CN104579939A - Protecting method and device for gateway - Google Patents

Publication number: CN104579939A (granted as CN104579939B)
Application number: CN201410848738.3A
Authority: CN (China)
Legal status: granted, active
Original language: Chinese (zh)
Inventors: 赵红宙, 任献永
Original and current assignee: Secworld Information Technology Beijing Co Ltd
Prior art keywords: packet, address, conditioned, client, destination

Abstract

The invention discloses a protection method and device for a gateway. The protection method comprises: receiving a packet sent by a source end; judging whether the packet meets a preset condition; when the packet is judged to meet the preset condition, forwarding the packet to a destination end; and when the packet is judged not to meet the preset condition, discarding the packet. The protection method and device solve the prior-art problem that the gateway is prone to attack, resulting in network paralysis, and thereby achieve stable and safe network operation.

Description

Protection method and device for a gateway
Technical field
The present invention relates to the Internet field, and in particular to a protection method and device for a gateway.
Background technology
The IP addresses of current gateway devices generally have to be configured on the physical interfaces of the gateway device; the IP addresses of different physical interfaces cannot be identical, and the number of IP addresses per physical interface is generally limited. The IP addresses of a gateway device's physical interfaces are generally used for interconnection with upstream and downstream devices, for routing and forwarding, and so on.
NAT (Network Address Translation) address pool technology is widely used at present; it configures a range of IP addresses on the gateway. When the gateway device receives an ARP (Address Resolution Protocol) request, and the requested IP address is in the NAT address pool, the gateway device responds to that request as well.
IP addresses are indispensable for network interconnection and routing, and at present no scheme can replace them. But when an IP address is used for intranet NAT address mapping or external IP address mapping, the gateway device's IP address is disclosed directly to the outside, making it very easy for hackers or other malicious actors to attack the gateway and cause network paralysis.
Fig. 1 is a schematic flow chart of a PC accessing the Internet in the prior art. As shown in Fig. 1, when the internal-network PC on the left accesses the Internet, the prior-art implementation is that, as packets pass through the egress gateway, the IP addresses of all intranet hosts are translated to the interface IP address of eth3, where the eth3 address is either an IP address actually configured on the egress gateway or an address in some NAT address pool. The eth3 address is disclosed externally and interconnects directly with the external network, so the external network can scan and probe the gateway through this address; a hacker or other malicious actor can therefore attack the gateway through the externally disclosed address and cause network paralysis.
No effective solution has yet been proposed for the prior-art problem that the gateway is easily attacked, causing network paralysis.
Summary of the invention
The main purpose of the present invention is to provide a protection method and device for a gateway, so as to solve the prior-art problem that a gateway is easily attacked, causing network paralysis.
To achieve this goal, according to one aspect of the embodiments of the present invention, a protection method for a gateway is provided.
The protection method for a gateway according to the present invention comprises: receiving a packet sent by a source; judging whether the packet meets a preset condition; when the packet is judged to meet the preset condition, forwarding the packet to a destination; and when the packet is judged not to meet the preset condition, discarding the packet.
Further, the source is a client, wherein: judging whether the packet meets the preset condition comprises judging whether there exists a preset IP address corresponding to the initial IP address of the client; and forwarding the packet to the destination when it is judged to meet the preset condition comprises: when a preset IP address corresponding to the initial IP address of the client is judged to exist, establishing an association table between the client and the destination, changing the initial IP address in the packet to the preset IP address, and forwarding the updated packet to the destination.
Further, before judging whether there exists a preset IP address corresponding to the initial IP address of the source, judging whether the packet meets the preset condition also comprises judging whether the packet meets an access-scope precondition; and forwarding the packet to the destination when it is judged to meet the preset condition comprises: when the packet is judged to meet the access-scope precondition and a preset IP address corresponding to the initial IP address of the client is judged to exist, establishing the association table between the client and the destination, changing the initial IP address in the packet to the preset IP address, and forwarding the updated packet to the destination.
Further, after receiving the packet sent by the source, the protection method also comprises: judging whether an association table between the source and the destination exists, wherein, when the association table is judged to exist, the packet is forwarded directly to the destination; and when the association table is judged not to exist, judging whether the packet meets the preset condition, and forwarding the packet to the destination when it is judged to meet the preset condition.
Further, the source is a client, and before receiving the packet sent by the source, the protection method also comprises: receiving an add instruction, the add instruction being for adding a preset IP address; receiving a configuration instruction; and configuring the preset condition according to the configuration instruction and the add instruction.
To achieve the above goal, according to another aspect of the embodiments of the present invention, a protection device for a gateway is provided.
The protection device for a gateway according to the present invention comprises: a first receiving unit, for receiving a packet sent by a source; a first judging unit, for judging whether the packet meets a preset condition; a first processing unit, for forwarding the packet to a destination when the packet is judged to meet the preset condition; and a second processing unit, for discarding the packet when the packet is judged not to meet the preset condition.
Further, the source is a client, wherein: the first judging unit comprises a first judging module, for judging whether there exists a preset IP address corresponding to the initial IP address of the client; and the first processing unit comprises a first processing module, for, when a preset IP address corresponding to the initial IP address of the client is judged to exist, establishing an association table between the client and the destination, changing the initial IP address in the packet to the preset IP address, and forwarding the updated packet to the destination.
Further, the first judging unit also comprises a second judging module, for judging, before it is judged whether there exists a preset IP address corresponding to the initial IP address of the source, whether the packet meets an access-scope precondition; and the first processing unit also comprises a second processing module, for, when the packet is judged to meet the access-scope precondition and a preset IP address corresponding to the initial IP address of the client is judged to exist, establishing the association table between the client and the destination, changing the initial IP address in the packet to the preset IP address, and forwarding the updated packet to the destination.
Further, the protection device also comprises a second judging unit, for judging, after the packet sent by the source is received, whether an association table between the source and the destination exists, wherein, when the second judging unit judges that the association table exists, the packet is forwarded directly to the destination; and when the second judging unit judges that the association table does not exist, it is judged whether the packet meets the preset condition, and the packet is forwarded to the destination when it is judged to meet the preset condition.
Further, the source is a client, and the protection device also comprises: a second receiving unit, for receiving, before the packet sent by the source is received, an add instruction, the add instruction being for adding a preset IP address; a third receiving unit, for receiving a configuration instruction; and a configuration unit, for configuring the preset condition according to the configuration instruction and the add instruction.
According to the embodiments of the invention, a packet sent by a source is received; it is judged whether the packet meets a preset condition; when the packet is judged to meet the preset condition, it is forwarded to a destination; and when the packet is judged not to meet the preset condition, it is discarded. By judging whether a packet meets the preset condition, packets that meet it and packets that do not are handled differently. When a packet meets the preset condition it is forwarded to the destination, which indicates that such a packet cannot harm the gateway; when a packet does not meet the preset condition it is discarded and nothing else is done with it. This helps protect the real address of the gateway and avoids attacks on the gateway by hackers or other malicious actors, solving the prior-art problem that the gateway is easily attacked, causing network paralysis, and thereby improving the stability and security of network operation.
Brief description of the drawings
The accompanying drawings, which form part of this application, are provided for a further understanding of the present invention; the schematic embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation on it. In the drawings:
Fig. 1 is a schematic flow chart of a PC accessing the Internet in the prior art;
Fig. 2 is a flow chart of a gateway protection method according to an embodiment of the present invention;
Fig. 3 is a flow chart of an optional gateway protection method according to an embodiment of the present invention; and
Fig. 4 is a schematic diagram of a gateway protection device according to an embodiment of the present invention.
Detailed description of the embodiments
To make those skilled in the art better understand the solution of the present invention, the technical solution in the embodiments of the present invention is described clearly and completely below in conjunction with the accompanying drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second", etc. in the specification, the claims and the above drawings of the present invention are used to distinguish similar objects and need not describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described here. In addition, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to those steps or units clearly listed, but may include other steps or units that are not clearly listed or are inherent to that process, method, product or device.
Embodiment 1
According to an embodiment of the present invention, a method embodiment that may be used to implement the device embodiment of this application is provided. It should be noted that the steps shown in the flow charts of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in an order different from the one given here.
According to an embodiment of the present invention, a protection method for a gateway is provided. Fig. 2 is a flow chart of the gateway protection method according to an embodiment of the present invention. As shown in Fig. 2, the method comprises the following steps S202 to S208:
S202: receive the packet sent by the source. Specifically, the packet contains information such as a source address, a destination address, a source port and a destination port. In embodiments of the present invention, the source may be a client or the server of some website. If the source is a client, the packet is an access request, used to request access to a picture, file, video or the like on the network; if the source is the server of some website, the packet is a response to a user's access request.
S204: judge whether the packet meets the preset condition.
S206: when the packet is judged to meet the preset condition, forward the packet to the destination. If the source is a client, the destination is the server of some website; that is, when the user's access request meets the preset condition, the packet carrying that access request is sent to the server. If the source is the server of some website, the destination is the client; that is, when the packet sent by the website server in response to the user's access request meets the preset condition, that response packet is sent to the client.
S208: when the packet is judged not to meet the preset condition, discard the packet. That is, when the packet does not meet the preset condition, the user's access request is not sent to the website server, or the packet responding to the user's access request is not sent to the client, which is equivalent to doing nothing with packets that do not meet the preset condition.
In embodiments of the present invention, by judging whether a packet meets the preset condition, packets that meet it and packets that do not are handled differently. When a packet meets the preset condition it is forwarded to the destination, which indicates that such a packet cannot harm the gateway; when a packet does not meet the preset condition it is discarded and nothing else is done with it. This helps protect the real address of the gateway and avoids attacks on the gateway by hackers or other malicious actors, solving the prior-art problem that the gateway is easily attacked, causing network paralysis, and thereby improving the stability and security of network operation.
Preferably, in embodiments of the present invention the source is a client, and judging whether the packet meets the preset condition comprises judging whether there exists a preset IP address corresponding to the initial IP address of the client. Specifically, the initial IP address is the IP address actually allocated to the client, and the preset IP address is a virtual IP address set on the gateway interface for that client; this preset IP address is neither the real address of the gateway nor an address in the NAT address pool. Forwarding the packet to the destination when it is judged to meet the preset condition then means: when a preset IP address corresponding to the initial IP address of the client is judged to exist, establish the association table between the client and the destination, change the initial IP address in the packet to the preset IP address, and forward the updated packet to the destination.
In embodiments of the present invention, the initial IP address in the packet is converted to the preset virtual IP address before the packet is sent to the server. If a hacker or other malicious actor obtains the packet after the address has been converted and attacks the gateway using the IP address in it, then, because that IP address is a virtual address rather than the real address of the gateway, the attacker cannot locate the gateway and therefore cannot attack it, and the gateway is protected so that it keeps operating safely. For example: the real IP address of some interface of gateway C is A, but when this interface sends a packet, the packet is sent to the destination under the IP address B. If a hacker or other malicious actor tries to locate the gateway using the address in the packet (that is, IP address B), gateway C cannot be found from that address and therefore cannot be attacked.
Preferably, in embodiments of the present invention, before judging whether there exists a preset IP address corresponding to the initial IP address of the source, judging whether the packet meets the preset condition also comprises judging whether the packet meets an access-scope precondition. The access-scope precondition sets the access scope of the client, for example which websites may be accessed and which may not; the concrete access scope can be set as required. For example: the packet sent by user A's client is a request to access the website WWW.A.COM, so it is necessary to judge whether WWW.A.COM is a website that user A is allowed to access. In this case, forwarding the packet to the destination when it is judged to meet the preset condition comprises: when the packet is judged to meet the access-scope precondition and a preset IP address corresponding to the initial IP address of the client is judged to exist, establishing the association table between the client and the destination, changing the initial IP address in the packet to the preset IP address, and forwarding the updated packet to the destination. That is, in embodiments of the present invention, only when the packet meets the access-scope precondition and a preset IP address exists for the client is the initial IP address in the packet sent by the client changed to the preset IP address and the packet sent to the website server. If the packet does not meet the access-scope precondition, that is, the website requested in the packet is one the user is forbidden to access, the packet is discarded and is not sent to the server of the requested website, so the access request in the packet receives no response. Continuing the example above: when it is judged that user A is allowed to access the website WWW.A.COM, and a preset IP address corresponding to the initial IP address of user A's client exists, the association table between the client and the WWW.A.COM server is established, the initial IP address in the packet requesting WWW.A.COM is changed to the preset IP address, and the packet, whose IP address is now the preset IP address, is sent to the WWW.A.COM server.
In embodiments of the present invention, the preset condition also includes the access-scope precondition. Since a user may access websites of lower security, this prevents the client from being infected with a virus when it receives the response packets returned by such a website, thereby improving terminal security.
Specifically, after the packet sent by the source is received, the gateway protection method provided by the embodiment of the present invention also comprises judging whether an association table between the source and the destination exists, wherein, when the association table is judged to exist, the packet is forwarded directly to the destination; and when the association table is judged not to exist, it is judged whether the packet meets the preset condition, and the packet is forwarded to the destination when it is judged to meet the preset condition. Specifically, the association table contains information such as the source address, destination address, source port and destination port. In embodiments of the present invention, when a packet carrying an access request sent by a client is received, or a packet sent by a server in response to a user's access request is received, it is first judged whether an association table between the client and that server exists. If the association table exists, this user has accessed the website of that server before, and whether the packet is the client's access request or the server's response to it, the packet is forwarded directly to the client or the server according to the information in the association table. If no association table exists, this user has not accessed the website of that server before, so it is necessary to judge whether the packet meets the preset condition, and to forward the packet to the destination when it does.
Preferably, the source is a client, and before the packet sent by the source is received, the gateway protection method provided by the embodiment of the present invention also comprises: receiving an add instruction, the add instruction being for adding a preset IP address, that is, the preset IP address corresponding to the initial IP address of the client is specified according to the add instruction. If there are multiple clients, a preset IP address corresponding to the initial IP address of each client is added for that client, and the preset IP addresses corresponding to the initial IP addresses of different clients are different. Specifically, before the add instruction is received, one or more address objects may be set in advance, each address object containing multiple IP addresses, and the preset IP address may be any IP address in some address object. The method further comprises receiving a configuration instruction, the configuration instruction being for setting the access scope of the client; and configuring the preset condition according to the configuration instruction and the add instruction, that is, generating the preset condition from the add instruction and the configuration instruction.
In embodiments of the present invention, the number of IP addresses of the physical interfaces of the gateway device is not limited: there can be as many preset IP addresses as there are clients. Compared with the prior art, where the number of IP addresses of a physical interface of the gateway device is limited, the gateway protection method of the embodiment of the present invention improves the practicality of the gateway device.
In addition, the gateway protection method provided by the embodiment of the present invention can also be carried out according to the specific flow shown in Fig. 3. Fig. 3 is a flow chart of an optional gateway protection method according to an embodiment of the present invention; as shown in Fig. 3, the method comprises the following steps S302 to S318:
S302: receive a packet. This step is equivalent to step S202. Likewise, the received packet may be sent by a client or by a website server.
S304: judge whether the connection-table lookup succeeds. This step is equivalent to judging whether an association table for the packet exists and is not repeated here; the connection table in this step is the association table described above. If the connection-table lookup succeeds, perform step S306; if the lookup fails, perform step S308.
S306: forward the data according to the connection-table information; that is, when an association table between the client and the website server is judged to exist, forward the data to the destination according to the information in that table.
S308: judge whether the security-policy lookup succeeds, that is, judge whether the content of the packet is within the access scope allowed by the security policy. This step is equivalent to judging whether the packet meets the access-scope precondition and is not repeated here; the security policy in this step is the access-scope precondition. If the security-policy lookup succeeds, perform step S312; if the lookup fails, perform step S310.
S310: discard the packet; that is, when the content of the packet is judged not to be within the access scope allowed by the security policy, discard the packet and do nothing further with it.
S312: judge whether the NAT-policy lookup succeeds. Specifically, this step judges whether there exists, by way of NAT, an IP address into which the initial IP address of the client is changed. Again, the changed IP address is a virtual IP address, not the real IP address of the gateway interface. This step is equivalent to judging whether a preset IP address corresponding to the initial IP address of the client exists and is not repeated here. If the NAT-policy lookup succeeds, perform step S314; if the lookup fails, perform step S310.
S314: establish the connection table. Specifically, after the connection table is established, whether the next packet received is sent by the client or by the website server, it can be forwarded directly to the website server or to the client according to the information in the connection table.
S316: change the packet address. This step is equivalent to changing the initial IP address in the packet to the preset IP address and is not repeated here.
S318: forward the data, that is, forward the packet sent by the source to the destination. This step is equivalent to forwarding the packet to the destination in step S206 and is not repeated here.
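As an added illustration of the flow just described (steps S302 to S318), together with the add instruction, configuration instruction and per-client preset IP address of the preceding paragraphs, the following Python model walks constructed packets through the connection-table, security-policy and NAT-policy lookups. This is example code written for this page, not code from the patent or from Secworld; the Packet fields, the `site` attribute used for the access-scope check, the address object, the gateway interface address, the NAT pool and every IP address and website name in it are assumptions.

```python
"""Toy model of the gateway guard flow of Fig. 3 (steps S302 to S318).

Added example, not code from the patent or its assignee.  The Packet
fields, the `site` attribute used for the access-scope check, and every
address, address object and website name below are constructed values.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # source port
    dport: int      # destination port
    site: str = ""  # requested website (hypothetical field for the access-scope check)


class GatewayGuard:
    def __init__(self, address_object, gateway_ips=(), nat_pool=None):
        # Address object: the block from which preset (virtual) IPs are taken.
        self.address_object = ip_network(address_object)
        # A preset IP must be neither a real gateway interface address nor a NAT pool address.
        self.reserved = {ip_address(ip) for ip in gateway_ips}
        self.nat_pool = ip_network(nat_pool) if nat_pool else None
        self.access_scope = {}  # client IP -> sites it may access ("configuration instruction")
        self.nat_policy = {}    # client initial IP -> preset IP ("add instruction")
        self.conn_table = {}    # (src, dst, sport, dport) -> ("src" | "dst", rewritten address)

    def add_preset_ip(self, client_ip, preset_ip):
        """'Add instruction': bind one distinct preset IP from the address object to a client."""
        ip = ip_address(preset_ip)
        if ip not in self.address_object:
            raise ValueError(f"{preset_ip} is not in address object {self.address_object}")
        if ip in self.reserved or (self.nat_pool is not None and ip in self.nat_pool):
            raise ValueError(f"{preset_ip} is a real gateway address or a NAT pool address")
        if preset_ip in self.nat_policy.values():
            raise ValueError(f"{preset_ip} is already assigned to another client")
        self.nat_policy[client_ip] = preset_ip

    def configure_access(self, client_ip, sites):
        """'Configuration instruction': set the access scope (allowed websites) of a client."""
        self.access_scope[client_ip] = set(sites)

    def handle(self, pkt):
        """Return ("forward", packet) or ("drop", None), following S304 to S318."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        # S304/S306: a connection-table hit is forwarded directly per the table entry.
        entry = self.conn_table.get(key)
        if entry is not None:
            which, addr = entry
            return ("forward", replace(pkt, **{which: addr}))
        # S308/S310: security policy (access scope) lookup; a miss drops the packet.
        if pkt.site not in self.access_scope.get(pkt.src, set()):
            return ("drop", None)
        # S312/S310: NAT policy lookup; a client without a preset IP is dropped too.
        preset = self.nat_policy.get(pkt.src)
        if preset is None:
            return ("drop", None)
        # S314: build the connection table for both directions of this flow.
        self.conn_table[key] = ("src", preset)
        self.conn_table[(pkt.dst, preset, pkt.dport, pkt.sport)] = ("dst", pkt.src)
        # S316/S318: rewrite the initial IP to the preset IP and forward.
        return ("forward", replace(pkt, src=preset))


def demo():
    """Run four constructed packets through the guard and return the verdicts."""
    gw = GatewayGuard("203.0.113.0/29", gateway_ips=["203.0.113.1"], nat_pool="203.0.114.0/28")
    gw.add_preset_ip("10.0.0.5", "203.0.113.2")    # client 10.0.0.5 -> preset 203.0.113.2
    gw.configure_access("10.0.0.5", {"www.a.com"})
    # Allowed request: forwarded with the preset source address.
    out_req = gw.handle(Packet("10.0.0.5", "198.51.100.10", 40000, 80, site="www.a.com"))
    # Server reply: connection-table hit, destination rewritten back to the client.
    out_reply = gw.handle(Packet("198.51.100.10", "203.0.113.2", 80, 40000))
    # Request outside the access scope: dropped at the security-policy check.
    denied = gw.handle(Packet("10.0.0.5", "198.51.100.20", 40001, 80, site="www.b.com"))
    # Client with an access scope but no preset IP: dropped at the NAT-policy check.
    gw.configure_access("10.0.0.6", {"www.a.com"})
    no_nat = gw.handle(Packet("10.0.0.6", "198.51.100.10", 40002, 80, site="www.a.com"))
    return out_req, out_reply, denied, no_nat


if __name__ == "__main__":
    for verdict, pkt in demo():
        print(verdict, pkt)
```

The order of the three lookups is the point of the model: a packet belonging to an already-established flow never reaches the policy checks, a first packet is dropped as soon as either the access scope or the NAT policy misses, and only the packet that passes both gets a connection-table entry in each direction, so the server's reply is mapped back to the client without the client's initial address ever appearing on the outside. The `add_preset_ip` check that rejects real gateway addresses and NAT pool addresses models the requirement stated above that the preset IP address is neither of these.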
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should know that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can in essence be embodied in the form of a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc), including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention.
Embodiment 2
According to the embodiment of the present invention; additionally provide a kind of protective device of gateway of the guard method for implementing above-mentioned gateway; this protective device is mainly used in the guard method that execution embodiment of the present invention foregoing provides, and does concrete introduction below to the protective device of the gateway that the embodiment of the present invention provides:
Fig. 4 is the schematic diagram of the protective device of gateway according to the embodiment of the present invention.As shown in Figure 4, this device mainly comprises the first receiving element 10, first judging unit 20, first processing unit 30 and the second processing unit 40, wherein:
The packet that first receiving element 10 sends for receiving source.Particularly, the information such as source address, destination address, source port and destination interface are comprised in packet.In embodiments of the present invention, source can be client, also can be the server end of certain website.If source is client, so packet is access request, and this access request is used for picture, file or video etc. in request access network; If source is the server end of certain website, so packet is for responding the access request of user.
The first judging unit 20 is used for judging whether the packet meets a preset condition;
The first processing unit 30 is used for forwarding the packet to the destination when the packet is judged to meet the preset condition. If the source is a client, the destination is the server of some website; that is, when the user's access request meets the preset condition, the packet carrying the access request is sent to the server. If the source is the server of some website, the destination is the client; that is, when the packet sent by the server in response to the user's access request meets the preset condition, that response packet is sent to the client.
The second processing unit 40 is used for discarding the packet when the packet is judged not to meet the preset condition. That is, when the packet does not meet the preset condition, the user's access request is not sent to the website's server, and a response packet is not sent to the client; a packet that does not meet the preset condition is simply left unprocessed.
In the embodiment of the present invention, by judging whether the packet meets the preset condition, the packet is handled differently according to whether or not it meets the condition. When the packet meets the preset condition it is forwarded to the destination, which indicates that a packet meeting the preset condition is one that cannot harm the gateway; when the packet does not meet the preset condition it is discarded and nothing further is done with it. This helps protect the real address of the gateway and prevents attacks on the gateway by hackers or other malicious actors, solving the prior-art problem that the gateway is easily attacked, causing network paralysis, and thereby improving the stability and security of network operation.
Preferably, in the embodiment of the present invention, the source is a client, the first judging unit 20 comprises a first judge module, and the first processing unit 30 comprises a first processing module, wherein: the first judge module is used for judging whether there exists a preset IP address corresponding to the initial IP address of the client. In particular, the initial IP address is the IP address actually allocated to the client, and the preset IP address is a virtual IP address configured on the gateway interface for that client; this preset IP address is neither the real address of the gateway nor an address in the NAT address pool. The first processing module is used for, when it is judged that a preset IP address corresponding to the initial IP address of the client exists, establishing an association table between the client and the destination, changing the initial IP address in the packet to the preset IP address, and forwarding the updated packet to the destination.
In the embodiment of the present invention, the initial IP address in the packet is converted to the preset virtual IP address before the packet is sent to the server. If the packet with the converted IP address is obtained by a hacker or other malicious actor, and that actor attacks the gateway based on the IP address in the packet, the gateway cannot be found and cannot be attacked, because that IP address is a virtual address rather than the real address of the gateway; this achieves the effect of protecting the safe operation of the gateway. For example: the real IP address of an interface of gateway C is A, but when this interface sends a packet, the packet is sent to the destination under the IP address B. If a hacker or other malicious actor tries to find the gateway by the address in the packet (that is, IP address B), gateway C cannot be found by that address and therefore cannot be attacked.
Preferably, in the embodiment of the present invention, the first judging unit 20 further comprises a second judge module, and the first processing unit 30 further comprises a second processing module, wherein:
The second judge module is used for judging, before judging whether a preset IP address corresponding to the initial IP address of the source exists, whether the packet meets an access scope condition. The access scope condition sets the access scope of the client, for example which websites may be accessed and which may not; the specific access scope can be configured according to requirements. For example: the packet sent by user A's client is a request to access the website WWW.A.COM, so it is necessary to judge whether WWW.A.COM is a website that user A is allowed to access.
The second processing module is used for, when the packet is judged to meet the access scope condition and a preset IP address corresponding to the initial IP address of the client is judged to exist, establishing an association table between the client and the destination, changing the initial IP address in the packet to the preset IP address, and forwarding the updated packet to the destination. That is, in the embodiment of the present invention, only when the packet meets the access scope condition and a preset IP address exists for the client is the initial IP address in the packet sent by the client changed to the preset IP address and the packet sent to the website's server. If the packet does not meet the access scope condition, that is, the website requested in the packet is one the user is forbidden to access, the packet is discarded; it is not delivered to the server of the website named in the access request, so the access request in the packet is not answered. Continuing the above example: when it is judged that user A is allowed to access WWW.A.COM, and a preset IP address corresponding to the initial IP address of user A's client exists, an association table between the client and the server of WWW.A.COM is established, the initial IP address in the packet requesting access to WWW.A.COM is changed to the preset IP address, and the packet whose IP address is now the preset IP address is sent to the server of WWW.A.COM.
In the embodiment of the present invention, the preset condition further includes the access scope condition, which prevents the user from accessing less secure websites and avoids the client being infected with a virus when it receives the response packet returned by such a website, thereby improving the security of the terminal.
In particular, the protective device of the gateway provided by the embodiment of the present invention further comprises a second judging unit, used for judging, after the packet sent by the source is received, whether an association table between the source and the destination exists. When the second judging unit judges that an association table exists, the packet is forwarded directly to the destination; when it judges that no association table exists, it is judged whether the packet meets the preset condition, and the packet is forwarded to the destination when it meets the preset condition. In particular, the association table contains information such as the source address, destination address, source port and destination port. In the embodiment of the present invention, when a packet carrying an access request sent by a client is received, or a packet sent by a server in response to a user's access request is received, it is first judged whether an association table between the client and that server exists. If one exists, the user has previously accessed the website of that server, and whether the packet is an access request sent by the client or a response sent by the server, it is forwarded directly to the client or server according to the information in the association table. If no association table exists, the user has not previously accessed the website of that server, so it is necessary to judge whether the packet meets the preset condition, and to forward the packet to the destination when it does.
Preferably, in the embodiment of the present invention, the source is a client, and the protective device of the gateway further comprises a second receiving unit, a third receiving unit and a configuration unit, wherein:
The second receiving unit is used for receiving an add instruction before the packet sent by the source is received. The add instruction is used to add a preset IP address, that is, to specify, according to the add instruction, the preset IP address corresponding to the initial IP address of the client. If there are multiple clients, a preset IP address corresponding to the initial IP address of each client is added for each client respectively, and the preset IP addresses corresponding to the initial IP addresses of the multiple clients are different from one another. In particular, before the add instruction is received, one or more address objects can be pre-configured, each address object containing multiple IP addresses, and the preset IP address can be any IP address in a given address object.
The third receiving unit is used for receiving a configuration instruction; in particular, the configuration instruction is used to set the access scope of the client.
The configuration unit is used for configuring the preset condition according to the configuration instruction and the add instruction, that is, generating the preset condition according to the add instruction and the configuration instruction.
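The packet-handling flow of this embodiment (association-table lookup first, then the access scope condition, then the preset IP address check, rewrite and forward, otherwise drop) and the two configuration steps (the add instruction and the configuration instruction) can be modelled in one place. The following Python is an added illustration written for this page, not code from the patent or the assignee; the class and method names are chosen here, and every IP address, port and host name is a constructed sample value.

```python
"""Simulation of the gateway protection pipeline described in Embodiment 2.

Added illustration, not code from the patent: the unit names below are
chosen here, and all IP addresses, ports and host names are constructed
sample values. The gateway keeps an association table keyed on the
(source address, destination address, source port, destination port)
4-tuple; a packet with no entry must pass the access scope condition and
have a preset (virtual) IP address before it is rewritten and forwarded,
otherwise it is dropped.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

AssocKey = Tuple[str, str, int, int]   # (src_ip, dst_ip, src_port, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    host: str = ""     # website requested by a client packet (empty for responses)


class GatewayProtector:
    """Minimal model of the first/second judging and processing units."""

    def __init__(self, address_object: Set[str]):
        # Address object: the pool of virtual addresses a preset IP may be drawn from.
        self.address_object = set(address_object)
        self.preset_ip: Dict[str, str] = {}          # client initial IP -> preset IP
        self.access_scope: Dict[str, Set[str]] = {}  # client initial IP -> allowed hosts
        # Association table: 4-tuple -> (field to rewrite, replacement address).
        self.assoc: Dict[AssocKey, Tuple[str, str]] = {}

    def add_preset_ip(self, client_ip: str, preset_ip: str) -> None:
        """'Add instruction': bind a distinct virtual IP to one client."""
        if preset_ip not in self.address_object:
            raise ValueError("preset IP must come from a configured address object")
        if preset_ip in self.preset_ip.values():
            raise ValueError("each client needs its own preset IP")
        self.preset_ip[client_ip] = preset_ip

    def configure_access_scope(self, client_ip: str, hosts: Set[str]) -> None:
        """'Configuration instruction': set which websites the client may reach."""
        self.access_scope[client_ip] = set(hosts)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet to forward (possibly rewritten), or None if dropped."""
        key: AssocKey = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)

        # Second judging unit: an existing association forwards directly,
        # in either direction, using only the stored table entry.
        entry = self.assoc.get(key)
        if entry is not None:
            field_name, new_ip = entry
            return replace(pkt, **{field_name: new_ip})

        # Second judge module: the access scope condition is checked first.
        if pkt.host not in self.access_scope.get(pkt.src_ip, set()):
            return None

        # First judge module: a preset IP must exist for this client.
        preset = self.preset_ip.get(pkt.src_ip)
        if preset is None:
            return None

        # Processing module: establish the association in both directions,
        # then forward with the initial IP replaced by the preset IP.
        self.assoc[key] = ("src_ip", preset)
        reverse_key: AssocKey = (pkt.dst_ip, preset, pkt.dst_port, pkt.src_port)
        self.assoc[reverse_key] = ("dst_ip", pkt.src_ip)
        return replace(pkt, src_ip=preset)


def demo() -> Dict[str, Optional[Packet]]:
    """Run the WWW.A.COM scenario from the description on constructed addresses."""
    gw = GatewayProtector({"203.0.113.10", "203.0.113.11"})   # constructed virtual pool
    gw.add_preset_ip("192.168.1.20", "203.0.113.10")         # user A's client
    gw.configure_access_scope("192.168.1.20", {"www.a.com"})

    request = Packet("192.168.1.20", "198.51.100.5", 40000, 80, "www.a.com")
    forwarded = gw.handle(request)                           # rewritten to preset IP
    response = Packet("198.51.100.5", "203.0.113.10", 80, 40000)
    returned = gw.handle(response)                           # mapped back via table
    forbidden = Packet("192.168.1.20", "198.51.100.9", 40001, 80, "www.b.com")
    stray = Packet("198.51.100.9", "203.0.113.10", 80, 50000)  # no association, no scope
    return {
        "forwarded": forwarded,
        "returned": returned,
        "forbidden": gw.handle(forbidden),
        "stray": gw.handle(stray),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt if pkt is not None else 'dropped'}")
```

Two points of the design are worth noting. The response from the server is matched purely by the reverse 4-tuple entry written when the request was admitted, so a server packet that arrives for a preset IP without a prior request has no association, fails the access scope check (it carries no permitted host) and is dropped; this is the behaviour the description assigns to packets that do not meet the preset condition. The add instruction also rejects a preset IP that is outside the configured address object or already bound to another client, enforcing the requirement that each client has its own distinct preset IP.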
In the embodiment of the present invention, the number of IP addresses on a physical interface of the gateway device is not restricted: there can be as many preset IP addresses as there are clients. Compared with the prior art, in which the number of IP addresses on a physical interface of the gateway device is restricted, the gateway protection method of the embodiment of the present invention improves the practicality of the gateway device.
As can be seen from the above description, the present invention solves the prior-art problem that the gateway is easily attacked, causing network paralysis, and thereby improves the stability and security of network operation.
The sequence numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in a certain embodiment, reference may be made to the related description of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed client may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of units or modules may be electrical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a portable hard drive, a magnetic disk, an optical disc, or other media capable of storing program code.
The above is only the preferred embodiment of the present invention. It should be pointed out that those skilled in the art can also make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the protection scope of the present invention.

Claims (10)

1. A protection method for a gateway, characterized by comprising:
receiving a packet sent by a source;
judging whether said packet meets a preset condition;
when said packet is judged to meet said preset condition, forwarding said packet to a destination; and
when said packet is judged not to meet said preset condition, discarding said packet.
2. The protection method according to claim 1, characterized in that said source is a client, wherein:
judging whether said packet meets the preset condition comprises: judging whether there exists a preset IP address corresponding to the initial IP address of said client;
when said packet is judged to meet the preset condition, forwarding said packet to the destination comprises: when it is judged that said preset IP address corresponding to said initial IP address of said client exists, establishing an association table between said client and said destination, changing said initial IP address in said packet to said preset IP address, and forwarding the updated packet to said destination.
3. The protection method according to claim 2, characterized in that,
before judging whether there exists a preset IP address corresponding to the initial IP address of said source, judging whether said packet meets the preset condition further comprises: judging whether said packet meets an access scope condition;
when said packet is judged to meet the preset condition, forwarding said packet to the destination comprises: when said packet is judged to meet said access scope condition and said preset IP address corresponding to said initial IP address of said client is judged to exist, establishing said association table between said client and said destination, changing said initial IP address in said packet to said preset IP address, and forwarding the updated packet to said destination.
4. The protection method according to claim 1, characterized in that, after receiving the packet sent by the source, said protection method further comprises:
judging whether there exists an association table between said source and said destination,
wherein, when said association table is judged to exist, said packet is forwarded directly to said destination; when said association table is judged not to exist, it is judged whether said packet meets said preset condition, and when said packet is judged to meet said preset condition, said packet is forwarded to said destination.
5. The protection method according to claim 1, characterized in that said source is a client, and before receiving the packet sent by the source, said protection method further comprises:
receiving an add instruction, said add instruction being used to add a preset IP address;
receiving a configuration instruction; and
configuring said preset condition according to said configuration instruction and said add instruction.
6. A protective device for a gateway, characterized by comprising:
a first receiving unit, for receiving a packet sent by a source;
a first judging unit, for judging whether said packet meets a preset condition;
a first processing unit, for forwarding said packet to a destination when said packet is judged to meet said preset condition; and
a second processing unit, for discarding said packet when said packet is judged not to meet said preset condition.
7. The protective device according to claim 6, characterized in that said source is a client, wherein:
said first judging unit comprises: a first judge module, for judging whether there exists a preset IP address corresponding to the initial IP address of said client;
said first processing unit comprises: a first processing module, for, when it is judged that said preset IP address corresponding to said initial IP address of said client exists, establishing an association table between said client and said destination, changing said initial IP address in said packet to said preset IP address, and forwarding the updated packet to said destination.
8. The protective device according to claim 7, characterized in that,
said first judging unit further comprises: a second judge module, for judging, before judging whether there exists a preset IP address corresponding to the initial IP address of said source, whether said packet meets an access scope condition;
said first processing unit further comprises: a second processing module, for, when said packet is judged to meet said access scope condition and said preset IP address corresponding to said initial IP address of said client is judged to exist, establishing said association table between said client and said destination, changing said initial IP address in said packet to said preset IP address, and forwarding the updated packet to said destination.
9. The protective device according to claim 6, characterized in that said protective device further comprises:
a second judging unit, for judging, after the packet sent by the source is received, whether there exists an association table between said source and said destination,
wherein, when said second judging unit judges that said association table exists, said packet is forwarded directly to said destination; when said second judging unit judges that said association table does not exist, it is judged whether said packet meets said preset condition, and when said packet is judged to meet said preset condition, said packet is forwarded to said destination.
10. The protective device according to claim 6, characterized in that said source is a client, and said protective device further comprises:
a second receiving unit, for receiving an add instruction before the packet sent by the source is received, said add instruction being used to add a preset IP address;
a third receiving unit, for receiving a configuration instruction; and
a configuration unit, for configuring said preset condition according to said configuration instruction and said add instruction.
CN201410848738.3A 2014-12-29 2014-12-29 Gateway protection method and device Active CN104579939B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410848738.3A CN104579939B (en) 2014-12-29 2014-12-29 Gateway protection method and device

Publications (2)

Publication Number Publication Date
CN104579939A true CN104579939A (en) 2015-04-29
CN104579939B CN104579939B (en) 2021-02-12

Family

ID=53095181

Country Status (1)

Country Link
CN (1) CN104579939B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1216657A (en) * 1996-04-24 1999-05-12 北方电讯有限公司 Internet protocol filter
US6353607B1 (en) * 1998-11-20 2002-03-05 Ericsson Inc. IP base GSM inter-MSC handover
CN1992675A (en) * 2005-12-31 2007-07-04 中兴通讯股份有限公司 Method for guarantying interconnection between network address conversion apparatus and external network
CN101106450A (en) * 2007-08-16 2008-01-16 杭州华三通信技术有限公司 Secure protection device and method for distributed packet transfer
CN101132424A (en) * 2007-09-29 2008-02-27 杭州华三通信技术有限公司 Network address conversion method and device thereof
US20080127297A1 (en) * 2006-11-29 2008-05-29 Red Hat, Inc. Method and system for sharing labeled information between different security realms
EP1940112A2 (en) * 2006-12-27 2008-07-02 Fujitsu Ltd. Method for protecting against failures of the Mobile IP home agent, AAA server, and radio access network gateway apparatus
CN101286884A (en) * 2008-05-15 2008-10-15 杭州华三通信技术有限公司 Method for implementing non-status multi-host backup and proxy gateway
CN101753637A (en) * 2009-12-17 2010-06-23 北京星网锐捷网络技术有限公司 Method and network address translation device preventing network attacks
CN101989909A (en) * 2009-08-04 2011-03-23 西安交大捷普网络科技有限公司 Access link overwriting method of SSL VPN
CN102014115A (en) * 2010-07-09 2011-04-13 北京哈工大计算机网络与信息安全技术研究中心 Method, device and system for anonymizing gateway node
US20120096271A1 (en) * 2010-10-15 2012-04-19 Microsoft Corporation Remote Access to Hosted Virtual Machines By Enterprise Users
CN103491088A (en) * 2013-09-22 2014-01-01 成都卫士通信息产业股份有限公司 Method for processing IPSec VPN gateway data
CN103731820A (en) * 2014-01-12 2014-04-16 绵阳师范学院 Method for access control based on MAC address conversion in IPv6 wireless router
US20140223540A1 (en) * 2002-09-20 2014-08-07 Fortinet, Inc. Firewall interface configuration to enable bi-directional voip traversal communications
US20140283004A1 (en) * 2013-03-12 2014-09-18 Centripetal Networks, Inc. Filtering network data transfers

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105743788A (en) * 2016-01-26 2016-07-06 北京小米移动软件有限公司 Data packet forwarding method and device
CN107104929A (en) * 2016-02-23 2017-08-29 阿里巴巴集团控股有限公司 The methods, devices and systems of defending against network attacks
CN107979517A (en) * 2016-10-25 2018-05-01 北京国双科技有限公司 A kind of processing method and processing device of network request
CN107979517B (en) * 2016-10-25 2021-05-18 北京国双科技有限公司 Network request processing method and device
CN108123916A (en) * 2016-11-28 2018-06-05 中国移动通信集团辽宁有限公司 Network safety protection method, device, server and system
CN108123916B (en) * 2016-11-28 2021-10-29 中国移动通信集团辽宁有限公司 Network security protection method, device, server and system

Also Published As

Publication number Publication date
CN104579939B (en) 2021-02-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing, 100032

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: 100085 1st floor, Section II, No.7 Kaifa Road, Shangdi Information Industry base, Haidian District, Beijing

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.