CN1278528C - Network safety device multi work mode adapting method - Google Patents


Info

Publication number: CN1278528C
Authority: CN (China)
Prior art keywords: frame, network, bridge, safety device, port
Legal status: Expired - Fee Related
Application number: CN 02156503
Other languages: Chinese (zh)
Other versions: CN1509030A (en)
Inventors: 宋斌, 高红, 李江力
Current assignee: Beijing Leadsec Technology Co.,Ltd.
Original assignee: Lenovo Wangyu Technology Beijing Co Ltd
Priority date: 2002-12-16
Filing date: 2002-12-16
Publication date: 2006-10-04

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to a self-adaptive method for the multiple working modes of a network security device. The network security device automatically analyses the destination address of a received data frame and processes the frame further according to the result of that analysis. In the present invention the firewall function is realised within the forwarding process of a network bridge, while the bridge forwarding function of an IEEE 802.1d spanning tree and the route forwarding function of the IP layer are both retained. A user does not need to know the specific working state of the device: after configuring it according to the characteristics of bridge mode, the device works as a security gateway in bridge mode; likewise, it can also work as a security gateway in routing mode. At the same time, any port of the device can work in a mixture of the two modes without any configuration or restriction, which makes the device far more convenient to use in all kinds of complex network environments.

Description

Adaptive method for the multiple operating modes of a network security device
Technical field
The present invention relates to an adaptive method for the multiple operating modes of a network security device, and in particular to a self-adapting method for the multiple operating modes of network security gateway devices (such as firewalls and VPN (Virtual Private Network) devices). It belongs to the field of network security technology.
Background technology
According to the layered OSI (Open System Interconnect Reference Model) protocol architecture, a bridge is a typical link-layer device; one of its most important functions is to provide link connectivity between the different physical subnets it connects. IEEE (Institute of Electrical and Electronics Engineers) 802.1d defines a link forwarding and state-maintenance method based on STP (Spanning Tree Protocol). Routing mode is equivalent to operating at the network layer: in this mode, data forwarding matches the routing table at the network layer to complete route selection and relaying.
TCP/IP (Transmission Control Protocol/Internet Protocol) is a packet-switched communication protocol suite. An application-layer message is segmented and then has a transport-layer header, a network-layer header and a link-layer header added in turn. The link-layer header contains the source MAC (Media Access Control, i.e. hardware) address and the destination MAC address of the frame. When a TCP/IP host attempts to send a packet to another host, it first looks up the MAC address corresponding to the destination IP (Internet Protocol) address in its local ARP (Address Resolution Protocol) cache; only then can it build a complete link-layer data frame and send it. If the local ARP cache holds no entry for the destination IP, the host must send an ARP broadcast request to ask for the MAC address of that destination host. If source and destination are on the same network segment, the ARP request is answered quickly, and the host can then put the hardware address of the destination into the frames it sends; if source and destination are not on the same network segment, the ARP request is unlikely to be answered, so the initiator of the access cannot find the MAC address for the destination IP. In that case a suitable gateway address must be configured on the initiating host; whenever the destination IP network and the source IP network are not in the same subnet, ARP resolves the MAC address of that gateway instead and records it in the cache.
This is exactly the difference between a bridge-mode gateway and a routing-mode gateway: the two sides of a bridge-mode gateway generally connect two physical segments of the same subnet, whereas the two sides of a routing-mode gateway generally connect two segments of different subnets. In the ARP resolution process described above, the former can directly obtain the MAC address corresponding to the destination IP, while the latter can only obtain the MAC address of the gateway. That is to say, in the former case the data frame can be delivered by the bridge directly to the destination IP, while in the latter case the data frame can only be delivered to the routing gateway, which then completes the subsequent forwarding.
Traditional packet filtering generally works at the network layer, and network-layer packet filtering has two limitations. First, because the network layer only handles forwarding between different segments, IP packets whose source and destination addresses lie on the same segment are never forwarded through it. Second, when a firewall is inserted between a protected network and a router, the hosts in the protected network must change their gateway setting from the router to the firewall, and the original router of the protected network must modify its routing table so that it forwards IP packets to the firewall. When the user's network is complex, this creates considerable configuration trouble for the firewall user.
Referring to Fig. 1, which is the flow chart of a firewall operating as a bridge.
As shown in the figure, when a port receives a packet, it is first checked whether the port state is available; the port state is decided by the STP spanning-tree algorithm, and if the port state is unavailable the packet is discarded. If the port state is available, the packet is matched against the filtering rules, that is, the IP addresses, protocol type, port numbers and so on contained in the packet are parsed and matched against the user-defined rules; if the result is illegal, the packet is discarded. If the result is legal, the destination address of the frame is looked up in the forwarding database; if the destination address is found, the frame is forwarded out of the given port according to the forwarding information; if it is not found, the frame is forwarded out of every port. After forwarding, if the destination address is found it is recorded in the forwarding database; if it is not found, the packet is discarded.
When the user uses such a gateway as a bridge, the network segments attached to the different interfaces of the gateway belong to the same subnet, so the ARP messages sent by hosts on these networks correctly resolve the MAC address of the destination IP. Packets sent by these hosts, when passing through the firewall, can therefore be matched directly against the forwarding database and forwarded after the firewall's security check.
Packet filtering at the link layer remedies precisely this deficiency of network-layer packet filtering. In bridge mode, every frame that passes rule matching is forwarded directly out of the appropriate port according to the match of its MAC address in the forwarding database. Because this forwarding process is independent of IP addresses (it is decided by MAC addresses), no change is needed to the TCP/IP settings of the client computers attached to it, which is why it is also called transparent mode. In this mode a network can be physically divided into two subnets while the IP addresses still belong to the same subnet.
Generally a gateway can work in only one state. In bridge state it can only forward packets by MAC address, and when source and destination IP addresses are in different subnets the destination MAC address cannot be obtained directly, so a bridge cannot handle forwarding between different subnets. If a gateway works in routing state, it can only match the routing table at the network layer according to the source and destination IP addresses to decide the routing direction; once source and destination are in the same subnet, the routing-table match concludes that the frame should go back where it came from, so forwarding again cannot be completed. This is why bridge forwarding and route forwarding are incompatible.
For this reason the firewalls of many vendors retain both bridge mode and routing mode, but the user must select and switch the operating mode in use, and the two modes are mutually incompatible, which is very inconvenient in practice.
Summary of the invention
The main purpose of the present invention is to propose, against the deficiencies of the prior art, an adaptive method for the multiple operating modes of a gateway device that breaks through the limitations of routing and bridge modes, can handle bridge forwarding and route forwarding at will, and lets a firewall be inserted at any time between several subnets on the same segment (bridge) or between subnets on different segments (routing) without any switching.
The object of the present invention is achieved as follows:
An adaptive method for the multiple operating modes of a network security device, in which the network security device automatically analyses the destination address of a received data frame and processes that frame further according to the result of the analysis.
The specific implementation steps of the method comprise at least:
Step 1: after the network security device receives a data frame through one of its ports, determine whether the state of that port is available; if it is unavailable, discard the frame; if it is available, go to step 2.
Step 2: determine whether the destination MAC address of the frame points to this machine; if not, perform bridge data processing; if so, go to step 3.
Step 3: strip the link-layer frame header from the frame and pass it up to the IP layer.
Step 4: determine whether the IP-layer destination address of the frame points to this machine; if so, deliver the frame to the upper-layer protocol stack of this machine for processing; otherwise go to step 5.
Step 5: perform security rule matching.
Step 6: if the frame is illegal data, discard it; otherwise go to step 7.
Step 7: if the frame is to be masqueraded, change its source address to another IP address specified by the user and then forward it; otherwise go to step 8.
Step 8: match the routing table and then forward the frame.
In step 1 of the above method, the STP algorithm is used to determine whether the state of the port is available.
The above network security device is at least a firewall or a VPN device, and it is connected between several subnets on the same segment or between subnets on different segments.
The present invention realises the firewall function within the forwarding process of a bridge while still retaining the forwarding capability of the IEEE 802.1d spanning-tree bridge and the route forwarding capability of the IP layer. In use, the user does not need to know which state the present invention is actually working in: if the user regards it as working in bridge mode, then after configuring it according to the characteristics of that mode the present invention works as a security gateway in bridge mode; if the user regards it as working in routing mode, the present invention likewise works as a security gateway in routing mode. At the same time, any port of the present invention can work in a mixture of these two modes without any setting and without any restriction, which allows the present invention to be applied more conveniently to all kinds of complex network environments.
Description of drawings
Fig. 1 is the flow chart of a network security device receiving and forwarding data frames in the prior art;
Fig. 2 is the flow chart of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and a specific embodiment:
The present invention is based on the IEEE 802.1d Ethernet bridge. The network interconnection entity (relay entity) of IEEE 802.X is referred to as a bridge; bridges interconnect local area networks (LANs), and what they use to decide how to forward data between LANs is the destination MAC address. A bridge has no common network layer; the route lookup that would normally be carried by the network layer is placed, together with the packet forwarding function, at the data link layer. When the firewall of the present invention operates, all of its Ethernet interfaces are bound into one virtual bridge device, and each Ethernet interface is set to promiscuous mode. Binding to a virtual bridge device here means attaching a physical network card, by software, to a software bridge so that it becomes one port of that bridge; this process is entirely based on the 802.1d protocol. Promiscuous mode is likewise realised by software, by setting a control bit in the network card's processing chip so that the card receives all packets: all data on the LAN attached to that port is received and then processed further.
A firewall realised in bridge mode depends on two things for processing received packets: the forwarding database maintained by the bridge (which may also be called the bridge's forwarding information base) and the availability state of each physical port (network interface) of the bridge.
The bridge's forwarding database is built and maintained by a dynamic learning and recording process. When a given Ethernet frame is forwarded for the first time, the bridge attempts to send it out through all of its physical ports; when forwarding through a certain port reaches the destination host normally, the forwarding information of that transmission (including the destination MAC address and the port used) is recorded in the forwarding database. An 802.1d bridge uses the STP spanning-tree algorithm, exchanging BPDU (Bridge Protocol Data Unit) packets with other bridge devices to maintain the whole link topology formed by the interconnected bridges without creating loops in the network.
When a packet entering the bridge is to be forwarded, the firewall matches its destination MAC address against the MAC addresses in the bridge's forwarding database; if the database has recorded the port corresponding to that MAC address and that port is in the forwarding state, the packet is forwarded out of that port, a process carried out entirely at the link layer. The present invention adds to this process a firewall interface and a communication interface between the link-layer bridge and the IP-layer routing.
The firewall interface performs the security check of link-layer frames: when the bridge is in its normal operating state and the MAC address of a frame is contained in the forwarding database, the frame is subjected to rule checking; illegal frames are discarded and legal frames are processed further. The user can define security policies on IP address, port and protocol type, and when packets are forwarded the relevant information (IP address, port, protocol, etc.) of the IP packet contained in each frame is checked directly at the link layer.
When the user uses the network security device as a routing gateway, the situation is different. As described above, the gateway configured on the user's hosts should now point to the gateway (i.e. this network security device), so the result of a host's ARP resolution is the MAC address of the security gateway. The gateway should therefore no longer forward the packet outward but receive it: while still in the bridge state, it calls the communication interface between its bridge device and the IP layer, strips the link-layer header of the frame and passes it to the IP layer. After the IP layer receives the packet it continues to parse it and perform the security rule check, discarding it if illegal; if legal, it checks whether the destination address is this machine, and if not, matches the routing table to find the routing direction, then calls the ARP protocol as in the earlier procedure to obtain the next-hop MAC address, reconstructs a complete link-layer frame and finally forwards the packet. That is to say, when the gateway of the present invention is used as a routing gateway, it is a routing service on top of the bridge.
Referring to Fig. 2: when a port receives a packet, it is first checked whether the port state is available; the port state is decided by the STP spanning-tree algorithm, and if the port state is unavailable the packet is discarded. If the port state is available, it is then checked whether the destination MAC address is this machine; if not, the data is processed by the bridge; if so, the link-layer header of the frame is removed and the frame is passed to the IP layer. After the IP layer receives the packet, it first checks whether the destination address is an address of this machine; if so, the frame is sent to the upper-layer protocol stack of this machine; if not, the frame continues to be parsed and checked against the security rules, discarded if illegal, and if legal the routing table is matched to find the routing direction and the frame is forwarded.
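The Fig. 2 decision path (steps 1 to 8), together with the forwarding-database learning of the bridge path, as an added Python simulation that is not part of the patent or of any product. The port names, MAC and IP addresses, STP state labels, filter rule and routes are all constructed for illustration; the same device object handles bridged, routed, locally delivered and dropped frames without any mode switch.

```python
import ipaddress
from dataclasses import dataclass, field

FORWARDING, BLOCKING = "forwarding", "blocking"   # STP port states (constructed labels)


@dataclass
class Frame:            # a received Ethernet frame, reduced to the fields the decision needs
    in_port: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp", "icmp", ...
    dst_port: int       # 0 when the protocol has no port


@dataclass
class Gateway:
    own_macs: set       # MAC addresses of the device's own ports
    own_ips: set        # IP addresses assigned to the device itself
    port_state: dict    # port name -> STP state
    rules: list         # (proto, dst_port or None, "accept"/"drop"); first match wins
    routes: list        # (ip_network, out_port); longest prefix wins
    masquerade: dict = field(default_factory=dict)   # out_port -> replacement source IP
    fdb: dict = field(default_factory=dict)          # learned MAC -> port

    def rule_allows(self, frame):
        """Steps 5 and 6: user-defined filter on protocol and port, default accept."""
        for proto, port, action in self.rules:
            if proto == frame.proto and port in (None, frame.dst_port):
                return action == "accept"
        return True

    def bridge(self, frame):
        """Link-layer path (Fig. 1): learn the sender, rule check, forwarding-database lookup."""
        self.fdb[frame.src_mac] = frame.in_port
        if not self.rule_allows(frame):
            return ("drop", "rule")
        out = self.fdb.get(frame.dst_mac)
        return ("bridge", "flood" if out is None else out)   # unknown MAC: all ports

    def route(self, frame):
        """Network-layer path (steps 4 to 8), running on top of the bridge."""
        if frame.dst_ip in self.own_ips:
            return ("local", "upper-layer protocol stack")
        if not self.rule_allows(frame):
            return ("drop", "rule")
        dst, best = ipaddress.ip_address(frame.dst_ip), None
        for net, out in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        if best is None:
            return ("drop", "no route")
        src_ip = self.masquerade.get(best[1], frame.src_ip)   # step 7: source rewrite
        return ("route", best[1], src_ip)

    def process(self, frame):
        """Steps 1 to 3: port state first, then the destination MAC picks the path."""
        if self.port_state.get(frame.in_port) != FORWARDING:
            return ("drop", "port not forwarding")
        if frame.dst_mac not in self.own_macs:
            return self.bridge(frame)
        return self.route(frame)   # link header stripped, frame handed to the IP layer


GW_MAC = "00:00:5e:00:53:01"   # constructed: MAC address of the device's eth0 port


def build_gateway():
    """Constructed sample device: eth0 and eth1 forwarding, eth2 blocked by STP."""
    return Gateway(
        own_macs={GW_MAC, "00:00:5e:00:53:02"},
        own_ips={"192.0.2.1", "198.51.100.1"},
        port_state={"eth0": FORWARDING, "eth1": FORWARDING, "eth2": BLOCKING},
        rules=[("tcp", 23, "drop")],                          # user policy: no telnet
        routes=[(ipaddress.ip_network("198.51.100.0/24"), "eth1"),
                (ipaddress.ip_network("0.0.0.0/0"), "eth1")],
        masquerade={"eth1": "198.51.100.1"},
    )


def run_demo():
    """Feed constructed frames through one device; it never needs a mode switch."""
    gw = build_gateway()
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"          # two hosts on the same subnet
    frames = [
        Frame("eth0", a, b, "192.0.2.10", "192.0.2.11", "tcp", 80),         # bridged, unknown dst
        Frame("eth1", b, a, "192.0.2.11", "192.0.2.10", "tcp", 4444),       # bridged, learned dst
        Frame("eth0", a, GW_MAC, "192.0.2.10", "198.51.100.7", "tcp", 80),  # routed, masqueraded
        Frame("eth0", a, GW_MAC, "192.0.2.10", "198.51.100.7", "tcp", 23),  # dropped by rule
        Frame("eth0", a, GW_MAC, "192.0.2.10", "192.0.2.1", "icmp", 0),     # for the device itself
        Frame("eth2", a, b, "192.0.2.10", "192.0.2.11", "udp", 53),         # port blocked by STP
    ]
    return [gw.process(f) for f in frames]
```

Frames addressed to a host's MAC take the bridge path even when the sender and receiver are on different ports, while frames addressed to the device's own MAC are handed to the IP layer and routed, which is the adaptive behaviour the claims describe.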
The present invention realises the firewall function within the forwarding process of a bridge while still retaining the forwarding capability of the 802.1d spanning-tree bridge and the route forwarding capability of the IP layer. In use, the user does not need to know which state the present invention is actually working in: if the user regards it as working in bridge mode, then after configuring it according to the characteristics of that mode the present invention works as a security gateway in bridge mode; if the user regards it as working in routing mode, the present invention likewise works as a security gateway in routing mode. At the same time, any port of the present invention can work in a mixture of these two modes without any setting and without any restriction, which allows the present invention to be applied more conveniently to all kinds of complex network environments.
Finally, it should be noted that the above embodiment is intended only to illustrate the technical solution of the present invention and not to limit it. Although this specification has described the present invention in detail with reference to the above embodiment, those of ordinary skill in the art should understand that the present invention can still be modified or equivalently replaced, and all technical solutions and improvements that do not depart from the spirit and scope of the present invention should be covered by the scope of the claims of the present invention.

Claims (3)

1. An adaptive method for the multiple operating modes of a network security device, characterised in that it comprises:
Step 1): after the network security device receives a data frame through one of its ports, determine whether the state of that port is available; if it is unavailable, discard the frame; if it is available, go to step 2).
Step 2): determine whether the destination MAC address of the frame points to this machine; if not, perform bridge data processing; if so, go to step 3).
Step 3): strip the link-layer frame header from the frame and pass it up to the IP layer.
Step 4): determine whether the IP-layer destination address of the frame points to this machine; if so, deliver the frame to the upper-layer protocol stack of this machine for processing; otherwise go to step 5).
Step 5): perform security rule matching.
Step 6): if the frame is illegal data, discard it; otherwise go to step 7).
Step 7): if the frame is to be masqueraded, change its source address to another IP address specified by the user and then forward it; otherwise go to step 8).
Step 8): match the routing table and then forward the frame.
2. The adaptive method for the multiple operating modes of a network security device according to claim 1, characterised in that step 1) uses the STP algorithm to determine whether the state of the port is available.
3. The adaptive method for the multiple operating modes of a network security device according to claim 1 or 2, characterised in that the network security device is at least a firewall or a VPN device, and the network security device is connected between several subnets on the same segment or between subnets on different segments.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 02156503 CN1278528C (en) 2002-12-16 2002-12-16 Network safety device multi work mode adapting method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 02156503 CN1278528C (en) 2002-12-16 2002-12-16 Network safety device multi work mode adapting method

Publications (2)

Publication Number Publication Date
CN1509030A CN1509030A (en) 2004-06-30
CN1278528C true CN1278528C (en) 2006-10-04

Family

ID=34236241

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 02156503 Expired - Fee Related CN1278528C (en) 2002-12-16 2002-12-16 Network safety device multi work mode adapting method

Country Status (1)

Country Link
CN (1) CN1278528C (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101896010A (en) * 2009-05-18 2010-11-24 大唐移动通信设备有限公司 Equipment and method for filtering information
CN101896011A (en) * 2009-05-18 2010-11-24 大唐移动通信设备有限公司 Information filtering equipment and method
CN102469045B (en) * 2010-11-05 2015-04-08 中科信息安全共性技术国家工程研究中心有限公司 Method for improving concurrency of WEB security gateway
WO2012100671A1 (en) * 2011-01-30 2012-08-02 华为技术有限公司 Method for binding physical network ports, network card and communication system

Also Published As

Publication number Publication date
CN1509030A (en) 2004-06-30

Similar Documents

Publication Publication Date Title
US6154839A (en) Translating packet addresses based upon a user identifier
US8458784B2 (en) Data protection system selectively altering an end portion of packets based on incomplete determination of whether a packet is valid or invalid
CN1879388B (en) Dual mode firewall
US6006272A (en) Method for network address translation
US20060256814A1 (en) Ad hoc computer network
US20020150114A1 (en) Packet routing apparatus and a method of routing a packet
US20030182580A1 (en) Network traffic flow control system
CN1575462A (en) Method and apparatus for implementing a layer 3/layer 7 firewall in an l2 device
US8601567B2 (en) Firewall for tunneled IPv6 traffic
US8804512B1 (en) Obtaining high availability using TCP proxy devices
JP2002504285A (en) Apparatus for realizing virtual private network
WO2013063791A1 (en) Nat/firewall accelerator
CN101499965B (en) Method for network packet routing forwarding and address converting based on IPSec security association
CN1527544A (en) Ethernet exchanger and its service processing method
US6556575B1 (en) Broadcast traffic reduction in a communications network
CN102664804B (en) Method and system for achieving network bridge function of network equipment
US20030210696A1 (en) System and method for routing across segments of a network switch
US20060256717A1 (en) Electronic packet control system
US8146144B2 (en) Method and system for the transparent transmission of data traffic between data processing devices, corresponding computer program product, and corresponding computer-readable storage medium
CN107733930A (en) For forwarding Internet protocol in multiple WAN network gateways(IP)The method and system of packet
CN1292354C (en) Two-layer exchange type firewall package filtering method based on bridge
CN1278528C (en) Network safety device multi work mode adapting method
CN102821020A (en) Method for transparent transmission of virtual private network (VPN) communication through copy and transfer of internet protocol (IP) packet
US20060256770A1 (en) Interface for configuring ad hoc network packet control
CN103379187A (en) Data processing method and gateway network element

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: LEGEND WANGYU TECHNOLOGY (BEIJING) LTD.

Free format text: FORMER OWNER: LIANXIANG (BEIJING) CO. LTD.

Effective date: 20050218

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20050218

Address after: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Applicant after: Lenovo Wangyu Technology (Beijing) Ltd.

Address before: 100085, No. 6, Pioneer Road, Haidian District information industry base, Beijing

Applicant before: Lenovo (Beijing) Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: BEIJING LEADSEC INFORMATION TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: LEADSEC TECHNOLOGY (BEIJING) CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Patentee after: Beijing Leadsec Technology Co.,Ltd.

Address before: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Patentee before: Lenovo Wangyu Technology (Beijing) Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20061004

Termination date: 20161216