CN102025735A - Distributed network firewall system of Linux based on defense strategy - Google Patents


Info

Publication number: CN102025735A
Authority: CN (China)
Prior art keywords: file, network, client, module, end subsystem
Legal status: Granted
Application number: CN2010105788361A
Other languages: Chinese (zh)
Other versions: CN102025735B (en)
Inventors: 王海泉, 杨启朗, 孙孟涛, 夏春和
Current Assignee: Beihang University
Original Assignee: Beihang University
Events:
Application filed by Beihang University
Priority to CN 201010578836 (granted as CN102025735B)
Publication of CN102025735A
Application granted
Publication of CN102025735B
Current status: Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a Linux distributed network firewall system based on a defense strategy, which provides network security protection for computers running the Linux operating system in a local area network. The system has a distributed structure consisting of a server-side subsystem and a client subsystem. In the firewall system, a network topology of the local area network to be protected is first constructed on the server side; the services to be protected and the possible attack modes are then selected, and a defense rule document is generated. The defense rule document is promptly updated in the client system and deployed to achieve protection. Multiple defense rules aimed at the different computers and services in the network are generated by means of strategy reasoning and interpretation, so that every computer equipped with the client subsystem and a firewall is protected accordingly. One defense strategy, set once, safely protects a plurality of network nodes simultaneously.

Description

Linux distributed network firewall system based on defence policies
Technical field
The present invention relates to a computer firewall system, and more particularly to a distributed firewall system based on defence policies that protects computers running the Linux operating system in a local area network (LAN).
Background technology
A local area network (LAN) is a computer communication network that interconnects the computers, peripheral equipment, databases and so on within a limited geographic area, such as a school, a factory or an office. Through a data communication network or a dedicated data line it can be connected to a remote LAN, database or processing centre to form a large-scale information processing system. A LAN is a group of computers within a certain area that are interconnected; "a certain area" means the same office, the same building, the same company, the same school and so on, generally within a circumference of a few kilometres. A LAN can provide file management, sharing of application software, printer sharing, scanner sharing, workgroup scheduling, e-mail, fax services and similar functions. LANs are closed: one may consist of two computers in an office, another of thousands of computers in a company. A LAN is normally a network system distributed over a limited geographic range, usually only a few kilometres. LANs are highly specific and have comparatively stable and standardised topologies. The common LAN topologies are the star, tree, bus and ring structures and extensions of these four structures.
Network topology refers to the arrangement or layout of the specified devices and lines in a computer network; in geographic terms it refers to the interconnection relationships between the network elements. Network topology describes the physical layout in which transmission media interconnect the various devices, that is, the way in which the computers and other equipment in the network are connected together. The main topologies are the star, ring, bus, distributed, tree, mesh and cellular structures.
The C/S architecture is the client/server architecture, a master-slave architecture (Client/Server) and one of the popular network architectures; it distinguishes between the client (Client) and the server (Server). Each instance of the client software can send requests to a server or application server. There are many different kinds of server, for example file servers, terminal servers and mail servers; although their purposes differ, the basic architecture is the same. Its characteristic is that the client/server architecture is intended to provide a scalable framework in which any networked computer or process is either a client or a server. Server software generally, but not always, runs on a powerful dedicated business computer; the client, on the other hand, generally runs on an ordinary personal computer or workstation. The server side is characterised by its passive (slave) role: it waits for requests from clients, processes the requests and returns results. The client is characterised by its active (master) role: it sends requests and waits until it receives a response. A server may be stateful or stateless: a stateless server keeps no information between any two requests, while a stateful server can remember information between requests; the scope of this information may be global or limited to a particular session.
A firewall (Firewall) is a special-purpose network interconnection device used to strengthen access control between networks, to prevent users of an external network from entering the internal network by illegal means and accessing internal network resources, and to protect the operating environment of the internal network. Traditional firewalls are mainly divided into gateway firewalls and host firewalls. Personal users mostly choose a host firewall, but a host firewall can only protect what the software vendor has configured and cannot be configured according to the user's own preferences. Gateway firewalls are used in LANs, but with today's network speed requirements and the need for firewalls to support an ever-growing number of network protocols, the gateway firewall has increasingly become a bottleneck. At the same time, for traditional firewalls the assumption that "the LAN users protected by the firewall are trustworthy" no longer holds: current network access methods such as tunnels, wireless connections and dial-up access make it easy for an individual inside the LAN to set up a connection that bypasses the firewall, leaving a back door into the LAN that provides convenience for an attacker attacking from within and leaves a potential security hazard. Moreover, if the firewall itself has a vulnerability, the security of the whole network may be compromised.
To address some shortcomings of the traditional firewall while retaining its inherent advantages, in 1999 Steven M. Bellovin, a researcher at AT&T Laboratories in the United States, proposed the concept of the distributed firewall in his paper "Distributed Firewalls" and gave a prototype framework for this firewall. The concept attracted wide attention as soon as it was proposed, and some even regard it as the new fifth-generation firewall. In his paper, the "distributed firewall" has several major characteristics: policies are customised centrally, executed on each host, and logs are collected and processed centrally. The basic idea of the "distributed firewall" is that security policy is formulated by centralised definition at a central management server, while the execution of the security policy is carried out independently by the associated host nodes. However, at present research on distributed firewalls at home and abroad mostly remains at the modelling and design stage; the few distributed firewall products that have been realised all formulate firewall policy in a low-level configuration language, essentially the same approach as configuring the firewall defence rules of every computer individually, so the core characteristic of the distributed firewall, "centrally customised policy", is insufficiently realised, and the products lack the uniformity and efficiency they should have.
Summary of the invention
The present invention is a distributed network firewall with a C/S architecture, designed on the basis of an XSB reasoning database and an automatic attack-path generation method. For a specific network service, multiple defence rules for the whole network are generated at the server side by selecting a high-level policy and are then distributed to each client for deployment, thus achieving unified configuration. This solves the inefficiency of deploying defence rules across a LAN, reduces the errors that arise from repetitive manual work, and overcomes the problem that network-wide deployment could previously only be done by configuring one computer at a time by hand.
To make the policy configuration of the distributed firewall more efficient, the present invention uses a high-level policy: by selecting a triple (context, service, behaviour) in the server-side subsystem (where context denotes a predefined attack type, service denotes the service to be protected, and behaviour denotes the corresponding measure to be taken), all hosts in the network on which the client-side subsystem of the present invention is installed can be configured uniformly, so that the hosts in the protected network that have opened this service are protected from the attack. A single policy deployment thereby protects multiple hosts in the network simultaneously, making the advantage of the distributed firewall more obvious.
The Linux distributed network firewall system based on defence policies of the present invention is divided into two parts: a server-side subsystem and a client-side subsystem;
The server-side subsystem includes a network topology processing module, a policy integration module, a policy inference engine module, a defence measure processing module and a server-side communication module;
The client-side subsystem includes a packet filter firewall, a rule deployment module, a client-side communication module, a logging module and a configuration file module;
The network topology processing module, first, draws the network topology; second, configures node information; third, integrates the topology files;
The network topology and node topology information are saved in the form of the logic programming language PROLOG, giving a PROLOG topology file;
In the topology file integration stage, the NECS topology file and the PROLOG topology file are integrated in the form of the Extensible Markup Language (XML), giving the integrated file file-1;
The policy integration module integrates the policy information selected by the user in the server-side subsystem and saves it as the policy file file-2;
The policy inference engine module merges the information in the integrated file file-1 with the attack knowledge base to obtain a reasoning database; it then reads the policy file file-2, generates attack operations for the nodes that have opened the protected service, performs first-order predicate reasoning together with the information in the reasoning database to generate simple attack paths, interprets them, and generates the defence measure file file-3;
The defence measure processing module calls the defence measure interpreter to interpret the defence measure file file-3, obtains the defence rules, and stores the defence rules classified by the IP address of the network node as the file name; the stored files are called defence rule files file-4;
The defence measure interpreter reads and screens the defence measures to generate the rules used by the host firewall Netfilter/iptables of each corresponding network node;
The server-side communication module transmits messages to the client-side communication module over the SSL cryptographic protocol;
The client-side communication module transmits messages to the server-side communication module over the SSL cryptographic protocol;
The rule deployment module deploys the defence rule file file-4 downloaded by the client-side communication module into the packet filter firewall; the concrete rule deployment includes the following steps:
Step 7-1: the client opens the defence rule file file-4, which is located under the /home/firewall path;
Step 7-2: the rule deployment module reads the iptables defence rules in the defence rule file file-4 starting from the second line; at the same time, the rule deployment module calls the bash shell to configure each rule in the packet filter firewall by means of an iptables configuration statement;
Using the packet filtering function of Netfilter, the defence rules are deployed in Netfilter so that the corresponding intrusion packets are intercepted and the protected service is not intruded upon;
The logging module is responsible for recording the time at which the defence rule file file-4 is updated and the error messages that arise during operation of the client-side subsystem;
The configuration file module is responsible for configuring the operating parameters of the client-side subsystem and ensuring that the client-side subsystem runs correctly and automatically; each time the client-side subsystem starts, it calls the configuration file module, which reads the configuration file client.conf to configure the client-side subsystem; this configuration file client.conf is located under the /home/firewall/ path.
The advantage that the present invention is based on the Linux distributed network firewall system of defence policies is:
1. Protection of multiple hosts in the network is achieved simply by selecting a predefined attack type, the service to be protected and the corresponding measure to be taken; a high-level policy deployment is used, detached from the concrete low-level details, so that operators find it easier to get started.
2. Policy transmission between hosts uses the SSL (Secure Socket Layer) cryptographic protocol, which guarantees the integrity and secure transmission of the data.
3. The client uses existing open-source host firewall technology and therefore has high stability and availability. At the same time, the client can intelligently match and update its defence rules with the server side, achieving autonomous operation and reducing the manual configuration and similar operations required of the system.
Description of drawings
Fig. 1 is the system architecture diagram of the server-side subsystem and client-side subsystem of the present invention.
Fig. 2 is a typical star-type LAN topology diagram in which the server-side subsystem and client-side subsystems are deployed.
Embodiment
The present invention is described in further detail below in conjunction with accompanying drawing.
The present invention is a distributed firewall system based on defence policies for the computers in a LAN on which the Linux operating system is installed. The system is divided into two parts, a server-side subsystem and a client-side subsystem, as shown in Fig. 1. The server-side subsystem is responsible for editing the network topology and deploying the defence policies, which mainly means converting the defence policies selected by the user into low-level defence rules that the clients can deploy; the client-side subsystem is responsible for deploying the low-level defence rules it receives into the host firewall of the user (the PC on which the client-side subsystem is installed).
In the present invention, the server-side subsystem includes a network topology processing module, a policy integration module, a policy inference engine module, a defence measure processing module, and a communication module responsible for communicating with the client-side subsystem (the server-side communication module for short).
In the present invention, the client-side subsystem includes a packet filter firewall, a rule deployment module, a communication module responsible for communicating with the server-side subsystem (the client-side communication module for short), a logging module and a configuration file module.
The functions that each module realises are described in detail below:
(1) Server side - network topology processing module
In the present invention, the network topology processing module, first, draws the network topology; second, configures node information; third, integrates the topology files.
In the topology drawing stage, the server-side subsystem provides a graphical interface in which the user can draw the real network configuration, such as a star, ring, bus, distributed, tree, mesh or cellular structure. For convenience of explanation, the relationship between the server-side subsystem and the client-side subsystems is drawn as the star network shown in Fig. 2. In the figure, the server-side subsystem is connected to a router through a firewall, and several client-side subsystems are likewise connected to the router through firewalls. The first PC on which a client-side subsystem is installed is numbered H_1, the second H_2, the third H_3, ..., and the n-th H_n.
In the LAN, the numbers H_1, H_2, H_3, ..., H_n are also called the nodes of the network, and in mathematical set notation the network topology is written HOST = {H_1, H_2, H_3, ..., H_n}.
In the node information configuration stage, the information of each node in the drawn network topology HOST = {H_1, H_2, H_3, ..., H_n} is configured according to the node's attributes, running state and role in the LAN, so that each node has topology information (node topology information for short), i.e. H_1 = {IP_1, MA_1, SE_1, APP_1, US_1, F_1, VL_1}, and likewise H_2 = {IP_2, MA_2, SE_2, APP_2, US_2, F_2, VL_2}, H_3 = {IP_3, MA_3, SE_3, APP_3, US_3, F_3, VL_3}, ..., H_n = {IP_n, MA_n, SE_n, APP_n, US_n, F_n, VL_n}; where:
IP_n represents the IP address of the n-th node in the network topology;
MA_n represents the netmask of the n-th node in the network topology;
SE_n represents the network services opened on the n-th node in the network topology; the specific information comprises Service Name, Version, Protocol, Port, Privilege and Is Up, where Service Name is the name of the network service, Version its version, Protocol the network protocol it uses, Port the port number it uses, Privilege the permission level it runs with, and Is Up whether the network service is currently started on the node.
APP_n represents the application programs running on the n-th node in the network topology; the specific information comprises Application Name, Version and Is Up, where Application Name is the name of the running application, Version its version, and Is Up whether the application is currently started on the node.
US_n represents the users on the n-th node in the network topology and is used in the present invention to define any attacker AT_m (also called the m-th attacker AT_m); the specific information comprises User Name and Password, where User Name is the user's name and Password the password the user logs in with.
F_n represents the files existing on the n-th node in the network topology; the specific information comprises File Name, Path, Authority and Is Encrypted, where File Name is the name of the file, Path the path where it is stored, Authority its access permissions, and Is Encrypted whether the file is encrypted.
VL_n represents the vulnerabilities existing in the network services opened on the n-th node in the network topology; the specific information comprises CVE ID and In Program, where CVE ID is the vulnerability number of the vulnerability in the network service and In Program indicates in which network service the vulnerability exists, corresponding to the Service Name in the network service information.
The above network topology HOST = {H_1, H_2, H_3, ..., H_n} and node topology information H_n = {IP_n, MA_n, SE_n, APP_n, US_n, F_n, VL_n} are saved in the Network Environment Configuration Scenario (NECS) format, giving the NECS topology file.
The Backus-Naur Form (BNF) grammar of this NECS topology file is:
<NECS_statements>::=<role>{<NECS_description>}
<NECS_description>::=<domain_description>|<subnet_description>|<topology_description>
<domain_description>::=Domain<char_string>'{'{<NECS_description>}'}'
<subnet_description>::=Subnet<char_string>'('<subnet_constant>')''{'{<topology_description>}'}'
<topology_description>::=<node_description>|<link_description>
<node_description>::=Node'{'{<node_statements>}'}'
<link_description>::=Link'{'{Node1=<entity>,Node2=<entity>,<link_statements>}'}'
<node_statements>::=Host|Switch|Router|Firewall|IDS'{'{<node_information>}'}'
<node_information>::=<basic_info>|<OS>|<resources>|<services>|<applications>
<basic_info>::=ID='('<integer>,<integer>')'|Name=<char_string>|Location='('<integer>,<integer>')'|State=<state_value>|MTBF=<integer>|IPAddr=<IP_constant>|Mask=<mask_value>
<OS>::=Type=<OS_type>|Version=<OS_version>|Patches=<char_string>|Users='('<root>,<average>')'
<resources>::=CPU=<real_number>|Memory=<real_number>|Disks=<real_number>|Files=<file_description>
<file_description>::=<file_sentence>|<file_description>&<file_sentence>
<file_sentence>::='('<file_name>,<file_context>,<access_authority>,<encrypt_flag>')'
<file_name>::=<char_string>
<file_context>::=<char_string>
<access_authority>::='('<authority_value>,<authority_value>')'
<authority_value>::=R|W|X|RW|RX|WX|RWX
<encrypt_flag>::=Encrypted|Unencrypted
<services>::=Services=<service_description>
<service_description>::=<service_sentence>|<service_description>&<service_sentence>
<service_sentence>::=Type=<service_type>|Version=<app_type>|State=<state_value>|Patches=<char_string>
<link_statements>::=Name=<char_string>|Type=<link_type>|Bandwidth=<real_number><bw_unit>|Latency=<real_number><time_unit>
<real_number>::=<integer>|<integer>.<fraction>
<integer>::=<digit>|<integer><digit>
<fraction>::=<digit>|<digit><fraction>
<digit>::=[0-9]
<char_string>::=<letter>|<char_string><letter>|<char_string><digit>|<char_string><symbol>
<letter>::=[a-zA-Z]
<symbol>::=-|_
<entity>::=<char_string>|<domain>.<char_string>|<subnet>.<char_string>|<role>.<char_string>
<domain>::=[<role>.]<domain_name>
<domain_name>::=Domain(<char_string>)|Domain(<char_string>).<domain_name>
<subnet>::=Subnet(<char_string>)|<domain>.Subnet(<char_string>)|<role>.Subnet(<char_string>)
<role>::=Blue|Red|White
<IP_constant>::=<IP_dotted_decimal_number>.<IP_dotted_decimal_number>.<IP_dotted_decimal_number>.<IP_dotted_decimal_number>
<IP_dotted_decimal_number>::=[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]
<mask_value>::=8|9|1<digit>|2<digit>|30
<subnet_constant>::=<IP_constant>'/'<mask_value>
<state_value>::=up|down
<bw_unit>::=[K|M]bps
<time_unit>::=[m|μ]sec
<service_type>::=Web|Telnet|Rlogin|Ftp|SMTP
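As an added illustration of the grammar above (this is not code from the patent), the following Python recursive-descent parser accepts one <node_description> block and enforces the terminals the grammar constrains: <IP_constant>, <mask_value> (8..30) and <state_value>. It assumes that the repeated items inside braces are separated by whitespace, which the grammar leaves unspecified, and the Node block it parses is a constructed sample.

```python
import re

# Terminal productions lifted from the NECS grammar given above.
IP_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])"
IP_CONSTANT = re.compile(rf"^{IP_OCTET}(?:\.{IP_OCTET}){{3}}$")
MASK_VALUE = re.compile(r"^(?:8|9|1[0-9]|2[0-9]|30)$")  # <mask_value> ::= 8|9|1<digit>|2<digit>|30
NODE_KINDS = {"Host", "Switch", "Router", "Firewall", "IDS"}
STATE_VALUES = {"up", "down"}
TOKEN = re.compile(r"[{}(),=]|[A-Za-z0-9_.\-]+")  # punctuation, or a bare word (names, IPs, numbers)


def tokenize(text):
    """Assumption: items inside braces are whitespace-separated; any other character is an error."""
    tokens = TOKEN.findall(text)
    if "".join(tokens) != "".join(text.split()):
        raise SyntaxError("NECS text contains characters outside the grammar")
    return tokens


class NECSNodeParser:
    """Recursive-descent parser for <node_description> and the <basic_info> items inside it."""

    def __init__(self, text):
        self.toks = tokenize(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'!r}, got {tok!r} at token {self.pos}")
        self.pos += 1
        return tok

    def parse_node(self):
        # <node_description> ::= Node '{' {<node_statements>} '}'
        self.take("Node")
        self.take("{")
        statements = []
        while self.peek() != "}":
            statements.append(self.parse_node_statement())
        self.take("}")
        if self.peek() is not None:
            raise SyntaxError("trailing input after the Node block")
        return statements

    def parse_node_statement(self):
        # <node_statements> ::= Host|Switch|Router|Firewall|IDS '{' {<node_information>} '}'
        kind = self.take()
        if kind not in NODE_KINDS:
            raise SyntaxError(f"unknown node kind {kind!r}")
        self.take("{")
        info = {"kind": kind}
        while self.peek() != "}":
            key = self.take()
            self.take("=")
            info[key] = self.parse_value(key)
        self.take("}")
        return info

    def parse_value(self, key):
        if key in ("ID", "Location"):  # '(' <integer> , <integer> ')'
            self.take("(")
            first = int(self.take())
            self.take(",")
            second = int(self.take())
            self.take(")")
            return (first, second)
        value = self.take()
        # Validate the terminals the grammar constrains; other values pass as <char_string>/<real_number>.
        if key == "IPAddr" and not IP_CONSTANT.match(value):
            raise ValueError(f"IPAddr {value!r} is not an <IP_constant>")
        if key == "Mask" and not MASK_VALUE.match(value):
            raise ValueError(f"Mask {value!r} is not a <mask_value> (8..30)")
        if key == "State" and value not in STATE_VALUES:
            raise ValueError(f"State {value!r} is not up|down")
        return value


def parse_necs_node(text):
    """Parse one Node block and return a list of node-statement dicts."""
    return NECSNodeParser(text).parse_node()


# Constructed sample (not from the patent): one Host and one Router in a single Node block.
SAMPLE_NODE = """
Node {
  Host { ID=(1,1) Name=web-1 IPAddr=192.168.0.5 Mask=24 State=up MTBF=720 }
  Router { ID=(1,2) Name=gw IPAddr=192.168.0.1 Mask=24 State=up }
}
"""

if __name__ == "__main__":
    for statement in parse_necs_node(SAMPLE_NODE):
        print(statement)
```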
The above network topology HOST = {H_1, H_2, H_3, ..., H_n} and node topology information H_n = {IP_n, MA_n, SE_n, APP_n, US_n, F_n, VL_n} are also saved in the form of the logic programming language PROLOG (Programming in Logic), giving the PROLOG topology file.
In the topology file integration stage, the NECS topology file and the PROLOG topology file are integrated in the form of the Extensible Markup Language (XML), giving the integrated file file-1;
In the integrated file, each node is expressed in the computer programming language as <Node NodeName="[hostname]" NodeID="[ID]" NodeIP="[IPAdrr]" NodeMask="[mask]" ClusterID="0" Service="[servicename];[protocol];[port];[privilege]" Syetem="" Ver="" Vul="[vulID];[servicename];[version],[protocol],[port]" User="[username],[password],[password]" Files="[filename],[path],[authority],[is encrypted]" Acl=""/>.
Here [hostname] corresponds to the name of the node; [ID] is an identifier assigned automatically by the system in sequence; [IPAdrr] corresponds to the node's IP_n; [mask] corresponds to the node's MA_n; [servicename], [protocol], [port] and [privilege] correspond to the corresponding information in SE_n; of [vulID], [servicename], [version], [protocol], [port], the first two correspond to CVE ID and In Program in VL_n, while [version], [protocol] and [port] correspond to the corresponding information in SE_n; [username], [password], [password] correspond to the corresponding information in US_n; [filename], [path], [authority], [is encrypted] correspond to the corresponding information in F_n.
(2) Server side - policy integration module
In the present invention, the policy integration module integrates the policy information that the user has selected in the policy selection interface provided by the server-side subsystem and saves it as the policy file file-2. This policy file file-2 provides the policy input for the policy inference engine module.
The file format is XML; in the computer programming language it is expressed as <Policy Service="[service]" Context="[context]" Behavior="[behavior]"/>. Here [service] denotes the type of service to be protected that the user selected in the policy selection interface provided by the server-side subsystem; [context] denotes the context selected by the user in that interface, i.e. the predefined attack type; and [behavior] denotes the corresponding measure to be taken, selected by the user in the same interface.
(3) Server side - policy inference engine module
In the present invention, the policy inference engine module merges the information in the integrated file file-1 with the attack knowledge base to obtain a reasoning database; it then reads the policy file file-2, generates attack operations for the nodes that have opened the protected service, performs first-order predicate reasoning together with the information in the reasoning database to generate simple attack paths, interprets them, and generates the defence measure file file-3.
(4) Server side - defence measure processing module
In the present invention, the defence measure processing module calls the defence measure interpreter to interpret the defence measure file file-3, obtains the defence rules, and stores the defence rules classified by the IP address of the network node as the file name; the stored files are called defence rule files file-4.
The defence measure interpreter reads and screens the defence measures to generate the rules used by the host firewall Netfilter/iptables of each corresponding network node.
The defence rule format is: "iptables -t filter -A INPUT -p [protocol] -s [IPAdrr] --dport [port] -j DROP".
(5) Server side - server-side communication module
In the present invention, the server-side communication module transmits messages to the client-side communication module over the SSL (Secure Socket Layer) cryptographic protocol. Communicating over the SSL (Secure Socket Layer) cryptographic protocol guarantees the integrity and secure transmission of the data.
(6) Client side - client-side communication module
In the present invention, the client-side communication module transmits messages to the server-side communication module over the SSL (Secure Socket Layer) cryptographic protocol. Communicating over the SSL (Secure Socket Layer) cryptographic protocol guarantees the integrity and secure transmission of the data.
(7) Client side - rule deployment module
In the present invention, the rule deployment module deploys the defence rule file file-4 downloaded by the client-side communication module into the packet filter firewall; the concrete rule deployment includes the following steps:
Step 7-1: the client opens the defence rule file file-4, which is located under the /home/firewall path;
The /home/firewall path refers to the firewall directory (which stores the defence rule file file-4) under the home directory under the root directory; the home directory is predefined in the Linux operating system.
Step 7-2: the rule deployment module reads the iptables defence rules in the defence rule file file-4 starting from the second line; at the same time, the rule deployment module calls the bash shell (predefined in the Linux operating system) to configure each rule in the packet filter firewall by means of an iptables configuration statement.
(8) Client side - packet filter firewall
In the present invention, the packet filter firewall adopts Netfilter, the third-generation firewall of Linux; in Linux, Netfilter exists in the form of a kernel module, implements the Linux firewall function, provides protection for the network access of operators using Linux systems, and performs the analysis and interception of network packets.
The present invention uses the packet filtering function of Netfilter: by deploying the defence rules in Netfilter, the corresponding intrusion packets are intercepted, so that the protected service is not intruded upon.
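To show how the file-1 node records, the file-2 policy of section (2), the defence rule format of section (4) and the deployment steps of section (7) fit together, here is an added Python example that is not the patent's own implementation. It reads constructed file-1 and file-2 records, emits one file-4 per protected node in the quoted rule format, and on the client side validates every rule line against that format before building the iptables argv. The XSB attack-path reasoning is replaced by a labelled simplification (every node with a user account is treated as a possible source), so the rules it produces are illustrative only.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed stand-in for the integrated topology file file-1 (invented sample data). The <Node .../>
# records follow the attribute layout shown above, wrapped in a root element so they parse as XML.
FILE_1 = """<Topology>
  <Node NodeName="web-1" NodeID="1" NodeIP="192.168.0.5" NodeMask="255.255.255.0" ClusterID="0"
        Service="Web;tcp;80;root" Syetem="" Ver="" Vul="" User="" Files="" Acl=""/>
  <Node NodeName="ws-2" NodeID="2" NodeIP="192.168.0.12" NodeMask="255.255.255.0" ClusterID="0"
        Service="" Syetem="" Ver="" Vul="" User="alice,secret,secret" Files="" Acl=""/>
  <Node NodeName="ws-3" NodeID="3" NodeIP="192.168.0.13" NodeMask="255.255.255.0" ClusterID="0"
        Service="Ftp;tcp;21;root" Syetem="" Ver="" Vul="" User="bob,secret,secret" Files="" Acl=""/>
</Topology>"""

# Constructed policy file file-2 in the <Policy .../> form shown in section (2).
FILE_2 = '<Policy Service="Web" Context="remote-attack" Behavior="DROP"/>'

# The exact rule format quoted in section (4); RULE_RE is the check the client applies before executing.
RULE_TEMPLATE = "iptables -t filter -A INPUT -p {protocol} -s {source} --dport {port} -j DROP"
RULE_RE = re.compile(
    r"^iptables -t filter -A INPUT -p (tcp|udp) -s (\d{1,3}(?:\.\d{1,3}){3}) --dport (\d{1,5}) -j DROP$"
)


def load_nodes(file_1_xml):
    """Return one dict per <Node> record with the fields the interpreter needs."""
    nodes = []
    for el in ET.fromstring(file_1_xml).iter("Node"):
        name, protocol, port, _privilege = (el.get("Service", "").split(";") + [""] * 4)[:4]
        nodes.append({"ip": el.get("NodeIP"), "service": name, "protocol": protocol,
                      "port": port, "has_user": bool(el.get("User"))})
    return nodes


def generate_rule_files(file_1_xml, file_2_xml):
    """Stand-in for the defence measure interpreter: returns {protected node IP: file-4 text}.
    Assumption (not the patent's method): the XSB attack-path reasoning is replaced by treating every
    node that carries a user account (US_n, which the page uses to model attackers) as a possible
    source against every node that has opened the policy's service."""
    policy = ET.fromstring(file_2_xml)
    if policy.get("Behavior") != "DROP":
        raise ValueError("this stand-in only emits the DROP rule format quoted on the page")
    nodes = load_nodes(file_1_xml)
    sources = [n["ip"] for n in nodes if n["has_user"]]
    rule_files = {}
    for target in (n for n in nodes if n["service"] == policy.get("Service")):
        rules = [RULE_TEMPLATE.format(protocol=target["protocol"], source=src, port=target["port"])
                 for src in sources if src != target["ip"]]
        # Line 1 is a header: step 7-2 says the client reads rules starting from the second line.
        header = f"# file-4 for {target['ip']} service={target['service']} context={policy.get('Context')}"
        rule_files[target["ip"]] = "\n".join([header] + rules) + "\n"
    return rule_files


def deploy_rules(file_4_text, apply=False):
    """Client-side step 7-2: skip the first line, validate each rule against RULE_RE and build argv
    lists. Lines are never handed to a shell as a string; with apply=True each argv is executed
    directly, so a tampered or malformed file-4 cannot smuggle in extra commands."""
    argvs = []
    for lineno, line in enumerate(file_4_text.splitlines()[1:], start=2):
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m or not 0 < int(m.group(3)) < 65536:
            raise ValueError(f"line {lineno} is not a well-formed defence rule: {line!r}")
        argvs.append(line.split(" "))
    if apply:
        for argv in argvs:
            subprocess.run(argv, check=True)  # needs root and iptables; not run by the test
    return argvs


if __name__ == "__main__":
    for ip, text in generate_rule_files(FILE_1, FILE_2).items():
        print(f"--- file-4 for {ip} ---\n{text}")
        print(deploy_rules(text))
```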
(9) client-set up log pattern
In the present invention, set up log pattern and be responsible for writing down the time that defence rule file file-4 upgrades, and in the error message of client-end subsystem emerged in operation.
(10) client-profile module
In the present invention, profile module is responsible for the operational factor of client-end subsystem is configured, and guarantees the correct operation automatically of client-end subsystem.Calling profile module each time after the startup of client-end subsystem reads configuration file client.conf and comes client-end subsystem is configured.This configuration file client.conf is positioned at/the home/firewall/ path under.
In the present invention, in configuration file content be:
Set_addr=[IPAdrr]
Set_port=8000
Update_freq=30
Host_addr=[IPAdrr]
Wherein the Set_addr field is used for being provided with the IP address of server end, and the Set_port field is used for being provided with the PORT COM of server.If parameter incorrect (for example IP address field is illegal, port numbers surpass legal range etc.) is set, profile module will use the field default value (Set_addr=127.0.0.1, Set_port8000)
Wherein the Update_freq field is used for being provided with the frequency (time interval) that the defence rule is mourned in silence and upgraded, and wherein chronomere is second.If parameter incorrect (for example illegal time value etc.) is set, profile module will be used field default value (Update_freq=5).
Wherein the Host_addr field is used for being provided with the IP address of current PC.If parameter incorrect (for example IP address field illegal etc.) is set, profile module will be used field default value (Host_addr=192.168.0.1)
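The validate-or-fall-back behaviour of the configuration file module, written out as an added example in Python (this is not code from the patent or from the described system). It assumes that each field falls back to its own default independently, that addresses are IPv4, and it uses constructed sample values for the [IPAdrr] placeholders; the default values themselves are the ones stated in the description.

```python
import ipaddress

# Field default values as stated in the description of the configuration file module.
DEFAULTS = {
    "Set_addr": "127.0.0.1",
    "Set_port": 8000,
    "Update_freq": 5,
    "Host_addr": "192.168.0.1",
}


def _valid_ip(value):
    """Accept only a syntactically valid IPv4 address (assumption: IPv4 only)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except (ipaddress.AddressValueError, ValueError):
        return False


def _valid_port(value):
    """Port numbers must be integers in the legal TCP range."""
    return value.isdigit() and 1 <= int(value) <= 65535


def _valid_interval(value):
    """The update interval is a positive number of seconds."""
    return value.isdigit() and int(value) > 0


# Per field: (validator, converter applied to the raw string when valid).
VALIDATORS = {
    "Set_addr": (_valid_ip, str),
    "Set_port": (_valid_port, int),
    "Update_freq": (_valid_interval, int),
    "Host_addr": (_valid_ip, str),
}


def parse_client_conf(text):
    """Parse client.conf text; missing or invalid fields get their default value."""
    raw_values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key in VALIDATORS:          # unknown keys are ignored, never executed
            raw_values[key] = val
    config = {}
    for key, (check, convert) in VALIDATORS.items():
        val = raw_values.get(key)
        config[key] = convert(val) if val is not None and check(val) else DEFAULTS[key]
    return config


# Constructed sample: the port is out of range, so it must fall back to 8000.
SAMPLE_CONF = """\
Set_addr=192.168.0.10
Set_port=70000
Update_freq=30
Host_addr=192.168.0.23
"""

if __name__ == "__main__":
    print(parse_client_conf(SAMPLE_CONF))
```

Treating every field independently means a bad port does not silently redirect the client to 127.0.0.1 as well; whether the original module resets the address and port together is not specified in the description.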
The Linux distributed network firewall system based on defence policies of the present invention comprises two subsystems: one is the server-end subsystem and the other is the client-end subsystem. The operating process of the two subsystems and the functions they realize are described in detail below:
Server-end subsystem
Step 1-1: build the required network topology structure by editing the local area network (LAN) in the editing interface provided by the server-end computer;
Step 1-2: configure each node of the network topology structure built in step 1-1 according to its corresponding node attributes, running state and role in the LAN, so that each node carries topology information;
Step 1-3: save the topology information nodes in different formats according to the resulting network topology structure and the configuration of each node;
Step 1-4: identify the attacker according to the vulnerabilities in the services opened on each node;
Step 1-5: deploy the defence policy of the server end;
In the policy selection interface, select the attack pattern (context) that may be suffered, the service type (the service to be protected, i.e. the network transport protocol) and the file saved in step 1-3 that is to be used; defence rules can then be deployed on a large scale to the network nodes on which the client is installed, targeting the specific network protocol and attack pattern;
For example, according to the network topology structure built in step 1-1, the {ftp, Promote Privilege, protect} policy can be selected to protect the nodes in the network that open the ftp service, preventing privilege-escalation ("Promote Privilege") attacks against those nodes;
The policy processing module saves the selected policy information {service, context, behavior} into a file, with each item of information on its own line;
The network topology processing module organizes the information in the file saved in step 1-3, together with the selection, into a topology file in XML according to the format <Node NodeName="[hostname]" NodeID="[ID]" NodeIP="[IPAdrr]" NodeMask="[mask]" ClusterID="0" Service="[servicename],[protocol],[port],[privilege]" Syetem="" Ver="" Vul="[vulID],[servicename],[version],[protocol],[port]" User="[username],[password],[password]" Files="[filename],[path],[authority],[is encrypted]" Acl="" />;
The policy inference engine merges the topology file and the attack knowledge base into one database, then reads the information into the inference database system, reasons out the possible attack paths, explains them, and generates the defensive measure file.
The defensive measure processing module hands the defensive measure file generated by the inference engine to the defensive measure interpreter, which reads and screens the defensive measures and generates rules in the format of the host firewall Netfilter/IPtables used by each network node: "iptables -t filter -A INPUT -p [protocol] -s [IPAdrr] --dport [port] -j DROP". These defence rules are classified by the IP address of the network node and stored under a directory, with the IP address as the filename: {h1IP, h2IP, ..., hnIP}.
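The last stage of the defensive measure processing module, generating the per-node DROP rules and storing them under the node's IP address, as an added Python example (not code from the patent or the described system). The description does not show the layout of the defensive measure file, so the example assumes a constructed list of (protected node IP, attacker IP, protocol, port) tuples with made-up addresses; the rule string follows the format quoted in the description, and the first line of each written file carries the generation time in the yyyy-MM-dd HH:mm:ss form that the client later reads.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime

# Constructed defensive measures: (protected node IP, attacker IP, protocol, port).
# The layout of defensive measure file file-3 is not given in the description,
# so this tuple form is an assumption made for the example; all IPs are made up.
SAMPLE_MEASURES = [
    ("192.168.0.23", "192.168.0.99", "tcp", 21),
    ("192.168.0.23", "192.168.0.77", "tcp", 21),
    ("192.168.0.23", "192.168.0.99", "tcp", 21),   # duplicate measure, must collapse
    ("192.168.0.24", "192.168.0.99", "tcp", 22),
]


def make_rule(protocol, attacker_ip, port):
    """Rule format quoted in the description for the per-node Netfilter/IPtables rule."""
    return f"iptables -t filter -A INPUT -p {protocol} -s {attacker_ip} --dport {port} -j DROP"


def group_rules_by_node(measures):
    """Group generated DROP rules by protected node IP; that IP becomes the file name in file-4."""
    grouped = defaultdict(list)
    for node_ip, attacker_ip, protocol, port in measures:
        rule = make_rule(protocol, attacker_ip, port)
        if rule not in grouped[node_ip]:      # identical rules would only bloat the chain
            grouped[node_ip].append(rule)
    return dict(grouped)


def now_stamp():
    """Generation time in the yyyy-MM-dd HH:mm:ss form the client reads from line 1."""
    return datetime.now().strftime("%Y-%m-%d %H:%M:%S")


def render_rule_file(rules, stamp):
    """Line 1 is the generation time; lines 2.. are the rules (what step 2-7 reads)."""
    return "\n".join([stamp, *rules]) + "\n"


def write_rule_files(measures, out_dir, stamp):
    """Write one file per node IP under out_dir; returns {node_ip: path}."""
    os.makedirs(out_dir, exist_ok=True)
    written = {}
    for node_ip, rules in group_rules_by_node(measures).items():
        path = os.path.join(out_dir, node_ip)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_rule_file(rules, stamp))
        written[node_ip] = path
    return written


def write_sample_rule_files():
    """Write the constructed measures into a fresh temporary directory."""
    return write_rule_files(SAMPLE_MEASURES, tempfile.mkdtemp(prefix="file-4-"), now_stamp())


if __name__ == "__main__":
    for node_ip, path in write_sample_rule_files().items():
        print(node_ip, "->", path)
```

Keeping the generation time in the file itself is what lets the client decide in step 2-4 whether its local copy is stale without downloading the whole rule set again.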
Step 1-6: according to the network built in step 1-1 and the previously selected {ftp, Promote Privilege, protect} policy, defence rules are generated under the directory for every node that has node information, using the node's IP address as the filename. At this point the policy deployment of the server-end subsystem is complete.
Client-end subsystem
The client-end subsystem is a fully automatic program that starts on boot and runs as a background daemon. Its main operating steps are as follows:
Step 2-1: the client-end subsystem communicates with the server-end subsystem and downloads the defence rules generated in step 1-6;
Step 2-2: the client-end subsystem sends a connection request to the communication module of the server-end subsystem, i.e. the client attempts to establish an SSL connection to the Set_port port at the IP address specified by the Set_addr field.
Step 2-3: the SSL connection mechanism forces both communicating parties to verify each other's identity. In this process the server end must provide a legal and valid server-end private key file server.private and client public key file client.public under the /home/firewall path; similarly, the client must provide a legal and valid client private key file client.private and server-end public key file server.public under the /home/firewall path. If the verification passes, both sides establish the SSL connection and proceed to step 2-4; otherwise the connection fails, the client records an error message in the log file /home/firewall/client.log, and the server end records an error message in the log file /home/firewall/server.log. After the configured policy update interval Update_freq has elapsed, return to step 2-7.
Step 2-4: the client checks whether the local rule file rules exists under the local /home/firewall path. If it does not exist, the local rules have not yet been deployed; jump to step 2-1. If it exists, open the file and read the rule update time stored in its first line, in the format yyyy-MM-dd HH:mm:ss.
This time is compared with the generation time of the rules provided by the server end. If they are equal, the local rules are already the latest and need no update; go to step 2-5. If they differ, the local rule file is out of date and must be updated; go to step 2-1.
Step 2-5: the client downloads the defence rules over the secure SSL connection. The client empties the contents of the rules file under the local /home/firewall path, the server end transfers the latest defence rules to the local machine, and they are saved into the rules file; then go to step 2-6.
Step 2-6: the client reopens the updated rules file under the /home/firewall path, then goes to step 2-7.
Step 2-7: the client program reads the IPtables defence rules from the rules file, starting at the second line. At the same time a bash shell is run, which configures each rule into IPtables by means of IPtables configuration statements; then go to step 2-8.
Step 2-8: the local defence rules have been updated successfully. The client closes the rules file stream and records the rule update information in client.log. After the configured policy update interval Update_freq has elapsed, return to step 2-1.
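The client-side part of the procedure, the staleness check of step 2-4 and the rule reading and deployment of steps 7-1/7-2 and 2-7, as an added Python example (not code from the patent or the described system). It uses a constructed rules file with made-up addresses, and it departs from the description in one deliberate way: instead of handing each line to a bash shell, it splits the line into an argv list and only accepts lines that are an iptables INPUT-chain rule ending in -j DROP, so that a malformed or tampered line cannot be interpreted by the shell. Applying the rules requires root and is therefore off by default; the dry run returns the commands it would execute.

```python
import shlex
import subprocess

# Constructed content of the local rules file (/home/firewall/rules in the description):
# line 1 is the rule generation time, the remaining lines are the IPtables rules.
SAMPLE_RULES_FILE = """\
2010-12-08 09:30:00
iptables -t filter -A INPUT -p tcp -s 192.168.0.99 --dport 21 -j DROP
iptables -t filter -A INPUT -p tcp -s 192.168.0.77 --dport 21 -j DROP
"""


def parse_rule_file(text):
    """Return (generation time from line 1, list of rule lines from line 2 onward)."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("rules file is empty")
    stamp = lines[0].strip()
    rules = [ln.strip() for ln in lines[1:] if ln.strip()]
    return stamp, rules


def needs_update(local_text, server_stamp):
    """Step 2-4: a missing local file or a stamp that differs from the server's means update."""
    if local_text is None:          # rules file does not exist: never deployed
        return True
    local_stamp, _ = parse_rule_file(local_text)
    return local_stamp != server_stamp


# Only rules of the exact shape the server generates are allowed through.
ALLOWED_PREFIX = ("iptables", "-t", "filter", "-A", "INPUT")


def rule_to_argv(rule):
    """Turn one rule line into an argv list; reject anything that is not a DROP rule on INPUT."""
    argv = shlex.split(rule)
    if tuple(argv[:5]) != ALLOWED_PREFIX or argv[-2:] != ["-j", "DROP"]:
        raise ValueError(f"rejected rule line: {rule!r}")
    return argv


def deploy_rules(text, apply=False):
    """Step 2-7: build the command for every rule; execute them only when apply=True (root needed)."""
    _, rules = parse_rule_file(text)
    commands = [rule_to_argv(r) for r in rules]   # validate all lines before running any
    if apply:
        for argv in commands:
            subprocess.run(argv, check=True)       # no shell: argv is passed verbatim
    return commands


if __name__ == "__main__":
    print("update needed:", needs_update(SAMPLE_RULES_FILE, "2010-12-08 10:00:00"))
    for cmd in deploy_rules(SAMPLE_RULES_FILE):
        print(" ".join(cmd))
```

Validating every line before executing the first one keeps a partially applied rule set from appearing on the host if one line is rejected; with the bash-shell approach in the description, a bad line would only be noticed after the preceding rules were already in force.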
In the Linux distributed network firewall system based on defence policies of the present invention, the network topology processing module in the server-end subsystem is responsible for processing and screening the input network topology information and outputs a file whose topology information pattern is suitable as input for the policy inference engine. The policy processing module integrates the service type, context and behaviour information selected by the user and outputs a file whose policy pattern is suitable as input for the policy inference engine. The policy inference engine is responsible for reasoning jointly over the input topology information and policy information, with reference to the attack knowledge base database, and outputs the defensive measure file containing the response policies for all corresponding client-end systems. The defensive measure processing module screens and parses the information in the defensive measure file and outputs the set of files in the firewall configuration language for each corresponding client-end subsystem. The communication module is in charge of the encrypted communication between the server-end system and the client-end subsystems and of transmitting the rule files. In the client-end subsystem, the defence rule deployment module is responsible for deploying the rule file transmitted by the communication module into the host firewall Netfilter and bringing it into force at the same time. The logging system records the time of defence policy updates and the error messages that occur while the system runs. The configuration file system reads the configuration items in the configuration file, and the client-end subsystem runs according to the configuration and parameters specified by the user in the configuration file. Finally, through the cooperation between the server-end subsystem and the client-end subsystems, the distributed firewall function is realized.

Claims (4)

1. A Linux distributed network firewall system based on defence policies, characterized in that: the system is divided into two parts, a server-end subsystem and a client-end subsystem;
the server-end subsystem includes a network topology processing module, a policy integration module, a policy inference engine module, a defensive measure processing module and a server-end communication module;
the client-end subsystem includes a packet filter firewall, a rule deployment module, a client-end communication module, a logging module and a configuration file module;
the network topology processing module, in a first aspect, draws the network topology structure; in a second aspect, configures the node information; in a third aspect, integrates the topology file;
the network topology structure and the node topology information are saved in the form of the logic programming language PROLOG, obtaining a PROLOG topology file;
in the topology file integration stage, the NECS topology file and the PROLOG topology file are integrated in the form of the extensible markup language XML, obtaining the integrated file file-1;
the policy integration module integrates the policy information according to the user's selections in the server-end subsystem and saves it as the policy file file-2;
the policy inference engine module merges the information in the integrated file file-1 with the attack knowledge base to obtain an inference database; it then reads the policy file file-2, generates attack operations aimed at the nodes that open the protected service, performs first-order predicate reasoning jointly with the information in the inference database to generate simple attack paths, explains them, and generates the defensive measure file file-3;
the defensive measure processing module calls the defensive measure interpreter to interpret the defensive measure file file-3, obtains the defence rules, and classifies and stores the defence rules using the IP address of the network node as the filename; the stored file is called the defence rule file file-4;
the defensive measure interpreter reads and screens the defensive measures to generate the rules of the host firewall Netfilter/IPtables used by each corresponding network node;
the server-end communication module exchanges messages with the communication module of the client-end subsystem over the SSL cryptographic protocol;
the client communication module exchanges messages with the communication module of the server-end subsystem over the SSL cryptographic protocol;
the rule deployment module deploys the defence rule file file-4 downloaded by the client communication module into the packet filter firewall, and the concrete rule deployment comprises the following steps:
Step 7-1: the client opens the defence rule file file-4, which is located under the /home/firewall path;
Step 7-2: the rule deployment module reads the IPtables defence rules from the defence rule file file-4, starting at the second line; at the same time, the rule deployment module invokes a bash shell to configure each rule into the packet filter firewall by means of IPtables configuration statements;
the packet filtering firewall function of Netfilter is used: by deploying the defence rules in Netfilter, the corresponding intrusion packets are intercepted, achieving the purpose of protecting the service from intrusion;
the logging module is responsible for recording the time at which the defence rule file file-4 is updated, as well as the error messages that occur while the client-end subsystem is running;
the configuration file module is responsible for configuring the operating parameters of the client-end subsystem, ensuring that the client-end subsystem runs correctly and automatically; each time the client-end subsystem starts, it calls the configuration file module, which reads the configuration file client.conf and configures the client-end subsystem; this configuration file client.conf is located under the /home/firewall/ path.
2. The Linux distributed network firewall system based on defence policies according to claim 1, characterized in that: in the stage of drawing the network topology structure, the server-end subsystem can build network configurations with a star structure, ring structure, bus structure, distributed structure, tree structure, mesh structure or cellular structure.
3. The Linux distributed network firewall system based on defence policies according to claim 1, characterized in that: in the node information configuration stage, the server-end subsystem can configure the information of each node in the drawn network topology structure according to its corresponding node attributes, running state and role in the local area network (LAN), so that each node carries topology information.
4. The Linux distributed network firewall system based on defence policies according to claim 1, characterized in that: the packet filter firewall adopts Netfilter, the third-generation firewall of Linux; in Linux, Netfilter exists in the form of a module, implements the firewall functionality of Linux, provides protection to operators browsing the network from a Linux system, and performs the analysis and interception of network packets.
CN 201010578836 2010-12-08 2010-12-08 Distributed network firewall system of Linux based on defense strategy Expired - Fee Related CN102025735B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010578836 CN102025735B (en) 2010-12-08 2010-12-08 Distributed network firewall system of Linux based on defense strategy


Publications (2)

Publication Number Publication Date
CN102025735A true CN102025735A (en) 2011-04-20
CN102025735B CN102025735B (en) 2013-04-24

Family

ID=43866589

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010578836 Expired - Fee Related CN102025735B (en) 2010-12-08 2010-12-08 Distributed network firewall system of Linux based on defense strategy

Country Status (1)

Country Link
CN (1) CN102025735B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103825876A (en) * 2013-11-07 2014-05-28 北京安码科技有限公司 Firewall policy auditing system in complex network environment
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
CN105393497A (en) * 2014-05-08 2016-03-09 华为技术有限公司 Method, device and system for generating access control list rules
CN105407099A (en) * 2011-09-08 2016-03-16 迈可菲公司 Authentication Sharing In A Firewall Cluster
CN105959291A (en) * 2016-06-14 2016-09-21 西安电子科技大学 System optimal defense method for rational attack
CN105959331A (en) * 2016-07-19 2016-09-21 上海携程商务有限公司 Firewall policy optimization method and device
CN106685924A (en) * 2016-11-25 2017-05-17 合肥海亚信息科技有限公司 Network security detection system based on firewall
WO2019062065A1 (en) * 2017-09-26 2019-04-04 平安科技(深圳)有限公司 Dedicated network establishment method and system, server and computer readable storage medium
CN109587174A (en) * 2019-01-10 2019-04-05 广东电网有限责任公司信息中心 Composite defense method and system for network protection
CN109802852A (en) * 2018-12-13 2019-05-24 烽台科技(北京)有限公司 The construction method and system of network simulation topology applied to network target range
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN112511495A (en) * 2020-11-05 2021-03-16 方一信息科技(上海)有限公司 Distributed firewall-oriented network system and interface card data flow acceleration processing method
CN117176475A (en) * 2023-11-02 2023-12-05 成都卓拙科技有限公司 Rule configuration method and device, linux host and storage medium
CN117834205A (en) * 2023-12-13 2024-04-05 长江信达软件技术(武汉)有限责任公司 Method and system for configuring firewall of dock container

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592086B (en) * 2015-12-22 2019-09-17 Tcl集团股份有限公司 A kind of method and device for Android platform managing firewall

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018119A (en) * 2007-02-09 2007-08-15 浪潮电子信息产业股份有限公司 Hardware-based server network security centralized management system without relevance to the operation system
CN101442556A (en) * 2008-12-25 2009-05-27 北京交通大学 Wireless sensor network server system based on IPv6


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邹莹: "基于Linux主机IPv6防火墙的设计与实现", 《电脑知识与技术(学术交流)》 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105407099B (en) * 2011-09-08 2019-01-08 迈可菲公司 The verifying that Firewall Group is concentrated is shared
CN105407099A (en) * 2011-09-08 2016-03-16 迈可菲公司 Authentication Sharing In A Firewall Cluster
CN103825876A (en) * 2013-11-07 2014-05-28 北京安码科技有限公司 Firewall policy auditing system in complex network environment
CN105393497A (en) * 2014-05-08 2016-03-09 华为技术有限公司 Method, device and system for generating access control list rules
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
CN105959291A (en) * 2016-06-14 2016-09-21 西安电子科技大学 System optimal defense method for rational attack
CN105959331B (en) * 2016-07-19 2019-03-12 上海携程商务有限公司 The optimization method and device of firewall policy
CN105959331A (en) * 2016-07-19 2016-09-21 上海携程商务有限公司 Firewall policy optimization method and device
CN106685924A (en) * 2016-11-25 2017-05-17 合肥海亚信息科技有限公司 Network security detection system based on firewall
WO2019062065A1 (en) * 2017-09-26 2019-04-04 平安科技(深圳)有限公司 Dedicated network establishment method and system, server and computer readable storage medium
CN109802852A (en) * 2018-12-13 2019-05-24 烽台科技(北京)有限公司 The construction method and system of network simulation topology applied to network target range
CN109802852B (en) * 2018-12-13 2022-06-17 烽台科技(北京)有限公司 Method and system for constructing network simulation topology applied to network target range
CN109587174A (en) * 2019-01-10 2019-04-05 广东电网有限责任公司信息中心 Composite defense method and system for network protection
CN109587174B (en) * 2019-01-10 2021-07-27 广东电网有限责任公司信息中心 Collaborative defense method and system for network protection
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN112511495A (en) * 2020-11-05 2021-03-16 方一信息科技(上海)有限公司 Distributed firewall-oriented network system and interface card data flow acceleration processing method
CN117176475A (en) * 2023-11-02 2023-12-05 成都卓拙科技有限公司 Rule configuration method and device, linux host and storage medium
CN117176475B (en) * 2023-11-02 2024-02-27 成都卓拙科技有限公司 Rule configuration method and device, linux host and storage medium
CN117834205A (en) * 2023-12-13 2024-04-05 长江信达软件技术(武汉)有限责任公司 Method and system for configuring firewall of dock container

Also Published As

Publication number Publication date
CN102025735B (en) 2013-04-24


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130424

Termination date: 20131208