CN102523212A - Method and device capable of adjusting firewall system testing flow automatically - Google Patents


Info

Publication number: CN102523212A
Authority: CN (China)
Prior art keywords: flow, test, firewall system, configuration file, stage
Legal status: Granted
Application number: CN2011104144111A
Other languages: Chinese (zh)
Other versions: CN102523212B (en)
Inventors: 陈霄, 康瑜
Current assignee: Beijing Topsec Technology Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd
Application filed by Beijing Topsec Technology Co Ltd
Priority to CN201110414411.1A (CN102523212B)
Publication of CN102523212A
Application granted; publication of CN102523212B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method capable of adjusting firewall system test traffic automatically. The method comprises the steps of generating a configuration file; converting the configuration file into a control script; and automatically executing the firewall system test according to the control script. The configuration file comprises the stages required by the test, the traffic to be sent in each stage, the configuration commands to be sent to the device according to the test, and the commands for adjusting the traffic according to the device state and the stage. With this technical scheme, the tester only performs the test settings in the configuration file according to the system testing idea, and the subsequent test is completed automatically without manual operation by the tester. The invention also discloses a device capable of adjusting firewall system test traffic automatically, comprising a configuration file generating module, a configuration file converting module and a test executing module.

Description

Method and apparatus for automatically adjusting firewall system test traffic
Technical field
The present invention relates to the field of firewall testing, and in particular to a method and apparatus for automatically adjusting test traffic during firewall system testing.
Background technology
In firewall testing, system integration testing is carried out after the functional tests of the individual modules are complete: the functional modules are integrated and the whole device undergoes pressure (stress) and stability testing, with the entire test centred on simulating users. System testing has three main characteristics: 1) whole device: functional testing completes the functions of each module, whereas whole-device testing is the combined test of all modules of the entire device, and depending on time and circumstances this combined test may range from a few modules to essentially all modules; 2) pressure: traffic is sent and adjusted according to the test content; 3) stability: the test duration is controlled according to the test content.
Traditional firewall system testing usually uses one of the following two methods:
Method one: a test instrument or traffic generator sends a large volume of traffic, with the emphasis on pressure; the test process is generally: configure the modules -> send traffic pressure -> observe the device results after a certain time. The characteristics of this method are that the configuration of the functional modules in the test environment is fixed, the test traffic is fairly comprehensive, and multiple combined flows are tested for a long period. The defect of this method is poor flexibility: its configuration and traffic never change, it simulates the real user environment poorly, and its results must be checked manually by the tester during the test and at the end. The flow of this method is shown in Figure 1.
Method two: module combinations in the system test are tested progressively from few to many, and the test traffic is adjusted manually according to the module combination; compared with method one it simulates the real user environment better. But every adjustment of traffic for a module combination has to be completed manually by the tester, who must also track the whole process and adjust configuration and traffic in the system test environment according to the test phase and the device state; if several versions are to be tested, the tester has to repeat the tracking and adjustment for each one, which is tedious and makes the tester's efficiency very low. The flow of this method is shown in Figure 2.
In the present invention, the system test environment refers to an environment in which the integrated device functions simulate a user environment for whole-device pressure and stability testing.
Summary of the invention
The present invention provides a method and apparatus for automatically adjusting firewall system test traffic, to solve the problems of poor flexibility and low efficiency in the prior art when adjusting firewall system test traffic.
The present invention provides a method for automatically adjusting firewall system test traffic, comprising:
generating a configuration file;
analyzing the configuration file, writing the corresponding script content, and generating a control script;
automatically executing the firewall system test according to the control script.
Further, the content of the configuration file comprises the stages required by the test, the traffic to be sent in each stage, the configuration commands to be sent to the device according to the test requirements, and the commands for adjusting traffic according to the device state and the stage.
Further, executing the firewall system test according to the control script specifically comprises:
generating base traffic according to the configuration file;
judging the test phase and the device state;
sending device configuration and adjusting traffic according to the test phase and the device state.
Further, the base traffic comprises layer 2/3 normal traffic, abnormal packet traffic, attack traffic and application-layer traffic.
Still further, adjusting traffic means increasing or decreasing one kind of traffic in the base traffic and controlling the CPU utilization.
The present invention also provides an apparatus for automatically adjusting firewall system test traffic, comprising:
a configuration file generation module, used to generate the configuration file;
a control script generation module, used to analyze the configuration file, write the corresponding script content and generate the control script;
a test execution module, used to execute the firewall system test according to the control script.
Further, the content of the configuration file comprises the stages required by the test, the traffic to be sent in each stage, the configuration commands to be sent to the device according to the test requirements, and the commands for adjusting traffic according to the device state and the stage.
Further, executing the firewall system test according to the control script specifically comprises:
generating base traffic according to the configuration file;
judging the test phase and the device state;
sending device configuration and adjusting traffic according to the test phase and the device state.
Further, the base traffic comprises layer 2/3 normal traffic, abnormal packet traffic, attack traffic and application-layer traffic.
Further, adjusting traffic means increasing or decreasing one kind of traffic in the base traffic and controlling the CPU utilization.
The beneficial effects of the present invention are as follows:
With the firewall system testing scheme provided by the invention, the tester only needs to perform the test settings in the configuration file according to the system testing idea; the sending and adjustment of the subsequent test traffic and the configuration of the device under test are all completed automatically, the tester does not need to monitor the test process, the corresponding information is logged when a problem occurs, and the control script can be re-run automatically to reproduce and locate a problem. This improves test efficiency and frees the tester from the manual part of the work, leaving more time for test design and the MTD. At the same time the environment needed by the technical scheme is simple, the scripts are relatively independent of each other, flexibility is good and extension is convenient.
Description of drawings
Fig. 1 is a schematic diagram of firewall system testing method one in the prior art;
Fig. 2 is a schematic diagram of firewall system testing method two in the prior art;
Fig. 3 is the logical architecture diagram of the method for automatically adjusting firewall system test traffic according to the embodiment of the invention;
Fig. 4 is the logic block diagram of the firewall system test of the embodiment of the invention;
Fig. 5 is the firewall system test phase design diagram of the embodiment of the invention;
Fig. 6 is a schematic flow chart of the test implementation part of the embodiment of the invention;
Fig. 7 is the test case design framework diagram of the embodiment of the invention;
Fig. 8 is a schematic diagram of the process of executing the test according to the control script in the embodiment of the invention;
Fig. 9 is a schematic diagram of the concrete implementation process of the conversion script of the embodiment of the invention;
Fig. 10 is a schematic diagram of the processing of device configuration by the intermediate script of the embodiment of the invention;
Fig. 11 is a schematic diagram of the processing of traffic sending by the intermediate script of the embodiment of the invention;
Fig. 12 is a schematic diagram of the structure of the apparatus for automatically adjusting firewall system test traffic of the embodiment of the invention.
Embodiment
To solve the problems of poor flexibility and low efficiency when carrying out firewall system testing in the prior art, the invention provides a method and apparatus for automatically adjusting firewall system test traffic. The invention provides a unified configuration file and analyzes that file to simulate the system test, that is, to simulate the process of manually adjusting configuration and traffic during system testing. The whole system test process needs no monitoring by the tester: the tester only has to provide the test idea and apply it in the configuration file; the system test process then configures the device and adjusts the traffic automatically according to the content of the configuration file, and the test results can be detected and monitored automatically. The present invention is further elaborated below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein only explain the invention and do not limit it.
Fig. 3 is the logical architecture diagram of the method of the invention for automatically adjusting firewall system test traffic; as shown in Figure 3, the method specifically comprises three parts: generating a configuration file, converting the configuration file into a control script, and automatically executing the firewall system test according to the control script.
The configuration file is the part the tester needs to pay attention to; the control script is generated by a conversion file that parses the content of the configuration file, and the subsequent sending of device configuration and adjustment of traffic are all controlled by the control script.
The configuration file embodies the tester's idea. It specifically comprises the stages required by the test, the traffic to be sent in each stage, the configuration commands to be sent to the device according to the test requirements, the commands for adjusting traffic according to the device state and the stage, and so on. The subsequent analysis of the configuration file automatically turns this idea into an automated system test. Because product characteristics differ, the traffic each product can transmit and handle differs, and the tester needs to reflect this in the configuration file; the tester generally has some judgement of product performance and traffic when writing the configuration file, and where deviations appear during the test the traffic can be adjusted automatically according to the device state.
The control script is the executable script converted from the configuration file; it is the tester's idea translated, and includes the configuration, traffic and timing that need to be controlled in the subsequent test.
After the control script is executed, the sending and adjustment of traffic in the subsequent test process are transparent to the tester and completed automatically by the system. The implementation part comprises: sending base traffic, judging the test phase and device state, and sending device configuration and adjusting traffic.
1) Base traffic generation: the corresponding base traffic is generated according to the configuration file. Base traffic is generally generated in the first test phase; its traffic types include normal layer 2/3 traffic, abnormal packet traffic, attack traffic and application-layer traffic. Base traffic is mainly layer 2/3 traffic, with a small amount of attack traffic and application-layer traffic.
2) Judging the test phase and device state: the duration of each stage can be given in the configuration file; each stage has a different test emphasis, so its test configuration and the traffic sent also differ. The beginning and end of each stage are judged according to the stage settings in the configuration file; the device communication status must be judged at the start and end of each stage, and the corresponding information is logged when device communication fails. Within a stage, the device CPU utilization and process status also need to be judged, and the traffic sent is adjusted according to the CPU utilization and process status.
3) Automatically sending device configuration and adjusting traffic: before each stage begins testing, the device configuration is sent automatically; during the test, the test traffic also needs to be adjusted according to the stage and the device state. Adjusting traffic means increasing or decreasing a certain type of traffic on the basis of the base traffic. During adjustment the device CPU utilization or the CPU usage of a process can be checked. Generally the tester sets this explicitly in the configuration file, specifying the type of traffic to increase or decrease and the CPU state to be reached.
The implementation process of the method provided by the invention for automatically adjusting firewall system test traffic is described in detail below through a preferred embodiment.
Taking a certain firewall as an example, the system test environment that serves as the basic condition comprises an environment part and a network part. The tester needs to design the system test stages on this basis and, after the design is complete, embody the design idea in the configuration file; the test process is then executed automatically according to the control script converted from the configuration file.
Fig. 4 is the logic diagram of the firewall system test in this embodiment. As shown in Figure 4, the system test environment comprises PC nodes, the firewall under test and the system test implementation scripts. There are two system test networks. One is the control network, over which the entire system test environment communicates; over the control network the script commands that produce traffic are sent to each PC node, and the device commands the firewall under test needs to be configured with and the commands that judge the device state are sent to the firewall. The other is the test network, on which all test traffic is produced.
In this embodiment, the design of the firewall system test phases is shown in Figure 5 and specifically comprises:
Phase one is the layer 2/3 test. It mainly consists of sending the base traffic; while the base traffic is being sent, various traffic sizes and combinations are pressure-tested for some time. First normal layer 2/3 traffic is sent: each type of traffic is sent for a short period, for example 5 minutes, and the change in device CPU utilization is checked; if CPU utilization reaches 90%, no further traffic is sent; if it is below 90%, sending is repeated from the initially defined traffic, and CPU utilization is kept at 90% while traffic is sent. After the pressure has continued for a period, for example one hour, the layer 2/3 normal traffic is reduced until CPU utilization reaches 50%, then background error packets (checksum error packets, fragment packets etc.) and attack traffic (synflood, udpflood, smurf etc.) are added so that CPU utilization rises to 90%. After the pressure has continued for a period, for example one hour, normal traffic and attack traffic are reduced and device CPU utilization is controlled to 40%; application-layer traffic is added and device CPU utilization is controlled to 90%. After a period, for example one hour, attack traffic is reduced so that CPU utilization reaches 70%; then application-layer traffic is added, for example HTTP, FTP, MAIL, DNS, TFTP, TELNET etc., so that CPU utilization rises to 90%.
Phase two is the attack test. On the basis of phase one, layer 2/3 normal traffic is reduced so that CPU utilization reaches 50%; the IDS (Intrusion Detection System) configuration is added, the configuration commands being provided in a command file; various IDS attack flows are added one type at a time, checking CPU utilization after each; the final CPU utilization does not exceed 90%, for example it is controlled to 90%.
Phase three is the application-layer test. The IDS attack traffic is reduced so that CPU utilization falls to 40%, then application-layer traffic (HTTP, FTP, MAIL, DNS, TFTP, TELNET etc.) is increased one type at a time, checking CPU utilization after each; the final CPU utilization does not exceed 90%, for example it is controlled to 90%. Application-layer traffic has two emphases: one with many connections and a small application-layer data portion, and one with fewer connections and a large application-layer data portion. The two correspond to different test emphases; the traffic sent differs with the emphasis, and a process CPU utilization setting can also be given. Taking the firewall under test as an example, its application layer mainly has proxy and anti-virus processing: if the test emphasis is the proxy, the first kind of application-layer traffic can be used for the test, and if the emphasis is anti-virus, the second kind can be used.
Before the beginning and the end of each stage, communication is checked; if the check fails, the test ends. This part is not embodied in the configuration file but is fixed in the concrete script implementation.
Of course, the firewall system test process can also be divided into more or fewer than three stages according to actual needs.
After the system test stage design, the next part is the system test implementation: the tester edits the configuration file according to the system test design; after it is written, the conversion script converts it into the control script; the control script, when executed, calls each of the basic scripts and the system test is carried out automatically.
Fig. 6 is a schematic flow chart of the test implementation part of the embodiment. As shown in Figure 6, after the control script is executed, the system connects to the clients and calls the intermediate script base.tcl, which runs the traffic-producing scripts on the clients and automatically carries out the sending and adjustment of system test traffic and the configuration of device commands. The call sequence is: control script -> connect to the clients and call the intermediate script base.tcl -> the basic script of the traffic-sending process that sends test traffic, and the basic scripts of the other miscellaneous functions. Specifically, the test implementation flow of the embodiment comprises:
(1) Configuration file
There are multiple stages in the system test, and each stage consists of multiple testcases (test cases). The system test design above has three stages, each consisting of traffic-sending testcases; the specific content of a testcase is one of: sending a certain type of traffic, increasing or decreasing the traffic sent according to the CPU state, or sending configuration. The test case design framework is shown in Figure 7.
According to the system stage design above, the specific content of the configuration file is as follows:
[conf start]                  # marks the beginning of the whole system test;
Phase1=1                      # whether the phase is executed: 1 = execute, 0 = do not execute;
P1_testcase1=1                # each phase comprises multiple testcases, each defining the sending of one traffic type; 1 = execute this testcase, 0 = do not execute;
P1_case1_time=0.5             # duration of each testcase, in hours;
P1_testcase2=1
P1_case2_time=0.5
P1_testcase3=1
P1_case3_time=0.5
P1_testcase4=1
P1_case4_time=0.5
P1_testcase5=1
P1_case5_time=0.5
............
............
# Phase one generally generates several kinds of base traffic and can be modified according to the device under test and the needs;
[phase1 start]                # marks the beginning of phase1; phase one testing begins;
[testcase1 start]             # marks the beginning of the first testcase of phase one: send normal layer 2/3 traffic;
# The columns below are: client zone, server zone, traffic type, traffic size sent by each test node, and the maximum size not to be exceeded:
A B TCP 1M 10M
A B UDP 1M 10M
A B ICMP 1M 10M
............
............
[testcase1 end]               # marks the end of the definition of testcase1 in phase1, but does not mean the traffic sent in this case stops;
[testcase2 start]             # after testcase1 has run for 0.5 hours, testcase2 of phase1 begins: increase layer 2/3 traffic until the device cpu reaches about 90%;
Increase p1_testcase1 cpu 90%
[testcase2 end]               # end of testcase2 in phase1;
[testcase3 start]             # testcase3 of phase1 begins: decrease layer 2/3 traffic until the cpu reaches about 50%;
Decrease p1_testcase1 cpu 50%
[testcase3 end]               # end of testcase3 in phase1;
[testcase4 start]             # testcase4 of phase1 begins: sending of error packets and attack packets;
# The columns below are: client zone, server zone, error packet or attack type, the size each test node needs to send, and the maximum size not to be exceeded:
# client zone  server zone  fragment packets  0.2M  1M
A B fragmentation 0.2M 1M
# client zone  server zone  checksum errors  0.2M  1M
A B badchecksum 0.2M 1M
# client zone  server zone  syn attack  0.2M  1M
A B synflood 0.2M 1M
............
............
[testcase4 end]               # end of testcase4 in phase1;
[testcase5 start]             # testcase5 of phase1 begins: bring the cpu to about 90%;
Increase p1_testcase4 cpu 90%
[testcase5 end]               # end of testcase5 in phase1;
[testcase6 start]             # testcase6 of phase1 begins: reduce attack traffic until the device cpu reaches about 70%;
Decrease p1_testcase4 cpu 70%
[testcase6 end]               # end of testcase6 in phase1;
[testcase7 start]             # testcase7 of phase1 begins the sending of application-layer traffic
# The columns below are: client zone, server zone, application-layer traffic type, the file size each test node needs to send, and the maximum size not to be exceeded:
A B HTTP 1M 5M
A B FTP 1M 5M
............
............
[testcase7 end]
[testcase8 start]
Increase p1_testcase7 cpu 90%
[testcase8 end]
[phase1 end]
# Phase two begins; this phase mainly sends attacks.
[phase2 start]
[testcase1 start]
Decrease p1_testcase1 cpu 50% # reduce normal layer 2/3 traffic
[testcase1 end]
# Configuration sending; in this phase it is generally the attack configuration.
[testcase2 start]
Dut ids.conf superman talent  # gives the username and password for connecting to the device; the concrete configuration commands are in ids.conf;
[testcase2 end]
[testcase3 start]
Increase p1_testcase4 cpu 90% # increase error packets and attack traffic;
[testcase3 end]
[phase2 end]
# Phase three; this phase mainly sends application-layer traffic;
[phase3 start]
[testcase1 start]
Decrease p1_testcase4 cpu 40% # reduce attack traffic;
[testcase1 end]
[testcase2 start]             # configuration sending; in this phase it is generally the application-layer configuration;
Dut dpi.conf superman talent  # the application-layer configuration commands are in dpi.conf;
[testcase2 end]
[testcase3 start]
Increase p2_testcase7 cpu 90% # increase the application-layer traffic of testcase7 of phase one until the device cpu reaches about 90%;
[testcase3 end]
[phase3 end]
(2) Test node file
When configuring each traffic transmission, the tester only needs to specify the source and destination zones; when the traffic is sent, the hosts in the zone and the IP addresses to use are looked up automatically from the zone file.
Specific content of the zone file (area file) that records the test nodes:
Zone A:
host name, test network IP address, control network IP address
For example:
Zone A:
A1 8.0.1.2 202.0.0.20
(3) After the configuration file is complete, the conversion script processes it and generates the control script; the content of the conversion process and of the control script correspond to each other.
Fig. 8 is a schematic diagram of the process of executing the test according to the control script in the embodiment. As shown in Figure 8, executing the test according to the control script specifically comprises:
Judging the test phase: determine which test phase and testcase is current, and whether this stage and case are to be executed;
Checking device communication at the start of a stage: before each stage begins, check the device communication status (ping and http) and the communication of each node in the zone; if communication fails, check again; if communication still fails after three checks, end the sending of system test traffic and the test. At the same time a log is written recording the stage currently being executed, which also helps in locating and reproducing problems.
Configuring the device and sending test traffic: send the device configuration and the test traffic according to the configured content of the stage; in the system test design and configuration file above, the second stage needs to send the IDS configuration and the third stage needs to send the DPI (Deep Packet Inspection) configuration.
Judging the device state: after each kind of traffic has been sent, connect to the device and judge its CPU state, judging and controlling according to the set value.
Adjusting the test traffic according to the commands of the stage: increase or decrease test traffic according to the settings of the stage, and check whether the CPU has reached the set state each time one kind of traffic is increased or decreased. The CPU is checked first before increasing or decreasing: if it has already reached the set value, no more traffic is increased or decreased for this command. After each kind of traffic is sent or reduced, wait one minute before sending or reducing the next kind; the device CPU is sampled three times within that minute and the three values are averaged; when the average differs from the preset CPU value (e.g. 90%) by no more than 5%, the set CPU state is judged to have been reached. If connecting to the device fails while judging the device state, the sending of system test traffic and the test are ended; a log is written at the same time, recording the stage currently being executed.
Checking device communication at the end of a stage: after each stage ends, check the device communication status (ping and http); if a problem occurs, the subsequent test is not continued; a log is written at the same time, recording the stage currently being executed.
The device communication check is at present a fixed part of the design; it could also be extended into a configurable part of the design.
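The device-state judgement and the Increase/Decrease adjustment loop described in section (3), written here as an added Python example (not the patent's own Tcl scripts) against a constructed simulated device. It applies the page's rules: check the CPU before each change, sample the device CPU three times after a change and average them, treat the set point as reached when the average is within 5 percentage points of it, and end the test when the device cannot be reached. SimulatedDut, adjust_traffic and check_communication are names assumed by this example, and the CPU model of the simulated device is an assumption.

```python
"""Added example (Python, not the patent's own Tcl scripts): device-state judgement
and traffic adjustment as described in section (3), against a simulated device.
SimulatedDut, adjust_traffic and check_communication are assumed names."""
import logging
import statistics
from dataclasses import dataclass, field

log = logging.getLogger("systest")


class DeviceUnreachable(Exception):
    """Connecting to the device failed; the page ends the test in this case."""


@dataclass
class SimulatedDut:
    """Constructed stand-in for the firewall under test (assumption): CPU utilization
    is base_cpu plus per_flow for every traffic flow currently running."""
    base_cpu: float = 10.0
    per_flow: float = 8.0
    active_flows: list = field(default_factory=list)
    reachable: bool = True

    def cpu_samples(self, n: int = 3) -> list:
        """Return n CPU readings; the +/-1 jitter shows why the samples are averaged."""
        if not self.reachable:
            raise DeviceUnreachable("control network connection to the device failed")
        cpu = self.base_cpu + self.per_flow * len(self.active_flows)
        return [min(100.0, cpu + (1.0 if i % 2 else -1.0)) for i in range(n)]


def cpu_reached(samples: list, target: float, tolerance: float = 5.0) -> bool:
    """Page rule: mean of the three samples within 5 points of the preset CPU value."""
    return abs(statistics.mean(samples) - target) <= tolerance


def adjust_traffic(dut: SimulatedDut, flows: list, target_cpu: float,
                   action: str, stage: str) -> tuple:
    """Increase (start) or Decrease (stop) one flow at a time until the device CPU
    reaches target_cpu. Returns (flows changed, whether the target was reached).
    A real run waits one minute between flows; the wait is omitted here."""
    if action not in ("Increase", "Decrease"):
        raise ValueError(f"unknown action {action!r}")
    changed, reached = [], False
    try:
        for flow in flows:
            # check first: if the CPU is already at the set point, change nothing more
            if cpu_reached(dut.cpu_samples(), target_cpu):
                reached = True
                break
            if action == "Increase":
                dut.active_flows.append(flow)
            else:
                dut.active_flows.remove(flow)
            changed.append(flow)
            log.info("stage %s: %s %s", stage, action, flow)
        if not reached:  # flows exhausted: final judgement of the device state
            reached = cpu_reached(dut.cpu_samples(), target_cpu)
    except DeviceUnreachable:
        # the page ends traffic sending and the test, logging the current stage
        log.error("stage %s: device unreachable, ending test", stage)
        raise
    return changed, reached


def check_communication(probe, attempts: int = 3) -> bool:
    """Stage start/end check: probe() returns True when ping and http both succeed;
    after three failed checks the test is ended (returns False)."""
    for i in range(attempts):
        if probe():
            return True
        log.warning("communication check failed (%d of %d)", i + 1, attempts)
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    dut = SimulatedDut()
    print(adjust_traffic(dut, ["TCP", "UDP", "ICMP", "HTTP", "FTP", "DNS"], 50, "Increase", "phase1"))
    print(adjust_traffic(dut, ["FTP", "HTTP"], 30, "Decrease", "phase1"))
```

With the simulated device, an Increase towards 50% starts five of the six listed flows and stops before the sixth because the averaged samples are already within the 5-point tolerance; the Decrease then stops two flows and the final judgement confirms the 30% target. Checking the CPU before each change is what keeps a command from overshooting once the set point is reached.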
(4) conversion script
Through regular expressions analysis configuration file, write the corresponding scripts content after the analysis, the control scenario process that generates at last is corresponding with above-mentioned Fig. 8 control procedure; The concrete implementation procedure of conversion script is as shown in Figure 9, specifically comprises:
# judges whether file finishes
Figure BDA0000119416280000131
Whether # each stage of analysis needs to carry out, and is recorded in the variable;
Figure BDA0000119416280000141
Whether # analyzes is the beginning in a stage, if the communication check action that record needs is in the control script;
Figure BDA0000119416280000142
Whether # analyzes is the beginning of a testcase, if, record stage testcase title and case duration;
Figure BDA0000119416280000143
Figure BDA0000119416280000151
# analyzes and is which kind of flow, and the record flow parameter is in corresponding flow tabulation variable; Have in the flow parameter: flow, maximum total flow that source client area, destination server zone, each node need send;
After # one testcase flow analysis finishes, write down stage testcase title and all flow that need produce tabulations, tabulation of every kind of discharge pattern comprises source region, purpose zone, each node flow size, maximum stream flow in the tabulation; As: its content of http_para be A B 1 10}{C D 1 10}}, this variable is a global variable; The middle script base.tcl that the corresponding case of control script calls handles, unification is handled and is sent one type flow according to flow tabulation variable in middle script, and record produces process number simultaneously;
All flow parameter variablees of testcase have also been write down in control in the script, read its flow parameter content again during follow-up increase flow and give global variable, so can according to before flow parameter transmitted traffic among the case;
Puts control script " set } "
Puts$ controls script " set http_para_pN_caseN "
Puts$ controls script " lappend http_para_pN_caseN "
# action phase_case cpu: the CPU utilisation target is normally specified in Increase operations; other traffic-sending processes default to 90%;
puts $control_script "action phaseN_testcaseN"
# Control the execution time of the case: the timed procedure computes the end time from the case duration, and only when the set time is reached does the judgement and execution of the next case begin;
puts $control_script "timed \$case_time"
............
............
# Increase: the testcase flow within a stage;
The flow parameters of each stage are recorded as a list in the control script; the list content is the flow parameter variables, e.g. for pN_caseN the list is {http_para_pN_caseN ftp_para_pN_caseN}. When flow is increased, the variables in this list are decomposed, their contents are fetched and the flow-sending operation action pN_caseN is called. Each time one type of flow is added, the CPU state is queried and checked against the set CPU state; the operation finishes once the difference is within 5%;
# Decrease: the testcase flow within a stage:
After each flow is sent, the node and the process number of the traffic-sending process on that node are recorded. The recorded content is: stage + testcase name, flow type, control network IP address and process number, recorded in a variable in list form, e.g. active_pid {{phaseN_testcaseN HTTP 8.0.1.4 2198}{phaseN_testcaseN FTP 8.0.1.2 2288}};
During a Decrease operation the stage and testcase are looked up in this list and the corresponding processes are killed to reduce the flow. Each time one kind of flow is reduced, the corresponding entry is deleted from the list and the device state is checked against the set CPU state; the operation finishes once the difference is within 5%. In this embodiment flow is only reduced according to the stage and testcase that generated it; this can be extended to reducing by the corresponding flow type of the testcase within the stage;
# Send configuration to the device:
As with the other flow parameters, the command files to be sent are recorded in a variable list; the subsequent command-sending procedure is completed by action calling dut uniformly;
By analogy, the control-script content is generated in this way, controlling the sending of flow, the timing and the adjustment;
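The conversion step just described, as an added Python example (the patent's own conversion script is Tcl and is not reproduced on this page): a constructed configuration format, assumed for this example because the page does not show the real one, is parsed with regular expressions into stage, testcase and flow-list structures, and control-script lines of the kind given in the description are emitted from them. The per-case list variable is named pN_caseN_flows here to keep it distinct from the pN_caseN enable flag.

```python
# Step (4) of the patent as an added Python example, not the patent's Tcl: a
# constructed configuration format (assumed; the page does not show the real
# one) is regex-parsed into stage -> testcase -> flow-list structures, and the
# control-script lines the description shows are emitted from them.
import re
from collections import OrderedDict

# Constructed sample configuration (format assumed for this example):
# "phase N enable=0|1", "case pN_caseN hours=H", "flow KIND SRC DST PER_NODE MAX",
# "dut USER PASSWORD CONF_FILE"; values follow the examples in the description.
SAMPLE_CONFIG = """\
phase 1 enable=1
case p1_case1 hours=1
flow http A B 1 10
flow http C D 1 10
flow ftp A B 2 20
dut superman talent ids.conf
case p1_case2 hours=2
flow http A B 1 10
phase 2 enable=0
"""

PHASE_RE = re.compile(r"^phase\s+(\d+)\s+enable=([01])$")
CASE_RE = re.compile(r"^case\s+(p\d+_case\d+)\s+hours=(\d+)$")
FLOW_RE = re.compile(r"^flow\s+(\w+)\s+(\w+)\s+(\w+)\s+(\d+)\s+(\d+)$")
DUT_RE = re.compile(r"^dut\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_config(text):
    """Return phases -> {enable, cases -> {hours, flows -> [{src dst per_node max}], dut}}."""
    phases, phase, case = OrderedDict(), None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := PHASE_RE.match(line):
            phase = phases.setdefault(m[1], {"enable": int(m[2]), "cases": OrderedDict()})
            case = None
        elif m := CASE_RE.match(line):
            if phase is None:
                raise ValueError(f"line {lineno}: case outside a phase")
            case = phase["cases"].setdefault(m[1], {"hours": int(m[2]), "flows": OrderedDict(), "dut": []})
        elif m := FLOW_RE.match(line):
            if case is None:
                raise ValueError(f"line {lineno}: flow outside a case")
            kind, src, dst, per_node, maximum = m.groups()
            # Each entry is a Tcl sub-list: source area, destination area, per-node flow, maximum total flow.
            case["flows"].setdefault(kind, []).append(f"{{{src} {dst} {per_node} {maximum}}}")
        elif m := DUT_RE.match(line):
            if case is None:
                raise ValueError(f"line {lineno}: dut outside a case")
            case["dut"].append("{%s %s %s}" % m.groups())
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return phases


def emit_control_script(phases):
    """Write the control script: stage/case flags, per-stage check_commu, case timing, flow lists, action, timed."""
    out = ["package require Itcl", "package require Expect", "source base.tcl", ""]
    for pnum, ph in phases.items():                      # stage/case enable flags and durations
        out.append(f"set phase{pnum} {ph['enable']}")
        for cname, c in ph["cases"].items():
            out += [f"set {cname} 1", f"set {cname}_time {c['hours']}"]
    for pnum, ph in phases.items():
        if not ph["enable"]:
            continue                                     # disabled stage: nothing is generated for it
        out.append(f"check_commu phase{pnum}")           # communication check at stage start
        for cname, c in ph["cases"].items():
            out.append("set case_starttime [clock seconds]")
            out.append(f"set case_time [expr $case_starttime + ${cname}_time*3600]")  # hours to seconds
            for kind, entries in c["flows"].items():
                out.append(f"set {kind}_para_{cname} {{{''.join(entries)}}}")
                out.append(f"lappend {cname}_flows {kind}_para_{cname}")  # list of this case's flow variables
            if c["dut"]:
                out.append(f"set dut_conf {{{''.join(c['dut'])}}}")
            out += [f"action {cname}", "timed $case_time"]
    return "\n".join(out)
```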
The corresponding control script after conversion:
package require Itcl
package require Expect
# source the basic scripts
source sshcon.tcl
source ftp.tcl
source mail.tcl
source http.tcl
source tftp.tcl
source bt.tcl
source base.tcl
source dut.tcl
source getdutinfo.tcl
source telnet.tcl
source stopexec.tcl
.............
...........
# Variables recording whether each stage, and each case within a stage, is executed, and the duration of each case:
set phase1 1
set p1_case1 1
set p1_case1_time 1
# Check at the beginning and end of each stage. The check_commu procedure is fixed: from each area (the area test-node file defaults to area_file) it picks the first client and server and performs ping and HTTP communication checks; if communication succeeds, the check passes; if not, it retries three times, and if still unsuccessful it fails, stops all test traffic and writes a log whose content is the stage currently being executed;
check_commu phase
# At the beginning of a testcase, calculate the case duration;
set case_starttime [clock seconds]
set after_time [expr $pN_caseN_time*3600]
set case_time [expr $case_starttime+$after_time]
# testcase flow sending and control:
# flow list parameter
set http_para {{A B 1 10}{C D 1 10}}
set http_para_pN_caseN $http_para
lappend $phaseN_testcaseN http_para_pN_caseN
............
............
action phaseN_testcaseN
# After flow sending has finished, the case duration (i.e. the time at which the next case starts executing) is controlled by the timed procedure;
timed $case_time
# Increase a certain type of flow in a certain stage (listing given as a figure in the original);
# Decrease the flow of a certain stage (listing given as a figure in the original);
# Device configuration command sending is called:
set dut_conf {{superman talent ids.conf}{superman talent dpi.conf}}
action phaseN_testcaseN
(5) Intermediate script (base.tcl)
The intermediate script has two kinds of processing: device configuration processing and flow-sending processing.
The intermediate script's processing of device configuration is shown in Figure 10. It first creates a dut (device under test) object, then connects to the serial port of the dut through the object, and after a successful connection calls the main procedure dut_order in dut.tcl to send the commands in the .conf file to the dut.
The intermediate script's processing of flow sending is shown in Figure 11. It first parses the source and destination areas to obtain the client management network address and the server test network address, then connects to the client via the client management network address, calls the basic flow script on the client to send flow, and calls the auxiliary-function scripts to check and control the device CPU.
The processing of the intermediate script is specifically as follows:
# Processing of the HTTP parameter list (http_para): parse the client and destination server, connect to the client and call the HTTP flow sending, and record the traffic-sending process (listing given as a figure in the original);
(6) Basic scripts
The basic scripts are of two kinds: dedicated scripts that generate the basic flows, and basic scripts for auxiliary functions such as CPU control and device configuration commands.
The basic flow scripts send various basic flows such as HTTP, FTP, MAIL, DNS, etc.; the invention simulates relatively realistic application processes with the users' common tools;
Below is the implementation of the HTTP flow-sending part: the script name is http.tcl; the size of the server file is given in the configuration file; if no flow-reduction operation is performed, this flow continues until the whole test ends. Its main procedure is geturl (listing given as a figure in the original);
CPU control script: it connects to the device serial port and sends, via expect, commands to check the CPU state or the CPU usage of processes; if the set CPU value is met, i.e. the difference is about 5%, increasing or decreasing the flow sending stops. CPU detection on multi-core devices is also possible, e.g. detecting the utilisation of cpu0 and of the other CPUs;
Its main procedure is cpu_control (listing given as a figure in the original).
Device command sending script (dut.tcl): the commands to be sent to the dut are placed in a conf file; the user name, password and the command file to send are set in the configuration file. The implementation is the same as that of the CPU control part above: its main procedure dut_order configures the device through expect-simulated man-machine interaction, taking the configuration commands from the conf file one by one to configure the device.
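The Increase/Decrease adjustment loop from the control-script conversion above and the cpu_control check of the basic scripts, as one added Python example (not the patent's Tcl/Expect scripts): the device is a constructed in-memory model whose CPU load grows with each running flow process, and the active_pid entries follow the {stage_testcase TYPE control-IP pid} form given in the description; the IP addresses and pids are sample values.

```python
# The Increase/Decrease adjustment loop and the cpu_control check, as an added
# Python example (not the patent's Tcl/Expect scripts). The device is a
# constructed in-memory model whose CPU load rises with each running flow
# process; the real scripts read the CPU over the serial console via expect.
from dataclasses import dataclass, field

CPU_TOLERANCE = 5.0         # "within 5%" of the set CPU state
DEFAULT_CPU_TARGET = 90.0   # default when an Increase gives no target


@dataclass
class FakeDevice:
    """Constructed device-under-test model: base load plus a fixed CPU cost per running flow."""
    base_cpu: float = 10.0
    cost_per_flow: dict = field(default_factory=dict)  # flow kind -> CPU %
    running: dict = field(default_factory=dict)        # pid -> flow kind
    next_pid: int = 2000

    def start_flow(self, kind):
        """Stand-in for the intermediate script starting a flow on a client node; returns its pid."""
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        self.running[pid] = kind
        return pid

    def kill(self, pid):
        self.running.pop(pid, None)

    def cpu_percent(self):
        """Stand-in for cpu_control querying utilisation over the serial port."""
        return min(100.0, self.base_cpu + sum(self.cost_per_flow[k] for k in self.running.values()))


def cpu_settled(measured, target, tolerance=CPU_TOLERANCE):
    """True when the measured CPU differs from the set value by at most the tolerance."""
    return abs(measured - target) <= tolerance


class FlowController:
    """Keeps the active_pid list ({stage_testcase KIND ctrl_ip pid} per flow) and adjusts flows until CPU settles."""

    def __init__(self, device, client_ips):
        self.device = device
        self.client_ips = client_ips   # flow kind -> control-network IP of the sending node
        self.active_pid = []           # (stage_testcase, kind, ctrl_ip, pid), as the description records

    def increase(self, phase_case, flow_kinds, cpu_target=DEFAULT_CPU_TARGET):
        """Add one flow type at a time, checking CPU after each; stop once within tolerance or above target."""
        for kind in flow_kinds:
            cpu = self.device.cpu_percent()
            if cpu_settled(cpu, cpu_target) or cpu > cpu_target:
                break
            pid = self.device.start_flow(kind)
            self.active_pid.append((phase_case, kind, self.client_ips[kind], pid))
        return self.device.cpu_percent()

    def decrease(self, phase_case, cpu_target, kind=None):
        """Kill this stage/testcase's recorded processes (optionally one flow type) until CPU is within tolerance."""
        mine = [e for e in self.active_pid if e[0] == phase_case and (kind is None or e[1] == kind)]
        for entry in mine:
            if cpu_settled(self.device.cpu_percent(), cpu_target):
                break
            self.device.kill(entry[3])      # kill the recorded process number
            self.active_pid.remove(entry)   # and delete its entry from the list
        return self.device.cpu_percent()
```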
Figure 12 is a schematic structural diagram of the apparatus capable of automatically adjusting firewall system test traffic according to the embodiment of the invention. As shown in Figure 12, the apparatus comprises a configuration file generation module 1201, a control script generation module 1202 and a test execution module 1203.
The configuration file generation module 1201 is used to generate the configuration file.
The content of the configuration file includes the stages needed by the test, the flows that need to be sent in each stage, the device configuration commands to be sent as the test requires, and the flow adjustment commands according to device state and stage.
In the embodiment of the invention, the firewall system test process is divided into three phases in the configuration file: the first phase is layer-2/3 testing, the second phase is attack testing, and the third phase is application-layer testing. Of course, the firewall system test process may also be divided into more or fewer than three phases according to actual needs.
The control script generation module 1202 is used to parse the configuration file, write the corresponding script content and generate the control script.
The test execution module 1203 is used to execute the firewall system test according to the control script.
Executing the firewall system test according to the control script specifically comprises:
generating the basic flows according to said configuration file;
judging the test phase and the device state;
sending the device configuration and adjusting the flow according to said test phase and device state.
The basic flows include normal layer-2/3 traffic, abnormal packet traffic, attack traffic and application-layer traffic.
Adjusting the flow means increasing or decreasing one kind of flow among said basic flows, and controlling the CPU utilisation.
For the details of the embodiment of the apparatus capable of automatically adjusting firewall system test traffic, refer to the specific description of the method above; they are not repeated here.
With the technical scheme of the invention described above, the whole system test process needs no monitoring by the tester. The tester only needs to provide the test idea at the very beginning and apply it in the configuration file; the system test process is then configured and the flow adjusted automatically according to the content of the configuration file, and the test results can be detected and monitored automatically. The invention further has the following advantages:
(1) a simple configuration file is provided, with the configuration organised by case; the tester can apply the test idea in the configuration file, and the approach is more flexible;
(2) extensibility is good and the usage environment is simple: no special compilation environment is needed, everything is implemented by scripts, and the scripts are relatively independent of each other, which is convenient and simple;
(3) the system test flow can be adjusted dynamically according to the stage set in the configuration and the device state obtained, saving the tester's time and improving test efficiency;
(4) the test results can be checked and monitored automatically, improving test efficiency;
(5) the test traffic is more realistic, as it mostly invokes real access requests on each test node;
(6) the test process is repeatable: when a test needs to be run again, executing the corresponding script tests automatically, without manually configuring the device and adjusting the test traffic.
Although the preferred embodiments of the invention have been disclosed for the purpose of example, those skilled in the art will recognise that various improvements, additions and substitutions are also possible; therefore, the scope of the invention should not be limited to the above embodiments.

Claims (10)

1. A method capable of automatically adjusting firewall system test traffic, characterised in that it comprises:
generating a configuration file;
parsing said configuration file, writing the corresponding script content and generating a control script;
automatically executing the firewall system test according to said control script.
2. The method capable of automatically adjusting firewall system test traffic according to claim 1, characterised in that the content of said configuration file comprises the stages needed by the test, the flows to be sent in each stage, the device configuration commands to be sent as the test requires, and the flow adjustment commands according to device state and stage.
3. The method capable of automatically adjusting firewall system test traffic according to claim 1 or claim 2, characterised in that executing the firewall system test according to said control script specifically comprises:
generating basic flows according to said configuration file;
judging the test phase and the device state;
sending the device configuration and adjusting the flow according to said test phase and device state.
4. The method capable of automatically adjusting firewall system test traffic according to claim 3, characterised in that said basic flows comprise normal layer-2/3 traffic, abnormal packet traffic, attack traffic and application-layer traffic.
5. The method capable of automatically adjusting firewall system test traffic according to claim 4, characterised in that said adjusting the flow means increasing or decreasing one kind of flow among said basic flows, and controlling the CPU utilisation.
6. An apparatus capable of automatically adjusting firewall system test traffic, characterised in that it comprises:
a configuration file generation module, used to generate a configuration file;
a control script generation module, used to parse said configuration file, write the corresponding script content and generate a control script;
a test execution module, used to automatically execute the firewall system test according to said control script.
7. The apparatus capable of automatically adjusting firewall system test traffic according to claim 6, characterised in that the content of said configuration file comprises the stages needed by the test, the flows to be sent in each stage, the device configuration commands to be sent as the test requires, and the flow adjustment commands according to device state and stage.
8. The apparatus capable of automatically adjusting firewall system test traffic according to claim 6 or 7, characterised in that executing the firewall system test according to said control script specifically comprises:
generating basic flows according to said configuration file;
judging the test phase and the device state;
sending the device configuration and adjusting the flow according to said test phase and device state.
9. The apparatus capable of automatically adjusting firewall system test traffic according to claim 8, characterised in that said basic flows comprise normal layer-2/3 traffic, abnormal packet traffic, attack traffic and application-layer traffic.
10. The apparatus capable of automatically adjusting firewall system test traffic according to claim 8, characterised in that said adjusting the flow means increasing or decreasing one kind of flow among said basic flows, and controlling the CPU utilisation.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110414411.1A CN102523212B (en) 2011-12-13 A kind of method and apparatus that can automatically adjust firewall system testing flow

Publications (2)

Publication Number Publication Date
CN102523212A true CN102523212A (en) 2012-06-27
CN102523212B CN102523212B (en) 2016-12-14
