CN102790775A - Method and system for enhancing network safety performance - Google Patents

Method and system for enhancing network safety performance

Info

Publication number
CN102790775A
Authority
CN
China
Prior art keywords
data
terminal equipment
authentication
network
encryption
Legal status
Pending
Application number
CN201210271797XA
Other languages
Chinese (zh)
Inventor
张建良
郑毅彬
张立殷
Current Assignee
YINGHANTONG NETWORK TECH Co Ltd BEIJING
Original Assignee
YINGHANTONG NETWORK TECH Co Ltd BEIJING

Abstract

The invention discloses a method and a system for enhancing network security. The method comprises the following steps: in an industrial network, determining the data that a first terminal device needs to send to a second terminal device; at the data sending end, encrypting the data over an established tunnel and sending the encrypted data; and at the data receiving end, decrypting the received encrypted data over the established tunnel and sending the decrypted data to the second terminal device. The embodiment of the invention provides a technical scheme for enhancing network security in industrial network environments such as industrial redundant Ethernet. In this scheme, encryption tunnel technology protects the confidentiality and integrity of data on the network, so that the security of data transmission in the industrial network can be effectively guaranteed.

Description

Method and system for enhancing network security performance
Technical field
The present invention relates to the field of communication technology, and in particular to a method and system for enhancing network security performance.
Background technology
In industrial environments, or in data communication fields that require high reliability, for example factory automation systems, intelligent transport systems (ITS), substations and other harsh environments, network designs widely use Ethernet technology to connect industrial equipment into a dedicated network, and usually provide data link protection through a redundant network topology.
Specifically, as shown in Fig. 1, in an industrial redundant Ethernet, a ring network formed by connecting a number of industrial Ethernet switches (hereinafter referred to as switches) provides highly reliable data communication for harsh industrial environments. Industrial redundant Ethernet faces security challenges on several fronts. For example, as shown in Fig. 2, an attacker may use any one or more of the following three attack patterns:
(1) the attacker can access the dedicated network (the industrial redundant Ethernet) with a forged identity (a spoofed terminal);
(2) the attacker can eavesdrop on or tamper with communication data on the network;
(3) the attacker can disrupt the normal operation of the industrial redundant Ethernet through the management of a switch.
At present, the following technical means are adopted to ensure the security of industrial redundant Ethernet:
Technical means one: broadcast storm control
Broadcast storm control limits the amount of broadcast traffic by configuring a broadcast storm suppression policy on switch ports. Specifically, as shown in Fig. 3, if a broadcast storm suppression policy is configured on a switch port, only broadcast traffic within the specified rate can pass through the switch, and traffic exceeding that rate is dropped.
Technical means two: VLAN division
Dividing the network into virtual LANs (VLANs) shrinks the broadcast domain so as to isolate services. Specifically, as shown in Fig. 4, switch ports are divided into different VLANs, and broadcast traffic entering the switch is forwarded only to ports belonging to the same VLAN; for example, broadcast traffic entering the switch from VLAN 10 is forwarded only to ports belonging to VLAN 10, and ports belonging to other VLANs do not receive it.
Technical means three: IEEE802.1x secure authentication
In IEEE802.1x secure authentication, the device connected to a physical switch port is subjected to user authentication and authorization, so that access by unauthorized devices is prohibited. For example, as shown in Fig. 5, after IEEE802.1x authentication is enabled, a switch port is initially in the unauthorized state, and the network cannot be accessed through that port. When a terminal is plugged into the port, the switch sends an authentication request to the terminal and authenticates the user information and password that the terminal returns: if authentication succeeds, the switch authorizes the port and allows the terminal to access the network; if authentication fails, the switch sets the port to the unauthorized state and denies the terminal network access.
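The port state machine described above, as an added example that is not part of the patent: a switch port starts unauthorized, the switch challenges the attached terminal, and only a successful credential check by the authentication server moves the port to the authorized state; frames on an unauthorized port never reach the network. The user names, passwords and port name are constructed sample data, and the credential check is a plain salted-hash comparison standing in for whatever the authentication server actually uses.

```python
"""Port-based access control in the style of IEEE802.1x (added example, not the
patent's code). Credentials and port names below are constructed sample data."""
import hashlib
import hmac
import os


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds plaintext passwords (assumption:
    # the real authentication server may use a different verifier).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_store(users: dict) -> dict:
    """Build a credential store {user: (salt, digest)} from constructed users."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, _digest(password, salt))
    return store


class AuthServer:
    """Stands in for the network-side authentication server."""

    def __init__(self, store: dict):
        self.store = store

    def verify(self, user: str, password: str) -> bool:
        record = self.store.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(_digest(password, salt), digest)


class SwitchPort:
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"

    def __init__(self, name: str, auth_server: AuthServer):
        self.name = name
        self.auth = auth_server
        self.state = self.UNAUTHORIZED   # initial state after 802.1x is enabled
        self.user = None

    def link_up(self, supplicant) -> str:
        """Terminal plugged in: the switch challenges, the supplicant answers
        with (user, password), and the port state follows the verdict."""
        user, password = supplicant()
        if self.auth.verify(user, password):
            self.state, self.user = self.AUTHORIZED, user
        else:
            self.state, self.user = self.UNAUTHORIZED, None
        return self.state

    def link_down(self) -> None:
        # Unplugging the terminal returns the port to the unauthorized state.
        self.state, self.user = self.UNAUTHORIZED, None

    def forward(self, frame: bytes):
        """Only frames arriving on an authorized port are forwarded."""
        return frame if self.state == self.AUTHORIZED else None


def demo() -> dict:
    server = AuthServer(make_store({"plc-01": "correct horse"}))
    port = SwitchPort("port-1", server)
    results = {"initial_blocked": port.forward(b"hello") is None}
    results["bad_password"] = port.link_up(lambda: ("plc-01", "wrong"))
    results["still_blocked"] = port.forward(b"hello") is None
    results["good_password"] = port.link_up(lambda: ("plc-01", "correct horse"))
    results["passes"] = port.forward(b"hello") == b"hello"
    port.link_down()
    results["after_unplug"] = port.state
    return results
```

The check a practitioner would add on top of this is the one the patent itself requires later (step S706): the exchange between the switch and the authentication server has to travel inside the encryption tunnel, otherwise the credentials are exposed on the ring the scheme is trying to protect.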
None of the three technical means currently used to ensure network security can adequately counter the three attack forms shown in Fig. 2. Although broadcast storm control and VLAN division can resist flooding attacks, they are ineffective against eavesdropping, spoofing and similar attacks on the network; and although IEEE802.1x secure authentication can effectively prevent a spoofed terminal from accessing the network, it cannot solve security problems such as eavesdropping on and tampering with traffic on the ring.
In short, the protection provided by existing industrial Ethernet switch security techniques is limited and cannot effectively guarantee the confidentiality and integrity of data communication on an industrial redundant Ethernet.
Summary of the invention
The object of the present invention is to provide a method and system for enhancing network security performance, so as to guarantee the security of data transmission in an industrial network.
The object of the invention is achieved through the following technical scheme:
A method for enhancing network security performance comprises:
in an industrial network, determining the data that a first terminal device needs to send to a second terminal device;
at the data sending end, encrypting said data over an established tunnel and sending the encrypted data;
at the data receiving end, decrypting the received encrypted data over the established tunnel and sending the decrypted data to said second terminal device.
Optionally, said data sending end comprises a terminal device, a switch or an access device; said data receiving end comprises a terminal device, a switch or an access device.
Optionally, said industrial network comprises an industrial redundant Ethernet.
Further, the method also comprises:
after the data sending end detects the access of the first terminal device, or after it receives data sent by the first terminal device, performing access authentication on said first terminal device, and performing the subsequent encryption only on data sent by a first terminal device that has passed access authentication;
and/or,
after a network device receives management operation information sent by a management user, authenticating said management user, and executing the corresponding management operation only for management operation information sent by a management user that has passed authentication;
and/or,
after the data sending end receives data that the first terminal device needs to send to the second terminal device, determining according to a predefined first access control list (ACL) whether sending said data is permitted, and performing the subsequent encryption on said data only when it is determined to be permitted;
and/or,
after the data receiving end receives the encrypted data sent by the data sending end, determining according to a predefined second ACL whether continuing to receive said data is permitted, and performing the subsequent decryption on said data only when it is determined to be permitted.
Further, said access authentication comprises authentication based on IEEE802.1x, or access authentication based on port security.
Optionally, if said access authentication is authentication based on IEEE802.1x, said data sending end or data receiving end needs to exchange authentication information with an authentication server on the network side, and said authentication information is transmitted through said established tunnel.
Optionally, the first ACL defines in advance the source address of a terminal device and the destination addresses or network services that the terminal device is permitted to access, and the second ACL defines in advance the characteristics of data frames encrypted through the tunnel.
A system for enhancing network security performance comprises:
a data sending end, located in the industrial network, for encrypting said data over an established tunnel after determining the data that a first terminal device needs to send to a second terminal device, and sending the encrypted data to the data receiving end;
a data receiving end, located in the industrial network, for decrypting the received encrypted data over the established tunnel and sending the decrypted data to said second terminal device.
Further, the system also comprises:
after said data sending end receives data that the first terminal device needs to send to the second terminal device, it also performs access authentication on said first terminal device, and performs the subsequent encryption only on data sent by a first terminal device that has passed access authentication;
and/or,
after a network device receives management operation information sent by a management user, it authenticates said management user, and executes the corresponding management operation only for management operation information sent by a management user that has passed authentication;
and/or,
after said data sending end receives data that the first terminal device needs to send to the second terminal device, it also determines according to a predefined first access control list (ACL) whether sending said data is permitted, and performs the subsequent encryption on said data only when it is determined to be permitted;
and/or,
after said data receiving end receives the encrypted data sent by the data sending end, it determines according to a predefined second ACL whether continuing to receive said data is permitted, and performs the subsequent decryption on said data only when it is determined to be permitted.
If said access authentication is authentication based on IEEE802.1x, said data sending end or data receiving end needs to exchange authentication information with an authentication server on the network side, and said authentication information is transmitted through said established tunnel.
It can be seen from the technical scheme provided above that the embodiment of the invention provides a scheme capable of enhancing network security in industrial network environments such as industrial redundant Ethernet. In this scheme, encryption tunnel technology protects the confidentiality and integrity of data on the network, which effectively guarantees the security of data transmission in the industrial network. Further, ACL technology can filter the data passing through devices such as switches, and IEEE802.1x or port security technology can effectively prevent unauthorized devices from accessing physical switch ports, thereby further strengthening the resistance of devices such as switches to attack.
Description of drawings
To illustrate the technical scheme of the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of an industrial redundant Ethernet in the prior art;
Fig. 2 is a diagram of the potential security hazards of an industrial redundant Ethernet in the prior art;
Fig. 3 is a diagram of broadcast storm suppression technology in the prior art;
Fig. 4 is a diagram of VLAN division technology in the prior art;
Fig. 5 is a diagram of the processing flow of access authentication technology in the prior art;
Fig. 6 is a diagram of the processing flow provided by the invention;
Fig. 7 is a diagram of the processing flow of an application embodiment provided by the invention;
Fig. 8 is a diagram of the security strategy for an industrial redundant Ethernet provided by the invention;
Fig. 9 is a diagram of the processing flow for local data provided by the invention;
Fig. 10 is a diagram of the processing flow for remote data provided by the invention.
Embodiment
The technical scheme in the embodiments of the invention is described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The embodiments of the invention are described in further detail below with reference to the drawings.
The invention provides a method for enhancing network security performance; as shown in Fig. 6, its implementation can comprise the following processing steps:
Step S600: in the industrial network, determine the data that the first terminal device needs to send to the second terminal device. The industrial network can be, but is not limited to, an industrial redundant Ethernet; it can also be another industrial network with similar network security protection requirements.
Step S602: at the data sending end, encrypt said data over the established tunnel and send the encrypted data.
The data sending end can be, but is not limited to, a terminal device, a switch, an access device or the like; likewise, the data receiving end can be, but is not limited to, a terminal device, a switch, an access device or the like.
Step S604: at the data receiving end, decrypt the received encrypted data over the established tunnel and send the decrypted data to said second terminal device.
In the present invention, to further improve network security, any one or more of the following technical processing means can also be adopted (but not limited to) to protect the security of data transmitted in the network; specifically:
Technical processing means one: after the data sending end detects the access of the first terminal device, or after it receives data sent by the first terminal device, it performs access authentication on said first terminal device and performs the subsequent encryption only on data sent by a first terminal device that has passed access authentication; data sent by a first terminal device that has not passed access authentication is dropped or ignored, that is, it is not allowed to be transmitted in the network.
In technical processing means one, the access authentication can be, but is not limited to, authentication based on IEEE802.1x or access authentication based on port security. Further, if the access authentication is authentication based on IEEE802.1x, said data sending end or network device needs to exchange authentication information with the authentication server on the network side, and said authentication information is transmitted through said established tunnel.
Technical processing means two: after a network device receives management operation information sent by a management user, it authenticates said management user and executes the corresponding management operation only for management operation information sent by a management user that has passed authentication. The network device can be a switch, an access device or the like.
In technical processing means two, if the authentication is based on an authentication server, said data sending end or network device needs to exchange authentication information with the authentication server on the network side, and said authentication information is transmitted through said established tunnel.
Technical processing means three: after the data sending end receives data that the first terminal device needs to send to the second terminal device, it determines according to the predefined first ACL whether sending said data is permitted and performs the subsequent encryption on said data only when it is determined to be permitted; data that does not meet the predefined conditions in the first ACL is dropped or ignored, that is, it is not allowed to be transmitted in the network.
Technical processing means four: after the data receiving end receives the encrypted data sent by the data sending end, it determines according to the predefined second ACL whether continuing to receive said data is permitted and performs the subsequent decryption on said data only when it is determined to be permitted; likewise, data that does not meet the predefined conditions in the second ACL is dropped or ignored, that is, it is not allowed to be transmitted in the network.
It should be noted that the first ACL can specifically define in advance the source address of a terminal device and the destination addresses or network services that the terminal device is permitted to access, and the second ACL defines in advance the characteristics of data frames encrypted through the tunnel. Thus both the data sending end and the data receiving end can filter the data passing through them according to the corresponding ACL, that is, only data meeting the predefined rules of the first ACL or the second ACL is allowed to be transmitted in the network, which further effectively guarantees network security.
Through the above technical scheme, the invention provides a scheme that can enhance network security in industrial network environments such as industrial redundant Ethernet. In this scheme, encryption tunnel technology protects the confidentiality and integrity of data on the network. Further, ACL technology can filter the data passing through devices such as switches, and IEEE802.1x or port security technology can effectively prevent unauthorized devices from accessing physical switch ports. When IEEE802.1x authentication is used, the device can communicate with an AAA (Authentication, Authorization, Accounting) authentication server to perform AAA authentication, thereby effectively strengthening the resistance of devices such as switches to attack.
For ease of understanding, the implementation of the invention is described in detail below with reference to a specific application embodiment.
In the following embodiment of the invention, a redundancy protocol, ACLs, IEEE802.1x authentication or port security technology, and an encryption tunnel protocol are used to establish a secure industrial redundant Ethernet. In the following description, the switches serve as the above data sending end and data receiving end; for ease of description and understanding, the port through which a switch connects to the industrial redundant Ethernet is called the network-side port, and all ports on the switch other than the network-side port are collectively called device-side ports.
As shown in Fig. 7 and Fig. 8, the specific implementation of the embodiment of the invention can comprise the following steps:
Step S700: VLAN technology can be used (but is not limited to) to divide switch ports into network-side ports and device-side ports. Network-side ports connect the switch to the redundant Ethernet (the industrial redundant Ethernet), and device-side ports connect terminal devices.
Step S702: a link redundancy protocol is run on the network-side ports of the switch, for example (but not limited to) the Rapid Spanning Tree Protocol (RSTP), to build a ring network that provides redundant backup links for data communication.
Step S704: the network-side ports of the switch use an encryption tunnel to encrypt business data, so as to guard against eavesdropping, spoofing, man-in-the-middle attacks and the like on the network and to effectively guarantee the confidentiality and integrity of uplink and downlink data.
The encryption tunnel can be, but is not limited to, a tunnel established under IPSec (Internet Protocol Security), PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), VPN (Virtual Private Network) or the like. For example, if the communication traffic is all IP data, an IPsec tunnel mechanism can be used to encrypt and authenticate the traffic, that is, a corresponding IPsec tunnel is established for the secure transmission of subsequent data; if the communication traffic is multi-protocol data, a layer 2 tunnel mechanism such as PPTP or L2TP can be used to protect the traffic, that is, a corresponding layer 2 tunnel is established for the secure transmission of subsequent data.
Step S706: all device-side ports on the switch can also use IEEE802.1x or port security technology to prevent access by unauthorized terminal devices.
If IEEE802.1x authentication is used, the terminal devices accessing the Ethernet must support the IEEE802.1x client (supplicant) protocol. If an authentication service (such as RADIUS (Remote Authentication Dial-In User Service) or TACACS+ (Terminal Access Controller Access Control System)) is used to authenticate IEEE802.1x requests, the authentication server (also called the AAA authentication server) must be placed behind the VPN server, so that the authentication traffic is protected by the encryption tunnel of step S704.
Further, for switches or access terminal devices that do not support IEEE802.1x authentication or port security technology, IP-MAC address binding can be used to restrict access, that is, the MAC address of the accessing device is bound to a designated port and all other MAC addresses are prohibited.
Step S708: ACLs can be applied on all ports of the switch to allow only secure traffic to pass and to filter (that is, block) all other data.
Of course, if the switch or access device does not support ACLs, this step can be omitted.
Specifically, to ensure that bidirectional data in the switch is controlled, the following can be configured:
On all device-side ports of the switch, configure an ACL (the first ACL described above) that allows only the data of authorized terminal devices to enter the switch acting as the data sending end and filters all other data. The filtering rules can use MAC address, IP address and the required service (protocol) type.
On the network-side ports of the switch, configure an ACL (the second ACL described above) that allows only the encrypted traffic of the tunnel mechanism of step S704 to enter the switch acting as the data receiving end and filters all other data.
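The two ACLs of step S708 (and of technical processing means three and four above), as an added example that is not the patent's code: a first-match evaluator with an implicit deny, a device-side ACL that admits one authorized terminal by MAC address, IP address and service, and a network-side ACL that admits only tunnel traffic. The addresses and rules are constructed sample data; the tunnel ports and protocols (IPsec ESP, IKE on UDP 500/4500, L2TP on UDP 1701, PPTP control on TCP 1723 with its GRE data channel) are the standard registered values, and Modbus/TCP on port 502 stands in for the "required service" of the first ACL.

```python
"""Device-side and network-side ACL filtering (added example, not the patent's
code). Addresses, MACs and flows are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str                   # "tcp", "udp", "esp", "gre"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src_mac: Optional[str] = None
    src_ip: Optional[str] = None      # single address or CIDR
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match; unset fields are wildcards.
        if self.src_mac and self.src_mac.lower() != p.src_mac.lower():
            return False
        if self.src_ip and ip_address(p.src_ip) not in ip_network(self.src_ip, strict=False):
            return False
        if self.dst_ip and ip_address(p.dst_ip) not in ip_network(self.dst_ip, strict=False):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule decides; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# First ACL (device-side ports): only the authorized terminal, identified by MAC and
# IP, may reach the one server it needs, on the one service it needs (constructed).
DEVICE_SIDE_ACL = [
    Rule("permit", src_mac="00:11:22:33:44:55", src_ip="10.0.1.10",
         dst_ip="10.0.2.20", proto="tcp", dst_port=502),
]

# Second ACL (network-side ports): only frames belonging to the tunnel mechanisms of
# step S704 are admitted; anything in cleartext is dropped at the ring.
NETWORK_SIDE_ACL = [
    Rule("permit", proto="esp"),                 # IPsec ESP
    Rule("permit", proto="udp", dst_port=500),   # IKE
    Rule("permit", proto="udp", dst_port=4500),  # IKE / ESP over UDP (NAT-T)
    Rule("permit", proto="udp", dst_port=1701),  # L2TP
    Rule("permit", proto="tcp", dst_port=1723),  # PPTP control channel
    Rule("permit", proto="gre"),                 # PPTP data channel
]


def demo() -> dict:
    authorized = Packet("00:11:22:33:44:55", "10.0.1.10", "10.0.2.20", "tcp", 502)
    spoofed_ip = Packet("00:11:22:33:44:55", "10.0.1.99", "10.0.2.20", "tcp", 502)
    wrong_service = Packet("00:11:22:33:44:55", "10.0.1.10", "10.0.2.20", "tcp", 23)
    esp = Packet("aa:bb:cc:dd:ee:ff", "10.0.9.1", "10.0.9.2", "esp")
    cleartext = Packet("aa:bb:cc:dd:ee:ff", "10.0.9.1", "10.0.2.20", "tcp", 502)
    return {
        "authorized": evaluate(DEVICE_SIDE_ACL, authorized),
        "spoofed_ip": evaluate(DEVICE_SIDE_ACL, spoofed_ip),
        "wrong_service": evaluate(DEVICE_SIDE_ACL, wrong_service),
        "esp_on_network_port": evaluate(NETWORK_SIDE_ACL, esp),
        "cleartext_on_network_port": evaluate(NETWORK_SIDE_ACL, cleartext),
    }
```

The second ACL is the one that does most of the work against the ring-side attacks in Fig. 2: a cleartext Modbus request arriving on a network-side port is dropped before it is ever forwarded, regardless of whether its addresses look legitimate.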
Step S710: on all switches, an AAA authentication service (such as RADIUS or TACACS+) can be used (but is not limited to) to ensure that the switches are managed securely, that is, switch administrator users and their permissions are set up on the authentication server, and only users that pass authentication can act as switch administrators and perform management operations on the switch. As in step S706, this authentication server must also be placed behind the VPN server, so that the authentication traffic is protected by the encryption tunnel of step S704.
It should be noted that in step S710, if the switch does not support AAA authentication, other permission management means can be used to restrict the administrative permissions of the switch or access device.
Based on the above processing, the specific implementation of the invention is further described below using the corresponding data transmission as an example.
As shown in Fig. 9, after steps S700 to S710 have implemented the scheme of the invention, the processing flow that local data sent from a terminal device undergoes while passing through the switch can comprise:
(1) after local data sent by the terminal device enters a device-side port of the switch, the IEEE802.1x authentication state or port security check is performed. When IEEE802.1x authentication is used, if the local data belongs to a terminal user that has been authorized on this port, step (2) is executed; otherwise the data is dropped. When port security is used, if the source MAC (media access control) address of the local data frame is contained in the secure MAC address list of this port, step (2) is executed; otherwise the data is dropped.
(2) the switch matches the local data against the rules predefined in the ACL on this device-side port: if the match succeeds and the predefined ACL action is permit, step (3) is executed on the local data; otherwise the local data is dropped. The rules in this ACL define the source address and information such as the destination addresses and network services that this terminal device is permitted to access.
(3) the switch forwards the local data to the corresponding network-side port according to the switching (or routing) forwarding rules, and executes step (4).
(4) the switch encrypts the local data using the tunnel established in advance, and sends the tunnel-encrypted local data onto the industrial redundant Ethernet through the network-side port.
Correspondingly, as shown in Fig. 10, after steps S700 to S710 have implemented the scheme of the invention, the processing flow that remote data from the industrial redundant Ethernet undergoes while passing through the switch comprises:
(5) after remote data enters the switch through a network-side port, it is matched against the ACL rules predefined on this network-side port: if the match succeeds and the predefined ACL action is permit, step (6) is executed on the remote data; otherwise the data is dropped. The rules in this ACL define the characteristics of data frames encrypted through the tunnel.
(6) the switch forwards the data to the corresponding device-side port according to the switching (or routing) forwarding rules, and executes step (7).
(7) the switch decrypts the remote data using the tunnel established in advance, and sends the decrypted data out through the device-side port.
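Steps (1) to (7) end to end, as an added example that is not the patent's code: two switches share a tunnel key, switch A runs the port security check, the device-side allow-list and tunnel encryption on local data, and switch B runs the network-side "tunnel frames only" check and tunnel decryption on what arrives from the ring. The tunnel is a stand-in built from the standard library (an HMAC-SHA256 keystream for confidentiality and an HMAC tag for integrity, encrypt-then-MAC), not IPsec or L2TP; the MAC addresses, device names, keys and payload are constructed, and the `TUN1` frame marker is an assumption that plays the role of the tunnel-frame characteristics the second ACL matches on.

```python
"""Switch pipeline for local (1-4) and remote (5-7) data (added example, not the
patent's code). The tunnel is a standard-library stand-in, not IPsec/L2TP."""
import hashlib
import hmac
import os
import struct

TUNNEL_TAG = b"TUN1"   # constructed marker the network-side rule recognises


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # Counter-mode keystream derived from HMAC-SHA256 (toy cipher for the demo).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def tunnel_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, TUNNEL_TAG + nonce + ct, hashlib.sha256).digest()
    return TUNNEL_TAG + nonce + ct + tag          # marker | nonce | ciphertext | tag


def tunnel_decrypt(enc_key: bytes, mac_key: bytes, frame: bytes):
    if len(frame) < 4 + 12 + 32 or frame[:4] != TUNNEL_TAG:
        return None
    nonce, ct, tag = frame[4:16], frame[16:-32], frame[-32:]
    expected = hmac.new(mac_key, TUNNEL_TAG + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                                # tampered or forged frame
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Switch:
    def __init__(self, secure_macs, allowed_flows, enc_key, mac_key):
        self.secure_macs = set(secure_macs)        # port security list, step (1)
        self.allowed_flows = set(allowed_flows)    # first ACL as (src_mac, dst), step (2)
        self.enc_key, self.mac_key = enc_key, mac_key
        self.dropped = []                          # audit trail of what was filtered

    def egress_local(self, src_mac: str, dst: str, payload: bytes):
        """Steps (1)-(4): device-side port -> checks -> tunnel -> network-side port."""
        if src_mac not in self.secure_macs:
            self.dropped.append(("port-security", src_mac))
            return None
        if (src_mac, dst) not in self.allowed_flows:
            self.dropped.append(("acl1", src_mac, dst))
            return None
        header = f"{src_mac}>{dst}|".encode()      # step (3): forwarding info rides inside
        return tunnel_encrypt(self.enc_key, self.mac_key, header + payload)   # step (4)

    def ingress_remote(self, frame: bytes):
        """Steps (5)-(7): network-side port -> second ACL -> decrypt -> device-side port."""
        if not frame.startswith(TUNNEL_TAG):        # step (5): only tunnel frames pass
            self.dropped.append(("acl2", "not-tunnel"))
            return None
        plain = tunnel_decrypt(self.enc_key, self.mac_key, frame)   # step (7)
        if plain is None:
            self.dropped.append(("tunnel", "integrity-failure"))
            return None
        header, _, payload = plain.partition(b"|")
        _, _, dst = header.decode().partition(">")
        return dst, payload                         # delivered via device-side port, step (6)


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    sw_a = Switch(["00:11:22:33:44:55"], [("00:11:22:33:44:55", "hmi-1")], enc_key, mac_key)
    sw_b = Switch(["66:77:88:99:aa:bb"], [], enc_key, mac_key)
    results = {}
    frame = sw_a.egress_local("00:11:22:33:44:55", "hmi-1", b"READ HOLDING 40001")
    results["plaintext_visible_on_ring"] = b"READ HOLDING" in frame
    results["delivered"] = sw_b.ingress_remote(frame)
    flipped = frame[:-40] + bytes([frame[-40] ^ 1]) + frame[-39:]   # one ciphertext bit
    results["tampered"] = sw_b.ingress_remote(flipped)
    results["spoofed_mac"] = sw_a.egress_local("de:ad:be:ef:00:01", "hmi-1", b"x")
    results["unauthorized_dst"] = sw_a.egress_local("00:11:22:33:44:55", "plc-9", b"x")
    results["cleartext_on_ring"] = sw_b.ingress_remote(b"READ HOLDING 40001")
    results["drops_at_b"] = [d[0] for d in sw_b.dropped]
    return results
```

The integrity check in `tunnel_decrypt` is what answers attack form (2): a single flipped bit on the ring is rejected before anything reaches the device-side port, and the drop is recorded so the event can be alerted on.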
In the above processing, tunnel encryption and ACL technology provide a secure, encrypted data channel at the data-channel level and resist attacks such as eavesdropping and spoofing on the network. Further, IEEE802.1x (or port security) and ACL technology prevent unauthorized devices from accessing the network at the terminal-access level. In addition, the embodiment of the invention also uses AAA authentication and places the authentication server behind the VPN server, ensuring at the network-management level that the network devices are managed securely.
In general, the invention can effectively enhance the security of industrial redundant Ethernet, and has important practical significance for data communication fields that require high reliability and high security in industrial environments.
In step S604 of the scheme of the invention, the encryption tunnel need not be established between the switch and the remote device; it can also be established between the local terminal and the remote device.
The invention also provides a system for enhancing network security performance, which can specifically comprise:
a data sending end, located in the industrial network, for encrypting said data over an established tunnel after determining the data that a first terminal device needs to send to a second terminal device, and sending the encrypted data to the data receiving end;
a data receiving end, located in the industrial network, for decrypting the received encrypted data over the established tunnel and sending the decrypted data to said second terminal device.
In this system, the data sending end can be, but is not limited to, a terminal device, a switch, an access device or the like; likewise, the data receiving end can be, but is not limited to, a terminal device, a switch, an access device or the like.
To further improve the security of the system, the system can also comprise (but is not limited to) at least one of the following technical processing means, specifically:
(1) after the data sending end detects the access of the first terminal device, or after it receives data sent by the first terminal device, it also performs access authentication on said first terminal device, and performs the subsequent encryption only on data sent by a first terminal device that has passed access authentication;
(2) after a network device receives management operation information sent by a management user, it performs access authentication on said management user, and executes the corresponding management operation only for management operation information sent by a management user that has passed access authentication; the network device can be a switch, an access device or the like;
(3) after the data sending end receives data that the first terminal device needs to send to the second terminal device, it also determines according to a predefined first access control list (ACL) whether sending said data is permitted, and performs the subsequent encryption on said data only when it is determined to be permitted;
(4) after the data receiving end receives the encrypted data sent by the data sending end, it determines according to a predefined second ACL whether continuing to receive said data is permitted, and performs the subsequent decryption on said data only when it is determined to be permitted.
If said access authentication is authentication based on IEEE802.1x, said data sending end or network device needs to exchange authentication information with an authentication server on the network side, and said authentication information is transmitted through said established tunnel.
In this system, the concrete processing mode that data sending terminal and data receiver adopted has been described in detail in method is before described, so repeating no more.
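The measures above (access authentication of the first terminal, a first ACL at the sending end, tunnel encryption, a second ACL at the receiving end, decryption and forwarding) together form one pipeline. The following Go program is an added example that is not part of the patent or of the applicant's implementation; it models both ends of that pipeline so the gating order can be observed. The patent names no cipher, so AES-256-GCM is assumed here to cover both confidentiality and integrity; the tunnel key, the addresses, the "modbus" service name, the constant tunnelID used as the "characteristic of tunnel-encrypted frames" that the second ACL matches, and the Frame layout are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Frame is a simplified data frame from a first terminal device to a second one.
type Frame struct {
	Src     string `json:"src"`     // source address of the first terminal device
	Dst     string `json:"dst"`     // destination address of the second terminal device
	Service string `json:"service"` // requested network service, e.g. "modbus"
	Payload []byte `json:"payload"`
}

// AclRule is one entry of the first ACL (claim 7): a terminal source address and the destination / service it may reach.
type AclRule struct{ Src, Dst, Service string }

// tunnelID marks a frame as carried by the pre-established tunnel: the "characteristic" the second ACL matches.
const tunnelID byte = 0x7e
// newTunnelAEAD models the tunnel's cipher state. The patent names no cipher; AES-256-GCM is assumed.
func newTunnelAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sender is the data sending end (e.g. the access switch).
type Sender struct {
	Authenticated map[string]bool // terminals that passed 802.1X / port-security access authentication
	FirstACL      []AclRule
	Tun           cipher.AEAD
}

// Send applies measures (1) and (3), then encrypts. Wire format: tunnelID || nonce || GCM ciphertext; header bound as AAD.
func (s *Sender) Send(f Frame) ([]byte, error) {
	if !s.Authenticated[f.Src] {
		return nil, errors.New("first terminal device has not passed access authentication")
	}
	permitted := false
	for _, r := range s.FirstACL {
		if r.Src == f.Src && r.Dst == f.Dst && r.Service == f.Service {
			permitted = true
		}
	}
	if !permitted {
		return nil, errors.New("first ACL does not permit sending this data")
	}
	plain, _ := json.Marshal(f) // cannot fail for Frame
	nonce := make([]byte, s.Tun.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte{tunnelID}, nonce...)
	return s.Tun.Seal(append([]byte(nil), header...), nonce, plain, header), nil
}

// Receiver is the data receiving end (e.g. the remote switch).
type Receiver struct {
	SecondACL func(id byte) bool // matches the characteristic of tunnel-encrypted frames
	Tun       cipher.AEAD
	Delivered []Frame // frames forwarded through the device-side port to the second terminal
}

// Receive applies measure (4), decrypts through the tunnel and forwards the frame.
func (r *Receiver) Receive(wire []byte) (Frame, error) {
	hdrLen := 1 + r.Tun.NonceSize()
	if len(wire) < hdrLen || !r.SecondACL(wire[0]) {
		return Frame{}, errors.New("second ACL does not permit receiving this data")
	}
	header, body := wire[:hdrLen], wire[hdrLen:]
	plain, err := r.Tun.Open(nil, header[1:], body, header)
	if err != nil {
		return Frame{}, errors.New("tunnel integrity check failed, frame dropped")
	}
	var f Frame
	if err := json.Unmarshal(plain, &f); err != nil {
		return Frame{}, err
	}
	r.Delivered = append(r.Delivered, f)
	return f, nil
}
// NewDemoPair builds both ends around one tunnel with a constructed key and ACLs.
func NewDemoPair() (*Sender, *Receiver, error) {
	aead, err := newTunnelAEAD([]byte("constructed-demo-key-32-bytes!!!")) // constructed, demo only
	if err != nil {
		return nil, nil, err
	}
	s := &Sender{Tun: aead, Authenticated: map[string]bool{"10.0.0.1": true},
		FirstACL: []AclRule{{Src: "10.0.0.1", Dst: "10.0.1.1", Service: "modbus"}}}
	r := &Receiver{Tun: aead, SecondACL: func(id byte) bool { return id == tunnelID }}
	return s, r, nil
}
```

The order of checks is the point: a frame from a terminal that never passed access authentication, or whose source/destination/service is not in the first ACL, is dropped before any encryption work is done; on the far side the second ACL rejects anything that does not carry the tunnel marker before the cipher is touched, and a frame whose ciphertext or header was altered in transit fails the GCM tag check and is never forwarded to the second terminal. Binding the header as associated data is what makes the tunnel marker itself tamper-evident.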
The above are merely preferred embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope of the claims.

Claims (10)

1. A method for enhancing network security, characterized in that it comprises:
in an industrial network, determining the data that a first terminal device needs to send to a second terminal device;
at the data sending end, encrypting said data based on an established tunnel, and sending the encrypted data;
at the data receiving end, decrypting the received encrypted data based on the established tunnel, and sending the decrypted data to said second terminal device.
2. The method according to claim 1, characterized in that said data sending end comprises a terminal device, a switch or an access device; and said data receiving end comprises a terminal device, a switch or an access device.
3. The method according to claim 1, characterized in that said industrial network comprises an industrial redundant Ethernet.
4. The method according to claim 1, 2 or 3, characterized in that the method further comprises:
after the data sending end detects the access of the first terminal device, or after it receives data sent by the first terminal device, performing access authentication on said first terminal device, and performing said subsequent encryption only on data sent by a first terminal device that has passed access authentication;
and/or,
after a network device receives management operation information sent by a management user, performing authentication on said management user, and executing the corresponding management operation only for management operation information sent by a management user who has passed authentication;
and/or,
after the data sending end receives data that the first terminal device sends and that needs to be sent to the second terminal device, determining, according to a predefined first access control list (ACL), whether sending said data is permitted, and performing the subsequent encryption on said data only when it is determined to be permitted;
and/or,
after the data receiving end receives the encrypted data sent by the data sending end, determining, according to a predefined second ACL, whether continuing to receive said data is permitted, and performing the subsequent decryption operation on said data only when it is determined to be permitted.
5. The method according to claim 4, characterized in that said access authentication comprises IEEE 802.1X-based authentication, or port-security-based access authentication.
6. The method according to claim 5, characterized in that, if said access authentication is IEEE 802.1X-based authentication, said data sending end or data receiving end needs to exchange authentication information with the authentication server on the network side, and said authentication information is transmitted through said established tunnel.
7. The method according to claim 4, characterized in that the first ACL predefines the source address of a terminal device and the destination address or network service that this terminal device is permitted to access, and the second ACL predefines the characteristics of data frames encrypted through the tunnel.
8. A system for enhancing network security, characterized in that it comprises:
a data sending end, located in the industrial network, configured to, after determining the data that a first terminal device needs to send to a second terminal device, encrypt said data based on an established tunnel and send the encrypted data to the data receiving end;
a data receiving end, located in the industrial network, configured to decrypt the received encrypted data based on the established tunnel and send the decrypted data to said second terminal device.
9. The system according to claim 8, characterized in that the system further comprises:
said data sending end, after detecting the access of the first terminal device, or after receiving data sent by the first terminal device, also performing access authentication on said first terminal device, and performing said subsequent encryption only on data sent by a first terminal device that has passed access authentication;
and/or,
a network device, after receiving management operation information sent by a management user, performing authentication on said management user, and executing the corresponding management operation only for management operation information sent by a management user who has passed authentication;
and/or,
said data sending end, after receiving data that the first terminal device sends and that needs to be sent to the second terminal device, also determining, according to a predefined first access control list (ACL), whether sending said data is permitted, and performing the subsequent encryption on said data only when it is determined to be permitted;
and/or,
said data receiving end, after receiving the encrypted data sent by the data sending end, determining, according to a predefined second ACL, whether continuing to receive said data is permitted, and performing the subsequent decryption operation on said data only when it is determined to be permitted.
10. The system according to claim 9, characterized in that, if said access authentication is IEEE 802.1X-based authentication, said data sending end or data receiving end needs to exchange authentication information with the authentication server on the network side, and said authentication information is transmitted through said established tunnel.
CN201210271797XA 2012-08-01 2012-08-01 Method and system for enhancing network safety performance Pending CN102790775A (en)


Publications (1)

Publication Number Publication Date
CN102790775A true CN102790775A (en) 2012-11-21

Family

ID=47156075



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20121121