Summary of the invention
To remedy the defect described above, the invention provides a node protection method, a packet filtering device and a virtual networking system that protect a node effectively and reliably while preserving network performance.
The node protection method provided by the invention comprises:
a packet filtering device of a first node intercepts a message sent to the first node and searches a prestored authorized address list for the source address of the message; if the source address is present, the message passes the security check;
if a message that has passed the security check is detected to be a connection request message, the second node address carried in the connection request message is added to the authorized address list, so that messages from the second node address pass the security check; here the first node is the requested node of the connection request and the second node is the node that initiated the connection request.
The packet filtering device provided by the invention comprises:
a security check module, for intercepting a message sent to the first node and searching the prestored authorized address list for the source address of the message; if the source address is present, the message passes the security check;
a security policy update module, for adding, when a message that has passed the security check is detected to be a connection request message, the second node address carried in the connection request message to the authorized address list, so that messages from the second node address pass the security check; the first node is the requested node of the connection request and the second node is the node that initiated the connection request.
According to another aspect of the invention, a virtual networking system is also provided, comprising a first node, a second node and a server;
the first node is configured to intercept a message sent to the first node and search the prestored authorized address list for the source address of the message, the message passing the security check if the source address is present; and, when a message that has passed the security check is detected to be a connection request message, to add the second node address carried in the connection request message to the authorized address list, so that messages from the second node address pass the security check, and to send a connection response message carrying the first node address to the second node via the server;
the second node is configured to send the connection request message to the first node via the server, to intercept the connection response message sent by the first node, and to set the first node address carried in the connection response message as an authorized address of the second node, an authorized address being a source address from which the second node may receive messages;
the server is configured to forward the connection request message sent by the second node to the first node, and to forward the connection response message sent by the first node to the second node.
Because the node protection method, packet filtering device and virtual networking system of the invention update the authorized address list in response to connection request messages, authorized addresses can be configured dynamically for a node according to its communication needs. This avoids both an over-strict setting of authorized addresses that would impair normal use of the network and an over-loose setting that would lower security, achieving reasonable and effective node protection.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the technical solution of the present invention is described clearly and completely below with reference to the accompanying drawings.
Fig. 1 is the architecture diagram of a virtual network to which the node protection method of an embodiment of the present invention is applied. As shown in Fig. 1, the virtual network comprises a server, a plurality of client nodes and, for each client node, a corresponding packet filtering device arranged to protect that node; the packet filtering device may be arranged independently in front of the protected client node or integrated with it.
The node protection method of the embodiment is performed by the packet filtering devices in the virtual network. It is described in detail below by taking as an example the packet filtering device corresponding to a first node (any one of the client nodes) in the virtual network, which protects the first node.
Fig. 2 is the flow chart of the node protection method of the embodiment. As shown in Fig. 2, the node protection method comprises the following steps:
Step S100: the packet filtering device of the first node intercepts a message sent to the first node and searches the prestored authorized address list for the source address of the message; if the source address is present, the message passes the security check.
Step S100 may comprise:
Step S101: the packet filtering device of the first node prestores the address of a trusted node as an authorized address.
The packet filtering device holds a prestored authorized address list containing the source addresses whose messages are allowed to pass when messages sent to the first node are checked. The address of a trusted node is set as an authorized address; the trusted node is, for example, the server of the virtual network, and the description below takes the server as the trusted node. When the first node joins the virtual network, the packet filtering device treats the connection between the first node and the server as secure by default, i.e. the server is allowed to communicate with the first node.
When the first node joins the virtual network, it authenticates to the server and obtains from the server the names of all online client nodes of the virtual network; the server stores the names of all online client nodes in its IP address list, each name mapped to the IP address of the corresponding client node.
Step S102: intercept a message sent to the first node and parse out its source address.
The packet filtering device may use any packet parsing technique of the prior art to obtain the source address of the message.
Step S103: search the prestored authorized address list for the source address of the message; if it is present, allow the message through to be received by the first node.
The packet filtering device looks up the parsed source address in the authorized address list. If the list contains the address, the message is allowed through and received by the first node; otherwise the message is filtered out. In the initial state only the server address is set as an authorized address in the packet filtering device's list, so only messages sent by the server pass the security check and messages sent by any other client node are filtered out; the first node can therefore receive only messages from the server. Moreover, since the first node does not know the IP addresses of the other nodes, it cannot send messages to other client nodes; at this point no connection exists between the first node and any other client node and they cannot communicate.
Step S200: if a message that has passed the security check is detected to be a connection request message, add the second node address carried in the connection request message to the authorized address list, so that messages from the second node address pass the security check.
The first node is the requested node of the connection request, the second node is the node that initiated the connection request, and the second node may be any client node in the virtual network other than the first node.
Specifically, when the second node wishes to connect to the first node, it sends to the server a connection request carrying the second node's IP address and the first node's name. On receiving the connection request, the server looks up the first node's IP address in its stored IP address list by the first node's name and forwards the connection request to that IP address.
The packet filtering device further inspects each message to the first node that has passed the security check to determine whether it is a connection request message, and when it is, responds to the connection request message by establishing the connection. Step S200 may comprise:
Step S201: extract the keyword of the message that passed the security check.
The keyword of a message that passed the security check is extracted; keywords are agreed in advance within the virtual network and characterize the content of a message.
Step S202: if the keyword of the message is detected to be the predetermined keyword of a connection request message, extract the second node address carried in the message.
For example, the keyword agreed in advance in the virtual network for a connection request message is ConnectionRequest. If the keyword extracted in step S201 is ConnectionRequest, the message is recognized as a connection request message, and the second node address, i.e. the address of the node that initiated the request, is read from the agreed position in the message according to the pre-agreed message format (for example, if bytes 4 to 7 of a connection request message carry the address of the initiating node and bytes 8 to 11 carry the keyword, reading those bytes yields the keyword and the initiating node address).
Step S203: set the second node address as an authorized address, so that messages from the second node address pass the security check.
The packet filtering device adds the second node address obtained in step S202 to the authorized address list. Thereafter, whenever the packet filtering device intercepts a message sent to the first node whose source address is the server address or the second node address, it confirms that the message passes the security check.
According to the node protection method of the above embodiment, messages sent to a node are security-checked against the prestored authorized address list, and when a received message that passed the check is a connection request message, the second node address carried in it is added to the authorized address list, establishing a new secure connection for the first node; authorized addresses are thus configured dynamically according to communication needs. Because in the initial state only messages whose source address is that of the trusted node (for example the server) pass the security check, any connection request message received by the first node must have been forwarded via the trusted node, and under normal circumstances the second node that initiated the request has passed the server's security authentication; the second node carried in the connection request message is therefore a node that was already secure before communicating with the trusted node. Adding the second node address to the first node's authorized address list to establish the connection hence ensures that the first node connects only with secure nodes, fully protecting the node, while avoiding both an over-strict security policy that would impair normal use of the network and an over-loose policy that would lower security; reasonable and effective node protection is achieved.
Further, in the node protection method of the above embodiment, after the step of adding the second node address carried in the connection request message to the authorized address list when a message that passed the security check is detected to be a connection request message, the method also comprises: the first node sends a connection response message carrying the first node address to the second node via the trusted node; the packet filtering device of the second node receives the connection response message and sets the carried first node address as an authorized address of the second node, an authorized address of the second node being a source address from which the second node may receive messages. Setting the first node address as an authorized address of the second node is performed by the packet filtering device arranged for the second node.
Specifically, after updating its authorized address list in response to the connection request message, the first node also returns to the server a connection response message carrying its own IP address. On receiving the connection response message, the server forwards it to the node that initiated the connection request (the second node in this embodiment); the packet filtering device protecting the second node obtains the first node's IP address from the information carried in the connection response message and updates its authorized address list with that address (the steps are the same as the authorized address update for the first node in this embodiment). At this point the first node knows the IP address of the second node, the second node knows the IP address of the first node, and each has the other's IP address in its authorized address list, so a connection is established between the first and second nodes and they can communicate securely.
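The complete exchange of steps S100 to S203 together with the connection response leg just described, as an added example that is not part of the patent text: a Python model of two packet filtering devices and the relay server. The wire format (a fixed 12-byte header with the carried IPv4 address at bytes 4 to 7 and a 4-byte keyword code at bytes 8 to 11), the keyword codes CREQ/CRSP/DATA, the server's pending-request table and the server-side check that a request's carried address matches its sender are all assumptions of this example, not details given on the page.

```python
import ipaddress
import struct

# Wire format assumed by this example (illustrative, not the patent's own):
#   bytes 0-3   version
#   bytes 4-7   carried IPv4 address (initiator in a request, responder in a response)
#   bytes 8-11  4-byte keyword code
#   bytes 12-   payload; in a request, the name of the requested node
KW_CONNECT_REQUEST = b"CREQ"
KW_CONNECT_RESPONSE = b"CRSP"
KW_DATA = b"DATA"
HEADER = struct.Struct("!4s4s4s")


def build_message(keyword, carried_addr, payload=b""):
    packed = ipaddress.IPv4Address(carried_addr).packed
    return HEADER.pack(b"\x00\x00\x00\x01", packed, keyword) + payload


def parse_message(msg):
    """Steps S201/S202: read the keyword and the carried address at fixed offsets."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated header")
    _, addr, keyword = HEADER.unpack_from(msg)
    return keyword, str(ipaddress.IPv4Address(addr)), msg[HEADER.size:]


class PacketFilter:
    """Packet filtering device in front of one protected node."""

    def __init__(self, node_addr, server_addr):
        self.node_addr = node_addr
        self.server_addr = server_addr
        self.authorized = {server_addr}  # step S101: only the trusted node at first
        self.received = []               # messages delivered to the protected node
        self.outbox = []                 # (destination, message) the node sends

    def intercept(self, src_addr, msg):
        """Step S100 (allowlist check) followed by step S200 (policy update)."""
        if src_addr not in self.authorized:          # step S103
            return "dropped"
        keyword, carried, _ = parse_message(msg)
        if keyword == KW_CONNECT_REQUEST:             # steps S202/S203
            self.authorized.add(carried)
            reply = build_message(KW_CONNECT_RESPONSE, self.node_addr)
            self.outbox.append((self.server_addr, reply))
            return "request-authorized"
        if keyword == KW_CONNECT_RESPONSE:            # initiator side, via the server
            self.authorized.add(carried)
            return "response-authorized"
        self.received.append((src_addr, msg))
        return "delivered"


class Server:
    """Trusted relay: holds the name -> IP list and forwards both handshake messages."""

    def __init__(self, addr, directory):
        self.addr = addr
        self.directory = dict(directory)   # node name -> IP address
        self.pending = {}                  # requested node addr -> initiating node addr

    def relay(self, src_addr, msg):
        """Return (destination, message) to forward, or None to drop."""
        keyword, carried, payload = parse_message(msg)
        if keyword == KW_CONNECT_REQUEST:
            # Hardening added in this example: a client may only enrol its own address.
            dest = self.directory.get(payload.decode("ascii", "replace"))
            if carried != src_addr or dest is None:
                return None
            self.pending[dest] = src_addr
            return dest, msg
        if keyword == KW_CONNECT_RESPONSE:
            dest = self.pending.pop(src_addr, None)
            return None if dest is None else (dest, msg)
        return None   # the server relays nothing but the handshake


def run_handshake():
    """Second node (B) connects to first node (A); returns the filter decisions."""
    server = Server("10.0.0.1", {"node-a": "10.0.0.10", "node-b": "10.0.0.20"})
    a = PacketFilter("10.0.0.10", server.addr)   # first node: the requested node
    b = PacketFilter("10.0.0.20", server.addr)   # second node: the initiating node
    filters = {a.node_addr: a, b.node_addr: b}
    trace = []
    # 1. Before the handshake a direct packet from B is filtered out (step S103).
    trace.append(a.intercept(b.node_addr, build_message(KW_DATA, b.node_addr, b"early")))
    # 2. B -> server -> A: ConnectionRequest carrying B's address and A's name.
    req = build_message(KW_CONNECT_REQUEST, b.node_addr, b"node-a")
    dest, fwd = server.relay(b.node_addr, req)
    trace.append(filters[dest].intercept(server.addr, fwd))
    # 3. A -> server -> B: ConnectionResponse carrying A's address.
    _, reply = a.outbox.pop()
    dest, fwd = server.relay(a.node_addr, reply)
    trace.append(filters[dest].intercept(server.addr, fwd))
    # 4. Direct traffic now passes both ways; an unknown host is still dropped.
    trace.append(a.intercept(b.node_addr, build_message(KW_DATA, b.node_addr, b"hello")))
    trace.append(b.intercept(a.node_addr, build_message(KW_DATA, a.node_addr, b"hello back")))
    trace.append(a.intercept("10.0.0.99", build_message(KW_DATA, "10.0.0.99", b"stranger")))
    return trace, a, b
```

The trace returned by run_handshake shows the direct packet from the second node being dropped before the handshake, both filters learning each other's address only through messages whose source address is the server, and a third host still being filtered out afterwards. Note that the whole scheme rests on the source address of the intercepted packet: the filters never verify who actually emitted it, so on a transport that permits source-address spoofing, the server's address or any address already in the list can be forged. The server-side check that the carried address equals the sender's address is added here so that an authenticated client cannot enrol an arbitrary third address into the requested node's list.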
Fig. 3 is a schematic structural diagram of the packet filtering device of an embodiment of the present invention. As shown in Fig. 3, the packet filtering device 100 comprises:
a security check module 10, for intercepting a message sent to the first node and searching the prestored authorized address list for the source address of the message; if the source address is present, the message passes the security check;
a security policy update module 20, for adding, when a message that has passed the security check is detected to be a connection request message, the second node address carried in the connection request message to the authorized address list, so that messages from the second node address pass the security check; the first node is the requested node of the connection request and the second node is the node that initiated the connection request.
The packet filtering device 100 is integrated in a node or arranged independently in front of a node to provide node protection; the way it provides node protection is the same as the node protection method of any of the above embodiments and is not repeated here.
The packet filtering device 100 of the above embodiment is provided with a security check module that checks messages against the prestored authorized address list and the message source address, and with a security policy update module that, on detecting a connection request message, adds the second node (initiating node) address carried in it to the authorized address list. The authorized address list of a node is thus configured dynamically according to communication needs, avoiding both an over-strict setting of authorized addresses that would impair normal use of the network and an over-loose setting that would lower security, and providing reasonable and effective node protection.
Further, in the packet filtering device of the above embodiment, the security check module comprises:
an authorized address storage unit, for prestoring the authorized address list;
an address parsing unit, for intercepting a message sent to the first node and parsing out its source address;
a packet filtering unit, for searching the prestored authorized address list for the source address of the message and, if it is present, allowing the message through to be received by the first node.
Further, in the packet filtering device of the above embodiment, the security policy update module comprises:
a packet parsing unit, for extracting the keyword of the message and, if the keyword is detected to be the predetermined keyword of a connection request message, extracting the second node address carried in the message;
an authorized address update unit, for setting the second node address as an authorized address, so that messages from the second node address pass the security check.
Further, the packet filtering device of the above embodiment also comprises:
a connection response message interception module, for intercepting a connection response message sent to the node protected by the packet filtering device and setting the node address carried in the connection response message as an authorized address of the protected node, an authorized address being a source address from which the protected node may receive messages.
Fig. 4 is the architecture diagram of the virtual networking system of an embodiment of the present invention. As shown in Fig. 4, the system comprises a first node, a second node and a server;
the first node is configured to intercept a message sent to the first node and search the prestored authorized address list for the source address of the message, the message passing the security check if the source address is present; and, when a message that has passed the security check is detected to be a connection request message, to add the second node address carried in the connection request message to the authorized address list, so that messages from the second node address pass the security check, and to send a connection response message carrying the first node address to the second node via the server;
the second node is configured to send the connection request message to the first node via the server, to intercept the connection response message sent by the first node, and to set the first node address carried in the connection response message as an authorized address of the second node, an authorized address being a source address from which the second node may receive messages;
the server is configured to forward the connection request message sent by the second node to the first node, and to forward the connection response message sent by the first node to the second node.
The virtual networking system of the above embodiment dynamically updates the authorized address list of a node, protecting the node's security effectively while fully preserving network performance.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.