CN115941264A - Firewall management system based on network security - Google Patents

Firewall management system based on network security

Info

Publication number
CN115941264A
Authority
CN
China
Prior art keywords
network
data packet
network data
firewall
access
Prior art date
Legal status
Pending
Application number
CN202211350304.1A
Other languages
Chinese (zh)
Inventor
王林
柳洪涛
周立成
Current Assignee
Shenzhen Zhongyun Network Co ltd
Original Assignee
Shenzhen Zhongyun Network Co ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Zhongyun Network Co ltd
Priority to CN202211350304.1A
Publication of CN115941264A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a firewall management system based on network security, comprising the following steps. In step one the firewall is configured, mainly so that the external network can reach only the ports on which data is served, with all other ports uniformly blocked. Through the cooperation of steps one, two and three the configuration of the firewall is completed and its configuration choices are optimized, so that it plays a security-blocking role at the source; network data is divided into three directions of flow, inbound, forwarded and outbound, so that network packets are inspected at five detection points, which improves the accuracy and completeness of packet inspection; the intrusion detection module, the DMZ switch and the intrusion prevention module then cooperate to block malicious network traffic efficiently, improving the access security of network data, strengthening the control and management center's control over network data, and optimizing the network environment to the benefit of its healthy use and development.

Description

Firewall management system based on network security
Technical Field
The invention relates to the technical field of network security firewalls, in particular to a firewall management system based on network security.
Background
Firewall technology protects the security of user data and information by organically combining software and hardware devices for security management and screening, helping a computer network build a relatively isolated protective barrier between the internal network and the external network. It can promptly discover and handle the security risks, data transmission problems and similar issues that may arise while the computer network is running, with handling measures that include isolation and protection; it can also record and inspect the various operations relevant to the security of the computer network, so as to guarantee its safe operation, guarantee the integrity of user data and information, and give users a better and safer experience of using the computer network.
With the continuing development of Internet technology, the information and data online are of uneven quality and include aggressive malicious data and viruses, so a firewall is needed to block them. Most existing firewalls support blocking intrusions of malicious data at only one layer, and cannot use a flow control and management mode to perform accurate intrusion detection and efficient security defense processing of intruding malicious data at layers 2 and 4, which reduces the access security of network information. A firewall management system based on network security is therefore proposed.
Disclosure of Invention
The invention aims to provide a firewall management system based on network security, so as to solve the problems raised in the background: most existing firewalls support blocking intrusions of malicious data at only one layer and cannot use a flow control and management mode to perform accurate intrusion detection and efficient security defense processing of malicious data at layers 2 and 4, which reduces the access security of network information.
To achieve this purpose, the invention provides the following technical solution. A firewall management system based on network security comprises the following steps:
Step one: first, the firewall is configured. Mainly, the firewall is configured so that the external network can access only the ports on which data is served, and all other ports are uniformly blocked. The configuration is as follows:
Firewall(config)# firewall enable
Firewall(config)# firewall default permit (set the firewall's default action to allow packets to pass)
Firewall(config)# access-list 100 deny ip any any (access rule prohibiting all packets from passing)
Firewall(config)# access-list 101 permit ip <file server IP address> any (rule allowing the file server to access the external network)
Firewall(config)# access-list 102 permit tcp <administrator IP address> <archive server IP address> (rule allowing a particular administrative user to reach the internal archive server from the external network)
Firewall(config)# access-list 102 permit tcp any <archive server IP address> gt 1024 (rule allowing the administrative user to fetch data from the external network; only packets with a destination port above 1024 are allowed)
Firewall(config)# access-list 102 deny ip any any
Firewall(config)# interface ethernet 0
Firewall(config-if-Ethernet0)# ip access-group 100 in (apply list 100 to packets arriving on interface Ethernet 0)
Firewall(config-if-Ethernet0)# ip access-group 101 in (apply list 101 to packets arriving on interface Ethernet 0)
Firewall(config-if-Ethernet0)# ip access-group 102 in (apply list 102 to packets arriving on interface Ethernet 0); this completes the configuration of the firewall;
Step two: a Linux-based Netfilter/iptables firewall architecture is set up. Network data is divided into three directions, inbound, forwarded and outbound, according to its flow: inbound data is distinguished from forwarded data by the routing decision, and forwarded data is distinguished from outbound data by local delivery. Processing is inserted at the following points according to the direction of flow:
A. NF_IP_PRE_ROUTING, executed before the data is routed;
B. NF_IP_LOCAL_IN, executed after routing, for data destined for the local machine;
C. NF_IP_FORWARD, executed before the data is forwarded to another network interface;
D. NF_IP_POST_ROUTING, executed before the data leaves the machine;
E. NF_IP_LOCAL_OUT, executed for locally generated data before it is routed for output;
After a packet from the external network enters the system and passes IP header validation, it is processed at the first detection point, NF_IP_PRE_ROUTING, and then enters the routing code, which decides whether the datagram is to be forwarded or delivered to the local machine. If it is destined for the local machine, it is processed at the detection point NF_IP_LOCAL_IN and then passed to the upper-layer protocol; if it is to be forwarded, it is processed at NF_IP_FORWARD, and the forwarded packet is processed at the last detection point, NF_IP_POST_ROUTING, before being transmitted to the network. Locally generated data is processed by the hook function at NF_IP_LOCAL_OUT, then routed, then processed at NF_IP_POST_ROUTING before being sent to the network;
Step three: NIPS are deployed inline at the key positions where network data needs protection. The firewall module inspects the traffic of each network packet and the intrusion detection module judges whether the packet contains malicious intrusion behavior. If the intrusion detection module detects malicious traffic in a packet, the DMZ switch identifies and processes the IP address of the malicious traffic and builds a corresponding access control list, and the intrusion prevention module is started immediately to block the connection carrying the malicious traffic; at the same time the malicious traffic itself is sent to the control and management center together with alarm/log information.
Preferably, in step two, the Netfilter/iptables firewall architecture includes:
a. a set of hook functions defined for each network protocol. They are called at several key points as a network packet passes through the protocol stack, and at each such point the stack calls into the Netfilter framework with the packet and the hook identifier as parameters;
b. any module in the kernel may register for one or more hooks of each protocol. When a packet is handed to the Netfilter framework, the kernel checks whether any module has registered for that protocol and hook; if so, the callback function supplied at registration is called, which gives the modules the opportunity to inspect the packet, discard it, or instruct Netfilter to pass it to a user-space queue;
c. for a packet passed to user space for asynchronous processing, a user process can inspect the packet, modify it, and re-inject it into the kernel through the same hook by which it left the kernel.
Preferably, in step two, the Netfilter framework provides a set of hooks for several protocols and stores them in the two-dimensional array struct list_head nf_hooks: one dimension is the protocol family, the other is each call point (hook) of the network packet. A detection module embedded in the Netfilter framework can register several hook functions at several call points of several protocol families, so that a complete chain of function pointers is built. Each time the protocol-stack code reaches the NF_HOOK() function, the hook functions are triggered in turn to process the part of the protocol stack specified by the parameters of the packet, and each registered hook function returns one of the following values to tell the Netfilter core code the result, upon which the framework acts on the packet: NF_ACCEPT, continue normal packet processing; NF_DROP, discard the packet; or, when the hook function has processed the packet and it is not to be passed on directly, the packet is placed in a processing queue (NF_QUEUE) and handled by a user process of the control and management center.
Preferably, in step two, the Netfilter framework covers three packet-processing modes: packet filtering, network address translation (IP conversion) and packet inspection. Each mode makes an IP packet processing decision at every inserted call point; an IP decision table is established for the decisions made at each call point, the established decision tables define the related processing-behavior tables in forward order, and the packets arriving at a call point are processed according to the decision table from top to bottom.
Preferably, in step two, the Linux operating system in the Netfilter/iptables firewall architecture includes a kernel bridge module, which connects directly with the Netfilter/iptables architecture under a 2.4.x kernel.
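The hook table, the priority-ordered chain walk and the verdicts described above, modelled in user space. This is an added example, not code from the patent or from the Linux kernel: the constant names and their values follow the 2.4 kernel headers, while the packet structure, the three registered modules (a blocklist at NF_IP_PRE_ROUTING, a tracer at all five points, and a module that returns NF_QUEUE for SSH destined to the local machine) and the addresses are assumptions made for the illustration. Running it shows what the prose leaves implicit: a forwarded packet passes exactly three of the five detection points, a locally delivered one passes two, the walk stops at the first module that does not return NF_ACCEPT, and a lower priority value runs first regardless of registration order, so the blocklist drops its packet before the tracer ever sees it.

```c
/* User-space model of the Netfilter hook table and verdict handling.
 * Added example: not code from the patent or from the Linux kernel. Constant
 * names/values follow the 2.4 headers; the rest is an assumed simplification. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PF_INET      2    /* protocol family index used below */
#define NPROTO       32   /* table dimension 1: protocol family */
#define NF_MAX_HOOKS 8    /* table dimension 2: hook point within the family */
#define MAX_OPS      8    /* registrations per chain in this model */

enum nf_ip_hooks { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
                   NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum nf_verdicts { NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT };

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

struct packet {
    uint32_t saddr, daddr; uint16_t dport;  /* host-order addresses, TCP destination port */
    int for_local, queued;                  /* routing decision (1 = deliver locally); NF_QUEUE seen */
    int trace[NF_IP_NUMHOOKS], ntrace;      /* detection points the packet actually reached */
};

typedef unsigned int (*nf_hookfn)(unsigned int hooknum, struct packet *p);
struct nf_hook_ops { nf_hookfn hook; int pf, hooknum, priority; };  /* lower priority runs first */

/* Model of: struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS] */
static struct nf_hook_ops *nf_hooks[NPROTO][NF_MAX_HOOKS][MAX_OPS];
static int nf_hooks_len[NPROTO][NF_MAX_HOOKS];

/* Insert into the (pf, hooknum) chain, keeping ascending priority order. */
int nf_register_hook(struct nf_hook_ops *ops) {
    struct nf_hook_ops **chain = nf_hooks[ops->pf][ops->hooknum];
    int *n = &nf_hooks_len[ops->pf][ops->hooknum], i = *n;
    if (i >= MAX_OPS) return -1;
    for (; i > 0 && chain[i - 1]->priority > ops->priority; i--) chain[i] = chain[i - 1];
    chain[i] = ops; (*n)++;
    return 0;
}

/* The NF_HOOK() walk: NF_ACCEPT moves on to the next registered function,
 * any other verdict ends the walk; NF_QUEUE hands the packet to user space. */
unsigned int NF_HOOK(int pf, unsigned int hooknum, struct packet *p) {
    for (int i = 0; i < nf_hooks_len[pf][hooknum]; i++) {
        unsigned int v = nf_hooks[pf][hooknum][i]->hook(hooknum, p);
        if (v == NF_QUEUE) p->queued = 1;
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Inbound: PRE_ROUTING, then the routing decision picks LOCAL_IN (up to the
 * transport layer) or FORWARD followed by POST_ROUTING. */
unsigned int ip_rcv(struct packet *p) {
    unsigned int v = NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, p);
    if (v != NF_ACCEPT) return v;
    if (p->for_local) return NF_HOOK(PF_INET, NF_IP_LOCAL_IN, p);
    v = NF_HOOK(PF_INET, NF_IP_FORWARD, p);
    return v != NF_ACCEPT ? v : NF_HOOK(PF_INET, NF_IP_POST_ROUTING, p);
}

/* Locally generated: LOCAL_OUT, routing, POST_ROUTING. */
unsigned int ip_local_out(struct packet *p) {
    unsigned int v = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, p);
    return v != NF_ACCEPT ? v : NF_HOOK(PF_INET, NF_IP_POST_ROUTING, p);
}

/* Three assumed modules; 203.0.113.9 is a documentation (TEST-NET-3) address. */
static unsigned int blocklist_hook(unsigned int h, struct packet *p) {
    (void)h; return p->saddr == IPV4(203, 0, 113, 9) ? NF_DROP : NF_ACCEPT;
}
static unsigned int trace_hook(unsigned int h, struct packet *p) {
    if (p->ntrace < NF_IP_NUMHOOKS) p->trace[p->ntrace++] = (int)h;
    return NF_ACCEPT;
}
static unsigned int queue_ssh_hook(unsigned int h, struct packet *p) {
    (void)h; return p->dport == 22 ? NF_QUEUE : NF_ACCEPT;  /* SSH to this host: inspect in user space */
}

static struct nf_hook_ops ops_block = { blocklist_hook, PF_INET, NF_IP_PRE_ROUTING, -200 };
static struct nf_hook_ops ops_queue = { queue_ssh_hook, PF_INET, NF_IP_LOCAL_IN, 0 };
static struct nf_hook_ops ops_trace[NF_IP_NUMHOOKS];

/* Reset the table and register the modules. Registration order is deliberately
 * not the run order: priority decides that. Safe to call repeatedly. */
void setup_hooks(void) {
    memset(nf_hooks, 0, sizeof nf_hooks);
    memset(nf_hooks_len, 0, sizeof nf_hooks_len);
    nf_register_hook(&ops_queue);
    for (int h = 0; h < NF_IP_NUMHOOKS; h++) {
        ops_trace[h] = (struct nf_hook_ops){ trace_hook, PF_INET, h, -100 };
        nf_register_hook(&ops_trace[h]);
    }
    nf_register_hook(&ops_block);
}

int main(void) {
    setup_hooks();
    struct packet fwd = { IPV4(192, 0, 2, 10), IPV4(198, 51, 100, 7), 443, 0 };
    struct packet ssh = { IPV4(192, 0, 2, 10), IPV4(10, 0, 0, 1), 22, 1 };
    struct packet bad = { IPV4(203, 0, 113, 9), IPV4(10, 0, 0, 1), 80, 1 };
    unsigned int v1 = ip_rcv(&fwd), v2 = ip_rcv(&ssh), v3 = ip_rcv(&bad);
    printf("forwarded: verdict %u after %d points; ssh-local: verdict %u queued=%d; "
           "blocklisted: verdict %u after %d points\n", v1, fwd.ntrace, v2, ssh.queued, v3, bad.ntrace);
    return 0;
}
```

In the real kernel the chains are struct list_head lists and the routing decision is taken by ip_route_input() between the PRE_ROUTING call and the LOCAL_IN or FORWARD call; the model keeps only the ordering those functions impose.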
Preferably, in step three, when judging whether a network packet contains malicious traffic, only packets with a correct IP address are forwarded, and the following are also observed: (1) packets that do not carry a legitimate source IP address are prevented from flowing out to the Internet; (2) packets whose IP addresses have not been verified are discarded; (3) the headers of packets entering the intrusion detection module are checked to be well formed.
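The three checks above applied to a raw IPv4 header, as an added example that is not code from the patent. The protected network 10.0.0.0/8, the reading of check (2) as dropping sources that can never be verified (the unspecified, loopback, multicast and broadcast addresses), and the constructed test packets are assumptions. Check (1) is applied in both directions, which the text does not spell out: an outbound packet must carry one of the protected network's own addresses, and an inbound packet arriving from outside must not claim one. The header check verifies version, header length, total length and the RFC 1071 checksum before any address is read, so a truncated or corrupted header is dropped without being interpreted.

```c
/* The three step-three checks applied to a raw IPv4 header. Added example,
 * not code from the patent. 10.0.0.0/8 as the protected network and the
 * test packets built by build_ipv4() are assumptions/constructed input. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define INTERNAL_NET  0x0A000000u   /* 10.0.0.0/8, assumed protected prefix */
#define INTERNAL_MASK 0xFF000000u

enum verdict { V_ACCEPT, V_DROP_MALFORMED, V_DROP_UNVERIFIED, V_DROP_SPOOFED };
enum direction { DIR_INBOUND, DIR_OUTBOUND };   /* relative to the protected network */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 1071 one's-complement checksum; over a header whose stored checksum
 * is correct it returns 0. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Check (3): version, IHL, total length and checksum must all be consistent. */
int ipv4_header_ok(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return 0;
    uint16_t total = rd16(pkt + 2);
    if (total < ihl || total > len) return 0;
    return ip_checksum(pkt, ihl) == 0;
}

static int is_internal(uint32_t a) { return (a & INTERNAL_MASK) == INTERNAL_NET; }

/* Check (2): sources that can never be verified: unspecified, loopback,
 * multicast and limited broadcast. */
static int is_bogus_source(uint32_t s) {
    return s == 0 || (s >> 24) == 127 || (s >> 28) == 0xE || s == 0xFFFFFFFFu;
}

/* Check (1) and its mirror image: outbound traffic must carry one of our own
 * addresses, inbound traffic from outside must not claim one. */
enum verdict filter_packet(const uint8_t *pkt, size_t len, enum direction dir) {
    if (!ipv4_header_ok(pkt, len)) return V_DROP_MALFORMED;
    uint32_t saddr = rd32(pkt + 12);
    if (is_bogus_source(saddr)) return V_DROP_UNVERIFIED;
    if (dir == DIR_OUTBOUND && !is_internal(saddr)) return V_DROP_SPOOFED;
    if (dir == DIR_INBOUND && is_internal(saddr)) return V_DROP_SPOOFED;
    return V_ACCEPT;
}

/* Constructed input: a minimal 20-byte TCP/IPv4 header with a valid checksum. */
size_t build_ipv4(uint8_t out[20], uint32_t saddr, uint32_t daddr, uint16_t total_len) {
    memset(out, 0, 20);
    out[0] = 0x45; out[8] = 64; out[9] = 6;   /* version 4, IHL 5, TTL 64, protocol TCP */
    out[2] = (uint8_t)(total_len >> 8); out[3] = (uint8_t)total_len;
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    uint16_t c = ip_checksum(out, 20);
    out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    return 20;
}

int main(void) {
    uint8_t pkt[20];
    size_t n = build_ipv4(pkt, 0x0A010203u /* 10.1.2.3 */, 0xC6336407u /* 198.51.100.7 */, 20);
    printf("inbound claiming 10.1.2.3: %d\n", filter_packet(pkt, n, DIR_INBOUND));
    printf("outbound from 10.1.2.3  : %d\n", filter_packet(pkt, n, DIR_OUTBOUND));
    pkt[8] = 63;   /* corrupt the TTL: the stored checksum no longer verifies */
    printf("corrupted header        : %d\n", filter_packet(pkt, n, DIR_OUTBOUND));
    return 0;
}
```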
Preferably, in step three, the DMZ switch is configured as follows:
Switch(config)# access-list 103 permit tcp any <archive server IP address> eq <port> (access rule allowing access to the archive server's service port)
Switch(config)# access-list 103 deny ip any any (access rule prohibiting all other packets, i.e. abnormal intrusions into the intranet, from passing)
Switch(config)# access-list 104 permit ip <management IP address> any (rule allowing the management layer to log in to the internal server)
Switch(config)# interface ethernet 0/1
Switch(config-if-Ethernet0/1)# ip access-group 103 in (apply list 103 to packets arriving on interface Ethernet 0/1)
Switch(config-if-Ethernet0/1)# ip access-group 104 in (apply list 104 to packets arriving on interface Ethernet 0/1).
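The access lists of step one (lists 100 to 102) and of the DMZ switch (lists 103 and 104), run through a first-match evaluator. This is an added example, not part of the patent and not any vendor's CLI. Two caveats a practitioner would check before deploying the configuration as written. First, on Cisco IOS, whose "ip access-group ... in" syntax the page uses, an interface holds one inbound access list at a time, so binding 100, then 101, then 102 to Ethernet 0 leaves only list 102 in force; the lists have to be merged into one, and the same applies to 103 and 104 on the switch port. Second, once the entries are merged in the order the page gives them, the "deny ip any any" of list 100 comes first and shadows every permit after it, and "permit tcp any <server> gt 1024" admits any external host to any high port on the archive server, not only the administrator. The addresses (10.0.0.20 for the archive server, 198.51.100.7 for the administrator, 10.0.9.0/24 for management) and port 443 stand in for the page's placeholders and are assumptions.

```c
/* First-match evaluator for the numbered access lists of step one and of the
 * DMZ switch. Added example, not code from the patent or from any vendor CLI.
 * Addresses and the port 443 are assumed stand-ins for the page's placeholders. */
#include <stdint.h>
#include <stdio.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))
#define HOST    0xFFFFFFFFu             /* mask for a single host */
#define ARCHIVE IPV4(10, 0, 0, 20)      /* assumed internal archive/file server */
#define ADMIN   IPV4(198, 51, 100, 7)   /* assumed external administrator */
#define MGMT    IPV4(10, 0, 9, 0)       /* assumed management subnet, /24 */
#define N(a)    ((int)(sizeof(a) / sizeof((a)[0])))

enum action  { DENY, PERMIT };
enum proto   { PROTO_IP = 0, PROTO_TCP = 6, PROTO_UDP = 17 };  /* PROTO_IP matches any protocol */
enum port_op { OP_ANY, OP_EQ, OP_GT };

struct ace {                            /* one access-list entry */
    enum action action;
    enum proto  proto;
    uint32_t src, src_mask;             /* network and mask; mask 0 means "any" */
    uint32_t dst, dst_mask;
    enum port_op op; uint16_t port;     /* destination-port test, TCP/UDP entries only */
};

struct pkt { enum proto proto; uint32_t src, dst; uint16_t dport; };

static int addr_match(uint32_t a, uint32_t net, uint32_t mask) { return (a & mask) == (net & mask); }

static int port_match(const struct ace *e, uint16_t dport) {
    switch (e->op) {
    case OP_EQ: return dport == e->port;
    case OP_GT: return dport > e->port;
    default:    return 1;
    }
}

/* Entries are tried top to bottom and the first match decides; a list that
 * matches nothing denies, which is the implicit deny at the end of every ACL. */
enum action acl_eval(const struct ace *acl, int n, const struct pkt *p) {
    for (int i = 0; i < n; i++) {
        const struct ace *e = &acl[i];
        if (e->proto != PROTO_IP && e->proto != p->proto) continue;
        if (!addr_match(p->src, e->src, e->src_mask)) continue;
        if (!addr_match(p->dst, e->dst, e->dst_mask)) continue;
        if (e->proto != PROTO_IP && !port_match(e, p->dport)) continue;
        return e->action;
    }
    return DENY;
}

/* Lists 100, 101 and 102 of step one, merged in the order the page gives them. */
static const struct ace acl_as_written[] = {
    { DENY,   PROTO_IP,  0, 0,          0, 0,          OP_ANY, 0    },  /* 100: deny ip any any */
    { PERMIT, PROTO_IP,  ARCHIVE, HOST, 0, 0,          OP_ANY, 0    },  /* 101: permit ip <server> any */
    { PERMIT, PROTO_TCP, ADMIN, HOST,   ARCHIVE, HOST, OP_ANY, 0    },  /* 102: permit tcp <admin> <server> */
    { PERMIT, PROTO_TCP, 0, 0,          ARCHIVE, HOST, OP_GT,  1024 },  /* 102: permit tcp any <server> gt 1024 */
    { DENY,   PROTO_IP,  0, 0,          0, 0,          OP_ANY, 0    },  /* 102: deny ip any any */
};
/* The same entries with the blanket deny where it belongs: last. */
static const struct ace acl_reordered[] = {
    { PERMIT, PROTO_IP,  ARCHIVE, HOST, 0, 0,          OP_ANY, 0    },
    { PERMIT, PROTO_TCP, ADMIN, HOST,   ARCHIVE, HOST, OP_ANY, 0    },
    { PERMIT, PROTO_TCP, 0, 0,          ARCHIVE, HOST, OP_GT,  1024 },
    { DENY,   PROTO_IP,  0, 0,          0, 0,          OP_ANY, 0    },
};
/* DMZ switch lists 103 and 104 merged; 104 goes before the deny or it is shadowed. */
static const struct ace acl_dmz[] = {
    { PERMIT, PROTO_TCP, 0, 0,             ARCHIVE, HOST, OP_EQ,  443 },  /* 103: permit tcp any <server> eq 443 */
    { PERMIT, PROTO_IP,  MGMT, 0xFFFFFF00u, 0, 0,         OP_ANY, 0   },  /* 104: permit ip <mgmt> any */
    { DENY,   PROTO_IP,  0, 0,             0, 0,          OP_ANY, 0   },  /* 103: deny ip any any */
};

enum action eval_as_written(const struct pkt *p) { return acl_eval(acl_as_written, N(acl_as_written), p); }
enum action eval_reordered(const struct pkt *p)  { return acl_eval(acl_reordered, N(acl_reordered), p); }
enum action eval_dmz(const struct pkt *p)        { return acl_eval(acl_dmz, N(acl_dmz), p); }

int main(void) {
    struct pkt admin_ssh = { PROTO_TCP, ADMIN, ARCHIVE, 22 };
    struct pkt stranger  = { PROTO_TCP, IPV4(203, 0, 113, 5), ARCHIVE, 8080 };
    printf("admin -> server:22   as written: %d, reordered: %d (1 = permit)\n",
           eval_as_written(&admin_ssh), eval_reordered(&admin_ssh));
    printf("anyone -> server:8080 reordered: %d (the gt 1024 entry admits it)\n",
           eval_reordered(&stranger));
    return 0;
}
```

Run as written, the program shows the administrator's SSH connection denied under the lists in page order and permitted once the blanket deny is last, and any external host reaching port 8080 on the archive server through the gt 1024 entry. Tightening that entry to the administrator's address, or to the ports the server actually serves, is the change a reviewer would ask for.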
Preferably, in step three, when a network packet contains malicious traffic, the intrusion detection module analyzes it from four levels: objective factors, management disorder, subjective awareness and lack of decision-making. The objective factors cover the growing number of low-quality network threats, such as the Panda Burning Incense (熊猫烧香) worm and Trojan horses.
Compared with the prior art, the invention has the beneficial effects that:
Through the cooperation of steps one, two and three, the configuration of the firewall is first completed and its configuration choices optimized, so that it plays a security-blocking role at the source; network data is then divided into three directions of flow, inbound, forwarded and outbound, so that packets are inspected at five detection points, which improves the accuracy and completeness of packet inspection; finally the intrusion detection module, the DMZ switch and the intrusion prevention module cooperate to block malicious network traffic efficiently, improving the access security of network data and strengthening the control center's control over network data.
Drawings
FIG. 1 is a block flow diagram of the system of the present invention;
FIG. 2 is a flow chart of the insertion of detection points for network data at the IP layer according to the present invention;
FIG. 3 is a flow chart of the network data defense of the present invention;
FIG. 4 is a diagram of the sources of the network security problems according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to FIGS. 1-4, the present invention provides a technical solution: a firewall management system based on network security, comprising the following steps:
Step one: first, the firewall is configured. Mainly, the firewall is configured so that the external network can access only the ports on which data is served, and all other ports are uniformly blocked. The configuration is as follows:
Firewall(config)# firewall enable
Firewall(config)# firewall default permit (the firewall's default action is set to allow packets to pass)
Firewall(config)# access-list 100 deny ip any any (access rule prohibiting all packets from passing)
Firewall(config)# access-list 101 permit ip <file server IP address> any (rule allowing the file server to access the external network)
Firewall(config)# access-list 102 permit tcp <administrator IP address> <archive server IP address> (rule allowing a particular administrative user to reach the internal archive server from the external network)
Firewall(config)# access-list 102 permit tcp any <archive server IP address> gt 1024 (rule allowing the administrative user to fetch data from the external network; only packets with a destination port above 1024 are allowed)
Firewall(config)# access-list 102 deny ip any any
Firewall(config)# interface ethernet 0
Firewall(config-if-Ethernet0)# ip access-group 100 in (apply list 100 to packets arriving on interface Ethernet 0)
Firewall(config-if-Ethernet0)# ip access-group 101 in (apply list 101 to packets arriving on interface Ethernet 0)
Firewall(config-if-Ethernet0)# ip access-group 102 in (apply list 102 to packets arriving on interface Ethernet 0); this completes the configuration of the firewall;
Step two: a Linux-based Netfilter/iptables firewall architecture is set up. Network data is divided into three directions, inbound, forwarded and outbound, according to its flow: inbound data is distinguished from forwarded data by the routing decision, and forwarded data is distinguished from outbound data by local delivery. Processing is then inserted at the following points according to the direction of flow:
A. NF_IP_PRE_ROUTING, executed before the data is routed;
B. NF_IP_LOCAL_IN, executed after routing, for data destined for the local machine;
C. NF_IP_FORWARD, executed before the data is forwarded to another network interface;
D. NF_IP_POST_ROUTING, executed before the data leaves the machine;
E. NF_IP_LOCAL_OUT, executed for locally generated data before it is routed for output;
After a packet from the external network enters the system and passes IP header validation, it is processed at the first detection point, NF_IP_PRE_ROUTING, and then enters the routing code, which decides whether the datagram is to be forwarded or delivered to the local machine. If it is destined for the local machine, it is processed at the detection point NF_IP_LOCAL_IN and then passed to the upper-layer protocol; if it is to be forwarded, it is processed at NF_IP_FORWARD, and the forwarded packet is processed at the last detection point, NF_IP_POST_ROUTING, before being transmitted to the network. Locally generated data is processed by the hook function at NF_IP_LOCAL_OUT, then routed, then processed at NF_IP_POST_ROUTING before being sent to the network. The Netfilter/iptables firewall architecture comprises the following parts:
a. a set of hook functions defined for each network protocol. They are called at several key points as a network packet passes through the protocol stack, and at each such point the stack calls into the Netfilter framework with the packet and the hook identifier as parameters;
b. any module in the kernel may register for one or more hooks of each protocol. When a packet is handed to the Netfilter framework, the kernel checks whether any module has registered for that protocol and hook; if so, the callback function supplied at registration is called, which gives the modules the opportunity to inspect the packet, discard it, or instruct Netfilter to pass it to a user-space queue;
c. for a packet passed to user space for asynchronous processing, a user process can inspect the packet, modify it, and re-inject it into the kernel through the same hook by which it left the kernel. The Netfilter framework provides a set of hooks for several protocols and stores them in the two-dimensional array struct list_head nf_hooks: one dimension is the protocol family, the other is each call point (hook) of the network packet. A detection module embedded in the Netfilter framework can register several hook functions at several call points of several protocol families, so that a complete chain of function pointers is built. Each time the protocol-stack code reaches the NF_HOOK() function, the hook functions are triggered in turn to process the part of the protocol stack specified by the parameters of the packet, and each registered hook function returns one of the following values to tell the Netfilter core code the result, upon which the framework acts on the packet: NF_ACCEPT, continue normal packet processing; NF_DROP, discard the packet; or, when the hook function has processed the packet and it is not to be passed on directly, the packet is placed in a processing queue (NF_QUEUE) and handled by a user process of the control and management center. The Netfilter framework covers three packet-processing modes: packet filtering, network address translation (IP conversion) and packet inspection. Each mode makes an IP packet processing decision at every inserted call point; an IP decision table is established for the decisions made at each call point, the established decision tables define the related processing-behavior tables in forward order, and the packets arriving at a call point are processed according to the decision table from top to bottom. The Linux operating system in the Netfilter/iptables firewall architecture includes a kernel bridge module, which connects with Netfilter/iptables under a 2.4.x kernel, and the packet detection points of the firewall system connect directly to the network firewall, which improves the accuracy of packet detection;
Step three: NIPS are deployed inline at the key positions where network data needs protection. The firewall module inspects the traffic of each network packet and the intrusion detection module judges whether the packet contains malicious intrusion behavior. If the intrusion detection module detects malicious traffic in a packet, the DMZ switch identifies the IP address of the malicious traffic and builds a corresponding access control list, and the intrusion prevention module is started immediately to block the connection carrying the malicious traffic; at the same time the malicious traffic itself is sent to the control and management center together with alarm/log information. When judging whether a packet contains malicious traffic, only packets with a correct IP address are forwarded, and furthermore: (1) packets that do not carry a legitimate source IP address are prevented from flowing out to the Internet; (2) packets whose IP addresses have not been verified are discarded; (3) the headers of packets entering the intrusion detection module are checked to be well formed. The DMZ switch is configured as follows:
Switch(config)# access-list 103 permit tcp any <archive server IP address> eq <port> (access rule allowing access to the archive server's service port)
Switch(config)# access-list 103 deny ip any any (access rule prohibiting all other packets, i.e. abnormal intrusions into the intranet, from passing)
Switch(config)# access-list 104 permit ip <management IP address> any (rule allowing the management layer to log in to the internal server)
Switch(config)# interface ethernet 0/1
Switch(config-if-Ethernet0/1)# ip access-group 103 in (apply list 103 to packets arriving on interface Ethernet 0/1)
Switch(config-if-Ethernet0/1)# ip access-group 104 in (apply list 104 to packets arriving on interface Ethernet 0/1)
When a network packet contains malicious traffic, the intrusion detection module analyzes it from four levels: objective factors, management disorder, subjective awareness and lack of decision-making. The objective factors cover the growing number of low-quality network threats, such as the Panda Burning Incense (熊猫烧香) worm and Trojan horses. Management disorder lies mainly in an imperfect network management system, so when the intrusion detection module inspects traffic it must also screen it comprehensively against the network management system. Subjective awareness refers mainly to weak awareness and poor knowledge of the law, so malicious traffic is detected according to the applicable legal agreements. Lack of decision-making refers to incomplete network security decision-making and operation-and-maintenance processes, which allow traffic with malicious intent to be released; the intrusion detection module therefore relies on the Linux-based Netfilter/iptables firewall architecture and divides network traffic into inbound, forwarded and outbound packets for inspection, so that good and bad data in the packets are accurately detected and handled at every layer, improving the firewall's protection of network data and helping to optimize the network environment. Through the cooperation of steps one, two and three, the configuration of the firewall is first completed and its configuration choices optimized, so that it plays a security-blocking role at the source; network data is then divided into the three directions of inbound, forwarded and outbound, so that packets are inspected at five detection points, improving the accuracy and completeness of packet inspection; and the intrusion detection module, the DMZ switch and the intrusion prevention module cooperate to block malicious network traffic efficiently, improving the access security of network data and strengthening the control and management center's control over network data.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A firewall management system based on network security, characterized in that it comprises the following steps:
Step one: first, the firewall is configured. Mainly, the firewall is configured so that the external network can access only the ports on which data is served, and all other ports are uniformly blocked. The configuration is as follows:
Firewall(config)# firewall enable
Firewall(config)# firewall default permit (set the firewall's default action to allow packets to pass)
Firewall(config)# access-list 100 deny ip any any (access rule prohibiting all packets from passing)
Firewall(config)# access-list 101 permit ip <file server IP address> any (rule allowing the file server to access the external network)
Firewall(config)# access-list 102 permit tcp <administrator IP address> <archive server IP address> (rule allowing a particular administrative user to reach the internal archive server from the external network)
Firewall(config)# access-list 102 permit tcp any <archive server IP address> gt 1024 (rule allowing the administrative user to fetch data from the external network; only packets with a destination port above 1024 are allowed)
Firewall(config)# access-list 102 deny ip any any
Firewall(config)# interface ethernet 0
Firewall(config-if-Ethernet0)# ip access-group 100 in (apply list 100 to packets arriving on interface Ethernet 0)
Firewall(config-if-Ethernet0)# ip access-group 101 in (apply list 101 to packets arriving on interface Ethernet 0)
Firewall(config-if-Ethernet0)# ip access-group 102 in (apply list 102 to packets arriving on interface Ethernet 0); this completes the configuration of the firewall;
Step two: a Linux-based Netfilter/iptables firewall architecture is set up. Network data is divided into three directions, inbound, forwarded and outbound, according to its flow: inbound data is distinguished from forwarded data by the routing decision, and forwarded data is distinguished from outbound data by local delivery. Processing is then inserted at the following points according to the direction of flow:
A. NF_IP_PRE_ROUTING, executed before the data is routed;
B. NF_IP_LOCAL_IN, executed after routing, for data destined for the local machine;
C. NF_IP_FORWARD, executed before the data is forwarded to another network interface;
D. NF_IP_POST_ROUTING, executed before the data leaves the machine;
E. NF_IP_LOCAL_OUT, executed for locally generated data before it is routed for output;
After a packet from the external network enters the system and passes IP header validation, it is processed at the first detection point, NF_IP_PRE_ROUTING, and then enters the routing code, which decides whether the datagram is to be forwarded or delivered to the local machine. If it is destined for the local machine, it is processed at the detection point NF_IP_LOCAL_IN and then passed to the upper-layer protocol; if it is to be forwarded, it is processed at NF_IP_FORWARD, and the forwarded packet is processed at the last detection point, NF_IP_POST_ROUTING, before being transmitted to the network. Locally generated data is processed by the hook function at NF_IP_LOCAL_OUT, then routed, then processed at NF_IP_POST_ROUTING before being sent to the network;
Step three: deploy the NIPS inline at the key positions of the network data that need protection. The firewall module inspects the network data flow of each network data packet, and the intrusion detection module judges whether the packet contains a malicious intrusion action. If the intrusion detection module finds that a packet contains a malicious network data flow, the DMZ switch inspects and processes the IP address of the malicious flow and produces a corresponding access control list; the intrusion prevention module is started immediately, blocks the connection carrying the malicious network data flow, and at the same time sends the related malicious flow to the control center together with alarm/log information.
2. The firewall management system based on network security according to claim 1, wherein in step two the Netfilter/Iptables firewall system architecture comprises:
a. a set of hook functions is defined for each network protocol, and the defined hook functions are called at several key points as a network data packet passes through the protocol stack; at each such key point the protocol stack calls the Netfilter framework, passing the network data packet and the hook-function label as parameters;
b. any module in the kernel can register one or more hooks of each protocol with the Netfilter framework and complete the hooking, so that when a data packet is passed to the Netfilter framework, the kernel checks whether any module has registered for that protocol and hook function; if so, the callback function that the module supplied at registration is called, which gives the modules the opportunity to inspect the data packet, discard it, or instruct Netfilter to pass it to a queue in user space;
c. for a packet queued to user space for asynchronous processing, a user process in the Netfilter framework can inspect the network data packet, modify it, and inject it back into the kernel through the same hook function by which it left the kernel.
3. The firewall management system based on network security according to claim 1, wherein in step two the Netfilter framework provides a set of hooks for the various protocols and stores it in a two-dimensional array of type struct list_head, nf_hooks; the two dimensions of the hook array are the protocol family and each call entry point of a network data packet. A detection module embedded in the Netfilter framework can register several hook functions at several call points of several protocol families, so that a complete chain of function pointers is constructed. Each time the protocol-stack code executes the NF_HOOK() function, the hook functions are triggered in sequence and process the protocol-stack content designated by the parameters in the network data packet; after processing, each registered hook function returns one of the following values to inform the Netfilter framework of the result, and the framework takes the corresponding action on the packet: NF_ACCEPT, to continue normal packet processing; NF_DROP, to discard the data packet, which has been processed by the corresponding hook function and need not be passed on; or a value indicating that the processed network data packet is to be placed in a processing queue and handled by a user process of the control and management center.
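The hook table and dispatch described in step two and claims 2 and 3 can be shown in user-space C. The following is an added example written for this page, not code from the patent or from the Linux kernel: it models the two-dimensional nf_hooks[protocol family][call point] table as per-slot lists of function pointers ordered by priority, an NF_HOOK()-style dispatcher that stops at the first hook returning anything other than NF_ACCEPT, and the inbound path PRE_ROUTING, then routing decision, then LOCAL_IN or FORWARD plus POST_ROUTING. The struct sim_pkt, the three sample hooks, the address values and the name NF_QUEUE for the "hand to a user-space queue" verdict are assumptions made for the example (NF_QUEUE is the real Netfilter name; the claim does not name it).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Verdicts a hook hands back.  NF_ACCEPT and NF_DROP are the claim's names;
 * NF_QUEUE is the real Netfilter name for "pass to a user-space queue",
 * the third outcome the claim describes (values as in the Linux headers). */
enum nf_verdict { NF_DROP = 0, NF_ACCEPT = 1, NF_QUEUE = 3 };

/* The five IPv4 call points of step two, in the order traffic meets them. */
enum nf_ip_hook { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
                  NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };

/* Protocol-family dimension of the table (simplified to two families). */
enum { PF_SIM_INET = 0, PF_SIM_INET6 = 1, NPROTO_SIM = 2 };

/* Constructed stand-in for sk_buff: only the fields the hooks look at. */
struct sim_pkt {
    uint32_t saddr, daddr;   /* IPv4 addresses, host byte order */
    uint8_t  proto;          /* 6 = TCP, 17 = UDP */
    uint16_t dport;
    uint8_t  ttl;
};

typedef unsigned (*nf_hookfn)(unsigned hooknum, struct sim_pkt *pkt);

/* One registration.  Each nf_hooks[pf][hooknum] slot heads a list kept in
 * priority order, mirroring struct nf_hook_ops chained off the kernel's
 * struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS]. */
struct nf_hook_ops {
    nf_hookfn hook;
    int priority;                 /* lower value runs first */
    struct nf_hook_ops *next;
};

static struct nf_hook_ops *nf_hooks[NPROTO_SIM][NF_IP_NUMHOOKS];

int nf_register_hook(int pf, unsigned hooknum, struct nf_hook_ops *ops)
{
    struct nf_hook_ops **pp;
    if (pf < 0 || pf >= NPROTO_SIM || hooknum >= NF_IP_NUMHOOKS) return -1;
    for (pp = &nf_hooks[pf][hooknum]; *pp && (*pp)->priority <= ops->priority;
         pp = &(*pp)->next)
        ;
    ops->next = *pp;
    *pp = ops;
    return 0;
}

/* NF_HOOK(): run the chain for one call point.  The first hook that does not
 * return NF_ACCEPT ends the walk and its verdict is the framework's answer. */
unsigned nf_hook_run(int pf, unsigned hooknum, struct sim_pkt *pkt)
{
    struct nf_hook_ops *ops;
    for (ops = nf_hooks[pf][hooknum]; ops; ops = ops->next) {
        unsigned v = ops->hook(hooknum, pkt);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Three illustrative hooks: a sanity check, a forwarding policy, and a
 * hand-off of locally delivered SSH to the user-space inspector (claim 2c). */
static unsigned drop_expired_ttl(unsigned h, struct sim_pkt *p)
{ (void)h; return p->ttl == 0 ? NF_DROP : NF_ACCEPT; }
static unsigned block_forwarded_telnet(unsigned h, struct sim_pkt *p)
{ (void)h; return (p->proto == 6 && p->dport == 23) ? NF_DROP : NF_ACCEPT; }
static unsigned queue_local_ssh(unsigned h, struct sim_pkt *p)
{ (void)h; return (p->proto == 6 && p->dport == 22) ? NF_QUEUE : NF_ACCEPT; }

static struct nf_hook_ops ops_ttl    = { drop_expired_ttl,       -100, NULL };
static struct nf_hook_ops ops_telnet = { block_forwarded_telnet,    0, NULL };
static struct nf_hook_ops ops_ssh    = { queue_local_ssh,           0, NULL };

void setup_hooks(void)   /* idempotent: registering the same ops twice would loop the list */
{
    static int done;
    if (done) return;
    done = 1;
    nf_register_hook(PF_SIM_INET, NF_IP_PRE_ROUTING, &ops_ttl);
    nf_register_hook(PF_SIM_INET, NF_IP_FORWARD,     &ops_telnet);
    nf_register_hook(PF_SIM_INET, NF_IP_LOCAL_IN,    &ops_ssh);
}

/* Walk an inbound packet along the path step two describes:
 * PRE_ROUTING -> routing decision -> LOCAL_IN, or FORWARD -> POST_ROUTING.
 * local_addr is the address the routing code treats as this host. */
unsigned walk_inbound(struct sim_pkt *p, uint32_t local_addr)
{
    unsigned v;
    setup_hooks();
    v = nf_hook_run(PF_SIM_INET, NF_IP_PRE_ROUTING, p);
    if (v != NF_ACCEPT) return v;
    if (p->daddr == local_addr)
        return nf_hook_run(PF_SIM_INET, NF_IP_LOCAL_IN, p);
    v = nf_hook_run(PF_SIM_INET, NF_IP_FORWARD, p);
    if (v != NF_ACCEPT) return v;
    return nf_hook_run(PF_SIM_INET, NF_IP_POST_ROUTING, p);
}

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Scalar front end: final verdict for one constructed packet. */
unsigned verdict_for(uint32_t saddr, uint32_t daddr, uint8_t proto,
                     uint16_t dport, uint8_t ttl, uint32_t local_addr)
{
    struct sim_pkt p = { saddr, daddr, proto, dport, ttl };
    return walk_inbound(&p, local_addr);
}

int main(void)
{
    uint32_t me = IP4(10,0,0,1);   /* constructed address of this host */
    printf("ssh to this host : %u\n", verdict_for(IP4(203,0,113,7), me, 6, 22, 64, me));
    printf("telnet forwarded : %u\n", verdict_for(IP4(203,0,113,7), IP4(10,0,0,9), 6, 23, 64, me));
    printf("http forwarded   : %u\n", verdict_for(IP4(203,0,113,7), IP4(10,0,0,9), 6, 80, 64, me));
    return 0;
}
```

The point the model makes visible is that a hook registered on FORWARD never sees traffic the routing decision delivers locally, and vice versa: a policy must be attached to the call point the traffic actually passes, and a verdict from an earlier call point (here the TTL check at PRE_ROUTING) ends processing before later chains run.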
4. The firewall management system based on network security according to claim 1, wherein in step two the Netfilter framework covers three network data packet processing modes, namely packet screening, packet IP translation and packet inspection. Each of the three modes makes IP packet processing decisions at every insertion call point; an IP decision table is established for the decisions made at each insertion call point, the established IP decision table defines the related processing-behaviour tables in forward order, and the data packets passing through an insertion call point execute the behaviours of the IP decision table from top to bottom.
5. The firewall management system based on network security according to claim 1, wherein in step two the Linux operating system of the Netfilter/Iptables firewall system architecture comprises a kernel bridge module, which connects directly to the Netfilter/Iptables firewall system architecture under a 2.4.x kernel.
6. The firewall management system based on network security according to claim 1, wherein in step three, when determining whether a network data packet contains a malicious network data flow, only data packets with a correct IP address are forwarded, and in addition: (1) data packets that do not carry a legitimate source IP address are prevented from flowing out to the Internet; (2) undetected IP addresses are discarded; and (3) the packet header of each data packet entering the intrusion detection module is checked for normality.
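The three checks of claim 6 (source-address legitimacy, discarding of bogus addresses, header sanity) are shown below as an added C example written for this page; it is not code from the patent. The intranet prefix 10.0.0.0/8, the direction flag, the list of "bogus" source ranges and the constructed packets are assumptions: the claim does not say which addresses count as legitimate, so the example takes "legitimate source" to mean "inside the intranet prefix when leaving, outside it when arriving", which is the usual anti-spoofing rule.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of the per-packet check; anything other than IP_OK is discarded. */
enum ip_check { IP_OK = 0, IP_TOO_SHORT, IP_BAD_VERSION, IP_BAD_IHL, IP_BAD_LENGTH,
                IP_BAD_CHECKSUM, IP_BOGUS_ADDR, IP_SPOOFED_SRC };

/* Assumed intranet prefix 10.0.0.0/8 (constructed for this example). */
#define INTRANET_NET  0x0A000000u
#define INTRANET_MASK 0xFF000000u
#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* RFC 1071 one's-complement checksum over the header.  Computed over a header
 * that already carries a correct checksum field, the result is 0. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t ihl_bytes)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < ihl_bytes; i += 2) sum += rd16(hdr + i);
    while (sum >> 16) sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

static int is_intranet(uint32_t a) { return (a & INTRANET_MASK) == INTRANET_NET; }

/* Addresses that never belong in the source field of a unicast packet:
 * 0.0.0.0/8, loopback, limited broadcast, multicast and reserved space. */
static int bogus_source(uint32_t a)
{
    unsigned first = a >> 24;
    return first == 0 || first == 127 || first >= 224 || a == 0xFFFFFFFFu;
}

/* Check one raw IPv4 packet.  inbound != 0: it arrived from the external
 * network; inbound == 0: it is leaving the intranet for the Internet. */
int check_ipv4(const uint8_t *buf, size_t len, int inbound)
{
    unsigned ihl_bytes, total;
    uint32_t src, dst;
    if (len < 20) return IP_TOO_SHORT;
    if ((buf[0] >> 4) != 4) return IP_BAD_VERSION;
    ihl_bytes = (buf[0] & 0x0Fu) * 4u;
    if (ihl_bytes < 20 || ihl_bytes > len) return IP_BAD_IHL;
    total = rd16(buf + 2);
    if (total < ihl_bytes || total > len) return IP_BAD_LENGTH;
    if (ip_checksum(buf, ihl_bytes) != 0) return IP_BAD_CHECKSUM;
    src = rd32(buf + 12);
    dst = rd32(buf + 16);
    if (bogus_source(src) || dst == 0) return IP_BOGUS_ADDR;
    /* Anti-spoofing (claim 6, item 1): traffic from outside must not claim an
     * intranet source, and traffic leaving must carry an intranet source. */
    if (inbound && is_intranet(src)) return IP_SPOOFED_SRC;
    if (!inbound && !is_intranet(src)) return IP_SPOOFED_SRC;
    return IP_OK;
}

/* Build a 20-byte header plus payload with a correct checksum (test data). */
size_t build_ipv4(uint8_t *out, uint32_t src, uint32_t dst, uint8_t proto,
                  const uint8_t *payload, size_t plen)
{
    size_t total = 20 + plen;
    uint16_t csum;
    memset(out, 0, 20);
    out[0] = 0x45;                              /* version 4, IHL 5 words */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[8] = 64;                                /* TTL */
    out[9] = proto;
    wr32(out + 12, src);
    wr32(out + 16, dst);
    csum = ip_checksum(out, 20);
    out[10] = (uint8_t)(csum >> 8); out[11] = (uint8_t)csum;
    memcpy(out + 20, payload, plen);
    return total;
}

/* Numbered constructed cases so the outcome of each can be checked by value. */
int check_case(int which)
{
    static const uint8_t payload[4] = { 'p', 'i', 'n', 'g' };
    uint8_t pkt[64];
    uint32_t ext = IP4(203,0,113,7), inner = IP4(10,1,2,3);
    size_t n;
    switch (which) {
    case 0: n = build_ipv4(pkt, ext, inner, 6, payload, 4); return check_ipv4(pkt, n, 1);
    case 1: n = build_ipv4(pkt, IP4(10,9,9,9), inner, 6, payload, 4); return check_ipv4(pkt, n, 1);
    case 2: n = build_ipv4(pkt, IP4(198,51,100,2), ext, 17, payload, 4); return check_ipv4(pkt, n, 0);
    case 3: n = build_ipv4(pkt, ext, inner, 6, payload, 4); pkt[8] = 1; return check_ipv4(pkt, n, 1);
    case 4: n = build_ipv4(pkt, ext, inner, 6, payload, 4); pkt[0] = 0x44; return check_ipv4(pkt, n, 1);
    case 5: n = build_ipv4(pkt, IP4(127,0,0,1), inner, 6, payload, 4); return check_ipv4(pkt, n, 1);
    case 6: n = build_ipv4(pkt, inner, ext, 6, payload, 4); return check_ipv4(pkt, n, 0);
    default: return -1;
    }
}

int main(void)
{
    int i;
    for (i = 0; i <= 6; i++) printf("case %d -> %d\n", i, check_case(i));
    return 0;
}
```

The order of the checks matters: lengths and IHL are validated before the checksum is computed so that a short or malformed header never drives an out-of-bounds read, and the checksum is validated before any field is trusted. Case 3 (TTL altered after the checksum was computed) and case 4 (IHL of 4 words) are the "header not normal" situations of item 3; cases 1 and 2 are the direction-dependent spoofing checks of item 1.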
7. The firewall management system based on network security according to claim 1, wherein in step three the DMZ switch is configured as follows:
Switch(config)# access-list 103 permit tcp any eq <IP address> (configure an access rule allowing the IP address to access the port of the archive server);
Switch(config)# access-list 103 access-list 100 family ip any any (configure an access rule forbidding all packets that abnormally intrude into the intranet from passing);
Switch(config)# access-list 104 permit <IP address> (configure a rule allowing the management layer to log in to the internal data packet server);
Switch(config)# interface ethernet 0/1;
Switch(config-if-Ethernet0/1)# ip access-group 103 in (apply rule 103 to packets entering through interface Ethernet 0/1);
Switch(config-if-Ethernet0/1)# ip access-group 104 in (apply rule 104 to packets entering through interface Ethernet 0/1).
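The access lists of step one and claim 7, and the "top to bottom" decision-table evaluation of claim 4, all rely on the same matching rule: entries are tried in order, the first match decides, and a packet matching nothing is denied. The following is an added C example written for this page, not configuration or code from the patent; it encodes access-list 102 of step one and access-list 103 of claim 7 as entry tables and evaluates constructed packets against them. The addresses (203.0.113.10 for the administrative user, 10.0.0.20 for the archive server) and the archive port tcp/445 are assumptions standing in for the claims' "IP address" placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define ANY_ADDR  0u
#define ANY_MASK  0u               /* a zero mask matches every address ("any") */
#define HOST_MASK 0xFFFFFFFFu      /* an all-ones mask matches exactly one host */

enum { PROTO_IP = 0, PROTO_TCP = 6, PROTO_UDP = 17 };   /* 0 stands for "ip": any protocol */
enum { PORT_ANY, PORT_EQ, PORT_GT };                    /* destination-port operator */
enum { ACL_DENY = 0, ACL_PERMIT = 1 };

struct ace {                       /* one access-list entry, kept in list order */
    int      action;
    uint8_t  proto;
    uint32_t src, smask;
    uint32_t dst, dmask;
    int      port_op;
    uint16_t port;
};

struct pkt { uint32_t src, dst; uint8_t proto; uint16_t dport; };

static int ace_matches(const struct ace *e, const struct pkt *p)
{
    if (e->proto != PROTO_IP && e->proto != p->proto) return 0;
    if ((p->src & e->smask) != (e->src & e->smask)) return 0;
    if ((p->dst & e->dmask) != (e->dst & e->dmask)) return 0;
    switch (e->port_op) {
    case PORT_EQ: return p->dport == e->port;
    case PORT_GT: return p->dport >  e->port;
    default:      return 1;
    }
}

/* Evaluate the list top to bottom; the first matching entry decides and later
 * entries are never consulted.  A packet that matches nothing is denied, the
 * implicit "deny ip any any" with which Cisco-style lists end. */
int acl_eval(const struct ace *list, size_t n, const struct pkt *p)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (ace_matches(&list[i], p)) return list[i].action;
    return ACL_DENY;
}

/* Constructed addresses standing in for the claims' "IP address" placeholders. */
#define ADMIN_HOST  IP4(203,0,113,10)   /* the administrative user, outside */
#define ARCHIVE_SRV IP4(10,0,0,20)      /* the internal archive server */

/* access-list 102 of step one, entry for entry in the order the claim gives. */
static const struct ace acl102[] = {
    { ACL_PERMIT, PROTO_TCP, ADMIN_HOST, HOST_MASK, ARCHIVE_SRV, HOST_MASK, PORT_ANY, 0    },
    { ACL_PERMIT, PROTO_TCP, ANY_ADDR,   ANY_MASK,  ARCHIVE_SRV, HOST_MASK, PORT_GT,  1024 },
    { ACL_DENY,   PROTO_IP,  ANY_ADDR,   ANY_MASK,  ANY_ADDR,    ANY_MASK,  PORT_ANY, 0    },
};

/* access-list 103 of claim 7: only the archive server's port (assumed tcp/445). */
static const struct ace acl103[] = {
    { ACL_PERMIT, PROTO_TCP, ANY_ADDR, ANY_MASK, ARCHIVE_SRV, HOST_MASK, PORT_EQ,  445 },
    { ACL_DENY,   PROTO_IP,  ANY_ADDR, ANY_MASK, ANY_ADDR,    ANY_MASK,  PORT_ANY, 0   },
};

int eval102(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport)
{
    struct pkt p = { src, dst, proto, dport };
    return acl_eval(acl102, sizeof acl102 / sizeof acl102[0], &p);
}

int eval103(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport)
{
    struct pkt p = { src, dst, proto, dport };
    return acl_eval(acl103, sizeof acl103 / sizeof acl103[0], &p);
}

int main(void)
{
    uint32_t other = IP4(198,51,100,9);   /* constructed non-administrative host */
    printf("admin -> archive tcp/22     : %d\n", eval102(ADMIN_HOST, ARCHIVE_SRV, PROTO_TCP, 22));
    printf("other -> archive tcp/8443   : %d\n", eval102(other, ARCHIVE_SRV, PROTO_TCP, 8443));
    printf("other -> archive tcp/80     : %d\n", eval102(other, ARCHIVE_SRV, PROTO_TCP, 80));
    printf("other -> archive tcp/445 103: %d\n", eval103(other, ARCHIVE_SRV, PROTO_TCP, 445));
    return 0;
}
```

Because the first match wins, the position of a "deny ip any any" entry decides what the list does: placed last, as in access-list 102 above, it is the catch-all; placed first, it would shadow every permit after it. When reviewing a list such as the ones in step one and claim 7, read it in the order the device evaluates it and confirm that each permit can actually be reached.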
8. The firewall management system based on network security according to claim 1, wherein in step three, when detecting whether a network data packet contains malicious network data streams, the intrusion detection module examines the network data streams from four levels: objective factors, management confusion, subjective awareness and lack of decision-making. Objective factors: network threats are ever more numerous and of varying quality, which facilitates threats such as the Panda Burning Incense worm and trojan horses. Management confusion: the network management system is incomplete, so when the intrusion detection module inspects network data streams it must screen the network management system completely. Subjective awareness: cognitive awareness is weak and awareness of network management law is thin, so the intrusion detection module detects malicious network data streams according to the network management law protocol. Lack of decision-making: network data streams containing malicious streams are released because the system's network security decisions and its operation and maintenance processes are incomplete. The intrusion detection module is based on the Netfilter/Iptables system architecture of the Linux firewall and then detects the data packets, which are divided according to the flow direction of the network data into the three categories of inflow, forwarding and outflow.
CN202211350304.1A 2022-10-31 2022-10-31 Firewall management system based on network security Pending CN115941264A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211350304.1A CN115941264A (en) 2022-10-31 2022-10-31 Firewall management system based on network security

Publications (1)

Publication Number Publication Date
CN115941264A true CN115941264A (en) 2023-04-07

Family

ID=86699692

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090126003A1 (en) * 2007-05-30 2009-05-14 Yoggie Security Systems, Inc. System And Method For Providing Network And Computer Firewall Protection With Dynamic Address Isolation To A Device
CN213693762U (en) * 2020-10-16 2021-07-13 安徽健坤通信股份有限公司 Network intrusion prevention system
CN113872972A (en) * 2021-09-28 2021-12-31 深圳市众云网科技有限公司 Intelligent network safety monitoring system
CN115174269A (en) * 2022-09-05 2022-10-11 中国人民解放军国防科技大学 Linux host network communication security protection method and device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"典型防火墙配置案例-组网需求": ""典型防火墙配置案例-组网需求"", 《HTTPS://BLOG.CSDN.NET/CSUCXCC/ARTICLE/DETAILS/1683440》, pages 1 - 4 *
WJH168: ""Configure Extended Access Lists"", 《HTTPS://BLOG.CSDN.NET/WJH168/ARTICLE/DETAILS/7306047》, pages 1 - 10 *
刘方: ""一种自适应的网络入侵防御系统的设计与实现"", 《中国优秀硕士论文全文数据库》, pages 1 - 33 *
邓发乔: ""入侵防御系统研究与设计实现"", 《中国优秀硕士论文全文数据库》, pages 1 - 39 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117176475A (en) * 2023-11-02 2023-12-05 成都卓拙科技有限公司 Rule configuration method and device, linux host and storage medium
CN117176475B (en) * 2023-11-02 2024-02-27 成都卓拙科技有限公司 Rule configuration method and device, linux host and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination