Background art
With the rapid development and widespread use of computer networking, network security has become a critical problem affecting both the development and the use of networking technology. A variety of network security devices have therefore appeared and come into wide use. Simple security devices implement only basic functions such as static packet filtering and stateful packet filtering; more complex devices integrate functions such as Virtual Private Network (VPN) and Network Address Translation (NAT), and, depending on the requirements of the network, the device may also embed modules such as content filtering, anti-virus and intrusion detection (IDS, Intrusion Detection System).
Existing network security devices have two main implementations:
(1) General-purpose PC (or industrial computer) + software architecture
A network security device of this kind uses a general-purpose PC (or industrial computer) as its hardware platform (see Fig. 1). A general-purpose operating system such as Windows, Linux or Unix runs on the CPU of this platform, and the security functions are implemented by security application software running on that operating system.
A device of this architecture is low in cost, flexible and easy to upgrade, since only the software needs to be changed. However, its security processing performance suffers from a bottleneck that is hard to overcome (typically, forwarding performance drops sharply as the number of packet filtering rules grows). The reason is that the security functions are implemented in software, so performance can only be improved by raising the computing power of the general-purpose processor, which is ultimately limited. A device of this kind therefore has an unavoidable performance bottleneck in high-traffic network environments and is basically unsuitable for use there.
(2) Security processing chip + embedded processor architecture
This kind of security device moves the software computation into hardware. It consists mainly of a security processing chip and an embedded processor. The main security processing flow is implemented on a dedicated security processing chip such as an FPGA (Field Programmable Gate Array), ASIC (Application Specific Integrated Circuit) or NP (Network Processor), which relieves the computing load on the embedded processor; the embedded processor mainly handles control and management of the device (see Fig. 2).
The core network processor or security processing chip of this architecture offers higher performance for packet filtering and forwarding, and to some extent relieves the bottleneck of fast filtering and forwarding of packets in high-traffic networks. However, a network processor (NP) is a data forwarding chip designed for data communication switches and routers; it is not a dedicated security processing chip, and in connection-based stateful inspection, protocol proxying and even ACL rule filtering it cannot reach the performance of a dedicated security processing chip: as soon as it performs security processing on the data, its performance falls sharply. In addition, the architectures currently built on dedicated security processing chips are relatively simple in function: they can only implement fast and simple packet ACL (Access Control List) filtering, stateful inspection and forwarding, and they share the same defects as the network processor in service processing capacity and extensibility; extension (upgrading) of functions and services can only be done in upper-layer software.
Although this security processing device has improved system performance to some extent and solved the performance bottleneck under heavy traffic, the processing is done by a network processor or dedicated security processing chip, so functions can only be extended or upgraded through upper-layer software, and the embedded CPU of devices of this architecture (firewalls, NAT gateways, VPN gateways, etc.) generally has low computing performance. When upper-layer services such as IDS, anti-virus or content filtering are embedded, performance is severely reduced by the limited computing power of the CPU. In addition, the bandwidth of the communication channel between the embedded processor and the security processing chip is generally low, usually only a few hundred Mbps of effective bandwidth, which makes high-performance hardware/software cooperation hard to achieve.
Summary of the invention
The present invention addresses the respective limitations of the two security device architectures above and provides a new high-performance, multi-service security processing device. It solves the forwarding performance bottleneck of the general-purpose PC (or industrial computer) + software architecture and, at the same time, the limited functional extensibility of the security processing chip + embedded processor architecture, so that it can fully meet the performance requirements of high-traffic networks while also meeting the demand for functional extension.
To achieve the above purpose, the invention provides a network security processing device comprising a physical layer interface, a high-speed hardware processing module and a server platform. The physical layer interface and the high-speed hardware processing module communicate over a physical layer interface communication bus; the high-speed hardware processing module and the server platform communicate over a high-speed communication bus; and a security processing system runs inside the server platform.
The high-speed hardware processing module comprises a security processing chip, a high-speed search coprocessor, a table entry memory and a packet buffer memory. A packet received from the physical layer interface is first handled by the security processing chip, which extracts and analyses the packet's security information and forwarding information, places the packet temporarily in the packet buffer memory, and processes the extracted security and forwarding information. According to the actual lookup needs of each packet it issues lookup commands to the high-speed search coprocessor or the table entry memory; when the command completes, the high-speed search coprocessor or the table entry memory returns the lookup result. Based on this result the security processing chip retrieves the packet from the packet buffer memory, performs editing and re-encapsulation of the packet, and then, according to the forwarding information in the lookup result, sends the packet to the physical layer interface or, over the high-speed communication bus, to the server platform.
The security processing chip comprises a packet input interface processing module, a packet analysis module, an intrusion detection module, a stateful inspection and filtering module, a forwarding processing module, a network address translation processing module, a Virtual Private Network processing module, a search engine lookup processing module, a buffer management module, a scheduling and quality-of-service supervision module, an encryption/decryption processing module, a packet editing and encapsulation processing module, a packet output interface processing module, a CPU packet buffer module and a CPU interface processing module;
The packet input interface processing module receives packets from the physical layer interface and passes them to the packet analysis module. The packet analysis module analyses the packet and checks its legitimacy, and drops it or continues processing according to the result. If the packet needs network address translation, its network address information is extracted and passed to the network address translation processing module and the search engine lookup processing module; if it needs VPN processing, its VPN information is extracted and passed to the VPN processing module, the encryption/decryption processing module and the search engine lookup processing module; if it needs intrusion detection and filtering or connection-based stateful inspection, its layer 2 to layer 7 information is extracted and passed to the intrusion detection module, the stateful inspection and filtering module and the search engine lookup processing module;
The forwarding processing module extracts the packet's forwarding information and passes it to the search engine lookup processing module for lookup to determine the destination forwarding path. The buffer management module temporarily stores the packets received by the packet analysis module and, according to the packet processing information sent by the intrusion detection module, the stateful inspection and filtering module, the forwarding processing module, the network address translation processing module, the VPN processing module and the search engine lookup processing module, cooperates with the scheduling and quality-of-service supervision module to schedule and forward packets. The CPU packet buffer module receives packets from the buffer management module and the CPU interface processing module and, according to the packet control information, sends them to the packet editing and encapsulation processing module or the CPU interface processing module. The CPU interface processing module controls the internal modules of the security processing chip and passes packets up to and down from the CPU. The packet editing and encapsulation processing module receives packets from the buffer management module, together with the lookup control and forwarding information from the other processing modules and the search engine lookup processing module, edits and modifies the packet, re-encapsulates it and recomputes its checksum, and sends it to the packet output interface processing module. The packet output interface processing module receives packets from the packet editing and encapsulation processing module and sends them to the physical layer interface.
The security processing system comprises a security kernel subsystem, a system interface subsystem and a security application subsystem. The security kernel subsystem, with the operating system as its support platform, receives user configuration information, builds the configuration table entries, maintains those entries and performs the functional configuration of the system. The system interface subsystem performs interface conversion and adaptation between the security application subsystem and the security kernel subsystem. The security application subsystem provides the various system application functions.
The security kernel subsystem comprises a security processing chip driver, a physical layer interface driver, a TCP/IP protocol stack and an operating system;
The security processing chip driver initialises the security processing chip and provides its management configuration interface; the physical layer interface driver initialises the physical layer interface and provides its management configuration interface; the TCP/IP protocol stack negotiates, processes and controls the protocols of the packets it handles, realising correct link establishment and secure packet processing and forwarding; the operating system serves as the support platform of the security kernel subsystem.
The security application subsystem comprises a log service module, a high availability module, a web service module, a configuration service module, a VPN service module and a configuration user graphical interface module. The log service module processes and outputs log information; the high availability module establishes a communication channel with the high availability module of another network security processing device to perform state detection and information synchronisation between the two devices; the web service module supports the management configuration channel; the configuration service module reads configuration information, initialises the device and periodically writes newly configured user data to the configuration file; the VPN service module supports VPN; the configuration user graphical interface module provides the user's graphical configuration and management interface.
The physical layer interface communication bus may be a Media Independent Interface (MII) or a Gigabit Media Independent Interface (GMII).
The high-speed communication bus may be Peripheral Component Interconnect (PCI) or PCI-X.
Embodiment
The implementation of the invention is described in detail below with reference to the accompanying drawings.
Referring to Fig. 3, the security processing device of the invention consists of a physical layer interface 01, a high-speed hardware processing module 02 and a server platform 03. The physical layer interface 01 mainly provides 100 Mbps FE (Fast Ethernet) ports or gigabit GE (Gigabit Ethernet) ports and communicates with the high-speed hardware processing module 02 over the physical layer interface communication bus 04, such as MII (Media Independent Interface) or GMII (Gigabit Media Independent Interface). The high-speed hardware processing module 02 and the server platform 03 communicate over the high-speed communication bus 06, such as PCI (Peripheral Component Interconnect) or PCI-X.
Referring to Fig. 4, the high-speed hardware processing module 02 is mainly composed of a security processing chip 021, a high-speed search coprocessor 022, a table entry memory 023 and a packet buffer memory 024.
The core of the high-speed hardware processing module 02 is the security processing chip 021. Under the coordination of the server platform this chip performs the main security processing functions, such as packet filtering, stateful inspection and filtering, VPN, network address translation and encryption/decryption.
As can be seen from Fig. 4, the security processing chip 021 is composed of a packet input interface processing module 02101, a packet analysis module 02102, an intrusion detection module 02103, a stateful inspection and filtering module 02104, a forwarding processing module 02105, a network address translation processing module 02106, a VPN processing module 02107, a search engine lookup processing module 02108, a buffer management module 02109, a scheduling and quality of service (QoS) supervision module 02110, an encryption/decryption processing module 02111, a packet editing and encapsulation processing module 02112, a packet output interface processing module 02113, a CPU packet buffer module 02114 and a CPU interface processing module 02115. Of these:
The packet input interface processing module 02101 connects to the external physical layer interface 01 and adapts the interface communication protocol; after receiving a data frame it passes it to the packet analysis module 02102 for processing.
The packet analysis module 02102 performs packet analysis, including legitimacy checking and protocol identification, and selects different processing flows according to the packet's protocol type and traffic classification: if the packet needs network address translation, its network address and related information are extracted and passed to the network address translation processing module 02106 and the search engine module 02108; if it needs VPN processing, its VPN information is extracted and passed to the VPN processing module 02107, the encryption/decryption processing module 02111 and the search engine module 02108; if it needs intrusion detection and filtering or connection-based stateful inspection and filtering, the relevant layer 2 to layer 7 information is extracted and passed to the intrusion detection module 02103, the stateful inspection and filtering module 02104 and the search engine module 02108.
While the extracted packet information goes through this control-flow processing, the packet analysis module 02102 passes the packet itself directly to the buffer management module 02109 for buffering, queue scheduling and quality-of-service control.
The intrusion detection module 02103 supports intrusion detection features: it can automatically guard against dozens of common network attacks, scans and probes, performs detection and filtering at line rate, and protects both the internal network and the firewall itself from attack. Together with the security processing system 05 it can provide protection and alarms for more than 1400 attack signatures, and together with the stateful inspection and filtering module 02104 it can implement coordinated protection. Through real-time alarm information and log data the user can analyse and confirm attacks and take precautions early. After receiving the packet control information from the packet analysis module 02102, this module processes and analyses it, and extracts the stateful inspection and filtering lookup information, which it passes to the stateful inspection and filtering module 02104 and the search engine lookup module 02108. When a packet flow needs intrusion detection analysis, the corresponding packet is marked for CPU processing and is forwarded by the buffer management module 02109 to both the packet editing and encapsulation processing module 02112 and the CPU packet buffer module 02114.
The stateful inspection and filtering module 02104 implements packet filtering. It provides not only basic packet filtering and session state detection but also application-layer-aware stateful packet filtering, supporting stateful inspection and filtering of TCP (Transmission Control Protocol), UDP (User Datagram Protocol), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol), H.323 and other application protocols. The module extracts the packet's filtering lookup information (source address, destination address, source port, destination port, protocol type, connection control information, application layer information, etc.) and passes it to the search engine lookup module 02108 for lookup, to decide whether the packet is dropped or passed, thereby implementing both packet-based and connection-based filtering.
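The following Python model, added here as an illustration and not code from the patent, shows what connection-based filtering with an application-layer helper amounts to: a session table keyed on the five-tuple, a TCP handshake state machine, and an FTP helper that parses the PORT command so the server's active-mode data connection is admitted while unrelated inbound SYNs, ACK scans and unsolicited UDP are dropped. The class and field names, the inside prefix 10.0.0.0/24 (matched as a string prefix for brevity) and the sample packets are all assumptions constructed for the example.

```python
"""Connection-based stateful packet filter with an FTP application-layer
helper.  Added illustration, not code from the patent: the names, the
inside prefix and the sample packets are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags as letters, e.g. "S", "SA", "A", "F", "R"
    payload: bytes = b""


class StatefulFilter:
    """Sessions are keyed on the five-tuple in initiator->responder order.
    Inbound packets pass only if they belong to a tracked session or to a
    pinhole that an application-layer helper opened."""

    def __init__(self, inside_prefix, allowed_dports):
        self.inside = inside_prefix          # e.g. "10.0.0." (string prefix, a simplification)
        self.allowed = set(allowed_dports)   # destination ports the policy allows from inside
        self.sessions = {}      # five-tuple -> TCP state (UDP sessions use "ESTABLISHED")
        self.pinholes = set()   # five-tuples announced by helpers

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def rkey(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def ftp_helper(self, p):
        """Parse 'PORT h1,h2,h3,h4,p1,p2' on the control channel and expect the
        server to open the data connection from port 20 to that address."""
        for line in p.payload.decode("ascii", "ignore").splitlines():
            if not line.upper().startswith("PORT "):
                continue
            parts = [x.strip() for x in line[5:].split(",")]
            if len(parts) == 6 and all(x.isdigit() for x in parts):
                host = ".".join(parts[:4])
                port = int(parts[4]) * 256 + int(parts[5])
                self.pinholes.add(("tcp", p.dst, 20, host, port))

    def process(self, p):
        """Return 'pass' or 'drop' and update the session table."""
        k, rk = self.key(p), self.rkey(p)
        if k in self.sessions or rk in self.sessions:
            skey = k if k in self.sessions else rk
            state = self.sessions[skey]
            if "R" in p.flags:                       # reset tears the session down
                del self.sessions[skey]
            elif p.proto == "tcp" and state == "SYN_SENT":
                if skey == rk and p.flags == "SA":
                    self.sessions[skey] = "SYN_RECV"
                elif not (skey == k and p.flags == "S"):
                    return "drop"                    # only SYN-ACK or a SYN retransmit fits here
            elif p.proto == "tcp" and state == "SYN_RECV":
                if skey == k and "A" in p.flags:
                    self.sessions[skey] = "ESTABLISHED"
                elif not (skey == rk and p.flags == "SA"):
                    return "drop"
            elif p.proto == "tcp" and "F" in p.flags:
                if state == "CLOSING":
                    del self.sessions[skey]          # both sides have sent FIN
                else:
                    self.sessions[skey] = "CLOSING"
            if self.sessions.get(skey) == "ESTABLISHED" and p.dport == 21:
                self.ftp_helper(p)                   # client->server FTP control traffic
            return "pass"
        # No session yet: only a new flow from inside to an allowed port, or a
        # flow a helper announced, may create one; stray ACKs and SYN-ACKs drop.
        if p.proto == "tcp" and p.flags != "S":
            return "drop"
        if p.src.startswith(self.inside) and p.dport in self.allowed:
            self.sessions[k] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"
            return "pass"
        if k in self.pinholes:
            self.pinholes.discard(k)
            self.sessions[k] = "SYN_SENT"
            return "pass"
        return "drop"


if __name__ == "__main__":
    f = StatefulFilter("10.0.0.", {21, 53, 80})
    for p in (Pkt("tcp", "10.0.0.5", 40000, "198.51.100.7", 21, "S"),
              Pkt("tcp", "198.51.100.7", 21, "10.0.0.5", 40000, "SA"),
              Pkt("tcp", "10.0.0.5", 40000, "198.51.100.7", 21, "A"),
              Pkt("tcp", "10.0.0.5", 40000, "198.51.100.7", 21, "A", b"PORT 10,0,0,5,156,65\r\n"),
              Pkt("tcp", "198.51.100.7", 20, "10.0.0.5", 40001, "S"),
              Pkt("tcp", "203.0.113.9", 4444, "10.0.0.5", 22, "S")):
        print(p.src, p.sport, "->", p.dst, p.dport, p.flags, f.process(p))
```

The helper is the point of the example: without it the server's connection from port 20 to the client's announced port 40001 looks like any other unsolicited inbound SYN and is dropped; with it the pinhole is opened only for the exact five-tuple the control channel announced and is consumed on first use.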
The forwarding processing module 02105 extracts the packet's routing and forwarding information and passes it to the search engine lookup module 02108 for lookup to determine the destination forwarding path, which is then used by the scheduling and quality-of-service supervision module 02110, the buffer management module 02109 and the packet editing and encapsulation processing module 02112 to schedule and forward the packet.
The network address translation processing module 02106 implements dynamic address translation, supporting many-to-one and many-to-many address translation, and also static address translation; it supports mixed public and private addressing inside the network, automatically identifying the addresses and performing the correct translation. After receiving the packet information from the packet analysis module 02102, it extracts the network address and related information and passes it to the search engine lookup module 02108 for processing.
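As an added example (not the patent's own code), the Python model below shows the table structure behind the three translation modes named above: static one-to-one mappings, which are bidirectional, and dynamic mappings from a public address pool, which are many-to-one with port overloading when the pool holds one address and many-to-many when it holds several. Dynamic mappings are created only by outbound traffic, so an inbound packet with no mapping returns None and is dropped. The class name, the address pool and the sample flows are assumptions.

```python
"""NAT table model: static 1:1 plus dynamic many-to-one / many-to-many
translation with reverse lookup.  Added illustration, not code from the
patent; addresses and flows are constructed for the example."""
import ipaddress
import itertools


class NatTable:
    def __init__(self, public_pool, static=None, port_range=(1024, 65535)):
        self.pool = list(public_pool)            # one address: many-to-one; several: many-to-many
        self.static = dict(static or {})         # private ip -> public ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.port_range = port_range             # inclusive bounds for dynamic ports
        self.out = {}   # (proto, priv_ip, priv_port, dst_ip, dst_port) -> (pub_ip, pub_port)
        self.inb = {}   # (proto, pub_ip, pub_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def _pick_public(self, priv_ip):
        """Spread private hosts over the pool deterministically (many-to-many)."""
        return self.pool[int(ipaddress.IPv4Address(priv_ip)) % len(self.pool)]

    def _alloc_port(self, proto, pub, dst, dport, wanted):
        """Keep the private port if it is free for this destination, otherwise
        take the lowest free port from the range."""
        lo, hi = self.port_range
        for port in itertools.chain([wanted], range(lo, hi + 1)):
            if (proto, pub, port, dst, dport) not in self.inb:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def translate_out(self, proto, src, sport, dst, dport):
        """Outbound: return the (public ip, public port) to rewrite into the packet."""
        key = (proto, src, sport, dst, dport)
        if key in self.out:
            return self.out[key]
        if src in self.static:
            pub, pport = self.static[src], sport          # static 1:1 keeps the port
        else:
            pub = self._pick_public(src)
            pport = self._alloc_port(proto, pub, dst, dport, sport)
        self.out[key] = (pub, pport)
        self.inb[(proto, pub, pport, dst, dport)] = (src, sport)
        return pub, pport

    def translate_in(self, proto, src, sport, dst, dport):
        """Inbound: src/sport is the remote host, dst/dport our public side.
        Returns the private (ip, port), or None if nothing maps (drop)."""
        hit = self.inb.get((proto, dst, dport, src, sport))
        if hit is None and dst in self.static_rev:
            hit = (self.static_rev[dst], dport)           # static mappings work both ways
        return hit


if __name__ == "__main__":
    nat = NatTable(["203.0.113.1"], static={"10.0.0.10": "203.0.113.10"})
    print(nat.translate_out("tcp", "10.0.0.5", 40000, "93.184.216.34", 80))
    print(nat.translate_out("tcp", "10.0.0.6", 40000, "93.184.216.34", 80))
    print(nat.translate_in("tcp", "93.184.216.34", 80, "203.0.113.1", 1024))
    print(nat.translate_in("tcp", "93.184.216.34", 80, "203.0.113.1", 9999))
```

Note the design choice in _alloc_port: a public port is only required to be unique per remote endpoint, so two inside hosts can both keep port 40000 towards different servers; a firewall that wants endpoint-independent mappings would key inb on (proto, pub_ip, pub_port) alone and allocate accordingly.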
The VPN processing module 02107 implements VPN functions based on protocols such as L2TP (Layer 2 Tunneling Protocol), GRE (Generic Routing Encapsulation) and IPsec (Internet Protocol Security). It can provide high-performance DES (Data Encryption Standard), 3DES (Triple DES) and AES (Advanced Encryption Standard) encryption/decryption and MD5 (Message-Digest Algorithm 5) and SHA-1/SHA-2 (Secure Hash Algorithm) hashing, and supports both manual key configuration and automatic IKE negotiation. After receiving the packet information from the packet analysis module 02102, this module performs the VPN processing analysis, extracts the VPN lookup information and passes it to the search engine lookup module 02108 for processing.
The search engine lookup processing module 02108 receives lookup requests from the intrusion detection module 02103, the stateful inspection and filtering module 02104, the forwarding processing module 02105, the network address translation processing module 02106, the VPN processing module 02107 and so on, and completes the packet lookup operations using rule and content matching algorithms, network address translation lookup algorithms, routing and forwarding lookup algorithms, etc. Depending on the algorithm, or the mix of algorithms, the lookup is carried out in the high-speed search coprocessor 022 or the table entry memory 023.
The buffer management module 02109 stores the packets received from the packet analysis module 02102 by writing them to the packet buffer memory 024. It then waits for the packet information sent by the intrusion detection module 02103, the stateful inspection and filtering module 02104, the forwarding processing module 02105, the network address translation processing module 02106, the VPN processing module 02107 and the search engine lookup module 02108 and, according to the packet's storage control information in the packet buffer memory 024, cooperates with the scheduling and quality-of-service supervision module 02110 to read the packet back out of the packet buffer memory 024 and schedule its transmission.
The scheduling and quality-of-service supervision module 02110 schedules and polices the traffic of packets belonging to different input/output ports and carrying different forwarding and filtering information, and sends control information to the buffer management module 02109, which then delivers the packets to the packet editing and encapsulation processing module 02112 and the CPU packet buffer module 02114.
The encryption/decryption processing module 02111 contains sub-modules for the different encryption/decryption algorithms, such as DES, 3DES and AES, and performs the corresponding encryption or decryption on the packets that require it, i.e. VPN tunnel packets, so that packets are delivered correctly and reliably and are protected against eavesdropping and tampering in transit.
The packet editing and encapsulation processing module 02112 receives packets from the buffer management module 02109, together with the lookup control and forwarding information from the other processing modules and the search engine lookup module 02108, and then edits and modifies the packet: for a packet forwarded through network address translation, the packet's network address information is rewritten to the translated address; for a routed packet, the packet's forwarding address information and routing information are rewritten. It then re-encapsulates the packet and recomputes its checksum, and sends it to the packet output interface processing module 02113.
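The re-encapsulation step above is where a NAT edit most often goes wrong: rewriting the source address changes both the IPv4 header checksum and the TCP checksum (through the pseudo-header), and a hardware editing stage does not want to re-read the whole payload to fix the latter. The Python block below, added here as an illustration and not code from the patent, builds a sample IPv4/TCP packet with valid checksums, rewrites its source address and port with the incremental update of RFC 1624, and verifies the result by full recomputation. The function names and the sample addresses are assumptions.

```python
"""Packet editing for NAT: rewrite source address/port of an IPv4/TCP packet
and update both checksums incrementally (RFC 1624), then verify by full
recomputation.  Added illustration, not code from the patent."""
import struct
from socket import inet_aton, inet_ntoa

IP_PROTO_TCP = 6


def ones_sum(data: bytes) -> int:
    """16-bit one's complement sum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_sum(data)) & 0xFFFF


def incremental_checksum(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'); m and m' may span several words."""
    total = (~old_csum & 0xFFFF) + (~ones_sum(old_bytes) & 0xFFFF) + ones_sum(new_bytes)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, sport, dst, dport, payload=b"") -> bytes:
    """Construct a minimal IPv4+TCP SYN with valid checksums (sample input)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IP_PROTO_TCP, 0, inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


def rewrite_source(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """NAT edit: replace the source IP and TCP source port and fix both checksums
    without touching the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    old_ip, old_port = pkt[12:16], pkt[ihl:ihl + 2]
    new_ip, new_port = inet_aton(new_src), struct.pack("!H", new_sport)
    ip_csum = struct.unpack("!H", pkt[10:12])[0]
    tcp_csum = struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0]
    # The IPv4 header checksum only sees the address; the TCP checksum sees the
    # pseudo-header address and the port field.
    ip_csum = incremental_checksum(ip_csum, old_ip, new_ip)
    tcp_csum = incremental_checksum(tcp_csum, old_ip + old_port, new_ip + new_port)
    out = bytearray(pkt)
    out[12:16] = new_ip
    out[10:12] = struct.pack("!H", ip_csum)
    out[ihl:ihl + 2] = new_port
    out[ihl + 16:ihl + 18] = struct.pack("!H", tcp_csum)
    return bytes(out)


def verify(pkt: bytes) -> bool:
    """Full recomputation: a valid one's complement checksum sums to all ones."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    return ones_sum(pkt[:ihl]) == 0xFFFF and ones_sum(pseudo + tcp) == 0xFFFF


def source(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return inet_ntoa(pkt[12:16]), struct.unpack("!H", pkt[ihl:ihl + 2])[0]


if __name__ == "__main__":
    p = build_packet("10.0.0.5", 40000, "93.184.216.34", 80, b"GET / HTTP/1.0\r\n")
    q = rewrite_source(p, "203.0.113.1", 1024)
    print(source(p), verify(p), "->", source(q), verify(q))
```

The last assertion in the accompanying check is the practical one: splicing the new address in without the checksum fix produces a packet the receiver silently discards, which is the kind of fault a hardware editing stage has to get right at line rate.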
The packet output interface processing module 02113 connects to the external physical layer interface 01 and adapts the interface communication protocol; after receiving a packet from the packet editing and encapsulation processing module 02112 it adds the frame check and frame control information and sends it to the physical layer interface.
The CPU packet buffer module 02114 stores the packets that the security processing chip hands up to the CPU and the forwarded packets that the CPU hands down to the security processing chip, providing high-performance, congestion-free communication with the server platform 03.
The CPU interface processing module 02115 controls each internal module of the security processing chip 021 and passes packets up to and down from the CPU. Its most important role is to communicate with the server platform over the high-speed communication bus, so as to achieve efficient cooperation between the security processing chip and the server platform.
The high-speed search coprocessor 022 uses matching based on bit values and bit masks to match filtering rules and content, performing the lookups of packet information needed for flow identification by the intrusion detection module and for the filtering and connection-based stateful inspection of the stateful inspection and filtering module, so that high-performance lookup and packet forwarding can reach line rate. The table entry memory 023 mainly stores the packet-related tables: VPN, network address translation, filtering, forwarding, stateful inspection and ACL entries. It may use ordinary DDR (Double Data Rate) SSRAM (Synchronous Static RAM) or DDR SDRAM (Synchronous Dynamic RAM) devices. The packet buffer memory 024 mainly stores incoming packets, holding each packet while the security processing chip processes its security and forwarding information and until it is forwarded, so that packets are not dropped because of congestion; it may likewise use ordinary DDR SSRAM or DDR SDRAM devices.
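Value/mask matching of the kind the search coprocessor performs is what a ternary CAM does: every entry is a (value, mask) pair over a fixed-width search key, an entry hits when key & mask == value & mask, all entries are compared in parallel and the lowest-index hit wins. The Python model below is an added example, not code from the patent, that packs a five-tuple into a 13-byte key, compiles address prefixes and port ranges into such entries (a port range needs several prefix entries, which is why TCAM capacity matters) and performs the lookup; the loop stands in for the parallel compare. Names, key layout and the sample rules are assumptions.

```python
"""TCAM-style value/mask rule matching over a packed five-tuple key.
Added illustration, not code from the patent; layout and rules are assumed."""
import ipaddress
import struct

KEY_FMT = "!4s4sHHB"        # src, dst, sport, dport, proto: 13-byte search key


def pack_key(src, dst, sport, dport, proto) -> int:
    raw = struct.pack(KEY_FMT, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, sport, dport, proto)
    return int.from_bytes(raw, "big")


def range_to_prefixes(lo, hi, bits=16):
    """Expand the inclusive range [lo, hi] into the minimal list of
    (value, mask) prefixes, the classic TCAM range-expansion step."""
    out = []
    while lo <= hi:
        step = 1
        while lo % (step * 2) == 0 and lo + step * 2 - 1 <= hi and step * 2 <= (1 << bits):
            step *= 2
        out.append((lo, ((1 << bits) - 1) ^ (step - 1)))
        lo += step
    return out


def compile_rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None,
                 sport=(0, 65535), dport=(0, 65535)):
    """Turn one policy rule into a list of (value, mask, action) TCAM entries."""
    s = ipaddress.ip_network(src, strict=False)
    d = ipaddress.ip_network(dst, strict=False)
    proto_val, proto_mask = (proto, 0xFF) if proto is not None else (0, 0)
    entries = []
    for sv, sm in range_to_prefixes(*sport):
        for dv, dm in range_to_prefixes(*dport):
            value = struct.pack(KEY_FMT, s.network_address.packed, d.network_address.packed,
                                sv, dv, proto_val)
            mask = struct.pack(KEY_FMT, s.netmask.packed, d.netmask.packed, sm, dm, proto_mask)
            entries.append((int.from_bytes(value, "big"), int.from_bytes(mask, "big"), action))
    return entries


class Tcam:
    """Ordered entry list; the hardware compares every entry at once and
    reports the lowest matching index, which a loop reproduces here."""

    def __init__(self, default="deny"):
        self.entries = []
        self.default = default

    def add_rule(self, action, **fields):
        self.entries.extend(compile_rule(action, **fields))

    def lookup(self, key: int):
        for idx, (value, mask, action) in enumerate(self.entries):
            if key & mask == value & mask:
                return idx, action
        return None, self.default


if __name__ == "__main__":
    t = Tcam()
    t.add_rule("deny", src="10.0.0.0/8", dst="192.0.2.1/32", proto=6, dport=(23, 23))
    t.add_rule("permit", src="10.0.0.0/8", proto=6, dport=(80, 80))
    t.add_rule("permit", src="10.0.0.0/8", proto=6, dport=(1024, 65535))
    print(len(t.entries), "entries")
    print(t.lookup(pack_key("10.1.2.3", "192.0.2.1", 40000, 23, 6)))
    print(t.lookup(pack_key("10.1.2.3", "8.8.8.8", 40000, 8080, 6)))
```

Rule order is the policy: the deny for telnet to 192.0.2.1 sits above the broad permits, so it wins even though the later entries also match; the range 1024-65535 costs six entries, which is the usual reason rule compilers try to keep ranges aligned.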
The server platform 03 usually uses a single CPU for high-speed computation, but may also use multiple CPUs for parallel high-speed processing; through its cooperation with the high-speed hardware processing module 02 it achieves high-performance software/hardware co-processing. The server platform 03 can also embed upper-layer control or application software modules such as IDS, anti-virus and deep content filtering to provide a rich set of security processing functions.
Between the server platform 03 and the high-speed hardware processing module 02 is the high-speed communication channel 06, such as PCI or PCI-X. This channel is provided directly by the security processing chip 021 on the high-speed processing module 02 and realises the physical connection and high-speed information exchange between the security processing chip 021 and the server platform 03. It can provide a communication bandwidth of more than 8 Gbps, guaranteeing congestion-free cooperation between the software and hardware systems.
Referring to Fig. 5, the server platform 03 is a standard industrial server architecture containing one or more high-speed CPUs 031, memory 032, a hard disk 033, a peripheral component interconnect interface 034, a chipset 035, external interfaces 036 (serial port, parallel port, USB interface, VGA interface, etc.) and other accessories 037.
Fig. 6 is the functional block diagram of the security processing system 05 running on the server platform 03. The security processing system 05 comprises a security kernel subsystem 051, a system interface subsystem 052 and a security application subsystem 053. The security kernel subsystem 051 is the core of the security processing system 05; with the operating system 05104 as its support platform, it is responsible for receiving all user configuration information, building the configuration table entries and maintaining them. After receiving configuration information it also drives the hardware chips or configures the TCP/IP protocol stack according to that information, thereby completing the functional configuration of the system.
The system interface subsystem 052 is the interface between the security kernel subsystem 051 and the security application subsystem 053, performing interface conversion and adaptation between them.
The security application subsystem 053 provides the various application functions of the network security processing device, including log services, high availability, web service, configuration service and VPN service. A packet received from the physical layer interface 01 is handed to the high-speed hardware processing module 02 for processing. The high-speed hardware processing module 02 processes the packet according to the user's configuration information; if the packet needs processing by the security processing system 05, it is passed up to the security processing system 05 over the high-speed communication bus 06. After receiving the packet, the security processing system 05 calls, through the system interface subsystem 052, the security processing chip driver 05101 and the TCP/IP protocol stack 05103 of the security kernel subsystem 051 to process it, and the processed packet is passed back down to the high-speed hardware processing module 02 over the high-speed communication bus 06. After the high-speed hardware processing module 02 completes its processing, the packet is forwarded out through the physical layer interface 01.
The security application subsystem 053 comprises a log service module 05301, a high availability module 05302, a web service module 05303, a configuration service module 05304 and a VPN service module 05305. The log service module 05301 processes all the log information of the network security processing device and outputs it. The high availability module 05302 establishes a communication channel with the high availability module of another network security processing device to perform state detection and information synchronisation between the two devices. Obtaining configuration information between the devices and completing the system configuration are all done through the system interface subsystem 052.
The web service module 05303 provides the security processing device with a WebUI-based management configuration channel; through it the user can configure, control and manage the network security processing device with browser software.
The configuration service module 05304 reads configuration information from the configuration file when the network security device is initialised, to initialise the device, and periodically writes newly configured user data back to the configuration file.
The VPN service module 05305 supports the VPN protocols: it performs connection negotiation and establishment for VPN protocols such as IPsec, L2TP and GRE, and implements automatic negotiation of protocols such as IKE.
The configuration user graphical interface module 05306 provides the user's configuration management interface. The user can configure a single device, or manage a cluster of devices, through several management methods such as the command line, the web management interface and the SNMP (Simple Network Management Protocol) network management protocol.
The security kernel subsystem 051 is composed of the security processing chip driver 05101, the physical layer interface driver 05102, the TCP/IP protocol stack 05103 and the operating system 05104, and provides the operating system, low-level drivers, policy management and configuration functions required for the device to operate. The security kernel subsystem 051 supports the security application subsystem 053 through the system interface subsystem 052.
The security processing chip driver 05101 initialises the security processing chip (driver control) and provides its management configuration interface; the physical layer interface driver 05102 initialises the physical layer interface chip (driver control) and provides its management configuration interface; the TCP/IP protocol stack 05103 negotiates, processes and controls the VPN, FTP, HTTP, TCP, UDP, IP and other protocols of the packets it handles, realising correct link establishment and secure packet processing and forwarding; the operating system 05104 is the support platform of the security kernel subsystem 051.
A packet received from the physical layer interface is first given the corresponding security processing by the security processing chip (such as security filtering, network address translation, VPN processing, encryption/decryption, content filtering, forwarding, etc.); if software assistance is needed, the packet is passed up to the server platform over the high-speed communication bus, where the server platform's CPU performs high-speed computation and processing. The processed packet is then sent out to the physical layer interface by the security processing chip.
With the development of networks, telecommunications networks, ISPs (Internet Service Providers), IDCs (Internet Data Centres), enterprise networks, government networks, financial networks and similar settings place ever higher performance demands on network security devices, and at the same time the needs of real network deployment require the security devices to embed functions such as IDS, anti-virus and deep content filtering. A network security device according to the invention can reach a security processing performance of 5 Gbps or more and, because it uses a server platform, is greatly improved in functional extensibility; it can effectively meet the requirements placed on network security devices by ISPs, IDCs, enterprise networks, government networks, financial networks, telecommunications networks and other settings.
The invention is not limited to the embodiment described above; those skilled in the art can make various changes and variations in accordance with the invention, and as long as they do not depart from the spirit of the invention, they all fall within the scope defined by the claims of the invention.