A dynamic expansion system for firewall modules
By abstracting firewall modules into micro-applications and dynamically adjusting their priorities, the problem of firewall systems failing to meet diverse security needs in different cloud computing scenarios is solved, enabling flexible security policy adjustments and cost reduction.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM CLOUD TECH CO LTD
- Filing Date
- 2022-12-29
- Publication Date
- 2026-07-03
AI Technical Summary
Existing firewall systems are difficult to flexibly adapt to different cloud computing use cases to meet diverse security needs, leading to increased maintenance and usage costs.
The firewall functional modules are abstracted into micro-applications. By setting extension framework rules and priorities, and formulating operation policies, the functions of micro-applications can be extended. At system startup, the processor chain is adjusted according to security requirements, and the priorities between micro-applications are dynamically adjusted to meet the needs of different scenarios.
It reduces maintenance and usage costs, improves system flexibility and adaptability, and enables rapid response to different security needs without custom development.
Smart Images

Figure CN115834243B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of firewalls, and more particularly to a dynamic expansion system for firewall modules. Background Technology
[0002] Beyond basic protection, cloud computing applications present varying security needs across different scenarios, each with its own emphasis. Basic protection includes intrusion detection systems (IDS), intrusion prevention systems (IPS), and virus protection. When firewalls act as entry and exit points for traffic in different directions within a cloud computing environment, their security focus cannot be limited to traditional detection and defense functions. For example, enterprises using cloud desktops may have security requirements such as internet access auditing and control over the outward distribution of resource files. Custom development can be tailored to meet these diverse needs, but this undoubtedly increases maintenance and usage costs. Summary of the Invention
[0003] To address the security requirements of different usage scenarios, this invention proposes a dynamic firewall module expansion system. This system abstracts each firewall functional module into a corresponding micro-application, adjusts the priority of the micro-applications according to the needs of each scenario, and thus expands the functionality of the micro-applications. Each micro-application corresponds to multiple pipes, and each pipe corresponds to a pipe data processor. The system includes:
[0004] The rule setting module is used to set extension framework rules applicable to each micro-application. The basic attributes of the extension framework rules include the priority between each micro-application, and the micro-application on / off status, pipeline data processor and pipeline data processor priority corresponding to each micro-application.
[0005] The IPS policy setting module is used to formulate the operation policy of each micro-application, and to set the defense actions of each processor for the corresponding micro-application during runtime.
[0006] The micro-application association configuration module includes an association configuration file that corresponds one-to-one with each micro-application. This configuration file is used to set the association parameters of the corresponding micro-application, define the dependency relationship between micro-applications based on the association parameters, and control the start and stop status of the associated micro-applications when a micro-application starts. The association parameters include: micro-application identifier, auto-start function parameters, and associated micro-application identifier.
[0007] An extension module is used to adjust the priorities between micro-applications according to security requirements, and register a processor chain at system startup based on the adjusted micro-application priorities and the priorities of pipeline data processors in the micro-applications; the priority of the dependencies in the micro-application association configuration module is higher than the priority of the adjusted micro-application; the processor chain consists of pipeline data processors of each micro-application.
[0008] The defense module is used to sequentially call the processors in the processor chain when the packet capture program detects the data stream of a new connection, so that the processors can perform the corresponding defense actions.
[0009] Furthermore, the IPS policy setting module includes:
[0010] The first strategy module is used to load custom IPS engine configuration, set the default rule base in the pre hook function to set the risk level of micro-application identification and the defense actions of each processor when the micro-application is running;
[0011] The second strategy module is used to configure the built-in URL category library in the pre hook function to set the defense actions of each processor when the microapplication recognizes the accessed URL.
[0012] Furthermore, the defense module includes a transceiver queue and a pipe connector. The transceiver queue is used to store data streams and forward them to the pipe connector. Specifically, the defense module is used to sequentially call the processors on the processor chain, so that each processor performs corresponding defense actions on the data streams received by the pipe connector.
[0013] Furthermore, the rule setting module also includes:
[0014] The data direction division module is used to divide the data flow into a first direction and a second direction, wherein the first direction is from the client to the server and the second direction is from the server to the client.
[0015] The execution parameter setting module is used to set the timing for the pipeline data processor to perform defensive actions.
[0016] Furthermore, the execution timing includes: when the connection is created, when the connection is disconnected, and when the connection is reset.
[0017] Furthermore, the defense module is also used to set the execution direction of the processor chain according to the direction of the data flow, wherein the execution direction of the processor chain corresponding to the first direction is opposite to the execution direction of the processor chain corresponding to the second direction;
[0018] Furthermore, the defense module is specifically used to sequentially call the processors on the processor chain according to the execution direction of the processor chain corresponding to the data stream, so that each processor performs the corresponding defense action on the data stream received by the pipe connector.
[0019] Furthermore, the defense module is also used to generate connection sessions during the process of sequentially calling each processor in the processor chain, and to use the connection sessions as containers for data streams.
[0020] Furthermore, each micro-application has its corresponding lifecycle; the lifecycle includes loading, running, stopping, and unloading states, and hook functions are set in each state; the IPS strategy setting module is specifically used to customize the running strategy of the corresponding micro-application according to the hook functions set in each state, and to set the defense actions of each processor for the corresponding micro-application during runtime through the running strategy.
[0021] Furthermore, the system also includes a log monitoring module, which monitors the running data of each micro-application and stores it in the corresponding log file; one log file corresponds to one micro-application.
[0022] Compared with the prior art, the present invention has at least the following beneficial effects:
[0023] (1) This invention sets an extension framework rule applicable to each micro-application, sets the priority between each micro-application and the priority of each pipeline data processor in the micro-application, formulates the operation strategy of each micro-application, sets the defense action of each processor of the corresponding micro-application during operation through the operation strategy, and can adjust the priority between each micro-application according to security requirements. When the system starts, the processor chain is registered according to the adjusted priority of the micro-application and the priority of the pipeline data processor in the micro-application. When the packet capture program listens to the data stream of the new connection, the processors on the processor chain are called in sequence to make the processors execute the corresponding defense action. Based on the extension framework rule, it only needs to adjust the priority between each micro-application according to security requirements to change the processor chain (to obtain different security capabilities), thereby meeting the current security requirements. This avoids the problem of needing to customize development to meet different scenario requirements (security requirements), and greatly reduces the cost of maintenance and use.
[0024] (2) This invention sets the auto-start function parameters of micro-applications in the associated configuration file, thereby controlling the running status of each micro-application when the system starts, and then flexibly combining different micro-application combinations to obtain different processor chains to meet different security requirements. This reduces the cost of development and deployment and improves the user experience. Attached Figure Description
[0025] Figure 1 This is a diagram of a firewall module dynamically expanding system module. Detailed Implementation
[0026] The following are specific embodiments of the present invention, which are described in conjunction with the accompanying drawings. However, the present invention is not limited to these embodiments.
[0027] Example 1
[0028] This invention aims to provide flexible, rapid, and convenient security solutions for different usage scenarios, without requiring custom development. Figure 1 As shown, this invention proposes a dynamic expansion system for firewall modules, which abstracts each firewall functional module into a corresponding micro-application, adjusts the priority of the micro-applications according to the needs of various scenarios, and realizes the functional expansion of the micro-applications; each micro-application corresponds to multiple pipes, and each pipe corresponds to a pipe data processor; the system includes:
[0029] The rule setting module is used to set extension framework rules applicable to each micro-application. The basic attributes of the extension framework rules include the priority between each micro-application, and the micro-application on / off status, pipeline data processor and pipeline data processor priority corresponding to each micro-application.
[0030] The rule setting module also includes:
[0031] The data direction division module is used to divide the data flow into a first direction and a second direction, wherein the first direction is from the client to the server and the second direction is from the server to the client.
[0032] The execution parameter setting module is used to set the timing for the pipeline data processor to perform defensive actions.
[0033] The execution timing includes: when a connection is created, when a connection is closed, and when a connection is reset.
[0034] The IPS policy setting module is used to formulate the operation policy of each micro-application, and to set the defense actions of each processor for the corresponding micro-application during runtime.
[0035] Each microapplication has its corresponding lifecycle; the lifecycle includes loading, running, stopping and unloading states, and hook functions related to Pre and Post are set in each state; the IPS strategy setting module is specifically used to customize the running strategy of the corresponding microapplication according to the hook functions set in each state, and to set the defense actions of each processor for the corresponding microapplication during runtime through the running strategy.
[0036] The IPS policy setting module includes:
[0037] The first strategy module is used to load custom IPS engine configuration, set the default rule base in the pre hook function to set the risk level of micro-application identification and the defense actions of each processor when the micro-application is running;
[0038] The risk levels identified by the micro-application include three levels: lenient, medium, and strict. Different blocking behaviors are implemented for low, medium, and high-risk data streams. High-risk data streams are blocked in the lenient mode, while medium-risk data streams are also blocked in the medium mode. In internet behavior management, blocking actions are performed based on the desktop and the accessed URL.
[0039] The second strategy module is used to configure the built-in URL category library in the `pre` hook function to set the defense actions of each processor when the microapplication detects an accessed URL. For example, if microapplication A does not allow access to URLs of category C and has set up an interception action, then when a request from a URL of category C tries to access microapplication A, it will be blocked.
