CN201294533Y - Intelligent multifunctional safety gateway - Google Patents
- Publication number: CN201294533Y (application number CNU2008201926553U)
- Authority: CN (China)
- Prior art keywords: module, unit, network, thread, linux kernel
- Legal status: Expired - Fee Related (the status is as listed by Google Patents, which has not performed a legal analysis and makes no representation as to its accuracy)
Abstract
The utility model relates to an intelligent multifunctional security gateway comprising a Linux kernel and at least two network interface cards, the Linux kernel being connected to each network interface card. It is characterised in that the Linux kernel is further connected, through an interface, to an IP packet filter module, a traffic control module, and an L7 and P2P module; an internal task scheduling module is connected to the Linux kernel, the IP packet filter module, the traffic control module, and the L7 and P2P module; and the internal task scheduling module is connected to the user through an interactive interface module. The gateway integrates the functions of a router, traffic control, a VPN and a firewall: it provides IP-based traffic control, intelligent routing, a VPN dial-up access server, a network firewall and NAT address translation, replaces several expensive and largely single-purpose network appliances, and offers stable, reliable performance at low cost.
Description
Technical field
The utility model belongs to the field of gateway devices used in IP networks, and in particular relates to an intelligent multifunctional security gateway.
Background technology
In the construction, operation and maintenance of small and medium-sized IP networks at home and abroad, the requirements for network management and control are rising and are now in no way inferior to those of telecom operators. Small and medium-sized IP networks are typically used by government departments, large enterprises and institutions, and small and medium-sized operators. Besides basic network operation and management, they must effectively control P2P application traffic such as BT and provide functions such as VPN dial-up access and advanced firewalling. Judging by network size, network complexity and the number of network users, ordinary low- and mid-range network switches can satisfy simple networking requirements, but cannot deliver advanced functions such as intelligent IP route selection and control, IP traffic control, VPN dial-up access and firewalling, which are precisely what the small and medium-sized intranets of government departments and large enterprises require. High-end equipment can deliver some of these functions, but not all of them together, because equipment from manufacturers generally provides only one independent function: a router, a traffic control device or a firewall each performs only a single function such as routing, traffic control, VPN or network security.
Summary of the invention
The purpose of the utility model is to provide a low-cost intelligent multifunctional security gateway that simultaneously offers intelligent route control, IP traffic control, VPN and firewall functions, so as to overcome the above shortcomings.
To achieve these goals, the utility model is composed of a Linux kernel and at least two network interface cards, the Linux kernel being connected to each network interface card, and is characterised in that: the Linux kernel is further connected through an interface to an IP packet filter module, a traffic control module, and an L7 and P2P module; an internal task scheduler module is connected to the Linux kernel, the IP packet filter module, the traffic control module, and the L7 and P2P module; and the internal task scheduler module is also connected to the user through an interactive interface module.
The internal task scheduler module consists of a task analysis unit, a task thread model data generation unit, a thread resource allocation unit, a thread pool, a task object directing unit and a thread execution inspection unit, wherein:
The task analysis unit is connected to the output of the interactive interface module, and is connected to the thread resource allocation unit through the task thread model data generation unit;
The thread resource allocation unit sends signals to the Linux kernel, the IP packet filter module, the traffic control module, and the L7 and P2P module through the task object directing unit, and is also connected to a thread pool;
The input of the thread execution inspection unit receives signals from the Linux kernel, the IP packet filter module, the traffic control module, and the L7 and P2P module, and its output sends signals to the thread resource allocation unit and the interactive interface module.
The interactive interface module consists of a Java Web Start unit, a user client, a TCP/IP unit, a control command language translation unit, an interface service process unit and a database, wherein:
The Java Web Start unit is connected to the user, and is connected in sequence through the user client, the TCP/IP unit and the control command language translation unit to the interface service process unit;
The interface service process unit is connected to the database and to the task scheduling module.
The beneficial effects of the utility model are:
(1) High integration: router, traffic control, VPN dial-up server, firewall and NAT functions are realised on a single device, and these functions can be linked together.
(2) Low cost, convenient networking and simple operation; it can replace many expensive dedicated network devices (single-function devices such as a dedicated router, traffic control equipment, a VPN gateway or a firewall).
(3) Stable and outstanding performance; it provides policy routing based on source address, destination address, source port and destination port, and in particular an innovative custom policy routing function based on time periods.
(4) It provides layer-3 network access and traffic control, and further supports layer-7 application identification and traffic control, in particular for applications such as QQ, MSN, online games, BT, eMule and Thunder (Xunlei); linked with the policy routing function, it intelligently selects among different external network exits and adjusts the application traffic policy according to the time period.
(5) It provides a standard PPTP (Point-to-Point Tunneling Protocol) VPN server, so that a complete virtual private network can be formed with this device alone.
(6) It provides a stable network firewall and network address translation function, linked with the policy routing function, to achieve intelligent exit route control and security protection.
Description of drawings
Fig. 1 is a block diagram of the utility model.
Fig. 2 is a block diagram of the interactive interface module of the utility model.
Fig. 3 is a block diagram of the internal task scheduler module of the utility model.
Embodiments
The utility model is described in further detail below with reference to the drawings and embodiments.
Embodiment 1:
The utility model is deployed at network aggregation and core nodes as a core router, performing the route forwarding function of an ordinary layer-3 switch or router. It has several network interfaces, can interconnect with several different networks at the same time, and forwards traffic between them. The user manages the utility model over a remote connection by means such as Telnet, SSH and Java Web Start. Through the interactive interface software of the utility model, the user queries, creates, modifies and deletes routing policies. The internal task scheduling software schedules and executes routing instructions to the TCP/IP protocol stack of the operating system kernel according to the user's instructions. The router function provided by the utility model includes the route control and ordinary policy routing of a common layer-3 switch or router, additionally provides policy routing based on source port and destination port, and at the same time provides dynamic routing policies based on time periods.
Embodiment 2:
The utility model is deployed in series on the backbone links of the network where traffic control is required, so that backbone traffic passes through the utility model. Through the interactive interface program provided by the utility model, the traffic flowing through the device can be limited; the main limiting field is bandwidth, and time periods can be set so that different traffic control policies apply in different periods. Depending on actual conditions, the user can enable L7 network application identification and P2P application identification, and impose access time limits and bandwidth limits on common applications such as QQ, MSN, online games, BT, eMule and Thunder.
Embodiment 3:
The utility model is placed at internal business servers and at network border nodes, and the PPTP VPN service is enabled through the interactive interface program. The user can set the service parameters through the interface program, such as the permitted access IP address range, valid user accounts and passwords, validity period and maximum number of users. Once the utility model is deployed at internal business servers and internal network border nodes, VPN access is available across the whole network: users enter the VPN network by standard PPTP VPN dial-up, which avoids the rather cumbersome multi-point VPN gateway deployment of L2TP and SSL VPN and the high cost of that equipment. This dial-up mode is supported by mainstream operating systems such as Windows 2000/XP/2003/Vista, Linux, Solaris and Mac OS X.
Embodiment 4:
The utility model is deployed at the network exit; by enabling the network firewall function it performs IP intrusion detection and packet filtering for the internal network and protects internal servers and terminals. In special circumstances, bidirectional packet inspection can also be enabled to prevent leakage of internal information or attacks launched against external networks. Given that public network address resources are extremely limited in most small and medium-sized intranets, the NAT network address translation function of the utility model, as part of the firewall function, effectively solves the shortage of public addresses, and the interactive interface program provides a complete foolproof operating mode that makes configuration convenient for the user.
Embodiment 5:
The utility model is deployed at the network exit and can interconnect with several different external network (Internet) links, forming a so-called multi-exit configuration. Internally, the device obtains the state of the multiple exit links by real-time state detection on the multiple network interface cards, and adjusts the exit route in time, ensuring that the internal network always keeps an unobstructed connection to the external network (Internet). The interface detection mechanism can be tuned by the user to suit different network environments and improve detection accuracy.
In summary, the core of the utility model is the development of the internal task scheduler software and the interactive interface program, which control the operating system in the device, its related kernel modules and the hardware so that they work together in an orderly way. On the hardware side, a server with an x86 or PowerPC processor architecture is used, equipped with a number of network adapters (network interface cards); depending on network size and interconnection requirements, 100 Mbps copper RJ45 network cards, gigabit copper RJ45 network cards, or gigabit multimode fibre interface cards can be used. On the software side, the operating system is Linux with kernel version 2.6, into which a modified IP packet filter module and L7 and P2P application recognition code are inserted. The independently developed interactive interface program handles the exchange of instructions and feedback between the user and the system; the internal task scheduler software processes the information obtained from this exchange, and builds and maintains the internal routing policies, time-period-based task scheduling, traffic control policies, VPN, firewall rules and dynamic address translation table. The linkage between the functions (inter-process data communication) is coordinated, and resources are allocated, by the internal task scheduler software.
The utility model can be realized following functional requirement:
(1) can be used as middle and small scale IP network router gateway, possess a plurality of interconnecting interfaces, can make interconnecting of IP network realization and private network, metropolitan area network, the Internet, serve as router feature; Can realize the tactful route based on source address and destination address, source port and destination interface, initiative can be according to time period control strategy Route Selection; Thereby can finish the outlet Route Selection according to the break-make blocked state of a plurality of interconnecting interfaces and realize multiple exit self-healing, remain interconnecting of internal network and outer net.
(2) can provide three-layer network flow control function, provide Trafic Control flow control based on application port (TCP/UDP port) based on TCP/UDP; More can provide flow control function based on application of L7 seven layer networks and exclusive IP P2P application characteristic, point to point networks such as the BT of a large amount of consume network bandwidth, electric donkey, a sudden peal of thunder are used provides the bandwidth constraints management; Can provide visit and flow restriction to various common network applications such as QQ, MSN, online game etc.; Initiative can conduct interviews according to the time period and control and traffic management, and can select different outer net outlets according to using identification intelligent, realizes shunting.
(3) can provide VPN dialup server function based on standard P PTP (Point to Point Tunnel Protocol), realize the VPN networking very easily, guarantee the stable operation of VPN (virtual private network), be suitable for all kinds of maintaining secrecy and responsive realm information network data exchange field, and network configuration is very simple, and is with low cost.
(4) the IP firewall functionality be can provide, intrusion detection, intrusion defense and two-way ip packet filter realized; Availability can be outstanding NAT (network address translation) function, and based on PAT (port address conversion) function of port, support port mapping; Can practise combines with tactful routing function finishes dynamic routing and address transition interlock, realizes multiple exit load balancing and redundancy.
(5) the integrated of above-mentioned functions and interlock be can realize, router, flow control, VPN dial-up service and fire compartment wall and NAT address translation feature on an equipment, finished.
The utility model is built on the Linux operating system, dedicated software and server hardware based on the x86 or PowerPC architecture. All of the above functions are implemented in software and executed on an x86 or PowerPC processor. The x86 processor belongs to the RISC instruction system and is suitable for processing network packets in environments with little network traffic; if network traffic is large and the packet processing burden is heavy, a PowerPC processor based on the CISC instruction system can be used, and performance will improve considerably.
The utility model adds an IP packet processing and filtering module to the Linux kernel, so that IP packets are processed at the operating system kernel level, which guarantees efficiency. The IP packet processing and filtering module is modified to add multi-thread concurrency count control, which allows effective control of the number of IP network link sessions, limits network bandwidth utilisation and reduces the pressure on network interconnection interfaces. Dedicated software schedules and controls the routing instructions of the operating system's TCP/IP protocol stack, maintains a dynamic routing policy table in memory, provides an operating interface that accepts customised routing policies, realises different routing policy control and management for different time periods by means of an internal clock and timed-task mechanism, and communicates with the process implementing the kernel IP packet processing and filtering module to achieve function linkage and routing forwarding based on source address, destination address, source port, destination port and so on. Traffic control management is realised by software inserted into the operating system kernel, which limits the traffic of layer-3 TCP/UDP protocol packets by quota and provides a monitoring data window. L7 packet inspection and IP P2P packet detection code implement application traffic identification and bandwidth detection and control for layer-7 network applications, allowing effective access control and bandwidth control of common network applications such as QQ, MSN and online games and of P2P applications such as BT, eMule and Thunder. Software interactively controls the kernel IP packet filter to accomplish IP packet intrusion detection and defence, bidirectional IP packet inspection and defence, NAT network address translation, PAT port address translation and port mapping, and can link these with the above functions (especially the router function); software monitoring of the state of the several external network interconnection interfaces achieves multi-exit link load balancing and redundancy, ensuring that the internal network always keeps at least one link to the external network open and preventing network service interruption. Multiple remote connection methods such as Telnet, SSH and the Java Web Start client are provided for networked device configuration management.
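The time-period policy routing, NAT and port mapping, stateful filtering and multi-exit self-healing described above, as an added example that is not part of the patent and not the applicant's software: a dry-run shell skeleton built on the stock Linux netfilter and iproute2 tools that the patent's kernel-level design corresponds to. Interface names, addresses, routing-table numbers, ports and the simulated link states are assumptions; with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not the patent's code): a dry-run gateway skeleton built on
# the stock Linux tools the patent's kernel-level design corresponds to. All
# interface names, addresses, table numbers and link states are constructed.
DRY_RUN=${DRY_RUN:-1}              # 1 = print the commands instead of running them
SIMULATED_DOWN=${SIMULATED_DOWN:-} # dry-run only: exit interfaces to treat as down
LAN_IF=eth0
LAN_NET=192.168.1.0/24
# Each exit: interface, next-hop gateway, policy-routing table, fwmark
EXIT_A="eth1 203.0.113.1 101 1"
EXIT_B="eth2 198.51.100.1 102 2"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One routing table per exit, an ip rule that steers packets carrying the
# exit's fwmark into it, and source NAT so LAN hosts share the exit address.
setup_exit() {  # $1=iface $2=gateway $3=table $4=mark
    run ip route replace default via "$2" dev "$1" table "$3"
    run ip rule add fwmark "$4" lookup "$3" pref "$((1000 + $4))"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$1" -j MASQUERADE
}

# Time-period policy route: match source, protocol and destination port inside
# a weekday/time window (xt_time) and set the fwmark of the chosen exit.
time_policy_rule() {  # $1=src $2=proto $3=dport $4=start $5=stop $6=days $7=mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$1" -p "$2" \
        --dport "$3" -m time --timestart "$4" --timestop "$5" \
        --weekdays "$6" -j MARK --set-mark "$7"
}

# Port mapping (PAT): publish an internal service on an exit's public port.
port_forward() {  # $1=exit_iface $2=proto $3=public_port $4=internal_host:port
    run iptables -t nat -A PREROUTING -i "$1" -p "$2" --dport "$3" \
        -j DNAT --to-destination "$4"
}

# Stateful firewall baseline: forwarded traffic is dropped unless it belongs
# to an existing session or originates from the LAN.
firewall_base() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Link-state probe for one exit; in dry-run mode the result is simulated.
probe_exit() {  # $1=iface $2=gateway ; returns 0 when the link is up
    if [ "$DRY_RUN" = 1 ]; then
        case " $SIMULATED_DOWN " in *" $1 "*) return 1 ;; esac
        return 0
    fi
    ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1
}

# Multi-exit self-healing: print the first healthy exit interface, fail if none.
choose_exit() {
    for e in "$EXIT_A" "$EXIT_B"; do
        set -- $e
        if probe_exit "$1" "$2"; then printf '%s\n' "$1"; return 0; fi
    done
    return 1
}

# Re-point the main default route at the healthy exit (run this from a timer).
apply_default_route() {
    iface=$(choose_exit) || { echo "no healthy exit" >&2; return 1; }
    for e in "$EXIT_A" "$EXIT_B"; do
        set -- $e
        [ "$1" = "$iface" ] && run ip route replace default via "$2" dev "$1"
    done
    return 0
}

configure_gateway() {
    firewall_base
    set -- $EXIT_A; setup_exit "$@"
    set -- $EXIT_B; setup_exit "$@"
    # Weekday office hours: LAN web traffic leaves through exit A (mark 1)
    time_policy_rule "$LAN_NET" tcp 80 09:00 18:00 Mon,Tue,Wed,Thu,Fri 1
    # Weekends: the same traffic is steered to exit B (mark 2)
    time_policy_rule "$LAN_NET" tcp 80 00:00 23:59 Sat,Sun 2
    port_forward eth1 tcp 443 10.0.0.5:443
    apply_default_route
}
configure_gateway
```

The L7/P2P application classifier that the patent inserts into the kernel has no stock equivalent, so classification here is by port and time window only.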
Matters not described in detail in this specification belong to the prior art known to those skilled in the art.
Claims (3)
1. An intelligent multifunctional security gateway, composed of a Linux kernel and at least two network interface cards, the Linux kernel being connected to each network interface card, characterised in that: the Linux kernel is further connected through an interface to an IP packet filter module, a traffic control module, and an L7 and P2P module; an internal task scheduler module is connected to the Linux kernel, the IP packet filter module, the traffic control module, and the L7 and P2P module; and the internal task scheduler module is also connected to the user through an interactive interface module.
2. The intelligent multifunctional security gateway as claimed in claim 1, characterised in that: the internal task scheduler module consists of a task analysis unit, a task thread model data generation unit, a thread resource allocation unit, a thread pool, a task object directing unit and a thread execution inspection unit, wherein:
The task analysis unit is connected to the output of the interactive interface module, and is connected to the thread resource allocation unit through the task thread model data generation unit;
The thread resource allocation unit sends signals to the Linux kernel, the IP packet filter module, the traffic control module, and the L7 and P2P module through the task object directing unit, and is also connected to a thread pool;
The input of the thread execution inspection unit receives signals from the Linux kernel, the IP packet filter module, the traffic control module, and the L7 and P2P module, and its output sends signals to the thread resource allocation unit and the interactive interface module.
3. The intelligent multifunctional security gateway as claimed in claim 1, characterised in that: the interactive interface module consists of a Java Web Start unit, a user client, a TCP/IP unit, a control command language translation unit, an interface service process unit and a database, wherein:
The Java Web Start unit is connected to the user, and is connected in sequence through the user client, the TCP/IP unit and the control command language translation unit to the interface service process unit;
The interface service process unit is connected to the database and to the task scheduling module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNU2008201926553U CN201294533Y (en) | 2008-11-20 | 2008-11-20 | Intelligent multifunctional safety gateway |
Publications (1)
Publication Number | Publication Date |
---|---|
CN201294533Y true CN201294533Y (en) | 2009-08-19 |
Family
ID=41008015
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNU2008201926553U Expired - Fee Related CN201294533Y (en) | 2008-11-20 | 2008-11-20 | Intelligent multifunctional safety gateway |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN201294533Y (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103632090A (en) * | 2013-11-04 | 2014-03-12 | 天津汉柏信息技术有限公司 | Method for operating virtual firewall on virtual machine |
CN103632090B (en) * | 2013-11-04 | 2016-06-08 | 天津汉柏信息技术有限公司 | A kind of virtual machine runs the method for virtual firewall |
CN105871729A (en) * | 2015-01-23 | 2016-08-17 | 中兴通讯股份有限公司 | Implementation method of router and router |
CN105162881A (en) * | 2015-09-25 | 2015-12-16 | 中铁工程装备集团有限公司 | P2P optimal transmission method based on multi-mode terminal |
CN105162881B (en) * | 2015-09-25 | 2018-09-21 | 中铁工程装备集团有限公司 | A kind of P2P optimized transmission methods based on multimode terminal |
CN106411771A (en) * | 2016-09-09 | 2017-02-15 | 北京锐安科技有限公司 | Data forwarding method and system |
CN107124357A (en) * | 2017-07-11 | 2017-09-01 | 王焱华 | A kind of cloud computing intelligent gateway |
CN109474517A (en) * | 2018-12-04 | 2019-03-15 | 广东九联科技股份有限公司 | A kind of Household intelligent gateway system of monitoring user online |
CN111866148A (en) * | 2020-07-23 | 2020-10-30 | 浪潮云信息技术股份公司 | Message queue flow control system |
CN111866148B (en) * | 2020-07-23 | 2022-05-31 | 浪潮云信息技术股份公司 | Message queue flow control system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090819; Termination date: 20171120 |