CN102025745B - Method and system for filtering network packets based on CS (client/server) structure - Google Patents


Info

Publication number: CN102025745B
Authority: CN (China)
Prior art keywords: mobile node, protocol, filtering, packet, management entity
Legal status: Active
Application number: CN201010597645.XA
Other languages: Chinese (zh)
Other versions: CN102025745A (en)
Inventors: 张喜斌, 张强, 万晓辉
Current assignee: China Iwncomm Co Ltd
Original assignee: China Iwncomm Co Ltd
Application filed by China Iwncomm Co Ltd
Prosecution timeline: priority to CN201010597645.XA; publication as CN102025745A; application granted; publication as CN102025745B; currently active.

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and system for filtering network packets based on a CS (client/server) structure. The method comprises the following steps: (1) establishing a connection between a ground field management entity and a mobile node; and (2) the ground field management entity and the mobile node performing filtering. The CS-structure method and system provided by the invention ensure the correct transmission and reception of network packets between the mobile node and the ground field management entity and strengthen the security of the system.

Description

Method and system for filtering network packets based on a CS structure
Technical field
The invention belongs to the field of network security technology and relates to a method and system for filtering network packets based on a CS (client/server) structure.
Background art
Packet filtering is the process of selectively controlling, by software or a hardware device, the data flows uploaded to or downloaded from a network. Packet filtering normally refers to the process by which packets transferred from one network to another, most commonly from the Internet to an internal network or from an internal network to the Internet, are permitted or blocked. To implement packet filtering, rules are set that specify which types of packets are allowed through and which types are blocked.
Packet filtering technology is generally applied in firewalls. At present, packet filtering is generally implemented by configuring filtering rules on a firewall, which then controls the traffic entering and leaving through it according to those rules, permitting or blocking the transmission of network packets.
Such packet filtering can currently be performed mainly only at the firewall; between devices inside a system, for example for data access between clients or between a client and a server, the devices cannot perform effective data filtering operations.
Summary of the invention
To solve the above technical problem existing in the background art, the invention provides a method and system for filtering network packets based on a CS structure which ensure the correct transmission and reception of network packets between a mobile node and a ground field management entity and strengthen the security of the system.
The technical solution of the invention is as follows. The invention provides a method for filtering network packets based on a CS structure, characterized in that the method comprises the following steps:
1) the ground field management entity and the mobile node establish a connection:
1.1) the parameters to be filtered are configured through the WEB management system carried by the ground field management entity;
1.2) the ground field management entity filters according to the configured filtering parameters;
1.3) after the ground field management entity and the mobile node have established a connection, the corresponding protocol filtering parameter configuration data is transmitted to the mobile node side through the communication tunnel between the ground field management entity and the mobile node; after the mobile node receives the protocol filtering parameter configuration data, it forwards the data to the intermediate driver through I/O data processing, and the intermediate driver performs the filtering;
2) the ground field management entity and the mobile node perform filtering:
2.1) the intermediate driver filters the network packets;
2.2) the intermediate driver and the mobile node interact.
In step 1.2) above, the ground field management entity uses Iptables to filter according to the configured filtering parameters.
A specific embodiment of step 2.1) above is:
2.1.1) the mobile node sends user data, and the user data is encapsulated into network packets by the protocol driver;
2.1.2) the intermediate driver filters the network packets.
One specific embodiment of step 2.1.2) above is:
2.1.2.1.1) after the intermediate driver receives a network packet, it filters the packet according to the protocol filtering parameters the mobile node has sent to it; depending on the filtering policy, the filtered packet is either dropped or forwarded;
2.1.2.1.2) the intermediate driver encrypts the forwarded packet to form an encrypted packet, which is passed directly to the physical network card for sending;
2.1.2.1.3) the encrypted packet is encapsulated into an encapsulated packet;
2.1.2.1.4) the encapsulated packet obtained by the intermediate driver becomes a new network packet, which the physical network card then sends to the ground field management entity.
Another specific embodiment of step 2.1.2) above is:
2.1.2.2.1) after the intermediate driver receives a network packet, it filters the packet according to the protocol filtering parameters the mobile node has sent to it; depending on the filtering policy, the filtered packet is either dropped or forwarded;
2.1.2.2.2) the intermediate driver passes the filtered packet directly to the physical network card for sending;
2.1.2.2.3) the packet obtained in step 2.1.2.2.2) is encapsulated into an encapsulated packet;
2.1.2.2.4) the encapsulated packet obtained by the intermediate driver becomes a new network packet, which the physical network card then sends to the ground field management entity.
A specific embodiment of step 2.2) above is:
2.2.1) the mobile node forwards the filtering parameters to the intermediate driver through the I/O data handling program;
2.2.2) the intermediate driver forwards the filtering condition to the mobile node through I/O data processing.
The embodiment of step 2.2) above further comprises, after step 2.2.2):
2.2.3) the mobile node sends a status query command to the I/O data handling program to query the state of the intermediate driver.
The intermediate driver above is a driver located between the miniport driver and the protocol driver; it is an interface reserved in the network driver stack and implements a program that allows the user to process user packets.
In step 1.1) above, when the parameters to be filtered are configured, the configuration is a filtering protocol, IP information or a filtering policy; the filtering protocol is one or more of the TCP, UDP, ICMP, IGMP, HTTP, FTP, SMTP, POP3, TELNET, IMAP, Citrix ICA, RDP and PCOIP protocols; the IP information is the device source IP address, destination IP address, source port or destination port; and the filtering policy is an allow or deny configuration.
A system for filtering network packets based on a CS structure, characterized in that the system comprises a ground field management entity WEB management system, a ground field management entity and a mobile node; the ground field management entity WEB management system configures the protocol parameters to be filtered; the ground field management entity performs the corresponding protocol filtering according to the protocol filtering parameter configuration made through the WEB management system; after the mobile node and the ground field management entity side establish a connection, the ground field management entity transmits the corresponding protocol filtering parameter configuration data to the mobile node side through the communication tunnel; and after the mobile node receives the protocol filtering parameter configuration data, it performs the corresponding protocol filtering.
In the present invention the mobile node and the ground field management entity establish a connection and complete mutual security authentication. Adaptive IP network technology is applied to the data communication between the mobile node and the ground field management entity: the ground field management entity transmits the protocol filtering configuration parameters to the mobile node over the data communication tunnel of the adaptive IP network system, the mobile node obtains the issued filtering protocols, and the protocol filtering module of the mobile node then filters the issued protocols. The protocol filtering module of the mobile node completes the protocol filtering of packets, ensures the correct transmission and reception of network packets between the mobile node and the ground field management entity, and thereby strengthens the security of the system on the mobile node side.
Description of the drawings
Fig. 1 is a schematic diagram of a preferred embodiment of the method for filtering network packets based on a CS structure provided by the present invention;
Fig. 2 is a data flow diagram of the intermediate driver filtering network packets according to the present invention;
Fig. 3 is a data flow diagram of the interaction between the mobile node and the intermediate driver according to the present invention.
Embodiments
The invention provides a method and system for filtering network packets based on a CS structure.
Referring to Fig. 1, an embodiment of the method for filtering network packets based on a CS structure according to the present invention is provided; its specific steps are as follows:
1. Through the WEB management system carried by the ground field management entity, the system administrator configures the parameters to be filtered: filtering protocols and/or IP information and/or a filtering policy. The filtering protocols comprise one or more application protocols, which may be TCP, UDP, ICMP, IGMP, HTTP, FTP, SMTP, POP3, TELNET, IMAP, Citrix ICA, RDP, PCOIP and the like; the IP information may be the device source IP address, destination IP address, source port and/or destination port, etc.; the filtering policy comprises configurations such as allow and deny. The ground field management entity may be an ordinary server, an AIPN (Adaptive IP Network Technologies, adaptive IP mobile secure access technology) server, etc.
2. After the administrator has completed the configuration of the parameters to be filtered through the WEB management system of the ground field management entity, the ground field management entity can filter according to the configured filtering parameters. The filtering can be implemented with Iptables (the IP packet filtering system integrated in the Linux kernel).
3. The mobile node (for example an ordinary client, an AIPN client, etc.) establishes a connection with the ground field management entity side. In the preferred embodiment the connection is established by the security protocol of the Tri-element Peer Authentication (TePA) access control method; in other embodiments other prior-art methods may be used to establish the connection. After the connection with the ground field management entity has been established, data transfer between the mobile node and the ground field management entity uses a secure, well-known data encapsulation technique (the tunneling technique recorded in Chinese patent 200410073140.8 is recommended). The ground field management entity sends the protocol filtering parameters to the mobile node through this communication tunnel; after the mobile node receives the protocol filtering parameters, the protocol filtering module of the mobile node completes the filtering of the protocols to be filtered, so that the protocol filtering is finally completed on the mobile node and the security of the whole system is strengthened.
The protocol filtering module may be implemented by the intermediate driver program of the mobile node (an intermediate driver is a driver located between the miniport driver and the protocol driver; it is an interface reserved in the network driver stack that lets the user implement their own processing of packets), or by a service program of the mobile node (for example the service program recorded in Chinese patent 200810017919.6, etc.). Implementing the data filtering of the mobile node with an intermediate driver gives higher data communication efficiency.
The protocol filtering implemented by the intermediate driver described herein comprises two parts: (1) the intermediate driver filtering network packets, and (2) the interaction between the intermediate driver and the mobile node. The data flow diagrams and descriptions of these two parts are given below:
(1) Data flow diagram and description of the intermediate driver filtering network packets:
Referring to Fig. 2, the user first sends user data through an application program (for example IE browser, Foxmail, etc.); this may be, for example, HTTP data for accessing a website, or SMTP or POP3 data for sending and receiving mail. The user data passes through the Windows protocol driver, which encapsulates it into network packets. The intermediate driver can then filter the network packets: the intermediate driver receives a network packet and filters it according to the protocol filtering parameters the mobile node has sent to it; depending on the filtering result, the packet is either dropped or forwarded. The intermediate driver may encrypt the packet to form an encrypted packet, which is passed directly to the physical network card for sending; alternatively, the intermediate driver may pass the filtered packet directly to the physical network card without encryption. The packet or encrypted packet is encapsulated into an encapsulated packet. The encapsulated packet obtained by the intermediate driver becomes a new network packet at the physical network card and is sent to the ground field management entity.
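As an added illustration (not the patent's own code), the following Python models the filter that step 1 configures and that Fig. 2 describes: a rule set of protocols, IP information and an allow/deny policy is applied by the intermediate driver to each outbound IPv4 packet, which is then dropped or forwarded. Matching application protocols on their well-known TCP port, first-match semantics and a default policy of allow are assumptions made for this example, and the packets are constructed inline.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocols the patent lists as configurable filter targets.  IP-layer protocols are
# matched on the IPv4 protocol number; application protocols are matched as TCP with
# the well-known port on either side (an assumption made for this example).
IP_PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1, "IGMP": 2}
APP_PORT = {"HTTP": 80, "FTP": 21, "SMTP": 25, "POP3": 110, "TELNET": 23,
            "IMAP": 143, "Citrix ICA": 1494, "RDP": 3389, "PCOIP": 4172}


@dataclass
class FilterRule:
    """One entry of the filtering parameter configuration: protocol, IP information, policy."""
    protocol: str                  # key of IP_PROTO or APP_PORT
    policy: str                    # "allow" or "deny"
    src_ip: Optional[str] = None   # address or CIDR; None means any
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_ipv4(raw: bytes) -> Packet:
    """Parse the IPv4 header and, for TCP/UDP, the port pair (ICMP/IGMP carry none)."""
    if len(raw) < 20:
        raise ValueError("short packet")
    vihl = raw[0]
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport = dport = None
    if proto in (6, 17):
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack_from("!HH", raw, ihl)
    return Packet(proto, src, dst, sport, dport)


def _ip_match(pattern: Optional[str], addr: str) -> bool:
    return pattern is None or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    if rule.protocol in IP_PROTO:
        if pkt.proto != IP_PROTO[rule.protocol]:
            return False
    elif pkt.proto != 6 or APP_PORT[rule.protocol] not in (pkt.sport, pkt.dport):
        return False
    if not _ip_match(rule.src_ip, pkt.src) or not _ip_match(rule.dst_ip, pkt.dst):
        return False
    if rule.src_port is not None and pkt.sport != rule.src_port:
        return False
    if rule.dst_port is not None and pkt.dport != rule.dst_port:
        return False
    return True


def decide(rules, pkt: Packet, default: str = "allow") -> str:
    """Filtering decision of the intermediate driver: the first matching rule wins,
    otherwise the default policy applies (first-match and the default are assumptions)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.policy
    return default


def build_ipv4(proto: int, src: str, dst: str, sport=None, dport=None) -> bytes:
    """Constructed sample packet: minimal IPv4 header (checksum left 0) plus a
    20-byte transport header that carries only the port pair."""
    payload = struct.pack("!HH", sport, dport) + bytes(16) if sport is not None else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


if __name__ == "__main__":
    # Constructed configuration, as the management entity might push it over the tunnel.
    rules = [FilterRule("HTTP", "deny"), FilterRule("ICMP", "deny"),
             FilterRule("TCP", "allow", dst_ip="10.0.0.0/8")]
    for raw in (build_ipv4(6, "192.168.1.10", "10.1.2.3", 51000, 80),
                build_ipv4(6, "192.168.1.10", "10.1.2.3", 51001, 22),
                build_ipv4(1, "192.168.1.10", "10.1.2.3")):
        pkt = parse_ipv4(raw)
        print(pkt, "->", decide(rules, pkt))
```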
(2) Data flow diagram and description of the interaction between the mobile node and the intermediate driver:
Referring to Fig. 3, the mobile node forwards the filtering parameters to the intermediate driver through the I/O data handling program, and the intermediate driver forwards the filtering condition to the mobile node through I/O data processing; the mobile node sends a status query command to the I/O data handling program to query the state of the intermediate driver. In other embodiments, the process in which the mobile node sends a status query command to the I/O data handling program to query the state of the intermediate driver may be omitted.
The system provided by the present invention comprises the following three parts and their corresponding operations:
1. The ground field management entity WEB management system part performs the protocol parameter configuration: the protocol parameters to be filtered are configured through the WEB management system of the ground field management entity of the system, in preparation for the subsequent protocol filtering by the ground field management entity and the mobile node;
2. The ground field management entity part performs the corresponding protocol filtering at the ground field management entity according to the protocol filtering parameter configuration made through the WEB management system;
3. The mobile node part first establishes a connection with the ground field management entity side. In the preferred embodiment the connection is established by the security protocol of the Tri-element Peer Authentication (TePA) access control method; in other embodiments other prior-art methods may be used to establish the connection. After the connection has been established, the ground field management entity transmits the corresponding protocol filtering parameter configuration data to the mobile node side through the tunnel; after the mobile node receives the protocol filtering parameter configuration data, it performs the corresponding protocol filtering.

Claims (10)

1. A method for filtering network packets based on a CS structure, characterized in that the method comprises the following steps:
1) the ground field management entity and the mobile node establish a connection:
1.1) the parameters to be filtered are configured through the WEB management system carried by the ground field management entity;
1.2) the ground field management entity filters according to the configured filtering parameters;
1.3) after the ground field management entity and the mobile node have established a connection, the corresponding protocol filtering parameter configuration data is transmitted to the mobile node side through the communication tunnel between the ground field management entity and the mobile node;
2) the ground field management entity and the mobile node perform filtering:
2.1) the intermediate driver and the mobile node interact;
2.2) the intermediate driver filters the network packets.
2. The method for filtering network packets based on a CS structure according to claim 1, characterized in that in step 1.2) the ground field management entity uses Iptables to filter according to the configured filtering parameters.
3. The method for filtering network packets based on a CS structure according to claim 1, characterized in that a specific embodiment of step 2) is:
2.2.1) the mobile node sends user data, and the user data is encapsulated into network packets by the protocol driver;
2.2.2) the intermediate driver filters the network packets.
4. The method for filtering network packets based on a CS structure according to claim 3, characterized in that a specific embodiment of step 2.2.2) is:
2.2.2.1.1) after the intermediate driver receives a network packet, it filters the packet according to the protocol filtering parameters the mobile node has sent to it; depending on the filtering policy, the filtered packet is either dropped or forwarded;
2.2.2.1.2) the intermediate driver encrypts the filtered packet to form an encrypted packet;
2.2.2.1.3) the encrypted packet is encapsulated into an encapsulated packet;
2.2.2.1.4) the encapsulated packet obtained by the intermediate driver becomes a new network packet, which the physical network card then sends to the ground field management entity.
5. The method for filtering network packets based on a CS structure according to claim 3, characterized in that a specific embodiment of step 2.2.2) is:
2.2.2.2.1) after the intermediate driver receives a network packet, it filters the packet according to the protocol filtering parameters the mobile node has sent to it; depending on the filtering policy, the filtered packet is either dropped or forwarded;
2.2.2.2.2) the intermediate driver passes the filtered packet directly to the physical network card for sending; or the intermediate driver encapsulates the filtered packet into an encapsulated packet, and the encapsulated packet obtained by the intermediate driver becomes a new network packet at the physical network card and is then sent to the ground field management entity.
6. The method for filtering network packets based on a CS structure according to claim 1, 2, 3, 4 or 5, characterized in that a specific embodiment of step 2.1) is:
2.1.1) the mobile node forwards the filtering parameters to the intermediate driver through the I/O data handling program;
2.1.2) the intermediate driver forwards the filtering condition to the mobile node through I/O data processing.
7. The method for filtering network packets based on a CS structure according to claim 6, characterized in that the embodiment of step 2.1) further comprises, after step 2.1.2):
2.1.3) the mobile node sends a status query command to the I/O data handling program to query the state of the intermediate driver.
8. The method for filtering network packets based on a CS structure according to claim 7, characterized in that the intermediate driver is a driver located between the miniport driver and the protocol driver; it is an interface reserved in the network driver stack and implements a program that allows the user to process packets.
9. The method for filtering network packets based on a CS structure according to claim 1, characterized in that in step 1.1), when the parameters to be filtered are configured, the configuration is a filtering protocol, IP information or a filtering policy; the filtering protocol is one or more of the TCP, UDP, ICMP, IGMP, HTTP, FTP, SMTP, POP3, TELNET, IMAP, Citrix ICA, RDP and PCOIP protocols; the IP information is the device source IP address, destination IP address, source port or destination port; and the filtering policy is an allow or deny configuration.
10. A system for filtering network packets based on a CS structure, characterized in that the system comprises a ground field management entity WEB management system, a ground field management entity and a mobile node; the ground field management entity WEB management system configures the protocol parameters to be filtered; the ground field management entity performs the corresponding protocol filtering according to the protocol filtering parameter configuration made through the WEB management system; after the mobile node and the ground field management entity side establish a connection, the ground field management entity transmits the corresponding protocol filtering parameter configuration data to the mobile node side through the communication tunnel; and after the mobile node receives the protocol filtering parameter configuration data, the protocol filtering parameter configuration data processed by I/O is forwarded to the intermediate driver, and the intermediate driver performs the corresponding protocol filtering.
Application CN201010597645.XA, priority date 2010-12-20, filing date 2010-12-20: Method and system for filtering network packets based on CS (client/server) structure (Active, CN102025745B, en)


Publications (2)

Publication Number Publication Date
CN102025745A CN102025745A (en) 2011-04-20
CN102025745B (en) 2014-06-04

Family

ID=43866599


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368914A (en) * 2012-03-31 2013-10-23 百度在线网络技术(北京)有限公司 Method, apparatus and device for intercepting message

Citations (4)

Publication number Priority date Publication date Assignee Title
CN1260924A (en) * 1997-04-11 2000-07-19 Ent回波技术有限公司 Personal audio massage processor and method
CN1522019A (en) * 2003-02-12 2004-08-18 联想(北京)有限公司 Dynamically switching on/off TNS protocol communication port in firewall packet filtering
CN101227287A (en) * 2008-01-28 2008-07-23 华为技术有限公司 Data message processing method and data message processing equipment
CN101272246A (en) * 2008-04-09 2008-09-24 西安西电捷通无线网络通信有限公司 Data safety transmission method and system of virtual network card and physical network card

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
FR2945690B1 (en) * 2009-05-13 2011-05-20 Canon Kk METHOD AND DEVICE FOR PARAMETERSING A BRIDGE IN A COMMUNICATION NETWORK.


Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant