Method for implementing a fast firewall authentication function
Technical field:
The present invention relates to the field of firewall technology, and specifically to a method for implementing a fast firewall authentication function.
Background technology:
Firewalls organize their rules mainly according to network-layer and transport-layer header information, that is, rules are set according to information such as IP addresses and ports. When traffic is processed, IP packets must be matched sequentially against the rules, and the corresponding action is taken according to the match result. At present a small number of firewalls provide an authentication function; they typically implement it by dynamically adding ACL rules inside the firewall according to the user's authentication information. The problem with the prior art is therefore that when a large number of users authenticate, the number of rules inside the firewall keeps growing, system performance drops rapidly, and the overall performance of the user's network ultimately suffers.
Summary of the invention:
The object of the invention is to provide a method for implementing a fast firewall authentication function that overcomes the problem of the prior art: when a large number of users authenticate, the number of rules inside the firewall keeps growing, system performance drops rapidly, and the overall performance of the user's network ultimately suffers.
To overcome this problem of the prior art, the technical solution of the invention is a method for implementing a fast firewall authentication function comprising the following steps in order:
(1) Label definition:
The format of the label is defined according to the user attribute information (for example the authorization attributes and bandwidth attributes associated with a user), so that the system can classify packets and process them accordingly;
(2) Binding of labels to role information:
According to the concrete user attribute information and the label definition format, a concrete label value is formed. When the user authenticates, the concrete label is placed in the kernel, so that when a user datagram arrives the corresponding label can be retrieved and the packet processed according to the concrete label value;
(3) Label setting:
According to the specific information in a network data packet, the label corresponding to the user's packet is retrieved and placed in the header of the packet buffer, so that the subsequent functional modules of the system can process it;
(4) Label-based processing:
Once the label of a data packet has been set, the subsequent functional modules perform the corresponding processing during forwarding according to the label definition and the concrete label value.
In step (1) above, the label definition format can be similar to the definition of a network packet header: different fields define different meanings or functions, and the different values of each field define different processing within the same function.
In step (3) above, a fast mapping algorithm is adopted: a correspondence is established between source IP addresses and labels, and the label corresponding to each user's packet is retrieved by its source IP address. This method suits data whose overall range is wide but which is relatively concentrated on a few segments; it is an index-based lookup that manages the data in segments through index arrays.
In step (3) above, the concrete steps of the fast mapping algorithm are: 1) after the secure access authentication platform receives the user IP and tag, it checks whether the index array corresponding to this IP address exists; if it exists, the tag is written at position IP - (IP & 0xFFFFFF00) of that array; if it does not exist, the kernel creates an array of length 256, writes the group address (IP & 0xFFFFFF00) and the IP address range of the index array (IP & 0xFFFFFF00 to (IP & 0xFFFFFF00) + 255) into a specific linked list (list) in the kernel, and at the same time writes the tag into the corresponding position of the index array, that is, into element IP - (IP & 0xFFFFFF00) of the array;
2) when a data packet is forwarded by the secure access authentication platform, the kernel searches the linked list according to the packet's IP header information to find the corresponding index array, takes out the tag corresponding to this IP from position IP - (IP & 0xFFFFFF00) of the index array, and fills it into the header of the buffer carrying the IP packet for use by the subsequent functional modules.
Compared with the prior art, the advantages of the invention are:
1. Fast firewall authentication is achieved: the invention uses a label classification technique to organize the various rules inside the system. Its core is to bind user roles to labels, thereby controlling each user's access rights and access scope to the network. Each user's packet need only be matched against the rules of the role it belongs to, rather than against all rules, which effectively overcomes the drawback of firewalls matching rules one by one in order, reduces the number of rule entries matched, and improves system performance. Its function is similar to that of an ordinary firewall that supports authentication, but by implementing the invention the number of ACLs inside the system is effectively controlled, so that large-scale user authentication can be supported. To improve the speed of label setting, the technical scheme further proposes a fast mapping algorithm, which ensures that system performance does not drop noticeably when a large number of users authenticate and prevents lookup speed from degrading significantly as the amount of data grows.
Through the label classification technique the invention can effectively reduce the number of rules in the system and at the same time effectively control the number of rules each packet must be matched against.
2. Wide applicability: the invention essentially proposes a concrete implementation of a new rule organization model, which can be used in many systems, such as firewalls, authentication and accounting systems, etc.
Embodiment:
The invention is further described below by way of specific embodiments.
Embodiment 1: the invention comprises the following steps in order:
(1) Label definition
The tag is 4 bytes long and, for convenience of processing, each information field is one byte long, as shown in the following table:
Byte 1 (most significant) | Byte 2 | Byte 3 | Byte 4 (least significant)
Extended information | ACL rule | Downlink bandwidth rule | Uplink bandwidth rule
1) Extended information:
One byte long, reserved mainly for later extension;
2) ACL rule:
One byte long, used mainly to control the user's access scope; corresponds to an ACL rule;
3) Downlink bandwidth rule:
One byte long, used mainly to control the user's downlink bandwidth; corresponds to a downlink bandwidth rule;
4) Uplink bandwidth rule:
One byte long, used mainly to control the user's uplink bandwidth; corresponds to an uplink bandwidth rule;
Because each information field is one byte long, each information field can correspond to at most 256 rules, which in practice is sufficient to meet user needs.
(2) Establishing role-based ACL and bandwidth rules, and binding labels to role information:
In practical applications a large number of users share the same characteristics, such as Internet access scope and bandwidth management mode. Corresponding roles are defined for users according to these attributes, and the ACL and bandwidth rules corresponding to each role are set up in the system, each corresponding to one information field of the label, forming a correspondence table in the system kernel as shown below (* denotes an arbitrary value):
Label | ACL rule
0x**01**** | ACL1
0x**02**** | ACL2

Label | Downlink bandwidth rule
0x****01** | Inband1
0x****02** | Inband2

Label | Uplink bandwidth rule
0x******01 | Outband1
0x******02 | Outband2
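The following C program is an added example, not code from the patent: it packs the four one-byte fields into the 4-byte label described in step (1) and expresses the wildcard entries of the correspondence table above as (value, mask) pairs, so that each module compares only its own byte. The table contents are constructed to mirror the page's table; the function names are assumptions. The page's example tag 0x00010203 carries uplink value 3, which the table does not bind to any rule, so the uplink lookup returns NULL and a module must treat that as "no policy" rather than as a match.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 4-byte label, laid out as in the table above: the most significant
 * byte is the extended information field, then the ACL rule field, then
 * the downlink bandwidth field; the least significant byte is the uplink
 * bandwidth field (so ext=0, ACL1, inband2, outband3 gives 0x00010203). */
typedef uint32_t tag_t;

tag_t tag_make(uint8_t ext, uint8_t acl, uint8_t down, uint8_t up)
{
    return ((tag_t)ext << 24) | ((tag_t)acl << 16) | ((tag_t)down << 8) | (tag_t)up;
}

uint8_t tag_ext(tag_t t)  { return (uint8_t)(t >> 24); }
uint8_t tag_acl(tag_t t)  { return (uint8_t)(t >> 16); }
uint8_t tag_down(tag_t t) { return (uint8_t)(t >> 8); }
uint8_t tag_up(tag_t t)   { return (uint8_t)t; }

/* A wildcard entry such as 0x**01**** is stored as a (value, mask) pair:
 * a tag matches when the bits selected by mask equal value. Each table
 * masks only its own byte, so a module never inspects the other fields. */
struct tag_rule {
    tag_t value;
    tag_t mask;
    const char *name;
};

/* Constructed correspondence tables mirroring the embodiment's tables. */
static const struct tag_rule acl_rules[] = {
    { 0x00010000u, 0x00ff0000u, "ACL1" },
    { 0x00020000u, 0x00ff0000u, "ACL2" },
};
static const struct tag_rule down_rules[] = {
    { 0x00000100u, 0x0000ff00u, "Inband1" },
    { 0x00000200u, 0x0000ff00u, "Inband2" },
};
static const struct tag_rule up_rules[] = {
    { 0x00000001u, 0x000000ffu, "Outband1" },
    { 0x00000002u, 0x000000ffu, "Outband2" },
};

/* Walk one module's table only. NULL means no rule is bound to the field
 * value; the caller must not treat that as a successful match. */
static const char *match_rule(const struct tag_rule *rules, size_t n, tag_t tag)
{
    for (size_t i = 0; i < n; i++)
        if ((tag & rules[i].mask) == rules[i].value)
            return rules[i].name;
    return NULL;
}

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
const char *lookup_acl(tag_t t)  { return match_rule(acl_rules,  COUNT(acl_rules),  t); }
const char *lookup_down(tag_t t) { return match_rule(down_rules, COUNT(down_rules), t); }
const char *lookup_up(tag_t t)   { return match_rule(up_rules,   COUNT(up_rules),   t); }

int main(void)
{
    tag_t t = tag_make(0, 1, 2, 3);   /* the page's example tag */
    printf("tag 0x%08x: acl=%s down=%s up=%s\n", t,
           lookup_acl(t)  ? lookup_acl(t)  : "(none)",
           lookup_down(t) ? lookup_down(t) : "(none)",
           lookup_up(t)   ? lookup_up(t)   : "(none)");
    return 0;
}
```

Because every table is walked with a mask over a single byte, the number of comparisons a packet costs is bounded by the size of its own role's table for that field, never by the total number of rules in the system, which is the point the summary makes about reducing rule matches.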
(3) Setting the label of IP packets according to user information
After an IP packet enters the system, the system looks up the corresponding user authentication information by source IP address. If none is found, the user has not yet authenticated and the system notifies the user to authenticate. If it is found, the user's packet is classified quickly according to the user information and the corresponding label is set, so that the subsequent functional modules of the system can process it. The concrete steps are as follows:
1) after the user authenticates successfully, the authentication server forms the corresponding tag according to the various items of information of the user's role. For example, if the ACL corresponding to the user's role is ACL1, the downlink bandwidth rule is inband2 and the uplink bandwidth rule is outband3, the tag formed by the authentication server is 0x00010203;
2) the authentication server returns the formed tag together with the user's IP address to the secure access authentication platform, which writes them into the system kernel. After a user data packet enters the system, the system finds the corresponding label by source IP address and fills it into the header of the buffer carrying the IP packet for use by the subsequent functional modules.
(4) Performing the corresponding ACL and bandwidth management according to the label
After the label of an IP packet has been set, the packet passes in turn through the subsequent relevant functional modules during forwarding, and these modules perform the corresponding ACL and bandwidth processing according to the mapping table established in step (2).
Embodiment 2: in order to set labels quickly and further improve label lookup speed, a fast mapping method is adopted in step (3) for optimization. The concrete implementation steps are as follows:
1) after the secure access authentication platform receives the user IP and tag, it checks whether the index array corresponding to this IP address exists; if it exists, the tag is written at position IP - (IP & 0xFFFFFF00) of that array; if it does not exist, the kernel creates an array of length 256, writes the group address (IP & 0xFFFFFF00) and the IP address range of the index array (IP & 0xFFFFFF00 to (IP & 0xFFFFFF00) + 255) into a specific linked list (list) in the kernel, and at the same time writes the tag into the corresponding position of the index array, that is, into element IP - (IP & 0xFFFFFF00) of the array;
2) when a data packet is forwarded by the secure access authentication platform, the kernel searches the linked list according to the packet's IP header information to find the corresponding index array, takes out the tag corresponding to this IP from position IP - (IP & 0xFFFFFF00) of the index array, and fills it into the header of the buffer carrying the IP packet for use by the subsequent functional modules.
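The following C program is an added example, not code from the patent, serving both the label-setting procedure of steps (3) and (4) in Embodiment 1 and the fast mapping method of Embodiment 2. It keeps one 256-entry index array per group address (IP & 0xFFFFFF00) on a linked list, writes a tag at position IP - (IP & 0xFFFFFF00) when the platform receives a (user IP, tag) pair, and on forwarding looks the tag up by source address and copies it into a stand-in for the packet buffer head. The `bound[]` presence array, the `tagmap_clear` logout path, the `pkt_buf` structure and all function names are assumptions added here; the sample addresses and tags are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#define SEG_MASK 0xFFFFFF00u   /* group address: IP & 0xFFFFFF00 */
#define SEG_SIZE 256           /* one index array covers base .. base + 255 */

/* One index array per group, threaded on the "specific linked list".
 * bound[] records whether an entry holds a tag, so a tag value of 0 is
 * never confused with "no authenticated user" (assumption, not in the page). */
struct segment {
    uint32_t base;              /* IP & 0xFFFFFF00 */
    uint32_t tags[SEG_SIZE];    /* tags[IP - base] */
    uint8_t  bound[SEG_SIZE];
    struct segment *next;
};

static struct segment *seg_list = NULL;

static struct segment *seg_find(uint32_t ip)
{
    uint32_t base = ip & SEG_MASK;
    for (struct segment *s = seg_list; s != NULL; s = s->next)
        if (s->base == base)
            return s;
    return NULL;
}

/* Step 1 of the fast mapping: the platform receives (user IP, tag). If the
 * group's index array exists, write at IP - base; otherwise allocate a
 * 256-entry array, link it in, then write. Returns 0, or -1 on allocation
 * failure so the caller can fall back to "not authenticated". */
int tagmap_set(uint32_t ip, uint32_t tag)
{
    struct segment *s = seg_find(ip);
    if (s == NULL) {
        s = calloc(1, sizeof *s);
        if (s == NULL)
            return -1;
        s->base = ip & SEG_MASK;
        s->next = seg_list;
        seg_list = s;
    }
    s->tags[ip - s->base] = tag;
    s->bound[ip - s->base] = 1;
    return 0;
}

/* Drop the binding at logout so a later holder of the address does not
 * inherit the previous user's label (assumption: the page does not cover it). */
void tagmap_clear(uint32_t ip)
{
    struct segment *s = seg_find(ip);
    if (s != NULL)
        s->bound[ip - s->base] = 0;
}

/* Step 2 of the fast mapping: find the group's array from the IP header and
 * read the tag at IP - base. Returns 1 and stores the tag, or 0 when the
 * source address has no label, i.e. the user has not authenticated. */
int tagmap_get(uint32_t ip, uint32_t *tag)
{
    struct segment *s = seg_find(ip);
    if (s == NULL || !s->bound[ip - s->base])
        return 0;
    *tag = s->tags[ip - s->base];
    return 1;
}

size_t tagmap_segments(void)
{
    size_t n = 0;
    for (struct segment *s = seg_list; s != NULL; s = s->next)
        n++;
    return n;
}

/* Stand-in for the packet buffer head that carries the label to the
 * subsequent modules (in a Linux kernel this would be a field in the skb). */
struct pkt_buf {
    uint32_t saddr;   /* source IP from the IP header */
    uint32_t tag;     /* label filled in during label setting */
};

/* Embodiment 1 step (3): a 0 return means "notify the user to authenticate". */
int label_packet(struct pkt_buf *p)
{
    return tagmap_get(p->saddr, &p->tag);
}

/* Embodiment 1 step (4): a downstream ACL module reads only its own byte. */
uint8_t pkt_acl(const struct pkt_buf *p) { return (uint8_t)(p->tag >> 16); }

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main(void)
{
    /* constructed bindings: two users in 10.1.2.0/24, one in 10.1.3.0/24 */
    tagmap_set(ip4(10, 1, 2, 3),   0x00010203u);
    tagmap_set(ip4(10, 1, 2, 200), 0x00020102u);
    tagmap_set(ip4(10, 1, 3, 7),   0x00010101u);

    struct pkt_buf p = { ip4(10, 1, 2, 200), 0 };
    if (label_packet(&p))
        printf("10.1.2.200 -> tag 0x%08x, ACL field %u, %zu segments\n",
               p.tag, pkt_acl(&p), tagmap_segments());
    return 0;
}
```

The list is walked once per packet to find the group, after which the lookup is a single array index, so cost grows with the number of populated /24 groups rather than with the number of authenticated users, which is the property the page claims for the fast mapping.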
The invention essentially proposes a concrete implementation of a new rule organization model that can be used in many systems, such as firewalls and authentication and accounting systems; further extensions and modifications made on the basis of this model all fall within the scope of the rights of the invention.