[0040] The micro-application association configuration module includes an association configuration file that corresponds one-to-one with each micro-application. This configuration file is used to set the association parameters of the corresponding micro-application, define the dependency relationship between micro-applications based on the association parameters, and control the start and stop status of the associated micro-applications when a micro-application starts. The association parameters include: micro-application identifier name, autostart function parameter autostart, and associated micro-application identifier parents.
[0041] It should be noted that before launching a micro-application, the associated micro-application will be launched first. The priority of this launch execution order is higher than the priority of the micro-applications that have been adjusted below.
[0042] An extension module is used to adjust the priorities between micro-applications according to security requirements, and register a processor chain at system startup based on the adjusted micro-application priorities and the priorities of pipeline data processors in the micro-applications; the priority of dependencies in the micro-application association configuration module is higher than the priority of the adjusted micro-application; the processor chain consists of pipeline data processors of each micro-application, and the linking order of each processor in the processor chain is determined by the micro-application priority and the priority of pipeline data processors in the micro-application.
[0043] The defense module is used to sequentially call the processors in the processor chain when the packet capture program detects the data stream of a new connection, so that the processors can perform the corresponding defense actions.
[0044] The defense module includes a transmit / receive queue and a pipe connector. The transmit / receive queue is used to store data streams and forward them to the pipe connector. Specifically, the defense module is used to sequentially call the processors on the processor chain, so that each processor performs the corresponding defense action on the data stream received by the pipe connector.
[0045] The defense module is also used to set the execution direction of the processor chain according to the direction of the data flow, wherein the execution direction of the processor chain corresponding to the first direction is opposite to the execution direction of the processor chain corresponding to the second direction.
[0046] The defense module is specifically used to sequentially call the processors on the processor chain according to the execution direction of the processor chain corresponding to the data stream, so that each processor performs the corresponding defense action on the data stream received by the pipe connector.
[0047] The defensive actions include forwarding, interception, and logging.
[0048] In this invention, each pipeline data processor in a microapplication can set an event window, which can be used to respond to specific connection events. For example, when a TCP connection handshake completes, each pipeline data processor in the microapplication can receive an event notification through the event window as processors in the processor chain are called sequentially.
[0049] It should be noted that the pipeline data processor in a micro-application can be empty. For example, when a data stream (data packet) is detected, the pipeline data processors of each micro-application in the processor chain will be called sequentially. For micro-applications that do not directly handle data traffic, such as the reporting module, which mainly analyzes the runtime logs, the processor can be set to empty, indicating that the micro-application does not participate in the current link. When the pipeline data processor is not empty, the data characteristics of the data stream (data packet) can be compared with the application parameters of the micro-application. If the comparison is consistent, it means that the pipeline data processor participates in the current link and executes the corresponding defense action. The data characteristics include: request address, destination address, port, URL, traffic type (ftp, ssl, http), email traffic, whether the file is a virus, whether it is attack traffic, etc.
[0050] The defense module is also used to generate connection sessions corresponding to each processor during the process of sequentially calling each processor in the processor chain, and to use the connection sessions as containers for data streams.
[0051] The system also includes a log monitoring module, which monitors the running data of each micro-application and stores it in the corresponding log file; one log file corresponds to one micro-application.
[0052] This invention establishes extended framework rules applicable to each micro-application, sets priorities between micro-applications and among the pipeline data processors within each micro-application, and formulates operational strategies for each micro-application. These operational strategies define the defensive actions of each processor during the runtime of the corresponding micro-application. The priorities between micro-applications can be adjusted according to security requirements. Upon system startup, a processor chain is registered based on the adjusted priorities of the micro-applications and their pipeline data processors. When a packet capture program detects a newly connected data stream, the processors in the processor chain are called sequentially, causing them to execute corresponding defensive actions. Based on the extended framework rules, this invention only requires adjusting the priorities between micro-applications according to security requirements to change the processor chain, thereby meeting current security needs. This avoids the need for customized development to meet different scenario requirements (security requirements), significantly reducing maintenance and usage costs.
[0053] It should be noted that all directional indications (such as up, down, left, right, front, back, etc.) in the embodiments of the present invention are only used to explain the relative positional relationship and movement of each component in a certain specific posture (as shown in the figure). If the specific posture changes, the directional indication will also change accordingly.
[0054] Furthermore, in this invention, descriptions involving terms such as "first," "second," and "a" are for descriptive purposes only and should not be construed as indicating or implying their relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this invention, "a plurality of" means at least two, such as two, three, etc., unless otherwise explicitly specified.
[0055] In this invention, unless otherwise explicitly specified and limited, the terms "connection," "fixed," etc., should be interpreted broadly. For example, "fixed" can mean a fixed connection, a detachable connection, or an integral part; it can mean a mechanical connection or an electrical connection; it can mean a direct connection or an indirect connection through an intermediate medium; it can mean the internal communication of two components or the interaction between two components, unless otherwise explicitly limited. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.
[0056] Furthermore, the technical solutions of the various embodiments of the present invention can be combined with each other, but only if they are feasible for those skilled in the art. If the combination of technical solutions is contradictory or cannot be implemented, it should be considered that such combination of technical solutions does not exist and is not within the scope of protection claimed by the present invention.
Claims
1. A firewall module dynamic expansion system, characterized in that, It is used to abstract each firewall functional module into a corresponding micro-application, adjust the priority of the micro-application according to the needs of various scenarios, and realize the functional expansion of the micro-application; one micro-application corresponds to multiple pipes, and one pipe corresponds to one pipe data processor; the system includes: The rule setting module is used to set extension framework rules applicable to each micro-application. The basic attributes of the extension framework rules include the priority between each micro-application, and the micro-application on / off status, pipeline data processor and pipeline data processor priority corresponding to each micro-application. The IPS policy setting module is used to formulate the operation policy of each micro-application, and to set the defense actions of each processor for the corresponding micro-application during runtime. The micro-application association configuration module includes an association configuration file that corresponds one-to-one with each micro-application. This configuration file is used to set the association parameters of the corresponding micro-application, define the dependency relationship between micro-applications based on the association parameters, and control the start and stop status of the associated micro-applications when a micro-application starts. The association parameters include: micro-application identifier, auto-start function parameters, and associated micro-application identifier. An extension module is used to adjust the priorities between micro-applications according to security requirements, and register a processor chain at system startup based on the adjusted micro-application priorities and the priorities of pipeline data processors in the micro-applications; the priority of the dependencies in the micro-application association configuration module is higher than the priority of the adjusted micro-application; the processor chain consists of pipeline data processors of each micro-application. The defense module is used to sequentially call the processors in the processor chain when the packet capture program detects the data stream of a new connection, so that the processors can perform the corresponding defense actions.
2. The firewall module dynamic expansion system according to claim 1, characterized in that, The IPS policy setting module includes: The first strategy module is used to load custom IPS engine configuration, set the default rule base in the pre hook function to set the risk level of micro-application identification and the defense actions of each processor when the micro-application is running; The second strategy module is used to configure the built-in URL category library in the pre hook function to set the defense actions of each processor when the microapplication recognizes the accessed URL.
3. A firewall module dynamic expansion system according to claim 2, characterized in that, The defense module includes a transmit / receive queue and a pipe connector. The transmit / receive queue is used to store data streams and forward them to the pipe connector. Specifically, the defense module is used to sequentially call the processors on the processor chain, so that each processor performs the corresponding defense action on the data stream received by the pipe connector.
4. A firewall module dynamic expansion system according to claim 3, characterized in that, The rule setting module also includes: The data direction division module is used to divide the data flow into a first direction and a second direction, wherein the first direction is from the client to the server and the second direction is from the server to the client. The execution parameter setting module is used to set the timing for the pipeline data processor to perform defensive actions.
5. A firewall module dynamic expansion system according to claim 4, characterized in that, The execution timing includes: when a connection is created, when a connection is closed, and when a connection is reset.
6. A firewall module dynamic expansion system according to claim 5, characterized in that, The defense module is also used to set the execution direction of the processor chain according to the direction of the data flow, wherein the execution direction of the processor chain corresponding to the first direction is opposite to the execution direction of the processor chain corresponding to the second direction.
7. A firewall module dynamic expansion system according to claim 6, characterized in that, The defense module is specifically used to sequentially call the processors on the processor chain according to the execution direction of the processor chain corresponding to the data stream, so that each processor performs the corresponding defense action on the data stream received by the pipe connector.
8. A firewall module dynamic expansion system according to claim 7, characterized in that, The defense module is also used to generate connection sessions during the process of sequentially calling each processor in the processor chain, and to use the connection sessions as containers for data streams.
9. A firewall module dynamic expansion system according to claim 8, characterized in that, Each microapplication has its corresponding lifecycle; the lifecycle includes loading, running, stopping and unloading states, and hook functions are set in each state; the IPS strategy setting module is specifically used to customize the running strategy of the corresponding microapplication according to the hook functions set in each state, and to set the defense actions of each processor for the corresponding microapplication during runtime through the running strategy.
10. A firewall module dynamic expansion system according to claim 9, characterized in that, The system also includes a log monitoring module, which monitors the running data of each micro-application and stores it in the corresponding log file; one log file corresponds to one micro-application.