is merely encapsulated in IPv4, so its actual protocol type is determined to be a non-TCP/IP protocol. Packet F3, transmitted at time T3, is an IPv6 packet encapsulated in IPv6; after matching identification against the protocol feature library, F3 is found to be actually an IPv6 packet, so its actual protocol type is determined to be the IPv6 protocol. Packet F4, transmitted at time T4, is a GRE packet encapsulated in GRE; after matching identification against the protocol feature library, F4 is found to be actually a GRE packet, so its actual protocol type is determined to be a non-TCP/IP protocol.
The protocol diversion module diverts each packet according to its actual protocol type; specifically, packet F1 is diverted to the IPv4 branch, packet F2 to the non-TCP/IP branch, packet F3 to the IPv6 branch and packet F4 to the non-TCP/IP branch, and the packets are sent to the IPv4 filter, the IPv6 filter and the other filters respectively.
The IPv4 filter filters packet F1 with the IPv4 protocol type; specifically, the outer header of F1 is removed (i.e. the IPv6 encapsulation is removed), yielding the actual IPv4 packet. Likewise, the other filters filter packet F2 with the non-TCP/IP protocol type; packet F4 is filtered with the non-TCP/IP protocol type and can pass directly. The IPv6 filter filters packet F3 with the IPv6 protocol type, and it can pass directly.
The IPv4 packet obtained after filtering F1 enters the IPv4 UTM function module and is proxied by it, implementing functions such as IP proxy, HTTP proxy, POP3 proxy, SMTP proxy, SIP proxy and VPN, so that the packet is forwarded. Likewise, the IPv6 packet obtained after filtering F3 enters the IPv6 UTM function module, is proxied by it, and is forwarded.
The GRE packet obtained after filtering F2 and the GRE packet obtained after filtering F4 enter the protocol conversion module, where, as required and as configured, the protocol type of the GRE packets can be converted to the IPv4 or IPv6 protocol, so that they become the IPv4 branch or the IPv6 branch. A label may also be added to each converted packet, indicating that the packet has undergone protocol conversion; the information in the label can reflect that the original protocol type of F2 is a GRE packet encapsulated in IPv4, and that the original protocol type of F4 is a GRE packet encapsulated in GRE.
The IPv4 branch or IPv6 branch obtained after conversion is passed to the corresponding IPv4 UTM function module or IPv6 UTM function module (Fig. 3 takes conversion to IPv4 as the example), and after proxying by the IPv4 UTM function module the IPv4 packets are forwarded.
The protocol encapsulation module receives the forwarded IPv4 packets, recognises the label in them, determines the original protocol type from the information the label provides, re-encapsulates packet F2 as a GRE packet encapsulated in IPv4 and packet F4 as a GRE packet encapsulated in GRE, and forwards them.
Embodiment 6. Based on embodiment 4 and referring to Fig. 4, this embodiment of the invention is described in further detail as a modular principle flow. It comprises: the protocol feature library; the protocol analysis module; the protocol diversion module; the filtering module, decomposed into an IPv4 filter, an IPv6 filter and other filters, each corresponding to the branch of a different protocol type; the protocol conversion module; the UTM function module, decomposed into an IPv4 UTM function module and an IPv6 UTM function module, corresponding to the IPv4 branch and the IPv6 branch respectively; and the protocol encapsulation module.
Because the network protocols used in a compound (heterogeneous) network are not a single protocol but several protocols used simultaneously, the packets transmitted in a compound network are usually of various protocols, such as TCP/IP protocols (IPv4, IPv6) and non-TCP/IP protocols (IPX/SPX, NETBEUI, GRE and so on).
The protocol feature library stores the feature information of all protocol types, serves as the basis for the protocol matching identification performed by the protocol analysis module, and can be updated.
The protocol analysis module performs protocol matching identification on incoming packets and determines the actual protocol type of each packet. For example: packet F1, transmitted in the compound network at time T1, is an IPv4 packet encapsulated in IPv6; after matching identification against the protocol feature information in the protocol feature library, F1 is found to be actually an IPv4 packet that is merely encapsulated in IPv6, so its actual protocol type is determined to be the IPv4 protocol. Packet F2, transmitted at time T2, is a GRE packet encapsulated in IPv4; after matching identification against the protocol feature library, F2 is found to be actually a GRE packet (a non-TCP/IP packet) that is merely encapsulated in IPv4, so its actual protocol type is determined to be a non-TCP/IP protocol. Packet F3, transmitted at time T3, is an IPv6 packet encapsulated in IPv6; after matching identification against the protocol feature library, F3 is found to be actually an IPv6 packet, so its actual protocol type is determined to be the IPv6 protocol. Packet F4, transmitted at time T4, is a GRE packet encapsulated in GRE; after matching identification against the protocol feature library, F4 is found to be actually a GRE packet, so its actual protocol type is determined to be a non-TCP/IP protocol.
The protocol diversion module diverts each packet according to its actual protocol type; specifically, packet F1 is diverted to the IPv4 branch, packet F2 to the non-TCP/IP branch, packet F3 to the IPv6 branch and packet F4 to the non-TCP/IP branch, and the packets are sent to the IPv4 filter, the IPv6 filter and the other filters respectively.
The IPv4 filter filters packet F1 with the IPv4 protocol type; specifically, the outer header of F1 is removed (i.e. the IPv6 encapsulation is removed), yielding the actual IPv4 packet. Likewise, the other filters filter packet F2 with the non-TCP/IP protocol type; packet F4 is filtered with the non-TCP/IP protocol type and can pass directly. The IPv6 filter filters packet F3 with the IPv6 protocol type, and it can pass directly.
The IPv4 packet obtained after filtering F1 enters the IPv4 UTM function module and is proxied by it, implementing functions such as IP proxy, HTTP proxy, POP3 proxy, SMTP proxy, SIP proxy and VPN, so that the packet is forwarded. Likewise, the IPv6 packet obtained after filtering F3 enters the IPv6 UTM function module, is proxied by it, and is forwarded.
The GRE packet obtained after filtering F2 and the GRE packet obtained after filtering F4 enter the protocol conversion module, where, as required and as configured, the protocol type of the GRE packets can be converted to the IPv4 or IPv6 protocol, so that they become the IPv4 branch or the IPv6 branch. A label may also be added to each converted packet, indicating that the packet has undergone protocol conversion; the information in the label can reflect that the original protocol type of F2 is a GRE packet encapsulated in IPv4, and that the original protocol type of F4 is a GRE packet encapsulated in GRE.
To achieve a better effect and to prevent the data flow converted by the protocol conversion module from being mixed with packets of other protocols, in this embodiment the protocol conversion module, after converting the GRE protocol to the IPv4 or IPv6 protocol (Fig. 4 takes IPv4 as the example), passes the IPv4 branch obtained after conversion to the IPv4 filter to be filtered once more.
The re-filtered IPv4 branch is then passed to the IPv4 UTM function module, and after proxying by the IPv4 UTM function module the IPv4 packets are forwarded.
The protocol encapsulation module receives the forwarded IPv4 packets, recognises the label in them, determines the original protocol type from the information the label provides, re-encapsulates packet F2 as a GRE packet encapsulated in IPv4 and packet F4 as a GRE packet encapsulated in GRE, and forwards them.
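The protocol conversion, second IPv4 filtering, IPv4 UTM proxying and protocol encapsulation stages of embodiments 5 and 6 (and the alternative processing of F2 and F4 in embodiment 3), as an added Python example; it is not code from the patent or from Bluedon. It starts from the output of the filtering stage (the GRE packet plus whatever outer header the filter removed), carries the label as a record attached to the packet rather than as in-band bytes, reduces the UTM proxy to an IP-level allow/deny policy, and uses constructed addresses and policy values. The GRE protocol number 47 is the real IANA value; every name, address and policy entry is an assumption.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_GRE = 47                                        # real IANA number
CONVERT_SRC = bytes([10, 0, 0, 1])                      # assumed endpoints used when a
CONVERT_DST = bytes([10, 0, 0, 2])                      # bare GRE packet (F4) is converted
ALLOWED_PROTOCOLS = {6, 17, 47}                         # constructed UTM policy: TCP, UDP, GRE
BLOCKED_DST = {bytes([10, 0, 0, 99])}                   # constructed UTM policy

@dataclass
class Labelled:
    packet: bytes   # the packet in its converted (IPv4) form
    label: dict     # what the protocol encapsulation module needs to restore it

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def protocol_convert(gre_pkt: bytes, stripped: List[bytes]) -> Labelled:
    """Protocol conversion module: wrap the GRE packet in IPv4 and label it.
    Addresses come from the original outer IPv4 header when the filter stripped
    one (F2), otherwise from the configured endpoints (F4)."""
    if stripped and stripped[0][0] >> 4 == 4:
        src, dst = stripped[0][12:16], stripped[0][16:20]
    else:
        src, dst = CONVERT_SRC, CONVERT_DST
    label = {"converted": True, "original": "GRE", "outer": list(stripped)}
    return Labelled(ipv4_header(src, dst, IPPROTO_GRE, len(gre_pkt)) + gre_pkt, label)

def ipv4_filter(pkt: bytes) -> bool:
    """IPv4 filter applied a second time after conversion (embodiment 6): the
    converted branch must carry well-formed IPv4 only."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    return ipv4_checksum(pkt[:ihl]) == 0

def utm_ipv4_proxy(pkt: bytes) -> Optional[bytes]:
    """IPv4 UTM function module, reduced to an IP-level policy decision."""
    if pkt[9] not in ALLOWED_PROTOCOLS or pkt[16:20] in BLOCKED_DST:
        return None                                      # rejected by the UTM
    return pkt

def protocol_encapsulate(item: Labelled) -> bytes:
    """Protocol encapsulation module: read the label and restore the original form."""
    if not item.label.get("converted"):
        return item.packet                               # never converted: as-is
    inner = item.packet[(item.packet[0] & 0x0F) * 4:]    # the GRE packet
    for hdr in reversed(item.label["outer"]):            # put original outer headers back
        inner = hdr + inner
    return inner

def process_non_tcpip(gre_pkt: bytes, stripped: List[bytes]) -> Optional[bytes]:
    """Conversion -> second IPv4 filter -> IPv4 UTM proxy -> re-encapsulation.
    Returns None when the UTM dropped the packet."""
    conv = protocol_convert(gre_pkt, stripped)
    if not ipv4_filter(conv.packet):
        return None
    proxied = utm_ipv4_proxy(conv.packet)
    if proxied is None:
        return None
    return protocol_encapsulate(Labelled(proxied, conv.label))

# Constructed samples: the filter output for F2 (GRE plus its stripped IPv4
# header) and for F4 (bare GRE, nothing stripped).
GRE_PKT = struct.pack("!HH", 0, 0x0800) + b"gre payload"
F2_OUTER = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), IPPROTO_GRE, len(GRE_PKT))
F2 = F2_OUTER + GRE_PKT
F4 = GRE_PKT

if __name__ == "__main__":
    print("F2 restored:", process_non_tcpip(GRE_PKT, [F2_OUTER]) == F2)
    print("F4 restored:", process_non_tcpip(GRE_PKT, []) == F4)
```

The round trip returns F2 and F4 in exactly their original form, which is the property the label exists to guarantee. A converted packet that fails the second IPv4 filter or the proxy policy is dropped before the encapsulation module ever sees it, so a packet the UTM rejected cannot leave the device in its original protocol.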
Obviously, those skilled in the art can carry out various changes and modification to the present invention and not break away from the spirit and scope of the present invention.Like this, if of the present invention these are revised and modification belongs within the scope of claim of the present invention and equivalent technologies thereof, then the present invention also is intended to comprise these changes and modification interior.

Claims (9)

1. A method for realizing UTM in a heterogeneous network, characterized in that it comprises the following steps:
Protocol analysis step: performing protocol matching identification on the packets flowing into the UTM to determine the actual protocol type of each packet;
Protocol diversion step: diverting each packet into a branch according to its actual protocol type;
Filtering step: filtering the packets of each branch with the actual protocol type corresponding to that branch;
Proxy step: performing UTM proxying on the filtered packets and sending them out.
2. The method for realizing UTM in a heterogeneous network according to claim 1, characterized in that, when the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the following steps are further included before the proxy step:
Protocol conversion step: converting the protocol type of the packets filtered in that branch to a TCP/IP protocol;
Indirect proxy step: handing the packets after protocol conversion to the UTM proxy of the corresponding protocol;
and the following step is further included after the proxy step:
Protocol encapsulation step: re-encapsulating the packets into their former protocol type.
3. The method for realizing UTM in a heterogeneous network according to claim 1, characterized in that, when the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the following steps are further included before the proxy step:
Protocol conversion step: converting the protocol type of the packets filtered in that branch to a TCP/IP protocol;
Second filtering step: filtering the packets after protocol conversion once more, with the protocol type after conversion;
Indirect proxy step: handing the packets filtered once more to the UTM proxy of the corresponding protocol;
and the following step is further included after the proxy step:
Protocol encapsulation step: re-encapsulating the packets into their former protocol type.
4. The method for realizing UTM in a heterogeneous network according to claim 2 or 3, characterized in that the protocol conversion step further comprises: adding a label to the packets after protocol conversion; and
the protocol encapsulation step further comprises: recognising the label of the packets and determining the former protocol type from the information the label provides.
5. A system for realizing UTM in a heterogeneous network, characterized in that it comprises:
a protocol analysis module, for performing protocol matching identification on the inflowing packets to determine the actual protocol type of each packet;
a protocol diversion module, for diverting each packet into a branch according to its actual protocol type;
a filtering module, for filtering the packets of each branch with the actual protocol type corresponding to that branch;
a UTM functional module, for proxying and forwarding the filtered packets.
6. The system for realizing UTM in a heterogeneous network according to claim 5, characterized in that, when the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the following modules are further included:
a protocol conversion module, for converting the protocol type of the packets filtered in that branch to a TCP/IP protocol, handing the packets after protocol conversion to the UTM functional module, and instructing the UTM functional module to proxy them with the protocol type after conversion;
a protocol encapsulation module, for re-encapsulating the packets into their former protocol type after proxying.
7. The system for realizing UTM in a heterogeneous network according to claim 5, characterized in that, when the actual protocol type corresponding to a branch is a non-TCP/IP protocol, the following modules are further included:
a protocol conversion module, for converting the protocol type of the packets filtered in that branch to a TCP/IP protocol, handing the packets after protocol conversion to the filtering module and instructing the filtering module to filter them once more with the protocol type after conversion, then handing the packets filtered once more to the UTM functional module and instructing the UTM functional module to proxy them with the protocol type after conversion;
a protocol encapsulation module, for re-encapsulating the packets into their former protocol type after proxying.
8. The system for realizing UTM in a heterogeneous network according to claim 6 or 7, characterized in that the protocol conversion module adds a label to the packets after protocol conversion, and the protocol encapsulation module recognises the label of the packets and determines the former protocol type from the information the label provides.
9. The system for realizing UTM in a heterogeneous network according to claim 5, 6 or 7, characterized in that it further comprises a protocol feature library, for storing the feature information of each type of protocol, which serves as the basis for the protocol matching identification performed by the protocol analysis module.
CN 201010106979 (priority date 2010-02-09, filing date 2010-02-09): Method and system for realizing unified threat management in heterogeneous network. Status: Expired - Fee Related. Granted publication: CN101827083B (en)

Publications (2)

Publication Number Publication Date
CN101827083A true CN101827083A (en) 2010-09-08
CN101827083B CN101827083B (en) 2012-10-17

Family

ID=42690789

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227289A (en) * 2008-02-02 2008-07-23 华为技术有限公司 Unified threat management device and method for loading a threat defense module

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102595509A (en) * 2012-04-09 2012-07-18 西安电子科技大学 Cocurrent data distribution method based on transmission control protocol (TCP) in heterogeneous networks
CN102595509B (en) * 2012-04-09 2014-06-18 西安电子科技大学 Cocurrent data distribution method based on transmission control protocol (TCP) in heterogeneous networks
CN103763306A (en) * 2013-12-27 2014-04-30 上海斐讯数据通信技术有限公司 Remote network access support system and remote network access method
CN103763306B (en) * 2013-12-27 2018-05-01 上海斐讯数据通信技术有限公司 System and remote network access method are supported in remote network access
CN106549969A (en) * 2016-11-21 2017-03-29 英赛克科技(北京)有限公司 Data filtering method and device
CN106549969B (en) * 2016-11-21 2019-10-22 英赛克科技(北京)有限公司 Data filtering method and device
CN107124397A (en) * 2017-03-29 2017-09-01 国网安徽省电力公司信息通信分公司 A kind of mobile interaction platform network bracing means and its reinforcement means
CN107087006A (en) * 2017-05-24 2017-08-22 全讯汇聚网络科技(北京)有限公司 A kind of agreement shunt method, system and server
CN107087006B (en) * 2017-05-24 2019-08-16 全讯汇聚网络科技(北京)有限公司 A kind of agreement shunt method, system and server
CN110381087A (en) * 2019-08-13 2019-10-25 珠海格力电器股份有限公司 Data transmission method, device and the team control communication system of data converter
CN113473538A (en) * 2021-07-13 2021-10-01 蒋溢 Wireless convergence network-based shunt control method and system
CN113473538B (en) * 2021-07-13 2023-03-10 蒋溢 Wireless convergence network-based shunt control method and system

Legal Events

Code Title Description
C06 Publication
PB01 Publication
DD01 Delivery of document by public notice (Addressee: Wu Bingtang; Document name: Notification of Passing Preliminary Examination of the Application for Invention)
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
DD01 Delivery of document by public notice (Addressee: Wu Bingtang; Document name: Notification of Publication and of Entering the Substantive Examination Stage of the Application for Invention)
DD01 Delivery of document by public notice (Addressee: Wu Bingtang; Document name: Notification of Passing Examination on Formalities)
C14 Grant of patent or utility model
GR01 Patent grant (Granted publication date: 20121017)
CF01 Termination of patent right due to non-payment of annual fee