KR101749178B1 - Security apparatus performing synchronization between virtual firewall - Google Patents


Info

Publication number: KR101749178B1
Authority: KR (South Korea)
Prior art keywords: virtual, firewall, synchronization, firewalls, data
Application number: KR1020150187535A
Other languages: Korean (ko)
Inventor: 윤남식
Original Assignee: 주식회사 시큐아이
Priority date: 2015-12-28
Filing date: 2015-12-28
Publication date: 2017-06-21
Status: Granted

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Abstract

The present invention relates to a security device that performs synchronization between virtual firewalls in a high-availability (HA) configuration within a virtual environment.
According to an aspect of the present invention, there is provided a security device for performing synchronization between virtual firewalls, comprising: a communication unit for performing data communication with the outside; a control unit for configuring a plurality of virtual firewalls in High Availability (HA) in a virtual environment; and a storage unit for storing synchronization data for the virtual firewalls, the storage unit being shared by the plurality of virtual firewalls, wherein the plurality of virtual firewalls acquire the synchronization data from the storage unit and perform mutual synchronization.

Description

[0001] The present invention relates to a security apparatus performing synchronization between virtual firewalls, and more particularly to a security device that performs synchronization between virtual firewalls in a high-availability (HA) configuration within a virtual environment.

When a firewall is configured for high availability using a plurality of security devices, the security devices exchange packets with one another to perform mutual synchronization.

Referring to FIG. 1, the first security device 111 and the second security device 112 are connected between the first router 121 and the second router 122, and provide a firewall service for the connection between the first router 121 and the second router 122.

The first router 121 may be connected to a device such as the server 131 and the second router 122 may be connected to a device such as the PC 132 or the like. In various embodiments, the first router 121 and the second router 122 may be configured as switches or the like.

In a high-availability configuration, the first security device 111 and the second security device 112 may be identical devices, one acting as the primary device and the other as the backup device. Hereinafter, it is assumed that the first security device 111 is the basic (primary) device and the second security device 112 is the auxiliary (backup) device.

During normal operation, the first security device 111 is in the active state and provides the firewall service between the first router 121 and the second router 122. At this time, the second security device 112 operates in the standby state.

If the connection to the first security device 111 is broken due to a failure or the like, the second security device 112 is switched to the active state and provides the firewall service between the first router 121 and the second router 122.

In order to ensure continuity of operation between the first security device 111 and the second security device 112 in such a high-availability configuration, data such as configuration data and session data must be synchronized between the first security device 111 and the second security device 112. To this end, an HA link is established between the first security device 111 and the second security device 112, and the two devices transmit and receive synchronization data over it. Specifically, the first security device 111 periodically transmits the configuration data, session data, and the like stored in its storage unit (memory) to the second security device 112, and the second security device 112 stores the received configuration data and session data of the first security device 111 in its own storage unit (memory), thereby completing the synchronization.

In the prior-art high-availability configuration, where the plurality of security devices are physically separate devices, synchronization between security devices can be achieved only through data transmission and reception. That is, as shown in FIG. 2, the guest OSes 221 and 222 of the physically separate security devices constituting the high-availability pair run on the host OS 210, and the applications 231 and 232 of the respective security devices run on the guest OSes 221 and 222. Because the guest OSes 221 and 222 of the respective security devices are separate devices that use separate memories 241 and 242, synchronization can be achieved only through data transmission and reception.

In the prior art, there is the problem that synchronization data is lost due to an error in data transmission or reception over the HA link, and that the periodic data transmission and reception for synchronization overloads the security device.

The present invention provides a security device for configuring a virtual firewall with high availability in a virtual environment and performing synchronization by sharing a memory without transmitting / receiving data between virtual firewalls.

According to an aspect of the present invention, there is provided a security device for performing synchronization between virtual firewalls, comprising: a communication unit for performing data communication with the outside; a control unit for configuring a plurality of virtual firewalls in high availability in a virtual environment; and a storage unit for storing synchronization data for the plurality of virtual firewalls, the storage unit being shared by the plurality of virtual firewalls, wherein the plurality of virtual firewalls acquire the synchronization data from the storage unit and perform mutual synchronization.

The synchronization data may include at least one of configuration data and session data for a first virtual firewall operating as a basic device.

In addition, the session data may include firewall state information for the first virtual firewall.

The plurality of virtual firewalls may include a first virtual firewall that provides the firewall service in the normal state and operates as the basic device, and a second virtual firewall that provides the firewall service on behalf of the first virtual firewall and operates as the auxiliary device when the first virtual firewall loses its function.

The first virtual firewall may store the synchronization data in the storage unit shared by the plurality of virtual firewalls, and the second virtual firewall may perform the synchronization by loading the synchronization data from that shared storage unit.

When the function of the first virtual firewall is lost, the second virtual firewall may load the synchronization data from the storage unit shared by the plurality of virtual firewalls and provide the firewall service using the loaded synchronization data.

The security device for performing synchronization between virtual firewalls according to the present invention performs synchronization by using a shared memory without transmitting and receiving data between virtual firewalls formed in a virtual environment, thereby making it possible to efficiently configure a high-availability firewall.

FIG. 1 is a diagram illustrating the configuration of a high-availability firewall network according to the related art.
FIG. 2 is a software diagram of a high-availability firewall according to the prior art.
FIG. 3 is a block diagram illustrating the configuration of a security apparatus for configuring a highly available virtual firewall according to the present invention.
FIG. 4 is a diagram illustrating the configuration of a highly available virtual firewall network formed by a security device according to the present invention.
FIG. 5 is a software diagram of a highly available virtual firewall according to the present invention.

In the description of the embodiments of the present invention, if it is determined that a detailed description of known configurations or functions related to the present invention may unnecessarily obscure the subject matter of the present invention, that detailed description will be omitted.

The terms "comprise", "include" and "have", as used herein, are intended to indicate the presence of the disclosed features, numbers, steps, operations, components, parts, or combinations thereof, and are not intended to limit the invention in any way. They should be understood not to preclude the presence or addition of one or more other features, numbers, steps, operations, components, parts, or combinations thereof.

As used herein, the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise.

Hereinafter, the present invention will be described with reference to the accompanying drawings.

FIG. 3 is a block diagram illustrating the configuration of a security apparatus for configuring a highly available virtual firewall according to the present invention.

Referring to FIG. 3, the security device 300 according to the present invention may include a communication unit 310, a control unit 320, and a storage unit (memory) 330.

The communication unit 310 performs data communication with the outside. The communication unit 310 performs data communication with at least one router, a switch, or devices (server, PC, etc.) connected thereto.

The control unit 320 configures the high-availability virtual firewall according to the present invention and controls the respective components of the security device 300 for synchronization between virtual firewalls.

Specifically, the control unit 320 constructs a virtual environment in the security device 300 in order to configure a highly available virtual firewall. In this virtual environment, the control unit 320 runs the firewall on virtual machines to form a plurality of virtual firewalls 411 and 412, as shown in FIG. 4. The plurality of virtual firewalls 411 and 412 are connected to the external routers 421 and 422 and provide the firewall service between the routers 421 and 422.

Of the plurality of virtual firewalls 411 and 412, the first virtual firewall 411 may operate as the basic device and the second virtual firewall 412 as the auxiliary device. During normal operation, the first virtual firewall 411 is in the active state and provides the firewall service. At this time, the second virtual firewall 412 operates in the standby state. If the first virtual firewall 411 ceases to function due to a failure or the like, the second virtual firewall 412 is activated and provides the firewall service. The control unit 320 controls the active and standby states of the plurality of virtual firewalls 411 and 412 formed in this way to configure a highly available virtual firewall.

In various embodiments of the present invention, the control unit 320 performs synchronization between the plurality of virtual firewalls 411 and 412. At this time, the control unit 320 can control the synchronization to be performed by loading the synchronization data from one storage unit 330 shared by the plurality of virtual firewalls 411 and 412.

Specifically, the security device 300 runs on one host OS 510, as shown in FIG. 5. In the virtual environment, the control unit 320 runs the applications 521 and 522 for the first virtual firewall 411 and the second virtual firewall 412, respectively, on the one host OS 510. Because the first virtual firewall 411 and the second virtual firewall 412 actually operate on one security device 300 and, accordingly, on one host OS 510, they share one memory 530. In this case, the memory 530 in the software structure of FIG. 5 may physically correspond to the storage unit 330 of FIG. 3.

Thus, when the first virtual firewall 411 stores synchronization data such as configuration data and session data (firewall state information and the like) in the storage unit 330, the second virtual firewall 412 can access the storage unit 330 to load the firewall-related information. Accordingly, the first virtual firewall 411 and the second virtual firewall 412 perform synchronization by loading the synchronization data from the one shared storage unit 330.

As a result, the plurality of virtual firewalls 411 and 412 can efficiently perform the synchronization by sharing one storage unit 330 without the data transmission / reception of the virtual firewalls 411 and 412.

In one embodiment, when the first virtual firewall 411 acting as the basic device loses its function, the control unit 320 controls the second virtual firewall 412 to load the synchronization data from the storage unit 330, perform the synchronization, and provide the firewall service based on the loaded synchronization data. According to this embodiment, it is possible to prevent the security device 300 from being overloaded by unnecessary periodic synchronization between the virtual firewalls. However, the point at which the second virtual firewall 412 synchronizes is not limited to this; it may also be controlled to load the synchronization data at a predetermined interval.
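The following is an added illustration of the mechanism described above, not code from the patent or its assignee. Two virtual firewall objects run on one host and synchronize through a single shared memory region standing in for the storage unit 330; the backup loads that region only at failover, as in the embodiment just described. Everything beyond the patent's architecture is an assumption made here for the example: the region layout (a 32-bit sequence counter, a 32-bit length, then a JSON payload), the seqlock-style odd/even counter that lets the backup detect a read that overlapped a write, the use of an anonymous `mmap` as the shared segment, and the names `SharedStore`, `VirtualFirewall` and `HAController`.

```python
"""Added example (not the patent's code): two virtual firewalls on one host OS
synchronising through one shared memory region instead of an HA link.
Assumed here: region layout [seq:u32][len:u32][JSON], seqlock-style counter,
anonymous mmap standing in for a host-level shared memory segment."""
import json
import mmap
import struct

HEADER = struct.Struct("<II")   # (sequence counter, payload length)
REGION_SIZE = 64 * 1024         # assumed size of the shared region


class SharedStore:
    """One storage region shared by every virtual firewall on the host."""

    def __init__(self, size=REGION_SIZE):
        self.size = size
        self.buf = mmap.mmap(-1, size)   # anonymous map: constructed stand-in
        HEADER.pack_into(self.buf, 0, 0, 0)

    def write(self, data):
        """Publish a new snapshot; returns the sequence number it carries."""
        payload = json.dumps(data, sort_keys=True).encode()
        if HEADER.size + len(payload) > self.size:
            raise ValueError("synchronization data exceeds shared region")
        seq, _ = HEADER.unpack_from(self.buf, 0)
        # An odd sequence number marks a write in progress (seqlock convention),
        # so a reader that sees it knows the payload is not yet trustworthy.
        HEADER.pack_into(self.buf, 0, seq + 1, len(payload))
        self.buf[HEADER.size:HEADER.size + len(payload)] = payload
        HEADER.pack_into(self.buf, 0, seq + 2, len(payload))
        return seq + 2

    def read(self, retries=8):
        """Return (seq, snapshot); retries if a write overlapped the read."""
        for _ in range(retries):
            seq_before, length = HEADER.unpack_from(self.buf, 0)
            if seq_before & 1:
                continue
            payload = bytes(self.buf[HEADER.size:HEADER.size + length])
            seq_after, _ = HEADER.unpack_from(self.buf, 0)
            if seq_before == seq_after:
                return seq_before, (json.loads(payload) if length else {})
        raise RuntimeError("no consistent snapshot after %d attempts" % retries)


class VirtualFirewall:
    """A firewall application on the host; state is 'active' or 'standby'."""

    def __init__(self, name, store):
        self.name, self.store, self.state = name, store, "standby"
        self.config, self.sessions, self.synced_seq = {}, {}, 0

    def set_config(self, config):
        self.config = dict(config)
        return self._publish()

    def add_session(self, flow, info):
        """Record an allowed flow (keyed by a 5-tuple string) and publish."""
        self.sessions[flow] = info
        return self._publish()

    def _publish(self):
        # Only the active unit writes; a standby must never clobber the store.
        if self.state != "active":
            raise RuntimeError(f"{self.name} is {self.state}; refusing to write")
        self.synced_seq = self.store.write(
            {"config": self.config, "sessions": self.sessions})
        return self.synced_seq

    def load_sync_data(self):
        """Pull the latest snapshot from the shared store; no packets involved."""
        seq, data = self.store.read()
        self.config = data.get("config", {})
        self.sessions = data.get("sessions", {})
        self.synced_seq = seq
        return seq


class HAController:
    """Plays the control unit: owns the active/standby roles and failover."""

    def __init__(self, store):
        self.primary = VirtualFirewall("vfw-411", store)
        self.backup = VirtualFirewall("vfw-412", store)
        self.primary.state = "active"

    def failover(self):
        """Backup loads synchronization data at failover time, then serves."""
        self.primary.state = "failed"
        seq = self.backup.load_sync_data()
        self.backup.state = "active"
        return seq


def run_failover_demo():
    """Constructed scenario: primary serves, then fails; backup takes over."""
    ha = HAController(SharedStore())
    ha.primary.set_config({"policy": [{"src": "10.0.0.0/8", "action": "allow"}]})
    ha.primary.add_session("tcp:10.0.0.5:51000->192.0.2.10:443", {"state": "ESTABLISHED"})
    ha.primary.add_session("udp:10.0.0.7:5353->192.0.2.53:53", {"state": "NEW"})
    seq_before = ha.backup.synced_seq        # still 0: nothing was sent to it
    seq_after = ha.failover()
    return {"seq_before": seq_before, "seq_after": seq_after,
            "backup_state": ha.backup.state,
            "sessions_match": ha.backup.sessions == ha.primary.sessions,
            "config_match": ha.backup.config == ha.primary.config,
            "session_count": len(ha.backup.sessions)}


if __name__ == "__main__":
    print(run_failover_demo())
```

The sequence counter is the part a practitioner should not leave out: shared memory removes the HA-link transmission errors the text complains about, but a standby that reads while the active unit is mid-write would otherwise load a torn session table. With the counter, the backup only accepts a snapshot whose sequence number was even and unchanged across its read.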

It will be understood by those skilled in the art that various changes in form and details may be made without departing from the spirit and scope of the invention as defined by the appended claims. Both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the invention as claimed. Accordingly, all changes or modifications derived from the technical idea of the present invention should be construed as falling within the scope of the present invention.

300: Security device
310: Communication unit
320: Control unit
330: Storage unit
411, 412: Virtual firewall
421, 422: Router
510: Host OS
521, 522: Application
530: Memory

Claims (6)

1. A security device that performs synchronization between virtual firewalls, comprising:
a communication unit for performing data communication with the outside;
a control unit configured to configure a plurality of virtual firewalls in High Availability (HA) in a virtual environment; and
a storage unit for storing synchronization data for the plurality of virtual firewalls, the storage unit being shared by the plurality of virtual firewalls,
wherein the plurality of virtual firewalls are driven by respective virtual applications on one operating system (OS) and acquire the synchronization data from the storage unit to perform mutual synchronization,
wherein the plurality of virtual firewalls comprise:
a first virtual firewall providing a firewall service in a normal state and operating as a basic device; and
a second virtual firewall providing the firewall service on behalf of the first virtual firewall and operating as an auxiliary device when the function of the first virtual firewall is lost,
wherein the first virtual firewall stores the synchronization data in the storage unit shared by the plurality of virtual firewalls, and
wherein the second virtual firewall performs the synchronization by loading the synchronization data from the storage unit shared by the plurality of virtual firewalls.
2. The security device according to claim 1, wherein the synchronization data includes at least one of configuration data and session data for the first virtual firewall operating as the basic device.
3. The security device according to claim 2, wherein the session data includes firewall status information for the first virtual firewall.
4. (Deleted)
5. (Deleted)
6. The security device according to claim 1, wherein, when the function of the first virtual firewall is lost, the second virtual firewall loads the synchronization data from the storage unit shared by the plurality of virtual firewalls and provides the firewall service using the loaded synchronization data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150187535A KR101749178B1 (en) 2015-12-28 2015-12-28 Security apparatus performing synchronization between virtual firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150187535A KR101749178B1 (en) 2015-12-28 2015-12-28 Security apparatus performing synchronization between virtual firewall

Publications (1)

Publication Number Publication Date
KR101749178B1 true KR101749178B1 (en) 2017-06-21

Family

ID=59281905

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150187535A KR101749178B1 (en) 2015-12-28 2015-12-28 Security apparatus performing synchronization between virtual firewall

Country Status (1)

Country Link
KR (1) KR101749178B1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101239217B1 (en) * 2011-12-09 2013-03-06 시큐아이닷컴 주식회사 High availability system, method for synchronizing devices in the same, and method for managing devices in the same


Similar Documents

Publication Publication Date Title
US9965368B2 (en) High-availability cluster architecture and protocol
JP6487883B2 (en) Failure recovery method, Internet system of goods and charging system using the same
TWI642282B (en) Fail recovery method and internet of things system and charging system using the same
US8756412B2 (en) Gateway supporting transparent redundancy in process control systems and other systems and related method
US9030947B2 (en) Methods for zero loss and nonstop packet processing during system software upgrades
US9137141B2 (en) Synchronization of load-balancing switches
EP2701354B1 (en) Method and apparatus for creating network devices
US9992058B2 (en) Redundant storage solution
CN107342911B (en) Processing device, substitute processing device, relay device, processing system, and processing method
CN110275680A (en) A kind of dual control dual-active storage system
CN110967969A (en) High availability industrial automation system and method for transmitting information through the same
US11232006B2 (en) Server system
EP2629469A2 (en) Wireless gateway apparatus
EP3750059B1 (en) Server system
CN105827496A (en) Method and apparatus for managing PE device
KR101749178B1 (en) Security apparatus performing synchronization between virtual firewall
CN112564983A (en) Data transmission method, device, computer system and medium
KR101358995B1 (en) Method and system for managing high availability
US10491544B2 (en) Consistency control of a logical path passing through a relay device
CN101170544A (en) A communication method in high-availability cluster system based on single practical IP address
US11902083B1 (en) Techniques to provide a flexible witness in a distributed system
US10652203B2 (en) Network system, communication control device and address setting method
CN104753699A (en) Link failure handling method and device
CN114978660B (en) Out-of-band network construction method and out-of-band processing method based on out-of-band network
KR20170131001A (en) System for controlling application sever based on data distribution service

Legal Events

Date Code Title Description
AMND Amendment
E601 Decision to refuse application
AMND Amendment
X701 Decision to grant (after re-examination)
GRNT Written decision to grant