CN103209181A - Achieving method for application and connection firewall under linux network architecture - Google Patents
- Publication number: CN103209181A
- Application number: CN2013100931013A
- Authority: CN (China)
- Prior art keywords: layer, application, network architecture, firewall, connection
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention provides a method for implementing an application-connection firewall under the Linux network architecture. The method comprises: step (a), when the system starts, a regular expression matching engine module initializes the application-layer feature code (signature) configuration file by calling an initialization interface function; step (b), when a data packet reaches the connection tracking module, the system performs extension processing on the connection tracking module; and step (c), after the packet has passed the connection filtering of the network layer and the transport layer, the application layer performs matching analysis on the packet and processes the connection accordingly. The method solves the problem that the existing Netfilter architecture cannot recognize layer-seven applications, and achieves comprehensive recognition and control of data packets from the Internet Protocol (IP) layer up to the application layer.
Description
Technical field
The present invention relates to the field of general-purpose network device security, and in particular to a method for implementing an application-connection firewall under the Linux network architecture.
Background technology
With the rapid development of network technology, the security requirements placed on network communication equipment keep rising. Traditional packet filtering and proxy firewall functions, and even the more advanced stateful packet inspection (SPI) firewalls that work at the TCP/UDP layer, can no longer satisfy the security demands of the current Linux network architecture. A high-security, layer-seven firewall based on application-connection technology is urgently needed.
Summary of the invention
The object of the present invention is to provide a method for implementing an application-connection firewall under the Linux network architecture which, building on connection tracking technology, realizes a high-security layer-seven firewall based on application connections.
The object of the invention is achieved through the following technical solution.
A method for implementing an application-connection firewall under the Linux network architecture, comprising the steps:
A: when the system starts, the regular expression matching engine module initializes the application-layer feature code configuration file by calling the initialization interface function;
B: when a data packet reaches the connection tracking module, the system performs extension processing on the connection tracking module;
C: after the data packet has passed the connection filtering of the network layer and the transport layer, the application layer performs matching analysis on the packet and processes the connection accordingly.
Preferably, the initialization processing of step a comprises obtaining the match parameter information for the various application-layer features.
Preferably, the feature code configuration file is the configuration file of the application-connection firewall.
Preferably, step b specifically comprises: the connection tracking module stores network-layer connection data, transport-layer connection data and application-layer connection data, and the data packet is connection-filtered by the network layer and the transport layer according to the defence policy of the respective layer.
Preferably, the connection filtering comprises processing such as passing, modifying, deleting or disconnecting the data packet.
Preferably, step c specifically comprises: the regular expression matching engine module compares and matches the application-layer character string; on a match, the connection is set as an identified application connection; otherwise, it is set as an unidentified application connection.
Preferably, when the regular expression matching engine module matches the application-layer character string, the method further comprises updating the application identification tag information parameter in the connection tracking entry.
Compared with the prior art, the beneficial effect of the present invention is as follows. In the method for implementing an application-connection firewall under the Linux network architecture provided by the invention, a regular expression matching engine module is added to the Linux system on top of connection tracking technology; it matches the application-layer character strings of packets belonging to tracked connections and thereby performs application-layer message identification. On a match, the connection is set as an identified application connection and the application tag information is updated; on no match, it is set as an unidentified application connection. This solves the problem that the existing Netfilter framework cannot identify layer-seven applications, and achieves comprehensive recognition and control of data packets from the IP layer to the application layer.
Description of drawings
Fig. 1 is the system architecture diagram of the method for implementing an application-connection firewall according to the present invention.
Fig. 2 is the flow chart of the method for implementing an application-connection firewall according to the present invention.
Embodiment
The operating system most widely used in network communication equipment is Linux. A Linux system uses the Netfilter framework to implement connection-tracking (stateful) firewall functionality. Netfilter mainly employs connection tracking (Connection Tracking) technology; connection tracking is the basis of packet filtering, and it runs as an independent module. The connection tracking module intercepts packets at the lower layers of the protocol stack, compares the current packet and its state information against previously seen packets and their state information, and thereby obtains control information for the current packet; the operation to perform on the packet is decided according to this control information, achieving the purpose of protecting the network.
Specifically, when the lower-layer network receives a synchronize (SYN) packet that initiates a connection, the packet is checked against the Netfilter rule base: it is compared with the rules in the rule base one by one, in order. If the packet should be dropped, a reset (RST) packet is sent to the remote host; otherwise the connection is accepted, the information of this connection is stored in the connection tracking information table, and the expected state of this packet is recorded. The connection tracking information table resides in kernel mode; subsequent packets are compared with the contents of this table, and the operation on each packet is decided according to the information in the table. Because packets are first compared with the connection tracking table, only SYN packets are compared with the Netfilter rule base, and all comparisons of packets against the connection tracking table are performed in kernel mode, processing is very fast.
In order to make the objects, technical solution and advantages of the present invention clearer, the present invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described herein serve only to explain the present invention and are not intended to limit it.
Referring to Fig. 1, the system architecture of the method for implementing an application-connection firewall according to the present invention comprises a regular expression matching engine module and a connection tracking module.
The regular expression matching engine module performs in-depth comparison, matching and analysis of the application-layer data of packets belonging to tracked connections;
The connection tracking module performs connection-tracking packet filtering; it runs as an independent Linux kernel module and is the core module of Netfilter's connection tracking (Connection Tracking) key technology.
Referring to Fig. 2, the method for implementing an application-connection firewall according to the present invention comprises:
Step 201: when the Linux system starts, the regular expression matching engine module initializes the application-layer feature code configuration file by calling the initialization interface function;
Specifically, this comprises initializing the application-layer feature code configuration file in order to obtain the match parameter information for the various application-layer features, which facilitates the subsequent matching analysis of application connection data.
The above feature code configuration file is the configuration file of the application-connection firewall.
Step 202: when a data packet reaches the connection tracking module, the system performs extension processing on the connection tracking module;
Specifically, the connection tracking module stores network-layer connection data, transport-layer connection data and application-layer connection data, and the data packet is connection-filtered by the network layer and the transport layer according to the defence policy of the respective layer.
The above connection filtering comprises processing such as passing, modifying, deleting or disconnecting the data packet.
Step 203: after the data packet has passed the connection filtering of the network layer and the transport layer, the application layer performs matching analysis on the packet and processes the connection accordingly.
Specifically, the regular expression matching engine module compares and matches the application-layer character string. On a match, the connection is set as an identified application connection and the application identification tag information parameter in the connection tracking entry is updated; otherwise, the connection is set as an unidentified application connection. In this way, comprehensive recognition and control of data packets from the IP layer to the application layer is achieved.
The method for implementing an application-connection firewall according to the present invention can be used not only to implement a layer-seven application-level firewall that protects layer-seven application traffic, but can also be applied to QoS.
As a concrete example, consider the negotiation data of P2P software. Because the negotiation may take place on any port, identifying the protocol by port is infeasible; and generic inspection of packet contents, lacking the connection information of the original application layer, cannot tell whether the data is negotiation data or actual transfer data, so the probability of misjudgement is very high. An "application connection" is different: because the application-layer connection information has been tracked throughout, it can tell clearly whether a packet carries protocol control information or actual file content; protocol control information is managed according to the information control service, while file content data is simply let through, so there is no problem of misjudgement. The application-connection firewall technology can be implemented entirely in the kernel, is completely different from application-layer proxy technology, can handle any protocol, and achieves a unity of security and efficiency.
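The SYN-versus-tracked-packet flow described at the start of this section, steps 201 to 203, and the P2P illustration above can be modelled together in user space. The following Python simulation is an added example and is not code from the patent or from the Linux kernel: the signature file format, the rule base, the application policy, the `Connection` entry layout and the 512-byte cut-off after which a connection is tagged "unidentified" are all constructed assumptions. Only a SYN for an untracked 5-tuple is checked against the rule base (reset on rejection); packets of tracked connections go to the regex engine until the application is decided, after which content passes without re-matching.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the application-layer "feature code" configuration
# file (hypothetical format): one "application<TAB>regex" line per protocol.
SIGNATURE_CONFIG = """\
# name<TAB>regular expression applied to the first application-layer bytes
http\t^(GET|POST|HEAD|PUT|DELETE) [^ ]+ HTTP/1\\.[01]\\r\\n
ssh\t^SSH-2\\.0-
bittorrent\t^\\x13BitTorrent protocol
"""

MAX_UNMATCHED_BYTES = 512  # assumption: this much payload with no match => "unidentified"


@dataclass
class Connection:
    """One entry of the modelled connection tracking table."""
    key: tuple                      # (proto, src, sport, dst, dport)
    app: Optional[str] = None       # identified application name, or None
    app_tag: str = "unknown"        # "unknown" -> "identified" | "unidentified"
    payload: bytes = b""            # application-layer bytes seen so far


class AppConnectionFirewall:
    def __init__(self, config_text, l4_rules, app_policy):
        # Step (a): the initialization interface compiles the signature file
        # into the match parameters used by the regex matching engine.
        self.signatures = self.init_signatures(config_text)
        self.l4_rules = l4_rules      # [(dst_port or "*", "accept"|"drop")], first match wins
        self.app_policy = app_policy  # {application: "accept"|"disconnect"}
        self.table = {}               # connection tracking table keyed by 5-tuple

    @staticmethod
    def init_signatures(config_text):
        sigs = []
        for line in config_text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, pattern = line.split("\t", 1)
            sigs.append((name, re.compile(pattern.encode())))
        return sigs

    def _check_rule_base(self, dport):
        """Only the SYN packet of a new connection is compared with the rule base."""
        for port, action in self.l4_rules:
            if port == "*" or port == dport:
                return action
        return "drop"

    def handle_packet(self, key, syn, payload=b""):
        """Return the verdict for one packet: "ACCEPT", "DROP" or "RST"."""
        conn = self.table.get(key)
        if conn is None:
            if not syn:
                return "DROP"       # untracked and not a SYN: nothing to match it against
            if self._check_rule_base(key[4]) == "drop":
                return "RST"        # rejected by the rule base: reset the remote host
            self.table[key] = Connection(key)   # accepted: record the connection
            return "ACCEPT"
        # Steps (b) and (c): the packet belongs to a tracked connection, so the
        # network/transport-layer filtering has passed; hand the application-layer
        # bytes to the matching engine until the application has been decided.
        if conn.app_tag == "unknown" and payload:
            conn.payload += payload
            for name, regex in self.signatures:
                if regex.search(conn.payload):
                    conn.app, conn.app_tag = name, "identified"   # update tag in the entry
                    break
            else:
                if len(conn.payload) >= MAX_UNMATCHED_BYTES:
                    conn.app_tag = "unidentified"
        if conn.app_tag == "identified" and \
                self.app_policy.get(conn.app, "accept") == "disconnect":
            del self.table[key]     # "disconnect" action: drop the tracked connection
            return "RST"
        # Content of an already classified connection passes without re-matching.
        return "ACCEPT"


def demo():
    """Run a constructed packet sequence through the firewall; returns the verdicts."""
    fw = AppConnectionFirewall(
        SIGNATURE_CONFIG,
        l4_rules=[(23, "drop"), ("*", "accept")],   # constructed rule base: block telnet
        app_policy={"bittorrent": "disconnect"},    # constructed application policy
    )
    web = ("tcp", "10.0.0.5", 40001, "203.0.113.10", 80)
    p2p = ("tcp", "10.0.0.5", 40002, "198.51.100.7", 6881)
    telnet = ("tcp", "10.0.0.5", 40003, "203.0.113.10", 23)
    stray = ("tcp", "10.0.0.9", 40004, "203.0.113.10", 80)
    verdicts = [
        fw.handle_packet(web, syn=True),
        fw.handle_packet(web, syn=False, payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        fw.handle_packet(p2p, syn=True),
        fw.handle_packet(p2p, syn=False, payload=b"\x13BitTorrent protocol" + bytes(8)),
        fw.handle_packet(telnet, syn=True),
        fw.handle_packet(stray, syn=False, payload=b"data"),   # no SYN ever seen
    ]
    return verdicts, fw.table[web].app


if __name__ == "__main__":
    print(demo())   # (['ACCEPT', 'ACCEPT', 'ACCEPT', 'RST', 'RST', 'DROP'], 'http')
```

The per-connection `app_tag` is what makes the P2P case tractable: once a tracked connection has been classified, later content packets on the same 5-tuple are passed without another regex pass, so the engine only ever inspects the opening bytes of each connection rather than guessing from isolated packets.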
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment may be completed by hardware under the instruction of a program; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiment; and the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (7)
1. A method for implementing an application-connection firewall under the Linux network architecture, characterized in that it comprises the steps:
A: when the system starts, the regular expression matching engine module initializes the application-layer feature code configuration file by calling the initialization interface function;
B: when a data packet reaches the connection tracking module, the system performs extension processing on the connection tracking module;
C: after the data packet has passed the connection filtering of the network layer and the transport layer, the application layer performs matching analysis on the packet and processes the connection accordingly.
2. The method for implementing an application-connection firewall under the Linux network architecture according to claim 1, characterized in that the initialization processing of step a comprises obtaining the match parameter information for the various application-layer features.
3. The method for implementing an application-connection firewall under the Linux network architecture according to claim 2, characterized in that the feature code configuration file is the configuration file of the application-connection firewall.
4. The method for implementing an application-connection firewall under the Linux network architecture according to claim 1, characterized in that step b specifically comprises: the connection tracking module stores network-layer connection data, transport-layer connection data and application-layer connection data, and the data packet is connection-filtered by the network layer and the transport layer according to the defence policy of the respective layer.
5. The method for implementing an application-connection firewall under the Linux network architecture according to claim 4, characterized in that the connection filtering comprises processing such as passing, modifying, deleting or disconnecting the data packet.
6. The method for implementing an application-connection firewall under the Linux network architecture according to claim 1, characterized in that step c specifically comprises: the regular expression matching engine module compares and matches the application-layer character string; on a match, the connection is set as an identified application connection; otherwise, it is set as an unidentified application connection.
7. The method for implementing an application-connection firewall under the Linux network architecture according to claim 6, characterized in that, when the regular expression matching engine module matches the application-layer character string, the method further comprises updating the application identification tag information parameter in the connection tracking entry.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013100931013A CN103209181A (en) | 2013-03-22 | 2013-03-22 | Achieving method for application and connection firewall under linux network architecture |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103209181A true CN103209181A (en) | 2013-07-17 |
Family
ID=48756265
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2013100931013A Pending CN103209181A (en) | 2013-03-22 | 2013-03-22 | Achieving method for application and connection firewall under linux network architecture |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103209181A (en) |
Application history
- 2013-03-22: CN CN2013100931013A patent/CN103209181A/en, active, Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102118320A (en) * | 2011-04-18 | 2011-07-06 | 北京神州数码思特奇信息技术股份有限公司 | Method for protocol identification and flow control |
Non-Patent Citations (2)
Title |
---|
Li Jian et al., "Construction and application of L7-filter packet filtering under RedHat AS5", Computer Applications, vol. 29, 30 June 2009 (2009-06-30) * |
Wang Qiulian, "Layer7-based network traffic shaping", Master's thesis, Sun Yat-sen University, 31 December 2010 (2010-12-31), page 23 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105721347A (en) * | 2016-02-18 | 2016-06-29 | 北京京东尚科信息技术有限公司 | Method and system for precisely controlling network bandwidth |
CN107623700A (en) * | 2017-10-25 | 2018-01-23 | 成都视达科信息技术有限公司 | A firewall method and system |
CN109962885A (en) * | 2017-12-22 | 2019-07-02 | 北京安天网络安全技术有限公司 | Network security protection method for Internet of Things devices, and Internet of Things device |
CN112583835A (en) * | 2020-12-14 | 2021-03-30 | 深圳市共进电子股份有限公司 | Method and device for matching network port data, router and readable storage medium |
CN112583835B (en) * | 2020-12-14 | 2023-01-20 | 深圳市共进电子股份有限公司 | Method and device for matching network port data, router and readable storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103929832B (en) | Electronic equipment and its communication means near field communication network | |
CN104144156B (en) | Message processing method and device | |
US9467360B2 (en) | System, device and method for managing network traffic by using monitoring and filtering policies | |
CN107623754B (en) | WiFi acquisition system and method based on authenticity MAC identification | |
CN105187394A (en) | Proxy server having mobile terminal malicious software behavior detection capability and method | |
CN102685104A (en) | Soc-based device for packet filtering and packet filtering method thereof | |
CN106778229B (en) | VPN-based malicious application downloading interception method and system | |
EP3155764B1 (en) | Method and system for secure bidirectional communication for industrial devices | |
CN109587156A (en) | Abnormal network access connection identification and blocking-up method, system, medium and equipment | |
US8149866B2 (en) | System and method for filtering communications at a network interface controller | |
CN102761534A (en) | Method and device for realizing transparent proxy of media access control layer | |
CN112134893A (en) | Internet of things safety protection method and device, electronic equipment and storage medium | |
CN103209181A (en) | Achieving method for application and connection firewall under linux network architecture | |
JP6665190B2 (en) | Network sharing implementation method and apparatus | |
CN106534794A (en) | A remote control method and device for a video surveillance system | |
US9722955B2 (en) | Buffered session filtering for inline bypass application | |
WO2020019524A1 (en) | Data processing method and device | |
CN103812965A (en) | Router-based domain name classifying and processing method and device | |
WO2018121705A1 (en) | Stream data bidirectional transmission method and device | |
CN104660506B (en) | A kind of method, apparatus and system of data packet forwarding | |
CN103220312B (en) | System and method for establishing point-to-point connection | |
CN106453663B (en) | Improved storage expansion method and device based on cloud service | |
CN106131237B (en) | Communication control method and device between container | |
CN116708609A (en) | Method and device for extracting message character data, storage medium and electronic device | |
CN106105128A (en) | System and method for terminal, server, and user identification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20130717 |