US-12627710-B2 - Network security protection method and protection device
Abstract
This application provides a network security protection method and a protection device, and pertains to the field of communication technologies. When a client and a server exchange a packet in a first session, a protection device identifies an application layer protocol type based on application layer data in the packet in the first session, and if it determines, based on the application layer protocol type, that the detection mode is a proxy mode, the protection device performs security detection on a subsequent packet in the first TCP session in the proxy mode. This breaks the technical bottleneck that the packet in the first TCP session can be detected in only a flow mode, ensures that the packet in the first TCP session can also be detected in the proxy mode, and avoids missed attack detection that would otherwise result from the packet in the first TCP session being limited to the flow mode.
Inventors
- Xinqian HE
- Kan Zhou
Assignees
- HUAWEI TECHNOLOGIES CO., LTD.
Dates
- Publication Date
- 20260512
- Application Date
- 20230509
- Priority Date
- 20201110
Claims (16)
- 1. A network security protection method, wherein the method comprises: obtaining, by a protection device, a first data packet in a first transmission control protocol (TCP) session between a client device and a server, wherein the first TCP session is an initial session established between the client device and the server, and the protection device is deployed between the client device and the server; identifying, by the protection device, an application layer protocol type of the first data packet based on application layer data of the first data packet; determining, by the protection device, based on a correspondence between application layer protocol types and detection modes supported by the protection device, that a detection mode corresponding to the application layer protocol type of the first data packet is a proxy mode, wherein the detection modes include the proxy mode and a flow mode; and performing, by the protection device, security detection on a subsequent packet in the first TCP session in the proxy mode.
- 2. The method according to claim 1, wherein before the obtaining, by a protection device, a first data packet in a first transmission control protocol (TCP) session between a client device and a server, the method further comprises: obtaining, by the protection device, a first handshake packet transmitted between the client device and the server, wherein the first handshake packet is used to create the first TCP session, the first handshake packet comprises a first option and a second option, the first option is an option supported by the protection device, and the second option is an option not supported by the protection device; deleting, by the protection device, the second option from the first handshake packet, to obtain a second handshake packet; and sending, by the protection device, the second handshake packet to a destination device of the first handshake packet.
- 3. The method according to claim 2, wherein the subsequent packet in the first TCP session comprises a second data packet, and the performing, by the protection device, security detection on a subsequent packet in the first TCP session in the proxy mode comprises: receiving and buffering, by the protection device, the second data packet; generating, by the protection device, an acknowledgement packet for the second data packet based on the first option; and sending, by the protection device, the acknowledgement packet for the second data packet to a source device of the second data packet, wherein the source device of the second data packet is the client device or the server.
- 4. The method according to claim 2, wherein the subsequent packet in the first TCP session comprises a third data packet, and the performing, by the protection device, security detection on a subsequent packet in the first TCP session in the proxy mode comprises: sending and buffering, by the protection device, the third data packet; and based on the third data packet satisfying a retransmission condition, resending, by the protection device, the third data packet to a destination device of the third data packet based on the first option, wherein the destination device of the third data packet is the client device or the server.
- 5. The method according to claim 4, wherein the retransmission condition comprises: the protection device does not receive an acknowledgement packet for a data packet; or the first option is a selective acknowledgement (SACK) option, and the retransmission condition comprises: the protection device determines, based on information in a SACK option from a destination device of a data packet, that a packet loss occurs in the data packet.
- 6. The method according to claim 2, wherein the first handshake packet is a synchronize sequence number (SYN) packet from the client device, and the destination device of the first handshake packet is the server; or the first handshake packet is a synchronize sequence number acknowledgement (SYN ACK) packet from the server, and the destination device of the first handshake packet is the client device.
- 7. The method according to claim 1, wherein the security detection is anti-virus (AV) detection, and the performing, by the protection device, security detection on a subsequent packet in the first TCP session in the proxy mode comprises: performing, by the protection device, AV detection on a fourth data packet in the first TCP session in the proxy mode, wherein the fourth data packet is a packet transmitted after the first data packet in the first TCP session; and the method further comprises: based on a result of the AV detection performed by the protection device on the fourth data packet in the first TCP session being that there is no virus, switching, by the protection device, to the flow mode, and continuing to perform, in the flow mode, security detection on a subsequent packet transmitted after the fourth data packet in the first TCP session.
- 8. The method according to claim 1, wherein the performing, by the protection device, security detection on a subsequent packet in the first TCP session in the proxy mode comprises: detecting, by the protection device, a fifth data packet in the first TCP session in the proxy mode, wherein the fifth data packet is a packet transmitted after the first data packet in the first TCP session; and the method further comprises: based on application layer data of the fifth data packet indicating that the client device and the server are to perform encrypted communication in the TCP session, switching, by the protection device, to the flow mode, and continuing to perform, in the flow mode, security detection on a subsequent packet transmitted after the fifth data packet in the first TCP session.
- 9. A protection device, wherein the protection device comprises: an obtaining unit, configured to obtain a first data packet in a first transmission control protocol (TCP) session between a client device and a server, wherein the first TCP session is an initial session established between the client device and the server, and the protection device is deployed between the client device and the server; and a processor, configured to identify an application layer protocol type of the first data packet based on application layer data of the first data packet, wherein the processor is further configured to determine, based on a correspondence between application layer protocol types and detection modes supported by the protection device, that a detection mode corresponding to the application layer protocol type of the first data packet is a proxy mode, wherein the detection modes include the proxy mode and a flow mode; and the processor is further configured to perform security detection on a subsequent packet in the first TCP session in the proxy mode.
- 10. The protection device according to claim 9, wherein the obtaining unit is further configured to obtain a first handshake packet transmitted between the client device and the server, wherein the first handshake packet is used to create the first TCP session, the first handshake packet comprises a first option and a second option, the first option is an option supported by the protection device, and the second option is an option not supported by the protection device; the processor is further configured to delete the second option from the first handshake packet, to obtain a second handshake packet; and the protection device further comprises a sending unit, and the sending unit is configured to send the second handshake packet to a destination device of the first handshake packet.
- 11. The protection device according to claim 10, wherein the subsequent packet in the first TCP session comprises a second data packet; the protection device further comprises a receiving unit and a storage unit, the receiving unit is configured to receive the second data packet, and the storage unit is configured to buffer the second data packet; the processor is configured to generate an acknowledgement packet for the second data packet based on the first option; and the sending unit is configured to send the acknowledgement packet for the second data packet to a source device of the second data packet, wherein the source device of the second data packet is the client device or the server.
- 12. The protection device according to claim 10, wherein the subsequent packet in the first TCP session comprises a third data packet, and the sending unit is configured to send the third data packet; the protection device further comprises a storage unit, and the storage unit is configured to buffer the third data packet; and the sending unit is further configured to: based on the third data packet satisfying a retransmission condition, resend the third data packet to a destination device of the third data packet based on the first option, wherein the destination device of the third data packet is the client device or the server.
- 13. The protection device according to claim 9, wherein the security detection is anti-virus (AV) detection, and the processor is configured to perform AV detection on a fourth data packet in the first TCP session in the proxy mode, wherein the fourth data packet is a packet transmitted after the first data packet in the first TCP session; and the processor is further configured to: based on a result of the AV detection performed on the fourth data packet in the first TCP session being that there is no virus, switch to the flow mode, and continue to perform, in the flow mode, security detection on a subsequent packet transmitted after the fourth data packet in the first TCP session.
- 14. The protection device according to claim 9, wherein the processor is configured to detect a fifth data packet in the first TCP session in the proxy mode, wherein the fifth data packet is a packet transmitted after the first data packet in the first TCP session; and the processor is further configured to: based on application layer data of the fifth data packet indicating that the client device and the server are to perform encrypted communication in the TCP session, switch to the flow mode, and continue to perform, in the flow mode, security detection on a subsequent packet transmitted after the fifth data packet in the first TCP session.
- 15. A protection device, wherein the protection device comprises a processor and a communication interface, the processor is configured to execute program code to enable the protection device to perform the method according to claim 1, and the communication interface is configured to receive or send a packet.
- 16. A computer program product, wherein the computer program product comprises one or more computer program instructions, and when the computer program instructions are loaded and executed by a computer, the computer is enabled to perform the network security protection method according to claim 1.
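The decision logic of claims 1, 2, 7 and 8 (identify the application layer protocol from the first data packet, look up its detection mode, strip unsupported TCP options from the handshake, and fall back to flow mode after a clean AV result or when the peers announce encryption), as an added Python simulation that is not part of the patent or any Huawei product. The protocol signatures, the protocol-to-mode table, the set of supported option kinds and the AV signature are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Option kinds the simulated proxy stack can honour (assumption: TCP timestamps
# are not implemented, so a TIMESTAMP option is the "second option" of claim 2).
SUPPORTED_OPTIONS = {"MSS", "WSCALE", "SACK_PERMITTED"}
# Claim 1's correspondence table; which protocol gets which mode is constructed.
MODE_TABLE = {"HTTP": "proxy", "SMTP": "proxy", "TLS": "flow", "UNKNOWN": "flow"}
# Constructed byte pattern standing in for a real AV signature (claim 7).
AV_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def strip_unsupported_options(options):
    """Claim 2: drop options the device cannot honour from a SYN or SYN ACK
    before forwarding, so the ACKs it later generates itself stay consistent."""
    return [o for o in options if o in SUPPORTED_OPTIONS]

def identify_app_protocol(payload):
    """Classify the first data packet's application layer data (constructed
    signatures, not the patent's classifier)."""
    if payload.startswith(b"\x16\x03"):                    # TLS record header
        return "TLS"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "HTTP"
    if payload.upper().startswith((b"EHLO", b"HELO", b"MAIL FROM")):
        return "SMTP"
    return "UNKNOWN"

def starts_encryption(payload):
    """Claim 8: application data announcing that the peers will now encrypt."""
    return payload.upper().startswith(b"STARTTLS") or payload.startswith(b"\x16\x03")

@dataclass
class FirstSession:
    mode: str = "undecided"
    buffer: bytearray = field(default_factory=bytearray)   # proxy-mode reassembly

    def on_first_data_packet(self, payload):
        """Claim 1: choose the detection mode from the identified protocol."""
        self.mode = MODE_TABLE[identify_app_protocol(payload)]
        return self.mode

    def on_subsequent_packet(self, payload):
        """Claims 7 and 8: proxy mode buffers and scans; a clean AV result or a
        switch to encrypted communication drops the session back to flow mode."""
        if self.mode != "proxy":
            return self.mode, None            # flow mode: forward, no buffering
        self.buffer += payload
        infected = AV_SIGNATURE in self.buffer
        if starts_encryption(payload) or not infected:
            self.mode = "flow"
        return self.mode, infected
```

An infected result leaves the session in proxy mode, where the device still holds the buffered data and can refuse to forward it.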
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation of International Application No. PCT/CN2021/088488, filed on Apr. 20, 2021, which claims priority to Chinese Patent Application No. 202011248794.5, filed on Nov. 10, 2020. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.
TECHNICAL FIELD
This application relates to the field of communication technologies, and in particular, to a network security protection method and a protection device.
BACKGROUND
A basic principle of an existing network security protection solution is that a protection device (such as a firewall) is deployed between a client and a protected server, and the protection device detects a packet exchanged between the client and the server. A proxy mode is an important detection mode of the protection device. The principle of the proxy mode is that the protection device, instead of the server, sends an acknowledgement packet to the client, and the protection device, instead of the client, sends an acknowledgement packet to the server. In the proxy mode, the protection device needs to use a transmission control protocol/internet protocol (TCP/IP) protocol stack to reliably send a packet. The proxy mode helps detect a complex network attack and can better meet a security protection requirement. However, in the proxy mode, the protection device needs to buffer and reassemble a large quantity of data packets and support a complete protocol stack, so a large quantity of resources are consumed. In a related technology, when there are a large quantity of clients and servers, due to a limitation of processing performance, it is difficult for a protection device to detect, in the proxy mode, packets exchanged in all sessions between each client and each server.
A common practice is that the protection device performs identification in the process in which the first session is established between the client and the server, and records information such as an IP address, a destination port number, and a protocol type of the first session, to determine whether it is necessary to perform, in the proxy mode, detection on a subsequent session established between the same client and the same server through the same port. In this solution, the protection device actually does not perform security detection on a packet in the first session established between the client and the server. Consequently, if attack behavior exists in the packet exchanged between the client and the server in the first session, the protection device misses that detection.
SUMMARY
Embodiments of this application provide a network security protection method and a protection device, to help avoid missing detection when attack behavior exists in a packet in the first session. The technical solutions are as follows.
According to a first aspect, a network security protection method is provided. In the method, a protection device obtains a first data packet in a first TCP session between a client device and a server, where the first TCP session is the first session established between the client device and the server, and the protection device is deployed between the client device and the server; the protection device identifies an application layer protocol type of the first data packet based on application layer data of the first data packet; the protection device determines that a detection mode corresponding to the application layer protocol type is a proxy mode; and the protection device performs security detection on a subsequent packet in the first TCP session in the proxy mode. The first aspect provides a solution for quickly switching to the proxy mode.
When the client and the server exchange a packet in the first session, the protection device identifies an application layer protocol type based on application layer data in the packet in the first session, and if it determines, based on the application layer protocol type, that the detection mode is the proxy mode, the protection device performs security detection on a subsequent packet in the first TCP session in the proxy mode. This breaks the technical bottleneck that the packet in the first TCP session can be detected in only a flow mode, ensures that the packet in the first TCP session can also be detected in the proxy mode, and avoids missed attack detection that would otherwise result from the packet in the first TCP session being limited to the flow mode.
Optionally, before the protection device obtains the first data packet in the first TCP session between the client device and the server, the method further includes: The protection device obtains a first handshake packet transmitted between the client device and the server, where the first handshake packet is used to create the first TCP session, the first handshake packet includes a first option and a second option, the first option is an option supported by the protection device, and the second option is an op