CN103220287A - Method for service matching of messages by means of access control list (ACL) - Google Patents
Publication number: CN103220287A
Authority: CN (China)
Prior art keywords: acl, message, address, messages, service
Legal status: Granted (the status shown is Google's assumption, not a legal conclusion)
Abstract
The invention relates to firewall technology, and in particular discloses a method for service matching of packets (messages) by means of an access control list (ACL). In the method, a firewall classifies the IP addresses of all packets into N classes, configures one ACL per class to obtain N ACLs, and each of the N ACLs records the service types that packets of its IP address class must undergo. When the firewall receives a packet, it finds the corresponding ACL among the N ACLs according to the packet's IP address and matches against it, thereby obtaining the service types the packet must undergo; it then sends the packet to the corresponding service processing modules according to those service types. With this scheme the firewall matches an ACL only once per packet to learn which services the packet requires, which greatly increases the packet processing speed.
Description
Technical field
The present invention relates to the field of firewall technology, and in particular to a method for using an ACL to perform service matching on packets.
Background technology
The most basic and most frequently used function on a firewall device is the ACL function (ACL: Access Control List). An ACL can be configured on a packet's five-tuple: source IP address, destination IP address, protocol number, source port number and destination port number. Combined with other functions, ACLs form the mechanism by which specific actions are applied to specific packets. For example, an IPsec tunnel uses an ACL to decide which packets must be encrypted, which must be dropped and which must be passed; NAT uses an ACL to decide which packets are translated to which IP address; layer-3 security control uses an ACL to decide which packets may be forwarded and which must be dropped; policy routing uses an ACL to decide which packets are forwarded directly to a specified outgoing interface instead of following the routing lookup. When all of these functions are used together, each service processing module has to be configured with its own independent ACL, and every packet then has to be matched against each module's ACL in turn to decide whether that service applies to it. For example, once all of the above services are configured, each packet is matched in turn by the layer-3 security control module, the NAT module, the policy routing module and the IPsec tunnel encryption module, each matching its own private ACL, for a total of 4 matches. What the 4 modules have in common is that all of them use an ACL as the test for whether to perform their service. Therefore, if ACL matching is extracted into an independent module and the actions to be taken after a match are recorded in the ACL entry at configuration time, a packet needs to be matched against an ACL only once to know which services it requires, and packet processing is greatly accelerated.
Summary of the invention
(1) technical problem to be solved
The object of the present invention is to provide a method for using an ACL to perform service matching on packets, so as to solve the problem that an existing firewall, when performing service matching on a received packet, must carry out ACL matching in each service processing module in turn, which slows down packet processing.
(2) technical scheme
To solve the above technical problem, the present invention proposes a method for using an ACL to perform service matching on packets, the method comprising the following steps:
S1: the firewall classifies the IP addresses of all packets to obtain N classes of IP addresses, and configures an ACL for each of the N classes to obtain N ACLs, where N is a positive integer, and each of the N ACLs records the service types that packets corresponding to its class of IP addresses must undergo;
S2: when the firewall receives a packet, it finds the corresponding ACL among the N ACLs according to the packet's IP address and matches against it, thereby obtaining the service types the packet must undergo;
S3: the firewall sends the packet to the corresponding service processing modules for processing according to the service types the packet must undergo.
Optionally, said IP address comprises a source IP address or a destination IP address.
Optionally, in step S1 the service types that packets of each class of IP addresses must undergo comprise layer-3 security control, NAT translation, policy routing or IPsec encryption; in step S3 said service processing modules comprise a layer-3 security control module, a NAT translation module, a policy routing module or an IPsec encryption module.
Optionally, in step S1, when the service types that packets of a certain class of IP addresses must undergo include IPsec encryption, the ACL corresponding to that class specifies a fixed IPsec tunnel for the encryption.
(3) beneficial effect
The technical scheme proposed by the present invention extracts the ACL matching module so that it is independent of the individual service processing modules. When the firewall receives a packet, a single ACL match on the packet's IP address is enough to learn which service processing the packet requires. On the one hand, the number of ACL matches per packet is reduced to one; on the other hand, the packet is sent only to the service processing modules it actually needs, so it does not have to be matched by service processing modules that are irrelevant to it. In short, the method proposed by the present invention greatly accelerates the firewall's processing of packets.
Description of drawings
Fig. 1 is the basic flow chart of the method proposed by the present invention for using an ACL to perform service matching on packets.
Embodiment
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples.
As shown in Fig. 1, the method proposed by the present invention for using an ACL to perform service matching on packets comprises the following steps:
S1: the firewall classifies the IP addresses of all packets to obtain N classes of IP addresses, and configures an ACL for each of the N classes to obtain N ACLs, where N is a positive integer, and each of the N ACLs records the service types that packets corresponding to its class of IP addresses must undergo;
S2: when the firewall receives a packet, it finds the corresponding ACL among the N ACLs according to the packet's IP address and matches against it, thereby obtaining the service types the packet must undergo;
S3: the firewall sends the packet to the corresponding service processing modules for processing according to the service types the packet must undergo.
Said IP address may be either the source IP address or the destination IP address of the packet.
The implementation of the above method is explained in detail below through an embodiment.
In this embodiment, the IP addresses of all packets are divided into 4 classes and 4 ACLs are configured accordingly. The service types that packets of each class of IP addresses must undergo comprise layer-3 security control, NAT translation, policy routing or IPsec encryption, and the service processing modules involved comprise the layer-3 security control module, the NAT translation module, the policy routing module and the IPsec encryption module, specifically as follows:
Configure ACL1: the matched IP addresses are 1.1.1.1-1.1.1.10 and the action performed is drop;
Configure ACL2: the matched IP addresses are 2.2.2.1-2.2.2.10 and the actions performed are pass and NAT translation by the NAT module, the translated address being the public IP address 202.1.1.1;
Configure ACL3: the matched IP addresses are 3.3.3.1-3.3.3.10 and the actions performed are pass, NAT translation by the NAT module with the translated address being the public IP address 202.1.1.2, and policy routing with the outgoing interface specified as 0/0/1;
Configure ACL4: the matched IP addresses are 4.4.4.1-4.4.4.10 and the actions performed are pass, NAT translation by the NAT module with the translated address being the public IP address 202.1.1.3, policy routing with the outgoing interface specified as 0/0/1, and IPsec tunnel encryption.
When a packet whose IP address is 1.1.1.1 passes through the firewall, ACL matching hits the rule in ACL1, whose content is drop, so the packet is dropped directly.
When a packet whose IP address is 4.4.4.1 passes through the firewall, ACL matching hits ACL4, so the packet must undergo NAT translation, policy routing and IPsec tunnel encryption in turn.
When a packet must be matched for an IPsec tunnel and several IPsec tunnels are configured, then, because each IPsec tunnel's ACL is exclusive to that tunnel, ACL4 can specify a fixed IPsec tunnel for the encryption.
In the above embodiment, under the existing approach, if each service processing module needs 10 ACLs configured, the 4 modules need 40 ACLs in total, and the ACLs configured in different modules frequently repeat one another. With the method proposed by the present invention, a packet instead matches a single entry in one unified ACL table and is then processed according to the actions configured in that entry. For example, ACL4 requires all 4 modules to process the packet; a packet that originally needed 4 ACL matches now needs only 1, which greatly improves the firewall's packet processing speed.
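The embodiment above expressed as a unified ACL table in C, as an added example that is not code from the patent: one range lookup per packet returns the entry whose recorded action set names every service module to invoke. The flag encoding, the fail-closed default for addresses outside every class, and the tunnel id 1 are assumptions; the address ranges, NAT addresses and interface are the ones given in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Service flags of a unified ACL entry (an assumed encoding; the patent names the
 * services but not their representation). PASS absent means the packet is dropped. */
enum { SVC_PASS = 1, SVC_NAT = 2, SVC_PBR = 4, SVC_IPSEC = 8 };
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One unified ACL entry: an address class plus every action that applies to it. */
struct acl_entry {
    const char *name;
    uint32_t lo, hi;      /* inclusive IPv4 range of this address class */
    unsigned services;    /* bitmask of SVC_* */
    uint32_t nat_ip;      /* translated public address when SVC_NAT is set */
    const char *out_if;   /* outgoing interface when SVC_PBR is set */
    int ipsec_tunnel;     /* fixed tunnel id when SVC_IPSEC is set */
};

/* The four ACLs of the embodiment. Ranges, NAT addresses and the interface come
 * from the text; the tunnel id 1 is a constructed placeholder. */
static const struct acl_entry acl_table[] = {
    {"ACL1", IP4(1,1,1,1), IP4(1,1,1,10), 0, 0, NULL, 0},
    {"ACL2", IP4(2,2,2,1), IP4(2,2,2,10), SVC_PASS | SVC_NAT, IP4(202,1,1,1), NULL, 0},
    {"ACL3", IP4(3,3,3,1), IP4(3,3,3,10), SVC_PASS | SVC_NAT | SVC_PBR,
             IP4(202,1,1,2), "0/0/1", 0},
    {"ACL4", IP4(4,4,4,1), IP4(4,4,4,10), SVC_PASS | SVC_NAT | SVC_PBR | SVC_IPSEC,
             IP4(202,1,1,3), "0/0/1", 1},
};
#define N_ACL (sizeof acl_table / sizeof acl_table[0])
/* Step S2: one lookup on the packet's IP address (source or destination, as the
 * deployment chooses) returns the single ACL of its class, or NULL if none. */
static const struct acl_entry *acl_lookup(uint32_t ip)
{
    for (size_t i = 0; i < N_ACL; i++)
        if (ip >= acl_table[i].lo && ip <= acl_table[i].hi)
            return &acl_table[i];
    return NULL;
}

/* Step S3: hand the packet to exactly the modules its entry names, in the order the
 * embodiment gives (NAT, policy routing, IPsec). Returns the bitmask of services
 * applied (0 = dropped) and writes a readable verdict. An address outside every
 * class is dropped: fail-closed is this example's choice, not the patent's. */
static unsigned acl_dispatch(uint32_t ip, char *verdict, size_t len)
{
    const struct acl_entry *e = acl_lookup(ip);
    if (!e || !(e->services & SVC_PASS)) {
        snprintf(verdict, len, "%s: drop", e ? e->name : "no-match");
        return 0;
    }
    size_t off = (size_t)snprintf(verdict, len, "%s: pass", e->name);
    if (e->services & SVC_NAT)
        off += (size_t)snprintf(verdict + off, len - off, " nat->%u.%u.%u.%u",
                                (unsigned)(e->nat_ip >> 24), (unsigned)((e->nat_ip >> 16) & 255),
                                (unsigned)((e->nat_ip >> 8) & 255), (unsigned)(e->nat_ip & 255));
    if (e->services & SVC_PBR)
        off += (size_t)snprintf(verdict + off, len - off, " pbr->%s", e->out_if);
    if (e->services & SVC_IPSEC)
        snprintf(verdict + off, len - off, " ipsec->tunnel%d", e->ipsec_tunnel);
    return e->services;
}

int main(void)
{
    const uint32_t samples[] = {IP4(1,1,1,1), IP4(3,3,3,7), IP4(4,4,4,1), IP4(9,9,9,9)};
    char v[96];
    for (size_t i = 0; i < 4; i++) {
        acl_dispatch(samples[i], v, sizeof v);
        puts(v);  /* e.g. "ACL4: pass nat->202.1.1.3 pbr->0/0/1 ipsec->tunnel1" */
    }
    return 0;
}
```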
It should be noted that the types of service processing module are not limited to the 4 modules described in the above embodiment; the service processing modules are configured according to the actual functions of each firewall. Therefore, when classifying the IP addresses of packets and configuring the corresponding ACLs, the classification must also be set flexibly according to the specific functions of the firewall and the types of packets.
The above is only a preferred embodiment of the present invention. It should be pointed out that a person of ordinary skill in the art can make further improvements and substitutions without departing from the technical principle of the present invention, and such improvements and substitutions should also be regarded as falling within the scope of protection of the present invention.
Claims (4)
1. A method for using an ACL to perform service matching on packets, characterized in that the method comprises the following steps:
S1: the firewall classifies the IP addresses of all packets to obtain N classes of IP addresses, and configures an ACL for each of the N classes to obtain N ACLs, where N is a positive integer, and each of the N ACLs records the service types that packets corresponding to its class of IP addresses must undergo;
S2: when the firewall receives a packet, it finds the corresponding ACL among the N ACLs according to the packet's IP address and matches against it, thereby obtaining the service types the packet must undergo;
S3: the firewall sends the packet to the corresponding service processing modules for processing according to the service types the packet must undergo.
2. The method according to claim 1, characterized in that said IP address comprises a source IP address or a destination IP address.
3. The method according to claim 1, characterized in that in step S1 the service types that packets of each class of IP addresses must undergo comprise layer-3 security control, NAT translation, policy routing or IPsec encryption; and in step S3 said service processing modules comprise a layer-3 security control module, a NAT translation module, a policy routing module or an IPsec encryption module.
4. The method according to claim 3, characterized in that in step S1, when the service types that packets of a certain class of IP addresses must undergo include IPsec encryption, the ACL corresponding to that class specifies a fixed IPsec tunnel for the encryption.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310124039.XA CN103220287B (en) | 2013-04-11 | 2013-04-11 | Utilize the method that ACL carries out business coupling to message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103220287A true CN103220287A (en) | 2013-07-24 |
CN103220287B CN103220287B (en) | 2016-12-28 |
Family ID: 48817751
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310124039.XA Expired - Fee Related CN103220287B (en) | 2013-04-11 | 2013-04-11 | Utilize the method that ACL carries out business coupling to message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103220287B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103516613A (en) * | 2013-09-25 | 2014-01-15 | 汉柏科技有限公司 | Quick message forwarding method |
WO2015051741A1 (en) * | 2013-10-10 | 2015-04-16 | Hangzhou H3C Technologies Co., Ltd. | Packet processing |
CN105591926A (en) * | 2015-12-11 | 2016-05-18 | 杭州华三通信技术有限公司 | Network flow protection method and device |
CN105635343A (en) * | 2016-02-02 | 2016-06-01 | 中国互联网络信息中心 | IP address list storage and query method applied to DNS query |
CN107135203A (en) * | 2017-04-05 | 2017-09-05 | 北京明朝万达科技股份有限公司 | A kind of method and system of terminal access control strategy optimization |
CN107566201A (en) * | 2016-06-30 | 2018-01-09 | 华为技术有限公司 | Message processing method and device |
CN107968770A (en) * | 2016-10-19 | 2018-04-27 | 北京计算机技术及应用研究所 | Network firewall and its data processing method based on domestic autonomous hardware and software platform |
CN112787847A (en) * | 2020-12-24 | 2021-05-11 | 凌云天博光电科技股份有限公司 | Method and device for rapidly processing large number of Trap based on network management system EPON |
CN113079097A (en) * | 2021-03-24 | 2021-07-06 | 新华三信息安全技术有限公司 | Message processing method and device |
CN113132241A (en) * | 2021-05-07 | 2021-07-16 | 杭州迪普信息技术有限公司 | ACL template dynamic configuration method and device |
CN113452615A (en) * | 2021-06-28 | 2021-09-28 | 烽火通信科技股份有限公司 | Method and device for improving matching efficiency of large-specification ACL |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050055573A1 (en) * | 2003-09-10 | 2005-03-10 | Smith Michael R. | Method and apparatus for providing network security using role-based access control |
CN1781286A (en) * | 2003-06-10 | 2006-05-31 | 思科技术公司 | Method and apparatus for packet classification and rewriting |
CN101035060A (en) * | 2006-03-08 | 2007-09-12 | 中兴通讯股份有限公司 | Integrated processing method for three-folded content addressable memory message classification |
CN101340370A (en) * | 2008-08-14 | 2009-01-07 | 杭州华三通信技术有限公司 | Link selection method and apparatus |
CN101631121A (en) * | 2009-08-24 | 2010-01-20 | 杭州华三通信技术有限公司 | Message control method and access equipment in endpoint admission defense |
CN101667964A (en) * | 2009-09-18 | 2010-03-10 | 中兴通讯股份有限公司 | Collocation method and device of access control list (ACL) regulations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20161228 Termination date: 20180411 |