CN102986194A - Network security processing method, system, and network card - Google Patents

Network security processing method, system, and network card

Info

Publication number
CN102986194A
Authority
CN
China
Prior art keywords
message
interface card
network interface
safe handling
network
Prior art date
Legal status
Granted
Application number
CN201280000637XA
Other languages
Chinese (zh)
Other versions
CN102986194B (en)
Inventor
卢胜文
Current Assignee
XFusion Digital Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of CN102986194A
Application granted
Publication of CN102986194B
Legal status: Active
Anticipated expiration

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a network security processing method, system, and network card. The method comprises: a network card receiving a packet; the network card performing first security processing on the packet, the first security processing being used to address at least a part of the network security problems; if the network card determines that subsequent security processing needs to be performed on the packet, the network card sending the packet after the first security processing to a security processing device, and the security processing device performing second security processing on the packet after the first security processing, the second security processing being used to address another part of the network security problems. The embodiments of the present invention can ensure network security under conditions where network traffic is heavy and the network security boundaries are unclear.

Description

Network security processing method, system and network interface card
Technical field
The present invention relates to the field of network communication technology, and in particular to a network security processing method, system and network interface card.
Background technology
To ensure network security, existing networks generally deploy security devices at appropriate positions (mainly at the security boundaries of the network, such as the network entrance and between clients and servers): for example, firewall devices and anti-virus devices are deployed at the network entrance, and intrusion detection systems (IDS) and anti-virus devices are deployed in front of key servers. With the rise of cloud computing, and in particular the emergence and development of desktop cloud, client machines and servers are both located in the data center, and the network security boundary becomes blurred. At the same time the deployment cost of network bandwidth is falling, so much larger bandwidth can be provided at low cost. In the prior art, security processing is concentrated in security processing devices; because cloud computing data traffic is very large, handling all of this high-volume traffic in security processing devices requires more of them, which increases cost. Moreover, because all security processing is concentrated at the security processing devices, they also become a network bottleneck that affects system performance.
As service access bandwidth increases and the network security boundary becomes blurred, deploying independent, centralized security devices becomes difficult.
Summary of the invention
Embodiments of the present invention provide a network security processing method, system and network interface card, to solve the problem of network security under conditions of heavy network traffic and unclear network security boundaries.
An embodiment of the invention provides a network security processing method, including:
a network interface card receiving a packet;
the network interface card performing first security processing on the packet, the first security processing being used to handle at least a part of the network security problems;
if the network interface card determines that subsequent security processing of the packet is needed, sending the packet after the first security processing to a security processing device, the security processing device performing second security processing on the packet after the first security processing, the second security processing being used to handle another part of the network security problems.
An embodiment of the invention provides a network interface card, including:
a receiving module, for receiving a packet;
a security processing module, for performing first security processing on the packet received by the receiving module and determining whether subsequent security processing of the packet is needed, the first security processing being used to handle at least a part of the network security problems;
a sending module, for sending the packet after the first security processing to a security processing device when the security processing module determines that subsequent security processing of the packet is needed, the security processing device performing second security processing on the packet after the first security processing, the second security processing being used to handle another part of the network security problems.
An embodiment of the invention provides a network security processing system, including:
a network interface card, for performing first security processing on a received packet, the first security processing being used to handle at least a part of the network security problems;
a security processing device, for performing second security processing on the packet after the first security processing by the network interface card, the second security processing being used to handle another part of the network security problems.
As can be seen from the above technical solutions, by performing at least part of the security processing on the network interface card, embodiments of the present invention share the load of the security processing device, reduce the packet traffic the security processing device has to process, reduce the cost of deploying multiple security processing devices, and address the security problem that arises when the network security boundary is unclear. Further, because network interface cards are distributed across different devices, the bottleneck caused by a centrally deployed security processing device is avoided and system performance is improved. To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of an embodiment of the network security processing method of the present invention;
Fig. 2 is a schematic structural diagram of an embodiment of the network security processing system of the present invention;
Fig. 3 is a schematic flow chart of another embodiment of the network security processing method of the present invention;
Fig. 4 is a schematic flow chart of another embodiment of the network security processing method of the present invention;
Fig. 5 is a schematic structural diagram of an embodiment of the network interface card of the present invention;
Fig. 6 is a schematic structural diagram of another embodiment of the network interface card of the present invention;
Fig. 7 is a schematic structural diagram of another embodiment of the network interface card of the present invention;
Fig. 8 is a schematic structural diagram of another embodiment of the network interface card of the present invention;
Fig. 9 is a schematic structural diagram of another embodiment of the network interface card of the present invention;
Fig. 10 is a schematic structural diagram of an embodiment of the network security processing system of the present invention.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of an embodiment of the network security processing method of the present invention, including:
Step 11: A network interface card receives a packet.
The network interface card may be a physical NIC used in virtualization technology: the physical NIC allocates a queue or a virtual NIC to each virtual machine; a virtual machine then sends packets to the physical NIC through its corresponding queue or virtual NIC, and the physical NIC performs at least part of the security policy processing corresponding to that virtual machine.
Step 12: The network interface card performs first security processing on the packet, the first security processing being used to handle at least a part of the network security problems.
Step 13: If the network interface card determines that subsequent security processing of the packet is needed, it sends the packet after the first security processing to a security processing device, which performs second security processing on the packet after the first security processing; the second security processing is used to handle another part of the network security problems.
Generally, one or a few centralized security processing devices can be deployed to perform the higher-level and more complex security processing.
In this embodiment the network interface card performs at least part of the security processing, which shares the load of the security processing device, reduces the packet traffic the security processing device has to process and reduces its cost. Further, because network interface cards are distributed across different devices, the bottleneck caused by a centrally deployed security processing device is avoided and system performance is improved.
Fig. 2 is a schematic structural diagram of an embodiment of the network security processing system of the present invention, and Fig. 3 is a schematic flow chart of another embodiment of the network security processing method of the present invention.
Referring to Fig. 2, in virtualization technology multiple virtual machines (VMs) can be created on the same physical device. The VMs in Fig. 2 are a VM attacker 21 and a VM server 22, and it is assumed that the VM attacker 21 launches an attack on the VM server 22.
The physical device also contains a network interface card (NIC) 24 and a virtual machine monitor (VMM) 23 that runs between the physical hardware and the operating systems; the VMM is also called a hypervisor. The hypervisor is an intermediate software layer running between the underlying physical server and the operating systems that lets multiple operating systems and applications share the hardware. It is a kind of "meta" operating system in the virtualized environment: it can access all physical devices on the server, including disks and memory, and it not only coordinates access to these hardware resources but also enforces protection between the virtual machines. When the server boots and runs the hypervisor, the hypervisor loads the operating system of every virtual machine guest and allocates appropriate memory, CPU, network and disk resources to each virtual machine.
After a VM starts, it is allocated one or more queues or virtual NICs (vNICs). Taking vNICs as the example, each VM sends and receives packets through its own virtual NIC 25.
To meet the requirements for security processing in a virtualized environment, this embodiment has the network interface card complete the security processing of packets, rather than a centrally deployed security processing device as in the prior art. The security processing flow of the network interface card for a packet can include:
The network interface card receives a packet and performs first security processing on it, used to handle at least a part of the network security problems.
Further, the first security processing can include: filtering the packet according to a Transmission Control Protocol / User Datagram Protocol (TCP/UDP) four-layer session state table, the session state table being established by the network interface card during session establishment.
Further, it can also include:
the network interface card determining, according to a pre-established access control list (ACL), the packets that need security processing; and the network interface card filtering the packets that need security processing according to the TCP/UDP four-layer session state table.
Optionally, the above filtering of packets can include: dropping the attack packets among the packets, limiting connection establishment, limiting the packet sending rate, or only alarming and counting without further processing.
Specifically, referring to Fig. 3, the flow of this embodiment includes:
Step 31: The VM attacker sends attack packets.
In this embodiment the attack is assumed to be a TCP SYN (synchronize) attack.
Normally, when a TCP connection is established, the initiator first sends a TCP SYN packet to the target computer; on receiving it, the target creates a TCP connection control block in memory, sends a TCP SYN-ACK packet back to the initiator and waits for the initiator's response; after receiving the SYN-ACK, the initiator answers the target with an ACK packet, and the TCP connection is established.
An attacker can exploit this process to mount a TCP SYN attack: the initiator sends a TCP SYN packet, the target creates a TCP connection control block and returns a SYN-ACK, but the initiator never answers the SYN-ACK with the final ACK and instead keeps sending further TCP SYN packets. This causes the target to build up a large number of half-open TCP sessions, consuming the target's resources until it collapses.
Step 32: The attack packets sent by the VM attacker reach the network interface card through the virtual machine monitor (hypervisor).
In the prior art, packet switching can be performed in the hypervisor: a packet sent by one VM reaches the hypervisor and is forwarded by the hypervisor to another VM.
In this embodiment, however, because packets must undergo security processing, the hypervisor no longer switches packets; it passes them to the network interface card, and the network interface card performs the packet switching.
Step 33: The network interface card determines, according to the pre-configured ACL, the packets that need security processing.
The ACL indicates which received packets need security processing in the filtering stage; for example, when a packet's source IP address and/or destination IP address meets the configured conditions, it is a packet that needs security processing.
In virtualization technology each VM corresponds to one virtual NIC, and the VM sends packets through its own virtual NIC. Therefore one ACL can be configured on the network interface card for each VM's virtual NIC; after the network interface card receives a packet from a given virtual NIC, it finds the ACL corresponding to that virtual NIC using the mapping between virtual NICs and ACLs, and then uses that ACL to decide whether the received packet needs security processing.
This step is optional; for example, no ACL may be configured, in which case security processing is applied to all packets by default.
Step 34: The network interface card filters the packets that need security processing according to the TCP/UDP four-layer session state table.
The network interface card establishes a session state table during session establishment and implements a TCP/UDP stateful firewall function through it. When an attacker mounts a TCP SYN attack, the session state recorded in the session state table for the corresponding IP five-tuple is: TCP SYN packets are repeatedly initiated but no acknowledgement (ACK) response ever follows.
For example, when the session state table records that the session state for an IP five-tuple initiated by some VM is "repeatedly initiates TCP SYN packets without any acknowledgement response", it can be determined that the VM initiating that IP five-tuple is carrying out a TCP SYN attack, and it can then be handled according to the configured filtering policy. The configured filtering policy can be: alarm, drop, limit connections, limit rate, alarm and count, and so on. For example, when the configured filtering policy indicates that connection limiting should be applied to the VM initiating the TCP SYN attack, the number of TCP SYN packets the virtual machine may send within a period of time is limited, and the network interface card drops the TCP SYN packets that exceed the allowed number per unit of time.
Of course, in the case of a virtualized network interface card, a separate session state table can be established and a separate filtering policy configured for each virtual machine, so that the virtual NIC filters each virtual machine differently.
In this embodiment the network interface card performs security processing on packets, so the attacker is prevented from affecting the network server: the attack traffic is intercepted on the network interface card rather than being sent up to a network security processing device, which would make that device a bottleneck for network performance. Performing security processing on the network interface card also applies the security measure as close to the source as possible; by applying TCP/UDP four-layer security policies on the network interface card, most of the data can be analysed; and because only TCP/UDP four-layer security and simple content analysis need to be performed on the network interface card, the cost of doing so on the network interface card is small.
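The following is an added example, not code from the patent or from its assignee: a software model of the first security processing of Fig. 3, steps 33 and 34, with a per-vNIC ACL lookup in front of a TCP/UDP four-layer session state table, and the four filtering policies named above (drop, limit connections, limit rate, alarm only) applied when the table shows a VM that keeps sending SYNs without ever completing a handshake. The `Packet` layout, the class and policy names, the thresholds and the sample traffic are all assumptions made for illustration.

```python
# Added example (not from the patent): a software model of the NIC's first
# security processing in Fig. 3, steps 33-34. The Packet layout, class names,
# thresholds and the sample traffic are all assumptions made for illustration.
from collections import defaultdict, namedtuple

# Constructed packet model: arrival time, originating virtual NIC, the
# TCP/UDP five-tuple and the set of TCP flags.
Packet = namedtuple("Packet", "ts vnic proto src_ip src_port dst_ip dst_port flags")


class NicFilter:
    """Per-vNIC ACL lookup followed by a TCP/UDP four-layer session state table."""

    def __init__(self, acl_by_vnic, policy_by_vnic, syn_limit=3, window=1.0):
        self.acl = acl_by_vnic        # vnic -> [(src_ip, dst_ip), ...] or None (no ACL)
        self.policy = policy_by_vnic  # vnic -> drop | limit_connection | rate_limit | alarm_only
        self.syn_limit = syn_limit    # half-open sessions / SYNs per window tolerated per vNIC
        self.window = window          # seconds
        self.sessions = {}            # five-tuple -> syn_sent | established | drop
        self.half_open = defaultdict(set)                # vnic -> five-tuples awaiting the ACK
        self.syn_window = defaultdict(lambda: [0.0, 0])  # vnic -> [window start, SYNs seen]
        self.blocked = set()          # vNICs whose traffic is discarded outright
        self.alarms = []

    def needs_security_processing(self, pkt):
        """Step 33: consult the ACL that belongs to the packet's vNIC ('*' matches any)."""
        acl = self.acl.get(pkt.vnic)
        if acl is None:               # no ACL configured: process every packet by default
            return True
        return any(s in ("*", pkt.src_ip) and d in ("*", pkt.dst_ip) for s, d in acl)

    def process(self, pkt):
        """Step 34: return 'forward' or 'drop' for one packet received from a vNIC."""
        if not self.needs_security_processing(pkt):
            return "forward"
        if pkt.vnic in self.blocked:
            return "drop"
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.sessions.get(key) == "drop":
            return "drop"
        if pkt.proto != "tcp":        # UDP has no handshake: just record the flow
            self.sessions[key] = "established"
            return "forward"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return self._on_syn(pkt, key)
        if "ACK" in pkt.flags:        # handshake completed: no longer half-open
            self.sessions[key] = "established"
            self.half_open[pkt.vnic].discard(key)
        return "forward"

    def _on_syn(self, pkt, key):
        action = self.policy.get(pkt.vnic, "drop")
        win = self.syn_window[pkt.vnic]
        if pkt.ts - win[0] >= self.window:
            win[0], win[1] = pkt.ts, 0
        win[1] += 1
        over_half_open = len(self.half_open[pkt.vnic]) >= self.syn_limit
        over_rate = win[1] > self.syn_limit
        # The session table shows this VM only ever sends SYNs and never completes
        # a handshake: that is the TCP SYN attack signature the patent describes.
        if action == "limit_connection":
            attack = over_half_open
        elif action == "rate_limit":
            attack = over_rate
        else:
            attack = over_half_open or over_rate
        if attack:
            self.alarms.append((pkt.vnic, action, key))
        if attack and action != "alarm_only":
            if action == "drop":      # discard everything further from this VM
                self.blocked.add(pkt.vnic)
            return "drop"             # limit_connection / rate_limit: discard the excess SYN
        self.sessions[key] = "syn_sent"
        self.half_open[pkt.vnic].add(key)
        return "forward"


def run_demo():
    """Constructed traffic: the VM behind vnic-a floods VM server 10.0.0.2:80 with
    SYNs and never completes a handshake; the VM behind vnic-b behaves normally."""
    nic = NicFilter(
        acl_by_vnic={"vnic-a": None, "vnic-b": [("*", "10.0.0.2")]},
        policy_by_vnic={"vnic-a": "limit_connection", "vnic-b": "alarm_only"},
        syn_limit=3,
    )
    flood = [Packet(0.1 * i, "vnic-a", "tcp", "10.0.0.1", 40000 + i, "10.0.0.2", 80, {"SYN"})
             for i in range(6)]
    legit = [
        Packet(0.0, "vnic-b", "tcp", "10.0.0.3", 50000, "10.0.0.2", 80, {"SYN"}),
        Packet(0.1, "vnic-b", "tcp", "10.0.0.3", 50000, "10.0.0.2", 80, {"ACK"}),
        Packet(0.2, "vnic-b", "tcp", "10.0.0.3", 50000, "10.0.0.2", 80, {"ACK", "PSH"}),
        Packet(0.3, "vnic-b", "udp", "10.0.0.3", 5353, "10.0.0.9", 53, set()),  # outside vnic-b's ACL
    ]
    return {
        "flood": [nic.process(p) for p in flood],
        "legit": [nic.process(p) for p in legit],
        "half_open_a": len(nic.half_open["vnic-a"]),
        "alarms": len(nic.alarms),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo forwards the first three SYNs from vnic-a, then drops the rest once three half-open sessions are pending, while vnic-b's completed handshake and its traffic outside its ACL pass untouched. A real NIC would key the half-open count by source VM rather than by the single five-tuple the patent text mentions, because a flood normally uses a fresh source port per SYN; the model does both, tracking each five-tuple's state and counting half-open entries per vNIC.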
Unlike the attack scenario described in the above embodiment, in some scenarios the attacker needs to initiate an attack to steal, for example, the server's system administrator password, and the attack packet then contains some specific character string A.
Because such a packet is a normal HTTP (hypertext transfer protocol) packet, it looks normal from the viewpoint of a TCP/UDP four-layer firewall and passes the firewall's filtering.
Further, therefore, the network interface card can also perform deep packet inspection on the packet (i.e. content detection, analysing the specific content of the packet), so that the first security processing performed by the network interface card on the packet includes:
the network interface card performing deep packet inspection on the packet after it has been filtered according to the TCP/UDP four-layer session state table, and performing security processing according to the packet content obtained by deep packet inspection.
Optionally, the above security processing can include: for packets with the configured content, dropping them, limiting connection establishment, limiting the packet sending rate, or only alarming and counting without further processing.
Optionally, if during deep packet inspection the configured policy indicates that subsequent packet inspection is needed for packets with the configured content, the network interface card determines that subsequent security processing of those packets is needed. The network interface card then sends the packets that need subsequent security processing to the security processing device, which performs the second security processing.
Optionally, if the security processing device determines during the second security processing that the packet is an attack packet, the network interface card receives a filtering rule issued by the security processing device and filters subsequent attack packets according to that rule, for example: dropping them, limiting connection establishment, limiting the packet sending rate, or only alarming and counting without further processing.
Fig. 4 is a schematic flow chart of another embodiment of the network security processing method of the present invention, including:
Step 41: The VM attacker sends attack packets.
Step 42: The attack packets sent by the VM attacker reach the network interface card through the virtual machine monitor (hypervisor).
Step 43: The network interface card determines, according to the pre-configured ACL rules, the packets that need security processing. In the case of a virtualized network interface card, ACL rules can also be configured per virtual machine or per virtual NIC.
Step 44: The network interface card filters the packets that need security processing according to the TCP/UDP four-layer session state table.
The network interface card establishes the session state table during session establishment and implements a TCP/UDP stateful firewall function through it.
The specific processing of steps 41 to 44 may refer to steps 31 to 34 of the previous embodiment respectively.
Step 45: The network interface card performs deep packet inspection on the packet and performs security processing according to the packet content obtained by the inspection.
This step is optional: if the network interface card has no content detection capability, it can send the packet to the security processing device.
Assuming the network interface card has content detection capability, it obtains the packet content by deep packet inspection; if the content includes a specific character string, the packet containing that string can be handled according to the configured filtering policy. For example, if the configured filtering policy indicates that packets containing the specific string must be dropped, the network interface card drops the packets containing that string. In a virtualized network interface card environment, the character strings can also be configured per virtual machine or per virtual NIC.
Further, if the configured policy indicates that further content matching is needed (for example, a packet must not only contain the specific character string but its content must also satisfy other conditions before it is dropped) and the network interface card does not have the capability to perform this further matching, the network security processing method can also include steps 46 and 47:
Step 46: The network interface card sends the packet to the security processing device for second security processing.
Step 47: The security processing device performs second security processing on the received packet.
Specifically, this can include: the security processing device performs second security processing on the received packet; if during the second security processing it determines that the packet after the first security processing is an attack packet, it issues a filtering rule to the network interface card, which can then filter subsequent attack packets according to that rule, for example: dropping them, limiting connection establishment, limiting the packet sending rate, or only alarming and counting without further processing.
For example, if the security processing device determines after further complex and precise matching that a packet needs to be dropped, it can notify the network interface card of the result; the network interface card then sets the entry in the session state table corresponding to the packet to be dropped to the "drop" state, or deletes the corresponding entry, so that subsequent packets that need to be dropped are dropped directly on the network interface card instead of being sent up to the security processing device, reducing the load on the security processing device.
In this embodiment the network interface card performs part of the security processing on packets, which reduces the traffic sent to the security processing device, lowers cost and avoids a performance bottleneck. Performing security processing on the network interface card applies the security measure as close to the source as possible: after TCP/UDP four-layer security policies and simple content detection on the network interface card, most of the data can already be judged; the complex traffic that still needs judgement is sent up to the centrally deployed security processing device for analysis, which greatly reduces the traffic that device must analyse; and because only TCP/UDP four-layer security and simple content analysis need to be performed on the network interface card, the cost of doing so is small. The above method thus also realises layered, distributed security processing based on the network interface card.
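The following is an added example, not code from the patent or from its assignee: a model of the layered processing of Fig. 4, steps 45 to 47. The NIC performs simple string matching on the payload, drops what its own policy lets it drop, escalates packets whose policy requires further matching to the security processing device, and installs the filtering rule the device pushes back by marking the session's entry in its session table as "drop", so that later packets of that session never reach the device. The class names, the rule format (a list of regular expressions that must all match), the five-tuple key and the HTTP sample traffic with the admin-password string are assumptions made for illustration.

```python
# Added example (not from the patent): a model of the layered processing in
# Fig. 4, steps 45-47, in which the NIC does simple content detection, escalates
# packets it cannot judge to the security processing device, and installs the
# filtering rule the device pushes back. Class names, rule formats, the
# five-tuple key and the HTTP sample traffic are assumptions for illustration.
import re
from collections import namedtuple

# Constructed packet model: five-tuple plus the application payload as text.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port payload")


def five_tuple(pkt):
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


class SecurityDevice:
    """Centralized second security processing: every pattern of a rule must match,
    which is the 'further content matching' the NIC cannot perform itself."""

    def __init__(self, rules):
        self.rules = rules            # [(name, [compiled regex, ...]), ...]
        self.inspected = 0            # packets the NIC had to send up

    def inspect(self, pkt, nic):
        self.inspected += 1
        for name, patterns in self.rules:
            if all(p.search(pkt.payload) for p in patterns):
                # Attack confirmed: push a filtering rule down so later packets of
                # this session are dropped on the NIC without reaching the device.
                nic.install_rule(five_tuple(pkt), "drop", name)
                return "drop"
        return "forward"


class Nic:
    """First security processing: session-table lookup, then simple string matching."""

    def __init__(self, signatures, device):
        self.signatures = signatures  # string -> "drop" | "escalate"
        self.device = device
        self.sessions = {}            # five-tuple -> "drop" once a rule is installed
        self.installed = []           # (five-tuple, action, reason) received from the device
        self.escalated = 0

    def install_rule(self, key, action, reason):
        self.sessions[key] = action
        self.installed.append((key, action, reason))

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet."""
        key = five_tuple(pkt)
        if self.sessions.get(key) == "drop":   # entry set to drop by a pushed rule
            return "drop"
        for needle, action in self.signatures.items():
            if needle in pkt.payload:
                if action == "drop":           # the NIC can decide on its own
                    return "drop"
                self.escalated += 1            # needs the device's precise matching
                return self.device.inspect(pkt, self)
        return "forward"


def run_demo():
    device = SecurityDevice([
        ("admin-credential-theft",
         [re.compile(r"passwd="), re.compile(r"user=(?:admin|root)\b")]),
    ])
    nic = Nic({"passwd=": "escalate", "/etc/shadow": "drop"}, device)
    http = "GET /login?user={u}&passwd={p} HTTP/1.1\r\nHost: vm-server\r\n\r\n"

    def attacker(p):  # one TCP session from the VM attacker, user=admin
        return Packet("tcp", "10.0.0.1", 40001, "10.0.0.2", 80, http.format(u="admin", p=p))

    def alice(p):     # one TCP session from a normal VM user
        return Packet("tcp", "10.0.0.3", 50001, "10.0.0.2", 80, http.format(u="alice", p=p))

    traffic = [  # constructed sample traffic
        attacker("try1"), attacker("try2"), attacker("try3"),
        alice("s3cret"), alice("s3cret"),
        Packet("tcp", "10.0.0.1", 40002, "10.0.0.2", 80, "GET /../../etc/shadow HTTP/1.1\r\n\r\n"),
        Packet("tcp", "10.0.0.4", 50002, "10.0.0.2", 80, "GET /index.html HTTP/1.1\r\n\r\n"),
    ]
    return {
        "verdicts": [nic.process(p) for p in traffic],
        "escalated": nic.escalated,
        "inspected": device.inspected,
        "installed": nic.installed,
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the first attacker packet reaches the device; the two that follow in the same session are dropped by the NIC's session table, which is the load reduction the embodiment claims. Alice's packets carry the same trigger string but fail the device's second condition, so they are forwarded and no rule is installed for her session.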
Fig. 5 is the structural representation of the embodiment of network interface card one of the present invention, including receiving module 51, secure processing module 52 and sending module 53;Receiving module 51 is used to receive message;Secure processing module 52 is used to carry out the first safe handling to the message that the receiving module 51 is received, and text progress Subsequent secure processing blunt to the ability is determined the need for, first safe handling is used to handle at least a portion network security problem;Sending module 53 is used for when the secure processing module 52 determines to need to carry out Subsequent secure processing to the message, message after first safe handling is sent to safety processing device, the second safe handling is carried out to the message after first safe handling by the safety processing device, second safe handling is used to handle another part network security problem.
Referring to Fig. 6, secure processing module 52 can include:Determining unit 520, is used to determine whether to need to carry out Subsequent secure processing to the message.First processing units 521, the first safe handling that first processing units 521 are carried out with module 52 is the safe handling that first processing units 521 are carried out.First processing units 521, are additionally operable to set up the TCP/UDP session status table during session establishment, and the firewall functionality based on TCP/UDP states is realized will pass through session status table.
Referring to Fig. 7, the security processing module 52 may further include a second processing unit 522, which determines, according to a pre-established access control list (ACL), which packets need security processing; the first processing unit 521 is then specifically configured to filter, according to the TCP/UDP layer-4 session state table, the packets that the second processing unit 522 determined need security processing. Optionally, the filtering performed by the first processing unit 521 is filtering of the packet itself, for example: filtering and discarding it, limiting connection setup, limiting the packet transmission rate, or only alerting and counting without further processing. In this case the first security processing performed by the security processing module 52 is carried out by the first processing unit 521 and the second processing unit 522.
Referring to Fig. 8, the security processing module 52 may further include a third processing unit 523, which performs deep packet inspection (content detection that analyzes the specific content of the packet) on the packets that have been through filtering, and performs security processing according to the packet content obtained by the deep packet inspection. While the third processing unit 523 performs deep packet inspection, the determining unit 520 is further configured to determine, according to the configured policy, whether packets with the set content need subsequent security processing, in which case the second security processing is performed by the security processing device. In this case the first security processing performed by the security processing module 52 is carried out by the first processing unit 521, the second processing unit 522 and the third processing unit 523.
Optionally, the first processing unit 521 is further configured to filter and discard packets with the set content, limit connection setup, limit the packet transmission rate, or only alert and count without further processing.
Further, the receiving module 51 is further configured to receive a filtering rule issued by the security processing device, and the security processing module 52 is further configured to, according to the filtering rule, filter and discard packets, limit connection setup, limit the packet transmission rate, or only alert and count without further processing; the filtering rule is issued by the security processing device when, during the second security processing, it determines that the packet is an attack packet. In the embodiments shown in Fig. 6 to Fig. 8, the processing that the security processing module 52 applies to packets according to the filtering rule may be carried out by its first processing unit 521.
Of course, referring to Fig. 9, in the case where the NIC is a virtualized NIC, the NIC in this embodiment may further include a distribution module 54, which allocates a queue or virtual NIC to each virtual machine, so that the corresponding virtual machine can be determined from the queue or virtual NIC on which the receiving module 51 received the packet. In the case of a virtualized NIC, the packets received by the receiving module 51 also come from virtual machines and are passed through transparently to the receiving module by the virtual machine monitor.
In the case of a virtualized NIC, the security processing module 52 in Fig. 9 may likewise include physical units such as the first processing unit 521, the second processing unit 522, the third processing unit 523 and the determining unit 520 shown in Fig. 6 to Fig. 8, with the corresponding functions; they are not described again here, see the corresponding descriptions of Fig. 6 to Fig. 8. The access control list and the TCP/UDP layer-4 session state table are as described there. By performing at least part of the security processing on the NIC, this embodiment shares the load of the security processing device, reducing the packet traffic the security processing device has to process and the cost of deploying security processing devices; and since NICs are distributed across different devices, the bottleneck caused by a centrally deployed security processing device is avoided and system performance improves.
Fig. 10 is a schematic structural diagram of an embodiment of the network security processing system of the invention, including a NIC 101 and a security processing device 102. The NIC 101 performs first security processing on received packets, handling at least a portion of the network security problems; the security processing device 102 performs second security processing on the packets after the NIC's first security processing, handling another portion of the network security problems.
Optionally, the security processing device 102 is further configured to send the result of the second security processing to the NIC, and the NIC processes subsequent packets according to that result. For example, if during the second security processing the security processing device determines that a packet after the first security processing is an attack packet, it issues a filtering rule to the NIC, and the NIC processes subsequent packets according to the filtering rule.
Optionally, the NIC 101 may be as shown in any of Fig. 5 to Fig. 9.
By performing at least part of the security processing on the NIC, this embodiment can share the load of the security processing device, reduce the packet traffic the security processing device has to process, and reduce the cost of deploying multiple security processing devices; and since NICs are distributed across different devices, the bottleneck caused by a centrally deployed security processing device is avoided and system performance improves.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (25)

    1. A network security processing method, characterized in that it includes:
    a network interface card receiving a packet;
    the network interface card performing first security processing on the packet, the first security processing being used to handle at least a portion of network security problems;
    if the network interface card determines that the packet needs subsequent security processing, sending the packet after the first security processing to a security processing device, which performs second security processing on the packet after the first security processing, the second security processing being used to handle another portion of network security problems.
    2. The method according to claim 1, characterized in that the network interface card performing first security processing on the packet includes:
    filtering the packet according to a TCP/UDP layer-4 session state table.
    3. The method according to claim 2, characterized in that the session state table is established by the network interface card during session establishment.
    4. The method according to claim 2 or 3, characterized in that filtering the packet according to the TCP/UDP layer-4 session state table includes:
    determining, according to a pre-established access control list, the packets that need security processing;
    filtering the packets that need security processing according to the TCP/UDP layer-4 session state table.
    5. The method according to any one of claims 2 to 4, characterized in that filtering the packet includes:
    filtering and discarding attack packets among the packets, limiting connection setup, limiting the packet transmission rate, or only alerting and counting without further processing.
    6. The method according to any one of claims 2 to 5, characterized in that the network interface card performing first security processing on the packet further includes:
    the network interface card performing deep packet inspection on the packet after the filtering according to the TCP/UDP layer-4 session state table, and performing security processing according to the packet content obtained by the deep packet inspection.
    7. The method according to claim 6, characterized in that it further includes:
    if, during the deep packet inspection, the configured policy indicates that packets with set content need subsequent packet inspection, determining that the packets with the set content need subsequent security processing, the second security processing being performed by the security processing device.
    8. The method according to claim 6, characterized in that performing security processing according to the packet content obtained by the deep packet inspection includes:
    for packets with set content, filtering and discarding, limiting connection setup, limiting the packet transmission rate, or only alerting and counting without further processing.
    9. The method according to any one of claims 1 to 8, characterized in that it further includes: if the security processing device determines, during the second security processing, that the packet after the first security processing is an attack packet, the network interface card receiving a filtering rule issued by the security processing device and filtering subsequent packets according to the filtering rule.
    10. The method according to any one of claims 1 to 9, characterized in that the network interface card receiving a packet includes:
    the network interface card receiving a packet from a virtual machine, the packet being passed through transparently to the network interface card by a virtual machine monitor.
    11. The method according to any one of claims 1 to 10, characterized in that the network interface card performing first security processing on the packet includes:
    the network interface card determining the corresponding virtual machine from the queue or virtual network interface card of the packet, and performing the first security processing on the packet according to a security policy corresponding to that virtual machine, the network interface card being a physical network interface card used in virtualization technology.
    12. A network interface card, characterized in that it includes:
    a receiving module, for receiving packets;
    a security processing module, for performing first security processing on the packets received by the receiving module and determining whether the packets need subsequent security processing, the first security processing being used to handle at least a portion of network security problems;
    a sending module, for, when the security processing module determines that a packet needs subsequent security processing, sending the packet after the first security processing to a security processing device, which performs second security processing on the packet after the first security processing, the second security processing being used to handle another portion of network security problems.
    13. The network interface card according to claim 12, characterized in that the security processing module includes:
    a determining unit, for determining whether the packet needs subsequent security processing.
    14. The network interface card according to claim 13, characterized in that
    the first processing unit is further configured to establish the TCP/UDP session state table during session establishment.
    15. The network interface card according to claim 13 or 14, characterized in that the security processing module further includes:
    a second processing unit, for determining, according to a pre-established ACL, the packets that need security processing; the packets that the second processing unit determines need security processing are then filtered.
    16. The network interface card according to any one of claims 13 to 15, characterized in that the filtering performed by the first processing unit is filtering and discarding attack packets among the packets, limiting connection setup, limiting the packet transmission rate, or only alerting and counting without further processing.
    17. The network interface card according to any one of claims 13 to 16, characterized in that the security processing module further includes:
    a third processing unit, for performing deep packet inspection on the packets after the first processing unit has filtered them according to the TCP/UDP layer-4 session state table, and performing security processing according to the packet content obtained by the deep packet inspection.
    18. The network interface card according to claim 17, characterized in that, when the third processing unit performs the deep packet inspection, the determining unit is further configured to determine, according to the configured policy, whether packets with the set content need subsequent security processing, the second security processing being performed by the security processing device.
    19. The network interface card according to claim 17 or 18, characterized in that the first processing unit is further configured to filter and discard packets with set content, limit connection setup, limit the packet transmission rate, or only alert and count without further processing.
    20. The network interface card according to claim 12, characterized in that:
    the receiving module is further configured to receive a filtering rule issued by the security processing device, the filtering rule being issued by the security processing device when it determines, during the second security processing, that the packet is an attack packet;
    the security processing module is further configured to, according to the filtering rule, filter and discard attack packets among subsequent packets, limit connection setup, limit the packet transmission rate, or only alert and count without further processing.
    21. The network interface card according to any one of claims 12 to 20, characterized in that:
    the receiving module receives packets from a virtual machine, the packets being passed through transparently to the network interface card by a virtual machine monitor.
    22. The network interface card according to any one of claims 12 to 21, characterized in that it further includes: a distribution module, for allocating a queue or virtual network interface card to each virtual machine, so that the corresponding virtual machine can be determined from the queue or virtual network interface card on which the receiving module received a packet, and the first security processing is performed on the packet according to a security policy corresponding to that virtual machine.
    23. A network security processing system, characterized in that it includes:
    a network interface card, for performing first security processing on received packets, the first security processing being used to handle at least a portion of network security problems;
    a security processing device, for performing second security processing on the packets after the network interface card's first security processing, the second security processing being used to handle another portion of network security problems.
    24. The system according to claim 23, characterized in that the security processing device is further configured to send the result of the second security processing to the network interface card, and the network interface card processes subsequent packets according to that result.
    25. The system according to claim 23 or 24, characterized in that
    the network interface card is the network interface card according to any one of claims 12 to 22.
CN201280000637.XA 2012-04-05 2012-04-05 Network security processing method, system and network interface card Active CN102986194B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/073528 WO2012103846A2 (en) 2012-04-05 2012-04-05 Network security processing method, system, and network card

Publications (2)

Publication Number Publication Date
CN102986194A true CN102986194A (en) 2013-03-20
CN102986194B CN102986194B (en) 2015-08-19

Family

ID=46603146

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280000637.XA Active CN102986194B (en) 2012-04-05 2012-04-05 Network security processing method, system and network interface card

Country Status (2)

Country Link
CN (1) CN102986194B (en)
WO (1) WO2012103846A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108092941A (en) * 2016-11-23 2018-05-29 中国移动通信有限公司研究院 A kind of network safety protection method, apparatus and system
CN113595957A (en) * 2020-04-30 2021-11-02 华为技术有限公司 Network defense method and security detection equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468601A (en) * 2014-12-17 2015-03-25 中山大学 P2P worm detecting system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101068229A (en) * 2007-06-08 2007-11-07 北京工业大学 Content filtering gateway realizing method based on network filter
US20090235355A1 (en) * 2008-03-17 2009-09-17 Inventec Corporation Network intrusion protection system
CN101610264A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 The management method of a kind of firewall system, safety service platform and firewall system
CN102387151A (en) * 2011-11-01 2012-03-21 天津大学 Block-based virus detection method in P2P (peer-to-peer) network

Also Published As

Publication number Publication date
WO2012103846A2 (en) 2012-08-09
CN102986194B (en) 2015-08-19
WO2012103846A3 (en) 2013-03-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20211221

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: xFusion Digital Technologies Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.