CN115801572A - Industrial firewall firmware upgrading method - Google Patents


Info

Publication number
CN115801572A
Authority
CN
China
Prior art keywords
data
data processing
firmware
transmitted
processing modules
Legal status
Pending
Application number
CN202211340645.0A
Other languages
Chinese (zh)
Inventor
刘长喜
于慧超
石永杰
Current Assignee
Beijing Wangteng Technology Co ltd
Original Assignee
Beijing Wangteng Technology Co ltd
Priority date
2022-10-28
Filing date
2022-10-28
Publication date
2023-03-14


Abstract

The invention discloses an industrial firewall firmware upgrading method comprising the following steps: A. setting the topological structure and data processing flow of the industrial firewall; after entering the industrial firewall through a data inlet, the data to be transmitted passes sequentially through data processing modules connected in series, where it is monitored and filtered; B. when the firmware of the industrial firewall needs to be upgraded, upgrading the firmware of each data processing module in turn, starting from the data inlet end, and keeping data flowing through the other online data processing modules (those not being upgraded) by means of a data transmission bypass; C. bringing the data processing module whose firmware has been upgraded back online, and verifying the upgraded firmware during the subsequent data monitoring and filtering; D. repeating steps B and C until the firmware of all data processing modules has been upgraded. The invention overcomes the defects of the prior art and achieves a firmware upgrade while the firewall continues to monitor data, without using a redundant firewall module.

Description

Industrial firewall firmware upgrading method
Technical Field
The invention relates to the technical field of industrial network security, in particular to an industrial firewall firmware upgrading method.
Background
A firewall is a network security component that monitors and filters network traffic. Because network attack behaviour changes constantly, firewall firmware must be upgraded to keep pace with it. In the prior art, to ensure that a firewall can continue monitoring data during an upgrade, a redundant firewall module is usually provided, which performs uninterrupted data monitoring while the firewall is being upgraded. However, these redundant firewall modules have very low utilization and increase the complexity of the firewall system.
Disclosure of Invention
The technical problem solved by the invention is to provide an industrial firewall firmware upgrading method that overcomes the defects of the prior art and achieves a firmware upgrade while the firewall continues to monitor data, without using a redundant firewall module.
To solve this technical problem, the invention adopts the following technical scheme.
An industrial firewall firmware upgrading method comprises the following steps:
A. setting the topological structure and data processing flow of the industrial firewall; the industrial firewall comprises a plurality of data processing modules connected in series, with a data transmission bypass arranged between non-adjacent data processing modules; after entering the industrial firewall through a data inlet, the data to be transmitted passes sequentially through the series-connected data processing modules, where it is monitored and filtered;
B. when the firmware of the industrial firewall needs to be upgraded, upgrading the firmware of each data processing module in turn, starting from the data inlet end; the data processing module being upgraded is taken offline, and data transmission through the other online data processing modules (those not being upgraded) is maintained by means of the data transmission bypass;
C. bringing the data processing module whose firmware has been upgraded back online, and verifying the upgraded firmware during the subsequent data monitoring and filtering;
D. repeating steps B and C until the firmware of all data processing modules has been upgraded.
Preferably, in step A, each data processing module contains the same number of rule files, the rule files in different data processing modules correspond to one another, and the linearity between corresponding rule files in adjacent data processing modules of the topology exceeds a set threshold.
Preferably, in step A, the data to be transmitted passes sequentially through the series-connected data processing modules, and transmission of the data is stopped when the corresponding rule files in two adjacent data processing modules both judge the data to be illegal.
Preferably, in step B, when the data to be transmitted reaches the offline data processing module, it is carried by the data transmission bypass to the next data processing module adjacent to the offline one; then, any data that either of the two online data processing modules adjacent to the offline module judges to be illegal is extracted, and its source IP address, source port, destination IP address, destination port and transmission protocol are compared with a preset blacklist; if any item matches, transmission of that data is stopped.
Preferably, in step B, the firmware data of the offline data processing module is backed up first, and the firmware upgrade file is then downloaded to upgrade the existing firmware.
Preferably, in step C, the digest data of the firmware is calculated and compared with the digital signature of the firmware for verification.
The beneficial effects of the above technical scheme are as follows: by redesigning the monitoring and filtering rules of the firewall and judging data from the monitoring results of several data processing modules, the invention lays the foundation for online firmware upgrade of the firewall. During the firmware upgrade, each data processing module is upgraded in turn, and the monitoring normally performed by the module being upgraded is replaced by the monitoring results of the data processing modules adjacent to it, so that data monitoring and firmware upgrade of the firewall proceed simultaneously.
Drawings
FIG. 1 is a schematic diagram of one embodiment of the present invention.
Detailed Description
Referring to FIG. 1, one embodiment of the present invention comprises the following steps:
A. setting the topological structure and data processing flow of the industrial firewall; the industrial firewall comprises a plurality of data processing modules connected in series, with a data transmission bypass arranged between non-adjacent data processing modules; each data processing module contains the same number of rule files, the rule files in different data processing modules correspond to one another, and the linearity between corresponding rule files in adjacent data processing modules of the topology exceeds a set threshold; after entering the industrial firewall through a data inlet, the data to be transmitted passes sequentially through the series-connected data processing modules, where it is monitored and filtered; transmission of the data is stopped when the corresponding rule files in two adjacent data processing modules both judge the data to be illegal;
B. when the firmware of the industrial firewall needs to be upgraded, upgrading the firmware of each data processing module in turn, starting from the data inlet end; the firmware data of the offline data processing module is backed up first, the firmware upgrade file is then downloaded to upgrade the existing firmware, the data processing module being upgraded is taken offline, and data transmission through the other online data processing modules (those not being upgraded) is maintained by means of the data transmission bypass; when the data to be transmitted reaches the offline data processing module, it is carried by the data transmission bypass to the next data processing module adjacent to the offline one; then, any data that either of the two online data processing modules adjacent to the offline module judges to be illegal is extracted, and its source IP address, source port, destination IP address, destination port and transmission protocol are compared with a preset blacklist; if any item matches, transmission of that data is stopped;
C. bringing the data processing module whose firmware has been upgraded back online and verifying the upgraded firmware during the subsequent data monitoring and filtering: the digest data of the firmware is calculated and compared with the digital signature of the firmware for verification;
D. repeating steps B and C until the firmware of all data processing modules has been upgraded.
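Added example, not code from the patent (the document contains none): a Python simulation of the serial-module topology and adjacent-pair rule of step A and the preferred embodiments above, the bypass with blacklist fallback of step B, and the digest check of step C, run over a constructed three-module chain. Assumed here, not stated in the patent: a rule file is a callable returning True when it judges a 5-tuple packet illegal, and the comparison of the digest with the firmware's digital signature is reduced to comparing a SHA-256 digest with a known-good value.

```python
import hashlib

class Module:
    """One in-line data processing module with its rule files (callables)."""
    def __init__(self, name, firmware, rules):
        self.name, self.firmware, self.rules = name, firmware, rules
        self.online = True

    def flags(self, pkt):
        # Module verdict: illegal if any of its rule files matches the 5-tuple.
        return any(rule(pkt) for rule in self.rules)

class SerialFirewall:
    def __init__(self, modules, blacklist):
        self.modules = list(modules)
        self.blacklist = set(blacklist)   # preset 5-tuple blacklist (step B)

    def inspect(self, pkt):
        """Return True to forward the packet, False to stop it."""
        mods = self.modules
        for i, m in enumerate(mods):
            if m.online:
                continue
            # Module i is offline for upgrade: the bypass carries the packet
            # past it and its verdict is replaced by its online neighbours'.
            nbrs = [mods[j] for j in (i - 1, i + 1)
                    if 0 <= j < len(mods) and mods[j].online]
            if any(n.flags(pkt) for n in nbrs) and pkt in self.blacklist:
                return False
        # Normal serial path (step A): stop only when the corresponding rule
        # files of two adjacent online modules both judge the packet illegal.
        for a, b in zip(mods, mods[1:]):
            if a.online and b.online and a.flags(pkt) and b.flags(pkt):
                return False
        return True

    def rolling_upgrade(self, image, good_digest, new_version, traffic):
        """Steps B-D: upgrade one module at a time from the inlet end."""
        stopped = []
        for m in self.modules:
            backup = m.firmware                 # step B: back up first
            m.online = False
            stopped += [p for p in traffic if not self.inspect(p)]
            # step C: the digest must match before the module goes back
            # online; otherwise the backed-up firmware is restored.
            m.firmware = new_version if digest_of(image) == good_digest else backup
            m.online = True
        return stopped

def digest_of(image):
    """SHA-256 digest of the firmware image (assumed digest algorithm)."""
    return hashlib.sha256(image).hexdigest()

def build_demo():
    """Constructed sample: three modules sharing one port-based rule file."""
    bad_port = lambda p: p[3] == 4444   # p = (src_ip, sport, dst_ip, dport, proto)
    mods = [Module(f"m{i}", "v1", [bad_port]) for i in range(3)]
    blacklist = {("10.0.0.9", 5555, "10.0.0.2", 4444, "tcp")}
    return SerialFirewall(mods, blacklist)
```

With the middle module offline, a packet that the neighbours flag is stopped only if its 5-tuple is blacklisted; with all modules online, agreement of two adjacent modules is enough.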
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are given by way of illustration of the principles of the present invention, but that various changes and modifications may be made without departing from the spirit and scope of the invention, and such changes and modifications are within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (6)

1. An industrial firewall firmware upgrading method is characterized by comprising the following steps:
A. setting the topological structure and data processing flow of the industrial firewall; the industrial firewall comprises a plurality of data processing modules connected in series, with a data transmission bypass arranged between non-adjacent data processing modules; after entering the industrial firewall through a data inlet, the data to be transmitted passes sequentially through the series-connected data processing modules, where it is monitored and filtered;
B. when the firmware of the industrial firewall needs to be upgraded, upgrading the firmware of each data processing module in turn, starting from the data inlet end; the data processing module being upgraded is taken offline, and data transmission through the other online data processing modules (those not being upgraded) is maintained by means of the data transmission bypass;
C. bringing the data processing module whose firmware has been upgraded back online, and verifying the upgraded firmware during the subsequent data monitoring and filtering;
D. repeating steps B and C until the firmware of all data processing modules has been upgraded.
2. The industrial firewall firmware upgrading method according to claim 1, wherein: in step A, each data processing module contains the same number of rule files, the rule files in different data processing modules correspond to one another, and the linearity between corresponding rule files in adjacent data processing modules of the topology exceeds a set threshold.
3. The industrial firewall firmware upgrading method according to claim 2, wherein: in step A, the data to be transmitted passes sequentially through the series-connected data processing modules, and transmission of the data is stopped when the corresponding rule files in two adjacent data processing modules both judge the data to be illegal.
4. The industrial firewall firmware upgrading method according to claim 3, wherein: in step B, when the data to be transmitted reaches the offline data processing module, it is carried by the data transmission bypass to the next data processing module adjacent to the offline one; then, any data that either of the two online data processing modules adjacent to the offline module judges to be illegal is extracted, and its source IP address, source port, destination IP address, destination port and transmission protocol are compared with the preset blacklist; if any item matches, transmission of that data is stopped.
5. The industrial firewall firmware upgrading method according to claim 4, wherein: in step B, the firmware data of the offline data processing module is backed up first, and the firmware upgrade file is then downloaded to upgrade the existing firmware.
6. The industrial firewall firmware upgrading method according to claim 5, wherein: in step C, the digest data of the firmware is calculated and compared with the digital signature of the firmware for verification.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211340645.0A CN115801572A (en) 2022-10-28 2022-10-28 Industrial firewall firmware upgrading method

Publications (1)

Publication Number Publication Date
CN115801572A true CN115801572A (en) 2023-03-14

Family

ID=85434402

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101004691A (en) * 2007-01-23 2007-07-25 北京映翰通网络技术有限公司 Method and device for updating firmware program
US20080289026A1 (en) * 2007-05-18 2008-11-20 Microsoft Corporation Firewall installer
CN109905272A (en) * 2018-12-28 2019-06-18 杭州电子科技大学 A kind of industrial fireproof wall firmware Safety actuality cleaning method
US20190265963A1 (en) * 2018-02-27 2019-08-29 Ricoh Company, Ltd. Information processing apparatus and firmware updating method
CN114020311A (en) * 2021-10-14 2022-02-08 摩拜(北京)信息技术有限公司 Firmware upgrading method and device and electronic equipment
US20220321536A1 (en) * 2021-04-06 2022-10-06 Vmware, Inc. Upgrading firewall module on port-by-port basis

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination