CN101051891A - Method and device for safety strategy uniformly treatment in safety gateway - Google Patents
Method and device for safety strategy uniformly treatment in safety gateway Download PDFInfo
- Publication number
- CN101051891A CN101051891A CNA2007101031609A CN200710103160A CN101051891A CN 101051891 A CN101051891 A CN 101051891A CN A2007101031609 A CNA2007101031609 A CN A2007101031609A CN 200710103160 A CN200710103160 A CN 200710103160A CN 101051891 A CN101051891 A CN 101051891A
- Authority
- CN
- China
- Prior art keywords
- security
- tunnel
- packet
- strategy
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 43
- 230000008878 coupling Effects 0.000 claims description 9
- 238000010168 coupling process Methods 0.000 claims description 9
- 238000005859 coupling reaction Methods 0.000 claims description 9
- 238000007689 inspection Methods 0.000 abstract description 5
- 238000001514 detection method Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 238000004590 computer program Methods 0.000 description 2
- 230000002950 deficient Effects 0.000 description 2
- 230000005641 tunneling Effects 0.000 description 2
- 101100217298 Mus musculus Aspm gene Proteins 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
Images
Abstract
Expanding security policy table of secure gateway, the invention adds operations for entering to tunnel, and index of tunnel based on actions of allowance and pass. Since policy inspection for secure gateway is based on TCP/UDP protocol state, thus, policy inspection also adds operations for entering to tunnel, and index ID of tunnel. Secure gateway carries out secure policy matching for first data packet in stream of accessing network. If matched secure policy includes tunnel option, then, tunnel option is added to new built state table. The invention solves issues that secure gateway carries out multiple times of policy match, and increases network processing property of secure gateway 10%. Using united process of secure policy can inspect secure control on centralized one point so as to reduce security loophole caused by dispersive, not unified secure policy.
Description
Technical field
The present invention carries out unified method and the device of handling of security strategy in a kind of security gateway, belong to the network information security technology field.
Background technology
Ipsec protocol be IP Safety Design framework and standard.In industrial quarters, this technology is mainly used on security gateway/VPN integrated security gateway device.Security gateway/VPN integrated security gateway device is mainly finished state-detection and the ipsec protection to network packet.
State-detection is packet is mated and to set up state table according to port, the type of agreements such as TCP/UDP/ICMP according to security strategy.Security strategy can correctly be controlled the whole process of access to netwoks.
IPSec VPN is on the basis of public network, sets up virtual private network technology.The network packet that satisfies the IPSec strategy is carried out the vpn tunneling protection.
Present Firewall/VPN integrated security gateway device, the method that realizes state-detection and VPN are to carry out security strategy and IPSec strategy respectively to check.Packet is at first carried out security strategy coupling and state-detection,, abandon this packet if packet does not meet security strategy.If packet meets security strategy, then packet enquiring IPSec strategy is checked.After if the IPSec strategy matching arrives, search Security Association (SecurityAssociation) according to the tunnel in the strategy.(with reference to Fig. 1 introduction) need all carry out the security strategy inspection as can be seen in two modules.Will cause security breaches or execution error if two inconsistent.Security Association is the combination that comprises a series of data of enciphering and deciphering algorithm, key, cipher key lifetimes, encapsulation mode, security processing.
There is following defective in this method:
1. strategy matching expends computational resource very much, carries out twice strategy matching and causes inefficiency.
2. need to add two safety regulations, if miss one, fail safe is with regard to defectiveness.
Summary of the invention
The present invention has proposed to carry out in a kind of security gateway unified method and the device of handling of security strategy just at the defective that exists in the prior art, the purpose of technical solution of the present invention has two, one provides the method for carrying out the unified processing of security strategy in a kind of security gateway, and this method has realized carrying out security gateway security strategy and the unified inspection of ipsec security strategy in security gateway.Make the user can carry out more convenient, safe policy configurations, obtain higher performance simultaneously.Another purpose provides a kind of device that carries out the unified method of handling of security strategy in the above-mentioned security gateway that is applicable to, this device can be finished above-mentioned access control policy processing on stream simultaneously and the IPSec strategy is handled two operations, and can carry out the operation of a plurality of Action Selection type of process to packet.
The objective of the invention is to realize by following measure:
Carry out the unified method of handling of security strategy in this kind security gateway,, on the basis that allows, passes through, increased the action that enters the tunnel, the index in tunnel by the security strategy table of expansion security gateway.Because the strategy inspection of security gateway is based on protocol statuss such as TCP/UDP,, the action that enters the tunnel, the index ID in tunnel have been increased so expanded the state table of security gateway simultaneously.Security gateway carries out the security strategy coupling to the first packet bag of access to netwoks stream.If the security strategy of coupling has the tunnel option, increase the option in tunnel in the then newly-built state table.
The security gateway state table has just increased the VPN processing section to the processing of packet.If packet is the data after the deciphering, find tunnel ID according to the Security Association of deciphering usefulness, whether consistently check with the tunnel ID in the state table.If packet through encrypting, does not obtain Security Association according to the tunnel ID in the state table.Carry out encryption and package process.
The present invention has expanded IKE tunnel configuration and Security Association, has increased tunnel ID option in the IKE tunnel configuration with in the Security Association.After the successful key agreement of this tunnel process, use PF KEY kernel interface to add Security Association.In PF_KEY message, transmit the tunnel ID in the IKE tunnel simultaneously.After kernel is received PF_KEY message, distribute the Security Association memory space, and according to tunnel ID Security Association is joined in the index and to go.After network access data is by security strategy, state table, just Security Association can have been obtained like this.
The ike negotiation process comprises the negotiation of IPSec strategy.Gateway security strategy safe in utilization is held consultation in ike negotiation.
Steps of the method are:
(1) index (ID) in increase tunnel in the configuration in IPSEC VPN (virtual private network) (VPN) tunnel, except as the index (ID) that has also increased this tunnel the algorithm in the tunnel configuration, cipher key lifetimes, the DH cipher key change group, in system, can arrive the configuration in this tunnel according to this index search;
(2) on the safe action of the security strategy table of security gateway, increase the selection type that enters the tunnel, to increasing the index in tunnel in the scaling option of security strategy table, the interface of increase and tunnel processing module increases entering the definition of tunnel type in the type of action of security strategy simultaneously in the security strategy of security gateway is handled.Increase tunnel index (TunnelID) data member in the data structure of security strategy;
When (3) the first packet of access to netwoks stream arrives, security gateway carries out the security strategy coupling, set up the state table of this access to netwoks stream after the match is successful, state table comprises the sign of access to netwoks stream such as source IP address, purpose IP address, source port, destination interface and the processing of this access to netwoks stream is moved and other options as allowing, abandon etc.In the type of action of state table, increased entering the definition of tunnel type of action as the expansion safety regulation, in state table, increased the tunnel Yellow Book.If the Action Selection type of security strategy is to enter the tunnel, the type of action at newly-built state table also is to enter the tunnel so, and in state table the tunnel index in the record security rule in the tunnel Yellow Book;
(4) security gateway is handled the packet of access stream according to state table, and processing mode is different and different according to type of action, and the Action Selection type refers to the processing to packet, is the important content in the security gateway.Increased in security gateway entering the processing module of tunnel type of action, type of action, network data flow path direction and tunnel index in this module user mode table are handled packet, and processing mode is following two kinds:
[4-1] then transmits or abandons according to the Action Selection type of state table if the Action Selection type of state table does not enter the tunnel;
[4-2] if the Action Selection type of state table enters a certain tunnel, and the packet of access stream is sent to the other side's security gateway by this locality, according to the Yellow Book in the tunnel in the state table, searches Security Association, and this moment, processing mode also was divided into following two kinds:
[4-2-1] encrypts the packet data of access stream if search successfully, sends to the telesecurity gateway then;
[4-2-2] sends the Security Association request message if search unsuccessfully to the cipher key change process, should comprise the tunnel index in the state table in this message;
(5) after the cipher key change process is received above-mentioned Security Association request message, begin to initiate ike negotiation according to the tunnel index in the Security Association request message, wherein, the security strategy that security policy negotiation adopted is the security strategy of the security gateway that binds together with this tunnel index in the security gateway security strategy table scaling option, after negotiation is passed through, load security strategy Security Association pointed to network system, network system is distributed the Security Association memory space, and according to the tunnel index Security Association is added security association database;
When (6) the other side's security gateway is received encrypted packet, security gateway is according to the Security Parameter Index of encrypted packet, searching Security Association is decrypted, if packet is the first packet of access to netwoks stream, security gateway carries out the security strategy coupling, set up the state table of this access to netwoks stream after the match is successful, if the Action Selection type of state table is to enter the tunnel, be for further processing, otherwise abandon, this processing is to obtain the tunnel index according to the Security Association that this packet of deciphering is used, and checks whether this tunnel index is consistent with the tunnel index in the state table, if consistent system carries out routing forwarding to it, otherwise abandons.
A kind ofly be applicable to the above-mentioned device that in security gateway, carries out the unified method of handling of security strategy, it comprises the packet receiver module, the network routing module, the Security Association administration module, data encrypting and deciphering module and packet forwarding module, it is characterized in that: this device also comprises a unified security strategy processing module, this module is finished above-mentioned access control policy processing on stream simultaneously and the IPSec strategy is handled two operations, in system, only there is a kind of strategy, this strategy is supported access control and IPSec strategy simultaneously, the data flow front end of this module is connected in the packet receiver module, the data flow rear end is connected in the network routing module simultaneously, packet loss module and Security Association administration module also comprise in the unified security strategy processing module:
A plurality of Action Selection type of process modules, different Action Selection type of process modules are carried out corresponding safety operation to packet, packet is given the network routing module or paid packet loss module, and the processing that enters the tunnel action is that packet is directly paid the Security Association processing module.
Description of drawings
Fig. 1 is the process chart of security gateway equipment in the prior art
Fig. 2 is the whole topo graph of the application of technical solution of the present invention
Fig. 3 is the flow chart of the computer software of processing data packets in the technical solution of the present invention
Fig. 4 is the flow chart of the computer software of cipher key change process in the technical solution of the present invention
Fig. 5 is the computer software flow chart of security strategy and state-detection process
Fig. 6 is the computer software flow chart of the strategic process in the request of security strategy alliance safe in utilization
Fig. 7 is the structural representation of technical solution of the present invention device
Embodiment
Below with reference to drawings and Examples technical solution of the present invention is further described:
Shown in accompanying drawing 2, set up a VPN (virtual private network) from Beijing to Shanghai, this network is formed and is connected by Beijing LAN 1, Beijing security gateway equipment 2, Shanghai security gateway equipment 3, Shanghai LAN 4, Beijing switch 5 and Shanghai switch 6.As transmitting terminal, above Hai'an full gateway equipment 3 is as receiving terminal with Beijing security gateway equipment 2.The IP address of Beijing LAN 1 is 192.168.1.0/24, and the IP address of Beijing security gateway equipment 2 is 211.218.85.1, and the IP address of Shanghai security gateway equipment 3 is 219.202.2.1, and the IP address of Shanghai LAN 4 is 192.168.2.0/24.
Beijing security gateway equipment and Shanghai security gateway equipment all are by the computer equipment that comprises a plurality of network interface cards, have wherein moved the operating system that network enabled is transmitted with the security gateway security strategy is handled, the IPSEC encryption and decryption is handled.And in operating system, install and realize the needed computer program file of technical solution of the present invention, the flow process of this computer program is shown in accompanying drawing 3~7.
Said system adopts the described unified method of handling of security strategy of carrying out of technical solution of the present invention at work in security gateway, its step is as follows:
(1) increases vpn tunneling, source address is 211.218.85.1, destination address is 219.202.2.1, algorithm adopts 3DES and SHA1, cipher key lifetimes is 1800 seconds, increase the index (ID) in tunnel in the configuration in IPSEC VPN (virtual private network) (VPN) tunnel, the index in the tunnel in the configuration in this tunnel (ID) is 1001;
(2) on the safe action of the security strategy table of security gateway, increase the selection type that enters the tunnel, to increasing the index in tunnel in the scaling option of security strategy table, increase security strategy, source address is 192.168.1.0/24, destination address is 192.168.2.0/24, action is for entering the tunnel, and the tunnel Yellow Book is 1001 in the security strategy;
(3) access to netwoks stream is when the first packet of the HTTP service of the source port 1025 visit 192.168.2.1 of 192.168.1.60 arrives, security gateway carries out the security strategy coupling, set up the state table of this access to netwoks stream after the match is successful, if the Action Selection type of security strategy is to enter the tunnel, in state table, increase the option of tunnel index; Similar other security gateway systems are set up state table, and keyword is COA8013C0401-COA802010050, increase the tunnel Yellow Book in state, and the tunnel Yellow Book that this state table is set is 1001.
(4) security gateway is handled the packet of access stream according to state table, and processing mode is divided into following two kinds:
[4-1] then transmits or abandons according to the Action Selection type of state table if the Action Selection type of state table does not enter the tunnel;
[4-2] if the Action Selection type of state table enters a certain tunnel, and the packet of access stream is sent to the other side's security gateway by this locality, according to the Yellow Book in the tunnel in the state table, searches Security Association, and this moment, processing mode also was divided into following two kinds:
[4-2-1] encrypts the packet data of access stream if search successfully, sends to the telesecurity gateway then;
[4-2-2] sends the Security Association request message if search unsuccessfully to the cipher key change process, should comprise the tunnel index in the state table in this message; If Security Association is searched not success, send the Security Association request to the cipher key change process, the tunnel index in the request message is set to 1001;
(5) after the cipher key change process is received above-mentioned Security Association request message, according to the tunnel index 1001 in the Security Association request message, find the configuration in this tunnel, begin to initiate ike negotiation, wherein, the security strategy that security policy negotiation adopted is the security strategy of the security gateway that binds together with this tunnel index in the security gateway security strategy table scaling option, be exactly in the present example source address be 192.168.1.0/24, destination address is that strategy of 192.168.2.0/24.After negotiation is passed through, load security strategy Security Association pointed to network system, network system is distributed the Security Association memory space, and according to the tunnel index Security Association is added security association database;
When (6) the other side's security gateway is received encrypted packet, security gateway is according to the Security Parameter Index of encrypted packet, searching Security Association is decrypted, if packet is the first packet of access to netwoks stream, security gateway carries out the security strategy coupling, set up the state table of this access to netwoks stream after the match is successful, if the Action Selection type of state table is to enter the tunnel, be for further processing, otherwise abandon, this processing is to obtain the tunnel index according to the Security Association that this packet of deciphering is used, and checks whether this tunnel index is consistent with the tunnel index in the state table, if consistent system carries out routing forwarding to it, otherwise abandons.
Shown in accompanying drawing 7, be applicable to the above-mentioned device that in security gateway, carries out the unified method of handling of security strategy, it comprises packet receiver module 7, network routing module 8, Security Association administration module 9, data encrypting and deciphering module 10 and packet forwarding module 11, it is characterized in that: this device also comprises a unified security strategy processing module 12, this module is finished above-mentioned access control policy processing on stream simultaneously and the IPSec strategy is handled two operations, the data flow front end of this module is connected in packet receiver module 7, the data flow rear end is connected in network routing module 8 simultaneously, packet loss module 13 and Security Association administration module 9 also comprise in the unified security strategy processing module 12:
A plurality of Action Selection type of process modules 14, different 14 pairs of packets of Action Selection type of process module carry out corresponding safety operation, packet is given network routing module 8 or paid packet loss module 13, and the processing that enters the tunnel action is that packet is directly paid Security Association processing module 9.
The network interface unit of driver module 15 produces the CPU interruption after receiving packet, and driver module 15 receives data from the electronic signal of network interface unit.The data that packet forward module calling driver module 15 will send are dealt in the formation of driving, and the network interface unit of driver module 15 is converted to packet electronic signal at one's leisure and sends in the network and go.The model of driver module 15 is selected Inteleepro100 for use.
The invention solves security gateway equipment and carry out repeatedly the problem of strategy matching, the network processes performance of security gateway has been improved 10%.Strategy safe in utilization is unified to be handled, and security control can be concentrated on the point simultaneously and check, has reduced because the security breaches that security strategy disperses disunity to cause.
