CN101888386A - Firewall device for No.7 signaling network - Google Patents

Publication number
CN101888386A
Authority
CN
China
Prior art keywords
system number
signaling system
signaling
firewall device
net
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 201010226494
Other languages
Chinese (zh)
Inventor
郭学鹏
李雪松
张迪
周大鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Yongwei Information Science & Technology Co Ltd
Original Assignee
Shanghai Yongwei Information Science & Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Yongwei Information Science & Technology Co Ltd filed Critical Shanghai Yongwei Information Science & Technology Co Ltd
Priority to CN 201010226494 priority Critical patent/CN101888386A/en
Publication of CN101888386A publication Critical patent/CN101888386A/en
Pending legal-status Critical Current

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a No. 7 signaling firewall device. The firewall device is used in a No. 7 signaling network and is deployed between the No. 7 signaling core network and No. 7 signaling network elements that lack security trust. According to set rules, it intercepts unauthorized No. 7 signaling messages sent to the core network by those network elements, and it generates logs for all signaling messages passing through the firewall, so as to ensure the security of the core network.

Description

A firewall device for a No. 7 signaling network
Technical field
The present invention relates to the field of No. 7 signaling, and in particular to a firewall device for the security management and control of a No. 7 signaling network.
Background art
The No. 7 signaling network was originally designed as a completely closed network whose operation is controlled by the operator, on the assumption that the entities in the network trust one another to a very high degree. Normal and effective operation of the whole No. 7 signaling network could therefore be ensured through signaling network management, and malicious attacks were considered almost impossible. The emphasis in the original design of the signaling network was on efficiency and reliability, so few security measures were adopted; once an interface to an external network appears, an attacker can easily launch attacks against the No. 7 signaling network. With the continuing development of information technology, the introduction of new services and the irreversible trend toward network convergence expose more and more interfaces of the No. 7 signaling network to the outside world. The security of the No. 7 signaling network faces a serious threat.
Referring to Fig. 1, which shows the prior-art network topology in which No. 7 signaling network elements lacking security trust (referred to below as service platforms) 1' are connected to the No. 7 signaling core network 2': the network elements lacking security trust are connected directly to the No. 7 signaling core network 2', which poses a great hidden danger to the security of the No. 7 signaling network.
Summary of the invention
The object of the present invention is to overcome the defects of the prior art by providing a firewall device for a No. 7 signaling network that filters and intercepts all signaling messages sent to the No. 7 signaling core network by No. 7 signaling network elements lacking security trust, thereby ensuring the security of the No. 7 signaling core network.
The technical solution that achieves this object is a firewall device for a No. 7 signaling network, the No. 7 signaling network comprising a No. 7 signaling core network and a number of No. 7 signaling network elements lacking security trust, wherein the firewall device is deployed between the No. 7 signaling core network and the network elements lacking security trust and filters and intercepts, according to set criteria, the signaling messages that those network elements send to the No. 7 signaling core network. The firewall device forwards legitimate signaling messages to the No. 7 signaling core network as normal and discards illegitimate signaling messages directly.
In the above firewall device for a No. 7 signaling network, the filtering and interception criteria set on the firewall device may be that the signaling message contains a specified DPC (destination point code) and OPC (originating point code), or a specified SCCP (Signalling Connection Control Part) layer global title and subsystem number, or a specified TCAP (Transaction Capabilities Application Part) layer operation code, or a specified calling number and called number; other suitable filtering and interception criteria may also be used.
In the above firewall device for a No. 7 signaling network, the firewall device logs all signaling messages for review by the relevant personnel.
In the above firewall device for a No. 7 signaling network, the No. 7 signaling network elements lacking security trust are connected to the firewall device by No. 7 signaling links, and the firewall device is likewise connected to the No. 7 signaling core network by No. 7 signaling links.
In the above firewall device for a No. 7 signaling network, the firewall device performs signaling filtering, monitoring and statistics for the No. 7 signaling network elements lacking security trust.
The beneficial effects of the invention are that the firewall device of the present invention has the following advantages:
The firewall device of the present invention is usually connected to an STP (signaling transfer point). The No. 7 signaling network elements lacking security trust (service platforms) are connected to this firewall device rather than directly to the No. 7 signaling core network. All signaling messages sent by a service platform to the No. 7 signaling core network are therefore filtered and intercepted by the firewall device: only specified signaling messages are allowed to pass and all other messages are discarded, which ensures the security of the No. 7 signaling core network;
A newly launched service platform only needs to be connected to the firewall and no longer needs to be connected directly to the No. 7 signaling core network, which reduces the workload of the network operations department;
The firewall device can be placed in the same equipment room as the service platform, which makes the connection between the service platform and the firewall device convenient;
The service platform and the firewall device are connected by No. 7 signaling links, so no special cooperation is required of the service platform: it connects to the firewall device in the same way as it would connect directly to the No. 7 signaling core network;
By configuration, No. 7 signaling messages of particular types can be intercepted, or only No. 7 signaling messages of particular types allowed to pass. By setting interception criteria on parameters such as DPC/OPC, SCCP GT (global title)/SSN (subsystem number) and TCAP layer operation code, it can also be arranged that a service platform is allowed to make outgoing calls only with its own service number, with all illegitimate outgoing calls intercepted.
Description of drawings
Fig. 1 is the network topology in which a prior-art service platform is connected to the No. 7 signaling core network;
Fig. 2 is the network topology in which a service platform is connected to the No. 7 signaling core network after the firewall device of the present invention has been deployed.
Embodiment
The invention is further described below with reference to the accompanying drawings.
Referring to Fig. 2, which shows the network topology in which service platforms are connected to the No. 7 signaling core network after the firewall device of the present invention has been deployed: the No. 7 signaling network comprises a No. 7 signaling core network 1 and a number of No. 7 signaling network elements 2 lacking security trust, referred to as service platforms. Whether a given No. 7 signaling network element 2 lacks security trust is determined by the administrator of the No. 7 signaling network. The firewall device 3 is deployed between the No. 7 signaling core network 1 and the network elements 2 lacking security trust, and filters and intercepts, according to set criteria, the signaling messages that the network elements 2 send to the No. 7 signaling core network 1. The firewall device 3 forwards legitimate signaling messages to the No. 7 signaling core network 1 as normal and discards illegitimate signaling messages directly.
The filtering and interception criteria set on the firewall device 3 may be that the signaling message contains a specified DPC and OPC, or a specified SCCP layer global title and subsystem number, or a specified TCAP layer operation code, or a specified calling number and called number; other suitable filtering and interception criteria may also be used. The firewall device 3 logs all signaling messages for review by the relevant personnel, and also performs signaling filtering, monitoring and statistics for the No. 7 signaling network elements 2 lacking security trust, to facilitate the management of each service platform. The No. 7 signaling network elements 2 lacking security trust are connected to the firewall device 3 by No. 7 signaling links, and the firewall device is likewise connected to the No. 7 signaling core network by No. 7 signaling links.
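The filtering, logging and statistics behaviour described above can be sketched as a default-deny allow-list evaluated over already-decoded message fields. This is an added example, not part of the patent: the class and field names, and every point code, digit string and operation code in the sample data, are assumptions constructed for illustration, and only the OPC/DPC, called global title/SSN, TCAP operation code and calling number criteria are modelled.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Msg:
    """Decoded fields of one message received from a service platform."""
    opc: int                              # MTP3 originating point code
    dpc: int                              # MTP3 destination point code
    called_gt: Optional[str] = None       # SCCP called-party global title digits
    called_ssn: Optional[int] = None      # SCCP called-party subsystem number
    tcap_opcode: Optional[int] = None     # TCAP operation code
    calling_number: Optional[str] = None  # calling number carried in the message

@dataclass(frozen=True)
class AllowRule:
    """One permitted traffic pattern. A criterion left as None is not checked."""
    opc: int
    dpcs: frozenset
    gt_prefixes: Optional[tuple] = None
    ssns: Optional[frozenset] = None
    tcap_opcodes: Optional[frozenset] = None
    calling_numbers: Optional[frozenset] = None

    def mismatch(self, m: Msg) -> Optional[str]:
        """Name the first failed criterion (a missing constrained field fails), else None."""
        checks = (
            ("opc", m.opc == self.opc),
            ("dpc", m.dpc in self.dpcs),
            ("called_gt", self.gt_prefixes is None or (m.called_gt or "").startswith(self.gt_prefixes)),
            ("called_ssn", self.ssns is None or m.called_ssn in self.ssns),
            ("tcap_opcode", self.tcap_opcodes is None or m.tcap_opcode in self.tcap_opcodes),
            ("calling_number", self.calling_numbers is None or m.calling_number in self.calling_numbers))
        return next((name for name, ok in checks if not ok), None)

class SS7Firewall:
    """Forwards a message only if some rule matches it completely; drops everything else."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []           # every message is logged, forwarded or dropped
        self.stats = Counter()  # (opc, verdict) -> count, i.e. per service platform

    def process(self, m: Msg) -> str:
        failures = [r.mismatch(m) for r in self.rules]
        verdict = "forward" if None in failures else "drop"  # default deny
        reason = "" if verdict == "forward" else ",".join(sorted(set(failures))) or "no-rule"
        self.log.append({"opc": m.opc, "dpc": m.dpc, "verdict": verdict, "failed": reason})
        self.stats[(m.opc, verdict)] += 1
        return verdict

# Constructed sample policy and traffic: all values below are made up.
RULES = [AllowRule(opc=4101, dpcs=frozenset({2001}), gt_prefixes=("99900",),
                   ssns=frozenset({6}), tcap_opcodes=frozenset({45}),
                   calling_numbers=frozenset({"99955501"}))]
TRAFFIC = [Msg(4101, 2001, "9990012345", 6, 45, "99955501"),  # matches the rule
           Msg(4101, 2001, "9990012345", 6, 2, "99955501"),   # operation code not allowed
           Msg(4101, 2001, "9990012345", 6, 45, "99955599"),  # not the platform's own number
           Msg(4999, 2001, "9990012345", 6, 45, "99955501"),  # unknown service platform
           Msg(4101, 2001)]                                   # SCCP/TCAP fields absent

def run_demo():
    fw = SS7Firewall(RULES)
    return [fw.process(m) for m in TRAFFIC], fw
```

A message that lacks a field the rule constrains is dropped rather than waved through, and the log records which criterion failed so that dropped traffic can be reviewed per service platform.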
The above embodiment serves only to illustrate the present invention and does not limit it. Persons skilled in the relevant art may make various changes or modifications without departing from the spirit and scope of the present invention; all equivalent technical solutions therefore also fall within the scope of the present invention, which shall be defined by the claims.

Claims (5)

1. A firewall device for a No. 7 signaling network, the No. 7 signaling network comprising a No. 7 signaling core network and a number of No. 7 signaling network elements lacking security trust, characterized in that the firewall device is deployed between the No. 7 signaling core network and the No. 7 signaling network elements lacking security trust and filters and intercepts, according to set criteria, the signaling messages that those network elements send to the No. 7 signaling core network; the firewall device forwards legitimate signaling messages to the No. 7 signaling core network as normal and discards illegitimate signaling messages directly.
2. The firewall device for a No. 7 signaling network according to claim 1, characterized in that the filtering and interception criteria set on the firewall device may be that the signaling message contains a specified DPC and OPC, or a specified SCCP layer global title and subsystem number, or a specified TCAP layer operation code, or a specified calling number and called number; other suitable filtering and interception criteria may also be used.
3. The firewall device for a No. 7 signaling network according to claim 1, characterized in that the firewall device logs all signaling messages for review by the relevant personnel.
4. The firewall device for a No. 7 signaling network according to claim 1, characterized in that the No. 7 signaling network elements lacking security trust are connected to the firewall device by No. 7 signaling links, and the firewall device is likewise connected to the No. 7 signaling core network by No. 7 signaling links.
5. The firewall device for a No. 7 signaling network according to claim 1, characterized in that the firewall device performs signaling filtering, monitoring and statistics for the No. 7 signaling network elements lacking security trust.
CN 201010226494 2010-07-14 2010-07-14 Firewall device for No.7 signaling network Pending CN101888386A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010226494 CN101888386A (en) 2010-07-14 2010-07-14 Firewall device for No.7 signaling network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010226494 CN101888386A (en) 2010-07-14 2010-07-14 Firewall device for No.7 signaling network

Publications (1)

Publication Number Publication Date
CN101888386A true CN101888386A (en) 2010-11-17

Family

ID=43074107

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010226494 Pending CN101888386A (en) 2010-07-14 2010-07-14 Firewall device for No.7 signaling network

Country Status (1)

Country Link
CN (1) CN101888386A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610813A (en) * 2015-12-28 2016-05-25 中国人民解放军信息工程大学 Mobile communication inter-network honeypot system and method
CN107979821A (en) * 2016-10-21 2018-05-01 中国电信股份有限公司 The processing method and device of illegal No. 7 signalings
CN108366364A (en) * 2018-01-15 2018-08-03 中国人民解放军战略支援部队信息工程大学 A kind of differentiation processing method of exception MAP operations
CN111955014A (en) * 2018-06-26 2020-11-17 甲骨文国际公司 Method, system, and computer readable medium for multi-transaction capability application part TCAP OPCODE OPCODE screening

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001019010A1 (en) * 1999-09-07 2001-03-15 Icom Technologies, Inc. Ss7 firewall system
CN1529482A (en) * 2003-10-08 2004-09-15 中兴通讯股份有限公司 Method for realing signalling fire wall in soft exchange network
CN101453528A (en) * 2007-11-30 2009-06-10 上海粱江通信系统有限公司 System and method for implementing call authentication gateway

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610813A (en) * 2015-12-28 2016-05-25 中国人民解放军信息工程大学 Mobile communication inter-network honeypot system and method
CN105610813B (en) * 2015-12-28 2018-10-16 中国人民解放军信息工程大学 Honey pot system and method between a kind of mobile radio communication
CN107979821A (en) * 2016-10-21 2018-05-01 中国电信股份有限公司 The processing method and device of illegal No. 7 signalings
CN107979821B (en) * 2016-10-21 2021-07-02 中国电信股份有限公司 Method and device for processing illegal No.7 signaling
CN108366364A (en) * 2018-01-15 2018-08-03 中国人民解放军战略支援部队信息工程大学 A kind of differentiation processing method of exception MAP operations
CN108366364B (en) * 2018-01-15 2020-11-03 中国人民解放军战略支援部队信息工程大学 Discrimination processing method for abnormal MAP operation
CN111955014A (en) * 2018-06-26 2020-11-17 甲骨文国际公司 Method, system, and computer readable medium for multi-transaction capability application part TCAP OPCODE OPCODE screening
JP2021528915A (en) * 2018-06-26 2021-10-21 オラクル・インターナショナル・コーポレイション Multiple Transaction Function Application (TCAP) Operation Code (Opcode) Methods for Screening, Systems and Computers Readable Media
JP7273070B2 (en) 2018-06-26 2023-05-12 オラクル・インターナショナル・コーポレイション Method, system and computer readable medium for multiple transaction capability application part (TCAP) operation code (opcode) screening
CN111955014B (en) * 2018-06-26 2023-09-29 甲骨文国际公司 Methods, systems, and computer readable media for multi-transaction capability application part TCAP OPCODE screening

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20101117