
Security policy acceleration table construction method and device

A security policy acceleration table construction method, applied in the field of network security, addresses the problems of memory consumption, security policy check failure and long construction time. Its effects are reduced consumption of memory and CPU resources, a lower probability of check failure, and faster construction.

Active Publication Date: 2019-10-25
NEW H3C SECURITY TECH CO LTD

AI Technical Summary

Problems solved by technology

If the refresh cycle of the network device's security policy acceleration table has not yet arrived, the correspondence between the IP address and the security policy of each domain name that switches address at the current moment cannot be written into the security policy acceleration table, which causes the security policy check to fail.

[0004] In addition, the acceleration table construction process consumes a lot of memory and CPU and lasts a long time. Network devices such as gateways need to access a large number of domain names. When each domain name switches among multiple IP addresses, the network device has a large number of domain name change events to process, and it cannot finish processing all of them within one security policy acceleration table refresh cycle. The correspondence between the IP address and the security policy then cannot be written into the security policy acceleration table at the current moment, and the security policy check fails.



Examples


Embodiment Construction

[0031] The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings in the embodiments of the application. The described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.

[0032] The words appearing in the embodiments of the present application are explained below.

[0033] Security policy rules: including matching items and action items. After receiving the data packet, the network device matches the data packet with the matching item, determines the matching item matching the data packet, and processes the data packet according to the action item corresponding to the matching item.

[0034] Domain name change event: the network device determines th...



Abstract

The embodiment of the invention provides a security policy acceleration table construction method and device. The method comprises the following steps: storing an address cache table with a plurality of address cache entries, wherein each address cache entry holds the IP address set of a different domain name, each IP address set is used for storing M IP addresses, and the aging time of each IP address is greater than M + 1 domain name address switching periods; receiving a first domain name system protocol message; searching for a first address cache entry matching the domain name carried by the first domain name system protocol message; if it is determined that the IP address set of the first address cache entry contains the IP address carried by the first domain name system protocol message, not generating an event for triggering a refresh of the security policy acceleration table; and refreshing the storage time of the IP address carried by the first domain name system protocol message in the IP address set of the first address cache entry. By applying the technical scheme provided by the embodiment of the invention, the consumption of memory and CPU resources can be reduced, and the probability of security policy check failure is reduced.
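The event-suppression logic of the abstract, as an added Python sketch (not code from the patent or its owner). The names `AddressCache`, `on_dns_answer` and `count_refresh_events` are hypothetical; the aging time of M + 2 periods, the eviction of the least recently seen address, and the rule that an unknown address generates a refresh event are assumptions the abstract does not spell out. The addresses and domain are constructed samples.

```python
class AddressCache:
    """Per-domain IP address sets that suppress acceleration-table refresh events."""

    def __init__(self, m, switch_period):
        self.m = m  # M: number of IP addresses kept per domain name
        # The abstract requires aging time > (M + 1) switching periods;
        # (M + 2) periods is an assumed concrete choice.
        self.aging = (m + 2) * switch_period
        self.entries = {}  # domain name -> {ip: last storage time}

    def on_dns_answer(self, domain, ip, now):
        """Return True if this DNS answer must trigger a table refresh event."""
        ips = self.entries.setdefault(domain, {})
        # Assumed housekeeping: drop addresses whose aging time has elapsed.
        for old in [a for a, seen in ips.items() if now - seen > self.aging]:
            del ips[old]
        if ip in ips:
            ips[ip] = now  # known address: refresh storage time, no event
            return False
        if len(ips) >= self.m:  # assumed eviction: least recently seen address
            del ips[min(ips, key=ips.get)]
        ips[ip] = now
        return True  # unknown address: its policy mapping must be written


def count_refresh_events(m, rotation, periods, switch_period=60):
    """Feed one DNS answer per switching period and count refresh events."""
    cache = AddressCache(m, switch_period)
    return sum(
        cache.on_dns_answer("www.example.test", rotation[i % len(rotation)],
                            i * switch_period)
        for i in range(periods)
    )


# Constructed sample: one domain name rotating over three load-balanced addresses.
ROTATION = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

if __name__ == "__main__":
    print("M=3:", count_refresh_events(3, ROTATION, 30))  # one event per address
    print("M=1:", count_refresh_events(1, ROTATION, 30))  # one event per switch
```

With M = 1 the cache degenerates to tracking only the current address, so every address switch produces a refresh event; with M covering the rotation, only the first sighting of each address does.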

Description

Technical field

[0001] The present application relates to the technical field of network security, in particular to a method and device for constructing a security policy acceleration table.

Background technique

[0002] In order to improve the efficiency of message security processing, the network device uses the IP (Internet Protocol) address corresponding to the domain name of the website specified by the user as the Key, and the security policy rule corresponding to the IP address as the Value, and constructs the security policy acceleration table. The device calculates a hash value from the IP address of the domain name and quickly finds the security policy of the domain name corresponding to that IP address, which avoids searching the policy table entry by entry for the domain name's security policy according to the IP address.

[0003] In a load balancing network, multiple servers provide the same service...


Application Information

IPC(8): H04L29/12, H04L29/06, H04L29/08
CPC: H04L63/20, H04L67/1036, H04L61/58, H04L61/4511
Inventor 岳伟国
Owner NEW H3C SECURITY TECH CO LTD