CN1829198A - Firewall apparatus with integrated exchange route function - Google Patents
Firewall apparatus with integrated exchange route function Download PDFInfo
- Publication number
- CN1829198A CN1829198A CNA2006100382092A CN200610038209A CN1829198A CN 1829198 A CN1829198 A CN 1829198A CN A2006100382092 A CNA2006100382092 A CN A2006100382092A CN 200610038209 A CN200610038209 A CN 200610038209A CN 1829198 A CN1829198 A CN 1829198A
- Authority
- CN
- China
- Prior art keywords
- network
- exchange
- chip
- interface
- fwsm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a firewall equipment with integrated exchange route function, belonging to data communication field. It contains fire wall module and exchange route module, wherein said fire wall module at least providing an ethernet interface connected with exchange route module provided like quantities ethernet interface, fire wall module providing outer network interface, inner network interface and DMZ interface type; exchange route module providing at least two interfaces; said fire wall module and exchange route module each set a computer system, fire wall modular computer system including CPU and network chip connected adopting bus mode, route module computer system including CPU and network chip connected adopting bus mode. Said invention reduces networking link and cost, realizing network threaten defence, and enhancing network stability and security.
Description
Technical field:
The present invention relates to the data communication field, be specifically related to a kind of firewall box of integrated exchange route function.
Background technology:
Very big negative issue has also appearred in network in the flow of the Internet and professional develop rapidly, be that network security problem becomes increasingly conspicuous, the fail safe of network is receiving increasing user's concern, and firewall box becomes indispensable link in the network.
Fire compartment wall is a kind of senior access control apparatus, it is the combination that places a series of parts between the heterogeneous networks security domain, be unique passage of communication stream between the heterogeneous networks security domain, the visit behavior of safety policy control that can be relevant (allow, refuse, monitor, write down) turnover network according to enterprise.Firewall box typical case in network use as shown in Figure 1, firewall box generally is provided with outer network interface, interior network interface, DMZ interface, special occasions also needs a plurality of outer network interfaces or DMZ interface or interior network interface, but firewall box does not possess the function of exchange route machine.Exchange route machine not only can provide the exchange of switch high bandwidth but also take into account the flexibility of router networking, therefore was widely used in network is formed.
Network processing unit (NP) chip is a kind of chip between CPU and dedicated IC chip (ASIC), also is a kind of balancing technique that obtains between CPU and ASIC, has possessed the flexibility of CPU and the high-performance of ASIC simultaneously.The network processing unit technology is a kind of main chip technology that router adopts under the multi-service integrated environment at present, has solved variety of protocol support and forwarding performance problem under multiservice environment.NP is extensive use of on router, fire compartment wall now.The ASIC fire compartment wall carries out hardware-accelerated processing by custom-designed asic chip logic, though R﹠D costs are higher, limited flexibility system, can't support too many function, but its performance has inborn advantage, be fit to very much the pattern that is applied to simple, to the processing of the higher big flow of carrier class of throughput and time delay index request.
Traditional fire compartment wall networking mode as shown in Figure 1, for strengthening the fail safe of network, usually by a router one outer net is inserted Intranet, router one, fire compartment wall 2 and multilayer switch 3 are usually located at the server convergence-level, the networking link is more, increase the complexity of network, reduced stability of network.
Summary of the invention:
The objective of the invention is to overcome above-mentioned deficiency, a kind of integrated exchange route function firewall box is provided, be used to reform the networking model of the network equipment, reduce the networking link, reduce networking cost, and realize the defence of Cyberthreat strengthening stability of network and fail safe in network access layer, convergence-level.
The object of the present invention is achieved like this: a kind of integrated exchange route function firewall box, it is characterized in that: form by FWSM and exchange routing module, FWSM provides the Ethernet interface of an Ethernet interface and the equivalent amount that provides of exchange routing module to link to each other at least, FWSM externally provides outer network interface, interior network interface and DMZ interface type, the exchange routing module externally provides at least two interfaces, described FWSM, the exchange routing module is respectively established a computer system, the computer system of forming FWSM comprises CPU and network chip, CPU adopts the X86 framework, the ARM framework, the processor of PowerPC framework or MIPS framework, network chip adopts network card chip, network processor chip or fire compartment wall special chip adopt bus mode to connect between CPU and the network chip; The computer system of forming the exchange routing module comprises CPU and network chip, CPU adopts the processor of X86 framework, ARM, PowerPC framework or MIPS framework, network chip be can at least 3 layers of function of exchange exchange chip, adopt bus mode to connect between CPU and the network chip.
Integrated exchange route function firewall box of the present invention, the technical grade PC that can adopt integrated four network interface cards is as FWSM; It is integrated 4 PCI-Express on Pentium 4 processor and the mainboard that the concrete configuration of described Industrial PC Computer requires; The CPU of described exchange routing module adopts PowerPC 8245, and the multilayer exchange chip adopts BCM5690 or BCM5695.
The present invention is by integrated exchange route function on firewall box, make an equipment possess the function of three equipment simultaneously, reformed the networking model of the network equipment, reduced the networking link, reduced networking cost, and realize the defence of Cyberthreat in network access layer or convergence-level, strengthen network stability and fail safe.Typical networking mode as shown in Figure 1, can be reduced to networking mode shown in Figure 2,, because the minimizing of networking link can reach the effect that reduces failsafe link, strengthened stability of network again because thereby the minimizing of networking equipment greatly reduces networking cost.Because equipment of the present invention is mainly used in the access of network or converges, can realize the defence of Cyberthreat at Access Layer and convergence-level by FWSM, thereby strengthen the fail safe and the stability of network.
Description of drawings:
Fig. 1 is traditional fire compartment wall networking mode figure.
Fig. 2 adopts fire compartment wall networking mode figure of the present invention.
Fig. 3 is a logic diagram of the present invention.
Fig. 4 is the execution mode figure of the present invention when the FWSM network chip adopts network card chip.
Fig. 5 is the Key Circuit schematic diagram that the present invention exchanges a kind of embodiment of routing module, i.e. circuit theory diagrams between CPU and the network chip.
Embodiment:
Referring to Fig. 2, Fig. 2 adopts fire compartment wall networking mode figure of the present invention.
Referring to Fig. 3, integrated exchange route function firewall box of the present invention is made up of FWSM and exchange routing module, and FWSM externally provides outer network interface, interior network interface and DMZ interface type; The exchange routing module can externally provide at least two interfaces, the interface of exchange routing module both can be separately in return routing interface also can expand to outer network interface or the interior network interface or the DMZ interface of FWSM; FWSM provides the Ethernet interface of an Ethernet interface and the equivalent amount that provides of exchange routing module to link to each other at least.
Described FWSM, exchange routing module are respectively established a computer system.The computer system of forming FWSM comprises CPU and network chip, CPU adopts the processor of X86 framework, ARM framework, PowerPC framework or MIPS framework, network chip adopts network card chip (NIC), network processing unit (NP) chip or fire compartment wall special chip (ASIC), adopts bus mode to connect between CPU and the network chip.The computer system of forming the exchange routing module comprises CPU and network chip, CPU adopts the processor of X86 framework, ARM, PowerPC framework or MIPS framework, network chip adopts bus mode to connect for the multilayer exchange chip of 3 layers of function of exchange can be provided at least between CPU and the network chip.
Be illustrated in figure 4 as a kind of embodiment when the network chip of FWSM adopts network card chip, the technical grade PC that specifically can adopt integrated four network interface cards is as FWSM, be that more specifically CPU adopts Pentium 4 processor, the integrated technical grade PC of 4 PCI-Express; The exchange routing module adopts the full gigabit multilayer switch solution of Broadcom company, more specifically adopt PowerPC 8245 for CPU, the multilayer exchange chip adopts BCM5690 or BCM5695, and this multilayer exchange chip can provide 12 gigabit interface S1 to S12 and one 10,000,000,000 interface.Omitted exchange routing interface numbering S4 to S11 among the figure.
Fig. 5 has provided the circuit connecting relation of exchange routing module CPU and multilayer exchange chip.
The interface F1 of FWSM, interface F2, interface F3, interface F4 can be defined as outer network interface or interior network interface or DMZ interface arbitrarily.Typical case's application model is that interface F1 is defined as outer network interface, interface F2 and interface F3 are defined as the DMZ interface, interface 4 is defined as interior network interface, because interface F4 directly links to each other with the exchange routing module, so the total interface of exchange routing module can be defined as the firewall interface with interface F4 same type, exchange the also stand-alone interface of the route use in return separately of interface of routing module simultaneously.
Exchange routing module exchange chip can provide exchange route function, and the exchange routing module provides at least two physical interfaces, and the exchange routing module links to each other the physical interface of oneself with the interface F4 of FWSM.The simplified design of exchange routing module is to adopt the chip that 2 layers function of exchange can only be provided or routing function only is provided only is provided.
Because FWSM respectively has a physical interface to link to each other with the exchange routing module, so the FWSM of the firewall box of integrated exchange route function of the present invention and exchange routing module can realize that the communication of two intermodules is interconnected, by software approach both separately the configuring firewalls module and the exchange routing module, also can dispose the another one module by a module.
According to technical scheme provided by the invention, embodiment can also be following mode:
1) FWSM respectively provides an interface to link to each other with the exchange routing module in the above-mentioned embodiment, can also be that FWSM provides a plurality of interfaces to link to each other with the interface of the exchange routing module of equivalent amount, thereby improves the bandwidth that device interior connects.