Claims (3)
1. carry out the unified method of handling of security strategy in a security gateway, it is characterized in that: steps of the method are:
(1) index (ID) in increase tunnel in the configuration in IPSEC VPN (virtual private network) (VPN) tunnel;
(2) on the safe action of the security strategy table of security gateway, increase the selection type that enters the tunnel, to increasing the index in tunnel in the scaling option of security strategy table;
When (3) the first packet of access to netwoks stream arrived, security gateway carried out the security strategy coupling, set up the state table of this access to netwoks stream after the match is successful, if the Action Selection type of security strategy is to enter the tunnel, increased the option of tunnel index in state table;
(4) security gateway is handled the packet of access stream according to state table, and processing mode is divided into following two kinds:
[4-1] then transmits or abandons according to the Action Selection type of state table if the Action Selection type of state table does not enter the tunnel;
[4-2] if the Action Selection type of state table enters a certain tunnel, and the packet of access stream is sent to the other side's security gateway by this locality, according to the Yellow Book in the tunnel in the state table, searches Security Association, and this moment, processing mode also was divided into following two kinds:
[4-2-1] encrypts the packet data of access stream if search successfully, sends to the telesecurity gateway then;
[4-2-2] sends the Security Association request message if search unsuccessfully to the cipher key change process, should comprise the tunnel index in the state table in this message;
(5) after the cipher key change process is received above-mentioned Security Association request message, according to the configuration of the tunnel index search in the Security Association request message to the tunnel, begin to initiate ike negotiation, wherein, the security strategy that security policy negotiation adopted is the security strategy of the security gateway that binds together with this tunnel index in the security gateway security strategy table scaling option, after negotiation is passed through, load security strategy Security Association pointed to network system, network system is distributed the Security Association memory space, and according to the tunnel index Security Association is added security association database;
When (6) the other side's security gateway is received encrypted packet, security gateway is according to the Security Parameter Index of encrypted packet, searching Security Association is decrypted, if packet is the first packet of access to netwoks stream, security gateway carries out the security strategy coupling, set up the state table of this access to netwoks stream after the match is successful, if the Action Selection type of state table is to enter the tunnel, be for further processing, otherwise abandon, this processing is to obtain the tunnel index according to the Security Association that this packet of deciphering is used, and checks whether this tunnel index is consistent with the tunnel index in the state table, if consistent system carries out routing forwarding to it, otherwise abandons.
2. carry out the unified method of handling of security strategy in the security gateway according to claim 1, it is characterized in that: the tunnel index that increases in the configuration in IPSEC VPN (virtual private network) (VPN) tunnel is a unduplicated positive integer in system.
3. one kind is applicable to the above-mentioned device that carries out the unified method of handling of security strategy in security gateway, it comprises packet receiver module (7), network routing module (8), Security Association administration module (9), data encrypting and deciphering module (10) and packet forwarding module (11), it is characterized in that: this device also comprises a unified security strategy processing module (12), this module is finished above-mentioned access control policy processing on stream simultaneously and the IPSec strategy is handled two operations, the data flow front end of this module is connected in packet receiver module (7), the data flow rear end is connected in network routing module (8) simultaneously, packet loss module (13) and Security Association administration module (9) also comprise in the unified security strategy processing module (12):
A plurality of Action Selection type of process modules (7), different Action Selection type of process modules (7) are carried out corresponding safety operation to packet, packet is given network routing module (2) or paid packet loss module (8), and the processing that enters the tunnel action is that packet is directly paid Security Association processing module (3).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710103160A CN100594690C (en) | 2007-05-22 | 2007-05-22 | Method and device for safety strategy uniformly treatment in safety gateway |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710103160A CN100594690C (en) | 2007-05-22 | 2007-05-22 | Method and device for safety strategy uniformly treatment in safety gateway |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101051891A true CN101051891A (en) | 2007-10-10 |
| CN100594690C CN100594690C (en) | 2010-03-17 |
Family
ID=38783108
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200710103160A Active CN100594690C (en) | 2007-05-22 | 2007-05-22 | Method and device for safety strategy uniformly treatment in safety gateway |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100594690C (en) |
Cited By (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101222412B (en) * | 2008-01-23 | 2010-08-04 | 成都市华为赛门铁克科技有限公司 | Network address commutation traversing method and system |
| CN101540999B (en) * | 2008-03-19 | 2012-04-25 | 华为技术有限公司 | Method and equipment for establishing safe data tunnel |
| CN102752171A (en) * | 2012-07-04 | 2012-10-24 | 汉柏科技有限公司 | Internet protocol security (IPSEC) consultation test method |
| CN102792637A (en) * | 2010-03-04 | 2012-11-21 | 微软公司 | Selectively disabling reliability mechanisms on a network connection |
| CN102801659A (en) * | 2012-08-15 | 2012-11-28 | 成都卫士通信息产业股份有限公司 | Implementation method and device for security gateway based on stream strategy |
| CN101741818B (en) * | 2008-11-05 | 2013-01-02 | 南京理工大学 | Independent network safety encryption isolator arranged on network cable and isolation method thereof |
| CN103095701A (en) * | 2013-01-11 | 2013-05-08 | 中兴通讯股份有限公司 | Open flow table security enhancement method and device |
| CN102065059B (en) * | 2009-11-16 | 2013-12-04 | 华为技术有限公司 | Security access control method, client and system |
| CN101997834B (en) * | 2009-08-10 | 2015-01-07 | 北京多思科技发展有限公司 | Device for supporting high-performance safety protocol |
| CN104901974A (en) * | 2015-06-26 | 2015-09-09 | 中国科学院大学 | Safety hypertext transport method |
| CN104995893A (en) * | 2013-10-31 | 2015-10-21 | 华为技术有限公司 | Data processing method, device and system |
| CN105052177A (en) * | 2013-03-22 | 2015-11-11 | 雅马哈株式会社 | Wireless network system, terminal management device, wireless relay device, and communications method |
| CN106254231A (en) * | 2016-08-18 | 2016-12-21 | 中京天裕科技(北京)有限公司 | A kind of industrial safety encryption gateway based on state and its implementation |
| CN106301765A (en) * | 2016-10-14 | 2017-01-04 | 盛科网络(苏州)有限公司 | Encryption and deciphering chip and realization thereof are encrypted and the method for encryption |
| CN108494744A (en) * | 2018-03-07 | 2018-09-04 | 杭州迪普科技股份有限公司 | A kind of IPsec VPN clients message processing method and device |
| CN109862435A (en) * | 2018-11-16 | 2019-06-07 | 京信通信系统(中国)有限公司 | Monitoring method, device, computer storage medium and the equipment of live video |
| CN110351308A (en) * | 2019-08-20 | 2019-10-18 | 北京天融信网络安全技术有限公司 | A kind of Virtual Private Network communication means and Virtual Private Network equipment |
| CN110572415A (en) * | 2019-10-14 | 2019-12-13 | 迈普通信技术股份有限公司 | Safety protection method, equipment and system |
| CN113949661A (en) * | 2021-09-27 | 2022-01-18 | 网络通信与安全紫金山实验室 | Data forwarding method and device |
| CN114070626A (en) * | 2021-11-17 | 2022-02-18 | 青岛信大云谷信息科技有限公司 | Network security policy decision method combining edge calculation |
| CN114143050A (en) * | 2021-11-23 | 2022-03-04 | 广东电网有限责任公司 | Video data encryption system |
| CN114175583A (en) * | 2019-07-29 | 2022-03-11 | 思科技术公司 | System resource management in self-healing networks |
| CN114301735A (en) * | 2021-12-10 | 2022-04-08 | 北京天融信网络安全技术有限公司 | Method, system, terminal and storage medium for managing and controlling IPSEC tunnel data distribution on demand |
-
2007
- 2007-05-22 CN CN200710103160A patent/CN100594690C/en active Active
Cited By (35)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101222412B (en) * | 2008-01-23 | 2010-08-04 | 成都市华为赛门铁克科技有限公司 | Network address commutation traversing method and system |
| CN101540999B (en) * | 2008-03-19 | 2012-04-25 | 华为技术有限公司 | Method and equipment for establishing safe data tunnel |
| CN101741818B (en) * | 2008-11-05 | 2013-01-02 | 南京理工大学 | Independent network safety encryption isolator arranged on network cable and isolation method thereof |
| CN101997834B (en) * | 2009-08-10 | 2015-01-07 | 北京多思科技发展有限公司 | Device for supporting high-performance safety protocol |
| CN102065059B (en) * | 2009-11-16 | 2013-12-04 | 华为技术有限公司 | Security access control method, client and system |
| CN102792637A (en) * | 2010-03-04 | 2012-11-21 | 微软公司 | Selectively disabling reliability mechanisms on a network connection |
| CN102792637B (en) * | 2010-03-04 | 2015-09-23 | 微软技术许可有限责任公司 | The method and system of the reliability mechanisms that selective disabling network connects |
| CN102752171B (en) * | 2012-07-04 | 2015-03-25 | 汉柏科技有限公司 | Internet protocol security (IPSEC) consultation test method |
| CN102752171A (en) * | 2012-07-04 | 2012-10-24 | 汉柏科技有限公司 | Internet protocol security (IPSEC) consultation test method |
| CN102801659A (en) * | 2012-08-15 | 2012-11-28 | 成都卫士通信息产业股份有限公司 | Implementation method and device for security gateway based on stream strategy |
| CN102801659B (en) * | 2012-08-15 | 2016-03-30 | 成都卫士通信息产业股份有限公司 | A kind of security gateway implementation method based on Flow Policy and device |
| CN103095701A (en) * | 2013-01-11 | 2013-05-08 | 中兴通讯股份有限公司 | Open flow table security enhancement method and device |
| CN103095701B (en) * | 2013-01-11 | 2016-04-13 | 中兴通讯股份有限公司 | Open flows table security enhancement method and device |
| CN105052177A (en) * | 2013-03-22 | 2015-11-11 | 雅马哈株式会社 | Wireless network system, terminal management device, wireless relay device, and communications method |
| CN105052177B (en) * | 2013-03-22 | 2018-11-30 | 雅马哈株式会社 | Radio Network System, terminal management apparatus, relay apparatus and communication means |
| US10575177B2 (en) | 2013-03-22 | 2020-02-25 | Yamaha Corporation | Wireless network system, terminal management device, wireless relay device, and communications method |
| CN104995893A (en) * | 2013-10-31 | 2015-10-21 | 华为技术有限公司 | Data processing method, device and system |
| CN104901974A (en) * | 2015-06-26 | 2015-09-09 | 中国科学院大学 | Safety hypertext transport method |
| CN104901974B (en) * | 2015-06-26 | 2018-01-02 | 中国科学院大学 | Secure hyper text transport method |
| CN106254231A (en) * | 2016-08-18 | 2016-12-21 | 中京天裕科技(北京)有限公司 | A kind of industrial safety encryption gateway based on state and its implementation |
| CN106301765B (en) * | 2016-10-14 | 2020-01-14 | 盛科网络(苏州)有限公司 | Encryption and decryption chip and method for realizing encryption and decryption |
| CN106301765A (en) * | 2016-10-14 | 2017-01-04 | 盛科网络(苏州)有限公司 | Encryption and deciphering chip and realization thereof are encrypted and the method for encryption |
| CN108494744A (en) * | 2018-03-07 | 2018-09-04 | 杭州迪普科技股份有限公司 | A kind of IPsec VPN clients message processing method and device |
| CN109862435A (en) * | 2018-11-16 | 2019-06-07 | 京信通信系统(中国)有限公司 | Monitoring method, device, computer storage medium and the equipment of live video |
| CN114175583A (en) * | 2019-07-29 | 2022-03-11 | 思科技术公司 | System resource management in self-healing networks |
| CN114175583B (en) * | 2019-07-29 | 2023-08-18 | 思科技术公司 | System resource management in self-healing networks |
| CN110351308A (en) * | 2019-08-20 | 2019-10-18 | 北京天融信网络安全技术有限公司 | A kind of Virtual Private Network communication means and Virtual Private Network equipment |
| CN110351308B (en) * | 2019-08-20 | 2021-12-31 | 北京天融信网络安全技术有限公司 | Virtual private network communication method and virtual private network device |
| CN110572415A (en) * | 2019-10-14 | 2019-12-13 | 迈普通信技术股份有限公司 | Safety protection method, equipment and system |
| CN113949661A (en) * | 2021-09-27 | 2022-01-18 | 网络通信与安全紫金山实验室 | Data forwarding method and device |
| CN113949661B (en) * | 2021-09-27 | 2024-04-02 | 网络通信与安全紫金山实验室 | Data forwarding method and device |
| CN114070626A (en) * | 2021-11-17 | 2022-02-18 | 青岛信大云谷信息科技有限公司 | Network security policy decision method combining edge calculation |
| CN114143050A (en) * | 2021-11-23 | 2022-03-04 | 广东电网有限责任公司 | Video data encryption system |
| CN114143050B (en) * | 2021-11-23 | 2023-09-08 | 广东电网有限责任公司 | Video data encryption system |
| CN114301735A (en) * | 2021-12-10 | 2022-04-08 | 北京天融信网络安全技术有限公司 | Method, system, terminal and storage medium for managing and controlling IPSEC tunnel data distribution on demand |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100594690C (en) | 2010-03-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101051891A (en) | Method and device for safety strategy uniformly treatment in safety gateway | |
| US7441262B2 (en) | Integrated VPN/firewall system | |
| CN102811169B (en) | Virtual private network (VPN) implementation method and system for performing multi-core parallel processing by using Hash algorithm | |
| JP3954385B2 (en) | System, device and method for rapid packet filtering and packet processing | |
| CN105763557B (en) | Exchange chip or NP cooperate with the method and system for completing message IPSEC encryption with CPU | |
| US20160171102A1 (en) | Runtime adaptable search processor | |
| US20050108518A1 (en) | Runtime adaptable security processor | |
| US20030058274A1 (en) | Interface device | |
| CN104767752A (en) | Distributed network isolating system and method | |
| US6983382B1 (en) | Method and circuit to accelerate secure socket layer (SSL) process | |
| CN1750538A (en) | Method for discovering and controlling of producing flow based on P2P high speed unloading software | |
| US11695837B2 (en) | Systems and methods for virtual multiplexed connections | |
| WO2005057851A1 (en) | Network communication security processor and data processing method | |
| CN103227742B (en) | A kind of method of ipsec tunnel fast processing message | |
| KR101275709B1 (en) | Packet processing system for network based data loss prevention capable of distributed processing depending on application protocol and method thereof | |
| CN101051987A (en) | Method and device for spreading network route to remote network using IPScc | |
| US20100265949A1 (en) | Methods, systems, and computer readable media for performing flow compilation packet processing | |
| CN114039795B (en) | Software defined router and data forwarding method based on same | |
| CN1291567C (en) | A high-performance multi-service network security processing equipment | |
| CN113453278B (en) | TCP packet segmentation packaging method based on 5G UPF and terminal | |
| CN113810397B (en) | Protocol data processing method and device | |
| CN1750533A (en) | Method for realizing safety coalition backup and switching | |
| CN1968264A (en) | Communication encryption method and system | |
| EP3890278B1 (en) | Data leakage prevention | |
| CN1856951A (en) | Method and apparatus of integrating link layer security into a physical layer transceiver |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee |
Owner name: WANGSHEN INFORMATION TECHNOLOGY (BEIJING) CO., LTD Free format text: FORMER NAME: WANGYUSHENZHOU TECH (BEIJING) CO., LTD. |
|
| CP01 | Change in the name or title of a patent holder |
Address after: 100085 Beijing city Haidian District Zone Development Road No. 7 Pioneer Building Patentee after: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. Address before: 100085 Beijing city Haidian District Zone Development Road No. 7 Pioneer Building Patentee before: LEGENDSEC TECHNOLOGY Co.,Ltd. |
|
| ASS | Succession or assignment of patent right |
Owner name: LEGENDSEC TECHNOLOGY (BEIJING) CO., LTD. Effective date: 20121224 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20121224 Address after: 100085 Beijing city Haidian District on the pioneering Road No. 7 building two layer 1 pioneer Patentee after: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. Patentee after: Legendsec Technology (Beijing) Co.,Ltd. Address before: 100085 Beijing city Haidian District Zone Development Road No. 7 Pioneer Building Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) INC. |
|
| DD01 | Delivery of document by public notice |
Addressee: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) INC. Document name: Notification of Passing Examination on Formalities |
|
| CP03 | Change of name, title or address |
Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd. Patentee after: Legendsec Technology (Beijing) Co.,Ltd. Address before: 100085, 7, Pioneer Road, Haidian District, Beijing, building two, 1 Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. Patentee before: Legendsec Technology (Beijing) Co.,Ltd. |
|
| CP03 | Change of name, title or address |