CN109743316A - Data transmission method, egress router, firewall and dual stage firewall system - Google Patents
- Publication number: CN109743316A (application CN201811643288.9A)
- Authority: CN (China)
- Prior art keywords: firewalls, egress router, ipsec virtual, router, firewall
- Legal status: Granted (the status is Google's assumption, not a legal conclusion; Google has performed no legal analysis and makes no representation as to its accuracy)
Abstract
The invention provides a data transmission method, an egress router, a firewall and a dual-firewall (two-firewall) system. The egress router of the dual-firewall system obtains the link state of the IPsec tunnel corresponding to each of the two firewalls; if both IPsec tunnels are in the normal working state, the egress router transmits data to the peer device over both tunnels in load-sharing mode. Because the two firewalls of the system run in active/active mode and share the load, both firewalls process IPsec VPN traffic: throughput rises, no device sits idle, and reliability and stability stay high. The peer device does not need two firewalls of its own, which avoids extra cost and wasted address resources.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a data transmission method, an egress router, a firewall and a dual-firewall system.
Background
A firewall is a network security system placed between an internal network and an external network; the design patented by Check Point founder Gil Shwed dates from 1993 (US5606668 (A), filed 1993-12-15). As an information-security barrier it permits or restricts the data that passes through according to specific rules. Government, transport, public security, telecommunications, finance and energy organisations run internal information systems, and as Internet services grow these enterprise intranets and networks usually also need to establish sessions with the public network. To guard against intrusion and attack from the network, firewalls are widely used to separate the intranet from the public network.
Because public-network traffic volumes are large, the traditional firewall architecture deployed at an enterprise network's public-network egress today uses two devices in active/standby backup: when the master device fails, the standby device immediately takes over its services, so that traffic originally forwarded through the failed device is not interrupted. In the prior art the local end has two firewalls whose service interfaces work at Layer 3, with uplink and downlink connected to switches in a load-balancing topology and hot standby configured between the two devices. One firewall is the master, and the peer device establishes its IPsec tunnel with that firewall only; an IPsec tunnel can be established with the master firewall alone, and the standby firewall cannot establish one. If the master firewall fails, the peer device has to re-establish the IPsec tunnel with the standby firewall.
So although the local end has two firewalls in the prior art, under normal conditions only the master firewall transmits data, which wastes system resources and limits throughput.
Summary of the invention
The present invention provides a data transmission method, an egress router, a firewall and a dual-firewall system, so that the two firewalls share the load in active/active mode, raising throughput and avoiding wasted resources.
One aspect of the invention provides a data transmission method applied to a dual-firewall system. The dual-firewall system comprises two firewalls in hot standby with each other, an egress router and an intranet router. Both firewalls are configured in the Active state, each firewall establishes an IPsec tunnel with the peer device through the egress router, and each firewall connects to the intranet devices through the intranet router. The method comprises:
the egress router obtaining the link state of the IPsec tunnel corresponding to each of the two firewalls;
if both IPsec tunnels are in the normal working state, the egress router transmitting data to the peer device over both IPsec tunnels in load-sharing mode.
Further, the method also comprises:
if the link state of one of the IPsec tunnels is abnormal, the egress router transmitting all data to the peer device over the other IPsec tunnel.
Further, the method also comprises:
the egress router identifying the type of the data;
if the data is of a predetermined type, the egress router transmitting it to the peer device over the IPsec tunnel associated with that predetermined type.
Further, before the two firewalls transmit data to the peer device over their respective IPsec tunnels, the method also comprises:
the egress router configuring its IP address as the egress gateway address of both IPsec tunnels.
Another aspect of the invention provides an egress router applied to a dual-firewall system. The dual-firewall system comprises two firewalls in hot standby with each other, an egress router and an intranet router. Both firewalls are configured in the Active state, each firewall establishes an IPsec tunnel with the peer device through the egress router, and each firewall connects to the intranet devices through the intranet router. The egress router comprises:
a monitoring module, which obtains the link state of the IPsec tunnel corresponding to each of the two firewalls;
a processing module, which, if both IPsec tunnels are in the normal working state, transmits data to the peer device over both IPsec tunnels in load-sharing mode.
Further, the processing module is also configured to:
transmit all data to the peer device over the other IPsec tunnel if the link state of one of the IPsec tunnels is abnormal.
Further, the processing module is also configured to:
identify the type of the data and, if the data is of a predetermined type, transmit it to the peer device over the IPsec tunnel associated with that predetermined type.
Further, the processing module is also configured to:
configure the egress router's IP address as the egress gateway address of both IPsec tunnels.
Another aspect of the invention provides a firewall for a dual-firewall system. The dual-firewall system comprises two firewalls in hot standby with each other, an egress router and an intranet router;
the firewall is configured in the Active state;
the firewall synchronises its configuration with the other firewall over a heartbeat link;
the firewall establishes an IPsec tunnel with the peer device through the egress router, and each of the two firewalls connects to the intranet devices through the intranet router.
Another aspect of the invention provides a dual-firewall system comprising the egress router described above, two firewalls as described above, and an intranet router;
both firewalls are configured in the Active state, each firewall establishes an IPsec tunnel with the peer device through the egress router, and each firewall connects to the intranet devices through the intranet router.
In the data transmission method, egress router, firewall and dual-firewall system provided by the invention, the egress router of the dual-firewall system obtains the link state of the IPsec tunnel corresponding to each of the two firewalls; if both tunnels are in the normal working state, the egress router transmits data to the peer device over both IPsec tunnels in load-sharing mode. Because the two firewalls share the load in active/active mode, both process IPsec VPN traffic: throughput rises, no device sits idle, and reliability and stability stay high. The peer device does not need two firewalls of its own, which avoids extra cost and wasted address resources.
Description of the drawings
To explain the technical solutions of the embodiments of the invention, or of the prior art, more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is the network architecture diagram of the dual-firewall system provided by an embodiment of the invention;
Fig. 2 is the flow chart of the data transmission method provided by an embodiment of the invention;
Fig. 3 is the flow chart of the data transmission method provided by another embodiment of the invention;
Fig. 4 is the block diagram of the egress router provided by an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Evidently the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is the network architecture diagram of the dual-firewall system provided by an embodiment of the invention; Fig. 2 is the flow chart of the data transmission method provided by an embodiment of the invention. The data transmission method of this embodiment is applied to the dual-firewall system shown in Fig. 1, which comprises two firewalls 111 and 112 in hot standby with each other, an egress router 120 and an intranet router 130. Both firewalls 111 and 112 are configured in the Active state; each establishes an IPsec (Internet Protocol Security) tunnel with the peer device 200 through the egress router 120, and each connects to the intranet devices 300 through the intranet router 130.
As shown in Fig. 2, VRRP (Virtual Router Redundancy Protocol) is configured between the two firewalls and the intranet router, and likewise towards the egress router, with static routes or a dynamic routing protocol providing reachability. The two firewalls are configured for hot standby and both are placed in the Active state, so that they cooperate in active/active mode: the standby firewall is not left idle, which would waste resources, and when one firewall fails the other takes over its work so that service continues without interruption. In the dual-firewall system of this embodiment each firewall establishes its own IPsec tunnel with the peer device through the egress router, so IPsec VPN traffic travels over both IPsec tunnels to exchange data with the peer. An IPsec VPN is a VPN (Virtual Private Network) built on the IPsec protocol to provide remote access, offering end-to-end encryption and authentication between the public and the private network. Note that because both firewalls reach the peer device through the egress router, the two IPsec tunnels share one link between the egress router and the peer device. Even where the peer device can support only a single VPN tunnel endpoint, the peer does not have to deploy two firewalls for the two IPsec tunnels to be established, which avoids extra cost and wasted address resources.
As shown in Fig. 2, the specific steps of the method are as follows:
S101: the egress router obtains the link state of the IPsec tunnel corresponding to each of the two firewalls.
In this embodiment the egress router detects the link state of each firewall's IPsec tunnel in order to judge whether the two firewalls are working normally; specifically, it monitors the state of the links between the two firewalls and the egress router. Optionally the egress router monitors continuously, or monitors again whenever a data transfer task arrives.
S102: if both IPsec tunnels are in the normal working state, the egress router transmits data to the peer device over both IPsec tunnels in load-sharing mode.
In this embodiment, when the egress router detects that both IPsec tunnels are in the normal working state, i.e. both firewalls are working normally, it transmits data to the peer device over both tunnels in load-sharing mode (this covers both sending and receiving), so that IPsec VPN traffic is carried on both IPsec tunnels. Optionally the load sharing is per-flow, per-packet or bandwidth-based. A practical caveat: per-packet sharing spreads the packets of one flow across both firewalls, so each stateful firewall sees only part of that flow and relies on the session backup that the hot-standby configuration provides (the hrp mirror session enable command in the firewall embodiment below); per-flow sharing keeps every packet of a flow on one firewall and has no such dependency.
Note that when data is sent from the intranet devices through the intranet router towards the peer, the intranet router can perform the same process that the egress router performs in this invention.
In the data transmission method of this embodiment, the egress router of the dual-firewall system obtains the link state of the IPsec tunnel corresponding to each of the two firewalls; if both tunnels are in the normal working state, the egress router transmits data to the peer device over both IPsec tunnels in load-sharing mode. Because the two firewalls share the load in active/active mode, both process IPsec VPN traffic: throughput rises, no device sits idle, and reliability and stability stay high. The peer device does not need two firewalls of its own, which avoids extra cost and wasted address resources.
Fig. 3 is the flow chart of the data transmission method provided by another embodiment of the invention. Building on the embodiment above, after the egress router obtains the link state of the IPsec tunnel corresponding to each of the two firewalls in S101, the method also comprises:
S201: if the link state of one of the IPsec tunnels is abnormal, the egress router transmits all data to the peer device over the other IPsec tunnel.
In this embodiment, when the egress router detects that either of the two IPsec tunnels is in an abnormal state, the corresponding firewall is taken to have failed, and the other firewall takes over its work: all data exchanged with the peer device is carried over the IPsec tunnel that is still working normally. This raises the reliability and stability of the dual-firewall system.
When the egress router then detects that the failed link has recovered, it returns to active/active load sharing.
Further, the method of the above embodiment may also comprise:
the egress router identifying the type of the data;
if the data is of a predetermined type, the egress router transmitting it to the peer device over the IPsec tunnel associated with that predetermined type.
In this embodiment a particular class of service traffic can be assigned to a particular IPsec tunnel: the data types are defined in advance, the egress router identifies the type of the data to be transmitted, and if it is a predetermined type the matching IPsec tunnel is selected. Naturally, if that IPsec tunnel's link state is abnormal, the other IPsec tunnel is used for the transmission instead.
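The selection rules of S101, S102 and S201 together with the predetermined-type rule, as an added example written for this page (it is not code from the patent). The probe callbacks, the tunnel names, the traffic-type labels, the constructed flows and the SHA-256 hash of the 5-tuple are assumptions made for the example; it goes slightly beyond the text by also showing the return to load sharing after recovery. Per-flow hashing is used for S102 because it keeps every packet of a flow on one stateful firewall.

```python
"""Egress-router tunnel selection modelled on steps S101, S102 and S201.

Added illustration for this page, not the patent's code.  Probe callbacks,
tunnel names, traffic-type labels and the SHA-256 flow hash are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A flow is identified by its 5-tuple: src_ip, dst_ip, src_port, dst_port, proto.
Flow = Tuple[str, str, int, int, int]


@dataclass
class Tunnel:
    """One IPsec tunnel, terminated on one of the two firewalls."""
    name: str
    probe: Callable[[], bool]   # assumed link check toward that firewall
    up: bool = True


@dataclass
class EgressRouter:
    tunnels: List[Tunnel]
    # predetermined traffic type -> tunnel it is pinned to (assumed labels)
    pinned: Dict[str, str] = field(default_factory=dict)

    def refresh_link_state(self) -> Dict[str, bool]:
        """S101: poll every tunnel; a failed probe marks it abnormal and a
        later successful probe marks it up again (recovery)."""
        for t in self.tunnels:
            t.up = t.probe()
        return {t.name: t.up for t in self.tunnels}

    def select(self, flow: Flow, traffic_type: Optional[str] = None) -> Optional[str]:
        """Return the tunnel a flow should use, or None when both are down."""
        live = [t for t in self.tunnels if t.up]
        if not live:
            return None
        # Predetermined type: use its tunnel while that tunnel is up; if that
        # tunnel is down, fall through to the ordinary rules below.
        want = self.pinned.get(traffic_type) if traffic_type is not None else None
        if want is not None:
            for t in live:
                if t.name == want:
                    return t.name
        # S201: one tunnel abnormal, so every flow goes over the survivor.
        if len(live) == 1:
            return live[0].name
        # S102: per-flow load sharing.  Hashing the 5-tuple keeps all packets
        # of one flow on one firewall, so each stateful firewall sees whole flows.
        digest = hashlib.sha256(repr(flow).encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)].name


def demo() -> Dict[str, Optional[str]]:
    """Run the situations the page describes on constructed flows and states."""
    state = {"fw1": True, "fw2": True}             # constructed link states
    router = EgressRouter(
        tunnels=[Tunnel("fw1", lambda: state["fw1"]),
                 Tunnel("fw2", lambda: state["fw2"])],
        pinned={"voip": "fw1"},                     # assumed predetermined type
    )
    web = ("10.1.1.5", "10.1.2.7", 50000, 443, 6)   # constructed flows
    voip = ("10.1.1.9", "10.1.2.3", 16384, 5060, 17)
    out: Dict[str, Optional[str]] = {}
    router.refresh_link_state()
    out["both_up_web"] = router.select(web)
    out["both_up_voip"] = router.select(voip, "voip")
    state["fw1"] = False                            # firewall 1 fails
    router.refresh_link_state()
    out["fw1_down_web"] = router.select(web)
    out["fw1_down_voip"] = router.select(voip, "voip")
    state["fw1"] = True                             # link recovers
    router.refresh_link_state()
    out["recovered_voip"] = router.select(voip, "voip")
    return out


if __name__ == "__main__":
    for name, tunnel in demo().items():
        print(f"{name}: {tunnel}")
```

Running the script prints which tunnel each constructed flow is sent over in each state: with both tunnels up the pinned voip flow stays on fw1 and ordinary flows are spread by hash; with fw1 down everything, including the pinned flow, moves to fw2; after recovery the pinned flow returns to fw1.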
Further, before the two firewalls transmit data to the peer device over their respective IPsec tunnels, the method also comprises:
the egress router configuring its IP address as the egress gateway address of both IPsec tunnels.
In this embodiment the two firewalls use that IP address for the various kinds of NAT (Network Address Translation) applied to outbound access, combining IPsec with NAT in active/active mode. A practical consequence is that the peer sees both tunnels as coming from one address: the IKE and ESP traffic of both firewalls is translated behind the egress router, so IPsec NAT traversal (UDP encapsulation of ESP) is normally required to keep the two firewalls' tunnels distinguishable, and the peer must accept two IKE peerings from that one address.
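The shared egress gateway address, as an added example that is not the patent's code: a port-translating NAT model in which the IKE and NAT-T traffic of both firewalls is presented to the peer from the egress router's address, and in which plain ESP (which has no port field) can be passed through for one firewall but not for a second one towards the same peer. The addresses, the translated-port range, and the placement of the translation on the egress router are assumptions made for the example; the UDP 500/4500 behaviour follows IPsec NAT traversal (RFC 3947 and RFC 3948).

```python
"""Port-translating NAT in front of the two IPsec-terminating firewalls.

Added illustration for this page, not the patent's code.  Addresses, the
port range and the placement of the NAT on the egress router are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

UDP, ESP = 17, 50
IKE, NAT_T = 500, 4500
InsideKey = Tuple[int, str, int, str, int]   # proto, in_ip, in_port, peer_ip, peer_port
OutsideKey = Tuple[int, int, str, int]       # proto, public_port, peer_ip, peer_port


@dataclass
class EgressNapt:
    public_ip: str                  # the egress gateway address both tunnels share
    next_port: int = 40000          # assumed start of the translated-port range
    out: Dict[InsideKey, int] = field(default_factory=dict)
    back: Dict[OutsideKey, InsideKey] = field(default_factory=dict)
    esp_owner: Dict[str, str] = field(default_factory=dict)   # peer_ip -> inside ip

    def outbound(self, proto: int, src: str, sport: int,
                 dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Translate a firewall's packet toward the peer; returns what the peer
        sees as source (public_ip, port), or None if it cannot be translated."""
        if proto == ESP:
            # Plain ESP has no port.  One inside host can be passed through to
            # a peer, but a second host toward the same peer could not be told
            # apart on the way back, so it is refused: that host needs NAT-T.
            owner = self.esp_owner.setdefault(dst, src)
            return (self.public_ip, 0) if owner == src else None
        key: InsideKey = (proto, src, sport, dst, dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(proto, port, dst, dport)] = key
        return self.public_ip, self.out[key]

    def inbound(self, proto: int, src: str, sport: int,
                dport: int) -> Optional[Tuple[str, int]]:
        """Map the peer's packet to the firewall that owns the mapping; packets
        with no mapping (unsolicited traffic) are dropped."""
        if proto == ESP:
            owner = self.esp_owner.get(src)
            return None if owner is None else (owner, 0)
        key = self.back.get((proto, dport, src, sport))
        return None if key is None else (key[1], key[2])


def demo_nat() -> Dict[str, object]:
    """Both firewalls negotiate IKE with one peer through the shared address."""
    peer = "203.0.113.9"                                  # constructed peer
    nat = EgressNapt(public_ip="198.51.100.1")            # constructed address
    fw1_ike = nat.outbound(UDP, "10.0.0.1", IKE, peer, IKE)
    fw2_ike = nat.outbound(UDP, "10.0.0.2", IKE, peer, IKE)
    # NAT detected: both firewalls move to UDP 4500 (NAT-T); mappings stay distinct
    fw1_natt = nat.outbound(UDP, "10.0.0.1", NAT_T, peer, NAT_T)
    fw2_natt = nat.outbound(UDP, "10.0.0.2", NAT_T, peer, NAT_T)
    reply_to_fw2 = nat.inbound(UDP, peer, NAT_T, fw2_natt[1])
    # Plain ESP: the first firewall is passed through, the second is refused
    fw1_raw_esp = nat.outbound(ESP, "10.0.0.1", 0, peer, 0)
    fw2_raw_esp = nat.outbound(ESP, "10.0.0.2", 0, peer, 0)
    unsolicited = nat.inbound(UDP, peer, NAT_T, 40999)
    return {"fw1_ike": fw1_ike, "fw2_ike": fw2_ike, "fw1_natt": fw1_natt,
            "fw2_natt": fw2_natt, "reply_to_fw2": reply_to_fw2,
            "fw1_raw_esp": fw1_raw_esp, "fw2_raw_esp": fw2_raw_esp,
            "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in demo_nat().items():
        print(f"{name}: {value}")
```

The point the model makes is why the peer can be given a single gateway address: the translated UDP ports of IKE and NAT-T are what keep the two firewalls' tunnels apart on the return path, which is exactly what unencapsulated ESP lacks.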
The data transmission method of this embodiment has the same benefits as the method embodiment above: the egress router of the dual-firewall system obtains the link state of each firewall's IPsec tunnel and, while both are normal, shares the load over both tunnels, so both firewalls process IPsec VPN traffic, throughput rises, no device sits idle, reliability and stability stay high, and the peer device needs neither two firewalls nor extra addresses.
Fig. 4 is the block diagram of the egress router provided by an embodiment of the invention. This embodiment provides an egress router that can execute the process of the data transmission method embodiments. As shown in Fig. 4, the egress router is applied to a dual-firewall system comprising two firewalls in hot standby with each other, an egress router and an intranet router; both firewalls are configured in the Active state, each establishes an IPsec tunnel with the peer device through the egress router, and each connects to the intranet devices through the intranet router. The egress router comprises a monitoring module 121 and a processing module 122.
The monitoring module 121 obtains the link state of the IPsec tunnel corresponding to each of the two firewalls.
The processing module 122, if both IPsec tunnels are in the normal working state, transmits data to the peer device over both IPsec tunnels in load-sharing mode.
Further, the processing module 122 is also configured to:
transmit all data to the peer device over the other IPsec tunnel if the link state of one of the IPsec tunnels is abnormal.
Further, the processing module 122 is also configured to:
identify the type of the data and, if the data is of a predetermined type, transmit it to the peer device over the IPsec tunnel associated with that predetermined type.
Further, the processing module 122 is also configured to:
configure the egress router's IP address as the egress gateway address of both IPsec tunnels.
The egress router provided by this embodiment can specifically execute the method embodiments of Figs. 2 and 3 above; its specific functions are not described again here.
The egress router of this embodiment obtains the link state of each firewall's IPsec tunnel and, while both are normal, shares the load over both tunnels; by configuring the dual-firewall system for active/active load sharing it lets both firewalls process IPsec VPN traffic, raising throughput, leaving no device idle and keeping reliability and stability high, while the peer device needs neither two firewalls nor extra addresses.
Another embodiment of the invention provides a firewall for a dual-firewall system. The dual-firewall system comprises two firewalls in hot standby with each other, an egress router and an intranet router;
the firewall is configured in the Active state;
the firewall synchronises its configuration with the other firewall over a heartbeat link;
the firewall establishes an IPsec tunnel with the peer device through the egress router, and each of the two firewalls connects to the intranet devices through the intranet router.
In this embodiment the two firewalls can be configured as follows:
1) configure the uplink and downlink service interfaces (assign the interface IP addresses and add each interface to its security zone);
2) configure the inter-zone security policies of the firewall (a forwarding policy between the Trust and Untrust zones, so that packets before encapsulation and after decapsulation can pass through the firewall; a policy between the Local and Untrust zones, so that IKE negotiation packets can pass through the firewall normally);
3) configure the firewall's routes to the client VPN networks;
4) configure and run the OSPF dynamic routing protocol on the firewall;
5) configure an access control list defining the data flows to be protected;
6) configure an IPsec proposal named tran1;
7) configure an IKE proposal with sequence number 10;
8) configure the IKE peer;
9) configure an IPsec policy template named map_temp with sequence number 1;
10) reference the policy template map_temp in the IPsec policy map1;
11) apply the policy map1 to the uplink service interface;
12) enable the dual-device (HRP) configuration of the firewall.
Specifically, taking one of the firewalls as an example, step 1) configures the uplink and downlink service interfaces with the commands below: the uplink service interface of firewall USG6600-1 (GigabitEthernet1/0/1), i.e. the interface connected to the egress router, is tracked by both the active group and the standby group, which is what places the firewall in the Active state:
[USG6600-1-GigabitEthernet1/0/1]hrp track active
[USG6600-1-GigabitEthernet1/0/1]hrp track standby
Further, step 3) configures static routes from the firewall to the client VPN networks rather than relying on dynamic learning; the commands are as follows:
[USG6600-1]ip route-static 10.1.2.0 255.255.255.0 132.168.7.2
[USG6600-1]ip route-static 10.1.3.0 255.255.255.0 60.29.112.122
Further, step 12) enables the dual-device configuration of the firewall, which provides load sharing between the two firewalls, fast session backup, automatic real-time backup of configuration commands and periodic backup of state information. In the commands below, hrp interface designates GigabitEthernet 1/0/2 as the heartbeat interface over which the two firewalls synchronise, hrp enable turns HRP on (the prompt changes to HRP_A once it takes effect), hrp loadbalance-device selects the load-sharing mode, hrp mirror session enable backs up sessions to the other firewall in real time, and hrp auto-sync config synchronises configuration commands automatically:
[USG6600-1]hrp interface GigabitEthernet 1/0/2
[USG6600-1]hrp enable
HRP_A[USG6600-1]hrp loadbalance-device
HRP_A[USG6600-1]hrp mirror session enable
HRP_A[USG6600-1]hrp auto-sync config
With the firewall of this embodiment, the egress router of the dual-firewall system obtains the link state of each firewall's IPsec tunnel and, while both are normal, shares the load over both tunnels; configuring the system for active/active load sharing lets both firewalls process IPsec VPN traffic, raising throughput, leaving no device idle and keeping reliability and stability high, while the peer device needs neither two firewalls nor extra addresses.
Another embodiment of the invention provides a dual-firewall system, shown in Fig. 1, comprising the egress router of the embodiment above, two firewalls as in the embodiment above, and an intranet router;
both firewalls are configured in the Active state, each firewall establishes an IPsec tunnel with the peer device through the egress router, and each firewall connects to the intranet devices through the intranet router.
In the dual-firewall system provided by the invention, the egress router obtains the link state of each firewall's IPsec tunnel and, while both are normal, shares the load over both tunnels; configuring the system for active/active load sharing lets both firewalls process IPsec VPN traffic, raising throughput, leaving no device idle and keeping reliability and stability high, while the peer device needs neither two firewalls nor extra addresses.
In the several embodiments provided by the invention it should be understood that the disclosed devices and methods can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and in actual implementation another division is possible: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Likewise, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware, or in hardware together with software functional units.
An integrated unit implemented as a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute some of the steps of the methods of the embodiments of the invention. The storage medium includes a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk and other media that can store program code.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the division into the functional modules above is only an example; in practice the functions may be assigned to different functional modules as needed, i.e. the internal structure of the device may be divided into different functional modules to complete all or some of the functions described above. For the specific working process of the device described above, reference may be made to the corresponding process in the method embodiments, which is not repeated here.
Finally, it should be noted that the embodiments above are only used to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, a person skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention.
Claims (10)
1. A data transmission method applied to a dual-firewall system, the dual-firewall system comprising two firewalls in mutual hot standby, an egress router and an intranet router, wherein both firewalls are configured in the Active state, each firewall establishes an IPSEC virtual channel with a peer device through the egress router, and each firewall is connected to intranet devices through the intranet router, the method comprising:
the egress router obtaining the link state of the IPSEC virtual channel corresponding to each of the two firewalls; and
if the link state of both IPSEC virtual channels is the normal operating state, the egress router transmitting data to the peer device through both IPSEC virtual channels in load-sharing mode.
2. The method according to claim 1, further comprising:
if the link state of one of the IPSEC virtual channels is the abnormal operating state, the egress router transmitting all data to the peer device through the other IPSEC virtual channel.
3. The method according to claim 1, further comprising:
the egress router identifying the type of the data; and
if the type of the data is a predetermined data type, the egress router transmitting the data to the peer device through the IPSEC virtual channel corresponding to that predetermined data type.
4. The method according to any one of claims 1-3, wherein before the two firewalls transmit data to the peer device through their respective IPSEC virtual channels, the method further comprises:
the egress router configuring an IP address as the egress gateway address of both IPSEC virtual channels.
5. An egress router applied to a dual-firewall system, the dual-firewall system comprising two firewalls in mutual hot standby, the egress router and an intranet router, wherein both firewalls are configured in the Active state, each firewall establishes an IPSEC virtual channel with a peer device through the egress router, and each firewall is connected to intranet devices through the intranet router, the egress router comprising:
a monitoring module for obtaining the link state of the IPSEC virtual channel corresponding to each of the two firewalls; and
a processing module for transmitting data to the peer device through both IPSEC virtual channels in load-sharing mode if the link state of both IPSEC virtual channels is the normal operating state.
6. The egress router according to claim 5, wherein the processing module is further configured to:
if the link state of one of the IPSEC virtual channels is the abnormal operating state, transmit all data to the peer device through the other IPSEC virtual channel.
7. The egress router according to claim 5, wherein the processing module is further configured to:
identify the type of the data, and if the type of the data is a predetermined data type, transmit the data to the peer device through the IPSEC virtual channel corresponding to that predetermined data type.
8. The egress router according to any one of claims 5-7, wherein the processing module is further configured to:
configure an IP address as the egress gateway address of both IPSEC virtual channels.
9. A firewall for use in a dual-firewall system, the dual-firewall system comprising two firewalls in mutual hot standby, an egress router and an intranet router, wherein:
the firewall is configured in the Active state;
the firewall synchronizes its configuration with the other firewall via heartbeat; and
the firewall establishes an IPSEC virtual channel with a peer device through the egress router, and each of the two firewalls is connected to intranet devices through the intranet router.
10. A dual-firewall system, comprising: the egress router according to any one of claims 5-8, two firewalls according to claim 9, and an intranet router;
wherein both firewalls are configured in the Active state, each firewall establishes an IPSEC virtual channel with a peer device through the egress router, and each firewall is connected to intranet devices through the intranet router.
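The selection logic that claims 1-3 (and the monitoring/processing modules of claims 5-7) describe, written out as an added example. This is not the patent's code and not any vendor's implementation; the class and function names (`EgressRouter`, `Tunnel`, `select_tunnel`, `distribute`), the per-flow 5-tuple hashing used for "load sharing", and the way the router learns a channel's link state are all assumptions, since the claims specify only the decision rules, not how flows are split or how link state is obtained. The sample traffic is constructed.

```python
"""Tunnel selection on the egress router of a dual-active, dual-firewall
IPsec deployment, modelled on claims 1-3 / 5-7 of CN109743316.

Added example, not the patent's own code. Names, the per-flow hashing
policy and the link-state source are assumptions: the claims only say
"load sharing" and do not say how the router learns a channel's state.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class LinkState(Enum):
    NORMAL = "normal"      # channel operating normally (claim 1)
    ABNORMAL = "abnormal"  # channel down or SA lost (claim 2)


@dataclass(frozen=True)
class Packet:
    """5-tuple plus a classification label (claim 3's 'predetermined data type')."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    data_type: str = "default"


@dataclass
class Tunnel:
    """One IPSEC virtual channel, terminated on one of the two firewalls."""
    name: str
    state: LinkState = LinkState.NORMAL


@dataclass
class EgressRouter:
    tunnels: List[Tunnel]
    # data_type -> tunnel name; traffic of that type is pinned to that channel (claim 3)
    type_affinity: Dict[str, str] = field(default_factory=dict)

    def set_link_state(self, name: str, state: LinkState) -> None:
        """Monitoring hook (claim 5's monitoring module). How the state is
        learned, e.g. IKE dead-peer detection, is outside the claims (assumption)."""
        for t in self.tunnels:
            if t.name == name:
                t.state = state
                return
        raise KeyError(name)

    def select_tunnel(self, pkt: Packet) -> Optional[Tunnel]:
        up = [t for t in self.tunnels if t.state is LinkState.NORMAL]
        if not up:
            return None  # both channels abnormal: nothing usable, caller drops
        if len(up) == 1:
            return up[0]  # claim 2: carry all traffic on the remaining channel
        pinned = self.type_affinity.get(pkt.data_type)
        for t in up:
            if t.name == pinned:
                return t  # claim 3: predetermined type -> its designated channel
        # claim 1: both normal -> load sharing. Hash the 5-tuple so every packet
        # of a flow takes the same channel (keeps the flow in order and on one
        # security association). Per-flow hashing is an assumed policy.
        key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}".encode()
        digest = hashlib.sha256(key).digest()
        return up[int.from_bytes(digest[:4], "big") % len(up)]


def distribute(router: EgressRouter, packets: List[Packet]) -> Dict[str, int]:
    """Count how many packets each channel would carry; 'dropped' if none is usable."""
    counts: Dict[str, int] = {t.name: 0 for t in router.tunnels}
    counts["dropped"] = 0
    for p in packets:
        t = router.select_tunnel(p)
        counts[t.name if t else "dropped"] += 1
    return counts


def sample_flows(n: int = 64) -> List[Packet]:
    """Constructed sample traffic: n TCP flows from one intranet host to the peer site."""
    return [Packet("10.1.0.5", "192.0.2.10", 6, 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    r = EgressRouter([Tunnel("fw1"), Tunnel("fw2")], type_affinity={"voice": "fw2"})
    print("both normal :", distribute(r, sample_flows()))
    r.set_link_state("fw1", LinkState.ABNORMAL)
    print("fw1 abnormal:", distribute(r, sample_flows()))
```

Two design points worth noting. The single-channel check runs before the data-type affinity check, so a type pinned to a channel that has gone abnormal falls back to the surviving channel rather than being dropped, which is what claim 2's "all data" requires. And the load-sharing rule hashes the whole 5-tuple instead of alternating packets, so each flow stays on one firewall's IPsec security association; the claims do not mandate this, but per-packet spraying across two SAs reorders TCP flows and complicates the peer's view of each SA.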
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811643288.9A CN109743316B (en) | 2018-12-29 | 2018-12-29 | Data transmission method, exit router, firewall and double firewall systems |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811643288.9A CN109743316B (en) | 2018-12-29 | 2018-12-29 | Data transmission method, exit router, firewall and double firewall systems |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109743316A (en) | 2019-05-10 |
CN109743316B (en) | 2021-06-29 |
Family
ID=66362627
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811643288.9A (Active) | 2018-12-29 | 2018-12-29 | CN109743316B (en) Data transmission method, exit router, firewall and double firewall systems |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109743316B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7480737B2 (en) * | 2002-10-25 | 2009-01-20 | International Business Machines Corporation | Technique for addressing a cluster of network servers |
CN1725702A (en) * | 2004-07-20 | 2006-01-25 | 联想网御科技(北京)有限公司 | Network safety equipment and assemblied system and method for implementing high availability |
CN102006310A (en) * | 2010-12-24 | 2011-04-06 | 山石网科通信技术(北京)有限公司 | Data stream processing method and firewall |
CN103501299A (en) * | 2013-09-24 | 2014-01-08 | 曙光信息产业(北京)有限公司 | Firewall cluster management method and system |
CN105450550A (en) * | 2015-11-10 | 2016-03-30 | 北京奇虎科技有限公司 | Channel priority adjustment method and device for router |
Non-Patent Citations (1)
Title |
---|
Wu Shuomei, Song Jianwei: "Research on Computer Network Security Technology" (计算机网络安全技术研究), 31 March 2017 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022001581A1 (en) * | 2020-06-30 | 2022-01-06 | 华为技术有限公司 | Network, and data transmission method and apparatus |
CN112702439A (en) * | 2020-12-31 | 2021-04-23 | 北京天融信网络安全技术有限公司 | Method for synchronizing status of gatekeeper and isolated gatekeeper |
CN112702439B (en) * | 2020-12-31 | 2022-11-15 | 北京天融信网络安全技术有限公司 | Method for synchronizing status of gatekeeper and isolated gatekeeper |
CN113645117A (en) * | 2021-07-08 | 2021-11-12 | 郑州信大捷安信息技术股份有限公司 | IPSec protocol-based multi-channel intelligent routing method and system |
Also Published As
Publication number | Publication date |
---|---|
CN109743316B (en) | 2021-06-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3509256B1 (en) | Determining routing decisions in a software-defined wide area network | |
US10091102B2 (en) | Tunnel sub-interface using IP header field | |
EP2579634B1 (en) | Methods and apparatus for a self-organized layer-2 enterprise network architecture | |
CN104506513B (en) | Firewall flow table backup method, firewall and firewall system | |
CN109743197B (en) | Firewall deployment system and method based on priority configuration | |
US10523657B2 (en) | Endpoint privacy preservation with cloud conferencing | |
CN109743316A (en) | Data transmission method, egress router, firewall and dual stage firewall system | |
CN104125088A (en) | Method and system for exchanging information between systems in the same DRNI terminal | |
CN109450905B (en) | Method, device and system for transmitting data | |
WO2021227863A1 (en) | Disaster recovery method and apparatus for hybrid cloud private line access network | |
CN103731303B (en) | Method and apparatus for multi-active entity detection on a longitudinal fusion architecture interface | |
CN112751767B (en) | Routing information transmission method and device and data center internet | |
CN110417665B (en) | EVPN networking system and method for multiple Fabric scenes of data center | |
CN112769614B (en) | Automatic management method of VPN (virtual private network) on demand and intercommunication system of heterogeneous network | |
CN110661858A (en) | Websocket-based intranet penetration method and system | |
CN108833272A (en) | Route management method and device | |
CN108353027A (en) | Software-defined network system for detecting port failure | |
George et al. | A Brief Overview of VXLAN EVPN | |
CN115865601A (en) | SDN network communication system of cross-cloud data center | |
US10015074B1 (en) | Abstract stack ports to enable platform-independent stacking | |
JP5345651B2 (en) | Secure tunneling platform system and method | |
CN115134141A (en) | Micro-service container cluster cross-network communication system and communication method thereof | |
CN108322379A (en) | Virtual private network (VPN) system and implementation method | |
CN112671811A (en) | Network access method and equipment | |
JP2011151557A (en) | Communication system and control method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |