CN101277302A - Apparatus and method for safety centralized protection of distributed network equipment - Google Patents
- Publication number
- CN101277302A
- Authority
- CN
- China
- Prior art keywords
- data
- interface unit
- network equipment
- distributed network
- protection
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention discloses an apparatus and a method for centralized security protection of distributed network equipment. The apparatus comprises: at least one interface unit, which sends received data to a centralized protection unit for cleaning and then sends out the cleaned data; and a centralized protection unit, which cleans the data sent by the interface unit and returns the cleaned data to the corresponding interface unit. Because fewer resources are occupied in the interface unit, the protection capability of the apparatus is greatly improved; furthermore, all security policies of the apparatus are defined and managed together by the centralized protection unit, which gives good expandability; and only the version of the centralized protection unit needs to be upgraded, not the version of each interface unit.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to an apparatus and method for centralized security protection of distributed network equipment.
Background technology
With the development of Internet technology, network environments are increasingly complex and network attacks are increasingly frequent and varied: DoS (Denial of Service) attacks, phishing attacks, malicious web-page code, viruses, worms, Trojan horses, system vulnerabilities, spam and so on. Among these, DoS and DDoS (Distributed Denial of Service) attacks are particularly common and cause the most harm to network equipment. In a DoS attack, the attacker sends a large number of packets or malformed messages to the network equipment in a short time, continuously initiating connections or requesting responses, so that the equipment is overloaded and cannot process legitimate traffic; the result is interruption of the equipment's services or even paralysis of the equipment.
To counter network attacks, viruses and the like, network equipment must have reliable security precautions. The control data and management data that are sent up to and handled by the control core of the network equipment, for example data sent up to the CPU (Central Processing Unit) for processing, require an especially effective and robust security policy; otherwise an attack can paralyse the network equipment and bring the whole network down. Distributed network equipment usually adopts a security hardening scheme in which the security protection function is integrated into the interface units: the security policy of each interface unit (the unit responsible for service access) is built into that unit's own processing flow on the same board.
During the development of the present invention, the inventor found that the prior art has the following shortcomings:
In the prior art, the security protection function of the equipment is limited by the resource bottleneck of the interface unit and has poor expandability; every different type of interface unit needs its own design and development of the protection function according to its particular characteristics, so the workload and cost are high. In addition, because attack patterns such as viruses and Trojans change rapidly, the attack prevention methods of the network equipment must be updated accordingly. But an interface unit is mainly responsible for service access and carries a large number of service access features whose control and management flows usually do not change much, so the service version of an interface unit is normally relatively fixed. Upgrading the security precaution method of an interface unit therefore inevitably forces a version change of the whole interface unit, which may affect the normal operation of the equipment's existing services.
Summary of the invention
Embodiments of the invention provide an apparatus and method for centralized security protection of distributed network equipment, which solve problems of distributed network equipment such as tight interface unit resources and difficult upgrade and maintenance.
An embodiment of the invention provides an apparatus for centralized security protection of distributed network equipment, comprising:
at least one interface unit, for sending received data to a centralized protection unit for cleaning and sending out the cleaned data;
a centralized protection unit, for cleaning the data from the interface unit and sending the cleaned data back to the corresponding interface unit.
An embodiment of the invention provides a method for centralized security protection of distributed network equipment, comprising:
receiving data forwarded by at least one interface unit;
cleaning the data according to a security policy;
sending the cleaned data to the corresponding interface unit.
In embodiments of the invention, because the resources occupied in the interface unit are reduced, the protection capability of the equipment is greatly increased; in addition, the security policy of the equipment is defined and managed in a unified way in the centralized protection unit, giving good extensibility; and only the version of the centralized protection unit needs to be upgraded, while the version of each interface unit does not.
Description of drawings
Fig. 1 is a structural diagram of the apparatus for centralized security protection of distributed network equipment in embodiment one of the invention;
Fig. 2 is a structural diagram of the apparatus for centralized security protection of distributed network equipment in embodiment two of the invention;
Fig. 3 is a structural diagram of an interface unit in an embodiment of the invention;
Fig. 4 is a structural diagram of the centralized protection unit in an embodiment of the invention;
Fig. 5 is a flow chart of the method for centralized security protection of distributed network equipment in an embodiment of the invention.
Embodiment
Embodiment one of the invention provides an apparatus for centralized security protection of distributed network equipment, suitable for implementation on firewalls, routers, Ethernet switches and broadband access equipment, but not limited to these; it can also be used on other equipment. As shown in Fig. 1, the apparatus comprises at least one interface unit and a centralized protection unit.
The interface unit receives data, sends the data to the centralized protection unit for cleaning, and sends out the cleaned data.
The centralized protection unit, as the cleaning centre for the control and management data of the distributed network equipment, is responsible for the security protection of the network equipment itself: it cleans the data from the interface unit and sends the cleaned data back to the corresponding interface unit.
Further, the apparatus for centralized security protection of distributed network equipment provided by embodiment two of the invention may also comprise other units, as shown in Fig. 2:
The interface unit receives data, sends the data to the centralized protection unit for cleaning, and sends out the cleaned data. For ease of understanding, only two interface units are shown in the drawing; in practice a distributed network equipment may have many interface units.
The centralized protection unit, as the cleaning centre for the control and management data of the distributed network equipment, is responsible for the security protection of the network equipment itself: it cleans the data from the interface unit and sends the cleaned data back to the corresponding interface unit.
The main control unit performs all protocol control, forwarding control and equipment management for the distributed network equipment as a whole;
The switching matrix performs the internal data exchange of the centralized protection apparatus of the distributed network equipment.
Specifically, in this embodiment, the switching matrix exchanges data between the main control unit, the interface units and the centralized protection unit of the apparatus;
The interface unit, as shown in Fig. 3, comprises:
a redirection subunit 120, for sending the data received by the data receiving subunit to the centralized protection unit through the switching matrix;
a post-processing data receiving subunit 130, for receiving the data cleaned by the centralized protection unit;
The centralized protection unit, as shown in Fig. 4, comprises:
a receiving subunit 210, for receiving the data sent by the interface unit;
a sending subunit 230, for returning the cleaned data to the corresponding interface unit according to the data forwarding information.
In this embodiment, the data forwarding information comprises information such as the slot and port number of the interface unit from which the data came. When the centralized protection unit receives data sent by an interface unit, it records this information so that, after it has cleaned the data according to the security policy, it can send the data back to the correct interface unit.
Further, as shown in Fig. 5, the centralized protection unit also comprises:
In this embodiment, maintainability management comprises at least one of tracing to source, statistics, alarm and logging. Tracing to source means finding the source interface unit that sent the data; statistics means counting the discarded packets; alarm means raising an alarm when the number of discarded packets reaches a preset value; logging means recording the time at which packets were discarded.
An embodiment of the invention also provides a method for centralized security protection of distributed network equipment, as shown in Fig. 5, comprising:
501: an interface unit receives data and forwards the data to the centralized protection unit.
In this embodiment, the interface unit may forward the data to the centralized protection unit by redirection, by automatic forwarding of the data, by manually configuring the forwarding destination of the data, or by similar methods. Redirection means forwarding data that was destined for one destination to another destination.
502: after receiving the data from each interface unit, the centralized protection unit performs traffic cleaning according to the preset security policy. The security policy includes, but is not limited to, blacklist processing, whitelist processing, a CP-CAR policy (limiting the bandwidth of data sent up to the CPU for processing) and packet filtering.
If the centralized protection unit discards data according to the security policy, it is also responsible, as needed, for at least one of tracing to source, statistics, alarm and logging for the discarded data. In this embodiment, tracing to source means finding the source interface unit that sent the data; statistics means counting the discarded packets; alarm means that the centralized protection unit raises an alarm when the number of discarded packets reaches a preset value; logging means that the centralized protection unit records the time at which packets were discarded.
Blacklist processing is specifically: determine the domain names or IP addresses of known spam producers and their ISPs (Internet Service Providers), organize these domain names or IP addresses into a blacklist, and store the blacklist in the centralized protection unit, so that the centralized protection unit refuses to process, or discards, any data from an entry on the blacklist. Whitelist processing: data matching the features defined in the whitelist is sent preferentially to each interface unit. The CP-CAR policy classifies the data from the interface units, for example by message type, order of reception or sending source, and limits the bandwidth sent to the main control unit according to the class of the data, thereby ensuring the security of the system. Packet filtering filters the data from the interface units by a pre-configured ACL (Access Control List).
In an embodiment of the invention, after the data has been cleaned according to the security policy, maintainability management is performed on the discarded data, specifically: finding the interface unit that sent the discarded data; and/or counting the number of discarded packets; and/or raising an alarm when the number of discarded packets reaches a preset value; and/or recording the time at which data was discarded.
503: the centralized protection unit sends the cleaned, secure data flow back to the corresponding interface unit according to the forwarding information recorded when the data was received. In this embodiment, the data forwarding information comprises information such as the slot and port number of the interface unit.
504: after receiving the data forwarded by the centralized protection unit, the interface unit does not clean it again but sends it directly up to the main control unit for processing.
In embodiments of the invention, because the resources occupied in the interface unit are reduced, the protection capability of the equipment is greatly increased; in addition, the security policy of the equipment is defined and managed in a unified way in the centralized protection unit, giving good extensibility; and only the version of the centralized protection unit needs to be upgraded, while the version of each interface unit does not.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented by software together with the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, network equipment or the like) to perform the method described in each embodiment of the invention.
What is disclosed above is only several specific embodiments of the invention; the invention is not limited to these, and any variation that a person skilled in the art could conceive of should fall within the scope of protection of the invention.
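As an added illustration (not code from the patent or its applicant), the following Python model runs steps 501 to 504 above over constructed sample traffic: the interface unit redirects each packet together with its slot and port to the centralized protection unit, which applies the blacklist, ACL packet filter, whitelist and CP-CAR policies, performs the maintainability management (trace to source, statistics, alarm, log) on discards, and returns cleaned data to the recorded slot and port, after which the interface unit passes it on without a second cleaning. The policy order, the per-class byte budgets and the protocol names are assumptions of this example, not taken from the patent.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str     # source IP of the control/management packet (constructed sample values)
    proto: str   # protocol class used for CP-CAR classification, e.g. "bgp", "ssh"
    size: int    # bytes

@dataclass(frozen=True)
class ForwardingInfo:
    slot: int    # slot of the interface unit the data came from
    port: int    # port number on that interface unit

class CentralProtectionUnit:
    # Assumed model of the patent's centralized protection unit, not its own code.
    def __init__(self, blacklist, whitelist, acl, class_limits, alarm_threshold):
        self.blacklist = [ip_network(n) for n in blacklist]
        self.whitelist = [ip_network(n) for n in whitelist]
        self.acl = acl                    # {proto: "permit" | "deny"}; unknown protocols are denied
        self.class_limits = class_limits  # CP-CAR: bytes per class allowed toward the main control unit
        self.class_usage = Counter()
        self.alarm_threshold = alarm_threshold
        self.drop_count = 0               # statistics
        self.drop_sources = Counter()     # trace to source: (slot, port) -> drops
        self.drop_log = []                # log: (time, src, reason)
        self.alarms = []                  # alarm events: (time, drop_count)

    def _policy(self, pkt):
        """Assumed policy order: blacklist, ACL packet filter, whitelist, CP-CAR."""
        ip = ip_address(pkt.src)
        if any(ip in net for net in self.blacklist):
            return "drop", "blacklist"
        if self.acl.get(pkt.proto, "deny") != "permit":
            return "drop", "acl"
        if any(ip in net for net in self.whitelist):
            return "priority", None       # whitelisted data is sent on preferentially, not rate-limited
        if self.class_usage[pkt.proto] + pkt.size > self.class_limits.get(pkt.proto, 0):
            return "drop", "cp-car"       # class budget toward the main control unit exhausted
        self.class_usage[pkt.proto] += pkt.size
        return "pass", None

    def clean(self, pkt, fwd, now):
        # Step 502: clean one packet; the forwarding info recorded on receipt is handed back.
        verdict, reason = self._policy(pkt)
        if verdict == "drop":
            self.drop_count += 1
            self.drop_sources[(fwd.slot, fwd.port)] += 1
            self.drop_log.append((now, pkt.src, reason))
            if self.drop_count == self.alarm_threshold:   # alarm once the preset value is reached
                self.alarms.append((now, self.drop_count))
            return verdict, None
        return verdict, fwd

class InterfaceUnit:
    def __init__(self, slot, port, cpu):
        self.fwd = ForwardingInfo(slot, port)
        self.cpu = cpu
        self.to_main_control = []   # what the core processing subunit would hand to the main control unit

    def receive(self, pkt, now):
        verdict, fwd = self.cpu.clean(pkt, self.fwd, now)   # 501: redirect to the central unit
        if fwd is not None:                                 # 503: returned to the recorded slot/port
            assert fwd == self.fwd, "returned to the wrong interface unit"
            self.to_main_control.append((pkt, verdict))     # 504: no second cleaning here
        return verdict

def run_demo():
    cpu = CentralProtectionUnit(
        blacklist=["203.0.113.0/24"], whitelist=["192.0.2.10/32"],
        acl={"bgp": "permit", "ssh": "permit", "icmp": "permit"},
        class_limits={"bgp": 2000, "ssh": 1000, "icmp": 200}, alarm_threshold=3)
    iu = InterfaceUnit(slot=3, port=1, cpu=cpu)
    traffic = [  # constructed sample traffic using documentation address ranges
        Packet("203.0.113.5", "ssh", 100),     # blacklisted source -> drop
        Packet("192.0.2.10", "bgp", 800),      # whitelisted peer -> priority
        Packet("198.51.100.7", "telnet", 60),  # not permitted by the ACL -> drop
        Packet("198.51.100.7", "icmp", 150),   # within the icmp budget -> pass
        Packet("198.51.100.7", "icmp", 150),   # budget exhausted -> drop; third drop raises the alarm
        Packet("198.51.100.8", "bgp", 500),    # normal control traffic -> pass
    ]
    verdicts = [iu.receive(p, t) for t, p in enumerate(traffic)]
    return cpu, iu, verdicts
```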
Claims (12)
1. An apparatus for centralized security protection of distributed network equipment, characterized in that it comprises:
at least one interface unit, for sending received data to a centralized protection unit for cleaning and sending out the cleaned data;
a centralized protection unit, for cleaning the data from the interface unit and sending the cleaned data back to the corresponding interface unit.
2. The apparatus for centralized security protection of distributed network equipment according to claim 1, characterized in that the apparatus further comprises:
a main control unit, for performing all protocol control, forwarding control and equipment management of the equipment as a whole;
a switching matrix, for the internal data exchange of the centralized protection apparatus of the distributed network equipment.
3. The apparatus according to claim 2, characterized in that the switching matrix performing the internal data exchange of the centralized protection apparatus is specifically:
the switching matrix exchanges data between the main control unit, the interface unit and the centralized protection unit.
4. The apparatus according to claim 3, characterized in that the interface unit specifically comprises:
a data receiving subunit, for receiving data;
a redirection subunit, for sending the data received by the data receiving subunit to the centralized protection unit through the switching matrix;
a post-processing data receiving subunit, for receiving the data cleaned by the centralized protection unit;
a core processing subunit, for sending the cleaned data to the main control unit through the switching matrix.
5. The apparatus according to claim 3 or 4, characterized in that the centralized protection unit specifically comprises:
a receiving subunit, for receiving the data sent by the interface unit;
a cleaning subunit, for cleaning the data according to a security policy;
a sending subunit, for returning the cleaned data to the corresponding interface unit according to the data forwarding information.
6. The apparatus according to claim 5, characterized in that the centralized protection unit further comprises:
a maintainability subunit, for performing maintainability management on the discarded data after the cleaning subunit has cleaned the data according to the security policy.
7. A method for centralized security protection of distributed network equipment, characterized in that it comprises:
receiving data forwarded by at least one interface unit;
cleaning the data according to a security policy;
sending the cleaned data to the corresponding interface unit.
8. The method according to claim 7, characterized in that sending the cleaned data to the corresponding interface unit specifically comprises:
returning the cleaned data to the corresponding interface unit according to the data forwarding information.
9. The method according to claim 8, characterized in that the forwarding information comprises the slot and port number of the interface unit recorded when the data was received.
10. The method according to claim 7, characterized in that the security policy comprises: a CP-CAR policy, a blacklist policy, a whitelist policy or packet filtering.
11. The method according to claim 10, characterized in that, after the data has been cleaned according to the security policy, maintainability management is performed on the discarded data.
12. The method according to claim 11, characterized in that performing maintainability management on the discarded data is specifically:
finding the interface unit that sent the discarded data; and/or
counting the number of discarded packets; and/or
raising an alarm when the number of discarded packets reaches a preset value; and/or
recording the time at which data was discarded.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008100972192A CN101277302A (en) | 2008-05-06 | 2008-05-06 | Apparatus and method for safety centralized protection of distributed network equipment |
PCT/CN2009/071611 WO2009135427A1 (en) | 2008-05-06 | 2009-04-30 | Device and method of centralized protection of equipment safety in distributed network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008100972192A CN101277302A (en) | 2008-05-06 | 2008-05-06 | Apparatus and method for safety centralized protection of distributed network equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101277302A true CN101277302A (en) | 2008-10-01 |
Family
ID=39996314
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008100972192A Pending CN101277302A (en) | 2008-05-06 | 2008-05-06 | Apparatus and method for safety centralized protection of distributed network equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101277302A (en) |
WO (1) | WO2009135427A1 (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1863211A (en) * | 2006-03-23 | 2006-11-15 | 华为技术有限公司 | Content filtering system and method thereof |
CN101064878A (en) * | 2006-04-24 | 2007-10-31 | 华为技术有限公司 | Mobile terminal for realizing content filtering, system, network entity and method |
CN101150583A (en) * | 2007-10-23 | 2008-03-26 | 华为技术有限公司 | Anti-virus method and device for terminal device |
CN101277302A (en) * | 2008-05-06 | 2008-10-01 | 华为技术有限公司 | Apparatus and method for safety centralized protection of distributed network equipment |
Timeline
- 2008-05-06 CN CNA2008100972192A patent/CN101277302A/en active Pending
- 2009-04-30 WO PCT/CN2009/071611 patent/WO2009135427A1/en active Application Filing
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009135427A1 (en) * | 2008-05-06 | 2009-11-12 | 华为技术有限公司 | Device and method of centralized protection of equipment safety in distributed network |
CN102137072B (en) * | 2010-01-27 | 2016-07-06 | 中兴通讯股份有限公司 | The method and system of protecting network attack |
CN102143143A (en) * | 2010-10-15 | 2011-08-03 | 华为数字技术有限公司 | Method and device for defending network attack, and router |
CN102143143B (en) * | 2010-10-15 | 2014-11-05 | 北京华为数字技术有限公司 | Method and device for defending network attack, and router |
CN103561001A (en) * | 2013-10-21 | 2014-02-05 | 华为技术有限公司 | Safety protection method and routing device |
CN107302395A (en) * | 2017-06-21 | 2017-10-27 | 北京船舶通信导航有限公司 | Marine satellite juncture station secure communication management-control method and system |
Also Published As
Publication number | Publication date |
---|---|
WO2009135427A1 (en) | 2009-11-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C12 | Rejection of a patent application after its publication | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20081001 |