
CN111541658B - PCIE firewall - Google Patents


Info

Publication number: CN111541658B
Authority: CN (China)
Prior art keywords: pcie, firewall, security, application, plane
Legal status: Active
Application number: CN202010290844.XA
Other languages: Chinese (zh)
Other versions: CN111541658A
Inventor: 许艺明
Current assignee: Individual
Original assignee: Individual
Events: application filed by Individual; priority to CN202010290844.XA; publication of CN111541658A; application granted; publication of CN111541658B; legal status Active (current)

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The PCIE firewall provided by the invention comprises: a PCIE interface, by which the PCIE firewall is inserted into at least one physical server so as to exchange data with, and provide security protection for, that physical server; a multi-core NP processor, electrically connected to the PCIE interface and used to run an operating system, the operating system comprising a control plane, a forwarding plane and a security plane; an FPGA chip, electrically connected to the PCIE interface; an ASIC chip, electrically connected to the PCIE interface; and a network interface unit, which exchanges data between the PCIE firewall and the external network. The PCIE firewall provides security control and protection for both the north-south and the east-west traffic of a data center and improves security protection performance.

Description

PCIE firewall
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a PCIE firewall.
Background
Cloud computing data centers are mainly deployed using virtualization technology, including compute virtualization, network virtualization and storage virtualization, and are mainly built on KVM (Kernel-based Virtual Machine), container (Docker), cloud management platform and similar technologies. Security protection in a traditional cloud computing data center is mainly achieved by deploying a physical firewall or a VFW (virtual firewall) product, and this approach protects north-south traffic well. For east-west traffic (i.e., network traffic between virtual machines), however, a physical firewall must rely on traffic "diversion", and a VFW firewall consumes the physical host's CPU, bus and network resources and suffers from insufficient performance, low efficiency and unsatisfactory security management, control and protection. In addition, traditional firewall products focus on security control and protection functions, while encryption and decryption of network traffic mainly uses international open-source algorithms (such as AES, RSA and hash algorithms); the encryption and decryption performance is insufficient and the security is a concern.
Disclosure of Invention
To address the deficiencies of the prior art, the invention provides a PCIE firewall that achieves security control and protection of both the north-south and the east-west traffic of a data center and improves security protection performance.
A PCIE firewall, comprising:
PCIE interface: by which the PCIE firewall is inserted into at least one physical server so as to exchange data with, and provide security protection for, that physical server;
Multi-core NP processor: electrically connected to the PCIE interface and used to run an operating system; the operating system comprises a control plane, a forwarding plane and a security plane;
FPGA chip: electrically connected to the PCIE interface;
ASIC chip: electrically connected to the PCIE interface;
Network interface unit: exchanges data between the PCIE firewall and the external network.
Preferably, the PCIE firewall further includes:
Memory: electrically connected to the ASIC chip, the multi-core NP processor and the PCIE interface respectively;
Storage chip: electrically connected to the ASIC chip and the multi-core NP processor respectively.
Preferably, the control plane is specifically configured to:
receive and identify data packets through the network interface unit or the network interface of the physical server, using a software architecture that separates the network-layer plane from the application-layer plane and a single-pass analysis architecture in which each packet is parsed once and matched once, and lift packets to the application-layer plane through zero-copy technology for unified analysis and detection of threat signatures.
Preferably, the control plane is further configured to:
realize micro-isolation between virtual machines in a physical server by means of micro-segmentation technology; inspect and intercept, by means of DPI (deep packet inspection) technology, network attack behaviors between virtual machines in a physical server, the network attack behaviors comprising one or more of the following: overflow attacks, RPC attacks, WEB CGI attacks, denial of service, trojan horses, worms and system vulnerabilities; and perform security detection on virtual machine files through anti-escape detection technology;
the control plane is also configured to:
adjust the related security policies synchronously according to the migration and replication of virtual machines in the physical server;
the control plane is also configured to:
monitor virtual machine traffic in real time, thoroughly map the communication relationships among virtual machines in the physical server, and display those communication relationships as a dynamic topology according to the mapping result.
Preferably, the PCIE firewall further includes:
Cryptographic operation master control unit: used for data interaction with the multi-core NP processor;
Cryptographic operation chip: electrically connected to the cryptographic operation master control unit and the FPGA interface unit respectively;
FPGA interface unit: used for data interaction with the FPGA chip and the ASIC chip;
the encryption function is realized by the cryptographic operation master control unit, the cryptographic operation chip and the FPGA interface unit.
Preferably, the forwarding plane is specifically configured to:
look up an SA (security association) according to a preset local policy; when no SA is found, establish a new SA through the cryptographic operation chip and end the process; when an SA is found, encapsulate the data packet as an ESP payload to obtain an ESP packet, and set the sequence number counter corresponding to the sender to 0;
pad the ESP packet, and then encrypt the padded ESP packet using the key, encryption algorithm, algorithm mode and IV specified by the SA;
when the sender sends an encrypted ESP packet, increment the sequence number counter corresponding to the ESP packet by 1 and insert the counter value into the sequence number field; when the counter reaches a preset maximum value, establish a new SA through the cryptographic operation chip;
compute the ICV (integrity check value) over the ESP packet with the authentication data field excluded, and write the resulting value into the authentication data field to obtain a new ESP packet;
and when the length of the new ESP packet exceeds the preset MTU of the output interface, fragment the new ESP packet.
Preferably, the security plane is further configured to:
associate received application-layer data packets with an application label through a preset dedicated protocol;
when an application-layer data packet is inspected, read the relevant application threat signatures according to the application label associated with that packet;
the security plane is also configured to:
perform deep security scanning, fingerprinting and vulnerability verification on WEB server sites through a preset WEB scanner;
the security plane is also configured to:
check the firewall configuration by active scanning, obtain the physical server's open ports and existing risks from the scan result, and provide corresponding protection operations according to the scan result.
Preferably, the security plane is further configured to:
inspect in real time the application-layer traffic passing through the physical server and virtual machines, analyze that traffic, match the analysis result against a preset vulnerability analysis and recognition library, and derive the vulnerabilities of the physical server and virtual machines from the match result;
the security plane is also configured to:
use streaming-mode and heuristic file scanning technology to detect and remove viruses and files of various protocol types in the physical server and virtual machines; the protocol types comprise one or more of HTTP, SMTP, POP3 and FTP; the viruses comprise one or more of trojan horses, worms, macro viruses and script viruses.
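The streaming-mode scanning just described means a file carried over HTTP, SMTP, POP3 or FTP is examined chunk by chunk as it passes the firewall rather than being buffered whole; the detail that matters is that a signature split across two chunks must still be found. The following Python is an added illustration, not the patent's code: the signature patterns, the detection names and the sample streams are constructed placeholders, and the one heuristic shown (an executable header inside a stream declared as text or an image) is an assumption about what such a heuristic might check.

```python
SIGNATURES = {  # constructed placeholder patterns, not real malware signatures
    "Demo.Trojan.A": b"DEMO-TROJAN-PATTERN",
    "Demo.Macro.B": b"AutoOpen()\x00Shell(",
    "Demo.Script.C": b"eval(unescape(",
}
EXEC_MAGIC = b"MZ"  # DOS/PE executable header
MASQUERADE_TYPES = ("text/plain", "image/png", "image/jpeg")  # assumed declared types


class StreamScanner:
    """Scans a file as it streams by, keeping a short carry-over so a signature that is
    split across two chunks is still found; hits are reported with absolute offsets."""

    def __init__(self, declared_type=None, signatures=SIGNATURES):
        self.signatures = signatures
        self.declared_type = declared_type
        self.keep = max(len(p) for p in signatures.values()) - 1  # longest possible straddle
        self.carry = b""
        self.offset = 0    # absolute offset of the next byte to be fed
        self.hits = []     # (detection name, absolute offset)

    def feed(self, chunk):
        if (self.offset == 0 and chunk.startswith(EXEC_MAGIC)
                and self.declared_type in MASQUERADE_TYPES):
            # heuristic: the file header contradicts the protocol's declared content type
            self.hits.append(("Heuristic.ExecutableMasquerade", 0))
        data = self.carry + chunk
        base = self.offset - len(self.carry)  # absolute offset of data[0]
        for name, pattern in self.signatures.items():
            i = data.find(pattern)
            while i >= 0:
                hit = (name, base + i)
                if hit not in self.hits:  # the carry-over can expose a match a second time
                    self.hits.append(hit)
                i = data.find(pattern, i + 1)
        self.carry = data[-self.keep:] if self.keep else b""
        self.offset += len(chunk)
        return list(self.hits)


def scan_stream(chunks, declared_type=None):
    """Scan an iterable of chunks (e.g. an HTTP body or SMTP attachment) and return all hits."""
    scanner = StreamScanner(declared_type)
    for chunk in chunks:
        scanner.feed(chunk)
    return scanner.hits


def chunked(data, size):
    """Split constructed sample data into chunks of the given size."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    sample = b"x" * 10 + b"DEMO-TROJAN-PATTERN" + b"y" * 5  # constructed sample stream
    for size in (4, 16, 19, 100):
        print(size, scan_stream(chunked(sample, size)))
```

The carry-over is one byte shorter than the longest signature, which is exactly enough for any straddling match to appear in a single `find` window; the same result is produced whatever chunk size the transport happens to deliver.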
Preferably, the security plane is provided with an authentication system module;
the authentication system module receives password or certificate login-factor information entered by a user through an authentication client and, when the password or certificate login-factor information passes verification, issues a token to the authentication client;
when an application server receives an access request sent by an application client, the application server generates a random number, encodes it, and issues a random number challenge to the application client;
the application client calls the corresponding interface of the authentication client to sign the received random number, obtaining a signature value, and also obtains the token received by the authentication client;
the authentication client combines the received token with the signature value to obtain a combined token and sends the combined token to the application client;
the application client sends the received combined token to the application server;
the application server sends the random number, the signature value, the combined token and the application ID corresponding to the access request to the authentication system module through a webservice API;
the authentication system module verifies the received random number, signature value, combined token and application ID and returns the verification result to the application server through the webservice; when the verification result is "passed", the authentication system performs identity authentication and single sign-on when it next receives an access request from the application server.
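The exchange above involves four parties (authentication system module, authentication client, application server, application client), and the security of the scheme rests on the details the text leaves implicit: the challenge must be single-use, the signature must be bound to the challenge, and the token must be bound to the user and checked by the authentication module, not by the application. The Python below is an added illustration, not the patent's code: class and method names are hypothetical, and certificate-based signing is stood in for by HMAC-SHA256 under a per-user key registered with the authentication module (a constructed stand-in; a real deployment would verify a certificate signature).

```python
import base64
import hashlib
import hmac
import os
import time


def _mac(key, message):
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class AuthSystemModule:
    """Issues tokens once the password factor is verified; verifies challenge responses."""

    def __init__(self):
        self.master_key = os.urandom(32)  # signs issued tokens
        self.users = {}                   # user -> (salt, password hash, per-user signing key)
        self.apps = set()                 # registered application IDs
        self.seen_nonces = set()          # every accepted challenge response is single-use

    def register_user(self, user, password, signing_key):
        salt = os.urandom(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), signing_key)

    def login(self, user, password):
        """Password login factor: returns a token bound to the user, or None."""
        rec = self.users.get(user)
        if rec is None:
            return None
        salt, digest, _ = rec
        if not hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            return None
        body = f"{user}:{int(time.time()) + 3600}"  # token body with expiry
        return f"{body}:{_mac(self.master_key, body.encode())}"

    def verify(self, nonce, signature, combined_token, app_id):
        """The webservice verification API: True only if every element checks out."""
        try:
            if app_id not in self.apps:
                return False
            token, _, sig_in_token = combined_token.rpartition(".")
            user, expiry, mac = token.split(":")
            if sig_in_token != signature or int(expiry) < time.time():
                return False
            if not hmac.compare_digest(mac, _mac(self.master_key, f"{user}:{expiry}".encode())):
                return False  # token not issued by this module, or altered
            if not hmac.compare_digest(signature, _mac(self.users[user][2], nonce.encode())):
                return False  # signature does not bind this user to this challenge
            if nonce in self.seen_nonces:
                return False  # replayed response to an old challenge
            self.seen_nonces.add(nonce)
            return True
        except (ValueError, KeyError):
            return False


class AuthClient:
    """Holds the user's token and signs challenges (HMAC stands in for certificate signing)."""

    def __init__(self, auth, user, password, signing_key):
        self.signing_key = signing_key
        self.token = auth.login(user, password)

    def respond(self, nonce):
        signature = _mac(self.signing_key, nonce.encode())
        return signature, f"{self.token}.{signature}"  # signature value, combined token


class AppServer:
    def __init__(self, auth, app_id):
        self.auth, self.app_id = auth, app_id
        auth.apps.add(app_id)
        self.pending = set()   # challenges issued but not yet answered
        self.sessions = set()  # combined tokens with an established single-sign-on session

    def challenge(self):
        nonce = base64.b64encode(os.urandom(16)).decode()  # encoded random number
        self.pending.add(nonce)
        return nonce

    def access(self, nonce, signature, combined_token):
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        if self.auth.verify(nonce, signature, combined_token, self.app_id):
            self.sessions.add(combined_token)
            return True
        return False

    def access_again(self, combined_token):
        """Later requests: single sign-on against the established session."""
        return combined_token in self.sessions


def app_client_login(app_server, auth_client):
    """The application client's side: relays the challenge out and the combined token back."""
    nonce = app_server.challenge()
    signature, combined = auth_client.respond(nonce)
    return app_server.access(nonce, signature, combined), combined
```

Note that the application server never inspects the token itself; it only forwards the four elements and acts on the module's verdict, which is what lets one authentication module serve single sign-on for many application IDs.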
According to the technical scheme, the PCIE firewall provided by the invention is deployed by plugging its PCIE interface into a PCIE slot of the physical server, comprehensively takes over the network traffic entering and leaving between the physical server and its virtual machines, and realizes security control and protection of the data center's north-south and east-west traffic.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. Like elements or portions are generally identified by like reference numerals throughout the several figures. In the drawings, elements or portions thereof are not necessarily drawn to scale.
Fig. 1 is a hardware architecture diagram of a PCIE firewall provided by the present invention.
Fig. 2 is a software architecture diagram of a PCIE firewall provided by the present invention.
Fig. 3 is a flowchart of a method for processing a PCIE firewall outbound message according to a third embodiment of the present invention.
Fig. 4 is a flowchart of an identity authentication method when a user accesses an application server in the fourth embodiment of the present invention.
Detailed Description
Embodiments of the technical scheme of the present application will be described in detail below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present application, and thus are merely examples, and are not intended to limit the scope of the present application. It is noted that unless otherwise indicated, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection", depending on the context. Similarly, the phrase "if a determination" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
Embodiment one:
A PCIE firewall, see fig. 1, comprising:
PCIE interface 2: by which the PCIE firewall is inserted into at least one physical server so as to exchange data with, and provide security protection for, that physical server;
Specifically, in fig. 1, reference numeral 1 is the PCIE firewall fixing slot, configured to be plugged into the physical server. The PCIE interface supports PCIE 3.0/PCIE 4.0/PCIE 5.0 and a rate of 16 GT/s. The PCIE firewall uses PCIE bus transmission, and the PCIE bus is directly connected to each processor, so the PCIE interface offers high throughput and low latency, achieves high-speed data processing, and can support the application requirements of high-performance security protection.
Multi-core NP processor 3: electrically connected to the PCIE interface and used to run an operating system; the operating system comprises a control plane, a forwarding plane and a security plane;
Specifically, the multi-core NP processor may be a dedicated multi-core (e.g., 64-core) NP processor or another special-purpose multi-core network processor, used for running the operating system, system scheduling, internal system communication management, and security management and protection functions. The operating system may be an independently developed Linux-like special-purpose operating system whose software function modules support elastic expansion and trimming as required.
FPGA chip 5: electrically connected to the PCIE interface;
Specifically, the FPGA chip may be used for internal communication and for data storage and forwarding management of the PCIE firewall system.
ASIC chip 6: electrically connected to the PCIE interface;
Specifically, the ASIC chip may be used for processing communication- and forwarding-layer network traffic (such as VPN/NAT/VLAN traffic) inside the PCIE firewall system. The multi-core NP processor, the FPGA chip and the ASIC chip together realize route forwarding, access control, security protection, intrusion prevention, virus protection and similar functions, with the multi-core NP processor handling control-plane processing and the dedicated ASIC chip handling forwarding-layer processing.
Network interface unit 8: exchanges data between the PCIE firewall and the external network.
Specifically, the network interface unit supports communication protocols such as 10GE Ethernet/10GE SFP/40GE QSFP, and may use, for example, an Intel network chip.
The PCIE firewall is built on a 64-bit multi-core concurrent high-speed hardware platform and uses a parallel operating system so that the forwarding plane, the control plane and the security plane run in parallel on the multi-core platform; this multi-plane concurrent processing, with the planes cooperating closely, greatly improves the security processing performance for network packets.
The PCIE firewall is deployed inside the physical server by plugging its PCIE interface into a PCIE slot of the physical server; it comprehensively takes over the network traffic entering and leaving between the physical server and the virtual machines and realizes security control and protection of the data center's north-south and east-west traffic. In addition, the operating system of the PCIE firewall supports IOV, OVC, VRF and other virtualization and distributed technologies; a single physical server supports a dual-PCIE-firewall HA (high availability) cluster; multiple PCIE firewalls deployed across multiple physical servers support secure virtual machine migration and centralized management and control of the PCIE firewalls; and the deployed PCIE firewalls provide visualization of north-south and east-west traffic processing, threat visualization, network security management and control protection, and comprehensive security situational awareness for the cloud computing data center, thereby constructing a cloud data center security resource pool and comprehensively safeguarding the network and information security of the large cloud computing data center.
Preferably, the PCIE firewall further includes:
Memory 4: electrically connected to the ASIC chip, the multi-core NP processor and the PCIE interface respectively;
Specifically, the memory is used for running the operating system, system management and scheduling, process management, internal communication and data transmission caching. The memory may use a cache chip to provide system-level caching for security function processing.
Storage chip 7: electrically connected to the ASIC chip and the multi-core NP processor respectively.
Specifically, the storage chip is used for system-level file storage and caching.
Preferably, the PCIE firewall further includes:
Cryptographic operation master control unit 9: used for data interaction with the multi-core NP processor;
Cryptographic operation chip 10: electrically connected to the cryptographic operation master control unit and the FPGA interface unit respectively;
FPGA interface unit 11: used for data interaction with the FPGA chip and the ASIC chip;
the encryption function is realized by the cryptographic operation master control unit, the cryptographic operation chip and the FPGA interface unit.
Specifically, the cryptographic operation chip may implement the SM1 and SM2 algorithms using an SSX30-D chip and an SSX1510 chip. The FPGA interface unit is used for internal system communication.
The hardware modules of the PCIE firewall also support flexible modular combination. For example, when the encryption function is not needed, the cryptographic operation master control unit, the cryptographic operation chip and the FPGA interface unit can be omitted; when caching is needed, a cache chip can be added; and when more functions are required, a more highly integrated chip can be provided. Heat sinks, cooling fans and the like can also be added to the PCIE firewall to meet the system's cooling requirements under high-performance operation.
Embodiment two:
Embodiment two further describes the control plane on the basis of embodiment one.
Referring to fig. 2, the control plane is responsible for monitoring and coordinating the planes and modules of the whole system; its functions mainly comprise system configuration storage, configuration issuing, the console UI and the like.
The control plane is specifically configured to:
receive and identify data packets through the network interface unit or the network interface of the physical server, using a software architecture that separates the network-layer plane from the application-layer plane and a single-pass analysis architecture in which each packet is parsed once and matched once, and lift packets to the application-layer plane through zero-copy technology for unified analysis and detection of threat signatures.
Specifically, an application identification module is arranged at the bottom layer of the software architecture; it identifies every received data packet and hands the application data packets that need processing up to the application layer, so that even if application-layer processing fails, forwarding of network-layer data is unaffected.
Zero-copy technology includes memory buffer scheduling algorithms, DMA, multi-buffer pipeline scheduling and the like. The control plane can also match data packets efficiently through a Boolean superposition algorithm, reducing redundant packet encapsulation, achieving high-performance data processing and effectively improving application-layer efficiency. The PCIE firewall uses a multi-core hardware architecture with advanced lock-free parallel processing at the instruction level, so that multiple pipelines are processed simultaneously and system throughput is multiplied.
Preferably, the control plane is further configured to:
realize micro-isolation between virtual machines in a physical server by means of micro-segmentation technology; inspect and intercept, by means of DPI (deep packet inspection) technology, network attack behaviors between virtual machines in a physical server, the network attack behaviors comprising one or more of the following: overflow attacks, RPC attacks, WEB CGI attacks, denial of service, trojan horses, worms and system vulnerabilities; and perform security detection on virtual machine files through anti-escape detection technology;
Specifically, the control plane establishes a micro-segmentation and zero-trust mechanism in the cloud computing platform: micro-isolation between virtual machines is realized by micro-segmentation technology, preventing lateral movement of an attack once it has entered the data center network. The control plane also performs security detection on files, preventing virus files from spreading unchecked on the cloud platform.
The control plane is also configured to:
adjust the related security policies synchronously according to the migration and replication of virtual machines in the physical server;
Specifically, the PCIE firewall may further be deployed on the service servers to be protected and, through a dedicated traffic takeover mechanism, implement advanced threat protection between virtual machines, solving the east-west traffic security problem in the cloud environment. At the same time, all PCIE firewalls are managed through a unified management platform, providing unified policy issuing, situation display and effective tracking of security policies. The control plane supports adjusting the related security policies synchronously according to virtual machine migration and replication, so that a virtual machine always remains under the protection of the virtualized firewall. Security policies are used to meet different security requirements.
The control plane is also configured to:
monitor virtual machine traffic in real time, thoroughly map the communication relationships among virtual machines in the physical server, and display those communication relationships as a dynamic topology according to the mapping result.
Specifically, the control plane provides traffic visualization for the cloud computing environment, giving users an important basis for cloud computing security protection.
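The three control-plane functions of this embodiment (micro-isolation between virtual machines, policies that follow a virtual machine through migration and replication, and a communication map built from observed traffic) share one design decision: policy is keyed to the virtual machine's identity and labels, never to the host it currently runs on. The Python below is an added illustration of that decision, not the patent's code; the class, the VM names, the labels and the flow records are all constructed for the example.

```python
from collections import defaultdict

ALLOW, DENY = "allow", "deny"


class MicroSegmentation:
    """Per-VM policy engine: rules bind to VM labels, not to hosts or addresses."""

    def __init__(self):
        self.inventory = {}             # vm_id -> {"host": str, "labels": set}
        self.rules = []                 # (src_label, dst_label, proto, port, action), first match wins
        self.edges = defaultdict(set)   # observed allowed communication: vm -> set of peers

    def add_vm(self, vm_id, host, labels):
        self.inventory[vm_id] = {"host": host, "labels": set(labels)}

    def migrate(self, vm_id, new_host):
        """Live migration: only the host binding changes; labels, and so policy, follow the VM."""
        self.inventory[vm_id]["host"] = new_host

    def clone(self, src_vm, new_vm, host):
        """A replicated VM inherits the source's labels, so it is protected from its first packet."""
        self.add_vm(new_vm, host, self.inventory[src_vm]["labels"])

    def add_rule(self, src_label, dst_label, proto, port, action):
        self.rules.append((src_label, dst_label, proto, port, action))

    def decide(self, src_vm, dst_vm, proto, port):
        src, dst = self.inventory.get(src_vm), self.inventory.get(dst_vm)
        if src is None or dst is None:
            return DENY  # unknown workload: isolate by default
        for s_lbl, d_lbl, r_proto, r_port, action in self.rules:
            if (s_lbl in src["labels"] and d_lbl in dst["labels"]
                    and r_proto == proto and r_port in (port, "*")):
                return action
        return DENY  # micro-isolation: no rule, no traffic, even between VMs on the same host

    def observe(self, flow):
        """Apply policy to one observed flow record; allowed flows build the communication map."""
        action = self.decide(flow["src"], flow["dst"], flow["proto"], flow["port"])
        if action == ALLOW:
            self.edges[flow["src"]].add(flow["dst"])
        return action

    def topology(self):
        return {vm: sorted(peers) for vm, peers in self.edges.items()}


def build_demo():
    """Constructed inventory and rules: web tier may reach the database, nothing else is allowed."""
    seg = MicroSegmentation()
    seg.add_vm("web-1", "host-A", {"web"})
    seg.add_vm("web-2", "host-B", {"web"})
    seg.add_vm("db-1", "host-A", {"db"})
    seg.add_rule("web", "db", "tcp", 3306, ALLOW)
    seg.add_rule("web", "web", "tcp", "*", DENY)
    return seg


FLOWS = [  # constructed flow records as the control plane would see them
    {"src": "web-1", "dst": "db-1", "proto": "tcp", "port": 3306},
    {"src": "web-2", "dst": "db-1", "proto": "tcp", "port": 3306},
    {"src": "web-1", "dst": "web-2", "proto": "tcp", "port": 22},
    {"src": "db-1", "dst": "web-1", "proto": "tcp", "port": 80},
]


def run_demo():
    seg = build_demo()
    decisions = [seg.observe(f) for f in FLOWS]
    seg.migrate("db-1", "host-C")                      # policy must survive migration
    after_migration = seg.decide("web-1", "db-1", "tcp", 3306)
    seg.clone("web-1", "web-3", "host-C")              # and apply to a replica at once
    clone_decision = seg.decide("web-3", "db-1", "tcp", 3306)
    return decisions, after_migration, clone_decision, seg.topology()


if __name__ == "__main__":
    print(run_demo())
```

Because `decide` never consults the host field, moving `db-1` to another host or cloning `web-1` changes nothing in the policy outcome, which is the "synchronous adjustment" the text describes reduced to its essential property; the topology returned is the data a dynamic communication map would be drawn from.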
For matters not mentioned in this embodiment, reference should be made to the corresponding content of the foregoing product embodiments.
Embodiment III:
Embodiment III based on the above embodiment, a forwarding plane is further described.
Referring to fig. 2, the forwarding plane may implement basic functions such as static routing, default routing, and floating static routing, and support functions such as policy routing and multicast routing, and may implement dynamic routing protocols such as BGP and OSPF.
The PCIE firewall supports the network card multiplexing function, and the PCIE firewall can not be configured with a network interface, multiplexes the PCIE network cards of a server and builds a switching network taking PCIE SWITCH as a core in the system. The forwarding plane supports tunneling of system management data, key parameters, and authentication information by establishing an IPSEC VPN secure connection. Referring to fig. 3, the processing steps of the pcie firewall outbound message are as follows:
Look up the SA (security association) according to a preset local policy; when no SA is found, establish a new SA through the cryptographic operation chip, and the process ends; when the SA is found, encapsulate the data message into an ESP payload to obtain an ESP message, and set the sequence number counter corresponding to the sender to 0;
Specifically, the forwarding plane looks up the SA according to the local policy, and ESP is applied to an outbound message only after the IPsec (IP security) implementation determines that the data message is associated with that SA. Otherwise, a new key negotiation process is started and a new SA is established.
Pad the ESP message, and encrypt the padded ESP message using the key, encryption algorithm, algorithm mode and IV (initialization vector) specified by the SA;
Specifically, the encryption range covers the payload data, the padding, the pad length and the next header.
When the sender sends an encrypted ESP message, the sequence number counter corresponding to the ESP message is incremented by 1 and its value is inserted into the sequence number field; when the value of the sequence number counter reaches a preset maximum value, a new SA is established through the cryptographic operation chip;
Specifically, the sequence number field is used to refresh the SA periodically, which ensures security.
Remove the authentication data field from the ESP message, perform the ICV (integrity check value) computation, and write the obtained value into the authentication data field to obtain a new ESP message;
When the length of the new ESP message exceeds the preset MTU value of the output interface, fragment the new ESP message.
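The outbound sequence above (SA lookup, ESP encapsulation with padding, encryption under the SA's key and IV, sequence number increment with rekeying at the preset maximum, ICV over everything but the authentication data field, and fragmentation past the MTU) is shown below as an added example in Python. It is not code from the patent or its product; the cipher (an HMAC-SHA256 keystream), the ICV (truncated HMAC-SHA256), the `new_sa` "cryptographic operation chip" stand-in, the policy selector strings and the fixed-size `fragment` helper are all assumptions made so that the flow runs offline with only the standard library. The same steps are restated in claim 1 below, so this example serves both passages.

```python
"""Outbound ESP processing in the order the embodiment describes.
Constructed example: the cipher, the ICV and the "cryptographic operation chip"
are stand-ins built from the Python standard library so the code runs offline."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ESP_HDR = struct.Struct("!II")   # SPI and sequence number (RFC 4303 header layout)
IV_LEN = 16
ICV_LEN = 16                     # truncated HMAC-SHA256, as ESP commonly truncates the ICV
SEQ_MAX = 0xFFFFFFFF             # the "preset maximum value" at which the SA is replaced


class NeedsRekey(Exception):
    """Raised when the sequence counter has reached SEQ_MAX."""


@dataclass
class SecurityAssociation:
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                 # counter is 0 when the SA is (re)established


def new_sa(spi: int) -> SecurityAssociation:
    """Stand-in for key negotiation on the cryptographic operation chip (assumed helper)."""
    return SecurityAssociation(spi, os.urandom(32), os.urandom(32))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 keystream in counter mode, keyed by the SA key and IV."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def esp_pad(payload: bytes, next_header: int, align: int = 4) -> bytes:
    """Payload || padding || pad length || next header, padded to a multiple of `align`.
    These four fields are exactly the encryption range the embodiment names."""
    pad_len = (-(len(payload) + 2)) % align
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def build_esp(sa: SecurityAssociation, payload: bytes, next_header: int) -> bytes:
    """Encapsulate, pad, encrypt, bump the sequence number, then compute the ICV."""
    if sa.seq >= SEQ_MAX:
        raise NeedsRekey
    sa.seq += 1                                         # incremented before sending
    iv = os.urandom(IV_LEN)
    pt = esp_pad(payload, next_header)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(sa.enc_key, iv, len(pt))))
    hdr = ESP_HDR.pack(sa.spi, sa.seq)
    # the ICV covers everything except the authentication data field itself
    icv = hmac.new(sa.auth_key, hdr + iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + iv + ct + icv


def open_esp(sa: SecurityAssociation, packet: bytes):
    """Receiver side: check the ICV first, then decrypt and strip the padding."""
    hdr, iv = packet[:ESP_HDR.size], packet[ESP_HDR.size:ESP_HDR.size + IV_LEN]
    ct, icv = packet[ESP_HDR.size + IV_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, hdr + iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(sa.enc_key, iv, len(ct))))
    pad_len, next_header = pt[-2], pt[-1]
    return pt[:len(pt) - 2 - pad_len], next_header


def fragment(packet: bytes, mtu: int) -> list:
    """Slice an ESP message that exceeds the output interface MTU (simplified: fixed-size pieces)."""
    return [packet[i:i + mtu] for i in range(0, len(packet), mtu)]


class OutboundProcessor:
    """Policy lookup -> SA -> ESP build -> fragmentation, with rekey on counter exhaustion."""

    def __init__(self, rekey=new_sa):
        self.policy = {}         # selector (e.g. a destination address) -> SA
        self.rekey = rekey

    def send(self, selector: str, payload: bytes, next_header: int, mtu: int):
        sa = self.policy.get(selector)
        if sa is None:           # no SA yet: negotiate one and end this pass
            self.policy[selector] = self.rekey(len(self.policy) + 1)
            return None
        try:
            pkt = build_esp(sa, payload, next_header)
        except NeedsRekey:       # counter exhausted: replace the SA, then send
            sa = self.policy[selector] = self.rekey(sa.spi + 1)
            pkt = build_esp(sa, payload, next_header)
        return fragment(pkt, mtu)
```

The first `send` for a new selector returns `None` because, as the embodiment states, the process ends once a new SA has been negotiated; the next call finds the SA and produces the fragments. `open_esp` is included so the receiving side's order of checks (ICV before decryption) is visible alongside the sender's.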
For matters not mentioned in this embodiment, reference should be made to the corresponding content of the foregoing product embodiments.
Embodiment IV:
Based on the third embodiment, the security plane is further described.
Referring to fig. 2, the security plane is responsible for the coordinated operation of the security functions; various threats and attacks are identified by an analysis engine in a single scan. The functions mainly comprise intrusion prevention, WEB application protection, real-time vulnerability analysis, data encryption, content filtering, virus prevention and the like.
Preferably, the security plane is further configured to:
associate the received application-layer data message with an application label through a preset dedicated protocol;
when the application-layer data message is detected, read the relevant application threat features according to the application label associated with the data message;
Specifically, the security plane marks all application-layer data messages with application labels through a dedicated protocol at the kernel driver layer. The security plane then looks up application threat features by application label, skips irrelevant application threat detection features using a skip-scanning technique, reduces useless scanning and improves scanning efficiency.
The security plane is further configured to:
perform deep security scanning, fingerprinting and vulnerability verification on the WEB server website through a preset WEB scanner, and comprehensively assess the current security status of the WEB application system.
The security plane is further configured to:
check the firewall configuration through an active scanning method, obtain the open ports and existing risks of the physical server from the scan result, and provide the corresponding protection operations according to the scan result.
Specifically, the protection operations include vulnerability protection, port blocking and the like.
Preferably, the security plane is further configured to:
detect in real time the application-layer traffic passing through the physical server and virtual machines, analyze the application-layer traffic, match the analysis result against a preset vulnerability analysis recognition library, and obtain the vulnerabilities of the physical server and virtual machines from the matching result;
Specifically, the security plane can also implement access control based on application and region, helping users exercise precise control. The security plane is also provided with a vulnerability feature library and an application threat feature library, so that individual security threats at the various application and content levels can be comprehensively identified, and the main attacks among mainstream web security threats can be effectively protected against.
The security plane is further configured to:
adopt a streaming mode and a heuristic file scanning technique to detect and remove various viruses and files of various protocol types in the physical server and virtual machines; the protocol types comprise one or a combination of the following: HTTP, SMTP, POP3 and FTP; the viruses comprise one or a combination of the following: Trojan horses, worms, macro viruses and script viruses. The files include multi-threaded concurrent files, deeply compressed files and the like.
In addition, the security plane provides various cryptographic services, implementing cryptographic functions such as data encryption and decryption, digital signature verification, hashing, true random number acquisition, generation and verification of message authentication codes (MAC), and user identity authentication, and provides hardware-module-level acceleration of cryptographic services for various security applications.
The security plane adopts container technology (such as Docker) and supports on-demand generation of multiple virtual cryptographic machines (VSMs). The supported virtualization functions include: VSM clustering, load balancing with a built-in load balancer, key security isolation and access control among VSMs, on-demand allocation of VSM performance, elastic scheduling of VSM performance, and cloud management.
The security plane is provided with an authentication system module which supports an identity authentication function; that is, before a user may access an application server protected by the identity authentication system, the user must pass the identity authentication of the PCIE firewall and successfully establish a secure channel. Referring to fig. 4, the identity authentication method when a user accesses the application server comprises the following steps:
the authentication system module receives the password or certificate authentication login factor information entered by the user through the authentication client, and when the password or certificate authentication login factor information passes verification, a token is issued to the authentication client, see steps ① and ② in fig. 4;
when the application server (e.g., a browser) receives the access request sent by the application client, the application server generates a random number, encodes the random number (e.g., using Base64), and initiates a random number challenge to the application client, see steps ③ and ④ in fig. 4;
the application client calls the corresponding interface of the authentication client to sign the received random number and obtain a signature value, and also obtains the token received by the authentication client, see step ⑤ in fig. 4;
the authentication client combines the received token with the signature value to obtain a combined token, and sends the combined token to the application client, see step ⑥ in fig. 4;
the application client sends the received combined token to the application server, see step ⑦ in fig. 4;
the application server sends the received random number, signature value, combined token and the application ID corresponding to the access request to the authentication system module through the webservice API, see step ⑧ in fig. 4;
the authentication system module verifies the received random number, signature value, combined token and application ID, and returns the verification result to the application server through the webservice; when the verification passes, the authentication system performs identity authentication and single sign-on when it receives the application server's access request again, see step ⑨ in fig. 4.
For matters not mentioned in this embodiment, reference should be made to the corresponding content of the foregoing product embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can be modified, or some or all of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit of the invention and are intended to fall within the scope of the appended claims and description.
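The nine-step exchange of fig. 4 (and its restatement in claim 8 below) is shown as an added example in Python, with the authentication system module, authentication client, application client and application server all running in one process; it is not code from the patent or its product. HMAC-SHA256 over the user's enrolled key stands in for the certificate-based signature the authentication client would compute, a keyed tag stands in for the token format, and the `pending` table on the application server that makes each random number answerable exactly once is an added check the page does not describe; the user, password and application ID values are constructed.

```python
"""The challenge-response login flow of fig. 4, with all parties in one process.
Constructed example: HMAC-SHA256 stands in for the certificate signature the
authentication client would produce and for the token's integrity tag."""
import base64
import hashlib
import hmac
import os


def _mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class AuthSystemModule:
    """PCIE firewall side: issues tokens (steps 1-2) and verifies them (step 9)."""

    def __init__(self):
        self.token_key = os.urandom(32)
        self.users = {}               # user -> {salt, pwd_hash, sig_key}
        self.registered_apps = set()  # application IDs allowed to call the webservice API

    def register_user(self, user: str, password: str) -> bytes:
        salt = os.urandom(16)
        sig_key = os.urandom(32)      # stand-in for the user's certificate key (assumption)
        self.users[user] = {
            "salt": salt,
            "pwd_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "sig_key": sig_key,
        }
        return sig_key

    def login(self, user: str, password: str):
        """Check the login factor; on success issue a token bound to the user."""
        rec = self.users.get(user)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(digest, rec["pwd_hash"]):
            return None
        return user + "." + _mac(self.token_key, user)

    def verify(self, nonce_b64: str, signature: str, combined_token: str, app_id: str) -> bool:
        """Step 9: every element the application server forwarded must check out."""
        if app_id not in self.registered_apps:
            return False
        token, sep, sig_in_token = combined_token.rpartition("|")
        if sep != "|" or not hmac.compare_digest(sig_in_token, signature):
            return False
        user, sep, tag = token.partition(".")
        rec = self.users.get(user)
        if sep != "." or rec is None or not hmac.compare_digest(tag, _mac(self.token_key, user)):
            return False
        return hmac.compare_digest(signature, _mac(rec["sig_key"], nonce_b64))


class AuthClient:
    """Holds the token from step 2 and signs challenges in step 5."""

    def __init__(self, auth: AuthSystemModule, user: str, sig_key: bytes):
        self.auth, self.user, self.sig_key, self.token = auth, user, sig_key, None

    def login(self, password: str) -> bool:
        self.token = self.auth.login(self.user, password)
        return self.token is not None

    def sign(self, nonce_b64: str) -> str:
        return _mac(self.sig_key, nonce_b64)

    def combined_token(self, signature: str) -> str:
        """Step 6: token and signature value joined into one combined token."""
        return f"{self.token}|{signature}"


class ApplicationServer:
    """Generates the Base64 nonce (steps 3-4) and forwards the answer to the module (step 8)."""

    def __init__(self, app_id: str, auth: AuthSystemModule):
        self.app_id, self.auth, self.pending = app_id, auth, {}

    def challenge(self, request_id: str) -> str:
        nonce = base64.b64encode(os.urandom(32)).decode()
        self.pending[request_id] = nonce    # remember which nonce this request must answer
        return nonce

    def authenticate(self, request_id: str, signature: str, combined_token: str) -> bool:
        nonce = self.pending.pop(request_id, None)  # single use: a replayed answer finds no nonce
        if nonce is None:
            return False
        return self.auth.verify(nonce, signature, combined_token, self.app_id)


class ApplicationClient:
    """Drives steps 3-7 against an application server using the authentication client."""

    def __init__(self, auth_client: AuthClient):
        self.auth_client = auth_client

    def access(self, server: ApplicationServer, request_id: str) -> bool:
        if self.auth_client.token is None:
            return False
        nonce = server.challenge(request_id)
        signature = self.auth_client.sign(nonce)
        combined = self.auth_client.combined_token(signature)
        return server.authenticate(request_id, signature, combined)
```

The verification order in `verify` mirrors what the application server forwards in step ⑧: the application ID is checked first so an unregistered application cannot consume a user's challenge, then the combined token's integrity, then the signature over the exact random number the server issued.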

Claims (8)

1. A PCIE firewall comprising:
a PCIE interface: the PCIE firewall is deployed on at least one physical server by being inserted into the physical server, to realize data interaction and security protection between the PCIE firewall and the physical server;
a multi-core NP processor: electrically connected with the PCIE interface and used for running an operating system; the operating system comprises a control plane, a forwarding plane and a security plane;
an FPGA chip: electrically connected with the PCIE interface;
an ASIC chip: electrically connected with the PCIE interface;
a network interface unit: realizing data interaction between the PCIE firewall and an external network;
the forwarding plane is specifically configured to:
look up an SA (security association) according to a preset local policy; when no SA is found, establish a new SA through a cryptographic operation chip, and the process ends; when the SA is found, encapsulate the data message into an ESP payload to obtain an ESP message, and set the sequence number counter corresponding to the sender to 0;
pad the ESP message, and then encrypt the padded ESP message using the key, encryption algorithm, algorithm mode and IV specified by the SA;
when the sender sends an encrypted ESP message, increment the sequence number counter corresponding to the ESP message by 1 and insert its value into the sequence number field; when the value of the sequence number counter reaches a preset maximum value, establish a new SA through the cryptographic operation chip;
remove the authentication data field from the ESP message, perform the ICV computation, and write the obtained value into the authentication data field to obtain a new ESP message;
and when the length of the new ESP message exceeds the preset MTU value of the output interface, fragment the new ESP message.
2. The PCIE firewall of claim 1, wherein the PCIE firewall further comprises:
a memory: electrically connected with the ASIC chip, the multi-core NP processor and the PCIE interface respectively;
and a storage chip: electrically connected with the ASIC chip and the multi-core NP processor respectively.
3. The PCIE firewall of claim 1 or 2, wherein the control plane is specifically configured to:
receive and identify data messages through the network interface unit or the network interface unit in the physical server; adopt a software architecture in which the network-layer plane and the application-layer plane are separated; adopt a single-pass analysis architecture so that each data message is analyzed once and matched once; and extract the data message to the application-layer plane through a zero-copy technique to realize unified analysis and detection of threat features.
4. The PCIE firewall of claim 3, wherein the control plane is further configured to:
realize micro-isolation between virtual machines in the physical server by means of a micro-segmentation technique; check and intercept network attack behaviors among the virtual machines in the physical server by means of DPI (deep packet inspection), wherein the network attack behaviors comprise one or more of the following: overflow attacks, RPC attacks, WEB CGI attacks, denial of service, Trojan horses, worms and system vulnerabilities; and perform security detection on the files of the virtual machines by means of an anti-escape detection technique;
the control plane is further configured to:
synchronously adjust the related security policies according to the migration and copying of the virtual machines in the physical server;
the control plane is further configured to:
monitor the traffic of the virtual machines in real time, thoroughly map the communication relationships among the virtual machines in the physical server, and display the communication relationships among the virtual machines as a dynamic topology according to the mapping result.
5. The PCIE firewall of claim 3, wherein the PCIE firewall further comprises:
a cryptographic operation main control unit: used for data interaction with the multi-core NP processor;
a cryptographic operation chip: electrically connected with the cryptographic operation main control unit and the FPGA interface unit respectively;
an FPGA interface unit: carrying out data interaction with the FPGA chip and the ASIC chip;
the encryption function is realized by the cryptographic operation main control unit, the cryptographic operation chip and the FPGA interface unit.
6. The PCIE firewall of claim 5, wherein the security plane is further configured to:
associate the received application-layer data message with an application label through a preset dedicated protocol;
when the application-layer data message is detected, read the relevant application threat features according to the application label associated with the data message;
the security plane is further configured to:
perform deep security scanning, fingerprinting and vulnerability verification on a WEB server website through a preset WEB scanner;
the security plane is further configured to:
check the firewall configuration through an active scanning method, obtain the open ports and existing risks of the physical server from the scan result, and provide the corresponding protection operations according to the scan result.
7. The PCIE firewall of claim 5, wherein the security plane is further configured to:
detect in real time the application-layer traffic passing through the physical server and virtual machines, analyze the application-layer traffic, match the analysis result against a preset vulnerability analysis recognition library, and obtain the vulnerabilities of the physical server and virtual machines from the matching result;
the security plane is further configured to:
adopt a streaming mode and a heuristic file scanning technique to detect and remove various viruses and files of various protocol types in the physical server and virtual machines; the protocol types comprise one or a combination of the following: HTTP, SMTP, POP3 and FTP; the viruses comprise one or a combination of the following: Trojan horses, worms, macro viruses and script viruses.
8. The PCIE firewall of claim 5, wherein the security plane is provided with an authentication system module;
the authentication system module receives the password or certificate authentication login factor information entered by a user through an authentication client, and when the password or certificate authentication login factor information passes verification, issues a token to the authentication client;
when an application server receives an access request sent by an application client, the application server generates a random number, encodes the random number and initiates a random number challenge to the application client;
the application client calls the corresponding interface of the authentication client to sign the received random number and obtain a signature value, and also obtains the token received by the authentication client;
the authentication client combines the received token with the signature value to obtain a combined token, and sends the combined token to the application client;
the application client sends the received combined token to the application server;
the application server sends the received random number, signature value, combined token and the application ID corresponding to the access request to the authentication system module through the webservice API;
the authentication system module verifies the received random number, signature value, combined token and application ID, returns the verification result to the application server through the webservice, and when the verification passes, the authentication system performs identity authentication and single sign-on when it receives the application server's access request again.
CN202010290844.XA 2020-04-14 2020-04-14 PCIE firewall Active CN111541658B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010290844.XA CN111541658B (en) 2020-04-14 2020-04-14 PCIE firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010290844.XA CN111541658B (en) 2020-04-14 2020-04-14 PCIE firewall

Publications (2)

Publication Number Publication Date
CN111541658A CN111541658A (en) 2020-08-14
CN111541658B true CN111541658B (en) 2024-05-31

Family

ID=71977316

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010290844.XA Active CN111541658B (en) 2020-04-14 2020-04-14 PCIE firewall

Country Status (1)

Country Link
CN (1) CN111541658B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12079379B2 (en) * 2020-12-03 2024-09-03 Huawei Technologies Co., Ltd. Peripheral component interconnect express protection controller
CN114679338A (en) * 2022-05-26 2022-06-28 山东林天信息科技有限责任公司 Network risk assessment method based on network security situation awareness
CN118395520B (en) * 2024-06-25 2024-08-30 山东浪潮科学研究院有限公司 Active defense device and method for database
CN118921185A (en) * 2024-06-28 2024-11-08 天翼云科技有限公司 Threat characteristic unified scanning engine scanning lifting method for application layer protection capability

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1852310A (en) * 2005-11-10 2006-10-25 华为技术有限公司 Method for improving safety alliance access efficiency
CN101610264A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 Firewall system, security service platform, and firewall system management method
US8339959B1 (en) * 2008-05-20 2012-12-25 Juniper Networks, Inc. Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane
CN103269301A (en) * 2013-05-30 2013-08-28 中国科学院长春光学精密机械与物理研究所 Desktop IPSec VPN Cipher Machine and Networking Method
CN103312668A (en) * 2012-03-09 2013-09-18 中兴通讯股份有限公司 Message transmission method and device based on link management protocol security alliance
CN104378210A (en) * 2014-11-26 2015-02-25 成都卫士通信息安全技术有限公司 Cross-trust-domain identity authentication method
CN104954222A (en) * 2015-05-22 2015-09-30 东南大学 Tunnel-mode ESP (electronic stability program) hardware encapsulating device on basis of IPSEC (internet protocol security) protocols
CN106230771A (en) * 2016-07-07 2016-12-14 国网青海省电力公司 Industrial control system industrial fireproof wall based on polycaryon processor
CN109495517A (en) * 2019-01-10 2019-03-19 紫光股份有限公司 A kind of firewall device based on field programmable gate array
CN110061965A (en) * 2019-03-13 2019-07-26 北京华为数字技术有限公司 Update method, apparatus, equipment and the readable storage medium storing program for executing of Security Association
CN110430221A (en) * 2019-08-30 2019-11-08 天津大学 A kind of NDP-ESP network security method based on Neighbor Discovery Protocol
CN110719267A (en) * 2019-09-25 2020-01-21 山东三未信安信息科技有限公司 Server board card and data processing method thereof
CN110971398A (en) * 2018-09-28 2020-04-07 阿里巴巴集团控股有限公司 Data processing method, device and system
CN211378050U (en) * 2020-04-14 2020-08-28 许艺明 PCIE firewall


Also Published As

Publication number Publication date
CN111541658A (en) 2020-08-14

Similar Documents

Publication Publication Date Title
EP4352919B1 (en) Securing containerized applications
US8443440B2 (en) System and method for intelligent coordination of host and guest intrusion prevention in virtualized environment
CN111541658B (en) PCIE firewall
US9231976B2 (en) Creating and managing a network security tag
US11841985B2 (en) Method and system for implementing security operations in an input/output device
CN110266639B (en) System and method for endpoint hardware assisted network firewall in a secure environment
US20160378529A1 (en) Utm integrated hypervisor for virtual machines
US12267298B2 (en) Distributed traffic steering and enforcement for security solutions
US10979453B2 (en) Cyber-deception using network port projection
US20250039143A1 (en) Ipv6 extension headers and overlay network metadata for security and observability
US9917849B2 (en) Security system for physical or virtual environments
US12339978B2 (en) Network interface with data protection
US8417868B2 (en) Method, apparatus and system for offloading encryption on partitioned platforms
US20210185025A1 (en) Receive-side processing for encapsulated encrypted packets
US20240146728A1 (en) Access control method, access control system, and related device
US10542039B2 (en) Security against side-channel attack in real-time virtualized networks
You et al. HELIOS: Hardware-assisted high-performance security extension for cloud networking
KR102078744B1 (en) Network interface card having hybrid architecture with multi-core processor and general purpose network controller
US9473518B2 (en) Securing network communications with logical partitions
WO2025029736A1 (en) Determining security actions at policy-enforcement points using metadata representing a security chain for a data flow
CN110719267A (en) Server board card and data processing method thereof
US20240422195A1 (en) Data-plane approach for policy configuration
KR102304584B1 (en) High-speed cryptographic communication system and method using data plane acceleration technology and hardware encryption processing device
WO2025029742A1 (en) Ipv6 extension headers and overlay network metadata for security and observability

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant