CN101771619B - Network system for realizing integrated security services - Google Patents

Network system for realizing integrated security services

Info

Publication number: CN101771619B
Authority: CN (China)
Prior art keywords: network, service, control, business, qos
Legal status: Active
Application number: CN201010125028XA
Other languages: Chinese (zh)
Other versions: CN101771619A
Inventors: 王文胜, 周俊, 王强
Current assignee: CETC 30 Research Institute
Original assignee: CETC 30 Research Institute
Application filed by CETC 30 Research Institute; priority to CN201010125028XA; published as CN101771619A; application granted and published as CN101771619B.

Abstract

The invention discloses a network system for realizing integrated security services. It comprises classified isolation of data transmission; security, confidentiality and QoS (quality of service) guarantees for application services; integrated security protection of the network system; and network management. The network system integrates the design of data transmission, security protection and application services, and thereby constructs an efficient, secure network platform with QoS guarantees that can carry many types of services. Integrated network security applies security protection measures in every aspect of network communication and makes those measures cooperate with and support one another, so as to guarantee both security and communication efficiency; integrated network services support voice, video, data and other services and guarantee the security and QoS of each type of service.

Description

Network system for realizing integrated security services
Technical field
The present invention relates to a network system for realizing integrated security services.
Background technology
With the continuous development of the information society, people's communication needs have evolved from simple voice or data communication to interactive multimedia communication, and network systems have evolved from separate systems for each service towards integrated networks carrying voice, video and data in a unified way. In recent years IP technology has developed rapidly, and building integrated networks around IP has become the consensus of the industry. However, problems such as the security and QoS of general-purpose IP networks have restricted the rapid development of integrated networks.
IP networks have the following security problems:
The IP protocol was originally designed to follow the principles of openness and equality; little consideration was given to network security, so the existing IP protocol architecture contains many latent security hazards. These security problems arise mainly from the design, management, planning and application of IP technology. As far as IP technology itself is concerned, the following points affect network security:
1) The network treats the management information, control signaling and business data it carries on an equal footing, and there is no clear boundary between the user and the network interface, so they affect one another. Normal network operation is easily affected and interfered with by user behaviour, and can even be controlled by users.
2) IP addresses of users and IP addresses of the network itself are not distinguished. Any user terminal can send IP packets directly to any device in the network, which makes it possible for user terminals to attack network equipment.
3) Users access the network freely, and there is no effective source address check. A user terminal can launch flooding attacks or spoofing attacks on the network by forging its source address, and these cannot be traced.
4) User services lack control and cannot be supervised, which leads to uncontrolled illegal use and proliferation.
5) IP packets are transmitted in plaintext, so information is easily eavesdropped on, tampered with or forged; the IP header carries complete source and destination address information, which is easily exploited and analysed illegitimately.
In traditional IP networks, network and service security is generally improved by stacking various security and confidentiality devices: security devices such as network isolation, firewalls, authentication services, intrusion detection and vulnerability scanning, and encryption devices at the link layer, network layer and application layer. A security protection system built by stacking in this way improves network and service security to some extent, but it also has several problems:
Network performance is limited: the stacked security and confidentiality devices generate additional transmission and management overhead in the network, occupy part of the bandwidth resources and increase the forwarding delay of business data, which significantly affects communication performance. Moreover, compared with network switching equipment, security and confidentiality devices generally have lower packet forwarding rates and lack corresponding queue scheduling mechanisms, so the switching and forwarding performance of the network cannot be fully exploited, communication performance bottlenecks easily arise, and the QoS of services is difficult to guarantee.
Devices have difficulty working in coordination: each security and confidentiality device works alone in the network, providing its own security function at a different layer. Because there is no integrated security architecture, security gaps form between the devices. For example, security measures at the physical and link layers (such as single-channel link encryptors) cannot solve address spoofing at the network layer; security measures at the network layer (such as firewalls) cannot recognise and filter malicious data at the application layer; and application-layer security measures are powerless against attacks on the underlying infrastructure. At the same time, the network switching equipment and the security devices lack the necessary contact with each other, influence each other and cannot work in coordination. Security gaps also exist at the interconnection interfaces through external cables, which bring hidden dangers to network security.
Security protection is incomplete: the security measures or policies of each device differ in function and positioning, and their completeness and complexity vary. On the one hand this causes some security functions to overlap, reducing communication efficiency; on the other hand the security policies of the devices are hard to keep consistent, and mutually exclusive or omitted policies easily cause abnormal network services or security vulnerabilities. Under the traditional IP protocol system, security measures are difficult to integrate effectively into every layer of the network, and the whole process of service communication cannot be monitored for security. In addition, communication between devices uses general-purpose network protocols, so their inherent security problems remain, and the devices' own security protection capability is weak.
Device categories are numerous, deployment and management methods differ, and network operation and maintenance are difficult: the variety of security and confidentiality devices with different functions not only reduces the reliability of network operation but also consumes a great deal of funding. Security and confidentiality devices need to be deployed and planned according to different application environments; the configuration and state management of the various devices, as well as key management and distribution, are each handled separately; and policy configuration and operation and maintenance are very complex, requiring network planning and maintenance personnel to have a high level of professional skill. Faced with continuously expanding application services and endless emerging security threats, policies have to be revised or devices upgraded continually, and the sustainable development and functional expansion of the network are restricted.
The NGN/IMS architecture can provide multi-service applications and flexible, convenient application extension, and has become the basis for fixed and mobile network convergence. The NGN/IMS architecture adopts a horizontal structure in which service, control and bearer are fully separated; it has characteristics such as centralised user attributes and access independence, supports user mobility, and provides flexible, open standard service interfaces for IP multimedia services. However, some problems in this architecture remain to be solved at present:
1) QoS of the bearer layer: within IP QoS technology itself, the IntServ and DiffServ service models provide technical support for QoS at different levels. The development and application of MPLS technology provides an effective way to solve the IP QoS problem thoroughly. Yet IP networks are still mainly data-oriented at present; because of their large scale, heterogeneous systems and differing standards, the various QoS technologies are difficult to implement effectively in IP networks and cannot deliver their designed performance, so real-time services such as voice and video never obtain satisfactory QoS. In addition, the NGN control layer lacks the necessary unified control over the bearer layer, so the QoS provided by different bearer networks for a service is inconsistent.
2) Security: NGN mainly uses IP networks as its bearer network, so the inherent security problems of IP networks are present; in particular, the security of the control layer has a large influence on communication services. The security measures addressed in the current NGN architecture are far from sufficient, and the security of the control layer needs to be solved systematically.
3) End-to-end connectivity: the convergence of multiple services brings different terminals into the network. Because terminal identifiers in the network differ (telephone terminals use telephone numbers, data terminals use IP addresses, and some terminals even use user numbers as identifiers), how to establish sessions between different terminals and achieve interconnection becomes the first problem to be solved. NAT at the edge between the user network and the public network, and user mobility, make end-to-end connection even more complicated. A unified session connection control mechanism is therefore needed to realise end-to-end connection and to map terminal identifiers to network addresses, completing routing and addressing through a unified translation mechanism.
4) Network interconnection and interworking: since NGN technology is still developing, the protocols themselves also need continual improvement and supplementation according to service demand. Protocols with identical or similar functions have not yet been unified, and compatibility problems between protocols leave network interconnection defective.
5) Network and service management: as services and user volumes grow, network management becomes increasingly complex; besides performance, configuration, fault and accounting management, management mechanisms such as unified network security and QoS are also required. Management of users' service bandwidth, service QoS, service functions and service security levels also needs strengthening.
Summary of the invention
To overcome the above shortcomings of the prior art, the invention provides a network system for realizing integrated security services which, through the integrated design of network security and network services, constructs a secure, QoS-guaranteed network platform capable of carrying multiple services.
The technical solution of the invention is: a network system for realizing integrated security services comprises an information classification isolation system, an integrated service system, a service quality guarantee system, a comprehensive security protection system and an integrated network management system;
The information classification isolation system provides independent route switching for the various kinds of information in the network; at each link, namely user access, route switching, relay transmission, QoS guarantee and security and confidentiality, business data, signaling messages and network management information are processed by class, so that business, control and management information are isolated by class within the network; the classified and isolated information has independent bandwidth resources, independent route switching and independent QoS protection measures in the network; and there are relatively independent transmission channels between terminals and switching nodes and between switching nodes;
The integrated service system adopts a secure session connection protocol and realizes a service admission control function, a service transmission channel establishment control function, an address relationship mapping function, a key distribution bearing function, a QoS admission control function and a security protection function;
The service quality guarantee system provides connection-oriented end-to-end service; applies differentiated services to the data of the business, control and management layers; performs traffic policing on the data flows in the network; dynamically finds optimal paths that satisfy QoS requirements through QoS routing, realizing traffic engineering; and performs admission control on the session connections of services through QoS admission control;
The comprehensive security protection system comprises information classification isolation, network boundary protection, application service access control and data encryption protection measures. Information classification isolation means that the attributes of the network's user ports, network trunk ports and management ports are distinguished; a user terminal accesses from a user port, its signaling messages and management information can only be forwarded to the connection controller and OAM agent of the access node, and its business data can only be switched and forwarded in the service layer; the network switching equipment performs independent route switching for business, control and management data, trunks establish independent transmission channels for business, control and management data respectively, and the channels do not interfere with one another. Network boundary protection means that the legitimacy of a user terminal's access is verified through the user security access protocol, and the transmission link for user business data is established in real time under the connection control of the control layer and torn down when the service ends. Application service access control means that during session connection the connection control of the control layer verifies the authenticity of the signaling and, under session connection control, establishes an end-to-end transmission channel for the business data;
The integrated network management system adopts hierarchical control, level-by-level aggregation and centralised management, realizing decentralised management by region.
Compared with the prior art, the beneficial effect of the invention is that, through the integrated design of network security and network services, it constructs a secure, trusted network platform for diversified services.
Integrated network security integrates security protection measures into every layer of network communication so that they cooperate with and support one another, guaranteeing both security and communication efficiency. It is mainly reflected in the following: information classification isolation keeps business, control and management information isolated from one another, and each kind of information has independent route switching, transmission bandwidth, QoS guarantees and security measures in the network, which effectively guarantees the security of the network system itself; secure user access authenticates terminal equipment, performs address translation, and applies integrity and anti-replay protection to business data, which effectively improves the security protection capability of the network boundary; secure node interconnection authenticates the legitimacy of interconnected nodes and applies integrity and anti-replay protection to data between nodes, which effectively prevents illegitimate nodes from accessing the network; service access control authenticates user identity and authority and controls session connections, service types and traffic at the network entrance, which effectively prevents illegitimate data from entering the network.
Integrated network services support integrated voice, video and data services and guarantee the QoS of each type of service. Under unified service session control, the network provides three kinds of bearer service: connection-oriented service with QoS guarantees, suitable for real-time services; connection-oriented service without QoS guarantees, suitable for services such as instant messaging and P2P; and best-effort service, suitable for ordinary data services. Through information classification isolation the network provides a relatively independent network environment for each type of service, services are isolated from one another, and QoS guarantees suited to the characteristics of each type of data are provided. Service session control assigns address mapping relationships which, in cooperation with network route switching, achieve address separation; this improves network and service security on the one hand and supports applications such as mobility and multicast on the other.
Embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may, unless specifically stated otherwise, be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
An integrated network security service system should satisfy users' demands for application services and for security and confidentiality, guarantee the service quality of communication services, and guarantee the security of the network system. It comprises five basic technical systems: classified isolation networking, integrated services, service quality guarantee, comprehensive security protection and integrated network management. The classified isolation networking technical system provides relatively independent route switching and transmission services for business, control and management information; the integrated service technical system realizes session connection control for services, provides multiple application services and has the capability to extend application services; the service quality guarantee system provides good communication quality guarantees for real-time services such as voice and video through the integrated use of multiple measures, improving the service performance of the whole system; the comprehensive security protection technical system is integrated into every layer of services, network and management, with the security measures interrelated and coordinated, guaranteeing the security of services and the network; and the integrated network management technical system is responsible for comprehensive, unified and effective management of the network, equipment and services.
1) Classified isolation networking technical system
Combining the technical advantages of IP and MPLS, it realizes large-capacity, high-bandwidth packet route switching to support integrated voice, video and data services. At the same time, to guarantee network security and service quality, the system processes business data, signaling messages and network management information by class at each link (user access, route switching, relay transmission, QoS guarantee, security and confidentiality), realizing classified isolation of business, control and management information in the network. The classified and isolated information has independent bandwidth resources, independent route switching and independent QoS protection measures in the network; there are independent transmission channels between terminals and switching nodes and between switching nodes, so each kind of data takes its own path without mutual interference. A relatively independent network environment is constructed for different service systems: on the unified network foundation platform, the service layer can be further divided into several service sublayers, forming several independent subnets of different scales and topologies. Application services in different subnets can be independent and non-interfering, or can interwork under controlled conditions. For example, a real-time service subnet carries real-time services such as voice and video; data service subnet A carries point-to-point computer communication services; data service subnet B carries web browsing services, and so on. The system establishes an independent transmission channel for each subnet, allocates independent address and bandwidth resources, and performs independent route switching and QoS guarantees.
2) Integrated service technical system
With reference to the NGN architecture model and following the design philosophy of separating service, control and bearer, it provides integrated voice, video and data service capabilities and supports mobile access and multicast services:
The control layer mainly performs session connection control, realizing basic call and session connection functions; the service layer mainly provides services such as applications, authentication, policy and database; the access sublayer of the transport layer mainly realizes access for broadband users such as multimedia terminals, LANs, broadband dial-up and broadband wireless access, as well as access for the telephone network and mobile networks; the bearer sublayer of the transport layer provides independent bearer services for signaling and business data. The integrated service technical system makes services independent of the network, creating an environment for quickly, flexibly and effectively providing new services in the future.
Connection control is the core function of the integrated service system and mainly performs the following functions:
Session connection control function: performs the basic and enhanced session connection procedures.
Number or address resolution function: resolves the telephone number or other address information of a user's call, performs route analysis, and finds the called node or redirects according to the number.
Interworking function: performs conversion and procedure control for the signaling or protocols of existing networks through the signaling gateway (SGW).
Media gateway control: responsible for controlling the link state, time-slot resource allocation, connection functions and the like of the media gateway, and for controlling the user signaling and business transmission and reception of terminals accessing through the media gateway.
Protocol (signaling) adaptation function: responsible for adapting and transmitting existing network protocols.
Service management: records service usage, including user numbers or addresses, call duration, failure causes and so on, and provides the relevant data for service management to the network management system.
The integrated network security service architecture performs unified session connection control for all types of services. In packet networks call control is generally realized with the SIP protocol. SIP is simple and flexible, highly extensible, has terminal discovery and online detection capabilities, supports mobility and multicast, has been designated as the control protocol of third-generation networks and is very widely used. To realize integrated network security and network services, the system draws on the basic design philosophy and procedures of SIP and, combined with the extension requirements of the control-layer functions, optimises and supplements SIP and incorporates security design, forming a dedicated secure session connection protocol (abbreviated SCLP). Its contents include:
(1) Service admission control function: session control authenticates the legitimacy of both communicating parties and controls the network entrance to open or close the transmission channel and route switching service for the service.
(2) Service transmission channel establishment control function: session control establishes the transmission channel carrying business data for the network application. According to the QoS demand of the service, there are three basic types of path: a path with connection and QoS guarantee, suitable for real-time services; a path with connection but no QoS guarantee, suitable for services such as instant messaging and P2P; and a connectionless, best-effort path, suitable for ordinary data services. In addition, according to the QoS demand of the service, transmission channels with QoS characteristics such as minimum delay, maximum bandwidth or minimum overhead can also be established for the application.
(3) Address relationship mapping function: during session connection, the mapping relationships between terminal identifiers, user identifiers and service identifiers on the one hand and network addresses on the other are determined and provided to the user port for address translation, realizing address separation. At each session connection a network address can be automatically allocated to the user port for routing and addressing, and it becomes invalid after the service ends.
(4) Key distribution bearing function: the session control signaling can carry key distribution protocol data, so that key distribution is completed during session establishment, reducing the session establishment time of secure services and improving the efficiency and security of key distribution.
(5) QoS admission control function: admits services according to the current network resource situation and the QoS demand of the service, and executes the relevant QoS policies, such as resource preemption control for high-priority users.
(6) Security protection function: verifies the legitimacy of call connection protocol messages, guaranteeing the security of the control layer.
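The SCLP functions above are given only in prose. The Python model below is an added illustration, not code from the patent or from CETC, and shows how functions (1), (2), (3) and (5) interact in one control-layer session controller: both parties must be authenticated terminals, the path type follows the service's QoS demand, a bandwidth reservation is admitted only for guaranteed paths that fit the link, and each user port receives a network address that exists only for the lifetime of the session. The service classes, the terminal identifiers, the address pool and the bandwidth figures are constructed assumptions; the page does not specify SCLP's message format.

```python
from dataclasses import dataclass
from enum import Enum
import itertools


class PathType(Enum):
    CONNECTED_QOS = "connection with QoS guarantee"    # real-time services
    CONNECTED = "connection without QoS guarantee"     # instant messaging, P2P
    BEST_EFFORT = "connectionless best effort"         # ordinary data services


# Assumed classification of service names into the three path types.
REAL_TIME = {"voice", "video"}
CONNECTED_ONLY = {"im", "p2p"}


@dataclass
class Session:
    session_id: int
    caller: str
    callee: str
    path: PathType
    reserved_kbps: int
    addr_map: dict          # terminal identifier -> per-session network address


class SessionController:
    """Toy control-layer session controller covering SCLP functions 1, 2, 3 and 5."""

    def __init__(self, registered, link_capacity_kbps, address_pool):
        self.registered = set(registered)      # terminals that passed access authentication
        self.capacity = link_capacity_kbps
        self.reserved = 0                      # bandwidth committed to guaranteed paths
        self.pool = list(address_pool)         # free network addresses for user ports
        self.sessions = {}
        self._ids = itertools.count(1)

    @staticmethod
    def choose_path(service):
        """(2) Select the transmission path type from the service's QoS demand."""
        if service in REAL_TIME:
            return PathType.CONNECTED_QOS
        if service in CONNECTED_ONLY:
            return PathType.CONNECTED
        return PathType.BEST_EFFORT

    def setup(self, caller, callee, service, bandwidth_kbps=0):
        """Return a Session, or None when admission is refused."""
        # (1) Service admission: both communicating parties must be legitimate.
        if caller not in self.registered or callee not in self.registered:
            return None
        path = self.choose_path(service)
        # (5) QoS admission: only guaranteed paths reserve bandwidth, and the
        # reservation must fit within what the link still has available.
        need = bandwidth_kbps if path is PathType.CONNECTED_QOS else 0
        if self.reserved + need > self.capacity:
            return None
        if len(self.pool) < 2:
            return None
        # (3) Address mapping: a network address is allocated to each user port
        # for this session only; the terminal identifier itself is never used
        # as a routable address inside the network.
        addr_map = {caller: self.pool.pop(0), callee: self.pool.pop(0)}
        self.reserved += need
        session = Session(next(self._ids), caller, callee, path, need, addr_map)
        self.sessions[session.session_id] = session
        return session

    def teardown(self, session_id):
        """End the service: release bandwidth and invalidate the address mapping."""
        session = self.sessions.pop(session_id)
        self.reserved -= session.reserved_kbps
        self.pool.extend(session.addr_map.values())
        return session

    def lookup(self, terminal_id):
        """The translation a user port performs for a live session, or None."""
        for session in self.sessions.values():
            if terminal_id in session.addr_map:
                return session.addr_map[terminal_id]
        return None
```

A session refused by `setup` returns `None` without touching the address pool or the reservation counter, so a rejected request leaves no state behind; a real controller would additionally log the refusal reason for the network management system.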
3) Service quality guarantee technical system
Under the integrated network security service architecture, through information classification isolation the network carries different services on independent switched transmission channels. According to the QoS demand of the service, multiple QoS technologies can be used together on each channel to provide effective service quality guarantees, and through uniformly planned QoS policies the various service quality guarantee measures cooperate and operate effectively.
Connection-oriented end-to-end service is the primary condition for guaranteeing the QoS of real-time services. The system establishes a connection-oriented, quality-guaranteed end-to-end transmission channel for the communicating parties. Business data flows are switched and transmitted on this path, which guarantees that the business data flow arrives in order with relatively stable transmission characteristics.
Classified differentiated services apply differentiated services separately to the data of the business, control and management layers. Each layer can apply differentiated services independently according to data characteristics such as message category, data type and priority. Through corresponding queue scheduling algorithms, each kind of data flow occupies system resources according to prior arrangement.
To guarantee that the data flows actually carried by the network conform to the previously agreed resource allocation, and to prevent abnormal traffic from consuming network resources, the system monitors and limits the data flows in the network. Traffic policing discards excess traffic through configured policies, guaranteeing that high-priority business data flows such as voice and video are forwarded and processed normally.
QoS routing is an essential condition for realizing QoS guarantees and improving the overall service performance of the network. QoS routing dynamically finds optimal paths that satisfy QoS requirements according to the usage of network resources. QoS routing provides the routing basis for traffic engineering, so that service traffic is reasonably distributed in the network, reducing the probability of network congestion, enhancing network throughput and improving network resource utilisation.
Resource statistics and allocation realize rational and effective control and use of system resources through QoS measurement and statistics. The objects of QoS measurement and statistics include traffic, error rate, packet loss rate and abnormal messages. Various QoS parameters are generated from the measurements and statistics to realize control of system resources.
QoS admission control admits the session connections of services according to the current network resource situation and the QoS demand of the service, preventing service traffic beyond the bearing capacity from entering the network. The system focuses mainly on the integrated use of these technologies; through unified design and unified management, the QoS technologies are turned into an end-to-end transmission platform for services that satisfies the QoS requirements.
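The traffic policing and QoS statistics paragraphs above name the goal (discard excess traffic so that voice and video are forwarded normally, and measure loss per class) without naming an algorithm. The following Python is an added example, not code from the patent or from CETC: it polices each information class with a token bucket sized to its contracted rate and burst, and derives the per-class packet loss statistics that the text lists as inputs to resource control. The class contracts and the one-second packet trace are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_bytes_per_s: float   # contracted rate: tokens (bytes) added per second
    burst_bytes: float        # bucket depth: largest burst that still conforms
    tokens: float             # current fill
    last_t: float = 0.0

    def conform(self, t, size):
        """Refill for the elapsed time, then accept the packet only if it fits."""
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


# Assumed per-class contracts (rate in bytes/s, burst in bytes): a 64 kbit/s
# voice channel and a 160 kbit/s data channel.
CONTRACTS = {"voice": (8000, 400), "data": (20000, 1500)}


def police(trace, contracts=CONTRACTS):
    """Run a trace of (time_s, class, size_bytes) through one bucket per class
    and return the QoS statistics: offered, forwarded and dropped packets."""
    buckets = {cls: TokenBucket(rate, burst, tokens=burst)
               for cls, (rate, burst) in contracts.items()}
    stats = {cls: {"offered": 0, "forwarded": 0, "dropped": 0} for cls in contracts}
    for t, cls, size in sorted(trace):
        stats[cls]["offered"] += 1
        if buckets[cls].conform(t, size):
            stats[cls]["forwarded"] += 1
        else:
            stats[cls]["dropped"] += 1      # excess traffic is discarded
    return stats


def loss_rate(stats, cls):
    """Packet loss rate for one class, one of the QoS parameters the text names."""
    s = stats[cls]
    return s["dropped"] / s["offered"] if s["offered"] else 0.0


def sample_trace():
    """Constructed one-second trace: a conforming voice flow (160-byte packets
    every 20 ms = 8000 bytes/s) and a data burst of ten 1500-byte packets
    10 ms apart (150 000 bytes/s, far above the 20 000 bytes/s contract)."""
    voice = [(i * 0.02, "voice", 160) for i in range(50)]
    data = [(i * 0.01, "data", 1500) for i in range(10)]
    return voice + data


if __name__ == "__main__":
    stats = police(sample_trace())
    for cls in stats:
        print(cls, stats[cls], "loss rate %.2f" % loss_rate(stats, cls))
```

Because each class owns its bucket, the data burst exhausts only the data contract: the voice flow keeps its full forwarding rate, which is the isolation property the text asks of traffic policing.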
4) Comprehensive security protection technical system
The integrated network security service architecture solves network security problems systematically. Security and confidentiality measures are effectively integrated into every device and every layer of the network and closely cooperate with one another, so as to strengthen security protection performance, improve network resource utilisation, guarantee QoS and realize unified control and management. The comprehensive security protection system mainly comprises information classification isolation, network boundary protection, application service access control and data encryption protection:
(1) Information classification isolation
The attributes of the network's user ports, network trunk ports and management ports are strictly distinguished. A user terminal accesses from a user port; its signaling messages and management information can only be forwarded to the connection controller and OAM agent of the access node, and its business data can only be switched and forwarded in the service layer. A user terminal cannot access equipment or addresses of other layers in the network. The network switching equipment performs independent route switching for business, control and management data, without mutual interference. Independent transmission channels are established on the trunks for business, control and management data respectively; each channel has independent bandwidth resources, and the channels are isolated from one another.
(2) Network boundary protection
The network boundary is the focus of the system security protection design; it is realized through the User Security Access Protocol (abbreviated: the USAP protocol). The USAP protocol is responsible for authenticating the legitimacy of user terminal access and rejects access by illegitimate terminals. The authentication process is maintained periodically.
The USAP protocol isolates the service, signaling and management data transmission links on the subscriber line, and these correspond to the transmission channels on the network trunks. The transmission link for user service data is set up in real time under the connection control of the control layer and is removed after the service ends. Data carried on the subscriber line is encapsulated by the USAP protocol, which gives it integrity and anti-replay protection, so that attack messages cannot be inserted from the subscriber line.
The USAP protocol separates the terminal identity from the network address. The address of a user terminal in the network (that is, the routing address of the user port of the switching equipment) appears only inside the network and is allocated automatically by the network for each communication. USAP establishes and maintains the binding among the current service, the terminal identity and the network address, and the switching equipment is responsible for converting between the terminal identity and the network address according to this binding. Because the network is transparent to the user, the security of the network boundary is effectively guaranteed.
Security between network nodes is realized through the Node Security Interconnection Protocol (abbreviated: the NSIP protocol). Interconnection between nodes must pass legitimacy authentication, and illegitimate nodes are refused access. At the same time, data carried on the trunk is encapsulated by the NSIP protocol, which provides integrity and anti-replay protection.
(3) Application service access control
Application services are subject to session connection control: the network refuses to carry service data for which the call connection has not been completed. During the session connection process, the connection control of the control layer verifies the authenticity of signaling, preventing signaling attacks by illegitimate terminals or nodes. To guarantee service security, the system sets up an end-to-end transmission channel for service data under session connection control; the path through the network can be selected by the source node according to the QoS characteristics of the links, or it can be a specified route or policy route configured through network management. The user's service data is transmitted, switched and forwarded on this transmission channel, and data outside the transmission channel is refused entry.
(4) Data encryption protection
Encryption protection of service data and system information is an important means of guaranteeing service and network security. User service data is encrypted end to end over the whole path, and the plaintext is never exposed inside the network during transmission, which guarantees the confidentiality of the communication service. All data on the trunk is encrypted: service data receives an additional layer of encryption, which strengthens the encryption strength of the service, and signaling between nodes and network protocol messages are also encrypted, which strengthens the security protection capability of the network system.
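The port policy, per-session address binding and QoS admission control described in sections (1) to (3) above, as an added toy model that is not the patent's own code. The names AccessNode, Packet and Plane, the string element names and the bandwidth figures are all assumptions made for the example.

```python
"""Added example (not from the patent): an access node that enforces the
plane separation, session admission and address binding described above."""
from dataclasses import dataclass
from enum import Enum
import itertools


class Plane(Enum):
    SERVICE = "service"      # business data
    CONTROL = "control"      # signaling messages
    MGMT = "management"      # network management information


@dataclass
class Packet:
    plane: Plane
    src_id: str   # terminal identity; the terminal never sees a network address
    dst_id: str


class AccessNode:
    """Assumed model: signaling and management from a user port reach only the
    connection controller / OAM agent; service data is carried only on a
    channel set up under session connection control."""

    def __init__(self, capacity):
        self.capacity = capacity       # bandwidth available for admitted sessions
        self.used = 0
        self.channels = {}             # (src_id, dst_id) -> (src_addr, dst_addr, bw)
        self._addr = itertools.count(1)

    def admit(self, src_id, dst_id, required_bw):
        """QoS admission control: refuse a session that exceeds remaining capacity.
        On success the network allocates per-session addresses (address separation)."""
        if self.used + required_bw > self.capacity:
            return None
        self.used += required_bw
        binding = (f"net-{next(self._addr)}", f"net-{next(self._addr)}", required_bw)
        self.channels[(src_id, dst_id)] = binding
        return binding

    def release(self, src_id, dst_id):
        """Tear down the channel after the service ends and free its bandwidth."""
        binding = self.channels.pop((src_id, dst_id), None)
        if binding:
            self.used -= binding[2]
        return binding is not None

    def forward(self, pkt):
        """Return the element the packet is delivered to, or None if refused."""
        if pkt.plane is Plane.CONTROL:
            return "connection-controller"
        if pkt.plane is Plane.MGMT:
            return "oam-agent"
        binding = self.channels.get((pkt.src_id, pkt.dst_id))
        return None if binding is None else binding[1]   # data outside a channel is refused
```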
5) Integrated network management technical system
The NMS realizes unified management of the network, equipment, services and users, using hierarchical control, level-by-level aggregation and centralized control, and realizes decentralized management by region. The NMS comprises subsystems such as network resource management, application service management and user attribute management, and provides management functions such as configuration management, fault management, performance management, topology management, service management, security management and QoS management.
The present invention is not limited to the embodiment described above. The present invention extends to any new feature or any new combination of features disclosed in this specification, and to any new method or process step, or any new combination of steps, disclosed herein.

Claims (1)

1. A network system for realizing integrated security services, characterized in that it comprises an information classification isolation system, an integrated service system, a quality of service guarantee system, a comprehensive security protection system and an integrated network management system;
said information classification isolation system provides independent routing and switching for the various kinds of information in the network; in user access, routing and switching, relay transmission, QoS assurance and each security and confidentiality link, service data, signaling messages and network management information are processed by class, realizing the classified isolation of service, control and management information in the network; the classified and isolated information data have independent bandwidth resources, independent routing and switching and independent QoS protection measures in the network; and there are relatively independent transmission channels between terminals and switching nodes and between switching nodes;
said integrated service system adopts a secure session connection protocol and realizes a service admission control function, a service transmission channel establishment control function, an address relationship mapping function, a key distribution bearing function, a QoS admission control function and a security protection function; wherein said address relationship mapping function means that, during the session connection process, the mapping relationship among the terminal identity, the ID and the service identity and the network address is determined and provided to the user port for address conversion, thereby realizing address separation;
said quality of service guarantee system provides connection-oriented end-to-end services; applies differentiated services to the data of the service, control and management layers; applies traffic policing to the data flows in the network; dynamically finds the optimal path satisfying the QoS requirements through QoS routing, realizing traffic engineering; and admits or rejects the session connection of a service through QoS admission control;
said comprehensive security protection system comprises the adoption of information classification isolation, network boundary protection, application service access control and data encryption protection measures; wherein said information classification isolation means that the attributes of the network's user ports, network trunk ports and management ports are distinguished; a user terminal accesses the network from a user port; its signaling messages and management information can only be delivered to the connection controller and the OAM agent of the access node, and its service data can only be switched and forwarded in the service layer; the network switching equipment routes and switches service, control and management data independently, and the trunk sets up separate transmission channels for service, control and management data, with no interference between the channels; said network boundary protection means that the legitimacy of user terminal access is authenticated through the user security access protocol, and the transmission link for user service data is set up in real time under the connection control of the control layer and removed after the service ends; said application service access control means that, during the session connection process, the connection control of the control layer verifies the authenticity of signaling and sets up an end-to-end transmission channel for service data under session connection control;
said integrated network management system adopts hierarchical control, level-by-level aggregation and centralized control, realizing decentralized management by region.
CN201010125028XA 2010-03-16 2010-03-16 Network system for realizing integrated security services Active CN101771619B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010125028XA CN101771619B (en) 2010-03-16 2010-03-16 Network system for realizing integrated security services

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010125028XA CN101771619B (en) 2010-03-16 2010-03-16 Network system for realizing integrated security services

Publications (2)

Publication Number Publication Date
CN101771619A CN101771619A (en) 2010-07-07
CN101771619B true CN101771619B (en) 2012-07-04

Family

ID=42504229

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010125028XA Active CN101771619B (en) 2010-03-16 2010-03-16 Network system for realizing integrated security services

Country Status (1)

Country Link
CN (1) CN101771619B (en)


Also Published As

Publication number Publication date
CN101771619A (en) 2010-07-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant