CN107979609A - Post-reaction protection method and self-learning firewall system - Google Patents
Publication number: CN107979609A (application CN201711342272.XA)
Authority: CN (China)
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The invention discloses a post-reaction protection method that addresses the problem of changes in computer software and hardware impairing the protective function of a firewall, and provides the following technical scheme: on an access request from the external network, the request data enters the internal network through the firewall engine; after the request data enters the internal network, it is sent to the internal terminal and, as a mirror image, to a virtual terminal that can communicate on the network using the same IP as the internal terminal; for the received request data, the virtual terminal produces feedback data corresponding to the packet and sends it to the external network first, while communication between the internal terminal and the external network is isolated in one direction by the firewall engine; the firewall engine then performs a security analysis on the request data and on the associated data that the external network sends back in response to the feedback data; once the security analysis passes, the isolation of the internal terminal from the external network is cancelled and the internal terminal's actual feedback data is transmitted to the external network. This improves, to a certain extent, adaptability to the computer system's software and hardware.
Description
Technical field
The present invention relates generally to computer system and network security, and more particularly to a post-reaction protection method and a self-learning firewall system.
Background technology
A firewall is a system, or a set of systems, that implements an access control policy. It forms a protective barrier between the internal network (a private network) and the external network (a public network), prevents unauthorized users from accessing resources on the internal network and illegally transmitting internal information outward, and also prevents such illegal and malicious network behaviour from disrupting the operation of the internal network. Its basic function is to filter, and where necessary block, the data (data packets) transmitted between the local network, or some part of it, and the Internet. A data packet is simply a segment of data that also carries the information needed to deliver it to its destination. A packet can be pictured as a mailbag: the data in the packet is the contents of the mailbag, and the envelope carries everything needed to deliver the letter to the correct machine and the correct program, together with return-address information. A firewall can implement a wide range of security policies to control the information flow and to prevent unexpected intrusion and damage. Firewall architectures include dual-homed host, screened host and screened subnet structures.
The firewall itself needs strong resistance to attack: it should sit at the bottom of the system and of the network protocol stack, and strict access rules must be set for the accessing and accessed ports so that every network connection not covered by a rule is cut off. Secondly, in architecture, the fire safety of a building is guaranteed jointly by each relevant discipline and the relevant equipment; in a computer system, likewise, the protective performance of a firewall is guaranteed jointly by the firewall, the rules set by the user and the computer system itself. Furthermore, in architecture, changes in the original materials and their arrangement make a fire wall ineffective, and over time flame-retardant-treated materials gradually lose their flame resistance. The same holds for computer systems: changes to the computer system's network and to its hardware and software environment likewise make the firewall ineffective, and over time the firewall's original protective techniques fall behind and its protective function slowly diminishes.
Summary of the invention
In view of the deficiencies of the prior art, the first object of the present invention is to provide a post-reaction protection method, which has the advantage of good adaptability to continual changes in computer system software and hardware.
To achieve the above object, the present invention provides following technical solution:
A post-reaction protection method, the protection being suited to a firewall between an internal network and an external network, the firewall architecture further comprising a firewall engine with a plurality of installed filters, the method comprising:
on an access request from the external network, the request data enters the internal network through the firewall engine;
after the request data enters the internal network, it is sent to the internal terminal and, as a mirror image, to a virtual terminal that can communicate on the network using the same IP as the internal terminal;
for the received request data, the virtual terminal produces feedback data corresponding to the packet and sends it to the external network first, while communication between the internal terminal and the external network is isolated in one direction by the firewall engine;
the firewall engine then performs a security analysis on the request data and on the associated data that the external network sends back in response to the feedback data;
after the security analysis passes, the reverse isolation between the internal terminal and the external network is cancelled and the internal terminal's actual feedback data is transmitted to the external network.
With the above technical solution, when the external network makes an access request to the internal network, the firewall engine first records this data. At this point the firewall engine keeps the internal terminal and the external network isolated in one direction, and the virtual terminal transmits feedback data to the external network using the same IP as the internal terminal; this feedback data corresponds to the request data. The virtual terminal then receives the associated data that the external network sends back in response to the feedback data, and the firewall engine performs a security analysis on the request data and on the associated data sent back the second time, deciding on the basis of the result whether the internal terminal and the external network are connected. When the security analysis passes, the firewall engine cancels the isolation and the internal terminal can send its actual feedback data to the external network. Thus, however the internal terminal's software and hardware change, as long as the virtual terminal can produce targeted feedback data for the request data, whether to isolate can be decided by analysing the request data and the associated data, which to a certain extent improves adaptability to the computer system's software and hardware.
Preferably, the security analysis comprises:
in a request stage from the external network, receiving the request data and the context data structure of the request data from the external network;
in a feedback stage from the external network, receiving from the external network the associated data packet directed at the feedback data and the context data structure of the associated data packet;
through the request stage and the feedback stage, identifying the parameter set associated with the request data and the associated data;
issuing a classification call, the classification call including the parameter set associated with the request data and the associated data;
comparing the parameter set of the request data and the associated data with the filtering conditions of the plurality of filters, and identifying at least one filter matching the parameter set of the request data and the associated data together with the associated firewall policy specified by the at least one filter;
in response to the classification call, determining an accept and/or isolate action according to the associated firewall policy.
Preferably, the data of the security analysis may also extend to the associated data of the stage preceding the request stage and/or the request data of the stage following the association stage.
Preferably, the request data is an inbound communication packet received from the external network; and the parameter set includes information that the association stage parses from the inbound communication packet according to the protocol executed by the association stage.
Preferably, the associated data is an outbound information packet sent to a network device; and the parameter set includes information added to the packet according to the protocol executed by the request stage.
Preferably, the method further comprises: modifying the context data structure of the information packet by adding the parameter set.
Preferably, the parameters in the parameter set include the request stage, the identifier of the association stage, the parameter type and the value.
Preferably, when the virtual terminal receives request data, it compares the received request data with the data packets it stores, and passes the data packet matching the request data back to the external network, in the form of feedback data, through the virtual IP identical to that of the internal terminal.
Preferably, the virtual terminal can self-learn to add new data packets to its internal database.
In view of the deficiencies of the prior art, the second object of the present invention is to provide a self-learning firewall system, which has the advantage of good adaptability to continual changes in computer system software and hardware.
To achieve the above object, the present invention provides following technical solution:
A self-learning firewall system, comprising:
a firewall engine, including a plurality of installed filters, for performing a security analysis on request data and associated data and, after the security analysis, executing the matched security policy to isolate or connect the internal network and the external network;
an internal terminal, connected within the internal network, protected by the firewall engine, and isolated from or connected to the external network by the firewall engine;
a virtual terminal, which matches a corresponding data packet in a database for the request data and, using the same IP as the internal terminal, feeds the data packet back to the external network in place of the internal terminal.
With the above technical solution, when the external network makes an access request to the internal network, the firewall engine first records this data. At this point the firewall engine keeps the internal terminal and the external network isolated in one direction, and the virtual terminal transmits feedback data to the external network using the same IP as the internal terminal; this feedback data corresponds to the request data. The virtual terminal then receives the associated data that the external network sends back in response to the feedback data, and the firewall engine performs a security analysis on the request data and on the associated data sent back the second time, deciding on the basis of the result whether the internal terminal and the external network are connected. When the security analysis passes, the firewall engine cancels the isolation and the internal terminal can send its actual feedback data to the external network. Thus, however the internal terminal's software and hardware change, as long as the virtual terminal can produce targeted feedback data for the request data, whether to isolate can be decided by analysing the request data and the associated data, which to a certain extent improves adaptability to the computer system's software and hardware.
In conclusion, the invention has the following advantages:
1. when the external network requests access to the internal network, only one-way data communication from outside to inside is allowed, and internal data may leave only after the security analysis has passed, which enhances the safety of stored data;
2. when the computer network's software and hardware change, as long as the virtual terminal can produce targeted feedback according to the external network's request data, a security analysis can be performed on the request data and the associated data and the corresponding security policy matched for protection, so adaptability is high;
3. the virtual terminal can self-learn to add new data packets to its internal database, which enhances adaptability to the continually changing external network and computer software and hardware.
Brief description of the drawings
Fig. 1 is a functional block diagram of the post-reaction protection method of the present invention;
Fig. 2 is a schematic diagram of the principle of the learning firewall system of the present invention;
Fig. 3 is a schematic diagram of the computer system of the present invention.
Detailed description of the embodiments
The present invention is described in detail below with reference to the accompanying drawings and embodiments.
The technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the drawings; obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment 1
A post-reaction protection method, based on a particular host, particular port and particular application, suited to a firewall set between the external network and the internal network, the firewall architecture further comprising a firewall engine with a plurality of installed filters; with reference to Fig. 1, the method comprises:
on an access request from the external network, the request data enters the internal network through the firewall engine;
after the request data enters the internal network, it is sent to the internal terminal and, as a mirror image, to a virtual terminal that can communicate on the network using the same IP as the internal terminal;
for the received request data, the virtual terminal produces feedback data corresponding to the packet and sends it to the external network first, while communication between the internal terminal and the external network is isolated in one direction by the firewall engine;
the firewall engine then performs a security analysis on the request data and on the associated data that the external network sends back in response to the feedback data;
after the security analysis passes, the reverse isolation between the internal terminal and the external network is cancelled and the internal terminal's actual feedback data is transmitted to the external network.
When the external network requests access to the internal network, the external data must enter the internal network through the firewall engine, which decides whether a data packet may pass by checking factors such as the source address, destination address, port numbers used and protocol state of each data packet in the data flow, or a combination of these.
The request data that passes the firewall engine's filtering is mirrored and sent to both the internal terminal and the virtual terminal, which act synchronously. The actual feedback data that the internal terminal produces for the request data is temporarily isolated by the firewall engine, that is, the internal network is blocked in one direction towards the external network. At the same time, the virtual terminal receives the identical request data, compares it with the data packets in its own database, and passes the data packet matching the request data back to the external network in the form of feedback data, through the virtual IP identical to that of the internal terminal.
As for the data packets in the virtual terminal's database, the virtual terminal can self-learn in the background to add new data packets to its internal database.
Specifically, the security analysis comprises: in a request stage from the external network, receiving the request data and the context data structure of the request data from the external network;
in a feedback stage from the external network, receiving from the external network the associated data packet directed at the feedback data and the context data structure of the associated data packet;
through the request stage and the feedback stage, identifying the parameter set associated with the request data and the associated data;
issuing a classification call, the classification call including the parameter set associated with the request data and the associated data;
comparing the parameter set of the request data and the associated data with the filtering conditions of the plurality of filters, and identifying at least one filter matching the parameter set of the request data and the associated data together with the associated firewall policy specified by the at least one filter;
in response to the classification call, determining an accept and/or isolate action according to the associated firewall policy.
In addition, the data of the security analysis may also extend to the associated data of the stage preceding the request stage and/or the request data of the stage following the association stage.
The request data is an inbound communication packet received from the external network; and the parameter set includes information that the association stage parses from the inbound communication packet according to the protocol executed by the association stage.
The associated data is an outbound information packet sent to a network device; and the parameter set includes information added to the packet according to the protocol executed by the request stage.
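The flow of the method above (request stage, decoy feedback from the virtual terminal under one-way isolation, two-stage security analysis, release on permit, self-learning) as an added simulation; it is not the patent's code and also covers the identical steps listed in the summary section. The class names, the parameter-set keys, the filters, and the constructed packets and canned replies are all assumptions.

```python
"""Simulation of the post-reaction protection method (added example, not the patent's code).
Class names, parameter-set keys, filters, packets and canned replies are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # sender IP
    dst: str        # receiver IP
    dport: int      # destination port
    proto: str      # application protocol label, e.g. "http"
    payload: bytes


@dataclass(frozen=True)
class Filter:
    conditions: Dict[str, object]   # every condition must match the parameter set
    action: str                     # "permit" lifts the reverse isolation, "isolate" keeps it


class VirtualTerminal:
    """Decoy sharing the internal terminal's IP; answers from its own packet database."""

    def __init__(self, ip: str, database: Dict[Tuple[str, int], bytes]):
        self.ip = ip
        self.database = dict(database)   # (proto, dport) -> canned reply payload

    def feedback(self, request: Packet) -> Optional[Packet]:
        """Return the stored packet matching the request, sent from the shared IP."""
        reply = self.database.get((request.proto, request.dport))
        return None if reply is None else Packet(self.ip, request.src, 0, request.proto, reply)

    def learn(self, request: Packet, real_reply: Packet) -> bool:
        """Self-learning: store the internal terminal's real reply for an unseen request type."""
        key = (request.proto, request.dport)
        if key in self.database:
            return False
        self.database[key] = real_reply.payload
        return True


class FirewallEngine:
    """Records requests, isolates the internal terminal in the reverse direction per peer,
    and analyses request + associated data before lifting that isolation."""

    def __init__(self, filters: List[Filter], virtual: VirtualTerminal):
        self.filters = list(filters)
        self.virtual = virtual
        self.pending: Dict[str, Packet] = {}   # external src -> recorded request

    def inbound_request(self, request: Packet) -> Optional[Packet]:
        """Request stage: record the request, block the reverse path for this peer,
        return the decoy's feedback (a mirrored copy also reaches the internal terminal)."""
        self.pending[request.src] = request
        return self.virtual.feedback(request)

    def reverse_allowed(self, external_src: str) -> bool:
        """True once the internal terminal may send its actual feedback to this peer."""
        return external_src not in self.pending

    @staticmethod
    def parameter_set(request: Packet, associated: Packet) -> Dict[str, object]:
        """Parameter set identified over the request stage and the feedback stage."""
        return {"request.proto": request.proto, "request.dport": request.dport,
                "associated.proto": associated.proto, "associated.len": len(associated.payload),
                "same_peer": request.src == associated.src}

    def classify(self, params: Dict[str, object]) -> str:
        """Classification call: the first filter whose conditions all match decides."""
        for f in self.filters:
            if all(params.get(k) == v for k, v in f.conditions.items()):
                return f.action
        return "isolate"   # no matching filter: stay isolated

    def inbound_associated(self, associated: Packet) -> str:
        """Feedback stage: analyse recorded request + associated data; permit lifts isolation."""
        request = self.pending.get(associated.src)
        if request is None:
            return "isolate"   # nothing recorded for this peer
        action = self.classify(self.parameter_set(request, associated))
        if action == "permit":
            del self.pending[associated.src]
        return action


def run_demo() -> dict:
    """Constructed exchange: an HTTP peer whose follow-up matches the permit filter and is
    released, and a peer whose follow-up changes protocol and therefore stays isolated."""
    virtual = VirtualTerminal("10.0.0.5", {("http", 80): b"HTTP/1.1 200 OK\r\n\r\nhello"})
    permit_http = Filter({"request.proto": "http", "associated.proto": "http", "same_peer": True}, "permit")
    engine = FirewallEngine([permit_http], virtual)
    req = Packet("203.0.113.7", "10.0.0.5", 80, "http", b"GET / HTTP/1.1\r\n\r\n")
    decoy = engine.inbound_request(req)
    blocked = not engine.reverse_allowed(req.src)
    action = engine.inbound_associated(Packet("203.0.113.7", "10.0.0.5", 80, "http", b"GET /a HTTP/1.1\r\n\r\n"))
    req2 = Packet("198.51.100.9", "10.0.0.5", 80, "http", b"GET / HTTP/1.1\r\n\r\n")
    engine.inbound_request(req2)
    action2 = engine.inbound_associated(Packet("198.51.100.9", "10.0.0.5", 80, "telnet", b"\xff\xfb\x01"))
    learned = virtual.learn(Packet("203.0.113.7", "10.0.0.5", 22, "ssh", b"SSH-2.0-x"),
                            Packet("10.0.0.5", "203.0.113.7", 0, "ssh", b"SSH-2.0-real"))
    return {"decoy_src": decoy.src, "blocked_during_analysis": blocked, "action": action,
            "released": engine.reverse_allowed(req.src), "odd_action": action2,
            "still_isolated": not engine.reverse_allowed(req2.src), "learned": learned}
```

Note that a peer never receives anything from the real internal terminal until the second-stage analysis has returned "permit", so a software change on the internal terminal cannot alter what the external peer observes in the first stage.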
The method subjects network information packets to filters at multiple layers of the protocol stack. The method and the firewall structure are executed in multiple operating-system processes (referred to as "kernel-mode processing" and "user-mode processing"). Alternatively, the method and structure are executed in a single operating-system process, or in one or more program modules or applications executed outside the operating system.
Kernel-mode processing includes a protocol stack, a kernel firewall engine and one or more callouts. The protocol stack includes an application layer, a transport layer, a network layer and a link layer; additional layers can be added to or removed from the system as required. Each of these layers forms a requesting layer, which receives a network information packet and the corresponding packet context data from the previous layer or process. The requesting layer then issues a classification request to the kernel firewall engine via the layer API. The classification request includes the packet received by the requesting layer, the packet context and a set of layer parameters associated with the requesting layer.
The kernel firewall engine processes the request and returns an action. The action indicates, for example, how the requesting layer is to dispose of the packet (such as permit or block). If the action is permit, the requesting layer processes the information packet according to its layer protocol, adds its layer parameters to the packet context, and passes the packet and the packet context down to the next layer. If the action is block, the requesting layer discards the packet and does not deliver it to the next layer. As a result of the block action, the requesting layer may perform additional functions (for example, tearing down a TCP connection). The kernel firewall engine includes the layer API, a set of installed filters and a callout API. Each filter in the installed filter set includes a set of filter conditions and an associated action. The kernel firewall engine processes a classification request sent from a requesting layer by identifying one or more matching filters, that is, filters whose filter conditions match the layer parameters and the packet context. Once the matching filters are identified, they are applied in order of filter priority. If the action of the filter being applied is permit or block, that action is returned to the requesting layer. If the action is callout, the classification request sent by the requesting layer, together with the identifier of the matching filter, is delivered to one of the callout modules. The callout module performs the function it was programmed for and returns an action to the kernel firewall engine. If no matching filter is identified for a packet, the requesting layer is notified that no matching filter was found, and the requesting layer then determines how to dispose of the packet.
An example user-mode process includes a user-mode firewall engine and one or more policy providers. The policy providers obtain policy from any suitable source (for example, volatile or non-volatile memory). The policy is a source of information for presenting new filters, including the set of filter conditions and the associated action. The user-mode firewall engine adds the new filter to the installed filter set in the kernel firewall engine via the filter engine API. The user mode also includes an instance of the kernel firewall engine, which allows user-mode layers to be created. These user-mode layers then use the user-mode instance of the kernel firewall engine to identify filters with a matching set of parameters, allowing filtering within user mode.
In an embodiment of the present invention, the callout interface from the kernel firewall engine to a set of callout modules essentially allows unlimited extension of the firewall's capabilities. For example, an HTTP context callout provides a parental-control feature by identifying acceptable and unacceptable URL addresses. An IP security (IPSec) callout verifies that packets have properly undergone IPSec processing. A logging callout records packets that meet established criteria so that they can be inspected later. An intrusion detection callout identifies suspicious packets according to known algorithms.
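A model of the layered classification engine, priority-ordered filters and callout modules described in the kernel-mode and callout passages above, as an added example that is not the patent's or any product's code. The class names, the numeric priority field, the "continue" result a callout may return, and the constructed filters, callouts and packets are assumptions.

```python
"""Model of the layered kernel-mode filter engine with callouts (added example, not the
patent's or any product's code). Class names, the numeric priority field, the CONTINUE
callout result and every sample filter, callout and packet are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, BLOCK, CALLOUT, CONTINUE, NO_MATCH = "permit", "block", "callout", "continue", "no_match"
CalloutFn = Callable[[dict, dict, int], str]   # (layer params, packet context, filter id) -> action


@dataclass(frozen=True)
class Filter:
    filter_id: int
    layer: str                      # requesting layer the filter is installed at
    priority: int                   # lower value is applied first (assumption)
    conditions: Dict[str, object]   # layer parameter -> required value
    action: str                     # PERMIT, BLOCK or CALLOUT
    callout_id: Optional[str] = None


class FilterEngine:
    """Kernel firewall engine: layer API (classify), installed filter set and callout API."""

    def __init__(self) -> None:
        self.filters: List[Filter] = []
        self.callouts: Dict[str, CalloutFn] = {}

    def add_filter(self, f: Filter) -> None:   # filter engine API used by the user-mode engine
        self.filters.append(f)

    def register_callout(self, callout_id: str, fn: CalloutFn) -> None:
        self.callouts[callout_id] = fn

    def classify(self, layer: str, params: dict, context: dict) -> str:
        """Classification request: find matching filters, apply them in priority order."""
        matches = [f for f in self.filters if f.layer == layer
                   and all(params.get(k) == v for k, v in f.conditions.items())]
        if not matches:
            return NO_MATCH   # tell the requesting layer no filter was found
        for f in sorted(matches, key=lambda f: f.priority):
            action = f.action
            if action == CALLOUT:   # deliver request plus matching filter id to the callout module
                action = self.callouts[f.callout_id](params, context, f.filter_id)
            if action in (PERMIT, BLOCK):
                return action
        return NO_MATCH   # every applied filter or callout returned CONTINUE


class Layer:
    """Protocol-stack layer: derives layer parameters, issues the classification request,
    and disposes of the packet according to the returned action."""

    def __init__(self, name: str, engine: FilterEngine, param_fn: Callable[[dict], dict],
                 default: str = PERMIT):
        self.name, self.engine, self.param_fn, self.default = name, engine, param_fn, default

    def process(self, packet: dict, context: dict) -> Tuple[str, dict]:
        params = self.param_fn(packet)
        action = self.engine.classify(self.name, params, context)
        if action == NO_MATCH:
            action = self.default   # the layer decides when no filter matched
        if action == PERMIT:   # hand the packet down with this layer's parameters added to the context
            return PERMIT, {**context, self.name: params}
        return BLOCK, context   # discarded, not delivered to the next layer


def run_stack(layers: List[Layer], packet: dict) -> Tuple[str, str, dict]:
    """Pass a packet through the layers in order; return (final action, deciding layer, context)."""
    context: dict = {}
    for layer in layers:
        action, context = layer.process(packet, context)
        if action == BLOCK:
            return BLOCK, layer.name, context
    return PERMIT, layers[-1].name, context


def build_demo_engine() -> Tuple[FilterEngine, List[Layer], List[int]]:
    """Constructed policy: log every TCP packet, block telnet, filter HTTP URLs via a callout."""
    engine, log = FilterEngine(), []

    def log_callout(params: dict, context: dict, filter_id: int) -> str:
        log.append(filter_id)   # record the match and let lower-priority filters decide
        return CONTINUE

    denied = {"/blocked"}   # constructed deny list for the URL callout
    engine.register_callout("log", log_callout)
    engine.register_callout("http_url", lambda p, c, fid: BLOCK if p.get("url") in denied else PERMIT)
    engine.add_filter(Filter(1, "transport", 10, {"dport": 23}, BLOCK))
    engine.add_filter(Filter(2, "transport", 5, {"proto": "tcp"}, CALLOUT, "log"))
    engine.add_filter(Filter(3, "application", 10, {"proto": "http"}, CALLOUT, "http_url"))
    layers = [
        Layer("network", engine, lambda p: {"src": p["src"], "dst": p["dst"]}),
        Layer("transport", engine, lambda p: {"proto": p["proto"], "dport": p["dport"]}),
        Layer("application", engine, lambda p: {"proto": p.get("app"), "url": p.get("url")},
              default=BLOCK),   # unmatched application traffic is dropped by the layer itself
    ]
    return engine, layers, log
```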
The present invention is shown as executing in a suitable computing environment. Although not required, the invention is described in the general context of computer-executable instructions (for example, program modules) executed by a personal computer. In general, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments, where tasks are performed by remote processing devices linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
Embodiment 2
A self-learning firewall system, based on the post-reaction protection method of Embodiment 1, with reference to Fig. 2, comprising:
a firewall engine, including a plurality of installed filters, for performing a security analysis on request data and associated data and, after the security analysis, executing the matched security policy to isolate or connect the internal network and the external network;
an internal terminal, connected within the internal network, protected by the firewall engine, and isolated from or connected to the external network by the firewall engine;
a virtual terminal, which matches a corresponding data packet in a database for the request data and, using the same IP as the internal terminal, feeds the data packet back to the external network in place of the internal terminal.
Fig. 3 illustrates an example of a suitable computing system environment on which the invention may be implemented. The computing system environment is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the computing environment be interpreted as having any dependency or requirement relating to any one component or combination of components illustrated in the exemplary operating environment.
The invention is operational with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or portable devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The invention may be described in the general context of computer-executable instructions (for example, program modules) being executed by a computer. In general, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including memory storage devices.
With reference to Fig. 3, an exemplary system for implementing the invention includes a general-purpose computing device in the form of a computer. Components of the computer may include, but are not limited to, a processing unit, a system memory and a system bus that couples various system components, including the system memory, to the processing unit. The system bus may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus and the Peripheral Component Interconnect (PCI) bus, also known as the Mezzanine bus.
The computer typically includes a variety of computer-readable media. Computer-readable media can be any available media that can be accessed by the computer and include both volatile and non-volatile media, removable and non-removable media. By way of example, and not limitation, computer-readable media may comprise computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer. Communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
The system memory includes computer storage media in the form of volatile and/or non-volatile memory such as read-only memory (ROM) and random access memory (RAM). A basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the computer (for example, during start-up), is typically stored in ROM. RAM typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by the processing unit. By way of example, and not limitation, Fig. 3 illustrates an operating system, application programs, other program modules and program data.
The computer may also include other removable/non-removable, volatile/non-volatile computer storage media. By way of example only, Fig. 3 illustrates a hard disk drive that reads from or writes to non-removable, non-volatile magnetic media, a magnetic disk drive that reads from or writes to a removable, non-volatile magnetic disk, and an optical disk drive that reads from or writes to a removable, non-volatile optical disk such as a CD-ROM or other optical media. Other removable/non-removable, volatile/non-volatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile discs, digital video tape, solid-state RAM, solid-state ROM and the like. The hard disk drive is typically connected to the system bus through a non-removable memory interface, and the magnetic disk drive and optical disk drive are typically connected to the system bus by a removable memory interface.
The drives discussed above and illustrated in Fig. 3, and their associated computer storage media, provide storage of computer-readable instructions, data structures, program modules and other data for the computer. In Fig. 3, for example, the hard disk drive is illustrated as storing an operating system, application programs, other program modules and program data. Note that these components can be either the same as or different from the operating system, application programs, other program modules and program data described above for the system memory. The operating system, application programs, other program modules and program data are given different reference numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into the computer through input devices such as a keyboard and a pointing device (commonly referred to as a "mouse", "trackball" or "touch pad"). Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner or similar input devices. These and other input devices are often connected to the processing unit through a user input interface that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or universal serial bus (USB). A monitor or other type of display device is also connected to the system bus via an interface, such as a video interface. In addition to the monitor, the computer may also include other peripheral output devices (for example, speakers and a printer), which may be connected through an output peripheral interface.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should know that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in other orders or at the same time. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
In the several embodiments provided herein, it should be understood that the disclosed device may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division of the units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual couplings or communication connections shown or discussed may be indirect couplings or communication connections between devices or units through some interfaces, and may be electrical or of other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A post-reaction type protection method, the protection being adapted to a firewall between an internal network and an external network, the firewall architecture further comprising a firewall engine having a plurality of installed filters, the method comprising:
based on an access request from the external network, request data enters the internal network through the firewall engine;
after the request data enters the internal network, it is sent to an inside terminal and, as a mirror image of the request data, to a virtual terminal that can carry out network communication using the same IP as the inside terminal;
corresponding to the received request data, feedback data corresponding to the data packet is produced by the virtual terminal and sent to the external network first, while communication between the inside terminal and the external network is one-way isolated by the firewall engine;
the firewall engine then carries out a post-hoc safety analysis directed at the request data and the associated data that the external network passes back in response to the feedback data;
after the safety analysis passes, the reverse isolation between the inside terminal and the external network is cancelled, and the actual feedback data of the inside terminal is transmitted to the external network.
2. The method according to claim 1, wherein the safety analysis comprises:
in a request stage of the external network, receiving the request data and a context data structure of the request data from the external network;
in a feedback stage of the external network, receiving from the external network an associated data packet directed at the feedback data and a context data structure of the associated data packet;
through the request stage and the feedback stage, identifying a parameter set associated with the request data and the associated data;
issuing a classification call, the classification call including the parameter set associated with the request data and the associated data;
comparing the parameter set of the request data and the associated data with the filtering conditions of the plurality of filters, and identifying at least one filter that matches the parameter set of the request data and the associated data, together with the firewall policy specified by the at least one filter;
in response to the classification call, determining an accept and/or isolate action according to the associated firewall policy.
3. The method according to claim 2, wherein the data of the safety analysis may further extend to associated data of a preceding request stage and/or request data of a following association stage.
4. The method according to claim 2, wherein the request data is an inbound communication packet received from the external network; and wherein the parameter set includes information that the association stage parses from the inbound communication packet according to the protocol performed in the association stage.
5. The method according to claim 2, wherein the associated data is an outbound information packet sent to the network device; and wherein the parameter set includes information added to the packet according to the protocol performed in the request stage.
6. The method according to claim 2, further comprising:
modifying the context data structure of the information packet by adding the parameter set.
7. The method according to claim 6, wherein the parameters in the parameter set include an identifier of the request stage or association stage, and a parameter type and value.
8. The method according to claim 1, wherein when the virtual terminal receives the request data,
the virtual terminal compares the data packets it has stored with the received request data, and passes the data packet matching the request data back to the external network in the form of feedback data through a virtual IP identical to that of the inside terminal.
9. The method according to claim 8, wherein the virtual terminal can self-learn to add new data packets to its internal database.
10. An autonomous learning type firewall system applying the method of any one of claims 1 to 9, characterised by comprising:
a firewall engine, including a plurality of installed filters, for carrying out safety analysis on the request data and the associated data, and for performing the matched security policy to isolate or connect the internal network and the external network after the safety analysis;
an inside terminal, connected within the internal network, protected by the firewall engine, and isolated from or connected to the external network by the firewall engine;
a virtual terminal, able to match a corresponding data packet for the request data in a database and to feed the data packet back to the external network on behalf of the inside terminal using the same IP as the inside terminal.
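As an added example (not the patent's own code), the following Python sketch simulates the flow of claims 1, 2, 8 and 9 end to end: the request is mirrored to a virtual terminal that answers the external network first on the inside terminal's IP, the external side's reaction (the associated data) is collected, the firewall engine builds a stage-qualified parameter set from both packets and runs the classification call against its installed filters, and only an accept policy releases the inside terminal's real reply and lets the virtual terminal learn it. All names, the HTTP-style parameter extraction, the fail-closed default for an unmatched parameter set, the virtual terminal's fallback reply and the two constructed exchanges in `demo()` are assumptions made here.

```python
"""Simulation of the reactive protection flow of claims 1, 2, 8 and 9.
Added example, not the patent's own code: the names, the HTTP-style parsing,
the fail-closed default and the virtual terminal's fallback reply are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    stage: str      # "request" (inbound, claim 4) or "association" (claim 5)
    proto: str
    payload: bytes


def extract_params(pkt: Packet) -> Dict[str, object]:
    """Build the packet's stage-qualified parameter set (its 'context data
    structure', claims 2, 6 and 7). A minimal HTTP request-line parser is assumed."""
    p: Dict[str, object] = {f"{pkt.stage}.proto": pkt.proto, f"{pkt.stage}.len": len(pkt.payload)}
    if pkt.proto == "http":
        parts = pkt.payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
        if len(parts) >= 2:
            p[f"{pkt.stage}.method"], p[f"{pkt.stage}.path"] = parts[0], parts[1]
    # crude content indicator consumed by a filter in demo()
    p[f"{pkt.stage}.has_shell_meta"] = any(c in pkt.payload for c in (b";", b"|", b"`"))
    return p


@dataclass
class Filter:
    name: str
    conditions: Dict[str, Callable[[object], bool]]
    policy: str     # "accept" or "isolate"

    def matches(self, params: Dict[str, object]) -> bool:
        return all(k in params and ok(params[k]) for k, ok in self.conditions.items())


class FirewallEngine:
    def __init__(self, filters: List[Filter]):
        self.filters = filters

    def classify(self, params: Dict[str, object]) -> str:
        """The 'classification call' of claim 2: policy of the first matching
        filter. An unmatched parameter set is isolated (fail closed, assumed)."""
        for f in self.filters:
            if f.matches(params):
                return f.policy
        return "isolate"


class VirtualTerminal:
    """Answers first, on the inside terminal's IP, from a stored packet database
    (claim 8) and learns new packets from released real replies (claim 9)."""
    FALLBACK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # unknown request; assumed

    def __init__(self):
        self.db: Dict[bytes, bytes] = {}

    def respond(self, request: Packet) -> bytes:
        return self.db.get(request.payload, self.FALLBACK)

    def learn(self, request: Packet, real_reply: bytes) -> None:
        self.db.setdefault(request.payload, real_reply)


def handle_request(request: Packet, inside_terminal: Callable[[Packet], bytes],
                   external_followup: Callable[[bytes], Packet],
                   engine: FirewallEngine, vt: VirtualTerminal) -> dict:
    """One pass of the method of claim 1."""
    real_reply = inside_terminal(request)   # mirrored copy; reply held back (one-way isolation)
    first_reply = vt.respond(request)       # virtual terminal answers the external network first
    assoc = external_followup(first_reply)  # what the external side sends back: associated data
    params = {**extract_params(request), **extract_params(assoc)}
    policy = engine.classify(params)        # post-hoc analysis over both stages
    if policy == "accept":                  # reverse isolation cancelled
        vt.learn(request, real_reply)
        return {"policy": policy, "sent_to_external": real_reply}
    return {"policy": policy, "sent_to_external": None}


def demo():
    """Constructed exchanges: a benign GET, and one whose follow-up carries shell
    metacharacters. Returns both outcomes and the virtual terminal."""
    engine = FirewallEngine([
        Filter("followup-has-shell-meta", {"association.has_shell_meta": lambda v: v is True}, "isolate"),
        Filter("plain-http-get", {"request.method": lambda v: v == "GET",
                                  "association.proto": lambda v: v == "http"}, "accept"),
    ])
    vt = VirtualTerminal()
    inside = lambda _req: b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    follow = lambda body: (lambda _reply: Packet("association", "http", body))
    benign = Packet("request", "http", b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n")
    benign_out = handle_request(benign, inside, follow(b"GET /style.css HTTP/1.1\r\nHost: a\r\n\r\n"), engine, vt)
    hostile = Packet("request", "http", b"GET /cgi-bin/x HTTP/1.1\r\nHost: a\r\n\r\n")
    hostile_out = handle_request(hostile, inside, follow(b"GET /cgi-bin/x?c=id;id HTTP/1.1\r\nHost: a\r\n\r\n"), engine, vt)
    return benign_out, hostile_out, vt
```

Two points the claims leave open and that any deployment of this scheme has to settle are visible in the sketch: what the virtual terminal answers when nothing in its database matches (here an empty 200, so the external party still sees a live host on the inside terminal's IP and the real reply stays held), and what the engine does when no filter matches the combined parameter set (here isolate). Because the filters see parameters from both stages, a rule can key on the external side's reaction to the decoy reply, which is the information a single-pass packet filter never has.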
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711342272.XA CN107979609B (en) | 2017-12-14 | 2017-12-14 | Post-reaction type protection method and autonomous learning type firewall system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107979609A true CN107979609A (en) | 2018-05-01 |
CN107979609B CN107979609B (en) | 2020-09-22 |
Family
ID=62006558
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711342272.XA Active CN107979609B (en) | 2017-12-14 | 2017-12-14 | Post-reaction type protection method and autonomous learning type firewall system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107979609B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115277043A (en) * | 2022-05-11 | 2022-11-01 | 北京中安星云软件技术有限公司 | Method and system for realizing API audit firewall |
CN116015852A (en) * | 2022-12-26 | 2023-04-25 | 国网江苏省电力有限公司扬州供电分公司 | Virtual cloud desktop security management method based on national power grid information |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040148521A1 (en) * | 2002-05-13 | 2004-07-29 | Sandia National Laboratories | Method and apparatus for invisible network responder |
CN1574792A (en) * | 2003-06-06 | 2005-02-02 | 微软公司 | Multi-layer based method for implementing network firewalls |
CN1748395A (en) * | 2003-02-05 | 2006-03-15 | 日本电信电话株式会社 | Firewall device |
CN105099821A (en) * | 2015-07-30 | 2015-11-25 | 北京奇虎科技有限公司 | Flow monitoring method and apparatus based on cloud virtual environment |
US20160308835A1 (en) * | 2010-06-25 | 2016-10-20 | Salesforce.Com, Inc. | Methods and systems for context-based application firewalls |
Also Published As
Publication number | Publication date |
---|---|
CN107979609B (en) | 2020-09-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1574764B (en) | Method for managing network filter based policies | |
CN1574839B (en) | Multi-layered firewall architecture | |
CN1574792B (en) | Multi-layer based method for implementing network firewalls | |
Sanders | Practical packet analysis: Using Wireshark to solve real-world network problems | |
US10104120B2 (en) | Command and control cyber vaccine | |
Kizza | Computer network security and cyber ethics | |
US20190158591A1 (en) | Device and related method for dynamic traffic mirroring | |
Northcutt et al. | Network intrusion detection | |
US9130826B2 (en) | System and related method for network monitoring and control based on applications | |
CN107251614A (en) | Access point is turned to | |
US9584393B2 (en) | Device and related method for dynamic traffic mirroring policy | |
CN107667505A (en) | System for monitoring and managing data center | |
EP2501101A1 (en) | SOC-Based Device for Packet Filtering and Packet Filtering Method thereof | |
US20140279768A1 (en) | Device and related method for scoring applications running on a network | |
WO2014085952A1 (en) | Policy processing method and network device | |
EP3192226B1 (en) | Device and method for controlling a communication network | |
CN105450619A (en) | Method, device and system of protection of hostile attacks | |
DE112012003293T5 (en) | Apparatus and method for improving data security in a host computer device and a peripheral device | |
AU2011350978A1 (en) | Method and device for controlling access to a computer system | |
Nathans | Designing and building security operations center | |
CN103227798A (en) | Immunological network system | |
CN104901971A (en) | Method and device for carrying out safety analysis on network behaviors | |
EP2974355B1 (en) | A device and a related method for dynamic traffic mirroring and policy, and the determination of applications running on a network | |
KR20220125251A (en) | Programmable Switching Device for Network Infrastructures | |
CN107979609A (en) | Reaction equation means of defence and autonomous learning type firewall system afterwards |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |