Firewall kernel security component integration method
Technical field
The present invention relates to a method of organizing firewall security components in the kernel, in particular a method that integrates packet filtering, attack detection and application proxying into a single whole. It belongs to the field of computer network security.
Background technology
Because the main security components of a firewall, attack detection, packet filtering and application proxying, are usually implemented separately, the security policies they use are also relatively independent. For the user, such an architecture lacks intuitiveness and is logically scattered; the real correlations between the components are hard to see, and contradictory or erroneous configuration is easy to produce. For the system, because each component performs its own security policy check, cooperation between the components is difficult and much of the work is repeated, which hurts efficiency. In particular, the application proxy is usually implemented at the application layer, outside the kernel, so packet data has to be copied in memory several times on its way through, with a large impact on system performance. Integrating the security components in the kernel is therefore a good solution.
Summary of the invention
The main purpose of the present invention is to provide a method for implementing the firewall security components, such as packet filtering, attack detection and application proxying, in an integrated manner in the operating system kernel. Such a firewall has greater consistency and intuitiveness in policy configuration and, during operation, simpler means of cooperation between components and higher processing efficiency.
The object of the present invention is achieved as follows:
The firewall system is designed around a pipelined system structure based on an integrated framework, an integrated organization of the security policy, and a transmission path through the kernel along which the packet and its current policy match point travel together.
To realize the integrated system structure, the call interface points in the operating system kernel are defined uniformly, and packet filtering, attack detection and application proxying each insert their check functions at the appropriate interface point according to their functional objective, so that they can cooperate effectively with one another.
To realize the integrated organization of the security policy, the policies are organized as a tree whose root node is the protection target. Mutual exclusion between the different branches of the policy tree guarantees that every match determines a unique sub-branch or leaf node, and a leaf node states the action the firewall is to take. If the final result of the packet filter's policy check is to deliver the packet to the proxy branch, the proxy continues matching downward from that checkpoint. The policy tree is shared by all security components in the kernel, and the current checkpoint travels with the packet through the protocol stack, so that the check has continuity.
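The policy tree and the checkpoint handoff described above, carried through as an added example in user-space C. This is not the patent's code: the node layout, the field names, the 10.0.0.5 sample policy and the rule that an unmatched level is default deny are all constructed for illustration, and the `checkpoint` pointer stands in for the field the text says is carried in the skb from the packet filter to the proxy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Leaf action. ACT_PROXY: stop here and hand the packet, with the current
 * checkpoint, to the TCP-layer application proxy. */
enum action { ACT_DROP = 0, ACT_FORWARD, ACT_PROXY };
/* Attribute a node tests. F_HTTP_HOST is known only to the proxy after it has
 * parsed the request; the packet filter cannot evaluate it. */
enum field { F_DST_IP, F_PROTO, F_DPORT, F_HTTP_HOST };

struct pkt_attrs {
    uint32_t dst_ip;        /* protection target, host byte order */
    uint8_t proto;          /* 6 = TCP, 17 = UDP */
    uint16_t dport;
    const char *http_host;  /* NULL until the proxy has parsed the request */
};

/* Policy tree node. Invariants assumed here: all children of a node test the
 * same field with pairwise distinct values (the mutual exclusion the text
 * relies on); a node without children is a leaf carrying the action. */
struct node {
    enum field field;
    uint32_t ival;              /* numeric fields */
    const char *sval;           /* F_HTTP_HOST */
    enum action action;         /* leaves only */
    const struct node *children;
    size_t nchildren;
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample policy for one protection target, the web server 10.0.0.5:
 * TCP/80 is decided by the HTTP Host (only the proxy can finish that branch),
 * TCP/22 and UDP/53 are forwarded, anything unmatched is dropped. */
static const struct node http_hosts[] = {
    { .field = F_HTTP_HOST, .sval = "www.example.com",   .action = ACT_FORWARD },
    { .field = F_HTTP_HOST, .sval = "admin.example.com", .action = ACT_DROP },
};
static const struct node tcp_ports[] = {
    { .field = F_DPORT, .ival = 80, .children = http_hosts, .nchildren = 2 },
    { .field = F_DPORT, .ival = 22, .action = ACT_FORWARD },
};
static const struct node udp_ports[] = { { .field = F_DPORT, .ival = 53, .action = ACT_FORWARD } };
static const struct node protos[] = {
    { .field = F_PROTO, .ival = 6,  .children = tcp_ports, .nchildren = 2 },
    { .field = F_PROTO, .ival = 17, .children = udp_ports, .nchildren = 1 },
};
static const struct node targets[] = {
    { .field = F_DST_IP, .ival = IP4(10, 0, 0, 5), .children = protos, .nchildren = 2 },
};
/* Virtual root whose children are the protection targets. */
static const struct node policy_root = { .children = targets, .nchildren = 1 };

static bool node_matches(const struct node *n, const struct pkt_attrs *a)
{
    switch (n->field) {
    case F_DST_IP:    return a->dst_ip == n->ival;
    case F_PROTO:     return a->proto == n->ival;
    case F_DPORT:     return a->dport == n->ival;
    case F_HTTP_HOST: return a->http_host && strcmp(a->http_host, n->sval) == 0;
    }
    return false;
}

/* Descend from `start` as far as the caller can see. Returns the node where
 * matching stopped (the checkpoint) and stores the action in *act. The packet
 * filter (app_layer == false) stops with ACT_PROXY when the next level tests
 * F_HTTP_HOST; a level with no matching sibling is default deny. */
static const struct node *policy_match(const struct node *start, const struct pkt_attrs *a,
                                       bool app_layer, enum action *act)
{
    const struct node *n = start;
    for (;;) {
        if (n->nchildren == 0) { *act = n->action; return n; }
        if (n->children[0].field == F_HTTP_HOST && !app_layer) { *act = ACT_PROXY; return n; }
        const struct node *next = NULL;
        for (size_t i = 0; i < n->nchildren && !next; i++)
            if (node_matches(&n->children[i], a)) next = &n->children[i];
        if (!next) { *act = ACT_DROP; return n; }
        n = next;
    }
}

/* Per-packet control block; `checkpoint` stands in for the field the text says
 * the skb carries from the filter to the proxy. */
struct pkt { struct pkt_attrs attrs; const struct node *checkpoint; };

/* Pre-routing packet filter: match from the root, record where it stopped. */
enum action filter_stage(struct pkt *p)
{
    enum action act;
    p->checkpoint = policy_match(&policy_root, &p->attrs, false, &act);
    return act;
}

/* TCP-layer proxy: add the parsed Host and resume from the checkpoint, not the root. */
enum action proxy_stage(struct pkt *p, const char *parsed_host)
{
    enum action act;
    p->attrs.http_host = parsed_host;
    p->checkpoint = policy_match(p->checkpoint, &p->attrs, true, &act);
    return act;
}
```

`filter_stage` is what the pre-routing check point would call; `proxy_stage` is what the proxy calls once it has parsed the request. Because the proxy resumes at the checkpoint, the network-layer part of the tree is evaluated once per packet, and because sibling branches are mutually exclusive, neither stage ever has to consider a second candidate branch after a match.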
The complete steps by which the firewall performs the security check on a packet are as follows:
Step 1: in the bottom-half queue, perform mixed-mode processing and decide whether the current packet is handed to the gateway or to the bridge processing module;
Step 2: before routing, perform the following work:
Step 201: basic security check;
Step 202: multicast and broadcast handling;
Step 203: destination NAT;
Step 204: attack detection;
Step 205: upper-layer protocol check. For TCP: first perform attack detection, then look up the full-state (connection) table and drop or forward according to the result; a SYN packet that is not found in the full-state table undergoes the security policy check and, according to the result, is dropped, sent to the proxy, or added to the full-state table and forwarded. For UDP: first look up the state table; a packet that is found is forwarded, and one that is not found undergoes the security policy check, which decides whether it is dropped or added to the state table and forwarded. For ICMP: an error packet is forwarded directly; otherwise the state table is looked up, a packet that is found is forwarded, and one that is not found undergoes the security policy check, which decides whether it is dropped or added to the state table and forwarded.
Step 3: application proxy support: a packet that matches a rule requiring an application proxy check is delivered to the TCP layer together with its current checkpoint.
Step 4: the application proxy takes the packet and the associated security policy checkpoint from the queue, continues the security policy check, and performs the proxy function.
Step 5: after routing, perform the following work:
Step 501: attack detection;
Step 502: flow control;
Step 503: source NAT.
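The per-protocol decision of step 205, carried through as a single function in an added user-space C example (not the patent's code). The state table, the small rule list that stands in for the policy tree lookup, and all sample flows are constructed for this illustration; attack detection (steps 204 and 501) and the NAT steps are left out because the document gives no detail for them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum proto   { P_ICMP = 1, P_TCP = 6, P_UDP = 17 };
enum verdict { V_DROP = 0, V_FORWARD, V_PROXY };

/* Connection identity. For ICMP the "ports" hold the echo identifier. */
struct flow_key {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t proto;
};

/* The fields of a packet that the pre-routing decision needs. */
struct packet {
    struct flow_key key;
    bool tcp_syn;     /* TCP: SYN set, no ACK */
    bool icmp_error;  /* ICMP: an error message (e.g. unreachable), not a query */
};

/* Fixed-size stand-in for the kernel's full-state table (constructed). */
#define TABLE_MAX 64
struct state_table {
    struct flow_key entries[TABLE_MAX];
    size_t n;
};

static bool same_dir(const struct flow_key *a, const struct flow_key *b)
{
    return a->proto == b->proto && a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* A reply travels the connection in the opposite direction, so an entry
 * matches a packet in either orientation. */
static bool state_lookup(const struct state_table *t, const struct flow_key *k)
{
    struct flow_key rev = { k->daddr, k->saddr, k->dport, k->sport, k->proto };
    for (size_t i = 0; i < t->n; i++)
        if (same_dir(&t->entries[i], k) || same_dir(&t->entries[i], &rev))
            return true;
    return false;
}

static bool state_add(struct state_table *t, const struct flow_key *k)
{
    if (t->n >= TABLE_MAX) return false;   /* full: the caller fails closed */
    t->entries[t->n++] = *k;
    return true;
}

/* Constructed stand-in for the security policy check (the policy tree lookup
 * in the text): a tiny rule list keyed on protocol and destination port. */
static enum verdict policy_check(const struct flow_key *k)
{
    if (k->proto == P_TCP && k->dport == 80) return V_PROXY;    /* HTTP goes via the proxy */
    if (k->proto == P_TCP && k->dport == 22) return V_FORWARD;
    if (k->proto == P_UDP && k->dport == 53) return V_FORWARD;
    if (k->proto == P_ICMP)                  return V_FORWARD;  /* echo requests allowed */
    return V_DROP;
}

/* Step 205 as one decision function, following the three per-protocol rules. */
enum verdict inspect(struct state_table *t, const struct packet *p)
{
    switch (p->key.proto) {
    case P_TCP:
        if (state_lookup(t, &p->key)) return V_FORWARD;
        if (!p->tcp_syn) return V_DROP;        /* mid-stream segment with no state */
        break;                                  /* new SYN: consult the policy */
    case P_UDP:
        if (state_lookup(t, &p->key)) return V_FORWARD;
        break;
    case P_ICMP:
        if (p->icmp_error) return V_FORWARD;    /* error messages pass, as specified */
        if (state_lookup(t, &p->key)) return V_FORWARD;
        break;
    default:
        return V_DROP;
    }
    enum verdict v = policy_check(&p->key);
    /* Only a forwarded flow gets a state entry; a proxied TCP connection is
     * owned by the proxy from here on. Fail closed if the table is full. */
    if (v == V_FORWARD && !state_add(t, &p->key)) return V_DROP;
    return v;
}
```

Two points follow the document rather than common practice and are worth knowing when reading it: a TCP segment without SYN and without a state entry is dropped rather than evaluated against policy, and an ICMP error message is forwarded without consulting the state table. A production firewall would normally check that the header embedded in the ICMP error refers to an existing entry before forwarding it.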
Transmission of the packet together with its current policy match point through the kernel is realized by using the skb to carry the current security policy check state, and by passing the packet through a dedicated channel in the protocol stack.
Description of drawings
Fig. 1 is a structure diagram of the kernel-integrated security components of the present invention;
Fig. 2 is a method flow chart of the present invention: the handling of a packet before routing, the flow according to the firewall on/off state and the security check, and the flow of handling multicast/broadcast packets according to the multicast/broadcast policy;
Fig. 3 is a method flow chart of the present invention: transport-layer attack detection on a TCP packet and the security check according to the policy tree;
Fig. 4 is a method flow chart of the present invention: querying the state table for a UDP packet to decide whether a virtual connection exists, and the security check according to the policy tree;
Fig. 5 is a method flow chart of the present invention: querying the state table for an ICMP packet to decide whether a virtual connection exists, and the security check according to the policy tree;
Fig. 6 is the overall structure diagram of the kernel protocol stack of the present invention.
Embodiment
The present invention is further described below with reference to the drawings and specific embodiments:
Referring to Fig. 1, the firewall's core security components, packet filtering, attack detection and application proxying, coexist in the operating system kernel. At the Ip_rcv call point, the ARP proxy, the full-state module and the policy tree module jointly realize the packet filtering function; the attack detection and address translation modules perform their corresponding functions; and the transparent proxy support modifies the skb and provides support for the application proxy at the TCP layer. A packet to be forwarded directly is sent out after route lookup, while a packet to be delivered to the proxy is sent to the TCP layer through the dedicated channel of the protocol stack and is sent out after the proxy has analyzed and processed it. At the Ip_output call point, the transparent proxy support modifies the packets sent by the proxy once more before they go out, the attack detection and address translation modules operate once more, and in addition the flow control module realizes packet filtering's control of packet traffic.
Fig. 2, Fig. 3, Fig. 4 and Fig. 5 illustrate the firewall's main processing flow for a packet.
Referring to Fig. 2, for a packet before routing, the firewall on/off state is checked first. If the state is off, the packet is handled by the operating system's original flow; otherwise the basic security check begins, multicast/broadcast packets are handled according to the multicast/broadcast policy, destination NAT is then performed according to the zone attribute of the network card that received the packet, attack detection is then called to detect network-layer attacks, and finally the transport-layer protocols are handled separately, as shown in Fig. 3, Fig. 4 and Fig. 5 respectively.
Referring to Fig. 3, a TCP packet first undergoes transport-layer attack detection and is then examined to see whether it is a SYN packet. If it is not, the full-state table is looked up directly to decide what to do with it. If it is, its source port is examined next to judge whether it may be the dynamic connection of some protocol; if it may be, the state table is looked up to judge whether a communication of that protocol is indeed currently present, and the packet can be passed if one exists. If it is not a dynamic connection, the security check is performed according to the policy tree, and according to the result the packet is finally dropped, forwarded, or sent through the dedicated channel for proxy processing.
Referring to Fig. 4, for a UDP packet the state table is looked up first to judge whether a virtual connection exists. If it exists, the packet is forwarded; if not, the security check is performed according to the policy tree and the packet is dropped or forwarded according to the result, and when it is forwarded the corresponding entry is added to the state table at the same time.
Referring to Fig. 5, for an ICMP packet, if it carries an error return it is forwarded directly; otherwise the state table is queried to judge whether a virtual connection exists. If it exists, the packet is forwarded directly; if not, the security check is performed according to the policy tree and the packet is dropped or forwarded according to the result, and when it is forwarded the corresponding entry is added to the state table at the same time.
When a packet reaches the TCP-layer application proxy through the dedicated channel, the application proxy extracts the data from it and obtains from the skb the security checkpoint that the packet filter has already reached, and then performs the application-layer security check according to the policy tree. The specific proxy process and packet sending flow are not repeated here.
It should finally be noted that the above embodiment serves only to illustrate the present invention and does not limit its technical solution. Although the present invention has been described in detail with reference to the above example, those of ordinary skill in the art should understand that the present invention may still be modified or equivalently substituted, and all technical solutions and related improvements that do not depart from the spirit and scope of the present invention shall fall within the scope of the claims of the present invention.