CN1604539A - Firewall kernel security component integration method - Google Patents

Firewall kernel security component integration method Download PDF

Info

Publication number
CN1604539A
CN1604539A CN 200410065183 CN200410065183A CN1604539A CN 1604539 A CN1604539 A CN 1604539A CN 200410065183 CN200410065183 CN 200410065183 CN 200410065183 A CN200410065183 A CN 200410065183A CN 1604539 A CN1604539 A CN 1604539A
Authority
CN
China
Prior art keywords
packet
inspection
state table
carry out
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200410065183
Other languages
Chinese (zh)
Other versions
CN1317852C (en
Inventor
蔡圣闻
李论
金毅
齐竞艳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Njusoft Co., Ltd.
Nanjing University
Original Assignee
JIANGSU NJUSOFT CO Ltd
Nanjing University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by JIANGSU NJUSOFT CO Ltd, Nanjing University filed Critical JIANGSU NJUSOFT CO Ltd
Priority to CNB2004100651831A priority Critical patent/CN1317852C/en
Publication of CN1604539A publication Critical patent/CN1604539A/en
Application granted granted Critical
Publication of CN1317852C publication Critical patent/CN1317852C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

It is an integrating method of firewall inner safety components, which comprises the following: to integrate the frame without strict division of each component; then to integrate the safety strategy alignment and inspection; to users the alignment is consistent and to system the inspection is inherent; to have one complete data pack and transmission path of current strategy matched to make the data pack go through each inspection point and through the firewall.

Description

Firewall kernel security component integration method
Technical field
The present invention relates to a kind of method of firewall kernel security component tissue, particularly the method that packet filtering, attack detecting, application proxy are combined as a whole belongs to computer network security field.
Background technology
Because the main security component attack detecting of fire compartment wall, packet filtering, application proxy are all realized separately that respectively the security strategy that they use is also relatively independent usually.For the user, such framework lacks intuitive, logically also relatively disperses, and is difficult to embody actual correlation, is easy to generate contradiction and wrong configuration; For system, owing to carry out the security strategy inspection respectively, there are a lot of occurrences that repeat in cooperation difficulty mutually on the efficient, and particularly application proxy is often implemented in application layer, need carry out repeatedly internal memory during data passes and duplicate, and is very big to the systematic function influence.Therefore, each security component is carried out integrated realization in kernel, be undoubtedly a kind of solution well.
Summary of the invention
It is a kind of with the firewall security assembly that main purpose of the present invention is to provide, as packet filtering, attack detecting, application proxy, the method of integrated realization in operating system nucleus, it will possess uniformity and intuitive more on policy configurations, in system works, it will have easier cooperation means and the treatment effeciency of Geng Gao.
The object of the present invention is achieved like this:
To the design of firewall system, the system configuration that adopts the pipeline system of integrated framework to handle, the security strategy of integration organization, and the transmission path of packet and current strategies match point in kernel.
For the realization of integral system structure, unified Definition is at the calling interface point of operating system nucleus, and packet filtering, attack detecting and application proxy insert at only point of interface respectively and check function according to functional objective, can effectively cooperate each other.
Realization to the security strategy of integration organization, use from the tree structure organizational security policies of protection target as root node, mutual exclusion between the different branches of Policy Tree guarantees all unique definite sub-branch of each coupling or leaf node, and leaf node promptly shows the action that fire compartment wall should be taked; If packet filtering is delivered the inspection final result of security strategy and acted on behalf of branch, then the agency can continue to mate downwards from this checkpoint; Policy Tree is shared by each security component in kernel, and current check point transmits in protocol stack with packet, makes inspection can have continuity.
Fire compartment wall comprises the complete step that packet carries out safety inspection:
Step 1: in the end half formation, carry out mixed mode and handle, judge that it still is the bridge processing module that current data packet is handed over gateway;
Step 2: before route, do following work
Step 201: basic security inspection;
Step 202: multicast and broadcast is handled;
Step 203: carry out purpose NAT;
Step 204: carry out attack detecting;
Step 205: the upper-layer protocol inspection-to Transmission Control Protocol: at first carry out attack detecting, look into the total state table then and abandon or transmit according to the result, syn wrapped in do not find in the total state table, carry out the security strategy inspection, abandon/send agency/interpolation total state table and transmit according to the result; To udp protocol: look into state table earlier, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result; To the ICMP agreement: if the mistake bag is directly transmitted, otherwise looked into state table, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result.
Step 3: application proxy supports: to the packet that needs application proxy to check that matches, current check point and packet are delivered the TCP layer simultaneously.
Step 4: application proxy obtains packet and related security policies checkpoint from formation, proceed the security strategy inspection, and carries out agent functionality.
Step 5: do following work after the route
Step 501: carry out attack detecting;
Step 502: carry out flow control;
Step 503: carry out source NAT.
The realization that packet and current strategies match point transmit in kernel is to utilize skb to transmit the current safety strategy to check state, by protocol stack designated lane transfer data packets.
Description of drawings
Fig. 1 is the structure chart of kernel integrated safe assembly of the present invention;
Fig. 2 is a method flow diagram of the present invention: to packet before the route, and according to the flow process of fire compartment wall open/close state, and safety inspection, and the flow process of the multicast/broadcast bag being handled according to the multicast/broadcast strategy.
Fig. 3 is a method flow diagram of the present invention: the tcp data bag is carried out the attack detecting of transport layer and the flow chart that carries out safety inspection according to Policy Tree
Fig. 4 is a method flow diagram of the present invention, UDP message bag query State table is judged whether to exist virtual connections, and carry out the flow chart of safety inspection according to Policy Tree
Fig. 5 is a method flow diagram of the present invention, ICMP packet query State table is judged whether to exist virtual connections, and carry out the flow chart of safety inspection according to Policy Tree
Fig. 6 is kernel protocol stack integral structure figure of the present invention
Embodiment
The present invention will be further described below in conjunction with the drawings and specific embodiments:
Referring to Fig. 1, fire compartment wall core security components such as packet filtering, supply detection, application proxy coexist as in the operating system nucleus, at the Ip_rcv point of invocation, Arp agency, total state module, Policy Tree module realize the function of packet filtering jointly, attack detecting and address conversion module are finished its corresponding function, Transparent Proxy supports and then skb is made amendment, and proposes the support to the application proxy of TCP layer; Bag to direct forwarding carries out sending after the route querying, and needs are delivered agency's bag, is sent to the TCP layer through the protocol stack designated lane, sends after acting on behalf of analyzing and processing; At the Ip_output point of invocation, Transparent Proxy supports and sends after the bag that the agency is sent is made an amendment once more, and attack detecting and address conversion module are operated once more, and in addition, flow-control module is realized the controlled function of packet filtering to data packet flow.
Fig. 2, Fig. 3, Fig. 4, Fig. 5 have illustrated the main handling process of fire compartment wall to packet.
Referring to Fig. 2, to packet before the route, at first check the fire compartment wall open/close state, if state is for closing, directly operate by the original flow process of operating system, otherwise begin basic safety inspection, and the multicast/broadcast bag is handled, then according to the area attribute of packet receiving network interface card according to the multicast/broadcast strategy, carry out purpose NAT, next call attack detecting and network layer is attacked survey, at last transport layer protocol is carried out subsequent treatment respectively, respectively as Fig. 3, Fig. 4, shown in Figure 5.
Referring to Fig. 3, to the tcp data bag, at first it is carried out the attack detecting of transport layer, analyzing it then is the syn bag, judge its operation of carrying out if not directly looking into the total state table, if, next look into its source port, judge whether it is the dynamic connection of some agreement, if possible be then to look into state table to judge whether the current communication that corresponding this agreement is arranged really, can let pass if exist, if not dynamic connection, then carry out safety inspection, abandon/transmit packet or send agent processes according to the result at last by designated lane according to Policy Tree.
Referring to Fig. 4,, look into state table earlier and judge whether to exist virtual connections the UDP message bag, if exist then transmit, if there is no, then carry out safety inspection according to Policy Tree, and abandon/transmit packet according to the result, when transmitting packet, add the state table corresponding entry simultaneously.
Referring to Fig. 5, to the ICMP packet, if carrying is the mistake return data, then directly transmit, otherwise the query State table judges whether to exist virtual connections, if exist then directly forwarding, if there is no, then carry out safety inspection, and abandon/transmit packet according to the result according to Policy Tree, when transmitting packet, add the state table corresponding entry simultaneously.
When packet arrives TCP layer application proxy through designated lane, application proxy is analyzed from extracted data wherein, and from skb, obtain the security checkpoints that packet filtering has analyzed, thereby then carry out the inspection work of application layer security according to Policy Tree, concrete agent process and packet send flow process and do not repeat them here.
Should illustrate at last: the foregoing description is only in order to explanation the present invention, and and unrestricted technical scheme of the present invention, although the present invention is had been described in detail with reference to above-mentioned example, but, those of ordinary skill in the art should be appreciated that still and can make amendment or be equal to replacement the present invention, therefore, technical scheme and relevant improvement the thereof that all do not break away from the spirit and scope of the present invention all should be encompassed in the middle of the claim scope of the present invention.

Claims (7)

1. firewall kernel security component integration method, it is characterized in that design to firewall system, the system configuration that adopts the pipeline system of integrated framework to handle, the security strategy of integration organization, and the transmission path of packet and current strategies match point in kernel;
For the realization of integral system structure, unified Definition is at the calling interface point of operating system nucleus, and packet filtering, attack detecting and application proxy insert at only point of interface respectively and check function according to functional objective, can effectively cooperate each other;
Realization to the security strategy of integration organization, use from the tree structure organizational security policies of protection target as root node, mutual exclusion between the different branches of Policy Tree guarantees all unique definite sub-branch of each coupling or leaf node, and leaf node promptly shows the action that fire compartment wall should be taked; If packet filtering is delivered the inspection final result of security strategy and acted on behalf of branch, then the agency can continue to mate downwards from this checkpoint; Policy Tree is shared by each security component in kernel, and current check point transmits in protocol stack with packet, makes inspection can have continuity.
2, firewall kernel security component integration method according to claim 1 is characterized in that the method that fire compartment wall carries out packet inspection comprises following steps:
Step 1: in the end half formation, carry out mixed mode and handle, judge that it still is the bridge processing module that current data packet is handed over gateway;
Step 2: before route, do following work
Step 201: basic security inspection;
Step 202: multicast and broadcast is handled;
Step 203: carry out purpose NAT;
Step 204: carry out attack detecting;
Step 205: the upper-layer protocol inspection-to Transmission Control Protocol: at first carry out attack detecting, look into the total state table then and abandon or transmit according to the result, syn wrapped in do not find in the total state table, carry out the security strategy inspection, abandon/send agency/interpolation total state table and transmit according to the result; To udp protocol: look into state table earlier, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result; To the ICMP agreement: if the mistake bag is directly transmitted, otherwise looked into state table, that can find transmits, and that can not find out carries out the security strategy inspection, and decision abandons or adds state table and forwarding according to the result.
Step 3: application proxy supports: to the packet that needs application proxy to check that matches, current check point and packet are delivered the TCP layer simultaneously.
Step 4: application proxy obtains packet and related security policies checkpoint from formation, proceed the security strategy inspection, and carries out agent functionality.
Step 5: do following work after the route
Step 501: carry out attack detecting;
Step 502: carry out flow control;
Step 503: carry out source NAT.
3, firewall kernel security component integration method according to claim 1, it is characterized in that the realization that packet and current strategies match point transmit in kernel: utilize skb to transmit the current safety strategy and check state, by protocol stack designated lane transfer data packets.
4, firewall kernel security component integration method according to claim 1, it is characterized in that packet before the route, at first check the fire compartment wall open/close state, if state is for closing, directly operate by the original flow process of operating system, otherwise begin basic safety inspection, and the multicast/broadcast bag is handled according to the multicast/broadcast strategy, then according to the area attribute of packet receiving network interface card, carry out purpose NAT, next call attack detecting and network layer is attacked survey, at last transport layer protocol is carried out subsequent treatment respectively.
5, firewall kernel security component integration method according to claim 1, it is characterized in that the tcp data bag, at first it is carried out the attack detecting of transport layer, analyzing it then is the syn bag, judge its operation of carrying out if not directly looking into the total state table, if, next look into its source port, judge whether it is the dynamic connection of some agreement, if possible be then to look into state table to judge whether the current communication that corresponding this agreement is arranged really, can let pass if exist, if not dynamic connection, then carry out safety inspection, abandon/transmit packet according to the result at last according to Policy Tree, perhaps send agent processes by designated lane.
6, firewall kernel security component integration method according to claim 1, it is characterized in that the UDP message bag, look into state table earlier and judge whether to exist virtual connections, if exist then forwarding, if there is no, then carry out safety inspection, and abandon/transmit packet according to the result according to Policy Tree, when transmitting packet, add the state table corresponding entry simultaneously.
7, firewall kernel security component integration method according to claim 1, it is characterized in that packet to ICMP, if carrying is the mistake return data, then directly transmit, otherwise the query State table judges whether to exist virtual connections, if exist then directly forwarding, if there is no, then carry out safety inspection, and abandon/transmit packet according to the result according to Policy Tree, when transmitting packet, add the state table corresponding entry simultaneously.
CNB2004100651831A 2004-10-29 2004-10-29 Firewall kernel security component integration method Expired - Fee Related CN1317852C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100651831A CN1317852C (en) 2004-10-29 2004-10-29 Firewall kernel security component integration method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100651831A CN1317852C (en) 2004-10-29 2004-10-29 Firewall kernel security component integration method

Publications (2)

Publication Number Publication Date
CN1604539A true CN1604539A (en) 2005-04-06
CN1317852C CN1317852C (en) 2007-05-23

Family

ID=34666467

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100651831A Expired - Fee Related CN1317852C (en) 2004-10-29 2004-10-29 Firewall kernel security component integration method

Country Status (1)

Country Link
CN (1) CN1317852C (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101834783A (en) * 2010-03-29 2010-09-15 北京星网锐捷网络技术有限公司 Method and device for forwarding messages and network equipment
CN101610218B (en) * 2009-07-15 2011-08-24 中兴通讯股份有限公司 Management method and system of HQoS strategy tree
CN104994084A (en) * 2015-06-23 2015-10-21 西安交大捷普网络科技有限公司 Local agent method of WEB firewall
CN106506720A (en) * 2016-11-16 2017-03-15 西安诺瓦电子科技有限公司 Network ip address auto-allocation method
CN115277502A (en) * 2022-06-17 2022-11-01 广州根链国际网络研究院有限公司 Method for automatically measuring IPv6 flow aiming at APP application

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2296989C (en) * 1999-01-29 2005-10-25 Lucent Technologies Inc. A method and apparatus for managing a firewall
WO2004062216A1 (en) * 2002-12-27 2004-07-22 Fujitsu Limited Apparatus for checking policy of firewall

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610218B (en) * 2009-07-15 2011-08-24 中兴通讯股份有限公司 Management method and system of HQoS strategy tree
CN101834783A (en) * 2010-03-29 2010-09-15 北京星网锐捷网络技术有限公司 Method and device for forwarding messages and network equipment
CN101834783B (en) * 2010-03-29 2012-01-25 北京星网锐捷网络技术有限公司 Method and device for forwarding messages and network equipment
CN104994084A (en) * 2015-06-23 2015-10-21 西安交大捷普网络科技有限公司 Local agent method of WEB firewall
CN106506720A (en) * 2016-11-16 2017-03-15 西安诺瓦电子科技有限公司 Network ip address auto-allocation method
CN115277502A (en) * 2022-06-17 2022-11-01 广州根链国际网络研究院有限公司 Method for automatically measuring IPv6 flow aiming at APP application
CN115277502B (en) * 2022-06-17 2023-10-10 广州根链国际网络研究院有限公司 Method for automatically measuring IPv6 flow aiming at APP

Also Published As

Publication number Publication date
CN1317852C (en) 2007-05-23

Similar Documents

Publication Publication Date Title
EP1515491B1 (en) Architecture for virtual private networks
CN104202300B (en) Data communications method and device based on network isolating device
US6854063B1 (en) Method and apparatus for optimizing firewall processing
US6154839A (en) Translating packet addresses based upon a user identifier
CN100459563C (en) Identification gateway and its data treatment method
CN102938736B (en) A kind of method and apparatus realizing IPv4 message passing through IPv 6 network
CN101820383B (en) Method and device for restricting remote access of switcher
US11153185B2 (en) Network device snapshots
CN101159591A (en) Method and system of implementing different type port image
WO2013063791A1 (en) Nat/firewall accelerator
CN100454901C (en) ARP message processing method
US20130223337A1 (en) Mobile device to generate multiple maximum transfer units and data transfer method
CN1317852C (en) Firewall kernel security component integration method
CN102821020B (en) Method for transparent transmission of virtual private network (VPN) communication through copy and transfer of internet protocol (IP) packet
CN101599889A (en) Prevent the method for MAC address spoofing in a kind of ethernet switching device
Lin et al. A design of the ethernet firewall based on FPGA
CN101621528B (en) Conversation system based on Ethernet switch cluster management and method for realizing conversation passage
CN113067910A (en) NAT traversal method, device, electronic equipment and storage medium
Shieha Application layer firewall using openflow
CN1426169A (en) Method for improving route repeat liability of access server
CN100341282C (en) Kernel-level transparent proxy method based on universal protocol analysis engine
CN1960330A (en) Method and equipment in use for communication connection of redirecting network
CN1444363A (en) Method for implementing Ethernet local area network in public place
CN1278528C (en) Network safety device multi work mode adapting method
WO2008102177A2 (en) Data tunnelling

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: NANJING UNIVERSITY; JIANGSU NANDA SUFUTE SOFTWARE

Free format text: FORMER NAME OR ADDRESS: JIANGSU NANDA SUFUTE SOFTWARE CO., LTD.; NANJING UNIVERSITY

CP03 Change of name, title or address

Address after: 210093 No. 22, Hankou Road, Nanjing, Jiangsu

Co-patentee after: Jiangsu Njusoft Co., Ltd.

Patentee after: Nanjing University

Address before: 210008, Beijing West Road, Jiangsu, Nanjing

Co-patentee before: Nanjing University

Patentee before: Jiangsu Njusoft Co., Ltd.

C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee