CN102025745A - Method and system for filtering network packets based on CS (client/server) structure - Google Patents


Info

Publication number
CN102025745A
Authority
CN
China
Prior art keywords
protocol
mobile node
management entity
network
field management
Prior art date
Legal status
Granted
Application number
CN201010597645XA
Other languages
Chinese (zh)
Other versions
CN102025745B (en
Inventor
张喜斌
张强
万晓辉
Current Assignee
China Iwncomm Co Ltd
Original Assignee
China Iwncomm Co Ltd
Priority date
Filing date
Publication date
Application filed by China Iwncomm Co Ltd
Priority to CN201010597645.XA (granted as CN102025745B)
Publication of CN102025745A
Application granted
Publication of CN102025745B
Legal status: Active
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and system for filtering network packets based on a CS (client/server) structure. The method comprises the following steps: (1) the ground field management entity and the mobile node establish a connection; and (2) the ground field management entity and the mobile node perform filtering. The method and system based on the CS structure provided by the invention ensure correct transmission and reception of network packets between the mobile node and the ground field management entity and strengthen the security of the system.

Description

Network packet filtering method and system based on a CS structure
Technical field
The invention belongs to the field of network security technology and relates to a method and system for filtering network packets based on a CS (client/server) structure.
Background art
Packet filtering is a selective control process, performed by software or a hardware device, over data flows uploaded to or downloaded from a network. Packet filtering is normally applied as packets pass from one network to another, most commonly when data are transmitted from the Internet to an internal network or from an internal network to the Internet; the network then allows or blocks their passage. To perform packet filtering, rules must be set that specify which types of packets are allowed through and which are blocked.
Packet filtering is generally applied at a firewall. At present the filtering rules are configured on the firewall, and the inbound and outbound data passing through the firewall are controlled according to those rules, so that the transmission of network packets is allowed or blocked.
Such packet filtering is currently performed mainly by the firewall alone. Between devices inside the system, for example between clients, or for data access between a client and a server, the devices cannot perform effective data filtering.
Summary of the invention
To solve the above technical problem of the background art, the invention provides a network packet filtering method and system based on a CS structure that ensure correct transmission and reception of network packets between a mobile node and a ground field management entity and strengthen the security of the system.
The technical solution of the invention is as follows. The invention provides a network packet filtering method based on a CS structure, whose distinguishing feature is that the method comprises the following steps:
1) the ground field management entity and the mobile node establish a connection:
1.1) the parameters to be filtered are configured through the WEB management system hosted by the ground field management entity;
1.2) the ground field management entity filters according to the configured filter parameters;
1.3) after the ground field management entity and the mobile node have established the connection, the corresponding protocol filtering parameter configuration data are transmitted to the mobile node through the communication tunnel between the ground field management entity and the mobile node; after receiving the protocol filtering parameter configuration data, the mobile node passes them to the intermediate driver through I/O data processing, and the intermediate driver performs the filtering;
2) the ground field management entity and the mobile node perform filtering:
2.1) the intermediate driver filters the network packets;
2.2) the intermediate driver and the mobile node interact.
In step 1.2, the ground field management entity filters according to the configured filter parameters using iptables.
Step 2.1 is implemented as:
2.1.1) the mobile node sends user data, which the protocol driver packages into network packets;
2.1.2) the intermediate driver filters the network packets.
One embodiment of step 2.1.2 is:
2.1.2.1.1) after receiving a network packet, the intermediate driver filters it according to the protocol filtering parameters that the mobile node sent to the intermediate driver; according to the filtering policy, the filtered packet is either dropped or forwarded;
2.1.2.1.2) the intermediate driver encrypts the filtered packet to form an encrypted packet, which is passed directly to the physical network card for sending;
2.1.2.1.3) the encrypted packet is encapsulated into an encapsulated packet;
2.1.2.1.4) the encapsulated packet produced by the intermediate driver becomes a new network packet that is sent through the physical network card to the ground field management entity.
An alternative embodiment of step 2.1.2 is:
2.1.2.2.1) after receiving a network packet, the intermediate driver filters it according to the protocol filtering parameters that the mobile node sent to the intermediate driver; according to the filtering policy, the filtered packet is either dropped or forwarded;
2.1.2.2.2) the intermediate driver passes the filtered packet directly to the physical network card for sending;
2.1.2.2.3) the packet obtained in step 2.1.2.2.2 is encapsulated into an encapsulated packet;
2.1.2.2.4) the encapsulated packet produced by the intermediate driver becomes a new network packet that is sent through the physical network card to the ground field management entity.
Step 2.2 is implemented as:
2.2.1) the mobile node passes the filter parameters to the intermediate driver through the I/O data handling program;
2.2.2) the intermediate driver returns the filter state to the mobile node through I/O data processing.
The embodiment of step 2.2 may further comprise, after step 2.2.2:
2.2.3) the mobile node sends a status query command to the I/O data handling program to query the state of the intermediate driver.
The intermediate driver is a driver located between the miniport driver and the protocol driver; it is an interface reserved in the network driver stack through which users implement their own packet processing.
In step 1.1, the parameters to be filtered are configured as a filtering protocol, IP information or a filtering policy. The filtering protocol is one or more of TCP, UDP, ICMP, IGMP, HTTP, FTP, SMTP, POP3, TELNET, IMAP, Citrix ICA, RDP and PCoIP; the IP information is the device's source IP address, destination IP address, source port or destination port; the filtering policy is an allow or deny configuration.
A network packet filtering system based on a CS structure, whose distinguishing feature is that it comprises the WEB management system of the ground field management entity, the ground field management entity and the mobile node. The WEB management system of the ground field management entity configures the protocol parameters to be filtered; the ground field management entity performs the corresponding protocol filtering according to the protocol filtering parameter configuration made through the WEB management system; after the mobile node and the ground field management entity have established a connection, the ground field management entity transmits the corresponding protocol filtering parameter configuration data to the mobile node through the communication tunnel; after receiving the protocol filtering parameter configuration data, the mobile node performs the corresponding protocol filtering.
The invention connects the mobile node and the ground field management entity and completes mutual security authentication. The adaptive IP network technology is applied to data communication between the mobile node and the ground field management entity: through the data communication tunnel of the adaptive IP network system, the ground field management entity transmits the protocol filtering configuration parameters to the mobile node; the mobile node obtains the filtering protocols issued by the system and then filters the issued protocols through its protocol filtering module. The protocol filtering module of the mobile node completes the protocol filtering of packets, ensures correct transmission and reception of network packets between the mobile node and the ground field management entity, and thereby strengthens the security of the system on the mobile node side.
Description of the drawings
Fig. 1 is a schematic diagram of a preferred embodiment of the network packet filtering method based on a CS structure provided by the invention;
Fig. 2 is the data flow diagram of the intermediate driver provided by the invention filtering network packets;
Fig. 3 is the data flow diagram of the interaction between the mobile node and the intermediate driver provided by the invention.
Embodiments
The invention provides a network packet filtering method and system based on a CS structure.
Referring to Fig. 1, an embodiment of the network packet filtering method based on a CS structure according to the invention proceeds as follows:
1. Through the WEB management system hosted by the ground field management entity, the system administrator configures the parameters to be filtered: the configurable filtering protocols and/or IP information and/or filtering policy. The filtering protocol comprises one or more application protocols, which may be TCP, UDP, ICMP, IGMP, HTTP, FTP, SMTP, POP3, TELNET, IMAP, Citrix ICA, RDP, PCoIP and so on; the IP information may be the device's source IP address, destination IP address, source port and/or destination port; the filtering policy comprises configurations such as allow and deny. The ground field management entity may be an ordinary server, an AIPN (Adaptive IP Network Technologies, IP-adaptive mobile secure access technology) server, and so on.
2. After the administrator has finished configuring the parameters to be filtered through the WEB management system of the ground field management entity, the ground field management entity filters according to the configured filter parameters. The filtering can be implemented with iptables (the IP packet filtering system integrated in the Linux kernel).
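As an added illustration (not code from the patent) of how the filter parameters configured in step 1 map onto the iptables filtering of step 2, the C program below renders one parameter record into the iptables command the ground field management entity would apply. The record layout, the use of the FORWARD chain and the table of well-known ports are assumptions made here, not details taken from the patent.

```c
/* Added example, not code from the patent: render one filter parameter
 * record, as entered through the WEB management system, into the iptables
 * command the ground field management entity would apply in step 2.
 * The struct layout, the FORWARD chain and the port table are assumptions. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *protocol;  /* one of the configurable names, e.g. "TCP", "HTTP" */
    const char *src_ip;    /* dotted quad, or NULL for any */
    const char *dst_ip;    /* dotted quad, or NULL for any */
    int src_port;          /* 0 = any */
    int dst_port;          /* 0 = any (falls back to the protocol's well-known port) */
    int allow;             /* 1 = allow policy, 0 = deny policy */
} filter_param;

/* iptables matches on layer 3/4 fields, so an application protocol from the
 * configuration has to be expressed as its transport plus a well-known port. */
static int resolve_proto(const char *name, const char **l4, int *port)
{
    static const struct { const char *app; const char *l4; int port; } tbl[] = {
        {"TCP", "tcp", 0},     {"UDP", "udp", 0},     {"ICMP", "icmp", 0},
        {"IGMP", "igmp", 0},   {"HTTP", "tcp", 80},   {"FTP", "tcp", 21},
        {"SMTP", "tcp", 25},   {"POP3", "tcp", 110},  {"TELNET", "tcp", 23},
        {"IMAP", "tcp", 143},  {"Citrix ICA", "tcp", 1494},
        {"RDP", "tcp", 3389},  {"PCoIP", "tcp", 4172},
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (strcmp(tbl[i].app, name) == 0) {
            *l4 = tbl[i].l4;
            *port = tbl[i].port;
            return 0;
        }
    }
    return -1;  /* not one of the configurable protocols */
}

/* Append to a NUL-terminated bounded buffer; -1 if the piece would not fit. */
static int append(char *out, size_t n, const char *piece)
{
    size_t used = strlen(out), need = strlen(piece);
    if (used + need + 1 > n) return -1;
    memcpy(out + used, piece, need + 1);
    return 0;
}

/* Build the rule. Returns 0 on success, -1 on an unknown protocol, a bad
 * port number, or a buffer that is too small (never a truncated command). */
int render_iptables_rule(const filter_param *p, char *out, size_t n)
{
    const char *l4;
    int wkport, dport;
    char piece[80];

    if (n == 0 || p->protocol == NULL) return -1;
    if (p->src_port < 0 || p->src_port > 65535 ||
        p->dst_port < 0 || p->dst_port > 65535) return -1;
    if (resolve_proto(p->protocol, &l4, &wkport) != 0) return -1;
    out[0] = '\0';

    snprintf(piece, sizeof piece, "iptables -A FORWARD -p %s", l4);
    if (append(out, n, piece)) return -1;
    if (p->src_ip) {
        snprintf(piece, sizeof piece, " -s %s", p->src_ip);
        if (append(out, n, piece)) return -1;
    }
    if (p->dst_ip) {
        snprintf(piece, sizeof piece, " -d %s", p->dst_ip);
        if (append(out, n, piece)) return -1;
    }
    /* Ports are meaningful only for tcp/udp; ICMP and IGMP rules carry none. */
    if (strcmp(l4, "tcp") == 0 || strcmp(l4, "udp") == 0) {
        dport = p->dst_port ? p->dst_port : wkport;
        if (p->src_port) {
            snprintf(piece, sizeof piece, " --sport %d", p->src_port);
            if (append(out, n, piece)) return -1;
        }
        if (dport) {
            snprintf(piece, sizeof piece, " --dport %d", dport);
            if (append(out, n, piece)) return -1;
        }
    }
    snprintf(piece, sizeof piece, " -j %s", p->allow ? "ACCEPT" : "DROP");
    return append(out, n, piece);
}

int main(void)
{
    /* Constructed sample record: deny HTTP from one client to any destination. */
    filter_param deny_http = { "HTTP", "10.0.0.5", NULL, 0, 0, 0 };
    char cmd[160];
    if (render_iptables_rule(&deny_http, cmd, sizeof cmd) == 0)
        puts(cmd);
    return 0;
}
```

The point worth noticing is that the configurable list mixes transport protocols (TCP, UDP, ICMP, IGMP) with application protocols (HTTP, SMTP, RDP, ...), while iptables only sees layer 3/4 fields; an application protocol therefore has to be translated to its transport and well-known port, and the translation cannot distinguish an application that runs on a non-standard port. The renderer refuses to emit a truncated or malformed command rather than risk a rule that matches more than intended.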
3. The mobile node (for example an ordinary client, an AIPN client, etc.) connects to the ground field management entity. The preferred way to connect is through the security protocol of the TePA (tri-element peer authentication) access control method; other connection methods known in the art may be used in other embodiments. After the connection to the ground field management entity is established, data transfer between the mobile node and the ground field management entity uses a secure, well-known data encapsulation technique (the tunneling technique recorded in Chinese patent 200410073140.8 is suggested). The ground field management entity sends the protocol filtering parameters to the mobile node through this communication tunnel; after receiving them, the mobile node uses its protocol filtering module to filter the protocols to be filtered, so that the protocol filtering is finally completed on the mobile node and the security of the whole system is strengthened.
The protocol filtering module may be implemented with the intermediate driver of the mobile node (the intermediate driver is the driver between the miniport driver and the protocol driver; it is an interface reserved in the network driver stack that lets users implement their own packet processing) or with a service program on the mobile node (for example the service program recorded in Chinese patent 200810017919.6). Implementing the mobile node's data filtering with the intermediate driver gives higher data communication efficiency.
The intermediate driver described here implements protocol filtering in two parts: (1) the intermediate driver filters the network packets, and (2) the intermediate driver interacts with the mobile node. The data flow diagrams and descriptions of these two parts are given below:
(1) Data flow diagram and description of the intermediate driver filtering network packets:
Referring to Fig. 2, the user first sends user data through an application (for example the IE browser, Foxmail, etc.); the user data may be HTTP data for accessing a website, SMTP or POP3 data for sending and receiving mail, and so on. The Windows protocol driver packages the user data into network packets. Next the intermediate driver filters the network packets: the intermediate driver receives a network packet and filters it according to the protocol filtering parameters that the mobile node sent to the intermediate driver; according to the filtering policy, the filtered packet is either dropped or forwarded. The intermediate driver may encrypt the packet, producing an encrypted packet that is passed directly to the physical network card for sending; it may also pass a filtered packet directly to the physical network card without encryption. The packet or the encrypted packet is then encapsulated into an encapsulated packet. The encapsulated packet produced by the intermediate driver becomes a new network packet that is sent through the physical network card to the ground field management entity.
(2) Data flow diagram and description of the interaction between the mobile node and the intermediate driver:
Referring to Fig. 3, the mobile node passes the filter parameters to the intermediate driver through the I/O data handling program, and the intermediate driver returns the filter state to the mobile node through I/O data processing; the mobile node sends a status query command to the I/O data handling program to query the state of the intermediate driver. In other embodiments, the step in which the mobile node queries the state of the intermediate driver with a status query command may be omitted.
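The two parts just described, the filter decision of Fig. 2 and the I/O exchange of Fig. 3, are modelled together in the added C program below; it is an illustration written for this page, not code from the patent or from an actual driver. The rule layout, the control codes, the treatment of malformed packets and the sample packet are all constructed here; a real NDIS intermediate driver would do the same work inside its send handler and its I/O control dispatch routine.

```c
/* Added example, not code from the patent: a user-mode model of the
 * intermediate driver's filter decision (Fig. 2) and of its I/O control
 * exchange with the mobile node (Fig. 3). All structures, control codes
 * and sample data are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { POLICY_DENY = 0, POLICY_ALLOW = 1 };
enum { VERDICT_DROP = 0, VERDICT_PASS = 1 };
enum { IOCTL_SET_FILTER = 1, IOCTL_QUERY_STATE = 2 };  /* assumed control codes */
#define MAX_RULES 32

typedef struct {
    uint8_t  proto;               /* IPv4 protocol number (1 ICMP, 6 TCP, 17 UDP); 0 = any */
    uint32_t src_ip, dst_ip;      /* host byte order; 0 = any */
    uint16_t src_port, dst_port;  /* 0 = any; only meaningful for TCP/UDP */
    uint8_t  policy;              /* POLICY_ALLOW or POLICY_DENY */
} filter_rule;

typedef struct {
    filter_rule rules[MAX_RULES];
    size_t nrules;
    uint8_t default_policy;        /* applied when no rule matches */
    unsigned long passed, dropped; /* the filter state reported back to the mobile node */
} driver_state;

typedef struct { size_t nrules; unsigned long passed, dropped; } filter_status;

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Extract the 5-tuple from a raw IPv4 packet; returns 0 if it is malformed or truncated. */
static int parse_packet(const uint8_t *pkt, size_t len, filter_rule *key)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl || len < rd16(pkt + 2)) return 0;
    key->proto = pkt[9];
    key->src_ip = rd32(pkt + 12);
    key->dst_ip = rd32(pkt + 16);
    key->src_port = key->dst_port = 0;
    key->policy = 0;
    if (key->proto == 6 || key->proto == 17) {
        if (len < ihl + 4) return 0;  /* transport ports truncated */
        key->src_port = rd16(pkt + ihl);
        key->dst_port = rd16(pkt + ihl + 2);
    }
    return 1;
}

static int rule_matches(const filter_rule *r, const filter_rule *k)
{
    return (r->proto == 0 || r->proto == k->proto)
        && (r->src_ip == 0 || r->src_ip == k->src_ip)
        && (r->dst_ip == 0 || r->dst_ip == k->dst_ip)
        && (r->src_port == 0 || r->src_port == k->src_port)
        && (r->dst_port == 0 || r->dst_port == k->dst_port);
}

/* Send-path decision: first matching rule wins, otherwise the default policy.
 * Packets that cannot be parsed are dropped rather than forwarded unfiltered. */
int filter_packet(driver_state *st, const uint8_t *pkt, size_t len)
{
    filter_rule key;
    uint8_t policy = st->default_policy;
    if (!parse_packet(pkt, len, &key)) { st->dropped++; return VERDICT_DROP; }
    for (size_t i = 0; i < st->nrules; i++)
        if (rule_matches(&st->rules[i], &key)) { policy = st->rules[i].policy; break; }
    if (policy == POLICY_ALLOW) { st->passed++; return VERDICT_PASS; }
    st->dropped++;
    return VERDICT_DROP;
}

/* I/O control dispatch: the mobile node hands filter parameters down
 * (IOCTL_SET_FILTER) and reads the filter state back (IOCTL_QUERY_STATE).
 * Buffer sizes are validated before anything is copied, as a driver must. */
int driver_ioctl(driver_state *st, int code, const void *in, size_t in_len, void *out, size_t out_len)
{
    switch (code) {
    case IOCTL_SET_FILTER: {
        size_t n = in_len / sizeof(filter_rule);
        if (in == NULL || in_len % sizeof(filter_rule) != 0 || n > MAX_RULES) return -1;
        memcpy(st->rules, in, in_len);
        st->nrules = n;
        return 0;
    }
    case IOCTL_QUERY_STATE: {
        filter_status s = { st->nrules, st->passed, st->dropped };
        if (out == NULL || out_len < sizeof s) return -1;
        memcpy(out, &s, sizeof s);
        return 0;
    }
    default:
        return -1;
    }
}

/* Constructed sample packet: IPv4/TCP from 10.0.0.5:40000 to 10.0.0.1:80, 40 bytes. */
const uint8_t sample_http[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 5, 10, 0, 0, 1,
    0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0x20, 0x00, 0, 0, 0, 0
};

int main(void)
{
    driver_state st; filter_status status;
    /* Constructed policy from the ground field management entity: deny TCP to 10.0.0.1:80. */
    filter_rule rules[1] = { { 6, 0, 0x0a000001u, 0, 80, POLICY_DENY } };
    memset(&st, 0, sizeof st);
    st.default_policy = POLICY_ALLOW;
    driver_ioctl(&st, IOCTL_SET_FILTER, rules, sizeof rules, NULL, 0);
    printf("verdict=%d\n", filter_packet(&st, sample_http, sizeof sample_http));
    driver_ioctl(&st, IOCTL_QUERY_STATE, NULL, 0, &status, sizeof status);
    printf("rules=%zu passed=%lu dropped=%lu\n", status.nrules, status.passed, status.dropped);
    return 0;
}
```

Two design points the patent text leaves implicit are made explicit here: a packet the driver cannot parse is dropped rather than passed, so a malformed header cannot bypass the filter, and the parameter buffer handed down by the mobile node is length-checked before it is copied, since the driver runs with more privilege than the program that sends it.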
The system provided by the invention comprises the following three parts and their corresponding operations:
1. The WEB management system of the ground field management entity, which performs the protocol parameter configuration: the protocol parameters to be filtered are configured through the WEB management system of the ground field management entity, preparing for the subsequent protocol filtering by the ground field management entity and the mobile node;
2. The ground field management entity, which performs the corresponding protocol filtering according to the protocol filtering parameter configuration made through its WEB management system;
3. The mobile node, which first connects to the ground field management entity. The preferred way to connect is through the security protocol of the TePA (tri-element peer authentication) access control method; other connection methods known in the art may be used in other embodiments. After the connection has been established, the ground field management entity transmits the corresponding protocol filtering parameter configuration data to the mobile node through the tunnel; after receiving the protocol filtering parameter configuration data, the mobile node performs the corresponding protocol filtering.

Claims (10)

1. A network packet filtering method based on a CS structure, characterized in that the method comprises the following steps:
1) the ground field management entity and the mobile node establish a connection:
1.1) the parameters to be filtered are configured through the WEB management system hosted by the ground field management entity;
1.2) the ground field management entity filters according to the configured filter parameters;
1.3) after the ground field management entity and the mobile node have established the connection, the corresponding protocol filtering parameter configuration data are transmitted to the mobile node through the communication tunnel between the ground field management entity and the mobile node; after receiving the protocol filtering parameter configuration data, the mobile node passes them to the intermediate driver through I/O data processing, and the intermediate driver performs the filtering;
2) the ground field management entity and the mobile node perform filtering:
2.1) the intermediate driver filters the network packets;
2.2) the intermediate driver and the mobile node interact.
2. The network packet filtering method based on a CS structure according to claim 1, characterized in that in step 1.2 the ground field management entity filters according to the configured filter parameters using iptables.
3. The network packet filtering method based on a CS structure according to claim 1, characterized in that step 2.1 is implemented as:
2.1.1) the mobile node sends user data, which the protocol driver packages into network packets;
2.1.2) the intermediate driver filters the network packets.
4. The network packet filtering method based on a CS structure according to claim 3, characterized in that step 2.1.2 is implemented as:
2.1.2.1.1) after receiving a network packet, the intermediate driver filters it according to the protocol filtering parameters that the mobile node sent to the intermediate driver; according to the filtering policy, the filtered packet is either dropped or forwarded;
2.1.2.1.2) the intermediate driver encrypts the filtered packet to form an encrypted packet, which is passed directly to the physical network card for sending;
2.1.2.1.3) the encrypted packet is encapsulated into an encapsulated packet;
2.1.2.1.4) the encapsulated packet produced by the intermediate driver becomes a new network packet that is sent through the physical network card to the ground field management entity.
5. The network packet filtering method based on a CS structure according to claim 3, characterized in that step 2.1.2 is implemented as:
2.1.2.2.1) after receiving a network packet, the intermediate driver filters it according to the protocol filtering parameters that the mobile node sent to the intermediate driver; according to the filtering policy, the filtered packet is either dropped or forwarded;
2.1.2.2.2) the intermediate driver passes the filtered packet directly to the physical network card for sending;
2.1.2.2.3) the packet obtained in step 2.1.2.2.2 is encapsulated into an encapsulated packet;
2.1.2.2.4) the encapsulated packet produced by the intermediate driver becomes a new network packet that is sent through the physical network card to the ground field management entity.
6. The network packet filtering method based on a CS structure according to any one of claims 1 to 5, characterized in that step 2.2 is implemented as:
2.2.1) the mobile node passes the filter parameters to the intermediate driver through the I/O data handling program;
2.2.2) the intermediate driver returns the filter state to the mobile node through I/O data processing.
7. The network packet filtering method based on a CS structure according to claim 6, characterized in that the implementation of step 2.2 further comprises, after step 2.2.2:
2.2.3) the mobile node sends a status query command to the I/O data handling program to query the state of the intermediate driver.
8. The network packet filtering method based on a CS structure according to claim 7, characterized in that the intermediate driver is a driver located between the miniport driver and the protocol driver; it is an interface reserved in the network driver stack through which users implement their own packet processing.
9. The network packet filtering method based on a CS structure according to claim 1, characterized in that in step 1.1 the parameters to be filtered are configured as a filtering protocol, IP information or a filtering policy; the filtering protocol is one or more of TCP, UDP, ICMP, IGMP, HTTP, FTP, SMTP, POP3, TELNET, IMAP, Citrix ICA, RDP and PCoIP; the IP information is the device's source IP address, destination IP address, source port or destination port; the filtering policy is an allow or deny configuration.
10. A network packet filtering system based on a CS structure, characterized in that the system comprises the WEB management system of the ground field management entity, the ground field management entity and the mobile node; the WEB management system of the ground field management entity configures the protocol parameters to be filtered; the ground field management entity performs the corresponding protocol filtering according to the protocol filtering parameter configuration made through the WEB management system; after the mobile node and the ground field management entity have established a connection, the ground field management entity transmits the corresponding protocol filtering parameter configuration data to the mobile node through the communication tunnel; after receiving the protocol filtering parameter configuration data, the mobile node passes them to the intermediate driver through I/O processing, and the intermediate driver performs the corresponding protocol filtering.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010597645.XA CN102025745B (en) 2010-12-20 2010-12-20 Method and system for filtering network packets based on CS (client/server) structure

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010597645.XA CN102025745B (en) 2010-12-20 2010-12-20 Method and system for filtering network packets based on CS (client/server) structure

Publications (2)

Publication Number Publication Date
CN102025745A true CN102025745A (en) 2011-04-20
CN102025745B CN102025745B (en) 2014-06-04

Family

ID=43866599

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010597645.XA Active CN102025745B (en) 2010-12-20 2010-12-20 Method and system for filtering network packets based on CS (client/server) structure

Country Status (1)

Country Link
CN (1) CN102025745B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368914A (en) * 2012-03-31 2013-10-23 百度在线网络技术(北京)有限公司 Method, apparatus and device for intercepting message

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1260924A (en) * 1997-04-11 2000-07-19 Ent回波技术有限公司 Personal audio massage processor and method
CN1522019A (en) * 2003-02-12 2004-08-18 联想(北京)有限公司 Dynamically switching on/off TNS protocol communication port in firewall packet filtering
CN101227287A (en) * 2008-01-28 2008-07-23 华为技术有限公司 Data message processing method and data message processing equipment
CN101272246A (en) * 2008-04-09 2008-09-24 西安西电捷通无线网络通信有限公司 Data safety transmission method and system of virtual network card and physical network card
US20100290479A1 (en) * 2009-05-13 2010-11-18 Canon Kabushiki Kaisha Method and device for parameterizing a bridge within a communication network

Also Published As

Publication number Publication date
CN102025745B (en) 2014-06-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant