CN1547353A - A high-performance multi-service network security processing equipment - Google Patents


Info

Publication number: CN1547353A
Authority: CN (China)
Prior art keywords: module, message, processing module, interface, processing
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CNA2003101182297A
Other languages: Chinese (zh)
Other versions: CN1291567C (en)
Inventors: 李浩, 邓子星, 冯国军
Current assignee: Shenzhen Hengxin Data Ltd By Share Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Individual
Events: application filed by Individual; priority to CNB2003101182297A (granted as CN1291567C); publication of CN1547353A; application granted; publication of CN1291567C; anticipated expiration; current status: Expired - Fee Related

Classification (Landscapes):

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
Abstract

The invention discloses a network security processing device, characterised in that it comprises a physical layer interface, a high-speed hardware processing module and a server platform. The physical layer interface and the high-speed hardware processing module exchange data over the physical layer interface communication bus; the high-speed hardware processing module and the server platform exchange data over a high-speed communication bus; and a security processing system runs on the server platform. The security processing throughput of the device exceeds 5 Gbps, while its functional extensibility is greatly improved, so it can effectively meet the demand for network security devices in fields such as ISPs, IDCs, enterprise networks, government networks, financial networks and telecom networks.

Description

A high-performance multi-service network security processing device
Technical field
The invention belongs to the field of network information security technology and in particular relates to a network security processing device.
Background technology
With the rapid development and widespread use of computer networking technology, network security has become a critical problem affecting the development and application of that technology. A variety of network security devices have therefore appeared and come into wide use. Simple security devices implement only basic functions such as packet filtering and stateful packet filtering; more complex devices integrate functions such as Virtual Private Network (VPN) and Network Address Translation (NAT), and, depending on the requirements of the network design, may also embed modules such as content filtering, anti-virus and intrusion detection (IDS: Intrusion Detection System).
Existing network security devices have two main implementations:
(1) General-purpose PC system (or industrial computer) + software architecture
This kind of network security device uses a general-purpose PC (or industrial computer) as its hardware platform (see Fig. 1). A general-purpose operating system such as Windows, Linux or Unix runs on the platform's CPU, and the security functions are implemented by security application software running on that operating system.
A device of this architecture is cheap, flexible and easy to upgrade, since only the software needs to be changed. However, it has a security processing performance bottleneck that is hard to overcome (typically, forwarding performance declines exponentially as the number of packet-filtering rules grows). The reason is that the device's functions are implemented in software, so performance can only be improved by raising the computing power of the general-purpose processor, which is inherently limited. Such a device therefore has an unavoidable performance bottleneck in high-traffic network environments and is essentially unsuitable for use there.
(2) Security processing chip + embedded processor architecture
This kind of device moves the software computation into hardware. It consists mainly of a security processing chip and an embedded processor: the main security processing flow is implemented on a dedicated security processing chip such as an FPGA (Field Programmable Gate Array), ASIC (Application Specific Integrated Circuit) or NP (Network Processor) to relieve the computing load on the embedded processor, which mainly handles control and management of the device (see Fig. 2).
The network processor or security processing chip at the core of this architecture handles packet filtering and forwarding with higher performance, which to some extent relieves the bottleneck of fast filtering and forwarding in high-traffic environments. However, a network processor (NP) is a data forwarding chip intended for data communication switches and routers, not a dedicated security processing chip; in connection-based state detection, protocol proxying and even ACL rule filtering it cannot reach the performance of a dedicated security chip, and as soon as it performs security processing on the data its performance drops sharply. In addition, current architectures based on a dedicated security processing chip are relatively simple in function, implementing only fast and simple packet ACL (Access Control List) filtering, state detection and forwarding; in service processing capability and extensibility they have the same defects as a network processor, and functional or service extension (upgrading) can only be done in upper-layer application software.
Although this kind of security processing device improves system performance to some extent and resolves the performance bottleneck under heavy traffic, because processing is done by a network processor or a dedicated security chip, function extension or upgrading can only be done in upper-layer application software, and the embedded CPU of devices of this architecture (firewalls, NAT gateways, VPN gateways, etc.) is generally weak; if upper-layer services such as IDS, anti-virus or content filtering are embedded, performance drops severely because of the limited computing power of the CPU. Furthermore, the bandwidth of the communication channel between the embedded processor and the security processing chip is generally low, usually an effective bandwidth of a few hundred Mbps, which makes high-performance software/hardware cooperation hard to achieve.
Summary of the invention
In view of the respective limitations of the two architectures described above, the present invention provides a new high-performance multi-service security processing device. It resolves the forwarding performance bottleneck of the general-purpose PC (or industrial computer) + software architecture and at the same time the functional extensibility limitation of the security processing chip + embedded processor architecture, so it fully meets the performance requirements of high-traffic network environments as well as the demand for functional extension.
To achieve this, the invention provides a network security processing device comprising a physical layer interface, a high-speed hardware processing module and a server platform. The physical layer interface and the high-speed hardware processing module exchange data over the physical layer interface communication bus; the high-speed hardware processing module and the server platform exchange data over the high-speed communication bus; and a security processing system runs inside the server platform.
The high-speed hardware processing module comprises a security processing chip, a high-speed search coprocessor, a table entry memory and a packet buffer memory. A packet received from the physical layer interface is first parsed by the security processing chip, which extracts its security information and forwarding information; the packet is then stored temporarily in the packet buffer memory while the extracted security and forwarding information is processed. According to the lookups each packet actually needs, the chip sends lookup commands to the high-speed search coprocessor or the table entry memory; when a command completes, the coprocessor or table entry memory returns the lookup result. Based on that result the chip retrieves the packet from the packet buffer memory, edits and re-encapsulates it, and then, according to the forwarding information in the lookup result, sends it to the physical layer interface or over the high-speed communication bus to the server platform.
The security processing chip comprises a packet input interface processing module, a packet analysis module, an intrusion detection module, a state detection and filtering module, a forwarding processing module, a network address translation processing module, a Virtual Private Network processing module, a search engine lookup processing module, a buffer management module, a scheduling and quality of service supervision module, an encryption/decryption processing module, a packet editing and encapsulation processing module, a packet output processing module, a CPU packet buffer processing module and a CPU interface processing module.
The packet input interface processing module receives packets from the physical layer interface and passes them to the packet analysis module. The packet analysis module analyses each packet and checks its legitimacy, and either discards it or continues processing according to the result. If the packet requires network address translation, its network address information is extracted and passed to the network address translation processing module and the search engine lookup processing module; if it requires VPN processing, its VPN information is extracted and passed to the VPN processing module, the encryption/decryption processing module and the search engine lookup processing module; if it requires intrusion detection and filtering, or connection-based state detection, its layer 2 to layer 7 information is extracted and passed to the intrusion detection module, the state detection and filtering module and the search engine lookup processing module.
The forwarding processing module extracts the packet's forwarding information and passes it to the search engine lookup processing module to determine the destination forwarding path. The buffer management module temporarily stores the packets received by the packet analysis module and, according to the packet processing information sent by the intrusion detection module, state detection and filtering module, forwarding processing module, network address translation processing module, VPN processing module and search engine lookup processing module, cooperates with the scheduling and quality of service supervision module to schedule and forward packets. The CPU packet buffer processing module receives packets from the buffer management module and the CPU interface processing module and, according to the packet control information, sends them to the packet editing and encapsulation processing module or the CPU interface processing module. The CPU interface processing module controls the internal modules of the security processing chip and handles passing packets up to and down from the CPU. The packet editing and encapsulation processing module receives packets from the buffer management module together with the lookup control and forwarding information sent by the processing modules and the search engine lookup processing module, edits and modifies the packet, re-encapsulates it and recomputes its checksum, and sends it to the packet output interface processing module. The packet output interface processing module sends packets received from the packet editing and encapsulation processing module to the physical layer interface.
The security processing system comprises a security kernel subsystem, a system interface subsystem and a security application subsystem. The security kernel subsystem uses the operating system as its support platform; it receives user configuration information, creates and maintains the configuration table entries, and configures the system functions. The system interface subsystem performs interface conversion and adaptation between the security application subsystem and the security kernel subsystem. The security application subsystem provides the various system application functions.
The security kernel subsystem comprises the security chip driver, the physical layer interface driver, the TCP/IP protocol stack and the operating system.
The security processing chip driver initialises the security processing chip and provides its management and configuration interface; the physical layer interface driver initialises the physical layer interface and provides its management and configuration interface; the TCP/IP protocol stack negotiates, processes and controls the protocols of the packets being processed, so that connections are established correctly and packets are processed and forwarded securely; the operating system is the support platform of the security kernel subsystem.
The security application subsystem comprises a log service module, a high availability module, a web service module, a configuration service module, a VPN service module and a configuration user graphical interface module. The log service module processes and outputs log information. The high availability module establishes a communication channel with the high availability module of another network security processing device and performs state detection and information synchronisation between the two devices. The web service module supports the management and configuration channel. The configuration service module reads the configuration information, initialises the device, and periodically writes newly configured user data to the configuration file. The VPN service module supports VPN. The configuration user graphical interface module provides the user's graphical configuration management interface.
The physical layer interface communication bus may be the Media Independent Interface (MII) or the Gigabit Media Independent Interface (GMII).
The high-speed communication bus may be Peripheral Component Interconnect (PCI) or PCI-X.
Description of drawings
Fig. 1 is a structural diagram of a security processing device with the general-purpose PC (or industrial computer) + software architecture;
Fig. 2 is a structural diagram of a security processing device with the security processing chip + embedded processor architecture;
Fig. 3 is a structural diagram of the security processing device of the present invention;
Fig. 4 is a structural diagram of the high-speed hardware processing module of the present invention;
Fig. 5 is a structural diagram of the server platform of the present invention;
Fig. 6 is a functional block diagram of the software system running on the server platform of the present invention.
Embodiment
The implementation of the present invention is described in detail below with reference to the drawings.
Referring to Fig. 3, the security processing device of the present invention consists of a physical layer interface 01, a high-speed hardware processing module 02 and a server platform 03. The physical layer interface 01 mainly provides 100 Mbps FE (Fast Ethernet) ports or gigabit GE (Gigabit Ethernet) ports and exchanges data with the high-speed hardware processing module 02 over a physical layer interface communication bus 04 such as MII (Media Independent Interface) or GMII (Gigabit Media Independent Interface). The high-speed hardware processing module 02 and the server platform 03 exchange data over a high-speed communication bus 06 such as PCI (Peripheral Component Interconnect) or PCI-X.
Referring to Fig. 4, the high-speed hardware processing module 02 consists mainly of a security processing chip 021, a high-speed search coprocessor 022, a table entry memory 023 and a packet buffer memory 024.
The core of the high-speed hardware processing module 02 is the security processing chip 021, which performs the main security processing functions under the coordination of the server platform, such as packet filtering, state detection and filtering, VPN, NAT and encryption/decryption.
As can be seen from Fig. 4, the security processing chip 021 is composed of a packet input interface processing module 02101, a packet analysis module 02102, an intrusion detection module 02103, a state detection and filtering module 02104, a forwarding processing module 02105, a NAT processing module 02106, a VPN processing module 02107, a search engine lookup processing module 02108, a buffer management module 02109, a scheduling and quality of service (QoS) supervision module 02110, an encryption/decryption processing module 02111, a packet editing and encapsulation processing module 02112, a packet output interface processing module 02113, a CPU packet buffer processing module 02114 and a CPU interface processing module 02115. Specifically:
The packet input interface processing module 02101 connects to the external physical layer interface 01, adapts the interface communication protocol, and after receiving a data frame passes it to the packet analysis module 02102.
The packet analysis module 02102 analyses the packet, including legitimacy checking and protocol identification, and applies different processing flows according to information such as the packet's protocol type and traffic class. If the packet requires NAT, its network address and related information is extracted and passed to the NAT processing module 02106 and the search engine module 02108; if it requires VPN processing, its VPN information is extracted and passed to the VPN processing module 02107, the encryption/decryption processing module 02111 and the search engine module 02108; if it requires intrusion detection and filtering, or connection-based state detection and filtering, the relevant layer 2 to layer 7 information is extracted and passed to the intrusion detection module 02103, the state detection and filtering module 02104 and the search engine module 02108.
While the extracted packet information goes through the control-flow processing, the packet analysis module 02102 passes the packet itself directly to the buffer management module 02109 for buffering, queue scheduling and QoS control.
The intrusion detection module 02103 supports intrusion detection features: it automatically defends against tens of common network attacks, scans and probes, detects and filters at line rate, and prevents attacks against the intranet and against the firewall itself. Together with the security processing system 05 it can provide prevention and alerting for more than 1400 attack signatures. It can also work in concert with the state detection and filtering module 02104 for linked defence. Using real-time alarm information and log data, the user can analyse and confirm attacks and so defend against them early. After receiving the packet control information from the packet analysis module 02102, this module analyses it and extracts the state detection and filtering lookup information, which it passes to the state detection and filtering module 02104 and the search engine lookup module 02108. When a packet flow needs intrusion detection analysis, the corresponding packets are marked with a "hand to CPU" flag and forwarded by the buffer management module 02109 both to the packet editing and encapsulation processing module 02112 and to the CPU packet buffer processing module 02114.
The state detection and filtering module 02104 implements packet filtering: not only basic packet filtering and session state detection, but also application-layer stateful packet filtering, supporting stateful filtering of application protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and H.323. The filtering lookup information this module extracts from the packet (source address, destination address, source port, destination port, protocol type, connection control information, application-layer information, etc.) is passed to the search engine lookup module 02108, whose lookup decides whether the packet is discarded or passed, giving both per-packet and connection-based filtering.
The forwarding processing module 02105 extracts the packet's routing and forwarding information and passes it to the search engine lookup module 02108 to determine the destination forwarding path, which the scheduling and QoS supervision module 02110, the buffer management module 02109 and the packet editing and encapsulation processing module 02112 use to schedule and forward the packet.
The NAT processing module 02106 implements dynamic address translation, supporting many-to-one and many-to-many translation as well as static address translation; it supports mixed public and private addressing inside the network and can automatically recognise addresses and translate them correctly. After receiving packet information from the packet analysis module 02102, it extracts the network address and related information and passes it to the search engine lookup module 02108.
The VPN processing module 02107 implements VPN functions based on protocols such as L2TP (Layer 2 Tunneling Protocol), GRE (Generic Routing Encapsulation) and IPsec (Internet Protocol Security). It can provide high-performance DES (Data Encryption Standard), 3DES (Triple DES), AES (Advanced Encryption Standard), MD5 (Message-Digest Algorithm 5) and SHA-1/SHA-2 (Secure Hash Standard) encryption, decryption and hashing, and supports both manual key configuration and automatic IKE negotiation. After receiving packet information from the packet analysis module 02102 it performs the VPN analysis and extracts the VPN lookup information, which it passes to the search engine lookup module 02108.
The search engine lookup processing module 02108 receives lookup requests from the intrusion detection module 02103, the state detection and filtering module 02104, the forwarding processing module 02105, the NAT processing module 02106, the VPN processing module 02107 and so on, and performs the packet lookup using rule and content matching algorithms, NAT lookup algorithms, routing and forwarding algorithms, etc. Depending on the algorithm, or for a mix of several algorithms, the lookup is carried out in the high-speed search coprocessor 022 or the table entry memory 023.
The buffer management module 02109 stores packets received from the packet analysis module 02102 by writing them into the packet buffer memory 024. It then waits for the packet information sent by the intrusion detection module 02103, state detection and filtering module 02104, forwarding processing module 02105, NAT processing module 02106, VPN processing module 02107 and search engine lookup module 02108, and, according to the storage control information of the packet in the packet buffer memory 024, cooperates with the scheduling and QoS supervision module 02110 to read the packet back out of the packet buffer memory 024 and schedule its transmission.
The scheduling and QoS supervision module 02110 schedules and traffic-polices packets of different input/output ports and different forwarding/filtering information, and sends control information to the buffer management module 02109, which then sends the packet to the packet editing and encapsulation processing module 02112 and the CPU packet buffer processing module 02114.
The encryption/decryption processing module 02111 contains submodules for different encryption/decryption algorithms such as DES, 3DES and AES; it encrypts or decrypts the packets and VPN tunnel packets that require it, so that packets are transmitted correctly and reliably and cannot be eavesdropped on or tampered with.
The packet editing and encapsulation processing module 02112 receives packets from the buffer management module 02109 together with the lookup control and forwarding information sent by the processing modules and the search engine lookup module 02108, and then edits and modifies the packet: for a packet forwarded with NAT, the network address information in the packet must be changed to the translated address information; for a routed packet, the forwarding address information and routing information must be updated. It then re-encapsulates the packet and recomputes its checksum, and sends it to the packet output interface processing module 02113.
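The NAT edit and re-encapsulation step described above, as an added software model that is not the patent's own code: the source address and port of a constructed IPv4/TCP packet are rewritten from a lookup result, then the IPv4 header checksum and the TCP checksum (over the pseudo-header) are recomputed; a naive rewrite that skips the re-encapsulation step is included to show why the checksum stage exists. All packets and addresses are constructed.

```python
"""Model of the packet editing and encapsulation stage: apply a source-NAT
result to an IPv4/TCP packet and recompute both checksums. Added example
with constructed packets; not code from the patent."""
import struct

IP_PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def set_tcp_checksum(src: str, dst: str, tcp: bytes) -> bytes:
    """Return the TCP segment with its checksum recomputed for the given addresses."""
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]  # zero the checksum field first
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    return tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet carrying a TCP SYN (20-byte headers each)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    tcp = set_tcp_checksum(src, dst, tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IP_PROTO_TCP, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def parse(pkt: bytes):
    """Return (src, dst, sport, dport) as the analysis stage would extract them."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), sport, dport


def ipv4_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF


def tcp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def nat_rewrite(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Source NAT as the editing module would apply it: change the address and
    port given by the lookup result, then recompute both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    tcp = bytearray(pkt[ihl:])
    ip[12:16] = ip_to_bytes(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[0:2] = struct.pack("!H", new_sport)
    tcp = set_tcp_checksum(new_src, bytes_to_ip(ip[16:20]), bytes(tcp))
    return bytes(ip) + tcp


def naive_rewrite(pkt: bytes, new_src: str) -> bytes:
    """Address change without the re-encapsulation step: both checksums go stale."""
    return pkt[:12] + ip_to_bytes(new_src) + pkt[16:]
```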
The packet output interface processing module 02113 connects to the external physical layer interface 01 and adapts the interface communication protocol; after receiving a packet from the packet editing and encapsulation processing module 02112 it adds frame check information and frame control information and sends it to the physical layer interface.
The CPU packet buffer processing module 02114 stores packets that the security processing chip hands up to the CPU and packets that the CPU sends down to the security processing chip for forwarding, giving high-performance, congestion-free communication with the server platform 03.
The CPU interface processing module 02115 controls each internal module of the security processing chip 021 and handles passing packets up to and down from the CPU. Its most important role is to communicate with the server platform over the high-speed communication bus, enabling efficient cooperation between the security processing chip and the server platform.
The high-speed search coprocessor 022 uses matching based on bits and bit masks to match filtering rules and content, performing lookups such as flow identification for the intrusion detection module and the filtering and connection-based state detection of the state detection and filtering module, so that information lookup and packet forwarding can reach line rate. The table entry memory 023 mainly stores the VPN, NAT, filtering, forwarding, state detection and ACL table entries for packets, and can use general DDR (Double Data Rate) SSRAM (Synchronous Static RAM) or DDR SDRAM (Synchronous Dynamic RAM) devices. The packet buffer memory 024 mainly stores incoming packets: until the security processing chip has finished processing a packet's security and forwarding information, the packet waits here for processing and forwarding, which avoids packet loss due to congestion. It can likewise use general DDR SSRAM or DDR SDRAM devices.
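The lookup stage outlined in the summary (search engine, state detection and filtering) and detailed here for the search coprocessor 022, as an added software model that is not the patent's own code: a packet's 5-tuple is packed into one key, checked first against a connection-state table in both directions, and otherwise matched against an ordered ACL whose entries are value/bit-mask pairs (the TCAM-style bit and bit-mask matching the coprocessor performs), yielding a drop, forward or "hand to CPU" verdict. The policy, addresses and verdict names are constructed.

```python
"""Model of the search-engine lookup stage: connection-state table plus
value/bit-mask ACL matching on a packed 5-tuple key. Added example; the
rules, addresses and verdict names are constructed, not from the patent."""
from dataclasses import dataclass
import ipaddress

DROP, FORWARD, TO_CPU = "drop", "forward", "to_cpu"   # TO_CPU: forward and hand a copy to the server platform


def pack_key(src: str, dst: str, sport: int, dport: int, proto: int) -> int:
    """104-bit key: src(32) | dst(32) | sport(16) | dport(16) | proto(8)."""
    return (int(ipaddress.IPv4Address(src)) << 72
            | int(ipaddress.IPv4Address(dst)) << 40
            | sport << 24 | dport << 8 | proto)


@dataclass
class Rule:
    value: int    # bits that must match ...
    mask: int     # ... wherever the mask bit is set; other bits are don't-care
    action: str


def rule(src="0.0.0.0/0", dst="0.0.0.0/0", sport=None, dport=None, proto=None, action=FORWARD) -> Rule:
    """Build a value/mask entry; None means the field is not compared."""
    s, d = ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)
    value = pack_key(str(s.network_address), str(d.network_address),
                     sport or 0, dport or 0, proto or 0)
    mask = (int(s.netmask) << 72 | int(d.netmask) << 40
            | (0xFFFF if sport is not None else 0) << 24
            | (0xFFFF if dport is not None else 0) << 8
            | (0xFF if proto is not None else 0))
    return Rule(value & mask, mask, action)


class SearchEngine:
    def __init__(self, rules):
        self.rules = list(rules)   # priority order: first match wins
        self.states = set()        # admitted connections, looked up in both directions

    def lookup_rules(self, key: int) -> str:
        for r in self.rules:
            if (key & r.mask) == r.value:
                return r.action
        return DROP                # no entry matches: default deny

    def process(self, src, dst, sport, dport, proto) -> str:
        """Verdict for one packet; admits the connection on a non-DROP rule hit."""
        fwd = (src, dst, sport, dport, proto)
        rev = (dst, src, dport, sport, proto)
        if fwd in self.states or rev in self.states:
            return FORWARD         # state-table hit: established connection, no rule scan
        action = self.lookup_rules(pack_key(*fwd))
        if action != DROP:
            self.states.add(fwd)
        return action


# Constructed policy: quarantined subnet first (highest priority), then web
# traffic handled entirely in hardware, mail traffic also handed to the CPU for IDS.
POLICY = [
    rule(src="10.0.66.0/24", action=DROP),
    rule(src="10.0.0.0/8", dport=80, proto=6, action=FORWARD),
    rule(src="10.0.0.0/8", dport=25, proto=6, action=TO_CPU),
]


def demo() -> list:
    engine = SearchEngine(POLICY)
    return [
        engine.process("10.0.1.5", "203.0.113.9", 40000, 80, 6),   # rule 2: forward
        engine.process("203.0.113.9", "10.0.1.5", 80, 40000, 6),   # reply: state-table hit
        engine.process("10.0.66.7", "203.0.113.9", 40000, 80, 6),  # rule 1 wins: drop
        engine.process("10.0.1.5", "203.0.113.9", 40001, 25, 6),   # rule 3: to CPU
        engine.process("10.0.1.5", "203.0.113.9", 40002, 80, 17),  # UDP: no match, drop
    ]
```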
Server platform 03 uses single CPU to carry out high-speed computation usually and handles, and also can use many CPU to carry out the parallel high-speed calculation process, by with reach high performance software-hardware synergism cooperating of high-speed hardware processing module 02 and handle.Upper strata control or application software modules such as server platform 03 also can embedded IDS, anti-virus, depth content filtration are realized various abundant safe handling functions.
Be high-speed communication passage 06 between server platform 03 and the high-speed hardware processing module 02, as PCI, PCI-X etc., this passage is directly provided by safe processing chip 021 on high speed processing module 02, by physical connection and the information interaction at a high speed between this passage realization safe processing chip 021 and the server platform 03, this passage can provide up to the communication bandwidth more than the 8Gbps, guarantees choke free software and hardware system collaborative work.
Referring to Fig. 5, server platform 03 uses a standard industrial server architecture, containing one or more high-speed CPUs 031, memory 032, hard disk 033, peripheral component interconnect interface 034, chipset 035, external interfaces 036 (serial port, parallel port, USB interface, VGA interface, etc.) and other accessories 037.
Fig. 6 is the functional block diagram of security processing system 05 running on server platform 03. Security processing system 05 includes security kernel subsystem 051, system interface subsystem 052 and security application subsystem 053. Security kernel subsystem 051 is the core of security processing system 05; with operating system 05104 as its support platform, it is responsible for receiving all user configuration information, building the configuration table entries and maintaining them. In addition, after it receives configuration information it drives the hardware chip or configures the TCP/IP protocol stack according to that information, thereby completing the functional configuration of the system.
System interface subsystem 052 is the interface between security kernel subsystem 051 and security application subsystem 053; it performs the interface conversion and adaptation between the two.
Security application subsystem 053 provides the various application functions of the network security processing device, including log service, high availability, web service, configuration service and virtual private network service. After a packet has been received and handled by physical layer interface 01 it is handed to high-speed hardware processing module 02; high-speed hardware processing module 02 processes the packet according to the user's configuration information and, if the packet needs to be handled by security processing system 05, passes it up over high-speed communication bus 06. After security processing system 05 receives the packet, it calls, through system interface subsystem 052, security processing chip driver 05101 and TCP/IP protocol stack 05103 of security kernel subsystem 051 to process it; the processed packet is handed back down to high-speed hardware processing module 02 over high-speed communication bus 06, and once high-speed hardware processing module 02 has finished processing it, the packet is forwarded out through physical layer interface 01.
Security application subsystem 053 comprises log service module 05301, high availability module 05302, web service module 05303, configuration service module 05304 and virtual private network service module 05305. Log service module 05301 handles all log information of the network security processing device and outputs all of it. High availability module 05302 sets up a communication channel with the high availability module of another network security processing device and performs state detection and information synchronization between the two devices. Obtaining configuration information between the devices and completing the system configuration work are both done through system interface subsystem 052.
Web service module 05303 provides the security processing device with support for a WebUI-based management and configuration channel; through web service module 05303 the user can configure, control and manage the network security processing device with browser software.
When configuration service module 05304 performs the initialization of the network security device, it reads the configuration information from the configuration file to initialize the device, and it periodically writes the user's newly configured data back to the configuration file.
Virtual private network service module 05305 provides support for virtual private network protocols: it establishes the connection negotiation of VPN protocols such as IPsec, L2TP and GRE, and realizes automatic negotiation processing for protocols such as IKE.
Configuration user graphical interface module 05306 provides the user's configuration management interface; the user can configure the device, as a single unit or as a cluster, through multiple management methods such as the command line, the WEB management interface and the SNMP (Simple Network Management Protocol) network management protocol.
Security kernel subsystem 051 is made up of security processing chip driver 05101, physical layer interface driver 05102, TCP/IP protocol stack 05103 and operating system 05104, and provides the operating system, low-level drivers, policy management and configuration functions that the device needs to operate. Security kernel subsystem 051 provides support to security application subsystem 053 through system interface subsystem 052.
Security processing chip driver 05101 performs the initialization of the security processing chip (driver control) and provides a management and configuration interface; physical layer interface driver 05102 performs the initialization of the physical layer interface chip (driver control) and provides a management and configuration interface; TCP/IP protocol stack 05103 performs negotiation, processing and control for the protocols of the packets it handles, such as virtual private network, FTP, HTTP, IP, TCP and UDP, realizing correct link establishment and secure packet processing and forwarding; operating system 05104 serves as the support platform of security kernel subsystem 051.
A packet received from the physical layer interface first undergoes the corresponding security processing in the security processing chip (such as security filtering, network address translation, virtual private network processing, encryption and decryption, information filtering, forwarding processing, etc.); if software assistance is needed, it is passed up to the server platform over the high-speed communication bus, where the server platform's CPU performs high-speed computation and processing. The processed packet is then sent out to the physical layer interface through the security processing chip again.
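The packet path just described, together with the bit-and-bit-mask rule matching and connection-based stateful detection attributed to the search coprocessor earlier, can be modelled in software. The following is an added example and not code from the patent or from its applicant: rules are (value, mask) pairs evaluated in priority order the way a TCAM-style coprocessor evaluates them, a connection-state table lets later packets of a known flow (and its reply direction) skip the rule search, and a flow whose rule verdict is "punt" is handed to a content-filter function standing in for the server platform. Every rule, address, port range, packet and signature below is constructed for the illustration; `Device`, `lookup`, `content_filter` and the other names are the example's own.

```python
# Added illustration, not code from the patent: a software model of the
# hardware fast path (value/mask rule search + connection-state table) and
# the software slow path (content inspection on the "server platform").
# Every rule, packet and signature here is constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    # Each field is (value, mask): header field f matches when f & mask == value & mask.
    src: tuple
    dst: tuple
    proto: tuple
    sport: tuple
    dport: tuple
    action: str  # "forward", "drop" or "punt" (hand to the server platform)

ANY = (0, 0)  # all-zero mask: wildcard

def cidr(net: str) -> tuple:
    """'a.b.c.d/n' -> (value, mask) over the 32-bit address."""
    addr, _, plen = net.partition("/")
    bits = int(plen) if plen else 32
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & mask, mask)

def exact(value: int, width: int = 16) -> tuple:
    return (value, (1 << width) - 1)

def matches(rule: Rule, pkt: Packet) -> bool:
    fields = (
        (int(ip_address(pkt.src)), rule.src),
        (int(ip_address(pkt.dst)), rule.dst),
        (pkt.proto, rule.proto),
        (pkt.sport, rule.sport),
        (pkt.dport, rule.dport),
    )
    return all((f & m) == (v & m) for f, (v, m) in fields)

def lookup(rules, pkt: Packet) -> str:
    """First match wins; list order is the rule priority. No match: default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"

def flow_key(p: Packet) -> tuple:
    return (p.src, p.dst, p.proto, p.sport, p.dport)

def reverse_key(p: Packet) -> tuple:
    return (p.dst, p.src, p.proto, p.dport, p.sport)

class Device:
    def __init__(self, rules, inspect):
        self.rules = rules
        self.inspect = inspect  # software slow path (stand-in for the server platform)
        self.flows = {}         # connection-state table: flow_key -> rule verdict
        self.punted = 0

    def process(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        # Stateful fast path: a known flow, or the reply direction of one, reuses its verdict.
        verdict = self.flows.get(key) or self.flows.get(reverse_key(pkt))
        if verdict is None:
            verdict = lookup(self.rules, pkt)  # value/mask rule search
            self.flows[key] = verdict
        if verdict == "punt":                  # software assistance needed
            self.punted += 1
            return self.inspect(pkt)
        return verdict

BLOCKED = (b"BAD-WORD",)  # constructed content-filter signature for the slow path

def content_filter(pkt: Packet) -> str:
    return "drop" if any(sig in pkt.payload for sig in BLOCKED) else "forward"

# Constructed policy: web traffic to one host is inspected in software; internal
# hosts may reach 192.168.1.0/24 on TCP ports 1024-2047 (value 0x0400, mask 0xFC00).
DEMO_RULES = [
    Rule(ANY, cidr("192.168.1.10/32"), exact(6, 8), ANY, exact(80), "punt"),
    Rule(cidr("10.0.0.0/8"), cidr("192.168.1.0/24"), exact(6, 8), ANY, (0x0400, 0xFC00), "forward"),
]

DEMO_PACKETS = [
    Packet("10.1.2.3", "192.168.1.10", 6, 40000, 80, b"GET / HTTP/1.1"),  # punted, clean
    Packet("10.1.2.3", "192.168.1.10", 6, 40001, 80, b"GET /x BAD-WORD"), # punted, dropped
    Packet("10.1.2.3", "192.168.1.20", 6, 5000, 1500),                     # rule 2, forwarded
    Packet("192.168.1.20", "10.1.2.3", 6, 1500, 5000),                     # reply, passes on state only
    Packet("172.16.0.1", "192.168.1.20", 17, 53, 5353),                    # no rule, default drop
]

def run_demo():
    dev = Device(DEMO_RULES, content_filter)
    return [dev.process(p) for p in DEMO_PACKETS], dev.punted
```

Two points worth noticing when running it: the fourth packet is the reply direction of an accepted flow and would fall to the default deny if only the rule table were consulted, which is what connection-based stateful detection adds over plain filtering; and the port-range rule is expressed as a single value/mask pair rather than a range compare, which is the form a bit-mask search engine can evaluate in one lookup.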
With the development of networks, settings such as telecommunications networks, ISPs (Internet Service Providers), IDCs (Internet Data Centers), enterprise networks, government networks and financial networks place ever higher performance requirements on network security devices; at the same time, the needs of actual network deployment also require security devices to embed functions such as IDS, anti-virus and deep content filtering. With the network security device of the present invention, security processing performance can reach 5Gbps or more; and, because a server platform is adopted, functional extensibility is greatly improved, so the demand for network security devices in the various settings of ISPs, IDCs, enterprise networks, government networks, financial networks and telecommunications networks can be effectively satisfied.
The invention is not limited to the above embodiment; those skilled in the art can make various changes and variations according to the present invention, and as long as these do not depart from the spirit of the invention they all fall within the scope defined by the claims of the present invention.

Claims (8)

1. A network security processing device, characterized in that the security processing device comprises a physical layer interface, a high-speed hardware processing module and a server platform; data communication between the physical layer interface and the high-speed hardware processing module is carried out over a physical layer interface communication bus; data communication between the high-speed hardware processing module and the server platform is carried out over a high-speed communication bus; and a security processing system runs inside the server platform.
2. The network security processing device according to claim 1, characterized in that the high-speed hardware processing module comprises a security processing chip, a high-speed search coprocessor, a table-entry memory and a packet buffer memory;
A packet received from the physical layer interface first has its security information and forwarding information extracted and analysed by the security processing chip; the packet is then placed temporarily in the packet buffer memory while the extracted security information and forwarding information are processed; according to the actual lookup needs of each packet, lookup commands are sent to the high-speed search coprocessor or the table-entry memory; after a command completes, the high-speed search coprocessor or table-entry memory returns the lookup result; according to this result the security processing chip retrieves the packet from the packet buffer memory, performs the packet's editing and encapsulation processing, and then, according to the forwarding information in the lookup result, sends the packet to the physical layer interface or to the server platform over the high-speed communication bus.
3. The network security processing device according to claim 2, characterized in that the security processing chip comprises a packet input interface processing module, a packet analysis module, an intrusion detection module, a stateful detection and filtering module, a forwarding processing module, a network address translation processing module, a virtual private network processing module, a search-engine lookup processing module, a cache management module, a scheduling and quality of service supervision module, an encryption and decryption processing module, a packet editing and encapsulation processing module, a packet output processing module, a CPU-processing packet buffer module and a CPU interface processing module;
The packet input interface processing module receives packets from the physical layer interface and delivers them to the packet analysis module; the packet analysis module analyses each packet and checks its legitimacy, and drops it or continues processing according to the result. If the packet needs network address translation processing, its network address information is extracted and delivered to the network address translation processing module and the search-engine lookup processing module; if the packet needs virtual private network processing, its virtual private network information is extracted and delivered to the virtual private network processing module, the encryption and decryption processing module and the search-engine lookup processing module; if the packet needs intrusion detection, filtering or connection-based stateful detection, its layer-2 to layer-7 information is extracted and delivered to the intrusion detection module, the stateful detection and filtering module and the search-engine lookup processing module;
The forwarding processing module extracts the packet's forwarding information and delivers it to the search-engine lookup processing module for lookup, to determine the destination forwarding path; the cache management module temporarily stores the packets received by the packet analysis module and, according to the packet processing information sent by the intrusion detection module, the stateful detection and filtering module, the forwarding processing module, the network address translation processing module, the virtual private network processing module and the search-engine lookup processing module, cooperates with the scheduling and quality of service supervision module to schedule and forward packets; the CPU-processing packet buffer module receives packets from the cache processing module and the CPU interface processing module and, according to the packet control information, sends them to the packet editing and encapsulation processing module or the CPU interface processing module; the CPU interface processing module implements control of the security processing chip's internal modules and the passing of packets up to and down from the CPU; the packet editing and encapsulation processing module receives packets from the cache processing module together with the lookup control and forwarding information sent by the various processing modules and the search-engine lookup processing module, then edits and modifies the packet, re-encapsulates it with a recomputed checksum, and sends it to the packet output interface processing module; the packet output interface processing module, after receiving the packet from the packet editing and encapsulation processing module, sends it to the physical layer interface.
4. The network security processing device according to claim 1, characterized in that the security processing system includes a security kernel subsystem, a system interface subsystem and a security application subsystem;
The security kernel subsystem, with the operating system as its support platform, receives user configuration information, builds the configuration table entries, maintains them and performs the system function configuration;
The system interface subsystem performs the interface conversion and adaptation between the security application subsystem and the security kernel subsystem;
The security application subsystem provides the various system application functions.
5. The network security processing device according to claim 1, 2 or 4, characterized in that the security kernel subsystem comprises a security chip driver, a physical layer interface driver, a TCP/IP protocol stack and an operating system;
The security processing chip driver performs the initialization of the security processing chip and provides a management and configuration interface; the physical layer interface driver performs the initialization of the physical layer interface and provides a management and configuration interface; the TCP/IP protocol stack performs negotiation, processing and control for the protocols of the packets it handles, realizing correct link establishment and secure packet processing and forwarding; the operating system serves as the support platform of the security kernel subsystem.
6. The network security processing device according to claim 4, characterized in that the security application subsystem comprises a log service module, a high availability module, a web service module, a configuration service module, a virtual private network service module and a configuration user graphical interface module;
The log service module handles and outputs log information;
The high availability module sets up a communication channel with the high availability module of another network security processing device and performs state detection and information synchronization between the two devices;
The web service module provides support for the management and configuration channel;
The configuration service module reads the configuration information, initializes the device, and periodically writes the user's newly configured data to the configuration file;
The virtual private network service module provides support for virtual private networks;
The configuration user graphical interface module provides the user's configuration management graphical interface.
7. The network security processing device according to claim 1, characterized in that the physical layer interface communication bus can be a Media Independent Interface MII or a Gigabit Media Independent Interface GMII.
8. The network security processing device according to claim 1, characterized in that the high-speed communication bus can be Peripheral Component Interconnect PCI or Peripheral Component Interconnect Extended PCI-X.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101182297A CN1291567C (en) 2003-12-05 2003-12-05 A high-performance multi-service network security processing equipment

Publications (2)

Publication Number Publication Date
CN1547353A true CN1547353A (en) 2004-11-17
CN1291567C CN1291567C (en) 2006-12-20

Family

ID=34337994

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2003101182297A Expired - Fee Related CN1291567C (en) 2003-12-05 2003-12-05 A high-performance multi-service network security processing equipment

Country Status (1)

Country Link
CN (1) CN1291567C (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101076013B (en) * 2006-05-19 2012-08-22 上海三零卫士信息安全有限公司 Network data intelligent shift guide system and method
CN102035717B (en) * 2009-09-27 2013-07-31 中国移动通信集团公司 Network application system based on general processor and network processor and implementation method thereof
CN102098291A (en) * 2010-12-17 2011-06-15 天津曙光计算机产业有限公司 FPGA (Field Programmable Gate Array)-based network security log processing method and device
CN102098291B (en) * 2010-12-17 2015-08-19 曙光信息产业股份有限公司 A kind of network security log processing method based on FPGA and device
CN102592064A (en) * 2011-01-07 2012-07-18 深圳同方电子设备有限公司 Dynamic crypto chip
CN102624726A (en) * 2012-03-07 2012-08-01 上海盖奇信息科技有限公司 Multi-core intelligent network card platform-based ultrahigh-bandwidth network security audit method
CN105141596A (en) * 2015-08-12 2015-12-09 北京威努特技术有限公司 Industrial control firewall implementation method supporting extensible protocol detection
CN108282488A (en) * 2018-02-06 2018-07-13 山东渔翁信息技术股份有限公司 It is a kind of that stealthy method, apparatus and system being carried out to server using stealthy equipment

Legal Events

Date Code Title Description
ASS Succession or assignment of patent right

Owner name: LI HAO

Free format text: FORMER OWNER: SHENZHEN CITY HENGYANG SCIENCE CO., LTD.

Effective date: 20040903

C06 Publication
C41 Transfer of patent application or patent right or utility model
PB01 Publication
TA01 Transfer of patent application right

Effective date of registration: 20040903

Address after: Nanshan Software Park, Shenzhen, Guangdong 2204, Nanshan District

Applicant after: Li Hao

Address before: Nanshan Software Park, Shenzhen, Guangdong 2204, Nanshan District

Applicant before: Semptian Technologies Ltd.

C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHENZHEN CITY HENGYANG SCIENCE CO., LTD.

Free format text: FORMER OWNER: LI HAO

Effective date: 20071221

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20071221

Address after: Room 605, Tsinghua information harbor complex, North Zone, Nanshan District hi tech Development Zone, Shenzhen, Guangdong

Patentee after: Semptian Technologies Ltd.

Address before: Nanshan Software Park, Shenzhen, Guangdong 2204, Nanshan District

Patentee before: Li Hao

C56 Change in the name or address of the patentee

Owner name: SHENZHEN SEMPTIAN TECHNOLOGIES CO., LTD.

Free format text: FORMER NAME: SEMPTIAN TECHNOLOGY CO., LTD.

CP03 Change of name, title or address

Address after: 518000, Guangdong Shenzhen hi tech Southern District, Haitian two road 14, software industry base, 5D block, 7, Nanshan District

Patentee after: SEMPTIAN TECHNOLOGIES LTD.

Address before: Room 605, Tsinghua information harbor complex, North Zone, Nanshan District hi tech Development Zone, Shenzhen, Guangdong

Patentee before: Semptian Technologies Ltd.

C56 Change in the name or address of the patentee
CP03 Change of name, title or address

Address after: 518000 Guangdong city of Shenzhen province Nanshan District Guangdong streets two Haitian Road No. 14, block 5D 8 layer software industry base

Patentee after: Shenzhen Hengxin data Limited by Share Ltd

Address before: 518000, Guangdong Shenzhen hi tech Southern District, Haitian two road 14, software industry base, 5D block, 7, Nanshan District

Patentee before: SEMPTIAN TECHNOLOGIES LTD.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20061220

Termination date: 20191205

CF01 Termination of patent right due to non-payment of annual fee