Method and device for speeding up matching of filter rules of firewalls

A firewall rule-matching technique in the field of network security. It addresses the performance degradation of a firewall whose filtering rule set is large, and does so by reducing the set of rules that has to be matched for each packet, which improves filtering efficiency.

Active Publication Date: 2010-06-23
BEIJING TOPSEC NETWORK SECURITY TECH

AI Technical Summary

Problems solved by technology

[0005] The present invention provides a method and device for accelerating the matching of firewall filtering rules. It addresses the problem in the prior art that, when a firewall matches data packets against its filtering rules, the performance of the firewall drops significantly as the number of filtering rules grows.


Embodiment Construction

[0029] The specific implementation of the present invention is described below with reference to the accompanying drawings.

[0030] See figure 1, which is a flow chart of the method for accelerating firewall filter rule matching according to the present invention. The method mainly comprises the following steps:

[0031] Step 10: constructing, from the attribute information of the attribute items of a pre-selected firewall filtering rule set, linearly distributed attribute intervals;

[0032] An attribute item is a source address, a destination address, a source port number, a destination port number, or a transport protocol.

[0033] The linearly distributed attribute intervals corresponding to an attribute item are arranged in order of the value of that item's attribute information, and no two intervals corresponding to the same attribute item intersect.

[0034] Step 11, associating th...


Abstract

The invention discloses a method and a device for speeding up the matching of firewall filter rules. The method comprises the steps of: constructing, from the attribute information of the attribute items of a pre-selected firewall filter rule set, linearly distributed attribute intervals, and associating each constructed interval with the filter rules whose attribute information for the corresponding attribute item contains that interval; when filtering a data packet, querying the packet's attribute information for the selected attribute items, searching the constructed intervals for the interval to which each queried value belongs, and using the filter rules associated with the found interval to construct a rule set for each selected attribute item; taking the intersection of these per-attribute rule sets and adding it to a set of matched rules; and matching the data packet against the rules in the set of matched rules in order of rule priority until a completely matching rule is found. The method and device improve the efficiency of firewall filter rule matching.
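The abstract and the embodiment steps above describe the whole procedure but give no data structures. The following is an added example (not the patent's code, and not Topsec's implementation) of one way to realise it: for each of the five attribute items, the endpoints of every rule's range cut the value axis into disjoint, sorted intervals, each carrying the set of rules whose range contains it; a packet is classified by one binary search per attribute, the five candidate sets are intersected, and only that intersection is matched sequentially in priority order. Everything below is assumed rather than taken from the page: rules are five-tuples of inclusive integer ranges, the administrator's ordering is the priority (first complete match wins), a packet matching no rule returns None, and the rule names, addresses and packets are constructed for the example.

```python
"""Interval-indexed firewall rule matching (added example, not the patent's code).

Assumptions not from the page: rules are 5-tuples of inclusive integer ranges,
list order is priority (first full match wins), no match returns None.
"""
import bisect
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ATTRS = ("src", "dst", "sport", "dport", "proto")  # the five attribute items
ANY_IP, ANY_PORT, ANY_PROTO = (0, 2**32 - 1), (0, 65535), (0, 255)


@dataclass
class Rule:
    name: str
    action: str
    ranges: Dict[str, Tuple[int, int]]  # attribute item -> inclusive (low, high)


def net(cidr: str) -> Tuple[int, int]:
    n = ipaddress.ip_network(cidr)
    return int(n.network_address), int(n.broadcast_address)


def host(ip: str) -> Tuple[int, int]:
    v = int(ipaddress.ip_address(ip))
    return v, v


class IntervalIndex:
    """Steps 10/11: per attribute item, rule-range endpoints cut the axis into
    disjoint sorted intervals; each interval is associated with the rules whose
    range contains it. Built once at rule-load time, not per packet."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.starts: Dict[str, List[int]] = {}
        self.ends: Dict[str, List[int]] = {}
        self.members: Dict[str, List[FrozenSet[int]]] = {}
        for attr in ATTRS:
            cuts = sorted({p for r in rules
                           for p in (r.ranges[attr][0], r.ranges[attr][1] + 1)})
            starts, ends, members = [], [], []
            for lo, nxt in zip(cuts, cuts[1:]):
                hi = nxt - 1
                # Cuts come from every rule endpoint, so a rule range either
                # covers [lo, hi] entirely or does not touch it at all.
                covering = frozenset(i for i, r in enumerate(rules)
                                     if r.ranges[attr][0] <= lo <= hi <= r.ranges[attr][1])
                starts.append(lo); ends.append(hi); members.append(covering)
            self.starts[attr], self.ends[attr], self.members[attr] = starts, ends, members

    def candidates(self, attr: str, value: int) -> FrozenSet[int]:
        """Binary search for the interval containing value; empty set if none."""
        i = bisect.bisect_right(self.starts[attr], value) - 1
        if i < 0 or value > self.ends[attr][i]:
            return frozenset()
        return self.members[attr][i]

    def match(self, pkt: Dict[str, int]) -> Tuple[Optional[Rule], int]:
        """Intersect per-attribute candidate sets, then match sequentially over
        that reduced set only. Returns (rule or None, size of reduced set)."""
        cand: Optional[FrozenSet[int]] = None
        for attr in ATTRS:
            s = self.candidates(attr, pkt[attr])
            cand = s if cand is None else cand & s
            if not cand:            # early exit: no rule can match
                return None, 0
        for i in sorted(cand):      # lowest index == highest priority
            r = self.rules[i]
            if all(r.ranges[a][0] <= pkt[a] <= r.ranges[a][1] for a in ATTRS):
                return r, len(cand)
        return None, len(cand)


def match_linear(rules: List[Rule], pkt: Dict[str, int]) -> Optional[Rule]:
    """Prior-art strategy: scan every rule from the first until one matches."""
    for r in rules:
        if all(r.ranges[a][0] <= pkt[a] <= r.ranges[a][1] for a in ATTRS):
            return r
    return None


def packet(src: str, dst: str, sport: int, dport: int, proto: int) -> Dict[str, int]:
    return {"src": int(ipaddress.ip_address(src)), "dst": int(ipaddress.ip_address(dst)),
            "sport": sport, "dport": dport, "proto": proto}


# Constructed rule set in administrator order (index == priority); 6 = TCP, 17 = UDP.
RULES = [
    Rule("allow-web-from-lan", "allow", {"src": net("192.168.1.0/24"), "dst": host("10.0.0.5"),
                                         "sport": ANY_PORT, "dport": (443, 443), "proto": (6, 6)}),
    Rule("deny-web-others", "deny", {"src": ANY_IP, "dst": host("10.0.0.5"),
                                     "sport": ANY_PORT, "dport": (443, 443), "proto": (6, 6)}),
    Rule("allow-dns", "allow", {"src": ANY_IP, "dst": host("10.0.0.53"),
                                "sport": ANY_PORT, "dport": (53, 53), "proto": (17, 17)}),
    Rule("default-deny", "deny", {"src": ANY_IP, "dst": ANY_IP, "sport": ANY_PORT,
                                  "dport": ANY_PORT, "proto": ANY_PROTO}),
]
INDEX = IntervalIndex(RULES)


def decide(index: IntervalIndex, src, dst, sport, dport, proto):
    """Return (rule name or None, rules actually compared), cross-checked
    against the linear scan so both strategies give the same verdict."""
    pkt = packet(src, dst, sport, dport, proto)
    rule, reduced = index.match(pkt)
    assert rule is match_linear(index.rules, pkt)
    return (rule.name if rule else None), reduced
```

The second element returned by `decide` is the size of the reduced rule set, which is the quantity the patent claims to shrink: with the four constructed rules, a TCP/443 packet to 10.0.0.5 is compared against three rules instead of four, and a packet reaching the default rule is compared against one. Because the intervals are elementary (every endpoint is a cut), any rule in the intersection already matches the packet on all five attributes, so the final sequential pass only has to pick the highest-priority member; the explicit range check is kept as a cheap guard against a mis-built index.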

Description

Technical field

[0001] The invention relates to the technical field of network security, and in particular to a method and device for accelerating the matching of firewall filtering rules.

Background technique

[0002] The packet filtering system is the most basic, important and core part of a firewall. The firewall filtering rule set is the set of rules configured by the administrator to decide, when the firewall performs access control, whether data packets in the network may pass. The common packet filtering process matches each data packet sequentially, starting from the first rule of the firewall filtering rule set. If a rule matches, the action associated with that rule is executed, and matching proceeds with the next data packet. A firewall filtering rule set may contain dozens or more rules, but because the rules are related to one another, they must be arranged in a certain order, which is why the firewall filtering...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06; G06F17/30
Inventor: 陈强
Owner: BEIJING TOPSEC NETWORK SECURITY TECH