WO2004112313A2 - Network security device and method for producing same - Google Patents

Network security device and method for producing same

Info

Publication number
WO2004112313A2
Authority
WO
WIPO (PCT)
Prior art keywords
network
security
module
protocol
processing
Application number
PCT/CN2004/000656
Other languages
English (en)
Chinese (zh)
Other versions
WO2004112313A8 (fr)
WO2004112313A3 (fr)
Inventor
Wei Wei
Hong Gao
Yong Cheng
Xiaodong Lu
Bin Song
Chunyu Song
Weijian Xiao
Chunmei Liu
Gang Wang
Original Assignee
Lenovo (Beijing) Limited


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities

Definitions

  • Network security device and implementation method thereof
  • the present invention relates to the technical field of network security, and in particular to a network security device and an implementation method thereof.
  • Background of the invention
  • networks are equipped with network security devices to secure information transmission.
  • network security devices can implement functions such as content filtering, virus filtering, and intrusion detection.
  • current network security devices are implemented in two ways:
  • the first is the software method, for example software firewalls. These devices are designed to have network security processing functions that are implemented by the network protocol stack software of the operating system or by software running on the operating system. This design causes the security device to process network packets slowly; especially on high-speed networks, the security device becomes a network bottleneck.
  • the second is the hardware method, for example security equipment that uses an application-specific integrated circuit (ASIC) chip or a field programmable gate array (FPGA) to implement the network protocol stack. The drawback is that ASIC and FPGA chips in security devices cannot be upgraded at any time.
  • a network processor is a processor that specializes in processing data packets. It sends data packets to the next node at the speed at which they arrive, that is, wire speed.
  • the network processor is realized through programming to meet various network applications.
  • the network processor integrates multiple general-purpose CPUs or special-purpose processors, which can perform analysis and, through programming, cooperate with the application to perform complex processing such as usage-based billing, load balancing, and data management.
  • the work of the network processor includes: monitoring logins to identify users, checking login information, matching users against profile and charging policy tables, and finding keywords in the payload.
  • at present, as users place higher requirements on network processors, specialized network processors such as high-level protocol processors, encryption protocol processors, and content filtering processors have appeared.
  • the network processor can shorten the development cycle of network equipment through its strong programmability. Therefore, network equipment will adopt network processors on a large scale in the future, and network processor technology will also achieve greater development.
  • Summary of the Invention
  • the main object of the present invention is to provide a network security device, which can improve the processing speed of network messages, improve the stability of the system, and can easily and conveniently upgrade the system at any time.
  • Another object of the present invention is to provide a method for realizing network security, improve the processing speed of network messages, and facilitate system upgrade at any time.
  • the present invention provides a network security device, where the security device includes at least a network security processing module, and the network security processing module includes at least a network processor, a storage module, and a network interface module;
  • the storage module and the network interface module are connected to the network processor through a high-speed bus.
  • the storage module stores configuration information including security policies, the operation code of the network security processing module, the information of the network security processing module, and the network protocol and security processing microcode software of the network processor chip;
  • the network processor receives network messages, management commands, and configuration information sent from the outside through the network interface module, performs protocol analysis on the network message, performs security processing on the network message according to the security policy retrieved from the storage module, and sends the processed network message through the network interface module; or sends the configuration information to the storage module according to the management command; or sends the network security processing module information through the network interface module according to the management command.
  • a network interface module connects a network processor with an external device, and receives and sends information.
  • the network security module may further include a security co-processing module.
  • the security co-processing module is connected to the network processor through a high-speed cascade bus, or is connected to the network interface module at the same time.
  • the security co-processing module receives the network message sent by the network processor or the network interface module, performs upper layer protocol processing and security processing on the network message, and sends the processed message to the network processor or the network interface module.
  • the security co-processing module may include: a cryptographic protocol processor, a high-level protocol parsing processor, a content filtering processor, a virus filtering processor, an intrusion detection processor, and a memory for storing the security processing parameters of these processors; the memory is connected to each of the processors, and each processor is connected to the network processor or the network interface module through a high-speed cascade bus.
  • the network interface module may include at least: a 100 Gigabit Ethernet interface, or a Gigabit Ethernet interface, or an asynchronous transfer mode (ATM) interface, or a synchronous digital hierarchy (SDH) interface, or a T1/E1 interface, or a wireless local area network 802.11 interface.
  • the security device may further include a control management module.
  • the control management module converts management commands and configuration information received from the outside into management commands and configuration information that can be recognized by the network processor and the security co-processing module, and writes the configuration information to the storage module of the network security processing module;
  • the network processor and the security co-processing module operate according to the received command, or send the operating status, events, and log information of the security device to an external administrator computer.
  • the control management module may include at least a CPU, a memory, and an interface circuit; the memory and the interface circuit are respectively connected to the CPU;
  • the CPU converts management commands and configuration information received from the interface circuit into management commands and configuration information that the network processor and the security co-processing module can recognize, writes them into the storage module and the security co-processing module, and the network processor operates according to the command;
  • the interface circuit is respectively connected to the network security processing module and an external computer; it receives management commands and configuration information sent by the external computer and information returned by the network security processing module; it sends the converted management commands and configuration information to the network security processing module and forwards the information returned by the network security processing module to the external computer;
  • the network security processing module further includes a control interface module, which is respectively connected to the interface circuit of the network processor and the control management module, receives the converted management command and configuration information, and returns the network security processing module information to the control management module.
  • the security device may further include a power supply module for supplying power to the security device and a case, with each module of the security device disposed in the case.
  • the interface circuit may include a control interface circuit and a management interface circuit; the control interface circuit is connected to the control interface module of the network security processing module; and the management interface circuit is connected to an external computer.
  • the control management module may be a computer; the control interface circuit is a PCI interface, or a Compact-PCI interface, or a serial communication interface, or an Ethernet interface; and the management interface circuit is an Ethernet interface or a serial communication interface;
  • the control interface module is a PCI or Compact-PCI interface, or a serial communication interface, or an Ethernet interface.
  • the present invention also provides a method for implementing network security.
  • the method includes the following steps:
  • 2) the network security device is configured by the administrator computer, and the running code of the network security processing module and the security policy for processing network packets are stored in the network security device;
  • 3) after the network security device receives a network message from the network, it performs protocol analysis on the network message and performs security processing on the message according to the security policy;
  • 4) the network security device forwards the processed network message to the network device.
  • step 2) may include the following steps:
  • 21) the network security device is powered on and initialized, and the pre-stored network processor microcode software for network protocol processing and security processing is loaded into the network processor;
  • 22) the administrator computer configures the network security device through a browser interface, a GUI interface, or a command line interface, and sends configuration information including the security policy for processing network packets and the operation code of the network security processing module to the network security device;
  • 23) the network security device stores the received configuration information in the storage module of the network security processing module and stores the running code in the network processor chip.
  • step 22) may further include: the network security device performs login authentication of the administrator computer, and the administrator computer configures the network security device after the login authentication passes.
  • the login authentication method may be: using a one-time password protocol or the Password Authentication Protocol (PAP) for login authentication; or using the IP security protocol (IPSEC); or using the Secure Sockets Layer protocol (SSL); or using the Secure Shell protocol (SSH).
  • the step 3) may include the following steps:
  • 31) after the network security device receives the network packet, the network processor in the network security device performs Layer 2 protocol analysis on the received packet, reads the security policy for Layer 2 protocol processing stored in step 2), and determines whether the packet complies with the security policy; if so, it goes to step 32) or forwards the packet according to the security policy; otherwise, it discards the packet;
  • 32) the network processor analyzes the Layer 3 (IP) protocol of the network packet, reads the policy for Layer 3 protocol security processing stored in step 2), and determines whether the packet complies with the security policy; if so, it goes to step 33) or forwards the packet according to the security policy; otherwise, it discards the packet;
  • 33) the network processor performs upper layer protocol processing on the network message, reads the policy for upper layer protocol security processing from the storage module, performs VPN encryption authentication, content filtering, virus filtering, or intrusion detection on the network message according to the security policy, forwards legitimate network packets, and discards illegal network packets.
  • the method can further set a security co-processing module in the network security device.
  • the step 2) may include:
  • 21) the network security device is powered on and initialized, and the pre-stored microcode software of each processor for network protocol processing and security processing is loaded into the corresponding network processor and security co-processing module;
  • 22) the administrator computer configures the network security device through a browser interface, a GUI interface, or a command line interface, and sends configuration information including the security policy for processing network messages, the parameters for security processing, and the running code of the network security processing module to the network security device;
  • 23) after receiving the configuration information, the network security device stores the parameters related to security processing in the memory of the security co-processing module, and stores the policy related to protocol security processing in the storage module of the network security processing module.
  • the step 3) may include the following steps:
  • 31) after the network security device receives the network packet, the network processor performs Layer 2 protocol analysis on the received packet, reads the policy for Layer 2 protocol security processing stored in step 2), and determines whether the packet complies with the security policy; if so, it goes to step 32) or forwards the packet according to the security policy; otherwise, it discards the packet;
  • 32) the network processor analyzes the Layer 3 (IP) protocol of the network packet, reads the policy for Layer 3 protocol security processing stored in step 2), and determines whether the packet complies with the security policy; if so, it goes to step 33) or forwards the packet according to the security policy; otherwise, it discards the packet;
  • 33) the network processor forwards the network message to the security co-processing module; the security co-processing module performs upper layer protocol processing on the network message, reads the policies and parameters related to upper layer protocol security processing stored in step 2), performs content filtering, virus filtering, or intrusion detection on the network packet according to the security policy, forwards legitimate network packets, and discards illegal network packets.
  • the step 3) may include the following steps:
  • 31) the security co-processing module performs upper layer protocol processing on the network packet, reads the policies and parameters related to upper layer protocol security processing stored in step 2), performs content filtering, virus filtering, or intrusion detection on the network packet according to the security policy, forwards legitimate network packets to the network processor, and discards illegal network packets;
  • 32) the network processor performs Layer 2 protocol analysis on the received network packet, reads the policy related to Layer 2 protocol security processing stored in step 2), and determines whether the packet complies with the security policy; if so, it goes to step 33) or forwards the packet according to the security policy; otherwise, it discards the packet;
  • 33) the network processor analyzes the Layer 3 (IP) protocol of the network packet, reads the policy for Layer 3 protocol security processing stored in step 2), and determines whether the packet complies with the security policy; if so, it forwards the network message according to the security policy; otherwise, it discards the message.
  • in step 31), whether the packet complies with the security policy may be determined according to a Layer 2 network protocol rule table in the security policy.
  • the content of the rule table may at least include: a medium access control (MAC) address and a virtual local area network (VLAN) entry.
  • in step 32), whether the packet complies with the security policy may be determined by referring to the address table, port number, protocol type, or service protocol type in the security policy according to the content of the network packet.
  • NAT: network address translation; VPN: virtual private network; MPLS: Multi-Protocol Label Switching.
  • the content filtering may match the network message against keywords stored in the storage module, and discard the network message if they match.
  • the virus filtering may store virus codes as keywords in the storage module, match network messages against the keywords, and discard a network message if it matches; or generate a digest of each virus code with a hash function and store it in the virus signature database in the storage module, then perform the same hash calculation on the detected network packet, generate its digest, and compare it with the virus signature database, discarding the network message if they match.
  • the intrusion behavior detection may store an intrusion behavior rule base in the storage module, match the rule base against the data obtained by recombining one or more detected network packets, and discard the network packet if they match.
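The layered decision described in steps 31) to 33) above, together with the keyword, hash-digest and rule-base checks just listed, can be written down as a small policy pipeline. The following Python is an added illustration written for this page; it is not code from the patent or from Lenovo. The `Packet` and `Policy` layouts, the choice of SHA-256 as the hash function, and all sample packets and policy entries are constructed here for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Packet:
    """Fields a Layer 2/3 parser would extract, plus the upper-layer payload (constructed layout)."""
    src_mac: str
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes


@dataclass
class Policy:
    """Security policy as the patent's storage module would hold it (constructed layout)."""
    allowed_macs: set        # step 31: Layer 2 rule table, MAC entries
    allowed_vlans: set       # step 31: Layer 2 rule table, VLAN entries
    blocked_ips: set         # step 32: Layer 3 address table
    allowed_services: set    # step 32: (protocol type, port number) pairs
    keywords: list           # step 33: content-filter keywords
    virus_digests: set       # step 33: virus signature database of hash digests
    intrusion_rules: list    # step 33: intrusion behaviour rule base


def layer2_check(pkt: Packet, policy: Policy) -> bool:
    return pkt.src_mac in policy.allowed_macs and pkt.vlan in policy.allowed_vlans


def layer3_check(pkt: Packet, policy: Policy) -> bool:
    if pkt.src_ip in policy.blocked_ips or pkt.dst_ip in policy.blocked_ips:
        return False
    return (pkt.proto, pkt.dst_port) in policy.allowed_services


def content_filter(payload: bytes, policy: Policy) -> bool:
    # Keyword match against the message: a hit means discard.
    return not any(k in payload for k in policy.keywords)


def virus_filter(payload: bytes, policy: Policy) -> bool:
    # Hash the message and compare with stored digests of known virus code.
    return hashlib.sha256(payload).hexdigest() not in policy.virus_digests


def intrusion_detect(stream: bytes, policy: Policy) -> bool:
    # Rule base matched against the recombined data of one or more packets.
    return not any(rule in stream for rule in policy.intrusion_rules)


def process_packet(pkt: Packet, policy: Policy, flow: bytearray) -> str:
    """Apply steps 31-33 in order and return 'forward' or 'drop'.
    `flow` accumulates payloads already forwarded on this connection so that
    intrusion detection sees reassembled data, not just the current packet."""
    if not layer2_check(pkt, policy):
        return "drop"
    if not layer3_check(pkt, policy):
        return "drop"
    stream = bytes(flow) + pkt.payload
    if not (content_filter(pkt.payload, policy)
            and virus_filter(pkt.payload, policy)
            and intrusion_detect(stream, policy)):
        return "drop"
    flow.extend(pkt.payload)
    return "forward"


# Constructed sample policy and traffic for the demonstration (not from the patent).
VIRUS_CODE = b"EXAMPLE-VIRUS-CODE-CONSTRUCTED"
POLICY = Policy(
    allowed_macs={"00:11:22:33:44:55"},
    allowed_vlans={10},
    blocked_ips={"10.0.0.99"},
    allowed_services={("tcp", 80), ("tcp", 443)},
    keywords=[b"confidential"],
    virus_digests={hashlib.sha256(VIRUS_CODE).hexdigest()},
    intrusion_rules=[b"GET /../../"],
)


def make(payload: bytes, **overrides) -> Packet:
    """Build a packet that passes every check unless a field is overridden."""
    base = dict(src_mac="00:11:22:33:44:55", vlan=10, src_ip="10.0.0.5",
                dst_ip="10.0.0.8", proto="tcp", dst_port=80, payload=payload)
    base.update(overrides)
    return Packet(**base)


def run_demo() -> list:
    """Verdicts for a constructed packet sequence belonging to one flow."""
    flow = bytearray()
    packets = [
        make(b"GET /index.html HTTP/1.0"),   # clean: forward
        make(b"GET /a", vlan=20),            # VLAN not in L2 rule table: drop
        make(b"GET /b", dst_port=23),        # service not in L3 table: drop
        make(b"report: confidential data"),  # keyword hit: drop
        make(VIRUS_CODE),                    # digest matches signature database: drop
        make(b"GET /../"),                   # first fragment alone matches no rule: forward
        make(b"../etc/passwd"),              # reassembled stream matches rule base: drop
    ]
    return [process_packet(p, POLICY, flow) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

The last two packets show why the text insists on recombining packets before matching the intrusion rule base: neither fragment matches on its own, only the reassembled stream does. The whole-payload digest used for virus filtering is deliberately simple, and it only catches a message that is byte-for-byte identical to stored virus code; any variation in the payload produces a different digest, which is why the text also keeps the keyword-matching variant.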
  • the network security device of the present invention and its implementation method provide a network processor in the network security device and use the multiprocessor, multi-layer protocol analysis, and powerful chip-level programming functions of the network processor chip to process network data securely, guarantee wire-speed processing in a broadband environment, and allow the system to be upgraded easily at any time.
  • FIG. 1 is a block diagram of the implementation of a network security device in the first preferred embodiment of the present invention
  • FIG. 2 is a schematic diagram of the working process of the network security device in the embodiment shown in FIG. 1
  • FIG. 3 is a block diagram of the implementation of the network security device in the second preferred embodiment of the present invention;
  • FIG. 4 is a schematic flowchart of the work flow of the network security device in the embodiment shown in FIG. 3;
  • FIG. 5 is a schematic flowchart of the first work mode of step 407 shown in FIG. 4;
  • FIG. 6 is a detailed flowchart of the second working mode of step 407 shown in FIG. 4
  • the network security device of the present invention is mainly composed of a network security processing module including a network processor, and uses the protocol processing and powerful programming functions of the network processor to perform protocol analysis and security processing on network messages.
  • the network security device of the present invention can also add a control management module to reduce the workload of the network security processing module, increase processing speed, and allow various implementations.
  • the network security device of the present invention has at least the following implementations:
  • the network security device includes a network security processing module, or a network security processing module and a control management module.
  • the device is configured as a circuit board card and can be directly installed on a computer or network device through a PCI interface or a Compact-PCI interface.
  • the network security device only includes the network security processing module, or the network security processing module and the control management module.
  • a power supply module is provided to supply power to these modules, and these modules are set in a casing to become an independent network security device.
  • the Ethernet interface is connected to a computer or a network device.
  • the network security device includes a network security processing module and a control management module.
  • the control management module is implemented by a computer.
  • the network security processing module is set as a circuit board card and installed on the control management module through a PCI interface or a Compact-PCI interface; or the network security processing module is set as an independent peripheral and connected to the control management module through a serial communication interface or an Ethernet interface.
  • the network security device includes only a network security processing module. It is set as a circuit board card, and is directly installed on a computer or a network device through a PCI interface or a Compact-PCI interface.
  • FIG. 1 is a block diagram of an implementation of a network security device in a first preferred embodiment of the present invention; wherein the network security device includes: a network security processing module 110.
  • the network security processing module 110 is the core module of the network security device of the present invention and mainly completes the fast security filtering and processing of network protocols; it includes: a network processor 111, a storage module 112, a network interface module 113, and a security co-processing module 114.
  • the network interface module 113 is connected to the network processor 111 or the security co-processing module 114 at the same time through a high-speed cascade bus; the network interface module 113 is connected to the network 130 and the network device 140, and may also be connected to the administrator computer 120.
  • the storage module 112 stores configuration information including security policies, the operation code of the network security processing module 110, and information generated during the operation of the network security processing module 110.
  • the information stored in the storage module is referred to as network security processing module information; it includes the network protocol and security processing microcode software, security policy rules, etc.
  • the network processor 111 performs network layer 7 protocol processing and security processing on the network message.
  • the network processor 111 receives the network message sent by the network 130 and the management command and configuration information sent by the administrator computer 120 through the network interface module 113, performs protocol analysis on the network message, performs security processing on the network packet according to the security policy taken from the storage module 112, and sends the processed network packet to the network device 140 through the network interface module 113; or sends the configuration information to the storage module 112 according to the management command; or sends the information of the network security processing module 110 to the administrator computer 120 through the network interface module 113 according to a management command;
  • the network interface module 113 connects the network processor 111 with the administrator computer 120, the network 130, and the network device 140, and receives and sends information.
  • the network security processing module 110 is configured as a circuit board card, the network interface module 113 uses a PCI interface or a Compact-PCI interface, and the network security device in this embodiment is installed on the network device 140 through that interface.
  • the network interface module 113 is a main component for receiving and forwarding messages. It is composed of a variety of network protocol physical chips and physical interfaces.
  • the network interface module can include a 100 megabit Ethernet interface, or a gigabit Ethernet interface, or an asynchronous transfer mode (ATM) interface, or a synchronous digital hierarchy (SDH) interface, or a T1/E1 interface, or an interface such as wireless local area network 802.11.
  • the network security device of this embodiment can also use these interfaces to connect to a remote management computer.
  • the network security processing module 110 of this embodiment further includes a security co-processing module 114.
  • security processing algorithms such as VPN encryption authentication, application layer content filtering, virus detection, and intrusion behavior detection are complex; implementing these algorithms in the security co-processing module 114 improves overall processing performance.
  • the functions of VPN encryption, application layer content filtering, virus detection, and intrusion behavior detection are performed respectively by the cryptographic protocol processor 115, the content filtering processor 116, the high-level protocol parsing processor 117, the virus filtering processor 118, and the intrusion detection processor 119 in the security co-processing module 114.
  • the above five processors are connected to a memory storing processor parameters, and the five processors are connected to the network processor 111 through a high-speed cascade bus.
  • the memory in the security co-processing module 114 is used to store parameters of the cryptographic protocol processor 115, the content filtering processor 116, the high-level protocol parsing processor 117, the virus filtering processor 118, and the intrusion detection processor 119, such as: Key information, VPN security negotiation information, content filtering information, virus signature information, etc.
  • the network security processing module 110 of this embodiment has two working modes:
  • the solid line in FIG. 1 indicates the first working mode of the network security processing module 110: a network packet to be processed is received by the network interface module 113 and first sent to the network processor 111; after the network processor 111 performs basic network protocol processing, the network message is sent through the high-speed cascade bus to the security co-processing module 114; the security co-processing module 114 performs the above complex algorithm processing on the network message and returns it to the network processor 111; the network processor 111 forwards the network message processed by the security co-processing module 114 through the network interface module 113.
  • the dashed line in FIG. 1 indicates the second working mode of the network security processing module 110: after a network packet to be processed is received by the network interface module 113, it is first sent to the security co-processing module 114 through the high-speed cascade bus; after the security co-processing module 114 performs the above complex algorithm processing on the network message, the legal message is sent to the network processor 111; after the network processor 111 performs basic network protocol processing, the network message is forwarded through the network interface module 113. Conversely, when a message is sent out, the network processor 111 passes the processed message to the security co-processing module 114; after the security co-processing module 114 finishes processing, it sends the message to the network interface module 113, as shown by the dashed line.
  • the security co-processing module 114 may be selected to adopt one of the above-mentioned working modes according to the system requirements.
  • the security co-processing module 114 may also be implemented by the CPU in the network processor 111 using software, but this will increase the workload of the network processor 111 and affect the processing speed. Therefore, it is generally implemented by adding processor hardware.
  • FIG. 2 is a schematic diagram of a working process of the network security device in the embodiment shown in FIG. 1. The process includes the following steps:
  • Step 201 After the security device is powered on, the network security processing module 110 is started, and the pre-stored processor microcode software used for network protocol processing and security processing is loaded into each processor of the corresponding network processor and security co-processing module, completing hardware initialization.
  • Step 202 The administrator computer 120 configures the network security processing module 110 through a browser interface or a GUI interface or a command line interface.
  • the configuration information includes: a security policy for processing network packets, security processing parameters, the running code of the network security processing module, etc.
  • Step 203 The network security processing module 110 receives the configuration information, stores parameters related to security processing in the memory of the security co-processing module 114, and stores a policy related to protocol security processing in the storage module 112.
  • Step 204 After the network security processing module 110 receives the network message from the network 130 through the network interface module 113, the network processor 111 performs protocol analysis on the network message, and according to the security policy in the storage module 112, the network message Perform security processing, and the security co-processing module 114 performs upper layer protocol processing on the message, and performs security processing according to the security processing parameters stored in the memory of the security co-processing module 114; and sends the processed network packet to the network device 140. .
  • a network security device includes a network security processing module and a control management module.
  • the control management module is implemented by a computer, and the network security processing module is set up as an independent peripheral device connected to the control management module through a serial communication interface or an Ethernet interface; the network security processing module is connected to the external network and to the network equipment through its network interfaces, respectively.
  • FIG. 3 is a block diagram of an implementation of a network security device in a second preferred embodiment of the present invention; wherein the network security device includes: a network security processing module 330 and a control management module 320.
  • the network security processing module 330 in this embodiment includes: a control interface module 331, a network processor 332, a storage module 333, a network interface module 340, and a security co-processing module 334, which includes a cryptographic protocol processor 335, a content filtering processor 336, a high-level protocol parsing processor 337, a virus filtering processor 338, an intrusion detection processor 339, and memory.
  • the network processor 332 is connected to other modules, respectively.
  • the security co-processing module 334 may be connected to the network processor 332 and may be connected to the network interface module 340.
  • the security co-processing module 334 may also be connected to the control interface module 331.
  • the working principle of the network security processing module 330 in this embodiment is basically the same as that of the network security processing module 110 in the embodiment shown in FIG. 1, except that some control management functions are implemented by the control management module 320, which reduces the workload of the network security processing module 330 and improves the processing speed.
  • the network security processing module 330 receives network packets from the network 360 and, after processing them, sends them to the network device 350.
  • the network interface module 340 may be the same as the network interface module 113 in the embodiment shown in FIG. 1.
  • the control management module 320 includes: a memory 321, a CPU 322, and an interface circuit 323 consisting of a management interface circuit 324 and a control interface circuit 325; the memory 321, the management interface circuit 324, and the control interface circuit 325 are each connected to the CPU 322.
  • the control interface circuit 325 of the control management module 320 is connected to the control interface module 331 of the network security processing module 330; the management interface circuit 324 of the control management module 320 is connected to the administrator computer 310.
  • the management interface circuit 324 may be an Ethernet interface. Since the network security processing module 330 is set up as an independent peripheral device in this embodiment, the control interface circuit 325 may be a serial communication interface when the two modules are close together and an Ethernet interface when they are far apart. If the network security processing module 330 is configured as a circuit board card, the control interface circuit 325 may be a PCI or Compact-PCI interface.
  • the control interface module 331 of the network security processing module 330 in this embodiment may be a serial communication interface or an Ethernet interface. If the network security processing module 330 is configured as a circuit board card, the control interface module 331 may be a PCI or Compact-PCI interface.
  • the CPU in the control management module 320 converts the management commands and configuration information received from the administrator computer 310 through the management interface circuit 324 into management commands and configuration information that the network processor 332 can recognize, and writes them into the storage module 333 and/or the security co-processing module 334.
  • each processor in the network processor 332 and the security co-processing module 334 operates according to the command, or sends the operating status, events, and log information of the security device to the administrator computer 310.
  • the memory 321 in the control management module 320 stores an operating system and control management software.
  • the management interface circuit 324 receives the management commands and configuration information sent by the administrator computer 310 and the information returned by the network security processing module 330; it sends the converted management commands and configuration information to the network security processing module 330, and forwards the information returned by the network security processing module 330 to the administrator computer 310.
  • the security co-processing module 334 in this embodiment may also be implemented by the CPU in the control management module 320. However, this also affects the processing speed, so it is generally implemented by adding processor hardware.
  • the network security device in this embodiment mainly controls the network processor 332 and the security co-processing module 334 by the control management software in the control management module 320 to implement protocol processing and security processing of network packets.
  • the control management software is composed of multiple service processes, including at least: an HTTP Web service process, a process that provides a command line remote shell, a log collection and sending process, and a network management SNMP (simple network management protocol) process.
  • the above service processes use a security authentication protocol to ensure connection confidentiality, such as: Secure Socket Layer (SSL), Secure Shell Host (SSH), IPSEC (Internet Protocol Security), a one-time password, or PAP (Password Authentication Protocol).
  • FIG. 4 is a schematic diagram of a working process of the network security device in the embodiment shown in FIG. 3; the process includes the following steps:
  • Step 401 After the security device is powered on, the CPU of the control management module 320 and its operating system are started first and run to complete the hardware initialization and operating system loading. At the same time, the network security processing module 330 is also started to complete its hardware initialization. During the initialization of these two modules, the control interface circuit 325 of the control management module 320 and the control interface module 331 of the network security processing module 330 are initialized; after the initialization is completed, the connection between the two modules is established.
  • Step 402 After the operating system of the control management module 320 is started, the interactive management interface service processes for the administrator computer 310 are started: a command line service process, an HTTP service process, and the configuration module software.
  • Step 403 The administrator computer 310 starts a browser, or a command line terminal, or a GUI configuration management software, and performs login authentication with the control management module 320.
  • authentication may use a one-time password protocol, a password authentication protocol, the IP Security Protocol (IPSEC), the Secure Sockets Layer (SSL) protocol, or the Secure Shell Host (SSH) protocol.
  • Step 404 the administrator computer 310 sends a configuration command or a management command to the network security processing module 330 through the control management module 320 through a browser interface or a GUI interface or a command line interface.
  • the configuration command includes configuration information: security policies for processing network packets, the running code of the network security processing module 330, and the like.
  • Step 405 The control management module 320 receives the command from the administrator computer 310. If it is a security policy configuration command, go to step 406. If it is a management command, such as viewing logs or status monitoring, go to step 408, in which the corresponding information is read from the network security processing module 330 and sent to the administrator computer 310.
  • Step 406 The control management module 320 converts the configuration command into an internal command that can be recognized by the network security processing module 330, and writes the command to the storage module 333 in the network security processing module 330.
  • Step 407 After the network security processing module 330 receives a network packet from the network 360 through the network interface module 340, the network processor 332 and the security co-processing module 334 perform protocol analysis on the packet, perform security processing on it according to the security policy in the storage module 333, and send the processed network packet to the network device 350.
  • the network security processing module performs protocol analysis and security processing on network packets, which is the core of this patent.
  • the network security processing module 330 of this embodiment also has two working modes:
  • the solid line in FIG. 3 indicates the first working mode of the security co-processing module 334: a network packet to be processed, received from the network interface module 340, is first sent to the network processor 332; after the network processor 332 performs the layer 2 and layer 3 network protocol processing, the packet is sent to the security co-processing module 334 via the high-speed cascade bus; the security co-processing module 334 performs the complex algorithm processing on the packet and returns it to the network processor 332; the network processor 332 then forwards the packet processed by the security co-processing module 334 through the network interface module 340.
  • the dotted line in FIG. 3 indicates the second working mode of the security co-processing module 334: a network packet to be processed, received from the network interface module 340, is first sent to the security co-processing module 334 through the high-speed cascade bus; the security co-processing module 334 performs the above complex algorithm processing on the packet and sends it to the network processor 332; after the network processor 332 performs the layer 2 and layer 3 network protocol processing, the packet is forwarded through the network interface module 340. Conversely, when a packet is sent, the network processor 332 delivers the processed packet to the security co-processing module 334, and after the security co-processing module 334 finishes processing, it sends the packet to the network interface module 340, as shown by the dotted line.
  • the security co-processing module 334 may choose which of the above-mentioned working modes according to the system requirements.
  • FIG. 5 is a schematic diagram of a specific working process of step 407 shown in FIG. 4. It includes the following steps:
  • Steps 501-503 The network processor 332 mobilizes its layer 2 processor engine to perform layer 2 protocol analysis on the received packet, reads the strategy for securely processing the layer 2 protocol from the memory, and judges according to the layer 2 network protocol rule table in the security policy whether the packet meets the security policy. If so, security processing is performed according to the security policy, that is, step 504 is performed or the packet is forwarded; otherwise, the packet is discarded.
  • the contents of the rule table may include: a media access control (MAC) address, a virtual local area network (VLAN) protocol, and the like.
  • the network processor 332 mobilizes its layer 3 processor engine to analyze the layer 3 (IP, MPLS) protocol of the packet, reads the strategy for securely processing the layer 3 protocol from the memory, and compares the content of the packet with the address table, port number, protocol type, or service protocol type in the security policy to determine whether the security policy is met. If the security policy is not met, the packet is discarded. If it is a NAT policy, the packet is NAT processed.
  • Step 507 Read the security policy. If it concerns an upper layer or application layer protocol such as URL, HTTP, SMTP, FTP, POP3, etc., and calls for VPN encryption and authentication processing, content filtering, virus filtering, or intrusion behavior detection, the network processor 332 forwards the packet to the security co-processing module 334, whose corresponding processor reads the security processing parameters from the memory and processes the upper layer protocol. If the packet is legitimate it is forwarded; if it is illegal, it is discarded.
  • the content filtering method is to match network messages with keywords stored in the storage module, and if they are consistent, discard the network message.
  • there are many ways to filter viruses. For example, virus codes can be saved as keywords in the storage module, the network packet is matched against the keywords, and if they are the same the packet is discarded. Alternatively, a digest of the virus code may be generated using a hash function and stored in the virus signature database in the storage module; a hash calculation is performed on the detected network packet to generate a digest, which is compared with the virus signature database, and if they are the same the packet is discarded.
  • the method for detecting intrusion behavior is to store an intrusion behavior rule base in the storage module, match the rule base against a packet obtained by recombining one or more detected network packets, and discard the network packet if they match.
  • FIG. 6 is a detailed flowchart of the second working mode in step 407 shown in FIG. 4. It includes the following steps:
  • Step 501 Read the security policy. If it concerns an upper layer or application layer protocol such as URL, HTTP, SMTP, FTP, POP3, etc., and calls for VPN encryption and authentication processing, content filtering, virus filtering, or intrusion behavior detection, the corresponding processor of the security co-processing module 334 reads the security processing parameters from the memory and processes the upper layer protocol. If the packet is legitimate, or there is no upper layer or application layer protocol security policy, the packet is forwarded to the network processor 332; if it is illegal, the packet is discarded.
  • Steps 502-504 The network processor 332 mobilizes its layer 2 processor engine to perform layer 2 protocol analysis on the received packet, reads the strategy for securely processing the layer 2 protocol from the memory, and judges according to the layer 2 network protocol rule table in the security policy whether the packet meets the security policy. If so, security processing is performed according to the security policy, that is, step 504 is performed or the packet is forwarded; otherwise, the packet is discarded.
  • the content of the rule table may include: a media access control (MAC) address, a virtual local area network (VLAN) protocol, and the like.
  • the network processor 332 mobilizes its layer 3 processor engine to perform layer 3 (IP, MPLS) protocol analysis on the packet, reads the strategy for securely processing the layer 3 protocol from the memory, and compares the content of the packet with the address table, port number, protocol type, or service protocol type in the security policy to determine whether it conforms to the security policy. If it does not conform to the security policy, the packet is discarded; if it is a NAT policy, the packet is NAT processed and then forwarded; if it is allowed to pass, it is forwarded directly; if it is a VPN policy, the packet is VPN encrypted or VPN decrypted.
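The two working modes (solid and dotted lines in FIG. 3) and the layered steps of FIG. 5 and FIG. 6, as an added Python illustration that is not the patent's own microcode: the Packet and Policy structures, the layer 2 and layer 3 rule tables, the keyword, the virus code and the intrusion rule string are all constructed for the example, and the per-flow payload recombination before the intrusion rule check follows the recombination step described above.

```python
"""Layered packet security processing modelled on the FIG. 5 (first working
mode) and FIG. 6 (second working mode) steps.  Added illustration, not the
patent's microcode; packets, rule tables and signatures are constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

DROP, FORWARD = "drop", "forward"

@dataclass
class Packet:
    src_mac: str
    vlan: int
    src_ip: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""

@dataclass
class Policy:
    blocked_macs: set = field(default_factory=set)    # layer 2 rule table
    allowed_vlans: set = field(default_factory=set)
    allow_rules: list = field(default_factory=list)   # (src net, proto, port)
    nat_map: dict = field(default_factory=dict)       # private -> public src
    keywords: list = field(default_factory=list)      # co-processor memory:
    virus_digests: set = field(default_factory=set)   # SHA-256 of virus code
    intrusion_rules: list = field(default_factory=list)

def layer2(pkt, pol, _stream):
    """Steps 501-503: judge the frame against the layer 2 rule table."""
    if pkt.src_mac.lower() in pol.blocked_macs:
        return DROP
    if pol.allowed_vlans and pkt.vlan not in pol.allowed_vlans:
        return DROP
    return FORWARD

def layer3(pkt, pol, _stream):
    """Layer 3 steps: address table, protocol and port check, then NAT."""
    for net, proto, port in pol.allow_rules:
        if (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(net)
                and proto == pkt.proto and port == pkt.dst_port):
            # NAT policy: rewrite the private source address, then forward
            pkt.src_ip = pol.nat_map.get(pkt.src_ip, pkt.src_ip)
            return FORWARD
    return DROP                      # no matching policy entry: discard

def upper_layer(pkt, pol, stream):
    """Step 507 on the co-processing module.  `stream` is the payload
    recombined from this flow, so a rule split across packets still matches."""
    if any(k in pkt.payload for k in pol.keywords):          # content filter
        return DROP
    if hashlib.sha256(pkt.payload).hexdigest() in pol.virus_digests:
        return DROP                                          # virus filter
    if any(r in stream for r in pol.intrusion_rules):        # intrusion rules
        return DROP
    return FORWARD

MODE_1 = (layer2, layer3, upper_layer)   # solid line: network processor first
MODE_2 = (upper_layer, layer2, layer3)   # dotted line: co-processor first

def process_flow(pkts, pol, mode=MODE_1):
    """Run each packet of one flow through the chosen mode; return verdicts."""
    verdicts, stream = [], b""
    for pkt in pkts:
        stream += pkt.payload        # recombine the flow for intrusion rules
        verdict = FORWARD
        for stage in mode:
            verdict = stage(pkt, pol, stream)
            if verdict == DROP:
                break
        verdicts.append(verdict)
    return verdicts

VIRUS_CODE = b"CONSTRUCTED-VIRUS-BODY"      # stands in for a stored virus code

def demo_policy():
    """Constructed policy: one LAN, web traffic only, NAT to a public address."""
    return Policy(blocked_macs={"00:11:22:33:44:55"}, allowed_vlans={10},
                  allow_rules=[("192.168.1.0/24", "tcp", 80)],
                  nat_map={"192.168.1.7": "203.0.113.9"},
                  keywords=[b"forbidden-keyword"],
                  virus_digests={hashlib.sha256(VIRUS_CODE).hexdigest()},
                  intrusion_rules=[b"/../../"])

def web_packet(payload, mac="aa:bb:cc:dd:ee:ff", vlan=10):
    return Packet(mac, vlan, "192.168.1.7", "tcp", 80, payload)

def demo(mode=MODE_1):
    """Constructed flow: a normal request, a rule string split over two
    packets (only the recombined stream matches), then a blocked MAC."""
    pkts = [web_packet(b"GET /index.html HTTP/1.0\r\n"),
            web_packet(b"GET /.."), web_packet(b"/../x HTTP/1.0\r\n"),
            web_packet(b"x", mac="00:11:22:33:44:55")]
    return process_flow(pkts, demo_policy(), mode), pkts[0].src_ip
```

Both modes give the same verdicts for this flow; they differ in which module sees the packet first, and the third packet is dropped only because the intrusion rule is matched against the recombined stream rather than the single packet.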
  • the administrator computer may send configuration commands and management commands to the network security device at any time, and the network security device performs configuration and management according to the configuration commands and management commands. If it is a security policy configuration command, the configuration command is converted into an internal command recognized by the network security processing module, and the configuration information in the command is written into a storage module in the network security processing module. If it is a management command, such as viewing logs, status monitoring, etc., the corresponding information is read from the system and sent to the administrator computer. In this way, the administrator computer can not only manage the network security device, but more importantly, it can quickly upgrade through reconfiguration when new attack methods and new network protocols appear.
  • the network security device and the implementation method thereof of the present invention provide a network processor in the network security device, and the network data is securely processed using the multi-layer protocol analysis and powerful programming function of the network processor. This ensures wire-speed processing in a broadband environment and allows the system to be upgraded easily at any time. It is applicable to various network devices such as firewalls, security routers, security switches, intrusion detection devices, antivirus gateways, and VPN encryption gateways.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a network security device that includes a network security processing module. The network security processing module includes a network processor, a storage module, and a network interface module, the three modules being interconnected by a high-speed bus. The device uses the powerful on-chip microcode programming function of the network processor and multiple microprocessors to parse the multi-layer network protocol and to secure the network data. The invention also relates to a method for implementing network security, which interconnects the above-mentioned network security device and network device. The administrator computer configures the network security device and stores in it the running code of the network security processing module and the security policy used to process network packets. The network security device parses the network packets and processes them according to the security policy. Applying this invention guarantees wire-speed processing in a broadband environment and allows the system to be updated at any time.
PCT/CN2004/000656 2003-06-18 2004-06-18 Equipement de securite reseau et son procede de production WO2004112313A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN03137099.3 2003-06-18
CNB031370993A CN100358280C (zh) 2003-06-18 2003-06-18 一种网络安全装置及其实现方法

Publications (3)

Publication Number Publication Date
WO2004112313A2 true WO2004112313A2 (fr) 2004-12-23
WO2004112313A3 WO2004112313A3 (fr) 2005-02-10
WO2004112313A8 WO2004112313A8 (fr) 2005-03-17

Family

ID=33546184

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/000656 WO2004112313A2 (fr) 2003-06-18 2004-06-18 Equipement de securite reseau et son procede de production

Country Status (2)

Country Link
CN (1) CN100358280C (fr)
WO (1) WO2004112313A2 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2417655A (en) * 2004-09-15 2006-03-01 Streamshield Networks Ltd Network-based platform for providing security services to subscribers
CN106790113A (zh) * 2016-12-27 2017-05-31 华东师范大学 一种硬件防火墙配置管理方法及装置
CN107241307A (zh) * 2017-04-26 2017-10-10 北京立思辰计算机技术有限公司 一种基于报文内容的自学习的网络隔离安全装置和方法
CN108216300A (zh) * 2016-12-10 2018-06-29 河南蓝信科技股份有限公司 一种车载综合信息采集装置及其方法
CN111077883A (zh) * 2019-12-27 2020-04-28 国家计算机网络与信息安全管理中心 一种基于can总线的车载网络安全防护方法及装置
CN111628900A (zh) * 2019-02-28 2020-09-04 西门子股份公司 基于网络协议的模糊测试方法、装置和计算机可读介质
CN111797371A (zh) * 2020-06-16 2020-10-20 北京京投信安科技发展有限公司 一种交换机加密系统
CN112261056A (zh) * 2020-10-27 2021-01-22 南方电网数字电网研究院有限公司 电力系统的通讯控制方法、装置、控制设备和存储介质
CN112929183A (zh) * 2021-01-26 2021-06-08 北京百度网讯科技有限公司 智能网卡、报文传输方法、装置、设备及存储介质
CN112965824A (zh) * 2021-03-31 2021-06-15 北京金山云网络技术有限公司 报文的转发方法及装置、存储介质、电子设备

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100433639C (zh) * 2005-01-27 2008-11-12 华为技术有限公司 一种实现网络安全控制的方法及系统
CN100563246C (zh) * 2005-11-30 2009-11-25 华为技术有限公司 一种基于ip的语音通信边界安全控制系统及方法
CN100542103C (zh) * 2006-10-25 2009-09-16 华为技术有限公司 一种热升级网络处理器的方法及装置
CN101374110B (zh) * 2008-10-22 2011-05-11 成都市华为赛门铁克科技有限公司 无线服务网络中报文的处理方法、系统和设备
CN102090072A (zh) * 2009-05-11 2011-06-08 松下电器产业株式会社 内容发送装置及内容发送方法
US8479286B2 (en) * 2009-12-15 2013-07-02 Mcafee, Inc. Systems and methods for behavioral sandboxing
CN101820413B (zh) * 2010-01-08 2012-08-29 中国科学院软件研究所 一种网络安全最佳防护策略的选择方法
CN101902469A (zh) * 2010-07-12 2010-12-01 江苏华丽网络工程有限公司 一种基于二层网络设备的智能安全防御方法
CN102006285B (zh) * 2010-11-02 2016-07-06 北京天融信科技股份有限公司 一种用于网络安全设备的报文处理方法及装置
CN102624726A (zh) * 2012-03-07 2012-08-01 上海盖奇信息科技有限公司 基于智能网卡多核平台的超高带宽网络安全审计方法
CN104135462A (zh) * 2013-05-05 2014-11-05 南京理工大学连云港研究院 基于ssl加密协议的网络终端安全设备及方法
CN103795735B (zh) * 2014-03-07 2017-11-07 深圳市迈科龙电子有限公司 安全设备、服务器及服务器信息安全实现方法
CN105141596A (zh) * 2015-08-12 2015-12-09 北京威努特技术有限公司 一种支持可扩展协议检测的工控防火墙实现方法
CN105337902A (zh) * 2015-11-17 2016-02-17 福建星网锐捷网络有限公司 网络出口装置、网络出口系统以及网络出口报文处理方法
CN107231245B (zh) * 2016-03-23 2021-04-02 阿里巴巴集团控股有限公司 上报监控日志的方法及装置、处理监控日志的方法及装置
CN106603493B (zh) * 2016-11-11 2020-04-24 北京安天网络安全技术有限公司 一种内置于网络设备中的安全防护装置及防护方法
CN106534177A (zh) * 2016-12-08 2017-03-22 武汉万千无限科技有限公司 一种多功能计算机网络安全控制系统
CN106992947B (zh) * 2017-05-23 2022-10-25 信联安宝(北京)科技有限公司 电源分立的安全管理交换机
CN108810035A (zh) * 2018-08-23 2018-11-13 安徽阳露新型建材有限公司 一种可实时监控的网络安全设备
CN110460475B (zh) * 2019-08-22 2022-04-05 北京物芯科技有限责任公司 一种报文安全处理系统和方法
CN110535847B (zh) * 2019-08-23 2021-08-31 极芯通讯技术(南京)有限公司 网络处理器及网络数据的入栈处理方法
CN113742740B (zh) * 2020-05-29 2024-06-18 华为技术有限公司 设备行为监督方法、装置及存储介质
CN111901129A (zh) * 2020-06-28 2020-11-06 乾讯信息技术(无锡)有限公司 一种基于网络多媒体的安全防护装置
CN114115099B (zh) * 2021-11-08 2024-01-02 浙江高信技术股份有限公司 支持网络安全的plc系统
CN118199997A (zh) * 2023-10-23 2024-06-14 北京光润通科技发展有限公司 一种用于链路层组间路由安全级别审核的网卡

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002039667A2 (fr) * 2000-11-07 2002-05-16 Fast-Chip, Inc. Processeur de reseau a base d'un commutateur

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6092202A (en) * 1998-05-22 2000-07-18 N*Able Technologies, Inc. Method and system for secure transactions in a computer system
CN1234079C (zh) * 2002-10-31 2005-12-28 浙江大学 高速信息安全处理器

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
& ZHANG, S.W.: 'Study on realization scheme of firewall based on network processor' HONGKE NORTHERN JIAOTONG UNIVERSITY vol. 26, no. 3, June 2002, pages 40 - 43 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2417655A (en) * 2004-09-15 2006-03-01 Streamshield Networks Ltd Network-based platform for providing security services to subscribers
GB2417655B (en) * 2004-09-15 2006-11-29 Streamshield Networks Ltd Network-based security platform
CN108216300A (zh) * 2016-12-10 2018-06-29 河南蓝信科技股份有限公司 一种车载综合信息采集装置及其方法
CN106790113A (zh) * 2016-12-27 2017-05-31 华东师范大学 一种硬件防火墙配置管理方法及装置
CN107241307A (zh) * 2017-04-26 2017-10-10 北京立思辰计算机技术有限公司 一种基于报文内容的自学习的网络隔离安全装置和方法
CN107241307B (zh) * 2017-04-26 2023-08-08 北京立思辰计算机技术有限公司 一种基于报文内容的自学习的网络隔离安全装置和方法
CN111628900A (zh) * 2019-02-28 2020-09-04 西门子股份公司 基于网络协议的模糊测试方法、装置和计算机可读介质
CN111628900B (zh) * 2019-02-28 2023-08-29 西门子股份公司 基于网络协议的模糊测试方法、装置和计算机可读介质
CN111077883A (zh) * 2019-12-27 2020-04-28 国家计算机网络与信息安全管理中心 一种基于can总线的车载网络安全防护方法及装置
CN111797371A (zh) * 2020-06-16 2020-10-20 北京京投信安科技发展有限公司 一种交换机加密系统
CN112261056A (zh) * 2020-10-27 2021-01-22 南方电网数字电网研究院有限公司 电力系统的通讯控制方法、装置、控制设备和存储介质
CN112929183A (zh) * 2021-01-26 2021-06-08 北京百度网讯科技有限公司 智能网卡、报文传输方法、装置、设备及存储介质
CN112965824A (zh) * 2021-03-31 2021-06-15 北京金山云网络技术有限公司 报文的转发方法及装置、存储介质、电子设备
CN112965824B (zh) * 2021-03-31 2024-04-09 北京金山云网络技术有限公司 报文的转发方法及装置、存储介质、电子设备

Also Published As

Publication number Publication date
CN1567808A (zh) 2005-01-19
WO2004112313A8 (fr) 2005-03-17
CN100358280C (zh) 2007-12-26
WO2004112313A3 (fr) 2005-02-10

Similar Documents

Publication Publication Date Title
WO2004112313A2 (fr) Equipement de securite reseau et son procede de production
US8656488B2 (en) Method and apparatus for securing a computer network by multi-layer protocol scanning
US8274979B2 (en) Method and system for secure communication between a public network and a local network
JP6236528B2 (ja) ネットワークルーティングのためのパケット分類
US8045550B2 (en) Packet tunneling
US20160171102A1 (en) Runtime adaptable search processor
US7965636B2 (en) Loadbalancing network traffic across multiple remote inspection devices
WO2007134023A2 (fr) Pare-feu portable
US7849503B2 (en) Packet processing using distribution algorithms
US8130756B2 (en) Tunnel configuration associated with packet checking in a network
EA004423B1 (ru) Система, устройство и способ быстрой фильтрации и обработки пакетов
JP2006506853A (ja) 能動的ネットワーク防衛システム及び方法
WO2006069041A2 (fr) Dispositif d'interface de reseau et de pare-feu
US20060101261A1 (en) Security router system and method of authenticating user who connects to the system
US11297037B2 (en) Method and network device for overlay tunnel termination and mirroring spanning datacenters
KR20130126833A (ko) 네트워크 가상화를 위한 고속 스위칭 방법 및 고속 가상 스위치
JP4340653B2 (ja) 通信処理装置及び通信処理方法
CN110868362B (zh) 一种MACsec非受控端口报文的处理方法及装置
JP2008524965A (ja) ネットワークインターフェイスおよびファイヤーウォールデバイス
JP4319246B2 (ja) 通信制御装置及び通信制御方法
Mireles et al. Securing an InfiniBand network and its effect on performance
JPWO2009066343A1 (ja) 通信制御装置及び通信制御方法
CN118509209A (zh) 一种双向源地址验证装置
Lockwood Network Packet Processing in Reconfigurable Hardware
Press Cisco ASA

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
CFP Corrected version of a pamphlet front page

Free format text: PUBLISHED PUBLICATION NUMBER IN THE BOTTOM LEFT REPLACED BY CORRECT NUMBER.

122 Ep: pct application non-entry in european phase