CN101800753B - Comprehensive safety protecting method based on integral network safety service framework - Google Patents


Info

Publication number: CN101800753B
Authority: CN (China)
Application number: CN 201010125026
Other versions: CN101800753A
Original language: Chinese (zh)
Inventors: 王强, 周俊
Current and original assignee: CETC 30 Research Institute
Legal status: Active
Prior art keywords: network, node, service, security, transmission

Abstract

The invention discloses a comprehensive security protection method based on an integrated network security service framework. The method comprises the following steps: isolating service, control, management and other information from one another by adopting a classified-isolation security protection technique for the information carried by the network; performing access authentication of terminal devices by adopting a user security access protection technique; authenticating the legitimacy of interconnected nodes by adopting a node security interconnection protection technique; and authenticating user identity and service authority by adopting a service access control technique. The advantages of the invention are that network communication and security are organically integrated to construct a multi-level, all-round comprehensive security and confidentiality system, solving the problems of the general IP network in which the signalling, management and service planes are not distinguished, network addresses and user addresses are not distinguished, and the scope and time of use of network resources are not controlled; this effectively overcomes the defects of a superposed (stacked) security mechanism, namely low efficiency, incomplete protection and the inability to provide stream-oriented rapid secure transmission.

Description

Comprehensive safety protecting method based on integral network safety service framework
Technical field
The present invention relates to a network security protection method, and in particular to a comprehensive security protection method based on an integrated network security service framework.
Background art
With the rapid development of IP technology, building integrated networks with IP technology at the core has become the consensus of the industry. However, the security problems of general-purpose IP networks have restricted the rapid development of integrated networks.
In traditional IP networks, network and service security is generally improved by superposing (stacking) various security and confidentiality devices: security devices such as network isolation, firewalls, authentication services, intrusion detection and vulnerability scanning, and confidentiality (encryption) devices at the link, network and application layers. A security protection system built up in this stacked way improves network and service security to a certain extent, but it still has several problems:
1) Network performance is limited: stacked security devices generate additional transmission and management overhead in the network, consume part of the bandwidth and increase the forwarding delay of service data, which has a considerable impact on communication performance. Compared with network switching equipment, the packet forwarding rate of security devices is generally lower and they lack a corresponding queue scheduling mechanism, so the switching and forwarding performance of the network cannot be fully exploited; communication performance bottlenecks arise easily, and the quality of service (QoS) of services is difficult to guarantee.
2) Devices have difficulty working together: each security device works alone in the network, providing its own security function at a different layer. For lack of an integrated security architecture, security gaps form between the devices. For example, security measures at the physical and link layers (such as single-channel encryptors) cannot solve the problem of network-layer address spoofing; network-layer measures (such as firewalls) have difficulty identifying and filtering malicious application-layer data; and application-layer measures are powerless against attacks on the underlying infrastructure. At the same time, the network switching equipment and the security devices lack the necessary contact with each other, interfere with each other and cannot cooperate. Security gaps also exist at the interfaces interconnected through external cables, posing hidden dangers to network security.
3) Security protection is incomplete: the protective measures or policies of the various devices differ in functional positioning, completeness and complexity. On the one hand, some security functions overlap, reducing communication efficiency; on the other hand, the security policies of the various devices are hard to keep consistent, and mutually exclusive or omitted policies easily cause network service anomalies or security vulnerabilities. Under the traditional IP protocol system, security measures are difficult to integrate effectively into every layer of the network, and the whole process of service communication cannot be monitored for security. In addition, the devices communicate with each other using general-purpose network protocols whose inherent security problems remain, so their own protective capability is weak.
4) Device categories, deployment and management methods vary, and network construction, operation and maintenance are difficult: the wide variety of security devices with differing functions not only reduces the reliability of network operation but also consumes a large amount of funds. Security devices must be deployed and planned according to their different application environments; the configuration and state management of the various devices, as well as key management and distribution, each form their own separate systems; policy configuration and operation and maintenance are very complicated and require network planning and maintenance personnel with high professional skills. Faced with the continuous expansion of applications and a never-ending stream of security threats, policies must be revised or devices upgraded continually, which restricts the sustainable development and functional expansion of the network.
Summary of the invention
In order to overcome the above shortcomings of the prior art, the invention provides a comprehensive security protection method based on an integrated network security service framework. By organically blending network communication with security and confidentiality, it builds a multi-level, all-round comprehensive security system; it thoroughly solves the problems of the general-purpose IP network in which the signalling, management and service planes are not distinguished, network addresses and user addresses are not distinguished, and the scope and time of use of network resources are not controlled; it effectively avoids the defects of the stacked security mechanism, such as low efficiency, incomplete protection and the inability to provide stream-oriented rapid secure transmission; and it can effectively resist network attack means such as impersonation, tampering, insertion, replay and denial of service, protecting the security of services and of the network.
The technical scheme of the invention is as follows: a comprehensive security protection method based on an integrated network security service framework comprises:
1) Adoption of information classification and isolation security measures:
Service data and system information are routed and switched independently: the node switching equipment provides separate routing tables for the route switching of each kind of information data, and provides relatively independent packet switching through a plurality of core switching matrices;
At trunk ports and user ports, dedicated transmission channels are established for service data and system information, and bandwidth is allocated in advance for each transmission channel: between route switching nodes, transmission channels are established respectively for real-time service, data service, session connection signalling and network management through the node security interconnection protocol; the corresponding channels are opened only after the nodes have authenticated each other, and bandwidth is allocated in advance for each transmission channel between the nodes; packet data between nodes is encapsulated by the node security interconnection protocol and transmitted encrypted in the corresponding transmission channel;
Between a user terminal and a route switching node, transmission channels are established respectively for real-time service, data service, session connection signalling and device management through the user security access protocol; the corresponding channels are opened in turn after the user terminal and the service have passed access authentication, and bandwidth is allocated in advance for each transmission channel; all kinds of user packet data are encapsulated by the user security access protocol and transmitted encrypted in the corresponding transmission channel;
The corresponding classification rules are applied to the data transmitted on each transmission channel according to its characteristics, together with QoS marking and differentiated services: the real-time service channel and the data service channel are classified by user priority and service type and QoS-marked with a flow label or label equivalence class; the signalling channel is QoS-classified and marked by protocol type, and the data service channel is QoS-classified and marked by source and destination IP address, TCP/UDP port number and ToS field;
According to the characteristics of the data transmitted on each transmission channel, corresponding queue management and scheduling are implemented: the signalling channel is scheduled by custom queuing; the real-time service channel and the management channel are scheduled by priority queuing; the data service channel uses first-in-first-out, priority queuing or weighted fair queuing according to the QoS requirements of the service;
2) Adoption of user security access measures:
The user security access protocol is adopted to achieve secure transmission of signalling, protocol and service messages between the terminal and the switch: a user terminal must first pass mutual authentication between the terminal equipment and the switch before access; after authentication has passed, the user security access protocol accepts the application of the upper-layer protocol, establishes and opens the signalling transmission link and the management transmission link, and provides transmission service for signalling messages and network management information;
During communication link set-up, the session connection control protocol of the terminal applies to the user security access protocol to establish a transmission link for the service data; the user security access protocol establishes the corresponding transmission link between the terminal and the switch through the channel set-up control flow; after the session is established, the user security access protocol sets up the binding relationship among the link number, the label and the source/destination IP addresses and opens the transmission channel, and the service data of this communication is transmitted in this channel; at the same time, the user security access protocol completes the conversion between the terminal identity and the network address, achieving address separation: the address of the user terminal in the network is visible only inside the network and is assigned automatically by the network for each communication; the user security access protocol establishes and maintains the binding relationship among this service, the terminal identity and the network address, and the switching equipment is responsible for completing the conversion between the user address and the network address on the basis of this binding relationship;
3) Adoption of node security interconnection measures:
The node security interconnection protocol is adopted to achieve secure transmission of signalling, protocol and service messages between network nodes: the node security interconnection protocol provides a secure data interaction platform for upper-layer protocol messages and label-forwarded messages between adjacent nodes; node interconnection must first pass mutual authentication between the nodes; after authentication has passed, the node security interconnection protocol generates a security authentication code used for the secure transmission of packet data; when upper-layer protocols between nodes exchange information, they must first apply to the node security interconnection protocol for a security token and encapsulate their messages with that token; the node security interconnection protocol authenticates the security token and provides transmission service only for legitimate protocol messages;
On the trunk line, the node security interconnection protocol divides signalling, management, data service and real-time service into four independent dedicated channels, each with configurable bandwidth and a different forwarding priority; the signalling channel carries signalling messages, key distribution messages, routing protocol messages, label distribution protocol messages, link state maintenance messages and node interconnection authentication messages, where the link state messages include the bit error rate, packet loss rate and link up/down state; the management channel carries network management information; the service channels carry communication services and computer data services; the opening of each channel is controlled by node interconnection authentication, and only after the legitimacy authentication between the nodes has passed can the various kinds of data be transmitted on the corresponding channels; the node security interconnection protocol provides protection for the upper-layer protocols, and only protocol messages that pass legitimacy authentication are regarded as valid messages;
4) Adoption of service admission control security measures:
Application services are subject to session connection control, and the network refuses to carry service data for which no session connection has been completed; during the session connection process, the authenticity of the signalling is verified; under session connection control, the system establishes an end-to-end transmission channel for the service data, the path of which through the network is selected by the source node according to the QoS characteristics of the links, or can be a specified route or policy route configured through network management;
5) Adoption of data encryption protection security measures: user service data is encrypted end to end over the whole path, and the ciphertext is never decrypted ("landed") within the network during transmission.
Compared with the prior art, the beneficial effects of the invention are as follows. Following the principle of integrated design of network communication and security, the security measures are effectively integrated into every device and every layer of the network and cooperate closely with one another, which strengthens the security protection performance, improves network resource utilization, guarantees QoS, achieves unified control and management, prevents the security protection functions from becoming a network bottleneck, and reduces overhead. Compared with the stacked approach, it has the outstanding advantages of strong security performance, simple and unified control and management, high network resource utilization and high reliability. Specifically:
By adopting the classified-isolation protection technique for the information carried by the network, service, control and management information are isolated from one another; each kind of information has its own independent route switching, transmission bandwidth, QoS guarantee and security measures in the network, which effectively guarantees the security of the network system itself. By adopting the user security access protection technique, terminal equipment undergoes access authentication, address conversion is implemented, and service data receives integrity and anti-replay protection, which effectively improves the protective capability of the network boundary. By adopting the node security interconnection protection technique, the legitimacy of interconnected nodes is authenticated and data between nodes receives integrity and anti-replay protection, which effectively prevents illegal nodes from accessing the network. Service access control authenticates user identity and authority and controls the session connection, type and flow of the service at the network entry point, which effectively prevents illegal data from entering the network.
Embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for features and/or steps that are mutually exclusive.
Unless specifically stated otherwise, any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
A comprehensive security protection method based on an integrated network security service framework effectively integrates, into every device and every layer of the network, the security and confidentiality measures of information classification and isolation, user security access, node security interconnection, application service access control and data encryption protection.
Vertically, the system applies security design at the network-network interface (NNI), the terminal-network interface (UNI) and the user-terminal interface (UTI). Security of the NNI is achieved mainly through the node security interconnection protocol (NSIP); security of the UNI mainly through the user security access protocol (USAP); and security of the UTI uses techniques such as key cards (for terminal users) and identity cards with passwords (for network management personnel).
Horizontally, the system applies security design at each layer, including application services, call control, route switching, access transmission and network management, organically blending network communication with security and confidentiality to ensure the security of the network management system, the network switching and the application services, for example:
For the network system, the interconnected switching nodes are first authenticated, preventing illegal nodes from accessing the network. Data is given integrity and anti-replay protection, which guarantees secure data transmission and prevents an attacker from cutting into the trunk line to attack the network. Service, control and management data are classified and isolated in the network, avoiding mutual interference and guaranteeing the security of the signalling system and the network management system. All kinds of data information carried on the trunk line are encrypted. Trunk encryption not only superencrypts service and network management information, strengthening the encryption strength of services, but also encrypts the inter-node signalling and network protocol messages, strengthening the protective capability of the network system. For the service, signalling, network management and other channels, trunk encryption can use different encryption keys according to the classification.
For service terminals, user terminals first undergo access authentication, preventing illegal terminals from accessing the network. Second, data is given integrity and anti-replay protection, guaranteeing secure data transmission on the subscriber line and preventing attacks such as tampering and replay. In addition, call signalling is protected, preventing analysis of and attacks on user signalling. Service data is encrypted end to end over the whole path, without the ciphertext being decrypted within the network, guaranteeing the confidentiality of communication services.
For the network management system, important network management information is transmitted encrypted. The network management system adopts a hierarchical management model, strictly manages the authorization of each management user and audits its own security. In addition, the network management centre is responsible for collecting information such as the operating states, fault reports and operation logs of the network and its equipment, and performs security auditing of the relevant network events.
The adoption of each security measure is described in detail below:
1) Classification and isolation of information
Service data and system information are routed and switched independently: the node switching equipment provides separate routing tables for the route switching of each kind of information data, and provides relatively independent packet switching through a plurality of core switching matrices;
At trunk ports and user ports, dedicated transmission channels are established for service data and system information, and bandwidth is allocated in advance for each transmission channel: between route switching nodes, transmission channels are established respectively for real-time service, data service, session connection signalling and network management through the node security interconnection protocol; the corresponding channels are opened only after the nodes have authenticated each other, and bandwidth is allocated in advance for each transmission channel between the nodes; packet data between nodes is encapsulated by the node security interconnection protocol and transmitted encrypted in the corresponding transmission channel;
Between a user terminal and a route switching node, transmission channels are established respectively for real-time service, data service, session connection signalling and device management through the user security access protocol; the corresponding channels are opened in turn after the user terminal and the service have passed access authentication, and bandwidth is allocated in advance for each transmission channel; all kinds of user packet data are encapsulated by the user security access protocol and transmitted encrypted in the corresponding transmission channel;
The corresponding classification rules are applied to the data transmitted on each transmission channel according to its characteristics, together with QoS marking and differentiated services: the real-time service channel and the data service channel are classified by user priority and service type and QoS-marked with a flow label or label equivalence class; the signalling channel is QoS-classified and marked by protocol type, and the data service channel is QoS-classified and marked by source and destination IP address, TCP/UDP port number and ToS field;
According to the characteristics of the data transmitted on each transmission channel, corresponding queue management and scheduling are implemented: the signalling channel is scheduled by custom queuing; the real-time service channel and the management channel are scheduled by priority queuing; the data service channel uses first-in-first-out, priority queuing or weighted fair queuing according to the QoS requirements of the service;
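The classification rules and per-channel queue disciplines just listed, worked as an added Python example (not code from the patent): packets are mapped to the signalling, management, real-time and data channels, QoS-marked, and then served by custom queuing, priority queuing or weighted fair queuing, with every channel limited to a pre-allocated share of a scheduling round. The protocol names, channel quotas, ToS weights and sample packets are constructed assumptions, since the patent states the rules without numbers.

```python
from collections import deque
from itertools import count

SIGNALING, MANAGEMENT, REALTIME, DATA = "signaling", "management", "realtime", "data"
CHANNEL_ORDER = (SIGNALING, REALTIME, MANAGEMENT, DATA)   # assumed forwarding priority between channels
# Assumed protocol-type tables; the text classifies the signalling channel by protocol type.
SIGNALING_PROTOCOLS = {"session-ctl", "key-dist", "routing", "label-dist", "link-state", "node-auth"}
MANAGEMENT_PROTOCOLS = {"netmgmt"}
REALTIME_PROTOCOLS = {"voice", "video"}
_SEQ = count()


class Packet:
    """Constructed packet: protocol/service type plus the header fields the rules look at."""
    def __init__(self, proto, src="0.0.0.0", dst="0.0.0.0", sport=0, dport=0, tos=0, prio=0, size=1):
        self.proto, self.src, self.dst, self.sport, self.dport = proto, src, dst, sport, dport
        self.tos, self.prio, self.size = tos, prio, size
        self.seq = next(_SEQ)  # arrival order, used to break ties


def classify(pkt):
    """Map a packet to (channel, QoS mark) with the classification rules of measure 1."""
    if pkt.proto in SIGNALING_PROTOCOLS:
        return SIGNALING, ("proto", pkt.proto)           # signalling: by protocol type
    if pkt.proto in MANAGEMENT_PROTOCOLS:
        return MANAGEMENT, ("proto", pkt.proto)
    if pkt.proto in REALTIME_PROTOCOLS:                   # real-time: user priority and service type,
        return REALTIME, ("flow", pkt.prio, pkt.proto)   # marked with a flow label
    # computer data service: src/dst IP, TCP/UDP ports and ToS field -> label equivalence class
    return DATA, ("lec", pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.tos)


class ChannelScheduler:
    """Per-channel queues with the discipline the text assigns to each channel: signalling =
    custom queuing (round robin over per-protocol sub-queues), real-time and management =
    priority queuing, data = FIFO, PQ or WFQ chosen by the service's QoS demand. Channels
    are served in forwarding-priority order, each limited to its pre-allocated share."""

    def __init__(self, quota, data_mode="wfq", tos_weight=None):
        self.quota = quota                  # channel -> packets per round (assumed bandwidth allocation)
        self.data_mode = data_mode          # "fifo" | "pq" | "wfq"
        self.tos_weight = tos_weight or {}  # ToS value -> WFQ weight (assumed)
        self.sig, self.sig_order = {}, []   # custom-queuing sub-queues and their round-robin order
        self.q = {MANAGEMENT: [], REALTIME: [], DATA: []}
        self.flow_finish, self.tag = {}, {} # WFQ virtual finish time per flow / per packet

    def enqueue(self, pkt):
        channel, mark = classify(pkt)
        if channel == SIGNALING:
            if mark[1] not in self.sig:
                self.sig[mark[1]] = deque()
                self.sig_order.append(mark[1])
            self.sig[mark[1]].append(pkt)
            return channel
        if channel == DATA and self.data_mode == "wfq":
            w = self.tos_weight.get(pkt.tos, 1)
            self.flow_finish[mark] = self.flow_finish.get(mark, 0) + pkt.size / w
            self.tag[pkt.seq] = self.flow_finish[mark]
        self.q[channel].append(pkt)
        return channel

    def _pop(self, channel):
        if channel == SIGNALING:  # custom queuing: visit the sub-queues in turn
            for _ in range(len(self.sig_order)):
                name = self.sig_order.pop(0)
                self.sig_order.append(name)
                if self.sig[name]:
                    return self.sig[name].popleft()
            return None
        q = self.q[channel]
        if not q:
            return None
        if channel == DATA and self.data_mode == "fifo":
            pkt = q[0]
        elif channel == DATA and self.data_mode == "wfq":
            pkt = min(q, key=lambda p: (self.tag[p.seq], p.seq))
        else:  # priority queuing: highest priority first, FIFO within a priority
            pkt = min(q, key=lambda p: (-p.prio, p.seq))
        q.remove(pkt)
        return pkt

    def run_round(self):
        """Serve channels in priority order, each up to its quota; return the (channel, proto) order."""
        out = []
        for ch in CHANNEL_ORDER:
            for _ in range(self.quota[ch]):
                pkt = self._pop(ch)
                if pkt is None:
                    break
                out.append((ch, pkt.proto))
        return out


def demo():
    """Constructed arrival sequence; returns the forwarding order of one scheduling round."""
    s = ChannelScheduler({SIGNALING: 2, REALTIME: 2, MANAGEMENT: 1, DATA: 2}, "wfq", {0: 1, 16: 4})
    for p in [Packet("ftp", "10.0.0.1", "10.0.0.9", 40000, 21, tos=0, size=4), Packet("routing"),
              Packet("ftp", "10.0.0.1", "10.0.0.9", 40000, 21, tos=0, size=4), Packet("voice", prio=1),
              Packet("netmgmt"), Packet("routing"),
              Packet("http", "10.0.0.2", "10.0.0.9", 40001, 80, tos=16, size=4),
              Packet("video", prio=5), Packet("key-dist")]:
        s.enqueue(p)
    return s.run_round()
```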
2) User security access
The network boundary is a key design point of the system security protection system and is implemented through the user security access protocol (USAP for short). The USAP protocol provides secure transmission for the signalling, protocol and service messages between the terminal and the switch; its main functions include terminal access authentication, transmission link establishment, channel isolation, and data integrity and anti-replay protection, and it provides a field protection code for the upper-layer protocols to support their secure interaction. The USAP protocol is closely combined with the higher-layer communication protocols; it can effectively prevent illegal terminals from accessing the network, protect the network system from attacks by illegal terminals, and guarantee the communication security of user services. The principle and effect of the USAP protocol are as follows:
A user terminal must first pass mutual authentication between the terminal equipment and the multi-service security switch before access. After terminal access authentication has passed, the USAP protocol accepts the application of the upper-layer protocol, establishes and opens the signalling transmission link and the management transmission link, and provides secure transmission service for signalling messages and network management information.
During communication link set-up, the session connection control protocol of the terminal applies to the USAP protocol to establish a transmission link for the service data. Through the channel set-up control flow, USAP establishes the corresponding transmission link between the terminal and the switch. After the session is established, the USAP binding relationship among the link number, the label and the source/destination IP addresses is set up, the transmission channel is opened, and the service data of this communication is transmitted securely in this channel, achieving service access control. At the same time, the USAP protocol completes the conversion between the terminal identity and the network address, achieving address separation. The address of the user terminal in the network (that is, the routing address of the switching equipment's user port) is visible only inside the network and is assigned automatically by the network for each communication. USAP establishes and maintains the binding relationship among this service, the terminal identity and the network address, and the switching equipment completes the conversion between the user address and the network address according to this binding relationship. Because the network is transparent to the user, the security of the network boundary is effectively guaranteed.
The USAP protocol periodically repeats the access authentication process, maintains the connection state of the transmission channels in real time, and dynamically updates the safety label field in the USAP header; data with an incorrect safety label is discarded. Packet data encapsulated by USAP has security features such as integrity and anti-replay, which effectively prevents tampering and replay attacks. At the same time, the packets transmitted in a USAP link carry no IP information, so the data flows are hidden and traffic-flow analysis is prevented.
The USAP protocol isolates service, signalling and network management data from one another on the subscriber line. Service data received by the switch on a USAP transmission channel can only enter the service channel of the network for switching and forwarding, and data arriving on a given network channel can only be transmitted in the corresponding USAP link.
In addition, the USAP protocol can provide protection for the upper-layer protocols: only protocol messages that pass legitimacy authentication are regarded as valid messages; otherwise they are discarded.
3) node security interconnection
Safety between network node (is called for short: the NSIP agreement) realize through the node security interconnection agreement.The NSIP agreement is that upper-layer protocol message and the label forwarding message between adjacent node provides the data security interaction platform; Major function comprises node interconnection discriminating, transmission channel isolation, data integrity and anti-playback protection, trunk line encryption and error correction etc.; And for upper-layer protocol provides the field protect sign indicating number, for the secure interactive of agreement provides support.NSIP agreement and upper layer communication agreement are combined closely, and can prevent effectively that illegal node from inserting, and avoid protocol system, signaling system, network management system and the operation system of network to receive the attack from illegal access node, guarantee the secure exchange of various information between node.The principle of NSIP agreement with the effect as follows:
Node interconnection first requires mutual authentication between the nodes. Once interconnection authentication has succeeded, the NSIP protocol generates a security authentication code that is used for the secure transmission of packet data. When upper-layer protocols on the two nodes exchange information, they first apply to NSIP for a security token and then encapsulate their messages with that token. NSIP checks the security token, provides transmission service for legitimate protocol messages, and drops illegitimate protocol messages. NSIP maintains in real time the correspondence between security tokens and security authentication codes, performs the packet-header conversion, and transmits in encrypted form the native protocol messages and forwarded packets encapsulated under the security authentication code. Packet data encapsulated by NSIP has integrity, anti-replay and confidentiality properties and can effectively prevent replay, tampering and impersonation attacks. NSIP periodically repeats the interconnection authentication, maintains the connection state of the channel and dynamically changes the security authentication code; data packets that have passed security authentication are not dropped.
NSIP keeps network system information and service data mutually isolated on the trunk link. Signaling, network management, service and activated-service traffic are divided into four independent dedicated channels, each with configurable bandwidth and a distinct forwarding priority on the trunk line. The signaling channel carries signaling messages, key distribution messages, routing protocol packets, label distribution protocol messages, link state maintenance messages and node interconnection authentication messages; the link state messages cover states such as bit error rate, packet loss and link up/down. The management channel carries network management information; the real-time service channel carries communication services such as voice and video; and the data service channel carries computer data services. The opening of each channel is controlled by node interconnection authentication: only after the legitimacy of the nodes has been mutually authenticated can the various classes of data be transmitted on the trunk.
NSIP applies cryptographic protection to the various kinds of network information and to user service data on the trunk. The trunk line has line-rate encryption and decryption capability, and every channel except node interconnection authentication messages can encrypt its information with a different working key. Trunk encryption is controlled by node interconnection authentication and only starts working after the nodes' legitimacy has been mutually authenticated.
In addition, NSIP provides protection for upper-layer protocols: only protocol messages that pass legitimacy authentication are treated as valid messages; all others are dropped.
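The token, authentication-code and anti-replay mechanism described above (and restated in claim 3) is modelled by the following added example; it is not the patent's implementation. Field layouts, lengths, the HMAC-based keystream and the pre-shared interconnect secret are all assumptions of this example.

```python
import hashlib, hmac, secrets, struct

# Constructed model of the NSIP token / authentication-code scheme; field layouts,
# lengths and names are this example's assumptions, not the patent's wire format.
TOKEN_LEN, SEQ_LEN, TAG_LEN = 8, 4, 16

def _keystream(code: bytes, header: bytes, n: int) -> bytes:
    """Counter-mode PRF keystream derived from the security authentication code."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(code, b"enc" + header + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class NsipLink:
    def __init__(self, interconnect_secret: bytes):
        # Assumed: the secret is the outcome of the nodes' mutual authentication.
        self.secret = interconnect_secret
        self.tokens = {}   # security token -> authentication code it is bound to
        self.seen = {}     # security token -> highest sequence number accepted
        self.rekey()

    def rekey(self) -> None:
        """Periodic re-authentication: fresh authentication code, live tokens rebound to it."""
        nonce = secrets.token_bytes(16)
        self.auth_code = hmac.new(self.secret, b"auth-code" + nonce, hashlib.sha256).digest()
        for token in self.tokens:
            self.tokens[token] = self.auth_code

    def issue_token(self) -> bytes:
        """An upper-layer protocol applies for a security token before it may send."""
        token = secrets.token_bytes(TOKEN_LEN)
        self.tokens[token] = self.auth_code
        return token

    def encapsulate(self, token: bytes, seq: int, payload: bytes) -> bytes:
        """Packet = token | seq | ciphertext | tag; the tag covers header and ciphertext."""
        code = self.tokens[token]
        header = token + struct.pack(">I", seq)
        body = bytes(p ^ k for p, k in zip(payload, _keystream(code, header, len(payload))))
        tag = hmac.new(code, b"mac" + header + body, hashlib.sha256).digest()[:TAG_LEN]
        return header + body + tag

    def decapsulate(self, packet: bytes):
        """(True, payload) for a legitimate packet, (False, reason) for one that is dropped."""
        if len(packet) < TOKEN_LEN + SEQ_LEN + TAG_LEN:
            return False, "short"
        header, body, tag = packet[:TOKEN_LEN + SEQ_LEN], packet[TOKEN_LEN + SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        token, seq = header[:TOKEN_LEN], struct.unpack(">I", header[TOKEN_LEN:])[0]
        code = self.tokens.get(token)
        if code is None:
            return False, "unknown token"   # illegal protocol message: no token was issued
        expect = hmac.new(code, b"mac" + header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return False, "bad tag"         # tampered, forged, or sealed under a stale code
        if seq <= self.seen.get(token, -1):
            return False, "replay"          # anti-replay: sequence numbers must advance
        self.seen[token] = seq
        return True, bytes(c ^ k for c, k in zip(body, _keystream(code, header, len(body))))
```

A packet sealed before `rekey()` fails the tag check afterwards, which is how a receiver tells a stale or forged packet from one produced under the current authentication code.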
4) Service admission control
Application services are governed by session connection control: the network refuses to carry service data for which a session connection has not been completed. During session connection, the authenticity of the signaling is verified to prevent signaling attacks by illegitimate terminals or nodes. To guarantee service security, the system sets up an end-to-end transmission channel for the service data under session connection control; the path through the network is selected by the source node according to the QoS characteristics of the links, or may be a route specified by network management configuration or a policy route. The user's service data is transmitted and switched on this transmission channel, and data outside the transmission channel is refused entry. Because service communication is subject, in turn, to terminal access control and authentication, session control, USAP link establishment control and USAP secure transmission, abnormal data can be effectively prevented from entering the network system, ensuring that user service data is accessed and transmitted securely.
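The following added example (not the patent's code) models how a trunk node combines the four-channel isolation from the NSIP section with the session admission rule above: channels stay closed until interconnection authentication, service channels refuse flows without a completed session, and queued packets are forwarded by channel priority. Channel names, the classification keys and the drain order are this example's assumptions.

```python
from collections import deque

# Added example of channel isolation plus session admission control; channel names,
# classification keys and the drain order are constructed assumptions following the text.
SIGNALING, MANAGEMENT, REALTIME, DATA = "signaling", "management", "realtime", "data"
CHANNEL_PRIORITY = [SIGNALING, REALTIME, MANAGEMENT, DATA]   # forwarding priority (assumed)
SIGNALING_PROTOS = {"routing", "label-dist", "key-dist", "link-state", "interconnect-auth"}


class TrunkNode:
    def __init__(self):
        self.authenticated = False    # result of node interconnection authentication
        self.sessions = set()         # (src, dst) flows admitted by session connection control
        self.queues = {c: deque() for c in CHANNEL_PRIORITY}
        self.dropped = []             # (reason, proto) of refused packets, for inspection

    def interconnect_authenticated(self) -> None:
        """Peer legitimacy authenticated: all four dedicated channels may now open."""
        self.authenticated = True

    def establish_session(self, src: str, dst: str) -> None:
        """Session connection completed: service data for this flow may now be carried."""
        self.sessions.add((src, dst))

    @staticmethod
    def classify(pkt: dict) -> str:
        """Choose the dedicated channel from the packet's own fields."""
        if pkt["proto"] in SIGNALING_PROTOS:
            return SIGNALING
        if pkt["proto"] == "netmgmt":
            return MANAGEMENT
        return REALTIME if pkt.get("realtime") else DATA

    def admit(self, pkt: dict):
        """Queue the packet on its channel and return the channel, or refuse it and return None."""
        channel = self.classify(pkt)
        # Before interconnection authentication only the authentication exchange itself passes.
        if not self.authenticated and pkt["proto"] != "interconnect-auth":
            self.dropped.append(("channel closed", pkt["proto"]))
            return None
        # Service channels carry only flows whose session connection has completed.
        if channel in (REALTIME, DATA) and (pkt["src"], pkt["dst"]) not in self.sessions:
            self.dropped.append(("no session", pkt["proto"]))
            return None
        self.queues[channel].append(pkt)
        return channel

    def drain(self) -> list:
        """Forward queued packets in channel priority order (strict priority, simplified)."""
        out = []
        for channel in CHANNEL_PRIORITY:
            while self.queues[channel]:
                out.append(self.queues[channel].popleft())
        return out
```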
5) Data encryption protection
Encryption of service data and system information is an important means of guaranteeing service and network security. User service data is encrypted end to end over the whole path, and the encrypted data is never decrypted within the network during transmission (the cipher "does not land"), which guarantees the confidentiality of the communication service. On the trunk line all data is encrypted: service data receives a second layer of encryption, strengthening its encryption strength, and inter-node signaling and network protocol messages are also encrypted, strengthening the security protection capability of the network system.
The present invention is not limited to the embodiments described above. It extends to any new feature or any new combination disclosed in this specification, and to any new method or process step or any new combination thereof so disclosed.

Claims (1)

1. A comprehensive security protection method based on an integrated network security service framework, characterized in that:
1) an information classification and isolation security measure is adopted:
Service data and system information are routed and switched independently: the node switching equipment provides separate routing tables for routing and switching the various kinds of information data, and provides relatively independent packet switching through a plurality of core switching matrices;
At trunk ports and user ports, dedicated transmission channels are established for service data and system information, and bandwidth is pre-allocated to each transmission channel: between routing/switching nodes, transmission channels are established separately for real-time service, data service, session connection signaling and network management through the node security interconnection protocol; after the nodes mutually authenticate, the corresponding channels are opened one by one and bandwidth is pre-allocated to each transmission channel between the nodes; packet data between nodes is encapsulated by the node security interconnection protocol and transmitted in encrypted form in the corresponding transmission channel;
Between a user terminal and a routing/switching node, transmission channels are established separately for real-time service, data service, session connection signaling and device management through the user security access protocol; after access authentication, the user terminal opens the corresponding channel for each service in turn, and bandwidth is pre-allocated to each transmission channel; all kinds of user packet data are encapsulated by the user security access protocol and transmitted in encrypted form in the corresponding transmission channel;
According to the characteristics of the data carried by each transmission channel, corresponding classification rules are applied and QoS marking and differentiated services are performed: the real-time service channel and the data service channel are classified by user priority and service type and QoS-marked with a flow label or a label equivalence class; the signaling channel is QoS-classified and marked by protocol type; the data service channel is QoS-classified and marked by source and destination IP address, TCP/UDP port number and ToS field;
According to the characteristics of the data carried by each transmission channel, corresponding queue management and scheduling are applied: the signaling channel is scheduled with custom queuing; the real-time service channel and the management channel are scheduled with priority queuing; the data service channel uses first-in-first-out queuing, priority queuing or weighted fair queuing as selected by the QoS requirement of the service;
2) a user security access measure is adopted:
The user security access protocol is used to realize secure transmission of signaling, protocol and service messages between the terminal and the switch: terminal access first requires mutual authentication between the terminal device and the switch; after authentication succeeds, the user security access protocol accepts applications from upper-layer protocols, establishes and opens the signaling transmission link and the management transmission link, and provides transmission service for signaling messages and network management information;
During communication link establishment, the terminal's session connection control protocol applies to the user security access protocol to set up a transmission link for service data; the user security access protocol establishes the corresponding transmission link between the terminal and the switch through the channel establishment control flow; after the session is established, the user security access protocol creates the binding between the link number, the label and the source/destination IP addresses, opens the transmission channel, and the service data of this communication is transmitted in that channel; at the same time, the user security access protocol performs the conversion between the terminal identifier and the network address, realizing address separation: the user terminal's address in the network is presented only inside the network and is assigned automatically by the network for each communication; the user security access protocol establishes and maintains the binding between the current service, the terminal identifier and the network address, and the switching equipment is responsible for converting between the user address and the network address on the basis of this binding;
3) a node security interconnection measure is adopted:
The node security interconnection protocol is used to realize secure transmission of signaling, protocol and service messages between network nodes: the node security interconnection protocol provides a secure data interaction platform for upper-layer protocol messages and label-forwarded messages between adjacent nodes; node interconnection first requires mutual authentication between the nodes; after authentication succeeds, the node security interconnection protocol generates a security authentication code used for the secure transmission of packet data; when upper-layer protocols between the nodes exchange information, they first apply to the node security interconnection protocol for a security token and encapsulate their messages with that token; the node security interconnection protocol checks the security token and provides transmission service only for legitimate protocol messages;
The node security interconnection protocol divides signaling, management, service and activated-service traffic into four independent dedicated channels on the trunk line, each with configurable bandwidth and a distinct forwarding priority; the signaling channel carries signaling messages, key distribution messages, routing protocol packets, label distribution protocol messages, link state maintenance messages and node interconnection authentication messages, where the link state maintenance messages include bit error rate, packet loss and link up/down state; the management channel carries network management information; the service channel carries communication services and computer data services; the opening of each channel is controlled by node interconnection authentication, and only after the nodes' legitimacy has been authenticated can the various classes of data be transmitted on the corresponding channels; the node security interconnection protocol provides protection for upper-layer protocols, and only protocol messages that pass legitimacy authentication are regarded as valid messages;
4) a service admission control security measure is adopted:
Application services are governed by session connection control, and the network refuses to carry service data for which a session connection has not been completed; during session connection, the authenticity of the signaling is verified; the system sets up an end-to-end transmission channel for service data under session connection control, and the path through the network is selected by the source node according to the QoS characteristics of the links, or is a route specified by network management configuration or a policy route;
5) a data encryption protection security measure is adopted:
User service data is encrypted end to end over the whole path, and the encrypted data is not decrypted within the network during transmission.
CN 201010125026 2010-03-16 2010-03-16 Comprehensive safety protecting method based on integral network safety service framework Active CN101800753B (en)
Publications (2)

Publication Number Publication Date
CN101800753A CN101800753A (en) 2010-08-11
CN101800753B true CN101800753B (en) 2012-07-18