CN100414928C - Method for preventing offence between inserted users - Google Patents


Info

Publication number: CN100414928C
Authority: CN (China)
Prior art keywords: message, compartment wall, fire compartment, access device, ggsn
Legal status: Expired - Fee Related
Application number: CNB2005100535568A
Other languages: Chinese (zh)
Other versions: CN1832450A (en)
Inventors: 王旭, 胡玉胜
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date: 2005-03-08
Filing date: 2005-03-08
Publication date: 2008-08-27

Events: application filed by Huawei Technologies Co Ltd with priority to CNB2005100535568A; publication of CN1832450A; application granted; publication of CN100414928C; current legal status Expired - Fee Related.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a method for preventing attacks between access users. A firewall is arranged between an access device and an external packet data network, and the method comprises the following steps: A. the access device receives an uplink packet and judges whether the packet is addressed to another access user; if so, it sends the packet to the firewall; B. the firewall receives the packet, inspects and filters it, and sends legitimate packets back to the access device; C. the access device delivers the packet to the corresponding access user. With the present invention, firewall-grade protection against attacks between access users can be achieved without changing the existing network.

Description

Method for preventing attacks between access users
Technical field
The present invention relates to the field of GPRS access technology, and in particular to a method for preventing attacks between access users.
Background art
Fig. 1 shows the GPRS/WCDMA network architecture. The GGSN and the SGSN are the two basic devices of the GPRS/WCDMA packet-domain core network. The main function of the SGSN is to provide access for the UTRAN/BSS; the main function of the GGSN is to act as the gateway between the GPRS/WCDMA system and the external packet data network (PDN). A data service initiated by an access user (TE, Terminal Equipment) enters via the SGSN, is forwarded to the GGSN, and from the GGSN to the external packet data network; receiving data can be regarded as the reverse of this process.
To protect access users from attack, a firewall is usually placed between the GGSN and the external packet data network (generally the Internet). The firewall blocks attacks on access users by any invalid data flows that may arrive from the external packet data network.
As access user services grow, the potential for access users to attack one another also increases gradually. However, the firewall's position in the network architecture means that it can only filter invalid data flows coming from the external packet data network; it cannot filter data flows between access users. This is analysed below:
As can be seen from the network architecture in Fig. 1, when data is transmitted between access users, the TE uploads the data flow to the GGSN via the SGSN, and the GGSN, after processing the data flow, delivers it directly down to the other TE via the SGSN. The data flow never passes through the firewall.
If a firewall were added between the GGSN and subordinate equipment such as the SGSN in order to inspect the data transmitted between TEs and guard against attacks, networking costs would increase, and packets from the external packet data network would have to pass through two firewalls before reaching the TE, which would certainly reduce the data transmission speed between the TE and the external packet data network.
Therefore, the current method for preventing attacks between access users is for the GGSN to perform simple packet filtering directly, inspecting and filtering the data flows transmitted between access users. Packet filtering is a simple filtering means that can filter only on simple attributes of the data packet, such as source address, destination address, source port, destination port and TTL. A packet-filtering policy based on inspection in the GGSN can prevent attacks between access users only to a limited extent and can hardly prevent complex attacks mounted by access users. The reason can also be understood as follows: the GGSN itself is not a dedicated firewall device, so it is difficult for it to reach a firewall's high-level ability to prevent complex attacks, and it cannot satisfy higher security requirements.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for preventing attacks between access users, so that firewall-grade protection against attacks between access users is achieved without changing the existing network.
The method of the present invention for preventing attacks between access users, in which a firewall is provided between an access device and an external packet data network, comprises the following steps:
A. The access device receives an uplink packet and judges whether the packet is addressed to another access user; if so, it sends the packet to the firewall;
B. The firewall receives the packet, inspects and filters it, and sends legitimate packets back to the access device;
C. The access device delivers the packet down to the corresponding access user.
Optionally, before the packet is sent to the firewall in step A, a designated header is added to the packet; and after the packet is received in step B, the designated header is removed from the packet.
Optionally, the access device is provided with a detection rule, and the designated header is added when the rule determines that the packet needs to be inspected.
Preferably, the designated header also contains a flag bit indicating whether the firewall needs to inspect the packet; and in step B the firewall determines from this flag bit whether to inspect.
The inspection and filtering by the firewall in step B comprises: the firewall inspects the packet according to its source address, destination address, source port, destination port and time-to-live (TTL), and filters it according to the configured filtering rules. It may further comprise inspecting the data encapsulated in the packet, and/or reassembling the encapsulated data and inspecting the result.
Optionally, the access device is a GGSN (Gateway GPRS Support Node).
As the above method shows, the present invention achieves firewall filtering of packets between access users through the cooperation of the access device GGSN and the firewall device, preventing malicious attacks between access users. Implementing the present invention does not require changing the existing networking mode or adding a further firewall; a firewall-based filtering mechanism is achieved without changing the network architecture, so firewall-grade security requirements can be met, and since the existing network is not changed, costs stay low.
Description of drawings
Fig. 1 is the GPRS/WCDMA network architecture.
Fig. 2 shows the GGSN and the firewall cooperating in data inspection.
Fig. 3 is the flow chart of the present invention for inspecting data flows between access users.
Embodiment
Without changing the existing networking structure, the present invention inspects and filters the data flows between access users through the cooperation of the GGSN and the firewall device, thereby guarding against attacks between access users. The method of the present invention for preventing attacks between access users is described in detail below with reference to the drawings.
The network structure shown in Fig. 1 is still used, and the firewall is still located between the GGSN and the external packet data network. As shown in Figs. 2 and 3, the method comprises the following steps:
Step 301: The access device GGSN receives a packet sent by a TE and uploaded via the SGSN. The GGSN judges whether the packet is addressed to another access user by checking the destination address of the packet against the TE address configuration information recorded on the GGSN. When it judges that the packet is addressed to another user, it adds the designated header to the packet and then sends the packet to the firewall. The format of the designated header can be negotiated between the GGSN and the firewall so that both sides can recognise it.
In addition, a detection policy can be configured on the GGSN in advance, for example specifying that packets from trusted TEs are not inspected. Then, in step 301, when the policy configured on the GGSN determines that packets from a certain TE need not be filtered, the GGSN may omit the designated header from the packet, or may indicate through a flag bit set in the header that the packet is not to be inspected.
One implementation of the header is as follows: the header may contain information such as a sequence number identifying the packet and a flag bit, where the flag bit indicates whether the packet needs to be inspected by the firewall. An example of the resulting packet structure is: Sequence Number + Flag + Length + (original UDP/IP data packet), where Sequence Number is the sequence number above, Flag is the flag bit above, and Length is the length of the packet that follows. Naturally, when transmitting the packet to the firewall the GGSN also encapsulates it with the firewall's address; this is not described further here.
Step 302: After the firewall receives the packet, it determines from the designated header carried by the packet that it is a packet sent up by the GGSN, removes the designated header, and proceeds with standard firewall inspection and filtering; abnormal packets that are detected are filtered out and not forwarded.
If the header in step 301 carries the flag bit indicating whether to inspect, the firewall also determines from this flag bit whether to inspect.
The functions provided by the firewall can be fully used to inspect packets. The firewall can inspect and filter according to parameters such as the packet's source address, destination address, source port, destination port and TTL. For example, filtering rules for source and destination addresses can be configured on the firewall in advance, and filtering rules can also be configured for certain protocol ports. For instance, if packets from MS1 to MS2 are to be forbidden (that is, to prevent MS1 from attacking MS2), a rule can be configured on the firewall forbidding data packets whose source address is MS1 and whose destination address is MS2; such packets will then be dropped and not delivered back to the GGSN. Furthermore, the firewall can also be used for more complex inspection; for example, inspection rules for packet content can be set on the firewall so that it inspects the packet's content data, i.e. the encapsulated data, or reassembles the encapsulated data and inspects the upper-layer data, and so on.
Step 303: The firewall delivers packets that pass inspection down to the GGSN, and the GGSN performs normal forwarding and delivers them to the corresponding access user.
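As an added worked example (not code from the patent or from Huawei), the following Python sketches steps 301 to 303 end to end: a GGSN that classifies each uplink packet against its TE address table, applies the trusted-TE detection policy, and wraps inter-TE traffic in the Sequence Number + Flag + Length header; and a firewall that recognises the header, strips it, applies address/port/TTL rules plus a content rule, and hands back only packets that pass. The field widths (4/1/2 bytes), the simplified datagram encoding standing in for the original UDP/IP packet, the class and function names (GGSN, Firewall, Rule, relay), and the 10.0.0.x addresses are assumptions constructed for the example; the firewall-address encapsulation the text mentions is left out.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Designated header the GGSN prepends: Sequence Number + Flag + Length.
# The patent names the fields but not their widths; 4/1/2 bytes is an assumption.
HDR_FMT = "!IBH"
HDR_LEN = struct.calcsize(HDR_FMT)  # 7 bytes
FLAG_INSPECT = 1                    # firewall must inspect this packet
FLAG_SKIP = 0                       # GGSN detection policy: no inspection needed

# Constructed stand-in for the "original UDP/IP packet":
# src(4) dst(4) sport(2) dport(2) ttl(1), then the payload.
PKT_FMT = "!4s4sHHB"
PKT_LEN = struct.calcsize(PKT_FMT)  # 13 bytes

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    payload: bytes

    def to_bytes(self) -> bytes:
        return struct.pack(PKT_FMT, socket.inet_aton(self.src), socket.inet_aton(self.dst),
                           self.sport, self.dport, self.ttl) + self.payload

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Datagram":
        src, dst, sport, dport, ttl = struct.unpack(PKT_FMT, raw[:PKT_LEN])
        return cls(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, ttl, raw[PKT_LEN:])

class GGSN:
    """Access-device side of steps 301 and 303 (hypothetical class, not the patent's)."""

    def __init__(self, attached_tes, trusted_tes=()):
        self.attached = set(attached_tes)  # TE address records held by the GGSN
        self.trusted = set(trusted_tes)    # detection policy: packets from these TEs skip inspection
        self.seq = 0

    def handle_uplink(self, dg: Datagram) -> Tuple[str, bytes]:
        """Step 301: Internet-bound traffic keeps its unchanged path ('external'); traffic to
        another attached TE is wrapped in the designated header and sent to the firewall."""
        raw = dg.to_bytes()
        if dg.dst not in self.attached:
            return "external", raw
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        flag = FLAG_SKIP if dg.src in self.trusted else FLAG_INSPECT
        return "firewall", struct.pack(HDR_FMT, self.seq, flag, len(raw)) + raw

@dataclass(frozen=True)
class Rule:
    """Drop rule: None fields match anything; payload_contains is a content (deep-inspection) rule."""
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ttl: Optional[int] = None
    payload_contains: Optional[bytes] = None

    def matches(self, dg: Datagram) -> bool:
        pairs = ((self.src, dg.src), (self.dst, dg.dst), (self.sport, dg.sport),
                 (self.dport, dg.dport), (self.ttl, dg.ttl))
        if any(want is not None and want != got for want, got in pairs):
            return False
        return self.payload_contains is None or self.payload_contains in dg.payload

class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def handle_from_ggsn(self, buf: bytes) -> Optional[bytes]:
        """Step 302: recognise the designated header, strip it, inspect; returns the bare
        packet to hand back to the GGSN, or None if the packet is dropped."""
        if len(buf) < HDR_LEN:
            return None
        _seq, flag, length = struct.unpack(HDR_FMT, buf[:HDR_LEN])
        raw = buf[HDR_LEN:]
        if len(raw) != length or len(raw) < PKT_LEN:
            return None  # malformed encapsulation: drop rather than guess at the contents
        if flag == FLAG_SKIP:
            return raw   # the GGSN's policy marked this packet as not needing inspection
        dg = Datagram.from_bytes(raw)
        return None if any(r.matches(dg) for r in self.rules) else raw

def relay(ggsn: GGSN, fw: Firewall, dg: Datagram) -> Optional[str]:
    """Whole 301-303 path: 'external' for Internet-bound traffic, the receiving TE's
    address when the firewall hands the packet back (step 303), None if it was dropped."""
    where, buf = ggsn.handle_uplink(dg)
    if where == "external":
        return "external"
    raw = fw.handle_from_ggsn(buf)
    return None if raw is None else Datagram.from_bytes(raw).dst
```

With `GGSN(["10.0.0.1", "10.0.0.2", "10.0.0.3"], trusted_tes=["10.0.0.3"])` and `Firewall([Rule(src="10.0.0.1", dst="10.0.0.2")])`, a packet from 10.0.0.1 to 10.0.0.2 is dropped (the MS1-to-MS2 rule from the text), the reverse direction is delivered, Internet-bound traffic never takes the hairpin, and a packet from the trusted TE carries FLAG_SKIP so the firewall hands it back without matching rules. The firewall also discards encapsulations whose Length does not agree with the bytes actually received, so a truncated or padded wrapper is never parsed as a packet.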
As the above process shows, no change to the existing network and no new firewall is required, and the firewall's original protective function between the external packet data network and the GPRS core network is not affected. All other data flows are unchanged: the original TE-to-Internet flow still goes from the TE via the SGSN to the GGSN and then through the firewall to the Internet, and the Internet-to-TE flow is still filtered by the firewall, then passes to the GGSN and via the SGSN to the TE.
This example describes the present invention using the GPRS/WCDMA network architecture. In different network architectures the networking entities may differ, so the role of the GGSN above may be performed by other entities in other network architectures; as long as the entity's function is essentially the same as that of the GGSN, the method of the present invention can be used to guard against attacks between access users.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (7)

1. A method for preventing attacks between access users, in which a firewall is provided between an access device and an external packet data network, characterised in that it comprises the following steps:
A. the access device receives an uplink packet and judges whether the packet is addressed to another access user; if so, it sends the packet to the firewall;
B. the firewall receives the packet, inspects and filters it, and sends back to the access device the packets confirmed to be legitimate;
C. the access device delivers the packet down to the access user who is to receive it.
2. The method according to claim 1, characterised in that step A further comprises, before the packet is sent to the firewall: adding a designated header to the packet;
and step B further comprises, after the packet is received: removing the designated header from the packet.
3. The method according to claim 2, characterised in that it further comprises: the access device is provided with a detection rule, and the designated header is added when the detection rule determines that the packet needs to be inspected.
4. The method according to claim 2, characterised in that the designated header further comprises a flag bit indicating whether the firewall needs to inspect;
and step B further comprises: the firewall determines from the flag bit whether to inspect the packet.
5. The method according to claim 1, characterised in that the access device is a GGSN (Gateway GPRS Support Node).
6. The method according to claim 1, characterised in that the inspection and filtering by the firewall in step B comprises: the firewall inspects the packet according to its source address, destination address, source port, destination port and time-to-live (TTL), and filters it according to the configured filtering rules.
7. The method according to claim 6, characterised in that it further comprises: inspecting the data encapsulated in the packet, and/or reassembling the encapsulated data and inspecting the result.

Priority Applications (1)

Application number CNB2005100535568A; priority date 2005-03-08; filing date 2005-03-08; title: Method for preventing offence between inserted users

Applications Claiming Priority (1)

Application number CNB2005100535568A; priority date 2005-03-08; filing date 2005-03-08; title: Method for preventing offence between inserted users

Publications (2)

CN1832450A (en), published 2006-09-13
CN100414928C (en), published 2008-08-27 (granted publication)

Family

ID=36994457

Family Applications (1)

Application number CNB2005100535568A (Expired - Fee Related), CN100414928C (en); priority date 2005-03-08; filing date 2005-03-08; title: Method for preventing offence between inserted users

Country Status (1)

CN (1): CN100414928C (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101202756B (en) 2007-12-20 2011-02-02 杭州华三通信技术有限公司 Method and apparatus of message processing

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1489355A (en) * 2002-10-10 2004-04-14 华为技术有限公司 Network system and method for processing VOIP business based on media net-link control protocol
CN1498482A (en) * 2001-03-21 2004-05-19 Method and communication system for monitoring data flow in data network
CN1529482A (en) * 2003-10-08 2004-09-15 中兴通讯股份有限公司 Method for realing signalling fire wall in soft exchange network

Also Published As

Publication number Publication date
CN1832450A (en) 2006-09-13

Similar Documents

Publication Publication Date Title
US8402538B2 (en) Method and system for detecting and responding to harmful traffic
CN108063765B (en) SDN system suitable for solving network security
US8320242B2 (en) Active response communications network tap
CN101616129A (en) The methods, devices and systems of anti-network attack flow overload protection
CN105991637A (en) Network attack protection method and network attack protection device
CN101465855B (en) Method and system for filtrating synchronous extensive aggression
JP2004185622A5 (en)
CN101547187B (en) Network attack protection method for broadband access equipment
JP2006352831A (en) Network controller and method of controlling the same
CN101227289A (en) Uniform intimidation managing device and loading method of intimidation defense module
JP2007184799A (en) Packet communication device
EP1521397A3 (en) Determination of the location of flow entry points in a communications network
CN103036733A (en) Unconventional network access behavior monitoring system and monitoring method
CN101494639A (en) Method and apparatus for preventing aggression in packet communication system
CN100420197C (en) Method for guarding against attack realized for networked devices
CN107370715A (en) Network safety protection method and device
JP2005184792A (en) Band control device, band control method, and program
JP4602158B2 (en) Server equipment protection system
CN101340275A (en) Data card, data processing and transmitting method
CN100414928C (en) Method for preventing offence between inserted users
CN101826991A (en) Method and system for identifying illegal data packet
CN101494598B (en) Flow control method, device and system
US20110078283A1 (en) Service providing system, filtering device, filtering method and method of confirming message
JP2005293550A (en) Method and system for monitoring and protecting private network against attack from public network
CN107210969B (en) Data processing method based on software defined network and related equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080827

Termination date: 20130308