CN103731417A - Internal and external network database access method based on information exchange bus - Google Patents
- Publication number
- CN103731417A (application CN201310680082.4A)
- Authority
- CN
- China
- Prior art keywords
- data
- bus
- packet
- method based
- information exchange
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to an internal and external network database access method based on an information exchange bus. The method comprises: a first step in which the bus parses, at the TCP/IP layer, the communication data entering the bus and analyzes each packet according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol; a second step in which TNS packets are processed; a third step in which TDS packets are processed; and a fourth step in which the filtered, safe packets are forwarded by the bus to the designated database server. The method achieves secure transmission of information across the internal and external electric power information networks, further analyzes and filters database access operations, and prevents the external network from launching injection attacks against the databases of the internal electric power information network.
Description
Technical field
The invention belongs to the field of message-switching technology between the Internet and the electric power information intranet, within the field of enterprise information-system integration for power enterprises, and in particular relates to an intranet/extranet database access method based on an information exchange bus.
Background technology
The electric power information network carries multiple business systems such as power-market trading, bidding and marketing. Internally it provides services such as auditing, bid evaluation and accounting; externally it provides services such as publication, bidding and payment. If the information system were classified into too many security levels, the large volume of data exchanged between levels would introduce delays. For this reason the power information network is divided into an information intranet and an information extranet. The information extranet is connected to the Internet through a firewall and belongs to the lower-security zone; the information intranet is logically isolated from the information extranet and physically isolated from the other internal data networks of the power system, and belongs to the high-security zone. Each business system is placed on the servers of the information intranet or extranet according to its specific needs.
To guarantee the security of the power information system to the greatest extent, as much business as possible is placed on the information intranet; servers that provide services to the outside are located on the extranet, while all other hosts, including the remaining internal servers and personal computers, are placed on the information intranet. Because protecting data is the highest priority, the databases of all business systems are placed on the information intranet.
At present, because the security isolation bus is placed at the boundary between the information intranet and extranet, it must first play the basic role of a general firewall and guarantee control over each accessing host. The host IP addresses, MAC addresses and ports of each business system on the power information network are relatively fixed. The most widely used databases in the power system are Oracle and SQL Server, which together account for more than 90% of the database management systems in the electric power system. Oracle database communication uses the TNS protocol, while SQL Server and Sybase use the TDS protocol. The attack most frequently launched against information systems today is the SQL injection attack on the database. If these two protocols can be parsed, and offset analysis performed on them with the help of the JDBC driver, the SQL statements can be reconstructed, which is sufficient to meet the database access-control needs of the power information system.
In addition, many business systems of the power information system communicate across the intranet/extranet boundary through the bus; if the efficiency of this device is not high enough, it will become the bottleneck of intranet/extranet communication.
Summary of the invention
The object of the invention is to provide an intranet/extranet database access method based on an information exchange bus, addressing the deficiencies of the prior art.
The invention solves its technical problem by the following technical scheme:
An intranet/extranet database access method based on an information exchange bus, comprising the following steps:
(1) the bus parses, at the TCP/IP layer, the communication data entering the bus and performs packet analysis according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol;
(2) TNS packet processing, comprising the steps:
1. parsing the packet header to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. calculating, from the parameters in the packet header, the offset of the data within the packet, thereby locating the data;
3. extracting the data and converting it into a database query string;
4. examining the database query string against the configured filtering rules; statements that satisfy the filtering rules proceed to the next step, and all others are discarded;
(3) TDS packet processing;
(4) forwarding the filtered, safe packet through the bus to the designated database server.
Further, the specific method of packet analysis in step (1) is:
1. distinguishing TDS packets from TNS packets according to the differences in their packet headers, and routing the packets of each protocol into its own parsing channel;
2. discarding all remaining packets.
Further, the processing steps for TDS packets in step (3) are the same as the processing steps for TNS packets in step (2).
Advantages and positive effects of the invention
The invention provides a secure access method, based on an information exchange bus, for secure database access and operation by business application systems spanning the power information intranet and the Internet. The method achieves secure information transmission across the power information intranet and extranet, further analyzes and filters database access operations, and prevents database injection attacks from the extranet against the power information intranet.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of the principle of the information exchange bus on which the invention is based;
Fig. 2 is the basic logic flow of the intranet/extranet database access method based on an information exchange bus according to the invention.
Embodiment
The embodiments of the invention are further described below with reference to the accompanying drawings. The following embodiments are illustrative rather than limiting and do not restrict the scope of protection of the invention.
Basic principle of the invention
The method of the invention is implemented by analyzing the network communication protocol and then, based on analysis of the database access protocol carried in the TCP/IP communication stream, extracting the database query statement and filtering it.
As shown in Fig. 1, the bus first opens a communication port through which the database access traffic of the extranet enters the bus; the bus passes this data on to the database operation filtering proxy module; the proxy module parses the database protocol, reconstructs the query statement and filters it according to the configured rules; the filtered packets are then sent out of the information exchange bus. Secure database access from the extranet to the intranet is thereby achieved.
An intranet/extranet database access method based on an information exchange bus, as shown in Fig. 2, comprises the following steps:
(1) the bus parses, at the TCP/IP layer, the communication data entering the bus and performs packet analysis according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol; specifically,
1. TDS packets and TNS packets are distinguished according to the differences in their packet headers, and the packets of each protocol enter their own parsing channel;
2. all remaining packets are discarded;
(2) Transparent Network Substrate (TNS) packet processing, with the following steps:
1. the packet header is parsed to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. from the parameters in the packet header, the offset of the data within the packet is calculated, thereby locating the data;
3. the data is extracted and converted into a database query string;
4. the database query string is examined against the configured filtering rules, for example filtering out all data-definition statements such as creating a table (CREATE), dropping a table (DROP) and deleting (DELETE); statements that satisfy the filtering rules proceed to the next step, and the packets carrying statements that do not satisfy the rules are all discarded;
(3) Tabular Data Stream (TDS) packet processing, with the following steps:
1. the packet header is parsed to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. from the parameters in the packet header, the offset of the data within the packet is calculated, thereby locating the data;
3. the data is extracted and converted into a database query string;
4. the database query string is examined against the configured filtering rules, for example filtering out all data-definition statements such as creating a table (CREATE), dropping a table (DROP) and deleting (DELETE); statements that satisfy the filtering rules proceed to the next step, and the packets carrying statements that do not satisfy the rules are all discarded;
(4) the filtered, safe packet is forwarded through the bus to the designated database server.
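The four-step procedure above (and the identical steps in the summary and the claims), as an added worked example in Python that is not part of the patent and not State Grid's implementation. It constructs its own sample packets inline. Assumptions it makes beyond the page: the standard TNS header layout (2-byte big-endian length, 2-byte checksum, 1-byte type, 1-byte flags, 2-byte header checksum, with DATA packets carrying 2 bytes of data flags before the payload) and the standard TDS header layout (1-byte type, 1-byte status, 2-byte big-endian length, SPID, packet id, window, with an ALL_HEADERS block at the start of a SQL batch); the destination port (1521 or 1433) is used together with the header to select the parsing channel, which the patent does not mention; the TNS DATA payload is simplified to the raw statement text (a real payload is a TTC message that this example does not decode); and the filtering rule is the one the page gives (CREATE, DROP, DELETE), applied to every statement in a batch after stripping SQL comments and respecting semicolons inside string literals.

```python
import re
import struct

# TNS (Oracle) 8-byte header: length(2, BE) | checksum(2) | type(1) | flags(1) | header checksum(2)
TNS_TYPES = {1: "CONNECT", 2: "ACCEPT", 3: "ACK", 4: "REFUSE", 5: "REDIRECT", 6: "DATA"}
# TDS (SQL Server / Sybase) 8-byte header: type(1) | status(1) | length(2, BE) | spid(2) | packet id(1) | window(1)
TDS_TYPES = {0x01: "SQL_BATCH", 0x03: "RPC", 0x04: "TABULAR_RESULT", 0x0E: "TRANSACTION_MANAGER",
             0x10: "LOGIN7", 0x12: "PRE_LOGIN"}
TNS_PORT, TDS_PORT = 1521, 1433                    # assumption: default listener ports select the channel
BLOCKED_KEYWORDS = {"CREATE", "DROP", "DELETE"}    # the rule the page gives (DELETE is DML, but it is listed)


def classify(packet: bytes, dst_port: int):
    """Step (1): route the packet into the TNS or TDS parsing channel; None means discard."""
    if len(packet) < 8:
        return None
    if dst_port == TNS_PORT and packet[4] in TNS_TYPES \
            and struct.unpack(">H", packet[:2])[0] == len(packet):
        return "TNS"
    if dst_port == TDS_PORT and packet[0] in TDS_TYPES \
            and struct.unpack(">H", packet[2:4])[0] == len(packet):
        return "TDS"
    return None


def parse_tns(packet: bytes) -> dict:
    """Steps (2)-1 and (2)-2: header fields, then the offset and length of the data area."""
    pkt_len, _csum, ptype, _flags, _hcsum = struct.unpack(">HHBBH", packet[:8])
    offset = 10 if ptype == 6 else 8               # DATA packets carry 2 bytes of data flags first
    return {"type": TNS_TYPES.get(ptype, "UNKNOWN"), "packet_length": pkt_len,
            "data_offset": offset, "data_length": pkt_len - offset}


def parse_tds(packet: bytes) -> dict:
    """Steps (3)-1 and (3)-2: same fields for TDS, skipping the ALL_HEADERS block of a SQL batch."""
    ptype, _status, pkt_len, _spid, _pid, _win = struct.unpack(">BBHHBB", packet[:8])
    offset = 8
    if ptype == 0x01:                              # SQL batch (TDS 7.2+): little-endian total length first
        offset += struct.unpack("<I", packet[8:12])[0]
    return {"type": TDS_TYPES.get(ptype, "UNKNOWN"), "packet_length": pkt_len,
            "data_offset": offset, "data_length": pkt_len - offset}


def extract_query(packet: bytes, info: dict, proto: str) -> str:
    """Step 3: take the data out of the packet and turn it into a query string."""
    data = packet[info["data_offset"]: info["data_offset"] + info["data_length"]]
    if proto == "TDS":
        return data.decode("utf-16-le")            # SQL batch text is UTF-16LE
    # Simplification (assumption): the statement is the printable-ASCII run in the TNS payload;
    # a real DATA payload is a TTC message that needs its own decoder.
    m = re.search(rb"[\x20-\x7e]{4,}", data)
    return m.group().decode("ascii") if m else ""


_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)


def split_statements(sql: str) -> list:
    """Split on ';' outside single-quoted strings so each stacked statement is inspected."""
    stmts, cur, in_str = [], [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            stmts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    stmts.append("".join(cur))
    return [s for s in stmts if s.strip()]


def first_keyword(stmt: str) -> str:
    m = re.match(r"[A-Za-z_]+", _COMMENT.sub(" ", stmt).strip())
    return m.group().upper() if m else ""


def is_allowed(sql: str) -> bool:
    """Step 4: every statement in the batch must avoid the blocked keywords."""
    return all(first_keyword(s) not in BLOCKED_KEYWORDS for s in split_statements(sql))


def filter_packet(packet: bytes, dst_port: int):
    """Steps (1) to (4): ('forward', detail) for packets the bus may deliver, else ('discard', why)."""
    proto = classify(packet, dst_port)
    if proto is None:
        return "discard", "not a TNS/TDS packet"
    info = parse_tns(packet) if proto == "TNS" else parse_tds(packet)
    if info["type"] not in ("DATA", "SQL_BATCH"):
        return "forward", f"{proto} {info['type']} (no statement to inspect)"
    sql = extract_query(packet, info, proto)
    return ("forward" if is_allowed(sql) else "discard"), sql


# Constructed sample packets for the example (not captured traffic).
def build_tns_data(sql: str) -> bytes:
    body = b"\x00\x00" + sql.encode("ascii")       # data flags + simplified statement text
    return struct.pack(">HHBBH", 8 + len(body), 0, 6, 0, 0) + body


def build_tds_sql_batch(sql: str) -> bytes:
    all_headers = struct.pack("<IIH", 22, 18, 2) + bytes(8) + struct.pack("<I", 1)  # transaction descriptor header
    body = all_headers + sql.encode("utf-16-le")
    return struct.pack(">BBHHBB", 0x01, 0x01, 8 + len(body), 0, 1, 0) + body


if __name__ == "__main__":
    for pkt, port in [(build_tns_data("SELECT name FROM meter WHERE id = 1"), TNS_PORT),
                      (build_tns_data("DROP TABLE billing"), TNS_PORT),
                      (build_tds_sql_batch("SELECT 1; /* hidden */ DROP TABLE bid"), TDS_PORT),
                      (b"GET / HTTP/1.1\r\n", TDS_PORT)]:
        print(filter_packet(pkt, port))
```

Two caveats a deployment would have to address beyond what the page describes. A keyword blocklist on the leading token is easy to evade (dynamic SQL through EXEC or EXECUTE IMMEDIATE with concatenated strings, ALTER and TRUNCATE are not on the list, and the TDS RPC path carries statements as parameters rather than as a batch), so a production proxy parses the statement grammar and applies an allowlist of permitted operations per source host. Statements also span multiple TDS or TNS packets, so the stream must be reassembled per TCP connection before the offset calculation is meaningful.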
Claims (3)
1. An intranet/extranet database access method based on an information exchange bus, characterized in that the steps are as follows:
(1) the bus parses, at the TCP/IP layer, the communication data entering the bus and performs packet analysis according to the Tabular Data Stream (TDS) protocol and the Transparent Network Substrate (TNS) protocol;
(2) TNS packet processing, comprising the steps:
1. parsing the packet header to obtain the packet length, the data length and the packet type, the types including connect, accept, acknowledge, refuse and redirect;
2. calculating, from the parameters in the packet header, the offset of the data within the packet, thereby locating the data;
3. extracting the data and converting it into a database query string;
4. examining the database query string against the configured filtering rules; statements that satisfy the filtering rules proceed to the next step, and all others are discarded;
(3) TDS packet processing;
(4) forwarding the filtered, safe packet through the bus to the designated database server.
2. The intranet/extranet database access method based on an information exchange bus according to claim 1, characterized in that the specific method of packet analysis in step (1) is:
1. distinguishing TDS packets from TNS packets according to the differences in their packet headers, and routing the packets of each protocol into its own parsing channel;
2. discarding all remaining packets.
3. The intranet/extranet database access method based on an information exchange bus according to claim 1, characterized in that the processing steps for TDS packets in step (3) are the same as the processing steps for TNS packets in step (2).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310680082.4A CN103731417A (en) | 2013-11-26 | 2013-11-26 | Internal and external network database access method based on information exchange bus |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103731417A true CN103731417A (en) | 2014-04-16 |
Family
ID=50455344
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310680082.4A Pending CN103731417A (en) | 2013-11-26 | 2013-11-26 | Internal and external network database access method based on information exchange bus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103731417A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104135414A (en) * | 2014-08-20 | 2014-11-05 | 国家电网公司 | Method for secondary safety protection of synchronous cross-district services based on information exchange bus |
CN104135492A (en) * | 2014-08-20 | 2014-11-05 | 国家电网公司 | Internal and external network information exchange method based on information exchange bus |
CN107465667A (en) * | 2017-07-17 | 2017-12-12 | 全球能源互联网研究院有限公司 | The safe synergic monitoring method and device of power network industry control based on stipulations deep analysis |
Prosecution timeline
- 2013-11-26: CN201310680082.4A filed (publication CN103731417A), status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C53 | Correction of patent for invention or patent application | |
| CB02 | Change of applicant information | Address after: 300010 Tianjin city Hebei District Wujing Road No. 39; Applicant after: State Grid Corporation of China, State Grid Tianjin Electric Power Company. Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing; Applicant before: State Grid Corporation of China, State Grid Tianjin Electric Power Company |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20140416 |