CN115801572A - A method for upgrading firmware of industrial firewall - Google Patents

A method for upgrading firmware of industrial firewall

Info

Publication number: CN115801572A
Authority: CN (China)
Prior art keywords: data, firmware, data processing, transmitted, processing module
Legal status: Pending
Application number: CN202211340645.0A
Other languages: Chinese (zh)
Inventors: 刘长喜, 于慧超, 石永杰
Current assignee: Beijing Wangteng Technology Co ltd
Original assignee: Beijing Wangteng Technology Co ltd
Priority date: 2022-10-28
Filing date: 2022-10-28
Publication date: 2023-03-14

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses an industrial firewall firmware upgrading method, which comprises the following steps: A. setting a topological structure and a data processing flow of the industrial firewall; after entering an industrial firewall from a data inlet, data to be transmitted sequentially passes through the data processing modules connected in series to be monitored and filtered; B. when the firmware of the industrial firewall needs to be upgraded, sequentially upgrading the firmware of each data processing module from a data inlet end, and keeping the data transmission of other online data processing modules which do not execute the firmware upgrading operation by using a data transmission bypass; C. the data processing module after the firmware is upgraded is subjected to online operation again, and the upgraded firmware is verified in the subsequent data monitoring and filtering; D. and C, repeating the steps B and C until the firmware of all the data processing modules is upgraded. The invention can improve the defects of the prior art, and realizes the firmware upgrade while monitoring data by the firewall on the premise of not using a firewall redundant module.

Description

A method for upgrading the firmware of an industrial firewall

Technical field

The invention relates to the technical field of industrial network security, and in particular to a method for upgrading the firmware of an industrial firewall.

Background

A firewall is a network security component that monitors and filters the data transmitted over a network. Because network attack behaviour changes continuously, the firmware of the firewall must be upgraded correspondingly to keep pace with it. In the prior art, to ensure that the firewall can continue monitoring data normally during an upgrade, redundant firewall modules are usually provided, and these redundant modules take over uninterrupted data monitoring while the firewall is being upgraded. However, the utilization of these redundant firewall modules is extremely low, and they increase the complexity of the firewall system.

Summary of the invention

The technical problem to be solved by the present invention is to provide an industrial firewall firmware upgrade method that remedies the deficiencies of the prior art and performs the firmware upgrade while the firewall continues to monitor data, without using redundant firewall modules.

To solve the above technical problem, the present invention adopts the following technical solution.

A method for upgrading the firmware of an industrial firewall, comprising the following steps:

A. Set up the topology and the data processing flow of the industrial firewall. The industrial firewall comprises a number of data processing modules connected in series, with a data transmission bypass provided between non-adjacent data processing modules. After entering the industrial firewall through the data inlet, the data to be transmitted passes in turn through the series-connected data processing modules, which monitor and filter it.

B. When the firmware of the industrial firewall needs to be upgraded, upgrade the firmware of each data processing module in turn, starting from the data inlet end. The data processing module being upgraded is taken offline, and the data transmission bypass is used to maintain data transmission through the other online data processing modules that are not being upgraded.

C. Bring the data processing module whose firmware has been upgraded back online, and verify the upgraded firmware during the subsequent data monitoring and filtering.

D. Repeat steps B and C until the firmware of all data processing modules has been upgraded.

Preferably, in step A, each data processing module contains the same number of rule files, the rule files in different data processing modules correspond to one another one-to-one, and the linearity between the corresponding rule files in adjacent data processing modules of the topology exceeds a set threshold.

Preferably, in step A, the data to be transmitted passes in turn through the series-connected data processing modules, and when the corresponding rule files in two adjacent data processing modules both judge the data to be transmitted to be illegal, transmission of that data is stopped.

Preferably, in step B, when the data to be transmitted reaches an offline data processing module, the data transmission bypass carries it to the next data processing module adjacent to the offline module. Data that either of the two online data processing modules adjacent to the offline module judges to be illegal is then collected, and its source IP address, source port, destination IP address, destination port and transport protocol are extracted and compared against a preset blacklist; if any entry matches, transmission of that data is stopped.

Preferably, in step B, the firmware data of the offline data processing module is first backed up, and the firmware upgrade file is then downloaded to upgrade the existing firmware.

Preferably, in step C, digest data of the firmware is computed and compared with the digital signature of the firmware for verification.

The beneficial effect of the above technical solution is that, by redesigning the firewall's monitoring and filtering rules so that data is judged using the monitoring results of several data processing modules, the invention lays the foundation for an online firmware upgrade of the firewall. During the firmware upgrade, the data processing modules are upgraded one after another, and the monitoring results of the data processing modules adjacent to the module being upgraded stand in for that module's own monitoring, so that the firewall's data monitoring and its firmware upgrade proceed at the same time.

Description of the drawings

Fig. 1 is a schematic diagram of a specific embodiment of the present invention.

Detailed description

With reference to Fig. 1, a specific embodiment of the present invention comprises the following steps:

A. Set up the topology and the data processing flow of the industrial firewall. The industrial firewall comprises a number of data processing modules connected in series, with a data transmission bypass provided between non-adjacent data processing modules. Each data processing module contains the same number of rule files, the rule files in different data processing modules correspond to one another one-to-one, and the linearity between the corresponding rule files in adjacent data processing modules of the topology exceeds a set threshold. After entering the industrial firewall through the data inlet, the data to be transmitted passes in turn through the series-connected data processing modules, which monitor and filter it; when the corresponding rule files in two adjacent data processing modules both judge the data to be transmitted to be illegal, transmission of that data is stopped.

B. When the firmware of the industrial firewall needs to be upgraded, upgrade the firmware of each data processing module in turn, starting from the data inlet end. The data processing module being upgraded is taken offline; its firmware data is first backed up, and the firmware upgrade file is then downloaded to upgrade the existing firmware. The data transmission bypass is used to maintain data transmission through the other online data processing modules that are not being upgraded. When the data to be transmitted reaches the offline data processing module, the bypass carries it to the next data processing module adjacent to the offline module. Data that either of the two online data processing modules adjacent to the offline module judges to be illegal is then collected, and its source IP address, source port, destination IP address, destination port and transport protocol are extracted and compared against a preset blacklist; if any entry matches, transmission of that data is stopped.

C. Bring the data processing module whose firmware has been upgraded back online, and verify the upgraded firmware during the subsequent data monitoring and filtering: compute the digest data of the firmware and compare it with the digital signature of the firmware for verification.

D. Repeat steps B and C until the firmware of all data processing modules has been upgraded.
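As an added example that is not part of the patent, the following Python simulates steps A to D above: the step A rule that corresponding rule files in two adjacent online modules must both flag the data, the degraded step B mode in which a neighbour's verdict plus the preset 5-tuple blacklist stands in for the offline module, and the rolling upgrade of steps B to D with the inlet-end module going first. The module names, rule files, thresholds, blacklist entry and the SHA-256 digest compared against a trusted expected value (standing in for the digest-versus-digital-signature check) are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

Packet = Dict[str, object]
Rule = Callable[[Packet], bool]   # True = this rule file judges the data illegal

def five_tuple(pkt: Packet):  # source IP, source port, dest IP, dest port, protocol: step B blacklist key
    return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])

def digest(firmware: bytes) -> str:
    return hashlib.sha256(firmware).hexdigest()   # SHA-256 is a constructed choice

@dataclass
class Module:
    name: str
    rules: List[Rule]       # every module holds the same number of index-aligned rule files
    firmware: bytes
    online: bool = True

    def verdicts(self, pkt: Packet) -> List[bool]:
        return [rule(pkt) for rule in self.rules]

class SerialFirewall:
    def __init__(self, modules: List[Module], blacklist) -> None:
        self.modules = modules
        self.blacklist = set(blacklist)   # preset blacklist of 5-tuples (constructed)

    def allow(self, pkt: Packet) -> bool:
        """Monitor and filter one unit of data through the chain; False = stop transmission."""
        n = len(self.modules)
        flags = [m.verdicts(pkt) if m.online else None for m in self.modules]  # None = offline
        for i in range(n):
            if flags[i] is None:
                # Step B: module i is offline and the bypass carries the data to module i+1. If
                # either online neighbour flags the data, fall back to the preset 5-tuple blacklist.
                near = [flags[j] for j in (i - 1, i + 1) if 0 <= j < n and flags[j] is not None]
                if any(any(v) for v in near) and five_tuple(pkt) in self.blacklist:
                    return False
                continue
            nxt = flags[i + 1] if i + 1 < n else None
            # Step A: corresponding rule files of two adjacent online modules both flag -> stop.
            if nxt is not None and any(a and b for a, b in zip(flags[i], nxt)):
                return False
        return True

    def rolling_upgrade(self, new_firmware: bytes, expected_digest: str) -> List[str]:
        """Steps B-D: upgrade one module at a time from the inlet end; the rest stay online.
        A trusted expected digest stands in for the patent's digest-vs-signature check."""
        upgraded = []
        for m in self.modules:
            m.online = False             # take offline; traffic now uses the bypass
            backup = m.firmware          # step B: back up the current firmware first
            m.firmware = new_firmware    # then "download" and apply the upgrade file
            if digest(m.firmware) != expected_digest:
                m.firmware, m.online = backup, True   # restore the backup (assumption)
                raise ValueError(f"{m.name}: firmware digest mismatch, backup restored")
            m.online = True              # step C: back online running verified firmware
            upgraded.append(m.name)
        return upgraded

def build_demo() -> SerialFirewall:
    """Three modules, two constructed rule files each: rule 0 flags high source ports, rule 1
    oversized payloads; adjacent modules hold closely correlated thresholds."""
    thresholds = ((40000, 900), (41000, 950), (42000, 1000))
    mods = [Module(f"M{i}", [lambda p, t=port: p["src_port"] >= t,
                             lambda p, t=size: len(p["payload"]) > t], b"fw-v1")
            for i, (port, size) in enumerate(thresholds, 1)]
    return SerialFirewall(mods, blacklist={("10.0.0.9", 45000, "10.0.1.5", 502, "tcp")})
```

Note that while a module is offline, data flagged by only one neighbour and absent from the blacklist passes, which is the reduced coverage the procedure accepts in exchange for not needing a redundant firewall module.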

The foregoing has shown and described the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the invention is not limited by the above embodiments; the embodiments and the description only illustrate the principle of the invention, and various changes and improvements may be made without departing from its spirit and scope, all of which fall within the scope of the claimed invention. The scope of protection of the present invention is defined by the appended claims and their equivalents.

Claims (6)

1. A method for upgrading the firmware of an industrial firewall, characterized in that it comprises the following steps:
A. Set up the topology and the data processing flow of the industrial firewall. The industrial firewall comprises a number of data processing modules connected in series, with a data transmission bypass provided between non-adjacent data processing modules. After entering the industrial firewall through the data inlet, the data to be transmitted passes in turn through the series-connected data processing modules, which monitor and filter it.
B. When the firmware of the industrial firewall needs to be upgraded, upgrade the firmware of each data processing module in turn, starting from the data inlet end. The data processing module being upgraded is taken offline, and the data transmission bypass is used to maintain data transmission through the other online data processing modules that are not being upgraded.
C. Bring the data processing module whose firmware has been upgraded back online, and verify the upgraded firmware during the subsequent data monitoring and filtering.
D. Repeat steps B and C until the firmware of all data processing modules has been upgraded.

2. The method for upgrading the firmware of an industrial firewall according to claim 1, characterized in that, in step A, each data processing module contains the same number of rule files, the rule files in different data processing modules correspond to one another one-to-one, and the linearity between the corresponding rule files in adjacent data processing modules of the topology exceeds a set threshold.

3. The method for upgrading the firmware of an industrial firewall according to claim 2, characterized in that, in step A, the data to be transmitted passes in turn through the series-connected data processing modules, and when the corresponding rule files in two adjacent data processing modules both judge the data to be transmitted to be illegal, transmission of that data is stopped.

4. The method for upgrading the firmware of an industrial firewall according to claim 3, characterized in that, in step B, when the data to be transmitted reaches the offline data processing module, the data transmission bypass carries it to the next data processing module adjacent to the offline module; data that either of the two online data processing modules adjacent to the offline module judges to be illegal is then collected, and its source IP address, source port, destination IP address, destination port and transport protocol are extracted and compared against a preset blacklist; if any entry matches, transmission of that data is stopped.

5. The method for upgrading the firmware of an industrial firewall according to claim 4, characterized in that, in step B, the firmware data of the offline data processing module is first backed up, and the firmware upgrade file is then downloaded to upgrade the existing firmware.

6. The method for upgrading the firmware of an industrial firewall according to claim 5, characterized in that, in step C, digest data of the firmware is computed and compared with the digital signature of the firmware for verification.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211340645.0A CN115801572A (en) 2022-10-28 2022-10-28 A method for upgrading firmware of industrial firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211340645.0A CN115801572A (en) 2022-10-28 2022-10-28 A method for upgrading firmware of industrial firewall

Publications (1)

Publication Number Publication Date
CN115801572A true CN115801572A (en) 2023-03-14

Family

ID=85434402

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211340645.0A Pending CN115801572A (en) 2022-10-28 2022-10-28 A method for upgrading firmware of industrial firewall

Country Status (1)

Country Link
CN (1) CN115801572A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101004691A (en) * 2007-01-23 2007-07-25 北京映翰通网络技术有限公司 Method and device for updating firmware program
US20080289026A1 (en) * 2007-05-18 2008-11-20 Microsoft Corporation Firewall installer
CN109905272A (en) * 2018-12-28 2019-06-18 杭州电子科技大学 A security dynamic cleaning method for industrial firewall firmware
US20190265963A1 (en) * 2018-02-27 2019-08-29 Ricoh Company, Ltd. Information processing apparatus and firmware updating method
CN114020311A (en) * 2021-10-14 2022-02-08 摩拜(北京)信息技术有限公司 Firmware upgrade method, device and electronic device
US20220321536A1 (en) * 2021-04-06 2022-10-06 Vmware, Inc. Upgrading firewall module on port-by-port basis



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230314