CN107979609B - Post-reaction type protection method and autonomous learning type firewall system - Google Patents


Info

Publication number: CN107979609B
Authority: CN (China)
Prior art keywords: data, external network, request, internal, network
Legal status: Active
Application number: CN201711342272.XA
Other languages: Chinese (zh)
Other versions: CN107979609A
Inventors: 黄承慧, 廖锦辉
Current assignee: Guangdong Skynet Safety Information Technology Co ltd
Original assignee: Guangdong Skynet Safety Information Technology Co ltd
Events: application filed by Guangdong Skynet Safety Information Technology Co ltd; priority to CN201711342272.XA; publication of CN107979609A; application granted; publication of CN107979609B; legal status active

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved

Abstract

The invention discloses a post-reaction type protection method that addresses the problem of changes in computer software and hardware degrading the protection function of a firewall, with the following technical scheme: based on an access request from an external network, the request data enters the internal network through a firewall engine; inside the internal network the request data is mirrored to the internal terminal and to a virtual terminal that can communicate on the network using the same IP as the internal terminal; in response to the received request data, the virtual terminal produces feedback data corresponding to the data packet and transmits it to the external network, while the firewall engine isolates the communication from the internal terminal to the external network in one direction; the firewall engine then performs security analysis on the request data and on the associated data that the external network returns in reply to the feedback data; once the security analysis passes, the isolation from the internal terminal to the external network is cancelled and the actual feedback data of the internal terminal is transmitted to the external network. Adaptability to the software and hardware of the computer system is thereby improved to a certain extent.

Description

Post-reaction type protection method and autonomous learning type firewall system
Technical Field
The present invention relates generally to computer system and network security. More particularly, the present invention relates to a post-reaction type protection method and an autonomous learning type firewall system.
Background
A firewall is a system or set of systems that enforces an access control policy. It forms a protective barrier between the user's internal network (private network) and the external network (public network), so that unauthorized users are prevented from accessing resources on the internal network and from transmitting internal information outwards, and so that illegal or malicious network behaviour cannot damage the operation of the internal network. Its basic function is to filter and, where necessary, block data transfers (packets) between the local network, or some part of it, and the Internet. A data packet is a piece of data that carries the information needed to deliver it to its destination. It can be thought of as a postal parcel: the payload is the contents of the parcel, and the packet header is the envelope, which carries the information needed to deliver the packet to the correct machine and the correct program, including the return address. A firewall can implement a wide range of security policies to control information flow and prevent unforeseen intrusion damage. The firewall structure can be a dual-homed host, a screened host, a screened subnet, or another structure.
A firewall needs strong resistance to attack. It should sit at the lowest layer of the system and network protocols, and every port that is accessed or accessible must have strict access rules, cutting off every network connection not covered by a rule. By analogy with architecture, the fire safety of a building is ensured by all the related trades and the corresponding equipment; on a computer system, the protective performance of the firewall is ensured by the firewall itself, the rules set by the user, and the computer system. Also by analogy, a building's fire wall is defeated by changes to the original materials and layout, and the fire resistance of some treated materials is gradually lost over time. The same holds for a computer system: changes in the network and in the software and hardware environment can likewise cause the firewall to lose its function, and as time passes the firewall's original protection technology begins to lag behind and its protective effect slowly weakens.
Disclosure of Invention
In view of the deficiencies of the prior art, a first objective of the present invention is to provide a post-reaction type protection method, which has the advantage of good adaptability to the continuous changes of the software and hardware of a computer system.
In order to achieve the purpose, the invention provides the following technical scheme:
a post-reactive protection method between an internal network and an external network, adapted to a firewall whose framework further comprises a firewall engine with a plurality of installed filters, the method comprising:
based on an access request from the external network, the request data enters the internal network through the firewall engine;
after the request data enters the internal network, it is mirrored both to the internal terminal and to a virtual terminal that can communicate on the network using the same IP as the internal terminal;
in response to the received request data, the virtual terminal produces feedback data corresponding to the data packet and transmits it to the external network, while the firewall engine isolates the communication from the internal terminal to the external network in one direction;
the firewall engine then performs security analysis on the request data and on the associated data that the external network returns in reply to the feedback data;
after the security analysis passes, the reverse isolation between the internal terminal and the external network is cancelled, and the actual feedback data of the internal terminal is transmitted to the external network.
With this technical scheme, when the external network requests access to the internal network, the firewall engine records the data and keeps the internal terminal isolated from the external network in one direction. The virtual terminal transmits feedback data, corresponding to the request data, to the external network using the same IP as the internal terminal. The virtual terminal then receives the associated data that the external network sends back in reply to the feedback data, and the firewall engine performs security analysis on the request data and on this second transmission, deciding the communication between the internal terminal and the external network according to the result. Once the analysis passes, the firewall engine cancels the isolation and the internal terminal can transmit its actual feedback data to the external network. Thus, however the software and hardware of the internal terminal change, as long as the virtual terminal can produce targeted feedback data for the request data, the decision whether to isolate can be made by security analysis of the request data and the associated data, which improves adaptability to the software and hardware of the computer system to a certain extent.
Preferably, the security analysis comprises:
receiving request data and a context data structure of the request data from an external network through a request stage of the external network;
receiving, from the external network, an associated data packet for the feedback data and a context data structure of the associated data packet through a feedback stage of the external network;
identifying, by the request phase and the feedback phase, a set of parameters associated with the request data and the associated data;
issuing a classification call, the classification call comprising a set of parameters associated with the request data and the associated data;
comparing the request data and the set of parameters associated with the data to the filtering conditions of the plurality of filters and identifying at least one filter matching the request data and the set of parameters associated with the data and an associated firewall policy specified by the at least one filter;
in response to the classification call, deciding, according to the associated firewall policy, the action to take: receive and/or isolate.
Preferably, the data of the security analysis can also be extended to the associated data of the stage preceding the request stage and/or the request data of the stage following the associated stage.
Preferably, the request data is an inbound packet received from an external network; and wherein the set of parameters includes information, the association stage analyzing the information from the inbound packet according to a protocol performed by the association stage.
Preferably, the associated data is an outbound packet transmitted to the network device; and wherein the parameter set includes information to be added to the packet in accordance with the protocol executed during the request phase.
Preferably, the method further comprises the following steps:
the packet context data structure is modified by adding parameter sets.
Preferably, the parameters in the parameter set include an identifier of a request phase and an associated phase, a parameter type and a value.
Preferably, when the virtual terminal receives the request data, the virtual terminal compares its stored data packets with the received request data and transmits the data packet matching the request data back to the external network, in the form of feedback data, through the same virtual IP as the internal terminal.
Preferably, the virtual terminal can add new data packets to its internal database in a self-learning manner.
In view of the deficiencies of the prior art, a second objective of the present invention is to provide an autonomous learning firewall system, which has the advantage of good adaptability to the continuous changes of the software and hardware of the computer system.
In order to achieve the purpose, the invention provides the following technical scheme:
an autonomous learning type firewall system comprising:
a firewall engine including a plurality of installed filters, which performs security analysis on the request data and the associated data and, after the analysis, applies the matched security policy to isolate or connect the internal network and the external network;
an internal terminal, which communicates within the internal network, is protected by the firewall engine, and is isolated from or connected to the external network through the firewall engine;
and a virtual terminal, which can use the same IP as the internal terminal to feed back to the external network, in place of the internal terminal, the data packet in its database that matches the request data.
With this technical scheme, the system obtains the same effect as the method described above: the firewall engine records the data and keeps the internal terminal isolated from the external network in one direction; the virtual terminal answers the request data on the internal terminal's IP with corresponding feedback data and receives the associated data the external network sends back; the firewall engine performs security analysis on the request data and on this second transmission and decides the communication between the internal terminal and the external network accordingly; only when the analysis passes is the isolation cancelled and the internal terminal's actual feedback data transmitted to the external network. However the software and hardware of the internal terminal change, as long as the virtual terminal can produce targeted feedback data for the request data, the decision whether to isolate can be made by security analysis of the request data and the associated data, which improves adaptability to the software and hardware of the computer system to a certain extent.
In conclusion, the invention has the following beneficial effects:
1. when an external network requests access to an internal network, only one-way data communication from outside to inside is allowed, and internal data is allowed out only after the security analysis passes, which enhances the security of the stored data;
2. when the computer network's software and hardware change, as long as the virtual terminal can produce targeted feedback for the request data of the external network, security analysis can be performed on the request data and the associated data and the corresponding security policy matched for protection, so adaptability is high;
3. the virtual terminal can add new data packets to its internal database in a self-learning way, which strengthens its adaptability to a constantly changing external network and to changing computer software and hardware.
Drawings
FIG. 1 is a schematic block diagram of a post-reactive protection method according to the present invention;
FIG. 2 is a schematic diagram of a learning-type firewall system of the present invention;
FIG. 3 is a diagram of a computer system according to the present invention.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings and examples.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
A post-reactive protection method, adapted to a firewall placed between an external network and an internal network on the basis of a specific host, a specific port and a specific application, the framework of the firewall further including a firewall engine with a plurality of installed filters; with reference to fig. 1, the method comprises:
based on an access request from the external network, the request data enters the internal network through the firewall engine;
after the request data enters the internal network, it is mirrored both to the internal terminal and to a virtual terminal that can communicate on the network using the same IP as the internal terminal;
in response to the received request data, the virtual terminal produces feedback data corresponding to the data packet and transmits it to the external network, while the firewall engine isolates the communication from the internal terminal to the external network in one direction;
the firewall engine then performs security analysis on the request data and on the associated data that the external network returns in reply to the feedback data;
after the security analysis passes, the reverse isolation between the internal terminal and the external network is cancelled, and the actual feedback data of the internal terminal is transmitted to the external network.
When the external network requests access to the internal network, the external data has to enter the internal network through the firewall engine, which decides whether to let each data packet in the data flow pass by checking the packet's source address, destination address, port number used, protocol state and other factors, alone or in combination.
The firewall engine temporarily isolates the actual feedback data that the internal terminal generates for the request data, i.e. it blocks the internal network towards the external network in one direction. Meanwhile, the virtual terminal receives the same request data, compares it with the data packets in its database, and transmits the packet matching the request data back to the external network, as feedback data, through the same virtual IP as the internal terminal.
As for the data packets in the virtual terminal's database, the virtual terminal can add new data packets to this internal database in a background self-learning manner.
Specifically, the security analysis includes: receiving request data and a context data structure of the request data from an external network through a request stage of the external network;
receiving, from the external network, an associated data packet for the feedback data and a context data structure of the associated data packet through a feedback stage of the external network;
identifying, by the request phase and the feedback phase, a set of parameters associated with the request data and the associated data;
issuing a classification call, the classification call comprising a set of parameters associated with the request data and the associated data;
comparing the request data and the set of parameters associated with the data to the filtering conditions of the plurality of filters and identifying at least one filter matching the request data and the set of parameters associated with the data and an associated firewall policy specified by the at least one filter;
in response to the classification call, deciding, according to the associated firewall policy, the action to take: receive and/or isolate.
In addition, the data of the security analysis may also be extended to the associated data of the previous stage of the request stage and/or the request data of the next stage of the associated stage.
The request data is an inbound packet received from the external network; and wherein the set of parameters includes information, the association stage analyzing the information from the inbound packet according to a protocol performed by the association stage.
The associated data is an outbound packet transmitted to the network device; and wherein the parameter set includes information to be added to the packet in accordance with the protocol executed during the request phase.
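The two-stage flow of this embodiment (request mirrored to internal and virtual terminal, one-way isolation, security analysis over the request data plus the associated data, isolation lifted only on a pass, self-learning of new packets), written out as a small Python simulation. This is an added illustration, not code from the patent; the class names (Filter, FirewallEngine, VirtualTerminal), the parameter names, the "isolate when no filter matches" default and the assumption that the virtual terminal learns the internal terminal's real reply are all choices made for the example.

```python
from dataclasses import dataclass


@dataclass
class Filter:
    """One installed filter: filter conditions over the parameter set plus an action."""
    conditions: dict       # parameter name -> required value (all must match)
    action: str            # "receive" (cancel the isolation) or "isolate"
    priority: int = 100    # lower number is applied first

    def matches(self, params):
        return all(params.get(k) == v for k, v in self.conditions.items())


class FirewallEngine:
    """Holds the installed filters and the per-flow one-way isolation state."""

    def __init__(self, filters):
        self.filters = sorted(filters, key=lambda f: f.priority)
        self.held = {}     # flow id -> actual internal reply withheld from the external network

    def classify(self, params):
        """Classification call: the first matching filter by priority decides.
        No matching filter keeps the flow isolated (an assumed default)."""
        for f in self.filters:
            if f.matches(params):
                return f.action
        return "isolate"


class VirtualTerminal:
    """Answers on the internal terminal's IP from a database of request type -> feedback packet."""

    def __init__(self, ip, database):
        self.ip = ip
        self.database = dict(database)

    def respond(self, request):
        # Compare the stored packets with the received request; None when nothing matches
        return self.database.get(request["type"])

    def learn(self, request, feedback):
        """Self-learning: keep the feedback for a request type the database did not know yet."""
        self.database.setdefault(request["type"], feedback)


def post_reactive_exchange(engine, vterm, request, internal_reply, associated):
    """One request / feedback / associated-data cycle for a single flow.

    Returns (decision, data released to the external network, feedback the virtual terminal sent).
    """
    flow = (request["src"], request["type"])
    # Request stage: the request is mirrored to the internal terminal and the virtual terminal;
    # the internal terminal's actual reply is held, i.e. internal -> external is isolated.
    engine.held[flow] = internal_reply
    feedback = vterm.respond(request) or {"status": "unknown"}
    # Feedback stage: the external network answers the virtual terminal's feedback with
    # associated data. Both stages contribute parameters to one classification call.
    params = {
        "request.type": request["type"],
        "request.src": request["src"],
        "associated.type": associated["type"],
        "associated.src": associated["src"],
    }
    decision = engine.classify(params)
    if decision == "receive":
        released = engine.held.pop(flow)
        vterm.learn(request, released)   # assumed: the real reply becomes a stored packet
        return decision, released, feedback
    return decision, None, feedback      # isolation stays; nothing from the internal terminal leaves


# Constructed sample policy: a probe in the associated data wins over any permissive rule
FILTERS = [
    Filter({"associated.type": "probe"}, "isolate", priority=10),
    Filter({"associated.type": "ack"}, "receive", priority=50),
]


def demo():
    """Runs three constructed flows and returns their outcomes plus the engine and terminal state."""
    engine = FirewallEngine(FILTERS)
    vterm = VirtualTerminal("10.0.0.5", {"http_get": {"status": 200, "body": "index"}})
    real = {"status": 200, "body": "real page"}
    benign = post_reactive_exchange(engine, vterm, {"src": "203.0.113.7", "type": "http_get"},
                                    real, {"src": "203.0.113.7", "type": "ack"})
    hostile = post_reactive_exchange(engine, vterm, {"src": "198.51.100.9", "type": "http_get"},
                                     real, {"src": "198.51.100.9", "type": "probe"})
    # Request type the virtual terminal has not seen: it answers generically, and after the
    # analysis passes the real reply is learned for next time.
    unknown = post_reactive_exchange(engine, vterm, {"src": "203.0.113.8", "type": "dns_query"},
                                     {"answer": "10.0.0.5"}, {"src": "203.0.113.8", "type": "ack"})
    return {"benign": benign, "hostile": hostile, "unknown": unknown,
            "held": dict(engine.held), "learned": dict(vterm.database)}
```

Calling demo() shows the benign flow released, the hostile flow still held in engine.held, and dns_query added to the virtual terminal's database.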
The method subjects network packets to filters at multiple layers of a protocol stack. The method and firewall architecture run in multiple operating system processes (referred to as "kernel mode processing" and "user mode processing"). Alternatively, they may run in a single operating system process, or in one or more program modules or application programs executing outside the operating system.
The kernel mode processing includes a protocol stack, a kernel (core) firewall engine, and one or more callouts (rendered as "outgoing calls" in the original translation). The protocol stack includes an application layer, a transport layer, a network layer and a link layer; further layers are added to or removed from the system as needed. Each of these layers acts as a requesting layer that receives the network packet and the corresponding packet context data from the previous layer or process. The requesting layer then issues a classification request to the core firewall engine via a layer API. The classification request includes the packet received by the requesting layer, the packet context, and a set of layer parameters associated with the requesting layer.
The core firewall engine processes the request and returns an action. For example, the action indicates how the requesting layer handles the packet (e.g. allow or block). If the action is allow, the requesting layer processes the packet according to its layer protocol, modifies the packet context to include the layer parameters, and passes the packet and the packet context to the next layer. If the action is block, the requesting layer drops the packet and does not pass it to the next layer; as a consequence of the block action, the requesting layer may perform additional functions (e.g. tear down the TCP connection). The core firewall engine includes the layer API, a set of installed filters and a callout API. Each filter in the installed filter set includes a set of filter conditions and an associated action. The core firewall engine processes the classification request sent from the requesting layer by identifying one or more matching filters, i.e. filters whose filter conditions match the layer parameters and packet context. Once the matching filters are identified, they are applied in order of filter priority. If the action of the filter being applied is allow or block, that action is returned to the requesting layer. If the action is a callout, the classification request issued by the requesting layer is forwarded, together with the identity of the matched filter, to one of the callout modules. The callout module performs its programmed function and returns an action to the core firewall engine. If no matching filter is identified for the packet, the requesting layer is notified that no matching filter was found, and the requesting layer then decides how to handle the packet.
Exemplary user mode processing includes a user mode firewall engine and one or more policy providers. The policy providers obtain policy from any suitable source (e.g. volatile or non-volatile memory). The policy is the source of information for creating a new filter, including its set of filter conditions and associated action. The user mode firewall engine adds the new filter to the set of installed filters in the core firewall engine via a filter engine API.
The user mode also includes an instance of the core firewall engine, which allows user mode layers to be created. The user mode layers then use the user mode instance of the core firewall engine to identify filters matching a set of parameters, so that filtering can be applied within user mode.
In embodiments of the invention, the callout interface from the core firewall engine to a set of callout modules allows virtually unlimited expansion of the firewall's capabilities. For example, an HTTP context callout provides a parental-control feature by identifying acceptable and unacceptable URL addresses. An Internet security (IPSec) callout verifies that the packet has undergone IPSec processing where appropriate. A logging callout records packets that meet established criteria, facilitating later inspection of those packets. An intrusion detection callout identifies suspicious packets according to known algorithms.
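The kernel-mode classification path described above (requesting layers that build layer parameters and a packet context, priority-ordered filters returning allow or block, a callout filter that hands the request to a module, and the no-match case left to the requesting layer), as an added Python example that is not the patent's own code. CoreFirewallEngine, run_stack, the four layer parsers, the telnet block rule and the URL denylist in the HTTP context callout are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK, CALLOUT = "allow", "block", "callout"


@dataclass
class Filter:
    layer: str                     # request layer the filter is installed for
    conditions: dict               # layer parameter or packet-context name -> required value
    action: str                    # ALLOW, BLOCK or CALLOUT
    priority: int = 100            # lower number is applied first
    callout: Optional[str] = None  # callout module name when action == CALLOUT

    def matches(self, layer, params, context):
        if self.layer != layer:
            return False
        visible = {**context, **params}   # context carries the parameters added by earlier layers
        return all(visible.get(k) == v for k, v in self.conditions.items())


class CoreFirewallEngine:
    """Layer API (classify), the installed filter set, and the callout API."""

    def __init__(self):
        self.filters = []
        self.callouts = {}   # name -> function(packet, params, context, matched_filter) -> action

    def add_filter(self, f):
        """What a policy provider does through the filter engine API."""
        self.filters.append(f)
        self.filters.sort(key=lambda x: x.priority)

    def register_callout(self, name, fn):
        self.callouts[name] = fn

    def classify(self, layer, packet, params, context):
        """Returns ALLOW or BLOCK, or None when no installed filter matched."""
        for f in self.filters:
            if not f.matches(layer, params, context):
                continue
            if f.action in (ALLOW, BLOCK):
                return f.action
            # Callout filter: the request goes on to the module together with the matched
            # filter, and the module's programmed function returns the action.
            result = self.callouts[f.callout](packet, params, context, f)
            if result in (ALLOW, BLOCK):
                return result
        return None


def run_stack(engine, packet, layers, default=ALLOW):
    """Passes one packet up through the request layers.

    Each layer derives its layer parameters, issues a classification request and, if allowed,
    adds its parameters to the packet context before handing the packet to the next layer.
    Returns (final action, packet context, layer that blocked or None).
    """
    context = {}
    for layer, parse in layers:
        params = parse(packet)
        action = engine.classify(layer, packet, params, context)
        if action is None:
            action = default   # no matched filter: the requesting layer decides for itself
        if action == BLOCK:
            return BLOCK, context, layer   # packet dropped; later layers never see it
        context.update({f"{layer}.{k}": v for k, v in params.items()})
    return ALLOW, context, None


# Constructed protocol stack: each layer reads the fields it is responsible for
STACK = [
    ("link", lambda p: {"src_mac": p["src_mac"]}),
    ("network", lambda p: {"src_ip": p["src_ip"], "dst_ip": p["dst_ip"]}),
    ("transport", lambda p: {"proto": p["proto"], "dst_port": p["dst_port"]}),
    ("application", lambda p: {"url": p.get("url", "")}),
]

UNACCEPTABLE_URL_PREFIXES = ("http://example.invalid/blocked",)   # constructed denylist


def http_context_callout(packet, params, context, matched):
    """URL acceptability check, the kind of function an HTTP context callout performs."""
    return BLOCK if params.get("url", "").startswith(UNACCEPTABLE_URL_PREFIXES) else ALLOW


def build_engine():
    engine = CoreFirewallEngine()
    engine.register_callout("http_context", http_context_callout)
    # Constructed policy: block telnet at the transport layer; hand port-80 traffic to the
    # HTTP callout at the application layer (the transport parameters arrive via the context)
    engine.add_filter(Filter("transport", {"proto": "tcp", "dst_port": 23}, BLOCK, priority=10))
    engine.add_filter(Filter("application", {"transport.dst_port": 80}, CALLOUT, priority=50,
                             callout="http_context"))
    return engine


def classify_packet(packet):
    """Convenience entry point: runs a packet dict through the constructed stack and policy."""
    return run_stack(build_engine(), packet, STACK)
```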
The invention is illustrated as being implemented in a suitable computing environment. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
Example 2
An autonomous learning firewall system, based on the post-reaction type protection method in embodiment 1, with reference to fig. 2, includes:
a firewall engine including a plurality of installed filters, which performs security analysis on the request data and the associated data and, after the analysis, applies the matched security policy to isolate or connect the internal network and the external network;
an internal terminal, which communicates within the internal network, is protected by the firewall engine, and is isolated from or connected to the external network through the firewall engine;
and a virtual terminal, which can use the same IP as the internal terminal to feed back to the external network, in place of the internal terminal, the data packet in its database that matches the request data.
FIG. 3 illustrates an example of a suitable computing system environment on which the invention may be implemented. The computing system environment is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the computing environment be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment.
The invention is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or portable devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
With reference to FIG. 3, an exemplary system for implementing the invention includes a general purpose computing device in the form of a computer. Components of the computer may include, but are not limited to, a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit. The system bus may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.
A computer typically includes a variety of computer-readable media. Computer readable media can be any available media that can be accessed by the computer and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
The system memory includes computer storage media in the form of volatile and/or nonvolatile memory such as Read Only Memory (ROM) and Random Access Memory (RAM). A basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the computer, such as during start-up, is typically stored in ROM. RAM typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by the processing unit. By way of example, and not limitation, fig. 3 illustrates an operating system, application programs, other program modules, and program data.
The computer may also include other removable/non-removable volatile/nonvolatile computer storage media. By way of example only, FIG. 3 illustrates a hard disk drive that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive that reads from or writes to a removable, nonvolatile magnetic disk, and an optical disk drive that reads from or writes to a removable, nonvolatile optical disk such as a CDROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, and the like. The hard disk drive is typically connected to the system bus through a non-removable memory interface (e.g., an interface), and magnetic disk drive and optical disk drive are typically connected to the system bus by a removable memory interface (e.g., an interface).
The drives and their associated computer storage media discussed above and illustrated in FIG. 3, provide storage of computer readable instructions, data structures, program modules and other data for the computer. In FIG. 3, for example, a hard disk drive is illustrated as storing an operating system, application programs, other program modules, and program data. Note that these components can either be the same as or different from operating system, application programs, other program modules, and program data. Operating systems, application programs, other program modules, and program data are given different numbers here to illustrate that: they are at least different copies. A user may enter commands and information into the computer through input devices (e.g., a keyboard) and a pointing device, commonly referred to as a "mouse," trackball, "or" touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit through a user input interface that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or a Universal Serial Bus (USB). A monitor or other type of display device is also connected to the system bus via an interface, such as a video interface. In addition to the monitor, computers may also include other peripheral output devices such as speakers and printer, which may be connected through an output peripheral interface.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the above-described division of the units is only one type of division of logical functions, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or communication connection may be an indirect coupling or communication connection between devices or units through some interfaces, and may be in a telecommunication or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention is described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method of post-reactive protection, wherein the protection is applied by a firewall between an internal network and an external network, the framework of the firewall further comprising a firewall engine having a plurality of installed filters, the method comprising:
based on an access request of the external network, request data entering the internal network through the firewall engine;
after the request data enters the internal network, transmitting the request data in a mirrored manner both to the internal terminal and to a virtual terminal that can perform network communication with the internal terminal using the same IP;
in response to the received request data, the virtual terminal generating feedback data corresponding to the data packet and transmitting the feedback data to the external network, while the firewall engine isolates the communication between the internal terminal and the external network in a single direction;
the firewall engine then carrying out a security analysis on the request data and on the associated data which the external network returns in response to the feedback data;
after the security analysis is passed, cancelling the reverse isolation between the internal terminal and the external network, and transmitting the actual feedback data of the internal terminal to the external network.
2. The method of claim 1, wherein the security analysis comprises:
receiving request data and a context data structure of the request data from an external network through a request stage of the external network;
receiving, from the external network, an associated data packet for the feedback data and a context data structure of the associated data packet through a feedback stage of the external network;
identifying, by the request phase and the feedback phase, a set of parameters associated with the request data and the associated data;
issuing a classification call, the classification call comprising a set of parameters associated with the request data and the associated data;
comparing the set of parameters associated with the request data and the associated data to the filtering conditions of the plurality of filters, and identifying at least one filter matching that set of parameters and an associated firewall policy specified by the at least one filter;
in response to the classification call, making a decision to receive and/or isolate according to the associated firewall policy.
3. The method of claim 2, wherein the data of the security analysis can further be extended to the association data of the stage preceding the request stage and/or the request data of the stage following the association stage.
4. The method of claim 2, wherein the request data is an inbound packet received from the external network; and wherein the set of parameters includes information that the association stage parses from the inbound packet according to the protocol performed by the association stage.
5. The method of claim 2, wherein the association data is an outbound packet transmitted to the network device; and wherein the parameter set includes information to be added to the packet in accordance with the protocol executed during the request phase.
6. The method of claim 2, further comprising:
the packet context data structure is modified by adding parameter sets.
7. The method of claim 6, wherein the parameters in the parameter set include an identification of a request phase, an association phase, a parameter type, and a value.
8. The method of claim 1, wherein, upon receipt of the request data by the virtual terminal, the virtual terminal compares its stored data packets with the received request data and transmits the data packet matching the request data back to the external network in the form of feedback data through the same virtual IP as the internal terminal.
9. The method of claim 8, wherein the virtual terminal can add supplementary new data packets to its internal database in a self-learning manner.
10. An autonomous learning firewall system applying the method according to any of claims 1 to 9, comprising:
a firewall engine including a plurality of installed filters, for performing security analysis on the request data and the associated data and, after the security analysis, executing the matched security policy to isolate or connect the internal network and the external network;
an internal terminal, which communicates within the internal network, is protected by the firewall engine, and is isolated from or connected to the external network through the firewall engine;
and a virtual terminal, which can use the same IP as the internal terminal to feed back to the external network, in place of the internal terminal, the data packet in its database that matches the request data.
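The flow of claims 1, 2, 8 and 9 as an added toy simulation, not the patent's implementation: the decoy answers first, the engine classifies the request together with the external network's follow-up against the installed filters, and the internal terminal's real reply is released only when the analysis passes. Filter, VirtualTerminal, FirewallEngine, protect, the sample filters and the HTTP-style payloads are all assumptions; nothing leaves the internal terminal while it is isolated.

```python
from dataclasses import dataclass

@dataclass
class Filter:
    # Installed filter (claim 2): every condition must match the parameter set;
    # policy is the firewall policy it specifies, "receive" or "isolate".
    conditions: dict
    policy: str

class VirtualTerminal:  # decoy that answers on the internal terminal's IP (claims 8, 9)
    def __init__(self, ip, database):
        self.ip = ip
        self.database = dict(database)  # request payload -> canned feedback packet
    def feedback(self, request):
        # Claim 8: return the stored packet matching the request, if any.
        return self.database.get(request["payload"])

    def learn(self, request, real_feedback):
        # Claim 9: supplement the database with the internal terminal's real reply.
        self.database.setdefault(request["payload"], real_feedback)

class FirewallEngine:
    def __init__(self, filters):
        self.filters = filters
    def classify(self, request, associated):
        # Parameters come from the request stage and the feedback stage (claims 2, 7).
        params = {"request.proto": request["proto"], "request.payload": request["payload"]}
        if associated is not None:
            params["assoc.payload"] = associated["payload"]
        matched = [f for f in self.filters
                   if all(params.get(k) == v for k, v in f.conditions.items())]
        # Default-deny: release only if some filter matched and none of them says isolate.
        action = "receive" if matched and not any(f.policy == "isolate" for f in matched) else "isolate"
        return action, matched

def protect(engine, vterm, internal_handler, request, external_followup):
    """One exchange of claim 1: the internal terminal's real reply is held back (one-way
    isolation) until the analysis of the request and the external follow-up passes."""
    decoy = vterm.feedback(request)                # decoy feedback goes out first
    associated = external_followup(decoy) if decoy is not None else None
    real = internal_handler(request)               # mirrored request, reply withheld
    action, matched = engine.classify(request, associated)
    if action == "receive":
        vterm.learn(request, real)                 # isolation cancelled, real reply released
        return {"released": True, "to_external": real, "matched": len(matched)}
    return {"released": False, "to_external": decoy, "matched": len(matched)}
# Constructed demo: a read-only follow-up is released, a configuration write stays isolated.
ENGINE = FirewallEngine([Filter({"request.proto": "http"}, "receive"),
                         Filter({"assoc.payload": "PUT /config"}, "isolate")])
VTERM = VirtualTerminal("10.0.0.5", {"GET /status": "200 OK (decoy)"})

def demo(followup_payload):
    request = {"proto": "http", "payload": "GET /status"}
    return protect(ENGINE, VTERM, lambda r: "200 OK (real)", request,
                   lambda decoy: {"payload": followup_payload})
```

A request with no stored decoy packet is still analysed (with no feedback-stage parameters) and, once released, its real reply is learned so the virtual terminal can answer it next time.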
CN201711342272.XA 2017-12-14 2017-12-14 Post-reaction type protection method and autonomous learning type firewall system Active CN107979609B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711342272.XA CN107979609B (en) 2017-12-14 2017-12-14 Post-reaction type protection method and autonomous learning type firewall system


Publications (2)

Publication Number Publication Date
CN107979609A CN107979609A (en) 2018-05-01
CN107979609B true CN107979609B (en) 2020-09-22

Family

ID=62006558


Country Status (1)

Country Link
CN (1) CN107979609B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277043A (en) * 2022-05-11 2022-11-01 北京中安星云软件技术有限公司 Method and system for realizing API audit firewall
CN116015852A (en) * 2022-12-26 2023-04-25 国网江苏省电力有限公司扬州供电分公司 Virtual cloud desktop security management method based on national power grid information

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1574792A (en) * 2003-06-06 2005-02-02 微软公司 Multi-layer based method for implementing network firewalls
CN1748395A (en) * 2003-02-05 2006-03-15 日本电信电话株式会社 Firewall device
CN105099821A (en) * 2015-07-30 2015-11-25 北京奇虎科技有限公司 Flow monitoring method and apparatus based on cloud virtual environment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040148521A1 (en) * 2002-05-13 2004-07-29 Sandia National Laboratories Method and apparatus for invisible network responder
US9160710B2 (en) * 2010-06-25 2015-10-13 Salesforce.Com, Inc. Methods and systems for context-based application firewalls




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant