CN1604539A - Firewall kernel security component integration method - Google Patents
Firewall kernel security component integration method Download PDFInfo
- Publication number
- CN1604539A CN1604539A CN 200410065183 CN200410065183A CN1604539A CN 1604539 A CN1604539 A CN 1604539A CN 200410065183 CN200410065183 CN 200410065183 CN 200410065183 A CN200410065183 A CN 200410065183A CN 1604539 A CN1604539 A CN 1604539A
- Authority
- CN
- China
- Prior art keywords
- packet
- inspection
- state table
- carry out
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
It is an integrating method of firewall inner safety components, which comprises the following: to integrate the frame without strict division of each component; then to integrate the safety strategy alignment and inspection; to users the alignment is consistent and to system the inspection is inherent; to have one complete data pack and transmission path of current strategy matched to make the data pack go through each inspection point and through the firewall.
Description
Technical field
The present invention relates to a kind of method of firewall kernel security component tissue, particularly the method that packet filtering, attack detecting, application proxy are combined as a whole belongs to computer network security field.
Background technology
Because the main security component attack detecting of fire compartment wall, packet filtering, application proxy are all realized separately that respectively the security strategy that they use is also relatively independent usually.For the user, such framework lacks intuitive, logically also relatively disperses, and is difficult to embody actual correlation, is easy to generate contradiction and wrong configuration; For system, owing to carry out the security strategy inspection respectively, there are a lot of occurrences that repeat in cooperation difficulty mutually on the efficient, and particularly application proxy is often implemented in application layer, need carry out repeatedly internal memory during data passes and duplicate, and is very big to the systematic function influence.Therefore, each security component is carried out integrated realization in kernel, be undoubtedly a kind of solution well.
Summary of the invention
It is a kind of with the firewall security assembly that main purpose of the present invention is to provide, as packet filtering, attack detecting, application proxy, the method of integrated realization in operating system nucleus, it will possess uniformity and intuitive more on policy configurations, in system works, it will have easier cooperation means and the treatment effeciency of Geng Gao.
The object of the present invention is achieved like this:
To the design of firewall system, the system configuration that adopts the pipeline system of integrated framework to handle, the security strategy of integration organization, and the transmission path of packet and current strategies match point in kernel.
For the realization of integral system structure, unified Definition is at the calling interface point of operating system nucleus, and packet filtering, attack detecting and application proxy insert at only point of interface respectively and check function according to functional objective, can effectively cooperate each other.
Realization to the security strategy of integration organization, use from the tree structure organizational security policies of protection target as root node, mutual exclusion between the different branches of Policy Tree guarantees all unique definite sub-branch of each coupling or leaf node, and leaf node promptly shows the action that fire compartment wall should be taked; If packet filtering is delivered the inspection final result of security strategy and acted on behalf of branch, then the agency can continue to mate downwards from this checkpoint; Policy Tree is shared by each security component in kernel, and current check point transmits in protocol stack with packet, makes inspection can have continuity.
Fire compartment wall comprises the complete step that packet carries out safety inspection:
Step 1: in the end half formation, carry out mixed mode and handle, judge that it still is the bridge processing module that current data packet is handed over gateway;
Step 2: before route, do following work
Step 201: basic security inspection;
Step 202: multicast and broadcast is handled;
Step 203: carry out purpose NAT;
Step 204: carry out attack detecting;
Step 205: the upper-layer protocol inspection-to Transmission Control Protocol: at first carry out attack detecting, look into the total state table then and abandon or transmit according to the result, syn wrapped in do not find in the total state table, carry out the security strategy inspection, abandon/send agency/interpolation total state table and transmit according to the result; To udp protocol: look into state table earlier, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result; To the ICMP agreement: if the mistake bag is directly transmitted, otherwise looked into state table, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result.
Step 3: application proxy supports: to the packet that needs application proxy to check that matches, current check point and packet are delivered the TCP layer simultaneously.
Step 4: application proxy obtains packet and related security policies checkpoint from formation, proceed the security strategy inspection, and carries out agent functionality.
Step 5: do following work after the route
Step 501: carry out attack detecting;
Step 502: carry out flow control;
Step 503: carry out source NAT.
The realization that packet and current strategies match point transmit in kernel is to utilize skb to transmit the current safety strategy to check state, by protocol stack designated lane transfer data packets.
Description of drawings
Fig. 1 is the structure chart of kernel integrated safe assembly of the present invention;
Fig. 2 is a method flow diagram of the present invention: to packet before the route, and according to the flow process of fire compartment wall open/close state, and safety inspection, and the flow process of the multicast/broadcast bag being handled according to the multicast/broadcast strategy.
Fig. 3 is a method flow diagram of the present invention: the tcp data bag is carried out the attack detecting of transport layer and the flow chart that carries out safety inspection according to Policy Tree
Fig. 4 is a method flow diagram of the present invention, UDP message bag query State table is judged whether to exist virtual connections, and carry out the flow chart of safety inspection according to Policy Tree
Fig. 5 is a method flow diagram of the present invention, ICMP packet query State table is judged whether to exist virtual connections, and carry out the flow chart of safety inspection according to Policy Tree
Fig. 6 is kernel protocol stack integral structure figure of the present invention
Embodiment
The present invention will be further described below in conjunction with the drawings and specific embodiments:
Referring to Fig. 1, fire compartment wall core security components such as packet filtering, supply detection, application proxy coexist as in the operating system nucleus, at the Ip_rcv point of invocation, Arp agency, total state module, Policy Tree module realize the function of packet filtering jointly, attack detecting and address conversion module are finished its corresponding function, Transparent Proxy supports and then skb is made amendment, and proposes the support to the application proxy of TCP layer; Bag to direct forwarding carries out sending after the route querying, and needs are delivered agency's bag, is sent to the TCP layer through the protocol stack designated lane, sends after acting on behalf of analyzing and processing; At the Ip_output point of invocation, Transparent Proxy supports and sends after the bag that the agency is sent is made an amendment once more, and attack detecting and address conversion module are operated once more, and in addition, flow-control module is realized the controlled function of packet filtering to data packet flow.
Fig. 2, Fig. 3, Fig. 4, Fig. 5 have illustrated the main handling process of fire compartment wall to packet.
Referring to Fig. 2, to packet before the route, at first check the fire compartment wall open/close state, if state is for closing, directly operate by the original flow process of operating system, otherwise begin basic safety inspection, and the multicast/broadcast bag is handled, then according to the area attribute of packet receiving network interface card according to the multicast/broadcast strategy, carry out purpose NAT, next call attack detecting and network layer is attacked survey, at last transport layer protocol is carried out subsequent treatment respectively, respectively as Fig. 3, Fig. 4, shown in Figure 5.
Referring to Fig. 3, to the tcp data bag, at first it is carried out the attack detecting of transport layer, analyzing it then is the syn bag, judge its operation of carrying out if not directly looking into the total state table, if, next look into its source port, judge whether it is the dynamic connection of some agreement, if possible be then to look into state table to judge whether the current communication that corresponding this agreement is arranged really, can let pass if exist, if not dynamic connection, then carry out safety inspection, abandon/transmit packet or send agent processes according to the result at last by designated lane according to Policy Tree.
Referring to Fig. 4,, look into state table earlier and judge whether to exist virtual connections the UDP message bag, if exist then transmit, if there is no, then carry out safety inspection according to Policy Tree, and abandon/transmit packet according to the result, when transmitting packet, add the state table corresponding entry simultaneously.
Referring to Fig. 5, to the ICMP packet, if carrying is the mistake return data, then directly transmit, otherwise the query State table judges whether to exist virtual connections, if exist then directly forwarding, if there is no, then carry out safety inspection, and abandon/transmit packet according to the result according to Policy Tree, when transmitting packet, add the state table corresponding entry simultaneously.
When packet arrives TCP layer application proxy through designated lane, application proxy is analyzed from extracted data wherein, and from skb, obtain the security checkpoints that packet filtering has analyzed, thereby then carry out the inspection work of application layer security according to Policy Tree, concrete agent process and packet send flow process and do not repeat them here.
Should illustrate at last: the foregoing description is only in order to explanation the present invention, and and unrestricted technical scheme of the present invention, although the present invention is had been described in detail with reference to above-mentioned example, but, those of ordinary skill in the art should be appreciated that still and can make amendment or be equal to replacement the present invention, therefore, technical scheme and relevant improvement the thereof that all do not break away from the spirit and scope of the present invention all should be encompassed in the middle of the claim scope of the present invention.
Claims (7)
1. firewall kernel security component integration method, it is characterized in that design to firewall system, the system configuration that adopts the pipeline system of integrated framework to handle, the security strategy of integration organization, and the transmission path of packet and current strategies match point in kernel;
For the realization of integral system structure, unified Definition is at the calling interface point of operating system nucleus, and packet filtering, attack detecting and application proxy insert at only point of interface respectively and check function according to functional objective, can effectively cooperate each other;
Realization to the security strategy of integration organization, use from the tree structure organizational security policies of protection target as root node, mutual exclusion between the different branches of Policy Tree guarantees all unique definite sub-branch of each coupling or leaf node, and leaf node promptly shows the action that fire compartment wall should be taked; If packet filtering is delivered the inspection final result of security strategy and acted on behalf of branch, then the agency can continue to mate downwards from this checkpoint; Policy Tree is shared by each security component in kernel, and current check point transmits in protocol stack with packet, makes inspection can have continuity.
2, firewall kernel security component integration method according to claim 1 is characterized in that the method that fire compartment wall carries out packet inspection comprises following steps:
Step 1: in the end half formation, carry out mixed mode and handle, judge that it still is the bridge processing module that current data packet is handed over gateway;
Step 2: before route, do following work
Step 201: basic security inspection;
Step 202: multicast and broadcast is handled;
Step 203: carry out purpose NAT;
Step 204: carry out attack detecting;
Step 205: the upper-layer protocol inspection-to Transmission Control Protocol: at first carry out attack detecting, look into the total state table then and abandon or transmit according to the result, syn wrapped in do not find in the total state table, carry out the security strategy inspection, abandon/send agency/interpolation total state table and transmit according to the result; To udp protocol: look into state table earlier, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result; To the ICMP agreement: if the mistake bag is directly transmitted, otherwise looked into state table, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result.
Step 3: application proxy supports: to the packet that needs application proxy to check that matches, current check point and packet are delivered the TCP layer simultaneously.
Step 4: application proxy obtains packet and related security policies checkpoint from formation, proceed the security strategy inspection, and carries out agent functionality.
Step 5: do following work after the route
Step 501: carry out attack detecting;
Step 502: carry out flow control;
Step 503: carry out source NAT.
3, firewall kernel security component integration method according to claim 1, it is characterized in that the realization that packet and current strategies match point transmit in kernel: utilize skb to transmit the current safety strategy and check state, by protocol stack designated lane transfer data packets.
4, firewall kernel security component integration method according to claim 1, it is characterized in that packet before the route, at first check the fire compartment wall open/close state, if state is for closing, directly operate by the original flow process of operating system, otherwise begin basic safety inspection, and the multicast/broadcast bag is handled according to the multicast/broadcast strategy, then according to the area attribute of packet receiving network interface card, carry out purpose NAT, next call attack detecting and network layer is attacked survey, at last transport layer protocol is carried out subsequent treatment respectively.
5, firewall kernel security component integration method according to claim 1, it is characterized in that the tcp data bag, at first it is carried out the attack detecting of transport layer, analyzing it then is the syn bag, judge its operation of carrying out if not directly looking into the total state table, if, next look into its source port, judge whether it is the dynamic connection of some agreement, if possible be then to look into state table to judge whether the current communication that corresponding this agreement is arranged really, can let pass if exist, if not dynamic connection, then carry out safety inspection, abandon/transmit packet according to the result at last according to Policy Tree, perhaps send agent processes by designated lane.
6, firewall kernel security component integration method according to claim 1, it is characterized in that the UDP message bag, look into state table earlier and judge whether to exist virtual connections, if exist then forwarding, if there is no, then carry out safety inspection, and abandon/transmit packet according to the result according to Policy Tree, when transmitting packet, add the state table corresponding entry simultaneously.
7, firewall kernel security component integration method according to claim 1, it is characterized in that packet to ICMP, if carrying is the mistake return data, then directly transmit, otherwise the query State table judges whether to exist virtual connections, if exist then directly forwarding, if there is no, then carry out safety inspection, and abandon/transmit packet according to the result according to Policy Tree, when transmitting packet, add the state table corresponding entry simultaneously.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100651831A CN1317852C (en) | 2004-10-29 | 2004-10-29 | Firewall kernel security component integration method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100651831A CN1317852C (en) | 2004-10-29 | 2004-10-29 | Firewall kernel security component integration method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1604539A true CN1604539A (en) | 2005-04-06 |
| CN1317852C CN1317852C (en) | 2007-05-23 |
Family
ID=34666467
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2004100651831A Expired - Fee Related CN1317852C (en) | 2004-10-29 | 2004-10-29 | Firewall kernel security component integration method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1317852C (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101834783A (en) * | 2010-03-29 | 2010-09-15 | 北京星网锐捷网络技术有限公司 | Method and device for forwarding messages and network equipment |
| CN101610218B (en) * | 2009-07-15 | 2011-08-24 | 中兴通讯股份有限公司 | Management method and system of HQoS strategy tree |
| CN104994084A (en) * | 2015-06-23 | 2015-10-21 | 西安交大捷普网络科技有限公司 | Local agent method of WEB firewall |
| CN106506720A (en) * | 2016-11-16 | 2017-03-15 | 西安诺瓦电子科技有限公司 | Network ip address auto-allocation method |
| CN115277502A (en) * | 2022-06-17 | 2022-11-01 | 广州根链国际网络研究院有限公司 | Method for automatically measuring IPv6 flow aiming at APP application |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2296989C (en) * | 1999-01-29 | 2005-10-25 | Lucent Technologies Inc. | A method and apparatus for managing a firewall |
| WO2004062216A1 (en) * | 2002-12-27 | 2004-07-22 | Fujitsu Limited | Apparatus for checking policy of firewall |
-
2004
- 2004-10-29 CN CNB2004100651831A patent/CN1317852C/en not_active Expired - Fee Related
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101610218B (en) * | 2009-07-15 | 2011-08-24 | 中兴通讯股份有限公司 | Management method and system of HQoS strategy tree |
| CN101834783A (en) * | 2010-03-29 | 2010-09-15 | 北京星网锐捷网络技术有限公司 | Method and device for forwarding messages and network equipment |
| CN101834783B (en) * | 2010-03-29 | 2012-01-25 | 北京星网锐捷网络技术有限公司 | Method and device for forwarding messages and network equipment |
| CN104994084A (en) * | 2015-06-23 | 2015-10-21 | 西安交大捷普网络科技有限公司 | Local agent method of WEB firewall |
| CN106506720A (en) * | 2016-11-16 | 2017-03-15 | 西安诺瓦电子科技有限公司 | Network ip address auto-allocation method |
| CN115277502A (en) * | 2022-06-17 | 2022-11-01 | 广州根链国际网络研究院有限公司 | Method for automatically measuring IPv6 flow aiming at APP application |
| CN115277502B (en) * | 2022-06-17 | 2023-10-10 | 广州根链国际网络研究院有限公司 | Method for automatically measuring IPv6 flow aiming at APP |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1317852C (en) | 2007-05-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP1515491B1 (en) | Architecture for virtual private networks | |
| CN104202300B (en) | Data communications method and device based on network isolating device | |
| US6854063B1 (en) | Method and apparatus for optimizing firewall processing | |
| US6154839A (en) | Translating packet addresses based upon a user identifier | |
| CN100459563C (en) | Identification gateway and its data treatment method | |
| CN102938736B (en) | A kind of method and apparatus realizing IPv4 message passing through IPv 6 network | |
| CN101820383B (en) | Method and device for restricting remote access of switcher | |
| US11153185B2 (en) | Network device snapshots | |
| CN101159591A (en) | Method and system of implementing different type port image | |
| WO2013063791A1 (en) | Nat/firewall accelerator | |
| CN100454901C (en) | ARP message processing method | |
| US20130223337A1 (en) | Mobile device to generate multiple maximum transfer units and data transfer method | |
| CN1317852C (en) | Firewall kernel security component integration method | |
| CN102821020B (en) | Method for transparent transmission of virtual private network (VPN) communication through copy and transfer of internet protocol (IP) packet | |
| CN101599889A (en) | Prevent the method for MAC address spoofing in a kind of ethernet switching device | |
| Lin et al. | A design of the ethernet firewall based on FPGA | |
| CN101621528B (en) | Conversation system based on Ethernet switch cluster management and method for realizing conversation passage | |
| CN113067910A (en) | NAT traversal method, device, electronic equipment and storage medium | |
| Shieha | Application layer firewall using openflow | |
| CN1426169A (en) | Method for improving route repeat liability of access server | |
| CN100341282C (en) | Kernel-level transparent proxy method based on universal protocol analysis engine | |
| CN1960330A (en) | Method and equipment in use for communication connection of redirecting network | |
| CN1444363A (en) | Method for implementing Ethernet local area network in public place | |
| CN1278528C (en) | Network safety device multi work mode adapting method | |
| WO2008102177A2 (en) | Data tunnelling |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee |
Owner name: NANJING UNIVERSITY; JIANGSU NANDA SUFUTE SOFTWARE Free format text: FORMER NAME OR ADDRESS: JIANGSU NANDA SUFUTE SOFTWARE CO., LTD.; NANJING UNIVERSITY |
|
| CP03 | Change of name, title or address |
Address after: 210093 No. 22, Hankou Road, Nanjing, Jiangsu Co-patentee after: Jiangsu Njusoft Co., Ltd. Patentee after: Nanjing University Address before: 210008, Beijing West Road, Jiangsu, Nanjing Co-patentee before: Nanjing University Patentee before: Jiangsu Njusoft Co., Ltd. |
|
| C19 | Lapse of patent right due to non-payment of the annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |