CN106685924A - Network security detection system based on firewall - Google Patents


Info

Publication number
CN106685924A
Authority
CN
China
Prior art keywords
module
output end
data
network
firewall
Prior art date
Legal status
Pending
Application number
CN201611049656.8A
Other languages
Chinese (zh)
Inventor
刘天华
Current Assignee
Hefei Haiya Mdt Infotech Ltd
Original Assignee
Hefei Haiya Mdt Infotech Ltd
Priority date
2016-11-25
Filing date
2016-11-25
Publication date
2017-05-17


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a network security detection system based on a firewall. The input end of a network data detection module is connected to a large database, and the data end of the large database is connected to a data acquisition card and a field compilation module. The data end of the field compilation module is connected to a network message detection module through a control line, and the output end of the field compilation module is connected to a network card driver. A LAN bus is provided with a plurality of serial ports, and a central policy server and a desktop machine used for installing the distributed firewall are connected to the data port of the LAN bus. A boundary firewall program is written at the output port of the LAN bus through an embedded controller, and the safe and convenient management of packet filtering rules is realized. Meanwhile, an IP layer security module and a packet filtering router are combined to be realized. The whole device is simple in structure and high in practicability.

Description

A network security detection system based on a firewall
Technical field
The present invention relates to the field of firewall detection, and more particularly to a network security detection system based on a firewall.
Background technology
The Internet is the miracle of the 20th century; through it, people conveniently share resources. The power of the Internet comes from its extensive connectivity and openness, and this is exactly what causes its insecurity. Installing a firewall at the entrance of the network boundary to prevent attacks is one of the main means of security precaution; firewalls have held back countless hackers and achieved notable successes in protecting network security. However, as the Internet develops at a rapid pace, the limitations of the traditional perimeter firewall are beginning to show: increasingly diverse connection methods (dial-up, wireless, tunnels), extranets, the appearance of encrypted communication, continual increases in bandwidth, and so on. Faced with these new situations, the traditional perimeter firewall appears helpless, and the problems above urgently need to be solved.
The content of the invention
To address the problems above, the invention provides a network security detection system based on a firewall that uses a two-layer audit design: the upper layer is the firewall analysing and auditing its own log file, and the lower layer audits users by the AUTHID of the firewall's current user, calling the B2 system to read the audit information and then performing audit analysis. This can effectively solve the problems described in the background technology.
For this purpose, the invention provides a network security detection system based on a firewall, in which the input of the network data detection module is connected to a large database; the data terminal of the large database is connected to a data acquisition card and a field collector; the data terminal of the field collector is connected by a control line to a network message detection module; the output of the field collector is also connected to a network card driver; the network card driver is also connected to a central server through a user-space detection module; and a LAN bus is also connected to the output of the central server;
A plurality of serial ports are additionally provided on the LAN bus; a central policy server and a desktop machine for installing the distributed firewall are also connected to the data port of the LAN bus; a perimeter firewall program is also written onto the output port of the LAN bus through an embedded controller; and a mobile host for installing the distributed firewall is additionally provided at the output of the embedded controller.
Preferably, the embedded controller uses a 32-bit ARM9-series processor chip; a parallel serial-port debugging module is additionally provided at the data terminal of the embedded controller; and the digital input of the embedded controller is powered at 5 V.
Preferably, the network data detection module includes a key distribution management module; the output of the key distribution management module is connected to a security association database and a data management module; the output of the security association database is also connected to an IP security file module; the output of the IP security file module is connected to the data management module by a bidirectional port control line; and the output of the data management module is also connected to a filtering module and a management interface module by a bidirectional port control line.
Preferably, the output of the management interface module is also connected to a filtering rule base, and the data terminal of the filtering rule base is also connected to a rule configuration file by a control line.
Preferably, a plurality of connection interfaces are additionally provided inside the central server for data communication with the outside world.
Preferably, the input of the mobile host is connected to a wireless controller; a LAN connection controller is also connected inside the wireless controller; and the output of the mobile host is also connected to a branch organization for installing the distributed firewall.
Preferably, the power terminal of the embedded controller is also connected to a solar power supply module, and the input of the solar power supply module is connected to a power module and a power supply circuit detection module.
Preferably, the data terminal of the embedded controller is also connected to a download/debug interface module; the output of the download/debug interface module is also connected to an LCD display module by a control line; and a keyboard controller is also connected at the data terminal of the download/debug interface module.
Compared with the prior art, the invention has the following beneficial effects. The firewall-based network security detection system uses a two-layer audit: the upper layer is the firewall analysing and auditing its own log file, and the lower layer audits users by the AUTHID of the firewall's current user, calling the B2 system to read the audit information and then performing audit analysis. The data management module receives data from the network and the filtering module matches it against rules, thereby controlling which packets enter the internal network. At the same time, considering the maintenance and security of the system, the system sets up a supervisor to realize safe and convenient management of the packet filtering rules. The IP-layer security module is combined with the packet filtering router in a single implementation; the whole device is simple in structure and highly practical.
Description of the drawings
Fig. 1 is a schematic structural view of the invention;
Fig. 2 is a schematic view of the internal structure of the network data detection module of the invention;
In the figures: 1- network data detection module; 2- large database; 3- data acquisition card; 4- field collector; 5- network message detection module; 6- network card driver; 7- user-space detection module; 8- central server; 9- LAN bus; 10- central policy server; 11- desktop machine; 12- embedded controller; 13- mobile host; 14- parallel serial-port debugging module; 15- key distribution management module; 16- security association database; 17- data management module; 18- IP security file module; 19- filtering module; 20- management interface module; 21- filtering rule base; 22- rule configuration file; 23- wireless controller; 24- LAN connection controller; 25- branch organization; 26- solar power supply module; 27- power module; 28- power supply circuit detection module; 29- download/debug interface module; 30- LCD display module; 31- keyboard controller.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the scope of protection of the present invention.
Embodiment:
Referring to Fig. 1 and Fig. 2, the present invention provides the following technical solution: a network security detection system based on a firewall, in which the input of the network data detection module 1 is connected to a large database 2; the data terminal of the large database 2 is connected to a data acquisition card 3 and a field collector 4 respectively; the data terminal of the field collector 4 is connected by a control line to a network message detection module 5; the output of the field collector 4 is also connected to a network card driver 6; the network card driver 6 is also connected to a central server 8 through a user-space detection module 7; a plurality of connection interfaces are additionally provided inside the central server 8 for data communication with the outside world; a LAN bus 9 is also connected at the output of the central server 8; the network data detection module 1 includes a key distribution management module 15; the output of the key distribution management module 15 is connected to a security association database 16 and a data management module 17; the output of the security association database 16 is also connected to an IP security file module 18; the output of the IP security file module 18 is connected to the data management module 17 by a bidirectional port control line; the output of the data management module 17 is also connected to a filtering module 19 and a management interface module 20 by a bidirectional port control line; the output of the management interface module 20 is also connected to a filtering rule base 21; and the data terminal of the filtering rule base 21 is also connected to a rule configuration file 22 by a control line;
A plurality of serial ports are additionally provided on the LAN bus 9; a central policy server 10 and a desktop machine 11 for installing the distributed firewall are also connected to the data port of the LAN bus 9; a perimeter firewall program has also been written onto the output port of the LAN bus 9 through an embedded controller 12; the power terminal of the embedded controller 12 is also connected to a solar power supply module 26; the input of the solar power supply module 26 is connected to a power module 27 and a power supply circuit detection module 28; a mobile host 13 for installing the distributed firewall is additionally provided at the output of the embedded controller 12; the embedded controller 12 uses a 32-bit ARM9-series processor chip; a parallel serial-port debugging module 14 is additionally provided at the data terminal of the embedded controller 12, and the digital input of the embedded controller 12 is powered at 5 V; the input of the mobile host 13 is connected to a wireless controller 23; a LAN connection controller 24 is also connected inside the wireless controller 23; the output of the mobile host 13 is also connected to a branch organization 25 for installing the distributed firewall; the data terminal of the embedded controller 12 is also connected to a download/debug interface module 29; the output of the download/debug interface module 29 is also connected to an LCD display module 30 by a control line; and a keyboard controller 31 is also connected at the data terminal of the download/debug interface module 29.
The present invention uses two packet-filtering routers and the mobile host of a distributed firewall; together they form a separate subnet located between the internal subnet and the Internet, called the screened subnet. The external router sits between the Internet and the screened subnet, and the internal router sits between the screened subnet and the internal trusted subnet. The two routers can perform different levels of filtering. The screened subnet only allows the Internet and the internal subnet to connect to the mobile host of the distributed firewall; any traffic that attempts to bypass it is blocked.
For traffic coming from the mobile host of the distributed firewall, the internal router first filters according to information such as the source address and the security level of each host in the subnet; then, according to the actual address within the packet's subnet, it applies ESP encapsulation and encryption to the packet (the key is retrieved from the bastion host) and forwards the packet to its destination. When the internal router handles traffic from the subnet towards the Internet, it first decrypts the packet, then filters according to the different permissions of each host and the security policy of the system, and forwards the traffic after it has been encapsulated and encrypted by the bastion host.
Operating principle of the present invention: the firewall-based network security detection system uses a two-layer audit. The upper layer is the firewall analysing and auditing its own log file; the lower layer audits users by the AUTHID of the firewall's current user, calling the B2 system to read the audit information and then performing audit analysis. The data management module receives data from the network and the filtering module matches it against rules, thereby controlling which packets enter the internal network. At the same time, considering the maintenance and security of the system, the system sets up a supervisor to realize safe and convenient management of the packet filtering rules. The IP-layer security module is combined with the packet filtering router in a single implementation; the whole device is simple in structure and highly practical.
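As an added illustration (not code from the patent or its applicant), the following Python sketch shows the kind of first-match rule evaluation the filtering module performs on network data using rules loaded from the rule configuration file into the filtering rule base, together with the per-host security-level check the internal router applies before forwarding and the log line the upper audit layer would later read. The rule syntax, the host security-level table and the sample packets are constructed assumptions.

```python
"""Added example, not the patent's code: first-match packet filter as run by the
filtering module (19) over rules loaded from the rule configuration file (22)
into the filtering rule base (21).  Rule syntax, host levels and packets are
constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed rule configuration file: first matching rule wins; no match -> drop.
RULE_CONFIG = """
# action  proto  src_net       dst_net           dst_port  min_level
allow     tcp    10.0.0.0/24   192.168.1.10/32   443       2
allow     tcp    10.0.0.0/24   192.168.1.20/32   22        3
allow     udp    10.0.0.0/24   192.168.1.53/32   53        1
deny      any    any           192.168.1.0/24    any       0
"""

# Constructed table of "the security level of each host in the subnet";
# hosts absent from it get level 0 and can only use rules with min_level 0.
HOST_LEVEL = {"10.0.0.5": 3, "10.0.0.7": 1}

@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    proto: str                             # "tcp", "udp" or "any"
    src: Optional[ipaddress.IPv4Network]   # None means any source
    dst: Optional[ipaddress.IPv4Network]   # None means any destination
    dport: Optional[int]                   # None means any destination port
    min_level: int                         # host level required for an allow

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def _net(text: str) -> Optional[ipaddress.IPv4Network]:
    return None if text == "any" else ipaddress.ip_network(text, strict=False)

def load_rules(text: str) -> list:
    """Parse the rule configuration into the rule base; unknown actions are rejected."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        action, proto, src, dst, dport, level = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append(Rule(action, proto, _net(src), _net(dst),
                          None if dport == "any" else int(dport), int(level)))
    return rules

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def filter_packet(rules: list, pkt: Packet, host_level: dict) -> tuple:
    """Return (verdict, reason); verdict is "accept" or "drop", default deny."""
    level = host_level.get(pkt.src, 0)
    for i, rule in enumerate(rules):
        if not _matches(rule, pkt):
            continue
        if rule.action == "deny":
            return "drop", f"rule {i}"
        if level < rule.min_level:                # rule allows, host level does not
            return "drop", f"rule {i}: host level {level} < {rule.min_level}"
        return "accept", f"rule {i}"
    return "drop", "default deny"

def audit_line(pkt: Packet, verdict: str, reason: str) -> str:
    """One line of the firewall's own log file, which the upper audit layer analyses."""
    return f"{verdict.upper()} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} ({reason})"
```

Because the rule base is ordered and ends in an explicit deny plus an implicit default deny, a packet that no allow rule covers is dropped even if a host's security level is high.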
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (8)

1. A network security detection system based on a firewall, characterised in that the input of the network data detection module (1) is connected to a large database (2); the data terminal of the large database (2) is connected to a data acquisition card (3) and a field collector (4); the data terminal of the field collector (4) is connected by a control line to a network message detection module (5); the output of the field collector (4) is also connected to a network card driver (6); the network card driver (6) is also connected to a central server (8) through a user-space detection module (7); and a LAN bus (9) is also connected at the output of the central server (8);
A plurality of serial ports are additionally provided on the LAN bus (9); a central policy server (10) and a desktop machine (11) for installing the distributed firewall are also connected to the data port of the LAN bus (9); a perimeter firewall program is also written onto the output port of the LAN bus (9) through an embedded controller (12); and a mobile host (13) for installing the distributed firewall is additionally provided at the output of the embedded controller (12).
2. The network security detection system based on a firewall according to claim 1, characterised in that the embedded controller (12) uses a 32-bit ARM9-series processor chip; a parallel serial-port debugging module (14) is additionally provided at the data terminal of the embedded controller (12); and the digital input of the embedded controller (12) is powered at 5 V.
3. The network security detection system based on a firewall according to claim 1, characterised in that the network data detection module (1) includes a key distribution management module (15); the output of the key distribution management module (15) is connected to a security association database (16) and a data management module (17); the output of the security association database (16) is also connected to an IP security file module (18); the output of the IP security file module (18) is connected to the data management module (17) by a bidirectional port control line; and the output of the data management module (17) is also connected to a filtering module (19) and a management interface module (20) by a bidirectional port control line.
4. The network security detection system based on a firewall according to claim 3, characterised in that the output of the management interface module (20) is also connected to a filtering rule base (21), and the data terminal of the filtering rule base (21) is also connected to a rule configuration file (22) by a control line.
5. The network security detection system based on a firewall according to claim 1, characterised in that a plurality of connection interfaces are additionally provided inside the central server (8) for data communication with the outside world.
6. The network security detection system based on a firewall according to claim 1, characterised in that the input of the mobile host (13) is connected to a wireless controller (23); a LAN connection controller (24) is also connected inside the wireless controller (23); and the output of the mobile host (13) is also connected to a branch organization (25) for installing the distributed firewall.
7. The network security detection system based on a firewall according to claim 1, characterised in that the power terminal of the embedded controller (12) is also connected to a solar power supply module (26), and the input of the solar power supply module (26) is connected to a power module (27) and a power supply circuit detection module (28) respectively.
8. The network security detection system based on a firewall according to claim 1, characterised in that the data terminal of the embedded controller (12) is also connected to a download/debug interface module (29); the output of the download/debug interface module (29) is also connected to an LCD display module (30) by a control line; and a keyboard controller (31) is also connected at the data terminal of the download/debug interface module (29).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611049656.8A CN106685924A (en) 2016-11-25 2016-11-25 Network security detection system based on firewall


Publications (1)

Publication Number Publication Date
CN106685924A true CN106685924A (en) 2017-05-17

Family

ID=58866081


Country Status (1)

Country Link
CN (1) CN106685924A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025735A (en) * 2010-12-08 2011-04-20 北京航空航天大学 Distributed network firewall system of Linux based on defense strategy
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘克龙等: "一种新型的防火墙系统", 《计 算 机 学 报》 *
范英磊: "分布式防火墙的研究与设计", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138806A (en) * 2019-06-12 2019-08-16 武汉通威电子有限公司 A kind of firewall system for realizing high reliability
CN110290151A (en) * 2019-07-16 2019-09-27 迈普通信技术股份有限公司 File transmitting method, device and read/write memory medium
CN110290151B (en) * 2019-07-16 2021-10-08 迈普通信技术股份有限公司 Message sending method and device and readable storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170517