CN111711616A - Network zone boundary safety protection system, method and equipment - Google Patents


Info

Publication number: CN111711616A
Authority: CN (China)
Prior art keywords: data, switch, management, port, network
Legal status: Granted
Application number: CN202010476376.5A
Other languages: Chinese (zh)
Other versions: CN111711616B
Inventors: 张婉怡, 李坤玉
Current assignee: Spider Tang Ping (Beijing) Technology Co.,Ltd.
Original assignee: Wuhan Yiyi Technology Co ltd
Events: application filed by Wuhan Yiyi Technology Co ltd; priority to CN202010476376.5A; publication of CN111711616A; application granted; publication of CN111711616B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network zone boundary security protection system, method and device. A server management module monitors the operating condition of the system, formulates a security management policy, and collects, stores and computes associated data; a switch intelligent identification module identifies the device information of the switches; a switch monitoring management module acquires the corresponding information and generates alarm information when the switch protocol state information is abnormal; a port fingerprint analysis module performs unique fingerprint identification and calibration on the physical ports of all switches; a device fingerprint analysis module collects relevant information about devices accessing the network and then calibrates that information; a data fingerprint analysis module performs fingerprint calibration on all data streams in the network and analyzes the source, destination, type and content of the data in order to release or block it; and a port access control module monitors the operating state and data throughput of the access ports in the zone boundary in order to close or open the ports. Basic assurance and protection are thus provided for network zone boundary protection.

Description

Network zone boundary safety protection system, method and equipment
Technical Field
The invention relates to the technical field of network security, in particular to a network area boundary security protection system, method and device.
Background
With the continuous development of the digital information era, networks keep growing in scale: the number of network access assets and the types of access devices increase continuously, device types and access modes are diverse, data communication interfaces are rich, and communication protocols are complex. Traditional zone boundary security protection is based on passive defense and can only protect the main exits of the network; it cannot cover the entire boundary of a network zone. As a result, network security events occur from time to time and are difficult to locate and handle, which complicates network security management and gradually increases the potential risk to data security.
In the related art, the device types in a network are diverse and the number of devices is large; the necessary technical means for cataloguing network device assets are lacking, device security is difficult to guarantee, security violations by devices in the network occur frequently, and the information security management system is difficult to implement. Network management software monitors only the core and aggregation layers; the lack of monitoring and management at the access layer leaves a large number of unmanaged switches in the network, unknown devices can enter the intranet at will, and there is no means of discovering and locating device access behaviour in real time. Traditional network zone boundary protection products such as firewalls, IPS (Intrusion Prevention System), IDS (Intrusion Detection System) and WAF (web application level intrusion prevention system) are mostly concentrated at the gateway exit, where they analyze and filter the application data passing through the core. They lack the necessary monitoring at the intranet access layer, lack monitoring and protection for application access behaviour whose data does not pass through the core layer, and lack the necessary monitoring and management of internal access and internal penetration attacks.
Disclosure of Invention
In view of this, a system, a method and a device for network zone boundary security protection are provided to solve the problem of poor protection capability in network zone boundary security protection in the related art.
The invention adopts the following technical scheme:
in a first aspect, an embodiment of the present application provides a network area boundary security protection system, where the system includes a server management module, an intelligent switch identification module, a switch monitoring management module, a port fingerprint analysis module, an equipment fingerprint analysis module, a data fingerprint analysis module, and a port access control module, where:
the server management module is used for monitoring the running condition of the system, formulating a safety management strategy and carrying out automatic acquisition, classified storage and intelligent calculation on the associated data;
the intelligent switch identification module is used for identifying the equipment information of all switches in the current network range through a network protocol;
the switch monitoring management module is used for acquiring access equipment information, switch data forwarding information and switch protocol state information of a switch and generating alarm information when the switch protocol state information is abnormal;
the port fingerprint analysis module is used for carrying out unique fingerprint identity identification and calibration on physical ports of all switches in the current network range and generating an identity logic corresponding relation between the physical ports of the switches and switch equipment;
the device fingerprint analysis module is used for collecting relevant information of the on-line access device and calibrating the access device by setting a fingerprint identification algorithm;
the data fingerprint analysis module is used for applying a session to perform fingerprint calibration on all data streams in the network so as to analyze the source, destination, type and content of each data and apply a flow management strategy to release and block the data;
the port access control module is used for monitoring the operating state and data throughput of all access ports within the zone boundary through a layer-2 network protocol, and for closing or opening each port by applying a port management policy.
In a second aspect, an embodiment of the present application provides a network area boundary security protection method, which is applied to the system in the first aspect, and the method includes:
configuring the server management module through an encrypted page login, setting up management accounts with different authority levels, setting the management scope of each account, and setting the zone boundary control rules; the service data supports file export;
entering the corresponding IP ranges and the switch management group string for the switch intelligent identification module so that all switches in use across the network are automatically scanned and discovered, bringing them into the network zone boundary security management system for management, and encrypting, classifying and storing the acquired data;
collecting the in-network device data and the switch data information for the switch monitoring management module;
having the device fingerprint analysis module and the data fingerprint analysis module analyze and process the acquired device data and traffic data, store them classified and encrypted, judge device access compliance and traffic application compliance on the zone boundary ports against the management rules, and, when a security violation event occurs, raise an alarm promptly and block the network zone boundary access port so as to protect data security and device access security at the network zone boundary port.
In a third aspect, an embodiment of the present application provides a network area boundary security protection device, where the device includes the network area boundary security protection system described in the first aspect, an HTTPS server, and a MySQL database, where:
the HTTPS server provides web access, through which the management policy and basic configuration are set, and each functional module automatically monitors and manages network zone boundary security protection;
the network zone boundary security protection device is deployed out-of-band (bypass) at a core or aggregation switch, which provides the port-mirrored data of the core or aggregation switch to the device;
the network zone boundary security protection device is configured with a management IP that can reach the management IPs of the devices in the network and has data access authority.
With this technical solution, the invention achieves overall security protection of the network zone boundary by monitoring and protecting three layers: real-time monitoring and analysis of network switches and ports, automatic discovery and identification of network devices, and real-time accurate analysis of the data traffic in the network. In addition, security protection of the network zone boundary is achieved by monitoring and protecting the network core layer, aggregation layer, access layer, terminal layer and data access layer, so that security events at the network zone boundary are avoided or reduced. This makes up for the protection gap of traditional security protection systems at the access layer and the device data layer, and greatly improves the security of the intranet zone boundary.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a network region boundary security protection system according to an embodiment of the present invention;
fig. 2 is a flowchart of a network area boundary security protection method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network area boundary safety protection device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without any inventive step, are within the scope of the present invention.
The terminology used in the present application is first explained. The network device is a device capable of normally communicating using a network, and includes but is not limited to a terminal computer, a printer, an IP phone, a video conference system, a server, an access control system, a card punching system, and the like. The data flow refers to network data of all equipment and system service communication in the network, and comprises data bidirectional flow.
Fig. 1 is a schematic diagram of a structure of a network area boundary security protection system according to an embodiment of the present invention, configured to execute a network area boundary security protection method. Referring to fig. 1, the system may specifically include: the system comprises a server management module 11, a switch intelligent identification module 12, a switch monitoring management module 13, a port fingerprint analysis module 14, an equipment fingerprint analysis module 15, a data fingerprint analysis module 16 and a port access control module 17.
The server management module 11 is used for monitoring the operation condition of the system, formulating a security management strategy, and automatically acquiring, classifying, storing and intelligently calculating associated data; the switch intelligent identification module 12 is used for identifying the equipment information of all switches in the current network range through a network protocol; the switch monitoring management module 13 is configured to obtain access device information, switch data forwarding information, and switch protocol state information of the switch, and generate alarm information when the switch protocol state information is abnormal; the port fingerprint analysis module 14 is configured to perform unique fingerprint identification and calibration on physical ports of all switches within a current network range, and generate an identity logical correspondence between the physical ports of the switches and the switch devices; the device fingerprint analysis module 15 is used for collecting relevant information of the on-line access device and calibrating the access device by setting a fingerprint identification algorithm; the data fingerprint analysis module 16 is used for applying a session to perform fingerprint calibration on all data streams in the network so as to analyze the source, destination, type and content of each data, and applying a traffic management strategy to pass and block the data; the port access control module 17 is configured to monitor the operation states and data throughput conditions of all access ports in the area boundary through a two-layer network protocol, and apply a port management policy to close or open each port.
The embodiment of the application carries out safety protection on the network area boundary from the area network equipment identification layer, the boundary access port control layer, the equipment identification layer and the protocol data identification layer. The method comprises the steps of monitoring equipment accessed from a regional boundary port in real time, analyzing fingerprint calibration identification, and monitoring data traffic generated by all equipment in a network in real time and analyzing content. The embodiment of the invention provides basic guarantee and protection for regional boundary protection of an office network and a production network from an equipment level, a data level and an access behavior level. The safety protection of the network area boundary is realized by carrying out safety protection on the area network equipment, the boundary access port, the equipment type and the application data, safety events occurring at the network area boundary are timely found and blocked, and basic guarantee is provided for the safety of a data intranet.
First, the server management module manages and maintains the normal operation of the other modules, specifies the security management policy or management rules, monitors the operating condition of the system, automatically acquires, classifies and stores the associated data and performs intelligent computation on it. In addition, through data communication with the other modules the server management module receives their service data, monitors in real time the device access behaviour and data usage behaviour occurring within the network zone boundary, correlates and matches them against the built-in management rules to analyze and judge the security of behaviour at the network zone boundary, and, once illegal device access or illegal data access behaviour is found, promptly issues the corresponding management instructions to achieve security protection of the network zone boundary.
Optionally, the security management policy includes a switch management policy, an equipment management policy, a port management policy, and a traffic management policy, and correspondingly, the server management module 11 is configured to issue the switch management policy to the switch monitoring management module 13, issue the equipment management policy to the equipment fingerprint analysis module 15, issue the port management policy to the port management module and the port access control module 17, and issue the traffic management policy to the data fingerprint analysis module 16.
Second, the switch intelligent identification module uniformly discovers all switch devices in use within the network zone boundary; optionally, the device information includes the switch type, brand, model, integrated software version and manufacturer category. This achieves discovery and identification of all switches in the network with no blind spots.
Third, the switch monitoring management module acquires the access device information, switch data forwarding information and switch protocol state information of each switch and generates alarm information when the switch protocol state information is abnormal. The switch protocol state information includes the protocol running state, total number of ports, port on/off state and device access state, and the alarm information includes the IP (Internet Protocol) address and physical port information of the abnormal switch. Specifically, the access device data on the switch is acquired through protocol detection, and the correspondence between the MAC (Media Access Control) address and the IP address of each access device is associated automatically through intelligent analysis, so that switches do not have to be managed one by one by logging in with a user name and password. This achieves unified monitoring and management of the switches in the network, with real-time monitoring of the switch protocol running state, total number of ports, port on/off state and device access state, including but not limited to the switch ports in use, and can further achieve real-time monitoring of the ports in use.
Fourth, the port fingerprint analysis module performs unique fingerprint identification and calibration on the physical ports of all switches within the current network range and generates the identity correspondence between each switch physical port and its switch device, which guarantees the uniqueness of all access ports at the network zone boundary. Specifically, all access ports within the network zone are uniquely identified and calibrated, and the association between a specific access port and a specific switch ensures that the access ports are unique, secure and manageable. Unique identification and calibration of all physical ports of all switches in the network is thus achieved, the identity correspondence between switch physical ports and switch devices is determined, and that correspondence is classified and stored in an encrypted data format, ensuring the uniqueness of all switch physical ports in the network. In addition, the port fingerprint analysis module encrypts the correspondence before storing it by category.
Fifth, the device fingerprint analysis module collects relevant information about devices accessing the network, calibrates each access device with a configured fingerprint identification algorithm, and calibrates the unique identity fingerprint of every device in the network to guarantee the uniqueness of network devices. Specifically, the device fingerprint analysis module performs unique fingerprint analysis and calibration on all devices in the network, intelligently identifies the device type, and integrates with the server management module through an internal interface, so that device data is stored classified and encrypted. This comprises automatic discovery, intelligent identification and automatic classification of all devices within the zone boundary; the identified device types include, but are not limited to, network terminal computers, printers, IP telephones and other devices that communicate over network protocols. Thus the unique identity of every access device in the network is identified and calibrated, the uniqueness and distinctness of all devices in the network is guaranteed, and the unique device identity fingerprints are stored encrypted.
Sixth, the data fingerprint analysis module applies session tracking to perform fingerprint calibration on all data streams in the network, so as to analyze the source, destination, type and content of each piece of data and to release or block it by applying the traffic management policy. Specifically, the traffic management policy judges the compliance of the data: data that meets the compliance rules is released, and otherwise it is blocked. Unique fingerprint analysis and calibration of all application data in the network is thus achieved, and the application session of each piece of data is tracked and analyzed, giving real-time monitoring of all data behaviour within the network zone boundary.
Optionally, the data fingerprint analysis module is further configured to obtain the data traffic of the core or aggregation switch through port mirroring and to perform eight-tuple analysis on the data, the analyzed fields being the source MAC, source IP, source port number, destination MAC, destination IP, destination port number, protocol type and data content; every piece of network data is tagged with a unique fingerprint, which enables tracking, recording and backtracking queries on all application sessions.
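The eight-tuple fingerprinting and release/block policy described in the two paragraphs above, as an added example that is not code from the patent; the fingerprint scheme, rule format, flow records, addresses and payloads are all constructed here.

```python
"""Added example (not from the patent): eight-tuple fingerprinting of mirrored
flows and a release/block traffic policy with session backtracking.  Flow
records, rules, addresses and payloads are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FlowRecord:
    """The eight analysed fields of one session captured from the mirror port."""
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int
    proto: str      # "tcp", "udp", ...
    content: bytes  # payload bytes


def flow_fingerprint(f: FlowRecord) -> str:
    """Unique tag over all eight fields (hypothetical scheme).  The payload is
    digested first so the tag has fixed length and never embeds raw content."""
    content_digest = hashlib.sha256(f.content).hexdigest()
    canonical = "|".join([
        f.src_mac.lower(), f.src_ip, str(f.src_port),
        f.dst_mac.lower(), f.dst_ip, str(f.dst_port),
        f.proto.lower(), content_digest,
    ])
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class TrafficRule:
    """One line of the traffic management policy; unset fields match anything."""
    action: str                    # "release" or "block"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dst_ports: frozenset = frozenset()
    content_markers: tuple = ()    # byte strings that must appear in the payload

    def matches(self, f: FlowRecord) -> bool:
        if ip_address(f.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto.lower() != f.proto.lower():
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        if self.content_markers and not any(m in f.content for m in self.content_markers):
            return False
        return True


class TrafficPolicy:
    """First matching rule decides; a flow no rule matches is blocked (default deny)."""

    def __init__(self, rules: list[TrafficRule]) -> None:
        self.rules = list(rules)
        self.sessions: dict[str, tuple[FlowRecord, str]] = {}

    def evaluate(self, f: FlowRecord) -> tuple[str, str]:
        fp = flow_fingerprint(f)
        decision = next((r.action for r in self.rules if r.matches(f)), "block")
        self.sessions[fp] = (f, decision)   # tagged record kept for later backtracking
        return fp, decision

    def backtrack(self, fp: str) -> Optional[tuple[FlowRecord, str]]:
        """Look a session up again by its fingerprint."""
        return self.sessions.get(fp)


def build_policy() -> TrafficPolicy:
    """Constructed policy: no Telnet into the 10/8 space, no cleartext credential
    submissions anywhere, HTTPS to the 10.10/16 server zone is released."""
    return TrafficPolicy([
        TrafficRule("block", dst_net="10.0.0.0/8", proto="tcp", dst_ports=frozenset({23})),
        TrafficRule("block", content_markers=(b"password=",)),
        TrafficRule("release", dst_net="10.10.0.0/16", proto="tcp", dst_ports=frozenset({443})),
    ])


SAMPLE_FLOWS = [  # constructed sample sessions
    FlowRecord("00:11:22:33:44:01", "10.20.0.5", 51000, "00:11:22:33:44:f0", "10.10.1.10", 443, "tcp", b"\x16\x03\x01"),
    FlowRecord("00:11:22:33:44:02", "10.20.0.6", 51001, "00:11:22:33:44:f1", "10.0.0.1", 23, "tcp", b"\xff\xfb\x01"),
    FlowRecord("00:11:22:33:44:03", "10.20.0.7", 51002, "00:11:22:33:44:f2", "10.10.1.20", 80, "tcp", b"user=a&password=b"),
    FlowRecord("00:11:22:33:44:04", "10.20.0.8", 51003, "00:11:22:33:44:f0", "10.10.1.10", 8443, "tcp", b"\x16\x03\x01"),
]


def run_demo(policy: Optional[TrafficPolicy] = None) -> list[str]:
    """Decision for each sample flow, in order."""
    policy = policy or build_policy()
    return [policy.evaluate(f)[1] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    print(run_demo())   # ['release', 'block', 'block', 'block']
```

The fourth flow is blocked only because no rule matches it, which is the default-deny choice a zone boundary policy should make explicit rather than leave implied.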
Seventh, the port access control module 17 monitors the operating state and data throughput of all access ports within the zone boundary through a layer-2 network protocol, and closes or opens each port by applying the port management policy. Specifically, it provides management control of the zone boundary access ports and switches ports on and off by automatically adapting to the management requirements. Thus the application protocol type and the specific content of the data on each port of the network zone boundary can be analyzed in real time, correlated with the built-in port management rules, and the access port at the zone boundary automatically closed or opened.
Optionally, the port access control module is further configured to handle security events through the port management policy issued by the server, to close or open the switch port once the security event has been handled, and to generate an operation log record. Specifically, the management requirements and behaviour instructions issued by the server management module are carried out through network protocol access without using the switch management user name and password; the switch port on which a security event occurred, or on which it has been handled, is closed or opened, and a detailed operation log record is generated so that an administrator can conveniently count and review all security events that occurred at the network zone boundary within a given period.
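The port fingerprint, device fingerprint and port access control modules described in the fourth, fifth and seventh points above, worked through as one added example that is not code from the patent; the fingerprint schemes, switch serials, port names, MAC and IP addresses and the port-closing rule are all constructed.

```python
"""Added example (not from the patent): port fingerprints bound to a switch,
device fingerprints, and the port access control decision with its operation
log.  Switch serials, port names, MACs, IPs and device types are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def port_fingerprint(switch_serial: str, port_name: str) -> str:
    """Identity of one physical port, tied to its switch so that the same port
    name on two different switches never collides (hypothetical scheme)."""
    return hashlib.sha256(f"{switch_serial.upper()}/{port_name}".encode()).hexdigest()[:16]


def device_fingerprint(mac: str, ip: str, dev_type: str) -> str:
    """Identity of one access device from its MAC, IP and identified type."""
    return hashlib.sha256(f"{mac.lower()}|{ip}|{dev_type.lower()}".encode()).hexdigest()[:16]


@dataclass
class AccessEvent:
    """One device seen on one switch port, as the switch monitoring module reports it."""
    switch_serial: str
    port_name: str
    mac: str
    ip: str
    dev_type: str


@dataclass
class PortAccessControl:
    # port fingerprint -> device fingerprints registered as compliant on that port
    bindings: dict[str, set[str]] = field(default_factory=dict)
    port_state: dict[str, str] = field(default_factory=dict)   # "open" / "closed"
    op_log: list[str] = field(default_factory=list)

    def register(self, switch_serial: str, port_name: str, mac: str, ip: str, dev_type: str) -> None:
        """Calibrate a port/device binding (the management rule an administrator sets)."""
        pf = port_fingerprint(switch_serial, port_name)
        self.bindings.setdefault(pf, set()).add(device_fingerprint(mac, ip, dev_type))
        self.port_state.setdefault(pf, "open")

    def check(self, ev: AccessEvent) -> str:
        """Judge one access event: 'compliant', 'unregistered-port' or 'violation'.
        A violation closes the port and is written to the operation log."""
        pf = port_fingerprint(ev.switch_serial, ev.port_name)
        df = device_fingerprint(ev.mac, ev.ip, ev.dev_type)
        where = f"{ev.switch_serial}/{ev.port_name}"
        if pf not in self.bindings:
            # A port the fingerprint registry never calibrated: alarm, nothing to close yet.
            self.op_log.append(f"ALERT unregistered port {where} mac={ev.mac} ip={ev.ip}")
            return "unregistered-port"
        if df in self.bindings[pf]:
            return "compliant"
        self.port_state[pf] = "closed"
        self.op_log.append(
            f"ALERT violation on {where}: mac={ev.mac} ip={ev.ip} type={ev.dev_type}; port closed")
        return "violation"

    def reopen(self, switch_serial: str, port_name: str, operator: str) -> None:
        """Reopen a port after the security event has been handled, logging who did it."""
        pf = port_fingerprint(switch_serial, port_name)
        self.port_state[pf] = "open"
        self.op_log.append(f"port {switch_serial}/{port_name} reopened by {operator}")


def run_demo() -> tuple[list[str], PortAccessControl]:
    """Constructed scenario: one calibrated printer port, three access events."""
    pac = PortAccessControl()
    pac.register("SW-CORE-01", "Gi1/0/5", "00:11:22:33:44:55", "10.20.0.5", "printer")
    events = [
        # the registered printer on its own port
        AccessEvent("SW-CORE-01", "Gi1/0/5", "00:11:22:33:44:55", "10.20.0.5", "printer"),
        # same MAC and IP, but the device fingerprint now identifies a PC: violation
        AccessEvent("SW-CORE-01", "Gi1/0/5", "00:11:22:33:44:55", "10.20.0.5", "pc"),
        # a device on a port the registry has never calibrated
        AccessEvent("SW-ACC-07", "Gi1/0/5", "aa:bb:cc:dd:ee:ff", "10.20.0.99", "pc"),
    ]
    return [pac.check(e) for e in events], pac


if __name__ == "__main__":
    decisions, ctrl = run_demo()
    print(decisions)   # ['compliant', 'violation', 'unregistered-port']
    print("\n".join(ctrl.op_log))
```

Because the device fingerprint includes the identified type, a device that reuses a registered MAC and IP but fingerprints as something else is still caught, which is the point of calibrating devices rather than trusting addresses alone.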
Fig. 2 is a flowchart of a network area boundary security protection method provided in an embodiment of the present invention, which is applied to a network area boundary security protection system in an embodiment of the present application, and referring to fig. 2, the method may specifically include the following steps:
S201, for the server management module: configure it through an encrypted page login, set up management accounts with different authority levels, set the management scope of each account, and set the zone boundary control rules; the service data supports file export.
S202, for the switch intelligent identification module: enter the corresponding IP ranges and the switch management group string so that all switches in use across the network are automatically scanned and discovered, bring them into the network zone boundary security management system for management, and encrypt, classify and store the acquired data.
S203, for the switch monitoring management module: collect the in-network device data and the switch data information.
S204, have the device fingerprint analysis module and the data fingerprint analysis module analyze and process the acquired device data and traffic data, store them classified and encrypted, judge device access compliance and traffic application compliance on the zone boundary ports against the management rules, and, when a security violation event occurs, raise an alarm promptly and block the network zone boundary access port so as to protect data security and device access security at the network zone boundary port.
Specifically, the modules start automatically and run in order as soon as the device is powered up normally, and their functions and data are associated with one another. In normal use, the functions of the server management module are configured and managed through an encrypted page login: management accounts with different authority levels can be created, the management scope of each account can be set flexibly, all service data can be exported as files, and zone boundary control rules can be formulated. Entering the corresponding IP ranges and the switch management group string into the switch intelligent identification module automatically scans and discovers all switches in use across the network, brings them into the network zone boundary security management system for management, and encrypts, classifies and stores the acquired data. The in-network device data and switch data information are collected automatically by the switch monitoring management module, and the collected device data and traffic data are analyzed and processed by the device fingerprint analysis module and the data fingerprint analysis module and stored classified and encrypted. Device access compliance and traffic application compliance on the zone boundary ports are judged against the management rules; when a security violation event occurs an alarm is raised promptly, the network zone boundary access port is blocked, and the data security and device access security of the network zone boundary port are protected.
In addition, the port fingerprint analysis module, the device fingerprint analysis module and the data fingerprint analysis module monitor and analyze, in real time and under a management mode, the compliance behaviour of devices and data in the network; the port access control module is invoked automatically according to the management rules formulated in the server management module to control the access behaviour of non-compliant devices and application data, and detailed management log records and management data are generated, so that security protection of the network zone boundary is automated.
Fig. 3 is a schematic structural diagram of a network area boundary security protection device according to an embodiment of the present invention, where the network area boundary security protection device 30 includes a network area boundary security protection system 31 according to an embodiment of the present application, an HTTPS server 32, and a MySQL database 33.
The HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) server provides a WEB (World Wide Web) access mode through which the management policy and basic configuration are formulated, and each functional module then performs intelligent monitoring and management of network zone boundary security protection automatically. The network zone boundary security protection device is deployed in bypass at the core or aggregation switch, which provides its port-mirrored data to the device. The network zone boundary security protection device is configured with a management IP that can reach the management device IPs in the network and has data access authority.
Specifically, the network zone boundary security protection system adopts a modular design: the functional modules do not need to be deployed separately but are deployed and installed as an integrated whole, which makes deployment flexible. Deployment can take the form of combined software and hardware, or the system can be installed on a cloud terminal or in a virtual machine; a typical integrated software and hardware deployment is introduced below. The hardware of this typical deployment may be called the network zone boundary security protection device, and it is deployed in bypass mode without changing the original network structure. The device is placed beside the core or aggregation switch, which mirrors its port data to the network zone boundary security protection device; no in-line connection is required, the original network structure is not changed, and the original service systems are not affected. Network reachability: the network zone boundary security protection device must be configured with a management IP, and it must be ensured that this management IP can reach the management devices in the network and has data access authority, so that the server device can normally access the switches to be managed.
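The compliance judgment of S204 can be made concrete with a small policy engine. The following is an added example written for this page, not code from the patent or its applicant: it derives a port fingerprint and a device fingerprint, checks each collected device against the control rule bound to its port, and records the alarm or port-block action. The device records, the rule schema, the class and field names and the sample values are all constructed assumptions.

```python
"""Added example, not code from the patent: a minimal zone-boundary port access
compliance engine of the kind S202-S204 describe. The device records, port binding
rules, field names and class names below are constructed assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessDevice:
    """One access device as the switch monitoring module would report it (assumed schema)."""
    switch_ip: str   # switch the device hangs off
    port: str        # physical port name on that switch
    mac: str
    ip: str
    vendor: str      # vendor name the device fingerprint module derived from the MAC OUI


def port_fingerprint(switch_ip: str, port: str) -> str:
    """Unique identity of a physical port: hash of switch identity plus port name."""
    return hashlib.sha256(f"{switch_ip}|{port}".encode()).hexdigest()[:16]


def device_fingerprint(dev: AccessDevice) -> str:
    """Fingerprint of an access device from its stable attributes (MAC and vendor)."""
    return hashlib.sha256(f"{dev.mac.lower()}|{dev.vendor}".encode()).hexdigest()[:16]


@dataclass(frozen=True)
class PortRule:
    """Zone boundary control rule bound to one port fingerprint (assumed schema)."""
    allowed_macs: frozenset        # lower-case MACs permitted on this port
    allowed_subnet: str            # IP range permitted on this port
    action_on_violation: str = "block"


@dataclass
class Decision:
    port_fp: str
    device_fp: str
    compliant: bool
    reasons: List[str]
    action: str                    # "allow", "alarm" or "block"


class BoundaryPolicyEngine:
    """Judges device access compliance per port and records the actions taken."""

    def __init__(self, rules: Dict[str, PortRule]):
        self.rules = rules                 # keyed by port fingerprint
        self.log: List[str] = []           # management log records
        self.closed_ports: Set[str] = set()

    def evaluate(self, dev: AccessDevice) -> Decision:
        pfp = port_fingerprint(dev.switch_ip, dev.port)
        dfp = device_fingerprint(dev)
        rule: Optional[PortRule] = self.rules.get(pfp)
        reasons: List[str] = []
        if rule is None:
            reasons.append("port has no boundary control rule")
        else:
            if dev.mac.lower() not in rule.allowed_macs:
                reasons.append(f"MAC {dev.mac} is not bound to this port")
            if ipaddress.ip_address(dev.ip) not in ipaddress.ip_network(rule.allowed_subnet):
                reasons.append(f"IP {dev.ip} is outside {rule.allowed_subnet}")
        compliant = not reasons
        # A violation on a managed port triggers the rule's action; an unmanaged
        # port only raises an alarm, since no rule authorises closing it.
        action = "allow" if compliant else (rule.action_on_violation if rule else "alarm")
        if action == "block":
            self.closed_ports.add(pfp)     # stand-in for the port access control module
        self.log.append(f"port={pfp} device={dfp} action={action} reasons={reasons}")
        return Decision(pfp, dfp, compliant, reasons, action)


def build_demo_engine() -> BoundaryPolicyEngine:
    """Constructed rule set: one managed port on switch 10.0.0.2."""
    pfp = port_fingerprint("10.0.0.2", "Gi1/0/7")
    return BoundaryPolicyEngine({pfp: PortRule(frozenset({"00:11:22:33:44:55"}), "10.10.1.0/24")})


# Constructed sample records: a bound device, an unknown device on the managed
# port, and a device on a port that has no rule.
SAMPLE_DEVICES = [
    AccessDevice("10.0.0.2", "Gi1/0/7", "00:11:22:33:44:55", "10.10.1.20", "ExampleVendor"),
    AccessDevice("10.0.0.2", "Gi1/0/7", "AA:BB:CC:DD:EE:01", "10.10.9.9", "Unknown"),
    AccessDevice("10.0.0.3", "Gi1/0/1", "AA:BB:CC:DD:EE:02", "10.10.1.30", "ExampleVendor"),
]


def run_checks(engine: BoundaryPolicyEngine, devices: List[AccessDevice]) -> List[Decision]:
    return [engine.evaluate(d) for d in devices]


if __name__ == "__main__":
    eng = build_demo_engine()
    for d in run_checks(eng, SAMPLE_DEVICES):
        print(d)
```

The engine keys rules by port fingerprint rather than by raw port name, so a rule follows the port identity the port fingerprint module established; and a device on a port with no rule produces an alarm but no block, which is the safer default when the management rules are incomplete.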
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that the terms "first," "second," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present invention, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (10)

1. A network zone boundary security protection system, characterized in that it comprises a server management module, a switch intelligent identification module, a switch monitoring management module, a port fingerprint analysis module, a device fingerprint analysis module, a data fingerprint analysis module and a port access control module, wherein:
the server management module is used for monitoring the running condition of the system, formulating a safety management strategy and carrying out automatic acquisition, classified storage and intelligent calculation on the associated data;
the intelligent switch identification module is used for identifying the equipment information of all switches in the current network range through a network protocol;
the switch monitoring management module is used for acquiring access equipment information, switch data forwarding information and switch protocol state information of a switch and generating alarm information when the switch protocol state information is abnormal;
the port fingerprint analysis module is used for performing unique fingerprint identity identification and marking on the physical ports of all switches in the current network range and generating the logical identity correspondence between the switch physical ports and the switch devices;
the device fingerprint analysis module is used for collecting relevant information on on-line access devices and marking each access device by means of a configured fingerprint identification algorithm;
the data fingerprint analysis module is used for performing fingerprint marking on all data streams in the network per application session, so as to analyze the source, destination, type and content of each data stream and apply a traffic management policy to release or block the data;
the port access control module is used for monitoring the running state and data throughput condition of all access ports in the zone boundary through a two-layer network protocol, and closing or opening each port by applying a port management strategy.
2. The system according to claim 1, wherein the security management policy includes a switch management policy, a device management policy, a port management policy, and a traffic management policy, and correspondingly, the server management module is configured to issue the switch management policy to the switch monitoring management module, issue the device management policy to the device fingerprint analysis module, issue the port management policy to the port management module and the port access control module, and issue the traffic management policy to the data fingerprint analysis module.
3. The system of claim 1, wherein the switch protocol state information comprises the protocol running state, the total number of ports, the port on/off state and the device access state, and the alarm information comprises the IP and physical port information of the abnormal switch.
4. The system of claim 1, wherein the device information comprises a switch type, a switch brand, a switch model, a switch integration software version, and a switch vendor category.
5. The system according to claim 1, wherein the port fingerprint analysis module is configured to encrypt the correspondence and store the encrypted correspondence in a classified manner.
6. The system of claim 1, wherein the access device comprises a device for communicating traffic via a network protocol.
7. The system of claim 1, wherein the data fingerprinting module is further configured to:
the method comprises the steps of obtaining core or aggregation switch data flow through a port mirroring technology, carrying out octave analysis on data, wherein analysis content comprises data source MAC, source IP, source port number, destination MAC, destination IP, destination port number, protocol type and data content, and carrying out unique fingerprint marking on all network data so as to carry out tracking record and backtracking query on all application sessions.
8. The system of claim 1, wherein the port access control module is further configured to:
and processing the security event through a port management strategy issued by the server, closing or opening the switch port after the security event is completed, and generating an operation log record.
9. A network area boundary security protection method applied to the system of any one of claims 1 to 8, comprising:
configuring a server management module in a page encryption login mode, setting different authority management accounts, setting management ranges of the different accounts, and setting a region boundary control rule; wherein the service data supports file export;
for the switch intelligent identification module, inputting the corresponding IP ranges and switch management community strings so as to automatically scan and discover the switches in use across the whole network, bringing them into the network zone boundary security management system for management, and encrypting, classifying and storing the acquired data;
collecting equipment data in the network and switch data information aiming at a switch monitoring management module;
the device fingerprint analysis module and the data fingerprint analysis module analyze and process the acquired device data and flow data, store the data in a classified encryption manner, judge the device access compliance and the flow application compliance on the regional boundary port according to the requirements of management rules, and give an alarm in time and block the network regional boundary access port when a security violation event occurs so as to protect the data security and the device access security of the network regional boundary port.
10. A network area border security protection device, comprising the network area border security protection system of any one of claims 1 to 8, and an HTTPS server, a MySQL database, wherein:
the HTTPS server provides a WEB access mode through which the management policy and basic configuration are formulated, and each functional module intelligently monitors and manages the security protection of the network zone boundary;
the network area boundary safety protection equipment is deployed at a bypass position of a core or a convergence switch so as to provide service for port mirror image data of the core or the convergence switch to the equipment;
the network area boundary safety protection device is configured with a management IP, wherein the management IP is accessible to the management device IP in the network, and the management IP has data access authority.
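Claims 7 and 8 describe the data fingerprint side: eight-tuple analysis of mirrored traffic, a unique mark per packet so that sessions can be traced back, and a traffic policy that releases or blocks data. The block below is an added example for this page, not code from the patent or its applicant. It builds the eight-tuple from a packet record, hashes it into a fingerprint, groups packets into sessions by the seven non-content fields, applies a release/block rule list, and answers a retrospective query by fingerprint. The packet schema, the rule list and all sample values are constructed assumptions.

```python
"""Added example, not code from the patent: eight-tuple analysis of mirrored
traffic with a unique per-packet fingerprint, session tracking and a
release/block traffic policy, as claims 7 and 8 describe. The packet records,
policy rules and all names below are constructed assumptions."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MirroredPacket:
    """One packet as received from the switch's mirror port (assumed schema)."""
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


def eight_tuple(p: MirroredPacket) -> Tuple:
    """The eight fields claim 7 lists, in that order."""
    return (p.src_mac, p.src_ip, p.src_port, p.dst_mac, p.dst_ip, p.dst_port, p.proto, p.payload)


def session_key(p: MirroredPacket) -> Tuple:
    """Seven-field key identifying the application session the packet belongs to."""
    return eight_tuple(p)[:7]


def data_fingerprint(p: MirroredPacket) -> str:
    """Unique fingerprint over all eight fields; a NUL separator keeps fields unambiguous."""
    h = hashlib.sha256()
    for value in eight_tuple(p):
        h.update(value if isinstance(value, bytes) else str(value).encode())
        h.update(b"\x00")
    return h.hexdigest()[:16]


@dataclass(frozen=True)
class FlowRule:
    proto: str
    dst_port: int
    action: str      # "release" or "block"


class DataFingerprintAnalyzer:
    """Marks every packet, groups packets into sessions and applies the traffic policy."""

    def __init__(self, rules: List[FlowRule]):
        self.rules = rules
        self.index: Dict[str, Tuple[Tuple, Tuple]] = {}            # fingerprint -> (session key, eight-tuple)
        self.sessions: Dict[Tuple, List[str]] = defaultdict(list)  # session key -> fingerprints in order
        self.blocked: List[str] = []                               # fingerprints the policy blocked

    def decide(self, p: MirroredPacket) -> str:
        for r in self.rules:
            if r.proto == p.proto and r.dst_port == p.dst_port:
                return r.action
        return "release"                                           # default action

    def ingest(self, p: MirroredPacket) -> str:
        fp = data_fingerprint(p)
        key = session_key(p)
        self.index[fp] = (key, eight_tuple(p))
        self.sessions[key].append(fp)
        if self.decide(p) == "block":
            self.blocked.append(fp)                                # handed to port access control
        return fp

    def backtrack(self, fp: str) -> Optional[Tuple[Tuple, Tuple]]:
        """Retrospective query: which session and eight-tuple a fingerprint belongs to."""
        return self.index.get(fp)


# Constructed policy: block cleartext telnet across the boundary, release everything else.
DEMO_RULES = [FlowRule("tcp", 23, "block")]

# Constructed mirrored packets: two packets of one HTTP session and one telnet packet.
SAMPLE_PACKETS = [
    MirroredPacket("00:11:22:33:44:55", "10.10.1.20", 51000, "00:aa:bb:cc:dd:ee", "10.20.0.5", 80, "tcp", b"GET / HTTP/1.1"),
    MirroredPacket("00:11:22:33:44:55", "10.10.1.20", 51000, "00:aa:bb:cc:dd:ee", "10.20.0.5", 80, "tcp", b"Host: intranet"),
    MirroredPacket("aa:bb:cc:dd:ee:01", "10.10.9.9", 40001, "00:aa:bb:cc:dd:ee", "10.20.0.5", 23, "tcp", b"\xff\xfd\x18"),
]


def analyze(packets: List[MirroredPacket]) -> DataFingerprintAnalyzer:
    analyzer = DataFingerprintAnalyzer(DEMO_RULES)
    for p in packets:
        analyzer.ingest(p)
    return analyzer


if __name__ == "__main__":
    a = analyze(SAMPLE_PACKETS)
    print(len(a.sessions), "sessions;", len(a.blocked), "blocked")
```

Because the fingerprint covers the data content as well as the addressing fields, two packets of the same session get different marks while sharing one session key, which is what makes both per-packet backtracking and per-session tracking possible from the same index.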
CN202010476376.5A 2020-05-29 2020-05-29 Network zone boundary safety protection system, method and equipment Active CN111711616B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010476376.5A CN111711616B (en) 2020-05-29 2020-05-29 Network zone boundary safety protection system, method and equipment

Publications (2)

Publication Number Publication Date
CN111711616A true CN111711616A (en) 2020-09-25
CN111711616B CN111711616B (en) 2022-07-12

Family

ID=72538191

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010476376.5A Active CN111711616B (en) 2020-05-29 2020-05-29 Network zone boundary safety protection system, method and equipment

Country Status (1)

Country Link
CN (1) CN111711616B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112272189A (en) * 2020-11-04 2021-01-26 国网湖南省电力有限公司 Boundary protection standardization and white list automatic deployment method for power system
CN112419130A (en) * 2020-11-17 2021-02-26 北京京航计算通讯研究所 Emergency response system and method based on network security monitoring and data analysis
CN112468373A (en) * 2020-12-08 2021-03-09 武汉蜘易科技有限公司 Accurate positioning analysis system and method for network flow of fingerprint equipment
CN112804131A (en) * 2021-01-08 2021-05-14 上海自恒信息科技有限公司 Access control method based on VLAN structure
CN112953928A (en) * 2020-12-30 2021-06-11 山东鲁能软件技术有限公司 Network security protection system and method for video monitoring front-end equipment
CN113037705A (en) * 2020-12-30 2021-06-25 智网安云(武汉)信息技术有限公司 Network terminal port scanning method and network terminal port scanning system
CN113127904A (en) * 2021-04-26 2021-07-16 北京中启赛博科技有限公司 Intelligent optimization system and method for access control strategy
CN113300872A (en) * 2020-11-11 2021-08-24 众源科技(广东)股份有限公司 Safety gateway
CN113922984A (en) * 2021-09-02 2022-01-11 成都安恒信息技术有限公司 Network access identification and management and control method for client application
CN114448689A (en) * 2022-01-19 2022-05-06 烽台科技(北京)有限公司 Method, device and equipment for determining boundary equipment of industrial control network and storage medium
CN114465963A (en) * 2021-12-24 2022-05-10 北京环宇博亚科技有限公司 Switch abnormity detection method and device, electronic equipment and computer readable medium
CN114745276A (en) * 2022-02-18 2022-07-12 北京环宇博亚科技有限公司 Switch bandwidth adjusting method and device, electronic equipment and computer readable medium
CN116418587A (en) * 2023-04-19 2023-07-11 中国电子科技集团公司第三十研究所 Data cross-domain switching behavior audit trail method and data cross-domain switching system
CN117202193A (en) * 2023-11-08 2023-12-08 中国电子科技集团公司第三十研究所 Communication module safety protection method and assembly based on host terminal connection authentication

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103179130A (en) * 2013-04-06 2013-06-26 杭州盈高科技有限公司 Intranet security unified management platform and management method of management platform
CN106411673A (en) * 2016-11-08 2017-02-15 西安云雀软件有限公司 Network admission control management platform and management method
CN107295010A (en) * 2017-08-02 2017-10-24 杭州谷逸网络科技有限公司 A kind of enterprise network security management cloud service platform system and its implementation
US20180309788A1 (en) * 2017-04-24 2018-10-25 Unisys Corporation Enterprise security management tool
CN110958262A (en) * 2019-12-15 2020-04-03 国网山东省电力公司电力科学研究院 Ubiquitous Internet of things safety protection gateway system, method and deployment architecture in power industry
CN111131332A (en) * 2020-01-16 2020-05-08 沈阳铁道科学技术研究所有限公司 Network service interconnection and flow acquisition, analysis and recording system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张辰: "信息化下的交换机数据实时监测技术研究", 《中国锰业》 *
樊化军: "基于交换机实时动态监控的网络自动化管理系统", 《中国优秀硕士学位论文全文数据库(信息科技辑)》 *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112272189A (en) * 2020-11-04 2021-01-26 国网湖南省电力有限公司 Boundary protection standardization and white list automatic deployment method for power system
CN113300872A (en) * 2020-11-11 2021-08-24 众源科技(广东)股份有限公司 Safety gateway
CN112419130A (en) * 2020-11-17 2021-02-26 北京京航计算通讯研究所 Emergency response system and method based on network security monitoring and data analysis
CN112419130B (en) * 2020-11-17 2024-02-27 北京京航计算通讯研究所 Emergency response system and method based on network security monitoring and data analysis
CN112468373A (en) * 2020-12-08 2021-03-09 武汉蜘易科技有限公司 Accurate positioning analysis system and method for network flow of fingerprint equipment
CN113037705B (en) * 2020-12-30 2022-07-15 智网安云(武汉)信息技术有限公司 Network terminal port scanning method and network terminal port scanning system
CN112953928A (en) * 2020-12-30 2021-06-11 山东鲁能软件技术有限公司 Network security protection system and method for video monitoring front-end equipment
CN113037705A (en) * 2020-12-30 2021-06-25 智网安云(武汉)信息技术有限公司 Network terminal port scanning method and network terminal port scanning system
CN112804131A (en) * 2021-01-08 2021-05-14 上海自恒信息科技有限公司 Access control method based on VLAN structure
CN113127904A (en) * 2021-04-26 2021-07-16 北京中启赛博科技有限公司 Intelligent optimization system and method for access control strategy
CN113922984A (en) * 2021-09-02 2022-01-11 成都安恒信息技术有限公司 Network access identification and management and control method for client application
CN113922984B (en) * 2021-09-02 2024-02-02 成都安恒信息技术有限公司 Network access identification and control method for client application
CN114465963A (en) * 2021-12-24 2022-05-10 北京环宇博亚科技有限公司 Switch abnormity detection method and device, electronic equipment and computer readable medium
CN114448689A (en) * 2022-01-19 2022-05-06 烽台科技(北京)有限公司 Method, device and equipment for determining boundary equipment of industrial control network and storage medium
CN114745276B (en) * 2022-02-18 2022-12-02 北京环宇博亚科技有限公司 Switch bandwidth adjusting method and device, electronic equipment and computer readable medium
CN114745276A (en) * 2022-02-18 2022-07-12 北京环宇博亚科技有限公司 Switch bandwidth adjusting method and device, electronic equipment and computer readable medium
CN116418587A (en) * 2023-04-19 2023-07-11 中国电子科技集团公司第三十研究所 Data cross-domain switching behavior audit trail method and data cross-domain switching system
CN116418587B (en) * 2023-04-19 2024-04-30 中国电子科技集团公司第三十研究所 Data cross-domain switching behavior audit trail method and data cross-domain switching system
CN117202193A (en) * 2023-11-08 2023-12-08 中国电子科技集团公司第三十研究所 Communication module safety protection method and assembly based on host terminal connection authentication
CN117202193B (en) * 2023-11-08 2024-01-05 中国电子科技集团公司第三十研究所 Communication module safety protection method and assembly based on host terminal connection authentication

Also Published As

Publication number Publication date
CN111711616B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
CN111711616B (en) Network zone boundary safety protection system, method and equipment
CN110149350B (en) Network attack event analysis method and device associated with alarm log
US8458301B1 (en) Automated configuration of network devices administered by policy enforcement
KR100502068B1 (en) Security engine management apparatus and method in network nodes
Lakkaraju et al. NVisionIP: netflow visualizations of system state for security situational awareness
Mukherjee et al. Network intrusion detection
JP5038888B2 (en) Pattern discovery method and system in network security system
Perdisci et al. Alarm clustering for intrusion detection systems in computer networks
CN101924757B (en) Method and system for reviewing Botnet
US20050021683A1 (en) Method and apparatus for correlating network activity through visualizing network data
Spyridopoulos et al. Incident analysis & digital forensics in SCADA and industrial control systems
JP2016508353A (en) Improved streaming method and system for processing network metadata
CN108076041A (en) A kind of DNS flow rate testing methods and DNS flow quantity detecting systems
CN113794276A (en) Power distribution network terminal safety behavior monitoring system and method based on artificial intelligence
CN114553537A (en) Abnormal flow monitoring method and system for industrial Internet
CN115134099A (en) Network attack behavior analysis method and device based on full flow
CN114598499B (en) Network risk behavior analysis method combined with business application
CN113794590B (en) Method, device and system for processing network security situation awareness information
CN116232770B (en) Enterprise network safety protection system and method based on SDN controller
CN112565202A (en) Internet of things access gateway for video network system
Liao et al. Managing networks through context: Graph visualization and exploration
KR102131496B1 (en) security provenance providing system for providing of the root cause of security problems and the method thereof
Jakić The overview of intrusion detection system methods and techniques
Mahmoud et al. Detecting cyber attacks through measurements: learnings from a cyber range
CN111147516B (en) SDN-based dynamic interconnection and intelligent routing decision system and method for security equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230630

Address after: No. 481, 11th Floor, Building 1, No. 158 West Fourth Ring North Road, Haidian District, Beijing, 100000

Patentee after: Spider Tang Ping (Beijing) Technology Co.,Ltd.

Address before: Room C018, 4 / F (1-3), building 5, international enterprise center, No.1, Guanshan 2nd Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province, 430000

Patentee before: Wuhan Yiyi Technology Co.,Ltd.
