CN116192921A - Database auditing method and device based on multiple firewalls - Google Patents

Info

Publication number
CN116192921A
Authority
CN
China
Prior art keywords
firewall
data packet
database
auditing
session
Prior art date
Legal status
Pending
Application number
CN202310199274.7A
Other languages
Chinese (zh)
Inventor
刘晓韬
高强花
Current Assignee
Beijing Dbsec Technology Co ltd
Original Assignee
Beijing Dbsec Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Dbsec Technology Co ltd
Priority to CN202310199274.7A
Publication of CN116192921A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a database auditing method and device based on multiple firewalls. The method comprises the following steps: each firewall among the plurality of firewalls transmits the session information of the sessions established through it to the other firewalls; a first firewall receives a data packet exchanged between a database client and the database and judges whether the session to which the packet belongs was established through the first firewall; if so, it sends the packet to the auditing program arranged on the first firewall for auditing; if not, it obtains the second firewall through which that session was established and sends the packet to the second firewall. The method and device solve the problem in the prior art that traffic accessing the database is scattered over different firewalls for auditing, so that no complete auditing result can be obtained, and thereby ensure the integrity of the database auditing result to a certain extent.

Description

Database auditing method and device based on multiple firewalls
Technical Field
The application relates to the field of database auditing, in particular to a database auditing method and device based on multiple firewalls.
Background
Database auditing (DBAudit for short) is centred on security events. Based on comprehensive and accurate auditing, it records database activity on the network in real time, performs fine-grained compliance auditing of database operations, and raises real-time alerts on risky behaviour against the database. By recording, analysing and reporting users' access to the database, it helps the user generate compliance reports afterwards and trace the source of incidents; using big-data search it also provides efficient querying of audit reports and locates the cause of an event for later query, analysis and filtering. In this way the network behaviour of internal and external database access is monitored and audited, improving the security of data assets.
When auditing a database, the traffic accessing the database is generally captured and audited. To protect the database, a firewall is placed in front of it. A network firewall is a special internetworking device used to strengthen access control between networks: all traffic flowing in and out of the protected hosts passes through it. The firewall inspects that traffic for known attacks so that they can be filtered out before they are executed on the target host. It can also close ports that are not in use, block outbound communication on particular ports (which hampers trojans), and refuse access from particular sites, cutting off all communication from unknown intruders.
When the database sits behind a firewall, traffic accessing the database can be passed by the firewall to an auditing program for auditing; that program may run on the firewall itself or on another device connected to the firewall.
To avoid a single firewall being both a single point of failure and a bottleneck, two or more firewalls are deployed in front of the database. On the one hand the number of available firewalls increases, so the security risk that arises when one firewall fails is avoided; on the other hand several firewalls can share the traffic, balancing the load between them. This, however, creates a problem for database auditing: the packets of one database session may be spread across different firewalls and therefore audited by different auditing programs, so no complete auditing result is obtained.
Disclosure of Invention
The embodiment of the application provides a database auditing method and device based on multiple firewalls, which are used for at least solving the problem that in the prior art, complete auditing results cannot be obtained because traffic accessing a database is scattered to different firewalls for auditing.
According to one aspect of the present application, there is provided a database auditing method based on multiple firewalls, including: each firewall in the plurality of firewalls transmits the session information of the sessions established through it to the other firewalls in the plurality; a session is established between a database client and a database through at least one of the plurality of firewalls, and each firewall is provided with an auditing program for auditing the data packets exchanged between the database client and the database; a first firewall, being one of the plurality of firewalls, receives a data packet exchanged between the database client and the database; the first firewall judges whether the session to which the data packet belongs was established through the first firewall, and if so sends the data packet to the auditing program arranged on the first firewall for auditing; if not, the first firewall obtains the second firewall through which the session was established, the second firewall being another of the plurality of firewalls, and sends the data packet to it; and after the second firewall receives the data packet, it sends the data packet to the auditing program arranged on the second firewall for auditing.
According to another aspect of the present application, there is also provided a database auditing apparatus based on multiple firewalls, located in a first firewall, including: a sending module for sending the session information of the sessions established through this firewall to the other firewalls in the plurality of firewalls, where a session is established between a database client and a database through at least one of the plurality of firewalls and each firewall is provided with an auditing program for auditing the data packets exchanged between the database client and the database; a receiving module for receiving a data packet exchanged between the database client and the database, the first firewall being one of the plurality of firewalls; and a judging module for judging whether the session to which the data packet belongs was established through the first firewall, and if so sending the data packet to the auditing program arranged on the first firewall for auditing, and if not obtaining the second firewall through which the session was established, the second firewall being another of the plurality of firewalls, and sending the data packet to it, whereupon the second firewall, after receiving the data packet, sends it to the auditing program arranged on the second firewall for auditing.
According to another aspect of the present application, there is also provided an electronic device including a memory and a processor; wherein the memory is configured to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to perform the method steps described above.
According to another aspect of the present application, there is also provided a readable storage medium having stored thereon computer instructions which when executed by a processor perform the above-mentioned method steps.
In the embodiments of the application, each firewall in the plurality of firewalls sends the session information of the sessions established through it to the other firewalls; a session is established between a database client and a database through at least one of the plurality of firewalls, and each firewall is provided with an auditing program for auditing the data packets exchanged between the database client and the database; a first firewall, one of the plurality of firewalls, receives a data packet exchanged between the database client and the database and judges whether the session to which the packet belongs was established through the first firewall; if so, it sends the packet to the auditing program arranged on the first firewall for auditing; if not, it obtains the second firewall through which the session was established (another of the plurality of firewalls) and sends the packet to the second firewall, which after receiving it sends it to the auditing program arranged on the second firewall for auditing. The method and device solve the problem in the prior art that traffic accessing the database is scattered over different firewalls for auditing, so that no complete auditing result can be obtained, and thereby ensure the integrity of the database auditing result to a certain extent.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, illustrate and explain the application and are not to be construed as limiting the application. In the drawings:
FIG. 1 is a schematic diagram of a system for database auditing with firewalls according to an embodiment of the application;
FIG. 2 is a flow chart of a multi-firewall based database auditing method according to an embodiment of the present application; and
FIG. 3 is a schematic diagram of sending session information between firewalls according to an embodiment of the present application.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The following embodiments refer to database auditing, firewalls and related concepts, so the technical terms used in them are explained first.
TCP protocol
The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream based transport layer communication protocol, defined by IETF RFC 793. TCP is intended to accommodate a layered protocol hierarchy that supports multiple network applications. Reliable communication services are provided by means of TCP between pairs of processes in host computers connected to different but interconnected computer communication networks. TCP assumes that it can obtain simple, possibly unreliable datagram services from lower level protocols. In principle, TCP should be able to operate over a variety of communication systems from hardwired to packet-switched or circuit-switched networks.
TCP connection
A TCP connection is a connection established at two communication ends using the TCP protocol, e.g., a client and a server may establish a TCP connection via the TCP protocol.
A TCP connection passes through a number of states; those relevant here are:
Closed state (CLOSED): no connection exists.
Listening state (LISTEN): waiting for a connection request from any remote TCP port.
Synchronisation sent state (SYN-SENT): a connection request has been sent and a matching connection request is awaited (client side).
Synchronisation received state (SYN-RECEIVED): a connection request has been both received and sent, and the other side's acknowledgement of it is awaited (server side).
Established state (ESTABLISHED): the connection is open and data can be exchanged.
The state changes during connection establishment are as follows. Initially both the server and the client are in the CLOSED state. The server creates a socket, starts listening, and moves to LISTEN. The client requests a connection by sending a synchronisation (SYN) segment to the server and moves to SYN-SENT. On receiving it, the server replies with a segment carrying both an acknowledgement (ACK) and its own SYN, and moves to SYN-RECEIVED. When the client receives that SYN+ACK it sends an ACK to the server and moves to ESTABLISHED; the server moves to ESTABLISHED once it receives that ACK. The three-way handshake is then complete and the connection is established.
The three-way handshake proceeds as follows:
1. The client sends the server a connection request with SYN=1 and its initial sequence number seq=x.
2. On receiving it, the server replies with ACK=1 and the acknowledgement number set to x+1, meaning that the segment with sequence number x was received and the next expected sequence number is x+1. The same segment carries SYN=1 and the server's own initial sequence number seq=y, requesting the reverse direction of the connection (this is what makes the connection full duplex).
3. The client acknowledges the server's request with ACK=1 and acknowledgement number y+1, meaning that the next expected sequence number from the server is y+1; its own sequence number in this segment is x+1, the value the server expects.
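The handshake above, tracked from the point of view of a passive observer such as a firewall that has to decide which side is the client and when a session exists. This is an added example and not code from the patent; the segment labels, the initial sequence numbers x=1000 and y=5000, and the in-memory segments are constructed for the example.

```python
"""TCP three-way-handshake tracker (added example, not from the patent text).

Walks one connection through CLOSED / LISTEN / SYN-SENT / SYN-RECEIVED /
ESTABLISHED and checks the seq/ack arithmetic of the three segments:
SYN (seq=x), SYN+ACK (seq=y, ack=x+1), ACK (seq=x+1, ack=y+1).
The segments are constructed in memory; nothing is sent on the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    sender: str          # "client" or "server" (labels chosen for this example)
    syn: bool
    ack: bool
    seq: int
    ack_num: int = 0


class HandshakeTracker:
    """State of both ends of one TCP connection as seen by a passive observer."""

    def __init__(self) -> None:
        self.client_state = "CLOSED"
        self.server_state = "LISTEN"     # the server socket is already listening
        self.client_isn = None           # x
        self.server_isn = None           # y

    def observe(self, s: Segment) -> None:
        if s.sender == "client" and s.syn and not s.ack:
            # step 1: SYN=1, seq=x
            if self.client_state != "CLOSED":
                raise ValueError(f"unexpected SYN in state {self.client_state}")
            self.client_isn = s.seq
            self.client_state = "SYN-SENT"
        elif s.sender == "server" and s.syn and s.ack:
            # step 2: SYN=1, ACK=1, seq=y, ack=x+1
            if self.client_state != "SYN-SENT" or self.server_state != "LISTEN":
                raise ValueError("SYN+ACK without a preceding SYN")
            if s.ack_num != self.client_isn + 1:
                raise ValueError(f"ack {s.ack_num} does not acknowledge seq {self.client_isn}")
            self.server_isn = s.seq
            self.server_state = "SYN-RECEIVED"
        elif s.sender == "client" and s.ack and not s.syn:
            # step 3: ACK=1, seq=x+1, ack=y+1
            if self.server_state != "SYN-RECEIVED":
                raise ValueError("ACK without a preceding SYN+ACK")
            if s.seq != self.client_isn + 1 or s.ack_num != self.server_isn + 1:
                raise ValueError("final ACK carries wrong seq/ack numbers")
            self.client_state = self.server_state = "ESTABLISHED"
        else:
            raise ValueError("segment is not part of a handshake")

    @property
    def established(self) -> bool:
        return self.client_state == self.server_state == "ESTABLISHED"


def run_handshake(x: int = 1000, y: int = 5000) -> HandshakeTracker:
    """Replays a correct handshake with client ISN x and server ISN y."""
    t = HandshakeTracker()
    for s in (
        Segment("client", syn=True, ack=False, seq=x),
        Segment("server", syn=True, ack=True, seq=y, ack_num=x + 1),
        Segment("client", syn=False, ack=True, seq=x + 1, ack_num=y + 1),
    ):
        t.observe(s)
    return t


def bad_synack_rejected(x: int = 1000, y: int = 5000) -> bool:
    """A SYN+ACK whose ack number is not x+1 must be refused; True if it was."""
    t = HandshakeTracker()
    t.observe(Segment("client", syn=True, ack=False, seq=x))
    try:
        t.observe(Segment("server", syn=True, ack=True, seq=y, ack_num=x + 7))
    except ValueError:
        return not t.established
    return False


if __name__ == "__main__":
    print(run_handshake().established, bad_synack_rejected())
```

The ack-number checks matter for the auditing scenario later in the text: a firewall that records seq and ack values from a SYN+ACK can only trust them if they match the SYN it saw (or a peer firewall saw), which is the same arithmetic the tracker enforces.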
FIG. 1 is a schematic diagram of a system for auditing a database with firewalls according to an embodiment of the application. As shown in FIG. 1, the system may include a plurality of firewalls (two, firewall 1 and firewall 2, are shown). Database access traffic passes through a load balancing server, which sends it to firewall 1 or firewall 2 according to their running states. Firewall 1 and firewall 2 forward the access traffic to the database on the one hand, and on the other hand audit both the access traffic and the results returned by the database: auditing programs (not shown in FIG. 1) are provided on firewall 1 and firewall 2, and the access to the database (the access traffic together with the returned results) is audited by them.
In FIG. 1, because of the load balancing server, the access traffic of one session may be sent partly to firewall 1 and partly to firewall 2, so the audit result is scattered over both firewalls and no complete audit result can be obtained.
To solve this problem, the following embodiments provide a multi-firewall based database auditing method. FIG. 2 is a flowchart of the method according to an embodiment of the present application; the steps shown in FIG. 2 are described below.
Step S202: each firewall in the plurality of firewalls sends the session information of the sessions established through it to the other firewalls; a session is established between the database client and the database through at least one of the plurality of firewalls, and each firewall is provided with an auditing program for auditing the data packets exchanged between the database client and the database.
In step S204, a first firewall receives a data packet interacted between the database client and the database, where the first firewall is one of the plurality of firewalls.
Step S206, the first firewall judges whether the session to which the data packet belongs is established through the first firewall, if so, the first firewall sends the data packet to an auditing program arranged on the first firewall for auditing.
Step S208, if not, the first firewall obtains a second firewall that establishes a session to which the data packet belongs, and sends the data packet to the second firewall, where the second firewall is one of the multiple firewalls.
Step S210, after receiving the data packet, the second firewall sends the data packet to an auditing program set on the second firewall for auditing.
In the above steps each firewall records every session it created, so each firewall can tell which firewall the session of a given data packet belongs to and can send the packet to that firewall; the data packets of one session are therefore guaranteed to be audited by the same firewall. This solves the prior-art problem that no complete auditing result can be obtained because the traffic accessing the database is scattered over different firewalls for auditing, and ensures the integrity of the database auditing result to a certain extent.
FIG. 3 is a schematic diagram of sending session information between firewalls according to an embodiment of the present application. The system in FIG. 3 is essentially that of FIG. 1: it includes multiple firewalls, the database access traffic passes through a load balancing server that sends it to firewall 1 or firewall 2 according to their running states, and firewall 1 and firewall 2 forward the traffic to the database on the one hand and, through their auditing programs, audit the access traffic and the results returned by the database on the other. Unlike FIG. 1, in FIG. 3 firewall 1 and firewall 2 exchange information: firewall 1 sends the session information of the sessions established on it to firewall 2, and firewall 2 sends the session information of the sessions established on it to firewall 1.
As an optional implementation, the load balancing server is connected to the plurality of firewalls. When it receives from a database client the first synchronisation (SYN) message for establishing a TCP connection, it obtains either the load of the auditing program on each firewall or the number of data packets each auditing program has already audited, selects the firewall whose auditing program has the smallest load (or has audited the fewest packets), and sends the first SYN message to that firewall.
When the selected firewall receives the first SYN message, it checks whether the number of data packets its auditing program has not yet audited exceeds a threshold. If it does not, the firewall forwards the SYN message to the database; if it does, the firewall returns the SYN message to the load balancing server, which selects another firewall and sends the SYN message to the newly selected one.
The session information may include the network address of the database client, the port number of the database client, the network address of the database, and the port number of the database. Under this definition, connections from different database clients to the same database belong to different sessions, as do connections from the same database client to different databases. In an optional implementation, the first firewall judges whether the session of a data packet was established through it as follows: it looks up the session information recorded on it using the source network address and port number and the destination network address and port number of the packet (the session information consisting of the client's network address and port number and the database's network address and port number); if it finds session information matching the packet's source and destination addresses and ports, it then checks whether the session corresponding to that session information was established on the first firewall.
The second firewall can also distinguish whether a data packet came from another firewall, and process it differently: the second firewall judges whether the packet originates from another firewall, and once it determines that it does, it sends the packet to the auditing program arranged on the second firewall for auditing.
As an optional implementation, when the second firewall determines that a data packet originates from another firewall, it sends the packet to its own auditing program for auditing and, in addition, takes the packet's source network address and port number and destination network address and port number and sends them as session information to that other firewall, to indicate that the session to which the packet belongs is located on the second firewall.
When the second firewall determines that the data packet originates from the database client or the database, it looks up the session of the packet in its locally recorded session information, and if that session was established by the second firewall, it sends the packet to the auditing program arranged on the second firewall for auditing.
When a data packet reaches a firewall, the firewall first checks whether the packet belongs to the database it protects. Only packets accessing the protected database enter the processing flow below; packets that do not access the protected database are neither processed nor forwarded by the firewall.
Take the case of two firewalls. If the first firewall (firewall 1) receives a SYN+ACK packet (or message) of a session, the fact that the packet carries both SYN and ACK means that a database client has already sent the initial SYN to the database. The first firewall records the sequence number (seq) and acknowledgement (ack) information carried in the SYN+ACK, then passes the SYN+ACK to the second firewall (firewall 2); the second firewall records the seq and ack information as well and passes the packet back to the first firewall, the one that received the SYN+ACK. Through this exchange the first firewall informs the second that the session set up by this SYN+ACK is handled by the first firewall.
When the first firewall receives a non-SYN request packet of a session, it creates (looks up) the session. If it has already recorded the SYN+ACK of that session, it determines that the session's packets are handled by it, passes the packet to a protocol analysis process (NPP), and the protocol analysis process hands the packet straight to the auditing program for auditing.
If the second firewall receives a response packet of that session, it has likewise recorded that the session is handled by the first firewall, so it passes the response packet directly to the first firewall. The first firewall confirms that the session was created there, has the packet audited on itself, and after auditing forwards the packet onward according to the port recorded for the session. If the first firewall has not created the session, the packet is sent back to the second firewall, which on receiving it decides whether to handle the session itself; if so, the session is processed on the second firewall, otherwise it is passed to another firewall for processing.
In an alternative embodiment, to stop a data packet bouncing indefinitely between the first and the second firewall, the first firewall records any packet received from the second firewall whose session is not handled on the first firewall; the record indicates that the packet has already been exchanged with the second firewall once. If the first firewall receives the same packet again, it knows from the record that the packet has already been forwarded to the second firewall, so it forwards the packet to a firewall other than the second. Once the packet has been forwarded to every firewall, the first firewall audits it itself, records the session information for it, and handles that session's packets from then on.
With this embodiment, the firewall that created a session can be identified and all data packets of the session are audited on that firewall, so the database access traffic of one session is guaranteed to be audited on the same firewall.
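The procedure of steps S202 to S210, together with the load-balancer selection and backlog threshold described above and the rule that stops a packet of an unknown session bouncing between firewalls, as an added example in Python. This is not code from the patent or from the assignee; the host addresses, ports, payloads, the backlog threshold and the "offer to each peer once, then adopt" rule are constructed for the example, and the session table is the four-tuple of client address, client port, database address and database port named in the text.

```python
"""Session-affinity routing between audited firewalls (added example, not from the patent).

Models steps S202 to S210 in memory: a load balancer hands each new client SYN to the
firewall that has audited the fewest packets (skipping one whose unaudited backlog exceeds
a threshold), every firewall announces the sessions it established to its peers, and a
packet reaching a firewall that does not own its session is forwarded to the owner; a
session no firewall knows is offered to each peer once, then adopted. Inputs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SessionKey = Tuple[str, int, str, int]   # client ip, client port, database ip, database port
BACKLOG_THRESHOLD = 100                  # hypothetical limit on packets not yet audited


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    payload: str = ""


class Firewall:
    def __init__(self, name: str, db_hosts: Set[str]) -> None:
        self.name, self.db_hosts = name, db_hosts
        self.peers: List["Firewall"] = []                  # filled in by LoadBalancer
        self.owner_of: Dict[SessionKey, str] = {}          # session -> owning firewall (S202)
        self.audit_log: List[Tuple[SessionKey, str]] = []  # what the local audit program saw
        self.backlog = 0                                   # packets queued but not yet audited
        self.tried: Dict[SessionKey, Set[str]] = {}        # peers already asked about a session

    def session_key(self, p: Packet) -> Optional[SessionKey]:
        """Put both directions of a flow in (client, database) order; None if no protected DB."""
        if p.dst_ip in self.db_hosts:
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if p.src_ip in self.db_hosts:
            return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return None

    def announce(self, key: SessionKey) -> None:
        """Record the session locally and send its session information to every peer."""
        for fw in [self] + self.peers:
            fw.owner_of[key] = self.name

    def audit(self, key: SessionKey, p: Packet) -> str:
        self.audit_log.append((key, p.payload))
        return self.name

    def receive(self, p: Packet, from_fw: Optional["Firewall"] = None) -> Optional[str]:
        """Return the name of the firewall whose audit program got the packet, or None if dropped."""
        key = self.session_key(p)
        if key is None:                          # not traffic of a protected database
            return None
        if p.syn and not p.ack:                  # client SYN: the session is established through us
            self.announce(key)
        owner = self.owner_of.get(key)
        if owner == self.name:                   # S206: our own session -> local audit program
            return self.audit(key, p)
        if owner is not None:                    # S208/S210: hand the packet to its owner
            return next(fw for fw in self.peers if fw.name == owner).receive(p, from_fw=self)
        tried = self.tried.setdefault(key, set())  # unknown session: ask each peer once
        if from_fw is not None:
            tried.add(from_fw.name)
        for fw in self.peers:
            if fw.name not in tried:
                tried.add(fw.name)
                return fw.receive(p, from_fw=self)
        self.announce(key)                       # everyone has been asked: we take the session
        return self.audit(key, p)


class LoadBalancer:
    def __init__(self, firewalls: List[Firewall]) -> None:
        self.firewalls = firewalls
        for fw in firewalls:
            fw.peers = [other for other in firewalls if other is not fw]

    def dispatch_syn(self, p: Packet) -> Optional[str]:
        """Send a new SYN to the least-used firewall that is not backlogged."""
        for fw in sorted(self.firewalls, key=lambda f: len(f.audit_log)):
            if fw.backlog <= BACKLOG_THRESHOLD:  # otherwise the firewall would bounce the SYN back
                return fw.receive(p)
        return None


def demo() -> Dict[str, List[Optional[str]]]:
    """Two firewalls in front of one database; returns which firewall audited each packet."""
    fw1, fw2 = Firewall("fw1", {"10.0.0.5"}), Firewall("fw2", {"10.0.0.5"})
    lb = LoadBalancer([fw1, fw2])
    db, a, b = ("10.0.0.5", 3306), ("192.168.1.20", 40001), ("192.168.1.21", 40002)
    out: Dict[str, List[Optional[str]]] = {"A": [], "B": [], "other": []}
    fw1.backlog = BACKLOG_THRESHOLD + 1      # fw1 is behind on auditing, so session A's SYN goes to fw2
    out["A"].append(lb.dispatch_syn(Packet(*a, *db, syn=True)))
    out["A"].append(fw1.receive(Packet(*a, *db, payload="SELECT 1")))  # later packets hit fw1 ...
    out["A"].append(fw1.receive(Packet(*db, *a, payload="1 row")))     # ... but are audited on fw2
    out["B"].append(fw2.receive(Packet(*db, *b, payload="reply")))     # only the server side is seen
    out["B"].append(fw1.receive(Packet(*b, *db, payload="SELECT 2")))
    out["other"].append(fw1.receive(Packet("192.168.1.20", 5000, "10.0.0.9", 22)))
    return out
```

Running demo() shows every packet of session A landing on fw2's audit log although the later packets arrived at fw1, and session B, whose SYN no firewall saw, ending up with a single owner after one round of offers. The "tried" set is what prevents the ping-pong the text warns about: each firewall offers an unknown session to every peer at most once and then keeps it, so the number of forwards is bounded by the number of firewalls.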
In this embodiment, there is provided an electronic device including a memory in which a computer program is stored, and a processor configured to run the computer program to perform the method in the above embodiment.
The above-described programs may be run on a processor or may also be stored in memory (or computer-readable media), including permanent and non-permanent, removable and non-removable media, where information storage may be implemented by any method or technique. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks, and corresponding steps may be implemented in different modules.
Such an apparatus or system is also provided in this embodiment. The device, called a multi-firewall based database auditing device, is located in a first firewall and comprises: a sending module for sending the session information of a session established through the firewall to the other firewalls in the plurality of firewalls, where the session is established between a database client and a database through at least one of the plurality of firewalls, and each of the firewalls is provided with an auditing program for auditing the data packets exchanged between the database client and the database; a receiving module for receiving a data packet exchanged between the database client and the database, where the first firewall is one of the plurality of firewalls; and a judging module for judging whether the session to which the data packet belongs was established through the first firewall, and if so, sending the data packet to the auditing program arranged on the first firewall for auditing; if not, obtaining the second firewall that established the session to which the data packet belongs and sending the data packet to the second firewall, where the second firewall is one of the plurality of firewalls, and the second firewall, after receiving the data packet, sends it to the auditing program arranged on the second firewall for auditing.
The system or the device is used for realizing the functions of the method in the above embodiment, and each module in the system or the device corresponds to each step in the method, which has been described in the method, and will not be described herein.
Optionally, the judging module is configured to: search the session information recorded in the first firewall according to the source network address and port number and the destination network address and port number of the data packet, where the session information comprises the network address of the database client, the port number of the database client, the network address of the database and the port number of the database; and, if session information matching the source network address and port number and the destination network address and port number of the data packet is found, determine whether the session corresponding to the matched session information was established in the first firewall.
Optionally, the apparatus further comprises a second judging module and a second sending module located on the second firewall, where the second judging module is used for judging whether the data packet originates from another firewall, and the second sending module is used for sending the data packet to the auditing program arranged on the second firewall for auditing after determining that the data packet originates from another firewall.
Optionally, the second sending module is configured to, when it is determined that the data packet originates from the database client or the database, search, by the second firewall, a session to which the data packet belongs in locally recorded session information, and when the session to which the data packet belongs is established by the second firewall, send, by the second firewall, the data packet to an audit program set on the second firewall for auditing.
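The dispatch logic of the first and second firewalls described above (lookup by the packet's source and destination address and port, forwarding to the firewall that established the session, and the alternative embodiment's guard against a packet bouncing between firewalls), as an added Python illustration that is not the patent's own code. Firewall names, the 4-tuple keying and the per-firewall forwarding record are assumptions, and the loop guard is simplified to a record of which peers have already been tried.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple

FourTuple = Tuple[str, int, str, int]  # client ip/port, database ip/port (assumed keying)

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    from_firewall: Optional[str] = None  # set when a peer firewall forwarded it to us

@dataclass
class Firewall:
    name: str
    peers: Dict[str, "Firewall"] = field(default_factory=dict)         # the other firewalls
    sessions: Dict[FourTuple, str] = field(default_factory=dict)       # 4-tuple -> owner
    pending: Dict[FourTuple, Set[str]] = field(default_factory=dict)   # forwarding record
    audited: List[Packet] = field(default_factory=list)                # seen by local auditor

    def establish_session(self, key: FourTuple) -> None:
        # Claim 1, first step: the firewall that set up a session tells every peer.
        for fw in [self, *self.peers.values()]:
            fw.sessions[key] = self.name
            fw.pending.pop(key, None)

    def lookup(self, pkt: Packet) -> Optional[str]:
        # Claim 2: match source/destination address and port, in either direction,
        # and return the name of the firewall that established the session.
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return next((self.sessions[k] for k in (fwd, rev) if k in self.sessions), None)

    def handle(self, pkt: Packet) -> str:
        # Dispatch one packet; returns the name of the firewall that audited it.
        owner = self.lookup(pkt)
        if owner == self.name:                 # session established here: audit locally
            self.audited.append(pkt)
            return self.name
        if owner is not None:                  # claims 1 and 3: hand it to the owner
            return self.peers[owner].handle(replace(pkt, from_firewall=self.name))
        # Unknown session: try each peer once, recording who was tried so the packet
        # cannot bounce between firewalls forever; when every peer has been tried,
        # audit here and claim the session (the alternative embodiment, simplified).
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        tried = self.pending.setdefault(key, set())
        if pkt.from_firewall:
            tried.add(pkt.from_firewall)
        for name, peer in self.peers.items():
            if name not in tried:
                tried.add(name)
                return peer.handle(replace(pkt, from_firewall=self.name))
        self.establish_session(key)
        self.audited.append(pkt)
        return self.name
```

A database reply carries the 4-tuple reversed, which is why `lookup` checks both orderings before deciding where the packet is audited.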
The method and the device solve the problem in the prior art that traffic accessing the database is scattered across different firewalls for auditing, so that a complete auditing result cannot be obtained, and can ensure the integrity of the database auditing result to a certain extent.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (10)

1. A multi-firewall based database auditing method, comprising:
each firewall in the plurality of firewalls transmits session information of a session established through the firewall to other firewalls in the plurality of firewalls; the session is established between a database client and a database through at least one of the plurality of firewalls, and each of the firewalls is provided with an auditing program which is used for auditing the data packet interacted between the database client and the database;
a first firewall receives a data packet interacted between the database client and the database, wherein the first firewall is one of the plurality of firewalls;
the first firewall judges whether the session to which the data packet belongs is established through the first firewall, if so, the first firewall sends the data packet to an auditing program arranged on the first firewall for auditing;
if not, the first firewall acquires a second firewall for establishing the session to which the data packet belongs and sends the data packet to the second firewall, wherein the second firewall is one of the plurality of firewalls;
and after the second firewall receives the data packet, the data packet is sent to an auditing program arranged on the second firewall for auditing.
2. The method of claim 1, wherein the first firewall determining whether a session to which the data packet belongs is established through the first firewall comprises:
the first firewall searches for the session information recorded in the first firewall according to the source network address and port number, the destination network address and port number of the data packet, wherein the session information comprises: the network address of the database client, the port number of the database client, the network address of the database and the port number of the database;
if the first firewall can find the session information matched with the source network address and the port number and the destination network address and the port number of the data packet, judging whether the session corresponding to the matched session information is established in the first firewall.
3. The method of claim 1, wherein the second firewall sending the data packet to an audit program disposed on the second firewall for auditing includes:
the second firewall judges whether the data packet originates from other firewalls;
and after the second firewall determines that the data packet is sourced from other firewalls, the data packet is sent to an auditing program arranged on the second firewall for auditing.
4. The method of claim 3, wherein the second firewall sending the data packet to an audit program disposed on the second firewall for auditing comprises:
and under the condition that the second firewall determines that the data packet originates from the database client or the database, the second firewall searches the session to which the data packet belongs in the locally recorded session information, and under the condition that the session to which the data packet belongs is established by the second firewall, the second firewall sends the data packet to an auditing program arranged on the second firewall for auditing.
5. A multi-firewall based database auditing apparatus, located in a first firewall, comprising:
the sending module is used for sending the session information of the session established by the firewall to other firewalls in the plurality of firewalls; the session is established between a database client and a database through at least one of the plurality of firewalls, and each of the firewalls is provided with an auditing program which is used for auditing the data packet interacted between the database client and the database;
the receiving module is used for receiving the data packet interacted between the database client and the database, wherein the first firewall is one of the plurality of firewalls;
the judging module is used for judging whether the session to which the data packet belongs is established through the first firewall, if so, the first firewall sends the data packet to an auditing program arranged on the first firewall for auditing; if not, a second firewall for establishing the session to which the data packet belongs is obtained, and the data packet is sent to the second firewall, wherein the second firewall is one of the plurality of firewalls; and the second firewall is used for sending the data packet to an auditing program arranged on the second firewall for auditing after receiving the data packet.
6. The apparatus of claim 5, wherein the determining module is configured to:
searching in the session information recorded in the first firewall according to the source network address and port number and the destination network address and port number of the data packet, wherein the session information comprises: the network address of the database client, the port number of the database client, the network address of the database and the port number of the database;
if the session information matched with the source network address and the port number and the destination network address and the port number of the data packet can be found, judging whether the session corresponding to the matched session information is established in the first firewall.
7. The apparatus as recited in claim 5, further comprising: the second judging module and the second sending module are positioned on the second firewall, wherein,
the second judging module is used for judging whether the data packet originates from other firewalls or not;
and the second sending module is used for sending the data packet to an auditing program arranged on the second firewall for auditing after determining that the data packet is sourced from other firewalls.
8. The apparatus of claim 7, wherein
and the second sending module is used for searching the session to which the data packet belongs in the session information recorded locally under the condition that the data packet is determined to be sourced from the database client or the database, and sending the data packet to an auditing program set on the second firewall by the second firewall for auditing under the condition that the session to which the data packet belongs is established by the second firewall.
9. An electronic device, comprising a memory and a processor, wherein the memory is configured to store one or more computer instructions, and the one or more computer instructions are executed by the processor to implement the method steps of any one of claims 1 to 4.
10. A readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method steps of any of claims 1 to 4.
Application CN202310199274.7A, priority date 2023-02-28, filing date 2023-02-28: Database auditing method and device based on multiple firewalls. Status: Pending. Publication CN116192921A (en).
Publication CN116192921A (en), published 2023-05-30.


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination