CN109558366B - Firewall based on multiprocessor architecture - Google Patents
- Publication number: CN109558366B
- Application number: CN201811359856.2A
- Authority: CN (China)
- Prior art keywords
- coprocessor
- main processor
- state
- firewall
- industrial control
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
- G06F15/163—Interprocessor communication
- G06F15/17—Interprocessor communication using an input/output type connection, e.g. channel, I/O port
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
Abstract
A firewall based on a multiprocessor architecture comprises a main processor that handles the firewall's management traffic and a coprocessor that processes the firewall's service (data-plane) traffic in parallel; the main processor and the coprocessor are independent of each other and communicate through a communication interface. Because the two processors are independent and their communication is limited to that interface, the service processing unit of the coprocessor keeps processing service traffic normally even when the main processor is under network attack or otherwise unable to work. Compared with other industrial control firewalls, the packet deep parsing, basic policy matching, industrial control protocol function code matching, industrial control protocol parameter matching, alarm information uploading and similar modules run several orders of magnitude faster, and throughput reaches 100% at gigabit line rate with 64 byte Ethernet frames.
Description
Technical Field
The invention relates to the technical field of firewalls, in particular to a firewall based on a multiprocessor architecture.
Background
Conventional hardware industrial control firewalls are generally built on one of several mainstream architectures: x86, ASIC, NP, MIPS or ARM. Most of them run a general-purpose operating system, and a general-purpose operating system is not designed with its own security as a primary concern: its security mechanisms are incomplete, leaving many vulnerabilities and latent hazards, so firewalls are increasingly attacked through operating system vulnerabilities, backdoors, viruses and trojans. Modifying the operating system kernel is extremely difficult, and security cannot be fundamentally solved by adding security technologies and protective measures around the periphery of the operating system while leaving its kernel code unchanged.
Industrial control equipment in an industrial network has very strict requirements on real-time transmission and feedback; a response timeout may cause a switch to stop responding, so an industrial control firewall inserted into the path must meet the real-time requirements of the industrial network. However, most conventional industrial control firewalls are based on a processor that executes sequentially: performing deep packet parsing on industrial protocol packets and validating the protocol instructions and operation data carried in them greatly increases the firewall's processing delay and can even disrupt normal operation of the industrial control system.
Conventional firewalls therefore have the following defects:
(1) Because a general-purpose operating system does not fully consider its own security, its security mechanisms are imperfect and many vulnerabilities and latent hazards exist; when an operating system vulnerability or backdoor is exploited, the firewall device behaves abnormally, restarts, or its security mechanisms stop working;
(2) Because the processors of conventional firewalls mostly execute sequentially, and an industrial control firewall must deep-parse industrial protocol packets and check the legality of protocol instructions and operands, processing delay grows and the firewall cannot be used in industrial control systems with strict real-time transmission and feedback requirements.
Disclosure of Invention
The application provides a firewall based on a multiprocessor architecture, comprising:
a main processor for processing the management flow of the firewall;
a coprocessor for processing the firewall service flow in parallel;
the main processor and the coprocessor are mutually independent and communicate through a parallel port.
In one embodiment, a mutual detection interface is arranged between the main processor and the coprocessor: when the main processor detects that the coprocessor is abnormal, it automatically restores the coprocessor to a normal working state and records the abnormal code, and when the coprocessor detects that the main processor is abnormal, it automatically restores the main processor to a normal working state and records the abnormal code.
In one embodiment, the main processor and the coprocessor monitor each other's state as follows:
a heartbeat monitoring register, a main processor state register and a coprocessor state register are arranged in a shared RAM of the coprocessor;
the main processor state register stores the state codes of the running states of all processes and modules of the main processor, and the main processor updates these state codes periodically;
the coprocessor state register stores the state codes of the running states of the coprocessor's processes and modules, and the coprocessor updates these state codes periodically;
the main processor and the coprocessor take turns flipping the value in the heartbeat monitoring register at fixed intervals; if a flip times out or the value in the heartbeat monitoring register is wrong, the other side is judged abnormal and exception handling is carried out.
In one embodiment, exception handling is divided into three levels: exception recording; exception recording and isolation; exception recording and reset.
In one embodiment, the exception record is processed in the following manner:
when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored in the coprocessor state register and stores the read state code into a log file;
and when the coprocessor judges that the state of the main processor is abnormal, the coprocessor reads the state code stored in the state register of the main processor and stores the read state code into a log file.
In one embodiment, the exception logging and isolation processing method includes:
when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored in the coprocessor state register, then blocks a communication interface with the coprocessor, isolates the main processor from the coprocessor, and stores the read state code into a log file;
and when the coprocessor judges that the state of the main processor is abnormal, the coprocessor reads the state code stored in the state register of the main processor, then blocks a communication interface with the main processor, isolates the coprocessor from the main processor, and stores the read state code into a log file.
In one embodiment, the exception recording and resetting are processed in the following manner:
when the main processor judges that the coprocessor is abnormal, it reads the state code stored in the coprocessor state register, stores it in a log file, switches the coprocessor's two network interfaces into a direct-connection state so that traffic keeps flowing, outputs a low-level reset signal to the coprocessor, and after the coprocessor has reset and reloaded the security policy returns the two network interfaces to the security-controlled state;
when the coprocessor judges that the main processor is abnormal, it reads the state code stored in the main processor state register, stores it in a log file, outputs a low-level reset signal to the main processor, and sends the log file to the main processor once it has reset.
In one embodiment, the main processor processes a management flow of a firewall and sends a received security policy to the coprocessor, and the coprocessor receives and stores the security policy, performs deep security inspection on a message entering the firewall according to the security policy, and forwards a legal message.
In one embodiment, the main processor is an ARM processor and the coprocessor is an FPGA processor.
In one embodiment, the coprocessor comprises:
the filtering matching module is used for carrying out basic validity check, industrial control protocol deep analysis, industrial control protocol instruction validity check and industrial control protocol parameter validity check on the received Ethernet message;
the MAC module receives the Ethernet message header and carries out time identification on the message through the timestamp module, and the time precision reaches microsecond level, so that each message has precise time information; after the MAC module receives the Ethernet message header and before the message data is received, the Ethernet message header is sent to the filtering and matching module, so that the filtering and matching module carries out security check on the Ethernet message header in advance;
and the storage and forwarding module is used for storing the Ethernet message sent by the MAC module and forwarding or blocking the received Ethernet message according to the matching result of the filtering and matching module.
In one embodiment, the coprocessor further includes a policy management module, and the policy management module is configured to independently provide a security policy to the filtering and matching module, so that the filtering and matching module performs, according to the security policy, basic validity check, industrial control protocol deep parsing, industrial control protocol instruction validity check, and industrial control protocol parameter validity check on a packet entering the firewall.
In one embodiment, the basic validity check, the industrial control protocol deep parsing, the industrial control protocol instruction validity check and the industrial control protocol parameter validity check are processed in parallel; during the security check, as soon as any one check returns an illegal verdict, the other checks abort processing of that Ethernet packet.
According to the firewall of the embodiment, the following technical effects can be achieved:
(1) The firewall adopts a dual-processor architecture. The ARM main processor provides user authentication, authority control, protection policy reception, alarm log uploading and similar functions, and runs a deeply customized Linux operating system that provides only a minimal set of services, reducing the threat from operating system vulnerabilities. The FPGA coprocessor provides a highly reliable service processing unit implemented in logic circuits, comprising basic validity checking, deep parsing of industrial control protocols, validity checking of industrial protocol instructions and validity checking of industrial control protocol parameters; its fixed processing flow and efficient parallel processing let it effectively resist network attacks arriving on the service ports. The two processors are independent of each other and communicate only in a limited way through the parallel port, so when the ARM main processor is under network attack or cannot work normally, the service processing unit of the FPGA coprocessor still processes service traffic normally.
(2) The firewall processes the industrial control protocol deep parsing, basic policy matching, industrial control protocol instruction matching, industrial control protocol parameter matching, alarm information uploading and similar modules in parallel. Compared with mainstream industrial control firewalls, processing time is reduced by several orders of magnitude, and throughput is 100% at gigabit line rate with 64 byte Ethernet frames.
Drawings
FIG. 1 is a schematic block diagram of a firewall;
FIG. 2 is a schematic diagram of a filter matching module;
FIG. 3 is a schematic diagram of an interface between an FPGA processor and an ARM processor;
FIG. 4 is a timing diagram of firewall management data;
FIG. 5 is a timing diagram of firewall traffic data;
fig. 6 is a basic flow chart of communication.
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings.
In the embodiment of the invention, the firewall with the multiprocessor architecture is provided to solve the problems of the traditional firewall that the security mechanism is not perfect and the real-time performance is poor.
The present example illustrates the firewall operating principle of the multiprocessor architecture by taking a dual-processor architecture as an example, and the schematic diagram of the firewall operating principle is shown in fig. 1, which includes a main processor for processing the management flow of the firewall and a coprocessor for processing the service flow of the firewall in parallel, where the main processor and the coprocessor are independent from each other and communicate through a communication port. The management process of the firewall comprises non-real-time processes such as policy management, alarm log management and the like, and the service process of the firewall comprises real-time processes such as protocol analysis, validity check, forwarding and the like.
The coprocessor receives and stores the security policy, carries out deep security inspection on a message entering the firewall according to the security policy, and forwards a legal Ethernet message, so that the coprocessor can still normally work even if the main processor is in an abnormal state.
The main processor is preferably an ARM processor running a deeply customized minimal Linux system that provides only minimal services, and the coprocessor is preferably an FPGA whose logic circuits provide a stable service processing unit. The FPGA's service processing unit therefore keeps working even if the ARM system has crashed, which effectively addresses device exceptions or restarts, security policy failure and other threat events caused by operating system vulnerabilities and backdoors in the firewall, and safeguards the operation of the industrial control system.
In addition, the service-data coprocessor exploits the hardware parallelism of the FPGA: Ethernet packet deep parsing, basic policy matching, industrial control protocol instruction code matching and industrial control protocol parameter matching are processed in parallel in real time. Processing delay is 10 microseconds at 1000M line rate, compared with the 100 microseconds of other industrial firewalls, and throughput is 100% at gigabit line rate with 64 byte Ethernet frames.
In summary, the firewall of this embodiment is a dual-processor architecture that checks the validity of service traffic between the field control layer and the monitoring layer of an industrial control network and blocks or forwards each Ethernet packet according to the check result. The industrial control firewall responds to authentication information and security policy configuration from a management software client, performs deep security checks on packets entering it according to the security policy, forwards legal packets, and blocks illegal packets while raising a threat alarm. The alarm information includes the packet's time, MAC address, IP address, protocol type and threat event type and is sent to the configuration management application, which records it as event and operation logs and presents statistical analyses to the user in report form.
The firewall structure of this embodiment is described in detail with reference to fig. 1, and specifically, the main processor of this embodiment includes the following modules:
the communication management control module comprises an authentication management unit, an encryption and decryption unit, a long-connection heartbeat management unit and a user management unit;
the strategy management module comprises a basic white list strategy, an industrial control instruction white list strategy (comprising more than ten industrial control protocols such as Siemens S7, modbus, IEC104, DNP, OPC and profinet), an industrial control protocol parameter white list (comprising more than ten industrial control protocols such as Siemens S7, modbus, IEC104, DNP, OPC and profinet), a strategy query module, a strategy modification module and a strategy deletion module;
the threat reporting module is responsible for reporting the time, the MAC address, the IP address, the protocol type and the threat event of the illegal message to the management software in time for the user to check when the message violating the policy rule passes through the service port;
and the statistical information reporting module is used for receiving the statistical information sent by the flow statistical module of the FPGA processor and sending a statistical information message to the data server at regular time.
The coprocessor includes: MAC module, filtration matching module and store-and-forward module, wherein:
the MAC module realizes PHY register configuration and data message receiving and sending, supports 10/100/1000M self-adaptation, and specifically, the MAC module receives an Ethernet message header, carries out time identification on the message through a timestamp module, and ensures that the time precision is accurate to microsecond level, so that each message has accurate time information; after the MAC module receives the Ethernet message header and before the message data is received, the Ethernet message header is sent to the filtering and matching module, so that the filtering and matching module carries out security check on the Ethernet message header in advance.
That is, the MAC module of this embodiment strips out redundant functions and achieves the following: 1) lower delay and higher stability; 2) a timestamp function that accurately marks the time of each packet.
1. Low time delay and high stability
After the MAC module has received the Ethernet frame header, it passes the header to the packet parsing module before the rest of the frame data has arrived. A generic MAC core instead notifies the reader only once the whole frame has been buffered; passing the header ahead shortens the time the data spends in the buffer.
2. Accurate time stamp
When the first Ethernet message head enters the MAC module, the time stamp module marks time, and the time precision is accurate to microsecond level. When the message entering the firewall is judged to be an illegal message, the accurate alarm time is beneficial to comprehensive statistical analysis and alarm event positioning.
The filtering and matching module performs a basic validity check, industrial control protocol deep parsing, an industrial control protocol instruction validity check and an industrial control protocol parameter validity check on each received data packet. These four checks run in parallel, and during the security check, as soon as any one check returns an illegal verdict, the other checks abort processing of that Ethernet packet.
The basic validity check comprises PORT matching, IP matching, protocol type matching and MAC matching. The industrial control protocol deep parsing, the industrial control protocol instruction validity check and the industrial control protocol parameter validity check each cover a dozen or more industrial control protocols, including Siemens S7, Modbus, IEC 104, DNP, OPC and Profinet.
The coprocessor further comprises a policy management module that independently supplies the security policy to the filtering and matching module. Specifically, it contains a configuration policy parsing sub-module and a configuration policy storage sub-module: it receives and parses the security policy issued by the main processor, stores the configuration policy in internal RAM, and supplies it to the basic validity check, the industrial control protocol instruction validity check and the industrial control protocol parameter validity check, so that the filtering and matching module applies the basic validity check, deep parsing, instruction validity check and parameter validity check to every Ethernet packet entering the firewall according to that policy. Until a configuration policy has been issued, the filtering and matching module treats every match as a failure (default deny).
The store-and-forward module stores the Ethernet packets delivered by the MAC module and forwards or blocks each packet according to the matching result of the filtering and matching module. It receives and processes Ethernet packet data in both directions, MAC_A and MAC_B, at the same time.
The network interfaces referred to in fig. 1 are: PORT A, connected to the PLC or other field-layer network devices; PORT B, connected to the configuration and monitoring computer; PORT D, connected to the data server. Configuration information, threat alarm information, statistics and similar data sent over PORT D are encrypted before transmission to the server.
The matching and filtering flow of the filtering and matching module is shown in fig. 2, the message deep analysis module analyzes the received message, the basic validity check module obtains the basic policy index and the basic policy, the protocol instruction validity check module obtains the instruction index and the instruction policy, the protocol parameter validity check module obtains the parameter policy, and outputs a corresponding matching result to the storing and forwarding module by combining the basic validity check, the protocol instruction validity check and the protocol parameter validity check, so that the storing and forwarding module forwards the message according to the matching result.
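The following is an added software model of the filtering and matching flow described above; it is example code, not circuitry or code from the patent. It implements the four stages for Modbus/TCP, one of the protocols the page names: basic whitelist (MAC, IP, protocol type, PORT), deep parsing of the MBAP header and PDU, function code whitelist, and register-window parameter check, with the page's default of match failure when no policy has been issued. The policy layout, the sample HMI/PLC addresses and the verdict codes are assumptions made for the example; the FPGA evaluates the stages in parallel and aborts on the first failure, which in software becomes an ordered short-circuit.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Header fields the MAC module hands over ahead of the payload (values below are constructed). */
typedef struct {
    uint8_t  src_mac[6];
    uint32_t src_ip, dst_ip;
    uint8_t  ip_proto;               /* 6 = TCP */
    uint16_t dst_port;
} hdr_t;
typedef hdr_t basic_rule_t;          /* basic whitelist: MAC, IP, protocol type and PORT must all match */

typedef struct {                     /* assumed policy layout, not the patent's */
    bool         loaded;             /* no policy issued yet: every match fails (the page's default) */
    basic_rule_t basic;
    uint8_t      fc_allowed[32];     /* instruction whitelist: bitmap over Modbus function codes 0..255 */
    uint16_t     reg_start, reg_end; /* parameter whitelist: permitted register window, inclusive */
    uint16_t     max_qty;            /* largest quantity one request may touch */
} policy_t;

enum verdict { FWD_PASS = 0, DROP_NO_POLICY, DROP_BASIC, DROP_PARSE, DROP_INSTRUCTION, DROP_PARAMETER };

static bool basic_ok(const basic_rule_t *r, const hdr_t *h) {
    return memcmp(r->src_mac, h->src_mac, 6) == 0 && r->src_ip == h->src_ip && r->dst_ip == h->dst_ip &&
           r->ip_proto == h->ip_proto && r->dst_port == h->dst_port;
}

/* Deep parse of a Modbus/TCP ADU: MBAP header (transaction id, protocol id, length, unit id) followed
   by the PDU (function code, data). Malformed frames are rejected before any whitelist is consulted. */
static bool modbus_parse(const uint8_t *adu, size_t n, uint8_t *fc, uint16_t *addr, uint16_t *word2) {
    if (n < 8) return false;
    uint16_t proto_id = (uint16_t)((adu[2] << 8) | adu[3]);
    uint16_t length   = (uint16_t)((adu[4] << 8) | adu[5]);
    if (proto_id != 0 || (size_t)length + 6 != n) return false;   /* length counts unit id + PDU */
    *fc    = adu[7];
    *addr  = n >= 10 ? (uint16_t)((adu[8] << 8) | adu[9])   : 0;
    *word2 = n >= 12 ? (uint16_t)((adu[10] << 8) | adu[11]) : 0;
    return true;
}

static bool instruction_ok(const policy_t *p, uint8_t fc) { return (p->fc_allowed[fc >> 3] >> (fc & 7)) & 1u; }

static bool parameter_ok(const policy_t *p, uint8_t fc, uint16_t addr, uint16_t word2) {
    uint16_t qty;
    switch (fc) {
    case 1: case 2: case 3: case 4: case 15: case 16: qty = word2; break;  /* start address + quantity */
    case 5: case 6: qty = 1; break;                                        /* single write: word2 is the value */
    default: return true;                                                  /* no register parameters to check */
    }
    if (qty == 0 || qty > p->max_qty) return false;
    return addr >= p->reg_start && (uint32_t)addr + qty - 1 <= p->reg_end;
}

/* Returns FWD_PASS or the first failing stage. */
int filter_frame(const policy_t *p, const hdr_t *h, const uint8_t *adu, size_t n) {
    if (!p->loaded) return DROP_NO_POLICY;
    if (!basic_ok(&p->basic, h)) return DROP_BASIC;
    uint8_t fc; uint16_t addr, word2;
    if (!modbus_parse(adu, n, &fc, &addr, &word2)) return DROP_PARSE;
    if (!instruction_ok(p, fc)) return DROP_INSTRUCTION;
    if (!parameter_ok(p, fc, addr, word2)) return DROP_PARAMETER;
    return FWD_PASS;
}

/* Constructed policy: one HMI (192.168.10.5) may read holding registers (0x03) and write multiple
   registers (0x10) within registers 0..99 of the PLC at 192.168.10.20:502, at most 16 per request. */
static policy_t sample_policy(void) {
    policy_t p = {0};
    const uint8_t mac[6] = {0x00, 0x1b, 0x1b, 0x01, 0x02, 0x03};
    p.loaded = true;
    memcpy(p.basic.src_mac, mac, 6);
    p.basic.src_ip = 0xC0A80A05u; p.basic.dst_ip = 0xC0A80A14u; p.basic.ip_proto = 6; p.basic.dst_port = 502;
    p.fc_allowed[0x03 >> 3] |= 1u << (0x03 & 7);
    p.fc_allowed[0x10 >> 3] |= 1u << (0x10 & 7);
    p.reg_start = 0; p.reg_end = 99; p.max_qty = 16;
    return p;
}

/* Constructed scenarios derived from one valid request (read 4 holding registers starting at 16). */
int demo(int scenario) {
    policy_t p = sample_policy();
    hdr_t h = p.basic;
    uint8_t adu[12] = {0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x10, 0x00,0x04};
    size_t n = sizeof adu;
    switch (scenario) {
    case 1: h.dst_port = 503; break;   /* wrong PORT: basic check fails */
    case 2: n = 7; break;              /* truncated ADU */
    case 3: adu[5] = 0x07; break;      /* MBAP length disagrees with frame size */
    case 4: adu[7] = 0x05; break;      /* write single coil: function code not whitelisted */
    case 5: adu[9] = 0x60; break;      /* start 96, quantity 4: last register 99, inside the window */
    case 6: adu[9] = 0x61; break;      /* start 97, quantity 4: last register 100, outside the window */
    case 7: adu[11] = 0x20; break;     /* quantity 32 exceeds max_qty */
    case 8: p.loaded = false; break;   /* nothing issued yet: default deny */
    default: break;
    }
    return filter_frame(&p, &h, adu, n);
}
```

Scenario 3 is the one a generic parser tends to miss: the frame is the right size but the MBAP length field disagrees with it, and a device that trusts the field can be made to read past the PDU. Scenario 8 shows the page's default-deny behaviour: with no policy loaded, even a well-formed, otherwise permitted request is dropped.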
As shown in fig. 3, the interface between the coprocessor (FPGA) and the main processor (ARM) is implemented with a dual-port RAM of 8192 words inside the FPGA, with a 13-bit address bus and a 16-bit data bus. The 8192-word dual-port RAM is divided into 2048 buffer areas, including a buffer area A, written by the ARM processor and read by the FPGA, which holds the issued configuration policy data, and a buffer area B, written by the FPGA and read by the ARM processor, which holds uploaded alarm information.
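The following is an added software model of that shared-RAM interface, written for this page and not taken from the patent. It keeps the page's dimensions (8192 words, 13-bit address, 16-bit data) and the two one-directional buffers, and makes the "limited communication" explicit: each side may write only its own buffer, so the FPGA can never rewrite the policy area and the ARM can never forge an alarm. The split of the RAM into a lower buffer A and an upper buffer B, the record layout (sequence word, length, payload, XOR checksum) and the sample payloads are assumptions made for the example; in the real device the write restriction is a property of which processor is wired to which RAM port, not a software check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define RAM_WORDS   8192u             /* 13-bit address, 16-bit data (from the page) */
#define ADDR_MASK   (RAM_WORDS - 1u)
/* Partition assumed for this example; the page only names the two areas. */
#define BUF_A_BASE  0x0000u           /* ARM writes, FPGA reads: policy download */
#define BUF_B_BASE  0x1000u           /* FPGA writes, ARM reads: alarm upload */
#define BUF_WORDS   0x1000u

typedef enum { SIDE_ARM, SIDE_FPGA } side_t;
typedef struct { uint16_t mem[RAM_WORDS]; } dpram_t;

/* Each side may write only its own buffer; reads are unrestricted. */
static bool may_write(side_t s, uint16_t addr) {
    addr &= ADDR_MASK;
    return (s == SIDE_ARM) ? (addr < BUF_B_BASE) : (addr >= BUF_B_BASE);
}
bool dpram_write(dpram_t *r, side_t s, uint16_t addr, uint16_t v) {
    if (!may_write(s, addr)) return false;
    r->mem[addr & ADDR_MASK] = v;
    return true;
}
uint16_t dpram_read(const dpram_t *r, uint16_t addr) { return r->mem[addr & ADDR_MASK]; }

/* Assumed record layout inside a buffer: [0]=sequence (0 = empty), [1]=payload length in words,
   [2..2+n-1]=payload, [2+n]=XOR of sequence, length and payload. The sequence word is written
   last so the consumer never sees a half-written record. */
bool mailbox_post(dpram_t *r, side_t s, uint16_t base, uint16_t seq, const uint16_t *payload, uint16_t n) {
    if (seq == 0 || n == 0 || (uint32_t)n + 3 > BUF_WORDS) return false;
    if (!may_write(s, base) || !may_write(s, (uint16_t)(base + 2 + n))) return false;
    uint16_t sum = seq ^ n;
    dpram_write(r, s, (uint16_t)(base + 1), n);
    for (uint16_t i = 0; i < n; i++) { dpram_write(r, s, (uint16_t)(base + 2 + i), payload[i]); sum ^= payload[i]; }
    dpram_write(r, s, (uint16_t)(base + 2 + n), sum);
    return dpram_write(r, s, base, seq);
}

/* Consumer side. Returns payload length, 0 if no new record, -1 if the record is malformed or corrupt. */
int mailbox_take(const dpram_t *r, uint16_t base, uint16_t *expect_seq, uint16_t *out, uint16_t max_n) {
    uint16_t seq = dpram_read(r, base);
    if (seq != *expect_seq) return 0;
    uint16_t n = dpram_read(r, (uint16_t)(base + 1));
    if (n == 0 || n > max_n || (uint32_t)n + 3 > BUF_WORDS) return -1;
    uint16_t sum = seq ^ n;
    for (uint16_t i = 0; i < n; i++) { out[i] = dpram_read(r, (uint16_t)(base + 2 + i)); sum ^= out[i]; }
    if (sum != dpram_read(r, (uint16_t)(base + 2 + n))) return -1;
    (*expect_seq)++;
    return n;
}

/* Round trip with constructed data: ARM issues a policy record, FPGA consumes it; FPGA raises an
   alarm, ARM consumes it; then the forbidden directions. Returns 0 on success, else the failing step. */
int demo_roundtrip(void) {
    dpram_t ram = {0};                                 /* power-on: both buffers empty */
    uint16_t fpga_expect = 1, arm_expect = 1, got[8], big[16];
    const uint16_t policy[4] = { 0x0003, 0x0010, 0x0000, 0x0063 };   /* fc 0x03, fc 0x10, regs 0..99 */
    if (!mailbox_post(&ram, SIDE_ARM, BUF_A_BASE, 1, policy, 4)) return 1;
    if (mailbox_take(&ram, BUF_A_BASE, &fpga_expect, got, 8) != 4) return 2;
    for (int i = 0; i < 4; i++) if (got[i] != policy[i]) return 3;
    /* alarm: time (2 words), src MAC (3), src IP (2), protocol, event type */
    const uint16_t alarm[9] = { 0x5F3E, 0x1A2B, 0x001b, 0x1b01, 0x0203, 0xC0A8, 0x0A05, 0x0006, 0x0002 };
    if (!mailbox_post(&ram, SIDE_FPGA, BUF_B_BASE, 1, alarm, 9)) return 4;
    if (mailbox_take(&ram, BUF_B_BASE, &arm_expect, got, 8) != -1) return 5;   /* too long for reader: refused */
    if (mailbox_take(&ram, BUF_B_BASE, &arm_expect, big, 16) != 9) return 6;
    if (mailbox_post(&ram, SIDE_FPGA, BUF_A_BASE, 2, policy, 4)) return 7;     /* FPGA cannot alter policy */
    if (mailbox_post(&ram, SIDE_ARM, BUF_B_BASE, 2, alarm, 9)) return 8;       /* ARM cannot forge alarms */
    if (mailbox_take(&ram, BUF_A_BASE, &fpga_expect, got, 8) != 0) return 9;   /* no new record: nothing read */
    return 0;
}

/* Raw-write rules and 13-bit address wrap. Bits: 1 FPGA->A accepted, 2 ARM->A accepted,
   4 ARM->B accepted, 8 FPGA->B accepted, 16 read via the aliased address 0x2010 saw the ARM's word. */
unsigned demo_write_rules(void) {
    dpram_t ram = {0};
    unsigned r = 0;
    if (dpram_write(&ram, SIDE_FPGA, 0x0010, 0x1111)) r |= 1u;
    if (dpram_write(&ram, SIDE_ARM,  0x0010, 0x2222)) r |= 2u;
    if (dpram_write(&ram, SIDE_ARM,  0x1010, 0x3333)) r |= 4u;
    if (dpram_write(&ram, SIDE_FPGA, 0x1010, 0x4444)) r |= 8u;
    if (dpram_read(&ram, 0x2010) == 0x2222) r |= 16u;  /* 0x2010 & 0x1FFF == 0x0010: only 13 address bits exist */
    return r;
}
```

The aliasing check in demo_write_rules is the practical reason to mask addresses on both ports: a 16-bit address register that is not masked to 13 bits lets an out-of-range write land on a different record than intended. The checksum guards against a torn read across the two clock domains, not against a hostile peer; the direction rule is what limits what a compromised ARM can do to the data plane.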
Further, to give the firewall device a self-recovery function, a mutual detection interface is arranged between the main processor and the coprocessor, so that when the main processor detects that the coprocessor is abnormal it automatically restores the coprocessor to a normal working state and records the abnormal code, and when the coprocessor detects that the main processor is abnormal it automatically restores the main processor to a normal working state and records the abnormal code. In this example the mutual detection interface between the FPGA processor and the ARM processor works in the same way in both directions: when the FPGA detects that the ARM is abnormal it automatically restores the ARM to normal operation, and when the ARM detects that the FPGA is abnormal it automatically restores the FPGA to normal operation. Self-recovery of the firewall device consists of two parts: 1) monitoring and recording abnormal running states of the FPGA processor and the ARM processor; 2) exception handling (the handling mode is user-settable).
1. The specific implementation of the state monitoring and recording is as follows:
the firewall device is provided with a heartbeat monitoring register, a main processor state register and a coprocessor state register in a shared RAM of the coprocessor, wherein:
the main processor state register stores the state codes of the running states of all processes and modules of the main processor, and the main processor updates the state codes stored in the main processor state register at regular time;
the coprocessor state register stores the state codes of the running states of processes and modules of the coprocessor, and the coprocessor updates the state codes stored in the coprocessor state register at regular time.
Heartbeat monitoring register: 8 bits wide. After the main processor (ARM) sets an initial value, the main processor and the coprocessor (FPGA) take turns flipping the value at fixed intervals; if a flip times out or the register holds a wrong value, the other side is judged abnormal.
The bit width of the main processor status register and the coprocessor status register are both 16 bits.
Monitoring and recording procedure:
1) After the firewall device powers on, the ARM sets the heartbeat monitoring register to the initial value 0xaa, starts its heartbeat timeout counter and periodically updates the state code in the main processor state register;
2) When the FPGA sees that the heartbeat monitoring register no longer holds the reset value 0, it starts its heartbeat monitoring function, flips the register from 0xaa to 0x55 within the set time, starts its own heartbeat timeout counter and periodically updates the state code in the coprocessor state register;
3) Thereafter the ARM and the FPGA take turns flipping the heartbeat monitoring register value at fixed intervals; if a flip times out or the register value is wrong, the other side is judged abnormal and exception handling is carried out.
2. Type and mode of exception handling
Exception handling is divided into three levels: level 1, exception recording; level 2, exception recording and CPU isolation; level 3, exception recording and CPU reset. The user sets the exception handling level as required.
The processing mode of the first-level exception record is as follows: when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored by the coprocessor state register and stores the read state code into a log file;
and when the coprocessor judges that the state of the main processor is abnormal, the coprocessor reads the state code stored in the state register of the main processor and stores the read state code into a log file.
That is: once the exception handling mechanism is triggered, read the state code from the peer CPU's state register and store it in a log file.
The processing mode of the second-level exception recording and isolation is as follows: when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored in the coprocessor state register, then blocks a communication interface with the coprocessor, isolates the main processor from the coprocessor, and stores the read state code into a log file;
and when the coprocessor judges that the state of the main processor is abnormal, the coprocessor reads the state code stored in the state register of the main processor, then blocks a communication interface with the main processor, isolates the coprocessor from the main processor, and stores the read state code into a log file.
That is: once the exception handling mechanism is triggered, read the state code from the peer CPU's state register, then block communication with the peer CPU so that the abnormal CPU is isolated, and store the read state code in a log file.
The processing mode of the third-level exception record and reset is as follows: when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored in the coprocessor state register, stores the read state code into a log file, switches the two network interfaces of the coprocessor to the direct-connection state so that communication continues normally, and outputs a low-level reset signal to the coprocessor; after the reset, the coprocessor reloads the security policy and switches the two network interfaces back to the security control state;
and when the coprocessor judges that the main processor is abnormal, the coprocessor reads the state code stored in the main processor state register, stores the read state code into a log file and outputs a low-level reset signal to the main processor; after the main processor has been reset, the coprocessor sends the log file to the main processor.
Specifically, (1) when the ARM judges that the FPGA is abnormal, it reads the state code stored in the state register of the opposite CPU, stores it into a log file, switches the two service ports (PORT A and PORT B) to the direct-connection state so that service data continues to flow normally, and outputs a low-level reset signal to the service CPU; after the reset is completed, the service CPU reloads the security policy and the two service ports (PORT A and PORT B) return to the security control state; (2) when the FPGA judges that the ARM is abnormal, it reads the state code stored in the state register of the opposite CPU, stores it into the log file and outputs a low-level reset signal to the ARM; after the ARM reset is completed, the log file is sent to the ARM.
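The mutual heartbeat supervision and the three handling levels described above, modelled in C as an added example; this is not code from the patent or its applicant. The shared-RAM layout, the state-code values, the heartbeat convention (the main processor writes 1, the coprocessor answers 0) and the three-tick timeout are assumptions made for this example; real firmware would drive a reset line and the port switches instead of setting struct fields, and would wait for the coprocessor to report a healthy state code before returning the ports to security control.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Shared-RAM registers named in the text. Register width and the meaning of
 * the state codes are assumptions made for this example. */
typedef struct {
    uint32_t heartbeat;      /* flipped alternately by main processor and coprocessor */
    uint32_t main_state;     /* running-state code of the main processor's processes/modules */
    uint32_t coproc_state;   /* running-state code of the coprocessor's processes/modules */
} shared_ram_t;

#define STATE_OK           0x0000u
#define STATE_POLICY_FAULT 0x0102u   /* hypothetical code: policy module fault */

typedef enum { LEVEL_RECORD = 1, LEVEL_RECORD_ISOLATE = 2, LEVEL_RECORD_RESET = 3 } exc_level_t;
typedef enum { PORTS_SECURITY_CONTROL, PORTS_DIRECT_CONNECT } port_mode_t;

/* Observable effects of the main processor's handler, kept as data so a test
 * can inspect them in place of the real log file, reset line and port controls. */
typedef struct {
    exc_level_t level;        /* user-selected handling level */
    uint32_t    logged_code;  /* last state code written to the log file */
    int         log_entries;
    bool        link_blocked; /* communication interface to coprocessor blocked (level 2) */
    bool        bypass_used;  /* PORT A/PORT B put in direct-connect during reset (level 3) */
    bool        reset_active; /* low-level reset currently driven to the coprocessor */
    bool        policy_reloaded;
    port_mode_t port_mode;
} main_side_t;

static void main_handle_exception(main_side_t *ms, shared_ram_t *ram) {
    /* All three levels begin by reading the peer's state code into the log. */
    ms->logged_code = ram->coproc_state;
    ms->log_entries++;
    if (ms->level == LEVEL_RECORD) return;
    if (ms->level == LEVEL_RECORD_ISOLATE) {
        ms->link_blocked = true;            /* isolate the abnormal coprocessor */
        return;
    }
    /* Level 3: keep service traffic flowing while the coprocessor is reset. */
    ms->port_mode = PORTS_DIRECT_CONNECT;
    ms->bypass_used = true;
    ms->reset_active = true;                /* drive the low-level reset signal */
    /* Reset completion is modelled synchronously for the example. */
    ram->coproc_state = STATE_OK;
    ms->reset_active = false;
    ms->policy_reloaded = true;             /* coprocessor reloads its security policy */
    ms->port_mode = PORTS_SECURITY_CONTROL; /* ports back under security control */
}

/* Main-processor supervision loop. Assumed heartbeat protocol: the main
 * processor writes 1 when it sees 0, the coprocessor answers by writing 0.
 * `coproc_alive` and `coproc_reply` drive a simulated coprocessor. Returns the
 * tick at which the peer was judged abnormal, or -1 if it stayed healthy. */
static int run_supervision(main_side_t *ms, shared_ram_t *ram,
                           bool coproc_alive, uint32_t coproc_reply, int ticks) {
    const int timeout_ticks = 3;  /* assumed: three missed turns count as a timeout */
    int missed = 0;
    ram->heartbeat = 0;
    for (int t = 0; t < ticks; t++) {
        if (ram->heartbeat == 0) { ram->heartbeat = 1; missed = 0; }  /* main's turn */
        else missed++;                                              /* still waiting */
        ram->main_state = STATE_OK;                 /* periodic refresh of own state code */
        if (coproc_alive) ram->heartbeat = coproc_reply;            /* peer's turn */
        bool wrong_value = ram->heartbeat != 0 && ram->heartbeat != 1;
        if (wrong_value || missed >= timeout_ticks) {  /* flipped late or to a wrong value */
            main_handle_exception(ms, ram);
            return t;
        }
    }
    return -1;
}

int main(void) {
    shared_ram_t ram = { 0, STATE_OK, STATE_POLICY_FAULT };
    main_side_t ms = { .level = LEVEL_RECORD_RESET, .port_mode = PORTS_SECURITY_CONTROL };
    int at = run_supervision(&ms, &ram, false, 0, 10);  /* coprocessor stops answering */
    printf("abnormal at tick %d, logged code 0x%04x, policy reloaded=%d\n",
           at, (unsigned)ms.logged_code, (int)ms.policy_reloaded);
    return 0;
}
```

Only the level-3 path touches the service ports: the bypass keeps plant traffic flowing during the reset, which is why the text restores the security control state only after the policy has been reloaded.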
The firewall management data sequence diagram of this example is shown in fig. 4 and comprises the following steps:
1. message receiving: after identity authentication, the communication management module receives a management message;
2. user management: the user management module receives user management data;
3. policy management: the policy management module receives policy management data;
4. industrial control policy: the policy management module stores the industrial control policy in the industrial control policy library and then queries it;
5. log management: the log management module provides log query, storage and modification;
6. message response: the communication module responds to the received message.
The firewall service data sequence diagram of this example is shown in fig. 5 and comprises the following steps:
1. Ethernet message: after receiving a service message, the Ethernet transceiving module sends the message data to the header analysis module and to the industrial control protocol deep analysis module simultaneously;
2. message header data: the header analysis module sends the header data to the data interaction module;
3. header data: the data interaction module sends the header data to the basic matching module;
4. basic policy: the basic matching module queries the basic policy library, and the basic policy library responds with the basic policy;
5. industrial control policy: the industrial control protocol deep analysis matching module queries the industrial control policy library, and the industrial control policy library responds with the industrial control policy;
6. traditional security result: the traditional security control module generates a traditional security result according to the policy configuration and sends it to the data interaction module;
7. ARM matching result: the data interaction module sends the ARM matching result to the storage and forwarding control module;
8. industrial control matching result: the industrial control protocol deep analysis matching module sends the industrial control matching result to the storage and forwarding control module;
9. comprehensive matching result: the storage and forwarding control module sends the comprehensive matching result to the data interaction module for log recording;
10. message forwarding: the storage and forwarding control module forwards the message to the Ethernet transceiving module.
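The service-data path above, together with the early-termination rule stated in claim 11, as an added C model that is not the patent's own code. Modbus/TCP is used here as the industrial control protocol (the page does not name one), and the basic policy tuple, the permitted function codes, the writable register window and the sample frames are all constructed for the example. In the FPGA the header matching and the deep parse run concurrently; this sequential model keeps the order in which results become available (header first) and shows how a single illegal result ends the remaining check flows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed packet model: header fields available before the payload
 * arrives, plus the payload (a Modbus/TCP application data unit). */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t dst_port;
    const uint8_t *payload;
    size_t payload_len;
} pkt_t;

typedef enum { VERDICT_FORWARD, VERDICT_BLOCK } verdict_t;
enum { CHECK_BASIC = 1, CHECK_INSTRUCTION = 2, CHECK_PARAMETER = 4 };

typedef struct {
    verdict_t verdict;
    unsigned checks_run;     /* bitmask of CHECK_* flows that actually executed */
    const char *reason;      /* text for the log record */
} match_result_t;

/* Basic policy library (constructed): one permitted source/destination/port tuple. */
typedef struct { uint32_t src_ip, dst_ip; uint16_t dst_port; } basic_rule_t;
static const basic_rule_t BASIC_POLICY[] = {
    { 0xC0A80A0Au /* 192.168.10.10 */, 0xC0A80A14u /* 192.168.10.20 */, 502 },
};

/* Industrial control policy library (constructed): permitted Modbus function
 * codes and the holding-register window that writes may touch. */
static const uint8_t  ALLOWED_FC[] = { 0x03, 0x06, 0x10 };  /* read, write single, write multiple */
static const uint16_t WRITE_ADDR_LO = 0x0000, WRITE_ADDR_HI = 0x00FF;

#define MBAP_LEN 7   /* transaction id(2) protocol id(2) length(2) unit id(1) */

static bool basic_match(const pkt_t *p) {
    for (size_t i = 0; i < sizeof BASIC_POLICY / sizeof BASIC_POLICY[0]; i++)
        if (p->src_ip == BASIC_POLICY[i].src_ip && p->dst_ip == BASIC_POLICY[i].dst_ip &&
            p->dst_port == BASIC_POLICY[i].dst_port)
            return true;
    return false;
}

/* Instruction validity check: the function code must be in the permitted list. */
static bool instruction_valid(uint8_t fc) {
    for (size_t i = 0; i < sizeof ALLOWED_FC; i++)
        if (ALLOWED_FC[i] == fc) return true;
    return false;
}

/* Parameter validity check: write requests must stay inside the permitted window. */
static bool parameter_valid(uint8_t fc, const uint8_t *pdu, size_t len) {
    if (fc != 0x06 && fc != 0x10) return true;   /* permitted reads carry no write parameters */
    if (len < 3) return false;                   /* truncated request: fail closed */
    uint16_t addr = (uint16_t)(pdu[1] << 8 | pdu[2]);
    uint16_t count = 1;
    if (fc == 0x10) {                            /* write multiple: starting address + quantity */
        if (len < 5) return false;
        count = (uint16_t)(pdu[3] << 8 | pdu[4]);
        if (count == 0) return false;
    }
    return addr >= WRITE_ADDR_LO && (uint32_t)addr + count - 1 <= WRITE_ADDR_HI;
}

/* Store-and-forward decision. Header matching runs first because the header
 * reaches the matching module before the payload; any illegal result ends the
 * remaining flows early and the frame is blocked. */
static match_result_t inspect(const pkt_t *p) {
    match_result_t r = { VERDICT_BLOCK, 0, "" };
    r.checks_run |= CHECK_BASIC;
    if (!basic_match(p)) { r.reason = "basic policy: tuple not permitted"; return r; }
    if (p->payload_len < MBAP_LEN + 1) { r.reason = "deep parse: truncated frame"; return r; }
    const uint8_t *pdu = p->payload + MBAP_LEN;
    size_t pdu_len = p->payload_len - MBAP_LEN;
    uint8_t fc = pdu[0];
    r.checks_run |= CHECK_INSTRUCTION;
    if (!instruction_valid(fc)) { r.reason = "industrial policy: function code not permitted"; return r; }
    r.checks_run |= CHECK_PARAMETER;
    if (!parameter_valid(fc, pdu, pdu_len)) { r.reason = "industrial policy: register outside window"; return r; }
    r.verdict = VERDICT_FORWARD;
    r.reason = "all checks passed";
    return r;
}

int main(void) {
    /* Constructed sample: read 10 holding registers from address 0. */
    const uint8_t read_req[] = { 0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A };
    pkt_t p = { 0xC0A80A0Au, 0xC0A80A14u, 502, read_req, sizeof read_req };
    match_result_t r = inspect(&p);
    printf("%s (%s), checks run: 0x%x\n",
           r.verdict == VERDICT_FORWARD ? "forward" : "block", r.reason, r.checks_run);
    return 0;
}
```

The `checks_run` mask is what the log record needs: for a frame blocked by the basic policy it shows that the deep-parse flows never ran, which is the behaviour claim 11 describes.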
The client-side firewall communication process is shown in fig. 6 and can be roughly divided into the following stages:
1. Establishing a TCP connection: the client initiates a TCP connection to the server.
2. Identity authentication: the client sends an identity authentication request to the server, the server performs identity authentication, and subsequent service processing can be performed only after the identity authentication is passed.
3. Service processing: the client and the server perform service processing in a request-and-response mode.
4. Identity authentication exit: the client actively exits the authenticated session with the server.
5. Disconnecting the TCP connection: the TCP connection between the client and the server is closed.
The firewall of the embodiment adopts a dual-processor architecture. The ARM main processor runs a deeply customized Linux operating system that provides a minimized set of services, which reduces the security threat posed by operating-system vulnerabilities. The FPGA coprocessor provides the service processing unit as a logic circuit; its fixed processing flow and efficient parallel processing capacity allow it to effectively resist network attacks arriving from the service ports. The two processors are mutually independent and communicate only in a limited way through the parallel port, so that when the ARM main processor is under network attack or cannot work normally, the service processing unit of the FPGA coprocessor can still process the service flow normally.
The firewall of the embodiment uses a parallel service processing unit to greatly reduce processing latency: the parallel processing capability of the FPGA is used to run modules such as message deep analysis, basic policy matching, industrial control protocol instruction matching, industrial control protocol parameter matching and alarm information uploading in parallel, which reduces the processing wait time. Compared with other industrial control firewalls, the processing time is lower by several orders of magnitude; 100% throughput is achieved at gigabit line rate with 64-byte Ethernet messages, and both the packet loss rate and the bit error rate are 0.
On the basis of the basic idea of the invention, a person skilled in the art may also adopt the following alternatives:
1. Main processor + multiple coprocessors scheme
The main processor is in charge of managing the coprocessors and distributing tasks, and the multiple coprocessors concurrently perform deep message analysis, basic policy matching, industrial control protocol function code matching, industrial control protocol parameter matching, alarm information uploading, message forwarding, policy management and the like, so that the processing delay of the industrial control firewall based on a main processor and coprocessors is greatly reduced.
2. Network processor scheme
The network processor contains a plurality of on-chip microprocessors that form a multiprocessor system. According to the division of tasks, the on-chip processors can be roughly divided into two types: management engines and forwarding/matching engines. The management engine is used for system maintenance, policy management, threat alarms and policy distribution; the forwarding/matching engine is used for message deep analysis, basic policy matching, industrial control protocol function code matching, industrial control protocol parameter matching and the like. The multiprocessor characteristics give the industrial control firewall good parallel high-speed processing performance.
The present invention has been described in terms of specific examples, which are provided to aid in understanding the invention and are not intended to be limiting. For a person skilled in the art to which the invention pertains, several simple deductions, modifications or substitutions may be made according to the idea of the invention.
Claims (11)
1. A firewall based on a multiprocessor architecture, comprising:
a main processor for processing the management flow of the firewall;
a coprocessor for processing the service flow of the firewall in parallel;
the main processor and the coprocessor are mutually independent and communicate through a communication interface;
the main processor and the coprocessor are provided with interfaces for mutual detection,
a heartbeat monitoring register, a main processor state register and a coprocessor state register are arranged in a shared RAM of the coprocessor;
the main processor state register stores the state codes of the running states of all processes and modules of the main processor, and the main processor updates the state codes stored in the main processor state register at regular time;
the coprocessor state register stores state codes of running states of processes and modules of the coprocessor, and the coprocessor updates the state codes stored in the coprocessor state register at regular time;
and the main processor and the coprocessor alternately flip the value in the heartbeat monitoring register at regular intervals; if the value in the heartbeat monitoring register is not flipped in time or is flipped to a wrong value, the state of the other side is judged to be abnormal and exception handling is carried out.
2. The firewall according to claim 1, wherein, when the main processor detects that the coprocessor is abnormal, the coprocessor is automatically controlled to return to a normal operating state and the exception code is recorded, and when the coprocessor detects that the main processor is abnormal, the main processor is automatically controlled to return to a normal operating state and the exception code is recorded.
3. The firewall according to claim 2, wherein said exception handling is classified into three levels: exception logging, exception logging and isolation, exception logging and reset.
4. The firewall according to claim 3, wherein the exception record is processed by:
when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored in the coprocessor state register and stores the read state code into a log file;
and when the coprocessor judges that the state of the main processor is abnormal, the coprocessor reads the state code stored in the state register of the main processor and stores the read state code into a log file.
5. The firewall according to claim 3, wherein the exception logging and isolation is handled by:
when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored in the coprocessor state register, then blocks a communication interface with the coprocessor, isolates the main processor from the coprocessor, and stores the read state code into a log file;
and when the coprocessor judges that the state of the main processor is abnormal, the coprocessor reads the state code stored in the state register of the main processor, then blocks a communication interface with the main processor, isolates the coprocessor from the main processor, and stores the read state code into a log file.
6. The firewall according to claim 3, wherein the exception logging and resetting is handled as follows:
when the main processor judges that the state of the coprocessor is abnormal, the main processor reads the state code stored in the coprocessor state register, stores the read state code into a log file, controls two network interfaces of the coprocessor to be in a direct connection state to normally communicate, outputs a low level reset signal to the coprocessor, and reloads a security policy after the coprocessor is reset, and controls the two network interfaces to be in a security control state;
and when the coprocessor judges that the main processor is abnormal, the coprocessor reads the state code stored in the state register of the main processor, stores the read state code into a log file, outputs a low-level reset signal to the main processor, and sends the log file to the main processor after the main processor is reset.
7. The firewall according to claim 1 or 2, wherein the main processor processes a management flow of the firewall and sends the received security policy to the coprocessor, and the coprocessor receives and stores the security policy, performs deep security inspection on a packet entering the firewall according to the security policy, and forwards a legitimate packet.
8. The firewall according to claim 7, wherein the main processor is an ARM processor and the co-processor is an FPGA processor.
9. The firewall according to claim 7, wherein the co-processor comprises:
the filtering matching module is used for carrying out basic validity check, industrial control protocol deep analysis, industrial control protocol instruction validity check and industrial control protocol parameter validity check on the received message;
the MAC module receives the Ethernet message header and time-stamps the message through the timestamp module with microsecond precision, so that each message carries precise time information; after the MAC module has received the Ethernet message header and before the message data is received, it sends the Ethernet message header to the filtering and matching module, so that the filtering and matching module performs the security check on the Ethernet message header in advance;
and the storage and forwarding module is used for storing the message sent by the MAC module and forwarding or blocking the received message according to the matching result of the filtering and matching module.
10. The firewall according to claim 9, wherein the coprocessor further comprises a policy management module, the policy management module is configured to independently provide the filtering matching module with a security policy, so that the filtering matching module performs basic validity check, deep analysis of an industrial control protocol, validity check of an industrial control protocol instruction, and validity check of an industrial control protocol parameter on a packet entering the firewall according to the security policy.
11. The firewall according to claim 9, wherein the basic validity check, the deep parsing of the industrial control protocol, the validity check of industrial control protocol instructions and the validity check of industrial control protocol parameters are performed in parallel; during the security check, as soon as one check flow returns an illegal result, the other check flows are terminated and the Ethernet message processing flow ends early.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811359856.2A CN109558366B (en) | 2018-11-15 | 2018-11-15 | Firewall based on multiprocessor architecture |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109558366A CN109558366A (en) | 2019-04-02 |
CN109558366B true CN109558366B (en) | 2023-03-31 |
Family
ID=65866507
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811359856.2A Active CN109558366B (en) | 2018-11-15 | 2018-11-15 | Firewall based on multiprocessor architecture |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109558366B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109922085B (en) * | 2019-04-11 | 2021-12-24 | 江苏亨通工控安全研究院有限公司 | Safety protection system and method based on CIP (common interface protocol) in PLC (programmable logic controller) |
CN112558505B (en) * | 2019-09-10 | 2024-10-15 | 阿里(四川)网络技术有限公司 | Control processing method and device of industrial control system, industrial control system and electronic equipment |
CN110941862B (en) * | 2019-12-11 | 2021-04-02 | 博依特(广州)工业互联网有限公司 | Data isolation system based on FPGA + ARM |
CN110995726B (en) * | 2019-12-11 | 2021-03-30 | 博依特(广州)工业互联网有限公司 | Network isolation system of FPGA chip based on embedded ARM |
CN111190758B (en) * | 2019-12-19 | 2022-01-14 | 江苏新质信息科技有限公司 | Method for realizing equipment state self-recovery based on combination of FPGA (field programmable Gate array) calculation rule and RPC (remote procedure call) monitoring |
CN115150420B (en) * | 2021-03-29 | 2024-04-09 | 中移(上海)信息通信科技有限公司 | Service processing method and device and related equipment |
CN116015696A (en) * | 2021-10-20 | 2023-04-25 | 中移系统集成有限公司 | Firewall system, malicious software detection method and device |
CN114115099B (en) * | 2021-11-08 | 2024-01-02 | 浙江高信技术股份有限公司 | PLC system supporting network security |
CN115174219B (en) * | 2022-07-06 | 2024-04-19 | 哈尔滨工业大学(威海) | Management system capable of adapting to various industrial firewalls |
CN116684203B (en) * | 2023-08-03 | 2023-12-22 | 南京南自华盾数字技术有限公司 | Method and system for realizing ModbusTCP protocol security protection without code variation |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101014048A (en) * | 2007-02-12 | 2007-08-08 | 杭州华为三康技术有限公司 | Distributed firewall system and method for realizing content diction of firewall |
CN106230771A (en) * | 2016-07-07 | 2016-12-14 | 国网青海省电力公司 | Industrial control system industrial fireproof wall based on polycaryon processor |
CN106576082A (en) * | 2014-08-22 | 2017-04-19 | 霍尼韦尔国际公司 | Hardware assist for redundant ethernet network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10038552B2 (en) * | 2015-11-30 | 2018-07-31 | Honeywell International Inc. | Embedded security architecture for process control systems |
Also Published As
Publication number | Publication date |
---|---|
CN109558366A (en) | 2019-04-02 |
Similar Documents
Publication | Title |
---|---|
CN109558366B (en) | Firewall based on multiprocessor architecture |
CN109479013B (en) | Logging of traffic in a computer network |
US11223639B2 (en) | Endpoint network traffic analysis |
US20190098027A1 (en) | Joint defence method and apparatus for network security, and server and storage medium |
US11848947B2 (en) | System and method for providing security to in-vehicle network |
JP3968724B2 (en) | Network security system and operation method thereof |
US9130983B2 (en) | Apparatus and method for detecting abnormality sign in control system |
CN109561091B (en) | Network safety protection system for civil air defense engineering |
US20200167342A1 (en) | System for Secure Software Defined Networking Based on Block-Chain and Method Thereof |
CN109922048B (en) | Method and system for detecting serial scattered hidden threat intrusion attacks |
US11349866B2 (en) | Hardware acceleration device for denial-of-service attack identification and mitigation |
EP2790354A1 (en) | Security management system having multiple relay servers, and security management method |
CN114826880B (en) | Data safety operation on-line monitoring system |
RU2739864C1 (en) | System and method of correlating events for detecting information security incident |
CN202979014U (en) | Network isolation device |
CN1326365C (en) | Worm blocking system and method using hardware-based pattern matching |
CN104660584A (en) | Trojan virus analysis technique based on network conversation |
KR20230156262A (en) | System and method for machine learning based malware detection |
CN106657087B (en) | Method for realizing industrial firewall dynamically tracked by Ethernet/Ip protocol |
US11356471B2 (en) | System and method for defending a network against cyber-threats |
KR102352187B1 (en) | Passive fingerprinting method and device |
CN117395082B (en) | Service processing method, electronic device and storage medium |
Ohoussou et al. | Autonomous agent based intrusion detection in virtual computing environment |
US20100212014A1 (en) | Method for Detecting a Service Prevention Attack and Communication Terminal |
Liu et al. | A Secure and Efficient USB-based In-band Communication Interface between Host and BMC |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||