2) network chip of FWSM can adopt network processing unit (NP) to come the instead of web card chip, and the network processor chip that Intel Company, Motorola and Broadcom company produce all can satisfy the requirement of technical scheme provided by the invention;
3) network chip of FWSM can adopt fire compartment wall special chip (ASIC) to come the instead of web card chip.
4) network chip of exchange routing module can be a slice or multi-disc, thereby provide higher interface integrated level on an equipment according to the demand of disposal ability.
Claims (4)
1, a kind of integrated exchange route function firewall box, it is characterized in that: form by FWSM and exchange routing module, FWSM provides the Ethernet interface of an Ethernet interface and the equivalent amount that provides of exchange routing module to link to each other at least, FWSM externally provides outer network interface, interior network interface and DMZ interface type, the exchange routing module externally provides at least two interfaces, described FWSM, the exchange routing module is respectively established a computer system, the computer system of forming FWSM comprises CPU and network chip, CPU adopts the X86 framework, the ARM framework, the processor of PowerPC framework or MIPS framework, network chip adopts network card chip, network processor chip or fire compartment wall special chip adopt bus mode to connect between CPU and the network chip; The computer system of forming the exchange routing module comprises CPU and network chip, CPU adopts the processor of X86 framework, ARM, PowerPC framework or MIPS framework, network chip be can at least 3 layers of function of exchange exchange chip, adopt bus mode to connect between CPU and the network chip.
2, a kind of integrated exchange route function firewall box according to claim 1 is characterized in that: the technical grade PC that adopts integrated four network interface cards is as FWSM.
3, a kind of integrated exchange route function firewall box according to claim 2 is characterized in that: described CPU adopts Pentium 4 processor, the integrated technical grade PC of 4 PCI-Express.
4, according to claim 1 or 2 or 3 described a kind of integrated exchange route function firewall boxs, it is characterized in that: described exchange routing module CPU adopts PowerPC 8245, and the multilayer exchange chip adopts BCM5690 or BCM5695.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2006100382092A CN1829198A (en) | 2006-02-10 | 2006-02-10 | Firewall apparatus with integrated exchange route function |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2006100382092A CN1829198A (en) | 2006-02-10 | 2006-02-10 | Firewall apparatus with integrated exchange route function |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1829198A true CN1829198A (en) | 2006-09-06 |
Family
ID=36947330
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2006100382092A Pending CN1829198A (en) | 2006-02-10 | 2006-02-10 | Firewall apparatus with integrated exchange route function |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1829198A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114826791A (en) * | 2022-06-30 | 2022-07-29 | 苏州浪潮智能科技有限公司 | Firewall setting method, system, equipment and computer readable storage medium |
-
2006
- 2006-02-10 CN CNA2006100382092A patent/CN1829198A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114826791A (en) * | 2022-06-30 | 2022-07-29 | 苏州浪潮智能科技有限公司 | Firewall setting method, system, equipment and computer readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102347900B (en) | Integrate virtual and physical network switching equipment to isomery switching domain method and system | |
| Burns et al. | Automatic management of network security policy | |
| CN1809035A (en) | Novel firewall device integrating routing and switching function | |
| CN1305271C (en) | Network safety isolating and information exchanging system and method based on proxy mapping | |
| CN102255903B (en) | Safety isolation method for virtual network and physical network of cloud computing | |
| TWI625641B (en) | Methods for preventing computer attacks in two-phase filtering and apparatuses using the same | |
| CN106953788A (en) | A kind of Virtual Network Controller and control method | |
| CN101013962A (en) | Integrated security switch | |
| CN102483702A (en) | Network traffic processing pipeline for virtual machines in a network device | |
| CN103812768A (en) | High-performance network data processing platform system | |
| CN110362992A (en) | Based on the method and apparatus for stopping in the environment of cloud or detecting computer attack | |
| CN102347959A (en) | Resource access system and method based on identity and session | |
| CN102571738A (en) | Intrusion prevention system (IPS) based on virtual local area network (VLAN) exchange and system thereof | |
| CN102130831A (en) | Networking method based on super virtual local area network (Super VLAN) technology | |
| CN100444582C (en) | Switching device with firewall function | |
| CN1801018A (en) | Interface method and apparatus for plant-level monitoring system and decentralized control system for power plant | |
| CN1829198A (en) | Firewall apparatus with integrated exchange route function | |
| CN108632123A (en) | A kind of management platform system of processing high-performance network data | |
| CN1324867C (en) | Route exchanger of integrated fire proof wall | |
| CN102739433A (en) | Control method of local area network computer through network management software allocation based on multi-net environment of three-layer switch | |
| CN109842527A (en) | A kind of network alarm method and equipment | |
| Tillman et al. | SNA and OSI: Three strategies for interconnection | |
| CN1103523C (en) | Integrated access, service and route device | |
| CN106992911A (en) | Data center network access device | |
| CN1649321A (en) | Method and system for router and net bridge inter connection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |