CN111464552B - Firewall automatic test system based on packet filtering rule - Google Patents

Firewall automatic test system based on packet filtering rule

Info

Publication number: CN111464552B
Authority: CN (China)
Prior art keywords: test, rule, firewall, packet filtering, case
Legal status: Active
Application number: CN202010282261.2A
Other languages: Chinese (zh)
Other versions: CN111464552A (en)
Inventors: 王小东, 高珊君
Current assignee: Beijing Tiandihexing Technology Co Ltd
Original assignee: Beijing Tiandihexing Technology Co Ltd
Events: application filed by Beijing Tiandihexing Technology Co Ltd; priority to CN202010282261.2A; publication of CN111464552A; application granted; publication of CN111464552B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies > H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0227 Filtering policies > H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a firewall automatic test system based on packet filtering rules. Each field of a packet filtering rule is compiled into a test case, and the test case is then scripted into a test script. All test cases are executed in sequence: each test case creates a rule on the management page, issues the rule to the industrial equipment and verifies that the issue succeeded; the successfully issued rule is then matched against a message generated by calling a simulation tool, and the test case automatically backfills the test result to generate a test report. The embodiment of the invention thereby provides a firewall automatic test system based on packet filtering rules that aims to solve the low test efficiency, high error rate and prolonged test time caused by manual testing of packet filtering rules in the prior art.

Description

Firewall automatic test system based on packet filtering rule
Technical Field
The embodiment of the invention relates to the technical field of firewalls, in particular to a firewall automatic test system based on packet filtering rules.
Background
With the development of information technology, industrial control systems are gradually becoming networked. Many industrial control protocols now run over industrial Ethernet, and the policy, regulatory and technical requirements placed on the industrial control industry are becoming ever more demanding.
An industrial control firewall provides boundary protection at the perimeter of the industrial control system and between its different control zones, so the accuracy and stability of its packet filtering rules are particularly important. However, because the proprietary protocols of the industrial control industry and the network environments are complex and changeable, manual testing consumes a great deal of manpower; automatically testing the accuracy and stability of packet filtering rules therefore has high application value.
Existing packet filtering rule testing is mainly manual: a tester clicks through a client tool to simulate and send different types of messages through devices such as a firewall, checks whether the observed behaviour conforms to the firewall's policy configuration, and thereby verifies whether the firewall or other industrial control security device provides accurate boundary protection. Manual testing is inefficient and error-prone, and when the number of packet filtering rules is large the test time is seriously prolonged and may even affect product release.
Disclosure of Invention
Therefore, the embodiment of the invention provides an automatic firewall testing system based on packet filtering rules, which aims to solve the low test efficiency, high error rate and prolonged test time caused by manual testing of packet filtering rules in the prior art.
To achieve the above object, the embodiments of the present invention provide the following technical solution:
The firewall automatic testing system based on packet filtering rules comprises the following steps:
S101, first switching the working mode of the firewall of the industrial control system into a protection mode;
S102, compiling each field of the packet filtering rule into a test case, and then scripting the test case to form a test script;
S103, executing all test cases in sequence, each test case creating rules on the page and issuing the rules to the industrial equipment;
S104, automatically checking through the test script whether the rule was issued successfully; if the issue failed, printing an error result and storing a corresponding log; if the rule was issued successfully, further checking whether the issued rule is consistent with the test case;
S105, after the rule is issued successfully, calling a simulation tool so that the industrial control system generates message data matching the test case;
S106, checking through the test script whether the rule matches the message data; if the matching fails, printing an error result and storing it in a corresponding log; if the matching succeeds, continuing with the next test case;
and S107, the test case automatically backfilling the test result and generating a test report.
Further, in step S101, the working modes of the firewall include an all-pass mode, an authentication mode and a protection mode.
Further, in step S103, the rules include a foreground rule and a background rule.
Further, in step S102, the test case includes a function case, a performance case and/or a stability case.
Further, in step S105, the modscan debugging tool is selected as the simulation tool.
The embodiment of the invention has the following advantages:
The invention discloses a firewall automatic test system based on packet filtering rules in which an automatic test script sends every type of message derived from the combinations of the packet filtering rule's fields, which saves the time consumed by manual clicking and avoids errors. The invention creates the firewall rules automatically, checks the matching result automatically and outputs the test report with one click; the report is clear at a glance, and people who are not familiar with the protocol can complete the test.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings in the following description are merely exemplary, and those of ordinary skill in the art can derive other embodiments from them without inventive effort.
The structures, ratios, sizes and the like shown in this specification are provided only to match the content disclosed in the specification so that those skilled in the art can understand and read the present invention; they do not limit the conditions under which the invention is implemented and therefore carry no technical significance of their own. Any structural modification, change in proportion or adjustment of size that does not affect the functions and purposes of the present invention still falls within the scope of the present invention.
Fig. 1 is a flowchart of an automated firewall testing system based on packet filtering rules according to an embodiment of the present invention.
Detailed Description
The present invention is described by way of particular embodiments; other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure. The described embodiments are merely exemplary and are not intended to limit the invention to the particular embodiments disclosed. All other embodiments that a person skilled in the art can obtain from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As shown in Fig. 1, the present invention discloses an automatic firewall testing system based on packet filtering rules, which comprises the following steps: first, the working mode of the firewall of the industrial control system is switched into protection mode; each field of the packet filtering rule is compiled into a test case, and the test case is scripted into a test script; all test cases are executed in sequence, each test case creating rules on the page and issuing them to the industrial equipment; the test script automatically checks whether the rule was issued successfully, printing an error result and storing a corresponding log if the issue failed, and otherwise checking further whether the issued rule is consistent with the test case; once the rule is issued successfully, a simulation tool is called and the industrial control system generates message data matching the test case; the test script checks whether the rule matches the message data, printing an error result and storing it in a corresponding log if the matching fails, and otherwise continuing with the next test case; finally, the test case automatically backfills the test result and generates a test report. Because the automatic test script sends every type of message derived from the combinations of the packet filtering rule's fields, the time consumed by manual clicking is saved and errors are avoided. The firewall rules are created automatically, the matching result is checked automatically, and the test report is output with one click and is clear at a glance, so that people who are not familiar with the protocol can complete the test.
The working modes of the firewall comprise an all-pass mode, an authentication mode and a protection mode. The rules include foreground rules and background rules. The test cases include function cases, performance cases and/or stability cases. The simulation tool is the modscan debugging tool.
Embodiment one:
Switch the working mode of the firewall of the industrial control system into protection mode. In the packet filtering rule, set the source IP and destination IP to the actual IPs at the two ends of the simulation tool, leave the source port unfilled, select modbus as the service, set the action to allow, and select no time object. Create the rule on the page and issue it; after the rule is issued successfully, query in the background with a command whether the rule fields are correct. Then construct a Modbus message with the simulation tool and send it through the industrial equipment, and check from the page or the background that the rule's match count has increased: if the Modbus message passes normally, the test case passes; otherwise the test case fails.
Embodiment two:
Switch the working mode of the firewall of the industrial control system into protection mode. In the packet filtering rule, set the source IP and destination IP to the actual IPs at the two ends of the simulation tool, leave the source port unfilled, select modbus as the service, set the action to discard, and select no time object. Create the rule on the page and issue it; after the rule is issued successfully, query in the background with a command whether the rule fields are correct. Then construct a Modbus message with the simulation tool and check from the page or the background that the rule's match count has increased: if the Modbus message passes normally, the test case passes; otherwise the test case fails.
Although the invention has been described in detail with respect to the general description and the specific embodiments, it will be apparent to those skilled in the art that modifications and improvements may be made based on the invention. Accordingly, it is intended that all such modifications and alterations be included within the scope of this invention as defined in the appended claims.

Claims (1)

1. A firewall automatic testing method based on a packet filtering rule, characterized by comprising the following steps:
S101, first switching the working mode of the firewall of the industrial control system into a protection mode;
in step S101, the working modes of the firewall include an all-pass mode, an authentication mode and a protection mode;
S102, compiling each field of the packet filtering rule into a test case, and then scripting the test case to form a test script;
in step S102, the test case includes a function case, a performance case and/or a stability case;
S103, executing all test cases in sequence, each test case creating rules on the page and issuing the rules to the industrial equipment;
in step S103, the rules include a foreground rule and a background rule;
S104, automatically checking through the test script whether the rule was issued successfully; if the issue failed, printing an error result and storing a corresponding log; if the rule was issued successfully, further checking whether the issued rule is consistent with the test case;
S105, after the rule is issued successfully, calling a simulation tool so that the industrial control system generates message data matching the test case;
in step S105, a modscan debugging tool is selected as the simulation tool;
S106, checking through the test script whether the rule matches the message data; if the matching fails, printing an error result and storing it in a corresponding log; if the matching succeeds, continuing with the next test case;
and S107, the test case automatically backfilling the test result and generating a test report.
Priority application: CN202010282261.2A, priority date 2020-04-11, filing date 2020-04-11, "Firewall automatic test system based on packet filtering rule", status Active, granted as CN111464552B (en)

Publications (2)

Publication number / Publication date
CN111464552A (en) 2020-07-28
CN111464552B (en) 2022-11-15

Family ID: 71681050

Country status (1)

CN (1) CN111464552B (en)


Legal Events

Code / Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant