CN1722674A - A firewall and access restriction method thereof - Google Patents

A firewall and access restriction method thereof

Info

Publication number: CN1722674A
Authority: CN (China)
Prior art keywords: connection, packet, blocking, address, restriction
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN 200410069278
Other languages: Chinese (zh)
Other versions: CN100337222C (en)
Inventors: 王刚, 宋斌, 宋春雨, 王伟, 雷永成, 刘天容, 肖为剑
Current assignee: Beijing Leadsec Technology Co., Ltd. (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Lenovo Wangyu Technology Beijing Co Ltd
Events: application filed by Lenovo Wangyu Technology Beijing Co Ltd; priority to CNB2004100692780A; publication of CN1722674A; application granted; publication of CN100337222C; current legal status: expired (fee related); anticipated expiration

Abstract

This invention discloses a connection rate limiting method, characterized in that a connection limit resource is configured for the connection limiting function, the connection rate is counted according to the configured connection limit resource, and data packets are then blocked or allowed to pass. The invention also discloses an access restriction method for a firewall which not only performs the security rule check on a data packet but also limits the connection rate. The invention further discloses a firewall comprising a packet receiving module, a memory, a configuration management module, a packet sending module and a packet processing module, wherein the packet processing module comprises at least a state table processing unit, a security rule processing unit and a connection rate limiting unit. The method and the firewall can limit the frequency of connection accesses and control the spread of junk network traffic.

Description

A firewall and access restriction method thereof
Technical field
The present invention relates to the field of computer network security technology, and in particular to a firewall and an access restriction method thereof.
Background art
As the foundation and core control device of a network security system, a firewall controls the trunk line of network communication and applies security processing to every communication that passes through the controlled trunk. In the prior art, a firewall prevents attacks by malicious data packets mainly through security rule checks or by enabling anti-attack functions.
In a network based on the TCP/IP protocol family, two network entities must first establish a connection before they can communicate. When the first packet of a data connection reaches the firewall, the firewall extracts information such as the IP addresses and ports from the packet and checks them against its security rules. If the packet meets a security rule, the firewall allows the packets of that data connection to pass and creates a connection state table entry for the connection. The connection state table holds the IP address and port information of the packets allowed through, the processing method the security rule specifies for the connection (for example whether the packet passes directly, whether and how it is translated, and whether other checks are performed), and the current state of the connection (for example whether it is in the connection-establishment, established or closing phase).
When a further packet of this data connection passes through the firewall, the firewall extracts the IP address and port information from the packet, looks up the connection state table, obtains the current state of the connection and the processing method the firewall applies to it, processes the packet accordingly, and records the result in the connection state table. If the state of the data connection changes, that change is also recorded in the connection state table.
Fig. 1 is a schematic structural diagram of a prior art firewall, comprising a packet receiving module 101, a memory 102, a configuration management module 103, a packet sending module 104 and a packet processing module 110; the packet processing module 110 comprises a state table processing unit 111 and a security rule processing unit 112. The firewall administrator configures security rules according to the user's requirements through the configuration management module 103, and the configured security rules are stored in the memory 102.
The packet receiving module 101 receives packets and stores them in the memory 102. The state table processing unit 111 in the packet processing module 110 reads the packet information from the memory 102 and looks up the connection state table in the memory 102 according to that information. Depending on the result, it either notifies the memory 102 to forward the packet to the packet sending module 104 and then updates the connection state table in the memory 102, forwards the packet information to the security rule processing unit 112, or discards the packet directly.
The security rule processing unit 112 receives the packet information forwarded by the state table processing unit 111 and performs the security rule check on it. According to the check result, it either notifies the memory 102 to forward the packet to the packet sending module 104 and then notifies the state table processing unit 111 to update the connection state table in the memory 102, or deletes the packet from the memory 102. The packet sending module 104 receives the packets sent by the memory 102 and forwards them.
It can be seen from the above that, once the security rules are configured, the prior art firewall and its packet control method yield only two outcomes: some packets are allowed through without any restriction, and the remaining packets are dropped. In practice, however, network users often want a service to remain accessible while placing some restriction on the frequency of access. Moreover, once a host in the protected zone has been infected by a virus, it may send packets to the external network uncontrollably. In such situations the prior art firewall cannot control the spread of junk traffic and viruses across the network.
Summary of the invention
In view of this, the main object of the present invention is to provide a connection rate limiting method that can limit the frequency of access to a network device or service.
Another object of the present invention is to provide an access restriction method on a firewall that can limit the frequency of access to a network device or service and prevent the spread of junk network traffic.
A further object of the present invention is to provide a firewall that can limit the frequency of access to a network device or service and prevent the spread of junk network traffic.
To achieve the above objects, the technical solution of the present invention is realized as follows:
The invention discloses a connection rate limiting method in which a connection limit resource is configured for the connection limiting function; the method comprises the following steps:
A. Determine whether a new data connection meets the connection feature set in the connection limit resource; if so, count the connection rate of the data connection according to the configured connection limit resource and continue with step B; otherwise allow the packet of the new data connection to pass.
B. Determine whether the counted connection rate exceeds the specified threshold; if so, block the packet of the data connection; otherwise allow or block the packet of the new data connection according to the configured connection limit resource.
The connection limit resource comprises: a connection feature, a specified statistics period, a specified threshold, a blocking period, a connection limit type and a connection limit statistics mode. The connection limit type is protect host, protect service, restrict host or restrict service. The connection limit statistics mode is shared mode or exclusive mode. The connection feature is the destination IP address, the destination IP address and destination port, the source IP address, or the source IP address and destination port of the packet. In the connection feature, the source IP address and the destination IP address of the packet are a single IP address or a range of IP addresses.
In step B of the above solution, when the counted connection rate exceeds the specified threshold, the method further comprises starting a blocking period and a new statistics period.
Correspondingly, in subsequent data connection processing, if the counted connection rate does not exceed the specified threshold, allowing or blocking the packet according to the configured connection limit resource specifically means: determining whether the data connection falls within the blocking period; if so, blocking the packet of the new data connection; otherwise allowing the packet of the new data connection to pass.
During the blocking period, the method further comprises determining whether the newly counted connection rate exceeds the specified threshold; if so, a new blocking period and a new statistics period are started; otherwise no action is taken.
Alternatively, in step B, when the counted connection rate exceeds the specified threshold, the method further comprises starting to block and starting a new statistics period.
Correspondingly, in subsequent data connection processing, if the counted connection rate does not exceed the specified threshold, allowing or blocking the packet according to the configured connection limit resource specifically means: while blocking is in progress, when the counted connection rate falls below the specified threshold, stop blocking, start a new statistics period, and allow the packets of subsequent data connections to pass until the counted connection rate again exceeds the specified threshold.
The invention also provides an access restriction method on a firewall, in which the connection limiting function is set in the security rule and a connection limit resource is configured; the method comprises the following steps:
a. The firewall allows or blocks the packet according to the received packet information and the connection state table information, or continues with step b;
b. Determine whether the received packet information meets a security rule; if so, apply connection rate limiting to the received packet and allow or block the packet according to the connection rate limiting result; otherwise block the packet.
Step a comprises:
The firewall looks up the connection state table according to the received packet information and determines whether the packet belongs to an established data connection in the connection state table; if so, it allows the packet to pass and updates the connection state table; otherwise it determines whether the packet is the first packet of a new data connection; if so, it continues with step b, otherwise it blocks the packet. The packet information comprises: source IP address, destination IP address, source port, destination port and protocol.
In step b of the above solution, the connection rate limiting processing comprises the following steps:
b1. Determine whether the new data connection meets the connection feature set in the connection limit resource; if so, count the connection rate of the data connection according to the configured connection limit resource and continue with step b2; otherwise allow the packet of the new data connection to pass.
b2. Determine whether the counted connection rate exceeds the specified threshold; if so, block the packet of the new data connection; otherwise allow or block the packet of the new data connection according to the configured connection limit resource.
When the counted connection rate exceeds the specified threshold, the method further comprises starting a blocking period and a new statistics period.
Correspondingly, in subsequent data connection processing, if the counted connection rate does not exceed the specified threshold, allowing or blocking the packet according to the configured connection limit resource specifically means: determining whether the data connection falls within the blocking period; if so, blocking the packet of the data connection; otherwise allowing the packet of the data connection to pass.
In the above solution, the connection limit resource comprises: a connection feature, a specified statistics period, a specified threshold, a blocking period, a connection limit type and a connection limit statistics mode. The connection limit type is protect host, protect service, restrict host or restrict service. The connection limit statistics mode is shared mode or exclusive mode. The connection feature is the destination IP address, the destination IP address and destination port, the source IP address, or the source IP address and destination port of the packet. In the connection feature, the source IP address and the destination IP address of the packet are a single IP address or a range of IP addresses.
The present invention further discloses a firewall comprising at least: a packet receiving module, a memory, a configuration management module, a packet sending module and a packet processing module. The configuration management module is used to configure security rules and store the configured security rules in the memory. The packet processing module comprises at least a state table processing unit and a security rule processing unit, and the state table processing unit forwards packet information to the security rule processing unit according to the state table information.
The packet processing module further comprises a connection rate limit processing unit.
The configuration management module is further used to set the connection rate limiting function of a security rule, configure the connection limit resource, and store the configured connection limit resource in the memory.
The security rule processing unit is used to receive the packet information sent by the state table processing unit, perform the security rule check, and forward the packet information to the connection rate limit processing unit according to the check result.
The connection rate limit processing unit is used to receive the packet information sent by the security rule processing unit, perform the connection rate limit processing, notify the memory to discard or forward the packet according to the connection rate limiting result, and notify the state table processing unit to update the connection state table according to the result for the packet.
It can be seen from the above that the key of the present invention is to add a connection rate limit processing unit to the packet processing module of the existing firewall. This unit counts the connection rate of the data connections that meet the connection feature and forwards or discards packets according to the statistics and the specified threshold.
The firewall and its access restriction method provided by the present invention therefore introduce the concept of connection rate limiting. By adding a connection rate limiting module to the firewall, the firewall can restrict the frequency of data connection access, and thus limit malicious access to the internal network from some hosts on the external network, protect internal servers or particular services, and also restrict internal network access to particular external addresses and services. The connection rate limiting function provided by the invention differs from traditional anti-attack functions: it defines the maximum session frequency that a single IP address or a group of IP addresses may establish through the firewall.
For example, where a network user wishes to limit the number of accesses to a service, setting the access frequency within the range the server permits, according to the method of the invention, prevents the same client from sending too many requests and exhausting the session resources of a web server, thereby protecting the internal server. For another example, when an internal host protected by the firewall is infected by a virus, setting a threshold on the number of connections the internal host may make to the external network controls the spread of junk traffic to some extent. Introducing the connection rate limiting function on the firewall therefore improves the security of the whole network.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a prior art firewall;
Fig. 2 is a schematic structural diagram of the firewall of the present invention;
Fig. 3 is a flow chart of the access restriction method on the firewall of the present invention;
Fig. 4 is a flow chart of the connection rate limiting method of the present invention;
Fig. 5 is a schematic network diagram of a specific embodiment of the protect host and protect service types;
Fig. 6 is a schematic network diagram of a specific embodiment of the restrict host and restrict service types.
Embodiments
The present invention is described in more detail below with reference to the drawings and specific embodiments.
The present invention adds a restriction on the frequency of data connections on top of the security rules. In the hardware implementation, the packet processing module comprises, in addition to the state table processing unit and the security rule processing unit, a connection rate limit processing unit. This unit counts the connection rate of the data connections that meet the connection feature and forwards or discards packets according to the statistics and the threshold.
Fig. 2 is a schematic structural diagram of the firewall of the present invention, comprising a packet receiving module 201, a memory 202, a configuration management module 203, a packet sending module 204 and a packet processing module 210; the packet processing module 210 comprises a state table processing unit 211, a security rule processing unit 212 and a connection rate limit processing unit 213. The firewall administrator sets security rules and connection limit resources through the configuration management module 203 according to the user's requirements, and the configured security rules and connection limit resources are stored in the memory 202.
The packet receiving module 201 receives packets and stores them in the memory 202. The state table processing unit 211 in the packet processing module 210 reads the packet information from the memory 202 and looks up the connection state table in the memory 202 according to that information. Depending on the result, it either notifies the memory 202 to forward the packet to the packet sending module 204 and then updates the connection state table in the memory 202, forwards the packet information to the security rule processing unit 212, or discards the packet directly.
The security rule processing unit 212 receives the packet information forwarded by the state table processing unit 211 and performs the security rule check on it. Then, according to the check result: when the packet meets a security rule in which the connection limiting function is not enabled, it notifies the memory 202 to forward the packet to the packet sending module 204 and then notifies the state table processing unit 211 to update the connection state table in the memory 202; when the packet meets a security rule in which the connection limiting function is enabled, it forwards the packet information to the connection rate limit processing unit 213; when the packet does not meet any security rule, it discards the packet in the memory 202.
The connection rate limit processing unit 213 receives the packet information forwarded by the security rule processing unit 212 and matches it against the connection limit resource. Depending on the match result, it either notifies the memory 202 to forward the packet to the packet sending module 204, or counts the data connection rate: when the count does not exceed the specified threshold and the connection is not within a blocking period, it notifies the memory 202 to forward the packet to the packet sending module 204 and notifies the state table processing unit 211 to update the connection state table in the memory 202; when the count exceeds the specified threshold or the connection is within a blocking period, it deletes the packet from the memory 202. The statistics are also kept in the memory 202. The blocking period is the length of time during which the firewall keeps blocking new data connections after finding that the counted connection rate exceeds the specified threshold.
The packet sending module 204 receives the packets sent by the memory 202 and forwards them.
Based on the above apparatus, with the connection limiting function set in the security rule and the connection limit resource configured in advance, the connection restriction method of the present invention for packets is as shown in Fig. 3 and comprises the following steps:
Step 300: the firewall receives a packet, extracts the information in the packet, and looks up the connection state table according to the obtained packet information.
The information in the packet comprises: source IP address, destination IP address, source port, destination port, transport protocol, etc. The source IP address is the IP address the packet comes from; the destination IP address is the IP address the packet is sent to; the source port and destination port are the port numbers of the sender and the receiver respectively, the destination port indicating which service at the destination IP address the packet accesses; the transport protocol is a protocol of the IP protocol suite, such as TCP or UDP.
Step 301: determine whether the packet belongs to an established data connection contained in the connection state table; if so, go directly to step 309; otherwise continue with step 302.
Steps 302 to 303: determine whether the packet is the first packet of a new data connection; if so, the firewall performs the security rule check and continues with step 304; otherwise go to step 308.
Under the TCP protocol, a series of packets with the same source IP address, destination IP address, source port and destination port belong to the same data connection. Packets whose source and destination IP addresses, and source and destination ports, are exactly swapped also belong to the same data connection. A new data connection is identified by the first packet of each data connection received by the firewall.
Step 304: determine whether the received packet meets a security rule; if so, continue with step 305, otherwise go to step 308.
The security rule check is based on packet features such as source IP address, destination IP address, source port, destination port and protocol. If the packet information matches the matching feature configured in a security rule, the packet meets that security rule; otherwise it does not. In addition, the security rule contains the processing method for the packet, such as whether the connection limiting function is enabled.
Step 305: determine whether the security rule met by the packet has the connection limiting function enabled; if so, continue with step 306; otherwise go to step 309.
Connection rate limiting means that, within any given statistics period, the number of new data connections with the same feature passing through the firewall cannot exceed the specified threshold. When the firewall finds that the connection rate exceeds the specified threshold, it begins to block new data connections, and the length of time from that moment during which new data connections remain blocked is called the blocking period.
Steps 306 to 307: perform the connection rate limit processing and determine, according to the information in the packet, whether the packet falls within the connection rate limit; if so, go to step 308; otherwise go to step 309.
Whether a packet falls within the connection rate limit is judged according to the connection limit resource. The connection limit resource comprises configuration information such as the connection feature, the specified statistics period, the specified threshold, the blocking period, the connection limit type and the connection limit statistics mode. A packet falls within the connection rate limit both when the connection rate exceeds the specified threshold and when the data connection is within a blocking period.
Step 308: block the packet and end the process.
Step 309: allow the packet to pass and update the connection state table.
It can be seen from the above that, if the connection limiting function refuses the packets of a data connection, no connection state table entry is created for that data connection, which ensures that resources remain available for normal connection access.
In the above solution, the connection rate limit processing of steps 306 to 307 is as shown in Fig. 4 and comprises the following steps:
Steps 401 to 402: determine, according to the information of the received packet, whether the new data connection meets the connection feature; if so, count the connection rate of the data connection and continue with step 403; otherwise go to step 407.
The connection feature comprises the source IP address, destination IP address and destination port of the packet, etc. In the connection feature, the source IP address and the destination IP address of the packet may be defined as a single IP address, a range of IP addresses, or unrestricted; the destination port of the packet may be defined as a single port or unrestricted. The connection rate is the number of data connections meeting the connection feature that the firewall receives within the specified statistics period; the multiple packets of one data connection are counted only once. The connection rate may be counted in shared mode or exclusive mode.
Steps 403 to 404: determine whether the counted connection rate exceeds the specified threshold; if so, block the packet, start a blocking period and at the same time start a new statistics period; otherwise continue with step 405.
The blocking period is the length of time during which the firewall keeps blocking new data connections after finding that the connection rate exceeds the specified threshold. That is, when the firewall finds that the connection rate exceeds the threshold, it starts blocking the packets of new data connections and at the same time starts timing the blocking period, until the blocking period expires. Blocking a packet is equivalent to discarding it.
In the present embodiment, during the blocking period the firewall continues to monitor the connection rate; even if it finds that the connection rate no longer exceeds the threshold, it still blocks new data connections until the blocking period expires. Whenever a counted connection rate reaches the specified threshold, a new statistics period is started and the connection rate is counted afresh. If, during the blocking period, the newly counted connection rate exceeds the specified threshold, a new blocking period and a new statistics period are started.
Steps 405 to 406: determine whether the data connection is within the blocking period; if so, block the packet and end the process; otherwise go to step 408.
Step 407: allow the packet to pass.
In some embodiments, if no blocking period is configured in the connection limit resource, the firewall continuously monitors the connection rate: when the connection rate exceeds the specified threshold, it begins to block the packets of new data connections and carries out the next round of connection rate statistics; when the counted connection rate falls below the specified threshold, it stops blocking, allows the packets of subsequent data connections to pass, and begins the next round of connection rate statistics. In other words, this embodiment implements a dynamic blocking period.
In other embodiments, the firewall continuously monitors the connection rate and, if it finds that the connection rate exceeds the threshold, blocks the packet of a new data connection, otherwise allowing it to pass. This embodiment can be said to achieve real-time monitoring of access data by the firewall, ensuring that the access frequency of a protected host or service never exceeds the specified threshold at any moment. However, it effectively requires monitoring the instantaneous connection rate, which is more complex to implement and consumes more firewall system resources. The embodiment shown in Fig. 4 is therefore a preferred embodiment of the present invention.
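As an added illustration (not code from the patent or its assignee), the following Python models the Fig. 3 packet flow and the Fig. 4 rate limiting steps, including the fixed blocking period and the dynamic-blocking variant used when no blocking period is configured. The class and field names, the use of the TCP SYN flag to recognise the first packet of a new connection, and the constructed traffic timeline are assumptions; the shared/exclusive statistics mode is not modelled.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Connection limit types from the description; each fixes the packet fields forming the counted "connection feature".
PROTECT_HOST = "protect_host"          # feature: destination IP
PROTECT_SERVICE = "protect_service"    # feature: destination IP + destination port
RESTRICT_HOST = "restrict_host"        # feature: source IP
RESTRICT_SERVICE = "restrict_service"  # feature: source IP + destination port

# Packet information extracted by the firewall (step 300); syn marks the first packet of a new TCP connection.
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port proto syn", defaults=(False,))

@dataclass
class LimitResource:
    """The connection limit resource configured alongside a security rule (assumed field names)."""
    limit_type: str
    stats_period: float            # length of one statistics period, seconds
    threshold: int                 # max new connections per statistics period
    block_period: Optional[float]  # seconds; None = no fixed period (dynamic blocking)
    match_ips: Optional[Set[str]] = None  # single IP or address range; None = unrestricted
    match_port: Optional[int] = None      # destination port; None = unrestricted

@dataclass
class _Counter:
    window_start: float       # start of the current statistics period
    count: int = 0            # new connections counted in this period
    block_until: float = 0.0  # end of the blocking period (inf while dynamically blocked)

class ConnectionRateLimiter:
    def __init__(self, res: LimitResource) -> None:
        self.res = res
        self.counters: Dict[Tuple, _Counter] = {}

    def _key(self, p: Packet) -> Optional[Tuple]:
        """Step 401: the counted feature, or None if the packet does not meet it."""
        r = self.res
        ip = p.src_ip if r.limit_type in (RESTRICT_HOST, RESTRICT_SERVICE) else p.dst_ip
        if r.match_ips is not None and ip not in r.match_ips:
            return None
        if r.limit_type in (PROTECT_HOST, RESTRICT_HOST):
            return (ip,)
        if r.match_port is not None and p.dst_port != r.match_port:
            return None
        return (ip, p.dst_port)

    def check(self, p: Packet, now: float) -> bool:
        """Steps 402-407: True if the first packet of this new connection may pass."""
        key = self._key(p)
        if key is None:
            return True                                   # step 407: feature not met
        r = self.res
        c = self.counters.setdefault(key, _Counter(window_start=now))
        if now - c.window_start >= r.stats_period:        # statistics period is over
            if r.block_period is None and c.count < r.threshold:
                c.block_until = 0.0                       # dynamic: rate fell below threshold, stop blocking
            c.count, c.window_start = 0, now              # next round of statistics
        c.count += 1                                      # step 402: count this new connection
        if c.count > r.threshold:                         # step 403: threshold exceeded
            c.block_until = float("inf") if r.block_period is None else now + r.block_period  # step 404
            c.count, c.window_start = 0, now              # and a new statistics period
            return False
        return now >= c.block_until                       # steps 405-406: still in the blocking period?

class Firewall:
    """Fig. 3: state table lookup, then security rule check, then connection rate limit."""
    def __init__(self, rules: List[Tuple[Callable[[Packet], bool], Optional[ConnectionRateLimiter]]]) -> None:
        self.rules = rules  # (match predicate, limiter); limiter is None when limiting is not enabled
        self.state_table: Set[Tuple] = set()

    @staticmethod
    def conn_key(p: Packet) -> Tuple:
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        return min(fwd, rev)  # both directions of a connection share one state table entry

    def handle(self, p: Packet, now: float) -> bool:
        key = self.conn_key(p)
        if key in self.state_table:                       # step 301: established connection
            return True                                   # step 309
        if not p.syn:                                     # step 302: not a new connection's first packet
            return False                                  # step 308
        for matches, limiter in self.rules:               # step 304: security rule check
            if matches(p):
                if limiter is not None and not limiter.check(p, now):   # steps 305-307
                    return False                          # step 308: falls within the rate limit
                self.state_table.add(key)                 # step 309: record the connection
                return True
        return False                                      # step 308: no security rule matched

def demo() -> List[bool]:
    # Constructed scenario: protect service 10.0.0.5:80, at most 2 new connections per 10 s, block for 30 s.
    res = LimitResource(PROTECT_SERVICE, stats_period=10, threshold=2, block_period=30, match_ips={"10.0.0.5"}, match_port=80)
    fw = Firewall([(lambda p: p.dst_ip == "10.0.0.5" and p.dst_port == 80, ConnectionRateLimiter(res))])
    syns = [Packet("192.0.2.1", "10.0.0.5", port, 80, "tcp", syn=True) for port in (40001, 40002, 40003, 40004)]
    out = [fw.handle(p, t) for t, p in enumerate(syns)]                                  # t = 0, 1, 2, 3
    out += [fw.handle(Packet("10.0.0.5", "192.0.2.1", 80, 40001, "tcp"), 4),            # reply on connection 1
            fw.handle(Packet("192.0.2.1", "10.0.0.5", 40005, 80, "tcp", syn=True), 33)]  # blocking period over
    return out  # → [True, True, False, False, True, True]
```

The third SYN pushes the count past the threshold and starts the 30 s blocking period, so the fourth SYN is dropped even though the new statistics period has only counted one connection, while the reply on the already established connection passes via the state table.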
In the present invention the connection restriction resource also carries the configuration of the connection restriction type and the connection restriction statistics mode. The connection restriction types are: protect host, protect service, restrict host and restrict service.
1) Protect host means that, within any statistics period, the number of connections initiated by the hosts of a designated zone to the protected host may not exceed the specified threshold. Once the connection count exceeds the threshold, any further data connection initiated by a host of the designated zone to the protected host is blocked by the firewall until the blocking period expires; only then may the hosts of the designated zone initiate connections to the protected host again. For a protect-host connection restriction, the connection feature is the destination IP address.
2) Protect service means that, within any statistics period, the number of connections initiated by the hosts of the designated zone to a specified service on the protected host may not exceed the specified threshold. Once the connection count exceeds the threshold, any further data connection initiated by a host of the designated zone to the specified service of the protected host is blocked by the firewall until the blocking period expires; only then may the hosts of the designated zone initiate connections to that service again. Connections from the hosts of the designated zone to the other services of the protected host are not restricted. For a protect-service connection restriction, the connection feature is the destination IP address together with the destination port.
3) Restrict host means that, within any statistics period, the number of connections initiated by the hosts of the designated zone to any host may not exceed the specified threshold. Once the connection count exceeds the threshold, any further data connection initiated by a host of the designated zone to any host is blocked by the firewall until the blocking period expires; only then may the hosts of the designated zone initiate connections to any host again. For a restrict-host connection restriction, the connection feature is the source IP address.
4) Restrict service means that, within any statistics period, the number of connections initiated by the hosts of the designated zone to a specified service on any host may not exceed the specified threshold. Once the connection count exceeds the threshold, any further data connection initiated by a host of the designated zone to the specified service of any host is blocked by the firewall until the blocking period expires; only then may the hosts of the designated zone initiate connections to the specified service of any host again. Connections from the hosts of the designated zone to other services of any host are not restricted. For a restrict-service connection restriction, the connection feature is the source IP address together with the destination port.
In practical applications, protect host and protect service are mainly used to protect servers on the intranet. When external hosts access an intranet server, the firewall can set the frequency at which external access to the internal server is permitted, protecting the internal server and refusing some malicious hosts' access to the intranet. The difference between the two is: the protect-host function protects all services on the specified host, so the protection takes effect as soon as the address accessed from outside is that of the specified host; the protect-service function protects one specified service on the specified host, such as the http service or the ftp service, so the protection takes effect when the external access is to that service on the specified host.
Restrict host and restrict service are mainly control policies defined for intranet hosts protected by the firewall accessing the external network. The difference between them is: the restrict-host function limits the frequency at which a particular internal host accesses the external network, and in practice can be used to limit that host's outbound traffic; restrict service is a connection restriction applied when a particular intranet host accesses a particular service on the external network, such as the www service or the ftp service. In practice, since worm viruses spread through particular ports, if an intranet host protected by the firewall is attacked by a worm, enabling the restrict-service function can reduce the outward spread of the virus from infected machines on the intranet.
In practice any one of the above four types of connection restriction may be enabled on its own, several may be enabled at the same time, or all of them may be enabled at once; in that case, as soon as any one connection rate exceeds its specified threshold, all data connections matching the connection feature of the corresponding type are blocked.
The connection restriction statistics mode is the way in which data connections sharing the same connection feature are counted. There are generally two modes: shared mode and exclusive mode. Taking the protect-host connection restriction as an example, shared mode means that once the total number of connections from all hosts in the zone to the protected host exceeds the specified threshold, connections from every host in the designated zone to the protected host are blocked until the blocking period expires; exclusive mode means that once one host in the zone exceeds the specified threshold of connections to the protected host, that host's connections to the protected host are blocked until the blocking period expires while the other hosts in the zone continue to be counted. That is, each host's connections to the protected host are counted separately and do not affect one another. All four connection restriction types may use either shared mode or exclusive mode.
Some concrete examples are described below.
As shown in Figure 5, when the protect-host function is not enabled on the firewall, any host on the Internet may access intranet host A at will as long as the firewall security rules allow it. If a host on the Internet mounts a malicious attack on host A, host A may be paralysed once the number of accesses from the Internet host exceeds a certain limit. If the connection restriction function protecting host A is enabled on the firewall and the connection feature is set to the IP address of host A, then, once the rate of connections from Internet hosts to intranet host A exceeds the specified threshold of the connection restriction, the packets sent by those Internet hosts are blocked by the firewall and cannot threaten host A.
As shown in Figure 5, when the protect-service function is not enabled on the firewall, any host on the Internet may access the services on host A at will as long as the firewall security rules allow it. If a host on the Internet mounts a malicious attack on host A, it consumes host A's resources and at the same time the firewall's session resources, interferes with other hosts' normal access to the web service on host A and, in severe cases, may even paralyse host A. If protection of the web service on host A is enabled on the firewall and the connection feature is set to the IP address of host A together with the port of the web service, then, once the rate of connections from Internet hosts to the web service of intranet host A exceeds the specified threshold of the connection restriction, the packets of that access are blocked by the firewall: they can neither threaten host A nor take up too many firewall resources, so normal connection access is preserved.
As shown in Figure 6, when the restrict-host function is not enabled on the firewall, intranet machines may access Internet resources at will. In real networks one often finds that network access becomes slow or connections drop intermittently because one or more hosts on the customer's internal network have been infected by a network worm. Suppose the machines of workgroup A are infected by a worm: they send out large numbers of packets and consume a great deal of network resources. If the restrict-host function is enabled on the firewall to restrict workgroup A, with the connection feature set to the IP addresses of all machines in workgroup A, the worm packets sent by the machines of workgroup A are blocked by the firewall, ensuring that the virus cannot spread on a large scale.
In conclusion, the foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement and so on made within the spirit and principles of the present invention shall fall within its scope of protection.
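The blocking-period behaviour described above (a fixed blocking period that outlives a drop in the rate and is restarted when the rate is exceeded again, plus the dynamic variant used when no blocking period is configured), the four connection restriction types with their connection features, and the shared and exclusive statistics modes can be put together in one small rate limiter. The following Python is an added example written for this page, not code from the patent or its assignee; every class, field and the sample traffic (the Figure 5 host A scenario with constructed Internet addresses) are this example's own assumptions, and the statistics period is restarted from the arrival time of the first packet rather than aligned to a clock.

```python
"""Connection rate limiting as described in the text: the first packet of each
new data connection is matched against a connection restriction resource,
counted per statistics period, and blocked once the count exceeds the
threshold, either for a fixed blocking period (Figure 4 embodiment) or, when
no blocking period is configured, until a whole statistics period stays below
the threshold (dynamic embodiment).  All names, fields and sample traffic are
this example's assumptions, not the patent's."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTECT_HOST, PROTECT_SERVICE, RESTRICT_HOST, RESTRICT_SERVICE = range(4)
SHARED, EXCLUSIVE = "shared", "exclusive"


@dataclass
class Packet:
    """First packet of a new connection (only the fields the limiter needs)."""
    src: str
    dst: str
    dport: int


@dataclass
class LimitResource:
    limit_type: int
    hosts: str                        # "10.0.0.5" (single) or "192.168.1.0/24" (range)
    port: Optional[int]               # only used by the two *_SERVICE types
    threshold: int                    # max new connections per statistics period
    stats_period: float               # seconds
    block_period: Optional[float]     # seconds; None selects dynamic blocking
    mode: str = SHARED

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.hosts)   # single address or range


@dataclass
class KeyState:
    period_start: float
    count: int = 0
    block_until: float = 0.0          # fixed blocking period: its end time
    blocking: bool = False            # dynamic blocking: currently blocking?


def matches(res: LimitResource, pkt: Packet) -> bool:
    """Does the packet carry the resource's connection feature (step A)?"""
    # protect-* types look at the destination, restrict-* types at the source
    host = pkt.dst if res.limit_type in (PROTECT_HOST, PROTECT_SERVICE) else pkt.src
    if ipaddress.ip_address(host) not in res.net:
        return False
    if res.limit_type in (PROTECT_SERVICE, RESTRICT_SERVICE):
        return pkt.dport == res.port   # other services stay unrestricted
    return True


def stats_key(res: LimitResource, pkt: Packet) -> str:
    """Shared mode counts every matching host together; exclusive mode keeps a
    separate counter per source host, so one host cannot get its neighbours blocked."""
    return pkt.src if res.mode == EXCLUSIVE else "*"


class ConnRateLimiter:
    def __init__(self, res: LimitResource):
        self.res = res
        self.state: dict = {}

    def check(self, pkt: Packet, now: float) -> str:
        """Return 'allow' or 'block' for the first packet of a new connection."""
        res = self.res
        if not matches(res, pkt):
            return "allow"
        st = self.state.setdefault(stats_key(res, pkt), KeyState(now))
        # A statistics period has elapsed: close it and start a new one.  In
        # dynamic mode a period that stayed below the threshold lifts the block.
        if now - st.period_start >= res.stats_period:
            if res.block_period is None and st.count < res.threshold:
                st.blocking = False
            st.period_start, st.count = now, 0
        st.count += 1                   # blocked attempts are still counted
        if st.count > res.threshold:    # step B: rate exceeded
            st.period_start, st.count = now, 0        # new statistics period
            if res.block_period is None:
                st.blocking = True
            else:
                st.block_until = now + res.block_period   # (re)start blocking period
            return "block"
        if res.block_period is None:
            return "block" if st.blocking else "allow"
        # Fixed blocking period: keep blocking until it expires even though the
        # current rate is below the threshold.
        return "block" if now < st.block_until else "allow"


def demo():
    """Figure 5 scenario with constructed traffic: protect intranet host
    10.0.0.5, at most 3 new connections per 10 s, blocking for 30 s."""
    res = LimitResource(PROTECT_HOST, "10.0.0.5", None, 3, 10.0, 30.0)
    lim = ConnRateLimiter(res)
    traffic = [(0, "198.51.100.1"), (1, "198.51.100.2"), (2, "198.51.100.1"),
               (3, "198.51.100.2"), (5, "198.51.100.1"), (34, "198.51.100.1")]
    return [lim.check(Packet(src, "10.0.0.5", 80), t) for t, src in traffic]


if __name__ == "__main__":
    print(demo())   # ['allow', 'allow', 'allow', 'block', 'block', 'allow']
```

Only the first packet of a new connection is passed to check(); the state table lookup that gives established connections their fast path is a separate step. Blocked attempts are still counted, which is what lets a burst that continues through the blocking period restart it, and in dynamic mode it is a full statistics period below the threshold, not a single quiet packet, that lifts the block.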

Claims (20)

1. A connection rate limiting method, characterized in that the method configures a connection restriction resource for the connection restriction function and comprises the following steps:
A. judging whether a new data connection matches the connection feature set in the connection restriction resource; if so, performing connection rate statistics on this data connection according to the configured connection restriction resource and continuing with step B; otherwise allowing the packet of this new data connection to pass;
B. judging whether the connection rate obtained by the statistics exceeds the specified threshold; if so, blocking the packet of this data connection; otherwise allowing or blocking the packet of this new data connection according to the configured connection restriction resource.
2. The method according to claim 1, characterized in that the connection restriction resource comprises: connection feature, specified statistics period, specified threshold, blocking period, connection restriction type and connection restriction statistics mode.
3. The method according to claim 2, characterized in that the connection restriction type is protect host, protect service, restrict host or restrict service.
4. The method according to claim 2, characterized in that the connection restriction statistics mode is shared mode or exclusive mode.
5. The method according to claim 2, characterized in that the connection feature is the packet's destination IP address; or its destination IP address and destination port; or its source IP address; or its source IP address and destination port.
6. The method according to claim 5, characterized in that the source IP address and the destination IP address of the packet in the connection feature are each a single IP address or an IP address range.
7. The method according to claim 1, characterized in that in step B, when the connection rate obtained by the statistics exceeds the specified threshold, the method further comprises: starting a blocking period and a new statistics period;
correspondingly, in the processing of subsequent data connections, if the connection rate obtained by the statistics does not exceed the specified threshold, allowing or blocking the packet according to the configured connection restriction resource specifically consists of: judging whether this data connection falls within the blocking period; if so, blocking the packet of this new data connection; otherwise allowing the packet of this new data connection to pass.
8. The method according to claim 7, characterized in that during the blocking period the method further comprises: judging whether the newly obtained connection rate exceeds the specified threshold; if so, starting a new blocking period and a new statistics period; otherwise taking no action.
9. The method according to claim 1, characterized in that in step B, when the connection rate obtained by the statistics exceeds the specified threshold, the method further comprises: starting blocking and starting a new statistics period;
correspondingly, in the processing of subsequent data connections, if the connection rate obtained by the statistics does not exceed the specified threshold, allowing or blocking the packet according to the configured connection restriction resource specifically consists of: during blocking, when the connection rate obtained by the statistics falls below the specified threshold, stopping the blocking, starting a new statistics period and allowing the packets of subsequent data connections to pass until the connection rate obtained by the statistics exceeds the specified threshold.
10. An access restriction method on a firewall, characterized in that a connection restriction function is set in a security rule and a connection restriction resource is configured; the method comprises the following steps:
a. the firewall allows or blocks the packet according to the received packet information and the connection state table information, or continues with step b;
b. judging whether the received packet information matches the security rule; if so, applying connection rate limiting to the currently received packet and allowing or blocking the packet according to the result of the connection rate limiting; otherwise blocking the packet.
11. The method according to claim 10, characterized in that step a comprises:
the firewall looks up the connection state table according to the received packet information and judges whether the packet belongs to an established data connection in the connection state table; if so, it allows the packet to pass and updates the connection state table; otherwise it judges whether the packet is the first packet of a new data connection; if so, it continues with step b, otherwise it blocks the packet.
12. The method according to claim 10 or 11, characterized in that the packet information comprises: source IP address, destination IP address, source port, destination port and protocol.
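Steps a and b of claims 10 to 12, as an added Python example that is not part of the patent: the state table fast path, the first-packet check, the security rule match and the connection rate limit are combined in one handle() function. The class and field names, the use of the TCP SYN flag to recognise the first packet of a connection, and the sample traffic are this example's assumptions; the rate limiter is reduced to a fixed-window counter per rule and destination so that the packet path itself stays in focus.

```python
"""Firewall packet path: connection state table, then security rules, then
connection rate limiting for rule-permitted new connections.  Example code
with assumed names and constructed traffic; not the patent's own design."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PacketInfo:
    """Packet information of claim 12 plus the TCP SYN flag, which this
    example uses to recognise the first packet of a new TCP connection."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                     # "tcp" or "udp"
    syn: bool = False


@dataclass(frozen=True)
class SecurityRule:
    src_net: str                   # "any" or a network such as "198.51.100.0/24"
    dst: str
    dport: int
    proto: str
    action: str                    # "allow" or "deny"
    rate_limit: Optional[Tuple[int, float]] = None   # (threshold, period in s)

    def matches(self, p: PacketInfo) -> bool:
        if (p.dst, p.dport, p.proto) != (self.dst, self.dport, self.proto):
            return False
        return self.src_net == "any" or \
            ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)   # first matching rule wins; default is deny
        self.state_table = set()   # 5-tuples of established connections
        self.counters = {}         # (rule, dst) -> [period_start, count]

    @staticmethod
    def key(p):
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    @staticmethod
    def reply_key(p):
        return (p.dst, p.src, p.dport, p.sport, p.proto)

    def rate_exceeded(self, rule, p, now):
        """Minimal fixed-window count of new connections per (rule, destination)."""
        threshold, period = rule.rate_limit
        c = self.counters.get((rule, p.dst))
        if c is None or now - c[0] >= period:
            c = self.counters[(rule, p.dst)] = [now, 0]
        c[1] += 1
        return c[1] > threshold

    def handle(self, p, now):
        # step a: look the packet up in the connection state table
        if self.key(p) in self.state_table or self.reply_key(p) in self.state_table:
            return "allow"         # established connection (table refresh omitted)
        if p.proto == "tcp" and not p.syn:
            return "block"         # not the first packet of a new connection
        # step b: security rule check, then connection rate limiting
        rule = next((r for r in self.rules if r.matches(p)), None)
        if rule is None or rule.action != "allow":
            return "block"
        if rule.rate_limit is not None and self.rate_exceeded(rule, p, now):
            return "block"
        self.state_table.add(self.key(p))   # rate limit passed: record the connection
        return "allow"


def demo():
    """Constructed traffic: web to 10.0.0.5:80 limited to 2 new connections per 10 s."""
    fw = Firewall([
        SecurityRule("any", "10.0.0.5", 80, "tcp", "allow", (2, 10.0)),
        SecurityRule("any", "10.0.0.53", 53, "udp", "allow"),
    ])
    packets = [
        (0.0, PacketInfo("198.51.100.1", "10.0.0.5", 40001, 80, "tcp", syn=True)),
        (0.1, PacketInfo("198.51.100.1", "10.0.0.5", 40001, 80, "tcp")),           # data
        (0.2, PacketInfo("10.0.0.5", "198.51.100.1", 80, 40001, "tcp")),           # reply
        (1.0, PacketInfo("198.51.100.2", "10.0.0.5", 40002, 80, "tcp", syn=True)),
        (2.0, PacketInfo("198.51.100.3", "10.0.0.5", 40003, 80, "tcp", syn=True)),  # 3rd new
        (3.0, PacketInfo("198.51.100.4", "10.0.0.5", 40004, 80, "tcp")),           # stray
        (4.0, PacketInfo("198.51.100.1", "10.0.0.5", 40005, 22, "tcp", syn=True)),  # no rule
        (5.0, PacketInfo("198.51.100.1", "10.0.0.53", 5000, 53, "udp")),
    ]
    return [fw.handle(p, t) for t, p in packets]


if __name__ == "__main__":
    print(demo())
    # ['allow', 'allow', 'allow', 'allow', 'block', 'block', 'block', 'allow']
```

The order matters for both security and cost: established connections never touch the rule set or the counters, a stray mid-stream packet with no state entry is dropped before any rule lookup, and only connections the rules already permit consume rate-limit budget, so a denied service cannot push a permitted one over its threshold.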
13. The method according to claim 10, characterized in that in step b the connection rate limiting comprises the following steps:
b1. judging whether the new data connection matches the connection feature set in the connection restriction resource; if so, performing connection rate statistics on this data connection according to the configured connection restriction resource and continuing with step b2; otherwise allowing the packet of this new data connection to pass;
b2. judging whether the connection rate obtained by the statistics exceeds the specified threshold; if so, blocking the packet of this new data connection; otherwise allowing or blocking the packet of this new data connection according to the configured connection restriction resource.
14. The method according to claim 13, characterized in that in step b2, when the connection rate obtained by the statistics exceeds the specified threshold, the method further comprises: starting a blocking period and a new statistics period;
correspondingly, in the processing of subsequent data connections, if the connection rate obtained by the statistics does not exceed the specified threshold, allowing or blocking the packet according to the configured connection restriction resource specifically consists of: judging whether this data connection falls within the blocking period; if so, blocking the packet of this data connection; otherwise allowing the packet of this data connection to pass.
15. The method according to claim 10, 13 or 14, characterized in that the connection restriction resource comprises: connection feature, specified statistics period, specified threshold, blocking period, connection restriction type and connection restriction statistics mode.
16. The method according to claim 15, characterized in that the connection restriction type is protect host, protect service, restrict host or restrict service.
17. The method according to claim 15, characterized in that the connection restriction statistics mode is shared mode or exclusive mode.
18. The method according to claim 15, characterized in that the connection feature is the packet's destination IP address; or its destination IP address and destination port; or its source IP address; or its source IP address and destination port.
19. The method according to claim 18, characterized in that the source IP address and the destination IP address of the packet in the connection feature are each a single IP address or an IP address range.
20. A firewall comprising at least: a packet receiving module, a memory, a configuration management module, a packet sending module and a packet processing module; the configuration management module is used to configure security rules and save the configured security rules in the memory; the packet processing module comprises at least a state table processing unit and a security rule processing unit, and the state table processing unit forwards packet information to the security rule processing unit according to the state table information;
characterized in that the packet processing module further comprises a connection rate limit processing unit;
the configuration management module is further used to set the connection rate limiting function of a security rule, to configure a connection restriction resource and to save the configured connection restriction resource in the memory;
the security rule processing unit is used to receive the packet information sent by the state table processing unit, perform the security rule check and forward the packet information to the connection rate limit processing unit according to the check result;
the connection rate limit processing unit is used to receive the packet information sent by the security rule processing unit, perform the connection rate limiting process, notify the memory to discard or forward the packet according to the connection rate limiting result, and notify the state table processing unit to update the connection state table according to the result for the packet.
Priority Application

CNB2004100692780A, priority date 2004-07-15, filing date 2004-07-15, "A firewall and access restriction method thereof"; granted as CN100337222C (Expired - Fee Related).

Publications

CN1722674A (application), published 2006-01-18
CN100337222C (granted patent), published 2007-09-12

Family

ID=35912650 (one family application, CNB2004100692780A; country: CN)

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model
C56: Change in the name or address of the patentee; owner name: BEIJING LEADSEC TECHNOLOGY CO.,LTD. (former name: LENOVO NET DEFENSE TECHNOLOGY (BEIJING) CO., LTD.)
CP01: Change in the name or title of a patent holder; patentee before: Lenovo Wangyu Technology (Beijing) Ltd.; patentee after: Beijing Leadsec Technology Co.,Ltd.; address before and after (unchanged): 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun
CF01 / EXPY: Termination of patent right or utility model due to non-payment of annual fee; granted publication date 20070912; termination date 20150715