CN1439985A - Method for improving fire wall performance - Google Patents

Method for improving fire wall performance

Info

Publication number: CN1439985A
Authority: CN (China)
Prior art keywords: node, address translation, network, rule, network address
Legal status: Granted; current status Expired - Fee Related (Google notes that the legal status is an assumption and not a legal conclusion, as it has not performed a legal analysis)
Application number: CN 02104228
Other languages: Chinese (zh)
Other versions: CN1232922C (en)
Inventor: 傅一帆
Current assignee / original assignee: NATIONAL COMPUTER SYSTEM ENGINEERING RESEARCH INSTITUTE (Google notes that the listed assignees may be inaccurate)
Priority date / filing date: 2002-02-20 (Google notes that the priority date is an assumption and not a legal conclusion)
Publication date: 2003-09-03
Application filed by NATIONAL COMPUTER SYSTEM ENGINEERING RESEARCH INSTITUTE; priority to CN 02104228 (patent CN1232922C); publication of CN1439985A; application granted; publication of CN1232922C; anticipated expiration

Abstract

A method for improving the performance of a firewall in a computer network system applies a multidimensional-space model to the construction of security rules. It comprises the following steps: 1) the user enters the security policy; 2) the entered rules are preprocessed by space division, syntax checking and semantic analysis; 3) the preprocessed rules are compiled and optimised into a security-policy semantic structure tree, which is loaded into the kernel; and 4) the firewall security policy generated in this way is queried. In step 4 the packet-filtering module captures each packet passing through the firewall, extracts the header information from it, looks that information up in the loaded tree to obtain the access state, and then executes the corresponding action.

Description

A method for improving firewall performance
Technical field
The present invention relates to the firewall security model in a computer network system; it improves the forwarding efficiency of the firewall by applying a multidimensional-space model to the firewall rules together with a fast search method.
Background technology
Existing firewall packet-filtering rules generally take an action (accept, drop, network address translation and so on) according to parameters such as the IP source address, IP destination address, service port number, user identity and time. The firewall stores its rules in order. When filtering a packet it extracts the header information (IP source address, IP destination address, source port, destination port) and compares it against the firewall's n rules one by one until it finds a rule whose information matches the packet; that rule is then applied and the corresponding action is taken. Without optimisation, the average search length of this procedure is (n+1)/2. Existing firewalls therefore have the following drawbacks: sequential search is slow, and forwarding efficiency falls as the number of rules grows; the rule search complexity is O(N), where N is the number of simple rules.
Summary of the invention
The present invention improves the processing speed and throughput of firewall security rules by a method of reorganising the firewall security rules. The method represents the conventional parameters above as coordinates in a multidimensional space, and the action is abstracted as a function mapping on that space: Action = f(x1, x2, ..., xn), where x1, x2, ..., xn are the independent variables on the multidimensional space and the action is the function value, representing one specific set of actions. Compared with the conventional method, the spatial-model method has a rule search complexity of O(log N) (N being the number of simple rules). The invention reorganises the packet-filtering rules into a tree; the semantic structure tree unfolds the firewall rules in the multidimensional space, so that the total amount of computation for rule lookup falls greatly and the computational complexity is reduced to O(log N).
Description of drawings
Fig. 1 shows a typical network environment.
Fig. 2 is a flow chart of the method of searching the rule tree formed according to the invention.
Embodiment
The invention is described below with reference to a specific embodiment and the accompanying drawings. The method of generating the security rule tree using the multidimensional-space model is as follows:
1) the user enters the security policy;
2) the security rules entered by the user are preprocessed: space division, syntax checking and semantic analysis;
3) the preprocessed rule table is compiled and optimised to generate the security-policy semantic structure tree, which is loaded into the kernel;
4) the firewall security policy generated as above is queried.
The network environment in Fig. 1 is a typical application environment in which cygergate2.0 has been deployed. Intranet users may access the DNS service and the WWW service in the DMZ and may access the Internet; users on the Internet may access the services provided by the DMZ. On the firewall host the external network has three legal IP addresses: 159.226.232.254, used for outbound access by users; 159.226.232.73, used for the domain name service; and 159.226.232.116, used for the web service. The intranet and the DMZ each have one local IP address: 172.16.1.222 (intranet) and 172.16.9.222 (DMZ). In general, the following kinds of access are allowed in the example of Fig. 1:
1. The external network accesses the servers in the DMZ; specifically, Internet users may access the http service provided by websrv;
2. Intranet users access the external network; specifically, ordinary intranet users may access certain services provided by the Internet;
3. Since we do not usually access hosts by IP address directly, the intranet is allowed to access the domain name service provided by dnssrv in the DMZ, and dnssrv and the name servers of the external network are allowed to access each other.
The following describes how the security-rule multidimensional-space model of the cygergate2.0 firewall is implemented in such a network environment. First, the user enters the security rules. Before the firewall performs packet filtering, the user first configures it; the configuration comprises the network objects, the network interface objects and the rule table. Network objects are the basic elements from which access control rules are built. We give a name to an IP range, or to a single IP, so that it is easy for the user to remember, for example a server, an ordinary host or a network segment. The firewall builds its access control rules from these most basic elements, used as source or destination. See the table below.
Title  Interface  Minimum IP    Maximum IP
net1   qfe0       1.0.0.1       9.255.255.254
net2   qfe0       11.0.0.1      126.255.255.254
net3   qfe0       128.0.0.1     172.15.255.254
net4   qfe0       172.32.0.1    192.167.255.254
net5   qfe0       192.169.0.1   223.255.255.254
(Together net1 to net5 cover the public unicast address space while leaving out 10/8, 127/8, 172.16/12 and 192.168/16.)
Title   Network address translation  IP after translation  Interface  Server IP address
websrv  static destination mode      172.16.9.94           qfe2       159.226.252.116
dnssrv  static destination mode      172.16.9.95           qfe2       159.226.232.73
The configuration of the network interface objects lets the user set the information about the interfaces on the firewall. It mainly comprises scanning all network cards of the firewall and designating the internal and external network cards of the firewall. See the table below.
No.  Interface name  IP address       Position  Gateway name
1    qfe0            159.226.232.254  outside   gate
2    qfe1            172.16.1.222     inside    gate
3    qfe2            172.16.9.222     inside    gate
The rule table is the set of access control rules formulated by the user. See the table below.
Rule 1:
Source address            Destination address  Service  Action
net1 net2 net3 net4 net5  websrv               http     accept
From the user's input the following databases are generated: (1) the network object management database, (2) the network interface object management database, and (3) the rule table database.
Space division is then carried out: the port numbers of the services and the IP addresses of the network objects are divided into regions that have no intersection, and these are stored in the database. After space division the network objects and services have been divided into mutually disjoint small blocks, stored in the database for use by the loading function. The purpose of space division is to prepare for syntax checking and semantic analysis, to reduce grammar errors and semantic conflicts as far as possible, and to simplify the compilation process.
Because of the way people work, the rules a user enters as control rules may contain repetition and contradiction. The input module therefore preprocesses the rules entered by the user to obtain a rule set that is grammatically error-free and semantically consistent. This grammar and semantic check is the rule preprocessing step. It checks whether any of the following situations occurs:
1. Checks on the elements that make up a rule: the source and destination may not be identical; a rule must contain a source, a destination and a service;
2. Checks on the relations between rules: if there is a semantic conflict between rules, it is handled on the principle that the rule appearing earlier in the rule table has priority;
3. Checks to avoid invalid rules: for example, an invalid (non-routable) internal address may not access the outside without network address translation;
4. Checks that the network objects agree with the actual network interface, network address and translation mode: the source objects, or the destination objects, of one rule should have the same interface, network address and translation mode.
Every rule must pass these checks before it enters the database; only a rule that has been checked can be correctly entered into the database.
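The four checks above, as an added worked example written for this page (it is not the patent's or cygergate2.0's code). It models a network object as a named inclusive address range bound to one interface with a NAT mode, runs the checks in the order the patent lists them, and rejects a later rule that repeats or contradicts an earlier one, applying the earlier-rule-has-priority principle. The names NetObj, Rule, preprocess and the helper functions are assumptions made here; net1 to net5 and websrv follow the tables above (websrv's legal address is taken from the description text), while the intranet and lan_nonat objects and rules 2 to 7 are constructed for the example. The patent's "valid ip" flag is derived here from the RFC 1918 private ranges, which is also an assumption.

```python
"""Rule preprocessing: the patent's syntax and semantic checks (step 2).
Added illustration for this page, not the patent's or cygergate2.0's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAT_NONE, NAT_HIDE, NAT_STATIC_SRC, NAT_STATIC_DST = 0, 1, 2, 3  # the patent's numbering
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class NetObj:
    """Network object: a named inclusive address range bound to one firewall interface."""
    name: str
    first: str
    last: str
    iface: str
    nat_mode: int = NAT_NONE

    @property
    def lo(self):
        return int(ipaddress.ip_address(self.first))

    @property
    def hi(self):
        return int(ipaddress.ip_address(self.last))

    def overlaps(self, other):
        return self.lo <= other.hi and other.lo <= self.hi

    def valid_ip(self):
        """The patent's 'valid ip' flag; derived from the RFC 1918 ranges (assumption)."""
        return not any(ipaddress.ip_address(self.first) in net for net in PRIVATE)


@dataclass(frozen=True)
class Rule:
    rid: int
    src: tuple              # network object names
    dst: tuple
    service: Optional[int]  # destination port; None models a missing field
    action: str


def _same_side(objs):
    """Check 4: all objects on one side of a rule share interface and NAT mode."""
    return len({(o.iface, o.nat_mode) for o in objs}) <= 1


def _overlap(a, b, objs):
    """Check 2: same service and overlapping source and destination address spaces."""
    def hit(xs, ys):
        return any(objs[x].overlaps(objs[y]) for x in xs for y in ys)
    return a.service == b.service and hit(a.src, b.src) and hit(a.dst, b.dst)


def preprocess(rules, objs):
    """Apply the four checks in order; return (accepted rules, {rule id: reason}).
    Rules are taken in table order, so an earlier rule always has priority."""
    accepted, errors = [], {}
    for r in rules:
        srcs, dsts = [objs[n] for n in r.src], [objs[n] for n in r.dst]
        if not r.src or not r.dst or r.service is None:
            errors[r.rid] = "missing source, destination or service"
        elif set(r.src) == set(r.dst):
            errors[r.rid] = "source and destination are identical"
        elif any(_overlap(r, a, objs) for a in accepted):
            errors[r.rid] = "repeats or contradicts an earlier rule, which has priority"
        elif any(not s.valid_ip() and s.nat_mode == NAT_NONE and d.valid_ip()
                 for s in srcs for d in dsts):
            errors[r.rid] = "local address reaches the outside without NAT"
        elif not _same_side(srcs) or not _same_side(dsts):
            errors[r.rid] = "objects on one side differ in interface or NAT mode"
        else:
            accepted.append(r)
    return accepted, errors


# net1-net5 and websrv follow the page's tables; intranet and lan_nonat are constructed.
OBJECTS = {o.name: o for o in (
    NetObj("net1", "1.0.0.1", "9.255.255.254", "qfe0"),
    NetObj("net2", "11.0.0.1", "126.255.255.254", "qfe0"),
    NetObj("net3", "128.0.0.1", "172.15.255.254", "qfe0"),
    NetObj("net4", "172.32.0.1", "192.167.255.254", "qfe0"),
    NetObj("net5", "192.169.0.1", "223.255.255.254", "qfe0"),
    NetObj("websrv", "159.226.232.116", "159.226.232.116", "qfe2", NAT_STATIC_DST),
    NetObj("intranet", "172.16.1.1", "172.16.1.254", "qfe1", NAT_HIDE),
    NetObj("lan_nonat", "172.16.2.1", "172.16.2.254", "qfe1"),
)}
EXTERNAL = ("net1", "net2", "net3", "net4", "net5")
RULES = [
    Rule(1, EXTERNAL, ("websrv",), 80, "accept"),              # the page's rule 1
    Rule(2, ("intranet",), EXTERNAL, 80, "accept"),            # intranet browses out via hide NAT
    Rule(3, ("lan_nonat",), ("net1",), 80, "accept"),          # check 3: local address, no NAT
    Rule(4, ("net1",), ("websrv",), 80, "drop"),               # check 2: contradicts rule 1
    Rule(5, ("websrv",), ("websrv",), 80, "accept"),           # check 1: source == destination
    Rule(6, ("intranet",), ("net1",), None, "accept"),         # check 1: service missing
    Rule(7, ("net1", "intranet"), ("websrv",), 443, "accept"), # check 4: mixed interfaces
]

if __name__ == "__main__":
    ok, bad = preprocess(RULES, OBJECTS)
    print("accepted:", [r.rid for r in ok])
    for rid, why in bad.items():
        print(f"rule {rid} rejected: {why}")
```

Check 2 compares address spaces rather than object names, so rule 4 (net1 to websrv) is rejected as contradicting rule 1 even though it names a different object; that is exactly the comparison the space division of the previous paragraph is meant to make cheap. A practitioner would log each rejected rule with its reason rather than drop it silently, since a silently dropped deny rule is a policy hole.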
If none of the above problems occurs, the compile step is entered and the rule tree is generated. The rule tree has three levels: Snet, Dnet and Port. Its purpose is to let the packet-filtering module obtain the information about the type of action to trigger after looking up the three levels of the rule tree one after another. The concrete steps of the semantic analysis that generates the rule tree are:
1. Retrieve from the rule table database all rules whose id belongs to the set of action numbers, and generate an Snet linked list from the Snet nodes of these rules; each node in the list contains the id, the rule number and the network object number.
2. Likewise, retrieve the Dnet nodes of all rules whose id belongs to the set of action numbers from the rule table database and generate a Dnet linked list; each node in the list contains the id, the rule number and the network object number.
3. Likewise, retrieve the service nodes of all such rules from the rule table database and generate a service linked list; each node in the list contains the id and the rule number.
4. Starting from the first node of the Snet list, generate its Dnet list, then generate the service list of the first node of that Dnet list, build a balanced binary tree from this service list and attach it to the Dnet node. The tree of the first Dnet node of the first Snet node is now generated.
5. In turn, generate the tree of the second Dnet node of the first Snet node, and so on up to the service tree of the last Dnet node of the first Snet node. At this point the Dnet tree of the first Snet node can be generated and attached to this first Snet node.
6. As in steps 4 and 5, process the second Snet node. When all nodes of the Snet list have been processed, a balanced binary tree is generated from the Snet list. The three-level structure of the rule tree is thereby complete. It remains only to load the network address translation information into the rule table query result of each service node.
7. Network address translation analysis. This is divided into the following steps:
(a) After the structure of the whole rule tree has been generated, traverse each Snet node in the tree and load the network address translation information for each Snet node in turn, as follows: read the network object id (i.e. the network object number) of each Snet and look it up in the network object database; from the network object number the following information is obtained: valid ip, network card number, network address translation mode, the IP after translation, and Ipsrc.
(b) If the network object read has valid ip = 1, i.e. Ipsrc is a legal address, no network address translation is needed. In that case set the node's network address translation mode = 0 (/* 0: no network address translation */); find the corresponding NIC in the network interface object management table from the network card number; package the NIC, network address translation mode and Ipsrc information; then traverse every service node of every Dnet under this Snet node and package the Action information already loaded on each service node, together with the NIC, network address translation mode and Ipsrc information above, into fg_RuleResult, which is again loaded on each service node.
(c) If the network object read has valid ip = 0, i.e. Ipsrc is a local address, read its network address translation mode; there are two possible values: 1: hide (hide mode); 2: static src (static source mode). Record the IP after translation (at present, for hide-mode translation, only one legal IP corresponds after translation): set IpAddr = the IP after translation; set network address translation mode = hide; record the NIC; record the Ipsrc of this Snet.
(d) Then traverse each Dnet node under this Snet node and read the network object number corresponding to each Dnet node. Read the valid ip corresponding to the network object number.
If valid ip = 0, traverse the next-level service nodes attached to this Dnet node under this Snet node and, in the rule table query result of each service node, set its network address translation mode = 0 (no translation) and set its NIC to the NIC of the network object number.
If valid ip = 1 (Ipdst is a legal address), find its valid ip and network address translation mode from the value of this network object number, record the translation mode, then find its NIC and location in the network interface object management table and record the NIC:
(1) If location = 0 (this Ipdst is bound to an internal network interface), check the network address translation mode recorded for the Dnet node: (a) if the mode = 0 (no translation), this Ipdst is a legal IP placed on the inside and needs no translation, so set its translation mode = 0 (no translation), set its NIC to the NIC of the Snet recorded above, and package; (b) if the mode = 3 (static dst), this Ipdst is in a DMZ on an internal network interface and is reached by static destination translation, so set its translation mode = 3, set its NIC to the NIC of this Dnet node, and package.
(2) If location = 1 (this Ipdst is bound to an external network interface), take the NIC, network address translation mode and IpAddr recorded in step (c) and package them.
(e) Traverse each service node under this Dnet node and load the packaged information into the rule table query result of each service node.
The search procedure of the rule tree is described in detail below with reference to Fig. 2. Searching the rule tree is quite simple. When filtering a packet, the header information (IP source address, IP destination address, source port, destination port) is extracted from the packet. The IP source address is looked up in the rule tree, which finally yields a pointer; taking that node as the root, the IP destination address is looked up in its subtree space; likewise, the destination port is then looked up, and finally a rule tree query result is obtained, on the basis of which the packet-filtering module takes the corresponding action.
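The tree construction of steps 1 to 7 above (with the network address translation information packaged at the leaves) and the Fig. 2 search procedure, as one added worked example written for this page; it is not the patent's or cygergate2.0's code. It keeps each level as a sorted list of disjoint segments searched with bisect instead of a balanced binary tree (the same O(log n) cost per level), packages the leaf record as a dict in place of fg_RuleResult, and reduces the network address translation analysis to cases (b), (c) and (d)(1)(b) of step 7. The net3 and websrv objects follow the tables above; the intranet object, rules 2 and 3, and the names NetObj, Rule, Level, rule_result, build_tree, lookup and linear_scan are constructed for the example.

```python
"""Snet -> Dnet -> Port rule tree: added illustration for this page, not the patent's code."""
import bisect
import ipaddress
from dataclasses import dataclass

NAT_NONE, NAT_HIDE, NAT_STATIC_SRC, NAT_STATIC_DST = 0, 1, 2, 3  # the patent's numbering


def ip2int(s):
    return int(ipaddress.ip_address(s))


@dataclass(frozen=True)
class NetObj:
    """Network object: inclusive address range, firewall NIC, valid-ip flag, NAT settings."""
    lo: int
    hi: int
    nic: str
    valid_ip: bool            # True = legal (public) address, False = local address
    nat_mode: int = NAT_NONE
    xlate: int = 0            # address after translation (hide or static dst)


@dataclass(frozen=True)
class Rule:
    rid: int
    src: NetObj
    dst: NetObj
    port: int
    action: str


def rule_result(r):
    """Leaf record (stands in for fg_RuleResult): action plus NAT info, step 7 simplified."""
    res = {"rule": r.rid, "action": r.action, "nic": r.src.nic,
           "src_nat": NAT_NONE, "src_xlate": None, "dst_nat": NAT_NONE, "dst_xlate": None}
    if not r.src.valid_ip and r.src.nat_mode in (NAT_HIDE, NAT_STATIC_SRC):  # step (c)
        res.update(src_nat=r.src.nat_mode, src_xlate=r.src.xlate)
    if r.dst.valid_ip and r.dst.nat_mode == NAT_STATIC_DST:  # step (d)(1)(b)
        res.update(dst_nat=NAT_STATIC_DST, dst_xlate=r.dst.xlate, nic=r.dst.nic)
    return res


def split_space(intervals):
    """Space division: cut [lo, hi] ranges into disjoint elementary segments."""
    pts = sorted({p for lo, hi in intervals for p in (lo, hi + 1)})
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]


class Level:
    """One tree level: disjoint segments kept sorted and found by binary search."""
    def __init__(self):
        self.lows, self.highs, self.children = [], [], []

    def add(self, lo, hi, child):
        i = bisect.bisect_left(self.lows, lo)
        self.lows.insert(i, lo)
        self.highs.insert(i, hi)
        self.children.insert(i, child)

    def find(self, x):
        i = bisect.bisect_right(self.lows, x) - 1
        return self.children[i] if i >= 0 and x <= self.highs[i] else None


def build_tree(rules):
    """Snet level -> Dnet level -> port level; the earliest rule wins each leaf."""
    root = Level()
    for slo, shi in split_space([(r.src.lo, r.src.hi) for r in rules]):
        srules = [r for r in rules if r.src.lo <= slo and shi <= r.src.hi]
        if not srules:
            continue
        dlevel = Level()
        for dlo, dhi in split_space([(r.dst.lo, r.dst.hi) for r in srules]):
            drules = [r for r in srules if r.dst.lo <= dlo and dhi <= r.dst.hi]
            if not drules:
                continue
            plevel = Level()
            for port in sorted({r.port for r in drules}):
                plevel.add(port, port, rule_result(next(r for r in drules if r.port == port)))
            dlevel.add(dlo, dhi, plevel)
        root.add(slo, shi, dlevel)
    return root


def lookup(root, src, dst, port):
    """Fig. 2: source, then destination within that subtree, then port; no leaf = drop."""
    dlevel = root.find(src)
    plevel = dlevel.find(dst) if dlevel else None
    res = plevel.find(port) if plevel else None
    return res if res else {"rule": None, "action": "drop"}


def linear_scan(rules, src, dst, port):
    """The background section's baseline: first matching rule in table order, O(n)."""
    for r in rules:
        if r.src.lo <= src <= r.src.hi and r.dst.lo <= dst <= r.dst.hi and r.port == port:
            return rule_result(r)
    return {"rule": None, "action": "drop"}


# net3 and websrv follow the page's tables; the intranet object and rules 2-3 are constructed.
NET3 = NetObj(ip2int("128.0.0.1"), ip2int("172.15.255.254"), "qfe0", True)
WEBSRV = NetObj(ip2int("159.226.232.116"), ip2int("159.226.232.116"), "qfe2", True,
                NAT_STATIC_DST, ip2int("172.16.9.94"))
INTRANET = NetObj(ip2int("172.16.1.1"), ip2int("172.16.1.254"), "qfe1", False,
                  NAT_HIDE, ip2int("159.226.232.254"))
RULES = [Rule(1, NET3, WEBSRV, 80, "accept"),    # the page's rule 1, restricted to net3
         Rule(2, INTRANET, NET3, 80, "accept"),  # intranet browses outside through hide NAT
         Rule(3, INTRANET, WEBSRV, 22, "drop")]  # websrv lies inside net3, so dst space splits
TREE = build_tree(RULES)
```

lookup and linear_scan return the same record for every packet, and that equivalence is the check worth keeping in a test when rewriting a rule compiler: the tree changes only the cost of the search, never the policy. The price of the tree is replication: a rule spanning several elementary segments is copied into each of them (rule 2 appears under three Dnet segments here, because websrv splits net3's destination space), so memory grows with the number of overlapping ranges even though lookup time does not.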
The invention can run under a large number of different operating systems on many computers or computer sets. What the invention sets forth is an improved general model for organising the filtering rules on a firewall system so as to improve the search speed. Implementations of this model on different hardware platforms, and further extensions carried out on the basis of this model, all fall within the scope of the invention: for example, implementations of the method on the Windows platform, on the various Unix platforms including Solaris and Linux, or on different hardware platforms such as PC and SPARC machines; extensions of the method, such as support in the rules for the concepts of user and group, for authentication, for auditing, for logging, for encryption and for VPN; modifications made to the administration interface of a firewall system built on this invention; and modifications of some aspects of the rule tree itself. All of these are included within the scope of the invention.

Claims (9)

(d) Then traverse each Dnet node under this Snet node and read the network object number corresponding to each Dnet node; read the valid ip corresponding to the network object number; if valid ip = 0, traverse the next-level service nodes attached to this Dnet node under this Snet node and, in the rule table query result of each service node, set its network address translation mode = 0 (no translation) and set its NIC to the NIC of the network object number; if valid ip = 1 (Ipdst is a legal address), find its valid ip and network address translation mode from the value of this network object number, record the translation mode, then continue in the network interface object management table to find its NIC and location, and record the NIC

Priority Applications (1)

Application Number        Priority Date  Filing Date  Title
CN 02104228 (CN1232922C)  2002-02-20     2002-02-20   Method for improving fire wall performance

Publications (2)

Publication Number  Publication Date
CN1439985A          2003-09-03
CN1232922C          2005-12-21

Family

ID=27793058. Family application: CN 02104228 (CN1232922C), priority date 2002-02-20, filing date 2002-02-20, Expired - Fee Related. Country status: CN, CN1232922C.

Cited By (18)

* Cited by examiner, † Cited by third party

Publication number  Priority date  Publication date  Assignee  Title
CN100384143C *  2004-08-24  2008-04-23  华为技术有限公司  A method for network switching equipment to detect malicious IP scanning
CN101036369B *  2004-10-08  2011-02-23  国际商业机器公司  Offline analysis of packets
CN100359889C *  2004-10-29  2008-01-02  江苏南大苏富特软件股份有限公司  Packet Filtering and Management Method Based on Policy Tree
CN1863193B *  2005-05-10  2010-10-13  联想网御科技(北京)有限公司  Method for implementing safety tactics of network safety apparatus
CN100395997C *  2005-07-12  2008-06-18  华为技术有限公司  A method for protecting the security of access users
CN1988447B *  2006-12-22  2010-08-18  华为技术有限公司  Method and device for treating communication network service
CN101242260B *  2007-02-08  2010-12-15  北京天融信网络安全技术有限公司  Automatic repair method for firewall system
CN101330495B *  2007-06-19  2012-07-25  瑞达信息安全产业股份有限公司  Control method and control system for implementing non-equity access in a computer network
CN102027714B *  2008-05-16  2017-06-06  微软技术许可有限责任公司  Perform networking tasks based on the destination network
CN102027714A *  2008-05-16  2011-04-20  微软公司  Perform networking tasks based on the destination network
CN101299683B *  2008-06-25  2012-07-18  中兴通讯股份有限公司  Collocation device and method for off-line data
CN102833271B *  2012-09-20  2014-11-26  桂林电子科技大学  Solution for potential safety hazards in VPN (virtual private network)
CN102833271A *  2012-09-20  2012-12-19  桂林电子科技大学  Solution for potential safety hazards in VPN (virtual private network)
CN111464566A *  2014-12-02  2020-07-28  Nicira股份有限公司  Context-aware distributed firewall
CN106603524A *  2016-12-09  2017-04-26  浙江宇视科技有限公司  Method for combining safety rules and intelligent device
CN109873799A *  2017-12-04  2019-06-11  和硕联合科技股份有限公司  Network security system and method thereof
CN111698110A *  2019-03-14  2020-09-22  深信服科技股份有限公司  Network equipment performance analysis method, system, equipment and computer medium
CN111698110B *  2019-03-14  2023-07-18  深信服科技股份有限公司  Network equipment performance analysis method, system, equipment and computer medium

Also Published As

Publication number  Publication date
CN1232922C (en)     2005-12-21


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
C17   Cessation of patent right
CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 2005-12-21

Termination date: 2011-02-20

