CN109558366A - A kind of firewall based on multiple processor structure - Google Patents
A kind of firewall based on multiple processor structure
- Publication number: CN109558366A (application number CN201811359856.2A)
- Authority: CN (China)
- Prior art keywords: coprocessor, primary processor, firewall, processor, module
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F15/00—Digital computers in general; Data processing equipment in general
        - G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
          - G06F15/163—Interprocessor communication
            - G06F15/17—Interprocessor communication using an input/output type connection, e.g. channel, I/O port
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
            - G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
Abstract
A firewall based on a multiprocessor architecture, comprising: a primary processor that handles the firewall's management flows; and a coprocessor that processes the firewall's service flows in parallel. The primary processor and the coprocessor are mutually independent and communicate through a communication interface. The firewall of the invention uses a dual-processor architecture: the two processors are independent of each other and exchange only limited communication over the communication interface, so that when the primary processor is under network attack or cannot operate normally, the service processing unit of the coprocessor is still able to process service traffic normally. The firewall of the invention runs its modules (deep packet parsing, basic policy matching, industrial-protocol function-code matching, industrial-protocol parameter matching, alarm upload and so on) in parallel; compared with other industrial-control firewalls, the processing time is reduced by several orders of magnitude, and 100% throughput is reached at gigabit line rate with 64-byte Ethernet packets.
Description
Technical field
The present invention relates to the field of firewall technology, and in particular to a firewall based on a multiprocessor architecture.
Background art
Hardware-based traditional industrial-control firewalls generally use one of several mainstream hardware architectures: X86, ASIC, NP, MIPS or ARM. The operating systems they run are mostly general-purpose operating systems, which do not fully consider the security of the operating system itself; their security mechanisms are incomplete, which leaves many security vulnerabilities and hidden dangers. For example, firewalls are increasingly attacked through operating-system vulnerabilities, backdoors, viruses and trojans. Modifying the operating-system kernel code is extremely difficult, and merely adding security techniques and protective measures around the periphery of the operating system, without modifying the kernel code, cannot fundamentally solve the security problem.
Industrial control equipment in an industrial network environment has very high real-time requirements for transmission and feedback; a response timeout may cause some switches to stop responding, so an industrial firewall inserted into the network must also meet the real-time requirements of the industrial network. Traditional industrial firewalls are mostly based on processors that execute sequentially; when they perform deep packet inspection on industrial-protocol packets and check the legitimacy of the industrial-protocol instructions and operation data carried in a message, the processing delay of the industrial firewall increases greatly and may even affect the normal operation of the industrial control system.
Traditional firewalls therefore have the following defects:
(1) Because the general-purpose operating system does not fully consider its own security and its security mechanisms are incomplete, many security vulnerabilities and hidden dangers exist; when an operating-system vulnerability or backdoor is exploited, the firewall device may behave abnormally, restart, or have its security mechanisms fail;
(2) Because the processor of a traditional firewall mostly executes sequentially, while an industrial firewall must perform deep packet parsing of industrial-protocol packets and check the legitimacy of industrial-protocol instructions and operands, the firewall's processing delay increases and it cannot be used in industrial control systems with very high real-time requirements for transmission and feedback.
Summary of the invention
The present application provides a firewall based on a multiprocessor architecture, comprising:
a primary processor that handles the firewall's management flows;
a coprocessor that processes the firewall's service flows in parallel;
the primary processor and the coprocessor being mutually independent and communicating through a parallel port.
In one embodiment, there is a mutual-detection interface between the primary processor and the coprocessor, such that when the primary processor detects that the coprocessor is abnormal it automatically controls the coprocessor to restore it to the normal working state and records an exception code, and when the coprocessor detects that the primary processor is abnormal it automatically controls the primary processor to restore it to the normal working state and records an exception code.
In one embodiment, the primary processor and the coprocessor monitor each other's status, specifically:
a heartbeat detection register, a primary-processor state register and a coprocessor state register are provided in the shared RAM of the coprocessor;
the primary-processor state register stores the status codes of the running state of each process and module of the primary processor, and the primary processor periodically updates the status codes stored in the primary-processor state register;
the coprocessor state register stores the status codes of the running state of each process and module of the coprocessor, and the coprocessor periodically updates the status codes stored in the coprocessor state register;
the primary processor and the coprocessor periodically toggle the value in the heartbeat detection register in turn; if a toggle times out or the value in the heartbeat detection register is wrong, the peer's state is judged abnormal and exception handling is entered.
In one embodiment, exception handling is divided into three levels: exception recording; exception recording and isolation; and exception recording and reset.
In one embodiment, exception recording is performed as follows:
when the primary processor judges the coprocessor state to be abnormal, the primary processor reads the status code stored in the coprocessor state register and stores the status code read into a log file;
and when the coprocessor judges the primary-processor state to be abnormal, the coprocessor reads the status code stored in the primary-processor state register and stores the status code read into a log file.
In one embodiment, exception recording and isolation is performed as follows:
when the primary processor judges the coprocessor state to be abnormal, the primary processor reads the status code stored in the coprocessor state register, then blocks the communication interface to the coprocessor so that the primary processor and the coprocessor are isolated from each other, and stores the status code read into a log file;
and when the coprocessor judges the primary-processor state to be abnormal, the coprocessor reads the status code stored in the primary-processor state register, then blocks the communication interface to the primary processor so that the coprocessor and the primary processor are isolated from each other, and stores the status code read into a log file.
In one embodiment, exception recording and reset is performed as follows:
when the primary processor judges the coprocessor state to be abnormal, the primary processor reads the status code stored in the coprocessor state register, stores the status code read into a log file, controls the two network interfaces of the coprocessor to enter the pass-through state so that communication continues normally, and outputs a low-level reset signal to the coprocessor; after the coprocessor reset completes, the coprocessor reloads the security policy and returns the two network interfaces to the security-controlled state;
and when the coprocessor judges the primary processor to be abnormal, the coprocessor reads the status code stored in the primary-processor state register, stores the status code read into a log file, and outputs a low-level reset signal to the primary processor; after the primary-processor reset completes, the log file is sent to the primary processor.
In one embodiment, the primary processor handles the firewall's management flows and sends the security policies it receives to the coprocessor; the coprocessor receives and stores the security policies, performs deep security inspection of messages entering the firewall according to the security policies, and forwards legitimate messages.
In one embodiment, the primary processor is an ARM processor and the coprocessor is an FPGA.
In one embodiment, the coprocessor comprises:
a filtering and matching module, which performs basic legitimacy checking, industrial-protocol deep parsing, industrial-protocol instruction legitimacy checking and industrial-protocol parameter legitimacy checking on received Ethernet packets;
a MAC module, which receives the Ethernet packet header and time-stamps the packet through a timestamp module with microsecond precision, so that every packet carries accurate time information; after receiving the Ethernet packet header, and before receiving the packet payload, the MAC module sends the Ethernet packet header to the filtering and matching module so that the filtering and matching module can begin security checking of the Ethernet header in advance;
a store-and-forward module, which stores the Ethernet packets sent by the MAC module and forwards or blocks the received Ethernet packets according to the matching result of the filtering and matching module.
In one embodiment, the coprocessor further comprises a policy management module, which independently provides security policies to the filtering and matching module, so that the filtering and matching module performs basic legitimacy checking, industrial-protocol deep parsing, industrial-protocol instruction legitimacy checking and industrial-protocol parameter legitimacy checking on messages entering the firewall according to the security policies.
In one embodiment, the basic legitimacy check, the industrial-protocol deep parsing, the industrial-protocol instruction legitimacy check and the industrial-protocol parameter legitimacy check are processed in parallel; during the security check, as soon as any one check process yields an "illegal" judgement, the other check processes terminate the processing of that Ethernet packet early.
The firewall of the above embodiments achieves the following technical effects:
(1) The firewall of the invention uses a dual-processor architecture. One processor, an ARM primary processor running a deeply customised Linux operating system, provides only a minimal set of services: user authentication and permission control, reception of protection policies, and upload of alarm logs; this reduces the security threat brought by operating-system vulnerabilities. The other, an FPGA coprocessor, provides a highly reliable service processing unit built from logic circuits, which performs the basic legitimacy check, industrial-protocol deep parsing, industrial-protocol instruction legitimacy check and industrial-protocol parameter legitimacy check; with a fixed processing flow and efficient parallel processing it can effectively resist network attacks arriving on the service ports. The two processors are mutually independent and exchange only limited communication over a parallel port, so that when the ARM primary processor is under network attack or cannot operate normally, the service processing unit of the FPGA coprocessor is still able to process service traffic normally.
(2) The firewall of the invention processes industrial-protocol deep parsing, basic policy matching, industrial-protocol instruction matching, industrial-protocol parameter matching, alarm upload and the other modules concurrently. Compared with mainstream industrial-control firewalls, the processing time is reduced by several orders of magnitude, and 100% throughput is reached at gigabit line rate with 64-byte Ethernet packets.
Brief description of the drawings
Fig. 1 is a functional block diagram of the firewall;
Fig. 2 is a schematic diagram of the filtering and matching module;
Fig. 3 is a diagram of the interface between the FPGA processor and the ARM processor;
Fig. 4 is a timing diagram of the firewall management data;
Fig. 5 is a timing diagram of the firewall service data;
Fig. 6 is a basic communication flow chart.
Detailed description of the embodiments
The invention is further described in detail below through specific embodiments in conjunction with the accompanying drawings.
The embodiments of the present invention provide a firewall with a multiprocessor architecture, to solve the problems of incomplete security mechanisms and poor real-time performance in traditional firewalls.
This example takes a dual-processor architecture to illustrate the working principle of the multiprocessor firewall. As shown schematically in Fig. 1, it comprises a primary processor that handles the firewall's management flows and a coprocessor that processes the firewall's service flows in parallel; the primary processor and the coprocessor are mutually independent and communicate through a port. The management flows of the firewall comprise non-real-time processes such as policy management and alarm-log management; the service flows of the firewall comprise real-time processing flows such as protocol parsing, legitimacy checking and forwarding.
By keeping the primary processor and the coprocessor mutually independent, this example physically isolates the firewall's service flows from its management flows. Specifically, the primary processor and the coprocessor communicate through a communication interface; the primary processor handles the firewall's management flows and sends the security policies it receives to the coprocessor; the coprocessor receives and stores the security policies, performs deep security inspection on messages entering the firewall according to the security policies, and forwards legitimate Ethernet messages. Therefore, even when the primary processor is in an abnormal state, the coprocessor is still able to work normally.
The primary processor is preferably an ARM processor running a deeply customised minimal Linux system that provides only the minimum set of services; the coprocessor is preferably an FPGA whose service processing unit is implemented as stable logic circuits. Therefore, even if the ARM processor's system crashes, the service processing unit of the FPGA continues to work normally. This effectively addresses threat events such as firewall device abnormality, restart and security-policy failure caused by operating-system vulnerabilities or backdoors, and guarantees the safe operation of the industrial control system.
In addition, for service data the coprocessor exploits the parallelism of the FPGA hardware: Ethernet packet deep parsing, basic policy matching, industrial-protocol instruction-code matching and industrial-protocol parameter matching are processed in parallel in real time. The processing delay at 1000M line rate is 10 microseconds, which the inventors contrast with the roughly 100 microseconds of other industrial firewalls and describe as a reduction of several orders of magnitude; 100% throughput is reached at gigabit line rate with 64-byte Ethernet packets.
In summary, the firewall provided by this example has a dual-processor architecture and performs legitimacy checking of the service data between the field-control layer and the supervisory layer of an industrial control network, blocking or forwarding Ethernet packets according to the check result. The industrial firewall responds to authentication information and security-policy configuration information from the management software client; according to the security policy it performs deep security inspection of messages entering the firewall, forwards legitimate messages, and blocks illegitimate messages and raises a threat alarm. The alarm information, comprising the time of the message, MAC address, IP address, protocol type, threat event type and so on, is sent to the configuration management application software, which records it, forms the corresponding event and operation logs, and displays them to the user in report form after statistical analysis.
The firewall structure of this example is described in detail below with reference to Fig. 1. Specifically, the primary processor of this example comprises the following modules:
Communication management and control module, comprising an authentication management unit, an encryption/decryption unit, a persistent-connection heartbeat management unit and a user management unit;
Policy management module, comprising a basic whitelist policy, an industrial-control instruction whitelist policy (covering a dozen or so industrial protocols including Siemens S7, Modbus, IEC104, DNP, OPC and PROFINET), an industrial-control protocol parameter whitelist (covering the same dozen or so industrial protocols), and policy query, policy modification and policy deletion;
Threat reporting module, responsible for promptly reporting to the management software, whenever a message violating a policy rule attempts to pass through the service ports, the time, MAC address, IP address, protocol type and threat event of the illegitimate message, for the user to inspect;
Statistics reporting module, which receives the statistics sent by the traffic-statistics module of the FPGA processor and periodically sends statistics messages to the data server.
The coprocessor comprises a MAC module, a filtering and matching module and a store-and-forward module:
The MAC module implements PHY register configuration and the reception and transmission of data packets, and supports 10/100/1000M auto-negotiation. Specifically, the MAC module receives the Ethernet packet header and time-stamps the packet through a timestamp module with microsecond precision, so that every packet carries accurate time information; and after the MAC module receives the Ethernet packet header, and before it receives the packet payload, it sends the Ethernet header to the filtering and matching module so that the filtering and matching module can begin security checking of the Ethernet header in advance.
That is, the MAC module of this example is designed with redundant functional blocks optimised away, achieving two effects: 1) reduced delay and improved stability; 2) an added timestamp function that precisely marks the timestamp of every packet.
1. Low latency, high stability
After the MAC module receives the Ethernet packet header, it sends the header to the packet parsing module before receiving the packet payload. This is better than a general-purpose MAC core, which notifies the packet reader only after the packet has been fully buffered; the data buffering time is reduced.
2. Precise timestamps
As soon as the Ethernet packet header enters the MAC module, the timestamp module marks the time with microsecond precision. When a message entering the firewall is judged illegitimate, the accurate alarm time aids comprehensive statistical analysis and the localisation of alarm events.
The filtering and matching module performs basic legitimacy checking, industrial-protocol deep parsing, industrial-protocol instruction legitimacy checking and industrial-protocol parameter legitimacy checking on received data packets. The basic legitimacy check, the industrial-protocol deep parsing, the industrial-protocol instruction legitimacy check and the industrial-protocol parameter legitimacy check are processed in parallel, and during the security check, as soon as any one check process yields an "illegal" judgement, the other check processes terminate the processing of that Ethernet packet early.
The basic legitimacy check comprises port matching, IP matching, protocol-type matching and MAC matching. Industrial-protocol deep parsing covers a dozen or so industrial protocols including Siemens S7, Modbus, IEC104, DNP, OPC and PROFINET; the industrial-protocol instruction legitimacy check and the industrial-protocol parameter legitimacy check cover the same dozen or so industrial protocols.
Further, the coprocessor also comprises a policy management module that independently provides security policies to the filtering and matching module. Specifically, the policy management module comprises a configuration-policy parsing sub-module and a configuration-policy storage sub-module; it receives and parses the security policy issued by the primary processor, stores the configuration policy in internal RAM, and provides security policies for the basic legitimacy check, the industrial-protocol instruction legitimacy check and the industrial-protocol parameter legitimacy check, so that the filtering and matching module performs basic legitimacy checking, industrial-protocol deep parsing, industrial-protocol instruction legitimacy checking and industrial-protocol parameter legitimacy checking on Ethernet packets entering the firewall according to the security policy. When no configuration policy has been issued, the filtering and matching module's default matching result is "match failed", i.e. the firewall denies by default.
The store-and-forward module stores the Ethernet packets sent by the MAC module and forwards or blocks the received Ethernet packets according to the matching result of the filtering and matching module. The module can simultaneously receive and process Ethernet message data in both directions, MAC_A and MAC_B.
In addition, the network interfaces shown in Fig. 1 are: network interface PORT A, which connects to the PLC or other field-layer network devices; network interface PORT B, which connects to the configuration and monitoring computer; and network interface PORT D, which connects to the data server and through which the configuration status information, threat alarm information, statistics and so on are sent to the server after encryption.
The matching and filtering flow of the filtering and matching module is shown in Fig. 2: the deep-parsing module first parses the received message; the basic legitimacy check module obtains the basic-policy index and the basic policy; the protocol-instruction legitimacy check module obtains the instruction index and the instruction policy; the protocol-parameter legitimacy check module obtains the parameter policy. Combining the basic legitimacy check, the protocol-instruction legitimacy check and the protocol-parameter legitimacy check, the module outputs the corresponding matching result to the store-and-forward module, which forwards the packet according to the matching result.
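The flow of Fig. 2 and the checks listed above (basic legitimacy check, deep parse, instruction whitelist, parameter whitelist, default deny without a policy) are shown below as a software model, written for this page; it is not the patent's FPGA logic. Modbus/TCP stands in for the industrial protocol, and the policy layout, field names, sample policy and sample frames are assumptions made for the example:

```python
"""Added example: a software model of the filtering and matching module, written
for this page (it is not the patent's FPGA logic).  Modbus/TCP stands in for
the industrial protocol; policy layout, sample frames and names are assumed."""
from dataclasses import dataclass, field
import struct

@dataclass(frozen=True)
class Frame:
    """Header fields the basic check uses, the TCP payload (a Modbus/TCP ADU)
    and the microsecond timestamp the MAC module attaches."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes
    ts_us: int = 0

@dataclass
class Policy:
    """Whitelists: allowed header tuples, function codes and address windows."""
    basic: set = field(default_factory=set)             # (src_mac, dst_mac, src_ip, dst_ip, proto, dst_port)
    function_codes: set = field(default_factory=set)    # allowed Modbus function codes
    address_ranges: dict = field(default_factory=dict)  # fc -> [(lo, hi)] inclusive register windows

MODBUS_READ, MODBUS_WRITE_ONE, MODBUS_WRITE_MANY = {1, 2, 3, 4}, {5, 6}, {15, 16}

def parse_modbus(payload):
    """Deep parse of a Modbus/TCP ADU (MBAP header + PDU); None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:    # MBAP length covers unit id + PDU
        return None
    fc, pdu = payload[7], payload[8:]
    if fc in MODBUS_READ or fc in MODBUS_WRITE_MANY:
        if len(pdu) < 4:
            return None
        addr, qty = struct.unpack(">HH", pdu[:4])
    elif fc in MODBUS_WRITE_ONE:
        if len(pdu) < 4:
            return None
        addr, qty = struct.unpack(">H", pdu[:2])[0], 1
    else:
        addr, qty = None, None                          # no address window to check
    return {"unit": unit, "fc": fc, "addr": addr, "qty": qty}

def basic_check(frame, policy):
    key = (frame.src_mac, frame.dst_mac, frame.src_ip, frame.dst_ip, frame.proto, frame.dst_port)
    return key in policy.basic

def instruction_check(parsed, policy):
    return parsed["fc"] in policy.function_codes

def parameter_check(parsed, policy):
    if parsed["addr"] is None:
        return True
    lo, hi = parsed["addr"], parsed["addr"] + parsed["qty"] - 1
    return any(a <= lo and hi <= b for a, b in policy.address_ranges.get(parsed["fc"], []))

def inspect(frame, policy):
    """Return ("FORWARD", None) or ("BLOCK", failed_check).  With no policy issued the
    match fails, as the page specifies.  In the FPGA the three checks run concurrently
    and the first 'illegal' verdict cancels the rest; this model stops at the first failure."""
    if policy is None:
        return "BLOCK", "no_policy"
    parsed = parse_modbus(frame.payload)
    if parsed is None:
        return "BLOCK", "deep_parse"
    checks = (("basic", basic_check(frame, policy)),
              ("function_code", instruction_check(parsed, policy)),
              ("parameter", parameter_check(parsed, policy)))
    for name, ok in checks:
        if not ok:
            return "BLOCK", name
    return "FORWARD", None

def alarm_record(frame, event):
    """Alarm fields the page lists: time, MAC, IP, protocol type, threat event type."""
    return {"time_us": frame.ts_us, "mac": frame.src_mac, "ip": frame.src_ip,
            "protocol": "modbus/tcp", "event": event}

def mbap(unit, pdu):
    """Wrap a PDU in an MBAP header (constructed test data, transaction id 1)."""
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

def make_frame(payload, **overrides):
    fields = dict(src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:aa:bb",
                  src_ip="192.168.1.10", dst_ip="192.168.1.20", proto="tcp",
                  dst_port=502, ts_us=1_000_000)
    fields.update(overrides)
    return Frame(payload=payload, **fields)

# Constructed policy: one HMI -> PLC flow, reads only, registers 0..99.
POLICY = Policy(basic={("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.168.1.10", "192.168.1.20", "tcp", 502)},
                function_codes={3, 4}, address_ranges={3: [(0, 99)], 4: [(0, 99)]})
READ_OK    = make_frame(mbap(1, struct.pack(">BHH", 3, 0, 10)))     # FC3, registers 0..9
WRITE_REG  = make_frame(mbap(1, struct.pack(">BHH", 6, 5, 1234)))   # FC6 write: not whitelisted
READ_FAR   = make_frame(mbap(1, struct.pack(">BHH", 3, 90, 20)))    # FC3, 90..109: leaves the window
TRUNCATED  = make_frame(b"\x00\x01\x00\x00")                        # short MBAP header
OTHER_HOST = make_frame(mbap(1, struct.pack(">BHH", 3, 0, 10)), src_ip="192.168.1.99")

if __name__ == "__main__":
    for f in (READ_OK, WRITE_REG, READ_FAR, TRUNCATED, OTHER_HOST):
        verdict, why = inspect(f, POLICY)
        print(verdict, why, alarm_record(f, why) if why else "")
```

The parameter check verifies the whole requested window (start address plus quantity), not just the start address, so a read that begins inside the whitelisted range but runs past its end is still blocked; a parser that only checked the start address would let it through. Function codes that carry no address field are passed by the parameter check and are decided by the instruction whitelist alone.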
As shown in Fig. 3, the interface between the coprocessor (FPGA) and the primary processor (ARM) is implemented with a dual-port RAM of 8192 words inside the FPGA, with a 13-bit address bus and a 16-bit data bus. Specifically, the 8192-word dual-port RAM is divided into two buffers of 2048 words each, buffer A and buffer B: buffer A is written by the ARM processor and read by the FPGA, and stores the configuration-policy data distributed to the FPGA; buffer B is written by the FPGA and read by the ARM processor, and stores the alarm information to be uploaded.
Further, to implement self-recovery of the firewall device, there is a mutual-detection interface between the primary processor and the coprocessor of this example, such that when the primary processor detects that the coprocessor is abnormal it automatically controls the coprocessor to restore it to the normal working state and records an exception code, and when the coprocessor detects that the primary processor is abnormal it automatically controls the primary processor to restore it to the normal working state and records an exception code. Specifically, the mutual-detection interface between the FPGA and the ARM processor of this example lets the FPGA, on detecting that the ARM processor is abnormal, automatically restore the ARM processor to the normal working state, and lets the ARM processor, on detecting that the FPGA is abnormal, automatically restore the FPGA to the normal working state. Device self-recovery comprises two parts: 1) running-state monitoring and exception recording between the FPGA and the ARM processor; 2) exception handling (the handling mode is user-configurable).
1. Status monitoring and recording are implemented as follows:
The firewall device provides a heartbeat detection register, a primary-processor state register and a coprocessor state register in the shared RAM of the coprocessor, where:
the primary-processor state register stores the status codes of the running state of each process and module of the primary processor, and the primary processor periodically updates the status codes stored in the primary-processor state register;
the coprocessor state register stores the status codes of the running state of each process and module of the coprocessor, and the coprocessor periodically updates the status codes stored in the coprocessor state register.
Heartbeat detection register: 8 bits wide. After the primary processor (ARM) sets the initial value, the primary processor and the coprocessor (FPGA) toggle the value in turn at fixed intervals; if a toggle times out or the register value is wrong, the peer's state is judged abnormal.
The primary-processor state register and the coprocessor state register are both 16 bits wide.
Status monitoring and recording proceed as follows:
1) After the firewall device powers on, the ARM sets the heartbeat detection register to the initial value 0xaa, starts its heartbeat timeout counter, and periodically updates the status codes stored in the primary-processor state register;
2) When the FPGA observes that the heartbeat detection register is no longer at its power-on value 0, it starts the heartbeat detection function, toggles the heartbeat detection register from 0xaa to 0x55 within the set time, starts its heartbeat timeout counter, and periodically updates the status codes stored in the coprocessor state register;
3) The ARM and the FPGA then toggle the heartbeat detection register value in turn at fixed intervals; if a toggle times out or the register value is wrong, the peer's state is judged abnormal and exception handling is entered.
2. Types and handling of exceptions
Exception handling is divided into three levels: level 1, exception recording; level 2, exception recording and CPU isolation; level 3, exception recording and CPU reset. The user can set the exception handling level as required.
Level 1, exception recording: when the primary processor judges the coprocessor state to be abnormal, the primary processor reads the status code stored in the coprocessor state register and stores the status code read into a log file; and when the coprocessor judges the primary-processor state to be abnormal, the coprocessor reads the status code stored in the primary-processor state register and stores the status code read into a log file.
That is: after the exception handler is triggered, the status code stored in the peer CPU's state register is read and stored into a log file.
Level 2, exception recording and isolation: when the primary processor judges the coprocessor state to be abnormal, the primary processor reads the status code stored in the coprocessor state register, then blocks the communication interface to the coprocessor so that the primary processor and the coprocessor are isolated from each other, and stores the status code read into a log file; and when the coprocessor judges the primary-processor state to be abnormal, the coprocessor reads the status code stored in the primary-processor state register, then blocks the communication interface to the primary processor so that the coprocessor and the primary processor are isolated from each other, and stores the status code read into a log file.
That is: after the exception handler is triggered, the status code stored in the peer CPU's state register is read, communication with the peer CPU is then blocked so that the abnormal CPU is isolated, and the status code read is stored into a log file.
The level-three handling (exception recording and reset) is as follows: when the primary processor determines that the coprocessor state is abnormal, the primary processor reads the status code stored in the coprocessor state register, stores the status code it read into the log file, switches the two network interfaces of the coprocessor to the pass-through state so that traffic continues to flow, and outputs a low-level reset signal to the coprocessor; after the coprocessor reset completes, the coprocessor reloads the security policy and puts the two network interfaces back into the security-control state;
and when the coprocessor determines that the primary processor is abnormal, the coprocessor reads the status code stored in the primary processor state register, stores the status code it read into the log file, and outputs a low-level reset signal to the primary processor; after the primary processor reset completes, the log file is sent to the primary processor.
Specifically: 1. When the ARM determines that the FPGA is abnormal, it reads the status code stored in the other CPU's state register, stores it into the log file, switches the two functional ports (PORT A and PORT B) to the pass-through state to keep service traffic flowing, and outputs a low-level reset signal to the service CPU; after the reset completes, the security policy is reloaded and the two functional ports (PORT A and PORT B) are restored to the security-control state. 2. When the FPGA determines that the ARM is abnormal, it reads the status code stored in the other CPU's state register, stores it into the log file, outputs a low-level reset signal to the ARM, and sends the log file to the ARM after the ARM reset completes.
The firewall management data sequence diagram of this example is shown in Figure 4 and comprises the following steps:
1. Message reception: after identity authentication, the remote management function receives the management message;
2. User management: the user management module receives the user management data;
3. Policy management: the policy management module receives the policy management data;
4. Industrial control policy: the policy management module stores the industrial control policy into the industrial control policy library and then queries it;
5. Log management: the log management module provides log query, storage and modification;
6. Message response: the communication module responds to the received message.
The firewall service data sequence diagram of this example is shown in Figure 5 and comprises the following steps:
1. Ethernet packet: after the Ethernet transceiver module receives a service packet, it sends the packet data simultaneously to the header parsing module and to the industrial protocol deep-parsing module;
2. Header data: the header parsing module sends the header data to the data interaction module;
3. Header data: the data interaction module sends the header data to the basic matching module;
4. Basic policy: the basic matching module queries the basic policy library for a policy, and the basic policy library returns the basic policy;
5. Industrial control policy: the industrial protocol deep-parsing and matching module queries the industrial control policy library, and the industrial control policy library returns the industrial control policy;
6. Conventional security result: the conventional security control module generates the conventional security result according to the configured policy and sends it to the data interaction module;
7. ARM matching result: the data interaction module sends the ARM matching result to the store-and-forward control module;
8. Industrial control matching result: the industrial protocol deep-parsing and matching module sends the industrial control matching result to the store-and-forward control module;
9. Combined matching result: the store-and-forward control module sends the combined matching result to the data interaction module for log recording;
10. Packet forwarding: the store-and-forward control module forwards the packet to the Ethernet transceiver module.
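The service path above, with the four checks that claims 10 to 12 below run in parallel and terminate early on the first illegal verdict, as an added Python example. It is not the patent's FPGA logic: each check is written as a generator and scheduled round-robin so that the first deny stops the unfinished lanes deterministically; Modbus/TCP framing (MBAP header plus PDU) is assumed for the industrial protocol, which the page does not name, and the policy entries and test frames are constructed.

```python
"""Service-path inspection: the four checks of claims 10-12 run as concurrent
lanes and are terminated early on the first illegal verdict. Added example, not
the patent's FPGA logic; Modbus/TCP framing (MBAP header + PDU) is assumed for
the industrial protocol, and the policies and frames below are constructed."""
import struct
from collections import namedtuple

ALLOW, DENY, EARLY = "allow", "deny", "terminated-early"
Packet = namedtuple("Packet", "src_ip dst_ip ip_proto dst_port payload")

# Policies as the policy management module would hand them to the filter (constructed).
BASIC_POLICY = {"pairs": {("10.0.0.5", "10.0.0.20")}, "dst_ports": {502}}
ICS_POLICY = {"function_codes": {3, 4}, "register_range": (0x0000, 0x00FF), "max_quantity": 125}


def build_frame(src_ip, dst_ip, dst_port, payload):
    """Constructed Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Header parsing module: extract the fields the basic policy needs."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    dport = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return Packet(".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
                  frame[23], dport, frame[tcp_off + data_off:])


# Each check is a generator: a `yield` is a point where the scheduler may stop it
# early, and its return value is the verdict.
def basic_check(pkt):
    """Basic validity: needs only headers, so it can finish before the payload arrives."""
    if pkt.ip_proto != 6 or pkt.dst_port not in BASIC_POLICY["dst_ports"]:
        return DENY
    yield
    return ALLOW if (pkt.src_ip, pkt.dst_ip) in BASIC_POLICY["pairs"] else DENY


def deep_parse(payload):
    """Industrial protocol deep parse: the MBAP header must be well formed."""
    if len(payload) < 8:
        return DENY
    _tid, pid, length, _uid = struct.unpack("!HHHB", payload[:7])
    yield
    return ALLOW if pid == 0 and length == len(payload) - 6 else DENY


def function_code_check(payload):
    """Instruction validity: the function code must be on the allow-list."""
    yield
    return ALLOW if len(payload) > 7 and payload[7] in ICS_POLICY["function_codes"] else DENY


def parameter_check(payload):
    """Parameter validity: the requested register window must lie inside the policy range."""
    yield
    if len(payload) < 12:
        return DENY
    addr, qty = struct.unpack("!HH", payload[8:12])
    lo, hi = ICS_POLICY["register_range"]
    ok = lo <= addr and addr + qty - 1 <= hi and 1 <= qty <= ICS_POLICY["max_quantity"]
    return ALLOW if ok else DENY


def inspect(frame):
    """Store-and-forward decision: round-robin the lanes; the first DENY terminates
    every lane that has not finished (claim 12)."""
    pkt = parse_frame(frame)
    lanes = {"basic": basic_check(pkt), "deep_parse": deep_parse(pkt.payload),
             "function_code": function_code_check(pkt.payload),
             "parameter": parameter_check(pkt.payload)}
    results = {}
    while len(results) < len(lanes):
        for name, lane in lanes.items():
            if name in results:
                continue
            try:
                next(lane)
            except StopIteration as done:
                results[name] = done.value
                if done.value == DENY:
                    for other in lanes:
                        results.setdefault(other, EARLY)
                    return {"verdict": DENY, "lanes": results}
    return {"verdict": ALLOW, "lanes": results}


# Constructed frames: a legitimate read, a write (function code 0x10), a rogue
# source host, the wrong TCP port, and a read that overruns the register range.
READ_OK = build_frame("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("0001000000060103000A0002"))
WRITE_ATTEMPT = build_frame("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("0002000000060110000A0001"))
ROGUE_HOST = build_frame("10.0.0.99", "10.0.0.20", 502, bytes.fromhex("0003000000060103000A0002"))
WRONG_PORT = build_frame("10.0.0.5", "10.0.0.20", 8080, bytes.fromhex("0004000000060103000A0002"))
OVERRUN = build_frame("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("00050000000601030F000020"))
```

inspect(WRONG_PORT) shows the header pre-check of claim 10: the basic lane returns its verdict on its first step, before any payload lane has run, so the three payload lanes end as terminated-early. inspect(OVERRUN) is the opposite case: every lane runs to completion and only the parameter check denies, so nothing is cut short.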
The communication process between a client and the firewall is shown in Figure 6 and can be divided into the following stages:
1. Establish TCP connection: the client initiates a TCP connection to the server.
2. Identity authentication: the client sends an identity authentication request to the server, and the server performs the authentication; only after authentication passes can subsequent business processing proceed.
3. Business processing: the client and the server carry out business processing in request-and-response mode.
4. Exit authentication: the client actively ends its authenticated session with the server.
5. Disconnect TCP connection: the TCP connection between the client and the server is closed.
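The five stages above, together with the authentication-before-management ordering of the Figure 4 flow, as an added Python example with both sides in one process. It is not the patent's management software: the message dictionaries, the HMAC-SHA256 challenge-response and the shared-secret user store are assumptions made for the example, since the page states only that business processing may proceed after identity authentication passes.

```python
"""Client/firewall management session: TCP connect, identity authentication,
request/response business processing, exit authentication, disconnect. Added
example, not the patent's code; message format, HMAC challenge-response and the
credential store are assumed."""
import hashlib
import hmac
import secrets
from enum import Enum


class State(Enum):
    CONNECTED = 1       # stage 1: TCP up, nobody authenticated yet
    AUTHENTICATED = 2   # stage 2 passed: business processing allowed
    CLOSED = 3          # stage 5


class FirewallServer:
    def __init__(self, users: dict):
        self.users = users            # username -> shared secret (bytes), constructed
        self.sessions = {}            # conn_id -> session dict
        self.policies = {}            # policy library (policy management step)
        self.log = []                 # log management store

    def accept(self, conn_id: str):
        self.sessions[conn_id] = {"state": State.CONNECTED, "user": None, "nonce": None}

    def handle(self, conn_id: str, msg: dict) -> dict:
        """Answer one management message; every business type requires AUTHENTICATED."""
        s = self.sessions[conn_id]
        kind = msg["type"]
        if s["state"] is State.CLOSED:
            return {"status": "error", "reason": "connection closed"}
        if kind == "close":                          # stage 5: allowed in any state
            s["state"] = State.CLOSED
            return {"status": "ok"}
        if kind == "auth_request":                   # stage 2: server issues a challenge
            s["user"], s["nonce"] = msg["user"], secrets.token_bytes(16)
            return {"status": "challenge", "nonce": s["nonce"].hex()}
        if kind == "auth_response":
            if s["nonce"] is None:
                return {"status": "error", "reason": "no challenge outstanding"}
            # Unknown users get a dummy secret so the failure path is uniform.
            key = self.users.get(s["user"], b"\x00" * 32)
            expected = hmac.new(key, s["nonce"], hashlib.sha256).digest()
            s["nonce"] = None
            if s["user"] in self.users and hmac.compare_digest(expected, bytes.fromhex(msg["mac"])):
                s["state"] = State.AUTHENTICATED
                self.log.append(f"auth ok user={s['user']}")
                return {"status": "ok"}
            self.log.append(f"auth failed user={s['user']}")
            return {"status": "error", "reason": "authentication failed"}
        if s["state"] is not State.AUTHENTICATED:    # stage 3 only after stage 2
            self.log.append(f"rejected {kind} before authentication")
            return {"status": "error", "reason": "not authenticated"}
        if kind == "set_policy":
            self.policies[msg["name"]] = msg["rule"]
            self.log.append(f"policy {msg['name']} set by {s['user']}")
            return {"status": "ok"}
        if kind == "query_log":
            return {"status": "ok", "entries": list(self.log)}
        if kind == "logout":                         # stage 4: back to unauthenticated
            s["state"], s["user"] = State.CONNECTED, None
            return {"status": "ok"}
        return {"status": "error", "reason": "unknown message type"}


class ManagementClient:
    def __init__(self, server: FirewallServer, conn_id: str, user: str, secret: bytes):
        self.server, self.conn_id, self.user, self.secret = server, conn_id, user, secret
        server.accept(conn_id)        # stage 1: TCP connection established

    def send(self, msg: dict) -> dict:
        return self.server.handle(self.conn_id, msg)

    def authenticate(self) -> dict:
        challenge = self.send({"type": "auth_request", "user": self.user})
        mac = hmac.new(self.secret, bytes.fromhex(challenge["nonce"]), hashlib.sha256).hexdigest()
        return self.send({"type": "auth_response", "mac": mac})


def run_session(client_secret: bytes = b"constructed-shared-secret") -> list:
    """Walk the five stages and return the status of each step, in order."""
    server = FirewallServer({"admin": b"constructed-shared-secret"})
    client = ManagementClient(server, "conn-1", "admin", client_secret)
    steps = [
        client.send({"type": "set_policy", "name": "r1", "rule": "deny fc 0x10"}),  # before auth
        client.authenticate(),
        client.send({"type": "set_policy", "name": "r1", "rule": "deny fc 0x10"}),
        client.send({"type": "query_log"}),
        client.send({"type": "logout"}),
        client.send({"type": "query_log"}),                                          # after logout
        client.send({"type": "close"}),
    ]
    return [step["status"] for step in steps]
```

run_session() walks stages 1 to 5: the policy write sent before authenticating is rejected, the same write succeeds after it, and after logout the log query is rejected again while the close is still accepted. run_session(b"wrong-secret") fails stage 2 and therefore every later business step.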
The firewall of this example uses a dual-processor architecture. The ARM primary processor runs a deeply customized Linux operating system that provides only a minimized set of services, which reduces the security threat arising from operating system vulnerabilities. The FPGA coprocessor provides a highly reliable service processing unit built from logic circuits; with a fixed processing flow and efficient parallel processing capability it can effectively resist network attacks arriving through the functional ports. The two processors are mutually independent and communicate only in a limited way over a parallel port, so that when the ARM primary processor is under network attack or cannot work normally, the service processing unit of the FPGA coprocessor is still able to process service traffic normally.
The firewall of this example uses concurrent service processing units to greatly reduce processing delay: exploiting the parallel processing characteristic of the FPGA, packet deep parsing, basic policy matching, industrial protocol instruction matching, industrial protocol parameter matching and alarm information upload are processed concurrently by separate modules, which reduces processing latency. Compared with other industrial control firewalls, the processing time is reduced by several orders of magnitude, and at gigabit line rate with 64-byte Ethernet packets the firewall reaches 100% throughput with a packet loss rate and a bit error rate of 0.
On the basis of the inventive concept, those skilled in the art may also implement the following alternative solutions by modification:
1. Primary processor plus multiple coprocessors
High-speed interfaces and bus specifications are used between the primary processor and multiple coprocessors. The primary processor is responsible for managing the coprocessors and distributing tasks, while the multiple coprocessors concurrently perform packet deep parsing, basic policy matching, industrial protocol function code matching, industrial protocol parameter matching, alarm information upload, packet forwarding, policy management and so on; the processing delay of an industrial control firewall based on a primary processor plus coprocessors is thereby greatly improved.
2. Network processor
A network processor contains multiple on-chip microprocessors and thus forms a multiprocessor system. The on-chip processors are divided by task into two types: management engines and forwarding/matching engines. The management engine is used for system maintenance, policy management, threat alarming and policy distribution; the forwarding/matching engine is used for packet deep parsing, basic policy matching, industrial protocol function code matching, industrial protocol parameter matching and similar functions. The multiprocessor characteristics give the industrial control firewall good parallel high-speed processing performance.
The specific examples above are used to illustrate the present invention and are intended only to help understand it, not to limit it. Those skilled in the art may, according to the idea of the present invention, also make several simple deductions, variations or substitutions.
Claims (12)
1. A firewall based on a multiprocessor architecture, characterized by comprising:
a primary processor that handles the management flow of the firewall;
a coprocessor that processes the service flow of the firewall in parallel;
the primary processor and the coprocessor being mutually independent and communicating through a communication interface.
2. The firewall of claim 1, characterized in that the primary processor and the coprocessor have an interface for mutual detection, such that when the primary processor detects that the coprocessor is abnormal it automatically controls the coprocessor to restore it to the normal working state and records the exception code, and when the coprocessor detects that the primary processor is abnormal it automatically controls the primary processor to restore it to the normal working state and records the exception code.
3. The firewall of claim 2, characterized in that the primary processor and the coprocessor monitor each other's state, specifically:
a heartbeat monitoring register, a primary processor state register and a coprocessor state register are provided in the shared RAM of the coprocessor;
the primary processor state register stores the status codes of the running state of each process and module of the primary processor, and the primary processor periodically updates the status codes stored in the primary processor state register;
the coprocessor state register stores the status codes of the running state of each process and module of the coprocessor, and the coprocessor periodically updates the status codes stored in the coprocessor state register;
the primary processor and the coprocessor periodically toggle the value in the heartbeat monitoring register in turn, and if the value in the heartbeat monitoring register is toggled late or toggled wrongly, the peer's state is determined to be abnormal and exception handling is entered.
4. The firewall of claim 3, characterized in that the exception handling is divided into three levels: exception recording; exception recording and isolation; exception recording and reset.
5. The firewall of claim 4, characterized in that the exception recording is handled as follows:
when the primary processor determines that the coprocessor state is abnormal, the primary processor reads the status code stored in the coprocessor state register and stores the status code it read into the log file;
and when the coprocessor determines that the primary processor state is abnormal, the coprocessor reads the status code stored in the primary processor state register and stores the status code it read into the log file.
6. The firewall of claim 4, characterized in that the exception recording and isolation is handled as follows:
when the primary processor determines that the coprocessor state is abnormal, the primary processor reads the status code stored in the coprocessor state register, then blocks the communication interface to the coprocessor so that the primary processor and the coprocessor are isolated from each other, and stores the status code it read into the log file;
and when the coprocessor determines that the primary processor state is abnormal, the coprocessor reads the status code stored in the primary processor state register, then blocks the communication interface to the primary processor so that the coprocessor and the primary processor are isolated from each other, and stores the status code it read into the log file.
7. The firewall of claim 4, characterized in that the exception recording and reset is handled as follows:
when the primary processor determines that the coprocessor state is abnormal, the primary processor reads the status code stored in the coprocessor state register, stores the status code it read into the log file, switches the two network interfaces of the coprocessor to the pass-through state so that traffic continues to flow, and outputs a low-level reset signal to the coprocessor; after the coprocessor reset completes, the coprocessor reloads the security policy and puts the two network interfaces back into the security-control state;
and when the coprocessor determines that the primary processor is abnormal, the coprocessor reads the status code stored in the primary processor state register, stores the status code it read into the log file, and outputs a low-level reset signal to the primary processor; after the primary processor reset completes, the log file is sent to the primary processor.
8. The firewall of claim 1 or 2, characterized in that the primary processor handles the management flow of the firewall and sends the received security policy to the coprocessor; the coprocessor receives and stores the security policy, performs deep security inspection of packets entering the firewall according to the security policy, and forwards legitimate packets.
9. The firewall of claim 8, characterized in that the primary processor is an ARM processor and the coprocessor is an FPGA processor.
10. The firewall of claim 8, characterized in that the coprocessor comprises:
a filtering and matching module, which performs basic validity checking, industrial protocol deep parsing, industrial protocol instruction validity checking and industrial protocol parameter validity checking on received packets;
a MAC module, which receives the Ethernet packet header and time-stamps the packet through a timestamp module with a time precision of microseconds, so that every packet carries accurate time information; and which, after receiving the Ethernet packet header and before receiving the packet data, sends the Ethernet packet header to the filtering and matching module so that the filtering and matching module can perform the security check on the Ethernet packet header in advance;
a store-and-forward module, which stores the packets sent by the MAC module and, according to the matching result of the filtering and matching module, forwards or blocks the received packet.
11. The firewall of claim 10, characterized in that the coprocessor further comprises a policy management module, which independently provides the security policy to the filtering and matching module, so that the filtering and matching module performs basic validity checking, industrial protocol deep parsing, industrial protocol instruction validity checking and industrial protocol parameter validity checking on packets entering the firewall according to the security policy.
12. The firewall of claim 10, characterized in that the basic validity checking, industrial protocol deep parsing, industrial protocol instruction validity checking and industrial protocol parameter validity checking are processed in parallel; and during the security check, as soon as any one check process produces an illegal verdict, the other check processes terminate their processing of that Ethernet packet early.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811359856.2A CN109558366B (en) | 2018-11-15 | 2018-11-15 | Firewall based on multiprocessor architecture |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109558366A true CN109558366A (en) | 2019-04-02 |
CN109558366B CN109558366B (en) | 2023-03-31 |
Family
ID=65866507
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811359856.2A Active CN109558366B (en) | 2018-11-15 | 2018-11-15 | Firewall based on multiprocessor architecture |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109558366B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109922085A (en) * | 2019-04-11 | 2019-06-21 | 江苏亨通工控安全研究院有限公司 | A kind of security protection system and method based on CIP agreement in PLC |
CN110941862A (en) * | 2019-12-11 | 2020-03-31 | 博依特(广州)工业互联网有限公司 | Data isolation system based on FPGA + ARM |
CN110995726A (en) * | 2019-12-11 | 2020-04-10 | 博依特(广州)工业互联网有限公司 | Network isolation system of FPGA chip based on embedded ARM |
CN111190758A (en) * | 2019-12-19 | 2020-05-22 | 江苏新质信息科技有限公司 | Method for realizing equipment state self-recovery based on combination of FPGA (field programmable Gate array) calculation rule and RPC (remote procedure call) monitoring |
CN112558505A (en) * | 2019-09-10 | 2021-03-26 | 阿里巴巴集团控股有限公司 | Control processing method and device for industrial control system, industrial control system and electronic equipment |
CN114115099A (en) * | 2021-11-08 | 2022-03-01 | 浙江高信技术股份有限公司 | PLC system supporting network security |
CN115150420A (en) * | 2021-03-29 | 2022-10-04 | 中移(上海)信息通信科技有限公司 | Service processing method, device and related equipment |
CN115174219A (en) * | 2022-07-06 | 2022-10-11 | 哈尔滨工业大学(威海) | Management system capable of adapting to multiple industrial firewalls |
CN116015696A (en) * | 2021-10-20 | 2023-04-25 | 中移系统集成有限公司 | Firewall system, malicious software detection method and device |
CN116684203A (en) * | 2023-08-03 | 2023-09-01 | 南京南自华盾数字技术有限公司 | Method and system for realizing ModbusTCP protocol security protection without code variation |
CN118555147A (en) * | 2024-07-30 | 2024-08-27 | 湖南博盛芯微电子科技有限公司 | Protection method, firewall system and equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101014048A (en) * | 2007-02-12 | 2007-08-08 | 杭州华为三康技术有限公司 | Distributed firewall system and method for realizing content diction of firewall |
CN106230771A (en) * | 2016-07-07 | 2016-12-14 | 国网青海省电力公司 | Industrial control system industrial fireproof wall based on polycaryon processor |
CN106576082A (en) * | 2014-08-22 | 2017-04-19 | 霍尼韦尔国际公司 | Hardware assist for redundant ethernet network |
US20170155511A1 (en) * | 2015-11-30 | 2017-06-01 | Honeywell International, Inc. | Embedded security architecture for process control systems |
Also Published As
Publication number | Publication date |
---|---|
CN109558366B (en) | 2023-03-31 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||