CN102035821A - Firewall / virtual private network integrated system and circuit - Google Patents


Info

Publication number: CN102035821A
Authority: CN (China)
Application number: CN2010102390668A
Legal status: Pending
Language: Chinese (zh)
Inventor: 陈之翔
Current assignee: O2Micro Inc
Original assignee: O2Micro China Co Ltd
Application filed by O2Micro China Co Ltd
Priority claimed from US 12/569,147 (published as US20100138909A1)
Publication of CN102035821A
Prior art keywords: firewall, virtual private network


Abstract

The invention relates to a firewall/virtual private network (VPN) integrated system and circuit for connecting at least one local area network (LAN) to a wide area network (WAN). The system comprises a firewall/VPN integrated chipset that transmits and receives data packets between the WAN and the LAN and analyzes the access control function according to those packets. The firewall/VPN integrated chipset comprises at least a firewall part that provides the access control function between the WAN and the LAN, a VPN part that provides the security function for data between the WAN and the LAN, and a secondary firewall engine. The secondary firewall engine analyzes complete data packets between the WAN and the LAN and, based on the analysis result, instructs the packet buffer to release the data. The firewall part comprises at least a firewall hardware platform and a firewall software platform, the firewall hardware platform providing at least the repetitive (iterative) functions related to access control. The VPN part comprises at least a VPN hardware platform and a VPN software platform, the VPN hardware platform providing at least the repetitive (iterative) functions related to the security function.

Description

Firewall/Virtual Private Network integrated system and circuit
Technical field
The present invention relates to network systems, and more specifically to an integrated system and circuit combining a firewall and a virtual private network (VPN).
Background technology
With the rapid spread and deepening of Internet use in the enterprise, the virtual private network (VPN) is increasingly popular as an inexpensive secure networking solution. A traditional VPN/firewall integrated system implements the encapsulation, decapsulation, encryption and decryption of packets in the VPN software platform; when data is processed this way it is difficult to achieve high-speed processing, and packet processing efficiency is low.
Summary of the invention
The technical problem to be solved by the present invention is to provide a firewall/VPN integrated system and circuit in which data-flow performance is raised at the system level, and in which a flexible, changeable hierarchical design of the hardware platform guarantees high-speed processing of data without losing the security of the system.
The firewall/VPN integrated system of the present invention is used to connect at least one wide area network (WAN) with at least one local area network (LAN). The system comprises a firewall/VPN integrated chipset for sending and receiving packets between the WAN and the LAN and analyzing the access control function according to those packets. The chipset comprises at least a firewall part that provides the access control function between the WAN and the LAN, a VPN part that provides the security function for data between the LAN and the WAN, and a secondary firewall engine that analyzes complete packets between the WAN and the LAN and, according to the analysis result, instructs the packet buffer to release data. The firewall part comprises a firewall hardware platform and a firewall software platform, the firewall hardware platform providing at least the iterative functions related to access control; the VPN part comprises a VPN hardware platform and a VPN software platform, the VPN hardware platform providing at least the iterative functions related to the security function.
In the firewall/VPN integrated system of the present invention, the firewall/VPN integrated chipset further comprises a router for routing data between the LAN and the WAN.
In the firewall/VPN integrated system of the present invention, the firewall hardware platform comprises at least a circuit providing static and/or dynamic packet filtering.
In the firewall/VPN integrated system of the present invention, that circuit comprises a header-match packet filtering circuit providing a pattern matching function on selected headers of the data.
In the firewall/VPN integrated system of the present invention, the firewall/VPN integrated chipset further analyzes the access control function according to preselected bytes of the packet.
In the firewall/VPN integrated system of the present invention, the preselected bytes comprise the first 144 bytes of the packet.
In the firewall/VPN integrated system of the present invention, the security function of the VPN part comprises encryption, decryption, encapsulation and decapsulation of the packets.
In the firewall/VPN integrated system of the present invention, the access control function of the firewall part comprises user-defined access control functions.
In addition, the present invention also provides a firewall/VPN integrated circuit comprising at least a router core, a firewall system, a VPN engine and a secondary firewall engine. The router core connects at least one untrusted network and at least one trusted network so as to send and receive packets between them. The firewall system provides access control between the untrusted network and the trusted network and comprises at least a firewall hardware platform and a firewall software platform, the firewall hardware platform providing at least the iterative functions related to access control and analyzing the access control function on the packets. The VPN engine provides the security function for data transferred between the untrusted network and the trusted network and comprises a VPN hardware platform and a VPN software platform, the VPN hardware platform providing at least the iterative functions related to the security function. The secondary firewall engine analyzes complete packets between the untrusted network and the trusted network and, according to the analysis result, instructs the packet buffer to release data.
In the firewall/VPN integrated circuit of the present invention, the firewall hardware platform comprises at least a circuit providing static and/or dynamic packet filtering.
In the firewall/VPN integrated circuit of the present invention, that circuit comprises a header-match packet filtering circuit providing a pattern matching function on selected headers of the data.
In the firewall/VPN integrated circuit of the present invention, the firewall system further analyzes the access control function according to preselected bytes of the packet.
In the firewall/VPN integrated circuit of the present invention, the preselected bytes comprise the first 144 bytes of the packet.
In the firewall/VPN integrated circuit of the present invention, the security function of the VPN engine comprises encryption, decryption, encapsulation and decapsulation of the packets.
In the firewall/VPN integrated circuit of the present invention, the access control function of the firewall system comprises user-defined access control functions.
With the firewall/VPN integrated system and circuit of the present invention, data-flow performance is raised at the system level, and the flexible, changeable hierarchical design of the hardware platform guarantees high-speed processing of data without losing the security of the system.
Brief description of the drawings
Figure 1 is a structural block diagram of a firewall/VPN integrated system according to an embodiment of the invention;
Figure 2 is a functional block diagram of a firewall/VPN integrated system according to an embodiment of the invention;
Figure 3 is an exemplary block diagram of the software and hardware components of a firewall/VPN integrated system according to an embodiment of the invention;
Figure 4 is a detailed network-level block diagram of an example application of a firewall/VPN integrated system according to an embodiment of the invention;
Figure 5 is a functional block diagram of a firewall/VPN integrated system according to another embodiment of the invention.
Detailed description
Other features and advantages of the present invention will become more apparent from the following detailed description taken together with the drawings, in which like numerals denote like elements.
Embodiments of the invention are described in detail below. Although the invention is set forth and illustrated by these embodiments, it should be noted that the invention is not limited to them. On the contrary, the invention covers all alternatives, variants and equivalents within the spirit and scope of the invention as defined by the claims.
In addition, numerous specific details are given in the embodiments below to better explain the invention. Those skilled in the art will understand that the invention can equally be practiced without these details. In other instances, well-known methods, procedures, components and circuits are not described in detail so as to keep the gist of the invention in focus.
Figure 1 is a structural block diagram of a firewall/VPN integrated system 100 according to an embodiment of the invention. In an exemplary embodiment, the firewall/VPN integrated system 100 comprises a VPN part 102 and a firewall part 104; the firewall part 104 monitors the network traffic between a wide area network (WAN) 106 and a local area network (LAN) 108. Generally, the VPN part 102 provides secure encryption and decryption of packets between gateways on the WAN 106 side. The VPN part 102 comprises a VPN hardware platform 110 and a VPN software platform 112, which perform encryption/decryption using encryption/decryption algorithms (procedures) well known to those skilled in the art and/or proprietary ones. The firewall part 104 monitors the network traffic between the LAN 108 and the WAN 106 (in a manner well known to those skilled in the art) and comprises a firewall hardware platform 114 and a firewall software platform 116 that monitor the traffic. The present invention optimizes the software platform and the hardware platform, realizes the integrated functionality of VPN and firewall, and raises data-flow performance at the system level.
Figure 2 is a functional block diagram 200 of the firewall/VPN integrated system of the invention. It shows the data flow and the processing in the VPN part and the firewall part. Input data 202 (in the form of a packet stream) from the LAN or the WAN is received by a network interface 204. In this embodiment, as known to those skilled in the art, the network interface 204 handles the protocols of the particular LAN/WAN environment. The network interface 204 receives the packet stream and places it in a packet buffer memory 206. The system may also be provided with additional and/or external storage devices, for example flash memory or synchronous dynamic random-access memory (SDRAM), for temporary storage of packets. In this embodiment, an external memory 208 is used to store Internet Protocol (IP) packets.
The network interface 204 determines whether the input data 202 is plaintext from the LAN or encrypted data from the WAN. If the input data 202 is plaintext from the LAN, the network interface 204 sends a preselected number of bytes of the packet stream to the firewall 220 over data path 222. In this embodiment the first 144 bytes of the packet stream are selected, because these bytes contain the layer 2 to layer 7 headers and content information. However, 144 bytes is an exemplary value; other preselected values may be used, for example set according to the desired firewall security level or processing efficiency. If the network interface 204 determines that the input data 202 is encrypted data from the WAN, the input packet stream is sent to the inbound (internal) VPN engine 210.
The inbound VPN engine 210 generally includes the decryption and decapsulation processes that convert encrypted data into unencrypted IP packet data. How the VPN part of the invention uses hardware and software to improve the efficiency of the VPN engine is described in more detail in connection with Figure 3. The input data 202 arriving over data path 224 is stored in a conventional VPN packet buffer 212. An inbound VPN processor 214 processes the input data 202 into decrypted and decapsulated unencrypted IP packet data. An inbound security association database 216, provided in a manner well known to those skilled in the art, contains the tunnel database that links two gateways on the WAN side. The inbound VPN processor 214 uses the tunnel information in the inbound security association database 216 to decrypt and decapsulate the input data 202. In addition, protocol instructions 218 containing microcode direct the inbound VPN processor 214 to decrypt and/or decapsulate the input data 202 according to general and/or user-defined security protocols and related procedures. Once the input data 202 has been decrypted and/or decapsulated, the resulting unencrypted IP packet data is sent to the network interface 204 over data path 225. As described above, the preselected bytes (for example, the first 144 bytes) of the input data 202 are then sent to the firewall 220 over data path 222.
The firewall 220 receives the preselected bytes from the network interface 204 and begins packet filtering and routing. How the firewall part of the invention uses hardware and software to improve the efficiency of the firewall is described in more detail in connection with Figure 3. The firewall part analyzes the input data in the usual manner according to preset and/or user-defined security policies. These security policies are well known to those skilled in the art and may include general and/or special-purpose policies. In effect, the firewall part provides access control between an untrusted network (WAN) and a trusted network (LAN).
In this embodiment, the firewall 220 uses suitable hardware and software to analyze the preselected data rather than processing the whole packet, which improves the overall speed and efficiency of the firewall. Those skilled in the art will appreciate that preselecting more data can improve security, but may also reduce the processing speed of the firewall. Therefore, other embodiments of the invention allow the user to adjust the firewall setting so as to meet the desired security level and/or the desired rate requirement.
Once the data has passed the security policy, the invention may also apply a quality management process 242 and a quality of service (QoS) process 226. The quality management process 242 supervises the packet buffer 206 and thereby maintains the links between the packets waiting in the external memory 208 to be processed. The QoS process 226 acts as a packet priority scheduler and receives information from a QoS mapping and processor 228. In effect, as known to those skilled in the art, the QoS process 226 analyzes the arriving data and decides which data to transmit first according to the data type (for example voice, IP, video) or network bandwidth considerations. The QoS process 226 may also determine the best path in the network for the data.
In general, if the data leaving the firewall is destined for the LAN, the QoS process 226 handles it according to the flow described above and, as processing is about to complete, sends a control signal 227 to the output interface 238 instructing the packet buffer 206 to release the data. If the data leaving the firewall is destined for the WAN, the data must be encrypted/encapsulated before it is sent to the WAN. In that case an outbound (external) VPN engine 230 may be used to encrypt and/or encapsulate the data exported to the WAN. The outbound VPN engine 230 comprises an outbound VPN processor 232 that encrypts and encapsulates the data according to protocol instructions 234 and an outbound security association database 236, in a manner similar to that of the inbound VPN engine 210 described above. In one embodiment, the security policy in the outbound security association database 236 matches the security policy in the firewall 220. Once the data is encrypted, it is sent to the output interface 238 and leaves the firewall for the WAN 240.
Figure 3 is an exemplary block diagram 300 of the software platform and the hardware platform of the firewall/VPN integrated system according to an embodiment of the invention. Generally, the software platform 302 further comprises a firewall software platform 308 and a VPN software platform 306, and the hardware platform 304 (for example an application-specific integrated circuit, ASIC) further comprises a firewall hardware platform 310 and a VPN hardware platform 312. As indicated above, the invention uses both hardware and software to improve overall efficiency. In general, processes that are highly repetitive and/or mathematically intensive are fixed in hardware, and the other processes are implemented in software. Each process in the hardware platform 304 comprises one or more distributed reduced instruction set computer (RISC) type processors that perform the task in question; other processor types may of course be used. It should be noted that the different levels shown in Figure 3 are an exemplary embodiment of a layered method of realizing the hardware and software features. Those skilled in the art will appreciate that Figure 3 represents only one illustrative method, and that other layered design methods exist that do not depart from the spirit and scope of the invention. Each unit of Figure 3 is described in detail below.
With reference to Figure 3, the firewall hardware platform 310 of one embodiment of the invention is described in detail below.
An integrated embedded packet capture/media access control unit 314 receives network data from the network in units of frames. A router core 316 ensures that packets are sent according to their destination address and the associated firewall- or VPN-based security policy. A TCP/UDP/ICMP connection monitoring unit 318 determines whether the connection state is fully monitored. This unit 318 can use a hash lookup to find out whether an arriving packet belongs to a monitored and registered connection. When the arriving packet is verified as being transmitted on a connection whose state can be fully monitored, the packet can be forwarded directly, thereby accelerating the security policy process. In this way, when the current connection state is fully monitored and the packet is forwarded directly, the remaining state checks are skipped for that packet, balancing the performance of the firewall/VPN integrated system.
A content/signature monitoring unit 320 analyzes the 144 bytes of the input packet in real time to determine whether a limited number of patterns, which may be the code of known viruses or worms, are present in the packet. A security policy static rule monitoring unit 322 provides static packet filtering, where static filtering means filtering that examines the current individual packet only, rather than looking for correlation or context with the packets that precede or follow it. A protocol stateful inspection unit 324 identifies the connection by checking the dynamic condition of the connection protocol, so that different applications using the TCP, UDP or ICMP protocols can use unit 324 to analyze the input data. After analyzing the composition of the input data, unit 324 communicates with the TCP/UDP/ICMP connection monitoring unit 318, which further checks the connection rate.
A packet discard processing unit 326 receives the output results of the lower-level processing units (protocol stateful inspection unit 324, TCP/UDP/ICMP connection monitoring unit 318, content/signature monitoring unit 320 and security policy static rule monitoring unit 322) and, according to the security policy, decides whether the packet is passed or refused. A session establish/terminate unit 328 analyzes and tracks the start and end of a connection or session. Because establishing a TCP connection causes state changes at both ends, the security of a TCP connection depends on these state transitions. Through the tracking performed by unit 328, one embodiment of the invention monitors and looks up the establishment, lookup and termination state of the connection at hardware speed. A firewall policy management unit 330 usually manages the hardware memory holding the security policies, which includes internal memory. An alarm generation unit 332 raises the relevant interrupt event in the software stack, thereby generating a special event as an alarm. Statistics based on the different security policies or rule settings can then be computed separately by software to produce log reports.
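The connection monitoring unit 318 and the session establish/terminate unit 328 described above amount to a connection-tracking fast path: a hash-keyed table of registered connections, a TCP state machine driven by the handshake and teardown flags, and timeouts for the connectionless protocols. The following is an added example written for this page, not code from the patent; the state names, the timeout values, the blake2b key derivation and the addresses used are assumptions made for illustration. Packets on a verified connection return "FAST" (skip the slower policy checks), new flows admitted by policy return "ALLOW" and are registered, and anything else is dropped, including a bare ACK or FIN that does not belong to a tracked flow.

```python
"""Connection-tracking fast path modelled on the TCP/UDP/ICMP connection
monitoring unit 318 and the session establish/terminate unit 328.
Added example, not the patent's code; state names, timeouts and the
key derivation are assumptions."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10      # TCP flag bits
TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class FiveTuple:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> bytes:
        """Direction-independent hash key so both sides of one connection
        land in the same table slot (the hash lookup of unit 318)."""
        a, b = (self.src, self.sport), (self.dst, self.dport)
        lo, hi = (a, b) if a <= b else (b, a)
        raw = f"{self.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()
        return hashlib.blake2b(raw, digest_size=8).digest()


@dataclass
class Entry:
    state: str
    initiator: tuple[str, int]   # endpoint that opened the connection
    last_seen: float


class ConnTable:
    """process() returns 'FAST' for a packet on a verified connection,
    'ALLOW' for a new flow admitted by policy (now tracked), else 'DROP'."""
    TIMEOUT = {UDP: 30.0, ICMP: 10.0}        # seconds, assumed values

    def __init__(self) -> None:
        self.table: dict[bytes, Entry] = {}

    def lookup(self, ft: FiveTuple) -> Optional[Entry]:
        return self.table.get(ft.key())

    def process(self, ft: FiveTuple, now: float, flags: int = 0, *,
                policy_allows_new: bool) -> str:
        key, entry = ft.key(), self.lookup(ft)
        if ft.proto == TCP:
            return self._tcp(key, ft, entry, flags, now, policy_allows_new)
        # UDP/ICMP have no handshake: a reply inside the timeout rides the fast path.
        if entry and now - entry.last_seen <= self.TIMEOUT.get(ft.proto, 0.0):
            entry.last_seen = now
            return "FAST"
        if not policy_allows_new:
            return "DROP"
        self.table[key] = Entry("ESTABLISHED", (ft.src, ft.sport), now)
        return "ALLOW"

    def _tcp(self, key: bytes, ft: FiveTuple, entry: Optional[Entry],
             flags: int, now: float, policy_allows_new: bool) -> str:
        if entry is None:
            # Only a bare SYN may open a connection; a stray ACK/FIN is not a flow.
            if (flags & SYN) and not (flags & ACK) and policy_allows_new:
                self.table[key] = Entry("SYN_SENT", (ft.src, ft.sport), now)
                return "ALLOW"
            return "DROP"
        entry.last_seen = now
        from_initiator = entry.initiator == (ft.src, ft.sport)
        if flags & RST:                                  # abort: release the slot
            del self.table[key]
            return "FAST"
        state = entry.state
        if state == "SYN_SENT":
            if from_initiator and flags & SYN:           # retransmitted SYN
                return "FAST"
            if not from_initiator and (flags & (SYN | ACK)) == (SYN | ACK):
                entry.state = "SYN_RECV"
                return "FAST"
        elif state == "SYN_RECV":
            if from_initiator and flags & ACK:
                entry.state = "ESTABLISHED"              # three-way handshake done
                return "FAST"
        elif state == "ESTABLISHED":
            if flags & FIN:
                entry.state = "FIN_WAIT"
            return "FAST"
        elif state == "FIN_WAIT":
            if flags & FIN:
                del self.table[key]                      # both sides closed
            return "FAST"
        # A packet that does not fit the handshake is not a verified flow.
        return "DROP"
```

The table is keyed on the sorted endpoint pair, so the SYN-ACK from the server hits the entry created by the client's SYN; a hardware implementation would hash the same fields into a fixed-size bucket array, and the practical caveat is that table exhaustion (a SYN flood filling SYN_SENT slots) must be handled by aggressive timeouts on half-open entries, which this example leaves out.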
With reference to Figure 3, the VPN hardware platform 312 of one embodiment of the invention is described in detail below.
A protocol-aware VPN engine 342 comprises several hardware-core embedded function parts, including an encapsulation unit 336, an authentication unit 338 and an encryption/decryption unit 340. For flexibility and security, distributed RISC-oriented private cores may also be used in the protocol-aware VPN engine 342. By changing the microcode of each separate microprocessor, the engine 342 can perform different tasks according to the different protocols required, for example the high-performance IPsec protocol required for IPv4 or IPv6.
An IPsec security association database/security policy database unit 346 comprises the hardware memory of the IPsec tunnel attribute database and a rule selector. At least some of the packets in an IPsec tunnel must consult this database to determine the processing to be applied to packets of the IPsec protocol, so optimizing unit 346 is required to achieve IPsec protocol application. The contents of the database come from the tunnels negotiated through the IKE process. A microcode collection unit 348 holds different microcode for different security protocols. An alarm generation unit 350 generates alarms according to selected criteria, for example expiry of a tunnel's lifetime, encountering a malicious encrypted packet, or packet processing failure due to tunnel synchronization. A log unit 352 supports VPN-related routine logging through hardware statistics and per-tunnel records.
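The Figure 2 data flow through the inbound and outbound VPN engines and the Figure 3 VPN hardware platform (encapsulation unit, authentication unit, SA database keyed by tunnel, alarms for tunnel expiry and malicious encrypted packets) describe standard IPsec ESP processing. The following added example, written for this page and not taken from the patent, walks an ESP packet through both directions: the outbound side builds ESP header, trailer and integrity check value (ICV), the inbound side looks the SA up by SPI, verifies the ICV before touching any other field, checks the anti-replay window, and strips the trailer. Assumptions: ESP with NULL encryption (RFC 2410) is used so the inner packet stays readable and only the standard library is needed; the ICV is HMAC-SHA1-96 (RFC 2404); the SPI values, keys, lifetime and sample inner packet are constructed. A real engine would apply AES-CBC or AES-GCM in the encryption/decryption unit between the same steps.

```python
"""ESP tunnel processing modelled on the VPN engine of Figures 2 and 3:
SA database keyed by SPI, HMAC-SHA1-96 authentication, encapsulation,
anti-replay window, and alarms.  Added example, not the patent's code.
Assumes ESP NULL encryption (RFC 2410); all keys and packets are constructed."""
from __future__ import annotations
import hashlib
import hmac
import struct

ICV_LEN = 12                       # HMAC-SHA1-96: 20-byte HMAC truncated to 96 bits
ESP_HDR = struct.Struct("!II")     # SPI, sequence number


class SecurityAssociation:
    """One tunnel's attributes; in the real system IKE populates these."""

    def __init__(self, spi: int, auth_key: bytes, lifetime_packets: int) -> None:
        self.spi, self.auth_key, self.lifetime = spi, auth_key, lifetime_packets
        self.seq_out = 0           # last sequence number sent
        self.replay_top = 0        # highest sequence number accepted inbound
        self.replay_bits = 0       # bit k set => sequence replay_top - k already seen


class VpnEngine:
    WINDOW = 64                    # anti-replay window size (RFC 4303 minimum is 32)

    def __init__(self) -> None:
        self.sad: dict[int, SecurityAssociation] = {}   # SA database
        self.alarms: list[str] = []                      # alarm generation unit

    def add_sa(self, sa: SecurityAssociation) -> None:
        self.sad[sa.spi] = sa

    def _icv(self, sa: SecurityAssociation, data: bytes) -> bytes:
        return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

    def encapsulate(self, sa: SecurityAssociation, inner: bytes, next_header: int = 4) -> bytes:
        """Outbound: ESP header | inner packet | pad | pad_len | next_header | ICV."""
        if sa.seq_out >= sa.lifetime:
            self.alarms.append(f"SPI {sa.spi:#x}: lifetime exhausted, renegotiate via IKE")
            raise RuntimeError("SA expired")
        sa.seq_out += 1
        pad_len = (-(len(inner) + 2)) % 4                 # trailer aligned to 4 bytes
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        body = ESP_HDR.pack(sa.spi, sa.seq_out) + inner + trailer
        return body + self._icv(sa, body)

    def decapsulate(self, packet: bytes) -> tuple[int, bytes]:
        """Inbound: SA lookup by SPI, ICV check, anti-replay, trailer strip.
        Returns (next_header, inner packet); raises ValueError on any failure."""
        if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        spi, seq = ESP_HDR.unpack_from(packet)
        sa = self.sad.get(spi)
        if sa is None:
            self.alarms.append(f"no SA for SPI {spi:#x}")
            raise ValueError("unknown SPI")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        # Verify integrity before trusting any other field of the packet.
        if not hmac.compare_digest(icv, self._icv(sa, body)):
            self.alarms.append(f"SPI {spi:#x}: bad ICV, malicious or corrupted packet")
            raise ValueError("ICV mismatch")
        self._check_replay(sa, seq)
        pad_len, next_header = body[-2], body[-1]
        inner_end = len(body) - 2 - pad_len
        if inner_end < ESP_HDR.size or body[inner_end:-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad ESP padding")
        return next_header, body[ESP_HDR.size:inner_end]

    def _check_replay(self, sa: SecurityAssociation, seq: int) -> None:
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq > sa.replay_top:                            # advance the window
            shift = seq - sa.replay_top
            mask = (1 << self.WINDOW) - 1
            sa.replay_bits = ((sa.replay_bits << shift) & mask) | 1
            sa.replay_top = seq
            return
        offset = sa.replay_top - seq
        if offset >= self.WINDOW:
            raise ValueError("sequence number too old")
        if (sa.replay_bits >> offset) & 1:
            self.alarms.append(f"SPI {sa.spi:#x}: replayed sequence {seq}")
            raise ValueError("replay")
        sa.replay_bits |= 1 << offset
```

The order of checks on the inbound side is the security-relevant point: the SPI is read only to select the key, the ICV is verified with a constant-time compare before the sequence number or trailer are interpreted, and a replayed or out-of-window packet is rejected after authentication so that an attacker cannot poison the replay window with forged sequence numbers.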
With reference to Figure 3, the software platform 302 of one embodiment of the invention is described in detail below.
A device driver 354 provides the interface between the software platform 302 and the hardware platform 304. A security policy collection unit 356 provides the management software for implementing security policies. A state-table tracking application unit 358 provides a software component that probes to find out which applications use the TCP/UDP/ICMP protocols; then, for protection purposes, according to the needs of the different applications and their state detection, unit 358 generates the associated gateway in the firewall system. An application proxy block 360 is usually located at the kernel level and provides more detailed inspection at the application level: it reassembles the data flow and context embedded in the network traffic, so as to generate more detailed content analysis, to perform pattern searches for viruses or worms, or to filter unwanted instructions in the database. An administrative software stack 362 performs management tasks for the system, including the firewall system and the VPN engine system. A Simple Network Management Protocol (SNMP) library 364 implements SNMP according to the requirements of the relevant Requests for Comments (RFCs). The SNMP library 364 is the interface of a general-purpose network device or network software library through which the state of the system, or any statistics or recorded information, can be obtained.
A threats/alerts database 366 collects the attacks or alarms reported by the hardware platform 304 and the software platform 302. These events are stored in database form and can conveniently be connected to database applications at the levels above the kernel. An automatic key/security attribute management (IKE/ISAKMP) unit 368 provides the main protocols in IPsec according to the requirements of the ISAKMP and IKE RFCs (RFC 2408 and RFC 2409), so as to handle keys and security associations (SAs) manually or automatically; this unit 368 is associated with the IPsec functions. An authentication protocol collection unit 370 supports the IPsec authentication requirements and comprises the message authentication protocol (HMAC-96) [RFC 2104] used in the Encapsulating Security Payload (ESP) and the Authentication Header (AH). This authentication mechanism guarantees that packets are authentic and cannot be altered in transit.
A web management unit 372 provides a web-based management-mode graphical user interface (GUI) component. In one embodiment of the invention, the system's general-purpose CPU runs a web server under the HTTPS protocol, and the management web pages are stored on that web server. The entire configuration and management process of the system can be presented in an integrated way on the management web pages. Via the Secure Sockets Layer (SSL), the management pages can be browsed remotely from a host on the WAN, or from a host on the local secure LAN over an encrypted connection (for example, a connection using a selected cryptographic algorithm, to provide strong confidentiality). A local command-line interface/small file system 374 provides access through the command line and provides interaction with the configuration files.
Figure 4 is a detailed network-level block diagram 400 of an example application of the firewall/VPN integrated system of the invention. As described above, the firewall/VPN integrated system 402 acts as the access control module between a public network (WAN) 414 and one or more LAN networks 408 and/or 410. In this embodiment, the firewall/VPN integrated system 402 is connected to a proxy server 406 through a conventional peripheral component interconnect (PCI) bus 404. The router and the other components in the figure are common knowledge to those skilled in the art and are not repeated here.
System overview and specific example applications:
By way of summary, the following description details some specific embodiments of the invention shown in Figures 2, 3 and 4. These embodiments are exemplary, and the application of the invention is not limited to them. The invention provides a system-on-a-chip (SoC) solution for obtaining a high-performance firewall with integrated VPN functions. The firewall part provides real-time policy inspection of different densities and flexible standard policy management for multiple layers of static/dynamic packet filtering engines, as a cryptographic system does. In addition to static/dynamic packet filtering for complex standard inspection, embodiments of the invention also include a matching engine that provides "stateful inspection" for TCP/UDP/ICMP connections. The invention therefore accelerates packet filtering for packets within an explicitly established TCP/UDP connection.
In an exemplary embodiment, for rare viruses or worms that the hardware packet filtering system does not cover or cannot handle, such as those whose dangerous content lies beyond the 144-byte range, the system can send the packet, together with the results of the preliminary analysis, to a protection agent process running on the CPU or a network processing unit (NPU). In this embodiment the protection agent process uses the hardware engine to analyze the packet header and content and performs pre-analysis, thereby relieving the CPU (or NPU) of the workload of analyzing or processing the individual packet.
By using hardware, the firewall of the invention can achieve 3 Gbit/s Ethernet line speed and 200 Mbit/s 3DES VPN and IPsec throughput, making it suitable for all aspects of high security performance in modern network architectures.
The exemplary functionality of hardware platform and the various assemblies of software platform below will be described:
1. Router core and port configuration
In one exemplary embodiment, router core 316 provides basic routing functions and directs different packets to multiple logical ports. For example, as shown in Fig. 4, firewall/VPN integrated system 402 can be connected to several different ports: an untrusted port connected to an Internet router, a trusted port, a demilitarized zone (DMZ) port, a CPU host port and an optional NPU port. Each port has its own IP-level subnet (except the NPU port, which can be manually configured in the routing table). To exploit the high processing bandwidth of the invention, the port organization can be provided in two configurations, for example one Gb/s port or multiple 10/100 Mb/s ports. There are two kinds of ports handling untrusted and trusted network traffic. If such a flexible port is configured for 10/100 Mb/s speed, the ingress ports are combined and treated by the router as a single logical port. Similarly, for egress, the ports are logically merged into one port, and the egress port is selected according to the address of the outgoing packet.
2. Flexible and scalable four-layer firewall system
The four-layer firewall comprises three layers of hardware-oriented static/dynamic packet filter engines and one layer of customizable virus or worm monitoring agents. Each layer of the protection system has its own characteristics and provides a different level of security protection.
The first layer is the Header Match packet filtering Engine (abbreviated HEM), which is mainly responsible for pattern matching on the headers of monitored packets, including the OSI layer 2, layer 3 and layer 4 headers. Because header fields have, to a certain extent, a bounded pattern density and expected content, this layer's filtering of packets is usually more direct. Rule editing and management for this layer can therefore be implemented in a simple form, reducing the operational burden on IT users. This layer handles network traffic at sustained Gb/s bandwidth and achieves ease of use without sacrificing high-bandwidth performance.
In one exemplary embodiment, for viruses or worms not identified in the first layer (HEM), the second layer of the firewall of the invention embeds a Content Match hardware packet filtering Engine (abbreviated CME). The CME can analyze the first 144 bytes of the packet starting at the header, and its analysis is deeper than that of the header match packet filter engine.
The third layer comprises several groups of different application agents running on the CPU (or NPU) in the firewall system. Because of the limitations of a pure hardware packet filter engine, it cannot meet the need to monitor for rare patterns in content beyond 144 bytes. Although the CPU software agents provide this deeper third layer of protection, the "pre-analysis" results obtained by analyzing the content in the first and second layers still contribute greatly: when a packet has to be sent to the CPU port, the pre-analysis results can be combined with the results of the deeper third-layer protection. This architecture greatly reduces the processing burden on the conventional CPU, and the CPU can run different agents for detecting deep-layer viruses.
The Session Match Engine (abbreviated SME) serves as the fourth layer of the firewall system. The SME includes an embedded session lookup table, which stores the TCP/UDP connections established through the "stateful inspection" logic. In one exemplary embodiment, TCP/UDP connection establishment goes through a three-way handshake; the TCP/UDP handshake control packets are captured by the SME of the firewall system and then sent to the conventional CPU, which tracks the establishment process. After the CPU has carried out and recorded the connection establishment process, the SME is programmed with the connection's socket addresses in the session lookup table, for lookup of packets subsequently received on that connection. TCP/UDP packets passing through the SME are looked up in this embedded session lookup table; by checking whether a packet belongs to an established connection (session), the decision to pass or drop the packet is made, thereby accelerating TCP/UDP connection inspection.
The hardware units of all four layers are integrated, so the resulting system is flexible and scalable while also highly secure.
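As an added illustration of the fourth layer described above (not code from the patent or from O2Micro), the following Python model separates the CPU-side handshake tracker from the hardware-style session lookup table: handshake control packets go to the tracker, and once the three-way handshake completes the socket pair is programmed into the table, after which packets on that connection are passed or dropped by lookup alone. The `TcpPacket` fields, the 1000-session capacity and the sample endpoints are constructed assumptions.

```python
"""Model of the Session Match Engine (SME), the fourth firewall layer.
Added example, not code from the patent or O2Micro. Handshake control
packets go to a CPU-side tracker; when the three-way handshake completes,
the socket pair is programmed into the session lookup table so later packets
are passed or dropped by lookup alone. Endpoints and capacity are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


Socket = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def fwd_key(p: TcpPacket) -> Socket:
    return (p.src, p.sport, p.dst, p.dport)


def rev_key(k: Socket) -> Socket:
    return (k[2], k[3], k[0], k[1])


class HandshakeTracker:
    """CPU-side logic: follows SYN -> SYN/ACK -> ACK for each new connection."""

    def __init__(self) -> None:
        self.pending: Dict[Socket, str] = {}  # initiator socket pair -> stage

    def observe(self, p: TcpPacket) -> Tuple[bool, Optional[Socket]]:
        """Return (accepted, initiator key of a newly established connection)."""
        k = fwd_key(p)
        if p.flags == SYN:                       # client opens a connection
            self.pending[k] = "SYN_SENT"
            return True, None
        if p.flags == SYN | ACK:                 # server answers a known SYN
            init = rev_key(k)
            if self.pending.get(init) == "SYN_SENT":
                self.pending[init] = "SYN_RECEIVED"
                return True, None
            return False, None                   # unsolicited SYN/ACK
        if p.flags == ACK and self.pending.get(k) == "SYN_RECEIVED":
            del self.pending[k]                  # third step: established
            return True, k
        return False, None


class SessionMatchEngine:
    """Hardware-side lookup: an on-chip table of established socket pairs."""

    def __init__(self, max_sessions: int = 1000) -> None:
        self.max_sessions = max_sessions
        self.table: Dict[Socket, Socket] = {}    # each direction -> initiator key
        self.tracker = HandshakeTracker()

    def sessions(self) -> int:
        return len(set(self.table.values()))

    def program(self, init: Socket) -> bool:
        """Write both directions of an established connection into the table."""
        if self.sessions() >= self.max_sessions:
            return False                         # table full: stays CPU-handled
        self.table[init] = init
        self.table[rev_key(init)] = init
        return True

    def inspect(self, p: TcpPacket) -> str:
        k = fwd_key(p)
        init = self.table.get(k)
        if init is not None:                     # fast path, no CPU involved
            if p.flags & (FIN | RST):            # teardown frees the entry
                self.table.pop(init, None)
                self.table.pop(rev_key(init), None)
            return "PASS"
        if p.flags & SYN or p.flags == ACK:      # candidate handshake packet
            accepted, established = self.tracker.observe(p)
            if accepted and established is not None:
                self.program(established)
            return "PASS" if accepted else "DROP"
        return "DROP"                            # data outside any session


def demo() -> List[str]:
    """A full handshake, in-session data, a stray ACK, then teardown."""
    sme = SessionMatchEngine()
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 443)   # constructed endpoints
    flow = [TcpPacket(*c, *s, SYN), TcpPacket(*s, *c, SYN | ACK),
            TcpPacket(*c, *s, ACK), TcpPacket(*s, *c, ACK),
            TcpPacket("198.51.100.9", 5555, *s, ACK),
            TcpPacket(*c, *s, FIN | ACK), TcpPacket(*c, *s, ACK)]
    return [sme.inspect(p) for p in flow]
```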
3. Protocol-aware VPN engine
In one exemplary embodiment, in the protocol-aware VPN engine, an array of microcoded microprocessors (uPs) forms the basis for flexible application of different security protocols (including IPsec). These microprocessors include programmable instruction memory so that multi-protocol updates are possible.
Accordingly, high bandwidth performance is designed into the VPN engine. Two independent logical pipelines process inbound and outbound VPN network traffic. Each pipeline uses the microcoded uP array to carry out its assigned tasks. Each pipeline has an independent programmable IP, which executes the particular tasks assigned to that pipeline and completes the work within its work cycle in order to provide sustained available bandwidth. The VPN engine performs all kinds of VPN security functions, including maintaining data integrity and data origin authentication through different microcode programs. This basic authentication is provided by dedicated HMAC-MD5-96 and HMAC-SHA-1-96 hardware. In one exemplary embodiment, the basic algorithms for data confidentiality are based on hardware cores for the Data Encryption Standard (DES/3DES) and the Advanced Encryption Standard (AES), so that the data processing latency is predictable. For flexibility, one pipeline IP provides an external system bus that connects to an external dedicated encryption/decryption chip, without incurring any shared system bus overhead.
In addition, the system includes an integrated smart card reader, which securely stores the seed used to periodically generate shared keys or key pairs when VPN tunnels are set up.
An input buffering/output work queue architecture is a feature of the invention; this architecture eliminates head-of-line blocking in router operation. The input buffer management unit stores received IP packets in a linked list structure, which allows the forwarding modules to easily access and modify the received IP packets. The output work queue scheme also supports bandwidth management for each port; this bandwidth management capability is part of the output queuing module. Policy-based network address translation (NAT)/network address port translation (NAPT) matches the applicable policy and executes the corresponding NAT translation, TCP/UDP port translation and restoration of the IP source address.
The invention also provides Quality of Service (QoS) support. In one exemplary embodiment, QoS behaviour is determined by the matching policies configured in the policy engine. The Type of Service (TOS) field of the packet header serves as the Differentiated Services (DiffServ) mark and the Virtual Local Area Network (VLAN) mark; based on this TOS field, each outgoing packet is prioritized or queued. Through the policy classification process and DiffServ mapping, packets receive different queuing policies according to their bandwidth requirements, thereby satisfying network traffic management requirements.
The system's routing protocols support redundant failover and load balancing through a port mirroring scheme and the Border Gateway Protocol (BGP)/Open Shortest Path First (OSPF). Secure channels require some state information to be kept synchronized. Port mirroring transmits and backs up the gateway's forwarding state information over one Ethernet port using BGP/OSPF messages, thereby minimizing the required switchover time.
The modular software library of the invention allows the system to work efficiently. To balance the trade-off between security and optimized performance, the embedded software library provides several basic agents, which essentially reside in the kernel of a Linux-based system. The software also includes a "transparent proxy" or "blended agent" feature, whereby packet filtering is registered automatically through the hardware and packets are forwarded to the relevant proxy. One advantage of this approach is that the process is invisible from the user's perspective, and the user does not need to configure the system for communication with external services. Instead, the system intercepts packets and forwards them to the system proxy library according to the proxy configured by the user. With this general architecture, the system gains the more complete security measures provided by the proxies while retaining the high-speed performance of hardware packet filtering. The system proxy library can include an FTP proxy, a Telnet proxy and mail proxies (POP, POP3, etc.); these proxies provide virus protection for highly application-specific functions.
In terms of configuration management, the software provides centralized management control of all elements in the accessible distributed system. For example, the software includes a command line interface that accommodates multiple command script formats, a network-based interface including an intuitive graphical user interface (GUI), configuration files for the VPN gateway that are created at a central management station and uploaded when needed, and an application programming interface (API) that lets third-party vendors develop management software for the network configuration system.
Integrated features of the invention include: an ASIC chip integrating a hardware firewall/VPN; a 1 Gb/s interface suitable for enterprise-class links and flexible 10/100 Mb/s Ethernet interfaces; a flexible external interface for a proprietary encryption/decryption ASIC chip; a PCI-X (133/66/33 MHz) interface for connection to a conventional CPU; and a dedicated interface bus for connection to an NPU.
Exemplary performance characteristics of the invention include: sustained firewall throughput at 2.1 Gb/s Ethernet line speed with real-time header or content analysis; a two-layer hardware packet filter engine with deterministic clock timing for every packet (both hardware packet filter engines support dynamic packet filtering); at 800 Mb/s, a VPN throughput of 630 Mb/s with 3DES; and a TCP/UDP connection filtering system operating at 1 Gb/s with DES.
Typical firewall system features are as follows:
In one embodiment, the firewall system includes 1000 on-chip policies and a scalable number of additional policies supported by an external static memory (SRAM) array. Packet filtering analyzes packet content from the IP layer through byte 144 at line speed, providing content-aware security functions without added overhead or fixed cost. All packet filter engines support dynamically changing policies according to the content of received packets. Through hardware lookup in the session lookup table, the connection filter engine provides stateful inspection of TCP/UDP handshakes and established connections. Changes in the monitored network topology can be identified by combining the Media Access Control (MAC) address with the ingress port. Policy-based network address port translation (NAPT) can convert multiple private IP addresses to a single external IP address, enabling extended virtual network (VPN) applications; private addresses are thereby also securely hidden. A transparent switching mode is supported in separate network address translation (NAT). Network traffic and rate adjustment are controlled purely by policy density. High-density, flexible policy settings prevent malicious attacks that use ICMP as a tunnelling channel. Protection against TCP SYN flood, Ping of Death, Teardrop and other high-speed denial-of-service attacks.
Typical VPN features are as follows:
Full support for IPsec security services for IPv4 network traffic. Support for the Layer 2 Tunneling Protocol (L2TP) over IPsec. Support for about 1000 on-chip tunnels, providing remote or externally controllable security with high speed and various commercial-grade performance levels. Authentication services using HMAC-MD5-96 and HMAC-SHA-1-96 at 800 Mb/s. Data confidentiality with DES/3DES and an external interface bus for a proprietary encryption/decryption ASIC chip. Support for 802.1Q VLANs to provide enhanced security measures.
Typical QoS network traffic control features are as follows:
Traffic shaping control, guaranteed bandwidth, Voice over IP, priority bandwidth.
Other typical system features are as follows:
Stateful failover for mission-critical applications. Configurable Gb/s ports or 10/100 Mb/s ports provide enterprise-class bandwidth links. Multiple 10/100 Mb/s ports provide link aggregation and automatic switchover on physical link failure. One exemplary embodiment is implemented in 0.15 μm advanced CMOS technology.
Fig. 5 shows a functional block diagram 500 of a firewall/VPN integrated system according to a different embodiment. The firewall/VPN integrated system of Fig. 5 is similar to the firewall/VPN integrated system of Fig. 2, and identical reference numerals denote identical components. For clarity, elements and features of the firewall/VPN integrated system of Fig. 5 that are similar to those of Fig. 2 are not repeated here.
The data flow in firewall/VPN integrated system 500 is similar to the data flow shown in Fig. 2. Input data from the LAN or WAN (in the form of packet stream 502) is received by network interface 504. As is known to those skilled in the art, network interface 504 handles the protocol of the particular LAN/WAN environment. Network interface 504 receives packet stream 502 and places it in a packet buffer memory 506. In addition, firewall/VPN integrated system 500 may be configured with additional and/or external memory 508 (for example RAM, SDRAM or similar memory devices), which can temporarily store packets.
As described above, the first 144 bytes (or another preset number of bytes) of each packet in the packet stream are sent directly to firewall 520, or to firewall 520 via the internal VPN engine. In the present invention, firewall 520 uses appropriate software and hardware to analyze the preselected data rather than processing the whole packet, which improves the overall speed and efficiency of the firewall. Those skilled in the art will appreciate that more preselected data may improve security performance but may also reduce the firewall's processing speed. The invention therefore allows the user to adjust the firewall settings to meet the desired security performance and/or the desired rate requirements.
Once the data has passed the security policy, the invention may also apply a quality management process 524 and a quality of service process 526. Quality management process 524 monitors packet buffer 506 and thereby maintains the linkage between packets queued for processing in external memory 508. Quality of service process 526 acts as a packet priority scheduler and receives data from a quality of service map and processor 528.
In general, if the data leaving firewall engine 520 is destined for the LAN, quality of service process 526 processes it as described above, and as processing nears completion a control signal 527 is sent to output interface 538, instructing packet buffer 506 to release the data. If the data leaving the firewall is destined for the WAN, it must be encrypted/encapsulated before being sent to the WAN. In this case, an external VPN engine 530 can be used to encrypt and/or encapsulate the data exported to the WAN. Once the data is encrypted, it is sent to the transmit interface and leaves the firewall for WAN 540.
According to one embodiment of the invention, firewall/VPN integrated system 500 also includes a secondary firewall engine 550. Secondary firewall engine 550 also includes policies for inspecting the content of the packet stream. Secondary firewall engine 550 is triggered once the first 144 bytes (or other preset number of bytes) of a packet in the packet stream satisfy the policy for inspecting the content of the packet stream. When the policy is satisfied, packet buffer 506 releases the data to secondary firewall engine 550.
Secondary firewall engine 550 uses appropriate hardware and software to analyze the complete packet. Once the complete packet has passed the security policy, the packet is sent to output interface 538, which instructs packet buffer 506 to release the data. Together with firewall engine 520, firewall/VPN integrated system 500 thus combines the efficient operation achieved by analyzing a preselected number of bytes with the complete operation achieved by analyzing the full packet.
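The two-stage flow of Fig. 5, as an added Python model that is not the patent's or O2Micro's code: the primary engine sees only the first 144 bytes, the packet buffer holds the full packet meanwhile, and the secondary engine receives the whole packet only when a content policy triggers. The port allowlist, trigger pattern, signature string, packet framing and sample packets are constructed assumptions; the last sample packet shows the caveat the text itself raises, a signature beyond the preselected bytes that no policy escalates.

```python
"""Two-stage inspection modelled on Fig. 5: the primary firewall sees only the
first PRESELECT bytes, the packet buffer holds the full packet, and the
secondary engine gets the whole packet only when a content policy triggers.
Added example, not code from the patent or O2Micro; the port policy, trigger
pattern, signature and packets are constructed.
"""
import struct
from typing import Dict, List, Tuple

PRESELECT = 144                        # bytes the primary engine analyzes
ALLOWED_TCP_DPORTS = {80, 443}         # constructed header-match policy
TRIGGER = [b"POST /upload"]            # prefix pattern that escalates to stage two
SIGNATURES = [b"X5O!P%@AP"]            # constructed stand-in for a content signature


def build_packet(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP framing (checksums left zero) around a payload."""
    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    total = 40 + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, ip(src), ip(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ipv4 + tcp + payload


class PacketBuffer:
    """Holds full packets until an engine instructs release or drop."""
    def __init__(self) -> None:
        self.slots: Dict[int, bytes] = {}
        self.next_id = 0

    def store(self, pkt: bytes) -> int:
        self.next_id += 1
        self.slots[self.next_id] = pkt
        return self.next_id

    def prefix(self, pid: int) -> bytes:
        return self.slots[pid][:PRESELECT]   # only this much reaches stage one

    def release(self, pid: int) -> bytes:
        return self.slots.pop(pid)

    def drop(self, pid: int) -> None:
        del self.slots[pid]


def primary_decision(prefix: bytes) -> str:
    """Stage one: header match, then content match, on the preselected bytes."""
    if len(prefix) < 20 or prefix[0] >> 4 != 4:
        return "DROP"
    ihl = (prefix[0] & 0x0F) * 4
    if prefix[9] != 6 or len(prefix) < ihl + 4:   # TCP only; need the dport
        return "DROP"
    dport = struct.unpack("!H", prefix[ihl + 2:ihl + 4])[0]
    if dport not in ALLOWED_TCP_DPORTS:
        return "DROP"
    if any(sig in prefix for sig in SIGNATURES):
        return "DROP"                      # caught within the first 144 bytes
    if any(t in prefix for t in TRIGGER):
        return "SECONDARY"                 # policy says: look at the whole packet
    return "PASS"


def secondary_decision(full_packet: bytes) -> str:
    """Stage two: content analysis over the complete packet."""
    return "DROP" if any(sig in full_packet for sig in SIGNATURES) else "PASS"


def run_pipeline(packets: List[bytes]) -> Tuple[List[str], int]:
    """Return per-packet verdicts and how many packets reached stage two."""
    buf = PacketBuffer()
    verdicts, escalated = [], 0
    for pkt in packets:
        pid = buf.store(pkt)
        v = primary_decision(buf.prefix(pid))
        if v == "SECONDARY":
            escalated += 1
            v = secondary_decision(buf.release(pid))   # buffer hands over everything
        elif v == "PASS":
            buf.release(pid)               # would go on to the output interface
        else:
            buf.drop(pid)
        verdicts.append(v)
    return verdicts, escalated


def demo() -> Tuple[List[str], int]:
    """Five constructed packets exercising each path of the pipeline."""
    src, dst = "10.0.0.5", "192.0.2.10"
    late = b"POST /upload HTTP/1.1\r\n" + b"A" * 200 + SIGNATURES[0]
    pkts = [
        build_packet(src, dst, 80, b"GET / HTTP/1.1\r\n"),          # clean: PASS
        build_packet(src, dst, 23, b"telnet"),                       # port policy: DROP
        build_packet(src, dst, 80, b"GET /" + SIGNATURES[0]),        # early signature: DROP
        build_packet(src, dst, 80, late),                            # trigger, then stage two: DROP
        build_packet(src, dst, 443, b"A" * 200 + SIGNATURES[0]),     # past byte 144, no trigger: PASS
    ]
    return run_pipeline(pkts)
```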
An exemplary method according to an embodiment comprises a method of providing a firewall access control function, the method comprising the steps of: defining one or more access control protocols; receiving a packet; selecting a number of bytes of the packet; and processing the selected bytes using the access control protocols.
The firewall/VPN integrated system of the embodiments can be used to provide a total solution comprising an Internet network security solution, unified network management and comprehensive network-based user traffic reporting. In addition, because VPN tunnel connections receive inherent firewall protection, the embodiments can prevent attacks from the Internet. With the integrated firewall, common "denial of service" (DoS) attacks, which may compromise the security of a stand-alone VPN gateway, can be monitored and handled appropriately.
The embodiments include an embedded parallel policy which provides comprehensive security functions suited to VPN network traffic and therefore provides access control for all network traffic. The firewall and the VPN can share the same user authentication service, so that individual users and predefined user groups enjoy the same level of security service when accessing authorized resources.
Database updates and security policy management can be applied to the VPN and the firewall simultaneously; this reduces the impact of processing latency in complex network environments and provides centralized management and simpler system configuration. Network management therefore does not need to perform user authentication across multiple systems.
The firewall/VPN integrated system of the invention can perform bandwidth management purely per policy. By adjusting firewall policies, the invention can also effectively achieve VPN tunnel bandwidth management.
Further security functions can be realized by integrating policy-based network address port translation (NAPT) with the encapsulated tunnel mode of Internet Protocol Security (IPsec) VPN.
Although those skilled in the art will understand that the above detailed description is based on preferred embodiments, the invention is not limited to these embodiments. It should be appreciated from the outset that the invention uses the terms "software" and "modular process", and that these terms should be interpreted broadly to include one or more program processes, data structures, source code, program code, and/or one or more conventional general-purpose processors and/or other application-specific processors that store data, which processors may include memory storage devices (for example random access memory (RAM) and read-only memory (ROM)) and storage devices (for example computer-readable memory, disk arrays and direct-access storage). Furthermore, the methods or modular processes may be implemented using custom and/or off-the-shelf circuit elements configured in a manner well known in the art.
Although the foregoing description and accompanying drawings represent preferred embodiments of the invention, it should be understood that various additions, modifications and substitutions may be made without departing from the spirit and scope of the invention as defined by the claims. Those skilled in the art will understand that the invention may be used with various modifications of form, structure, arrangement, proportion, materials, elements and components, and with other modifications particularly suited to specific environmental conditions and operating requirements, without departing from the principles of the invention. The disclosed embodiments should therefore be regarded as illustrative and not restrictive, and the scope of the invention is defined by the claims and their legal equivalents and is not limited to the foregoing description.

Claims (15)

1. A firewall/virtual private network integrated system for connecting at least one local area network (LAN) to a wide area network (WAN), characterized in that said firewall/virtual private network integrated system comprises at least:
a firewall/virtual private network integrated chipset for transmitting and receiving packets between said wide area network and said local area network and for analyzing an access control function according to said packets, said firewall/virtual private network integrated chipset comprising at least:
a firewall part for providing an access control function between said wide area network and said local area network;
a virtual private network part for providing a security function for data between said wide area network and said local area network; and
a secondary firewall engine for analyzing complete packets between said wide area network and said local area network and, according to the analysis result, instructing a packet buffer to release the data;
wherein said firewall part comprises at least a firewall hardware platform and a firewall software platform, wherein at least said firewall hardware platform is used to provide the repetitive, iterative functions related to said access control function, and said virtual private network part comprises at least a virtual private network hardware platform and a virtual private network software platform, wherein at least said virtual private network hardware platform is used to provide the repetitive, iterative functions related to said security function.
2. The firewall/virtual private network integrated system according to claim 1, characterized in that said firewall/virtual private network integrated chipset further comprises:
a router for routing data between said local area network and said wide area network.
3. The firewall/virtual private network integrated system according to claim 1, characterized in that said firewall hardware platform comprises at least circuitry providing static and/or dynamic packet filtering.
4. The firewall/virtual private network integrated system according to claim 3, characterized in that said circuitry includes a header match packet filtering circuit providing pattern matching on selected headers of said data.
5. The firewall/virtual private network integrated system according to claim 1, characterized in that said firewall/virtual private network integrated chipset further analyzes said access control function according to preselected bytes of said packets.
6. The firewall/virtual private network integrated system according to claim 5, characterized in that said preselected bytes comprise the first 144 bytes of said packet.
7. The firewall/virtual private network integrated system according to claim 1, characterized in that the security function of said virtual private network part comprises: encryption, decryption, encapsulation and decapsulation of said packets.
8. The firewall/virtual private network integrated system according to claim 1, characterized in that the access control function of said firewall part comprises a user-defined access control function.
9. A firewall/virtual private network integrated circuit, characterized in that said firewall/virtual private network integrated circuit comprises at least:
a router core for connecting at least one untrusted network and at least one trusted network in order to transmit and receive packets between said untrusted network and said trusted network;
a firewall system for providing an access control function between said untrusted network and said trusted network, said firewall system comprising at least a firewall hardware platform and a firewall software platform, wherein at least said firewall hardware platform is used to provide the repetitive, iterative functions related to said access control function and to analyze the access control function on said packets;
a virtual private network engine for providing a security function for data between said untrusted network and said trusted network, said virtual private network engine comprising a virtual private network hardware platform and a virtual private network software platform, wherein at least said virtual private network hardware platform is used to provide the repetitive, iterative functions related to said security function; and
a secondary firewall engine for analyzing complete packets between said untrusted network and said trusted network and, according to the analysis result, instructing a packet buffer to release the data.
10. The firewall/virtual private network integrated circuit according to claim 9, characterized in that said firewall hardware platform comprises at least circuitry providing static and/or dynamic packet filtering.
11. The firewall/virtual private network integrated circuit according to claim 10, characterized in that said circuitry includes a header match packet filtering circuit providing pattern matching on selected headers of said data.
12. The firewall/virtual private network integrated circuit according to claim 9, characterized in that said firewall system further analyzes said access control function according to preselected bytes of said packets.
13. The firewall/virtual private network integrated circuit according to claim 12, characterized in that said preselected bytes comprise the first 144 bytes of said packet.
14. The firewall/virtual private network integrated circuit according to claim 9, characterized in that the security function of said virtual private network engine comprises: encryption, decryption, encapsulation and decapsulation of said packets.
15. The firewall/virtual private network integrated circuit according to claim 9, characterized in that the access control function of said firewall system comprises a user-defined access control function.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/569,147 US20100138909A1 (en) 2002-09-06 2009-09-29 Vpn and firewall integrated system
US12/569,147 2009-09-29

Publications (1)

Publication Number Publication Date
CN102035821A true CN102035821A (en) 2011-04-27

Family

ID=43888151

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102390668A Pending CN102035821A (en) 2009-09-29 2010-07-23 Firewall / virtual private network integrated system and circuit

Country Status (2)

Country Link
CN (1) CN102035821A (en)
TW (1) TW201116012A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104994028A (en) * 2015-07-15 2015-10-21 上海地面通信息网络有限公司 Bandwidth saving control device based on NAT address translator
CN110381074A (en) * 2019-07-26 2019-10-25 太仓红码软件技术有限公司 A kind of Scattered Attack defence method being directed under DHCP framework based on big data

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104038425B (en) * 2013-03-06 2018-01-02 阿里巴巴集团控股有限公司 The method and apparatus for forwarding ether network packet
TWI772832B (en) * 2020-07-07 2022-08-01 財金資訊股份有限公司 Information security blind spot detection system and method for normal network behavior

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020069356A1 (en) * 2000-06-12 2002-06-06 Kwang Tae Kim Integrated security gateway apparatus
US20020083344A1 (en) * 2000-12-21 2002-06-27 Vairavan Kannan P. Integrated intelligent inter/intra networking device
US6477646B1 (en) * 1999-07-08 2002-11-05 Broadcom Corporation Security chip architecture and implementations for cryptography acceleration
WO2003030004A1 (en) * 2001-09-28 2003-04-10 Netscreen Technologies, Inc. Method and apparatus for implementing a layer 3/layer 7 firewall in an l2 device
CN1536497A (en) * 2003-04-04 2004-10-13 上海广电应确信有限公司 Flame-proof wall for imlementing packet filtering and its method for implementing packet filtering
CN1173532C (en) * 1996-12-23 2004-10-27 国际商业机器公司 Web-based administration of IP tunneling on internet firewalls
EP1484887A2 (en) * 2003-06-06 2004-12-08 Microsoft Corporation A multi-layer based method for implementing network firewalls
CN1682197A (en) * 2002-09-06 2005-10-12 美国凹凸微系有限公司 VPN and firewall integrated system
US7058974B1 (en) * 2000-06-21 2006-06-06 Netrake Corporation Method and apparatus for preventing denial of service attacks
US20080209540A1 (en) * 1999-04-01 2008-08-28 Juniper Networks, Inc. Firewall including local bus
US20080215368A1 (en) * 1996-02-17 2008-09-04 Shelton Robert H Standing order database search system and method for internet and intranet application



Also Published As

Publication number Publication date
TW201116012A (en) 2011-05-01

Similar Documents

Publication Title
CN100389400C (en) VPN and firewall integrated system
US11750563B2 (en) Flow metadata exchanges between network and security functions for a security service
US10735511B2 (en) Device and related method for dynamic traffic mirroring
US9130826B2 (en) System and related method for network monitoring and control based on applications
US9813447B2 (en) Device and related method for establishing network policy based on applications
US9584393B2 (en) Device and related method for dynamic traffic mirroring policy
US9256636B2 (en) Device and related method for application identification
US9230213B2 (en) Device and related method for scoring applications running on a network
US20100138909A1 (en) VPN and firewall integrated system
EP2853070A1 (en) Multi-tunnel virtual private network
US20220353240A1 (en) Distributed offload leveraging different offload devices
US11785048B2 (en) Consistent monitoring and analytics for security insights for network and security functions for a security service
EP4002866A1 (en) A device and method to establish a score for a computer application
CN114531263B (en) Method, system and medium for flow metadata exchange between network and security functions of a security service
CN102035821A (en) Firewall / virtual private network integrated system and circuit
Adeyinka, Analysis of IPsec VPNs performance in a multimedia environment
Snyder et al., Results of Testing: Juniper Branch SRX Firewalls
Mihaylov, Simultaneous Implementation of SSL and IPsec Protocols for Remote VPN Connection
GB2407464A (en) VPN and firewall integrated system

Legal Events

Code Title Description

C06 / PB01 Publication

C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)

ASS Succession or assignment of patent right
Owner name: O2 TECH. INTERNATIONAL LTD.
Former owner: O2MICRO ELECTRONICS (WUHAN) CO., LTD.
Effective date: 2012-02-15

C41 / TA01 Transfer of patent application right
Effective date of registration: 2012-02-15
Applicant after: O2 Tech. International Ltd., Grand Cayman, British Cayman Islands
Applicant before: O2Micro International Ltd., Room 806, Hua Le Business Center, No. 716 Luoyu Road, Wuhan City, Hubei Province 430074

ASS Succession or assignment of patent right
Owner name: AIYOUKE SERVICE CO., LTD.
Former owner: O2 TECH. INTERNATIONAL LTD.
Effective date: 2012-08-21

C41 / TA01 Transfer of patent application right
Effective date of registration: 2012-08-21
Applicant after: O2Micro Inc., Delaware
Applicant before: O2 Tech. International Ltd., Grand Cayman, British Cayman Islands

C02 / WD01 Invention patent application deemed withdrawn after publication (Patent Law 2001)
Application publication date: 2011-04-27