CN100334868C - Dynamically switching on/off TNS protocol communication port in firewall packet filtering - Google Patents


Info

Publication number
CN100334868C
Authority
CN
China
Prior art keywords
packet
tns
state
redirected
execution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB031023851A
Other languages
Chinese (zh)
Other versions
CN1522019A (en)
Inventor
杨聪毅
李江力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Leadsec Technology Co.,Ltd.
Original Assignee
Lenovo Wangyu Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Wangyu Technology Beijing Co Ltd
Priority to CNB031023851A
Publication of CN1522019A
Application granted
Publication of CN100334868C
Anticipated expiration
Current legal status: Expired - Fee Related

Abstract

The present invention discloses a method for dynamically opening and closing TNS protocol communication ports in firewall packet filtering, in the technical field of dynamic packet-filtering firewalls. The method comprises the following steps: a packet is taken out of the firewall's receive-queue buffer; stateful packet filtering is applied to the packet; dynamic TNS state detection is applied to the packet that is permitted to pass after filtering; and the firewall forwards the packet. The invention solves the prior-art problem that communication based on the TNS protocol requires opening Transmission Control Protocol (TCP) high ports above 1024, which seriously compromises the security of the firewall. The technique is suited to dynamic packet filtering at the link layer, IP layer and application layer under Oracle's TNS protocol.

Description

Method for dynamically opening and closing TNS protocol communication ports in firewall packet filtering
Technical field
The present invention relates to the technical field of dynamic packet-filtering firewalls, and in particular to a method for dynamically opening and closing communication ports in firewall packet filtering.
Background technology
A firewall is a barrier placed between a protected network and an external network to prevent unpredictable, potentially destructive intrusions. By working mechanism, firewalls are divided into packet-filtering firewalls and application-level proxies. Packet-filtering firewalls are further divided into static packet filtering and dynamic packet filtering.
A static packet-filtering firewall examines each packet against the defined filtering rules to determine whether it matches one of them. Packet filtering rules are written against the packet header information, which includes the IP source address, IP destination address, transport protocol (TCP, UDP, ICMP and so on), TCP/UDP destination port, ICMP message type, and so on. The basic principle a packet-filtering firewall follows is the principle of least privilege: explicitly permit the packets the administrator wants to pass, and deny all others.
A dynamic packet-filtering firewall sets packet filtering rules dynamically, avoiding the problems of static packet filtering. This technology later developed into so-called stateful inspection. A firewall using this technology tracks every connection established through it and dynamically adds or updates entries in the packet filtering rules as required. The firewall technology most widely used at present is the dynamic packet-filtering firewall. It is based on the packet-filtering firewall and provides full-state (stateful) packet filtering. While filtering on the packet's network-layer information, it places more emphasis on filtering application-layer information and on protecting servers, so its security is higher.
The TNS (Transparent Network Substrate) protocol is a unified network communication application protocol developed by Oracle Corporation that can be applied conveniently and transparently in network applications. It is mainly used in the network communication between the client and server of an Oracle database and is the base application protocol of Oracle database communication. One characteristic of the TNS protocol is that the ports it uses are negotiated dynamically.
A highly secure firewall must open the ports it uses dynamically and close them promptly when communication ends. However, traditional firewall packet filtering technology cannot dynamically open and close the ports negotiated by the TNS protocol, so to permit normal communication between the client and server of an Oracle database based on the TNS protocol, the Transmission Control Protocol (TCP) high ports above 1024 must be opened. This in turn has a very large impact on the security of the firewall.
Summary of the invention
The main purpose of the present invention is to address the prior-art defect that normal communication based on the TNS protocol requires opening Transmission Control Protocol (TCP) high ports above 1024, which seriously affects the security of the firewall, and to provide a method for dynamically opening and closing TNS protocol communication ports in a firewall.
To achieve this purpose, the method for dynamically opening and closing TNS protocol communication ports in firewall packet filtering of the present invention comprises the following steps:
1) take a packet out of the firewall's receive-queue buffer;
2) determine whether the state table contains the state information of the packet; if so, go to step 4), otherwise go to step 3);
3) determine whether the packet meets the firewall packet filtering rules; if so, go to step 4), otherwise drop the packet;
4) using the redirected-connection method, perform dynamic TNS state detection for the TNS protocol on the packet permitted to pass after filtering, dynamically opening the TNS protocol communication port when the redirected connection is established and closing it when the redirected connection ends;
5) the firewall forwards the packet.
The method of the present invention can dynamically open and close, in the firewall, the ports dynamically negotiated by Oracle's TNS protocol, making the use of the firewall more transparent and effectively protecting the security of communication between the Oracle database client and server.
The present invention is illustrated below by its specific embodiments and the drawings.
Description of drawings
Fig. 1 is a schematic diagram of the Oracle data communication process.
Fig. 2 is a flow diagram of the method for dynamically opening and closing TNS protocol communication ports in firewall packet filtering.
Embodiment
The present invention proposes a method for dynamically opening and closing TNS protocol communication ports in firewall packet filtering. It uses the dynamic packet filtering mechanism so that the firewall can dynamically open and close TNS protocol communication ports, guaranteeing the firewall's own operational security while at the same time protecting the security of communication between the Oracle database client and server.
Referring to Fig. 1, we first look at the Oracle data communication process. In an Oracle database system the communication model is mainly the Client/Server model. The Oracle database client reads and writes the database by communicating with the server. The process works as follows:
First, the client initiates a TCP connection to port 1521 of the server (note: port 1521 is the default port on which the Oracle database server receives the client's initial request; it can be configured to another port number. All references to 1521 in this document mean the port number on which the Oracle database server receives client requests; this port number does not change in normal use once the Oracle system is configured). Next, TNS protocol data is transmitted over this connection: the client sends the server a TNS request asking it to provide service, and the request contains the database operation information. If the server accepts the request, it returns a TNS response message. This response message is a TNS redirect packet; its content notifies the Oracle client that the server will listen on port Listen_Port, i.e. the communication between the client and the server will be redirected to the server's Listen_Port port. After the client receives the TNS redirect packet returned by the server, it establishes a TCP connection with the server's Listen_Port port, and all subsequent database operations are carried out over this TCP connection, which is called the redirected connection.
TCP connections are explained here. TCP communication is connection-oriented and realizes the concept of a "virtual circuit": before the two sides communicate, a connection is established first, and both sides can then transmit data streams over it; this connection is called a TCP connection. Each standard TCP connection is established by a three-way handshake: first the requester sends a SYN message to the server; after the server receives the SYN, it replies to the requester with a SYN-ACK to indicate confirmation; after the requester receives the SYN-ACK it sends an ACK message back to the server, at which point a TCP connection has been successfully established and subsequent work can proceed.
The method for dynamically opening and closing TNS protocol communication ports in firewall packet filtering of the present invention is described in detail below with reference to Fig. 2.
The technical basis of the packet-filtering firewall is the packetized transmission technology of networks. Data on the network is transmitted in units of "packets"; the data is divided into packets of a certain size. Each packet contains header information and body data. The header information includes state information: IP source address, IP destination address, encapsulation protocol (TCP, UDP or IP tunnel), TCP/UDP source port, ICMP packet type, packet input interface and packet output interface. Packet filtering rules are applied to the header information as the IP packet travels forward: the firewall reads the IP address and port information in the packet header and determines whether the packet matches a packet filtering rule (note: only the header content is examined; the body data in the packet is ignored). If a match is found and the rule permits the packet, the packet proceeds; if a match is found and the rule denies the packet, the packet is rejected; if no rule matches, the user-configured default parameter decides whether the packet proceeds or is rejected.
The method comprises the following steps:
1) Take a packet out of the firewall's receive-queue buffer.
2) Apply stateful packet filtering to the packet, namely:
2-1) determine whether the state table contains the state information of this packet; if so, go to step 3), otherwise go to step 2-2);
2-2) determine whether this packet meets the firewall's filtering rules; if so, go to step 3), otherwise drop the packet.
3) Perform dynamic TNS state detection for the TNS protocol on the packet permitted to pass after filtering, namely:
3-1) determine whether the state information of the packet matches a TNS redirect state; if so, go to step 4), otherwise go to step 3-2);
3-2) determine whether this packet is a TNS redirect packet; if so, go to step 3-3), otherwise go to step 4);
3-3) search the data area of the packet for redirection information;
3-4) write the redirection information into the state table as a TNS redirect state.
4) The firewall forwards the packet.
Because the state table thus contains the state entry of the redirected connection in advance, subsequent TNS communication can use the stateful packet filtering mechanism: when a redirected connection matching the state table is encountered, i.e. at step 2-1), the port can be opened when the redirected connection is established and closed when the redirected connection ends, achieving the purpose of dynamically opening and closing TNS protocol communication ports.
The stateful packet filtering of step 2) means: when a new connection occurs, it is first matched against the firewall's filter rule list, and if it is permitted, a corresponding entry is created in the state table; when later packets arrive, the state table is matched first, and a packet that belongs to an existing connection is permitted without re-examining the filter rule list. Stateful packet filtering maintains a dynamic state table and checks subsequent packets against it.
The function of the dynamic TNS state detection of step 3) is mainly to use state inspection to obtain complete packet state information and to monitor the state of the data transfer in real time. So-called state detection tracks and inspects an application communication connection over the whole process from establishment to termination, opening the port the communication needs when it is set up and closing the port it used when it ends.
The TNS redirect packet of step 3-2) is the TNS response message returned by the server when the Oracle database client has just established communication with the server.
Searching for redirection information in step 3-3) means searching for the IP address information and the port information of the TNS redirected connection. Specifically, the keywords "HOST=" and "PORT=" are searched for in the TCP data area of the packet; the IP address is taken from the string following "HOST=", and the port number of the TNS redirected connection is taken from the string following "PORT="; this IP address together with the port number of the TNS redirected connection is the redirection information.
When the current packet is a TNS redirect packet, the redirection information is found in the packet and written into the state table as a TNS redirect state. Because stateful packet filtering is a connection-based filtering mechanism, when the client next connects to the server's redirected port, the packet matches the TNS redirect state in the state table and therefore matches a connection entry, so the communication port is automatically opened when the connection is established and the packet is allowed through the firewall; when the connection ends, the state entry of the finished connection is deleted from the state table and the communication port used by the connection is closed at the same time, thereby achieving dynamic opening and closing of communication ports.
Therefore, when protecting Oracle database communication, the firewall only needs a packet filtering rule for TCP port 1521, on which the Oracle database server accepts requests; the communication port negotiated by the Oracle database client and server using the TNS protocol is opened and closed dynamically and automatically by the firewall, so the client and server can communicate normally.
In summary, it is not hard to see that the method for dynamically opening and closing TNS protocol communication ports in firewall packet filtering of the present invention is an effective way to improve firewall security; it solves the prior-art problem that normal communication based on the TNS protocol must open Transmission Control Protocol (TCP) high ports above 1024, seriously affecting the security of the firewall, and effectively protects the communication between the Oracle database client and server.
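As an added example (not part of the patent, and not Leadsec's or Oracle's code), the following Python model walks one packet at a time through steps 2) to 4) of the method described above: the state-table lookup of step 2-1), the static rule check of step 2-2), the "HOST="/"PORT=" search of step 3-3), and the dynamic opening and closing of the negotiated port. The `Packet` dataclass, the `Firewall` class, the state-table layout and the sample TNS data area are all constructed assumptions; a real TNS redirect packet carries a TNS packet header in front of the address string, which this search ignores, as the patent's string search does.

```python
import re
from dataclasses import dataclass

ORACLE_LISTENER_PORT = 1521  # default port on which the Oracle server receives the initial request


@dataclass(frozen=True)
class Packet:
    """Constructed minimal packet model: the header fields the method needs plus the TCP data area."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # TCP SYN set: a new connection is being established
    fin: bool = False      # TCP FIN set: the connection is ending
    payload: bytes = b""   # TCP data area


def conn_key(pkt):
    """Direction-independent key for one TCP connection (both endpoints)."""
    return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})


# Step 3-3: search the TCP data area for "HOST=" and "PORT=" and take the strings after them.
_HOST_RE = re.compile(rb"HOST=([^)\s]+)")
_PORT_RE = re.compile(rb"PORT=(\d+)")


def parse_redirect(payload):
    """Return (host, port) if the data area carries redirection information, else None."""
    host, port = _HOST_RE.search(payload), _PORT_RE.search(payload)
    if host is None or port is None:
        return None
    return host.group(1).decode("ascii"), int(port.group(1))


class Firewall:
    """Stateful packet filter with dynamic TNS state detection (assumed structure, not the patent's code)."""

    def __init__(self, rules):
        self.rules = set(rules)  # static rules: (server_ip, server_port) pairs allowed for new connections
        # state table: conn_key      -> ("ESTABLISHED", server_endpoint)
        #              (host, port)  -> ("TNS_REDIRECT",)   port negotiated by a TNS redirect packet
        self.state_table = {}
        self.forwarded = []

    def handle(self, pkt):
        """Steps 2) to 4) for one packet taken from the receive queue (step 1). Returns 'FORWARD' or 'DROP'."""
        key = conn_key(pkt)
        dst = (pkt.dst_ip, pkt.dst_port)
        entry = self.state_table.get(key)
        # Step 2-1: the state table matches either an entry for this connection itself, or a
        # TNS redirect state that a new SYN to the negotiated (host, port) matches.
        matched_redirect = pkt.syn and self.state_table.get(dst) == ("TNS_REDIRECT",)
        if entry is None:
            if matched_redirect:
                # Redirected connection being established: the negotiated port is opened by
                # replacing the redirect state with a connection entry.
                del self.state_table[dst]
                entry = self.state_table[key] = ("ESTABLISHED", dst)
            elif pkt.syn and dst in self.rules:
                # Step 2-2: new connection permitted by the static filter rules.
                entry = self.state_table[key] = ("ESTABLISHED", dst)
            else:
                return "DROP"

        # Connection end: delete its state entry, which closes the port it used.
        if pkt.fin:
            self.state_table.pop(key, None)

        # Step 3: dynamic TNS state detection.
        # 3-1: a packet that matched the redirect state needs no further inspection.
        if not matched_redirect:
            # 3-2: a TNS redirect packet is the server's reply on the listener connection, so only the
            #      tracked server endpoint may supply redirection information (assumed defensive check:
            #      a client cannot plant a state entry by sending its own HOST=/PORT= string).
            server = entry[1]
            if (pkt.src_ip, pkt.src_port) == server and server[1] == ORACLE_LISTENER_PORT:
                info = parse_redirect(pkt.payload)              # 3-3
                if info is not None:
                    self.state_table[info] = ("TNS_REDIRECT",)  # 3-4
        # Step 4: the firewall forwards the packet.
        self.forwarded.append(pkt)
        return "FORWARD"


def demo():
    """Constructed Oracle session: listener request, TNS redirect, redirected connection, teardown."""
    client, server = "192.168.1.10", "10.0.0.5"
    fw = Firewall(rules={(server, ORACLE_LISTENER_PORT)})
    # Constructed TNS redirect data area; the real packet carries a TNS header in front of this string.
    redirect = b"(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=1522))"
    results = [
        fw.handle(Packet(client, 40000, server, 1521, syn=True)),             # initial request, allowed by rule
        fw.handle(Packet(server, 1521, client, 40000, payload=redirect)),     # server's TNS redirect reply
        fw.handle(Packet(client, 40001, server, 1522, syn=True)),             # redirected connection: port opened
        fw.handle(Packet(client, 40001, server, 1522, payload=b"SELECT 1")),  # database traffic on it
        fw.handle(Packet(client, 40001, server, 1522, fin=True)),             # connection ends: port closed
        fw.handle(Packet(client, 40002, server, 1522, syn=True)),             # no fresh redirect: dropped
        fw.handle(Packet(client, 40003, server, 1523, syn=True)),             # unrelated high port: dropped
    ]
    return results, fw


if __name__ == "__main__":
    print(demo()[0])
```

The only static rule is for port 1521; the SYN to port 1522 passes solely because the server's redirect packet placed a TNS redirect state in the table, and once the FIN deletes the connection entry a later SYN to 1522 is dropped again. The patent text does not state from which side redirection information may be accepted; the example restricts it to the tracked server endpoint on the listener connection so that a client-supplied "HOST="/"PORT=" string cannot open a port.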
Finally, it should be noted that the above embodiments are intended only to illustrate, and not to limit, the technical solution of the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, any modification or partial replacement made by a person of ordinary skill in the art that does not depart from the spirit and scope of the present invention shall fall within the scope of the claims of the present invention.

Claims (3)

1. the method for a firewall package filtering dynamic switch TNS protocol communication port is characterized in that this method may further comprise the steps:
1) takes out a packet in the buffering area formation of slave firewall reception packet;
2) judge the state information that whether comprises described packet in the state table, if judged result is for being that then execution in step 4), otherwise execution in step 3);
3) judge whether described packet meets the firewall package filtering rule, if judged result is for being that then execution in step 4), otherwise abandon described packet;
4) method of the redirected connection of employing is carried out dynamic TNS state-detection to the packet that allows after filtering to pass through at the TNS agreement, dynamically opens and close TNS protocol communication port when redirected connection foundation and end;
5) fire compartment wall is transmitted this packet.
2. the method for firewall package filtering dynamic switch TNS protocol communication port as claimed in claim 1 is characterized in that, the described dynamic TNS state-detection of step 4) further may further comprise the steps:
4-1) whether the state information of judging described packet is mated TNS and is redirected state, if judged result is for being that then execution in step 5), otherwise execution in step 4-2);
4-2) judge that whether described packet is that TNS is redirected packet, if judged result is for being, execution in step 4-3 then), otherwise execution in step 5);
4-3) from described packet data district, search for redirection information;
4-4) redirection information is redirected state write state table as TNS.
3. the method for firewall package filtering dynamic switch TNS protocol communication port as claimed in claim 2 is characterized in that: step 4-3) described redirection information comprises that further the IP address information is redirected the port information that is connected with TNS.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031023851A CN100334868C (en) 2003-02-12 2003-02-12 Dynamically switching on/off TNS protocol communication port in firewall packet filtering


Publications (2)

Publication Number Publication Date
CN1522019A CN1522019A (en) 2004-08-18
CN100334868C true CN100334868C (en) 2007-08-29

Family

ID=34281694


Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101630351B (en) * 2009-06-04 2012-10-03 中国人民解放军理工大学指挥自动化学院 Method for enhancing safety of Oracle database server by utilizing progress infusion and TNS protocol analysis
CN102025745B (en) * 2010-12-20 2014-06-04 西安西电捷通无线网络通信股份有限公司 Method and system for filtering network packets based on CS (client/server) structure
CN103338198A (en) * 2013-06-24 2013-10-02 柳州钢铁股份有限公司 Method for solving problems of network safety and data silos by using Linux system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061798A (en) * 1996-02-06 2000-05-09 Network Engineering Software, Inc. Firewall system for protecting network elements connected to a public network
WO1999012298A2 (en) * 1997-09-02 1999-03-11 Telefonaktiebolaget Lm Ericsson Arrangement in a data communication system
WO2002050680A1 (en) * 2000-12-21 2002-06-27 Sooriya Networks, Inc. Integrated intelligent inter/intra-networking device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Implementation of Dynamic Filtering Technology in Firewalls (防火墙中动态过滤技术的研究与实现), Wang Xinsheng, He Li, Journal of Yanshan University, Vol. 23, No. 4, 1999 *


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: LEGEND WANGYU TECHNOLOGY (BEIJING) LTD.

Free format text: FORMER OWNER: LIANXIANG (BEIJING) CO. LTD.

Effective date: 20050218

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20050218

Address after: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Applicant after: Lenovo Leadsec (Beijing) Co., Ltd

Address before: 100085, No. 6, Pioneer Road, Haidian District information industry base, Beijing

Applicant before: Lenovo (Beijing) Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: BEIJING LEADSEC TECHNOLOGY CO.,LTD.

Free format text: FORMER NAME: LENOVO NET DEFENSE TECHNOLOGY (BEIJING) CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Patentee after: Beijing Leadsec Technology Co.,Ltd.

Address before: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Patentee before: Lenovo Wangyu Technology (Beijing) Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070829

Termination date: 20150212

EXPY Termination of patent right or utility model