Adaptive method for the multiple operating modes of a network security device
Technical field
The present invention relates to an adaptive method for the multiple operating modes of a network security device, and in particular to a method by which network security gateway equipment (such as a firewall or a VPN (Virtual Private Network) device) adapts automatically among several operating modes. It belongs to the field of network security technology.
Background art
According to the layered protocol architecture of the OSI (Open System Interconnection) reference model, a bridge is a typical link-layer device; one of its most important functions is to provide link-level connectivity between the different physical subnets it joins. IEEE (Institute of Electrical and Electronics Engineers) 802.1d specifies a link forwarding and state-maintenance method based on STP (Spanning Tree Protocol). Route mode, by contrast, corresponds to operation at the network layer: in this mode data forwarding matches the routing table at the network layer, which selects the route and relays the packet.
TCP/IP (Transmission Control Protocol/Internet Protocol) is a packet-switched communication protocol suite. A message from the application layer is segmented and then prepended, layer by layer, with a transport-layer header, a network-layer header and a link-layer header. The link-layer header contains the frame's source MAC (Media Access Control, i.e. hardware) address and destination MAC address. When a TCP/IP host is about to send a packet to another host, it first looks in its local ARP (Address Resolution Protocol) cache for the MAC address corresponding to the destination IP (Internet Protocol) address; only then can it construct a complete link-layer data frame and send it. If the local ARP cache has no entry for the destination IP, the host must send an ARP broadcast request to ask for the MAC address of that destination host. If the source and destination are on the same network segment, the ARP request is answered quickly and the host can place the destination's hardware address in the frame it sends; if the source and destination are not on the same segment, the ARP request will get no reply, and the initiating host cannot find the MAC address of the destination IP. For this reason a suitable gateway address must be configured on the initiating host: whenever the destination IP network and the source IP network are not in the same subnet, ARP directly resolves the MAC address of that gateway and records it in the cache.
This is precisely the difference between a bridge-mode gateway and a route-mode gateway. The two sides of a bridge-mode gateway generally connect two physical segments of the same subnet, whereas the two ends of a route-mode gateway generally connect two segments of different subnets. In the ARP resolution process described above, the former directly obtains the MAC address corresponding to the destination IP, while the latter can only obtain the MAC address of the gateway. In other words, in the former case the data frame can be delivered directly to the destination IP through the bridge; in the latter case the data frame can only be delivered to the routing gateway, which then completes the subsequent forwarding.
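The ARP behaviour described in the two preceding paragraphs, modelled as an added Python example that is not part of the patent text. The sender decides whether to resolve the destination itself (same subnet) or the configured gateway (other subnet), consults its ARP cache, and otherwise broadcasts; the broadcast is only answered by hosts on the same physical segment. All host, gateway and MAC addresses are constructed for illustration.

```python
import ipaddress


def arp_resolve(target_ip, arp_cache, segment_hosts):
    """Look target_ip up in the local ARP cache; on a miss, simulate an ARP
    broadcast, which only hosts on the same physical segment can answer.
    A learned answer is written back into the cache, as a real host does."""
    if target_ip in arp_cache:
        return arp_cache[target_ip]
    mac = segment_hosts.get(target_ip)      # simulated broadcast reply (None = no reply)
    if mac is not None:
        arp_cache[target_ip] = mac
    return mac


def build_link_frame(src_ip, netmask, gateway_ip, dst_ip, arp_cache, segment_hosts):
    """Decide which address the sender must ARP for and assemble the link-layer
    header (destination MAC) around the unchanged IP addresses.
    Returns None when no MAC can be resolved, i.e. the frame cannot be sent."""
    local_net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dst_ip) in local_net:
        arp_target = dst_ip          # same segment: ask for the destination itself
    elif gateway_ip is not None:
        arp_target = gateway_ip      # other subnet: ask for the configured gateway
    else:
        arp_target = dst_ip          # no gateway configured: the broadcast goes unanswered
    dst_mac = arp_resolve(arp_target, arp_cache, segment_hosts)
    if dst_mac is None:
        return None
    return {"dst_mac": dst_mac, "src_ip": src_ip, "dst_ip": dst_ip}


# Constructed example: the hosts that answer ARP broadcasts on the sender's wire
# (documentation address ranges; not taken from the patent).
SEGMENT_HOSTS = {
    "192.168.1.20": "00:00:5e:00:53:20",   # a host on the same segment
    "192.168.1.1": "00:00:5e:00:53:01",    # the gateway's interface on this segment
}


def demo():
    """Three sends from 192.168.1.10/24: same subnet, other subnet via the
    gateway, and other subnet with no gateway configured."""
    cache = {}
    same = build_link_frame("192.168.1.10", "255.255.255.0", "192.168.1.1",
                            "192.168.1.20", cache, SEGMENT_HOSTS)
    remote = build_link_frame("192.168.1.10", "255.255.255.0", "192.168.1.1",
                              "10.0.0.5", cache, SEGMENT_HOSTS)
    no_gateway = build_link_frame("192.168.1.10", "255.255.255.0", None,
                                  "10.0.0.5", cache, SEGMENT_HOSTS)
    return same, remote, no_gateway, cache


if __name__ == "__main__":
    for label, result in zip(("same subnet", "via gateway", "no gateway"), demo()[:3]):
        print(f"{label:12s}: {result}")
```

The third call shows the failure mode the text describes: with no gateway configured the sender ARPs for an address that nothing on its segment owns, gets no reply, and has no frame to send. The second call shows why a route-mode gateway only ever sees its own MAC as the destination while the IP addresses inside the frame are untouched.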
Conventional packet filtering generally works at the network layer, and network-layer packet filtering has two limitations. First, because the network layer only handles forwarding between different segments, an IP message whose source and destination addresses lie in the same segment will not be forwarded at all. Second, when a firewall is inserted between a protected network and a router, every host in the protected network must change its gateway setting from the router to the firewall, and the router of the protected network must modify its routing table so that IP messages are forwarded to the firewall. When the user's network is complex, this creates considerable configuration trouble for the firewall user.
Referring to Fig. 1, which is the flow chart of a firewall used as a bridge.
As shown in the figure, when a port receives a packet, the device first judges whether the port state is available; the port state is determined by the STP spanning tree algorithm, and if the port is unavailable the packet is discarded. If the port state is available, the packet is matched against the filtering rules: the IP address, protocol type, port number and so on contained in the packet are parsed and matched against the user-defined rules. If the match result is illegal, the packet is discarded; if it is legal, the destination address of the data frame is looked up in the forwarding database. If the destination address is found, the frame is forwarded out of the given port according to that entry; if it is not found, the frame is forwarded out of every port. After forwarding, if the destination address is found it is recorded in the forwarding database; if the destination address is not found, the packet is discarded.
When the user uses this gateway as a bridge, the segments connected to the different interfaces of the gateway belong to the same subnet, so the ARP messages sent by hosts on these networks correctly resolve the MAC address of the destination IP. Messages sent by these hosts therefore pass through the firewall's security check and are then forwarded directly by matching the forwarding database.
Packet filtering that works at the link layer remedies exactly this deficiency of network-layer packet filtering. In bridge mode, every frame that passes the rule match is forwarded directly out of the appropriate port by matching its MAC address against the forwarding database. Because this forwarding process is independent of IP addresses (it is decided by MAC addresses), the TCP/IP settings of the attached client computers need not be changed at all, which is why this is also called transparent mode. In this mode the device can connect what is physically divided into two subnets while the IP addresses still belong to the same subnet.
Generally, a gateway can only work in one state. In the bridge state it can only forward packets according to MAC addresses; when the source and destination IP are in different subnets the destination MAC address cannot be obtained directly, so a bridge cannot handle forwarding between different subnets. If a gateway works in the routing state, it can only match the routing table at the network layer according to the source and destination IP addresses and thereby determine the routing direction; once the source and destination are in the same subnet, the routing-table match concludes that the frame must go back the way it came, so forwarding cannot be completed either. This is the reason bridge forwarding and route forwarding are incompatible.
Therefore the firewalls of many manufacturers retain both bridge mode and route mode, but the user must select the operating mode and switch between them in use, and the two modes are incompatible, which is very inconvenient.
Summary of the invention
The main purpose of the present invention is to propose, in view of the deficiencies of the prior art, an adaptive method for the multiple operating modes of a gateway device that breaks through the limitations of route mode and bridge mode: it can handle bridge data forwarding and route data forwarding at will, so that a firewall implemented in the network driver can be inserted at any time either between several subnets of the same segment (bridge) or between subnets of different segments (route), without any switching.
The object of the present invention is achieved as follows:
In the adaptive method for the multiple operating modes of a network security device, the network security device automatically analyzes the destination address of a received data frame and further processes the frame according to the result of this analysis.
The specific implementation steps of the method comprise at least:
Step 1: after the network security device receives a data frame through one of its ports, judge whether the state of that port is available; if unavailable, discard the frame; if available, execute step 2;
Step 2: judge whether the destination MAC (Media Access Control) address of the frame points to this machine; if not, perform bridge data processing; if so, execute step 3;
Step 3: remove the link frame header of the data frame and pass it up to the IP layer;
Step 4: judge whether the IP-layer destination address of the frame points to this machine; if so, deliver the frame to the higher-layer protocol stack of this machine for processing; otherwise execute step 5;
Step 5: perform security rule matching;
Step 6: if the frame is illegal data, discard it; otherwise execute step 7;
Step 7: if the frame is to be masqueraded, change the source address of the frame to another IP address specified by the user and then forward it; otherwise execute step 8;
Step 8: match the routing table and then forward the data frame.
In step 1 of the above method, the STP algorithm is used to judge whether the state of the port is available.
The above network security device is at least a firewall or a VPN device, and it is connected between several subnets of the same segment or between subnets of different segments.
The present invention implements the firewall function within the forwarding process of the bridge while still retaining the forwarding capability of an IEEE 802.1d spanning-tree bridge and the route forwarding function of the IP layer. In use, the user does not need to know which state the invention is actually working in: if the user regards it as working in bridge mode, then after it is configured according to the characteristics of that mode it works as a bridge-mode security gateway; if the user regards it as working in route mode, it likewise works as the security gateway of that mode. At the same time, any port of the invention can work in a mix of the two modes without any setting and without any restriction, which allows the invention to be applied more easily to network environments of all kinds of complexity.
Description of the drawings
Fig. 1 is the flow chart of a network security device receiving and forwarding a data frame in the prior art;
Fig. 2 is the flow chart of the present invention.
Embodiments
The present invention is described in further detail below with reference to the accompanying drawings and a specific embodiment:
The present invention is based on the IEEE 802.1d Ethernet bridge. The network interconnection entity (relay entity) of IEEE 802.X is designated a bridge; bridges are designed to interconnect local area networks (LANs), and what they use to decide how to forward data between LANs is the destination MAC address. A bridge has no common network layer; the route lookup normally borne by the network layer is placed, together with the packet forwarding function, at the data link layer. When the firewall of the present invention operates, all of its Ethernet interfaces are bound into one virtual bridge device, and the Ethernet interfaces are set to promiscuous mode. Binding to a virtual bridge device here means that a physical network interface card is joined, by software, to a software bridge so that it becomes one port of that bridge; this process is based entirely on the 802.1d protocol. Promiscuous mode is likewise realized by software, by setting a control bit in the processing chip of the network interface card so that the card receives all packets; all data on the LAN to which the port is attached is received and then processed further.
The firewall realized in bridge mode depends on two things for processing received packets: the forwarding database maintained by the bridge (which may also be called the bridge's routing information base) and the availability state of each physical port (i.e. network interface) of the bridge.
The forwarding database of the bridge is formed and maintained by a dynamic learning and recording process. When an Ethernet frame is forwarded for the first time, the bridge attempts to forward it outward through all of its physical ports; if, after forwarding through a certain port, the frame can normally reach its destination host, the forwarding information of that forwarding (including the destination MAC address and the port used) is recorded in the forwarding database. An 802.1d bridge uses the STP spanning tree algorithm: by exchanging BPDU (Bridge Protocol Data Unit) packets with other bridge devices it maintains the topology of the whole link, so that bridge interconnection does not create loops in the network.
When a packet entering the bridge is forwarded, the firewall matches its destination MAC address against the MAC addresses in the bridge's forwarding database; if the database has recorded the port corresponding to that MAC address and that port is in the forwarding state, the packet is forwarded through that port, and this process is realized entirely at the link layer. The present invention adds to this process the firewall interface and the communication interface between the link-layer bridge and the IP-layer routing.
The firewall interface performs the security check of the link frame. That is, when the bridge is in its normal operating state and the MAC address of a link frame is contained in the forwarding database, the frame is submitted to rule inspection: illegal frames are dropped and legal frames are processed further. The user can define security policies directed at IP address, port and protocol type; when a packet is forwarded, the relevant information (IP address, port, protocol, etc.) of the IP message contained in each packet is checked directly at the link layer.
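The link-layer rule inspection just described, that is, parsing the IP header carried inside an Ethernet frame and matching its addresses, protocol and port against a user policy, as an added Python example that is not part of the patent. The frame builder, the policy and every address in it are constructed for illustration; treating non-IPv4 frames as outside the IP rule set and falling back to deny when no rule matches are assumptions of the example, not statements of the patent.

```python
import ipaddress
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Parse an Ethernet II frame carrying IPv4 and return the fields a link-layer
    filter needs (MACs, IPs, protocol, ports). None if not well-formed IPv4."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte minimum IPv4 header
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])   # ports sit at the same offset in TCP and UDP
    return {"dst_mac": _mac(dst_mac), "src_mac": _mac(src_mac),
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport}


def rule_action(fields, rules, default="deny"):
    """First matching rule wins. A rule is (src_net, dst_net, proto, dport, action);
    None in proto or dport means 'any'. Unmatched traffic gets the default (assumed deny)."""
    src = ipaddress.ip_address(fields["src_ip"])
    dst = ipaddress.ip_address(fields["dst_ip"])
    for src_net, dst_net, proto, dport, action in rules:
        if (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
                and proto in (None, fields["proto"]) and dport in (None, fields["dport"])):
            return action
    return default


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Assemble a constructed test frame; checksums stay zero since the filter ignores them."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload   # 20-byte TCP/UDP-shaped header
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + l4


# Constructed user policy: LAN hosts may reach one web server on TCP/80 and any DNS on UDP/53.
POLICY = [
    ("192.168.1.0/24", "10.0.0.10/32", PROTO_TCP, 80, "allow"),
    ("192.168.1.0/24", "0.0.0.0/0", PROTO_UDP, 53, "allow"),
]


def filter_frame(frame, rules=POLICY):
    """Verdict for one frame seen at the link layer: 'allow', 'deny', or 'not-ip'
    for frames (such as ARP) that the IP rule set does not cover and that need their own policy."""
    fields = parse_frame(frame)
    if fields is None:
        return "not-ip"
    return rule_action(fields, rules)


if __name__ == "__main__":
    web = build_ipv4_frame("00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "192.168.1.20", "10.0.0.10", PROTO_TCP, 40000, 80)
    telnet = build_ipv4_frame("00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "192.168.1.20", "10.0.0.10", PROTO_TCP, 40001, 23)
    print(parse_frame(web), filter_frame(web), filter_frame(telnet))
```

The parser checks the Ethernet length, the EtherType, the IP version and the header length before it reads any port field, so a truncated or non-IP frame cannot make the filter read past the buffer or misinterpret padding as a port number. A transparent bridge has to pass ARP for the hosts on either side to find each other, which is why non-IPv4 frames get their own verdict here rather than being silently allowed or denied by the IP rules.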
When the user uses the network security device as a routing gateway, the situation is different. As described above, the gateway of the user's host should then point to this gateway (i.e. the present network security device), and the result of its ARP resolution is the MAC address of the security gateway. This gateway should therefore no longer forward the packet outward as a bridge, but receive it: it calls the communication interface between the bridge device of this gateway and the IP layer and, while the gateway is still in the bridge state, removes the link frame header and passes the frame to the IP layer. After the IP layer receives the packet it continues to parse it and performs the security rule inspection, discarding illegal packets; for legal packets it continues by checking whether the destination address is this machine, and if not it matches the routing table, finds the routing direction there, calls the ARP protocol as in the preceding procedure to obtain the next MAC address, reconstructs a complete link frame and finally forwards the message. In other words, when the gateway of the present invention is used as a routing gateway, it is a routing service on top of the bridge.
Referring to Fig. 2, when a port receives a packet, the device first judges whether the port state is available; the port state is determined by the STP spanning tree algorithm, and if the port is unavailable the packet is discarded. If the port state is available, the device checks whether the destination MAC address is this machine: if not, the data is processed by the bridge; if so, the link frame header of the data frame is removed and the frame is passed to the IP layer. After the IP layer receives the packet it first checks whether the destination address is this machine's address; if so, the frame is sent to the higher-layer protocol stack of this machine. If not, the packet is parsed further and the security rule inspection is performed, discarding illegal packets; legal packets continue to the routing table match, the routing direction is found in the routing table, and the packet is forwarded.
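The complete decision path of steps 1 to 8 in the summary and of the Fig. 2 flow just described, modelled as an added Python example that is not part of the patent. Frames are represented as already-parsed dictionaries, the port states are a two-value subset of STP, the forwarding database is learned from source addresses, the routing table uses longest-prefix match, a masqueraded packet is still routed after its source address is rewritten, and the security policy is a plain function; all of these details, like the topology and the addresses, are assumptions of the example.

```python
import ipaddress

FORWARDING, BLOCKING = "forwarding", "blocking"   # STP port states used here (subset, constructed)


class AdaptiveGateway:
    """One frame-handling path that serves as bridge or router depending only on
    the destination MAC of each frame: not ours -> bridge path; ours -> IP path."""

    def __init__(self, ports, local_mac, local_ips, policy, routes, masquerade=None):
        self.ports = dict(ports)            # port name -> STP state
        self.local_mac = local_mac          # MAC of the virtual bridge device
        self.local_ips = set(local_ips)     # IP addresses owned by the device itself
        self.policy = policy                # policy(frame) -> "allow" | "deny"
        self.routes = [(ipaddress.ip_network(n), nh, p) for n, nh, p in routes]
        self.masquerade = masquerade        # (src_net, new_src_ip) or None
        self.fdb = {}                       # forwarding database: MAC -> port

    def _bridge(self, f, in_port):
        # Step 2, "not this machine": link-layer bridge path with dynamic learning.
        self.fdb[f["src_mac"]] = in_port
        if self.policy(f) != "allow":
            return {"action": "drop", "reason": "rule"}
        out = self.fdb.get(f["dst_mac"])
        if out is not None and out != in_port and self.ports.get(out) == FORWARDING:
            return {"action": "bridge_forward", "port": out}
        flood = [p for p, s in self.ports.items() if p != in_port and s == FORWARDING]
        return {"action": "bridge_flood", "ports": flood}

    def _route(self, f):
        # Steps 3-8: the link header is stripped and the IP layer decides.
        if f["dst_ip"] in self.local_ips:                         # step 4
            return {"action": "deliver_local"}
        if self.policy(f) != "allow":                             # steps 5-6
            return {"action": "drop", "reason": "rule"}
        src_ip = f["src_ip"]                                      # step 7
        if self.masquerade and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.masquerade[0]):
            src_ip = self.masquerade[1]
        dst = ipaddress.ip_address(f["dst_ip"])                   # step 8: longest-prefix match
        best = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            return {"action": "drop", "reason": "no route"}
        _net, next_hop, port = best
        return {"action": "route", "port": port, "next_hop": next_hop or f["dst_ip"], "src_ip": src_ip}

    def handle(self, f, in_port):
        if self.ports.get(in_port) != FORWARDING:                 # step 1: STP port state
            return {"action": "drop", "reason": "port unavailable"}
        if f["dst_mac"] != self.local_mac:                        # step 2: whose MAC?
            return self._bridge(f, in_port)
        return self._route(f)


def make_frame(src_mac, dst_mac, src_ip, dst_ip, proto=6, dport=80):
    """Constructed, already-parsed frame as the gateway sees it."""
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "proto": proto, "dport": dport}


def demo_policy(f):
    """Constructed policy: LAN hosts may talk among themselves and reach TCP/80 anywhere."""
    lan = ipaddress.ip_network("192.168.1.0/24")
    src, dst = ipaddress.ip_address(f["src_ip"]), ipaddress.ip_address(f["dst_ip"])
    if src in lan and (dst in lan or (f["proto"] == 6 and f.get("dport") == 80)):
        return "allow"
    return "deny"


def demo_gateway():
    """Constructed topology: eth0 and eth1 both carry 192.168.1.0/24 (bridged segments),
    eth1 also leads to 10.0.0.0/24 and the default route, eth2 is blocked by STP."""
    return AdaptiveGateway(
        ports={"eth0": FORWARDING, "eth1": FORWARDING, "eth2": BLOCKING},
        local_mac="00:00:5e:00:53:ff",
        local_ips={"192.168.1.1", "10.0.0.1"},
        policy=demo_policy,
        routes=[("10.0.0.0/24", None, "eth1"), ("0.0.0.0/0", "10.0.0.254", "eth1")],
        masquerade=("192.168.1.0/24", "10.0.0.1"),
    )


if __name__ == "__main__":
    gw = demo_gateway()
    A, B, GW = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:ff"
    print(gw.handle(make_frame(A, B, "192.168.1.10", "192.168.1.11", 17, 53), "eth0"))   # bridged, flooded
    print(gw.handle(make_frame(A, GW, "192.168.1.10", "10.0.0.5"), "eth0"))             # routed, masqueraded
```

The same gateway object answers both kinds of traffic with no mode setting: a frame addressed to another host's MAC is bridged and the rules are applied at the link layer, a frame addressed to the device's own MAC goes up to the IP layer where local delivery, the rules, masquerading and the routing lookup run in the order the steps give. The policy is consulted on both paths, which is the point the text makes about link-layer filtering closing the gap left by network-layer filtering.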
The present invention implements the firewall function within the forwarding process of the bridge while still retaining the forwarding capability of an 802.1d spanning-tree bridge and the route forwarding function of the IP layer. In use, the user does not need to know which state the invention is actually working in: if the user regards it as working in bridge mode, then after it is configured according to the characteristics of that mode it works as a bridge-mode security gateway; if the user regards it as working in route mode, it likewise works as the security gateway of that mode. At the same time, any port of the invention can work in a mix of the two modes without any setting and without any restriction, which allows the invention to be applied more easily to network environments of all kinds of complexity.
Finally, it should be noted that the above embodiment is intended only to illustrate the technical solution of the present invention and not to limit it. Although this specification has described the present invention in detail with reference to the above embodiment, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the invention, and all technical solutions and improvements thereof that do not depart from the spirit and scope of the present invention should be encompassed within the scope of the claims of the present invention.