WO2016074502A1 - Method and device for implementing virtual firewall - Google Patents

Publication number
WO2016074502A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual firewall
information
data traffic
identifier
instance
Application number
PCT/CN2015/085627
Other languages
French (fr)
Chinese (zh)
Inventor
王煜
Original Assignee
中兴通讯股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols

Definitions

  • the present invention relates to the field of network security, and in particular, to a method and apparatus for implementing a virtual firewall.
  • in the traditional solution, when the system requires multiple sets of firewall protection, it is common to deploy multiple physical firewalls.
  • the traditional method is to deploy a firewall in front of the CE device for management and configuration. For example, in the MPLS VPN network, security protection needs to be performed between VPNs.
  • the traditional solution has obvious shortcomings:
  • the embodiments of the present invention provide a method and an apparatus for implementing a virtual firewall.
  • the main purpose of the present invention is to solve the technical problem of implementing multiple virtual firewall instances on a single hardware platform.
  • a method for implementing a virtual firewall is provided by an embodiment of the present invention, where the method includes:
  • the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and an ACL rule group is searched according to the packet information of the data traffic;
  • the first information includes at least a quintuple, VLAN information, or IP information in the packet of the data traffic; and the second information includes at least a quintuple in the packet of the data traffic.
  • the obtaining the identifier of the virtual firewall instance according to the first information of the received data traffic includes:
  • the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and after the ACL rule group is searched according to the packet information of the data traffic, the method further includes:
  • the VLAN mapping table includes a mapping between the VLAN information of the data traffic and the identifier of the virtual firewall instance; if yes, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic.
  • the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and after the ACL rule group is searched according to the packet information of the data traffic, the method further includes:
  • the message information includes at least the VLAN information
  • the first VPN mapping table includes a correspondence between the VLAN information and the VPN information
  • the second VPN mapping table includes a correspondence between the VPN information and the identifier of the virtual firewall instance; if yes, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and an ACL rule group is searched according to the packet information of the data traffic;
  • the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and after the ACL rule group is searched according to the packet information of the data traffic, the method further includes:
  • the IP mapping table includes a correspondence between the IP address and the identifier of the virtual firewall instance obtained by the HASH operation of the IP address; if yes, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic.
  • the method includes:
  • Performing a HASH operation on the second information to obtain a value H, where the low N bits of the value H are used to search for an index of a CAM table, and the high N bits of the value H are used to search for an identifier in the CAM table;
  • the identifier is matched against the pre-stored CAM table, the content of the matched CAM entry is obtained, and that content is compared with the second information; if they are the same, it is determined that the session entry matching the data traffic can be found according to the second information.
  • the method further includes:
  • the resource objects in the total resource queue QA in the total resource pool PA are first dequeued, and then enqueued into the resource queue Qv.
  • the resource objects in the resource queue Qv in the resource pool Pv are first dequeued, and then enqueued into the total resource queue QA;
  • Qv is a queue or stack for each type of resource in the resource pool of the virtual firewall instance; QA is the total queue corresponding to each type of resource in the resource pool of the virtual firewall instance; PA is the total resource pool of the virtual firewall instance; Pv is the resource pool corresponding to the virtual firewall instance VFWv.
  • an embodiment of the present invention further provides an apparatus for implementing a virtual firewall, where the apparatus includes:
  • An obtaining unit configured to obtain an identifier of the virtual firewall instance according to the first information of the received data traffic
  • the first searching unit is configured to search for the configuration parameter of the virtual firewall according to the identifier of the virtual firewall instance, and to search for an ACL rule group according to the packet information of the data traffic, if the session entry matching the data traffic cannot be found according to the second information of the data traffic;
  • a generating unit configured to generate a session entry according to the data traffic, the configuration parameter of the virtual firewall, and the ACL rule group, and to save the related security service parameters of the session in the data traffic in the session entry.
  • the first information includes at least a quintuple, VLAN information, or IP information in the packet of the data traffic; and the second information includes at least a quintuple in the packet of the data traffic.
  • the obtaining unit is configured to:
  • the obtaining unit is further configured to:
  • the VLAN mapping table includes a mapping between the VLAN information of the data traffic and the identifier of the virtual firewall instance; if yes, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic.
  • the obtaining unit is further configured to:
  • the message information includes at least the VLAN information
  • the first VPN mapping table includes a correspondence between the VLAN information and the VPN information
  • the second VPN mapping table includes a correspondence between the VPN information and the identifier of the virtual firewall instance;
  • if yes, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic.
  • the obtaining unit is further configured to:
  • the IP mapping table includes a correspondence between the IP address and the identifier of the virtual firewall instance obtained by the HASH operation of the IP address; if yes, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic.
  • the device further comprises a second searching unit, which is configured to:
  • the second search unit is configured to:
  • Performing a HASH operation on the second information to obtain a value H where a low N bit of the value H is used to search an index of a CAM table, and a high N bit of the value H is used to search for an identifier of the CAM table;
  • the identifier is matched against the pre-stored CAM table, the content of the matched CAM entry is obtained, and that content is compared with the second information; if they are the same, it is determined that the session entry matching the data traffic can be found according to the second information.
  • the device further comprises:
  • the deleting unit is configured to dequeue the resource objects in the resource queue Qv in the resource pool Pv before the virtual firewall instance VFWv is deleted, and then enqueue them into the total resource queue QA;
  • Qv is a queue or stack for each type of resource in the resource pool of the virtual firewall instance; QA is the total queue corresponding to each type of resource in the resource pool of the virtual firewall instance; PA is the total resource pool of the virtual firewall instance; Pv is the resource pool corresponding to the virtual firewall instance VFWv.
  • the identifier of the virtual firewall instance is obtained according to the first information of the received data traffic; if the session entry matching the data traffic is not found according to the second information of the data traffic, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic; the session entry is generated according to the data traffic, the configuration parameter of the virtual firewall, and the ACL rule group, and the related security service parameters of the session in the data traffic are saved in the session entry.
  • the physical firewall can be divided into multiple logical firewalls, and each logical firewall can independently apply for resources and configure different security policies to meet different security requirements of users.
  • the embodiment of the invention provides a method for implementing multiple virtual firewall instances on a single hardware platform, which solves the defects of the traditional firewall deployment. It can provide independent security service policies for different users while greatly reducing maintenance and management costs.
  • FIG. 1 is a schematic flowchart of a first embodiment of a method for implementing a virtual firewall according to the present invention
  • FIG. 2 is a schematic flowchart of a second embodiment of a method for implementing a virtual firewall according to the present invention
  • FIG. 3 is a schematic flowchart of a third embodiment of a method for implementing a virtual firewall according to the present invention.
  • FIG. 4 is a schematic flowchart of a fourth embodiment of a method for implementing a virtual firewall according to the present invention.
  • FIG. 5 is a schematic diagram of functional modules of a first embodiment of an apparatus for implementing a virtual firewall according to the present invention
  • FIG. 6 is a schematic diagram of functional modules of a second embodiment of an apparatus for implementing a virtual firewall according to the present invention.
  • FIG. 7 is a schematic diagram of functional modules of a third embodiment of an apparatus for implementing a virtual firewall according to the present invention.
  • FIG. 8 is a schematic diagram of functional modules of a fourth embodiment of an apparatus for implementing a virtual firewall according to the present invention.
  • Embodiments of the present invention provide a method for implementing a virtual firewall.
  • FIG. 1 is a schematic flowchart of a first embodiment of a method for implementing a virtual firewall according to the present invention.
  • the method for implementing a virtual firewall includes:
  • Step 101 Acquire an identifier of the virtual firewall instance according to the first information of the received data traffic.
  • the first information includes at least a quintuple, virtual local area network (VLAN) information, or Internet Protocol (IP) information in the packet of the data traffic.
  • VLAN: virtual local area network
  • IP: Internet Protocol
  • the identifier of the virtual firewall instance is obtained according to the first information of the received data traffic, including:
  • the identifier of the virtual firewall instance is obtained according to the first packet information of the data traffic and the pre-stored VLAN mapping table.
  • the first packet information includes at least VLAN information
  • the VLAN mapping table includes a mapping between the VLAN information of the data traffic and the identifier of the virtual firewall instance; if yes, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic;
  • the first packet information includes at least a VLAN.
  • the ID of the virtual firewall instance is used to find the configuration parameters of the virtual firewall, and the ACL rule group is searched according to the packet information of the data traffic.
  • the identifier of the virtual firewall instance is obtained according to the second packet information of the data traffic and the pre-stored IP mapping table, where the second packet information includes at least an IP address, and the IP mapping table includes a correspondence between the IP address and the identifier of the virtual firewall instance obtained by the HASH operation of the IP address.
  • the shunt (traffic distribution) module is started first, that is, the mapping tables are initialized; then the session management module is started, that is, the session table is initialized; then the resource pool module is started, that is, the system resource queues are initialized; finally, the hierarchical management module is started, that is, the virtual firewall instance table is initialized.
  • Initialization of the mapping tables means that the interface mapping table, VPN mapping table, VLAN mapping table, and IP mapping table each apply for the corresponding address space and clear the requested space.
  • For the linear tables, such as the interface mapping table, the VPN mapping table, and the VLAN mapping table, the size of the address space to be applied for can be calculated from the number of interfaces, VPNs, and VLANs actually supported by the system; the IP mapping table is a HASH table and applies for the corresponding address space according to the configuration specifications supported by the system. If the IP mapping table requires CAM table support, the corresponding address space is also requested for the CAM table.
  • Initialization of the session table means requesting the corresponding address space for the session HASH+CAM table and clearing the requested space.
  • Initialization of the virtual firewall instance table means applying for the corresponding address space according to the number of virtual firewall instances supported by the system and clearing the requested space.
  • the traffic distribution mechanism is to send the data traffic received by the system to the corresponding virtual firewall instance. That is, the interface information of the received data traffic or the packet information of the data traffic (such as the VPN, VLAN, or IP information in the packet) is matched with the configuration information of the virtual firewall instance, and the data traffic is sent to the corresponding virtual firewall instance.
  • the corresponding security service is provided by the virtual firewall instance.
  • the traffic distribution mechanism is implemented by maintaining an interface mapping table, a VLAN mapping table, a VPN mapping table, and an IP mapping table.
  • the interface mapping table uses a linear table to store the correspondence between the interface and the virtual firewall instance.
  • the keyword of the table is the interface index (IF-ID), and the result is the index (VFW-ID) of the virtual firewall instance to which the interface belongs.
  • the VLAN mapping table uses a linear table to store which VPN or virtual firewall instance the VLAN belongs to.
  • the key of the table is the VLAN index (VLAN-ID), and the result is the VPN index (VPN-ID) to which the VLAN belongs or the index (VFW-ID) of the virtual firewall instance.
  • the VPN mapping table uses a linear table to store the correspondence between the VPN and the virtual firewall instance.
  • the keyword of the table is the VPN index (VPN-ID), and the result is the index (VFW-ID) of the virtual firewall instance to which the VPN belongs.
  • the IP mapping table uses a HASH table to store the correspondence between the IP address and the virtual firewall.
  • the key of the table is the IP mapping table index (IP-ID) obtained by the HASH operation of the IP address, and the result is the index (VFW-ID) of the virtual firewall instance to which the IP address belongs.
  • IP-ID: IP mapping table index
  • VFW-ID: index of the virtual firewall instance to which the IP address belongs.
  • data traffic is assigned to a virtual firewall instance by setting the VFW-ID field in the corresponding entry of the interface mapping table, VLAN mapping table, VPN mapping table, or IP mapping table.
  • For example, to have the data traffic received on interface a processed by the virtual firewall instance VFWx (whose VFW-ID is x), the VFW-ID field in entry a of the interface mapping table is set to x.
  • to have the data traffic whose destination IP address is a specific IPb processed by the virtual firewall instance VFWy (whose VFW-ID is y), IPb is HASH-operated to obtain the HASH value b, and then the VFW-ID field in entry b of the IP mapping table is set to y.
  • the interface mapping table, the VLAN mapping table, the VPN mapping table, and the IP mapping table are searched according to the interface information of the received data traffic or the packet information of the data traffic, the virtual firewall instance index corresponding to the data traffic is obtained, and then the data traffic is sent to that virtual firewall instance for subsequent processing.
  • If a certain data traffic matches entries in more than one of the interface mapping table, the VLAN mapping table, the VPN mapping table, and the IP mapping table, the priority of the mapping tables determines which virtual firewall instance the data traffic is sent to.
  • the interface mapping table has the highest priority
  • the VLAN mapping table is the second
  • the VPN mapping table is third
  • the IP mapping table has the lowest priority.
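The traffic distribution ("shunt") lookup described above, as an added worked example that is not part of the patent: four mapping tables resolve received traffic to a VFW-ID with interface > VLAN > VPN > IP priority, and a VLAN entry may point either to an instance or to a VPN. The table layout, the FNV-1a hash used for the IP mapping table index, and the Packet fields are assumptions.

```python
"""Traffic distribution ("shunt") lookup: four mapping tables resolve received
traffic to a virtual firewall instance index (VFW-ID) with the priority
interface > VLAN > VPN > IP.  Added example, not the patent's own code; the
table layout, the FNV-1a hash and the Packet fields are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

VFW_NONE = -1  # constructed marker for a cleared (unconfigured) table entry


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: receiving interface plus the header fields the
    shunt module matches on.  vlan_id is None for untagged traffic."""
    if_id: int
    vlan_id: Optional[int]
    dst_ip: str


def ip_hash(ip: str, table_size: int) -> int:
    """Assumed HASH operation for the IP mapping table: 32-bit FNV-1a over the
    address bytes, reduced to an index (the IP-ID) into a table_size-slot table."""
    h = 0x811C9DC5
    for b in ipaddress.ip_address(ip).packed:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h % table_size


class ShuntModule:
    def __init__(self, n_if: int, n_vlan: int, n_vpn: int, ip_table_size: int):
        # Linear tables sized from what the system supports; all entries cleared.
        self.if_map = [VFW_NONE] * n_if
        # A VLAN entry holds ("vfw", VFW-ID) or ("vpn", VPN-ID), since the VLAN
        # mapping table records which VPN *or* which instance the VLAN belongs to.
        self.vlan_map = [None] * n_vlan
        self.vpn_map = [VFW_NONE] * n_vpn
        # IP mapping table: slot = hash(address); the address is stored with the
        # VFW-ID so a hash collision is detected instead of misrouting traffic.
        self.ip_map = [None] * ip_table_size

    # --- configuration (super administrator) ------------------------------
    def bind_interface(self, if_id: int, vfw_id: int) -> None:
        self.if_map[if_id] = vfw_id

    def bind_vlan(self, vlan_id: int, target: Tuple[str, int]) -> None:
        self.vlan_map[vlan_id] = target

    def bind_vpn(self, vpn_id: int, vfw_id: int) -> None:
        self.vpn_map[vpn_id] = vfw_id

    def bind_ip(self, ip: str, vfw_id: int) -> bool:
        """Set the VFW-ID field of entry hash(ip).  Returns False if the slot is
        already used by a different address (collision), leaving it unchanged."""
        idx = ip_hash(ip, len(self.ip_map))
        cur = self.ip_map[idx]
        if cur is not None and cur[0] != ip:
            return False
        self.ip_map[idx] = (ip, vfw_id)
        return True

    # --- per-packet lookup ------------------------------------------------
    def resolve(self, pkt: Packet) -> Optional[int]:
        """Return the VFW-ID for pkt, or None if no table matches.  Tables are
        consulted in priority order and the first hit wins."""
        if 0 <= pkt.if_id < len(self.if_map) and self.if_map[pkt.if_id] != VFW_NONE:
            return self.if_map[pkt.if_id]
        vpn_id = None
        if pkt.vlan_id is not None and 0 <= pkt.vlan_id < len(self.vlan_map):
            entry = self.vlan_map[pkt.vlan_id]
            if entry is not None:
                kind, value = entry
                if kind == "vfw":
                    return value
                vpn_id = value  # VLAN belongs to a VPN: continue with the VPN table
        if vpn_id is not None and 0 <= vpn_id < len(self.vpn_map):
            if self.vpn_map[vpn_id] != VFW_NONE:
                return self.vpn_map[vpn_id]
        entry = self.ip_map[ip_hash(pkt.dst_ip, len(self.ip_map))]
        if entry is not None and entry[0] == pkt.dst_ip:
            return entry[1]
        return None
```

Traffic that matches no table yields None; a real deployment has to decide whether such traffic is dropped or sent to a default instance, which the patent leaves to configuration.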
  • Step 102 If the session entry matching the data traffic cannot be found according to the second information of the data traffic, the configuration parameter of the virtual firewall is searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic;
  • the second information includes at least a quintuple in the packet of the data traffic.
  • the session management mechanism is that after the virtual firewall instance receives the data traffic, the data traffic is matched with the ACL rule group to generate a corresponding session entry.
  • the virtual firewall instance can provide security services related to the session state, such as ASPF and NAT ALG, according to the related state changes in the session table. It can also provide security services such as address binding, blacklist, address translation, statistics, and attack defense according to the statistics of the session table.
  • Step 103 Generate a session entry according to the data traffic, the configuration parameters of the virtual firewall, and the ACL rule group, and save the related security service parameters of the session in the data traffic in the session entry.
  • the session management mechanism has the following advantage: after the virtual firewall instance receives the first packet of a session, the configuration parameters in the virtual firewall instance table and the ACL rule group matching the packet are obtained, a session entry is automatically generated, and the session-related security service parameters are saved in the session entry. Then, when the virtual firewall instance receives subsequent packets of the session, it does not need to search the virtual firewall instance table or the ACL rule group again, and directly reads the information in the session entry. In this way, the processing efficiency for the subsequent packets of the session is greatly improved.
  • a "session", also called a "stream", contains the packets in both directions that are uniquely determined by the quintuple.
  • the forward packet sent by A to B that is, the source IP of the packet is IPA
  • the destination IP is IPB
  • the source port is PORTA
  • the destination port is PORTB
  • the protocol is PROX
  • the reverse packet returned by B to A, that is, the source IP of the packet is IPB, the destination IP is IPA, the source port is PORTB, the destination port is PORTA, and the protocol is PROX.
  • the quintuples of the packets in the two directions are simply reversed, and they belong to one session.
  • the virtual firewall instance manages its own session resources independently. That is, each virtual firewall instance logically maintains a separate session table (FT). Each entry in the FT table corresponds to a session, and all the information related to the session is saved:
  • the status information such as the TCP connection status and the FTP status, can be used to provide an ASPF status tracking service for the session based on the status information, or provide related anti-attack services based on the statistics of the relevant status of all sessions.
  • the aging information such as the session creation timestamp and update timestamp, can be used to calculate the remaining aging time of the session based on the timestamp and determine when the session is aged.
  • Security policy information, such as the session's NAT policy, ACL policy, ASPF policy, and ALG policy, can be used to forward, drop, send, or modify the corresponding protocol fields and then forward the packet based on this policy information.
  • Statistics such as the number of packets sent and received by the session, can provide session monitoring services for these statistics.
  • Forwarding information such as Layer 3 routing information and Layer 2 forwarding information, can provide data traffic forwarding services based on these forwarding information.
  • the maximum number of sessions CFT saved in the FT table is specified.
  • the value of CFT is relatively large, such as 128K. Therefore, the FT table can adopt the secondary search structure of HASH+CAM to improve the search efficiency.
  • After the virtual firewall instance receives a packet, it first searches the FT table. If the search fails, the virtual firewall instance table and the ACL rule group are searched, and the flow table entry is established according to the matched security service parameters. If the search succeeds, the flow table entry is read directly. Then, according to the information in the flow table entry, the corresponding security policy is executed on the packet.
  • the identifier of the virtual firewall instance is obtained according to the first information of the received data traffic; and if the session entry matching the data traffic cannot be found according to the second information of the data traffic, the configuration parameters of the virtual firewall are searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic.
  • Each logical firewall can independently apply for resources and configure different security policies to meet different security requirements of users.
  • the present invention provides a method for implementing multiple virtual firewall instances on a single hardware platform, which solves the defects of traditional firewall deployment. It can provide independent security service policies for different users while greatly reducing maintenance and management costs.
  • FIG. 2 is a schematic flowchart diagram of a second embodiment of a method for implementing a virtual firewall according to the present invention.
  • the method further includes:
  • Step 104 Search for a session entry that matches the data traffic according to the second information.
  • the low N bits of the value H are used to search for an index of the CAM table, and the high N bits of the value H are used to search for an identifier in the CAM table;
  • the identifier is matched against the pre-stored CAM table, the content of the matched CAM entry is obtained, and that content is compared with the second information. If they are the same, it is determined that the session entry matching the data traffic can be found according to the second information; if they differ, it is determined that the session entry matching the data traffic cannot be found according to the second information;
  • the quintuple (source IP, destination IP, source port, destination port, protocol) and the VPN index VPN-ID in the packet are subjected to a 128-bit HASH operation to obtain a HASH value H.
  • bits 0 to N-1 of the value H are taken as the CAM table index IDX_CAM corresponding to the FT entry, and the remaining bits of the value H are searched for in the CAM table corresponding to IDX_CAM. If there is no matching CAM entry, the search fails and the session does not exist in the FT table. If there is a matching CAM entry IDX_ENTRY, the corresponding session index S-ID is calculated.
  • the keyword is then compared for an exact match to confirm that it is the actually required entry.
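The HASH+CAM session lookup of step 104 together with the first-packet path of steps 102 and 103, as an added example that is not part of the patent: a 128-bit hash of the quintuple and VPN-ID is split into a CAM index (low N bits) and an identifier (remaining bits), a CAM hit is confirmed by an exact keyword compare, and on a miss the instance's configuration and ACL rule group build a new entry that both directions of the session then hit. The hash function, N, the canonical ordering of the two directions, the ACL rule format and the entry fields are assumptions.

```python
"""Session table (FT) with the two-level HASH+CAM search, plus the first-packet
path of steps 102-103: on an FT miss the instance's configuration and ACL rule
group are consulted and a session entry is created; later packets of either
direction hit that entry directly.  Added example, not the patent's own code;
the hash function, N, the canonical key, the ACL format and the entry fields
are assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Quintuple = Tuple[str, str, int, int, int]  # (src_ip, dst_ip, sport, dport, proto)


def canonical(q: Quintuple) -> Quintuple:
    """Both directions of a session share one entry: order the two endpoints so
    that the reverse packet (B -> A) yields the same key as the forward one."""
    src, dst, sp, dp, proto = q
    return q if (src, sp) <= (dst, dp) else (dst, src, dp, sp, proto)


def hash128(q: Quintuple, vpn_id: int) -> int:
    """128-bit HASH over the canonical quintuple and the VPN-ID (assumed BLAKE2b;
    the patent only requires a 128-bit hash, not a cryptographic one)."""
    data = "|".join(map(str, canonical(q) + (vpn_id,))).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=16).digest(), "big")


@dataclass
class SessionEntry:
    key: Quintuple          # canonical quintuple
    vpn_id: int
    vfw_id: int
    acl_action: str         # security policy copied from the matching ACL rule
    config: dict            # instance parameters copied from the VFW table
    packets: int = 0        # statistics field


class SessionTable:
    def __init__(self, n_bits: int):
        self.n_bits = n_bits
        # One CAM "table" per index: identifier (high bits of H) -> session IDs.
        self.cam: List[Dict[int, List[int]]] = [dict() for _ in range(1 << n_bits)]
        self.entries: Dict[int, SessionEntry] = {}

    def _split(self, q: Quintuple, vpn_id: int) -> Tuple[int, int]:
        h = hash128(q, vpn_id)
        return h & ((1 << self.n_bits) - 1), h >> self.n_bits  # (IDX_CAM, identifier)

    def lookup(self, q: Quintuple, vpn_id: int) -> Optional[SessionEntry]:
        idx_cam, ident = self._split(q, vpn_id)
        # CAM match on the identifier, then an exact compare of the keyword:
        # two different sessions may share both IDX_CAM and the identifier.
        for s_id in self.cam[idx_cam].get(ident, []):
            e = self.entries[s_id]
            if e.key == canonical(q) and e.vpn_id == vpn_id:
                return e
        return None

    def insert(self, e: SessionEntry) -> int:
        idx_cam, ident = self._split(e.key, e.vpn_id)
        s_id = len(self.entries) + 1  # S-ID; entries are never removed in this model
        self.entries[s_id] = e
        self.cam[idx_cam].setdefault(ident, []).append(s_id)
        return s_id


def match_acl(rules: list, q: Quintuple) -> str:
    """Assumed ACL rule group: (src_prefix, dst_prefix, proto or None, action);
    first match wins, default deny.  Matched on the initiating direction."""
    src, dst = ipaddress.ip_address(q[0]), ipaddress.ip_address(q[1])
    for s_pfx, d_pfx, proto, action in rules:
        if (src in ipaddress.ip_network(s_pfx) and dst in ipaddress.ip_network(d_pfx)
                and (proto is None or proto == q[4])):
            return action
    return "deny"


def process_packet(ft: SessionTable, vfw_table: dict, acl_groups: dict,
                   vfw_id: int, vpn_id: int, q: Quintuple) -> SessionEntry:
    """Steps 102-103: FT miss -> read the VFW configuration and ACL rule group and
    build the entry; FT hit -> reuse the saved parameters without re-searching."""
    e = ft.lookup(q, vpn_id)
    if e is None:
        e = SessionEntry(canonical(q), vpn_id, vfw_id,
                         match_acl(acl_groups[vfw_id], q), vfw_table[vfw_id])
        ft.insert(e)
    e.packets += 1
    return e
```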
  • FIG. 3 is a schematic flowchart diagram of a third embodiment of a method for implementing a virtual firewall according to the present invention.
  • the method further includes:
  • Step 105 When the virtual firewall instance VFWv is created, the resource objects in the total resource queue QA in the total resource pool PA are first dequeued, and then enqueued into the resource queue Qv.
  • Before the virtual firewall instance VFWv is deleted, the resource objects in the resource queue Qv in the resource pool Pv are first dequeued, and then enqueued into the total resource queue QA;
  • Qv is a queue or stack for each type of resource in the resource pool of the virtual firewall instance; QA is the total queue corresponding to each type of resource in the resource pool of the virtual firewall instance; PA is the total resource pool of the virtual firewall instance; Pv is the resource pool corresponding to the virtual firewall instance VFWv.
  • the resource pool mechanism means that each virtual firewall instance corresponds to a separate resource pool, and the virtual firewall instance only allows operation of resource objects in its own resource pool. That is, the virtual firewall instance is independently responsible for the application, collection, and aging of resource objects in the resource pool.
  • the resource objects herein include, but are not limited to, address resources, security domain resources, service resources, session resources, and the like.
  • the advantage of using the resource pool is that it can fully utilize the resources of the system and flexibly control the resources occupied by each virtual firewall instance.
  • independent resource pool management also greatly reduces the coupling between virtual firewall instances and reduces the interaction between them, making them easier to use.
  • Since the total number of resources in the system is limited, the resources allocated to the resource pool of each virtual firewall instance are also limited. For example, if the system supports up to 32M sessions and up to 256 virtual firewall instances, each virtual firewall instance can support up to 128K sessions on average.
  • the resource objects in the resource pool Pv corresponding to the virtual firewall instance VFWv can be managed separately by type: each type is managed by a queue (or stack) Qv, that is, each resource object of that type corresponds to a member of Qv.
  • the system resource can be regarded as the largest total resource pool PA, where each type of resource corresponds to a total queue QA.
  • When the super administrator creates a virtual firewall instance VFWv, it specifies the number of resource objects included in each resource queue Qv in the resource pool Pv; that is, the resource objects in the total resource queue QA in the total resource pool PA are first dequeued, and then enqueued into the resource queue Qv.
  • When the super administrator deletes the virtual firewall instance VFWv, the resource objects included in the resource queue Qv in the resource pool Pv are reclaimed; that is, the resource objects in the resource queue Qv in the resource pool Pv are first dequeued, and then enqueued into the total resource queue QA.
  • the virtual firewall administrator applies for, recycles, and ages the resource objects in the resource pool Pv, that is, performs the corresponding dequeue, enqueue, and enqueue operations on the resource objects in the corresponding resource queue Qv.
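The resource pool operations of step 105 and the super-administrator / virtual-firewall-administrator split described above, as an added example that is not part of the patent: creating an instance moves objects from the total queues QA into the instance queues Qv, deleting it moves them back, and the instance's own administrator can only dequeue (apply) and enqueue (recycle or age) within its own Qv, never from PA or another instance. The resource types, counts and object names are constructed.

```python
"""Resource pool mechanism: the total pool PA holds one total queue QA per
resource type; creating instance VFWv moves objects QA -> Qv, deleting it moves
them Qv -> QA, and the instance administrator only operates inside its own Qv.
Added example, not the patent's own code; types, counts and names are constructed."""
from collections import deque
from typing import Deque, Dict, Optional, Set


class TotalResourcePool:
    """PA: one total queue QA per resource type, holding every object the system has."""
    def __init__(self, capacity: Dict[str, int]):
        self.qa: Dict[str, Deque[str]] = {
            rtype: deque(f"{rtype}#{i}" for i in range(n)) for rtype, n in capacity.items()
        }


class InstancePool:
    """Pv for one virtual firewall instance: one queue Qv per resource type."""
    def __init__(self, vfw_id: int):
        self.vfw_id = vfw_id
        self.qv: Dict[str, Deque[str]] = {}
        self.in_use: Dict[str, Set[str]] = {}  # objects currently applied for


class ResourceManager:
    def __init__(self, capacity: Dict[str, int]):
        self.pa = TotalResourcePool(capacity)
        self.instances: Dict[int, InstancePool] = {}

    # --- super administrator operations -----------------------------------
    def create_instance(self, vfw_id: int, quota: Dict[str, int]) -> bool:
        """Dequeue quota[rtype] objects from each QA and enqueue them into Qv.
        Refused as a whole if any QA cannot satisfy its share, so a partially
        provisioned instance is never left behind."""
        if vfw_id in self.instances:
            return False
        for rtype, n in quota.items():
            if len(self.pa.qa.get(rtype, ())) < n:
                return False
        pool = InstancePool(vfw_id)
        for rtype, n in quota.items():
            pool.qv[rtype] = deque(self.pa.qa[rtype].popleft() for _ in range(n))
            pool.in_use[rtype] = set()
        self.instances[vfw_id] = pool
        return True

    def delete_instance(self, vfw_id: int) -> bool:
        """Reclaim: dequeue every object from each Qv and enqueue it into QA.
        Objects still applied for are reclaimed too, since the instance is gone."""
        pool = self.instances.pop(vfw_id, None)
        if pool is None:
            return False
        for rtype, q in pool.qv.items():
            while q:
                self.pa.qa[rtype].append(q.popleft())
            self.pa.qa[rtype].extend(sorted(pool.in_use[rtype]))
        return True

    # --- virtual firewall administrator operations -----------------------
    def apply(self, vfw_id: int, rtype: str) -> Optional[str]:
        """Dequeue one object from this instance's Qv.  Returns None when Qv is
        empty: the instance cannot borrow from PA or from another instance."""
        pool = self.instances[vfw_id]
        q = pool.qv.get(rtype)
        if not q:
            return None
        obj = q.popleft()
        pool.in_use[rtype].add(obj)
        return obj

    def recycle(self, vfw_id: int, rtype: str, obj: str) -> bool:
        """Enqueue an object back into Qv (recycling and aging are the same
        enqueue operation).  Rejects objects this instance did not hold."""
        pool = self.instances[vfw_id]
        if obj not in pool.in_use.get(rtype, set()):
            return False
        pool.in_use[rtype].remove(obj)
        pool.qv[rtype].append(obj)
        return True

    def free(self, rtype: str) -> int:
        """Objects of rtype still available in the total queue QA."""
        return len(self.pa.qa[rtype])
```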
  • FIG. 4 is a schematic flowchart diagram of a fourth embodiment of a method for implementing a virtual firewall according to the present invention.
  • the method further includes:
  • Step 106 Configure a first administrator for each virtual firewall instance and a second administrator for the first administrator.
  • the hierarchical management mechanism implements independent configuration management of the virtual firewall instance through a two-level management mode: the super administrator creates or deletes the virtual firewall instance and specifies the corresponding virtual firewall administrator; the virtual firewall administrator manages the virtual firewall instance independently.
  • when the super administrator creates or deletes a virtual firewall instance, the corresponding resource pool is allocated or reclaimed for the virtual firewall instance, that is, the previous resource pool module.
  • the super administrator also specifies which data traffic is or is not sent into this virtual firewall instance for processing, that is, the previous traffic distribution ("shunt") module.
  • the virtual firewall administrator manages the virtual firewall instance, that is, configures private ACL security rules to manage resource objects in the resource pool according to user security requirements.
  • a virtual firewall instance table stores the configuration information of each virtual firewall instance.
  • the virtual firewall instance table uses a linear table.
  • the key of the virtual firewall instance table is the index VFW-ID of the virtual firewall instance.
  • the result is the configuration parameters of the virtual firewall instance, for example the attack defense types enabled in the virtual firewall instance and their threshold parameters, or the configured blacklist parameters, etc.
  • when the virtual firewall administrator configures the relevant security services, the corresponding fields are updated.
  • the advantage of hierarchical management is that the super administrator only needs to pay attention to which system resources are allocated to each virtual firewall instance, while the management of the instance itself is the independent responsibility of the virtual firewall administrator, which makes the management of the virtual firewall more flexible and convenient.
  • the embodiment of the invention further provides an apparatus for implementing a virtual firewall.
  • FIG. 5 is a schematic diagram of functional modules of a first embodiment of an apparatus for implementing a virtual firewall according to the present invention.
  • the device for implementing a virtual firewall includes:
  • the obtaining unit 501 is configured to obtain an identifier of the virtual firewall instance according to the first information of the received data traffic;
  • the first information includes at least a quintuple, VLAN information, or IP information in the packet of the data traffic.
  • the obtaining unit 501 is configured to:
  • determine whether the identifier of the virtual firewall instance can be obtained according to the first packet information of the data traffic and the pre-stored VLAN mapping table, where the first packet information includes at least VLAN information and the VLAN mapping table includes the correspondence between the VLAN information of the data traffic and the identifier of the virtual firewall instance; if so, the configuration parameters of the virtual firewall are searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic;
  • otherwise, determine whether the identifier of the virtual firewall instance can be obtained according to the first packet information of the data traffic, a pre-stored first VPN mapping table and a pre-stored second VPN mapping table, where the first packet information includes at least VLAN information, the first VPN mapping table includes the correspondence between the VLAN information and the VPN information, and the second VPN mapping table includes the correspondence between the VPN information and the identifier of the virtual firewall instance; if so, the configuration parameters of the virtual firewall are searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic;
  • otherwise, determine whether the identifier of the virtual firewall instance can be obtained according to the second packet information of the data traffic and the pre-stored IP mapping table, where the second packet information includes at least an IP address and the IP mapping table includes the correspondence between the IP address and the identifier of the virtual firewall instance obtained through a HASH operation on that address; if so, the configuration parameters of the virtual firewall are searched according to the identifier of the virtual firewall instance, and the ACL rule group is searched according to the packet information of the data traffic.
  • the shunt (traffic distribution) module is started first, that is, the mapping tables are initialized; then the session management module is started, that is, the session table is initialized; then the resource pool module is started, that is, the system resource queues are initialized; finally the hierarchical management module is started, that is, the virtual firewall instance table is initialized.
  • initialization of the mapping tables means requesting the corresponding address space for the interface mapping table, the VPN mapping table, the VLAN mapping table and the IP mapping table, and zeroing the requested space.
  • for the linear tables, such as the interface mapping table, the VPN mapping table and the VLAN mapping table, the size of the address space to request can be calculated from the number of interfaces, VPNs and VLANs actually supported by the system; the IP mapping table is a HASH table and requests address space according to the configuration specifications supported by the system. If the IP mapping table requires CAM table support, the corresponding address space is also requested for the CAM table.
  • initialization of the session table means requesting the corresponding address space for the session HASH+CAM table and zeroing the requested space.
  • initialization of the virtual firewall instance table means requesting the corresponding address space according to the number of virtual firewall instances supported by the system, and zeroing the requested space.
  • the traffic distribution mechanism is to send the data traffic received by the system to the corresponding virtual firewall instance. That is, the interface information of the received data traffic or the packet information of the data traffic (such as the VPN, VLAN, or IP information in the packet) is matched with the configuration information of the virtual firewall instance, and the data traffic is sent to the corresponding virtual firewall instance.
  • the corresponding security service is provided by the virtual firewall instance.
  • the traffic distribution mechanism is implemented by maintaining an interface mapping table, a VLAN mapping table, a VPN mapping table, and an IP mapping table.
  • the interface mapping table uses a linear table to store the correspondence between the interface and the virtual firewall instance.
  • the key of the table is the interface index (IF-ID), and the result is the index (VFW-ID) of the virtual firewall instance to which the interface belongs.
  • the VLAN mapping table uses a linear table to store which VPN or virtual firewall instance the VLAN belongs to.
  • the key of the table is the VLAN index (VLAN-ID), and the result is the VPN index (VPN-ID) to which the VLAN belongs or the index (VFW-ID) of the virtual firewall instance.
  • the VPN mapping table uses a linear table to store the correspondence between the VPN and the virtual firewall instance.
  • the key of the table is the VPN index (VPN-ID), and the result is the index (VFW-ID) of the virtual firewall instance to which the VPN belongs.
  • the IP mapping table uses a HASH table to store the correspondence between the IP address and the virtual firewall.
  • the key of the table is the IP mapping table index (IP-ID) obtained by the HASH operation of the IP address, and the result is the index (VFW-ID) of the virtual firewall instance to which the IP address belongs.
  • IP-ID: the IP mapping table index; VFW-ID: the index of the virtual firewall instance to which the IP address belongs.
  • the super administrator specifies which data traffic is sent to which virtual firewall instance by setting the VFW-ID field of the corresponding entry in the interface mapping table, the VLAN mapping table, the VPN mapping table or the IP mapping table.
  • for example, for the data traffic of interface a to be processed by the virtual firewall instance VFWx (whose VFW-ID is x), the VFW-ID field of entry a in the interface mapping table is set to x.
  • for the data traffic whose destination IP address is a specific IPb to be sent to the specified virtual firewall instance VFWy (whose VFW-ID is y), IPb is hashed to obtain the HASH value b, and then the VFW-ID field of entry b in the IP mapping table is set to y.
  • the interface mapping table, the VLAN mapping table, the VPN mapping table and the IP mapping table are searched according to the interface information or the packet information of the received data traffic to obtain the index of the virtual firewall instance corresponding to the data traffic, and the data traffic is then sent to that virtual firewall instance for subsequent processing.
  • if a given data traffic matches entries in more than one of the interface mapping table, the VLAN mapping table, the VPN mapping table and the IP mapping table, the priority of the mapping tables determines which virtual firewall instance the data traffic is sent to:
  • the interface mapping table has the highest priority
  • the VLAN mapping table is second
  • the VPN mapping table is third
  • the IP mapping table has the lowest priority.
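The dispatch order above, written out as an added Python example (not code from the patent): the four mapping tables are consulted in the stated priority, the two configuration steps for interface a and address IPb are shown, and the IP lookup verifies the stored address behind the hash index so that a hash collision cannot steer one address's traffic into another instance. The hash function, table size and sample values are constructed.

```python
"""Traffic distribution ("shunt") over the four mapping tables.

Added example, not the patent's code. Table names and priorities follow
the text (interface > VLAN > VPN > IP); the hash function, table size and
sample values are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

IP_TABLE_BITS = 8  # constructed: the IP mapping table has 2**8 entries


def ip_hash(ip: str) -> int:
    """HASH operation turning an IPv4 address into the IP-ID table index.

    Toy hash (sum of octets modulo table size) chosen so that collisions
    are easy to show; a real device would use a stronger hash plus CAM.
    """
    return sum(int(o) for o in ip.split(".")) % (1 << IP_TABLE_BITS)


@dataclass
class Packet:
    if_id: int                     # receiving interface index (IF-ID)
    vlan_id: Optional[int] = None  # VLAN tag, if any
    dst_ip: str = "0.0.0.0"        # destination IP address


@dataclass
class Shunt:
    if_map: dict = field(default_factory=dict)    # IF-ID   -> VFW-ID
    vlan_map: dict = field(default_factory=dict)  # VLAN-ID -> ("vfw"|"vpn", id)
    vpn_map: dict = field(default_factory=dict)   # VPN-ID  -> VFW-ID
    ip_map: dict = field(default_factory=dict)    # IP-ID   -> (ip, VFW-ID)

    # --- configuration by the super administrator ---------------------
    def bind_interface(self, if_id: int, vfw_id: int) -> None:
        """Entry a of the interface mapping table: VFW-ID field := x."""
        self.if_map[if_id] = vfw_id

    def bind_vlan_to_vfw(self, vlan_id: int, vfw_id: int) -> None:
        self.vlan_map[vlan_id] = ("vfw", vfw_id)

    def bind_vlan_to_vpn(self, vlan_id: int, vpn_id: int) -> None:
        self.vlan_map[vlan_id] = ("vpn", vpn_id)

    def bind_vpn(self, vpn_id: int, vfw_id: int) -> None:
        self.vpn_map[vpn_id] = vfw_id

    def bind_ip(self, ip: str, vfw_id: int) -> int:
        """HASH IPb to index b, then set the VFW-ID field of entry b := y.

        The full address is stored next to the VFW-ID so a lookup can
        verify it (the role the text assigns to CAM support). A bucket
        already owned by a different address is refused rather than
        overwritten: overwriting would silently steer that address's
        traffic into another instance.
        """
        idx = ip_hash(ip)
        owner = self.ip_map.get(idx)
        if owner is not None and owner[0] != ip:
            raise ValueError(f"IP-ID {idx} already holds {owner[0]}")
        self.ip_map[idx] = (ip, vfw_id)
        return idx

    # --- per-packet lookup ----------------------------------------------
    def dispatch(self, pkt: Packet) -> Optional[int]:
        """Return the VFW-ID that should process pkt, or None if nothing matches."""
        # 1. interface mapping table: highest priority
        vfw = self.if_map.get(pkt.if_id)
        if vfw is not None:
            return vfw
        if pkt.vlan_id is not None:
            kind, ident = self.vlan_map.get(pkt.vlan_id, (None, None))
            # 2. VLAN mapping table pointing straight at an instance
            if kind == "vfw":
                return ident
            # 3. VLAN -> VPN, then VPN mapping table -> instance
            if kind == "vpn" and ident in self.vpn_map:
                return self.vpn_map[ident]
        # 4. IP mapping table: lowest priority; the hash index alone is
        #    not enough, the stored address must equal the packet's.
        entry = self.ip_map.get(ip_hash(pkt.dst_ip))
        if entry is not None and entry[0] == pkt.dst_ip:
            return entry[1]
        return None
```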
  • the first searching unit 502 is configured to: if the session entry matching the data traffic cannot be found according to the second information of the data traffic, find the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance, and find the ACL rule group according to the packet information of the data traffic.
  • the second information includes at least a quintuple in the packet of the data traffic.
  • the session management mechanism is that after the virtual firewall instance receives the data traffic, the data traffic is matched with the ACL rule group to generate a corresponding session entry.
  • the virtual firewall instance can provide session-state-related security services such as ASPF and NAT ALG according to the state changes recorded in the session table. It can also provide security services such as address binding, blacklisting, address translation, statistics and attack defense based on the statistics of the session table.
  • the generating unit 503 is configured to generate a session entry according to the data traffic, the configuration parameter of the virtual firewall, and the ACL rule group, and save the related security service parameter of the session in the data traffic in the session entry.
  • the session management mechanism has the advantage that, after the virtual firewall instance receives the first packet of a session, it can automatically generate a session entry according to the configuration parameters in the virtual firewall instance table and the ACL rule group matched by the packet, and save the session-related security service parameters in that entry. When the instance receives subsequent packets of the session, it does not need to search the virtual firewall instance table or the ACL rule group again; it directly reads the information of the session entry. In this way, the processing efficiency of the subsequent packets of the session is greatly improved.
  • a "session", also called a "flow", consists of the packets in both directions that are uniquely determined by a quintuple:
  • the forward packet sent by A to B, that is, a packet whose source IP is IPA, destination IP is IPB, source port is PORTA, destination port is PORTB and protocol is PROX;
  • the reverse packet returned by B to A, that is, a packet whose source IP is IPB, destination IP is IPA, source port is PORTB, destination port is PORTA and protocol is PROX.
  • the quintuples of the two directions are simply reversed, and both belong to the same session.
  • the virtual firewall instance manages its own session resources independently. That is, each virtual firewall instance logically maintains a separate session table (FT). Each entry in the FT corresponds to one session and holds all the information related to that session:
  • status information, such as the TCP connection state and the FTP state, which is used to provide the ASPF state-tracking service for the session or, from statistics over the states of all sessions, the related anti-attack services;
  • aging information, such as the session creation timestamp and update timestamp, which is used to calculate the remaining aging time of the session and to determine when the session is aged out;
  • security policy information, such as the session's NAT policy, ACL policy, ASPF policy and ALG policy, according to which the packets are forwarded, dropped, or have the corresponding protocol fields modified before being forwarded;
  • statistics, such as the number of packets sent and received by the session, on which session monitoring services are based;
  • forwarding information, such as Layer 3 routing information and Layer 2 forwarding information, on which the forwarding of the data traffic is based.
  • the maximum number of sessions CFT stored in the FT is specified.
  • the value of CFT is relatively large, for example 128K. Therefore the FT can adopt the two-level search structure of HASH+CAM to improve search efficiency.
  • each CAM table can store C_CAM entries, and each CAM entry corresponds to one session.
  • after the virtual firewall instance receives a packet, it first searches the FT. If the search fails, it searches the virtual firewall instance table and the ACL rule group and creates a flow table entry from the matched security service parameters; if the search succeeds, the flow table entry is read directly. The corresponding security policy is then applied to the packet according to the information in the flow table entry.
  • the identifier of the virtual firewall instance is obtained according to the first information of the received data traffic; and when the session entry matching the data traffic cannot be found according to the second information of the data traffic, the configuration parameters of the virtual firewall are found according to the identifier of the virtual firewall instance, and the ACL rule group is found according to the packet information of the data traffic.
  • Each logical firewall can independently apply for resources and configure different security policies to meet different security requirements of users.
  • the present invention provides a method for implementing multiple virtual firewall instances on a single hardware platform, which solves the defects of traditional firewall deployment. It can provide independent security service policies for different users while greatly reducing maintenance and management costs.
  • FIG. 6 is a schematic diagram of functional modules of a second embodiment of an apparatus for implementing a virtual firewall according to the present invention.
  • the device for implementing the virtual firewall further includes:
  • the second searching unit 504 is configured to:
  • perform a HASH operation on the second information to obtain a value H, where the low N bits of H are used to look up the index within a CAM table and the high N bits of H are used to look up the identifier of the CAM table;
  • if a pre-stored CAM table is matched, obtain the content of the matched CAM entry and compare it with the second information; if they are the same, determine that the session entry matching the data traffic can be found according to the second information; if they differ, determine that the session entry matching the data traffic cannot be found according to the second information;
  • if no pre-stored CAM table is matched, determine that the session entry matching the data traffic cannot be found according to the second information.
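An added Python example (not the patent's code) covering the session definition, the FT lookup and the second searching unit above: the quintuple is canonicalised so that both directions of a session share one key, H is hashed and split into CAM identifier and index, the stored content is compared before a hit is declared, and the first packet of a session builds the entry from the ACL rule group while later packets read it. N, the CAM geometry, the hash and the sample ACL rules are constructed.

```python
"""Session table lookup (HASH + CAM) and first-packet session creation.

Added example, not the patent's code. N, the hash function, the CAM
geometry and the sample ACL rules are constructed for the demonstration.
"""
import zlib
from dataclasses import dataclass, field
from typing import Optional, Tuple

N = 4                  # constructed: N bits each for CAM identifier and index
CAM_ENTRIES = 1 << N   # C_CAM entries per CAM table

Quintuple = Tuple[str, str, int, int, str]  # src ip, dst ip, sport, dport, proto


def session_key(q: Quintuple) -> Quintuple:
    """Canonical key shared by the forward (A->B) and reverse (B->A) packets."""
    a, b = (q[0], q[2]), (q[1], q[3])
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], hi[0], lo[1], hi[1], q[4])


def hash_h(key: Quintuple) -> int:
    """HASH operation on the second information (the quintuple) -> 32-bit H."""
    return zlib.crc32("|".join(map(str, key)).encode()) & 0xFFFFFFFF


def cam_coordinates(h: int) -> Tuple[int, int]:
    """High N bits of H select the CAM table, low N bits select the entry index."""
    return h >> (32 - N), h & (CAM_ENTRIES - 1)


@dataclass
class SessionEntry:
    key: Quintuple
    action: str        # security policy decided from the ACL rule group
    packets: int = 0   # statistics kept in the FT entry


@dataclass
class VirtualFirewall:
    vfw_id: int
    acl_rules: list                         # (dport, proto, action), first match wins
    default_action: str = "drop"
    ft: dict = field(default_factory=dict)  # cam_id -> {index: SessionEntry}

    def _locate(self, q: Quintuple):
        key = session_key(q)
        cam_id, idx = cam_coordinates(hash_h(key))
        return key, cam_id, idx

    def lookup(self, q: Quintuple) -> Optional[SessionEntry]:
        """HASH+CAM retrieval: the slot must exist AND its content must equal the key."""
        key, cam_id, idx = self._locate(q)
        entry = self.ft.get(cam_id, {}).get(idx)
        # None covers: no such CAM table, empty slot, or a different session in the slot
        return entry if entry is not None and entry.key == key else None

    def match_acl(self, q: Quintuple) -> str:
        """Consult the instance's private ACL rule group for the first packet."""
        for dport, proto, action in self.acl_rules:
            if dport == q[3] and proto == q[4]:
                return action
        return self.default_action

    def process(self, q: Quintuple) -> Tuple[bool, str]:
        """Return (hit, action). The first packet builds the entry; later ones read it."""
        entry = self.lookup(q)
        if entry is None:
            key, cam_id, idx = self._locate(q)
            slot = self.ft.setdefault(cam_id, {})
            if idx in slot:  # assumption: a colliding live session is not evicted
                return False, self.default_action
            entry = SessionEntry(key, self.match_acl(q))
            slot[idx] = entry
            hit = False
        else:
            hit = True
        entry.packets += 1
        return hit, entry.action
```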
  • FIG. 7 is a schematic diagram of functional modules of a third embodiment of an apparatus for implementing a virtual firewall according to the present invention.
  • the device for implementing the virtual firewall further includes:
  • the creating unit 505 is configured to, when creating a virtual firewall instance VFWv, first dequeue resource objects from the total resource queue QA of the total resource pool PA and then enqueue them to the resource queue Qv;
  • the deleting unit 506 is configured to, when deleting the virtual firewall instance VFWv, first dequeue the resource objects from the resource queue Qv of the resource pool Pv and then enqueue them to the total resource queue QA;
  • Qv is a queue or stack for each resource type in the resource pool of the virtual firewall instance; QA is the total resource queue corresponding to each resource type; PA is the total resource pool of the virtual firewall instances; Pv is the resource pool corresponding to the virtual firewall instance VFWv.
  • the resource pool mechanism means that each virtual firewall instance corresponds to a separate resource pool, and the virtual firewall instance only allows operation of resource objects in its own resource pool. That is, the virtual firewall instance is independently responsible for the application, collection, and aging of resource objects in the resource pool.
  • the resource objects herein include, but are not limited to, address resources, security domain resources, service resources, session resources, and the like.
  • the advantage of using the resource pool is that it can fully utilize the resources of the system and flexibly control the resources occupied by each virtual firewall instance.
  • independent resource pool management also greatly reduces the coupling and interaction between virtual firewall instances, making them easier to use.
  • since the total number of resources in the system is limited, the resources allocated to the resource pool of each virtual firewall instance are also limited. For example, if the system supports up to 32M sessions and up to 256 virtual firewall instances, each virtual firewall instance can support up to 128K sessions on average.
  • the resource objects in the resource pool Pv corresponding to the virtual firewall instance VFWv can be managed separately according to the type.
  • Each type is managed by a queue (or stack) Qv, that is, each resource object of the type corresponds to one member of the Qv.
  • the system resources as a whole can be seen as one largest total resource pool PA, in which each type of resource corresponds to a total queue QA.
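An added Python example (not the patent's code) of the queue choreography described for the resource pool: creation dequeues from QA into Qv, deletion returns Qv to QA, and the virtual firewall administrator can only dequeue from and enqueue to its own Qv. The resource types, capacities and the rule that objects still held are aged out on deletion are assumptions.

```python
"""Resource pool queues: a total queue QA per resource type in PA, one queue Qv
per type in each instance's Pv.

Added example, not the patent's code. Resource types, capacities and the
forced aging of held objects on deletion are constructed assumptions.
"""
from collections import deque
from typing import Dict, Set


class ResourcePools:
    def __init__(self, totals: Dict[str, int]) -> None:
        # QA[t] is pre-filled with the object ids of every system resource of type t
        self.qa: Dict[str, deque] = {t: deque(range(n)) for t, n in totals.items()}
        self.pv: Dict[int, Dict[str, deque]] = {}       # vfw_id -> {type: Qv}
        self.held: Dict[int, Dict[str, Set[int]]] = {}  # objects an instance dequeued

    # --- super administrator -------------------------------------------
    def create_instance(self, vfw_id: int, quota: Dict[str, int]) -> None:
        """Create VFWv: dequeue quota[t] objects from QA[t], enqueue them on Qv[t]."""
        if vfw_id in self.pv:
            raise ValueError(f"VFW{vfw_id} already exists")
        # Check every type first so a partially provisioned instance never appears.
        for t, n in quota.items():
            if len(self.qa[t]) < n:
                raise RuntimeError(f"QA[{t}] holds {len(self.qa[t])}, {n} requested")
        self.pv[vfw_id], self.held[vfw_id] = {}, {}
        for t, n in quota.items():
            self.pv[vfw_id][t] = deque(self.qa[t].popleft() for _ in range(n))
            self.held[vfw_id][t] = set()

    def delete_instance(self, vfw_id: int) -> None:
        """Delete VFWv: dequeue everything on Qv[t] and enqueue it back on QA[t].

        Assumption: objects the instance still holds are aged out at the same
        time, so deleting an instance can never leak system resources.
        """
        pools, held = self.pv.pop(vfw_id), self.held.pop(vfw_id)
        for t, qv in pools.items():
            while qv:
                self.qa[t].append(qv.popleft())
            for obj in sorted(held[t]):
                self.qa[t].append(obj)

    # --- virtual firewall administrator (may only touch its own Pv) -----
    def request(self, vfw_id: int, rtype: str) -> int:
        """Apply for one object: dequeue from the instance's own Qv[t], never from QA."""
        qv = self.pv[vfw_id][rtype]
        if not qv:
            raise RuntimeError(f"VFW{vfw_id}: {rtype} pool exhausted")
        obj = qv.popleft()
        self.held[vfw_id][rtype].add(obj)
        return obj

    def release(self, vfw_id: int, rtype: str, obj: int) -> None:
        """Recycle or age out one object: enqueue it back on Qv[t].

        Only objects this instance dequeued are accepted, so one instance
        cannot inject objects belonging to another into its own pool.
        """
        if obj not in self.held[vfw_id][rtype]:
            raise ValueError(f"VFW{vfw_id} does not hold {rtype} object {obj}")
        self.held[vfw_id][rtype].remove(obj)
        self.pv[vfw_id][rtype].append(obj)

    def free(self, vfw_id: int, rtype: str) -> int:
        """Number of objects currently available on Qv[t]."""
        return len(self.pv[vfw_id][rtype])
```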
  • FIG. 8 is a schematic diagram of functional modules of a fourth embodiment of an apparatus for implementing a virtual firewall according to the present invention.
  • the device for implementing the virtual firewall further includes:
  • the configuration unit 507 is configured to configure a first administrator for each virtual firewall instance and a second administrator for the first administrator.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed is a method for implementing a virtual firewall. The method comprises: acquiring an identifier of a virtual firewall instance according to received first information of a data traffic; searching for a configuration parameter of the virtual firewall according to the identifier of the virtual firewall instance, and searching for an ACL rule set according to packet information of the data traffic; and generating a session entry according to the data traffic, the configuration parameter of the virtual firewall and the ACL rule set, and storing a related security service parameter of a session in the data traffic into the session entry. Also disclosed is a device for implementing a virtual firewall. In this way, a physical firewall can be divided into multiple logical firewalls for use, each logical firewall can separately apply for separate resources; in addition, defects of deployment of a conventional firewall are overcome, and separate security service policies can be provided to different users at the same time on the premise that maintenance and management costs are greatly reduced.

Description

Method and device for implementing a virtual firewall
Technical field
The present invention relates to the field of network security, and in particular to a method and apparatus for implementing a virtual firewall.
Background
In traditional solutions, when a system requires multiple sets of firewall protection, multiple firewalls are generally deployed. The traditional approach is to deploy one firewall in front of each CE device, each managed and configured separately; for example, in an MPLS VPN network, security protection is needed between the VPNs. The traditional solution has obvious shortcomings:
Enterprises need to deploy and manage multiple independent firewalls, which results in a high cost of ownership and maintenance and complex network management. Multiple independent firewalls placed centrally occupy more rack space and add complexity to the structured cabling. As the business develops, the division of MPLS VPNs or VLANs may change; since an MPLS VPN or VLAN is a logical construct, such a change only requires a configuration change, whereas a traditional firewall requires a physical change, which causes great difficulty for the user's later spare parts and management.
Summary of the invention
The embodiments of the present invention provide a method and apparatus for implementing a virtual firewall, the main purpose of which is to solve the technical problem of implementing multiple virtual firewall instances on a single hardware platform.
To achieve the above object, an embodiment of the present invention provides a method for implementing a virtual firewall, the method including:
obtaining an identifier of a virtual firewall instance according to first information of received data traffic;
when a session entry matching the data traffic cannot be found according to second information of the data traffic, searching for configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance, and searching for an ACL rule group according to packet information of the data traffic;
generating a session entry according to the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and saving the related security service parameters of the session in the data traffic in the session entry.
Preferably, the first information includes at least the quintuple, VLAN information or IP information in the packets of the data traffic; the second information includes at least the quintuple in the packets of the data traffic.
Preferably, obtaining the identifier of the virtual firewall instance according to the first information of the received data traffic includes:
determining whether the identifier of the virtual firewall instance can be obtained according to interface information of the data traffic and a pre-stored interface mapping table, where the interface mapping table includes the correspondence between the interface information of the data traffic and the identifier of the virtual firewall instance; if so, searching for the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and searching for the ACL rule group according to the packet information of the data traffic.
Preferably, after the step of, if so, searching for the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and searching for the ACL rule group according to the packet information of the data traffic, the method further includes:
if not, determining whether the identifier of the virtual firewall instance can be obtained according to first packet information of the data traffic and a pre-stored VLAN mapping table, where the first packet information includes at least VLAN information and the VLAN mapping table includes the correspondence between the VLAN information of the data traffic and the identifier of the virtual firewall instance; if so, searching for the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and searching for the ACL rule group according to the packet information of the data traffic;
Preferably, after the step of, if so, searching for the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and searching for the ACL rule group according to the packet information of the data traffic, the method further includes:
if not, determining whether the identifier of the virtual firewall instance can be obtained according to the first packet information of the data traffic, a pre-stored first VPN mapping table and a pre-stored second VPN mapping table, where the first packet information includes at least VLAN information, the first VPN mapping table includes the correspondence between the VLAN information and VPN information, and the second VPN mapping table includes the correspondence between the VPN information and the identifier of the virtual firewall instance; if so, searching for the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and searching for the ACL rule group according to the packet information of the data traffic;
Preferably, after the step of, if so, searching for the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and searching for the ACL rule group according to the packet information of the data traffic, the method further includes:
if not, determining whether the identifier of the virtual firewall instance can be obtained according to second packet information of the data traffic and a pre-stored IP mapping table, where the second packet information includes at least an IP address and the IP mapping table includes the correspondence between the IP address and the identifier of the virtual firewall instance obtained from the IP address by a HASH operation; if so, searching for the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and searching for the ACL rule group according to the packet information of the data traffic.
Preferably, after obtaining the identifier of the virtual firewall instance according to the first information of the received data traffic, the method includes:
searching for a session entry matching the data traffic according to the second information;
where searching for a session entry matching the data traffic according to the second information includes:
performing a HASH operation on the second information to obtain a value H, where the low N bits of H are used to look up the index within a CAM table and the high N bits of H are used to look up the identifier of the CAM table;
if a pre-stored CAM table is matched, obtaining the content of the matched CAM table entry and comparing it with the second information; if they are the same, determining that the session entry matching the data traffic can be found according to the second information; if they differ, determining that the session entry matching the data traffic cannot be found according to the second information;
if no pre-stored CAM table is matched, determining that the session entry matching the data traffic cannot be found according to the second information.
Preferably, the method further includes:
when a virtual firewall instance VFWv is created, dequeuing resource objects from the total resource queue QA of the total resource pool PA and then enqueuing them into the resource queue Qv;
when the virtual firewall instance VFWv is deleted, dequeuing the resource objects from the resource queue Qv of the resource pool Pv and then enqueuing them back into the total resource queue QA;
where Qv is a queue or stack for one resource type in the resource pool of the virtual firewall instance; QA is the queue holding the resources of the corresponding type in the total resource pool; PA is the total resource pool from which virtual firewall instances are provisioned; and Pv is the resource pool corresponding to the virtual firewall instance VFWv.
In addition, to achieve the above object, an embodiment of the present invention further provides an apparatus for implementing a virtual firewall, the apparatus including:
an obtaining unit, configured to obtain the identifier of a virtual firewall instance according to first information of received data traffic;
a first searching unit, configured to, when no session entry matching the data traffic can be found according to second information of the data traffic, look up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and look up the ACL rule group according to the packet information of the data traffic;
a generating unit, configured to generate a session entry according to the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and to save the security service parameters relevant to the session carried in the data traffic in that session entry.
Preferably, the first information includes at least the five-tuple, VLAN information or IP information of the packets of the data traffic; the second information includes at least the five-tuple of the packets of the data traffic.
Preferably, the obtaining unit is configured to:
determine whether the identifier of the virtual firewall instance can be obtained from the interface information of the data traffic and a pre-stored interface mapping table, where the interface mapping table holds the correspondence between the interface information of the data traffic and the identifier of the virtual firewall instance; if so, look up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and look up the ACL rule group according to the packet information of the data traffic.
Preferably, the obtaining unit is further configured to:
if not, determine whether the identifier of the virtual firewall instance can be obtained from first packet information of the data traffic and a pre-stored VLAN mapping table, where the first packet information includes at least VLAN information and the VLAN mapping table holds the correspondence between the VLAN information of the data traffic and the identifier of the virtual firewall instance; if so, look up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and look up the ACL rule group according to the packet information of the data traffic.
Preferably, the obtaining unit is further configured to:
if not, determine whether the identifier of the virtual firewall instance can be obtained from the first packet information of the data traffic, a pre-stored first VPN mapping table and a pre-stored second VPN mapping table, where the first packet information includes at least VLAN information, the first VPN mapping table holds the correspondence between VLAN information and VPN information, and the second VPN mapping table holds the correspondence between VPN information and the identifier of the virtual firewall instance; if so, look up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and look up the ACL rule group according to the packet information of the data traffic.
Preferably, the obtaining unit is further configured to:
if not, determine whether the identifier of the virtual firewall instance can be obtained from second packet information of the data traffic and the pre-stored IP mapping table, where the second packet information includes at least an IP address and the IP mapping table holds the correspondence between the IP address and the identifier of the virtual firewall instance obtained by applying a HASH operation to that IP address; if so, look up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and look up the ACL rule group according to the packet information of the data traffic.
Preferably, the apparatus further includes a second searching unit, configured to:
search, according to the second information, for a session entry matching the data traffic;
where the second searching unit is configured to:
perform a HASH operation on the second information to obtain a value H, where the low N bits of H are used to look up the index of a CAM table and the high N bits of H are used to look up the identifier within that CAM table;
if a match is found in the pre-stored CAM table, obtain the content of the matched CAM entry and compare that content with the second information; if they are identical, determine that a session entry matching the data traffic can be found according to the second information; if they differ, determine that no session entry matching the data traffic can be found according to the second information;
if no match is found in the pre-stored CAM table, determine that no session entry matching the data traffic can be found according to the second information.
Preferably, the apparatus further includes:
a creating unit, configured to, when a virtual firewall instance VFWv is created, dequeue resource objects from the total resource queue QA of the total resource pool PA and then enqueue them into the resource queue Qv;
a deleting unit, configured to, when the virtual firewall instance VFWv is deleted, dequeue the resource objects from the resource queue Qv of the resource pool Pv and then enqueue them back into the total resource queue QA;
where Qv is a queue or stack for one resource type in the resource pool of the virtual firewall instance; QA is the queue holding the resources of the corresponding type in the total resource pool; PA is the total resource pool from which virtual firewall instances are provisioned; and Pv is the resource pool corresponding to the virtual firewall instance VFWv.
In this embodiment, the identifier of a virtual firewall instance is obtained according to first information of received data traffic; when no session entry matching the data traffic can be found according to second information of the data traffic, the configuration parameters of the virtual firewall are looked up according to the identifier of the virtual firewall instance and the ACL rule group is looked up according to the packet information of the data traffic; a session entry is generated according to the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and the security service parameters relevant to the session carried in the data traffic are saved in that session entry. In this way one physical firewall can be divided into multiple logical firewalls, each of which can request resources independently and be configured with its own security policies to meet the differing security requirements of users. At the same time, the embodiment provides a method for running multiple virtual firewall instances on a single hardware platform, which overcomes the shortcomings of traditional firewall deployment: independent security service policies can be provided to different users while maintenance and management costs are greatly reduced.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a first embodiment of the method for implementing a virtual firewall according to the present invention;
FIG. 2 is a schematic flowchart of a second embodiment of the method for implementing a virtual firewall according to the present invention;
FIG. 3 is a schematic flowchart of a third embodiment of the method for implementing a virtual firewall according to the present invention;
FIG. 4 is a schematic flowchart of a fourth embodiment of the method for implementing a virtual firewall according to the present invention;
FIG. 5 is a schematic diagram of the functional modules of a first embodiment of the apparatus for implementing a virtual firewall according to the present invention;
FIG. 6 is a schematic diagram of the functional modules of a second embodiment of the apparatus for implementing a virtual firewall according to the present invention;
FIG. 7 is a schematic diagram of the functional modules of a third embodiment of the apparatus for implementing a virtual firewall according to the present invention;
FIG. 8 is a schematic diagram of the functional modules of a fourth embodiment of the apparatus for implementing a virtual firewall according to the present invention.
The implementation, functional features and advantages of the object of the present invention are further described below with reference to the embodiments and the accompanying drawings.
Detailed description
It should be understood that the specific embodiments described herein are merely intended to explain the present invention and are not intended to limit it.
An embodiment of the present invention provides a method for implementing a virtual firewall.
Referring to FIG. 1, FIG. 1 is a schematic flowchart of a first embodiment of the method for implementing a virtual firewall according to the present invention.
In the first embodiment, the method for implementing a virtual firewall includes:
Step 101: obtaining the identifier of a virtual firewall instance according to first information of received data traffic.
The first information includes at least the five-tuple, Virtual Local Area Network (VLAN) information or Internet Protocol (IP) information of the packets of the data traffic.
Preferably, obtaining the identifier of the virtual firewall instance according to the first information of the received data traffic includes:
determining whether the identifier of the virtual firewall instance can be obtained from the interface information of the data traffic and a pre-stored interface mapping table, where the interface mapping table holds the correspondence between the interface information of the data traffic and the identifier of the virtual firewall instance; if so, looking up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and looking up the Access Control List (ACL) rule group according to the packet information of the data traffic;
if not, determining whether the identifier of the virtual firewall instance can be obtained from first packet information of the data traffic and a pre-stored VLAN mapping table, where the first packet information includes at least VLAN information and the VLAN mapping table holds the correspondence between the VLAN information of the data traffic and the identifier of the virtual firewall instance; if so, looking up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and looking up the ACL rule group according to the packet information of the data traffic;
if not, determining whether the identifier of the virtual firewall instance can be obtained from the first packet information of the data traffic, a pre-stored first VPN mapping table and a pre-stored second VPN mapping table, where the first packet information includes at least VLAN information, the first Virtual Private Network (VPN) mapping table holds the correspondence between VLAN information and VPN information, and the second VPN mapping table holds the correspondence between VPN information and the identifier of the virtual firewall instance; if so, looking up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and looking up the ACL rule group according to the packet information of the data traffic;
if not, determining whether the identifier of the virtual firewall instance can be obtained from second packet information of the data traffic and a pre-stored IP mapping table, where the second packet information includes at least an IP address and the IP mapping table holds the correspondence between the IP address and the identifier of the virtual firewall instance obtained by applying a HASH operation to that IP address; if so, looking up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and looking up the ACL rule group according to the packet information of the data traffic.
Optionally, after the system is powered on, the traffic distribution module is started first, which initializes the mapping tables; then the session management module is started, which initializes the session table; then the resource pool module is started, which initializes the system resource queues; and finally the hierarchical management module is started, which initializes the virtual firewall table.
Initialization of the mapping tables means allocating the corresponding address space for the interface mapping table, VPN mapping table, VLAN mapping table and IP mapping table, and zeroing the allocated space. For the linear tables, namely the interface mapping table, the VPN mapping table and the VLAN mapping table, the required address space can be computed from the number of interfaces, VPNs and VLANs the system actually supports. The IP mapping table is a HASH table, so its address space is allocated according to the configuration specifications the system supports; if the IP mapping table requires CAM table support, address space is also allocated for the CAM table.
Initialization of the session table means allocating the address space for the session HASH+CAM table and zeroing it.
Initialization of the system resource pool: all resources of the system are enqueued, by resource type T, into the corresponding resource queue QT. That is, the system resource pool is PA = {QA, QB, ..., QT}.
Initialization of the virtual firewall instance table: address space is allocated according to the maximum number of virtual firewall instances the system supports, and the allocated space is zeroed.
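The resource pool initialization above, together with the create/delete transfers between the total queue QA and an instance queue Qv described in the summary, can be made concrete as follows. This is an added example and not code from the patent: the two resource types, the per-type capacity, the index-based object representation and the refusal to delete an instance that still has objects in use are assumptions made for this example.

```c
/* Added example, not code from the patent: a queue-based resource pool in
 * which the total pool PA holds one free queue per resource type and each
 * instance VFWv holds its own queues Qv. Resource types, capacities and
 * the index-based object representation are assumptions for the example. */
#include <stdint.h>
#include <string.h>

enum res_type { RT_SESSION = 0, RT_NAT = 1, RT_COUNT };
#define POOL_CAP 64          /* objects of each type in the whole system */
#define MAX_VFW  8

/* Objects are identified by an index; a queue is a fixed ring of indexes. */
struct res_queue { uint16_t items[POOL_CAP]; uint16_t head, tail, count; };

static void q_init(struct res_queue *q) { q->head = q->tail = q->count = 0; }
static int q_push(struct res_queue *q, uint16_t v) {
    if (q->count == POOL_CAP) return -1;
    q->items[q->tail] = v;
    q->tail = (uint16_t)((q->tail + 1) % POOL_CAP);
    q->count++;
    return 0;
}
static int q_pop(struct res_queue *q, uint16_t *out) {
    if (q->count == 0) return -1;
    *out = q->items[q->head];
    q->head = (uint16_t)((q->head + 1) % POOL_CAP);
    q->count--;
    return 0;
}

static struct res_queue PA[RT_COUNT];             /* QA, QB, ...: one queue per type */
static struct res_queue Pv[MAX_VFW][RT_COUNT];    /* Qv per instance and type */
static uint16_t outstanding[MAX_VFW][RT_COUNT];   /* objects currently handed out of Qv */
static uint8_t  vfw_active[MAX_VFW];

/* System resource pool initialization: every object of every type is enqueued
 * into its type's queue, i.e. PA = {QA, QB, ..., QT}. */
void pool_init(void) {
    for (int t = 0; t < RT_COUNT; t++) {
        q_init(&PA[t]);
        for (uint16_t i = 0; i < POOL_CAP; i++) q_push(&PA[t], i);
    }
    memset(Pv, 0, sizeof Pv);
    memset(outstanding, 0, sizeof outstanding);
    memset(vfw_active, 0, sizeof vfw_active);
}
int pool_free_count(int type)       { return PA[type].count; }
int vfw_free_count(int v, int type) { return Pv[v][type].count; }

/* Create VFWv: dequeue the promised objects from QA and enqueue them into Qv.
 * The quota is checked for every type before anything moves, so a partially
 * provisioned instance is never left behind. */
int vfw_create(int v, uint16_t n_session, uint16_t n_nat) {
    uint16_t quota[RT_COUNT] = { n_session, n_nat };
    if (v < 0 || v >= MAX_VFW || vfw_active[v]) return -1;
    for (int t = 0; t < RT_COUNT; t++)
        if (PA[t].count < quota[t]) return -1;
    for (int t = 0; t < RT_COUNT; t++)
        for (uint16_t n = 0; n < quota[t]; n++) {
            uint16_t obj;
            q_pop(&PA[t], &obj);
            q_push(&Pv[v][t], obj);
        }
    vfw_active[v] = 1;
    return 0;
}

/* Delete VFWv: dequeue everything from Qv and enqueue it back into QA.
 * Refused while any object is still in use: an object that is not in Qv
 * cannot be returned and would leak from the system pool. */
int vfw_delete(int v) {
    if (v < 0 || v >= MAX_VFW || !vfw_active[v]) return -1;
    for (int t = 0; t < RT_COUNT; t++)
        if (outstanding[v][t]) return -1;
    for (int t = 0; t < RT_COUNT; t++) {
        uint16_t obj;
        while (q_pop(&Pv[v][t], &obj) == 0) q_push(&PA[t], obj);
    }
    vfw_active[v] = 0;
    return 0;
}

/* Runtime allocation is served only from the instance's own Qv, never from
 * PA, so one tenant cannot consume another tenant's sessions.
 * Returns the object index, or -1 when the instance's quota is used up. */
int vfw_alloc(int v, int type) {
    uint16_t obj;
    if (v < 0 || v >= MAX_VFW || !vfw_active[v]) return -1;
    if (q_pop(&Pv[v][type], &obj) != 0) return -1;
    outstanding[v][type]++;
    return obj;
}
int vfw_release(int v, int type, uint16_t obj) {
    if (v < 0 || v >= MAX_VFW || !vfw_active[v] || outstanding[v][type] == 0) return -1;
    outstanding[v][type]--;
    return q_push(&Pv[v][type], obj);
}
```

The point of serving allocations from Qv rather than from PA is isolation: a flood of new flows into one instance exhausts only that instance's own session quota, and the other instances keep the resources they were provisioned with at creation time.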
The traffic distribution mechanism sends the data traffic received by the system to the corresponding virtual firewall instance. That is, the interface information of the received traffic or the packet information of the traffic (such as the VPN, VLAN or IP information in the packet) is matched against the configuration of the virtual firewall instances, the traffic is sent to the matching virtual firewall instance, and that instance provides the corresponding security services.
The traffic distribution mechanism is implemented by maintaining an interface mapping table, a VLAN mapping table, a VPN mapping table and an IP mapping table.
The interface mapping table is a linear table holding the correspondence between interfaces and virtual firewall instances. Its key is the interface index (IF-ID) and its result is the index of the virtual firewall instance to which the interface belongs (VFW-ID).
The VLAN mapping table is a linear table holding the VPN or virtual firewall instance to which a VLAN belongs. Its key is the VLAN index (VLAN-ID) and its result is either the index of the VPN to which the VLAN belongs (VPN-ID) or the index of the virtual firewall instance (VFW-ID).
The VPN mapping table is a linear table holding the correspondence between VPNs and virtual firewall instances. Its key is the VPN index (VPN-ID) and its result is the index of the virtual firewall instance to which the VPN belongs (VFW-ID).
The IP mapping table is a HASH table holding the correspondence between IP addresses and virtual firewall instances. Its key is the IP mapping table index (IP-ID) obtained by applying a HASH operation to the IP address, and its result is the index of the virtual firewall instance to which the address belongs (VFW-ID). When an IP address is allowed to be configured as a masked address, every IP address covered by the mask has to be stored in the HASH table, and the HASH table may run out of space because there are too many addresses. In that case a CAM table can be used to store the masked IP address, which avoids the table-space problem and also makes IP lookup more efficient.
When the super administrator configures which traffic a virtual firewall instance handles, it is enough to set the VFW-ID field in the corresponding entry of the interface mapping table, VLAN mapping table, VPN mapping table or IP mapping table. For example, to send the traffic received on a specific interface IFa (IF-ID a) to the specified virtual firewall instance VFWx (VFW-ID x), the VFW-ID field of entry a in the interface mapping table is set to x. As another example, to send traffic whose destination IP address is a specific address IPb to the specified virtual firewall instance VFWy (VFW-ID y), IPb is first hashed to obtain the HASH value b, and the VFW-ID field of entry b in the IP mapping table is set to y.
While the system is running, the interface mapping table, VLAN mapping table, VPN mapping table and IP mapping table are looked up according to the interface information or packet information of the received data traffic to obtain the index of the virtual firewall instance corresponding to that traffic, and the traffic is then sent to that instance for subsequent processing. When a given data flow matches entries in several of the interface, VLAN, VPN and IP mapping tables, the priority of the mapping tables decides which virtual firewall instance the traffic is sent to. In general, the interface mapping table has the highest priority, followed by the VLAN mapping table, then the VPN mapping table, with the IP mapping table having the lowest priority.
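The following is an added example, not code from the patent, of the dispatch step above: the four mapping tables kept as the linear and hash structures the description names, the configuration entry points a super administrator would use, and a data-path lookup that applies the interface > VLAN > VPN > IP priority order. Table sizes, the VFW_NONE marker, the hash function and the single-slot IP buckets are assumptions made for the example. Note that the priority order is security relevant: it decides which tenant's policy a packet is evaluated against, so a stale or mis-bound entry in a higher-priority table silently overrides the lower ones.

```c
/* Added example, not code from the patent: priority-ordered traffic
 * dispatch to a virtual firewall instance using the four mapping tables
 * the description names. Table sizes, the VFW_NONE marker and the hash
 * function are assumptions made for this example. */
#include <stdint.h>
#include <string.h>

#define VFW_NONE   0xFFFFu              /* entry not bound to any instance */
#define MAX_IF     64
#define MAX_VLAN   4096
#define MAX_VPN    256
#define IPMAP_BITS 10                   /* IP map: 2^10 hash buckets */
#define IPMAP_SIZE (1u << IPMAP_BITS)

/* Linear tables: the key is the array index, the value is the result. */
static uint16_t if_map[MAX_IF];          /* IF-ID   -> VFW-ID */
static uint16_t vlan_map[MAX_VLAN];      /* VLAN-ID -> VFW-ID */
static uint16_t vlan_vpn_map[MAX_VLAN];  /* VLAN-ID -> VPN-ID (first VPN map) */
static uint16_t vpn_map[MAX_VPN];        /* VPN-ID  -> VFW-ID (second VPN map) */

/* IP map: hash table indexed by H(ip). The full address is stored so a
 * bucket collision is detected instead of handing the packet to another
 * tenant's instance. */
struct ipmap_entry { uint32_t ip; uint16_t vfw; uint8_t used; };
static struct ipmap_entry ip_map[IPMAP_SIZE];

static uint32_t ip_hash(uint32_t ip) {
    /* Assumed integer mixer; the patent only says "HASH". */
    ip ^= ip >> 16; ip *= 0x7feb352du;
    ip ^= ip >> 15; ip *= 0x846ca68bu;
    ip ^= ip >> 16;
    return ip & (IPMAP_SIZE - 1);
}

/* Mapping table initialization: every entry starts out unbound. */
void dispatch_init(void) {
    memset(if_map, 0xFF, sizeof if_map);
    memset(vlan_map, 0xFF, sizeof vlan_map);
    memset(vlan_vpn_map, 0xFF, sizeof vlan_vpn_map);
    memset(vpn_map, 0xFF, sizeof vpn_map);
    memset(ip_map, 0, sizeof ip_map);
}

/* Configuration entry points used by the super administrator.
 * Each returns 0 on success and -1 on an out-of-range key. */
int bind_interface(uint16_t if_id, uint16_t vfw) {
    if (if_id >= MAX_IF) return -1;
    if_map[if_id] = vfw; return 0;
}
int bind_vlan(uint16_t vlan_id, uint16_t vfw) {
    if (vlan_id >= MAX_VLAN) return -1;
    vlan_map[vlan_id] = vfw; return 0;
}
int bind_vlan_to_vpn(uint16_t vlan_id, uint16_t vpn_id) {
    if (vlan_id >= MAX_VLAN || vpn_id >= MAX_VPN) return -1;
    vlan_vpn_map[vlan_id] = vpn_id; return 0;
}
int bind_vpn(uint16_t vpn_id, uint16_t vfw) {
    if (vpn_id >= MAX_VPN) return -1;
    vpn_map[vpn_id] = vfw; return 0;
}
/* Returns -1 if the bucket already holds a different address: this is the
 * table-space limitation the description mentions for masked addresses. */
int bind_ip(uint32_t ip, uint16_t vfw) {
    struct ipmap_entry *e = &ip_map[ip_hash(ip)];
    if (e->used && e->ip != ip) return -1;
    e->ip = ip; e->vfw = vfw; e->used = 1; return 0;
}

/* Data path: returns the VFW-ID for the packet, or VFW_NONE when no table
 * claims it. Tables are consulted in the priority order the description
 * gives: interface, VLAN, VPN (reached through the VLAN), then IP. */
uint16_t dispatch_lookup(uint16_t if_id, uint16_t vlan_id, uint32_t dst_ip) {
    if (if_id < MAX_IF && if_map[if_id] != VFW_NONE)
        return if_map[if_id];
    if (vlan_id < MAX_VLAN) {
        if (vlan_map[vlan_id] != VFW_NONE)
            return vlan_map[vlan_id];
        uint16_t vpn = vlan_vpn_map[vlan_id];   /* 0xFFFF when unbound */
        if (vpn < MAX_VPN && vpn_map[vpn] != VFW_NONE)
            return vpn_map[vpn];
    }
    const struct ipmap_entry *e = &ip_map[ip_hash(dst_ip)];
    if (e->used && e->ip == dst_ip)
        return e->vfw;
    return VFW_NONE;
}
```

A practitioner would treat a VFW_NONE result as a policy decision in its own right (drop, or route to a default instance), never as "forward unfiltered".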
Step 102: when no session entry matching the data traffic can be found according to second information of the data traffic, looking up the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance, and looking up the ACL rule group according to the packet information of the data traffic.
The second information includes at least the five-tuple of the packets of the data traffic.
Optionally, the session management mechanism works as follows: after a virtual firewall instance receives data traffic, it matches the traffic against the ACL rule group and generates the corresponding session entry. The virtual firewall instance can then provide session-state-dependent security services such as ASPF and NAT ALG based on the state changes recorded in the session table, and can provide address binding, blacklisting, address translation, statistics, attack defense and other security services based on the statistics kept in the session table.
Step 103: generating a session entry according to the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and saving the security service parameters relevant to the session carried in the data traffic in that session entry.
Optionally, the benefit of the session management mechanism is that, once the virtual firewall instance has received the first packet of a session, it can automatically generate the session entry from the configuration parameters in the virtual firewall instance table and the ACL rule group that the packet matches, and save the session-related security service parameters in that entry. When the instance receives subsequent packets of the session it no longer needs to look up the virtual firewall instance table or the ACL rule group again; it simply reads the session entry. This greatly improves the processing efficiency of the subsequent packets of a session.
Here a "session", also called a "flow", comprises the packets in both directions that are uniquely identified by a five-tuple. For example, a forward packet sent from A to B has source IP IPA, destination IP IPB, source port PORTA, destination port PORTB and protocol PROX, while the reverse packet returned from B to A has source IP IPB, destination IP IPA, source port PORTB, destination port PORTA and protocol PROX. The five-tuples of the two directions differ only in order, and the two directions belong to one session.
Each virtual firewall instance manages its own session resources independently; that is, each instance logically maintains its own session table (FT). Each entry in the FT corresponds to one session and holds all the information relevant to that session:
state information, such as the TCP connection state and FTP state; this can be used to provide ASPF state tracking for the session, and statistics over the state of all sessions can be used to provide attack defense services;
aging information, such as the creation timestamp and update timestamp of the session; the remaining aging time of the session can be computed from the timestamps to decide when the session is aged out;
security policy information, such as the NAT policy, ACL policy, ASPF policy and ALG policy of the session; based on these, packets can be forwarded, dropped, sent to the control plane, or forwarded after the corresponding protocol fields have been modified;
statistics, such as the number of packets sent and received in the session; these can be used to provide session monitoring services;
forwarding information, such as Layer 3 routing information and Layer 2 forwarding information; based on these, the data traffic can be forwarded.
When a virtual firewall instance is created, the maximum number of sessions C_FT held in its FT is specified; C_FT is usually large, for example 128K entries. The FT can therefore use a two-level HASH+CAM lookup structure to improve lookup efficiency. The HASH table holds C_HS = 2^N entries, each HASH entry corresponds to one CAM table, each CAM table holds C_CAM entries, and each CAM entry corresponds to one session, so
C_FT = C_HS × C_CAM
When a virtual firewall instance receives a packet, it first looks up the FT. If the lookup fails, it looks up the virtual firewall instance table and the ACL rule group and creates a flow entry from the matched security service parameters. If the lookup succeeds, the flow entry is read directly. The corresponding security policy is then applied to the packet according to the information in the flow entry.
本实施例通过根据接收到的数据流量的第一信息获取虚拟防火墙实例的标识;在根据数据流量的第二信息无法查找到与数据流量匹配的会话表项的情况下,根据虚拟防火墙实例的标识查找虚拟防火墙的配置参数,并根据数据流量的报文信息查找ACL规则组;根据数据流量、虚拟防火墙的配置参数以及ACL规则组生成会话表项,并将数据流量中的会话的相关安全服务参数保存在会话表项中,从而可以实现通过它可将一个物理防火墙划分为多个逻辑防火墙来用,每个逻辑防火墙可以独立申请资源,并配置不同的安全策略,以满足用户不同的安全需求;同时,本发明提供了一种在一个单一的硬件平台上实现多个虚拟防火墙实例的方法,解决了传统防火墙部署的缺陷。可以在大大降低维护和管理成本的前提下,同时为不同用户提供独立的安全服务策略。In this embodiment, the identifier of the virtual firewall instance is obtained according to the first information of the received data traffic; and the session entry matching the data traffic cannot be found according to the second information of the data traffic, according to the identifier of the virtual firewall instance. Find the configuration parameters of the virtual firewall, and find the ACL rule group based on the packet information of the data traffic. Generate the session entry based on the data traffic, the configuration parameters of the virtual firewall, and the ACL rule group, and set the security service parameters of the session in the data traffic. It is stored in the session table, so that it can be used to divide a physical firewall into multiple logical firewalls. Each logical firewall can independently apply for resources and configure different security policies to meet different security requirements of users. At the same time, the present invention provides a method for implementing multiple virtual firewall instances on a single hardware platform, which solves the defects of traditional firewall deployment. It can provide independent security service policies for different users while greatly reducing maintenance and management costs.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of a second embodiment of the method for implementing a virtual firewall according to the present invention.
In the second embodiment, after step 101 the method further includes:
Step 104: search for a session entry matching the data traffic according to the second information.
Searching for a session entry matching the data traffic according to the second information includes:
performing a HASH operation on the second information to obtain a value H, where the low N bits of the value H are used to look up the index of the CAM table and the high N bits of the value H are used to look up the identifier of the CAM table;
if a match is found in the pre-stored CAM table, obtaining the content of the matched CAM table entry and comparing that content with the second information; if they are identical, determining that a session entry matching the data traffic can be found according to the second information; if they differ, determining that no session entry matching the data traffic can be found according to the second information;
if no match is found in the pre-stored CAM table, determining that no session entry matching the data traffic can be found according to the second information.
Optionally, the keys in the packet, namely the five-tuple (source IP, destination IP, source port, destination port, protocol) and the VPN index VPN-ID, are first put through a 128-bit HASH operation to obtain the HASH value H. Then bits 0 to N-1 of H are taken as the index IDX_CAM of the CAM table corresponding to the FT entry, and the remaining bits of H are used to search the CAM table corresponding to IDX_CAM. If there is no matching CAM entry, the search fails and the session does not exist in the FT table. If there is a matching CAM entry IDX_ENTRY, the corresponding session index S-ID is calculated as
S-ID = IDX_CAM × C_CAM + IDX_ENTRY
Here, because HASH collisions are possible, after the session entry has been fetched the keys must also be compared for an exact match to confirm that it is the entry actually required.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of a third embodiment of the method for implementing a virtual firewall according to the present invention.
In the third embodiment, taking the case after step 103 as an example but not limited to it, the method further includes:
Step 105: when creating a virtual firewall instance VFWv, the resource objects in the total resource queue QA of the total resource pool PA are first dequeued and then enqueued into the resource queue Qv;
when deleting the virtual firewall instance VFWv, the resource objects in the resource queue Qv of the resource pool Pv are first dequeued and then enqueued into the total resource queue QA;
where Qv is the queue or stack for each resource type in the resource pool of the virtual firewall instance; QA is the resource queue for each type in the total resource pool; PA is the total resource pool of the virtual firewall instances; and Pv is the set of resources in the resource pool corresponding to the virtual firewall instance VFWv.
Optionally, the resource pool mechanism means that each virtual firewall instance corresponds to a separate resource pool, and a virtual firewall instance is only allowed to operate on resource objects in its own resource pool; that is, the virtual firewall instance is independently responsible for requesting, reclaiming and aging the resource objects in its pool. The resource objects here include, but are not limited to, address resources, security zone resources, service resources and session resources.
The advantage of resource pools is that the system's resources can be fully utilized and the resources occupied by each virtual firewall instance can be controlled flexibly; at the same time, independent resource pool management greatly reduces the coupling between virtual firewall instances and their mutual influence, making them easier to use.
Since the total number of resources in the system is limited, the resources allocated to the resource pool of each virtual firewall instance are also limited. For example, if the system supports at most 32M sessions and at most 256 virtual firewall instances, then on average each virtual firewall instance can support at most 128K sessions.
The resource objects in the resource pool Pv corresponding to the virtual firewall instance VFWv can be managed separately by type, with each type managed by one queue (or stack) Qv; that is, each resource object of that type corresponds to one member of Qv. The system resources can be regarded as the largest total resource pool PA, in which each type of resource corresponds to a total queue QA.
When the super administrator creates the virtual firewall instance VFWv, the number of resource objects contained in each resource queue Qv of the resource pool Pv is specified; that is, resource objects are first dequeued from the total resource queue QA of the total resource pool PA and then enqueued into the resource queue Qv. When the super administrator deletes the virtual firewall instance VFWv, the resource objects contained in all resource queues Qv of the resource pool Pv are reclaimed; that is, the resource objects in the resource queue Qv of the resource pool Pv are first dequeued and then enqueued into the total resource queue QA.
The virtual firewall administrator's requesting, reclaiming and aging of resource objects in the resource pool Pv correspond respectively to dequeue, enqueue and enqueue operations on the resource objects in the corresponding resource queue Qv.
Referring to FIG. 4, FIG. 4 is a schematic flowchart of a fourth embodiment of the method for implementing a virtual firewall according to the present invention.
In the fourth embodiment, taking the case after step 105 as an example but not limited to it, the method further includes:
Step 106: configure a first administrator for each virtual firewall instance, and configure a second administrator for the first administrators.
Optionally, the hierarchical management mechanism means that independent configuration management of virtual firewall instances is achieved through two levels of management: a super administrator creates or deletes virtual firewall instances and designates the corresponding virtual firewall administrators, and the virtual firewall administrators manage the virtual firewall instances independently.
When the super administrator creates or deletes a virtual firewall instance, the corresponding resource pool must be allocated to or reclaimed from that instance, which is the "resource pool" module described above; at the same time, the super administrator must also specify which data traffic is or is not sent to that virtual firewall instance for processing, which is the "traffic distribution" module described above.
The virtual firewall administrator manages the virtual firewall instance, that is, configures private ACL security rules according to the user's security requirements and manages the resource objects in the resource pool. Here, a virtual firewall instance table is maintained to store the configuration information of the virtual firewall instances. The virtual firewall instance table is a linear table whose key is the index VFW-ID of the virtual firewall instance and whose result is the configuration parameters of that instance, for example which attack-defense types the instance has enabled and the related threshold parameters, or the configured blacklist parameters. When the virtual firewall administrator configures a security service, the corresponding fields are updated.
The advantage of hierarchical management is that the super administrator only needs to consider which system resources to allocate to a virtual firewall instance, while management of the instance itself can be the independent responsibility of the virtual firewall administrator, making the management of virtual firewalls more flexible and convenient.
An embodiment of the present invention further provides an apparatus for implementing a virtual firewall.
Referring to FIG. 5, FIG. 5 is a schematic diagram of the functional modules of a first embodiment of the apparatus for implementing a virtual firewall according to the present invention.
In the first embodiment, the apparatus for implementing a virtual firewall includes:
an obtaining unit 501, configured to obtain the identifier of a virtual firewall instance according to the first information of received data traffic;
where the first information includes at least the five-tuple, VLAN information or IP information in the packets of the data traffic.
Preferably, the obtaining unit 501 is configured to:
judge whether the identifier of the virtual firewall instance can be obtained from the interface information of the data traffic and a pre-stored interface mapping table, the interface mapping table containing the correspondence between the interface information of data traffic and the identifiers of virtual firewall instances; if so, look up the configuration parameters of the virtual firewall by the identifier of the virtual firewall instance and look up the ACL rule group by the packet information of the data traffic;
if not, judge whether the identifier of the virtual firewall instance can be obtained from the first packet information of the data traffic and a pre-stored VLAN mapping table, the first packet information including at least VLAN information and the VLAN mapping table containing the correspondence between the VLAN information of data traffic and the identifiers of virtual firewall instances; if so, look up the configuration parameters of the virtual firewall by the identifier of the virtual firewall instance and look up the ACL rule group by the packet information of the data traffic;
if not, judge whether the identifier of the virtual firewall instance can be obtained from the first packet information of the data traffic, a pre-stored first VPN mapping table and a pre-stored second VPN mapping table, the first packet information including at least VLAN information, the first VPN mapping table containing the correspondence between VLAN information and VPN information, and the second VPN mapping table containing the correspondence between VPN information and the identifiers of virtual firewall instances; if so, look up the configuration parameters of the virtual firewall by the identifier of the virtual firewall instance and look up the ACL rule group by the packet information of the data traffic;
if not, judge whether the identifier of the virtual firewall instance can be obtained from the second packet information of the data traffic and a pre-stored IP mapping table, the second packet information including at least an IP address and the IP mapping table containing the correspondence between IP addresses and the identifiers of virtual firewall instances obtained by a HASH operation on the IP address; if so, look up the configuration parameters of the virtual firewall by the identifier of the virtual firewall instance and look up the ACL rule group by the packet information of the data traffic.
Optionally, after the system is powered on, the traffic distribution module is started first, that is, the mapping tables are initialized; then the session management module is started, that is, the session table is initialized; then the resource pool module is started, that is, the system resource queues are initialized; and finally the hierarchical management module is started, that is, the virtual firewall table is initialized.
Initialization of the mapping tables means requesting the corresponding address space for the interface mapping table, VPN mapping table, VLAN mapping table and IP mapping table and clearing the requested space to zero. For the linear tables, namely the interface mapping table, VPN mapping table and VLAN mapping table, the size of the address space to request can be calculated from the number of interfaces, VPNs and VLANs the system actually supports; the IP mapping table is a HASH table, so its address space is requested according to the configuration specification the system supports, and if the IP mapping table needs CAM table support, address space must also be requested for the CAM table.
Initialization of the session table means requesting the corresponding address space for the session HASH+CAM table and clearing the requested space to zero.
Initialization of the system resource pool: all resources of the system are enqueued by resource type T into the corresponding resource queue QT, so that the system resource pool is PA = {QA, QB, ..., QT}.
Initialization of the virtual firewall instance table: the corresponding address space is requested according to the maximum number of virtual firewall instances the system supports, and the requested space is cleared to zero.
The traffic distribution mechanism sends the data traffic received by the system to the corresponding virtual firewall instance. That is, the interface information of the received data traffic, or the packet information of the data traffic (such as the VPN, VLAN or IP information in the packet), is matched against the configuration information of the virtual firewall instances, the data traffic is sent to the corresponding virtual firewall instance, and that instance provides the corresponding security service.
The traffic distribution mechanism is implemented by maintaining an interface mapping table, a VLAN mapping table, a VPN mapping table and an IP mapping table.
The interface mapping table is a linear table that stores the correspondence between interfaces and virtual firewall instances. Its key is the interface index (IF-ID) and its result is the index (VFW-ID) of the virtual firewall instance to which the interface belongs.
The VLAN mapping table is a linear table that stores which VPN or virtual firewall instance a VLAN belongs to. Its key is the VLAN index (VLAN-ID) and its result is the index (VPN-ID) of the VPN or the index (VFW-ID) of the virtual firewall instance to which the VLAN belongs.
The VPN mapping table is a linear table that stores the correspondence between VPNs and virtual firewall instances. Its key is the VPN index (VPN-ID) and its result is the index (VFW-ID) of the virtual firewall instance to which the VPN belongs.
The IP mapping table is a HASH table that stores the correspondence between IP addresses and virtual firewall instances. Its key is the IP mapping table index (IP-ID) obtained by a HASH operation on the IP address, and its result is the index (VFW-ID) of the virtual firewall instance to which the IP address belongs. Here, if an IP address is allowed to be configured as a masked address, all IP addresses covered by the mask must be stored in the HASH table, and the HASH table may then run out of space because there are too many IP addresses. In that case, a CAM table can be used to store the masked IP addresses, which avoids the table space problem and improves the efficiency of IP lookup.
When the super administrator configures which data traffic a virtual firewall instance is responsible for, it is only necessary to set the VFW-ID field in the corresponding interface mapping table, VLAN mapping table, VPN mapping table or IP mapping table. For example, to send the data traffic received on a particular interface IFa (with IF-ID a) to a specified virtual firewall instance VFWx (with VFW-ID x) for processing, the VFW-ID field of entry a in the interface mapping table is set to x. As another example, to send data traffic whose destination IP address is a particular IPb to a specified virtual firewall instance VFWy (with VFW-ID y) for processing, IPb is first put through the HASH operation to obtain the HASH value b, and then the VFW-ID field of entry b in the IP mapping table is set to y.
When the system is running, the interface mapping table, VLAN mapping table, VPN mapping table and IP mapping table are looked up according to the interface information of the received data traffic or the packet information of the data traffic to obtain the virtual firewall instance index corresponding to that traffic, and the data traffic is then sent to that virtual firewall for subsequent processing. When a data flow matches entries in more than one of the interface mapping table, VLAN mapping table, VPN mapping table and IP mapping table, the priority of the mapping tables decides which virtual firewall instance the traffic is sent to. In general, the interface mapping table has the highest priority, followed by the VLAN mapping table, then the VPN mapping table, with the IP mapping table having the lowest priority.
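The traffic distribution tables and their priority order, as an added example written for this page (not the patent's own code): the four mapping tables of unit 501, the HASH-indexed IP table with a CAM-style list for masked addresses, and a classify() that applies interface > VLAN > VPN > IP. Table sizes, the ID-0-means-unbound convention, the choice of blake2b as the IP hash, and the stored address used for an exact compare are assumptions of this example.

```python
import hashlib
import ipaddress

UNSET = 0              # constructed convention: VFW-ID / VPN-ID 0 means "not bound"; real IDs start at 1
IP_TABLE_SIZE = 256    # constructed size of the IP mapping HASH table


def ip_id(ip):
    """IP-ID: HASH of the IP address reduced to an index into the IP mapping
    table (blake2b is an arbitrary choice; the page does not name the hash)."""
    digest = hashlib.blake2b(ip.encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % IP_TABLE_SIZE


class Distributor:
    def __init__(self, n_if, n_vlan, n_vpn):
        # Initialisation as in the text: linear tables sized from the number of
        # interfaces / VLANs / VPNs the system supports, all cleared to 0.
        self.if_map = [UNSET] * n_if            # IF-ID   -> VFW-ID
        self.vlan_map = [UNSET] * n_vlan        # VLAN-ID -> VFW-ID
        self.vlan_vpn_map = [UNSET] * n_vlan    # VLAN-ID -> VPN-ID (first VPN mapping table)
        self.vpn_map = [UNSET] * n_vpn          # VPN-ID  -> VFW-ID (second VPN mapping table)
        self.ip_map = [None] * IP_TABLE_SIZE    # IP-ID   -> (ip, VFW-ID)
        self.ip_cam = []                        # (network, VFW-ID) for masked addresses

    # Super administrator configuration: only the VFW-ID field is written.
    def bind_interface(self, if_id, vfw):
        self.if_map[if_id] = vfw

    def bind_vlan(self, vlan_id, vfw):
        self.vlan_map[vlan_id] = vfw

    def bind_vlan_to_vpn(self, vlan_id, vpn_id):
        self.vlan_vpn_map[vlan_id] = vpn_id

    def bind_vpn(self, vpn_id, vfw):
        self.vpn_map[vpn_id] = vfw

    def bind_ip(self, ip, vfw):
        if "/" in ip:
            # Masked address: keep one CAM-style entry instead of expanding every
            # covered host into the HASH table (the space problem the text describes).
            self.ip_cam.append((ipaddress.ip_network(ip, strict=False), vfw))
            return
        slot = ip_id(ip)
        if self.ip_map[slot] is not None and self.ip_map[slot][0] != ip:
            raise ValueError("IP mapping table HASH collision for %s" % ip)
        # The configured address is kept beside VFW-ID so a lookup can confirm the
        # key exactly (an addition of this example; the page stores only VFW-ID).
        self.ip_map[slot] = (ip, vfw)

    def _lookup_ip(self, ip):
        entry = self.ip_map[ip_id(ip)]
        if entry is not None and entry[0] == ip:
            return entry[1]
        addr = ipaddress.ip_address(ip)
        for net, vfw in self.ip_cam:
            if addr in net:
                return vfw
        return UNSET

    def classify(self, if_id=None, vlan_id=None, dst_ip=None):
        """Return (VFW-ID, deciding table) using the priority order from the
        text: interface > VLAN > VPN > IP; (UNSET, None) if nothing matches."""
        if if_id is not None and self.if_map[if_id] != UNSET:
            return self.if_map[if_id], "interface"
        if vlan_id is not None:
            if self.vlan_map[vlan_id] != UNSET:
                return self.vlan_map[vlan_id], "vlan"
            vpn = self.vlan_vpn_map[vlan_id]
            if vpn != UNSET and self.vpn_map[vpn] != UNSET:
                return self.vpn_map[vpn], "vpn"
        if dst_ip is not None:
            vfw = self._lookup_ip(dst_ip)
            if vfw != UNSET:
                return vfw, "ip"
        return UNSET, None
```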
a first lookup unit 502, configured to look up the configuration parameters of the virtual firewall by the identifier of the virtual firewall instance and look up the ACL rule group by the packet information of the data traffic when no session entry matching the data traffic can be found according to the second information of the data traffic;
where the second information includes at least the five-tuple in the packets of the data traffic.
Optionally, the session management mechanism means that after a virtual firewall instance receives data traffic, it matches the data traffic against the ACL rule group and generates the corresponding session entry. Based on the state changes recorded in the session table, the virtual firewall instance can provide session-state-related security services such as ASPF and NAT ALG; based on statistics from the session table, it can also provide security services such as address binding, blacklisting, address translation, statistics and attack defense.
a generating unit 503, configured to generate a session entry from the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and to store the security service parameters relevant to the session in the data traffic in the session entry.
Optionally, the advantage of the session management mechanism is that after a virtual firewall instance receives the first packet of a session, it can automatically generate a session entry from the configuration parameters in the virtual firewall instance table and the ACL rule group matched by the packet, and store the session-related security service parameters in that entry. When the virtual firewall instance later receives subsequent packets of the session, it does not need to look up the virtual firewall instance table or the ACL rule group again, but can read the information in the session entry directly. This greatly improves the processing efficiency of the session's subsequent packets.
Here a "session", also called a "flow", contains the packets in both directions that are uniquely determined by a five-tuple. For example, the forward packets sent from A to B, whose source IP is IPA, destination IP is IPB, source port is PORTA, destination port is PORTB and protocol is PROX, and the reverse packets returned from B to A, whose source IP is IPB, destination IP is IPA, source port is PORTB, destination port is PORTA and protocol is PROX: the five-tuples of the packets in the two directions differ only in order, and here they belong to one session.
Each virtual firewall instance manages its own session resources independently; that is, each virtual firewall instance logically maintains its own session table (FT). Each entry in the FT table corresponds to one session and stores all information related to that session:
state information, such as TCP connection state and FTP state, from which ASPF state-tracking services can be provided for the session, and from statistics of the state of all sessions, related attack-defense services can be provided;
aging information, such as the session's creation timestamp and update timestamp, from which the session's remaining aging time can be calculated to decide when to age out the session;
security policy information, such as the session's NAT policy, ACL policy, ASPF policy and ALG policy, according to which packets can be forwarded, dropped, sent up, or forwarded after modifying the corresponding protocol fields;
statistics, such as the number of packets the session has sent and received, from which session monitoring services can be provided;
forwarding information, such as Layer 3 routing information and Layer 2 forwarding information, from which data traffic forwarding services can be provided.
When a virtual firewall instance is created, the maximum number of sessions C_FT stored in the FT table is specified, and the value of C_FT is generally large, for example 128K. The FT table can therefore use a two-level HASH+CAM lookup structure to improve lookup efficiency: the HASH table holds C_HS = 2^N entries, each HASH entry corresponds to a CAM table, each CAM table holds C_CAM entries, and each CAM entry corresponds to one session, so that
C_FT = C_HS × C_CAM
After the virtual firewall instance receives a packet, it first searches the FT table. If the search fails, it looks up the virtual firewall instance table and the ACL rule group and creates a flow table entry from the matched security service parameters. If the search succeeds, it fetches the flow table entry directly. Then, according to the information in the flow table entry, it applies the corresponding security policy to the packet.
In this embodiment, the identifier of the virtual firewall instance is obtained from the first information of the received data traffic; when no session entry matching the data traffic can be found from the second information of the data traffic, the configuration parameters of the virtual firewall are looked up by the identifier of the virtual firewall instance and the ACL rule group is looked up by the packet information of the data traffic; a session entry is generated from the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and the security service parameters relevant to the session in the data traffic are stored in the session entry. In this way one physical firewall can be divided into multiple logical firewalls, each of which can request resources independently and be configured with different security policies to meet the different security requirements of users. At the same time, the present invention provides a method for implementing multiple virtual firewall instances on a single hardware platform, which overcomes the defects of traditional firewall deployment and can provide independent security service policies for different users while greatly reducing maintenance and management costs.
FIG. 6 is a schematic diagram of the functional modules of a second embodiment of the apparatus for implementing a virtual firewall according to the present invention.
In the second embodiment, the apparatus for implementing a virtual firewall further includes:
a second lookup unit 504, configured to:
look up a session entry matching the data traffic according to the second information;
the second lookup unit 504 being further configured to:
perform a HASH operation on the second information to obtain a value H, where the low N bits of the value H are used to look up the index of the CAM table and the high N bits of the value H are used to look up the identifier of the CAM table;
if a match is found in the pre-stored CAM table, obtain the content of the matched CAM table entry and compare that content with the second information; if they are identical, determine that a session entry matching the data traffic can be found according to the second information; if they differ, determine that no session entry matching the data traffic can be found according to the second information;
if no match is found in the pre-stored CAM table, determine that no session entry matching the data traffic can be found according to the second information.
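The two-level HASH+CAM session table and the receive path around it, as an added example written for this page (not the patent's own code): it serves both the lookup of step 104 / unit 504 (H split into IDX_CAM and a tag, then an exact key compare because of HASH collisions) and the FT sizing C_FT = C_HS × C_CAM, and it folds the forward/reverse five-tuple of one session into a single key. The tiny table sizes, blake2b as the 128-bit hash, the ACL rule format and the session entry fields are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sizes, kept tiny for illustration: the HASH table holds
# C_HS = 2**N buckets and each bucket owns one CAM table of C_CAM entries.
N = 4
C_HS = 1 << N
C_CAM = 4
C_FT = C_HS * C_CAM          # C_FT = C_HS x C_CAM, as in the text


def session_key(src_ip, dst_ip, sport, dport, proto, vpn_id):
    """Build the lookup key from the five-tuple plus VPN-ID. Forward and reverse
    packets of one session differ only in endpoint order, so the lower endpoint is
    always placed first and both directions land on the same FT entry."""
    a, b = (src_ip, sport), (dst_ip, dport)
    if a > b:
        a, b = b, a
    return (a[0], b[0], a[1], b[1], proto, vpn_id)


def hash128(key):
    """128-bit HASH value H of the key. blake2b is only a convenient 128-bit
    mixing function here; the page does not name the hash it uses."""
    data = "|".join(str(x) for x in key).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=16).digest(), "big")


def split_hash(h):
    """Bits 0..N-1 of H give IDX_CAM; the remaining bits are the tag searched
    inside that CAM table."""
    return h & (C_HS - 1), h >> N


@dataclass
class CamEntry:
    tag: int        # high bits of H stored in the CAM
    key: tuple      # full key, compared exactly to rule out HASH collisions
    session: dict   # the session entry (policy, state, counters)


class FlowTable:
    """Per-instance session table FT with the two-level HASH+CAM layout."""

    def __init__(self):
        self.cam = [[] for _ in range(C_HS)]   # one CAM table per HASH bucket

    def lookup(self, key):
        """Return (S-ID, session) or (None, None)."""
        idx_cam, tag = split_hash(hash128(key))
        for idx_entry, e in enumerate(self.cam[idx_cam]):
            if e.tag == tag:
                # CAM hit: confirm with an exact key compare, since two keys can
                # share one H; a tag hit with a different key is a miss (as in the text).
                if e.key == key:
                    return idx_cam * C_CAM + idx_entry, e.session
                return None, None
        return None, None

    def insert(self, key, session):
        """Add a CAM entry and return its S-ID = IDX_CAM x C_CAM + IDX_ENTRY."""
        idx_cam, tag = split_hash(hash128(key))
        table = self.cam[idx_cam]
        if len(table) >= C_CAM:
            raise MemoryError("CAM table %d full (C_CAM=%d)" % (idx_cam, C_CAM))
        table.append(CamEntry(tag, key, session))
        return idx_cam * C_CAM + len(table) - 1


def match_acl(acl_group, pkt):
    """First matching rule wins; a rule is (proto, dport, action). The ACL
    format is constructed for this example."""
    for proto, dport, action in acl_group:
        if proto in (pkt["proto"], "any") and dport in (pkt["dport"], "any"):
            return action
    return "drop"


def process_packet(ft, vfw_config, acl_group, pkt):
    """The receive path described in the text: search FT; on a miss consult the
    instance configuration and the ACL group and create the entry; on a hit read
    the entry directly. Returns (action, S-ID, created)."""
    key = session_key(pkt["src"], pkt["dst"], pkt["sport"],
                      pkt["dport"], pkt["proto"], pkt["vpn"])
    sid, sess = ft.lookup(key)
    if sess is not None:
        sess["pkts"] += 1
        return sess["action"], sid, False
    sess = {"action": match_acl(acl_group, pkt),
            "aspf": vfw_config["aspf"], "pkts": 1}
    sid = ft.insert(key, sess)
    return sess["action"], sid, True
```

Only the first packet of a session pays for the ACL and instance-table lookups; the reverse packet hits the same S-ID and takes its policy from the entry.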
FIG. 7 is a schematic diagram of the functional modules of a third embodiment of the apparatus for implementing a virtual firewall according to the present invention.
In the third embodiment, the apparatus for implementing a virtual firewall further includes:
a creating unit 505, configured to, when creating a virtual firewall instance VFWv, first dequeue resource objects from the total resource queue QA of the total resource pool PA and then enqueue them into the resource queue Qv;
a deleting unit 506, configured to, when deleting the virtual firewall instance VFWv, first dequeue the resource objects from the resource queue Qv of the resource pool Pv and then enqueue them into the total resource queue QA;
where Qv is a queue or stack for each resource type in the resource pool of the virtual firewall instance; QA is the resource corresponding to each resource type in the resource pool of the virtual firewall instance; PA is the total resource pool of the virtual firewall instances; and Pv is the resources in the resource pool corresponding to the virtual firewall instance VFWv.
Optionally, the resource pool mechanism means that each virtual firewall instance has its own separate resource pool, and a virtual firewall instance is only allowed to operate on the resource objects in its own pool. That is, the virtual firewall instance is independently responsible for requesting, reclaiming and aging the resource objects in its pool. The resource objects here include, but are not limited to, address resources, security zone resources, service resources and session resources.
The advantages of resource pools are that the system's resources can be fully utilized and the resources occupied by each virtual firewall instance can be flexibly controlled; at the same time, independent resource pool management greatly reduces the coupling between virtual firewall instances and their mutual interference, making them easier to use.
Since the total amount of system resources is finite, the resources allocated to the resource pool of each virtual firewall instance are also finite. For example, if the system supports at most 32M sessions and at most 256 virtual firewall instances, then each virtual firewall instance can support at most 128K sessions on average.
The resource objects in the resource pool Pv corresponding to the virtual firewall instance VFWv can be managed separately by type, with each type managed by one queue (or stack) Qv, i.e. each resource object of that type corresponds to one member of Qv. The system's resources can be regarded as one largest total resource pool PA, in which each type of resource corresponds to one total queue QA.
When the super administrator creates the virtual firewall instance VFWv, the number of resource objects contained in each resource queue Qv of the resource pool Pv is specified; that is, resource objects are first dequeued from the total resource queue QA of the total resource pool PA and then enqueued into the resource queue Qv. When the super administrator deletes the virtual firewall instance VFWv, the resource objects contained in all resource queues Qv of the resource pool Pv are reclaimed; that is, the resource objects are first dequeued from the resource queue Qv of the resource pool Pv and then enqueued into the total resource queue QA.
The virtual firewall administrator's requesting, reclaiming and aging of resource objects in the resource pool Pv correspond to the dequeue, enqueue and enqueue operations, respectively, on the resource objects in the corresponding resource queue Qv.
FIG. 8 is a schematic diagram of the functional modules of a fourth embodiment of the apparatus for implementing a virtual firewall according to the present invention.
In the fourth embodiment, the apparatus for implementing a virtual firewall further includes:
a configuration unit 507, configured to configure a first administrator for each virtual firewall instance and to configure a second administrator for the first administrators.
Optionally, the hierarchical management mechanism means that independent configuration management of virtual firewall instances is achieved through two-level management: a super administrator creates or deletes virtual firewall instances and designates the corresponding virtual firewall administrator, and the virtual firewall administrator manages the virtual firewall instance independently.
When the super administrator creates or deletes a virtual firewall instance, the corresponding resource pool is allocated to or reclaimed from that instance, i.e. the "resource pool" module described above; at the same time, the super administrator also specifies which data traffic is or is not sent to that virtual firewall instance for processing, i.e. the "traffic distribution" module described above.
The virtual firewall administrator manages the virtual firewall instance, i.e. configures private ACL security rules and manages the resource objects in the resource pool according to the user's security requirements. Here, a virtual firewall instance table is maintained to store the configuration information of each virtual firewall instance. The virtual firewall instance table is a linear table whose key is the index VFW-ID of the virtual firewall instance and whose result is the configuration parameters of that instance, such as which attack-defence types the instance has enabled together with the related threshold parameters, or the configured blacklist parameters. When the virtual firewall administrator configures a related security service, the corresponding fields are updated.
The advantage of hierarchical management is that the super administrator only needs to decide which system resources to allocate to each virtual firewall instance, while the management of the instance itself is handled independently by the virtual firewall administrator, which makes management of the virtual firewall more flexible and convenient.
The above are only preferred embodiments of the present invention and do not limit its patent scope; any equivalent structure or equivalent process transformation made using the description and drawings of the embodiments of the present invention, or applied directly or indirectly in other related technical fields, is likewise included in the scope of patent protection of the present invention.
Industrial applicability
As described above, the embodiments and preferred implementations above overcome the drawbacks of traditional firewall deployment. They provide independent security service policies for different users while greatly reducing maintenance and management costs.

Claims (16)

  1. A method for implementing a virtual firewall, the method comprising:
    obtaining an identifier of a virtual firewall instance according to first information of received data traffic;
    in a case where no session entry matching the data traffic can be found according to second information of the data traffic, looking up configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance, and looking up an access control list (ACL) rule group according to packet information of the data traffic;
    generating a session entry according to the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and saving the security service parameters related to the session in the data traffic in the session entry.
  2. The method according to claim 1, wherein the first information comprises at least a five-tuple, virtual local area network (VLAN) information or Internet Protocol (IP) information of a packet of the data traffic, and the second information comprises at least the five-tuple of the packet of the data traffic.
  3. The method according to claim 1, wherein obtaining the identifier of the virtual firewall instance according to the first information of the received data traffic comprises:
    determining whether the identifier of the virtual firewall instance can be obtained according to interface information of the data traffic and a pre-stored interface mapping table, the interface mapping table comprising a correspondence between the interface information of the data traffic and the identifier of the virtual firewall instance; and if so, performing the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  4. The method according to claim 3, wherein, after the step of performing, if so, the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic, the method further comprises:
    if not, determining whether the identifier of the virtual firewall instance can be obtained according to first packet information of the data traffic and a pre-stored VLAN mapping table, the first packet information comprising at least VLAN information, the VLAN mapping table comprising a correspondence between the VLAN information of the data traffic and the identifier of the virtual firewall instance; and if so, performing the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  5. The method according to claim 4, wherein, after the step of performing, if so, the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic, the method further comprises:
    if not, determining whether the identifier of the virtual firewall instance can be obtained according to the first packet information of the data traffic, a pre-stored first virtual private network (VPN) mapping table and a pre-stored second VPN mapping table, the first packet information comprising at least VLAN information, the first VPN mapping table comprising a correspondence between the VLAN information and VPN information, the second VPN mapping table comprising a correspondence between the VPN information and the identifier of the virtual firewall instance; and if so, performing the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  6. The method according to claim 5, wherein, after the step of performing, if so, the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic, the method further comprises:
    if not, determining whether the identifier of the virtual firewall instance can be obtained according to second packet information of the data traffic and a pre-stored IP mapping table, the second packet information comprising at least an IP address, the IP mapping table comprising a correspondence between the IP address and the identifier of the virtual firewall instance obtained by a HASH operation on the IP address; and if so, performing the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  7. The method according to claim 1, wherein, after obtaining the identifier of the virtual firewall instance according to the first information of the received data traffic, the method comprises:
    searching, according to the second information, for a session entry matching the data traffic;
    wherein searching, according to the second information, for a session entry matching the data traffic comprises:
    performing a HASH operation on the second information to obtain a value H, where the low N bits of H are used to look up the index of a CAM table and the high N bits of H are used to look up the identifier of the CAM table;
    if a match is found in the pre-stored CAM table, obtaining the content of the matched CAM entry and comparing that content with the second information; if they are identical, determining that a session entry matching the data traffic can be found according to the second information; if they differ, determining that no session entry matching the data traffic can be found according to the second information;
    if no match is found in the pre-stored CAM table, determining that no session entry matching the data traffic can be found according to the second information.
  8. The method according to any one of claims 1 to 7, wherein the method further comprises:
    when creating a virtual firewall instance VFWv, first dequeuing resource objects from a total resource queue QA of a total resource pool PA and then enqueuing them into a resource queue Qv;
    when deleting the virtual firewall instance VFWv, first dequeuing the resource objects from the resource queue Qv of a resource pool Pv and then enqueuing them into the total resource queue QA;
    where Qv is a queue or stack for each resource type in the resource pool of the virtual firewall instance; QA is the resource corresponding to each resource type in the resource pool of the virtual firewall instance; PA is the total resource pool of the virtual firewall instances; and Pv is the resources in the resource pool corresponding to the virtual firewall instance VFWv.
  9. An apparatus for implementing a virtual firewall, the apparatus comprising:
    an obtaining unit, configured to obtain an identifier of a virtual firewall instance according to first information of received data traffic;
    a first searching unit, configured to, in a case where no session entry matching the data traffic can be found according to second information of the data traffic, look up configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and look up an ACL rule group according to packet information of the data traffic;
    a generating unit, configured to generate a session entry according to the data traffic, the configuration parameters of the virtual firewall and the ACL rule group, and to save the security service parameters related to the session in the data traffic in the session entry.
  10. The apparatus according to claim 9, wherein the first information comprises at least a five-tuple, VLAN information or IP information of a packet of the data traffic, and the second information comprises at least the five-tuple of the packet of the data traffic.
  11. The apparatus according to claim 9, wherein the obtaining unit is configured to:
    determine whether the identifier of the virtual firewall instance can be obtained according to interface information of the data traffic and a pre-stored interface mapping table, the interface mapping table comprising a correspondence between the interface information of the data traffic and the identifier of the virtual firewall instance; and if so, perform the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  12. The apparatus according to claim 11, wherein the obtaining unit is further configured to:
    if not, determine whether the identifier of the virtual firewall instance can be obtained according to first packet information of the data traffic and a pre-stored VLAN mapping table, the first packet information comprising at least VLAN information, the VLAN mapping table comprising a correspondence between the VLAN information of the data traffic and the identifier of the virtual firewall instance; and if so, perform the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  13. The apparatus according to claim 12, wherein the obtaining unit is further configured to:
    if not, determine whether the identifier of the virtual firewall instance can be obtained according to the first packet information of the data traffic, a pre-stored first VPN mapping table and a pre-stored second VPN mapping table, the first packet information comprising at least VLAN information, the first VPN mapping table comprising a correspondence between the VLAN information and VPN information, the second VPN mapping table comprising a correspondence between the VPN information and the identifier of the virtual firewall instance; and if so, perform the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  14. The apparatus according to claim 13, wherein the obtaining unit is further configured to:
    if not, determine whether the identifier of the virtual firewall instance can be obtained according to second packet information of the data traffic and a pre-stored IP mapping table, the second packet information comprising at least an IP address, the IP mapping table comprising a correspondence between the IP address and the identifier of the virtual firewall instance obtained by a HASH operation on the IP address; and if so, perform the looking up of the configuration parameters of the virtual firewall according to the identifier of the virtual firewall instance and the looking up of the ACL rule group according to the packet information of the data traffic.
  15. The apparatus according to claim 14, wherein the apparatus further comprises a second searching unit, configured to:
    search, according to the second information, for a session entry matching the data traffic;
    wherein the second searching unit is configured to:
    perform a HASH operation on the second information to obtain a value H, where the low N bits of H are used to look up the index of a CAM table and the high N bits of H are used to look up the identifier of the CAM table;
    if a match is found in the pre-stored CAM table, obtain the content of the matched CAM entry and compare that content with the second information; if they are identical, determine that a session entry matching the data traffic can be found according to the second information; if they differ, determine that no session entry matching the data traffic can be found according to the second information;
    if no match is found in the pre-stored CAM table, determine that no session entry matching the data traffic can be found according to the second information.
  16. The apparatus according to any one of claims 9 to 15, wherein the apparatus further comprises:
    a creating unit, configured to, when creating a virtual firewall instance VFWv, first dequeue resource objects from a total resource queue QA of a total resource pool PA and then enqueue them into a resource queue Qv;
    a deleting unit, configured to, when deleting the virtual firewall instance VFWv, first dequeue the resource objects from the resource queue Qv of a resource pool Pv and then enqueue them into the total resource queue QA;
    where Qv is a queue or stack for each resource type in the resource pool of the virtual firewall instance; QA is the resource corresponding to each resource type in the resource pool of the virtual firewall instance; PA is the total resource pool of the virtual firewall instances; and Pv is the resources in the resource pool corresponding to the virtual firewall instance VFWv.
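The per-packet path of claims 1 to 7 (and the second searching unit 504 of the second embodiment above) as a runnable software model. This is an added example, not code from the patent or its assignee: it resolves the VFW-ID through the interface, VLAN, VLAN-to-VPN-to-VFW and IP mapping tables in the order the claims give, hashes the five-tuple so that the low N bits select a CAM bucket and the high N bits form the tag, compares the stored content against the five-tuple so that a tag collision is not mistaken for a session hit, and on a miss builds the session entry from the instance's configuration parameters and the matching ACL rule group. N = 8, the SHA-256 prefix as the HASH function, a dict standing in for the hash-keyed IP mapping table, and all table contents are assumptions chosen for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

N = 8   # assumed width: low N bits of H select one of 2**N CAM buckets and the
        # high N bits form the bucket tag; the patent leaves N unspecified


@dataclass(frozen=True)
class Packet:
    iface: str
    vlan: Optional[int]
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

    @property
    def five_tuple(self):
        # the "second information": the packet's five-tuple
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


def split_hash(five_tuple):
    """HASH(second information) -> (CAM index, CAM tag), as in claim 7."""
    digest = hashlib.sha256(repr(five_tuple).encode()).digest()
    H = int.from_bytes(digest[:4], "big")   # 32-bit value H (SHA-256 prefix is an assumption)
    return H & ((1 << N) - 1), H >> (32 - N)


class SessionTable:
    """Software model of the CAM: buckets keyed by index, each holding (tag, content, entry)."""

    def __init__(self):
        self.buckets = {}

    def lookup(self, five_tuple):
        index, tag = split_hash(five_tuple)
        for t, content, entry in self.buckets.get(index, []):
            # a CAM hit on the tag alone is not enough: the stored content must
            # equal the second information, otherwise it is only a tag collision
            if t == tag and content == five_tuple:
                return entry
        return None

    def insert(self, five_tuple, entry):
        index, tag = split_hash(five_tuple)
        self.buckets.setdefault(index, []).append((tag, five_tuple, entry))


def resolve_vfw_id(pkt, iface_map, vlan_map, vlan_to_vpn, vpn_map, ip_map):
    """Cascade of claims 3 to 6: interface map, VLAN map, VLAN->VPN->VFW maps, then IP map."""
    if pkt.iface in iface_map:
        return iface_map[pkt.iface]
    if pkt.vlan in vlan_map:
        return vlan_map[pkt.vlan]
    if pkt.vlan in vlan_to_vpn and vlan_to_vpn[pkt.vlan] in vpn_map:
        return vpn_map[vlan_to_vpn[pkt.vlan]]
    return ip_map.get(pkt.src_ip)   # claim 6 keys this table by a hash of the IP; a dict stands in


def find_acl_group(acl_groups, pkt):
    """First ACL rule group whose match fields all equal the packet's fields."""
    for group in acl_groups:
        if all(getattr(pkt, k) == v for k, v in group["match"].items()):
            return group
    return None


def process_packet(pkt, sessions, instance_table, tables, acl_groups):
    """Claim 1 per packet: VFW-ID, session lookup, and on a miss build the session entry."""
    vfw_id = resolve_vfw_id(pkt, **tables)
    if vfw_id is None:
        return "no-vfw", None
    entry = sessions.lookup(pkt.five_tuple)
    if entry is not None:
        return "session-hit", entry
    config = instance_table[vfw_id]                 # linear table keyed by VFW-ID
    group = find_acl_group(acl_groups[vfw_id], pkt)
    if group is None:
        return "acl-miss", None
    entry = {"vfw_id": vfw_id, "action": group["action"],
             "syn_threshold": config["syn_threshold"],
             "blacklisted": pkt.src_ip in config["blacklist"]}
    sessions.insert(pkt.five_tuple, entry)          # later packets of this flow hit here
    return "session-created", entry


# Constructed sample tables for the example (not taken from the patent)
TABLES = {
    "iface_map": {"ge0/1": 1},
    "vlan_map": {100: 2},
    "vlan_to_vpn": {200: "vpn-a"},
    "vpn_map": {"vpn-a": 3},
    "ip_map": {"10.9.9.9": 2},
}
INSTANCE_TABLE = {
    1: {"syn_threshold": 1000, "blacklist": {"10.0.0.9"}},
    2: {"syn_threshold": 500, "blacklist": set()},
    3: {"syn_threshold": 200, "blacklist": set()},
}
ACL_GROUPS = {
    1: [{"match": {"dst_port": 443, "proto": "tcp"}, "action": "permit"}],
    2: [{"match": {"proto": "udp"}, "action": "deny"}],
    3: [],
}
```

The content comparison in `SessionTable.lookup` is the step that matters for correctness: two different flows can share both the low-N index and the high-N tag, and without comparing the stored five-tuple a packet from one customer's instance could be matched to a session entry that belongs to another.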
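The resource pool and hierarchical management mechanisms (third and fourth embodiments above, and claims 8 and 16) as a runnable model. This is an added example, not code from the patent or its assignee: the total pool PA holds one queue QA per resource type; creating an instance dequeues the requested number of objects from QA into the instance's own queue Qv, deleting it returns them, and only the designated instance administrator may request (dequeue) or reclaim/age (enqueue) objects in that instance's pool, so exhausting one instance's pool cannot affect another. Resource objects as labelled strings, the administrator names, the pool sizes and the `scenario()` walk-through are all constructed for the example.

```python
from collections import deque


class ResourceExhausted(Exception):
    """The requested queue is empty; the caller gets an error, other instances are unaffected."""


class VfwResourceManager:
    """Total pool PA (one queue QA per type) plus one pool Pv (one queue Qv per type) per instance."""

    def __init__(self, capacity, super_admin="superadmin"):
        # constructed: each resource object is a labelled string, e.g. "session-3"
        self.PA = {t: deque(f"{t}-{i}" for i in range(n)) for t, n in capacity.items()}
        self.super_admin = super_admin
        self.instances = {}          # VFW-ID -> {"admin", "pool" (Pv), "in_use"}

    def free(self, rtype):
        """Objects still available in the total queue QA for this type."""
        return len(self.PA[rtype])

    def _require_super(self, actor):
        if actor != self.super_admin:
            raise PermissionError(f"{actor} is not the super administrator")

    def _require_instance_admin(self, actor, vfw_id):
        inst = self.instances[vfw_id]
        if actor != inst["admin"]:
            raise PermissionError(f"{actor} may not touch the pool of VFW {vfw_id}")
        return inst

    def create_instance(self, actor, vfw_id, admin, sizes):
        """Super admin only: dequeue sizes[t] objects from QA and enqueue them into Qv."""
        self._require_super(actor)
        if vfw_id in self.instances:
            raise ValueError(f"VFW {vfw_id} already exists")
        # check every type before moving anything, so a shortfall leaves PA untouched
        for t, n in sizes.items():
            if len(self.PA[t]) < n:
                raise ResourceExhausted(f"PA has {len(self.PA[t])} {t} objects, {n} requested")
        pv = {t: deque() for t in self.PA}
        for t, n in sizes.items():
            for _ in range(n):
                pv[t].append(self.PA[t].popleft())   # dequeue from QA, enqueue into Qv
        self.instances[vfw_id] = {"admin": admin, "pool": pv,
                                  "in_use": {t: set() for t in self.PA}}

    def delete_instance(self, actor, vfw_id):
        """Super admin only: dequeue everything from each Qv back into QA, live objects included."""
        self._require_super(actor)
        inst = self.instances.pop(vfw_id)
        for t, q in inst["pool"].items():
            while q:
                self.PA[t].append(q.popleft())
            for obj in sorted(inst["in_use"][t]):      # sessions not yet aged are reclaimed too
                self.PA[t].append(obj)

    def allocate(self, actor, vfw_id, rtype):
        """Instance admin requests an object: dequeue from that instance's own Qv."""
        inst = self._require_instance_admin(actor, vfw_id)
        q = inst["pool"][rtype]
        if not q:
            raise ResourceExhausted(f"VFW {vfw_id} has no free {rtype} objects")
        obj = q.popleft()
        inst["in_use"][rtype].add(obj)
        return obj

    def release(self, actor, vfw_id, rtype, obj):
        """Reclaim or age out an object: enqueue it back into the instance's Qv."""
        inst = self._require_instance_admin(actor, vfw_id)
        inst["in_use"][rtype].remove(obj)
        inst["pool"][rtype].append(obj)
        return len(inst["pool"][rtype])


def scenario():
    """Constructed walk-through: 8 session objects split 5 + 3 between two instances."""
    m = VfwResourceManager({"session": 8, "address": 4})
    m.create_instance("superadmin", 1, "alice", {"session": 5, "address": 2})
    m.create_instance("superadmin", 2, "bob", {"session": 3, "address": 2})
    out = {"free_after_create": m.free("session")}
    try:
        m.allocate("bob", 1, "session")            # bob reaching into alice's pool
        out["cross_pool"] = "allowed"
    except PermissionError:
        out["cross_pool"] = "denied"
    bob_objs = [m.allocate("bob", 2, "session") for _ in range(3)]
    try:
        m.allocate("bob", 2, "session")            # bob's Qv is now empty
        out["bob_fourth"] = "allowed"
    except ResourceExhausted:
        out["bob_fourth"] = "exhausted"
    out["alice_still_free"] = len(m.instances[1]["pool"]["session"])
    m.release("bob", 2, "session", bob_objs[0])
    out["bob_after_release"] = len(m.instances[2]["pool"]["session"])
    m.delete_instance("superadmin", 2)             # all of bob's objects return to QA
    out["free_after_delete"] = m.free("session")
    try:
        m.create_instance("alice", 3, "carol", {"session": 1})
        out["admin_create"] = "allowed"
    except PermissionError:
        out["admin_create"] = "denied"
    return out
```

The two checks a reviewer should look for are both here: the super administrator verifies that QA can satisfy every requested size before any object moves, so a failed create never leaves PA partially drained, and deletion returns in-use objects as well as free ones, so no session object is leaked when an instance is torn down while it still holds live sessions.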
PCT/CN2015/085627 2014-11-11 2015-07-30 Method and device for implementing virtual firewall WO2016074502A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410631667.1 2014-11-11
CN201410631667.1A CN105577628B (en) 2014-11-11 2014-11-11 Method and device for realizing virtual firewall

Publications (1)

Publication Number Publication Date
WO2016074502A1 true WO2016074502A1 (en) 2016-05-19

Family

ID=55887291

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/085627 WO2016074502A1 (en) 2014-11-11 2015-07-30 Method and device for implementing virtual firewall

Country Status (2)

Country Link
CN (1) CN105577628B (en)
WO (1) WO2016074502A1 (en)

Also Published As

Publication number Publication date
CN105577628B (en) 2020-01-21
CN105577628A (en) 2016-05-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15858382

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15858382

Country of ref document: EP

Kind code of ref document: A1