The method of fire compartment wall and invasion detecting system interlink
Technical field:
The present invention relates to a linkage method for network security devices, in particular a method for linkage between a firewall and an intrusion detection system (IDS), and belongs to the field of network security technology.
Background technology:
A firewall is a network security isolation device; firewalls include gateway firewalls and host firewalls. A firewall uses techniques such as packet filtering, application proxying, address translation and stateful inspection to enforce access control over network resources. Firewall access control is a static protection mechanism: it filters or restricts specific packets according to customised security rules, while at the same time leaving certain services or protocol ports open. A firewall cannot adjust its own security policy automatically and generally has difficulty adapting to a constantly changing network environment, so its protective effect has certain limitations.
An intrusion detection system monitors and inspects a network or host system in real time, discovering and controlling in time any intrusions or other suspicious behaviour present in the network system; it is an intelligent network security defence system. An IDS usually connects in network bypass mode: it copies the packets travelling through the network and performs signature detection on the copies, and generally does not intervene in the network's communication. Its protective effect therefore also has certain limitations.
Traditional linkage mechanisms mostly either use no linkage protocol or use one with weak security; or the linkage protocol is too complicated and inefficient and does not fit real deployments; or they use the conventional Secure Socket Layer (SSL), which is subject to many limitations.
The existing linkage protocols between intrusion detection systems and firewalls do, on the security side, essentially consider integrity protection of the linkage information and replay attacks against linkage messages; however, they have no key management function and directly use a single, unchanging master key for a long time, which makes them easy to attack.
Summary of the invention:
The main object of the present invention is to provide a method for linkage between a firewall and an intrusion detection system that implements linkage between the two, raises the security protection capability of the IDS to a new level, lets each device bring its own particular advantages to bear, and improves the overall protection capability of the security products.
Another object of the present invention is to provide a method for linkage between a firewall and an intrusion detection system that can be applied to firewalls and intrusion detection systems, provides an open interface, and is fully suited to the great majority of current linkage scenarios.
The present invention is achieved by the following technical solution:
A method for linkage between a firewall and an intrusion detection system comprises at least the following steps:
Step 1: after the intrusion detection system detects intrusion behaviour in the network, it establishes a secure linkage communication channel with the firewall. The secure communication channel is established as follows: the firewall and the IDS negotiate a session key using a handshake protocol, and then use this session key to encrypt the linkage information in transit;
Step 2: the IDS sends the linkage content to the firewall over the secure communication channel;
Step 3: the firewall generates corresponding security rules according to the linkage content received, blocking the attack.
The session key negotiation carried out while establishing the above secure communication channel comprises at least:
Step 210: when the secure communication channel is being established, the IDS generates a temporary session key, encrypts this session key with its own master key, and sends a key negotiation request and an authentication request to the firewall;
Step 211: after receiving the key negotiation and authentication request sent by the IDS, the firewall decrypts it to obtain the temporary session key, generates the session key for this session, encrypts it with the temporary session key and sends it to the IDS;
Step 212: after obtaining the above information, the IDS decrypts it with the temporary session key and obtains the session key for this session.
After receiving the key negotiation and authentication request, and while decrypting to obtain the temporary session key, the firewall verifies the Nonce (random number sequence) value, the timestamp and the integrity of the hash result. The specific method is: before each linkage, the firewall, acting as sender, performs session key negotiation with the IDS acting as receiver; at the same time the firewall sends its own host time to the IDS, and the IDS and the firewall synchronise their clocks.
After receiving the session key sent by the firewall, the IDS first verifies the Nonce value, the timestamp and the integrity of the hash result. The specific method is: before each linkage, the IDS, acting as sender, performs session key negotiation with the firewall acting as receiver; at the same time the IDS sends its own host time to the firewall, and the firewall and the IDS synchronise their clocks.
Between the above sender and receiver, the specific steps for verifying the Nonce value, the timestamp and the integrity of the hash result comprise:
The sender takes the message, the Nonce value, the timestamp and the session key as input variables, computes a hash function over them to form a message digest or message authentication code, and sends it to the receiver;
The receiver first takes the message, the Nonce value, the timestamp and the session key as input variables and computes the hash function over them. Second, it compares the received message digest generated by the sender with the hash result it has computed; if the two results agree, this shows that what the receiver received is the message the sender sent and that it was not modified by an attacker in transit, thereby verifying the integrity of the other party's message. Finally, the receiver, relying on the time synchronisation mechanism from the key negotiation process with the sender, checks whether the time at which the message was received falls within the predetermined time range; if so, the message is considered a normal message sent by the sender, otherwise it is considered a message replayed by an attacker.
The above keys are managed either through a key distribution center (KDC) or through digital certificates (Public Key Infrastructure - Certificate Authority, PKI-CA).
When the KDC mode is used, a certificate is provided to each linked entity before linkage; the distribution process is:
Step 200: after starting, the KDC generates its own master key;
Step 201: the KDC creates a user for the firewall and a user for the IDS, and a password is entered for each;
Step 202: the firewall and the IDS each derive a symmetric key from their own password, encrypt the KDC's master key with this key, and generate their respective certificate files, each with a certain validity period;
Step 203: the firewall and the IDS each copy their own certificate to their local machine.
The firewall and the IDS copy their certificates to their local machines by e-mail or by the File Transfer Protocol (FTP).
When the PKI-CA mode is used, before linkage a key certificate is distributed to the linked devices, the firewall and the IDS, as the master key.
The above linkage content comprises at least: the source Internet Protocol (IP) address of the attacking host, the source port number, the destination IP address of the attacked host, the destination port number, the protocol type, the blocking direction and the blocking time.
The present invention not only lets each device bring its own particular advantages to bear, but also raises the security protection capability of the IDS to a new level and improves the overall protection capability of the security products; because it has an open interface, it is also fully suited to the great majority of current linkage scenarios.
Description of drawings:
Fig. 1 is a structural schematic diagram of the present invention.
Fig. 2 is a flow diagram of the present invention.
Embodiment:
The present invention is described in detail below through a specific embodiment and the accompanying drawings:
Referring to Fig. 1 and Fig. 2, a method for linkage between a firewall and an intrusion detection system comprises the steps:
Step 1: the IDS monitors the network system;
Step 2: after the IDS detects intrusion behaviour in the network, it establishes a secure linkage communication channel with the firewall;
Step 3: under the protection of the secure communication channel, the IDS sends the linkage content to the firewall;
Step 4: under the protection of the secure channel, the firewall generates corresponding security rules according to the linkage content received, blocking the attack.
Specifically, as shown in Fig. 1, this embodiment uses a protocol with a client/server structure to establish the secure communication channel: the client is the IDS and the server is the firewall. When management or linkage is needed, the client IDS and the server firewall negotiate a session key using the handshake protocol and use this session key for encrypted secure communication. Within this secure channel, the generated session key is used to encrypt the linkage information in transit, and mechanisms such as a random-sequence Nonce value, a timestamp and a hash algorithm are used to strengthen the protocol against replay attacks and integrity attacks.
This linkage mechanism uses two key management modes: one based on a KDC, the other based on PKI-CA.
When the KDC mode is used, a certificate is first provided to each linked entity (such as the firewall or the IDS) before linkage; the process is as follows:
Step 200: after starting, the KDC generates its own master key;
Step 201: the KDC creates a user for the firewall and a user for the IDS, and requires a password to be entered for each;
Step 202: the firewall and the IDS each derive a symmetric key from their own password, encrypt the KDC's master key with this key, and generate their respective certificate files, which have a certain validity period;
Step 203: the firewall and the IDS each copy their own certificate to their local machine, which can be done in several ways, such as by e-mail or FTP.
When the PKI-CA digital certificate mode is used, before linkage the CA distributes key certificates (public-key and private-key certificates) to the linked devices, i.e. the firewall and the IDS, as master keys.
When the secure communication channel is established, the session key negotiation process is:
Step 210: when establishing the secure communication channel, the IDS generates a temporary session key (a random number), encrypts this session key with the master key obtained by decrypting its certificate file with its own password, and sends a key negotiation request and an authentication request to the firewall;
Step 211: after receiving the key negotiation and authentication request, the firewall uses its own password and certificate file to extract the same master key, decrypts to obtain the temporary session key, at the same time verifies the Nonce value, the timestamp and the integrity of the hash result, finally generates the session key for this session, encrypts it with the temporary session key and sends it to the IDS;
Step 212: after obtaining the above information, the IDS first verifies the Nonce value, the timestamp and the integrity of the hash result, then decrypts with the temporary session key and obtains the session key for this session. The content transmitted in the secure channel is protected; this protection comprises: prevention of replay attacks on the linkage information, integrity protection and encryption.
After the session key has been negotiated, the IDS uses this session key and the encryption algorithm to encrypt and send linkage information to the firewall, and the firewall likewise uses this session key and the encryption algorithm to encrypt and send feedback information to the IDS. In this process, mechanisms such as the Nonce value, the timestamp and the hash algorithm are used to strengthen the security of the protocol, to prevent an attacker from replaying the linkage information, and to protect the integrity of the linkage information content.
After receiving the key negotiation and authentication request, and while decrypting to obtain the temporary session key, the firewall verifies the Nonce (random number sequence) value, the timestamp and the integrity of the hash result. The specific method is: before each linkage, the firewall, acting as sender, performs session key negotiation with the IDS acting as receiver; at the same time the firewall sends its own host time to the IDS, and the IDS and the firewall synchronise their clocks.
After receiving the session key sent by the firewall, the IDS first verifies the Nonce value, the timestamp and the integrity of the hash result. The specific method is: before each linkage, the IDS, acting as sender, performs session key negotiation with the firewall acting as receiver; at the same time the IDS sends its own host time to the firewall, and the firewall and the IDS synchronise their clocks.
Whether the IDS or the firewall acts as sender or receiver, the specific steps for verifying the Nonce value, the timestamp and the integrity of the hash result between sender and receiver comprise:
The sender takes the message, the Nonce value, the timestamp and the session key as input variables, computes a hash function over them to form a message digest or message authentication code, and sends it to the receiver;
The receiver first takes the message, the Nonce value, the timestamp and the session key as input variables and computes the hash function over them. Second, it compares the received message digest generated by the sender with the hash result it has computed; if the two results agree, this shows that what the receiver received is the message the sender sent and that it was not modified by an attacker in transit, thereby verifying the integrity of the other party's message. Finally, the receiver, relying on the time synchronisation mechanism from the key negotiation process with the sender, checks whether the time at which the message was received falls within the predetermined time range; if so, the message is considered a normal message sent by the sender, otherwise it is considered a message replayed by an attacker.
The above linkage content comprises at least: the source IP address of the attacking host, the source port number, the destination IP address of the attacked host, the destination port number, the protocol type, the blocking direction, the blocking time and the like. The firewall automatically generates blocking rules from this information.
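The sender-side digest, the receiver-side integrity and replay checks, and the firewall's rule derivation from the linkage content, as described in the verification steps above (and in the corresponding steps of the summary), written out as an added example that is not part of the patent. HMAC-SHA256 stands in for the unspecified hash function, the 30-second window and the set of already-seen Nonce values are assumptions (the text only says "a predetermined time range" and "verify the Nonce value"), and the rule syntax and all sample values are constructed.

```python
import hashlib
import hmac
import json
import os
import time

REPLAY_WINDOW_SECONDS = 30  # assumed value; the patent leaves the window unspecified


def _digest(session_key: bytes, body: bytes, nonce: bytes, timestamp: int) -> str:
    # Keyed hash over (message, Nonce value, timestamp); the session key is the HMAC key.
    return hmac.new(session_key, body + nonce + str(timestamp).encode(), hashlib.sha256).hexdigest()


def build_linkage_message(session_key: bytes, content: dict, nonce: bytes, now: float) -> dict:
    """Sender (IDS): attach Nonce, timestamp and the message digest to the linkage content."""
    body = json.dumps(content, sort_keys=True).encode()  # canonical encoding so both sides hash the same bytes
    ts = int(now)
    return {"content": content, "nonce": nonce.hex(), "timestamp": ts,
            "mac": _digest(session_key, body, nonce, ts)}


def verify_linkage_message(session_key: bytes, msg: dict, now: float, seen_nonces: set) -> tuple[bool, str]:
    """Receiver (firewall): recompute and compare the digest, then apply the time window and Nonce check."""
    body = json.dumps(msg["content"], sort_keys=True).encode()
    nonce = bytes.fromhex(msg["nonce"])
    expected = _digest(session_key, body, nonce, msg["timestamp"])
    if not hmac.compare_digest(expected, msg["mac"]):      # constant-time comparison
        return False, "digest mismatch: message modified in transit"
    if abs(now - msg["timestamp"]) > REPLAY_WINDOW_SECONDS:  # relies on the clocks synchronised during negotiation
        return False, "outside time window: treated as replay"
    if msg["nonce"] in seen_nonces:                         # assumed: remember Nonces seen within the window
        return False, "nonce already seen: treated as replay"
    seen_nonces.add(msg["nonce"])
    return True, "ok"


def block_rule(content: dict) -> str:
    """Firewall: derive a blocking rule from the linkage content fields (illustrative rule syntax)."""
    return (f"block {content['direction']} {content['protocol']} "
            f"from {content['src_ip']}:{content['src_port']} "
            f"to {content['dst_ip']}:{content['dst_port']} for {content['block_seconds']}s")


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the negotiated session key
    content = {"src_ip": "198.51.100.7", "src_port": 40000, "dst_ip": "192.0.2.10",  # constructed sample
               "dst_port": 22, "protocol": "tcp", "direction": "inbound", "block_seconds": 600}
    seen: set = set()
    msg = build_linkage_message(key, content, os.urandom(16), time.time())
    ok, reason = verify_linkage_message(key, msg, time.time(), seen)
    print(reason, "->", block_rule(msg["content"]) if ok else "no rule")
    print(verify_linkage_message(key, msg, time.time(), seen))  # same Nonce again: rejected as replay
```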
Through the above process a secure communication channel is established between the firewall and the IDS; the firewall can receive the linkage information sent by the IDS over this secure channel and can automatically generate blocking rules from that information.
Finally, it should be noted that the above embodiment is intended only to illustrate the present invention and not to limit it. Although the present invention has been described in detail with reference to a preferred embodiment, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the present invention without departing from its spirit and scope, and that all such modifications should be encompassed within the scope of the claims of the present invention.