KR101749178B1 - Security apparatus performing synchronization between virtual firewall - Google Patents
Security apparatus performing synchronization between virtual firewall
- Publication number
- KR101749178B1 (application number KR1020150187535A)
- Authority
- KR
- South Korea
- Prior art keywords
- virtual
- firewall
- synchronization
- firewalls
- data
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0654—Management of faults, events, alarms or notifications using network fault recovery
- H04L41/0668—Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Abstract
The present invention relates to a security device that performs virtual-to-virtual-firewall synchronization in a high-availability (HA) environment in a virtual environment.
According to another aspect of the present invention, there is provided a security device for performing synchronization between virtual firewalls, comprising: a communication unit for performing data communication with the outside; a control unit for configuring a plurality of virtual firewalls in High Availability (HA) in a virtual environment; and a storage unit for storing synchronization data for the virtual firewalls, the storage unit being shared by the plurality of virtual firewalls, wherein the plurality of virtual firewalls acquire the synchronization data from the storage unit and perform mutual synchronization.
Description
The present invention relates to a security device that performs virtual-to-virtual-firewall synchronization in a high-availability (HA) environment in a virtual environment.
When a firewall is configured for high availability using a plurality of security devices, the security devices exchange packets with one another to perform mutual synchronization.
1, the
The
In high availability, the
During normal operation, the
If the connection to the
In order to ensure continuity of operation between the
In the high-availability configuration of the prior art, where the plurality of security devices are physically separate devices, synchronization between the security devices can be achieved only by transmitting and receiving data over the HA connection. That is, in the prior art,
In the prior art, synchronization data can be lost because of an error in data transmission or reception over the HA connection, and because the transmission and reception for synchronization are performed periodically, the security devices are overloaded.
The present invention provides a security device that configures virtual firewalls with high availability in a virtual environment and performs synchronization by sharing a memory, without transmitting or receiving data between the virtual firewalls.
According to an aspect of the present invention, there is provided a security device for performing synchronization between virtual firewalls, comprising: a communication unit for performing data communication with the outside; a control unit for configuring a plurality of virtual firewalls in High Availability (HA) in a virtual environment; and a storage unit for storing synchronization data for the plurality of virtual firewalls, the storage unit being shared by the plurality of virtual firewalls, wherein the plurality of virtual firewalls acquire the synchronization data from the storage unit and perform mutual synchronization.
The synchronization data may include at least one of configuration data and session data for a first virtual firewall operating as a basic device.
In addition, the session data may include firewall state information for the first virtual firewall.
The plurality of virtual firewalls may include a first virtual firewall that provides a firewall service in a normal state and operates as a basic (active) device, and a second virtual firewall that provides the firewall service on behalf of the first virtual firewall and functions as an auxiliary (standby) device when the function of the first virtual firewall is lost.
The first virtual firewall may store the synchronization data in the storage unit shared by the plurality of virtual firewalls, and the second virtual firewall may perform the synchronization by loading the synchronization data from that shared storage unit.
When the function of the first virtual firewall is lost, the second virtual firewall may load the synchronization data from the storage unit shared by the plurality of virtual firewalls and provide the firewall service using the loaded synchronization data.
The security device for performing synchronization between virtual firewalls according to the present invention performs synchronization by using a shared memory without transmitting and receiving data between virtual firewalls formed in a virtual environment, thereby making it possible to efficiently configure a high-availability firewall.
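The mechanism summarized above (the active virtual firewall writes its configuration and session table into memory shared with the standby, and the standby loads that snapshot when it takes over) is illustrated by the following added example. It is not code from the patent or its assignee. An anonymous mmap stands in for the shared storage unit; the seqlock-style header (sequence number, payload length, CRC32), the packet fields and the rule format are assumptions made for this example. The torn-write check addresses the prior-art failure the description mentions, lost or inconsistent synchronization data: a standby must never load a snapshot that the active device had not finished writing.

```python
"""HA virtual-firewall pair synchronizing through shared memory.

Added illustration, not code from the patent. The region layout (seqlock-style
header: sequence number, payload length, CRC32), the packet fields and the
rule format are assumptions made for this example."""
import json
import mmap
import struct
import zlib

REGION_SIZE = 64 * 1024
HDR = struct.Struct("<III")   # seq (odd while a write is in progress), length, crc32


class SharedSyncStore:
    """Storage unit shared by every virtual firewall on the host (anonymous mmap
    stands in for shared memory; the same object is handed to each firewall)."""

    def __init__(self):
        self.region = mmap.mmap(-1, REGION_SIZE)
        self.region[0:HDR.size] = HDR.pack(0, 0, 0)

    def publish(self, sync_data):
        payload = json.dumps(sync_data, sort_keys=True).encode()
        if HDR.size + len(payload) > REGION_SIZE:
            raise ValueError("synchronization data exceeds the shared region")
        seq = HDR.unpack_from(self.region, 0)[0]
        self.region[0:4] = struct.pack("<I", seq + 1)          # mark write in progress
        self.region[HDR.size:HDR.size + len(payload)] = payload
        self.region[0:HDR.size] = HDR.pack(seq + 2, len(payload), zlib.crc32(payload))

    def load(self, attempts=3):
        """Latest consistent snapshot, or None if only torn/corrupt data was seen."""
        for _ in range(attempts):
            seq, length, crc = HDR.unpack_from(self.region, 0)
            if seq % 2 or length == 0:
                continue                                        # writer mid-update / empty
            payload = bytes(self.region[HDR.size:HDR.size + length])
            if zlib.crc32(payload) != crc:
                continue                                        # partially overwritten
            if HDR.unpack_from(self.region, 0)[0] != seq:
                continue                                        # writer raced the read
            return json.loads(payload)
        return None


class VirtualFirewall:
    """One virtual firewall application on the host OS; role 'basic' is the
    active device of the patent, 'auxiliary' the standby."""

    def __init__(self, name, store, role):
        self.name, self.store, self.role = name, store, role
        self.config = {"rules": []}   # configuration data
        self.sessions = {}            # session data: flow key -> state

    def apply_config(self, rules):
        self.config = {"rules": rules}
        self._sync()

    def process(self, pkt):
        """Stateful verdict: known flows pass, new flows (SYN) are checked against
        the rules, mid-stream packets of unknown flows are dropped."""
        key = f"{pkt['src']}:{pkt['sport']}->{pkt['dst']}:{pkt['dport']}/{pkt['proto']}"
        if key in self.sessions:
            return "allow"
        if not pkt.get("syn"):
            return "drop"
        for rule in self.config["rules"]:
            if rule["proto"] == pkt["proto"] and rule["dport"] in ("any", pkt["dport"]):
                if rule["action"] == "allow":
                    self.sessions[key] = "ESTABLISHED"
                    self._sync()
                return rule["action"]
        return "drop"

    def _sync(self):
        if self.role == "basic":      # only the active device publishes
            self.store.publish({"config": self.config, "sessions": self.sessions})

    def take_over(self):
        """Auxiliary device loads the shared snapshot and becomes the active one."""
        data = self.store.load()
        if data is None:
            raise RuntimeError("no consistent synchronization data in shared storage")
        self.config, self.sessions = data["config"], data["sessions"]
        self.role = "basic"


def failover_demo():
    """Constructed scenario: vfw-1 fails after an HTTPS flow has been established."""
    store = SharedSyncStore()
    fw1 = VirtualFirewall("vfw-1", store, "basic")
    fw2 = VirtualFirewall("vfw-2", store, "auxiliary")
    fw1.apply_config([{"action": "allow", "proto": "tcp", "dport": 443}])
    syn = {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10",
           "dport": 443, "proto": "tcp", "syn": True}
    mid_stream, ssh = dict(syn, syn=False), dict(syn, dport=22)
    results = {"https_on_primary": fw1.process(syn), "ssh_on_primary": fw1.process(ssh),
               "mid_stream_on_cold_standby": fw2.process(mid_stream)}  # would reset the flow
    fw2.take_over()    # vfw-1 lost; vfw-2 loads config + sessions from shared memory
    results["mid_stream_after_takeover"] = fw2.process(mid_stream)
    results["ssh_after_takeover"] = fw2.process(ssh)
    return results


def torn_write_is_rejected():
    """A writer that died mid-update leaves an odd seq; the standby must not load it."""
    store = SharedSyncStore()
    store.publish({"config": {"rules": []}, "sessions": {}})
    store.region[0:4] = struct.pack("<I", 3)
    return store.load() is None
```

`failover_demo()` shows the continuity the description claims: a standby that has not loaded the session table drops the mid-stream packet (the client would see its connection reset), while the standby that loaded the shared snapshot forwards it and still enforces the loaded policy (the SSH attempt stays blocked). The sequence-number plus checksum header is the caveat a practitioner would add on top of the patent's bare shared memory, since a snapshot that is half-written when the active device dies is exactly the "lost synchronization data" case the prior art is criticized for.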
FIG. 1 is a diagram illustrating the configuration of a high-availability firewall network according to the related art.
FIG. 2 is a software diagram of a high-availability firewall according to the prior art.
FIG. 3 is a block diagram illustrating the configuration of a security apparatus for configuring a highly available virtual firewall according to the present invention.
FIG. 4 is a diagram illustrating the configuration of a highly available virtual firewall network by a security device according to the present invention.
FIG. 5 is a software diagram of a highly available virtual firewall according to the present invention.
In describing embodiments of the present invention, detailed descriptions of known configurations or functions related to the present invention are omitted where they would obscure the subject matter of the present invention.
As used herein, the terms "include" and "have" are intended to indicate the presence of the stated features, integers, steps, operations, components, parts, or combinations thereof, and do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.
As used herein, the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise.
Hereinafter, the present invention will be described with reference to the accompanying drawings.
FIG. 3 is a block diagram illustrating the configuration of a security apparatus for configuring a highly available virtual firewall according to the present invention.
3, the
The
The
Specifically, the
The first
In various embodiments of the present invention, the
Specifically, the
Thus, if the first
As a result, the plurality of
In one embodiment, when the first
It will be understood by those skilled in the art that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims. Both the foregoing general description and the detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the invention as claimed. Accordingly, all changes or modifications derived from the technical idea of the present invention should be construed as falling within the scope of the present invention.
300: security device
310:
320:
330:
411, 412: Virtual firewall
421, 422: Router
510: Host OS
521, 522: Application
530: Memory
Claims (6)
1. A security apparatus for performing synchronization between virtual firewalls, comprising:
a communication unit for performing data communication with the outside;
a controller configured to configure a plurality of virtual firewalls in High Availability (HA) in a virtual environment; and
a storage unit for storing synchronization data for the plurality of virtual firewalls, the storage unit being shared by the plurality of virtual firewalls,
wherein the plurality of virtual firewalls are driven by respective virtual applications on one operating system (OS) and acquire the synchronization data from the storage unit to perform mutual synchronization,
wherein the plurality of virtual firewalls comprise:
a first virtual firewall providing a firewall service in a normal state and operating as a basic device; and
a second virtual firewall providing the firewall service on behalf of the first virtual firewall and acting as an auxiliary device when the function of the first virtual firewall is lost,
wherein the first virtual firewall stores the synchronization data in the storage unit shared by the plurality of virtual firewalls, and
wherein the second virtual firewall performs the synchronization by loading the synchronization data from the storage unit shared by the plurality of virtual firewalls.
The security apparatus as above, wherein the synchronization data comprises at least one of configuration data and session data for the first virtual firewall operating as the basic device.
The security apparatus as above, wherein the session data comprises firewall status information for the first virtual firewall.
The security apparatus as above, wherein the second virtual firewall loads the synchronization data from the storage unit shared by the plurality of virtual firewalls and provides the firewall service using the loaded synchronization data when the function of the first virtual firewall is lost.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150187535A KR101749178B1 (en) | 2015-12-28 | 2015-12-28 | Security apparatus performing synchronization between virtual firewall |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101749178B1 true KR101749178B1 (en) | 2017-06-21 |
Family
ID=59281905
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101749178B1 (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101239217B1 (en) * | 2011-12-09 | 2013-03-06 | 시큐아이닷컴 주식회사 | High availability system, method for synchronizing devices in the same, and method for managing devices in the same |
Application events
2015-12-28 | KR | KR1020150187535A (patent KR101749178B1) | active, IP Right Grant |
Similar Documents
Publication | Title |
---|---|
US9965368B2 | High-availability cluster architecture and protocol |
JP6487883B2 | Failure recovery method, Internet system of goods and charging system using the same |
TWI642282B | Fail recovery method and internet of things system and charging system using the same |
US8756412B2 | Gateway supporting transparent redundancy in process control systems and other systems and related method |
US9030947B2 | Methods for zero loss and nonstop packet processing during system software upgrades |
US9137141B2 | Synchronization of load-balancing switches |
EP2701354B1 | Method and apparatus for creating network devices |
US9992058B2 | Redundant storage solution |
CN107342911B | Processing device, substitute processing device, relay device, processing system, and processing method |
CN110275680A | A kind of dual control dual-active storage system |
CN110967969A | High availability industrial automation system and method for transmitting information through the same |
US11232006B2 | Server system |
EP2629469A2 | Wireless gateway apparatus |
EP3750059B1 | Server system |
CN105827496A | Method and apparatus for managing PE device |
KR101749178B1 | Security apparatus performing synchronization between virtual firewall |
CN112564983A | Data transmission method, device, computer system and medium |
KR101358995B1 | Method and system for managing high availability |
US10491544B2 | Consistency control of a logical path passing through a relay device |
CN101170544A | A communication method in high-availability cluster system based on single practical IP address |
US11902083B1 | Techniques to provide a flexible witness in a distributed system |
US10652203B2 | Network system, communication control device and address setting method |
CN104753699A | Link failure handling method and device |
CN114978660B | Out-of-band network construction method and out-of-band processing method based on out-of-band network |
KR20170131001A | System for controlling application server based on data distribution service |
Legal Events
Code | Title |
---|---|
AMND | Amendment |
E601 | Decision to refuse application |
AMND | Amendment |
X701 | Decision to grant (after re-examination) |
GRNT | Written decision to grant |