Embodiment
To solve the inflexibility and inefficiency of firewall system testing in the prior art, the invention provides a method and apparatus that adjust firewall system test traffic automatically. The invention supplies a unified configuration file and, by parsing that file, carries out the system test; the manual adjustment of configuration and traffic during system testing is thereby automated. The whole system test needs no monitoring by the tester: the tester only supplies the test design and expresses it in the configuration file; the system test then configures the device and adjusts the traffic automatically according to the content of the configuration file, and the test results can be detected and monitored automatically. The invention is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
Fig. 3 is the logical architecture diagram of the method of the invention for automatically adjusting firewall system test traffic. As shown in Fig. 3, the method comprises three parts: generating the configuration file, converting the configuration file into a control script, and automatically executing the firewall system test according to the control script.
Only the configuration file needs the tester's attention. The control script is generated by a conversion script that parses the content of the configuration file, and the subsequent sending of device configuration and adjustment of traffic are all controlled by the control script.
The configuration file embodies the tester's design. It specifically comprises the stages of the test, the traffic each stage needs to send, the configuration commands to be sent to the device according to the needs of the test, and the commands for adjusting traffic according to device state and stage. The subsequent system test parses the configuration file and turns this design into an automated test. Because each product's properties differ, the traffic it can forward and handle differs too, and the tester needs to reflect this in the configuration file; when writing the configuration file the tester generally has a reasonable judgement of the product's performance and of the traffic, and the deviations that may appear during the test can be corrected by adjusting the traffic automatically according to the device state.
The control script is the executable script converted from the configuration file. It is the translated form of the tester's design and comprises the configuration, traffic and timing that need to be controlled in the subsequent test.
Once the control script runs, the sending and adjustment of traffic in the subsequent test process are transparent to the tester and completed automatically by the system. The implementation comprises: sending baseline traffic, judging the test stage and device state, sending device configuration, and adjusting traffic.
1) Baseline traffic generation: the corresponding baseline traffic is generated according to the configuration file. Baseline traffic is generally generated in the first stage of the test; its traffic types comprise normal layer-2/3 traffic, abnormal packet traffic, attack traffic and application-layer traffic. Baseline traffic is mainly layer-2/3 traffic, with a small amount of attack traffic and application-layer traffic.
2) Judging test stage and device state: the configuration file can give the duration of each stage. Each stage has a different test emphasis, so its test configuration and transmitted traffic also differ. The beginning and end of each stage are judged according to the stage settings in the configuration file; at each beginning and end the device's communication state needs to be judged, and corresponding information is written to the log when device communication fails. Within a stage, the device's CPU utilization and process state also need to be judged, and the transmitted traffic is adjusted according to the CPU utilization and process state.
3) Automatically sending device configuration and adjusting traffic: before each stage starts testing, the device configuration is sent automatically, and during the test the test traffic needs to be adjusted according to the stage and device state. Adjusting traffic means increasing or reducing a certain type of traffic on top of the baseline traffic; the device CPU utilization, or a process's CPU utilization, can be checked while the traffic is adjusted. This is generally set explicitly by the tester in the configuration file, which specifies the type of traffic to increase or reduce and the CPU state that needs to be reached.
The implementation of the method provided by the invention for automatically adjusting firewall system test traffic is described below through a preferred embodiment.
Taking a certain firewall as an example, the system test environment that forms the basic condition comprises an environment part and a network part. On this basis the tester needs to design the system test stages and, once the design is complete, embody the design idea in the configuration file; afterwards the test process is executed automatically according to the control script converted from the configuration file.
Fig. 4 is the logic diagram of the firewall system test in this embodiment. As shown in Fig. 4, the system test environment comprises PC nodes, the firewall under test and the system test implementation scripts. There are two kinds of system test network. One is the control network: the whole test environment communicates fully over the control network, and through it each PC node is sent the script commands that generate traffic, the device commands that the firewall under test needs for its configuration, and the commands that query device state. The other is the test network, and all test traffic is generated on the test network.
In this embodiment, the design of the firewall system test stages is shown in Fig. 5 and specifically comprises:
Stage I is the layer-2/3 test. It mainly consists of sending the baseline traffic, with stress testing of various traffic sizes and combinations for a period while the baseline traffic is sent. First normal layer-2/3 traffic is sent: each type of traffic is sent for a short time, for example 5 minutes, and the change in device CPU utilization is checked; if CPU utilization reaches 90%, no further traffic is sent; if it is below 90%, sending repeats from the first defined traffic type, and CPU utilization is held at 90% while traffic is sent. After the pressure has lasted a period, for example one hour, normal layer-2/3 traffic is reduced until CPU utilization reaches 50%, then background error packets (checksum error packets, fragment packets, etc.) and attack traffic (synflood, udpflood, smurf, etc.) are added until CPU utilization rises to 90%. After the pressure has lasted another period, for example one hour, normal traffic and attack traffic are reduced so that device CPU utilization is held at 40%, then application-layer traffic is added so that device CPU utilization is held at 90%. After another period, for example one hour, attack traffic is reduced until CPU utilization reaches 70%, then application-layer traffic, for example HTTP, FTP, MAIL, DNS, TFTP, TELNET, etc., is added until CPU utilization rises to 90%.
Stage II is the attack test. On the basis of stage I, normal layer-2/3 traffic is reduced until CPU utilization reaches 50%; the IDS (Intrusion Detection System) configuration is added, with the configuration commands given in a command file; the various IDS traffic types are then added one at a time, checking CPU utilization after each; the final CPU utilization does not exceed 90%, for example it is controlled to 90%.
Stage III is the application-layer test. IDS attack traffic is reduced until CPU utilization falls to 40%, then application-layer traffic (HTTP, FTP, MAIL, DNS, TFTP, TELNET, etc.) is increased one type at a time, checking CPU utilization after each; the final CPU utilization does not exceed 90%, for example it is controlled to 90%. There are two kinds of application-layer traffic emphasis: one with many connections and relatively little application-layer data per connection, and one with fewer connections and more application-layer data. The two correspond to different test emphases; for different emphases different traffic is sent, and a setting for process CPU utilization can also be given. Taking the firewall under test as an example, its application layer mainly performs proxy and antivirus processing: if the test emphasis is the proxy, the first kind of application-layer traffic can be used for the test; if the emphasis is antivirus, the second kind can be used.
Before each stage begins and after it ends, a communication check is performed; if the check fails, the test ends. This part is not reflected in the configuration file but is hard-coded in the concrete script implementation.
The firewall system test process can of course also be divided into more than three stages, or fewer, according to actual need.
After the system test stages are designed, the next part is the implementation of the system test: the tester edits the configuration file according to the system test design; after it is written, the conversion script converts it into the control script; when the control script runs it calls each basic script and performs the system test automatically.
Fig. 6 is a flow diagram of the test implementation part of the embodiment of the invention. As shown in Fig. 6, after the control script runs, the system calls the intermediate script base.tcl, which connects to the clients, runs the traffic-generating scripts on the clients, and automatically performs the sending and adjustment of system test traffic and the configuration of device commands. The call sequence is: control script -> connect to the clients and call the intermediate script base.tcl -> the basic scripts that send test traffic and the basic scripts for the other auxiliary functions. Specifically, the test implementation flow of the embodiment comprises:
(1) Configuration file
A system test has several stages, and each stage is made up of several testcases. The system test design described above has three stages, each made up of testcases that send traffic; the content of a testcase is one of: sending a certain type of traffic, increasing or reducing transmitted traffic according to CPU state, or sending configuration. The test case design framework is shown in Fig. 7.
According to the stage design above, the content of the configuration file is as follows:
[conf start]    # marks the beginning of the whole system test
Phase1=1    # whether the stage is executed; 1 = execute, 0 = do not execute
P1_testcase1=1    # each stage comprises several testcases, each defining the sending of one traffic type; 1 = execute this testcase, 0 = do not execute
P1_case1_time=0.5    # duration of each testcase, in hours
P1_testcase2=1
P1_case2_time=0.5
P1_testcase3=1
P1_case3_time=0.5
P1_testcase4=1
P1_case4_time=0.5
P1_testcase5=1
P1_case5_time=0.5
............
............
# stage I generally generates the several kinds of baseline traffic; it can be modified according to the device under test and the needs
[phase1 start]    # marks the beginning of phase1; the stage I test begins
[testcase1 start]    # marks the beginning of the first testcase of stage I: send normal layer-2/3 traffic
# the columns below are: client zone, server zone, traffic type, traffic size per test node, maximum size not to be exceeded
A B TCP 1M 10M
A B UDP 1M 10M
A B ICMP 1M 10M
............
............
[testcase1 end]    # marks the end of the definition of testcase1 in phase1; it does not mean that the traffic sent in this case stops
[testcase2 start]    # 0.5 hours after testcase1 has run, testcase2 of phase1 begins: increase layer-2/3 traffic until device cpu reaches about 90%
Increase p1_testcase1 cpu 90%
[testcase2 end]    # testcase2 of phase1 ends
[testcase3 start]    # testcase3 of phase1 begins: reduce layer-2/3 traffic until cpu reaches about 50%
Decrease p1_testcase1 cpu 50%
[testcase3 end]    # testcase3 of phase1 ends
[testcase4 start]    # testcase4 of phase1 begins: send error packets and attack packets
# the columns below are: client zone, server zone, error packet or attack type, size each test node needs to send, maximum size not to be exceeded
# client zone  server zone  fragment packets  0.2M  1M
A B fragmentation 0.2M 1M
# client zone  server zone  checksum error  0.2M  1M
A B badchecksum 0.2M 1M
# client zone  server zone  syn attack  0.2M  1M
A B synflood 0.2M 1M
............
............
[testcase4 end]    # testcase4 of phase1 ends
[testcase5 start]    # testcase5 of phase1 begins: bring cpu to about 90%
Increase p1_testcase4 cpu 90%
[testcase5 end]    # testcase5 of phase1 ends
[testcase6 start]    # testcase6 of phase1 begins: reduce attack traffic until device cpu reaches about 70%
Decrease p1_testcase4 cpu 70%
[testcase6 end]    # testcase6 of phase1 ends
[testcase7 start]    # testcase7 of phase1 begins: send application-layer traffic
# the columns below are: client zone, server zone, application-layer traffic type, file size, maximum size each test node needs to send
A B HTTP 1M 5M
A B FTP 1M 5M
............
............
[testcase7 end]
[testcase8 start]
Increase p1_testcase7 cpu 90%
[testcase8 end]
[phase1 end]
# stage II begins; this stage mainly sends attacks
[phase2 start]
[testcase1 start]
Decrease p1_testcase1 cpu 50%    # reduce normal layer-2/3 traffic
[testcase1 end]
# configuration sending; in this stage it is generally the attack configuration
[testcase2 start]
Dut ids.conf superman talent    # gives the user name and password for connecting to the device; the concrete configuration commands are in ids.conf
[testcase2 end]
[testcase3 start]
Increase p1_testcase4 cpu 90%    # increase error packets and attack traffic
[testcase3 end]
[phase2 end]
# stage III; this stage mainly sends application-layer traffic
[phase3 start]
[testcase1 start]
Decrease p1_testcase4 cpu 40%    # reduce attack traffic
[testcase1 end]
[testcase2 start]    # configuration sending; in this stage it is the application-layer configuration
Dut dpi.conf superman talent    # the application-layer configuration commands are in dpi.conf
[testcase2 end]
[testcase3 start]
Increase p2_testcase7 cpu 90%    # increase the application-layer traffic of testcase7 of stage I until device cpu reaches about 90%
[testcase3 end]
[phase3 end]
(2) Test node file
When configuring each traffic send, the tester only needs to configure the source and destination zones; when the traffic is sent, the hosts in the zone and the IP addresses they use can be looked up automatically from the zone file.
Content of the test node file (zone file) built into the zone:
Zone A:
host name, test network IP address, control network IP address
For example:
Zone A:
A1 8.0.1.2 202.0.0.20
(3) After the configuration file is complete, the conversion script processes it to generate the control script; the content analyzed during the conversion corresponds to the content of the control script.
Fig. 8 is a diagram of the test process executed according to the control script in the embodiment of the invention. As shown in Fig. 8, executing the test process according to the control script specifically comprises:
Judging the test stage: judge which test stage and testcase is current, and whether this stage and case are to be executed.
Checking device communication at the start of a stage: before each stage begins, the device's communication condition is checked (ping and http). The communication of each node in the zone is checked; if communication fails it is checked again, and if after three checks it still cannot communicate, the sending of system test traffic ends and the test ends. At the same time a log is written whose content is the stage currently executing, which helps locate and reproduce problems.
Configuring the device and sending test traffic: the device configuration and the test traffic are sent according to the content configured for the stage. In the system test design and configuration file above, stage II needs to send the IDS configuration and stage III needs to send the DPI (Deep Packet Inspection) configuration.
Judging device state: after each kind of traffic has been sent, connect to the device and judge its CPU state; judgement and control follow the set point.
Adjusting test traffic according to the commands of the stage: test traffic is increased or reduced according to the stage settings, and each time a kind of traffic is increased or reduced, whether the CPU has reached the set condition is checked. The CPU is checked first, before increasing or reducing: if it has already reached the set point, traffic is no longer increased or reduced according to the configuration command. After each kind of traffic is sent or reduced there is a delay of one minute before the next kind is sent or reduced; the device CPU is sampled three times within that minute and the three values are averaged, and the CPU state is judged to have been reached when the average differs from the predetermined CPU (for example 90%) by no more than 5%. If connecting to the device fails while judging device state, the sending of system test traffic and the test end; at the same time a log is written recording the stage currently executing.
Checking device communication at the end of a stage: after each stage ends, the device's communication condition is checked (ping and http); if a problem is found, the subsequent test is not continued. At the same time a log is written recording the stage currently executing.
The device communication check is currently designed as a hard-coded part; it could also be extended into a configurable part of the design.
(4) Conversion script
The configuration file is analyzed with regular expressions and the corresponding script content is written after the analysis; the control script flow finally generated corresponds to the control process of Fig. 8 above. The concrete implementation of the conversion script is shown in Fig. 9 and specifically comprises:
# judge whether the file has ended
# analyze whether each stage needs to be executed and record it in a variable;
# analyze whether this is the beginning of a stage; if so, record the needed communication check action in the control script;
# analyze whether this is the beginning of a testcase; if so, record the stage/testcase name and the case duration;
# analyze which kind of traffic it is and record the traffic parameters in the corresponding traffic list variable; the traffic parameters are: source client zone, destination server zone, traffic each node needs to send, maximum total traffic;
# after the traffic analysis of one testcase ends, record the stage/testcase name and the lists of all traffic that needs to be generated; the list for each traffic type comprises source zone, destination zone, per-node traffic size and maximum traffic; for example http_para has the content {{A B 1 10}{C D 1 10}}; this variable is a global variable. The intermediate script base.tcl, called by the corresponding case of the control script, handles it: in the intermediate script one type of traffic is sent uniformly according to the traffic list variable, and the process numbers generated are recorded at the same time;
# all traffic parameter variables of a testcase are also recorded in the control script; when traffic is increased later, their content is read again into the global variable, so traffic can be sent according to the parameters of an earlier case;
puts $control_script "set http_para {...}"
puts $control_script "set http_para_pN_caseN \$http_para"
puts $control_script "lappend phaseN_testcaseN http_para_pN_caseN"
# action phase_case cpu: the cpu utilization is generally specified for Increase; other traffic sending defaults to 90%;
puts $control_script "action phaseN_testcaseN"
# control the case execution time: the timed procedure computes from the case duration and, only when the set time is reached, begins the judgement and execution of the next case;
puts $control_script "timed \$case_time"
............
............
# Increase of testcase traffic within a stage:
# the traffic parameters of each stage are recorded in a list in the control script; the list content is the traffic parameter variables, e.g. for pN_caseN the list is {http_para_pN_caseN ftp_para_pN_caseN}; when traffic is increased, the variables in its list are decomposed, the variable contents are obtained and the traffic send operation is called: action pN_caseN; each time one type of traffic is added, the cpu state is queried and checked against the set cpu state, and the operation finishes when the difference is within 5%;
# Decrease of testcase traffic within a stage:
# after each traffic send, the node and the process number of the traffic on the node can be recorded; the recorded content is:
# stage+testcase name, traffic type, control network IP address, process number, recorded in a variable as a list; e.g. active_pid {{phaseN_testcaseN HTTP 8.0.1.4 2198}{phaseN_testcaseN FTP 8.0.1.2 2288}};
# during the Decrease operation the list is searched for the stage and testcase and the corresponding processes are killed to reduce traffic; each time one kind of traffic is reduced, the corresponding content is deleted from the list and the device state is checked against the set cpu state, finishing when the difference is within 5%; in this example traffic is reduced only by the stage and testcase that generated it, but this can be extended to reducing by traffic type within a stage's testcase;
# send configuration to the device:
# like the other traffic parameters, the command file to be sent is recorded in a variable list; the subsequent command sending is completed by action calling dut uniformly;
# and so on: the control script content is generated, controlling the sending, timing and adjustment of traffic;
The corresponding control script after conversion:
package require Itcl
package require Expect
# source the basic scripts
source sshcon.tcl
source ftp.tcl
source mail.tcl
source http.tcl
source tftp.tcl
source bt.tcl
source base.tcl
source dut.tcl
source getdutinfo.tcl
source telnet.tcl
source stopexec.tcl
.............
...........
# variables for whether each stage, and each case in each stage, is executed, and for each case's duration:
set phase1 1
set p1_case1 1
set p1_case1_time 1
# the check at the beginning and end of each stage; the check_commu procedure is hard-coded: it chooses the first client and server from each zone (the zone test node file defaults to area_file) and performs the ping and http communication check; if communication succeeds, pass; if not, it retries three times, and if still unsuccessful it fails, stops all test traffic and writes a log whose content is the stage currently executing;
check_commu phase
# when a testcase begins, compute the case duration:
set case_starttime [clock seconds]
set after_time [expr $pN_caseN_time*3600]
set case_time [expr $case_starttime+$after_time]
# testcase traffic sending and control:
# traffic list parameters
set http_para {{A B 1 10}{C D 1 10}}
set http_para_pN_caseN $http_para
lappend phaseN_testcaseN http_para_pN_caseN
............
............
action phaseN_testcaseN
# after the traffic has been sent, the timed procedure controls the case duration (i.e. the time at which the next case begins to execute):
timed $case_time
# Increase a certain type of traffic in a certain stage:
# Decrease the traffic of a certain stage:
# calling the sending of device configuration commands:
set dut_conf {{superman talent ids.conf}{superman talent dpi.conf}}
action phaseN_testcaseN
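As an added example (not the patent's own conversion script, which is written in Tcl), the following Python parses a configuration file in the format of section (1) above and emits control-script lines of the shape shown in the listing above; SAMPLE_CONF is a constructed input, and the lower-case increase/decrease/dut command names emitted for the adjustment and configuration steps are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the configuration syntax shown above (not the page's own file).
SAMPLE_CONF = """\
Phase1=1
P1_testcase1=1
P1_case1_time=0.5
P1_testcase3=0
[phase1 start]
[testcase1 start]   # columns: client zone, server zone, type, size per node, max total
A B TCP 1M 10M
[testcase1 end]
[testcase2 start]   # add testcase1 traffic until device cpu is about 90%
Increase p1_testcase1 cpu 90%
[testcase2 end]
[testcase3 start]   # disabled by P1_testcase3=0, so it must not be emitted
A B synflood 0.2M 1M
[testcase3 end]
[testcase4 start]   # push the IDS configuration to the device under test
Dut ids.conf superman talent
[testcase4 end]
[phase1 end]
"""

SECTION = re.compile(r"^\[\s*(?:conf|phase(\d+)|testcase(\d+))\s+(start|end)\s*\]$")
PHASE_FLAG = re.compile(r"^Phase(\d+)=([01])$")
CASE_FLAG = re.compile(r"^P(\d+)_testcase(\d+)=([01])$")
CASE_TIME = re.compile(r"^P(\d+)_case(\d+)_time=([\d.]+)$")
FLOW = re.compile(r"^([A-Z]+)\s+([A-Z]+)\s+(\w+)\s+([\d.]+)M\s+([\d.]+)M$")
ADJUST = re.compile(r"^(Increase|Decrease)\s+(p\d+_testcase\d+)\s+cpu\s+(\d+)%$")
DUT = re.compile(r"^Dut\s+(\S+)\s+(\S+)\s+(\S+)$")

@dataclass
class TestCase:
    enabled: bool = True
    hours: float = 0.0                           # case duration in hours (PN_caseN_time)
    flows: list = field(default_factory=list)    # (src, dst, kind, per_node_mb, max_mb)
    actions: list = field(default_factory=list)  # ("Increase", case, cpu) or ("Dut", file, user, pw)

def parse_config(text):
    """Return {phase_number: {"enabled": bool, "cases": {case_number: TestCase}}}."""
    phases, cur_phase, cur_case = {}, None, None

    def case(p, c):
        ph = phases.setdefault(p, {"enabled": True, "cases": {}})
        return ph["cases"].setdefault(c, TestCase())

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if m := SECTION.match(line):
            pnum, cnum, edge = m.groups()
            if pnum:
                cur_phase = int(pnum) if edge == "start" else None
            elif cnum and cur_phase is not None:
                cur_case = case(cur_phase, int(cnum)) if edge == "start" else None
        elif m := PHASE_FLAG.match(line):
            phases.setdefault(int(m[1]), {"enabled": True, "cases": {}})["enabled"] = m[2] == "1"
        elif m := CASE_FLAG.match(line):
            case(int(m[1]), int(m[2])).enabled = m[3] == "1"
        elif m := CASE_TIME.match(line):
            case(int(m[1]), int(m[2])).hours = float(m[3])
        elif cur_case is None or not line:
            continue                              # flows and actions only count inside a testcase
        elif m := FLOW.match(line):
            cur_case.flows.append((m[1], m[2], m[3].lower(), float(m[4]), float(m[5])))
        elif m := ADJUST.match(line):
            cur_case.actions.append((m[1], m[2], int(m[3])))
        elif m := DUT.match(line):
            cur_case.actions.append(("Dut", m[1], m[2], m[3]))
    return phases

def emit_control_script(phases):
    """Control-script lines in the shape the page shows; the command names are assumed."""
    out = []
    for pnum, ph in sorted(phases.items()):
        out.append(f"set phase{pnum} {int(ph['enabled'])}")
        if not ph["enabled"]:
            continue
        out.append(f"check_commu phase{pnum}")   # communication check before the stage starts
        for cnum, c in sorted(ph["cases"].items()):
            name = f"p{pnum}_testcase{cnum}"
            out.append(f"set p{pnum}_case{cnum} {int(c.enabled)}")
            if not c.enabled:
                continue                          # a disabled case leaves no flow or action lines
            out.append(f"set case_time [expr [clock seconds] + {c.hours:g} * 3600]")
            for kind in sorted({f[2] for f in c.flows}):   # one list variable per traffic type
                items = "".join(f"{{{s} {d} {n:g} {t:g}}}" for s, d, k, n, t in c.flows if k == kind)
                out.append(f"set {kind}_para_{name} {{{items}}}")
                out.append(f"lappend {name} {kind}_para_{name}")
            if c.flows:
                out.append(f"action {name}")
            for act in c.actions:
                out.append("dut " + " ".join(act[1:]) if act[0] == "Dut" else " ".join(map(str, act)).lower())
            out.append("timed $case_time")        # hold until the case duration has elapsed
    return out
```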
(5) Intermediate script (base.tcl)
The intermediate script has two kinds of processing: device configuration processing and traffic sending processing.
The processing of device configuration by the intermediate script is shown in Fig. 10: it first creates a dut (device under test) object, then connects to the dut's serial port through the object, and after a successful connection calls the main procedure of dut.tcl to send the commands in the .conf file to the dut.
The processing of traffic sending by the intermediate script is shown in Fig. 11: it first analyzes the source zone and destination zone, obtains the client's management network address and the server's test network address, then connects to the client through its management network address, calls the baseline traffic script on the client to send traffic, and calls the auxiliary function scripts to check and control the device CPU.
The processing of the intermediate script is specifically as follows:
# http parameter list processing (http_para): analyze the client and destination server, connect to the client and call the script that sends http traffic, and record the traffic-sending process;
(6) Basic scripts
There are two kinds of basic script: the dedicated scripts that generate baseline traffic, and the basic scripts for auxiliary functions such as CPU control and device configuration commands.
The baseline traffic scripts send the various kinds of baseline traffic, such as HTTP, FTP, MAIL and DNS; the invention uses the user's common tools to simulate relatively realistic application processes.
The following is the implementation of the HTTP traffic sending part: the script is named http.tcl; the size of the server file is given in the configuration file; if no traffic-reduction operation occurs, this traffic continues until the whole test ends; its main procedure is geturl.
CPU control script: connect to the device's serial port, send through expect the command that checks the CPU state or a process's CPU, and if the CPU matches the setting, differing by about 5%, stop increasing or reducing traffic; CPU detection on multi-core devices is also possible, for example detecting the utilization of cpu0 and of the other CPUs.
Its main procedure is cpu_control:
Device command sending script (dut.tcl): the commands to be sent to the dut are set in the conf file; the user name, password and the command file to send are given in the configuration file; it is implemented in the same way as the CPU control part above; its main procedure dut_order configures the device through an expect simulation of human interaction, taking the configuration commands from the conf file in turn and applying them to the device.
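The Increase/Decrease adjustment with the averaged CPU check (three samples, reached when within 5% of the set point), as described in the stage procedure of section (3) and in the CPU control script above, as an added simulation in Python: this is not the page's cpu_control or base.tcl, and SimDevice, its per-process load table and MAX_STEPS are assumptions standing in for the real device and the one-minute waits.

```python
from itertools import cycle
from statistics import mean

TOLERANCE = 5    # page: averaged cpu within 5% of the set point counts as reached
SAMPLES = 3      # page: three cpu readings within one minute, then the mean is compared
MAX_STEPS = 20   # assumed guard so an unreachable target cannot loop forever

class SimDevice:
    """Constructed stand-in for the device under test (not a real firewall): cpu is a
    deterministic function of the running traffic processes plus a zero-mean jitter."""
    LOAD = {"tcp": 12, "udp": 10, "icmp": 6, "synflood": 18, "badchecksum": 8}  # assumed % per process

    def __init__(self):
        self.procs, self.next_pid, self.tick = {}, 2000, 0

    def start_flow(self, kind):
        """Start one traffic process and return its pid (what active_pid records)."""
        self.next_pid += 1
        self.procs[self.next_pid] = kind
        return self.next_pid

    def kill(self, pid):
        self.procs.pop(pid, None)

    def cpu_sample(self):
        self.tick += 1
        jitter = (0, 2, -2)[self.tick % 3]       # cancels over any three consecutive samples
        return min(100, 5 + sum(self.LOAD[k] for k in self.procs.values()) + jitter)

def cpu_average(dev):
    """One cpu check: SAMPLES readings (a minute apart in the real script), averaged."""
    return mean(dev.cpu_sample() for _ in range(SAMPLES))

def send_case(dev, active, case, flows):
    """Initial send of a testcase: one process per traffic type, recorded in active_pid."""
    for kind in flows:
        active.append((case, kind, dev.start_flow(kind)))
    return cpu_average(dev)

def increase(dev, active, case, flows, target, log):
    """Increase <case> cpu <target>%: cycle through the case's traffic types, adding one
    process at a time and re-checking the averaged cpu, until the target band is reached."""
    cpu = cpu_average(dev)                       # check first; maybe nothing needs adding
    for kind, _ in zip(cycle(flows), range(MAX_STEPS)):
        if cpu >= target - TOLERANCE:
            break
        active.append((case, kind, dev.start_flow(kind)))
        cpu = cpu_average(dev)
        log.append(f"{case} Increase {kind} cpu={cpu:.0f}")
    return cpu, abs(cpu - target) <= TOLERANCE

def decrease(dev, active, case, target, log):
    """Decrease <case> cpu <target>%: kill the processes recorded for that stage/testcase
    one at a time, removing each from active_pid, until cpu is down in the target band."""
    cpu = cpu_average(dev)
    for entry in [e for e in active if e[0] == case]:
        if cpu <= target + TOLERANCE:
            break
        dev.kill(entry[2])
        active.remove(entry)
        cpu = cpu_average(dev)
        log.append(f"{case} Decrease {entry[1]} cpu={cpu:.0f}")
    return cpu, abs(cpu - target) <= TOLERANCE

def run_stage_one():
    """Stage I sequence from the page: baseline layer-2/3 traffic, push to 90%, drop to
    50%, add error/attack packets, push to 90% again."""
    dev, active, log = SimDevice(), [], []
    baseline = send_case(dev, active, "p1_testcase1", ["tcp", "udp", "icmp"])
    up = increase(dev, active, "p1_testcase1", ["tcp", "udp", "icmp"], 90, log)
    down = decrease(dev, active, "p1_testcase1", 50, log)
    send_case(dev, active, "p1_testcase4", ["synflood", "badchecksum"])
    attacks = increase(dev, active, "p1_testcase4", ["synflood", "badchecksum"], 90, log)
    return {"baseline": baseline, "up": up, "down": down, "attacks": attacks,
            "active": active, "log": log}
```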
Fig. 12 is a structural diagram of the apparatus for automatically adjusting firewall system test traffic according to the embodiment of the invention. As shown in Fig. 12, the apparatus comprises a configuration file generation module 1201, a control script generation module 1202 and a test execution module 1203.
The configuration file generation module 1201 is used to generate the configuration file.
The content of the configuration file comprises the stages of the test, the traffic each stage needs to send, the configuration commands to be sent to the device according to the needs of the test, and the commands for adjusting traffic according to device state and stage.
In the embodiment of the invention the firewall system test process is divided into three stages in the configuration file: stage I is the layer-2/3 test, stage II is the attack test, and stage III is the application-layer test. The process can of course also be divided into more than three stages, or fewer, according to actual need.
The control script generation module 1201 is used to analyze the configuration file, write the corresponding script content and generate the control script.
The test execution module 1203 is used to execute the firewall system test according to the control script.
Executing the firewall system test according to the control script specifically comprises:
generating baseline traffic according to the configuration file;
judging the test stage and device state;
sending device configuration and adjusting traffic according to the test stage and device state.
The baseline traffic comprises normal layer-2/3 traffic, abnormal packet traffic, attack traffic and application-layer traffic.
Adjusting traffic means increasing or reducing one kind of traffic in the baseline traffic and controlling CPU utilization.
For the details of the embodiment of the apparatus for automatically adjusting firewall system test traffic, refer to the specific description above of the corresponding method; they are not repeated here.
With the technical scheme of the invention described above, the whole system test process needs no monitoring by the tester: the tester only needs to give the test design at the start and express it in the configuration file; the system test process then configures the device and adjusts traffic automatically according to the content of the configuration file, and the test results can be detected and monitored automatically. The invention also has the following advantages:
(1) a simple configuration file is provided, the configuration is organized by case, and the tester can express the test design in the configuration file, which is more flexible;
(2) extensibility is good and the usage environment is simple: no special compilation environment is needed, everything is implemented by scripts, and the scripts are relatively independent of one another, which is more convenient and simple;
(3) the system test traffic can be adjusted dynamically according to the stages set in the configuration and the device state obtained, saving the tester's time and improving test efficiency;
(4) test results can be checked and monitored automatically, improving test efficiency;
(5) the test traffic is more realistic, since it mostly consists of real access requests issued on the test nodes;
(6) the test process is repeatable: when it needs to be run again, executing the corresponding scripts tests automatically, without manually configuring the device or adjusting the test traffic.
Although preferred embodiments of the invention have been disclosed for the purpose of example, those skilled in the art will recognize that various improvements, additions and substitutions are possible; the scope of the invention should therefore not be limited to the embodiments described above.