CN114338282B - Security gateway and data processing method thereof - Google Patents


Info

Publication number
CN114338282B (application CN202111365415.5A; pre-grant publication CN114338282A)
Authority
CN
China
Prior art keywords
data
processing
traffic data
security
carrying
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111365415.5A
Other languages
Chinese (zh)
Other versions
CN114338282A (en)
Inventor
汝聪翀
姚正斌
沈寓实
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fenomen Array Beijing Technology Co ltd
Original Assignee
Fenomen Array Beijing Technology Co ltd
Events
Application CN202111365415.5A filed by Fenomen Array Beijing Technology Co ltd
Publication of CN114338282A
Application granted; publication of CN114338282B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

Embodiments of the disclosure provide a security gateway and a data processing method for it, in the technical field of signal processing. The method comprises: receiving network traffic data sent by a front-end port; dividing the network traffic data into a plurality of partial network traffic data by modulo processing; performing security analysis processing on each partial network traffic data separately, aggregating the partial secure traffic data after the security analysis processing, and sending the aggregated secure traffic data to a back-end port. With this scheme, the overall data processing capability of the security gateway is improved.

Description

Security gateway and data processing method thereof
Technical Field
The disclosure relates to the technical field of signal processing, and in particular relates to a security gateway and a data processing method thereof.
Background
A security gateway is a hardware system that grew out of integrating the traditional router and the firewall. Besides the traditional router's network distribution function and basic network firewall functions, it adds a data analysis and configuration interface, so that a user can conveniently configure a uniform security protection policy for back-end application services, analyse real-time data, and block attacks and unsafe access.
In the related art, a security gateway is built from a network card combined with a processor running software to implement security protection. Once security policies are configured on the gateway, its throughput, and hence the volume of data to be processed, increases greatly, and the network-card-plus-processor scheme cannot keep up with the growing data requirement.
Disclosure of Invention
In view of the above, embodiments of the present disclosure provide a security gateway and a data processing method thereof, which at least partially solve the problems in the related art.
In a first aspect, an embodiment of the present disclosure provides a data processing method, where the method includes:
receiving network traffic data sent by a front-end port;
dividing the network traffic data into a plurality of partial network traffic data by modulo processing;
and performing security analysis processing on each partial network traffic data separately, aggregating the partial secure traffic data after the security analysis processing, and sending the aggregated secure traffic data to a back-end port.
According to a specific implementation of the embodiment of the present disclosure, dividing the network traffic data into a plurality of partial network traffic data by modulo processing includes:
determining each data packet of the network traffic data;
computing a five-tuple hash over the layer-4 packet header and the IP addresses of each data packet to obtain a hash value;
and taking the modulo of the hash value corresponding to each data packet, where the data packets with the same modulo result form one partial network traffic data.
According to a specific implementation of the embodiment of the present disclosure, performing security analysis processing on the partial network traffic data includes:
performing security analysis processing on the partial network traffic data using encryption/decryption acceleration.
According to a specific implementation of an embodiment of the disclosure, the method further includes:
transparently forwarding the partial traffic data that does not pass through the security analysis processing.
In a second aspect, an embodiment of the present disclosure further provides a data processing apparatus, including:
a first receiving unit, configured to receive the network traffic data sent by the front-end port;
a first distribution unit, configured to divide the network traffic data into a plurality of partial network traffic data by modulo processing;
a processing unit, configured to perform security analysis processing on each partial network traffic data separately;
and an aggregation unit, configured to aggregate the partial secure traffic data after the security analysis processing and send the aggregated secure traffic data to the back-end port.
In a third aspect, embodiments of the present disclosure further provide a security gateway, including:
a field programmable gate array, the input of which is connected to the front-end port; the field programmable gate array is configured to receive network traffic data sent by the front-end port and distribute it among at least two outputs of the field programmable gate array, with data of the same IP distributed to the same output;
at least two processors, the inputs of which are connected in one-to-one correspondence to the at least two outputs of the field programmable gate array; each processor is configured to perform security analysis processing on the partial network traffic data it receives and to transmit the secure traffic data that has been processed by the security analysis processing;
and a switch, at least two inputs of which are connected in one-to-one correspondence to the outputs of the at least two processors, and the output of which is connected to the back-end port; the switch is configured to receive and aggregate the secure traffic data sent by the at least two processors and to send the aggregated secure traffic data to the back-end port.
According to a specific implementation of the embodiment of the disclosure, the inputs of the at least two processors are connected in one-to-one correspondence to the at least two outputs of the field programmable gate array by connection lines, the connection lines comprising at least one of a PCI Express (PCIe) link, a Universal Serial Bus (USB) link or an Ethernet cable.
According to a specific implementation of the embodiment of the disclosure, an encryption/decryption accelerator card is plugged into the processor, and the accelerator card works together with the processor to perform security analysis processing on the received partial network traffic data.
According to a specific implementation of an embodiment of the disclosure, the field programmable gate array includes:
a second receiving unit, configured to receive the network traffic data sent by the front-end port and determine each data packet of the network traffic data;
and a second distribution unit, configured to divide the network traffic data into a plurality of partial network traffic data by modulo processing, where the second distribution unit comprises a calculation module and a sending module; the calculation module computes a five-tuple hash over the layer-4 packet header and the IP addresses of each data packet to obtain a hash value, and the sending module takes the modulo of the hash value corresponding to each data packet and sends the data packets with the same modulo result to the same output.
In a fourth aspect, the disclosed embodiments also provide a computer readable storage medium comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program implementing the steps of the data processing method as described above when being executed by the processor.
In the embodiment of the disclosure, a field programmable gate array distributes the received network traffic data to at least two processors according to a consistency rule, each processor is responsible for the security analysis processing of part of the network traffic data, and a switch then aggregates the secure traffic data processed by each processor and sends the aggregated secure traffic data to a back-end port. In this way the data volume handled by each processor is reduced, the data processing speed is increased, and the overall data processing capability of the security gateway is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
Fig. 1 is a schematic structural diagram of a security gateway according to an embodiment of the disclosure;
fig. 2 is a flowchart of a data processing method according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present disclosure will become readily apparent to those skilled in the art from the following disclosure, which describes embodiments of the present disclosure by way of specific examples. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the disclosure by way of illustration, and only the components related to the disclosure are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
An embodiment of the present disclosure provides a data processing method, applied to a security gateway as shown in fig. 1, where the method is shown in fig. 2, and includes:
step 210: receiving network traffic data sent by a front-end port;
step 220: dividing the network traffic data into a plurality of partial network traffic data by modulo processing;
step 230: performing security analysis processing on each partial network traffic data separately, aggregating the partial secure traffic data after the security analysis processing, and sending the aggregated secure traffic data to a back-end port.
In the embodiment of the disclosure, a field programmable gate array (FPGA) distributes the received network traffic data to at least two processors according to a consistency rule, each processor is responsible for the security analysis processing of part of the network traffic data, and the switch then aggregates the secure traffic data processed by each processor and sends the aggregated secure traffic data to a back-end port. In this way the data volume handled by each processor is reduced, the data processing speed is increased, and the overall data processing capability of the security gateway is improved.
As shown in fig. 1, the field programmable gate array FPGA 110 is a semi-custom circuit within the family of application-specific integrated circuits, a programmable logic array that addresses the limited gate count of earlier programmable devices. The basic structure of an FPGA may include programmable input/output blocks, configurable logic blocks, digital clock management modules, embedded block RAM, routing resources, embedded dedicated hard cores and embedded on-chip functional units.
The data processing apparatus controls the FPGA 110 to receive the network traffic data sent by the front-end port through its input port and to divide the network traffic data into a plurality of partial network traffic data by modulo processing, where data of the same IP falls into the same partial network traffic data.
Because an FPGA offers rich routing resources, reprogrammability, a high level of integration and low investment, it overcomes the drawbacks of a fully custom circuit as well as the limited gate count of earlier programmable devices.
The processor 120 may be an ARM processor, an Intel central processing unit (Intel CPU), or another chip or module capable of data processing, for example an application-specific integrated circuit (ASIC); this is not limited here.
The number of processors 120 is at least two. The more processors 120 there are, the larger the volume and the higher the cost of the security gateway 100, but the less data each processor 120 handles and the faster the security gateway 100 processes data; the fewer processors 120 there are, the smaller the volume and the lower the cost of the security gateway 100, but the more data each processor 120 handles and the slower the security gateway 100 processes data. Accordingly, the number of processors 120 is preferably 3 to 10. In practice the number of processors 120 may be expanded or reduced according to actual requirements, which is not limited here.
In addition, the processor 120 may also be replaced by a server, where multiple discrete servers form a combined distributed processing structure to perform security analysis processing on multiple pieces of partial network traffic data.
The number of output ports of the FPGA 110 equals the number of processors 120; each processor 120 has an input port, and the at least two output ports of the FPGA 110 are connected in one-to-one correspondence to the input ports of the at least two processors 120.
The data processing apparatus controls each processor 120 to perform security analysis processing on the partial network traffic data it receives and to transmit the secure traffic data processed by the security analysis processing from its output port to the switch 130.
The number of input ports of the switch 130 equals the number of processors 120; each processor 120 has an output port, and the output ports of the at least two processors 120 are connected in one-to-one correspondence to the at least two input ports of the switch 130.
The data processing apparatus controls the switch 130 to receive, through its at least two input ports, the secure traffic data transmitted by the at least two processors 120, to aggregate that secure traffic data, and to transmit the aggregated secure traffic data to the back-end port 300.
Further, step 220 includes:
determining each data packet of the network traffic data;
computing a five-tuple hash over the layer-4 packet header and the IP addresses of each data packet to obtain a hash value;
and taking the modulo of the hash value corresponding to each data packet, where the data packets with the same modulo result form one partial network traffic data.
In this embodiment, each data packet carries IP addresses and a layer-4 packet header; the five-tuple consists of the source IP address, the destination IP address, the source port number, the destination port number and the transport protocol number, and hashing these five fields yields the hash value.
The hash value of each data packet is then taken modulo the number of output ports of the FPGA, each possible result corresponding to one output port, so that the output port that transmits a data packet is determined by the data packet's hash value. In this way all packets of one flow (the same IP addresses and ports) reach the same output port, form one partial network traffic data and are sent to the same processor.
Further, performing security analysis processing on each partial network traffic data separately includes:
performing security analysis processing on the partial network traffic data using encryption/decryption acceleration.
An encryption/decryption accelerator card is an accelerator that offloads from the processor the public-key cryptography of the Transport Layer Security protocol (TLS). The processor may be provided with a card slot; the encryption/decryption accelerator card is inserted into the slot and connected to the processor, so that the card and the processor jointly perform security analysis processing on the received partial network traffic data.
The processor thus performs security analysis processing on the partial network traffic data together with the encryption/decryption accelerator card, which raises the data processing speed and improves the data processing performance of the security gateway.
Further, the method further comprises:
transparently forwarding the partial traffic data that does not pass through the security analysis processing.
In addition, the security gateway also transparently forwards reverse traffic.
The embodiment of the disclosure also provides a data processing device, including:
a first receiving unit, configured to receive the network traffic data sent by the front-end port;
a first distribution unit, configured to divide the network traffic data into a plurality of partial network traffic data by modulo processing;
a processing unit, configured to perform security analysis processing on each partial network traffic data separately;
and an aggregation unit, configured to aggregate the partial secure traffic data after the security analysis processing and send the aggregated secure traffic data to the back-end port.
In the embodiment of the disclosure, a first distribution unit distributes the network traffic data received by a first receiving unit to at least two processing units according to a consistency rule, each processing unit is responsible for the security analysis processing of part of the network traffic data, and an aggregation unit aggregates the secure traffic data processed by each processing unit and sends the aggregated secure traffic data to the back-end port. In this way the data volume handled by each processing unit is reduced, the data processing speed is increased, and the overall data processing capability of the security gateway is improved.
Referring to fig. 1, the embodiment of the present disclosure further provides a security gateway 100, including:
a field programmable gate array 110, the input of which is connected to a front-end port 200; the field programmable gate array 110 is configured to receive network traffic data sent by the front-end port and distribute it among at least two outputs of the field programmable gate array 110, with data of the same IP distributed to the same output;
at least two processors 120, the inputs of which are connected in one-to-one correspondence to the at least two outputs of the field programmable gate array 110; each processor 120 is configured to perform security analysis processing on the partial network traffic data it receives and to transmit the secure traffic data that has been processed by the security analysis processing;
and a switch 130, at least two inputs of which are connected in one-to-one correspondence to the outputs of the at least two processors 120, and the output of which is connected to a back-end port 300; the switch 130 is configured to receive and aggregate the secure traffic data sent by the at least two processors and to send the aggregated secure traffic data to the back-end port.
In the embodiment of the disclosure, the field programmable gate array 110 distributes the received network traffic data to at least two processors 120 according to a consistency rule, each processor 120 is responsible for the security analysis processing of part of the network traffic data, and the switch 130 aggregates the secure traffic data processed by each processor and sends the aggregated secure traffic data to the back-end port 300. In this way the data volume handled by each processor 120 is reduced and the data processing speed is increased, improving the data processing capability of the security gateway 100 as a whole.
The field programmable gate array (FPGA) 110 is a semi-custom circuit within the family of application-specific integrated circuits, a programmable logic array that addresses the limited gate count of earlier programmable devices. The basic structure of an FPGA may include programmable input/output blocks, configurable logic blocks, digital clock management modules, embedded block RAM, routing resources, embedded dedicated hard cores and embedded on-chip functional units.
The FPGA 110 receives the network traffic data sent by the front-end port through its input port and distributes it to the at least two processors 120, where data of the same IP is distributed to the same processor.
Because an FPGA offers rich routing resources, reprogrammability, a high level of integration and low investment, it overcomes the drawbacks of a fully custom circuit as well as the limited gate count of earlier programmable devices.
The processor 120 may be an ARM processor, an Intel central processing unit (Intel CPU), or another chip or module capable of data processing, for example an application-specific integrated circuit (ASIC); this is not limited here.
The number of processors 120 is at least two. The more processors 120 there are, the larger the volume and the higher the cost of the security gateway 100, but the less data each processor 120 handles and the faster the security gateway 100 processes data; the fewer processors 120 there are, the smaller the volume and the lower the cost of the security gateway 100, but the more data each processor 120 handles and the slower the security gateway 100 processes data. Accordingly, the number of processors 120 is preferably 3 to 10. In practice the number of processors 120 may be expanded or reduced according to actual requirements, which is not limited here.
In addition, the processor 120 may also be replaced by a server, where multiple discrete servers form a combined distributed processing structure to perform security analysis processing on multiple pieces of partial network traffic data.
The number of output ports of the FPGA 110 equals the number of processors 120; each processor 120 has an input port, and the at least two output ports of the FPGA 110 are connected in one-to-one correspondence to the input ports of the at least two processors 120.
Each processor 120 performs security analysis processing on the partial network traffic data it receives and transmits the secure traffic data processed by the security analysis processing from its output port to the switch 130.
The number of input ports of the switch 130 equals the number of processors 120; each processor 120 has an output port, and the output ports of the at least two processors 120 are connected in one-to-one correspondence to the at least two input ports of the switch 130.
The switch 130 receives, through its at least two input ports, the secure traffic data transmitted by the at least two processors 120, aggregates that secure traffic data, and transmits the aggregated secure traffic data to the back-end port 300.
Further, the inputs of the at least two processors 120 are connected in one-to-one correspondence to the at least two outputs of the field programmable gate array 110 by connection lines, the connection lines comprising at least one of a PCI Express (PCIe) link, a Universal Serial Bus (USB) link or an Ethernet cable.
Further, an encryption/decryption accelerator card is plugged into the processor 120 and works together with the processor to perform security analysis processing on the received partial network traffic data.
The encryption/decryption accelerator card is an accelerator that offloads from the processor 120 the public-key cryptography of the Transport Layer Security protocol (TLS). The processor 120 may be provided with a card slot; the encryption/decryption accelerator card is inserted into the slot and connected to the processor 120, so that the card and the processor 120 jointly perform security analysis processing on the received partial network traffic data.
The processor thus performs security analysis processing on the partial network traffic data together with the encryption/decryption accelerator card, which raises the data processing speed and improves the data processing performance of the security gateway.
Further, the field programmable gate array includes:
a second receiving unit, configured to receive the network traffic data sent by the front-end port and determine each data packet of the network traffic data;
and a second distribution unit, configured to divide the network traffic data into a plurality of partial network traffic data by modulo processing, where the second distribution unit comprises a calculation module and a sending module; the calculation module computes a five-tuple hash over the layer-4 packet header and the IP addresses of each data packet to obtain a hash value, and the sending module takes the modulo of the hash value corresponding to each data packet and sends the data packets with the same modulo result to the same output.
In this embodiment, each data packet carries IP addresses and a layer-4 packet header; the five-tuple consists of the source IP address, the destination IP address, the source port number, the destination port number and the transport protocol number, and hashing these five fields yields the hash value.
The hash value of each data packet is then taken modulo the number of output ports of the FPGA, each possible result corresponding to one output port, so that the output port that transmits a data packet is determined by the data packet's hash value. In this way all packets of one flow (the same IP addresses and ports) reach the same output port, form one partial network traffic data and are sent to the same processor.
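The five-tuple hash and modulo distribution described for step 220 above, and again for the FPGA's calculation and sending modules here, is shown below as an added example; it is not code from the patent or its assignee. It constructs IPv4 frames with TCP, UDP or ICMP headers, extracts the (protocol, source IP, destination IP, source port, destination port) tuple, hashes it and selects one of N outputs by modulo, then runs a per-processor policy over each group and re-aggregates the result, mirroring the FPGA, processors and switch of fig. 1. CRC32 as the hash, the packet builder, the fallback to a 3-tuple for packets without ports, and the drop_telnet() policy are all assumptions made for illustration; the patent names neither a hash function nor an analysis policy. Two practical points the example makes visible: the hash pins every packet of one flow to one processor, but two flows from the same IP address can land on different processors; and A-to-B and B-to-A packets of one connection hash differently unless the endpoints are ordered first (the symmetric option below), which is why a gateway that does not do this, like the one on this page, has to treat reverse traffic separately.

```python
"""Added example, not code from the patent or its assignee: five-tuple hash plus
modulo distribution of packets over N analysis processors, followed by a simple
per-processor policy and re-aggregation (the FPGA / processors / switch of fig. 1).

Assumptions not stated by the patent: IPv4 without options, CRC32 as the hash,
TCP/UDP ports as the layer-4 fields, and the drop_telnet() policy."""
import ipaddress
import struct
import zlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

FiveTuple = Tuple[int, bytes, bytes, int, int]  # (proto, src_ip, dst_ip, src_port, dst_port)


def build_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                 proto: int = 6, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet with a TCP (6), UDP (17) or other header.
    Checksums are left at zero; this is constructed sample input for the example only."""
    sip = ipaddress.IPv4Address(src_ip).packed
    dip = ipaddress.IPv4Address(dst_ip).packed
    if proto == 6:      # TCP: ports, seq, ack, data offset 5, flags PSH|ACK, window, cksum, urg
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:   # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:               # e.g. ICMP: 8 header bytes, no ports
        l4 = bytes(8)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0, sip, dip)
    return ip + l4 + payload


def parse_five_tuple(frame: bytes) -> FiveTuple:
    """Extract (proto, src_ip, dst_ip, src_port, dst_port) from a raw IPv4 packet."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    proto, src_ip, dst_ip = frame[9], frame[12:16], frame[16:20]
    if proto not in (6, 17):
        # No layer-4 ports (e.g. ICMP): fall back to a 3-tuple so the packet still
        # maps to one output deterministically instead of being dropped. (Assumption.)
        return (proto, src_ip, dst_ip, 0, 0)
    if len(frame) < ihl + 4:
        raise ValueError("truncated layer-4 header")
    src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    return (proto, src_ip, dst_ip, src_port, dst_port)


def five_tuple_hash(ft: FiveTuple, symmetric: bool = False) -> int:
    """CRC32 over the five-tuple. With symmetric=True the two endpoints are ordered
    first, so A->B and B->A packets of one connection hash to the same value."""
    proto, sip, dip, sp, dp = ft
    if symmetric:
        (sip, sp), (dip, dp) = sorted([(sip, sp), (dip, dp)])
    return zlib.crc32(bytes([proto]) + sip + dip + struct.pack("!HH", sp, dp))


def select_output(frame: bytes, n_outputs: int, symmetric: bool = False) -> int:
    """The FPGA's decision: hash the five-tuple and take it modulo the output count."""
    return five_tuple_hash(parse_five_tuple(frame), symmetric) % n_outputs


def distribute(frames: List[bytes], n_outputs: int,
               symmetric: bool = False) -> Dict[int, List[bytes]]:
    """Group packets by output index; every packet of one flow lands in one group."""
    groups: Dict[int, List[bytes]] = defaultdict(list)
    for f in frames:
        groups[select_output(f, n_outputs, symmetric)].append(f)
    return dict(groups)


def drop_telnet(frame: bytes) -> bool:
    """Hypothetical per-processor policy: forward everything except TCP to port 23."""
    proto, _, _, _, dst_port = parse_five_tuple(frame)
    return not (proto == 6 and dst_port == 23)


def gateway_pipeline(frames: List[bytes], n_processors: int,
                     policy: Callable[[bytes], bool] = drop_telnet) -> List[bytes]:
    """Distribute -> analyse per processor -> aggregate toward the back-end port."""
    forwarded: List[bytes] = []
    for _, group in sorted(distribute(frames, n_processors).items()):
        forwarded.extend(f for f in group if policy(f))
    return forwarded


if __name__ == "__main__":
    flows = [build_packet("10.0.0.1", "192.0.2.10", 40000, 443, payload=bytes([i])) for i in range(3)]
    flows += [build_packet("10.0.0.1", "192.0.2.10", 40001, 23),       # same IP, different flow
              build_packet("10.0.0.1", "192.0.2.10", 0, 0, proto=1)]   # ICMP, no ports
    for out, group in sorted(distribute(flows, 4).items()):
        print(f"output {out}: {[parse_five_tuple(f)[3:] for f in group]}")
    print("forwarded:", len(gateway_pipeline(flows, 4)), "of", len(flows))
```

Run as a script, it prints which of four outputs each constructed flow maps to and how many frames survive the policy. The modulus is the processor count, so adding or removing a processor remaps most flows to different outputs; in the gateway on this page that is fine for stateless analysis, but anything that keeps per-flow state on a processor has to be drained before the count is changed.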
The disclosed embodiments also provide a computer-readable storage medium comprising a processor, a memory and a computer program stored on the memory and executable on the processor, which, when executed by the processor, implements the steps of the data processing method described above.
The foregoing is merely specific embodiments of the disclosure, but the protection scope of the disclosure is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the disclosure are intended to be covered by the protection scope of the disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (8)

1. A data processing method, the method comprising:
receiving network traffic data sent by a front-end port;
dividing the network traffic data into a plurality of partial network traffic data after carrying out modulo processing, which comprises the following steps: determining each data packet of the network traffic data; performing five-tuple hash processing on the four-layer packet header and the IP of each data packet to obtain a hash value; carrying out modulo on the hash value corresponding to each data packet, and forming one partial network traffic data from the data packets with the same modulo result;
and respectively carrying out security analysis processing on the partial network traffic data, carrying out aggregation processing on the partial security traffic data after the security analysis processing, and sending the aggregated security traffic data to a back-end port.
2. The method of claim 1, wherein respectively carrying out security analysis processing on the partial network traffic data comprises:
carrying out security analysis processing on the partial network traffic data by adopting an encryption and decryption acceleration mode.
3. The method of claim 1, further comprising:
carrying out transparent transmission of the partial traffic data that does not pass after the security analysis processing.
4. A data processing apparatus, comprising:
a first receiving unit, used for receiving network traffic data sent by a front-end port;
a first distribution unit, used for dividing the network traffic data into a plurality of partial network traffic data after carrying out modulo processing, which comprises: determining each data packet of the network traffic data; performing five-tuple hash processing on the four-layer packet header and the IP of each data packet to obtain a hash value; carrying out modulo on the hash value corresponding to each data packet, and forming one partial network traffic data from the data packets with the same modulo result;
a processing unit, used for respectively carrying out security analysis processing on the partial network traffic data;
and an aggregation unit, used for carrying out aggregation processing on the partial security traffic data after the security analysis processing and sending the aggregated security traffic data to a back-end port.
5. A security gateway, comprising:
a field programmable gate array, the input end of which is connected with a front-end port, used for receiving network traffic data sent by the front-end port and distributing the network traffic data to at least two output ends of the field programmable gate array, wherein data of the same IP is distributed to the same output end;
at least two processors, the input ends of which are respectively connected with the at least two output ends of the field programmable gate array in one-to-one correspondence, used for carrying out security analysis processing on the received partial network traffic data and transmitting the security traffic data that has passed the security analysis processing;
and a switch, at least two input ends of which are connected with the output ends of the at least two processors in one-to-one correspondence and whose output end is connected with a back-end port, used for receiving and aggregating the security traffic data respectively sent by the at least two processors and sending the aggregated security traffic data to the back-end port;
wherein the field programmable gate array comprises:
a second receiving unit, used for receiving the network traffic data sent by the front-end port and determining each data packet of the network traffic data;
a second distribution unit, used for dividing the network traffic data into a plurality of partial network traffic data after carrying out modulo processing, wherein the second distribution unit comprises a calculation module and a sending module; the calculation module is used for carrying out five-tuple hash processing on the four-layer packet header and the IP of each data packet to obtain a hash value, and the sending module is used for carrying out modulo on the hash value corresponding to each data packet and sending the data packets with the same modulo result to the same output end.
6. The security gateway of claim 5, wherein the inputs of the at least two processors are respectively connected to at least two outputs of the field programmable gate array in a one-to-one correspondence via connection lines, the connection lines comprising at least one of a high-speed serial computer expansion bus standard line, a universal serial bus, or an ethernet line.
7. The security gateway of claim 5, wherein an encryption/decryption accelerator card is plugged into the processor for performing security analysis processing on the received partial network traffic data in combination with the processor.
8. A computer-readable storage medium, comprising a processor, a memory and a computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, implements the steps of the data processing method according to any one of claims 1 to 3.
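The five-tuple hash and modulo dispatch described in the embodiment above, and restated in claims 1, 4 and 5, can be illustrated with the following Python script. It is an added example and not the patent's FPGA logic: the hash function (BLAKE2b, where the patent names none), the output count of four, the choice of port 0 for packets whose five-tuple cannot be parsed, and the packet builder used to construct sample input are all assumptions. It also goes one step beyond the text with a symmetric variant that orders the two endpoints before hashing, so that both directions of one connection land on the same processor, which matters whenever the security analysis needs to see a whole conversation rather than one direction of it.

```python
"""Five-tuple hash dispatch of IPv4 packets to N output ports.

Constructed example; the hash function, output count and default port are
assumptions, not values taken from the patent.
"""
import hashlib
import ipaddress
import struct
from collections import defaultdict

NUM_OUTPUTS = 4  # assumed number of FPGA output ends / processors


def parse_five_tuple(packet: bytes):
    """Return (proto, src_ip, dst_ip, src_port, dst_port) for an IPv4 packet
    carrying TCP or UDP, or None for anything else or a truncated packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        return None
    proto = packet[9]
    if proto not in (6, 17):                # 6 = TCP, 17 = UDP
        return None
    src_ip = str(ipaddress.IPv4Address(packet[12:16]))
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (proto, src_ip, dst_ip, src_port, dst_port)


def flow_hash(five_tuple, symmetric: bool = True) -> int:
    """Hash the five-tuple. With symmetric=True the two endpoints are sorted
    first, so A->B and B->A hash identically (an extension of the patent's
    scheme; assumption, not something the text specifies)."""
    proto, src_ip, dst_ip, src_port, dst_port = five_tuple
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if symmetric and b < a:
        a, b = b, a
    key = f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()
    return int.from_bytes(hashlib.blake2b(key, digest_size=8).digest(), "big")


def output_port(five_tuple, n_outputs: int = NUM_OUTPUTS, symmetric: bool = True) -> int:
    """Modulo step: hash value mod number of outputs selects the output end."""
    return flow_hash(five_tuple, symmetric) % n_outputs


def build_packet(src_ip, dst_ip, src_port, dst_port, proto=6, payload=b"") -> bytes:
    """Constructed minimal IPv4 + TCP/UDP packet for testing (checksums zero)."""
    l4_len = 20 if proto == 6 else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload), 0, 0,
                     64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return ip + l4 + payload


def dispatch(packets, n_outputs: int = NUM_OUTPUTS, symmetric: bool = True):
    """Group packets by output end, as the sending module does. Packets with no
    parsable five-tuple go to port 0 (assumed default; the patent does not say)."""
    buckets = defaultdict(list)
    for pkt in packets:
        ft = parse_five_tuple(pkt)
        port = output_port(ft, n_outputs, symmetric) if ft else 0
        buckets[port].append(pkt)
    return dict(buckets)


if __name__ == "__main__":
    # Constructed sample: one TCP connection in both directions plus a UDP flow.
    sample = [
        build_packet("10.0.0.1", "10.0.0.2", 40000, 443),
        build_packet("10.0.0.2", "10.0.0.1", 443, 40000),
        build_packet("10.0.0.3", "10.0.0.2", 5000, 53, proto=17),
    ]
    for port, pkts in sorted(dispatch(sample).items()):
        print(f"output {port}: {[parse_five_tuple(p) for p in pkts]}")
```

With `symmetric=False` the script reproduces the plain per-direction hashing the text describes; with the default the reply packets of a connection follow the request to the same processor.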
CN202111365415.5A 2021-11-16 2021-11-16 Security gateway and data processing method thereof Active CN114338282B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111365415.5A CN114338282B (en) 2021-11-16 2021-11-16 Security gateway and data processing method thereof


Publications (2)

Publication Number Publication Date
CN114338282A CN114338282A (en) 2022-04-12
CN114338282B true CN114338282B (en) 2024-01-26

Family

ID=81047128


Country Status (1)

Country Link
CN (1) CN114338282B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112433862A (en) * 2020-11-13 2021-03-02 苏州浪潮智能科技有限公司 Data aggregation implementation system and equipment
CN113194097A (en) * 2021-04-30 2021-07-30 北京数盾信息科技有限公司 Data processing method and device for security gateway and security gateway

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060059373A1 (en) * 2004-09-10 2006-03-16 International Business Machines Corporation Integrated circuit chip for encryption and decryption using instructions supplied through a secure interface
US8976666B2 (en) * 2013-07-25 2015-03-10 Iboss, Inc. Load balancing network adapter




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant