
CN116192921B - Database auditing method and device based on multiple firewalls - Google Patents


Info

Publication number: CN116192921B
Authority: CN (China)
Prior art keywords: firewall, data packet, database, session, firewalls
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202310199274.7A
Other languages: Chinese (zh)
Other versions: CN116192921A
Inventors: 刘晓韬, 高强花
Current assignee: Beijing Dbsec Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Dbsec Technology Co ltd
Priority date, filing date and publication date: not given on this page (the priority date is an assumption and is not a legal conclusion)

Events:
- Application filed by Beijing Dbsec Technology Co ltd
- Priority to CN202310199274.7A
- Publication of CN116192921A
- Application granted
- Publication of CN116192921B
- Legal status: Active
- Anticipated expiration: not given on this page


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/14: Session management
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a database auditing method and device based on multiple firewalls. In the method, each of the multiple firewalls sends the session information of every session established through it to the other firewalls; a first firewall receives a data packet exchanged between the database client and the database and judges whether the session to which the packet belongs was established through the first firewall; if so, it sends the packet to the auditing program installed on the first firewall for auditing; if not, it obtains the second firewall that established the session to which the packet belongs and sends the packet to that second firewall. This solves the prior-art problem that traffic accessing a database is spread across different firewalls for auditing, so that no complete audit result can be obtained, and ensures the integrity of database audit results to a certain extent.

Description

Database auditing method and device based on multiple firewalls
Technical Field
The application relates to the field of database auditing, in particular to a database auditing method and device based on multiple firewalls.
Background
Database auditing (DBAudit for short) is centred on security events. Based on comprehensive and accurate auditing, it records database activity on the network in real time, applies fine-grained compliance management to database operations, and raises real-time alerts on risky behaviour directed at the database. By recording, analysing and reporting user access to the database, it helps the user produce compliance reports and trace the source of incidents after the fact; through big-data search it also provides efficient queries over the audit records and locates the cause of an event for later query, analysis and filtering. In this way the network behaviour of internal and external databases is monitored and audited, and the security of data assets is improved.
When auditing a database, the traffic that accesses the database is generally captured and audited. To protect the database, a firewall is deployed in front of it. A network firewall is a special internetworking device used to strengthen access control between networks. All network traffic flowing into and out of the protected computer passes through the firewall, which inspects that traffic for known attacks so that they can be filtered out before being executed on the target computer. The firewall can also close ports that are not in use, prohibit outgoing communication from a particular port (blocking trojans), and finally deny access from a particular site, thereby stopping all communication from unknown intruders.
In the case where the database is behind a firewall, traffic accessing the database may be sent through the firewall to an auditing program for auditing, which may be located on the firewall or on other devices connected to the firewall.
To address this, two or more firewalls are deployed in front of the database: the number of available firewalls increases, so the security risk that arises when one firewall fails is avoided, and the firewalls can also split the traffic between them to achieve load balancing. However, this creates a problem for database auditing: accesses belonging to the same database session may be distributed across different firewalls and therefore audited by different auditing programs, so that no complete audit result can be obtained.
Disclosure of Invention
The embodiment of the application provides a database auditing method and device based on multiple firewalls, which at least solve the problem that in the prior art, complete auditing results cannot be obtained because traffic accessing a database is scattered to different firewalls for auditing.
According to one aspect of the application, a database auditing method based on multiple firewalls is provided. The method comprises: each firewall of the multiple firewalls sends session information of the sessions established through it to the other firewalls, where a session is established between a database client and a database through at least one of the multiple firewalls, and each firewall is provided with an auditing program used to audit the data packets exchanged between the database client and the database; a first firewall, which is one of the multiple firewalls, receives a data packet exchanged between the database client and the database; the first firewall judges whether the session to which the data packet belongs was established through the first firewall, and if so sends the data packet to the auditing program arranged on the first firewall for auditing; if not, the first firewall obtains the second firewall that established the session to which the data packet belongs and sends the data packet to the second firewall, the second firewall being one of the multiple firewalls; after receiving the data packet, the second firewall sends it to the auditing program arranged on the second firewall for auditing.
According to another aspect of the application, a database auditing device based on multiple firewalls is also provided. The device is located in a first firewall and comprises a sending module, a receiving module, a judging module and an auditing module. The sending module is used to send session information of the sessions established through the first firewall to the other firewalls of the multiple firewalls, where a session is established between a database client and a database through at least one of the multiple firewalls, and each firewall is provided with an auditing program used to audit the data packets exchanged between the database client and the database. The receiving module is used to receive a data packet exchanged between the database client and the database, the first firewall being one of the multiple firewalls. The judging module is used to judge whether the session to which the data packet belongs was established through the first firewall; if so, the first firewall sends the data packet to the auditing program arranged on the first firewall for auditing; if not, the second firewall that established the session to which the data packet belongs is obtained and the data packet is sent to the second firewall, the second firewall being one of the multiple firewalls, and after receiving the data packet the second firewall sends it to the auditing program arranged on the second firewall for auditing.
According to another aspect of the present application, there is also provided an electronic device comprising a memory and a processor, wherein the memory is adapted to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the above-described method steps.
According to another aspect of the present application there is also provided a readable storage medium having stored thereon computer instructions which when executed by a processor perform the above-mentioned method steps.
In the embodiment of the application, each firewall of the multiple firewalls sends session information of the sessions established through it to the other firewalls, where a session is established between a database client and the database through at least one of the multiple firewalls, and each firewall is provided with an auditing program used to audit the data packets exchanged between the database client and the database. A first firewall, which is one of the multiple firewalls, receives a data packet exchanged between the database client and the database and judges whether the session to which the data packet belongs was established through the first firewall; if so, the first firewall sends the data packet to the auditing program arranged on the first firewall; if not, the first firewall obtains the second firewall that established the session to which the data packet belongs and sends the data packet to the second firewall, and after receiving the data packet the second firewall sends it to the auditing program arranged on the second firewall for auditing. The application thus solves the prior-art problem that traffic accessing the database is scattered across different firewalls for auditing, so that no complete audit result can be obtained, and ensures the integrity of the database audit result to a certain extent.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application. In the drawings:
FIG. 1 is a system diagram of firewall-based database auditing according to an embodiment of the application;
FIG. 2 is a flow chart of a multi-firewall-based database auditing method according to an embodiment of the application; and
FIG. 3 is a schematic diagram of session information sent between firewalls according to an embodiment of the present application.
Detailed Description
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
Database auditing, firewalls, and the like are referred to in the following embodiments, and technical terms in the following embodiments will be first described.
TCP protocol
The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream-based transport-layer communication protocol defined in IETF RFC 793. TCP is intended to fit into a layered protocol hierarchy that supports multiple network applications. It provides reliable communication between pairs of processes on hosts attached to different but interconnected computer networks. TCP assumes only that it can obtain a simple, possibly unreliable datagram service from the lower-level protocols, so in principle it can operate over a wide range of communication systems, from hard-wired links to packet-switched or circuit-switched networks.
TCP connection
A TCP connection is a connection established at two communication ends using the TCP protocol, e.g., a client and a server may establish a TCP connection via the TCP protocol.
A TCP connection passes through a number of states; the ones relevant here are:
CLOSED: no connection exists.
LISTEN: waiting for a connection request from a remote TCP port.
SYN-SENT: a connection request has been sent and a matching connection request is awaited (client side).
SYN-RCVD: a connection request has been received and one has been sent back; waiting for the peer's acknowledgement of the connection request (server side).
ESTABLISHED: the connection is established.
The state changes during connection setup are as follows. Before the connection is established, both the server and the client are in the CLOSED state; after the server creates a socket and starts listening, its state changes to LISTEN. The client requests a connection by sending a synchronize (SYN) message to the server, and the client's state changes to SYN-SENT. On receiving the client's message, the server sends an acknowledgement (ACK) together with a SYN message to the client, and the server's state becomes SYN-RCVD. After receiving the SYN and ACK, the client sends an ACK to the server and its state becomes ESTABLISHED; the server also enters ESTABLISHED once it receives the client's ACK. At this point the three-way handshake is complete and the connection is established.
The three-way handshake may proceed as follows:
1. The client first sends a connection request with SYN=1 to the server, where seq=x is the packet sequence number.
2. After receiving this packet, the server sets ACK=1 to indicate that a packet was received and sets the acknowledgement number to x+1, meaning that the packet with sequence number x was received and the next packet, with sequence number x+1, is expected. In the same message it sets SYN=1, requesting a connection in the reverse direction (this ensures full-duplex communication), with its own sequence number seq=y.
3. The client sends a message confirming receipt to the server: ACK=1 indicates that the message from step 2 was received, and the acknowledgement number is set to y+1, meaning that the next packet expected from the server is y+1; the client's own sequence number is x+1, the packet the server expected to receive.
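As an added illustration that is not code from the patent, the following Python model runs the handshake just described between two endpoint objects and checks the seq/ack arithmetic at each step: the SYN consumes one sequence number, so the acknowledgement of a SYN sent with seq=x is x+1. The initial sequence numbers and endpoint names are assumptions of the example.

```python
# Added example (not from the patent): a minimal model of the TCP three-way
# handshake, tracking each side's state and the seq/ack arithmetic.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    """The TCP header fields the handshake depends on."""
    syn: bool
    ack: bool
    seq: int
    ack_num: Optional[int]  # None while the ACK flag is clear


class TcpEndpoint:
    """One side of a connection; only the handshake states are modelled."""

    def __init__(self, name: str, isn: int) -> None:
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn                  # next sequence number we will send
        self.rcv_nxt: Optional[int] = None  # next sequence number we expect

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Client side: send SYN (seq = x) and enter SYN-SENT."""
        if self.state != "CLOSED":
            raise RuntimeError(f"{self.name}: connect() in state {self.state}")
        self.state = "SYN-SENT"
        seg = Segment(syn=True, ack=False, seq=self.snd_nxt, ack_num=None)
        self.snd_nxt += 1  # the SYN flag occupies one sequence number
        return seg

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Advance the state machine; return the reply segment, if any."""
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            # Server: acknowledge x with x+1 and send our own SYN (seq = y).
            self.rcv_nxt = seg.seq + 1
            self.state = "SYN-RCVD"
            reply = Segment(syn=True, ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)
            self.snd_nxt += 1
            return reply
        if self.state == "SYN-SENT" and seg.syn and seg.ack:
            # Client: the SYN+ACK must acknowledge exactly our SYN (x+1).
            if seg.ack_num != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ack {seg.ack_num}, want {self.snd_nxt}")
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(syn=False, ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)
        if self.state == "SYN-RCVD" and seg.ack and not seg.syn:
            # Server: the final ACK (y+1) completes the handshake.
            if seg.ack_num != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ack {seg.ack_num}, want {self.snd_nxt}")
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"{self.name}: unexpected segment in state {self.state}")


def three_way_handshake(client_isn: int = 1000,
                        server_isn: int = 5000) -> Tuple[str, str, List[Segment]]:
    """Run the exchange; return both final states and the three segments."""
    client = TcpEndpoint("client", client_isn)  # ISNs are assumed values
    server = TcpEndpoint("server", server_isn)
    server.listen()
    syn = client.connect()            # 1. SYN,     seq = x
    syn_ack = server.receive(syn)     # 2. SYN+ACK, seq = y,     ack = x + 1
    ack = client.receive(syn_ack)     # 3. ACK,     seq = x + 1, ack = y + 1
    server.receive(ack)
    return client.state, server.state, [syn, syn_ack, ack]


if __name__ == "__main__":
    c_state, s_state, segments = three_way_handshake()
    for s in segments:
        print(s)
    print(c_state, s_state)
```

The same check on the acknowledgement number is what lets a firewall in the later embodiments tie a SYN+ACK it sees to the SYN that preceded it: the SYN+ACK acknowledges exactly the client's initial sequence number plus one.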
Fig. 1 is a schematic diagram of a system for auditing a database with a firewall according to an embodiment of the present application, as shown in fig. 1, where the system may include a plurality of firewalls (two firewalls, namely, firewall 1 and firewall 2, are shown in fig. 1), the database access traffic may pass through a load balancing server, the load balancing server may send the database access traffic to the firewall 1 or firewall 2 according to the operation states of the firewall 1 and firewall 2, the firewall 1 and firewall 2 may send the database access traffic to the database on the one hand, and audit the database access traffic and the access results returned by the database on the other hand, that is, audit programs (not shown in fig. 1) are provided on the firewall 1 and firewall 2, and the access (including the database access traffic and the access results returned by the database) of the database is audited by the audit programs on the firewall 1 and firewall 2.
In fig. 1, due to the existence of the load balancing server, the database access traffic of the same session may be sent to the firewall 1 and the firewall 2 by the load balancing server, which may cause the audit result to be scattered on the firewall 1 and the firewall 2, so that the complete audit result cannot be obtained.
To solve the above problems, the following embodiments provide a multi-firewall-based database auditing method. Fig. 2 is a flowchart of the method according to an embodiment of the present application; the steps of the method shown in fig. 2 are described below.
Step S202, each firewall of the plurality of firewalls sends session information of the sessions established through it to the other firewalls of the plurality, where a session is established between a database client and a database through at least one of the plurality of firewalls, and each firewall is provided with an auditing program used to audit the data packets exchanged between the database client and the database.
In step S204, a first firewall receives a data packet interacted between the database client and the database, where the first firewall is one of the plurality of firewalls.
Step S206, the first firewall judges whether the session to which the data packet belongs is established through the first firewall, if so, the first firewall sends the data packet to an auditing program arranged on the first firewall for auditing.
Step S208, if not, the first firewall obtains a second firewall that establishes a session to which the data packet belongs, and sends the data packet to the second firewall, where the second firewall is one of the multiple firewalls.
Step S210, after receiving the data packet, the second firewall sends the data packet to an auditing program set on the second firewall for auditing.
In the above steps, each firewall records every session it created and learns the sessions created by the other firewalls, so each firewall can determine which firewall established the session to which a data packet belongs and send the packet to that firewall; the data packets of one session are thereby guaranteed to be audited by the same firewall. This solves the prior-art problem that the complete audit result cannot be obtained because the traffic accessing the database is scattered across different firewalls for auditing, and ensures the integrity of the database audit result to a certain extent.
Fig. 3 is a schematic diagram of sending session information between firewalls according to an embodiment of the present application, where the system shown in fig. 3 is basically the same as that shown in fig. 1, and includes multiple firewalls, where the database access traffic passes through a load balancing server, and the load balancing server sends the database access traffic to the firewall 1 or the firewall 2 according to the operation states of the firewall 1 and the firewall 2, where the firewall 1 and the firewall 2 send the database access traffic to the database on one hand, and audit the database access traffic and the access results returned by the database on the other hand, that is, audit programs are provided on the firewall 1 and the firewall 2, and the database access is audited through the audit programs on the firewall 1 and the firewall 2. Unlike fig. 1, in fig. 3, information interaction is performed between the firewall 1 and the firewall 2, the firewall 1 transmits session information of a session established thereon to the firewall 2, and the firewall 2 transmits session information of a session established on the firewall to the firewall 1.
As an optional implementation, the load balancing server is connected to the plurality of firewalls. When the load balancing server receives the first SYN message with which a database client establishes a TCP connection, it obtains the load of the auditing program on every firewall, or the number of data packets each firewall's auditing program has finished auditing; it then selects the firewall whose auditing program has the smallest load (or the fewest completed audited packets) and sends the first SYN message to the selected firewall.
When the selected firewall receives the first SYN message, it judges whether the number of data packets not yet audited by its auditing program exceeds a threshold. If not, it forwards the SYN message to the database; if so, the selected firewall returns the SYN message to the load balancing server, which reselects a firewall and sends the SYN message to the newly selected one.
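The selection and reselection just described, as an added Python example that is not part of the patent. The field names, the backlog threshold value and the tie-breaking rule (first firewall in list order when loads are equal) are assumptions of this example.

```python
# Added example (not from the patent): balancer-side selection of the least
# loaded audit firewall, plus the firewall-side backlog check that bounces a
# SYN back for reselection. Names and the threshold value are assumed.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class AuditFirewall:
    name: str
    pending: int = 0        # packets handed to the audit program, not yet audited
    completed: int = 0      # packets whose audit has finished
    max_pending: int = 100  # backlog threshold (assumed value)

    def accepts_new_session(self) -> bool:
        """Firewall-side check: the SYN goes on to the database only while the
        unaudited backlog does not exceed the threshold."""
        return self.pending <= self.max_pending


class LoadBalancer:
    def __init__(self, firewalls: Iterable[AuditFirewall], metric: str = "load") -> None:
        # metric="load": smallest current audit load; metric="completed":
        # fewest packets already audited (the two criteria named in the text).
        if metric not in ("load", "completed"):
            raise ValueError("metric must be 'load' or 'completed'")
        self.firewalls: List[AuditFirewall] = list(firewalls)
        self.metric = metric

    def select(self, exclude: Iterable[str] = ()) -> Optional[AuditFirewall]:
        """Pick the best firewall among those not yet tried for this SYN."""
        excluded = set(exclude)
        candidates = [fw for fw in self.firewalls if fw.name not in excluded]
        if not candidates:
            return None
        if self.metric == "load":
            return min(candidates, key=lambda fw: fw.pending)
        return min(candidates, key=lambda fw: fw.completed)

    def dispatch_syn(self) -> Optional[str]:
        """Route a client's first SYN. A firewall over its threshold returns the
        SYN; the balancer then reselects among the remaining firewalls and
        gives up (None) only when every firewall has refused."""
        tried: Set[str] = set()
        while True:
            fw = self.select(exclude=tried)
            if fw is None:
                return None
            if fw.accepts_new_session():
                fw.pending += 1  # the new session's first packet queues here
                return fw.name
            tried.add(fw.name)


if __name__ == "__main__":
    lb = LoadBalancer([AuditFirewall("fw1", pending=5, completed=100),
                       AuditFirewall("fw2", pending=2, completed=300)])
    print(lb.dispatch_syn())
```

Tracking the set of firewalls already tried is what keeps the reselection from cycling when every firewall is saturated; without it, two over-threshold firewalls would pass the SYN back and forth indefinitely.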
The session information may include a network address of the database client, a port number of the database client, a network address of the database, and a port number of the database. In this case, the connections established by different database clients with the same database belong to different sessions, as do the connections of the same database client with different databases. In an optional implementation manner, the first firewall judges whether the session to which the data packet belongs is established through the first firewall, wherein the first firewall searches session information recorded in the first firewall according to a source network address and a port number of the data packet and a destination network address and a port number, the session information comprises a network address of a database client, the port number of the database client, the network address of the database and the port number of the database, and if the first firewall can find session information matched with the source network address and the port number of the data packet and the destination network address and the port number, whether the session corresponding to the matched session information is established in the first firewall is judged.
The second firewall can also distinguish whether a data packet comes from another firewall and process it accordingly: the second firewall judges whether the data packet comes from another firewall, and once it determines that it does, it sends the packet to the auditing program arranged on the second firewall for auditing.
As an optional implementation manner, if the second firewall determines that the data packet originates from another firewall, on one hand, the second firewall sends the data packet to an auditing program set on the second firewall for auditing, and on the other hand, the second firewall also obtains a source network address, a port number, a destination network address and a port number of the data packet, and sends the obtained network address and port number as session information to the other firewall, so as to instruct the other firewall that the session to which the data packet belongs is located in the second firewall.
And under the condition that the second firewall determines that the data packet originates from the database client or the database, the second firewall searches the session to which the data packet belongs in the locally recorded session information, and under the condition that the session to which the data packet belongs is established by the second firewall, the second firewall sends the data packet to an auditing program arranged on the second firewall for auditing.
After a data packet reaches a firewall, the firewall first judges whether the packet is addressed to a database protected by the firewall. Only packets accessing a protected database enter the processing flow below; packets that do not access a protected database need neither processing nor transfer by the firewall.
In the case of two firewalls, suppose the first firewall (firewall 1) receives a SYN+ACK packet (also called a message) of a session. Because the packet carries both the SYN and ACK flags, some database client has already sent the first SYN packet to the database. The first firewall records the sequence number (seq) and ACK information carried in the SYN+ACK. After recording them, the first firewall transfers the SYN+ACK to the second firewall (firewall 2); the second firewall records the seq and ACK information and forwards the information back to the first firewall (the one that received the SYN+ACK). Through this forwarding the first firewall informs the second firewall that the session established by this SYN+ACK is processed on the first firewall.
When the first firewall receives a non-SYN request packet of a session, it creates the session. If the first firewall has already recorded the SYN and ACK of that session, it determines that the session's data packets are processed by the first firewall; the non-SYN request packet is then sent to a protocol analysis process (NPP), which passes the data packet directly to the auditing program for auditing.
If the second firewall receives a response packet of the session, the second firewall has also recorded that the session is processed by the first firewall, so it transfers the response packet directly to the first firewall. The first firewall judges that the session was established on it, audits the response packet there, and after auditing forwards the response packet according to the port record of the session. If the first firewall has not created the session, the packet is transferred back to the second firewall; after receiving it, the second firewall judges whether the session should be processed on the second firewall, and if so processes it there, otherwise transfers it to the other firewall for processing.
In an alternative embodiment, to prevent a data packet from being forwarded back and forth between the first and second firewalls, the following is done. When the first firewall receives a data packet sent by the second firewall and finds that the session of the packet is not processed on the first firewall, the first firewall records the packet, the record indicating that this packet has been forwarded to the second firewall. If the first firewall receives the same packet again, it determines from the record that the packet has already been forwarded to the second firewall once, and forwards it to the firewalls other than the second firewall. If the packet has already been forwarded to all firewalls, the first firewall audits the packet itself, records the session information corresponding to the packet, and processes the packets of that session from then on.
With this embodiment it can be determined which firewall created a session, and all data packets of the session are audited on that firewall. Thus the database access traffic of one session is guaranteed to be audited on the same firewall.
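The mechanism of steps S202 to S210, together with the session-information matching on the client/database address and port tuple, the protected-database check and the loop-prevention rule of the preceding paragraphs, as an added Python model that is not part of the patent. Firewall names, addresses, the sample packets and the way the forwarding record is carried along with the packet (a set of firewalls already visited, where the patent keeps that record on the firewall) are assumptions of this example.

```python
# Added example (not from the patent): in-memory model of session-affine
# auditing across several firewalls. Names, addresses and the per-packet
# "visited" record are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

FourTuple = Tuple[str, int, str, int]  # (client ip, client port, db ip, db port)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Firewall:
    def __init__(self, name: str, protected_dbs: Set[Tuple[str, int]]) -> None:
        self.name = name
        self.protected_dbs = protected_dbs
        self.peers: List["Firewall"] = []          # the other firewalls
        self.sessions: Dict[FourTuple, str] = {}   # session info -> owning firewall
        self.audit_log: List[Tuple[FourTuple, str]] = []

    # Step S202: record a session established here and tell the other firewalls.
    def claim(self, key: FourTuple) -> None:
        self.sessions[key] = self.name
        for fw in self.peers:
            fw.sessions[key] = self.name

    def protects(self, pkt: Packet) -> bool:
        """Only traffic to or from a protected database enters the flow."""
        return ((pkt.dst_ip, pkt.dst_port) in self.protected_dbs
                or (pkt.src_ip, pkt.src_port) in self.protected_dbs)

    def session_key(self, pkt: Packet) -> FourTuple:
        """Normalise both directions to (client, database) so a query and the
        database's response map to the same session record."""
        if (pkt.dst_ip, pkt.dst_port) in self.protected_dbs:
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def audit(self, key: FourTuple, pkt: Packet) -> str:
        self.audit_log.append((key, pkt.payload))
        return f"audited@{self.name}"

    # Steps S204 to S210. `visited` is empty for a packet arriving from the
    # client or database and lists the firewalls a forwarded packet has passed.
    def handle(self, pkt: Packet, visited: FrozenSet[str] = frozenset()) -> str:
        if not self.protects(pkt):
            return "ignored"
        key = self.session_key(pkt)
        visited = visited | {self.name}
        owner = self.sessions.get(key)

        if owner == self.name:                           # S206: our own session
            return self.audit(key, pkt)

        if owner is None and not visited - {self.name}:
            # Unknown session arriving directly from the client or database:
            # it is being established through this firewall, so claim it.
            self.claim(key)
            return self.audit(key, pkt)

        if owner is not None and owner not in visited:   # S208: hand to owner
            return self._peer(owner).handle(pkt, visited)

        # Forwarded packet that no firewall on its path recognised (or whose
        # recorded owner was already tried): loop prevention. Try each remaining
        # firewall once; when all have been tried, audit here and take over.
        for fw in self.peers:
            if fw.name not in visited:
                return fw.handle(pkt, visited)
        self.claim(key)
        return self.audit(key, pkt)

    def _peer(self, name: str) -> "Firewall":
        return next(fw for fw in self.peers if fw.name == name)


def build_cluster(names: List[str],
                  protected_dbs: Set[Tuple[str, int]]) -> Dict[str, Firewall]:
    """Wire up firewalls that all protect the same databases."""
    fws = {n: Firewall(n, protected_dbs) for n in names}
    for fw in fws.values():
        fw.peers = [p for p in fws.values() if p is not fw]
    return fws


if __name__ == "__main__":
    cluster = build_cluster(["fw1", "fw2"], {("10.0.0.5", 3306)})  # constructed
    query = Packet("192.168.1.10", 50000, "10.0.0.5", 3306, payload="SELECT 1")
    reply = Packet("10.0.0.5", 3306, "192.168.1.10", 50000, payload="1 row")
    print(cluster["fw1"].handle(query))  # claimed and audited on fw1
    print(cluster["fw2"].handle(reply))  # balancer sent it to fw2; forwarded to fw1
```

Because `visited` only ever grows and a firewall forwards only to peers not yet in it, a packet touches each firewall at most once before some firewall audits it and records the session, which is the termination guarantee the loop-prevention embodiment relies on.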
In this embodiment, there is provided an electronic device including a memory in which a computer program is stored, and a processor configured to run the computer program to perform the method in the above embodiment.
The above-described programs may be run on a processor or may also be stored in memory (or referred to as computer-readable media), including both permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technique. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks, and corresponding steps may be implemented in different modules.
Such an apparatus or system is provided in this embodiment. The apparatus is called a multi-firewall-based database auditing apparatus and is located in a first firewall. It comprises a sending module, a receiving module and a judging module. The sending module is configured to send session information of a session established through the first firewall to the other firewalls in a plurality of firewalls, wherein the session is established between a database client and a database through at least one of the plurality of firewalls, and each firewall is provided with an auditing program for auditing the data packets exchanged between the database client and the database. The receiving module is configured to receive the data packets exchanged between the database client and the database, the first firewall being one of the plurality of firewalls. The judging module is configured to judge whether the session to which a data packet belongs was established through the first firewall; if so, the first firewall sends the data packet to the auditing program provided on the first firewall for auditing; if not, it obtains the second firewall through which the session to which the data packet belongs was established and sends the data packet to that second firewall, the second firewall being one of the plurality of firewalls and being configured to send the data packet to the auditing program provided on the second firewall for auditing after receiving it.
The system or apparatus implements the functions of the method in the above embodiment; each of its modules corresponds to a step of the method, which has already been described and is not repeated here.
Optionally, the judging module is configured to search for session information recorded in the first firewall according to the source network address and the port number and the destination network address and the port number of the data packet, where the session information includes the network address of the database client, the port number of the database client, the network address of the database, and the port number of the database, and if session information matched with the source network address and the port number and the destination network address and the port number of the data packet can be found, judge whether a session corresponding to the matched session information is established in the first firewall.
Optionally, the system further comprises a second judging module and a second sending module, wherein the second judging module and the second sending module are located in the second firewall, the second judging module is used for judging whether the data packet is sourced from other firewalls, and the second sending module is used for sending the data packet to an auditing program arranged on the second firewall for auditing after determining that the data packet is sourced from the other firewalls.
Optionally, the second sending module is configured to, when it is determined that the data packet originates from the database client or the database, search, by the second firewall, a session to which the data packet belongs in locally recorded session information, and when the session to which the data packet belongs is established by the second firewall, send, by the second firewall, the data packet to an audit program set on the second firewall for auditing.
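The following is an added simulation, not code from the patent or its applicant, of the behaviour described above and in the alternative embodiment: each firewall announces the sessions it established to its peers; a packet is matched against recorded session information in both flow directions; a packet that belongs to another firewall's session is handed to that firewall, which audits it; and a packet whose session no firewall has recorded is offered to each firewall in turn until all have been tried, after which the firewall holding it adopts the session and audits every later packet of it. The same logic is what claims 1 and 2 recite. Class, method and endpoint names are illustrative assumptions, and the sample traffic is constructed.

```python
"""Session-affinity auditing across several database firewalls.

Added example, not code from the patent or its applicant. It simulates the
mechanism the description gives: each firewall announces the sessions it
established to its peers; a packet belonging to another firewall's session
is handed to that firewall; and a packet whose session no firewall has
recorded is passed round until every firewall has been tried, after which
the firewall holding it adopts the session and audits it from then on.
All class, field and endpoint names here are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Endpoint = Tuple[str, int]              # (network address, port number)
SessionKey = Tuple[Endpoint, Endpoint]  # (client endpoint, database endpoint)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str
    # Record of the firewalls this packet has already been offered to. The text
    # keeps this record on the firewall; carrying it with the forwarded copy is
    # an equivalent simplification made for the simulation.
    tried: FrozenSet[str] = frozenset()


class Firewall:
    def __init__(self, name: str, cluster: Dict[str, "Firewall"]) -> None:
        self.name = name
        self.cluster = cluster                      # the plurality of firewalls
        self.sessions: Dict[SessionKey, str] = {}   # session -> owning firewall
        self.audit_log: List[str] = []              # payloads audited on this firewall
        cluster[name] = self

    def establish_session(self, client: Endpoint, database: Endpoint) -> None:
        """A session set up through this firewall: record it and tell every peer."""
        self._announce((client, database), self.name)

    def _announce(self, key: SessionKey, owner: str) -> None:
        for fw in self.cluster.values():            # sending module: session info to all
            fw.sessions[key] = owner

    def _lookup(self, pkt: Packet) -> Optional[str]:
        """Judging module: match both directions of the flow against session info."""
        for key in ((pkt.src, pkt.dst), (pkt.dst, pkt.src)):
            if key in self.sessions:
                return self.sessions[key]
        return None

    def receive(self, pkt: Packet) -> str:
        """Handle one packet; return the name of the firewall that audited it."""
        owner = self._lookup(pkt)
        if owner == self.name:
            self.audit_log.append(pkt.payload)      # our session: audit locally
            return self.name
        if owner is not None:
            # Another firewall's session: hand the packet to it. Assumption: the
            # inter-firewall link is trusted, because the receiver audits a packet
            # that arrives from a peer without re-checking its origin.
            return self.cluster[owner].receive(pkt)
        return self._handle_unclaimed(pkt)

    def _handle_unclaimed(self, pkt: Packet) -> str:
        tried = pkt.tried | {self.name}
        for name, fw in self.cluster.items():
            if name not in tried:                   # offer it to a firewall not yet asked
                return fw.receive(Packet(pkt.src, pkt.dst, pkt.payload, tried=tried))
        # Every firewall has been tried and none owns the session: adopt it here,
        # announce the ownership, and audit this and all later packets of the session.
        # Orientation of the key does not matter, since _lookup tries both directions.
        self._announce((pkt.src, pkt.dst), self.name)
        self.audit_log.append(pkt.payload)
        return self.name


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: three firewalls, one known session, one unclaimed flow."""
    cluster: Dict[str, Firewall] = {}
    fw_a, fw_b, fw_c = (Firewall(n, cluster) for n in ("fw-a", "fw-b", "fw-c"))
    client, database = ("10.0.0.5", 51234), ("10.0.1.20", 3306)  # constructed endpoints
    fw_a.establish_session(client, database)         # session created through fw-a

    # Query goes out via fw-b and the reply returns via fw-c; both end up on fw-a.
    fw_b.receive(Packet(client, database, "SELECT 1"))
    fw_c.receive(Packet(database, client, "result row"))

    # A flow whose setup no firewall recorded reaches fw-b: passed round, adopted by
    # the last firewall tried (fw-c), which then also receives the reply from fw-a.
    other = ("10.0.0.9", 40000)
    fw_b.receive(Packet(other, database, "SELECT 2"))
    fw_a.receive(Packet(database, other, "result row 2"))
    return {name: list(fw.audit_log) for name, fw in cluster.items()}


if __name__ == "__main__":
    for name, entries in demo().items():
        print(name, entries)
```

Running the module prints one line per firewall with the payloads it audited; both packets of the session established through fw-a land in fw-a's log even though they arrived at fw-b and fw-c, and the unclaimed flow is audited entirely on the firewall that adopted it. The trusted inter-firewall link noted in the comment is an assumption of this simulation, since the description audits a packet received from a peer without a further origin check.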
The method and apparatus address the problem in the prior art that traffic accessing a database is scattered across different firewalls for auditing, so that a complete audit result cannot be obtained, and thereby ensure, to a certain extent, the integrity of the database audit result.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (2)

1. A multi-firewall based database auditing method, comprising:
each firewall in the plurality of firewalls sends session information of a session established through the firewall to other firewalls in the plurality of firewalls, wherein the session is established between a database client and a database through at least one of the plurality of firewalls, and each firewall is provided with an audit program for auditing data packets interacted between the database client and the database;
A first firewall receives a data packet interacted between the database client and the database, wherein the first firewall is one of the plurality of firewalls;
The first firewall judges whether a session to which the data packet belongs is established through the first firewall, if so, the first firewall sends the data packet to an audit program arranged on the first firewall for audit, wherein the first firewall searches session information recorded in the first firewall according to a source network address and a port number of the data packet and a destination network address and a port number, and the session information comprises a network address of a database client, the port number of the database client, the network address of the database and the port number of the database;
If not, the first firewall acquires a second firewall for establishing the session to which the data packet belongs and sends the data packet to the second firewall, wherein the second firewall is one of the plurality of firewalls;
The second firewall sends the data packet to an auditing program arranged on the second firewall for auditing after receiving the data packet, wherein the second firewall judges whether the data packet is sourced from other firewalls, the second firewall sends the data packet to the auditing program arranged on the second firewall for auditing after determining that the data packet is sourced from other firewalls, the second firewall searches session information of the data packet in a local record under the condition that the data packet is sourced from the database client or the database, and the second firewall sends the data packet to the auditing program arranged on the second firewall for auditing under the condition that the session of the data packet is established by the second firewall.
2. A multi-firewall based database auditing apparatus, located in a first firewall, comprising:
A sending module, configured to send session information of a session established through the first firewall to other firewalls in a plurality of firewalls, wherein the session is established between a database client and a database through at least one of the plurality of firewalls, and each firewall is provided with an audit program for auditing data packets interacted between the database client and the database;
The receiving module is used for receiving the data packet interacted between the database client and the database, wherein the first firewall is one of the plurality of firewalls;
A judging module, configured to judge whether a session to which the data packet belongs is established through the first firewall, if so, the first firewall sends the data packet to an audit program arranged on the first firewall for audit, and if not, a second firewall through which the session to which the data packet belongs is established is obtained and the data packet is sent to the second firewall, wherein the second firewall is one of the plurality of firewalls and is configured to send the data packet to an audit program arranged on the second firewall for audit after receiving the data packet; wherein the judging module searches session information recorded in the first firewall according to a source network address and port number and a destination network address and port number of the data packet, the session information comprising a network address of the database client, the port number of the database client, the network address of the database and the port number of the database, and, if session information matching the source network address and port number and the destination network address and port number of the data packet is found, judges whether the session corresponding to the matched session information is established in the first firewall; and wherein the second firewall judges whether the data packet is sourced from other firewalls, sends the data packet to the audit program arranged on the second firewall for audit after determining that the data packet is sourced from other firewalls, searches the session to which the data packet belongs in locally recorded session information in the case that the data packet is sourced from the database client or the database, and sends the data packet to the audit program arranged on the second firewall for audit in the case that the session to which the data packet belongs is established by the second firewall.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310199274.7A CN116192921B (en) 2023-02-28 2023-02-28 Database auditing method and device based on multiple firewalls

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310199274.7A CN116192921B (en) 2023-02-28 2023-02-28 Database auditing method and device based on multiple firewalls

Publications (2)

Publication Number Publication Date
CN116192921A CN116192921A (en) 2023-05-30
CN116192921B true CN116192921B (en) 2025-05-13

Family

ID=86447380

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310199274.7A Active CN116192921B (en) 2023-02-28 2023-02-28 Database auditing method and device based on multiple firewalls

Country Status (1)

Country Link
CN (1) CN116192921B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104135461A (en) * 2013-05-02 2014-11-05 中国移动通信集团河北有限公司 Firewall policy processing method and device
CN109040089A (en) * 2018-08-15 2018-12-18 深圳前海微众银行股份有限公司 Network strategy auditing method, equipment and computer readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2807560B1 (en) * 2012-01-24 2019-12-04 SSH Communications Security Oyj Privileged access auditing

Also Published As

Publication number Publication date
CN116192921A (en) 2023-05-30

Similar Documents

Publication Publication Date Title
US11509672B2 (en) Method and system for limiting the range of data transmissions
US10630784B2 (en) Facilitating a secure 3 party network session by a network device
CN113169981B (en) Using Blockchain for Distributed Denial of Service Attack Mitigation
US9729655B2 (en) Managing transfer of data in a data network
US20180124052A1 (en) Facilitating secure network traffic by an application delivery controller
EP3092749B1 (en) Method and apparatus of identifying proxy ip address
US9654445B2 (en) Network traffic filtering and routing for threat analysis
US20070294209A1 (en) Communication network application activity monitoring and control
US10735453B2 (en) Network traffic filtering and routing for threat analysis
CN112738095A (en) Method, device, system, storage medium and equipment for detecting illegal external connection
CN111886840B (en) Systems, methods, devices, computer-readable media for auditing application network traffic
US7552206B2 (en) Throttling service connections based on network paths
US9509777B2 (en) Connection method and management server
CN102598637B (en) Communication Systems
CN116192921B (en) Database auditing method and device based on multiple firewalls
CN116708041B (en) Camouflage proxy method, device, equipment and medium
CN115118640B (en) Database auditing processing method and system in presence of proxy equipment
Al Awadi Dual-layer sdn model for deploying and securing network forensic in distributed data center
CN117093639B (en) Socket connection processing method and system based on audit service
Takemori et al. Host-based traceback; tracking bot and C&C server
CN119276533A (en) A method and system for testing a client in a local area network
CN119814615A (en) A TCP service network status detection method based on OVN
CN116450679A (en) Block chain event processing method, device, node device and storage medium
CN116248471A (en) Flow detection system, method, device and storage medium thereof
JP2009055222A (en) Attack packet countermeasure system, attack packet countermeasure method, attack packet countermeasure device, and attack packet countermeasure program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant