Utility model content
On this basis, to solve the problems of the prior art, this utility model provides a layered-deployment electric power monitoring system security access device. Relying on the existing security infrastructure of the power grid, and based on uniform security policies and a unified security management strategy, it can build a secure access zone in a layered-architecture deployment mode that is adapted both to public communication networks (wired and wireless) and to the distribution communication wireless private network, and can fully meet the security protection requirements of electric power monitoring systems.
To achieve the above object, embodiments of this utility model adopt the following technical solutions:
A layered-deployment electric power monitoring system security access device, including an access service layer and an application interface layer. The access service layer includes a security access gateway, a permission control system and a secure data filtering device; the application interface layer includes an application data interface that communicates with the system master stations in the production control zone.
The security access gateway is communicatively connected with the terminals.
The permission control system and the secure data filtering device are both communicatively connected with the security access gateway.
The secure data filtering device is communicatively connected, through the application data interface, with the system master stations in the production control zone.
In one optional embodiment, the security access gateway includes an interconnected VPN server and longitudinal encryption device; the VPN server is communicatively connected with the terminals through a wired or wireless public communication network.
Optionally, the VPN server is an IPSec VPN server or an SSL VPN server.
In another optional embodiment, the security access gateway includes an interconnected combined identity authentication device and longitudinal encryption device; the combined identity authentication device is communicatively connected with the terminals through the distribution communication wireless private network.
Optionally, the combined identity authentication device is connected through a RADIUS interface to the core network equipment of the distribution communication wireless private network.
Optionally, the permission control system and the secure data filtering device are both communicatively connected with the security access gateway through a bus.
Optionally, the system master stations in the production control zone include a distribution automation master station and a load management control system master station; the application data interface includes a production interface that communicates with the distribution automation master station and a marketing interface that communicates with the load management control system master station; and the terminals include distribution network terminals and load control terminals.
Optionally, the secure data filtering device includes a forward physical isolation device and a reverse physical isolation device.
The layered-deployment electric power monitoring system security access device provided by this utility model relies on the existing security infrastructure of the power grid and, based on uniform security policies and a unified security management strategy, can build a secure access zone in a layered-architecture deployment mode. This utility model divides the security access system into two layers, an access service layer and an application interface layer, and specifies the logical functional units of each layer. Together these units realize reliable authentication of terminal identity, security protection of the communication channel, secure filtering and exchange of data, and effective control of access permissions. The device is suitable not only for public communication networks (wired and wireless) but also for the distribution communication wireless private network, and can fully meet the security protection requirements of electric power monitoring systems. At the same time, starting from the security characteristics of the distribution communication wireless private network, this utility model uses a specific protective device, namely the combined identity authentication device, to realize the logical functions of the access service layer, thereby reducing the system complexity and transmission delay caused by high-strength authentication while still meeting the security protection requirements.
Detailed description of the invention
The content of this utility model is described in further detail below with reference to preferred embodiments and the accompanying drawings. Obviously, the embodiments described below are only intended to explain this utility model, not to limit it. Based on the embodiments of this utility model, all other embodiments obtained by a person of ordinary skill in the art without creative work fall within the protection scope of this utility model. It should be noted that, for ease of description, the accompanying drawings show only the parts relevant to this utility model rather than the full content.
Fig. 2 is a structural schematic diagram of a layered-deployment electric power monitoring system security access device in one embodiment of this utility model. The layered-deployment electric power monitoring system security access device in this embodiment includes an access service layer 100 and an application interface layer 200. As shown in Fig. 2, the access service layer 100 is communicatively connected downward with terminals 400 through a public communication network (wired and wireless) or the distribution communication wireless private network, and is connected upward with the application interface layer 200. The application interface layer 200 is connected downward with the access service layer 100 and upward with the system master stations 300 in the production control zone. Optionally, as shown in Fig. 2, the production control zone includes a dispatching production control zone and a marketing production control zone; correspondingly, the system master stations 300 in the production control zone can include a distribution automation master station 31 and a load management control system master station 32, and the terminals 400 can include distribution network terminals 41 and load control terminals 42.
The access service layer 100 includes three major logical units: a security access gateway 1, a permission control system 2 and a secure data filtering device 3. The application interface layer 200 includes an application data interface 4 that communicates with the system master stations 300 in the production control zone. The application data interface 4 defines the two-way interaction rules for application data and, when user data is transmitted, checks whether that application data matches the defined interaction rules. Optionally, as shown in Fig. 2, the application data interface 4 includes a production interface 401 that communicates with the distribution automation master station 31 and a marketing interface 402 that communicates with the load management control system master station 32.
Fig. 3 shows the internal and external communication connection relationships of the layered-deployment electric power monitoring system security access device in this embodiment. As shown in Fig. 3, the security access gateway 1 is communicatively connected with the terminals 400; the permission control system 2 and the secure data filtering device 3 are both communicatively connected with the security access gateway 1; and the secure data filtering device 3 is communicatively connected with the system master stations 300 in the production control zone through the application data interface 4. Optionally, the permission control system 2 and the secure data filtering device 3 are both communicatively connected with the security access gateway 1 through a bus (such as a high-speed information bus).
In this embodiment, the access service layer 100 receives data from terminals 400 carried over a public communication network (wired and wireless) or the distribution communication wireless private network, or transmits data coming from the application interface layer 200 to the terminals 400 over a public communication network (wired and wireless) or the distribution communication wireless private network. The application interface layer 200 transmits the terminal 400 data received by the access service layer 100 to the system master stations 300 in the production control zone, or transmits data from the system master stations 300 to the access service layer 100. The workflow of the layered-deployment electric power monitoring system security access device in this embodiment is explained below.
Fig. 4 is a schematic diagram of one workflow of the layered-deployment electric power monitoring system security access device in this embodiment. As shown in Fig. 4, when a terminal 400 initiates a connection request to the security access gateway 1, the security access gateway 1 performs strong identity authentication on the terminal 400 and establishes a two-way encrypted tunnel between the terminal 400 and the security access gateway 1. The permission control system 2, based on the security access gateway 1's authentication information for the terminal 400 and on the specified security policy, performs high-strength identity authentication and access control on the terminal 400, confirms the legitimacy of the terminal 400, and determines its control permissions for accessing the power business systems. After that, the security access gateway 1 assigns an address to the terminal 400; the terminal 400 sends data, using the address assigned by the security access gateway 1, to the external data interface of the security access gateway 1, and the security access gateway 1 transfers the data through its internal data interface to the secure data filtering device 3. The secure data filtering device 3 performs matching analysis on the packets received from the security access gateway 1 against pre-configured rules (the filtering server of the secure data filtering device 3 can be pre-configured with rules), and transmits the data that passes the matching analysis through the application data interface 4 to the corresponding system master station 300.
In one optional embodiment, as shown in Fig. 5, for the scenario in which terminals 400 access through a wired or wireless public communication network, the security access gateway 1 includes an interconnected VPN server 111 and longitudinal encryption device 112. VPN, i.e. Virtual Private Network, refers to the technology of establishing a dedicated network over a public communication network.
The VPN server 111 is communicatively connected with the terminals 400 through a wired or wireless public communication network. The VPN server 111 can be an IPSec (Internet Protocol Security) VPN server or an SSL (Secure Sockets Layer) VPN server; it uses a hardware binding code to uniquely identify each terminal 400, and is responsible for authenticating the terminals 400 and establishing dedicated secure channels for transmitting signaling and data. The longitudinal encryption device 112 is a power-industry-specific device responsible for end-to-end encryption of terminal business data. In this case the permission control system 2 can be implemented on the basis of the VPN server 111: it performs identity and permission matching on terminals 400 that have passed encrypted authentication through the security access gateway 1, and confirms the legitimacy of the terminals 400.
As shown in Fig. 5, the secure data filtering device 3 comprises a forward physical isolation device 301 and a reverse physical isolation device 302. The forward physical isolation device 301 can provide forward gigabit extranet/intranet interfaces, and the reverse physical isolation device 302 can provide reverse gigabit extranet/intranet interfaces. The signal direction of the forward intranet/extranet interfaces is unidirectional: data is transmitted from the application interface layer 200 to the wired or wireless public communication network, with comprehensive packet filtering based on MAC address, IP address and transport protocol. The signal direction of the reverse intranet/extranet interfaces is likewise unidirectional: data is transmitted from the wired or wireless public communication network to the intranet, with comprehensive packet filtering based on MAC address, IP address and transport protocol. The interfaces provided by the forward physical isolation device 301 and the reverse physical isolation device 302 are responsible for the secure data isolation between the terminals 400 and the application data interface 4, preventing illegal links from penetrating into the production control zone and ensuring safe and correct data exchange between the terminals 400 and the application data interface 4.
In another optional embodiment, as shown in Fig. 6, for the scenario in which terminals 400 access through the distribution communication wireless private network: since the network and equipment of the distribution communication wireless private network are proprietary, its communication channel is already encrypted and dedicated, so there is no need to use a VPN server to establish a virtual private channel on top of it; it is only necessary to authenticate the identity of the terminals 400 and encrypt the business data. Therefore, as shown in Fig. 6, in this case the security access gateway 1 includes an interconnected combined identity authentication device 121 and longitudinal encryption device 122. The combined identity authentication device 121 is communicatively connected with the terminals 400 through the distribution communication wireless private network. The combined identity authentication device 121 is a device that performs joint binding authentication on identity information such as the IMEI (International Mobile Equipment Identity), IMSI (International Mobile Subscriber Identity), ICCID (Integrated Circuit Card Identity), terminal MAC address and ID number; through the combined identity authentication device 121 it can be ensured that the identity of a terminal 400 is legitimate. Optionally, the combined identity authentication device 121 can interconnect with the core network equipment of the distribution communication wireless private network through a RADIUS (Remote Authentication Dial In User Service) interface. The longitudinal encryption device 122 is a power-industry-specific device responsible for end-to-end encryption of terminal business data. In this case the permission control system 2 can be implemented on the basis of the combined identity authentication device 121: it performs identity and permission matching on terminals 400 that have passed encrypted authentication through the security access gateway 1 and assigns each of them a specific APN (Access Point Name), so that each APN corresponds to a different application data interface 4 in the application interface layer.
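The joint binding check and APN assignment described above, as an added example that is not code from the utility model: every bound identifier (IMEI, IMSI, ICCID, MAC address, ID number) is folded into one keyed digest at enrolment, so a terminal is accepted only if all of them match together, and the accepted terminal is then mapped to the APN of its application data interface. The enrolment records, identifier values, key and APN names are constructed placeholders; the use of an HMAC over the canonical identifier string is this example's own design choice, not something the utility model specifies.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Identity fields that are bound together (IMEI, IMSI, ICCID, MAC, ID number).
BOUND_FIELDS = ("imei", "imsi", "iccid", "mac", "terminal_id")


@dataclass(frozen=True)
class TerminalIdentity:
    imei: str
    imsi: str
    iccid: str
    mac: str
    terminal_id: str


def binding_digest(ident: TerminalIdentity, key: bytes) -> str:
    """Keyed digest over the canonical form of all bound identifiers.

    The registry holds one opaque value per terminal; a change in any single
    identifier (e.g. a SIM moved to another modem) changes the digest.
    """
    canonical = "|".join(getattr(ident, f).strip().lower() for f in BOUND_FIELDS)
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class CombinedAuthenticator:
    """Joint binding check followed by APN assignment by terminal role."""

    def __init__(self, key: bytes, enrolled: Dict[str, TerminalIdentity],
                 role_by_id: Dict[str, str], apn_by_role: Dict[str, str]):
        self.key = key
        # Store digests only; raw identifiers are not kept after enrolment.
        self.registry = {tid: binding_digest(ident, key) for tid, ident in enrolled.items()}
        self.role_by_id = role_by_id
        self.apn_by_role = apn_by_role

    def authenticate(self, ident: TerminalIdentity) -> Optional[str]:
        """Return the APN to assign to the terminal, or None if authentication fails."""
        expected = self.registry.get(ident.terminal_id)
        if expected is None:
            return None                       # unknown ID number
        presented = binding_digest(ident, self.key)
        if not hmac.compare_digest(expected, presented):
            return None                       # at least one bound identifier differs
        role = self.role_by_id.get(ident.terminal_id)
        return self.apn_by_role.get(role)


# Constructed enrolment data (hypothetical values, not from the utility model).
ENROLLED = {
    "DTU-0001": TerminalIdentity("356938035643809", "460001234567890",
                                 "89860012345678901234", "00:1a:2b:3c:4d:5e", "DTU-0001"),
    "LC-0042": TerminalIdentity("490154203237518", "460009876543210",
                                "89860098765432109876", "00:1a:2b:3c:4d:5f", "LC-0042"),
}
ROLE_BY_ID = {"DTU-0001": "distribution", "LC-0042": "load_control"}
# One APN per application data interface: production interface 401 / marketing interface 402.
APN_BY_ROLE = {"distribution": "apn-production.example", "load_control": "apn-marketing.example"}
AUTH = CombinedAuthenticator(b"constructed-demo-key", ENROLLED, ROLE_BY_ID, APN_BY_ROLE)


def demo() -> dict:
    """Run representative checks and return the assigned APNs (None = rejected)."""
    good = ENROLLED["DTU-0001"]
    # Same modem and ID number, but a different SIM (IMSI and ICCID changed).
    swapped_sim = TerminalIdentity(good.imei, "460001111111111", "89860011111111111111",
                                   good.mac, good.terminal_id)
    unknown = TerminalIdentity("000000000000000", "460000000000000",
                               "89860000000000000000", "00:00:00:00:00:01", "XX-9999")
    return {
        "genuine": AUTH.authenticate(good),
        "swapped_sim": AUTH.authenticate(swapped_sim),
        "unknown": AUTH.authenticate(unknown),
        "load_control": AUTH.authenticate(ENROLLED["LC-0042"]),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the joint digest is that a partial match never passes: a genuine modem with a foreign SIM, or a genuine SIM in a foreign modem, produces a different digest and is rejected before any APN is assigned.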
As shown in Fig. 6, the secure data filtering device 3 comprises a forward physical isolation device 301 and a reverse physical isolation device 302. The forward physical isolation device 301 can provide forward extranet/intranet interfaces, and the reverse physical isolation device 302 can provide reverse extranet/intranet interfaces. The signal direction of the forward intranet/extranet interfaces is unidirectional: data is transmitted from the application interface layer 200 to the distribution communication wireless private network, with comprehensive packet filtering based on MAC address, IP address and transport protocol. The signal direction of the reverse intranet/extranet interfaces is likewise unidirectional: data is transmitted from the distribution communication wireless private network to the intranet, with comprehensive packet filtering based on MAC address, IP address and transport protocol. The interfaces provided by the forward physical isolation device 301 and the reverse physical isolation device 302 can ensure the secure data isolation between the terminals 400 and the application data interface 4, preventing illegal links from penetrating into the production control zone and ensuring safe and correct data exchange between the terminals 400 and the application data interface 4.
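The matching analysis that the secure data filtering device 3 performs in the Fig. 4 workflow, and the unidirectional MAC/IP/transport-protocol filtering of the forward and reverse isolation devices in both the Fig. 5 and Fig. 6 embodiments, as one added example that is not code from the utility model. It models each isolation device as a one-way direction on a default-deny rule table: a packet passes only when some pre-configured rule for its direction matches on all of source MAC, source network, destination network and protocol. The rule table, addresses and sample packets are constructed; the two-direction model and the default-deny behaviour are this example's assumptions about how such a device is configured.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Direction names model the two one-way isolation devices: the forward device
# carries intranet -> extranet traffic only, the reverse device extranet -> intranet only.
FORWARD = "forward"
REVERSE = "reverse"


@dataclass(frozen=True)
class Packet:
    direction: str     # which isolation device the packet arrived on
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str      # transport protocol, e.g. "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    direction: str
    src_mac: Optional[str]   # None = any source MAC
    src_net: str             # CIDR the source IP must fall in
    dst_net: str             # CIDR the destination IP must fall in
    protocol: str

    def matches(self, pkt: Packet) -> bool:
        """All configured fields must match; there is no partial match."""
        return (
            pkt.direction == self.direction
            and (self.src_mac is None or pkt.src_mac.lower() == self.src_mac.lower())
            and ip_address(pkt.src_ip) in ip_network(self.src_net)
            and ip_address(pkt.dst_ip) in ip_network(self.dst_net)
            and pkt.protocol.lower() == self.protocol.lower()
        )


class IsolationFilter:
    """Default-deny matcher: a packet passes only if a rule for its direction matches."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def check(self, pkt: Packet) -> Tuple[bool, str]:
        if pkt.direction not in (FORWARD, REVERSE):
            return False, "unknown direction"
        for rule in self.rules:
            if rule.matches(pkt):
                return True, "matched rule"
        return False, "no matching rule (default deny)"


# Constructed rule table (hypothetical addresses, not from the utility model).
# 10.20.0.0/16 stands for the terminal-side network, 192.168.100.0/24 for the
# intranet side that carries the application data interface.
RULES = [
    # reverse: one enrolled terminal MAC may reach the production interface host over TCP
    Rule(REVERSE, "00:1a:2b:3c:4d:5e", "10.20.0.0/16", "192.168.100.10/32", "tcp"),
    # forward: any intranet host may send TCP replies back to the terminal network
    Rule(FORWARD, None, "192.168.100.0/24", "10.20.0.0/16", "tcp"),
]

# Constructed sample packets, in order: allowed request, wrong protocol, wrong MAC,
# allowed reply, reply to an address outside the terminal network, and a
# terminal-side packet presented on the forward device (wrong direction).
SAMPLE_PACKETS = [
    Packet(REVERSE, "00:1a:2b:3c:4d:5e", "10.20.5.7", "192.168.100.10", "tcp"),
    Packet(REVERSE, "00:1a:2b:3c:4d:5e", "10.20.5.7", "192.168.100.10", "udp"),
    Packet(REVERSE, "de:ad:be:ef:00:01", "10.20.5.7", "192.168.100.10", "tcp"),
    Packet(FORWARD, "00:50:56:aa:bb:cc", "192.168.100.10", "10.20.5.7", "tcp"),
    Packet(FORWARD, "00:50:56:aa:bb:cc", "192.168.100.10", "172.16.0.1", "tcp"),
    Packet(FORWARD, "00:1a:2b:3c:4d:5e", "10.20.5.7", "192.168.100.10", "tcp"),
]


def run_filter(packets=SAMPLE_PACKETS, rules=RULES) -> List[bool]:
    """Return the pass/drop decision for each packet, in input order."""
    flt = IsolationFilter(rules)
    return [flt.check(p)[0] for p in packets]


if __name__ == "__main__":
    flt = IsolationFilter(RULES)
    for p in SAMPLE_PACKETS:
        print(p.direction, p.src_ip, "->", p.dst_ip, p.protocol, *flt.check(p))
```

The last sample packet is the case the one-way design exists for: a terminal-side packet cannot be accepted by the forward device even when its MAC, addresses and protocol would satisfy the reverse rule, because direction is part of every match and there is no fall-through to a permissive default.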
In summary, the layered-deployment electric power monitoring system security access device provided by this utility model relies on the existing security infrastructure of the power grid and, based on uniform security policies and a unified security management strategy, can build a secure access zone in a layered-architecture deployment mode. The layered-deployment electric power monitoring system security access device provided by this utility model is divided into two layers, an access service layer and an application interface layer, and specifies the logical units of each layer; together they realize reliable authentication of terminal identity, security protection of the communication channel, secure filtering and exchange of data, and effective control of access permissions. At the same time, starting from the security characteristics of the distribution communication wireless private network, it uses a specific protective device, namely the combined identity authentication device, to realize the logical functions of the access service layer, thereby reducing the system complexity and transmission delay caused by high-strength authentication while still meeting the security protection requirements.
It should be noted that the technical features of the embodiments described above can be combined arbitrarily. For brevity of description, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction in a combination of these technical features, it is considered to be within the scope recorded in this specification.
The embodiments described above express only several embodiments of this utility model, and their description is relatively specific and detailed, but this cannot therefore be interpreted as a limitation on the scope of the utility model patent. It should be pointed out that, for a person of ordinary skill in the art, several variations and improvements can also be made without departing from the concept of this utility model, and these all fall within the protection scope of this utility model. Therefore, the protection scope of this utility model patent shall be subject to the appended claims.