CN105721334A - Method and device for determining transmission path and updating ACL (access control list) - Google Patents


Info

Publication number
CN105721334A
Authority
CN
China
Prior art keywords
message
rule information
transmission
controller
request information
Legal status
Granted
Application number
CN201410730053.9A
Other languages
Chinese (zh)
Other versions
CN105721334B (en)
Inventor
于杰
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Events
  • Application filed by China Mobile Communications Group Co Ltd
  • Priority to CN201410730053.9A
  • Publication of CN105721334A
  • Application granted
  • Publication of CN105721334B
  • Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the technical field of network communication, and in particular to a method and device for determining a transmission path and updating an ACL (access control list), so as to solve the problem that the load on a current firewall is excessive. The method comprises the steps of: after a controller receives request information sent by a sending end to apply for communication, determining the transmission rule information for the request information from a first ACL according to the request information; after determining according to the transmission rule information that the sending end may transmit the message to a receiving end, determining a transmission path from the sending end to the receiving end; and notifying the switches in the transmission path of the transmission path. According to the technical scheme of the invention, because a first ACL, against which the request information for applying for communication sent by the sending end can be checked, is added to the controller, the controller can determine the transmission rule information for the request information according to the corresponding configuration information in the ACL, thereby reducing the load on the firewall.

Description

Method and device for determining a transmission path and updating an ACL
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and device for determining a transmission path and updating an ACL.
Background technology
In the field of computer networks, a firewall is a combination of software and hardware that helps ensure information security and protects the network equipment from intrusion by unauthorized users; it consists of four parts: service access rules, verification tools, packet filtering, and an application gateway.
A firewall is a scale of access control applied during network communication; by means of an access control list it defines which packets may access a computer. It can specify the packets that are allowed through and the packets that are not allowed through, and it can also block malicious access in the network.
In an SDN (Software Defined Network), a firewall is indispensable for protecting information security by allowing or restricting the passage of transmitted data. In the prior art, the firewall scheme within an SDN is as follows:
A security policy based on information such as ports and protocols is configured on the firewall in advance. When a host needs to communicate, it sends a packet to its directly connected switch, which reports it to the controller. The controller computes a forwarding path and issues to the switches a path that passes through the firewall. The firewall processes all incoming packets according to the existing security policy.
That is, in the prior art all messages are sent to the firewall for inspection, which easily causes excessive load on the firewall so that messages cannot be transmitted normally.
In summary, because all messages are currently sent to the firewall for inspection, the load on the firewall is excessive.
Summary of the invention
The present invention provides a method and device for determining a transmission path and updating an ACL, in order to solve the problem in the prior art that all messages are sent to the firewall for inspection, so that the load on the firewall is excessive.
An embodiment of the present invention provides a method for determining a transmission path, including:
after a controller receives request information sent by a sending end to apply for communication, the controller determines the transmission rule information for the request information from a first access control list (ACL) according to the request information;
after the controller determines, according to the transmission rule information, that the sending end may transmit a message to the receiving end, it determines the transmission path from the sending end to the receiving end;
the controller notifies the switches in the transmission path of the transmission path.
Because a first ACL, against which the request information for applying for communication sent by the sending end can be checked, is added to the controller, the controller can determine the transmission rule information for the request information according to the corresponding configuration information in the ACL, thereby reducing the load on the firewall.
Preferably, after the controller receives the request information sent by the sending end to apply for communication, the method further includes:
if the controller cannot determine the transmission rule information for the request information from the first ACL according to the request information, the controller sends the request information to the firewall;
after the controller receives the transmission rule information for the request information sent by the firewall, it updates the first ACL according to that transmission rule information and determines the transmission rule information for the request information from the first ACL;
after the controller determines, according to the transmission rule information, that the sending end may transmit a message to the receiving end, it determines the transmission path from the sending end to the receiving end;
the controller notifies the switches in the transmission path of the transmission path.
Because the controller sends the request information to the firewall for inspection only when it cannot determine the transmission rule information itself, the load on the firewall is reduced.
Preferably, after the controller receives the transmission rule information for the request information from the firewall, the method further includes:
if the firewall does not send the transmission rule information for the request information by means of a second ACL, the controller places the received request information and its transmission rule information into the first ACL; or
if the firewall sends the transmission rule information for the request information by means of a second ACL, the controller updates the first ACL according to the received second ACL.
Because the controller updates the first ACL according to the second ACL or the transmission rule information updated by the firewall, the controller can determine the transmission rule information for the same request information directly from the first ACL when it receives that request information again, and determine the transmission path from the transmission rule information so determined; the controller can thus determine different transmission paths for different request information, further reducing the load on the firewall.
Preferably, the controller determines whether the sending end may transmit a message to the receiving end in the following manner:
if the transmission rule information is "allow request" or "security request", the controller determines that the sending end is allowed to transmit the message to the receiving end;
if the transmission rule information is "suspicious request", the controller sends the request information to the firewall and determines, according to the firewall's notification, whether the sending end is allowed to transmit the message to the receiving end;
if the transmission rule information is "refusal request", the controller determines that the sending end is not allowed to transmit the message to the receiving end.
Because the controller makes a preliminary judgement on the request information when it receives it, the controller can determine the most suitable transmission path for the message according to the different transmission rule information.
Preferably, if the transmission rule information is "allow request", or if it is "suspicious request" and the sending end is allowed to transmit the message to the receiving end according to the firewall's notification, the transmission path includes the firewall;
if the transmission rule information is "security request", the transmission path does not include the firewall.
Because the controller can determine different transmission paths according to different transmission rule information, the load on the firewall is reduced.
Preferably, after the controller notifies the switches in the transmission path of the transmission path, the method further includes:
after the controller receives updated transmission rule information sent by the firewall, it updates the first ACL according to the updated transmission rule information;
the controller re-determines the transmission rule information for the request information according to the updated ACL;
after the controller determines, according to the transmission rule information, that the sending end may transmit a message to the receiving end, it determines the transmission path from the sending end to the receiving end;
the controller notifies the switches in the transmission path of the transmission path.
Because the transmission rule information for the request message can change dynamically as needed, the controller can determine the transmission path dynamically according to the transmission rule information.
Preferably, after the controller notifies the switches in the transmission path of the transmission path, and before it receives the updated transmission rule information for the request information notified by the firewall, the method further includes:
the controller samples the messages corresponding to the request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to the request information to the firewall.
Because a mechanism of sampling the transmitted messages is adopted, the security of message transmission is further ensured.
Preferably, after the controller re-determines the transmission rule information for the request information according to the updated ACL, the method further includes:
if the re-determined transmission rule information for the request information is "suspicious request", the controller samples the messages corresponding to other request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to the other request information to the firewall.
Because all messages are sampled once the transmission rule information for the request information is determined to be "suspicious request", the security of information transmission is increased.
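The sampling behaviour of the three preceding preferred embodiments, as an added illustration (example code written for this page, not the applicant's implementation): an admitted flow is sampled at a fractional rate and the samples go to the firewall; when the firewall reports a suspect sample, the controller updates the rule to "suspicious request" (identification code 004) and escalates the other flows between the same sending end and receiving end to full-sample inspection. The 1-in-N rate, the "SUSPECT" payload marker standing in for the firewall's security policy, and the flows in demo() are constructed assumptions.

```python
"""Sampling mechanism of the preferred embodiments above: the controller samples
messages of an admitted flow and sends the samples to the firewall; when the
firewall reports a suspect sample, the rule is updated to 'suspicious request'
(004) and inspection escalates from fractional to full sampling for the other
flows between the same sending end and receiving end.
Example code written for this page, not the applicant's; the 1-in-N rate, the
'SUSPECT' payload marker and the flows used in demo() are constructed."""
from collections import defaultdict

SECURE, SUSPICIOUS = "003", "004"   # identification codes used here


def firewall_is_suspect(payload):
    """Toy stand-in for the firewall's preset security policy (constructed)."""
    return b"SUSPECT" in payload


class SamplingController:
    def __init__(self, first_acl, sample_every=4):
        self.first_acl = first_acl              # (src, dst, msg_type) -> code
        self.sample_every = sample_every        # fractional sampling: 1 in N
        self.full_sample = set()                # (src, dst) pairs under full sampling
        self.counters = defaultdict(int)        # messages seen per flow
        self.firewall_queries = 0               # samples handed to the firewall

    def interval(self, key):
        # Flows between an escalated endpoint pair are sampled on every message.
        return 1 if (key[0], key[1]) in self.full_sample else self.sample_every

    def forward(self, key, payload):
        """Forward one message of flow `key`; return True if it was sampled."""
        self.counters[key] += 1
        if self.counters[key] % self.interval(key) != 0:
            return False
        self.firewall_queries += 1
        if firewall_is_suspect(payload):
            self.on_firewall_update(key, SUSPICIOUS)
        return True

    def on_firewall_update(self, key, code):
        """Apply an updated rule from the firewall; escalate to full sampling on 004."""
        self.first_acl[key] = code
        if code == SUSPICIOUS:
            self.full_sample.add((key[0], key[1]))


def demo():
    """Constructed scenario: two flows between A and B, both initially 'security request'."""
    acl = {("A", "B", "http"): SECURE, ("A", "B", "dns"): SECURE}
    ctl = SamplingController(acl, sample_every=4)
    http, dns = ("A", "B", "http"), ("A", "B", "dns")
    benign = b"GET /index.html"
    # Seven benign http messages: only the fourth one is sampled (1 in 4).
    sampled_before = sum(ctl.forward(http, benign) for _ in range(7))
    # The eighth message is the next sample and carries the constructed marker.
    ctl.forward(http, b"GET /?q=SUSPECT")
    # After escalation every dns message between A and B is sampled as well.
    sampled_dns = sum(ctl.forward(dns, b"query example.test") for _ in range(3))
    return {
        "sampled_before": sampled_before,
        "http_rule": ctl.first_acl[http],
        "sampled_dns": sampled_dns,
        "firewall_queries": ctl.firewall_queries,
    }
```

Before the escalation the firewall sees one message in four; afterwards it sees every message of the other flows between the same pair, which is the "fractional sampling changed into full-sample inspection" meaning the text later gives to code 004.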
Preferably, after the controller determines the transmission rule information for the request information, the method further includes:
after the controller determines, according to the transmission rule information for the request information, that the sending end is not allowed to transmit the message to the receiving end, it notifies all switches connected to the sending end.
An embodiment of the present invention provides a method for updating an access control list (ACL), including:
after a firewall receives request information sent by a controller, it determines the transmission rule information for the request information according to a preset security policy;
the firewall sends the transmission rule information, or a second ACL containing the determined transmission rule information, to the controller, so that the controller updates, according to the received transmission rule information or second ACL, the ACL used to determine whether to allow the transmission corresponding to the request information.
Because the firewall can send the transmission rule information, or a second ACL containing the determined transmission rule information, to the controller, the controller can update the ACL used to determine whether to allow the transmission corresponding to the request information according to the received transmission rule information or second ACL, thereby reducing the load on the firewall.
Preferably, the method further includes:
after the firewall receives a message sent by the sending end to the receiving end, it judges whether the message is safe according to the preset security policy;
if so, it sends the message to the corresponding switch according to the address information recorded in the message;
otherwise, it notifies the controller to refuse to transmit the message.
Preferably, after the firewall receives the request information sent by the controller and determines the transmission rule information for the request information according to the preset security policy:
if the determined transmission rule information for the request information is "suspicious request", the firewall inspects the messages corresponding to other request information transmitted between the sending end and the receiving end;
where the sending end and receiving end are the sending end and receiving end that transmit the messages corresponding to the request information.
Preferably, after the firewall sends the transmission rule information or the updated second ACL to the controller for updating the first ACL, the method further includes:
the firewall inspects the sampled messages from the controller according to the preset security policy;
after the firewall detects that a sampled message is a suspect message, it notifies the controller.
An embodiment of the present invention provides a controller for determining a transmission path, including:
a first determining module, configured to determine, after receiving request information sent by a sending end to apply for communication, the transmission rule information for the request information from a first access control list (ACL) according to the request information;
a second determining module, configured to determine the transmission path from the sending end to the receiving end after determining, according to the transmission rule information, that the sending end may transmit a message to the receiving end;
a notification module, configured to notify the switches in the transmission path of the transmission path.
Preferably, the first determining module is further configured to:
after receiving the request information sent by the sending end to apply for communication, when the transmission rule information for the request information cannot be determined from the first ACL according to the request information, send the request information to the firewall, and after receiving the transmission rule information for the request information sent by the firewall, update the first ACL according to that transmission rule information and determine the transmission rule information for the request information from the first ACL;
the second determining module is further configured to:
after receiving the request information sent by the sending end to apply for communication, determine the transmission path from the sending end to the receiving end after determining, according to the transmission rule information, that the sending end may transmit a message to the receiving end;
the notification module is further configured to:
after receiving the request information sent by the sending end to apply for communication, notify the switches in the transmission path of the transmission path.
Preferably, the first determining module is further configured to:
after receiving the transmission rule information for the request information from the firewall, if the firewall does not send the transmission rule information for the request information by means of a second ACL, place the received request information and its transmission rule information into the first ACL; or, if the firewall sends the transmission rule information for the request information by means of a second ACL, update the first ACL according to the received second ACL.
Preferably, the second determining module is further configured to:
if the transmission rule information is "allow request" or "security request", determine that the sending end is allowed to transmit the message to the receiving end; if the transmission rule information is "suspicious request", send the request information to the firewall and determine, according to the firewall's notification, whether the sending end is allowed to transmit the message to the receiving end; if the transmission rule information is "refusal request", determine that the sending end is not allowed to transmit the message to the receiving end.
Preferably, the first determining module is further configured to:
after notifying the switches in the transmission path of the transmission path, and after receiving updated transmission rule information sent by the firewall, update the first ACL according to the updated transmission rule information, and re-determine the transmission rule information for the request information according to the updated ACL;
the second determining module is further configured to:
after notifying the switches in the transmission path of the transmission path, determine the transmission path from the sending end to the receiving end after determining, according to the transmission rule information, that the sending end may transmit a message to the receiving end;
the notification module is further configured to:
after notifying the switches in the transmission path of the transmission path, notify the switches in the transmission path of the newly determined transmission path.
Preferably, the controller further includes:
a sampling module, configured to sample, after the switches in the transmission path have been notified of the transmission path and before the updated transmission rule information for the request information is notified by the firewall, the messages corresponding to the request information transmitted between the sending end and the receiving end, and to send the sampled messages corresponding to the request information to the firewall.
Preferably, the sampling module is further configured to:
after the transmission rule information for the request information has been re-determined according to the updated ACL, if the re-determined transmission rule information for the request information is "suspicious request", sample the messages corresponding to other request information transmitted between the sending end and the receiving end, and send the sampled messages corresponding to the other request information to the firewall.
Preferably, the notification module is further configured to:
after the transmission rule information for the request information has been determined, and after it has been determined according to that transmission rule information that the sending end is not allowed to transmit the message to the receiving end, notify all switches connected to the sending end.
An embodiment of the present invention provides a firewall device for updating an access control list (ACL), including:
a third determining module, configured to determine, after receiving request information sent by a controller, the transmission rule information for the request information according to a preset security policy;
an update module, configured to send the transmission rule information, or a second ACL containing the determined transmission rule information, to the controller, so that the controller updates, according to the received transmission rule information or second ACL, the ACL used to determine whether to allow the transmission corresponding to the request information.
Preferably, the third determining module is further configured to:
after receiving a message sent by the sending end to the receiving end, judge whether the message is safe according to the preset security policy;
if so, send the message to the corresponding switch according to the address information recorded in the message;
otherwise, notify the controller to refuse to transmit the message.
Preferably, the third determining module is further configured to:
after receiving the request information sent by the controller and determining the transmission rule information for the request information according to the preset security policy, if the determined transmission rule information for the request information is "suspicious request", inspect the messages corresponding to other request information transmitted between the sending end and the receiving end;
where the sending end and receiving end are the sending end and receiving end that transmit the messages corresponding to the request information.
Preferably, the update module is further configured to:
after the transmission rule information or the updated second ACL has been sent to the controller for updating the first ACL, inspect the sampled messages from the controller according to the preset security policy, and notify the controller after detecting that a sampled message is a suspect message.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the method for determining a transmission path according to embodiment one of the present invention;
Fig. 2 is a schematic diagram of a firewall security architecture based on SDN;
Fig. 3 is a schematic flow chart of the method for determining a transmission path according to embodiment two of the present invention;
Fig. 4 is a schematic flow chart of the method for determining a transmission path according to embodiment three of the present invention;
Fig. 5 is a schematic diagram of the controller for determining a transmission path according to embodiment four of the present invention;
Fig. 6 is a schematic diagram of the firewall device for updating an access control list (ACL) according to embodiment five of the present invention.
Detailed description of the embodiments
After the controller of the embodiment of the present invention receives request information sent by a sending end to apply for communication, it determines the transmission rule information for the request information from a first access control list (ACL) according to the request information; after determining, according to the transmission rule information, that the sending end may transmit a message to the receiving end, it determines the transmission path from the sending end to the receiving end; it then notifies the switches in the transmission path of the transmission path. Because this technical scheme adds to the controller a first ACL against which the request information for applying for communication sent by the sending end can be checked, the controller can determine the transmission rule information for the request information according to the corresponding configuration information in the ACL, thereby reducing the load on the firewall.
After the firewall of the embodiment of the present invention receives request information sent by the controller, it determines the transmission rule information for the request information according to a preset security policy, and sends the transmission rule information, or a second ACL containing the determined transmission rule information, to the controller, so that the controller updates, according to the received transmission rule information or second ACL, the ACL used to determine whether to allow the transmission corresponding to the request information. Because in this technical scheme the firewall can send the transmission rule information, or a second ACL containing it, to the controller, the controller can update the first ACL according to the received transmission rule information or second ACL and determine the transmission rule information for the request information from the updated ACL, thereby reducing the load on the firewall.
The embodiments of the present invention are described in further detail below with reference to the drawings.
As shown in Fig. 1, the method for determining a transmission path according to embodiment one of the present invention includes:
Step 100: after the controller receives request information sent by a sending end to apply for communication, it determines the transmission rule information for the request information from a first access control list (ACL) according to the request information;
Step 101: after the controller determines, according to the transmission rule information, that the sending end may transmit a message to the receiving end, it determines the transmission path from the sending end to the receiving end;
Step 102: the controller notifies the switches in the transmission path of the transmission path.
The embodiment of the present invention can be applied to any architecture. If it is applied to the SDN (Software Defined Network) architecture shown in Fig. 2, the first ACL may be stored in a firewall agent application (Firewall Agent Application), and the controller can query the first ACL through the firewall agent application.
The request information is the request that the sending end sends to the controller when it wishes to send a message to a receiving end; it includes information such as the address information of the sending end and the receiving end, and the type and size of the message the sending end will send to the receiving end.
The transmission rule information consists of different identification codes that the user defines as needed and adds to an empty field of the NETCONF protocol, where different identification codes represent different transmission rule information.
The identification codes added to the empty field of the NETCONF protocol are shown in Table 1.
Table 1
Identification code    Explanation of field
001                    Allow request
002                    Refusal request
003                    Security request
004                    Suspicious request
When the identification code is 001 it represents an allow request; when it is 002 it represents a refusal request; when it is 003 it represents a security request; when it is 004 it represents a suspicious request.
Here, an allow request means that the controller determines that the sending end may transmit the message to the receiving end, but the message must pass through the firewall before being forwarded to the receiving end;
a refusal request means that the controller determines that the sending end may not transmit the message to the receiving end, and sends a notification refusing this request to the switch connected to the sending end;
a security request means that the controller determines that the sending end may transmit the message to the receiving end, and the message is sent directly to the receiving end through the switches without passing through the firewall;
a suspicious request means that the controller changes from inspecting a fraction of samples of the messages sent from the sending end to the receiving end to full-sample inspection.
The identification code 001 may also represent a suspicious request, a refusal request, a security request, or a request other than these four, and the same applies to identification codes 002, 003 and 004, which is not repeated here. There may be one, two or four identification codes, as the user configures according to need; in addition, the user may add, delete or modify transmission rule information in a personalized manner as needed.
After the controller determines, according to the transmission rule information for the request information, that the sending end may transmit the message to the receiving end, it determines the transmission path from the sending end to the receiving end.
If the controller determines, according to the transmission rule information for the request information, that the sending end may not transmit the message to the receiving end, the controller sends a notification refusing this request to the switch connected to the sending end.
Preferably, after the controller receives the request information, sent by the sending end, applying for communication, the method further includes:
if the controller cannot determine the transmission rule information of the request information from the first ACL according to the request information, the controller sends the request information to the firewall;
after the controller receives the transmission rule information of the request information sent by the firewall, it updates the first ACL according to that transmission rule information and then determines the transmission rule information of the request information from the first ACL;
after the controller determines, according to the transmission rule information, that the sending end may transmit the message to the receiving end, it determines the transmission path from the sending end to the receiving end;
the controller notifies the switches on the transmission path of the transmission path.
That is, when the controller receives new request information whose transmission rule information cannot be determined from the ACL in the controller, the controller sends the request information to the firewall, and the firewall determines the transmission rule information of the request information, i.e. its identification code, according to a preset security policy.
After the firewall has determined the transmission rule information of the request information, it sends it to the controller; the controller records the request information and its identification code in the first ACL, thereby updating the first ACL, so that when the controller receives the same request information again it need not send it to the firewall for judgement a second time.
Taking the network architecture of Fig. 2 as an illustration: when server A first applies to send a message to server B, server A sends request information to the controller. Because the ACL in the controller holds no transmission rule information corresponding to that request information, the request information sent by server A has to be sent to the firewall, and the firewall determines the transmission rule information of the request information according to the preset security policy. After the firewall has determined the transmission rule information of the request information, it sends it to the controller; the controller updates the ACL in the controller according to the transmission rule information, then determines the transmission rule information of the request information from the ACL in the controller, and, after determining that the message sent by the sending end may be sent to the receiving end, determines the transmission path of the message.
Preferably, after the controller receives the transmission rule information of the request information from the firewall, the method further includes:
if the firewall sends the transmission rule information of the request information without a second ACL, the controller places the request information and the received transmission rule information of the request information in the first ACL; or
if the firewall sends the transmission rule information of the request information by means of a second ACL, the controller updates the first ACL according to the received second ACL.
That is, the controller may update the first ACL according to the transmission rule information of the request information sent by the firewall, or according to the updated second ACL sent by the firewall.
For the network architecture of Fig. 2, the firewall sends the updated ACL to the controller and the controller updates the ACL in the controller according to the updated ACL; alternatively, the firewall sends the transmission rule information to the controller and the controller updates the ACL in the controller according to the transmission rule information.
Preferably, the controller determines whether the sending end may transmit the message to the receiving end as follows:
if the transmission rule information is an allow request or a security request, the controller determines that the sending end is allowed to transmit the message to the receiving end;
if the transmission rule information is a suspicious request, the controller sends the request information to the firewall and determines whether the sending end may transmit the message to the receiving end according to the notice from the firewall;
if the transmission rule information is a refusal request, the controller determines that the sending end is not allowed to transmit the message to the receiving end.
Preferably, if the transmission rule information is an allow request, or if it is a suspicious request and the sending end is allowed to transmit the message to the receiving end according to the notice from the firewall, the transmission path includes the firewall.
If the transmission rule information is a security request, the transmission path does not include the firewall.
That is, when the transmission rule information, i.e. the identification code, is a security request, the message sent from the sending end to the receiving end has been determined to be safe, so the message need not be transmitted to the firewall;
when the transmission rule information, i.e. the identification code, is an allow request, the message sent from the sending end to the receiving end has been determined to be transmissible, but it still needs to be transmitted to the firewall for judgement.
For the network architecture of Fig. 2, when the transmission rule information of the request information that server C sends to transmit to server D is an allow request, the transmission path may be server C -> switch I -> firewall -> switch I -> server D; when the transmission rule information of the request information that server A sends to transmit to server B is a suspicious request, and it is determined according to the notice from the firewall that the sending end is allowed to transmit the message to the receiving end, the transmission path may be server A -> switch II -> firewall -> switch II -> server B.
When the transmission rule information of the request information sent by server B to server C is a security request, the transmission path determined by the controller is server B -> switch III -> server C. This path is the optimal transmission path: it passes through the fewest forwarding devices, and the switch is in its normal working state.
Preferably, after the controller notifies the switches on the transmission path of the transmission path, the method further includes:
after the controller receives updated transmission rule information sent by the firewall, it updates the first ACL according to the updated transmission rule information;
the controller re-determines the transmission rule information of the request information according to the updated ACL;
after the controller determines, according to the transmission rule information, that the sending end may transmit the message to the receiving end, it determines the transmission path from the sending end to the receiving end;
the controller notifies the switches on the transmission path of the transmission path.
Specifically, if the transmission rule information, i.e. the identification code, of the request information is an allow request and, according to the firewall's preset security policy, the traffic is safe within a threshold range, for example the messages corresponding to the allow request that pass through the firewall over a period of time are all safe, the firewall revises the transmission rule information of the request information corresponding to that message to a security request and sends the revised transmission rule information to the controller; the messages sent from the sending end to the receiving end then no longer need to pass through the firewall for judgement.
If the transmission rule information, i.e. the identification code, of the request information is an allow request and, according to the firewall's preset security policy, for example 100 messages are all found safe after detection, the firewall revises the transmission rule information of the request information corresponding to that message to a security request. The firewall's preset security policy may be configured differently according to different needs and is not limited to the above manner of dynamically revising transmission rule information.
In implementation, the transmission rule information of request information is not fixed; it may be changed dynamically according to the security policy preset in the firewall, where the security policy preset in the firewall is configured in the firewall according to the user's needs.
Preferably, after the controller notifies the switches on the transmission path of the transmission path and before it receives the updated transmission rule information of the request information notified by the firewall, the method further includes:
the controller samples the messages corresponding to the request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to the request information to the firewall.
The sampling may follow a preset condition determined by the controller, for example the controller notifies the switch to send the transmitted messages to the controller after a period of time, or the switch sends every 100th message to the controller after every 99 messages, so that the controller samples the transmitted messages. The form of sampling is not limited to these ways, as long as the controller can obtain the transmitted messages.
Preferably, after the controller re-determines the transmission rule information of the request information according to the updated ACL, the method further includes:
if the re-determined transmission rule information of the request information is a suspicious request, the controller samples the messages corresponding to other request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to the other request information to the firewall.
That is, after the controller updates the first ACL and re-determines the request information to be a suspicious request, the controller samples 100% of the messages sent between the sending end and the receiving end, i.e. monitors them completely; after a period of detection, if no illegal or dangerous message is found according to the firewall's preset security policy, the transmission rule information of the request information is re-determined.
Illustrating with Fig. 2: after the controller receives the request information in which server A applies to send a message to server B and determines that the request information is a suspicious request, the controller sends the other messages transmitted between server A and server B to the firewall for detection. If, after the firewall has detected for a period of time, or has detected a full 100 messages, or according to a security policy of another form, no abnormality is found, the transmission rule information of the request information corresponding to the messages is dynamically revised to a security request, and the controller resumes sampled detection of the messages between A and B.
Preferably, after the controller determines the transmission rule information of the request information, the method further includes:
after the controller determines, according to the transmission rule information of the request information, that the sending end is not allowed to transmit the message to the receiving end, it notifies all switches connected to the sending end.
Illustrating with Fig. 2: if the controller determines according to the first ACL that the transmission rule information of the request information in which server A applies to communicate with server B is a refusal request, it notifies switch I, switch II, switch III, switch IV, ... connected to server A to refuse this request.
As shown in Fig. 3, the method for updating an access control list (ACL) according to embodiment two of the present invention includes:
Step 300: after receiving the request information sent by the controller, the firewall determines the transmission rule information of the request information according to a preset security policy;
Step 301: the firewall sends the transmission rule information, or a second ACL containing the determined transmission rule information, to the controller, so that the controller updates, according to the received transmission rule information or second ACL, the first ACL used to determine whether the transmission corresponding to the request information is allowed.
It should be noted that the controller sends the request information to the firewall only when the controller cannot determine its transmission rule information.
After the update, the firewall sends the second ACL containing the determined transmission rule information, or the transmission rule information itself, to the controller to update the first ACL of the controller, so that when the controller receives the same request information again it can determine the transmission path of the message directly from the first ACL without sending the request information to the firewall.
Preferably, after the firewall receives a message sent from the sending end to the receiving end, it judges whether the message is safe according to the preset security policy;
if so, it sends the message to the corresponding switch according to the address information recorded in the message;
otherwise, it notifies the controller to refuse transmission of the message.
Because the controller requires the message to be transmitted to the firewall for judgement when it determines that the transmission rule information of the request information is an allow request, the firewall proceeds as follows.
If the message is safe, the firewall returns it, according to the address information recorded in the message, to the switch that sent it to the firewall; if the message is unsafe, the firewall revises the transmission rule information of the request information corresponding to the message to a refusal request, sends that transmission rule information to the controller, and notifies the controller to refuse transmission of the message; the controller then notifies the switch connected to the sending end to discard the message.
Illustrating with Fig. 2: after the firewall receives a message sent by server A to server B, it determines whether the message is safe. If the controller has determined that the transmission path of the message is server A -> switch I -> firewall -> switch I -> server B, then, when the firewall determines the message to be a safe message, it returns the message to switch I; otherwise it revises the transmission rule information of the request information corresponding to the message to a refusal request and sends it to the controller, and the controller notifies switch I to refuse this request.
Preferably, after the firewall receives the request information sent by the controller and determines the transmission rule information of the request information according to the preset security policy:
if the determined transmission rule information of the request information is a suspicious request, the firewall detects the messages corresponding to other request information transmitted between the sending end and the receiving end;
where the sending end and the receiving end are the sending end and receiving end that transmit the messages corresponding to the request information.
Illustrating with Fig. 2: if the transmission rule information of the request information between server A and server B is determined to be a suspicious request, the firewall detects the messages corresponding to other request information between server A and server B.
Preferably, after the firewall sends the transmission rule information or the updated second ACL to the controller for updating the first ACL, the method further includes:
the firewall detects the sampled messages from the controller according to the preset security policy;
after detecting that a sampled message is a suspect message, the firewall notifies the controller.
Illustrating with Fig. 2: if the firewall receives the transmitted messages that the controller has sampled between server A and server B, it detects the sampled messages according to the preset security policy; if a sampled message is a suspect message, it notifies the controller, so that the controller has all messages between server A and server B detected.
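The dynamic revision of transmission rule information and the message sampling described above (allow request promoted to security request after safe messages, suspect sample leading to 100% detection, unsafe message leading to a refusal request), as an added Python simulation that is not code from the patent. The verdict labels "safe", "suspect" and "unsafe", the threshold of 100 consecutive safe messages, the every-100th sampling and the server A to server B flow are constructed assumptions taken from the illustrations in the text.

```python
"""Simulated dynamic revision of transmission rule information and message
sampling, for the controller side and the firewall side described above.
Added example, not code from the patent. The verdicts the preset security
policy yields ("safe", "suspect", "unsafe") and the 100-message threshold are
constructed from the text's illustrations; the policy itself is a stand-in."""
from dataclasses import dataclass, field
from enum import Enum


class RuleType(Enum):
    ALLOW = "allow request"
    SECURITY = "security request"
    SUSPICIOUS = "suspicious request"
    REFUSE = "refusal request"


@dataclass
class Firewall:
    """Firewall side: holds the second ACL and revises rules per its preset policy."""
    second_acl: dict                        # (src, dst) -> RuleType
    safe_threshold: int = 100               # the text's illustration: 100 safe messages
    safe_streak: dict = field(default_factory=dict)

    def detect(self, flow, verdict):
        """Inspect one message; return the revised rule, or None if unchanged."""
        if verdict == "unsafe":
            # An unsafe message: revise to a refusal request and notify the controller.
            self.safe_streak[flow] = 0
            self.second_acl[flow] = RuleType.REFUSE
            return RuleType.REFUSE
        if verdict == "suspect":
            # A suspect sampled message: the controller must inspect all traffic.
            self.safe_streak[flow] = 0
            self.second_acl[flow] = RuleType.SUSPICIOUS
            return RuleType.SUSPICIOUS
        self.safe_streak[flow] = self.safe_streak.get(flow, 0) + 1
        if (self.second_acl[flow] in (RuleType.ALLOW, RuleType.SUSPICIOUS)
                and self.safe_streak[flow] >= self.safe_threshold):
            # Enough consecutive safe messages: promote to a security request.
            self.safe_streak[flow] = 0
            self.second_acl[flow] = RuleType.SECURITY
            return RuleType.SECURITY
        return None


@dataclass
class Controller:
    """Controller side: forwards, samples or drops messages according to the first ACL."""
    firewall: Firewall
    first_acl: dict                         # (src, dst) -> RuleType
    sample_every: int = 100                 # the 100th message is sent after 99 pass
    seen: dict = field(default_factory=dict)
    forwarded_to_firewall: int = 0
    rule_updates: list = field(default_factory=list)

    def _goes_to_firewall(self, flow):
        rule = self.first_acl[flow]
        if rule in (RuleType.ALLOW, RuleType.SUSPICIOUS):
            return True                     # allow: path includes firewall; suspicious: 100%
        self.seen[flow] = self.seen.get(flow, 0) + 1
        return self.seen[flow] % self.sample_every == 0   # security request: sampled

    def transmit(self, flow, verdict):
        """Handle one message; returns "forwarded", "inspected" or "dropped"."""
        if self.first_acl[flow] is RuleType.REFUSE:
            return "dropped"                # the sender's switch discards it
        if not self._goes_to_firewall(flow):
            return "forwarded"              # delivered by the switch without the firewall
        self.forwarded_to_firewall += 1
        revised = self.firewall.detect(flow, verdict)
        if revised is not None:
            self.first_acl[flow] = revised  # the firewall's update reaches the first ACL
            self.rule_updates.append(revised)
        return "dropped" if revised is RuleType.REFUSE else "inspected"


def run_scenario():
    """Constructed run for server A -> server B; returns the controller and the
    per-message outcomes so the rule transitions can be checked."""
    flow = ("server A", "server B")
    fw = Firewall(second_acl={flow: RuleType.ALLOW})
    ctl = Controller(firewall=fw, first_acl={flow: RuleType.ALLOW})
    results = []
    results += [ctl.transmit(flow, "safe") for _ in range(100)]  # allow: all inspected, then promoted
    results += [ctl.transmit(flow, "safe") for _ in range(199)]  # security: only the 100th sampled
    results.append(ctl.transmit(flow, "suspect"))                 # the 200th is sampled and suspect
    results += [ctl.transmit(flow, "safe") for _ in range(100)]  # suspicious: 100% inspected, promoted
    results += [ctl.transmit(flow, "safe") for _ in range(99)]
    results.append(ctl.transmit(flow, "unsafe"))                  # the 300th is sampled and unsafe
    results.append(ctl.transmit(flow, "safe"))                    # refusal request: dropped
    return ctl, results
```

Note that under a security request only every 100th message reaches the firewall, so an unsafe message that is not the sampled one is forwarded unexamined; that is the trade-off the sampling rate sets.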
As shown in Fig. 4, the method for determining a transmission path according to embodiment three of the present invention includes:
Step 400: the controller receives the request information, sent by the sending end, applying for communication.
Step 401: the controller judges, according to the request information, whether the transmission rule information of the request information can be determined from the first ACL; if so, step 403 is performed, otherwise step 402 is performed.
Step 402: the controller sends the request information to the firewall; the firewall determines the transmission rule information of the request information according to the preset security policy and sends the transmission rule information to the controller.
Step 403: after the controller determines, according to the transmission rule information, that the sending end may transmit the message to the receiving end, it determines the transmission path from the sending end to the receiving end.
Step 404: the controller notifies the switches on the determined transmission path of the transmission path.
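The procedure in steps 400 to 404, together with the decision rules for allow, security, suspicious and refusal requests and the two ways the first ACL is updated from the firewall, as an added Python simulation that is not code from the patent. The Fig. 2 style topology (servers A to D, switches I to IV), the firewall's policy table and which switch serves each server pair are constructed assumptions chosen to reproduce the paths quoted in the text.

```python
"""Simulated controller for steps 400 to 404 and the decision rules above.
Added example, not code from the patent; the topology, the firewall policy
table and the switch serving each server pair are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class RuleType(Enum):
    ALLOW = "allow request"            # permitted, but the path must include the firewall
    SECURITY = "security request"      # permitted directly through the switch
    SUSPICIOUS = "suspicious request"  # controller defers to the firewall's notice
    REFUSE = "refusal request"         # controller refuses and notifies the sender's switches


@dataclass(frozen=True)
class Request:
    src: str   # sending end
    dst: str   # receiving end


@dataclass
class Firewall:
    """Stand-in for the firewall's preset security policy (constructed)."""
    policy: dict                                          # Request -> RuleType
    allow_suspicious: dict = field(default_factory=dict)  # Request -> bool (its notice)
    send_second_acl: bool = False                         # reply with a whole ACL instead

    def rule_for(self, req):
        """Steps 300/301: return one {request: rule} entry or the whole second ACL."""
        if self.send_second_acl:
            return dict(self.policy)
        return {req: self.policy.get(req, RuleType.REFUSE)}  # unknown flows refused here

    def notice_for_suspicious(self, req):
        return self.allow_suspicious.get(req, False)


@dataclass
class Controller:
    firewall: Firewall
    switch_for: dict                 # (src, dst) -> switch on the path (constructed)
    switches_of: dict                # server -> set of switches attached to it
    first_acl: dict = field(default_factory=dict)   # Request -> RuleType
    firewall_consultations: int = 0

    def lookup_rule(self, req):
        """Steps 401/402: use the first ACL; on a miss ask the firewall and update it."""
        if req not in self.first_acl:
            self.firewall_consultations += 1
            # A single entry is placed in the first ACL; a second ACL is merged into it.
            self.first_acl.update(self.firewall.rule_for(req))
        return self.first_acl[req]

    def may_transmit(self, req, rule):
        """The decision rules: returns (allowed, path_includes_firewall)."""
        if rule is RuleType.ALLOW:
            return True, True
        if rule is RuleType.SECURITY:
            return True, False
        if rule is RuleType.SUSPICIOUS:
            self.firewall_consultations += 1          # every time, even on an ACL hit
            return self.firewall.notice_for_suspicious(req), True
        return False, False                            # refusal request

    def handle_request(self, req):
        """Steps 400 to 404: returns the path, or the switches told to refuse the request."""
        rule = self.lookup_rule(req)
        allowed, via_firewall = self.may_transmit(req, rule)
        if not allowed:
            return {"rule": rule, "path": None,
                    "refused_on": sorted(self.switches_of[req.src])}
        sw = self.switch_for[(req.src, req.dst)]
        path = ([req.src, sw, "firewall", sw, req.dst] if via_firewall
                else [req.src, sw, req.dst])
        return {"rule": rule, "path": path, "refused_on": []}


def build_fig2_controller():
    """Constructed Fig. 2 instance: C->D allow, B->C security, A->B not yet in the
    first ACL and classified as a suspicious request by the firewall."""
    a, b, c, d = "server A", "server B", "server C", "server D"
    fw = Firewall(policy={Request(a, b): RuleType.SUSPICIOUS},
                  allow_suspicious={Request(a, b): True})
    return Controller(
        firewall=fw,
        switch_for={(c, d): "switch I", (a, b): "switch II",
                    (b, c): "switch III", (d, a): "switch IV"},
        switches_of={a: {"switch I", "switch II", "switch III", "switch IV"},
                     b: {"switch II", "switch III"}, c: {"switch I", "switch III"},
                     d: {"switch I", "switch IV"}},
        first_acl={Request(c, d): RuleType.ALLOW, Request(b, c): RuleType.SECURITY},
    )
```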
Based on the same inventive concept, an embodiment of the present invention also provides a controller for determining a transmission path. Because the method corresponding to this controller is the method for determining a transmission path described above, the implementation of the device of this embodiment may refer to the implementation of the method, and repeated parts are not described again.
As shown in Fig. 5, the controller for determining a transmission path according to embodiment four of the present invention includes:
a first determining module 500, configured to, after receiving the request information, sent by the sending end, applying for communication, determine the transmission rule information of the request information from a first access control list (ACL) according to the request information;
a second determining module 501, configured to determine the transmission path from the sending end to the receiving end after determining, according to the transmission rule information, that the sending end may transmit the message to the receiving end;
a notification module 502, configured to notify the switches on the transmission path of the transmission path.
Preferably, the first determining module 500 is further configured to:
after receiving the request information, sent by the sending end, applying for communication, if the transmission rule information of the request information cannot be determined from the first ACL according to the request information, send the request information to the firewall, and, after receiving the transmission rule information of the request information sent by the firewall, update the first ACL according to the transmission rule information of the request information and determine the transmission rule information of the request information from the first ACL;
the second determining module 501 is further configured to:
after the request information, sent by the sending end, applying for communication has been received, determine the transmission path from the sending end to the receiving end after determining, according to the transmission rule information, that the sending end may transmit the message to the receiving end;
the notification module 502 is further configured to:
after the request information, sent by the sending end, applying for communication has been received, notify the switches on the transmission path of the transmission path.
Preferably, the first determining module 500 is further configured to:
after receiving the transmission rule information of the request information from the firewall, if the firewall sends the transmission rule information of the request information without a second ACL, place the request information and the received transmission rule information of the request information in the first ACL; or, if the firewall sends the transmission rule information of the request information by means of a second ACL, update the first ACL according to the received second ACL.
Preferably, the second determining module 501 is further configured to:
if the transmission rule information is an allow request or a security request, determine that the sending end is allowed to transmit the message to the receiving end; if the transmission rule information is a suspicious request, send the request information to the firewall and determine whether the sending end may transmit the message to the receiving end according to the notice from the firewall; if the transmission rule information is a refusal request, determine that the sending end is not allowed to transmit the message to the receiving end.
Preferably, the first determining module 500 is further configured to:
after the switches on the transmission path have been notified of the transmission path, and after updated transmission rule information sent by the firewall has been received, update the first ACL according to the updated transmission rule information, and re-determine the transmission rule information of the request information according to the updated ACL;
the second determining module 501 is further configured to:
after the switches on the transmission path have been notified of the transmission path, determine the transmission path from the sending end to the receiving end after determining, according to the transmission rule information, that the sending end may transmit the message to the receiving end;
the notification module 502 is further configured to:
after the switches on the transmission path have been notified of the transmission path, notify the switches on the newly determined transmission path of that transmission path.
Preferably, the controller further includes:
a sampling module 503, configured to, after the switches on the transmission path have been notified of the transmission path and before the updated transmission rule information of the request information notified by the firewall is received, sample the messages corresponding to the request information transmitted between the sending end and the receiving end and send the sampled messages corresponding to the request information to the firewall.
Preferably, the sampling module 503 is further configured to:
after the transmission rule information of the request information has been re-determined according to the updated ACL, if the re-determined transmission rule information of the request information is a suspicious request, sample the messages corresponding to other request information transmitted between the sending end and the receiving end and send the sampled messages corresponding to the other request information to the firewall.
Preferably, the notification module 502 is further configured to:
after the transmission rule information of the request information has been determined, and after it has been determined according to the transmission rule information of the request information that the sending end is not allowed to transmit the message to the receiving end, notify all switches connected to the sending end.
Based on the same inventive concept, an embodiment of the present invention also provides a firewall device for updating an access control list (ACL). Because the method corresponding to this firewall device is the method for updating an ACL described above, the implementation of the device of this embodiment may refer to the implementation of the method, and repeated parts are not described again.
As shown in Fig. 6, the firewall device for updating an ACL according to embodiment five of the present invention includes:
a third determining module 600, configured to, after receiving the request information sent by the controller, determine the transmission rule information of the request information according to a preset security policy;
an updating module 601, configured to send the transmission rule information, or a second ACL containing the determined transmission rule information, to the controller, so that the controller updates, according to the received transmission rule information or second ACL, the first ACL used to determine whether the transmission corresponding to the request information is allowed.
Preferably, the third determining module 600 is further configured to:
after receiving a message sent from the sending end to the receiving end, judge whether the message is safe according to the preset security policy;
if so, send the message to the corresponding switch according to the address information recorded in the message;
otherwise, notify the controller to refuse transmission of the message.
Preferably, the third determining module 600 is further configured to:
after receiving the request information sent by the controller and determining the transmission rule information of the request information according to the preset security policy, if the determined transmission rule information of the request information is a suspicious request, detect the messages corresponding to other request information transmitted between the sending end and the receiving end;
where the sending end and the receiving end are the sending end and receiving end that transmit the messages corresponding to the request information.
Preferably, the updating module 601 is further configured to:
after sending the transmission rule information or the updated second ACL to the controller for updating the first ACL, detect the sampled messages from the controller according to the preset security policy, and notify the controller after detecting that a sampled message is a suspect message.
Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art may make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims (25)

1. A method for determining a transmission path, characterized in that the method comprises:
after a controller receives a request sent by a sender to apply for communication, determining, according to the request, the transmission rule information of the request from a first access control list (ACL);
after the controller determines, according to the transmission rule information, that the sender is permitted to send messages to the receiver, determining the transmission path from the sender to the receiver;
the controller notifying the switches on the transmission path of that transmission path.
2. The method of claim 1, characterized in that after the controller receives the request sent by the sender to apply for communication, the method further comprises:
when the controller cannot determine the transmission rule information of the request from the first ACL according to the request, the controller sending the request to a firewall;
after the controller receives the transmission rule information of the request sent by the firewall, updating the first ACL according to that transmission rule information and determining the transmission rule information of the request from the first ACL;
after the controller determines, according to the transmission rule information, that the sender is permitted to send messages to the receiver, determining the transmission path from the sender to the receiver;
the controller notifying the switches on the transmission path of that transmission path.
3. The method of claim 2, characterized in that after the controller receives the transmission rule information of the request from the firewall, the method further comprises:
if the firewall did not send the transmission rule information of the request by way of a second ACL, the controller placing the request and the received transmission rule information of the request into the first ACL; or
if the firewall sent the transmission rule information of the request by way of a second ACL, the controller updating the first ACL according to the received second ACL.
4. The method of claim 1, characterized in that the controller determines whether the sender is permitted to send messages to the receiver as follows:
if the transmission rule information is an allow request or a secure request, the controller determines that the sender is permitted to send messages to the receiver;
if the transmission rule information is a suspicious request, the controller sends the request to a firewall and determines whether the sender is permitted to send messages to the receiver according to the firewall's notice;
if the transmission rule information is a deny request, the controller determines that the sender is not permitted to send messages to the receiver.
5. The method of claim 4, characterized in that if the transmission rule information is an allow request, or the transmission rule information is a suspicious request and the firewall's notice permits the sender to send messages to the receiver, the transmission path includes the firewall;
if the transmission rule information is a secure request, the transmission path does not include the firewall.
6. The method of claim 4, characterized in that after the controller notifies the switches on the transmission path of the transmission path, the method further comprises:
after the controller receives updated transmission rule information sent by the firewall, updating the first ACL according to the updated transmission rule information;
the controller re-determining the transmission rule information of the request according to the updated first ACL;
after the controller determines, according to the transmission rule information, that the sender is permitted to send messages to the receiver, determining the transmission path from the sender to the receiver;
the controller notifying the switches on the transmission path of that transmission path.
7. The method of claim 6, characterized in that after the controller notifies the switches on the transmission path of the transmission path and before it receives the updated transmission rule information of the request notified by the firewall, the method further comprises:
the controller sampling the messages corresponding to the request that are transmitted between the sender and the receiver, and sending the sampled messages corresponding to the request to the firewall.
8. The method of claim 7, characterized in that after the controller re-determines the transmission rule information of the request according to the updated first ACL, the method further comprises:
if the re-determined transmission rule information of the request is a suspicious request, the controller sampling the messages corresponding to other requests transmitted between the sender and the receiver, and sending the sampled messages corresponding to those other requests to the firewall.
9. The method of any one of claims 1 to 8, characterized in that after the controller determines the transmission rule information of the request, the method further comprises:
after the controller determines, according to the transmission rule information of the request, that the sender is not permitted to send messages to the receiver, notifying all switches connected to the sender.
10. A method for updating an access control list (ACL), characterized in that the method comprises:
a firewall, after receiving a request sent by a controller, determining the transmission rule information of the request according to a preset security policy;
the firewall sending the determined transmission rule information, or a second ACL containing it, to the controller, so that the controller updates, according to the received transmission rule information or second ACL, the first ACL used to decide whether the transmission corresponding to a request is permitted.
11. The method of claim 10, characterized in that the method further comprises:
the firewall, after receiving a message sent by a sender to a receiver, judging according to the preset security policy whether the message is safe;
if it is, forwarding the message to the corresponding switch according to the address information recorded in the message;
otherwise, notifying the controller to refuse transmission of the message.
12. The method of claim 10, characterized in that after the firewall receives the request sent by the controller and determines the transmission rule information of the request according to the preset security policy:
if the determined transmission rule information of the request is a suspicious request, the firewall inspecting the messages corresponding to other requests transmitted between the sender and the receiver;
wherein the sender and the receiver are the sender and the receiver that transmit the messages corresponding to the request.
13. The method of claim 10, characterized in that after the firewall sends the transmission rule information or the updated second ACL to the controller for updating the first ACL, the method further comprises:
the firewall inspecting the sampled messages received from the controller according to the preset security policy;
the firewall notifying the controller after it detects that a sampled message is a suspicious message.
14. A controller for determining a transmission path, characterized in that the controller comprises:
a first determining module, configured to, after receiving a request sent by a sender to apply for communication, determine the transmission rule information of the request from a first access control list (ACL) according to the request;
a second determining module, configured to, after determining according to the transmission rule information that the sender is permitted to send messages to the receiver, determine the transmission path from the sender to the receiver;
a notification module, configured to notify the switches on the transmission path of the transmission path.
15. The controller of claim 14, characterized in that the first determining module is further configured to:
after receiving the request sent by the sender to apply for communication, when the transmission rule information of the request cannot be determined from the first ACL according to the request, send the request to a firewall, and after receiving the transmission rule information of the request sent by the firewall, update the first ACL according to that transmission rule information and determine the transmission rule information of the request from the first ACL;
the second determining module is further configured to:
after receiving the request sent by the sender to apply for communication and determining according to the transmission rule information that the sender is permitted to send messages to the receiver, determine the transmission path from the sender to the receiver;
the notification module is further configured to:
after receiving the request sent by the sender to apply for communication, notify the switches on the transmission path of the transmission path.
16. The controller of claim 15, characterized in that the first determining module is further configured to:
after receiving the transmission rule information of the request from the firewall, if the firewall did not send the transmission rule information of the request by way of a second ACL, place the request and the received transmission rule information of the request into the first ACL; or, if the firewall sent the transmission rule information of the request by way of a second ACL, update the first ACL according to the received second ACL.
17. The controller of claim 14, characterized in that the second determining module is further configured to:
if the transmission rule information is an allow request or a secure request, determine that the sender is permitted to send messages to the receiver; if the transmission rule information is a suspicious request, send the request to a firewall and determine whether the sender is permitted to send messages to the receiver according to the firewall's notice; if the transmission rule information is a deny request, determine that the sender is not permitted to send messages to the receiver.
18. The controller of claim 17, characterized in that the first determining module is further configured to:
after the switches on the transmission path have been notified of the transmission path and updated transmission rule information sent by the firewall has been received, update the first ACL according to the updated transmission rule information, and re-determine the transmission rule information of the request according to the updated first ACL;
the second determining module is further configured to:
after the switches on the transmission path have been notified of the transmission path, and after determining according to the transmission rule information that the sender is permitted to send messages to the receiver, determine the transmission path from the sender to the receiver;
the notification module is further configured to:
after the switches on the transmission path have been notified of the transmission path, notify the switches on the transmission path of the transmission path.
19. The controller of claim 18, characterized in that it further comprises:
a sampling module, configured to, after the switches on the transmission path have been notified of the transmission path and before the updated transmission rule information of the request notified by the firewall is received, sample the messages corresponding to the request transmitted between the sender and the receiver, and send the sampled messages corresponding to the request to the firewall.
20. The controller of claim 19, characterized in that the sampling module is further configured to:
after the transmission rule information of the request has been re-determined according to the updated first ACL, if the re-determined transmission rule information of the request is a suspicious request, sample the messages corresponding to other requests transmitted between the sender and the receiver, and send the sampled messages corresponding to those other requests to the firewall.
21. The controller of any one of claims 14 to 20, characterized in that the notification module is further configured to:
after the transmission rule information of the request has been determined, and after it is determined according to the transmission rule information of the request that the sender is not permitted to send messages to the receiver, notify all switches connected to the sender.
22. A firewall device for updating an access control list (ACL), characterized in that the device comprises:
a third determining module, configured to, after receiving a request sent by a controller, determine the transmission rule information of the request according to a preset security policy;
an update module, configured to send the determined transmission rule information, or a second ACL containing it, to the controller, so that the controller updates, according to the received transmission rule information or second ACL, the first ACL used to decide whether the transmission corresponding to a request is permitted.
23. The firewall device of claim 22, characterized in that the third determining module is further configured to:
after receiving a message sent by a sender to a receiver, judge according to the preset security policy whether the message is safe; if it is, forward the message to the corresponding switch according to the address information recorded in the message; otherwise, notify the controller to refuse transmission of the message.
24. The firewall device of claim 22, characterized in that the third determining module is further configured to:
after receiving the request sent by the controller and determining the transmission rule information of the request according to the preset security policy, if the determined transmission rule information of the request is a suspicious request, inspect the messages corresponding to other requests transmitted between the sender and the receiver;
wherein the sender and the receiver are the sender and the receiver that transmit the messages corresponding to the request.
25. The firewall device of claim 22, characterized in that the update module is further configured to:
after the transmission rule information or the updated second ACL has been sent to the controller for updating the first ACL, inspect the sampled messages received from the controller according to the preset security policy, and notify the controller after detecting that a sampled message is a suspicious message.
CN201410730053.9A 2014-12-04 2014-12-04 Method and equipment for determining transmission path and updating ACL Active CN105721334B (en)

Publications (2)

Publication Number Publication Date
CN105721334A true CN105721334A (en) 2016-06-29
CN105721334B CN105721334B (en) 2020-02-18