2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Brief introduction to the active network firewall
1. Overview of the active network firewall
The active network firewall supported by SylixOS is a network firewall suited to embedded network security. It can effectively defend against common embedded network attacks and protect the system security of embedded devices.
The active network firewall includes five defense modules, which defend against the following five categories:
Network storms; replay attacks; ARP spoofing attacks; SYN flooding attacks; DDoS attacks.
2. Functions of the active network firewall
2.1 Network Storm Prevention Module
A network storm is the phenomenon in which the network is flooded with a large number of useless messages, affecting network equipment. This module reduces the impact of network storms on embedded devices. Its main functions are:
Automatically identify the equipment generating the storm and the storm message type; monitor the flow of each message type in real time, with support for dynamic configuration of the monitoring parameters; block the offending equipment, with support for dynamic configuration of the blocking time.
2.2 Replay Attack Defense Module
A replay attack, also known as a playback attack, means that the attacker sends a message that the destination host has already received in order to deceive the system. This module can defend against this kind of attack, and its main functions are:
A random verification code is used to verify the uniqueness of each message; the code generation interval can be modified; replay defense is supported in both LAN and non-LAN environments.
2.3 ARP spoofing Prevention Module
ARP spoofing means that an attacker deceives other devices by sending ARP messages with false content among devices that are communicating normally. This module can defend against this kind of attack, and its main functions are:
Automatically identify new network equipment information; automatically bind MAC and IP; intelligently identify MAC changes of the current network equipment. Fast identification and handling are supported for both network conditions: a MAC/IP address change and ARP spoofing.
2.4 SYN Flooding Prevention Module
A SYN flooding attack uses the TCP three-way handshake to send a large number of connection SYN messages to the target, thus exhausting equipment resources. This module can defend against this kind of attack, and its main functions are:
Automatically identify the devices generating the SYN flood; automatically identify the start and end of the SYN flood; monitor SYN message flow in real time, with support for dynamic configuration of the monitoring parameters; adopt a whitelist communication mechanism while a SYN flood is in progress.
2.5 DDoS Attack Defense Module
In the embedded field, a DDoS attack often refers to establishing a large number of empty TCP connections to the target computer, thus exhausting device resources. This module can defend against this kind of attack, and its main functions are:
Monitor the connection status information of each port in real time, with support for dynamic configuration of the monitoring parameters; apply a discard mechanism to excess connections on a port.
3. Characteristics of the active network firewall
Small resource footprint
The active network firewall uses its own memory management mechanism. Each functional module takes up few resources, and each functional module can be enabled and disabled separately.
Accurate network condition identification
In embedded networks there are some unique phenomena, such as MAC addresses being set or modified arbitrarily, which interfere greatly with defending against ARP spoofing. For such phenomena, the active network firewall probes on its own initiative, determines the real network condition and only then handles it, to ensure the correctness of the defense.
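One way the automatic MAC/IP binding of section 2.3 and the active check described above could fit together, as an added example that is not SylixOS code: a changed MAC for a bound IP is not accepted until a probe of the previously bound MAC goes unanswered. The probe-the-old-owner rule, every function name and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added illustration with hypothetical names; not SylixOS code. */
enum arp_verdict { ARP_BOUND, ARP_OK, ARP_PROBE, ARP_SPOOF, ARP_REBOUND, ARP_DROP };

/* mac: MAC bound to ip; cand: claimed new MAC; pending: probe outstanding */
struct binding { uint32_t ip; uint8_t mac[6], cand[6]; int pending; };
static struct binding table[16];
static int nbind;

static struct binding *find(uint32_t ip) {
    for (int i = 0; i < nbind; i++)
        if (table[i].ip == ip) return &table[i];
    return NULL;
}

/* Call with the sender IP and sender MAC of every ARP message received. */
enum arp_verdict arp_seen(uint32_t ip, const uint8_t mac[6]) {
    struct binding *b = find(ip);
    if (!b) {                                  /* new device: bind automatically */
        if (nbind == (int)(sizeof table / sizeof table[0])) return ARP_DROP;
        b = &table[nbind++];
        b->ip = ip; b->pending = 0;
        memcpy(b->mac, mac, 6);
        return ARP_BOUND;
    }
    if (memcmp(b->mac, mac, 6) != 0) {         /* MAC differs: verify before rebinding */
        memcpy(b->cand, mac, 6); b->pending = 1;
        return ARP_PROBE;                      /* caller now probes the old MAC */
    }
    if (!b->pending) return ARP_OK;
    b->pending = 0;                            /* old owner still present: claim was forged */
    return ARP_SPOOF;
}

/* Call when the probe of the old MAC goes unanswered. */
enum arp_verdict arp_probe_timeout(uint32_t ip) {
    struct binding *b = find(ip);
    if (!b || !b->pending) return ARP_OK;
    memcpy(b->mac, b->cand, 6); b->pending = 0;   /* old owner gone: accept the change */
    return ARP_REBOUND;
}

int main(void) {                               /* constructed MACs for 10.0.0.5 */
    const uint8_t a[6] = {2, 0, 0, 0, 0, 1}, b[6] = {2, 0, 0, 0, 0, 2};
    arp_seen(0x0A000005, a); arp_seen(0x0A000005, b);
    printf("%d\n", arp_seen(0x0A000005, a));   /* 3 = ARP_SPOOF */
    return 0;
}
```

A device that went offline before the forged claim arrives cannot answer the probe, so this rule alone would accept the change in that case.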
Segmented defense processing
The active firewall adopts an "upper and lower" separated defense framework, which can intelligently identify the problem hosts on the network when under network attack, so as to protect the equipment without occupying too many system resources and to ensure the normal operation of other network communications.
4. Implementation mechanism of the active network firewall
4.1 Overall framework
The active network firewall can be divided into two parts: detection management and message filtering. This "upper and lower" separated defense processing framework is shown in Figure 4.1.
Figure 4.1 Active network firewall block diagram
The upper detection and management code of the firewall is located in the network protocol stack, and the filtering code is located in the network card driver. When the device is under attack, this structure has little impact on CPU performance.
In addition, these two parts reduce the occupation of system resources through their respective memory management units.
4.2 Internal mechanism
The active network firewall is composed of five functional modules and a memory management unit. The five functional modules are independent of each other, but are all associated with the memory management unit, as shown in Figure 4.2.
Figure 4.2 Functional modules
Each functional module can be divided into two parts: a detection unit and a defense unit. As shown in Figure 4.3, the detection unit analyzes the messages received by the device. For some complex network situations, the detection unit will also actively probe to determine the real network situation. After a problem is found, the detection unit starts the defense unit, which filters the problem packets received afterwards using mechanisms such as blacklists and whitelists.
Figure 4.3 Implementation mechanism of the defense module
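The detection-unit/defense-unit split applied to the SYN flooding module of section 2.4, as an added example that is not SylixOS code: a filter on the driver side counts and drops SYNs, while a per-window detection tick decides when a flood starts and ends and which source sent the most SYNs. The thresholds, all names, and the whitelist being filled by the caller through `wl_add` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added illustration with hypothetical names and thresholds; not SylixOS code. */
#define SYN_START 100              /* SYNs per window at which a flood begins */
#define SYN_END    20              /* SYNs per window below which it has ended */
#define SLOTS       8
struct source { uint32_t ip; unsigned syns; };
static struct source seen[SLOTS];  /* per-source SYN counts for this window */
static uint32_t whitelist[SLOTS];
static unsigned total;             /* all SYNs seen in this window */
static int nwl, flood;             /* flood: set by detection, read by the filter */

void wl_add(uint32_t ip) { if (nwl < SLOTS) whitelist[nwl++] = ip; }
static int wl_has(uint32_t ip) {
    for (int i = 0; i < nwl; i++)
        if (whitelist[i] == ip) return 1;
    return 0;
}

/* Defense unit (driver side): returns 1 to pass a SYN upward, 0 to drop it. */
int filter_syn(uint32_t src) {
    total++;                       /* dropped SYNs still count, so the end is visible */
    for (int i = 0; i < SLOTS; i++) {
        if (seen[i].syns == 0) seen[i].ip = src;      /* claim a free slot */
        if (seen[i].ip == src) { seen[i].syns++; break; }
    }
    return !flood || wl_has(src);
}

/* Detection unit (stack side): call once per monitoring window. */
int detect_tick(uint32_t *top) {
    unsigned best = 0;
    for (int i = 0; i < SLOTS; i++)
        if (seen[i].syns > best) { best = seen[i].syns; *top = seen[i].ip; }
    if (!flood && total >= SYN_START) flood = 1;      /* start of flood */
    else if (flood && total < SYN_END) flood = 0;     /* end of flood */
    total = 0;
    memset(seen, 0, sizeof seen);
    return flood;
}

int main(void) {                   /* constructed traffic: 150 SYNs from 10.0.0.99 */
    uint32_t top = 0;
    for (int i = 0; i < 150; i++) filter_syn(0x0A000063);
    int f = detect_tick(&top);
    printf("flood=%d top=%08x\n", f, (unsigned)top);
    return 0;
}
```

The gap between the two thresholds keeps the filter from toggling on and off when the SYN rate hovers near a single limit.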