WO2010000146A1 - Method, firewalls and network system for realizing information backup - Google Patents


Info

Publication number: WO2010000146A1
Authority: WO (WIPO (PCT))
Prior art keywords: session, firewall, message, information, session information
Application number: PCT/CN2009/070979
Other languages: French (fr), Chinese (zh)
Inventor: 吴永清
Original Assignee: 成都市华为赛门铁克科技有限公司
Application filed by 成都市华为赛门铁克科技有限公司
Priority to US12/469,413 (US20100005263A1)
Publication of WO2010000146A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/20 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2097 Error detection or correction of the data by redundancy in hardware using active fault-masking, maintaining the standby controller/processing unit updated
    • G06F11/202 Error detection or correction of the data by redundancy in hardware using active fault-masking, where processing functionality is redundant
    • G06F11/2038 Error detection or correction of the data by redundancy in hardware using active fault-masking, where processing functionality is redundant, with a single idle spare processing component
    • G06F11/2048 Error detection or correction of the data by redundancy in hardware using active fault-masking, where processing functionality is redundant, where the redundant components share neither address space nor persistent storage

Definitions

  • The present invention relates to the field of network communications, and in particular to a method for implementing information backup, a firewall, and a network system.
  • As a monitoring and protection device in the network, the firewall plays an important role in network security.
  • Mainstream firewalls are generally stateful inspection firewalls: the firewall records the session information of every session that passes through it and, according to the recorded session information, dynamically decides whether to discard a received message.
  • The session information here includes the parameters of session establishment and the status of the existing session, such as the source address, the destination address, the protocol type of the message, and the current session state.
  • In practice, to improve security and reliability, firewalls are usually deployed in dual-system hot-standby mode: one firewall is in the working state and the other in the backup state, and when the working firewall fails, the backup firewall takes over its work.
  • The prior art proposes a processing method that supports inconsistent forward and return paths for messages.
  • The network in the prior art mainly includes firewall 1, firewall 2 and routers R1, R2, R3, R4. With the traditional scheme, in which the forward and return paths are the same, the path is R3 -> Firewall 1 -> R1 -> Firewall 1 -> R3; when the forward and return paths are allowed to differ, the path is R3 -> Firewall 1 -> R1 -> R2 -> Firewall 2 -> R4.
  • Each firewall periodically scans its recorded session information and backs it up to the other firewall over the heartbeat line between the firewalls. After one firewall fails, the other firewall can process the session traffic according to the previously backed-up session information.
  • The prior art has the following problem: because the session information is backed up only after a periodic scan, there is necessarily a delay, so the session information recorded by the two firewalls cannot be completely consistent in real time, and some session services cannot proceed normally. For example, when one firewall processes a session without having obtained the latest session information of that session in time, the services related to that session cannot proceed normally.
  • The technical problem to be solved by the embodiments of the present invention is to provide a method for implementing information backup, a firewall, and a network system, so that the session information recorded by the firewalls is consistent in real time.
  • An embodiment of the present invention provides a method for implementing information backup between at least two firewalls, including: receiving a message; and, when it is detected that the received message changes the recorded session information, backing up the changed session information to another firewall.
  • An embodiment of the invention further provides a firewall, comprising: a receiving unit configured to receive a message; and a processing unit configured to back up the changed session information to another firewall when it detects that the received message changes the recorded session information.
  • An embodiment of the present invention further provides a network system, including a first firewall configured to receive a message, detect whether the received message changes the recorded session information and, if so, send out the changed session information;
  • and a second firewall configured to receive the changed session information sent by the first firewall and back it up.
  • FIG. 1 is a flowchart of a method for implementing information backup according to Embodiment 1 of the present invention.
  • FIG. 2 is a flowchart of a method for implementing information backup according to Embodiment 2 of the present invention.
  • FIG. 3 is a flowchart of a method for implementing information backup according to Embodiment 3 of the present invention.
  • FIG. 4 is a schematic structural diagram of a firewall according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a network system according to an embodiment of the present invention.
  • The embodiment of the invention provides a method for implementing information backup that keeps the session information recorded by the firewalls consistent in real time, so that session services proceed normally.
  • When session information is backed up, the active/standby status of the firewalls is not distinguished:
  • when the first firewall is the primary firewall and the second firewall is the standby firewall, session information can be backed up from the primary firewall to the standby firewall, or from the standby firewall to the primary firewall.
  • Embodiment 1: Referring to FIG. 1, it is a flowchart of a method for implementing information backup according to Embodiment 1 of the present invention.
  • The first firewall and the second firewall are used as an example for description.
  • The method includes the following steps. Step 201: The first firewall receives the message.
  • The first firewall receives messages of different protocol types, which may be ICMP (Internet Control Message Protocol), UDP (User Datagram Protocol) or TCP (Transmission Control Protocol).
  • Step 202: When the first firewall detects that the received message changes the recorded session information, it backs up the changed session information to the second firewall.
  • That is, as soon as the first firewall detects that the received message changes the recorded session information, it immediately backs up the changed session information to the second firewall.
  • "The received message changes the recorded session information" covers two cases: a session needs to be established according to the received message and its session information is added, which changes the recorded session information; or the state of an existing session changes and its session information needs to be updated, which also changes the recorded session information. It can be seen that in Embodiment 1, when it is detected that the received message changes the recorded session information, the changed session information is immediately backed up to the second firewall, which ensures that the session information of the second firewall and the first firewall is consistent in real time.
  • The method for backing up session information in the embodiments of the present invention is implemented in different ways for different message protocols. The embodiments are described in detail below with reference to the different message protocols.
  • Embodiment 2: Referring to FIG. 2, it is a flowchart of a method for implementing information backup according to Embodiment 2 of the present invention.
  • Embodiment 2 describes the processing flow when the firewall receives an ICMP or UDP message; the first firewall and the second firewall are used as an example for description.
  • Sessions based on UDP or ICMP are generally connectionless; the session has no state changes, and processing is relatively simple.
  • The specific steps in FIG. 2 are as follows:
  • Step 301: The first firewall receives the ICMP or UDP message.
  • Step 302: The first firewall searches the session information it has recorded for the session corresponding to the received message.
  • The first firewall records the session information of each session; the session information can be stored in dedicated memory.
  • According to the information carried in the message, the first firewall searches the session information recorded by itself for the session corresponding to the message.
  • Step 303: According to the search result, determine whether the session exists. If it exists, go to step 306; if it does not exist, go to step 304.
  • By searching the session information it has recorded for the session corresponding to the message, the first firewall finds out whether the session has already been established.
  • Step 304: The first firewall establishes an ICMP or UDP session, and proceeds to step 305.
  • When the first firewall determines from the search result that the session corresponding to the received message does not exist, and determines according to the configured access rules that the message is permitted to pass,
  • it establishes an ICMP or UDP session according to the received message and adds the session information of the new session,
  • so the session information recorded by the first firewall has changed. If the first firewall determines that the message is not permitted to pass, the message is discarded, the process ends, and no session is established.
  • Step 305: Back up the session information of the ICMP or UDP session to the second firewall, and proceed to step 306. The first firewall immediately backs up the session information of the ICMP or UDP session to the second firewall over the heartbeat line between the firewalls, ensuring that the session information of the second firewall and the first firewall is consistent in real time.
  • Step 306: Forward the ICMP or UDP message. It should be noted that in the above process the session information may be backed up before the message is forwarded, the backup and the forwarding may be performed simultaneously, or the message may be forwarded first and the session information backed up afterwards.
  • In Embodiment 2, after an ICMP or UDP message is received, the newly established ICMP or UDP session is detected and the changed session information is immediately backed up to the second firewall, thereby ensuring that the session information of the second firewall and the first firewall is consistent in real time.
  • Embodiment 3: Referring to FIG. 3, it is a flowchart of a method for implementing information backup according to Embodiment 3 of the present invention.
  • Embodiment 3 describes the processing flow when the firewall receives a TCP message.
  • The first firewall and the second firewall are used as an example for description. Because a TCP-based session has various states, the process is relatively complex, but in essence the session information is still backed up to the other firewall whenever a change in the recorded session information is detected.
  • The detected changes in session information include: adding session information when a new session is established; and, for an established session, a change of the session state that results in the session information being updated (for example, modified or deleted).
  • Step 401: The first firewall receives the TCP message.
  • Step 402: The first firewall searches the session information it has recorded for the session corresponding to the received message.
  • The first firewall records the session information of each session; the session information may be stored in dedicated memory.
  • According to the information carried in the message, the first firewall searches the session information recorded by itself for the session corresponding to the message.
  • Step 403: According to the search result, determine whether the session exists. If it exists, go to step 404; if it does not exist, go to step 406.
  • By searching the session information it has recorded for the session corresponding to the message, the first firewall finds out whether the session has already been established. If the session has been established, its information is already stored, so the session is found and the process proceeds to step 404; otherwise it is determined that the session does not exist and the process proceeds to step 406.
  • Step 404: Determine whether the received message is one that changes the session state of the existing session. If yes, go to step 405; otherwise go to step 410.
  • The messages that change the session state may be a SYN+ACK message, an ACK message, an RST message, a FIN message, and the like.
  • The SYN+ACK message is the connection establishment request response flag message, used to respond to a connection establishment request; the ACK message is the response flag message;
  • the SYN message is the connection establishment request flag message, that is, the first message of the connection;
  • the RST message is the reset flag message;
  • the FIN message is the end flag message. It should be noted that these are only examples; other messages that also change the session state are not listed one by one.
  • Step 405: Back up the updated session information to the second firewall, and proceed to step 410.
  • When the first firewall determines that the received message changes the session state of the existing session,
  • the first firewall updates the session information of the corresponding session,
  • so the session information has changed.
  • The first firewall immediately backs up the updated TCP session information to the second firewall over the heartbeat line between the firewalls, ensuring that the session information of the second firewall and the first firewall is consistent in real time.
  • Step 406: Determine whether the message is a SYN message. If yes, go to step 408; otherwise go to step 407. Step 407: Discard the message, and end the process. Step 408: The first firewall establishes a TCP session, and proceeds to step 409.
  • A TCP session is established by a SYN message. Therefore, when the received message is a SYN message, the TCP session is established according to the message and the session information of the session is added, so the session information recorded by the firewall has changed. Step 409: Back up the newly recorded session information to the second firewall, and proceed to step 410.
  • The first firewall backs up the session information of the newly established session to the second firewall over the heartbeat line between the firewalls, ensuring that the session information of the second firewall and the first firewall is consistent in real time.
  • Step 410: Forward the message. It should be noted that in the above process the session information may be backed up before the message is forwarded, the backup and the forwarding may be performed simultaneously, or the message may be forwarded first and the session information backed up afterwards.
  • FIG. 4 is a schematic structural diagram of a firewall according to an embodiment of the present invention.
  • The firewall includes a receiving unit 51 and a processing unit 52.
  • The receiving unit 51 is configured to receive a message.
  • The processing unit 52 is configured to back up the changed session information to another firewall when it detects that the received message changes the recorded session information.
  • The processing unit 52 further includes a storage unit 521, a searching unit 522 and a first processing unit 523.
  • The storage unit 521 is configured to record session information.
  • The searching unit 522 is configured to search the session information recorded by the storage unit 521 for the session corresponding to the message.
  • The first processing unit 523 is configured to, when the searching unit 522 does not find the session corresponding to the message, establish a session according to the message, add the session information of the session to the storage unit 521, and back up the newly added session information to the other firewall.
  • The message processed by the first processing unit 523 may be an ICMP message, a UDP message, or a SYN message of TCP.
  • The processing unit 52 further includes a second processing unit 524.
  • The second processing unit 524 is configured to, when the searching unit 522 finds the session corresponding to the message and it is further determined that the message is one that changes the session state, update the session information of that session in the storage unit 521 according to the message, and back up the updated session information to the other firewall. Updating the session information of the session here includes modifying or deleting the session information of the session.
  • The messages that change the session state include a SYN+ACK message, an ACK message, an RST message or a FIN message of TCP.
  • FIG. 5 is a schematic structural diagram of a network system according to an embodiment of the present invention.
  • The network system includes a first firewall 61 and a second firewall 62.
  • The first firewall 61 is configured to receive a message, detect whether the received message changes the recorded session information and, if so, send out the changed session information.
  • The second firewall 62 is configured to receive the changed session information sent by the first firewall 61 and back it up.
  • The first firewall 61 further includes a receiving unit and a processing unit.
  • The receiving unit is configured to receive a message.
  • The processing unit is configured to search the recorded session information for the session corresponding to the message and, when the session corresponding to the message is not found, establish a session according to the message, add the session information of the session, and back up the newly added session information to the other firewall.
  • When the processing unit finds the session corresponding to the message and further determines that the message is one that changes the session state, it updates the session information of that session according to the message and backs up the updated session information to the other firewall.
  • For the first firewall 61, refer to the structure shown in FIG. 4 above, which is not described again here. It should be noted that the first firewall 61 and the second firewall 62 described here are relative to each other, and the second firewall 62 may also have the structure shown in FIG. 4.
  • The technical solution provided by the embodiments of the present invention backs up the changed session information to another firewall as soon as it detects that a received message has changed the recorded session information, so that
  • this immediate backup mechanism ensures that the session information recorded by the firewalls is consistent in real time.
  • The technical solution provided by the embodiments of the present invention provides different processing procedures for different types of received messages, so its application is more flexible.
  • A person skilled in the art can understand that all or part of the process of the above method embodiments can be completed by a computer program instructing the related hardware; the program can be stored in a computer-readable storage medium and, when executed, can include the flow of the method embodiments described above.
  • The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
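The flows of Embodiments 2 and 3 above (look up the session; open one on a permitted ICMP/UDP message or a TCP SYN; update or delete it on a state-changing TCP message; replicate every change at once; drop a non-SYN TCP message with no session) can be written as a small session table whose every change is pushed to the peer before the packet is forwarded. The following is an added example written for this page, not code from the patent or its assignee: the heartbeat line is simulated by an in-process callback, the access rule and the TCP state names are constructed for illustration, and the sample traffic is constructed rather than captured.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Endpoint = Tuple[str, int]
SessionKey = Tuple[str, Endpoint, Endpoint]   # protocol plus both endpoints, ordered


@dataclass(frozen=True)
class Packet:
    proto: str                               # "ICMP", "UDP" or "TCP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

    def session_key(self) -> SessionKey:
        # Both directions map to one key, so the server's SYN+ACK finds the
        # session that the client's SYN created.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


# TCP messages that change the state of an existing session (step 404), mapped to
# the resulting state (constructed names); None means the record is deleted.
# Any other flag combination (plain data segments) leaves the record untouched.
TCP_TRANSITIONS: Dict[FrozenSet[str], Optional[str]] = {
    frozenset({"SYN", "ACK"}): "SYN_RECV",
    frozenset({"ACK"}): "ESTABLISHED",
    frozenset({"FIN"}): "CLOSING",
    frozenset({"FIN", "ACK"}): "CLOSING",
    frozenset({"RST"}): None,
}


class Firewall:
    """Stateful firewall that replicates each session change as it happens."""

    def __init__(self, allow: Callable[[Packet], bool],
                 heartbeat: Callable[[SessionKey, Optional[dict]], None]):
        self.sessions: Dict[SessionKey, dict] = {}  # the recorded session information
        self.allow = allow                           # configured access rule (step 304)
        self.heartbeat = heartbeat                   # simulated heartbeat line to the peer
        self.backups_sent = 0

    def _backup(self, key: SessionKey, info: Optional[dict]) -> None:
        """Steps 305/405/409: push the changed record to the other firewall at once."""
        self.backups_sent += 1
        self.heartbeat(key, None if info is None else dict(info))

    def apply_backup(self, key: SessionKey, info: Optional[dict]) -> None:
        """Peer side: install or delete the replicated record."""
        if info is None:
            self.sessions.pop(key, None)
        else:
            self.sessions[key] = info

    def receive(self, pkt: Packet) -> str:
        """Process one packet; returns 'forward' or 'drop'."""
        key = pkt.session_key()
        existing = self.sessions.get(key)            # steps 302/402: look up the session
        if existing is None:
            return self._open_session(pkt, key)
        if pkt.proto == "TCP" and pkt.flags in TCP_TRANSITIONS:
            new_state = TCP_TRANSITIONS[pkt.flags]   # step 404: state-changing message
            if new_state is None:
                del self.sessions[key]
            else:
                existing["state"] = new_state
            self._backup(key, self.sessions.get(key))  # step 405: replicate the update
        return "forward"                             # steps 306/410

    def _open_session(self, pkt: Packet, key: SessionKey) -> str:
        if pkt.proto == "TCP" and pkt.flags != frozenset({"SYN"}):
            return "drop"                 # steps 406/407: only a SYN opens a TCP session
        if not self.allow(pkt):           # the patent states this check for ICMP/UDP;
            return "drop"                 # applying it to TCP as well is an assumption
        info = {"proto": pkt.proto, "client": (pkt.src, pkt.sport),
                "server": (pkt.dst, pkt.dport),
                "state": "SYN_SENT" if pkt.proto == "TCP" else "OPEN"}
        self.sessions[key] = info         # steps 304/408: add the new session
        self._backup(key, info)           # steps 305/409: replicate before forwarding
        return "forward"


def constructed_traffic() -> List[Packet]:
    """Constructed sample traffic (not captured data) exercising every branch."""
    c, s = "10.0.0.5", "203.0.113.10"
    syn, syn_ack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return [
        Packet("TCP", c, s, 40000, 443, syn),                        # new session, backed up
        Packet("TCP", s, c, 443, 40000, syn_ack),                    # state change, backed up
        Packet("TCP", c, s, 40000, 443, ack),                        # state change, backed up
        Packet("TCP", c, s, 40000, 443, frozenset({"PSH", "ACK"})),  # data only, no backup
        Packet("UDP", c, s, 5353, 53),                               # new session, backed up
        Packet("UDP", s, c, 53, 5353),                               # reply matches, no backup
        Packet("TCP", c, s, 40001, 443, ack),                        # no session, not SYN: drop
        Packet("UDP", c, s, 5000, 23),                               # denied by rule: drop
        Packet("TCP", c, s, 40000, 443, frozenset({"RST"})),         # deleted, deletion backed up
    ]


def run_demo() -> dict:
    """Feed the traffic to the first firewall and compare the second after each packet."""
    standby = Firewall(allow=lambda p: True, heartbeat=lambda k, i: None)
    primary = Firewall(allow=lambda p: p.dport != 23,   # constructed rule: no telnet
                       heartbeat=standby.apply_backup)
    actions, consistent = [], []
    for pkt in constructed_traffic():
        actions.append(primary.receive(pkt))
        # Invariant of the scheme: there is no scan interval, so the tables never differ.
        consistent.append(primary.sessions == standby.sessions)
    return {"actions": actions, "consistent": consistent,
            "backups": primary.backups_sent, "sessions": len(primary.sessions)}
```

Running `run_demo()` shows five backups for nine packets: only the three state changes of the handshake, the new UDP session and the RST-triggered deletion cross the heartbeat line, while the data segment, the UDP reply and the two dropped packets change nothing and send nothing. Deletion is replicated as well, so that after a takeover the peer does not keep forwarding traffic for a session that was already reset.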

Abstract

A method, firewalls and a network system for realizing information backup are disclosed in the embodiments of the present invention. They realize information backup between at least two firewalls and comprise: receiving a message; and, when it is detected that the received message has changed the recorded session information, backing up the changed session information to another firewall, so that the recorded session information is kept consistent between the firewalls in real time.

Description

Method for realizing information backup, firewall and network system

This application claims priority to Chinese Patent Application No. 200810133021.5, filed with the Chinese Patent Office on July 4, 2008 and entitled "Method for realizing information backup, firewall and network system", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of network communications, and in particular to a method for implementing information backup, a firewall, and a network system.

Background art

As a monitoring and protection device in the network, the firewall plays an important role in network security. Mainstream firewalls today are generally stateful inspection firewalls: such a firewall records the session information of every session and, according to the recorded session information, dynamically decides whether to discard a received message. The session information here includes the parameters of session establishment and the status of the existing session, such as the source address, the destination address, the protocol type of the message, and the current session state. In practice, to improve security and reliability, firewalls are usually deployed in dual-system hot-standby mode: one firewall is in the working state and the other in the backup state, and when the working firewall fails, the backup firewall takes over its work. This method can guarantee the integrity of the session information of every session recorded by the firewall only when the forward and return paths of the messages are the same, so the network configuration in practical applications is relatively complex.

The prior art proposes a processing method that supports inconsistent forward and return paths for messages. The network in the prior art mainly includes firewall 1, firewall 2 and routers R1, R2, R3, R4. With the traditional scheme, in which the forward and return paths are the same, the path is R3 -> Firewall 1 -> R1 -> Firewall 1 -> R3; when the forward and return paths are allowed to differ, the path is R3 -> Firewall 1 -> R1 -> R2 -> Firewall 2 -> R4. To handle such inconsistent paths, each firewall periodically scans its recorded session information and backs it up to the other firewall over the heartbeat line between the firewalls, so that after one firewall fails, the other firewall can process the session traffic according to the previously backed-up session information. In the course of researching and practising the prior art, the inventors found the following problem: because the session information is backed up only after a periodic scan, there is necessarily a delay, so the session information recorded by the two firewalls cannot be completely consistent in real time, and some session services cannot proceed normally. For example, when one firewall processes a session without having obtained the latest session information of that session in time, the services related to that session cannot proceed normally.
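The delay described in the background can be made concrete by replaying a log of session changes against the two backup policies. The following is an added illustration written for this page, not code from the patent: the session identifiers, their timings and the scan period are constructed, and the three divergence classes (missing, stale, phantom) are this example's own labels for what the standby would get wrong after taking over.

```python
from typing import Dict, List, Optional, Tuple

# Constructed change log of the working firewall: (time in ms, session id, new state).
# A state of None means the session record was removed (e.g. after an RST or timeout).
EVENTS: List[Tuple[int, str, Optional[str]]] = [
    (10, "tcp 10.0.0.5:40000 -> 203.0.113.10:443", "SYN_SENT"),
    (35, "udp 10.0.0.7:5353 -> 203.0.113.53:53", "OPEN"),
    (120, "tcp 10.0.0.5:40000 -> 203.0.113.10:443", "ESTABLISHED"),
    (410, "udp 10.0.0.7:5353 -> 203.0.113.53:53", None),
    (640, "tcp 10.0.0.9:40100 -> 203.0.113.10:443", "SYN_SENT"),
]


def table_at(t_ms: int) -> Dict[str, str]:
    """Session table the working firewall actually holds at time t_ms."""
    table: Dict[str, str] = {}
    for t, sid, state in EVENTS:
        if t > t_ms:
            break
        if state is None:
            table.pop(sid, None)
        else:
            table[sid] = state
    return table


def standby_table(t_fail: int, scan_period_ms: Optional[int]) -> Dict[str, str]:
    """What the standby knows when the working firewall fails at t_fail.

    Periodic scanning (the prior art) leaves the standby with the snapshot taken at
    the last scan; change-triggered backup (scan_period_ms=None) gives it the same
    table as the working firewall, because every change was sent as it happened.
    """
    if scan_period_ms is None:
        return table_at(t_fail)
    last_scan = (t_fail // scan_period_ms) * scan_period_ms
    return table_at(last_scan)


def divergence(t_fail: int, scan_period_ms: Optional[int]) -> Dict[str, List[str]]:
    """Sessions the standby would mishandle after taking over at t_fail."""
    live = table_at(t_fail)
    seen = standby_table(t_fail, scan_period_ms)
    return {
        # live sessions the standby never heard of: their traffic has no matching session
        "missing": sorted(s for s in live if s not in seen),
        # sessions known with an out-of-date state
        "stale": sorted(s for s in live if s in seen and seen[s] != live[s]),
        # sessions the working firewall already removed but the standby still holds
        "phantom": sorted(s for s in seen if s not in live),
    }
```

With a 100 ms scan period, a failure at 130 ms leaves the standby with the TCP session in its pre-handshake state, a failure at 450 ms leaves it holding a UDP session that was already removed, and a failure at 650 ms leaves it unaware of the newest TCP session; with change-triggered backup all three cases report nothing.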
发明内容 Summary of the invention
本发明实施例要解决的技术问题是提供一种实现信息备份的方法、 防 火墙和网絡系统, 实现防火墙之间记录的会话信息实时一致。  The technical problem to be solved by the embodiments of the present invention is to provide a method for implementing information backup, a firewall, and a network system, so that the session information recorded between the firewalls is consistent in real time.
本发明实施例提供一种实现信息备份的方法, 用于实现至少两个防火 墙之间的信息备份, 包括: 接收报文; 在检测到所述接收的报文使记录的 会话信息发生变化时, 将变化后的会话信息备份到另一防火墙。  The embodiment of the present invention provides a method for implementing information backup, which is used to implement information backup between at least two firewalls, including: receiving a message; when detecting the received message, causing the recorded session information to change, Back up the changed session information to another firewall.
本发明实施例还提供了一种防火墙, 包括: 接收单元, 用于接收报文; 处理单元, 用于在检测到所述接收的报文使记录的会话信息发生变化时, 将变化后的会话信息备份到另一防火墙。  The embodiment of the invention further provides a firewall, comprising: a receiving unit, configured to receive a message; and a processing unit, configured to: when the received message is detected, the recorded session information changes, the changed session is Back up information to another firewall.
本发明实施例还提供了一种网絡系统, 包括: 第一防火墙, 用于接收 报文, 并检测所述接收的报文是否使记录的会话信息发生变化, 若是, 将 变化后的会话信息发送出去; 第二防火墙, 用于接收所述第一防火墙发送 的所述变化后的会话信息后进行备份。  The embodiment of the present invention further provides a network system, including: a first firewall, configured to receive a packet, and detect whether the received packet changes the recorded session information, and if yes, send the changed session information. The second firewall is configured to receive the changed session information sent by the first firewall and perform backup.
本发明实施例提供的技术方案由于是在检测到接收的报文使记录的 会话信息发生变化时, 就将变化后的会话信息备份到另一防火墙, 从而通 过这种即时的备份机制, 保证了防火墙之间记录的会话信息实时一致。 附图说明 实施例或现有技术描述中所需要使用的附图作简单地介绍, 显而易见地, 下面描述中的附图仅仅是本发明的一些实施例, 对于本领域普通技术人员 来讲, 在不付出创造性劳动性的前提下, 还可以根据这些附图获得其他的 附图。 图 1为本发明实施例一实现信息备份的方法流程图; The technical solution provided by the embodiment of the present invention ensures that the changed session information is backed up to another firewall when the received message is detected to be changed, thereby ensuring the use of the instant backup mechanism. The session information recorded between the firewalls is consistent in real time. BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are to be regarded as Other drawings may also be obtained from these drawings without the inventive labor. FIG. 1 is a flowchart of a method for implementing information backup according to an embodiment of the present invention;
图 2为本发明实施例二实现信息备份的方法流程图;  2 is a flowchart of a method for implementing information backup according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a method for implementing information backup according to Embodiment 3 of the present invention;
FIG. 4 is a schematic structural diagram of a firewall according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a network system according to an embodiment of the present invention.

DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for implementing information backup that keeps the session information recorded on the firewalls consistent in real time, so that the services carried by the sessions proceed normally. In the embodiments of the present invention, session information is backed up without distinguishing the active/standby state of the firewalls: when the first firewall acts as the active firewall and the second firewall as the standby firewall, session information can be backed up from the active firewall to the standby firewall, or from the standby firewall to the active firewall.
The embodiments of the present invention are described in detail below with reference to the drawings.

Embodiment 1: Referring to FIG. 1, which is a flowchart of a method for implementing information backup according to Embodiment 1 of the present invention, the method is described taking a first firewall and a second firewall as an example and includes the following steps:

Step 201: The first firewall receives a packet.
The first firewall receives packets of various protocol types, which may be ICMP (Internet Control Message Protocol) packets, UDP (User Datagram Protocol) packets, or TCP (Transmission Control Protocol) packets.
Step 202: When the first firewall detects that the received packet causes the recorded session information to change, it backs up the changed session information to the second firewall.
When the first firewall detects that the received packet causes the recorded session information to change, it immediately backs up the changed session information to the second firewall.
The detection that a received packet causes the recorded session information to change may refer to the case where a new session needs to be established according to the received packet and new session information is added, so that the recorded session information changes; or to the case where the state of an existing session changes after the packet is received and the session information needs to be updated, so that the recorded session information changes.

It can be seen that Embodiment 1 backs up the changed session information to the second firewall immediately upon detecting that the received packet has changed the recorded session information, thereby ensuring that the session information on the second firewall and the first firewall is consistent in real time.

In specific applications in a network system, the method for backing up session information in the embodiments of the present invention is implemented in different ways depending on the packet protocol. The embodiments of the present invention are further described below with reference to different packet protocols.

Embodiment 2: Referring to FIG. 2, which is a flowchart of a method for implementing information backup according to Embodiment 2 of the present invention. Embodiment 2 mainly describes the processing flow when a firewall receives an ICMP or UDP packet, taking the first firewall and the second firewall as an example. Sessions based on UDP or ICMP are generally connectionless sessions; there is no changing session state, and the processing is relatively simple. The specific steps in FIG. 2 are as follows:
Step 301: The first firewall receives an ICMP or UDP packet.

Step 302: The first firewall searches the session information it has recorded for the session corresponding to the received packet.

The first firewall records session information related to sessions; the session information can be stored in dedicated memory. When a packet is received, the first firewall searches its recorded session information for the session corresponding to the packet according to the relevant information carried in the packet.

Step 303: Determine from the search result whether a session exists. If a session exists, proceed to step 306; if no session exists, proceed to step 304.

By searching its recorded session information for the session corresponding to the packet, the first firewall can find out whether a session was established earlier. If a session has already been established, the information of that session is stored, so the firewall concludes that a session exists and proceeds to step 306; otherwise it concludes that no session exists and proceeds to step 304.

Step 304: The first firewall establishes an ICMP or UDP session and proceeds to step 305.

After concluding from the search result that no session corresponding to the received packet exists, and having also determined from the configured access rules that the packet is allowed to pass, the first firewall establishes an ICMP or UDP session according to the received packet and adds the session information of the new session; at this point the session information recorded by the first firewall has changed. If the first firewall determines that the packet is not allowed to pass, it discards the packet and ends the process without establishing a session.
Step 305: Back up the session information of the ICMP or UDP session to the second firewall, and proceed to step 306.

The first firewall immediately backs up the session information of the ICMP or UDP session to the second firewall over the heartbeat link between the firewalls, so as to ensure that the session information on the second firewall and the first firewall is consistent in real time.
Step 306: Forward the ICMP or UDP packet.

It should be noted that the above process is described taking as an example backing up the session information first and then forwarding the packet; the session information may also be backed up and the packet forwarded at the same time, or the packet may be forwarded first and the session information backed up afterwards.
It can be seen that Embodiment 2 immediately backs up the changed session information to the second firewall when the recorded session information changes because a new ICMP or UDP session is established after an ICMP or UDP packet is received, thereby ensuring that the session information on the second firewall and the first firewall is consistent in real time.
Embodiment 3: Referring to FIG. 3, which is a flowchart of a method for implementing information backup according to Embodiment 3 of the present invention. Embodiment 3 mainly describes the processing flow when a firewall receives a TCP packet, taking the first firewall and the second firewall as an example. Because a TCP-based session has various states, the processing is relatively more complex, but it still mainly consists of backing up the session information to another firewall when a change in the recorded session information is detected. The change in recorded session information referred to here includes: new session information added when a new session is established, and session information updated (for example, modified or deleted) when the state of an already established session changes.
The specific steps in FIG. 3 are as follows:
Step 401: The first firewall receives a TCP packet.

Step 402: The first firewall searches the session information it has recorded for the session corresponding to the received packet.

The first firewall records session information related to sessions; the session information can be stored in dedicated memory. When a packet is received, the first firewall searches its recorded session information for the session corresponding to the packet according to the relevant information carried in the packet.

Step 403: Determine from the search result whether a session exists. If a session exists, proceed to step 404; if no session exists, proceed to step 406.

By searching its recorded session information for the session corresponding to the packet, the first firewall can find out whether a session was established earlier. If a session has already been established, the information of that session is stored, so the firewall concludes that a session exists and proceeds to step 404; otherwise it concludes that no session exists and proceeds to step 406.
Step 404: Determine whether the received packet is one that changes the session state of an existing session. If so, proceed to step 405; otherwise proceed to step 410.

Among TCP packets, those that change the session state may be SYN+ACK packets, ACK packets, RST packets, FIN packets, and so on. A SYN+ACK packet is a connection establishment request acknowledgement packet, used to respond to a connection establishment request. An ACK packet is an acknowledgement packet: in a TCP connection, every packet except the first one, the SYN packet, has this field set as a response to the previous packet. An RST packet is a reset packet, and a FIN packet is a finish packet. It should be noted that these are only examples; other packets that also change the session state are not listed one by one.
Step 405: Back up the updated session information to the second firewall, and proceed to step 410.

After determining that the received packet changes the session state of an existing session, the first firewall updates the session information of the corresponding session; at this point the recorded session information has changed. The first firewall immediately backs up the updated TCP session information to the second firewall over the heartbeat link between the firewalls, so as to ensure that the session information on the second firewall and the first firewall is consistent in real time.
Step 406: Determine whether the packet is a SYN packet. If so, proceed to step 408; otherwise proceed to step 407.

Step 407: Discard the packet and end the process.

Step 408: The first firewall establishes a TCP session and proceeds to step 409.
In TCP, a session is established after a SYN packet is received. Therefore, after determining that the received packet is a SYN packet, the first firewall establishes a TCP session according to the packet and adds the session information of that session; at this point the session information recorded by the first firewall has changed.

Step 409: Back up the newly recorded session information to the second firewall, and proceed to step 410.

The first firewall immediately backs up the session information recorded for the newly established session to the second firewall over the heartbeat link between the firewalls, so as to ensure that the session information on the second firewall and the first firewall is consistent in real time.

Step 410: Forward the packet.

It should be noted that the above process is described taking as an example backing up the session information first and then forwarding the packet; the session information may also be backed up and the packet forwarded at the same time, or the packet may be forwarded first and the session information backed up afterwards.
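The flows of Embodiments 2 and 3 above, as an added Python model that is not part of the patent: the Firewall and Packet classes, the state names, the access-rule callback and the sample addresses are all constructed for this illustration, and a direct method call stands in for the heartbeat link. The first firewall pushes a session-table entry to its peer whenever the entry is created, updated or deleted, so the two tables stay identical after every packet.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed packet model: only the fields the flows depend on.
# 'flags' holds TCP flag names and is empty for ICMP/UDP.
@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp" or "tcp"
    src: str                         # "host:port" (constructed format)
    dst: str
    flags: frozenset = frozenset()   # e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN"}

Key = Tuple[str, str, str]

# TCP packets the text names as changing an existing session's state (step 404).
STATE_CHANGING = [frozenset({"SYN", "ACK"}), frozenset({"ACK"}),
                  frozenset({"RST"}), frozenset({"FIN"})]


class Firewall:
    def __init__(self, name: str, allow: Optional[Callable[[Packet], bool]] = None):
        self.name = name
        self.sessions: Dict[Key, dict] = {}        # storage unit (521)
        self.peer: Optional["Firewall"] = None     # the "other firewall"
        self.allow = allow or (lambda p: True)     # constructed access rule
        self.forwarded: List[Packet] = []

    # --- second-firewall side: apply an entry received over the heartbeat link
    def receive_backup(self, key: Key, info: Optional[dict]) -> None:
        if info is None:                           # deletion (claim 5)
            self.sessions.pop(key, None)
        else:
            self.sessions[key] = dict(info)

    def _backup(self, key: Key) -> None:
        # Immediate backup of the changed entry; None means "deleted".
        if self.peer is not None:
            self.peer.receive_backup(key, self.sessions.get(key))

    # --- search unit (522): match either direction of the flow
    def _lookup(self, pkt: Packet) -> Optional[Key]:
        for k in ((pkt.proto, pkt.src, pkt.dst), (pkt.proto, pkt.dst, pkt.src)):
            if k in self.sessions:
                return k
        return None

    def receive(self, pkt: Packet) -> str:
        key = self._lookup(pkt)                    # steps 302 / 402
        if pkt.proto in ("icmp", "udp"):
            return self._connectionless(pkt, key)  # Embodiment 2
        return self._tcp(pkt, key)                 # Embodiment 3

    def _connectionless(self, pkt: Packet, key: Optional[Key]) -> str:
        if key is None:                            # step 303 -> 304
            if not self.allow(pkt):
                return "dropped"                   # denied: no session created
            key = (pkt.proto, pkt.src, pkt.dst)
            self.sessions[key] = {"state": "established"}
            self._backup(key)                      # step 305
        self.forwarded.append(pkt)                 # step 306
        return "forwarded"

    def _tcp(self, pkt: Packet, key: Optional[Key]) -> str:
        if key is None:                            # step 403 -> 406
            if pkt.flags != frozenset({"SYN"}) or not self.allow(pkt):
                return "dropped"                   # step 407
            key = (pkt.proto, pkt.src, pkt.dst)
            self.sessions[key] = {"state": "syn_sent"}   # step 408
            self._backup(key)                      # step 409
        elif pkt.flags in STATE_CHANGING:          # step 404 -> 405
            self._transition(key, pkt.flags)
            self._backup(key)
        self.forwarded.append(pkt)                 # step 410
        return "forwarded"

    def _transition(self, key: Key, flags: frozenset) -> None:
        # Constructed state machine; the patent only says the entry is
        # modified or deleted, it does not prescribe the state names.
        state = self.sessions[key]["state"]
        if flags == frozenset({"SYN", "ACK"}):
            new = "syn_received"
        elif flags == frozenset({"ACK"}) and state == "syn_received":
            new = "established"
        elif flags == frozenset({"FIN"}):
            new = "closing"
        elif flags == frozenset({"RST"}):
            new = None                             # session torn down
        else:
            new = state
        if new is None:
            del self.sessions[key]
        else:
            self.sessions[key]["state"] = new


def tables_consistent(a: "Firewall", b: "Firewall") -> bool:
    """True when both firewalls record exactly the same session information."""
    return a.sessions == b.sessions


if __name__ == "__main__":
    fw1, fw2 = Firewall("fw1"), Firewall("fw2")
    fw1.peer = fw2
    fw1.receive(Packet("tcp", "10.0.0.1:1234", "10.0.0.2:80", frozenset({"SYN"})))
    print(fw1.sessions, tables_consistent(fw1, fw2))
```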
... backup is described by way of example; for N + 1 backup networking in a network system (N greater than 2), the principle is similar.

The above embodiments describe a method for implementing information backup in detail. Correspondingly, embodiments of the present invention provide a firewall and a network system.

Referring to FIG. 4, which is a schematic structural diagram of a firewall according to an embodiment of the present invention. As shown in FIG. 4, the firewall includes: a receiving unit 51 and a processing unit 52.
The receiving unit 51 is configured to receive packets.
The processing unit 52 is configured to back up the changed session information to another firewall when it detects that the received packet causes the recorded session information to change.
The processing unit 52 further includes: a storage unit 521, a search unit 522, and a first processing unit 523.
The storage unit 521 is configured to record session information. The search unit 522 is configured to search the session information recorded in the storage unit 521 for the session corresponding to the packet.
The first processing unit 523 is configured to, when the search unit 522 does not find the session corresponding to the packet, establish a session according to the packet, add the session information of that session in the storage unit 521, and back up the newly added session information to the other firewall. In this case the packet processed by the first processing unit 523 may be an ICMP packet, a UDP packet, or a SYN packet among TCP packets.
The processing unit 52 further includes: a second processing unit 524. The second processing unit 524 is configured to, when the search unit 522 finds the session corresponding to the packet and it is further determined that the packet is one that changes the session state, update the session information corresponding to that session in the storage unit 521 according to the packet, and back up the updated session information to the other firewall. Updating the session information corresponding to the session here includes: modifying or deleting the session information corresponding to the session. The packets that change the session state include: SYN+ACK packets, ACK packets, RST packets, or FIN packets among TCP packets.
Referring to FIG. 5, which is a schematic structural diagram of a network system according to an embodiment of the present invention. As shown in FIG. 5, the network system includes: a first firewall 61 and a second firewall 62. The first firewall 61 is configured to receive a packet and detect whether the received packet causes the recorded session information to change, and if so, send out the changed session information.
The second firewall 62 is configured to receive the changed session information sent by the first firewall 61 and back it up.
The first firewall 61 further includes: a receiving unit and a processing unit.
The receiving unit is configured to receive packets.
The processing unit is configured to search the recorded session information for the session corresponding to the packet; when the session corresponding to the packet is not found, it establishes a session according to the packet, adds the session information of that session, and backs up the newly added session information to the other firewall. When the processing unit finds the session corresponding to the packet and further determines that the packet is one that changes the session state, it updates the session information corresponding to that session according to the packet and backs up the updated session information to the other firewall. For a more specific structure of the first firewall 61, refer to the structure shown in FIG. 4 above, which is not described again here. It should be noted that the first firewall 61 and the second firewall 62 described here are relative to each other; the second firewall 62 may also have the structure shown in FIG. 4.
In summary, because the technical solution provided by the embodiments of the present invention backs up the changed session information to another firewall as soon as it detects that a received packet has changed the recorded session information, this immediate backup mechanism ensures that the session information recorded on the firewalls stays consistent in real time. Further, the technical solution provided by the embodiments of the present invention proposes different processing flows for the different protocol types of received packets, which makes the application more flexible.

A person of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for implementing information backup, used to implement information backup between at least two firewalls, characterized by including:
receiving a packet;
when it is detected that the received packet causes the recorded session information to change, backing up the changed session information to another firewall.
2. The method for implementing information backup according to claim 1, characterized in that the step of backing up the changed session information to another firewall when it is detected that the received packet causes the recorded session information to change includes:
searching the recorded session information for the session corresponding to the packet, and, when the session corresponding to the packet is not found, establishing a session according to the packet, adding the session information of the session, and backing up the newly added session information to the other firewall.
3. The method for implementing information backup according to claim 2, characterized in that the packet is an Internet Control Message Protocol (ICMP) packet, a User Datagram Protocol (UDP) packet, or a connection establishment request (SYN) packet among Transmission Control Protocol (TCP) packets.
4. The method for implementing information backup according to claim 2, characterized in that the method further includes:
when the session corresponding to the packet is found, and it is further determined that the packet is one that changes the session state, updating the session information corresponding to the session according to the packet, and backing up the updated session information to the other firewall.
5. The method for implementing information backup according to claim 4, characterized in that updating the session information corresponding to the session includes: modifying or deleting the session information corresponding to the session.
6. The method for implementing information backup according to claim 4 or 5, characterized in that the packets that change the session state include, among Transmission Control Protocol (TCP) packets: a connection establishment request acknowledgement (SYN plus ACK) packet, an acknowledgement (ACK) packet, a reset (RST) packet, or a finish (FIN) packet.
7. A firewall, characterized by including:
a receiving unit, configured to receive a packet;
a processing unit, configured to back up the changed session information to another firewall when it is detected that the received packet causes the recorded session information to change.
8. The firewall according to claim 7, characterized in that the processing unit includes: a storage unit, configured to record session information;
a search unit, configured to search the session information recorded by the storage unit for the session corresponding to the packet;
a first processing unit, configured to, when the search unit does not find the session corresponding to the packet, establish a session according to the packet, add the session information of the session in the storage unit, and back up the newly added session information to the other firewall.
9. The firewall according to claim 8, characterized in that the processing unit further includes:
a second processing unit, configured to, when the search unit finds the session corresponding to the packet and it is further determined that the packet is one that changes the session state, update the session information corresponding to the session in the storage unit according to the packet, and back up the updated session information to the other firewall.
10. A network system, characterized by including: a first firewall, configured to receive a packet and detect whether the received packet causes the recorded session information to change, and if so, send out the changed session information;
a second firewall, configured to receive the changed session information sent by the first firewall and back it up.
11. The network system according to claim 10, characterized in that the first firewall includes: a receiving unit, configured to receive a packet; and a processing unit, configured to search the recorded session information for the session corresponding to the packet, and, when the session corresponding to the packet is not found, establish a session according to the packet, add the session information of the session, and back up the newly added session information to the other firewall.
12. The network system according to claim 11, characterized in that, when the processing unit finds the session corresponding to the packet and further determines that the packet is one that changes the session state, it updates the session information corresponding to the session according to the packet and backs up the updated session information to the other firewall.
PCT/CN2009/070979 2008-07-04 2009-03-24 Method, firewalls and network system for realizing information backup WO2010000146A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/469,413 US20100005263A1 (en) 2008-07-04 2009-05-20 Information backup method, firewall and network system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008101330215A CN101316271B (en) 2008-07-04 2008-07-04 Method for implementing information backup, fire wall and network system
CN200810133021.5 2008-07-04

Publications (1)

Publication Number Publication Date
WO2010000146A1 true WO2010000146A1 (en) 2010-01-07

Family

ID=40107110

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/070979 WO2010000146A1 (en) 2008-07-04 2009-03-24 Method, firewalls and network system for realizing information backup

Country Status (2)

Country Link
CN (1) CN101316271B (en)
WO (1) WO2010000146A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243591A (en) * 2014-09-24 2014-12-24 杭州华三通信技术有限公司 Method and device for synchronizing session information of security cluster
US20200280580A1 (en) * 2019-02-28 2020-09-03 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for processing data

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101316271B (en) * 2008-07-04 2011-11-02 成都市华为赛门铁克科技有限公司 Method for implementing information backup, fire wall and network system
CN101557317B (en) * 2009-05-26 2011-06-29 杭州华三通信技术有限公司 Active dialogue backup system, equipment and method in dual-server hot-backup network
CN102035687B (en) 2011-01-06 2012-10-17 华为技术有限公司 Backup method and equipment for TCP connection
CN102333080A (en) * 2011-08-02 2012-01-25 杭州迪普科技有限公司 Method and device for preventing message from attacking
US9106610B2 (en) * 2013-06-07 2015-08-11 International Business Machines Corporation Regional firewall clustering in a networked computing environment
CN104519065B (en) * 2014-12-22 2018-05-01 北京卓越信通电子股份有限公司 A kind of industry control method of realizing fireproof wall for supporting filtering Modbus Transmission Control Protocol
CN105591810B (en) * 2015-10-22 2019-04-12 新华三技术有限公司 Backup messages sending method and equipment
CN107508833A (en) * 2017-09-22 2017-12-22 江苏海事职业技术学院 A kind of Network Safety on Campus protection system dispositions method
CN110138656B (en) * 2019-05-28 2022-03-01 新华三技术有限公司 Service processing method and device
CN113965347B (en) * 2021-09-09 2024-03-15 山石网科通信技术股份有限公司 Firewall data processing method and device
CN114301766A (en) * 2021-12-30 2022-04-08 山石网科通信技术股份有限公司 Communication method, communication apparatus, storage medium, and processor
CN114979236A (en) * 2022-05-12 2022-08-30 山石网科通信技术股份有限公司 Data transmission method, data transmission device, storage medium and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1794644A (en) * 2005-12-31 2006-06-28 西安交大捷普网络科技有限公司 Link backup method of fire wall
CN1905460A (en) * 2005-07-29 2007-01-31 上海恩梯梯通信工程有限公司 Higher quarantine network system
CN101316271A (en) * 2008-07-04 2008-12-03 华为技术有限公司 Method for implementing information backup, fire wall and network system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100438362C (en) * 2003-11-27 2008-11-26 华为技术有限公司 A method for implementing software hot-backup of main and reserve machines

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905460A (en) * 2005-07-29 2007-01-31 上海恩梯梯通信工程有限公司 Higher quarantine network system
CN1794644A (en) * 2005-12-31 2006-06-28 西安交大捷普网络科技有限公司 Link backup method of fire wall
CN101316271A (en) * 2008-07-04 2008-12-03 华为技术有限公司 Method for implementing information backup, fire wall and network system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243591A (en) * 2014-09-24 2014-12-24 杭州华三通信技术有限公司 Method and device for synchronizing session information of security cluster
CN104243591B (en) * 2014-09-24 2018-02-09 新华三技术有限公司 The method and device of synchronous safety cluster session information
US20200280580A1 (en) * 2019-02-28 2020-09-03 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for processing data
US11689564B2 (en) * 2019-02-28 2023-06-27 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for processing data in cleaning device

Also Published As

Publication number Publication date
CN101316271B (en) 2011-11-02
CN101316271A (en) 2008-12-03

Similar Documents

Publication Publication Date Title
WO2010000146A1 (en) Method, firewalls and network system for realizing information backup
US8219606B2 (en) Methods, systems, and computer program products for sharing information for detecting an idle TCP connection
US8174964B2 (en) Detecting unavailable network connections
US11677862B1 (en) Methods, systems, and computer program products for sharing information for detecting an idle TCP connection
EP1742430A1 (en) Router redundancy in data communication networks
WO2008084389A2 (en) Method and system for providing peer liveness for high speed environments
US9674285B2 (en) Bypassing failed hub devices in hub-and-spoke telecommunication networks
WO2018121589A1 (en) Data link detection method, apparatus and system
US20080240118A1 (en) Sending Routing Protocol Data on a Multi-Access Network Segment
JP4494891B2 (en) Virtual connection with local connection conversion
JP2007515117A5 (en)
US20110213893A1 (en) Methods, systems, and computer program products for detecting an idle tcp connection
EP3806404A1 (en) Communication method, device and system for avoiding loop
US7769866B2 (en) Virtual connectivity with subscribe-notify service
WO2014153989A1 (en) Method for preventing ipsec tunnel oscillation caused by dpd detection failure
US9300642B2 (en) Restarting network reachability protocol sessions based on transport layer authentication
US10075565B1 (en) Methods, systems, and computer program products for sharing information for detecting an idle TCP connection
WO2011060677A1 (en) Method, device and system for main/standby switch
US20100005263A1 (en) Information backup method, firewall and network system
US10680930B2 (en) Method and apparatus for communication in virtual network
Cisco General Commands
So-In et al. PETS: persistent TCP using simple freeze
Teklemariam et al. Transparent Recovery of Dynamic States on Constrained Nodes through Deep Packet Inspection
Vijayan et al. A study on disruption tolerant session based mobile architecture

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09771916

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1)EPC

122 Ep: pct application non-entry in european phase

Ref document number: 09771916

Country of ref document: EP

Kind code of ref document: A1