Disclosure of Invention
To address these technical problems, the invention provides a real-time information detection network switching system. It is intended for scenarios with higher security requirements, is deployed at the network core layer or access layer where the internal network communicates with an external network or connects to the Internet, monitors the traffic between the internal and external networks, and prevents the internal network from being attacked or eavesdropped on from the external network.
The technical scheme of the invention is as follows. The real-time information detection network switching system comprises an information detection network switching device, which comprises a CPU processor, a switching chip, a reset system, a power supply, a clock, a hot-plug system and a management system. A network interface is arranged at the front end of the switching chip, and the information detection network switching device is arranged at a core layer or an access layer;
the device also comprises an information detection module connected between the CPU processor and the switching chip;
the information detection module is connected to the switching chip through at least two 10 Gigabit Ethernet (10GbE) interfaces. While switching data packets, the switching chip forwards the packets from the interfaces that require inspection to the information detection module by means of a policy-routing (virtual routing and forwarding) configuration, and the information detection module inspects, filters and raises alarms according to the configured rules;
the information detection module is connected to the CPU processor through PCI-E and one Gigabit Ethernet interface. When the information detection module finds a threatening packet it sends an alarm to the CPU processor over PCI-E and the Gigabit Ethernet interface; after receiving the alarm information, the CPU processor controls the switching chip and the information detection module to block the threatening packets.
Preferably, the information detection module comprises an FPGA chip, a storage (flash) chip, a DDR3 memory, an RS232 level-conversion chip, a reset chip and a connector;
the FPGA chip is connected to the storage chip through an SPI interface and to the DDR3 memory through a DDR3 interface;
the FPGA chip is connected to the CPU processor through PCIe and to the switching chip through two 10GbE interfaces.
Further preferably, the information detection module separates data processing into a data channel and a control channel: the data channel is responsible for storing and forwarding packets, the control channel is responsible for the functional processing, and the control channel passes its decisions to the data channel as forwarding information;
the data channel mainly comprises an input/output interface module, an input/output segmented storage module, an input/output read/write arbitration module, a read/write data cache module, a cache management module, a queue scheduling management module, an interrupt controller and a CPU control channel; to lighten the load on the CPU, a high-speed PCIe interface and a DMA controller are integrated.
Further preferably, information detection software is stored in the FPGA chip and provides protection of servers against attack;
the information detection software also provides a network access control function: a primary rule supports a 12-tuple match and a secondary rule supports 4 custom fields; different access rules may be applied to flows with a designated source port and destination port; the combined rules support the actions pass, discard and forward to the processor, so that software and hardware cooperate.
Further preferably, the information detection software also supports protection against mainstream denial-of-service attacks, flooding attacks, source routing attacks, LAND attacks, ping-of-death attacks and WinNuke attacks; access control of malformed packets; management of unknown Layer 2 packets, unknown Layer 3 packets, overlong ICMP packets, excessively short fragments, illegal IP packets, UDP checksum errors and error packets; checking of and protection against risky TCP/IP protocol family packets; management of fragmented TCP SYN, TCP FIN and TCP RST packets; IP option checking; TCP flag checking; and Layer 3 and Layer 4 security checks.
Preferably, the rules set by the information detection module block particular packets from the external network during a specified period, on the basis of monitoring the characteristics of the packets in the network system.
Further preferably, monitoring the packet characteristics in the network system comprises packet information filtering: matching rules based on Layer 2 to Layer 5 packet fields are provided, and the user may configure filtering rules on any packet information field.
Preferably, a network configuration in the switching chip controls, per port, whether external traffic needs to be inspected. It comprises the following:
the external communication of terminal A and terminal B must be sent to the information detection module,
whereas the external communication of terminal C does not need to be sent up to the information detection module and is forwarded directly on the switching chip to which it is connected.
The beneficial effects of the invention are as follows:
The real-time information detection network switching system can be arranged at the core layer or at the access layer, and its functions can be split according to the requirements of each user; for example, the core layer only needs to detect external attacks, while the access layer only needs to detect internal threats. Secondly, the information detection network switching device is innovatively provided with an information detection module, so that the data inspection function can be realised in a targeted way as the system is pushed down toward the access layer.
The invention fully meets the following requirements:
firstly, the FPGA design parses each packet once and stores it once, and several hardware modules look up their tables independently, so the latency is relatively fixed and below 100 us;
secondly, high bandwidth is obtained by communicating over 10GbE interfaces, so line-rate forwarding is still achieved with the access control rules fully configured, avoiding the defect of conventional equipment whose forwarding bandwidth falls as the number of rules grows;
thirdly, the information detection module works independently of the switching system, so on the one hand the equipment is not affected by attacks carried in network packets, and on the other hand packet forwarding in hardware is not affected even if the information detection module fails;
and fourthly, the FPGA implementation has low power consumption, lower than that of a multi-core processor.
Detailed Description
The following description of the embodiments of the invention is made clearly and fully with reference to the accompanying drawings, which show some but not all embodiments of the invention. All other embodiments that a person skilled in the art can derive from the embodiments described here without inventive effort fall within the scope of the invention.
Referring to fig. 1 to 7, this embodiment provides a real-time information detection network switching system comprising an information detection network switching device. Referring to fig. 2, the information detection network switching device comprises a CPU processor, a switching chip, a reset system, a power supply, a clock, a hot-plug system and a management system;
the CPU processor controls and manages peripheral devices such as the switching chip and the information detection module, maintains the protocol messages of the switching system, and sends alarm information to the upper level;
the switching chip mainly implements the switching and forwarding of Ethernet packets and the configuration, management and status monitoring of the external interfaces;
the reset system contains a watchdog circuit that can reset every device on the whole board. After the system CPU hangs, the GPIO driven by the CPU no longer toggles regularly; when the SM706 stops seeing the expected transitions on its WDI input it asserts WDO, WDO triggers the RESET signal, and the whole system is reset;
the power supply system: the external supply voltage of the equipment is 220 V AC, which the internal AC/DC power supply converts to the 12 V DC required by the main board, and the DC/DC converters then derive the various supply voltages required by all subsystems;
the clock system mainly uses high-precision crystal oscillators as the board-level clock generators, with a temperature-compensated crystal oscillator or a recovered clock as the clock source, and provides the clocks of the various frequencies needed by all devices through the individual crystal oscillators;
the hot-plug system: the hot-plug circuit provides over-current and short-circuit protection for the board and supports hot plugging of the board under power;
the management system monitors status information such as the temperature inside the equipment, the voltage of the main circuits and power-on control, and adjusts the fan speed through the management circuit according to the internal temperature so as to achieve efficient heat dissipation of the whole machine;
in this embodiment the CPU is a domestic Loongson 2K1000 processor, the switching chip is a domestic Centec CTC7132, the reset chip is a domestic SM706, the power supply chip is a domestic SM4644, the clock system uses a domestic Chenjing GJA144-25-C20-B4-D5-D crystal oscillator, the hot-plug chip is a domestic Joulwatt JW7222, and the management chip is a domestic CETC 58th Research Institute CS32F103CB; the connections and working principles among these components are prior art and are not described further.
A network interface is provided at the front end of the switching chip. Referring to fig. 1, the information detection network switching device is arranged at the core layer (that is, the data centre of the whole organisation) or at the access layer (that is, the network access port of each subordinate department);
the device also comprises an information detection module connected between the CPU processor and the switching chip.
Referring to fig. 3, the information detection module is connected to the switching chip through at least two 10GbE interfaces. During packet switching, the switching chip forwards the packets from the interfaces that require inspection to the information detection module through the policy-routing (virtual routing and forwarding) configuration. The information detection module is connected to the CPU processor through PCI-E and one Gigabit Ethernet interface; when the information detection module finds a threatening packet it alarms the CPU processor over PCI-E and the Gigabit Ethernet interface, and after receiving the alarm the CPU processor controls the switching chip and the information detection module to block the threatening packets. The threatening packets are no longer sent outward and have no effect on other networks. The information detection module inspects, filters and alarms according to the configured rules;
Referring to fig. 4, in this embodiment the information detection module comprises an FPGA chip, a storage chip, a DDR3 memory, an RS232 level-conversion chip, a reset chip and a connector; the FPGA chip is a domestic Fudan Microelectronics JFM VX690T20-AS;
the FPGA chip is connected to the storage chip through an SPI interface, mainly to read and write the FPGA software (configuration) held in the FLASH, and to the DDR3 memory through a DDR3 interface, which holds the working state of the running FPGA software;
the FPGA chip is connected to the CPU processor through the PCIe interface and to the switching chip through the two 10GbE interfaces.
In this embodiment, the rules set by the information detection module block particular packets from the external network during a specified period, on the basis of monitoring the characteristics of the packets in the network system.
Monitoring the packet characteristics in the network system comprises packet information filtering: matching rules based on Layer 2 to Layer 5 packet fields are provided, and the user may configure filtering rules on any packet information field.
The information detection function is implemented by the following mechanisms:
(1) Layer 2 parsing and rate control
The Layer 2 protocol parsing and rate control flow first parses the L2 header: it determines whether the original packet carries a VLAN tag, reads the type/length field that follows the (4-byte) VLAN tag together with the next few bytes to determine the frame type, identifies Ethernet II frames, SNAP frames, 802.3 raw frames, LLC frames and so on, extracts the corresponding frame information according to the frame type, and performs a validity check. Only data that passes the validity check enters the next stage of inspection; otherwise it is discarded. The Layer 2 parsing covers the source and destination MAC addresses, VLAN, type/length, CRC, Layer 2 protocol type and so on.
(2) Layer 3 parsing and validity check
The Layer 3 parsing flow determines whether the packet is IPv4 (Ethernet type 0x0800). For an IPv4 packet the IP header length is checked: if it is less than 20 bytes the packet is an abnormal (error) packet; if it is greater than 20 bytes, IP options are present; if it is at least 20 bytes, the 20-byte IP header is extracted and examined. The Layer 3 fields include the source and destination IP addresses, IP protocol type, IP length, fragment flag, fragment length and offset, TTL, IP header checksum and so on; Layer 3 parsing also establishes whether the packet is Layer 3 unicast, multicast or subnet broadcast.
(3) IP option processing
The IP option processing flow supplements the Layer 3 parsing flow: when the IP header is larger than 20 bytes, the header is split and the options are parsed, the parsed option types are recorded, option checking is enabled, and the packet is discarded if an erroneous option is present.
(4) Layer 4 parsing and validity check
In the Layer 3 parsing and validity checking flow the IP protocol number is obtained from the IP header; the Layer 4 protocols include UDP, TCP, ICMP, IGMP and other common network protocols. Validity checks with the detection options appropriate to each of these protocols are carried out; only data that satisfies the detection items passes, and everything else is discarded.
(5) ICMP parsing and validity check
The ICMP parsing and validity checking flow receives packets identified as ICMP from the L3 parsing module, extracts the ICMP code, type and checksum, switches on the ICMP type and extracts the ICMP identifier and sequence number (for echo messages) or the embedded IP header plus 8 bytes of IP data (for error messages), and checks the validity of the ICMP protocol through an ICMP type filter, validity checking, checksum checking and so on; the packet passes only if it satisfies the checks and is otherwise discarded.
(6) TCP option check
In the TCP option checking flow, a TCP header longer than 20 bytes indicates that TCP options are present; the system extracts the option contents, matches and judges them against the option formats defined by the protocol, determines whether an error or anomaly exists, and decides the corresponding forwarding action.
(7) HTTP content parsing
In the HTTP content parsing flow, a TCP packet whose destination port is 80, or whose port is not 80 but whose content begins with the key string 'HTTP', is judged to be an HTTP packet; the HTTP content it carries is parsed further to identify the HTTP method (such as GET/PUT/upload) and the HTTP content (such as attachment type, file name and application-layer protocol).
(8) Protocol parsing filter-table processing
The protocol parsing filter-table processing flow shows the complete protocol parsing of a packet, from the Layer 2 header to the content layer: at each layer the parsed content is compared with the corresponding system settings to decide whether that layer matches or filters the packet, and each action in the figure is the matched behaviour.
(9) Matching behaviour
The matching behaviour flow evaluates the matching results to determine the final forwarding action for the packet. Security zones can be defined on VLANs and physical interfaces, a matching level can be set per security zone, and a packet can be filtered, discarded or sent to the processor for further analysis. If several rules match, the priorities set in the matching result tables decide, and the result with the highest priority is taken as the final forwarding action of the protocol parsing.
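The nine steps above describe one parse-and-check pipeline. The following Python model, added here as an example and not part of the patent or of its FPGA implementation, carries steps (1) to (6) through on constructed frames: Layer 2 disambiguation, IPv4 header and option checks (including the source-route, ping-of-death and tiny-fragment cases), and the Layer 4 checks for the LAND and WinNuke patterns the page lists. The threshold MAX_ICMP_LEN and the sample frames built by build_frame() are assumptions of the example.

```python
# Added example: a software model of steps (1)-(6), not the patent's FPGA logic.
import struct
from ipaddress import IPv4Address

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
MAX_ICMP_LEN = 1024              # "overlong ICMP" threshold (assumed site policy)
SOURCE_ROUTE_OPTS = {131, 137}   # IP options LSRR / SSRR (source routing attack)

def checksum16(data):
    """RFC 1071 sum; 0 when run over a header that includes its own checksum."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data + b"\x00" * (len(data) % 2)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_l2(frame):
    """Step (1): Ethernet II, 802.1Q-tagged, or 802.3 (type/length field < 0x0600)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    encap = "802.3" if ethertype < 0x0600 else "ethernet2"
    return {"vlan": vlan, "encap": encap, "ethertype": ethertype, "payload": frame[off:]}

def check_ip_options(opts):
    """Step (3): a bad option length or a source-route option (LSRR/SSRR) discards."""
    i = 0
    while i < len(opts) and opts[i] != 0:                       # 0 = End of Option List
        n = 1 if opts[i] == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)  # 1 = NOP
        if n < 1 or (opts[i] != 1 and n < 2) or i + n > len(opts):
            raise ValueError("malformed IP option")
        if opts[i] in SOURCE_ROUTE_OPTS:
            raise ValueError("source routing option")
        i += n

def parse_ipv4(pkt):
    """Step (2): version, IHL >= 20, lengths, checksum, options, fragment sanity."""
    if len(pkt) < 20:
        raise ValueError("short IP header")
    vi, _, tlen, _, ff, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vi & 0x0F) * 4
    if vi >> 4 != 4 or ihl < 20 or tlen < ihl or tlen > len(pkt) or checksum16(pkt[:ihl]):
        raise ValueError("bad IP header (version, length or checksum)")
    check_ip_options(pkt[20:ihl])
    mf, frag_off, data_len = (ff >> 13) & 1, (ff & 0x1FFF) * 8, tlen - ihl
    if frag_off + data_len > 65535:
        raise ValueError("ping of death: reassembled datagram exceeds 65535")
    if mf and (data_len % 8 or (frag_off == 0 and proto == 6 and data_len < 20)):
        raise ValueError("short or misaligned fragment")
    return {"sip": IPv4Address(sip), "dip": IPv4Address(dip), "proto": proto, "ttl": ttl,
            "mf": mf, "frag_off": frag_off, "payload": pkt[ihl:tlen]}

def check_l4(ip):
    """Steps (4)-(6): TCP/ICMP validity plus the LAND and WinNuke patterns."""
    p, proto = ip["payload"], ip["proto"]
    if ip["frag_off"]:
        return "fragment"            # only the first fragment carries the L4 header
    if proto == 6:
        if len(p) < 20:
            raise ValueError("short TCP header")
        sport, dport, _, _, doff_flags = struct.unpack("!HHIIH", p[:14])
        doff, flags = (doff_flags >> 12) * 4, doff_flags & 0x1FF
        fin, syn, ack, urg = flags & 0x01, flags & 0x02, flags & 0x10, flags & 0x20
        if doff < 20 or flags == 0 or (syn and fin) or (fin and not ack):
            raise ValueError("illegal TCP header or flag combination")
        if ip["sip"] == ip["dip"] and sport == dport:
            raise ValueError("land attack")
        if urg and dport == 139:
            raise ValueError("winnuke: URG data to NetBIOS port 139")
        return "tcp"
    if proto == 1:
        if len(p) < 8 or (not ip["mf"] and checksum16(p)) or len(p) > MAX_ICMP_LEN:
            raise ValueError("bad ICMP checksum or length")
        return "icmp"
    return {17: "udp", 2: "igmp"}.get(proto, "other")

def classify(frame):
    """Whole pipeline: ("pass", kind) or ("drop", reason)."""
    try:
        l2 = parse_l2(frame)
        if l2["encap"] != "ethernet2" or l2["ethertype"] != ETH_P_IP:
            return ("pass", "non-ip")   # left to the unknown-L2-packet policy
        return ("pass", check_l4(parse_ipv4(l2["payload"])))
    except ValueError as exc:
        return ("drop", str(exc))

def build_frame(sip, dip, proto, payload, vlan=None, ff=0, options=b""):
    """Constructed test frames (example only): IPv4 header with a correct checksum."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), 1, ff, 64,
                      proto, 0, IPv4Address(sip).packed, IPv4Address(dip).packed) + options
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return b"\x02" * 6 + b"\x04" * 6 + tag + struct.pack("!H", ETH_P_IP) + hdr + payload

def build_tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + data
```

classify() returns ("pass", kind) or ("drop", reason); feeding it frames from build_frame() shows each discard rule fire (a LAND packet, a URG segment to port 139, a fragment whose offset plus length exceeds 65535, an LSRR option). Where the FPGA looks up several tables in parallel, the model checks sequentially and the first failing check decides.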
In this embodiment, the information detection module separates data processing into a data channel and a control channel: the data channel is responsible for storing and forwarding packets, the control channel is responsible for the functional processing, and the control channel passes its decisions to the data channel as forwarding information;
the data channel mainly comprises an input/output interface module, an input/output segmented storage module, an input/output read/write arbitration module, a read/write data cache module, a cache management module, a queue scheduling management module, an interrupt controller and a CPU control channel; to lighten the load on the CPU, a high-speed PCIe interface and a DMA controller are integrated.
See fig. 5, in which:
the input/output interface module comprises MAC/XGMAC/XAUI/SGMII interfaces and the like, and the CPU interface is a PCIe channel;
the input/output segmented storage module buffers data in segments and is implemented with internal SRAM and control logic;
the input/output read/write arbitration module arbitrates input/output accesses and is implemented with the internal memory controller or DDR controller and the designed control logic;
the read/write data cache module stores data in internal memory or in external DDR memory and the like;
the cache management module buffers multiple data frames and schedules the management module;
the queue scheduling management module implements QoS, enqueue and dequeue management and the like;
the DMA controller moves data at high speed over the CPU's receive and transmit channels; there are currently 4 receive/transmit channels, and they support packets, messages and the like;
the interrupt controller provides fast data/information access responses to the CPU through interrupts; the default is MSI mode, and MSI-X mode can be supported later.
The control channel mainly comprises a protocol parsing module, a first-stage information filtering module, a second-stage information filtering module, a policy control and rule lookup module, a bandwidth statistics and service control module, a control channel output information summarising module, a packet management module and so on.
Referring to fig. 6, the protocol parsing module is the most important module of the control channel. As the entry point of the system's control channel it receives the header information supplied by the data channel and performs the following functions:
1) Parsing the packet, that is, parsing the Layer 2 to Layer 5 information fields of the packet and checking the validity of the packet;
2) Processing the Layer 2 related protocols;
3) Providing MATCH rules based on the Layer 2 to Layer 5 information fields and allowing the user to set filtering rules based on the packet information fields;
4) Rate limiting for particular packet types: L2 reserved multicast, L3 reserved multicast, IP first fragments and IP fragments;
5) Providing statistics based on MATCH rules and packet PARSE results.
Referring to fig. 6, the protocol parsing module extracts the synchronised frame header information and performs the processing described below:
a) Frame header parsing
Layer 2 to Layer 5 information is parsed from the frame header and the information fields of each layer are extracted:
1) Identifying and parsing the Layer 2 encapsulations Ethernet II, 802.3 SNAP, 802.3 LLC and IPX-based 802.3 RAW;
2) Identifying and parsing ARP, RARP, ICMP, IGMP and IP packets;
3) At Layer 3, identifying and parsing IPv4 and non-IPv4 packets;
4) Identifying and parsing TCP and UDP packets;
5) At Layer 5, identifying and parsing HTTP GET and HTTP PUT packets.
After the protocol parsing module has identified the various packet types, the corresponding validity check is carried out according to the protocol definition of each packet type, and packets that fail the check are discarded according to the configuration.
b) VLAN handling
The protocol parsing module performs the following processing on the extracted VLAN and source port information:
1) VLAN protocol processing;
2) Obtaining the attributes of the virtual port to which the packet belongs;
3) Obtaining the attributes of the security zone to which the packet belongs.
c) Protocol filtering
The protocol parsing module provides protocol filtering on the various parsed Layer 2 to Layer 5 information fields, including:
1) Protocol filtering based on DMAC;
2) Protocol filtering based on ETHER TYPE;
3) Protocol filtering based on DIP/SIP;
4) Protocol filtering based on the IP PROTOCOL field;
5) Protocol filtering based on the IP/TCP OPTION fields;
6) Protocol filtering based on the TCP FLAG field;
7) Protocol filtering based on the L4 destination port number plus source port number;
8) Protocol filtering based on the type field of ICMP packets;
9) Protocol filtering based on the type field of IGMP packets;
10) Protocol filtering based on the type of fragmented packet;
11) Protocol filtering based on HTTP GET/PUT packets;
and the final protocol filtering result is obtained by combining the individual protocol filtering results according to a defined rule.
d) Content filtering
The protocol parsing module provides content filtering on the parsed Layer 5 information fields.
In this embodiment, information detection software is stored in the FPGA chip and provides protection of servers against attack: it supports binding of MAC and IP addresses; protection against mainstream denial-of-service attacks; defence against flooding attacks such as fragment flooding, UDP flooding, TCP SYN flooding and ICMP flooding; protection against source routing attacks, LAND attacks, ping-of-death attacks and WinNuke attacks; access control of malformed packets; management of unknown Layer 2 packets, unknown Layer 3 packets, overlong ICMP packets, excessively short fragments, illegal IP packets, UDP checksum errors and error packets; detection of and protection against risky TCP/IP protocol family packets; management of fragmented TCP SYN, TCP FIN and TCP RST packets; and IP option checking, TCP flag checking, Layer 3 security checking and Layer 4 security checking;
the information detection software also provides a network access control function: a primary rule supports a 12-tuple match and a secondary rule supports 4 custom fields; different access rules may be applied to flows with a designated source port and destination port; the rules support the actions pass, discard and forward to the processor, and the combined rules realise software/hardware cooperation.
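How a rule table of this kind resolves several simultaneous hits by priority, as an added Python example (not the patent's or the FPGA's table logic): a Rule carries exact, range, set, prefix or masked-flag conditions on up to twelve primary fields, plus up to four custom (offset, mask, value) byte checks as the secondary rule, and lookup() returns the action of the highest-priority match. The field names, the rule syntax and the sample rule set are assumptions of the example; the page states only the counts (12 tuple fields, 4 custom fields) and the three actions.

```python
# Added example: priority-ordered rule lookup with a 12-tuple primary match and up to
# four custom byte-field (secondary) matches. Field names and sample rules are assumed.
from ipaddress import ip_address, ip_network

PRIMARY_FIELDS = ("in_port", "vlan", "smac", "dmac", "ethertype", "sip", "dip",
                  "ip_proto", "dscp", "sport", "dport", "tcp_flags")
ACTIONS = ("pass", "drop", "to_cpu")          # pass / discard / forward to the processor
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class Rule:
    def __init__(self, name, priority, action, custom=(), **match):
        if action not in ACTIONS or len(custom) > 4 or not set(match) <= set(PRIMARY_FIELDS):
            raise ValueError("invalid rule " + name)
        self.name, self.priority, self.action = name, priority, action
        self.match = match            # omitted field = any; value forms in _field_ok
        self.custom = list(custom)    # secondary rule: (payload_offset, mask, value) triples

    @staticmethod
    def _field_ok(key, want, have):
        if have is None:
            return False
        if key in ("sip", "dip"):                       # "a.b.c.d/n" prefix match
            return ip_address(have) in ip_network(want, strict=False)
        if key == "tcp_flags":                          # (mask, value) masked compare
            return (have & want[0]) == want[1]
        if isinstance(want, tuple):                     # (lo, hi) inclusive range
            return want[0] <= have <= want[1]
        if isinstance(want, (set, frozenset)):          # membership
            return have in want
        return have == want                             # exact

    def matches(self, fields, payload=b""):
        if not all(self._field_ok(k, v, fields.get(k)) for k, v in self.match.items()):
            return False
        for off, mask, value in self.custom:
            chunk = payload[off:off + len(value)]
            if len(chunk) < len(value):
                return False
            if bytes(b & m for b, m in zip(chunk, mask)) != value:
                return False
        return True


def lookup(rules, fields, payload=b""):
    """Return (action, rule name); the highest-priority match wins, default is pass."""
    hits = [r for r in rules if r.matches(fields, payload)]
    if not hits:
        return "pass", None
    best = max(hits, key=lambda r: r.priority)
    return best.action, best.name


# Sample rule set (constructed). Port 49 is taken as the uplink toward the external network.
RULES = [
    Rule("intra", 10, "pass", vlan={10, 11}),
    Rule("ssh-to-cpu", 50, "to_cpu", in_port=49, ip_proto=6, dport=22,
         dip="192.168.0.0/16", tcp_flags=(SYN | ACK, SYN)),          # new SSH sessions only
    Rule("no-telnet", 60, "drop", in_port=49, ip_proto=6, dport=23),
    Rule("http-put", 70, "to_cpu", ip_proto=6, dport=(1024, 65535),  # PUT on odd ports
         custom=[(0, b"\xff" * 4, b"PUT ")]),
    Rule("syn-fin", 90, "drop", ip_proto=6, tcp_flags=(SYN | FIN, SYN | FIN)),
]
```

The masked flag compare is what lets a rule distinguish a new SSH connection (SYN without ACK) from the rest of the session, so only the first packet is punted to the processor; the custom byte check stands in for the secondary rule and, here, catches an HTTP PUT on a non-standard port.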
In this embodiment, referring to fig. 6 to 7, a network configuration is provided in the switching chip. The internal network configuration is as follows (the // comments are explanatory):
ip access-list FPGA               // create an access-list matching the packets to be sent to the FPGA
 10 permit any any
!
route-map fpga permit 10          // create the policy route
 match ip address FPGA            // associate the policy route with access-list FPGA
 set ip next-hop 10.10.10.2       // the next hop of the policy route is the FPGA
!
interface eth-0-1
 no switchport
 ip address 192.168.10.254/24
 ip policy route-map fpga         // apply the policy route to port eth-0-1
!
interface eth-0-2
 no switchport
 ip address 192.168.11.254/24
 ip policy route-map fpga
!
interface eth-0-3
 no switchport
 ip address 192.168.12.254/24
!
interface eth-0-49
 no switchport
 ip address 10.10.10.1/24
!
interface eth-0-50
 no switchport
 ip address 10.10.20.1/24
!
ip route 0.0.0.0/0 20.20.20.20    // default route toward the external network; 20.20.20.20 is the external next-hop IP
Internal forwarding flow:
S1. A terminal device accesses the external network; the destination MAC of its traffic is filled with the route-MAC (gateway MAC) of the device and the traffic is sent to the switch;
S2. The switching chip receives a packet whose destination MAC is the route-MAC and determines that it needs to be routed;
S3. The switching chip checks whether a policy route is configured on the port that received the packet; if so, the policy route is matched first;
S4. The next hop of the policy route is set to the IP address of the FPGA, so the switching chip sends the traffic destined for the external network to the FPGA out of eth-0-49 through the policy route;
S5. After the FPGA has cleaned the traffic, it sends the cleaned traffic back to eth-0-50 of the switch via 10.10.20.1/24, which is the next hop of the FPGA's default route; after the FPGA's default route the destination MAC of the packet is again the route-MAC of the switching chip;
S6. When the switching chip receives the cleaned packet from eth-0-50 it finds that the destination MAC is the route-MAC of the switch, so routing is needed; since no policy route is configured on port eth-0-50, the default route is matched and the cleaned packet is sent to the external network.
In this embodiment it is further possible to control, per port, whether external traffic needs to be inspected, specifically:
the external communication of terminal A and terminal B must be sent to the information detection module,
whereas the external communication of terminal C is forwarded directly on the switching chip to which it is connected, without being sent up to the information detection module.
Because different devices have different application scenarios, the purpose of this arrangement is to treat devices that pose different degrees of threat differently and so save the computing resources of the information detection module.
All packets forwarded by the inspected interfaces are inspected continuously, network attacks and potential threats are monitored in real time, and alarm information is reported promptly.
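The hairpin in S1 to S6 and the per-port bypass can be modelled to check a configuration before it goes onto the switch. The following Python is an added example (not the vendor CLI or the patent's hardware) that reproduces the interface, route-map and access-list data from the configuration above and traces a packet through the policy route, the FPGA and the default route. The "uplink" port toward 20.20.20.20 and the FPGA's return behaviour (re-entry on eth-0-50, as S5 states) are assumptions of the example; the page's configuration does not show the uplink interface.

```python
# Added example: a pure-Python model of the switching chip's forwarding decision for the
# configuration above. "uplink" is an assumed port; the page does not show one for 20.20.20.20.
from ipaddress import ip_address, ip_interface

INTERFACES = {                     # port -> (ip address, policy route-map), from the config
    "eth-0-1": ("192.168.10.254/24", "fpga"),
    "eth-0-2": ("192.168.11.254/24", "fpga"),
    "eth-0-3": ("192.168.12.254/24", None),      # terminal C: no policy, no inspection
    "eth-0-49": ("10.10.10.1/24", None),         # link toward the FPGA (10.10.10.2)
    "eth-0-50": ("10.10.20.1/24", None),         # cleaned traffic comes back here
}
ROUTE_MAPS = {"fpga": ("FPGA", "10.10.10.2")}   # route-map -> (access-list, next hop)
ACCESS_LISTS = {"FPGA": [("permit", "0.0.0.0/0", "0.0.0.0/0")]}
DEFAULT_NEXT_HOP = "20.20.20.20"
UPLINK = "uplink"                               # assumed port reaching the default next hop
FPGA_RETURN_PORT = "eth-0-50"                   # S5: the FPGA's default route points at 10.10.20.1


def in_prefix(addr, prefix):
    return ip_address(addr) in ip_interface(prefix).network


def acl_permits(name, sip, dip):
    for action, src, dst in ACCESS_LISTS[name]:
        if in_prefix(sip, src) and in_prefix(dip, dst):
            return action == "permit"
    return False                                 # implicit deny at the end of the list


def port_for(next_hop, interfaces):
    """Egress port for a next hop: the connected interface, else the assumed uplink."""
    for port, (addr, _) in interfaces.items():
        if in_prefix(next_hop, addr):
            return port
    return UPLINK


def route(in_port, sip, dip, interfaces=INTERFACES):
    """S2-S4: a policy route on the ingress port is consulted before the routing table."""
    policy = interfaces[in_port][1]
    if policy:
        acl, next_hop = ROUTE_MAPS[policy]
        if acl_permits(acl, sip, dip):
            return port_for(next_hop, interfaces), next_hop
    for port, (addr, _) in interfaces.items():   # connected routes
        if in_prefix(dip, addr):
            return port, dip
    return port_for(DEFAULT_NEXT_HOP, interfaces), DEFAULT_NEXT_HOP


def trace(in_port, sip, dip, interfaces=INTERFACES, max_hops=8):
    """Follow one packet through the switch, including the FPGA hairpin (S5); raise on a
    forwarding loop such as a policy route mistakenly applied to the FPGA return port."""
    hops, port = [], in_port
    fpga_port = port_for(ROUTE_MAPS["fpga"][1], interfaces)
    while len(hops) < max_hops:
        egress, next_hop = route(port, sip, dip, interfaces)
        hops.append((port, egress, next_hop))
        if egress != fpga_port:
            return hops
        port = FPGA_RETURN_PORT                  # the cleaned packet re-enters on eth-0-50
    raise RuntimeError("forwarding loop: %r" % hops[:3])


def loops(in_port, sip, dip, interfaces=INTERFACES):
    """True if trace() never leaves the switch/FPGA hairpin."""
    try:
        trace(in_port, sip, dip, interfaces)
        return False
    except RuntimeError:
        return True
```

trace() makes two properties of the configuration visible that a practitioner should check: with "permit any any" in the access-list, traffic between terminals A and B on different subnets is also sent through the FPGA, not only traffic to the external network; and applying the route-map to eth-0-50 (the return port) produces a forwarding loop, which loops() reports.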
The real-time information detection network switching system provided by this embodiment is suitable for scenarios with higher security requirements, is deployed at the network core layer or access layer where the internal network communicates with an external network or connects to the Internet, monitors the traffic between the internal and external networks, and prevents the internal network from being attacked or eavesdropped on from the external network. It meets the following requirements:
Requirement 1, low latency: the device parses each packet once and stores it once, and several hardware modules look up their tables independently, so the latency is relatively fixed and below 100 us;
Requirement 2, high bandwidth: line-rate forwarding is still achieved with the access control rules fully configured, avoiding the defect of conventional equipment whose forwarding bandwidth falls as the number of rules grows;
Requirement 3, high reliability: on the one hand the device is not affected by attacks carried in network packets, and on the other hand packet forwarding in hardware is not affected even if the processor and the operating system stop working;
Requirement 4, low power consumption: the FPGA implementation consumes less power than a multi-core processor;
Requirement 5, server attack protection: it supports binding of MAC and IP addresses; protection against mainstream denial-of-service attacks; active defence against flooding attacks such as fragment flooding, UDP flooding, TCP SYN flooding and ICMP flooding; protection against source routing attacks, LAND attacks, ping-of-death attacks and WinNuke attacks; access control of malformed packets; management of unknown Layer 2 packets, unknown Layer 3 packets, overlong ICMP packets, excessively short fragments, illegal IP packets, UDP checksum errors, error packets and the like; detection of and protection against risky TCP/IP protocol family packets; management of fragmented TCP SYN, TCP FIN and TCP RST packets; and IP option checking, TCP flag checking, Layer 3 security checking and Layer 4 security checking;
Requirement 6, network access control: a primary rule supports a 12-tuple match and a secondary rule supports 4 custom fields; different access rules may be applied to flows with a designated source port and destination port; the rules support the actions pass, discard and forward to the processor, and the combined rules realise software/hardware cooperation.
The invention is not limited to the above embodiments; on the basis of the technical solution disclosed here, a person skilled in the art may make substitutions and modifications to some of its technical features without creative effort, and all such substitutions and modifications fall within the protection scope of the invention.