CN103731417A - Internal and external network database access method based on information exchange bus - Google Patents


Info

Publication number
CN103731417A
Authority
CN
China
Prior art keywords
data
packet
bus
data packet
information exchange
Prior art date
Legal status
Pending
Application number
CN201310680082.4A
Other languages
Chinese (zh)
Inventor
齐昕
周仁
李武兴
周亚楠
米娜
陈沛
Current Assignee
State Grid Corp of China SGCC
State Grid Tianjin Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Tianjin Electric Power Co Ltd
Priority date
2013-11-26
Filing date
2013-11-26
Publication date
2014-04-16

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an internal and external network database access method based on an information exchange bus. The steps include: (1) the bus parses the communication data entering the bus at the TCP/IP layer and performs packet analysis according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol; (2) TNS protocol packet processing, comprising several processing steps; (3) TDS protocol packet processing; (4) the filtered secure packets are sent through the bus's traffic forwarding to the designated database server. The method of the invention realizes secure information transmission across the internal and external networks of the power information system, further analyzes and filters database operations and access, and prevents database injection attacks from the external network against the power information intranet.

Description

Internal and external network database access method based on information exchange bus
Technical field
The invention belongs to the field of message-switching technology between the Internet and the power information intranet, within the field of enterprise information integration for power enterprise information systems, and in particular relates to an internal and external network database access method based on an information exchange bus.
Background technology
The power information network carries multiple business systems such as power market trading, bidding and marketing. Internally it provides services such as auditing, bid evaluation and accounting; externally it provides services such as publishing, bidding and payment. If information systems are divided into too many security levels, the data exchange between each pair of levels introduces large delays. For this reason, the power information network is divided into an information intranet and an information extranet. The information extranet is connected to the Internet through a firewall and belongs to the lower security level zone; the information intranet is logically isolated from the information extranet and physically isolated from the other internal data networks of the power company, and belongs to the high security level zone. Each business system is placed on the corresponding server of the information intranet or extranet according to its specific needs.
To guarantee the security of the power information system to the greatest extent, as much business as possible is placed on the information intranet; the servers that provide external services are located on the extranet, while all other hosts, such as internal servers and personal computers, are placed on the information intranet. Particular emphasis is placed on protecting data: the databases of all business systems are placed on the information intranet.
At present, because the security isolation bus is placed at the boundary between the information intranet and the information extranet, it must first play the basic role of a general firewall and guarantee control over each accessing host. The host IP addresses, MAC addresses, ports and so on of each business system of the power information network are relatively fixed, and the most widely used databases in the power system are Oracle database and SQL Server database, which together account for more than 90% of the database management systems in the power system. Oracle database communication uses the TNS protocol, while SQL Server and Sybase databases use the TDS protocol. The attack that information systems currently suffer most is the SQL injection attack against databases. If these two protocols can be parsed, and the JDBC driver used to perform offset analysis on them, the SQL statement can be reconstructed, which can basically meet the database access control needs of the power information system.
In addition, many businesses of the power information system communicate between the intranet and extranet through the bus; if the efficiency of this device is not high enough, it will become the bottleneck of intranet-extranet communication.
Summary of the invention
The object of the invention is to address the deficiencies of the prior art by providing an internal and external network database access method based on an information exchange bus.
The invention solves its technical problem by the following technical scheme:
An internal and external network database access method based on an information exchange bus, with the following steps:
(1) the bus parses the communication data entering the bus at the TCP/IP layer and performs packet analysis according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol;
(2) TNS protocol packet processing, the processing steps comprising:
1. parse the packet header to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. according to the parameters in the packet header, calculate the offset of the data within the packet and determine where the data is located;
3. extract the data and convert it into a database query string;
4. check the database query string against the configured filtering rules; statements that meet the filtering rules proceed to the next step, and the others are discarded;
(3) TDS protocol packet processing;
(4) the filtered secure packets are delivered to the designated database server through the bus's traffic forwarding.
Furthermore, the specific method by which step (1) performs packet analysis is:
1. according to the differences in the packet header, distinguish TDS protocol packets from TNS protocol packets; packets of the different protocols enter their own separate parsing channels;
2. the remaining packets are discarded.
Furthermore, the method steps by which step (3) processes TDS protocol packets are identical to the TNS protocol packet processing steps of step (2).
Advantages and positive effects of the invention
The invention provides a secure access method based on an information exchange bus for the secure access to and operation of databases by business application systems spanning the power information intranet and the Internet. The method realizes secure information transmission across the power information intranet and extranet, further analyzes and filters database operations and access, and prevents database injection attacks from the extranet against the power information intranet.
Description of the drawings
Fig. 1 is a schematic diagram of the principle of the information exchange bus on which the invention is based;
Fig. 2 is the basic logic flow of the internal and external network database access method based on an information exchange bus of the invention.
Embodiments
The embodiments of the invention are further described below with reference to the drawings. The following embodiments are descriptive, not limiting, and do not limit the scope of protection of the invention.
Basic principle of the invention
The method of the invention is realized by analyzing the network communication protocol and then, through analysis of the database access protocol carried in the Transmission Control Protocol/Internet Protocol (TCP/IP) communication stream, extracting the database query statement and filtering it.
As shown in Fig. 1, the bus first opens a communication port so that database access information from the extranet enters the bus through this entrance; the bus, through its internal circulation, passes this data into the database operation filtering proxy module; the proxy module parses the database protocol, separates out and reconstructs the query statement, and filters it according to the formulated rules; the filtered packets are sent out from the information exchange bus. In this way, secure access by the extranet to the intranet database is realized.
An internal and external network database access method based on an information exchange bus, as shown in Fig. 2, has the following steps:
(1) The bus parses the communication data entering the bus at the TCP/IP layer and performs packet analysis according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol; the specific method is:
1. according to the differences in the packet header, distinguish TDS protocol packets from TNS protocol packets; packets of the different protocols enter their own separate parsing channels;
2. the remaining packets are discarded;
(2) TNS protocol packet processing; the processing steps are as follows:
1. parse the packet header to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. according to the parameters in the packet header, calculate the offset of the data within the packet and determine where the data is located;
3. extract the data and convert it into a database query string;
4. check the database query string against the configured filtering rules, for example filtering out all database definition statements such as create table (Create), drop table (Drop) and delete statement (Delete); statements that meet the filtering rules proceed to the next step, and the packets belonging to statements that do not meet the rules are all discarded;
(3) TDS protocol packet processing; the processing steps are as follows:
1. parse the packet header to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. according to the parameters in the packet header, calculate the offset of the data within the packet and determine where the data is located;
3. extract the data and convert it into a database query string;
4. check the database query string against the configured filtering rules, for example filtering out all database definition statements such as create table (Create), drop table (Drop) and delete statement (Delete); statements that meet the filtering rules proceed to the next step, and the packets belonging to statements that do not meet the rules are all discarded;
(4) The filtered secure packets are delivered to the designated database server through the bus's traffic forwarding.
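The packet-processing procedure of steps (1) through (4) above, as an added worked example; this is not code from the patent or from State Grid. The frame layout, the protocol tag bytes, the packet-type numbers and the builder `build_packet` are constructed for this example and are not the real TNS or TDS wire formats; the function names (`parse_packet`, `rule_violation`, `process_packet`) and the `ALLOWED_VERBS` rule are likewise this example's own. The rule follows the text's example of excluding Create, Drop and Delete, but is implemented as an allow-list of statement verbs so that anything unrecognized is also discarded, and it also checks every statement of a `;`-separated batch, not only the first.

```python
"""Proxy-side packet parsing and query filtering, modelled on steps (1)-(4) of
the patent's embodiment.  The frame layout below is CONSTRUCTED for this
example and is not the real TNS or TDS wire format."""
import re
import struct
from typing import Optional, Tuple

# Constructed protocol tags (step (1): dispatch on the header).
TAG_TNS = 0x01   # stands in for an Oracle TNS packet
TAG_TDS = 0x02   # stands in for a SQL Server / Sybase TDS packet

# Constructed packet types (step (2).1: connect, accept, ack, refuse, redirect, data).
PTYPE_NAMES = {1: "connect", 2: "accept", 3: "ack", 4: "refuse", 5: "redirect", 6: "data"}

# tag, ptype, total_len, data_len, extra_len, reserved (constructed header)
HEADER = struct.Struct(">BBHHBB")
# total_len counts the whole frame; the query bytes start at HEADER.size + extra_len.

# Configured filtering rule (step (2).4): statements whose leading verb is in this
# allow-list "meet the rule"; CREATE/DROP/DELETE and anything unknown are discarded.
ALLOWED_VERBS = {"SELECT", "INSERT", "UPDATE"}

# Leading whitespace and SQL comments that may precede the first keyword.
_LEADING_COMMENT = re.compile(r"^(?:\s+|--[^\n]*\n|/\*.*?\*/)+", re.DOTALL)


def parse_packet(buf: bytes) -> Optional[dict]:
    """Steps (2).1-2: read the header, compute the data offset, slice the data.
    Returns None for anything malformed so the caller discards it."""
    if len(buf) < HEADER.size:
        return None
    tag, ptype, total_len, data_len, extra_len, _ = HEADER.unpack_from(buf)
    offset = HEADER.size + extra_len
    if total_len != len(buf) or offset + data_len > total_len:
        return None   # length fields disagree with what was actually received
    return {"tag": tag, "ptype": PTYPE_NAMES.get(ptype, "unknown"),
            "data": buf[offset:offset + data_len]}


def to_query_string(data: bytes) -> Optional[str]:
    """Step (2).3: turn the extracted data bytes into a query string."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def leading_verb(statement: str) -> str:
    """First SQL keyword after any leading whitespace or comments, upper-cased."""
    stripped = _LEADING_COMMENT.sub("", statement, count=1)
    m = re.match(r"[A-Za-z]+", stripped)
    return m.group(0).upper() if m else ""


def rule_violation(query: str) -> Optional[str]:
    """Step (2).4: None if every statement in the query meets the configured
    rule, otherwise the first verb that does not.  Splitting on ';' is
    deliberately crude: a literal containing ';' gets discarded rather than
    letting a second statement ride through unchecked."""
    checked = 0
    for stmt in query.split(";"):
        if not stmt.strip():
            continue
        checked += 1
        verb = leading_verb(stmt)
        if verb not in ALLOWED_VERBS:
            return verb or "<none>"
    return None if checked else "<none>"


def process_packet(buf: bytes) -> Tuple[str, str]:
    """Steps (1)-(4) for one frame: ("forward", reason) or ("discard", reason)."""
    pkt = parse_packet(buf)
    if pkt is None:
        return "discard", "malformed header or length mismatch"
    if pkt["tag"] not in (TAG_TNS, TAG_TDS):
        return "discard", "not a TNS/TDS packet"   # step (1).2: remaining packets dropped
    if pkt["ptype"] != "data":
        # Assumption of this example: handshake packets carry no query and pass through.
        return "forward", f"{pkt['ptype']} packet carries no query"
    query = to_query_string(pkt["data"])
    if query is None:
        return "discard", "data is not a valid query string"
    violation = rule_violation(query)
    if violation is None:
        return "forward", "query meets filtering rule"
    return "discard", f"{violation} does not meet filtering rule"


def build_packet(tag: int, ptype: int, data: bytes, extra: bytes = b"") -> bytes:
    """Constructed frame builder, used only to make sample input for this example."""
    total = HEADER.size + len(extra) + len(data)
    return HEADER.pack(tag, ptype, total, len(data), len(extra), 0) + extra + data


if __name__ == "__main__":
    for sample in (b"SELECT id FROM meters WHERE id = 1",
                   b"DROP TABLE meters",
                   b"/* x */ delete from meters",
                   b"SELECT 1; DROP TABLE meters"):
        print(sample.decode(), "->", process_packet(build_packet(TAG_TNS, 6, sample)))
```

Two design points matter for a filter of this kind. First, the length checks in `parse_packet` reject any frame whose header fields disagree with the bytes actually received, so a truncated or oversized packet is discarded instead of being sliced at a wrong offset. Second, the verb check strips leading comments and inspects each statement of a batch, because a rule that looks only at the first bytes of the string would let a statement hidden behind a comment or a `;` reach the intranet database; the cost is the occasional false positive on literals containing `;`, which in a default-deny proxy is the safer side to err on.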

Claims (3)

1. An internal and external network database access method based on an information exchange bus, characterized in that the steps are as follows:
(1) the bus parses the communication data entering the bus at the TCP/IP layer and performs packet analysis according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol;
(2) TNS protocol packet processing, the processing steps comprising:
1. parse the packet header to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. according to the parameters in the packet header, calculate the offset of the data within the packet and determine where the data is located;
3. extract the data and convert it into a database query string;
4. check the database query string against the configured filtering rules; statements that meet the filtering rules proceed to the next step, and the others are discarded;
(3) TDS protocol packet processing;
(4) the filtered secure packets are delivered to the designated database server through the bus's traffic forwarding.
2. The internal and external network database access method based on an information exchange bus according to claim 1, characterized in that the specific method by which step (1) performs packet analysis is:
1. according to the differences in the packet header, distinguish TDS protocol packets from TNS protocol packets; packets of the different protocols enter their own separate parsing channels;
2. the remaining packets are discarded.
3. The internal and external network database access method based on an information exchange bus according to claim 1, characterized in that the method steps by which step (3) processes TDS protocol packets are identical to the TNS protocol packet processing steps of step (2).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310680082.4A CN103731417A (en) 2013-11-26 2013-11-26 Internal and external network database access method based on information exchange bus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310680082.4A CN103731417A (en) 2013-11-26 2013-11-26 Internal and external network database access method based on information exchange bus

Publications (1)

Publication Number Publication Date
CN103731417A true CN103731417A (en) 2014-04-16

Family

ID=50455344

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310680082.4A Pending CN103731417A (en) 2013-11-26 2013-11-26 Internal and external network database access method based on information exchange bus

Country Status (1)

Country Link
CN (1) CN103731417A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104135414A (en) * 2014-08-20 2014-11-05 国家电网公司 Method for secondary safety protection of synchronous cross-district services based on information exchange bus
CN104135492A (en) * 2014-08-20 2014-11-05 国家电网公司 A method for exchanging information between internal and external networks based on information exchange bus
CN107465667A (en) * 2017-07-17 2017-12-12 全球能源互联网研究院有限公司 The safe synergic monitoring method and device of power network industry control based on stipulations deep analysis

Similar Documents

Publication Publication Date Title
WO2021196911A1 (en) Network security protection method and apparatus based on artificial intelligence, and electronic device
CN101656634B (en) Intrusion detection method based on IPv6 network environment
CN104702584B (en) A kind of Modbus communications access control methods based on self-learning-ruler
CN105282169B (en) Ddos attack method for early warning based on SDN controller threshold values and its system
CN204392296U (en) Secure isolation gateway in a kind of industrial control network
WO2021253366A1 (en) Switch encryption system
CN110636096B (en) Information Interaction Interface Service System of Electric Power Internal and External Network Based on Database Stored Procedure
CN104486336A (en) Device for safely isolating and exchanging industrial control networks
US20200014659A1 (en) System and method for midserver facilitation of long-haul transport of telemetry for cloud-based services
CN103139058A (en) Internet of things security access gateway
CN103746982B (en) A kind of http network condition code automatic generation method and its system
CN105488396B (en) A kind of intelligent grid service security gateway system based on data stream association analytical technology
CN102984170A (en) System and method for safe filtering of industrial control network
CN105897674A (en) DDoS attack protection method applied to CDN server group and system
CN104994065A (en) Access control list operation system and method based on software-defined network
CN102468987B (en) NetFlow characteristic vector extraction method
CN103731417A (en) Internal and external network database access method based on information exchange bus
CN107294966A (en) A kind of IP white list construction methods based on Intranet flow
CN103179039A (en) A Method of Efficiently Filtering Normal Network Data Packets
CN110958231A (en) Industrial control safety event monitoring platform and method based on Internet
CN104539600A (en) Industrial control firewall implementing method for supporting filtering IEC 104 protocol
CN109995720A (en) Heterogeneous device manages method, apparatus, system, equipment and medium concentratedly
CN102316115A (en) Security access control method oriented to transverse networking
CN102263837B (en) A kind of domain name system DNS analysis method and device
CN106789892B (en) Universal method for defending distributed denial of service attack for cloud platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 300010 Tianjin city Hebei District Wujing Road No. 39

Applicant after: State Grid Corporation of China

Applicant after: State Grid Tianjin Electric Power Company

Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant before: State Grid Corporation of China

Applicant before: State Grid Tianjin Electric Power Company

RJ01 Rejection of invention patent application after publication

Application publication date: 20140416