CN103685306A - Method and device for integrating network safety equipment - Google Patents
Method and device for integrating network safety equipment
- Publication number: CN103685306A (application number CN201310728152.9A)
- Authority: CN (China)
- Prior art keywords: layers, protection module, layer network, message, header data
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention provides a method and a device for integrating network security equipment. The method comprises the following steps: S1, decomposing a received first packet that requires a security check into the parts of its data that relate to the forwarding information of each network layer; S2, distributing each part to the protection module of the corresponding network layer for a security check; S3, building a corresponding forwarding table or blacklist table from the check results output by each protection module; S4, matching subsequent packets that require a security check against the forwarding table or the blacklist table and acting according to the match result. Because different parts of a packet require security checks of different kinds, the method and device decompose the packet so that the checks run concurrently, which greatly improves packet processing speed.
Description
Technical field
The present invention relates to the field of network security technology, and specifically to a method and device for integrating network security equipment.
Background art
With the rapid development of computer networking technology, networks are widely used in fields such as the economy, the military, culture and education, finance and commerce; networks are effectively ubiquitous and are changing the way we work and live. While computer networks bring people convenience and benefit, they also confront people with enormous information-security challenges. How to protect the confidential information of individuals, enterprises and nations from intrusion by hackers and spies, and how to keep computer networks secure and running without interruption, are major issues that any national or organisational information-systems build-out must consider. Yet computer network security is a complex problem with a very wide scope: it involves technical factors as well as management factors, natural causes as well as human ones, and external security threats as well as internal hidden dangers.
Computer network security means using network management controls and technical measures to ensure that the confidentiality, integrity and availability of information and data are protected in a network environment. The basic goal of network security protection is to prevent information stored in or transmitted over a computer network from being used, destroyed or tampered with illegally. Firewall technology is a common computer network security technology for achieving this goal.
A so-called "firewall" is a method of separating an internal network from a public network (such as the Internet); it is in fact an isolation technique. A firewall is an access-control measure applied when two networks communicate: it admits the people and data you "approve" into your network while keeping the people and data you "reject" outside, blocking hackers on the network from accessing your network as far as possible and preventing important information from being altered, copied or damaged.
At present, the security protection of a network mainly comprises: layer-2 network attack protection (data link layer protection), layer-3 network attack protection (network layer protection) and layer-4 network attack protection (transport layer protection).
The current methods of network security protection are:
(1) purchase several network security appliances and chain them in series, so that the simple superposition of single-function devices achieves the security-protection objective;
(2) add network security modules to a single purchased network security appliance, with each module configured and maintained separately, to achieve the network-security-protection objective.
In the first method one buys several network security appliances, for example a firewall appliance to prevent layer-3 service network attacks, DDoS equipment deployed against layer-2 service network attacks, and WAF, IPS and IDS equipment to prevent layer-4 service network attacks, and chains the appliances together to clean the traffic. For the user this method is costly, hard to maintain and inefficient.
The IP five-tuple consists of: source IP address, destination IP address, protocol number, source port and destination port. Conventional firewalls all forward packets according to the connection state of a data flow identified by its IP five-tuple. The advantage of this method is that once the first packet has passed the security check, a connection entry can be created; every subsequent packet that matches the entry is regarded as safe and is passed directly without being checked again, so packets are checked and forwarded quickly and securely. Some packets, however, require service checks that are not based on the five-tuple, and for these the firewall needs additional checking modules. The result is that the firewall first processes the layer-3 service and then scans the layer-4 service again; and if layer-2 attack protection is also required, a dedicated layer-2 attack-protection service has to be added as well. In effect the layer-2, layer-3 and layer-4 services are simply processed in series. Using the IP five-tuple alone is very fast, but when all three kinds of service have to be processed at once, the same packet is scanned again and again by each service in turn: a connection table is created, the packet is scanned again, another connection table is created, and processing becomes very slow.
A method for integrating network security equipment is therefore needed to solve the problems above.
Summary of the invention
To address the problems above, the invention provides a method and device for integrating network security equipment.
According to one aspect of the invention, a method for integrating network security equipment is provided, comprising the following steps: S1, decomposing a received first packet that requires a security check into the parts of its data that relate to the forwarding information of each network layer; S2, distributing each part to the protection module of the corresponding network layer for a security check; S3, building a corresponding forwarding table or blacklist table from the check results output by each protection module; S4, matching subsequent packets that require a security check against the forwarding table or the blacklist table and acting according to the match result.
Further, the protection modules of the network layers are protection modules integrated in matrix form in the same piece of equipment.
Further, the protection modules of the network layers comprise: a layer-2 network protection module, a layer-3 network protection module and a layer-4 network protection module;
wherein step S1 specifically is: decomposing the received first packet that requires a security check, so as to extract the layer-2 header data, the layer-3 header data and the layer-4 header data;
and step S2 specifically is: copying the packet's layer-2 header data and distributing the copy to the layer-2 network protection module, copying the packet's layer-3 header data and distributing the copy to the layer-3 network protection module, and copying the layer-4 header data and distributing the copy to the layer-4 network protection module.
Further, step S3 specifically is: according to the check results, when the result for layer 2, layer 3 or layer 4 is that forwarding is forbidden, the packet is discarded directly and a blacklist table is created which holds only the layer-2, layer-3 or layer-4 characteristic information for which forwarding is forbidden; when the result is that the packet may be forwarded, a forwarding table is created which contains the layer-2, layer-3 or layer-4 characteristic information of the packet that may be forwarded.
Further, step S4 specifically is: when a subsequent packet requires a security check, it is first matched against the blacklist table; if it matches, the packet is discarded; if it does not match, it is matched against the forwarding table; once all the characteristics of every network layer match an entry in the forwarding table, the packet is forwarded; if there is no match, the packet is regarded as a first packet requiring a security check and processing starts from step S1.
According to another aspect of the invention, a device for integrating network security equipment is provided, comprising the following parts: a decomposition unit, for decomposing a received first packet that requires a security check into the parts of its data that relate to the forwarding information of each network layer; a distribution unit, for distributing each part to the protection module of the corresponding network layer for a security check; a creation unit, for building a corresponding forwarding table or blacklist table from the check results output by each protection module; and a processing unit, for matching subsequent packets that require a security check against the forwarding table or the blacklist table and acting according to the match result.
Further, the protection modules of the network layers are protection modules integrated in matrix form in the same piece of equipment.
Further, the protection modules of the network layers comprise: a layer-2 network protection module, a layer-3 network protection module and a layer-4 network protection module;
wherein the decomposition unit is specifically for: decomposing the received first packet that requires a security check, so as to extract the layer-2 header data, the layer-3 header data and the layer-4 header data;
and the distribution unit is specifically for: copying the packet's layer-2 header data and distributing the copy to the layer-2 network protection module, copying the packet's layer-3 header data and distributing the copy to the layer-3 network protection module, and copying the layer-4 header data and distributing the copy to the layer-4 network protection module.
Further, the creation unit is specifically for: according to the check results, when the result for layer 2, layer 3 or layer 4 is that forwarding is forbidden, discarding the packet directly and creating a blacklist table which holds only the layer-3 characteristic information for which forwarding is forbidden; when the result is that the packet may be forwarded, creating a forwarding table which contains the layer-2, layer-3 and layer-4 characteristic information of the packet that may be forwarded.
Further, the processing unit is specifically for: when a subsequent packet requires a security check, first matching it against the blacklist table; if it matches, discarding the packet; if it does not match, matching it against the forwarding table; once all the characteristics of every network layer match an entry in the forwarding table, forwarding the packet; if there is no match, regarding the packet as a first packet requiring a security check and sending it to the decomposition unit for processing.
The invention has the following advantages:
The method and device for integrating network security equipment of the invention exploit the fact that different parts of a packet require security checks of different kinds, and disassemble the packet so that the checks run concurrently, which greatly improves packet processing speed. Equipment needs to be purchased only once to obtain high-performance, high-reliability security equipment.
Besides the objects, features and advantages described above, the invention has further objects, features and advantages, which are explained in more detail below with reference to the figures.
The accompanying drawings, which form part of this application, are provided to give a further understanding of the invention; the schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it.
Brief description of the drawings
Fig. 1 is a flow chart of the method for integrating network security equipment of the invention;
Fig. 2 is a flow chart of step S4 in the method for integrating network security equipment of the invention;
Fig. 3 is a schematic diagram of the structure of the device for integrating network security equipment of the invention.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in more detail below in conjunction with the embodiments and with reference to the drawings. It should be understood that these descriptions are exemplary and are not intended to limit the scope of the invention. In addition, descriptions of known structures and techniques are omitted below to avoid unnecessarily obscuring the concepts of the invention.
Fig. 1 shows a flow chart of the method for integrating network security equipment of the invention.
As shown in Fig. 1, the method for integrating network security equipment of the invention comprises the following steps:
S1, decomposing a received first packet that requires a security check into the parts of its data that relate to the forwarding information of each network layer;
S2, distributing each part to the protection module of the corresponding network layer for a security check;
S3, building a corresponding forwarding table or blacklist table from the check results output by each protection module;
S4, matching subsequent packets that require a security check against the forwarding table or the blacklist table and acting according to the match result.
The protection modules of the network layers are protection modules integrated in matrix form in the same piece of equipment.
The protection modules of the network layers comprise: a layer-2 network protection module, a layer-3 network protection module and a layer-4 network protection module;
wherein step S1 specifically is: decomposing the received first packet that requires a security check, so as to extract the layer-2 header data, the layer-3 header data and the layer-4 header data;
and step S2 specifically is: copying the packet's layer-2 header data and distributing the copy to the layer-2 network protection module, copying the packet's layer-3 header data and distributing the copy to the layer-3 network protection module, and copying the layer-4 header data and distributing the copy to the layer-4 network protection module.
Step S3 specifically is: according to the check results, when the result for layer 2, layer 3 or layer 4 is that forwarding is forbidden, the packet is discarded directly and a blacklist table is created which holds only the layer-2, layer-3 or layer-4 characteristic information for which forwarding is forbidden; when the result is that the packet may be forwarded, a forwarding table is created which contains the layer-2, layer-3 or layer-4 characteristic information of the packet that may be forwarded.
It can be seen that by splitting the packet, distributing each part to the corresponding security protection module for a security check, having each module output its check result, analysing the results and building the corresponding forwarding table or blacklist table, the method exploits the fact that different parts of a packet require security checks of different kinds and disassembles the packet so that the checks run concurrently, which greatly improves packet processing speed. In addition, the packet is described by its five-tuple characteristic information and matched comprehensively in a single pass, which avoids the inefficiency of copying the packet and matching it repeatedly.
Fig. 2 is a flow chart of step S4 in the method for integrating network security equipment of the invention.
As shown in Fig. 2, step S4 specifically is: when a subsequent packet requires a security check, it is first matched against the blacklist table; if it matches, the packet is discarded; if it does not match, it is matched against the forwarding table; once all the characteristics of every network layer match an entry in the forwarding table, the packet is forwarded; if there is no match, the packet is regarded as a first packet requiring a security check and processing starts from step S1.
By matching subsequent packets directly against the forwarding table and blacklist table that have already been built, the efficiency of security-check processing for forwarded packets is improved.
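The following is an added illustration of steps S1 to S4 as described above and of the five-tuple flow-cache behaviour discussed in the background section; it is not code from the patent or from any product. A packet is decomposed into per-layer header data (S1), copies are checked by three protection modules running concurrently in one device (S2), the verdicts populate a forwarding table or a blacklist table (S3), and later packets are matched against those tables before any full check (S4). The packet fields, the three per-layer policies (a blocked source MAC, a blocked source prefix, a blocked destination port) and the sample packets are all constructed for this example and are assumptions, not details from the page.

```python
"""Added illustration of steps S1-S4 (constructed; not code from the patent)."""
import ipaddress
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

@dataclass(frozen=True)
class Packet:
    """Header fields a device would extract from the wire (constructed model)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int

Features = Tuple     # the per-layer "characteristic information"
LAYERS = (2, 3, 4)

def decompose(pkt: Packet) -> Dict[int, Features]:
    """S1: split the header into the part each layer's module needs.
    Each part is an independent copy, so the modules can run concurrently."""
    return {
        2: (pkt.src_mac, pkt.dst_mac),
        3: (pkt.src_ip, pkt.dst_ip, pkt.proto),
        4: (pkt.proto, pkt.src_port, pkt.dst_port),
    }

# Constructed policies standing in for the layer-2/3/4 protection modules.
BLOCKED_MACS = {"02:00:00:00:00:01"}                    # layer 2: a known-bad source MAC
BLOCKED_NET = ipaddress.ip_network("203.0.113.0/24")     # layer 3: TEST-NET-3 as a blocked source range
BLOCKED_DST_PORTS = {23}                                 # layer 4: telnet not allowed inbound

def l2_check(l2: Features) -> bool:
    src_mac, _dst_mac = l2
    return src_mac not in BLOCKED_MACS

def l3_check(l3: Features) -> bool:
    src_ip, _dst_ip, _proto = l3
    return ipaddress.ip_address(src_ip) not in BLOCKED_NET

def l4_check(l4: Features) -> bool:
    _proto, _src_port, dst_port = l4
    return dst_port not in BLOCKED_DST_PORTS

class IntegratedDevice:
    """All three layers' protection modules in one device, plus the
    forwarding table and blacklist table of step S3."""

    def __init__(self, modules: Dict[int, Callable[[Features], bool]]):
        self.modules = modules
        self.blacklist: set = set()    # (layer, features) that a module refused
        self.forwarding: set = set()   # (l2, l3, l4) feature triples cleared by every module

    def first_packet(self, parts: Dict[int, Features]) -> str:
        """S2 + S3: check every layer concurrently, then record the verdict."""
        with ThreadPoolExecutor(max_workers=len(parts)) as pool:
            futures = {layer: pool.submit(self.modules[layer], parts[layer])
                       for layer in parts}
            verdicts = {layer: f.result() for layer, f in futures.items()}
        refusing = [layer for layer in LAYERS if not verdicts[layer]]
        if refusing:
            # Only the refusing layer's features are stored, so any later packet
            # that shares those features is dropped without a full check.
            for layer in refusing:
                self.blacklist.add((layer, parts[layer]))
            return "drop"
        self.forwarding.add(tuple(parts[layer] for layer in LAYERS))
        return "forward"

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        """S4: blacklist first, then forwarding table, otherwise a full check (S1-S3).
        Returns (action, the path that decided it)."""
        parts = decompose(pkt)
        for layer in LAYERS:
            if (layer, parts[layer]) in self.blacklist:
                return "drop", "blacklist"
        if tuple(parts[layer] for layer in LAYERS) in self.forwarding:
            return "forward", "forwarding-table"
        return self.first_packet(parts), "full-check"

def build_device() -> IntegratedDevice:
    return IntegratedDevice({2: l2_check, 3: l3_check, 4: l4_check})

# Constructed sample traffic using documentation address ranges.
GOOD = Packet("02:00:00:00:00:aa", "02:00:00:00:00:bb", "192.0.2.10", "198.51.100.5", 6, 40000, 443)
TELNET = Packet("02:00:00:00:00:aa", "02:00:00:00:00:bb", "192.0.2.10", "198.51.100.5", 6, 40000, 23)
OTHER_TELNET = Packet("02:00:00:00:00:cc", "02:00:00:00:00:bb", "192.0.2.11", "198.51.100.5", 6, 40000, 23)

if __name__ == "__main__":
    dev = build_device()
    for pkt in (GOOD, GOOD, TELNET, TELNET, OTHER_TELNET):
        print(pkt.src_ip, pkt.dst_port, dev.handle(pkt))
```

Two points of the procedure show up in the results. The forwarding table is keyed on the characteristic information of all three layers together, so a repeated packet is forwarded from the table only when every layer's features match, which is the "all features of each network layer" condition of step S4. The blacklist table stores only the features of the layer that refused forwarding, so a packet from a different host that repeats the refused layer-4 features is dropped from the blacklist without the packet ever being re-scanned by the three modules.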
Fig. 3 is a schematic diagram of the structure of the device for integrating network security equipment of the invention.
As shown in Fig. 3, the device for integrating network security equipment of the invention comprises the following parts:
a decomposition unit, for decomposing a received first packet that requires a security check into the parts of its data that relate to the forwarding information of each network layer;
a distribution unit, for distributing each part to the protection module of the corresponding network layer for a security check;
a creation unit, for building a corresponding forwarding table or blacklist table from the check results output by each protection module;
a processing unit, for matching subsequent packets that require a security check against the forwarding table or the blacklist table and acting according to the match result.
The protection modules of the network layers are protection modules integrated in matrix form in the same piece of equipment.
The protection modules of the network layers comprise: a layer-2 network protection module, a layer-3 network protection module and a layer-4 network protection module;
wherein the decomposition unit is specifically for: decomposing the received first packet that requires a security check, so as to extract the layer-2 header data, the layer-3 header data or the layer-4 header data;
and the distribution unit is specifically for: copying the packet's layer-2 header data and distributing the copy to the layer-2 network protection module, copying the packet's layer-3 header data and distributing the copy to the layer-3 network protection module, and copying the layer-4 header data and distributing the copy to the layer-4 network protection module.
The creation unit is specifically for: according to the check results, when the result for layer 2, layer 3 or layer 4 is that forwarding is forbidden, discarding the packet directly and creating a blacklist table which holds only the layer-3 characteristic information for which forwarding is forbidden; when the result is that the packet may be forwarded, creating a forwarding table which contains the layer-2, layer-3 or layer-4 characteristic information of the packet that may be forwarded.
The processing unit is specifically for: when a subsequent packet requires a security check, first matching it against the blacklist table; if it matches, discarding the packet; if it does not match, matching it against the forwarding table; once all the characteristics of every network layer match an entry in the forwarding table, forwarding the packet; if there is no match, regarding the packet as a first packet requiring a security check and sending it to the decomposition unit for processing.
In summary, the method for integrating network security equipment of the invention exploits the fact that different parts of a packet require security checks of different kinds, and disassembles the packet so that the checks run concurrently, which greatly improves packet processing speed. Equipment needs to be purchased only once to obtain high-performance, high-reliability security equipment.
It should be understood that the embodiments of the invention described above serve only to illustrate or explain the principles of the invention and are not to be construed as limiting it. Therefore any modification, equivalent substitution, improvement and the like made without departing from the spirit and scope of the invention shall fall within its scope of protection. Furthermore, the appended claims are intended to cover all variations and modifications that fall within the scope and boundaries of the claims or within the equivalents of that scope and those boundaries.
Claims (10)
1. A method for integrating network security equipment, characterized in that it comprises the following steps:
S1, decomposing a received first packet that requires a security check into the parts of its data that relate to the forwarding information of each network layer;
S2, distributing each part to the protection module of the corresponding network layer for a security check;
S3, building a corresponding forwarding table or blacklist table from the check results output by each protection module;
S4, matching subsequent packets that require a security check against the forwarding table or the blacklist table and acting according to the match result.
2. The method for integrating network security equipment according to claim 1, characterized in that the protection modules of the network layers are protection modules integrated in matrix form in the same piece of equipment.
3. The method for integrating network security equipment according to claim 1, characterized in that the protection modules of the network layers comprise: a layer-2 network protection module, a layer-3 network protection module and a layer-4 network protection module;
wherein step S1 specifically is: decomposing the received first packet that requires a security check, so as to extract the layer-2 header data, the layer-3 header data and the layer-4 header data;
and step S2 specifically is: copying the packet's layer-2 header data and distributing the copy to the layer-2 network protection module, copying the packet's layer-3 header data and distributing the copy to the layer-3 network protection module, and copying the layer-4 header data and distributing the copy to the layer-4 network protection module.
4. The method for integrating network security equipment according to claim 1, wherein step S3 specifically is: according to the check results, when the result for layer 2, layer 3 or layer 4 is that forwarding is forbidden, the packet is discarded directly and a blacklist table is created which holds only the layer-2, layer-3 or layer-4 characteristic information for which forwarding is forbidden; when the result is that the packet may be forwarded, a forwarding table is created which contains the layer-2, layer-3 or layer-4 characteristic information of the packet that may be forwarded.
5. The method for integrating network security equipment according to claim 1, wherein step S4 specifically is: when a subsequent packet requires a security check, it is first matched against the blacklist table; if it matches, the packet is discarded; if it does not match, it is matched against the forwarding table; once all the characteristics of every network layer match an entry in the forwarding table, the packet is forwarded; if there is no match, the packet is regarded as a first packet requiring a security check and processing starts from step S1.
6. A device for integrating network security equipment, characterized in that it comprises the following parts:
a decomposition unit, for decomposing a received first packet that requires a security check into the parts of its data that relate to the forwarding information of each network layer;
a distribution unit, for distributing each part to the protection module of the corresponding network layer for a security check;
a creation unit, for building a corresponding forwarding table or blacklist table from the check results output by each protection module;
a processing unit, for matching subsequent packets that require a security check against the forwarding table or the blacklist table and acting according to the match result.
7. The device according to claim 6, characterized in that the protection modules of the network layers are protection modules integrated in matrix form in the same piece of equipment.
8. The device according to claim 6, characterized in that the protection modules of the network layers comprise: a layer-2 network protection module, a layer-3 network protection module and a layer-4 network protection module;
wherein the decomposition unit is specifically for: decomposing the received first packet that requires a security check, so as to extract the layer-2 header data, the layer-3 header data and the layer-4 header data;
and the distribution unit is specifically for: copying the packet's layer-2 header data and distributing the copy to the layer-2 network protection module, copying the packet's layer-3 header data and distributing the copy to the layer-3 network protection module, and copying the layer-4 header data and distributing the copy to the layer-4 network protection module.
9. The device according to claim 6, wherein the creation unit is specifically for: according to the check results, when the result for layer 2, layer 3 or layer 4 is that forwarding is forbidden, discarding the packet directly and creating a blacklist table which holds only the layer-2, layer-3 or layer-4 characteristic information for which forwarding is forbidden; when the result is that the packet may be forwarded, creating a forwarding table which contains the layer-2, layer-3 or layer-4 characteristic information of the packet that may be forwarded.
10. The device according to claim 6, wherein the processing unit is specifically for: when a subsequent packet requires a security check, first matching it against the blacklist table; if it matches, discarding the packet; if it does not match, matching it against the forwarding table; once all the characteristics of every network layer match an entry in the forwarding table, forwarding the packet; if there is no match, regarding the packet as a first packet requiring a security check and sending it to the decomposition unit for processing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310728152.9A CN103685306A (en) | 2013-12-20 | 2013-12-20 | Method and device for integrating network safety equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310728152.9A CN103685306A (en) | 2013-12-20 | 2013-12-20 | Method and device for integrating network safety equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103685306A true CN103685306A (en) | 2014-03-26 |
Family
ID=50321620
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310728152.9A Pending CN103685306A (en) | 2013-12-20 | 2013-12-20 | Method and device for integrating network safety equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103685306A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1794661A (en) * | 2005-12-26 | 2006-06-28 | 北京交通大学 | Network performance analysis report system based on IPv6 and its implementing method |
CN101753333A (en) * | 2008-11-28 | 2010-06-23 | 中华电信股份有限公司 | Management system for integrated information security service and the protection method thereof |
CN101800753A (en) * | 2010-03-16 | 2010-08-11 | 中国电子科技集团公司第三十研究所 | Comprehensive safety protecting method based on integral network safety service framework |
US20110004932A1 (en) * | 2009-05-08 | 2011-01-06 | Oliver Spatscheck | Firewall for tunneled IPv6 traffic |
CN102143143A (en) * | 2010-10-15 | 2011-08-03 | 华为数字技术有限公司 | Method and device for defending network attack, and router |
Events
- 2013-12-20: application CN201310728152.9A filed in China, published as CN103685306A; status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2014-03-26