CN112954055B - Access control method and device based on FTP - Google Patents


Info

Publication number
CN112954055B
Authority
CN
China
Prior art keywords
ftp
message
control
tcp message
fields
Legal status
Active
Application number
CN202110184411.0A
Other languages
Chinese (zh)
Other versions
CN112954055A (en)
Inventor
赵艳丽
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/06  Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/10  Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y  GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02  TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D  CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00  Reducing energy consumption in communication networks
    • Y02D 30/50  Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application discloses an FTP-based access control method and device. The method comprises the following steps: judging whether the FTP server-side port number in the five-tuple of a TCP message flowing through hits an FTP control channel port table and, if so, extracting and storing the FTP data channel information carried in the payload; if not, detecting whether the TCP message is an FTP control message and, if it is, adding the FTP server-side port number to the FTP control channel port table and extracting and storing the FTP data channel information; and performing access control on FTP data messages based on the stored FTP data channel information. The method creates and dynamically updates the FTP control channel port table and treats any TCP message hitting the table as an FTP control message, so that FTP control messages can still be identified and the FTP data channel information extracted when the FTP server receives and transmits FTP control messages on a user-defined port; access control is then applied to the data channel, avoiding problems such as abnormal services.

Description

Access control method and device based on FTP
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access control method and apparatus based on FTP.
Background
In the interactive process based on the FTP (File Transfer Protocol), two network channels are constructed: the FTP control channel is used for transmitting control commands, and the FTP data channel is used for transmitting data files. The FTP client and the FTP server negotiate by using the FTP control channel so as to determine the information of the FTP data channel and complete subsequent file transmission by using the FTP data channel.
Because the FTP server generally uses a fixed port to receive and send FTP control messages, that is, the FTP control channel is bound to a fixed port on the FTP server side, in the related art a gateway or other device performing access control generally monitors messages carrying that fixed port number and obtains from their payload the FTP data channel information negotiated by the FTP client and the FTP server.
However, in some scenarios, for example to meet security requirements, the FTP server uses a custom port instead of the fixed port to receive and transmit FTP control messages. In that case a gateway or similar device cannot determine which connection is the FTP control channel, cannot learn the FTP data channel information negotiated on it, and therefore cannot perform access control on the FTP data messages transmitted on the subsequent FTP data channel, which causes problems such as abnormal services.
Disclosure of Invention
The application provides an access control method and device based on FTP.
According to a first aspect of the embodiments of the present application, there is provided a method for controlling access based on FTP, the method including:
judging whether the FTP server-side port number in the five-tuple of a TCP message flowing through hits an FTP control channel port table;
if so, extracting and storing the FTP data channel information in the TCP message payload;
if not, detecting whether the TCP message is an FTP control message based on a plurality of preset FTP command fields or FTP response fields;
if it is, adding the FTP server-side port number in the TCP message five-tuple to the FTP control channel port table, and extracting and storing the FTP data channel information in the TCP message payload;
and performing access control on FTP data messages based on the stored FTP data channel information.
According to a second aspect of embodiments of the present application, there is provided an FTP-based access control apparatus, the apparatus including a determination unit, an extraction unit, a detection unit, an addition unit, and an access control unit:
the judging unit is used for judging whether the port number of the FTP server side in the flowing TCP message quintuple hits an FTP control channel port table or not;
an extracting unit, configured to extract and store the FTP data channel information in the TCP message payload when the FTP server-side port number in the TCP message five-tuple hits the FTP control channel port table, and also to extract and store the FTP data channel information in the TCP message payload when the FTP server-side port number does not hit the FTP control channel port table but the TCP message is detected as an FTP control message;
the detection unit is used for detecting whether the TCP message is an FTP control message or not based on a plurality of preset FTP command fields or FTP response fields when the port number at the FTP server side in the TCP message quintuple does not hit the FTP control channel port table;
an adding unit, configured to add, when the port number on the FTP server side in the TCP packet quintuple does not hit the FTP control channel port table and the TCP packet is detected as an FTP control packet, the port number on the FTP server side in the TCP packet quintuple into the FTP control channel port table;
and the access control unit is used for carrying out access control on the FTP data message based on the saved FTP data channel information.
According to the technical scheme, the FTP control channel port table is created and dynamically updated to record the default port and the user-defined ports used by the FTP server to receive and send FTP control messages, and a TCP message whose FTP server-side port number in the five-tuple hits the table is determined to be an FTP control message. As a result, even when the FTP server receives and sends FTP control messages on a user-defined port, the FTP control messages can be identified, the FTP data channel information can be extracted from the message payload, access control can be applied to the FTP data messages transmitted on the FTP data channel, and problems such as abnormal services are avoided.
Drawings
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
Fig. 2 is a flowchart of the FTP-based access control method provided in the present application;
Fig. 3 is a schematic diagram illustrating an FTP client and an FTP server negotiating an FTP data channel in PORT active mode in an embodiment of the present application;
Fig. 4 is a schematic diagram illustrating an FTP client and an FTP server negotiating an FTP data channel in PASV passive mode in an embodiment of the present application;
Fig. 5 is a flowchart of a method for extracting FTP data channel information from a TCP message payload according to the present application;
Fig. 6 is a flowchart of a method for detecting whether a TCP message is an FTP control message based on a plurality of preset FTP command fields in the present application;
Fig. 7 is a hardware configuration diagram of a network device in which the FTP-based access control device of the present application is provided;
Fig. 8 is a block diagram of the FTP-based access control device according to the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining", depending on the context.
FTP (File Transfer Protocol) is an application layer protocol implemented on top of TCP (Transmission Control Protocol) and is used for the bidirectional, controlled transfer of files of various kinds, such as text, images and audio, across a network. The two parties interacting over FTP are the FTP client and the FTP server, and access control on the messages they exchange is performed by network devices such as gateways, firewalls and security servers.
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application.
The network comprises an FTP client, an FTP server and network equipment for executing access control.
When an FTP client interacts with an FTP server, an FTP control channel for transmitting a control command is first constructed, where a message transmitted in the FTP control channel is an FTP control message, for example: FTP control message containing user name or password sent from FTP client to FTP server.
The FTP client and the FTP server negotiate the subsequent FTP data channel information for file transmission by using the FTP control channel, the specific negotiation content is determined by the adopted FTP transmission mode, and the FTP data channel information negotiated by the FTP client and the FTP server is different from the FTP control channel information.
After the negotiation is finished, the FTP client and the FTP server construct an FTP data channel, and FTP data messages are transmitted in the FTP data channel, wherein the FTP data messages can carry various types of data files.
Because the FTP server usually uses the fixed port 21 to receive and transmit FTP control messages, the network device in the related art treats a TCP message whose source or destination port number is 21 as an FTP control message, monitors those messages, obtains the FTP data channel information from their payload, and then performs access control on the FTP data messages transmitted on the FTP data channel.
However, this scheme does not work when the FTP server uses a custom port to receive and transmit FTP control messages: the network device performing access control no longer knows which messages to monitor, cannot obtain the FTP data channel information, and therefore has difficulty applying access control to the FTP data messages transmitted on the FTP data channel, which may cause problems such as abnormal services.
In view of this, the present application provides an access control method based on FTP, which is applied to any network device that performs access control on an interactive packet between an FTP client and an FTP server, including a gateway device, a firewall device, a security server, and the like. As shown in fig. 2, the method specifically includes the following steps:
Step 202: judge whether the FTP server-side port number in the five-tuple of a TCP message flowing through hits the FTP control channel port table.
Because FTP is an application layer protocol carried over TCP, only TCP messages passing through the network device need to be inspected; UDP messages need not be, which keeps the number of messages to inspect as small as possible.
If the TCP message flowing through is an uplink message, that is, a TCP message sent by the FTP client to the FTP server, its destination port number is taken and checked against the FTP control channel port table; if it is a downlink message, that is, a TCP message sent by the FTP server to the FTP client, its source port number is taken and checked against the FTP control channel port table.
The FTP control channel port table includes a plurality of port numbers used by the FTP server to receive and transmit the FTP control message, wherein the port number at least includes a default FTP control channel port number 21 of the FTP server, and in addition, other FTP control channel port numbers customized by the FTP server can be included.
TCP messages using any port number in the FTP control channel port table are identified as FTP control messages, and the load of the TCP messages may contain the negotiated FTP data channel information.
The FTP control channel port table is a dynamic table, and the specific form of setting and saving is not limited.
The FTP control channel port table, when created, may pre-store a number of FTP control channel port numbers, for example: the FTP control channel port number 21 used by the FTP server by default, or the FTP control channel port number that the FTP server would use if known from a particular traffic scenario.
After creation, the detected custom port number of the FTP control channel used by the FTP server is dynamically added to the FTP control channel port table based on the subsequent step 208.
The FTP control channel port table may further be configured with an aging mechanism that deletes expired FTP control channel port numbers from the table. For example, a port number that is not hit by any TCP message flowing through for 7 days may be treated as aged, and that port number is then deleted from the FTP control channel port table.
Step 204: if the FTP server-side port number in the TCP message five-tuple hits the FTP control channel port table, extract and store the FTP data channel information in the TCP message payload.
When the port number of the FTP server side in a certain TCP message quintuple hits the port table of the FTP control channel, the TCP message is identified as the FTP control message. The FTP control message carries control commands such as authentication, configuration, negotiation, response and the like, and the specific content of the control commands is positioned in the load of the FTP control message.
In the present application, the FTP data channel information transmitted in the FTP control message is obtained, so that, based on step 202, after determining an FTP control message by the port number on the FTP server side in the quintuple, the FTP data channel information is extracted from the payload of the FTP control message.
In an alternative implementation, as shown in fig. 5, extracting the FTP data channel information from the payload may include the steps of:
Step 2042: judge whether the TCP message payload contains a preset negotiation field.
If the TCP message payload contains a preset negotiation field, such as "PORT" or "Entering Passive Mode", it can be determined that the payload carries a control command negotiating the FTP data channel. If the payload does not contain a preset negotiation field, the control command it carries is not one negotiating the FTP data channel; for example, a TCP message whose payload contains the "PASS" field is an FTP control message sent from the FTP client to the FTP server to submit a password.
Step 2044: if a preset negotiation field is contained, extract and store the FTP data channel information according to the field value of the negotiation field in the TCP message payload.
The FTP data channel information to be extracted is determined by the FTP transfer mode. FTP has two transfer modes, PORT active mode and PASV passive mode, which are described separately below.
Suppose that the FTP control channel information between the FTP client and the FTP server is as shown in Table 1.
Table 1: FTP control channel information between the FTP client and the FTP server (the table is an image on the original page and is not reproduced here)
(1) PORT active mode:
As shown in Fig. 3, in the PORT active mode the FTP client uses the established FTP control channel to send the FTP server an FTP control message carrying the PORT control command, which actively tells the FTP server which IP address and port number the client will use to send and receive the file to be transferred; after receiving it, the FTP server replies with a confirmation over the FTP control channel, and the two parties have completed the negotiation.
After the negotiation is finished, the FTP server sends a message for establishing TCP connection to the negotiated IP address and port number, and the FTP data channel is established after the two parties handshake, namely the FTP data message can be transmitted.
In the PORT active mode, the information of the negotiated FTP data channel is shown in table 2 below:
Table 2: FTP data channel information negotiated in PORT active mode (the table is an image on the original page and is not reproduced here)
The network device performing access control detects that the TCP message payload contains the preset negotiation field "PORT" and extracts its field value, whose standard format is PORT h1,h2,h3,h4,p1,p2. The IP address of the FTP data channel used by the FTP client, negotiated in PORT active mode, is then h1.h2.h3.h4 and the port number is p1 * 256 + p2.
(2) PASV passive mode:
As shown in Fig. 4, in the PASV passive mode the FTP client uses the established FTP control channel to send the FTP server an FTP control message carrying the PASV control command, requesting that the FTP server tell the client which IP address and port number the server will use to send and receive the file to be transferred. After receiving it, the FTP server responds over the FTP control channel with an FTP control message carrying the Entering Passive Mode response, and the two parties complete the negotiation with that response.
After the negotiation is finished, the FTP client sends a message for establishing TCP connection to the negotiated IP address and port number, and the two parties handshake and then construct an FTP data channel, namely the FTP data message can be transmitted.
In PASV passive mode, the negotiated FTP data channel information is as shown in table 3 below:
Table 3: FTP data channel information negotiated in PASV passive mode (the table is an image on the original page and is not reproduced here)
The network device performing access control detects that the TCP message payload contains the preset negotiation field "Entering Passive Mode" and extracts its field value, whose standard format is Entering Passive Mode (h1,h2,h3,h4,p1,p2). The IP address of the FTP data channel used by the FTP server, negotiated in PASV passive mode, is then h1.h2.h3.h4 and the port number is p1 * 256 + p2.
The method for extracting FTP data channel information shown in Fig. 5 is only one alternative implementation, and the application is not limited to it. For example, when the FTP server-side port number in a five-tuple hits the FTP control channel port table, the device may directly detect whether the TCP message payload contains a character string in the (h1,h2,h3,h4,p1,p2) format, without detecting a negotiation field, and thereby directly obtain the negotiated IP address and port number as the FTP data channel information.
Step 206: if the FTP server-side port number in the TCP message five-tuple does not hit the FTP control channel port table, detect whether the TCP message is an FTP control message based on a plurality of preset FTP command fields or FTP response fields.
If the port number of the FTP server side in a certain TCP message quintuple does not hit the port table of the FTP control channel, it does not mean that the TCP message is not the FTP control message, and the TCP message may also be an FTP control message transmitted under the condition that the FTP server uses a new self-defined port.
The FTP control message is used for transmitting the control command, and the message load of the FTP control message contains an FTP command field or an FTP response field for representing the transmitted control command, wherein the FTP command field exists in the load of the FTP control message transmitted from the FTP client to the FTP server, and the FTP response field exists in the load of the FTP control message responded from the FTP server to the FTP client; based on a plurality of preset FTP command fields or FTP response fields, whether the TCP message flowing through is the FTP control message can be detected.
FTP command fields possibly contained in a load of an FTP control message sent by the FTP client to the FTP server comprise an FTP command field 'USER' for representing submission of a USER name, an FTP command field 'MKD' for representing creation of a directory, an FTP command field 'PORT' for representing negotiation of an FTP data channel, an FTP command field 'QUIT' for representing logout and the like.
FTP control messages sent by the FTP server to the FTP client are mostly responses to FTP control messages sent by the FTP client, and the FTP response fields their payload may contain include the FTP response field "Entering Passive Mode", which responds to a PASV negotiation of the FTP data channel, the FTP response field "200", which indicates a successful response, and the like.
The application does not specifically limit the type and number of the preset FTP command field or FTP response field.
Detecting whether a TCP message is an FTP control message comprises extracting the TCP message payload and matching it as a character string against the plurality of preset FTP command fields or FTP response fields, using a matching method such as regular-expression matching or KMP matching, to determine whether the TCP message is an FTP control message.
Next, taking the example of presetting a plurality of FTP command fields and detecting an FTP control message sent by an FTP client to an FTP server, an alternative implementation manner of detecting whether a TCP message is an FTP control message based on the preset plurality of FTP command fields or FTP response fields in step 206 is described, as shown in fig. 6, which specifically includes the following steps:
Step 2062: extract the preset field from the TCP message payload.
The FTP client sends FTP control messages to the FTP server over the FTP control channel, and the first 3 or 4 bytes of the payload of such a message form the command field that names the control command the message carries; therefore the preset field to extract is the first 4 bytes of the TCP message payload.
Table 4 shows some of the FTP command fields and is only illustrative; other FTP command fields not shown may also be used to detect FTP control messages in this embodiment and also fall within the protection scope of the present application.
Table 4: FTP command fields (the table is an image on the original page and is not reproduced here)
Step 2064: determine whether the extracted field hits the plurality of preset FTP command fields.
Based on step 2062, after the first 4 bytes of the TCP message payload have been extracted, whether the extracted field hits the plurality of preset FTP command fields shown in Table 4 is determined, that is, the first 4 bytes of the TCP message payload are matched as a character string against the plurality of FTP command fields.
In an alternative implementation, the extracted field may be input into a pre-built Aho-Corasick automaton, and whether it hits the preset FTP command fields is determined from the automaton's output, the Aho-Corasick automaton having been built in advance from the preset FTP command fields.
The Aho-Corasick automaton implements the Aho-Corasick algorithm. When it is used for character string matching, the amount of computation depends only on the length of the text to be matched and not on the set of patterns. In the scheme of the application this means that judging whether the extracted field hits the preset FTP command fields costs an amount of computation that depends only on the length of the extracted field, 4 bytes, and not on the number or length of the preset FTP command fields, so FTP command fields can be freely added for character string matching without affecting processing efficiency.
This method of determining whether the extracted field hits the preset FTP command fields is only one optional implementation of step 2064, and the application is not limited to it. For example, the first 4 bytes extracted from the TCP message payload may be matched against the preset FTP command fields one by one.
Step 2066: if there is a hit, determine that the message is an FTP control message.
If the TCP message payload contains one of the preset FTP command fields, the TCP message is confirmed to be an FTP control message; if it does not, the message is confirmed to be a non-FTP control message and the preset processing flow for non-FTP control messages is executed.
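As an added illustration of steps 2062 to 2066 (this is not code from the patent), the following Python builds an Aho-Corasick automaton over a constructed sample of command fields and runs only the first 4 payload bytes through it; because the automaton matches anywhere inside that window, a 3-letter verb such as MKD is found whether it is followed by a space or a CR. The command set is an assumption, since Table 4 is not reproduced here.

```python
from collections import deque

# Constructed sample of preset FTP command fields (the patent's Table 4 is not
# reproduced on the page); a deployment would load the full list from configuration.
PRESET_COMMAND_FIELDS = (b"USER", b"PASS", b"PORT", b"PASV", b"QUIT",
                         b"LIST", b"RETR", b"STOR", b"MKD", b"CWD", b"PWD")


class AhoCorasick:
    """Multi-pattern byte matcher. Search cost depends only on the length of the
    text scanned, never on how many patterns were added (the property step 2064
    relies on when the preset field list grows)."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][byte] -> next state (state 0 is the root)
        self.fail = [0]    # failure link per state
        self.out = [[]]    # patterns recognised on reaching each state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(pattern)

    def _build_failure_links(self):
        # Breadth-first so that fail[] of shallower states is final before it is used.
        queue = deque(self.goto[0].values())      # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def first_match(self, text):
        """Return the first pattern that occurs anywhere in text, or None."""
        state = 0
        for b in text:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            if self.out[state]:
                return self.out[state][0]
        return None


FIELD_MATCHER = AhoCorasick(PRESET_COMMAND_FIELDS)


def detect_ftp_command(payload):
    """Steps 2062-2066: extract the first 4 bytes of the TCP payload and look them
    up in the automaton. Returns the matched command field, or None when the
    payload is empty or carries no preset field."""
    if not payload:            # zero-length payloads (handshake, bare ACK) carry no command
        return None
    return FIELD_MATCHER.first_match(payload[:4])
```

Matching only the first 4 payload bytes is cheap, but any TCP payload that happens to begin with one of these tokens is classified as FTP control, which is why the scheme pairs it with the nonzero-payload check and the port-table aging described elsewhere in the description.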
Step 208: if the TCP message is an FTP control message, add the FTP server-side port number in the TCP message five-tuple to the FTP control channel port table, and extract and store the FTP data channel information in the TCP message payload.
The FTP control channel port table records the default port and the user-defined ports used by the FTP server to receive and transmit FTP control messages. If an uplink TCP message, that is, one sent by the FTP client to the FTP server, is detected and determined to be an FTP control message, its destination port number is added to the FTP control channel port table; if a downlink TCP message, that is, one sent by the FTP server to the FTP client, is detected and determined to be an FTP control message, its source port number is added to the FTP control channel port table.
After the user-defined FTP control channel port number used by the FTP server has been added to the FTP control channel port table, FTP control messages using that user-defined port are monitored from then on.
In addition, if the FTP control message is one negotiating the FTP data channel, the FTP data channel information in its payload is extracted and stored in the same manner as described above, which is not repeated here.
Step 210: perform access control on FTP data messages based on the stored FTP data channel information.
The FTP data channel information obtained in steps 202 to 208 is stored, and access control is then performed on the FTP data messages transmitted on that FTP data channel.
In an alternative mode, the FTP data channel information and the corresponding FTP control channel information are stored in the same FTP session entry, and the corresponding access control action is executed on any message hitting either channel of the FTP session entry, where the access control actions include passing, intercepting and the like; for example, FTP data messages transmitted on the FTP data channel are passed.
In the technical solution above, the FTP control channel port table is created and dynamically updated to record the default port and the user-defined ports that the FTP server uses to send and receive FTP control messages. A TCP message whose server-side port number in the five-tuple hits the table is determined to be an FTP control message, so FTP control messages can be identified effectively even when the FTP server sends and receives them on a user-defined port; the FTP data channel information is then extracted from the message payload and access control is performed on the FTP data messages transmitted over the FTP data channel, avoiding problems such as abnormal service.
Further, the method of the present application may also determine, before detecting whether the TCP message is an FTP control message, whether the payload length of the TCP message is non-zero; if it is non-zero, the detection of whether the TCP message is an FTP control message is carried out.
The FTP data channel information is carried in the payload of the FTP control message, whereas the handshake messages and other acknowledgement messages exchanged when the FTP client and FTP server establish the TCP connection have a payload length of zero; such messages carry no useful information and need not be monitored. Therefore, in the present application, it may first be determined whether the payload length of a passing TCP message is non-zero, and steps 206 to 210 are executed only when it is.
Further, the solution of the present application may also include: when the port number on the FTP server side in the TCP message five-tuple hits the FTP control channel port table, judging whether the TCP message payload contains no FTP data channel information but does contain a preset exit field; and if so, deleting the stored FTP data channel information corresponding to the TCP message.
Based on the above, assume that the FTP data channel information and the corresponding FTP control channel information are stored in the same session entry. When the port number on the FTP server side in the five-tuple hits the FTP control channel port table, so that the message is determined to be an FTP control message, and its payload is found to contain no FTP data channel information but to contain a preset exit field, the FTP data channel information in the FTP session entry corresponding to that FTP control message is deleted. The FTP control channel information in the same FTP session entry may be deleted together with it or left to age out naturally. Thus, once the file transfer has finished, access control is no longer performed on FTP data messages under that FTP data channel, saving resources on the network device.
For example: the destination port number of a TCP message passing through the network device hits the FTP control channel port table, so the message is determined to be an FTP control message; its payload is found to contain no FTP data channel information but to contain the preset "QUIT" field, so the FTP data channel information stored in the FTP session entry corresponding to that FTP control message is deleted.
To help those skilled in the art better understand the technical solution of the present application, the FTP-based access control method shown in fig. 2 is applied below to the networking architecture shown in fig. 1 and described in further detail. The embodiments described below are only some of the embodiments of the present application, not all of them.
Suppose the IP address of the FTP client is IP1, the IP address of the FTP server is IP2, and the messages exchanged between them pass through a network device that performs access control.
The FTP server defines a new port, 35545, for sending and receiving FTP control messages.
The FTP client, using IP1 and port 1027, and the FTP server, using IP2 and port 35545, establish a TCP connection, thereby constructing an FTP control channel. The network device stores the FTP control channel information in an FTP session entry, but the handshake messages, whose payload length is zero, are not monitored.
The FTP client sends FTP control message 1, which submits the user name, to the FTP server over the FTP control channel. FTP control message 1 has source IP IP1, source port number 1027, destination IP IP2, destination port number 35545 and transport-layer protocol TCP, and the first 4 bytes of its payload are "USER".
Because the destination port number of message 1 is not in the FTP control channel port table, the network device extracts the first 4 bytes of the message payload and feeds them into the Aho-Corasick automaton built from a plurality of preset FTP command fields. Since the preset FTP command fields include the USER field, the automaton outputs a result indicating that message 1 is an FTP control message.
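The Aho-Corasick step just described, as an added example that is not the patent's code: a compact automaton built from a set of preset FTP command fields and reply codes (the list is a constructed assumption; the description only names USER, PORT and QUIT), fed the first 4 bytes of the payload as in the walk-through. The `find_fields` helper also scans a longer span, which shows what the automaton provides over a plain lookup: every pattern, including overlapping ones, is matched in a single pass over the bytes.

```python
from collections import deque
from typing import Dict, Iterable, Iterator, List, Tuple


class AhoCorasick:
    """Multi-pattern matcher: one pass over the text finds every occurrence of every pattern."""

    def __init__(self, patterns: Iterable[bytes]) -> None:
        self.goto: List[Dict[int, int]] = [{}]   # trie transitions, one dict per state
        self.out: List[List[bytes]] = [[]]       # patterns that end in each state
        self.fail: List[int] = [0]               # failure link per state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern: bytes) -> None:
        state = 0
        for ch in pattern:
            if ch not in self.goto[state]:
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.out[state].append(pattern)

    def _build_failure_links(self) -> None:
        # Breadth-first: depth-1 states already fail to the root (fail == 0).
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # A state also reports every pattern that ends at its failure target.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text: bytes) -> Iterator[Tuple[int, bytes]]:
        """Yield (start_offset, pattern) for each match in text."""
        state = 0
        for i, ch in enumerate(text):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for p in self.out[state]:
                yield i - len(p) + 1, p


# Constructed list of preset FTP command fields and reply-code prefixes (an assumption
# of this example; the description names only USER, PORT and QUIT).
PRESET_FTP_FIELDS = [b"USER", b"PASS", b"PORT", b"PASV", b"QUIT", b"220 ", b"331 ", b"230 "]
PREFIX_LEN = 4   # the walk-through feeds the first 4 payload bytes into the automaton
FTP_AUTOMATON = AhoCorasick(PRESET_FTP_FIELDS)


def find_fields(text: bytes, ac: AhoCorasick = FTP_AUTOMATON) -> List[Tuple[int, bytes]]:
    """All preset fields found anywhere in text, with their offsets."""
    return list(ac.search(text))


def is_ftp_control_message(payload: bytes, ac: AhoCorasick = FTP_AUTOMATON) -> bool:
    """Step 206 as in the walk-through: a hit on the payload's first PREFIX_LEN bytes."""
    return any(True for _ in ac.search(payload[:PREFIX_LEN]))
```

Matching a 4-byte prefix is cheap but coarse: any payload that happens to begin with one of the preset fields, such as a line starting with PASS in an unrelated protocol, is classified as FTP control traffic and its server-side port is learned into the table. Checking the downlink direction for the reply-code format, or requiring a matching server reply before the port is added, tightens this.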
After determining that message 1 is an FTP control message, the network device adds the destination port number 35545 to the FTP control channel port table. Because message 1 is not an FTP control message that negotiates an FTP data channel, no FTP data channel information can be extracted from it.
Subsequently, the FTP control messages exchanged between the FTP client and the FTP server, such as those submitting the password or creating directories, have a source or destination port number that hits port 35545 in the FTP control channel port table, so the network device monitors their payloads; since they are not FTP control messages that negotiate an FTP data channel, no FTP data channel information is extracted.
The FTP client then sends FTP control message 2, which negotiates an FTP data channel, to the FTP server. FTP control message 2 has source IP IP1, source port number 1027, destination IP IP2, destination port number 35545 and transport-layer protocol TCP, and the first 4 bytes of its payload are "PORT".
Because the destination port number 35545 of message 2 hits the FTP control channel port table, the network device monitors the payload of the message, determines that it contains the preset negotiation field "PORT", obtains the field value (h1,h2,h3,h4,p1,p2) of the PORT field, and computes from it the negotiated FTP data channel information: the IP address and port number the FTP client will use for the FTP data channel, IP1 and 1253, and the IP address and port number the FTP server will use for the FTP data channel, its original IP address IP2 and an arbitrary new port number.
The network device stores the FTP data channel information and the corresponding FTP control channel information in the same FTP session entry, as shown in table 5 below:
[Table 5: FTP session entry holding the FTP control channel information (IP1, port 1027 to IP2, port 35545, TCP) together with the negotiated FTP data channel information (IP1, port 1253 to IP2, any port); the table image is not reproduced here.]
The FTP server then uses IP2 and port 35546 to send a TCP connection-establishment message to the FTP client at IP1, port 1253; after the TCP three-way handshake, the FTP data channel is constructed, and all FTP data messages transmitted over it are subject to access control by the network device.
The network device continues to monitor the FTP control messages transmitted over the FTP control channel. If it determines that a message payload contains the preset exit field "QUIT", the FTP data channel information in the session entry shown in table 5 is deleted, and FTP data messages sent over that FTP data channel are no longer passed. The FTP client and FTP server can nevertheless still establish an FTP control channel and negotiate an FTP data channel using the custom port 35545, and the network device can still obtain the newly negotiated FTP data channel information in time and perform access control.
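Steps 208 and 210, the non-zero payload pre-check and the QUIT deletion rule described above, together with the walk-through just given, as one added example (not the patent's own implementation): a small Python tracker that keeps the FTP control channel port table, learns a user-defined control port from a detected control message, decodes the PORT field value (h1,h2,h3,h4,p1,p2) into the client's data-channel address, stores control and data channel information in one session entry, and drops the data channel on QUIT. The detection step uses a plain set lookup on the first 4 bytes rather than the Aho-Corasick automaton; the command set, the reply-code check, the addresses 10.0.0.1 and 10.0.0.2 standing in for IP1 and IP2, and inferring uplink/downlink from a configured server address are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Preset FTP command fields matched against the first 4 payload bytes (constructed set;
# the description names USER, PORT and QUIT).
PRESET_COMMAND_FIELDS: Set[bytes] = {
    b"USER", b"PASS", b"PORT", b"PASV", b"QUIT", b"RETR", b"STOR", b"LIST", b"CWD ",
}


def is_ftp_response(payload: bytes) -> bool:
    """Assumed 'FTP response field' check: a 3-digit reply code followed by ' ' or '-'."""
    return len(payload) >= 4 and payload[:3].isdigit() and payload[3:4] in (b" ", b"-")


def parse_port_argument(payload: bytes) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, p1*256+p2); None if malformed."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line[4:].strip().split(b",")
    if len(parts) != 6:
        return None
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        return None
    if any(n < 0 or n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass
class SessionEntry:
    """One FTP session entry: control channel plus the negotiated data channel, if any."""
    control: Tuple[str, int, str, int]                          # client_ip, client_port, server_ip, server_port
    data: Optional[Tuple[str, int, str, Optional[int]]] = None  # client_ip, client_port, server_ip, server_port (None = any)


class FtpTracker:
    def __init__(self, server_ip: str) -> None:
        # Assumption: uplink/downlink is decided from a configured server address.
        self.server_ip = server_ip
        self.control_ports: Set[int] = {21}   # FTP control channel port table: default port 21
        self.sessions: Dict[Tuple[str, int, str, int], SessionEntry] = {}

    def _uplink(self, t: FiveTuple) -> bool:
        return t.dst_ip == self.server_ip

    def _server_side_port(self, t: FiveTuple) -> int:
        # Uplink: the destination port is the server's; downlink: the source port is.
        return t.dst_port if self._uplink(t) else t.src_port

    def _session_key(self, t: FiveTuple) -> Tuple[str, int, str, int]:
        if self._uplink(t):
            return (t.src_ip, t.src_port, t.dst_ip, t.dst_port)
        return (t.dst_ip, t.dst_port, t.src_ip, t.src_port)

    def process(self, t: FiveTuple, payload: bytes) -> str:
        """Handle one TCP message on a candidate control channel; returns what was done."""
        if t.proto != "TCP" or len(payload) == 0:
            return "skipped"   # handshake or pure ACK: nothing to monitor
        port = self._server_side_port(t)
        if port not in self.control_ports:
            # Step 206: no table hit, so detect by preset command/response fields.
            if payload[:4] not in PRESET_COMMAND_FIELDS and not is_ftp_response(payload):
                return "not-ftp"
            self.control_ports.add(port)   # Step 208: learn the user-defined control port
        key = self._session_key(t)
        entry = self.sessions.setdefault(key, SessionEntry(control=key))
        if payload[:4] == b"PORT":
            parsed = parse_port_argument(payload)
            if parsed is None:
                return "malformed-port"
            client_ip, client_port = parsed
            entry.data = (client_ip, client_port, self.server_ip, None)
            return "data-channel-learned"
        if payload[:4] == b"QUIT":
            entry.data = None   # exit field and no data-channel info: drop the data channel
            return "data-channel-deleted"
        return "control"

    def permits_data_packet(self, t: FiveTuple) -> bool:
        """Step 210: pass a data message only if it matches a stored data channel."""
        for entry in self.sessions.values():
            if entry.data is None:
                continue
            c_ip, c_port, s_ip, s_port = entry.data
            if t.src_ip == s_ip and t.dst_ip == c_ip and t.dst_port == c_port and s_port in (None, t.src_port):
                return True
            if t.dst_ip == s_ip and t.src_ip == c_ip and t.src_port == c_port and s_port in (None, t.dst_port):
                return True
        return False
```

The port table is keyed only on the server-side port, exactly as the description states; a deployment would want a per-server scope and an ageing rule as well, since a learned port otherwise stays in the table indefinitely.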
Corresponding to the foregoing embodiments of the FTP-based access control method, the present application also provides embodiments of an FTP-based access control apparatus.
The embodiments of the FTP-based access control apparatus can be applied to any network device that performs FTP-based access control. The apparatus embodiments may be implemented by software, by hardware, or by a combination of the two. In a software implementation, the apparatus, as a logical unit, is formed by the processor of the network device on which it resides reading the corresponding computer program instructions from nonvolatile memory into memory for execution. From the hardware perspective, fig. 7 shows a hardware structure diagram of a network device on which the FTP-based access control apparatus resides; besides the processor, memory, network interface and nonvolatile memory shown in fig. 7, the network device may also include other hardware according to its actual functions, which is not described further.
Referring to fig. 8, a block diagram of an FTP-based access control apparatus according to an embodiment of the present application comprises a determining unit 810, an extracting unit 820, a detecting unit 830, an adding unit 840 and an access control unit 850:
the determining unit 810 is configured to determine whether the port number on the FTP server side in the five-tuple of a passing TCP message hits the FTP control channel port table;
the extracting unit 820 is configured to extract and store the FTP data channel information in the TCP message payload when the port number on the FTP server side in the TCP message five-tuple hits the FTP control channel port table; the extracting unit 820 is further configured to extract and store the FTP data channel information in the TCP message payload when the port number on the FTP server side in the TCP message five-tuple does not hit the FTP control channel port table but the TCP message is detected to be an FTP control message;
a detecting unit 830, configured to detect whether a TCP packet is an FTP control packet based on a plurality of preset FTP command fields or FTP response fields when a port number on the FTP server side in the TCP packet quintuple does not hit the FTP control channel port table;
an adding unit 840, configured to add, when the port number on the FTP server side in the TCP packet quintuple does not hit the FTP control channel port table and the TCP packet is detected as an FTP control packet, the port number on the FTP server side in the TCP packet quintuple into the FTP control channel port table;
and an access control unit 850, configured to perform access control on the FTP data packet based on the saved FTP data channel information.
Optionally, when detecting whether the TCP message is an FTP control message based on a plurality of preset FTP command fields or FTP response fields, the detecting unit 830 is specifically configured to: extract a preset field from the TCP message payload; judge whether the extracted field hits the plurality of preset FTP command fields or FTP response fields; and if it hits, determine that the TCP message is an FTP control message.
Optionally, judging whether the extracted field hits the preset FTP command fields or FTP response fields comprises: inputting the extracted field into a pre-constructed Aho-Corasick automaton and judging, from the output of the automaton, whether the extracted field hits the plurality of preset FTP command fields or FTP response fields; the Aho-Corasick automaton is constructed in advance from the preset FTP command fields or FTP response fields.
Further, the detecting unit 830 is further configured to: before detecting whether the TCP message is an FTP control message, judge whether the payload length of the TCP message is non-zero; if it is non-zero, detect whether the TCP message is an FTP control message.
Further, the apparatus may further include a deleting unit 860, configured to judge, when the port number on the FTP server side in the TCP message five-tuple hits the FTP control channel port table, whether the TCP message payload contains no FTP data channel information but contains a preset exit field; and if so, delete the stored FTP data channel information corresponding to the TCP message.
The specific details of the implementation process of the functions and actions of each unit in the above device are the implementation processes of the corresponding steps in the above method, and are not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
Embodiments of the subject matter and the functional operations described in this specification can be implemented in: digital electronic circuitry, tangibly embodied computer software or firmware, computer hardware including the structures disclosed in this specification and their structural equivalents, or a combination of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on a tangible, non-transitory program carrier for execution by, or to control the operation of, data processing apparatus. Alternatively or additionally, the program instructions may be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode and transmit information to suitable receiver apparatus for execution by the data processing apparatus. The computer storage medium may be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them.
The processes and logic flows described in this specification can be performed by one or more programmable computers executing one or more computer programs to perform corresponding functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Computers suitable for the execution of a computer program include, for example, general and/or special purpose microprocessors, or any other type of central processing unit. Generally, a central processing unit will receive instructions and data from a read-only memory and/or a random access memory. The basic components of a computer include a central processing unit for implementing or executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer does not necessarily have such a device. Moreover, a computer may be embedded in another device, e.g., a mobile telephone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device such as a Universal Serial Bus (USB) flash drive, to name a few.
Computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices (e.g., EPROM, EEPROM, and flash memory devices), magnetic disks (e.g., internal hard disk or removable disks), magneto-optical disks, and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. In other instances, features described in connection with one embodiment may be implemented as discrete components or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Further, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The above description is only a preferred embodiment of the present application and should not be taken as limiting the present application, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. An access control method based on FTP, the method comprising:
judging whether the port number of the FTP server side in the five-tuple of the TCP message flowing through hits a port table of an FTP control channel;
if yes, extracting and storing FTP data channel information in the TCP message load;
if not, detecting whether the TCP message is an FTP control message or not based on a plurality of preset FTP command fields or FTP response fields;
if yes, adding the port number of the FTP server side in the TCP message quintuple into the FTP control channel port table, and extracting and storing the FTP data channel information in the TCP message load;
and performing access control on the FTP data message based on the saved FTP data channel information.
2. The method according to claim 1, wherein the detecting whether the TCP packet is an FTP control packet based on a plurality of preset FTP command fields or FTP response fields comprises:
extracting a preset field in the TCP message load;
judging whether the extracted fields hit the preset FTP command fields or FTP response fields;
and if hit, determining that the TCP message is an FTP control message.
3. The method of claim 2, wherein the determining whether the extracted fields hit the predetermined FTP command fields or FTP response fields comprises:
inputting the extracted fields into a pre-constructed Aho-Corasick automaton, and judging whether the extracted fields hit the plurality of preset FTP command fields or FTP response fields according to the output result of the automaton; the Aho-Corasick automaton is constructed in advance based on the preset FTP command fields or FTP response fields.
4. The method of claim 1, further comprising:
before detecting whether the TCP message is an FTP control message, judging whether the payload length of the TCP message is non-zero;
if it is non-zero, detecting whether the TCP message is an FTP control message.
5. The method of claim 1, further comprising:
if the port number of the FTP server side in the TCP message quintuple hits the FTP control channel port table, judging whether the TCP message load has no FTP data channel information and contains a preset exit field;
and if so, deleting the stored FTP data channel information corresponding to the TCP message.
6. An access control apparatus based on FTP, the apparatus comprising a judging unit, an extracting unit, a detecting unit, an adding unit, and an access control unit:
the judging unit is used for judging whether the port number of the FTP server side in the flowing TCP message quintuple hits the port table of the FTP control channel;
the extracting unit is used for extracting and storing FTP data channel information in the TCP message load when the port number at the FTP server side in the TCP message quintuple hits the FTP control channel port table;
the extracting unit is also used for extracting and storing FTP data channel information in the TCP message load when the port number at the FTP server side in the TCP message quintuple does not hit the FTP control channel port table and the TCP message is detected as the FTP control message;
the detection unit is used for detecting whether the TCP message is an FTP control message or not based on a plurality of preset FTP command fields or FTP response fields when the port number at the FTP server side in the TCP message quintuple does not hit the FTP control channel port table;
the adding unit is used for adding the port number of the FTP server side in the TCP message quintuple into the FTP control channel port table when the port number of the FTP server side in the TCP message quintuple does not hit the FTP control channel port table and the TCP message is detected as the FTP control message;
and the access control unit is used for performing access control on the FTP data message based on the saved FTP data channel information.
7. The apparatus according to claim 6, wherein the detecting unit, when detecting whether the TCP packet is an FTP control packet based on a plurality of preset FTP command fields or FTP response fields, is specifically configured to:
extracting a preset field in the TCP message load;
judging whether the extracted fields hit the plurality of preset FTP command fields or FTP response fields;
and if hit, determining that the TCP message is an FTP control message.
8. The apparatus of claim 7, wherein the determining whether the extracted fields hit the predetermined FTP command fields or FTP response fields comprises:
inputting the extracted fields into a pre-constructed Aho-Corasick automaton, and judging whether the extracted fields hit the plurality of preset FTP command fields or FTP response fields according to the output result of the automaton; the Aho-Corasick automaton is constructed in advance based on the preset FTP command fields or FTP response fields.
9. The apparatus of claim 6, wherein the detection unit is further configured to:
before detecting whether the TCP message is an FTP control message, judging whether the payload length of the TCP message is non-zero;
if it is non-zero, detecting whether the TCP message is an FTP control message.
10. The apparatus according to claim 6, characterized in that the apparatus further comprises a deletion unit:
the deleting unit is used for judging whether FTP data channel information does not exist in the TCP message load and a preset exit field is contained when the port number of the FTP server side in the TCP message quintuple hits the FTP control channel port table;
and if so, deleting the stored FTP data channel information corresponding to the TCP message.
CN202110184411.0A 2021-02-08 2021-02-08 Access control method and device based on FTP Active CN112954055B (en)
Publications (2)

Publication Number Publication Date
CN112954055A CN112954055A (en) 2021-06-11
CN112954055B true CN112954055B (en) 2023-04-07
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant