CN103780601A - Method for automatically establishing Ethernet communication safety rules - Google Patents


Info

Publication number
CN103780601A
Authority
CN
China
Prior art keywords
rule
information
safety regulation
communication
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310552467.2A
Other languages
Chinese (zh)
Inventor
谷永国
何迪江
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Original Assignee
BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-10-17
Filing date
2013-10-16
Publication date
2014-05-07

Abstract

The invention relates to a method for automatically establishing Ethernet communication security rules. The steps are as follows: 1, a security device is connected to a network; 2, the security device passively acquires data packets from the Ethernet; 3, the security device sends each acquired packet to a protocol analysis module; 4, the protocol analysis module analyzes the content of the packet, identifies the type of communication protocol, and determines whether it is an industrial communication protocol; 5, if it is an industrial communication protocol, the key information in the packet is parsed and extracted; 6, the extracted information is sent to a rule-assisted generation wizard module; and 7, the wizard module receives the information and, after judging that it is complete, forms the security rule. The method forms security rules from the data observed in actual communication, so that rule configuration is targeted, omits nothing, and saves effort, while preserving real-time transmission and data integrity in the industrial network.

Description

Method for automatically establishing Ethernet communication security rules
Technical field
The present invention relates to the field of communication security, and in particular to a method for automatically establishing Ethernet communication security rules.
Background technology
When a firewall currently on the market is deployed in a network, its rules must first be configured. Firewall rule configuration is very laborious: before configuring, a large amount of network information has to be collected, such as which devices are in the network, which devices' packets are allowed through, and which are to be rejected. Once the information has been collected it must be entered into the firewall rule list, but adding rules is error-prone, and once a rule is misconfigured some legitimate packets may be blocked, disrupting normal communication. In an industrial network the impact is greater, because real-time transmission and data integrity must be guaranteed there.
Summary of the invention
To solve the above technical problem, the invention provides a method that can automatically establish Ethernet communication security rules.
To achieve the above object, the technical scheme provided by the present invention is:
A method for automatically establishing Ethernet communication security rules, comprising the following steps:
Step 1: a security device is connected to the network;
Step 2: the security device passively acquires packets from the Ethernet network;
Step 3: the security device sends the acquired packets to a protocol analysis module;
Step 4: the protocol analysis module parses the network-layer, transport-layer and application-layer content of the packet, obtains its communication protocol type, and determines whether it is an industrial communication protocol;
Step 5: if it is an industrial communication protocol, the key information in the packet is parsed and extracted;
Step 6: the extracted information is sent to a rule-assisted generation wizard module;
Step 7: after the rule-assisted generation wizard module receives the information, it judges whether the information is complete;
Step 8: if the information is complete, a security rule is formed.
Further, the key information in step 5 includes source IP, destination IP, source port, destination port, protocol type, device address, function code, register area, read/write attribute, register address range, register content range, etc.
Further, the method also includes step 8': if the information is incomplete, no security rule can be formed.
Further, the security rule in step 8 includes a firewall rule and an industrial communication protocol rule.
Further, the firewall rule is formed from some or all of the five elements source IP, destination IP, source port, destination port and protocol type.
Further, the industrial communication protocol rule is formed from some or all of the elements device address, function code, register area, read/write attribute, register address range and register content range.
With the above technical scheme, the beneficial effects of the present invention are:
The present invention parses packets captured on the Ethernet and forms security rules from the actual communication data, so that security rules are configured in a targeted way, nothing is omitted, effort is saved, and real-time transmission and data integrity in the industrial network are guaranteed.
The method for automatically establishing Ethernet communication security rules disclosed in this invention determines the communication protocol type of a packet and its key information, then automatically provides a recommended communication security rule configuration from this information and adds the rule to the network security device. This greatly improves the efficiency and accuracy of device configuration, so that configuring the network device no longer requires specialist networking knowledge, and mechanical engineers who are unfamiliar with networking can also complete the configuration easily.
Brief description of the drawings
Fig. 1 is the flow chart of the method for automatically establishing Ethernet communication security rules.
Embodiments
In order to make the object, technical scheme and advantages of the present invention clearer, the present invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
Fig. 1 is the flow chart of the present invention. As shown in Fig. 1, a method for automatically establishing Ethernet communication security rules comprises the following steps:
Step 1: a security device is connected to the network;
Step 2: the security device passively acquires packets from the Ethernet network;
Step 3: the security device sends the acquired packets to a protocol analysis module;
Step 4: the protocol analysis module parses the network-layer, transport-layer and application-layer content of the packet, obtains its communication protocol type, and determines whether it is an industrial communication protocol;
Step 5: if it is an industrial communication protocol, the key information in the packet is parsed and extracted; the key information includes source IP, destination IP, source port, destination port, protocol type, device address, function code, register area, read/write attribute, register address range, register content range, etc.;
Step 6: the extracted information is sent to a rule-assisted generation wizard module;
Step 7: after the rule-assisted generation wizard module receives the information, it judges whether the information is complete;
Step 8: if the information is incomplete, no security rule can be formed; if the information is complete, a security rule is formed. The security rule includes a firewall rule and an industrial communication protocol rule. The firewall rule is formed from some or all of the five elements source IP, destination IP, source port, destination port and protocol type, and the industrial communication protocol rule is formed from some or all of the elements device address, function code, register area, read/write attribute, register address range and register content range.
The above method for automatically establishing Ethernet communication security rules provides a recommended communication security rule configuration automatically from the captured packets. In this way only the communication types that actually exist in the traffic are configured, so that security rules are set in a targeted way and nothing is omitted; firewall rules can be added at any time, effort is saved, and real-time transmission and data integrity in the industrial network are guaranteed.
Example embodiment
The security device connected to the network intercepts a message attempting to pass through and analyzes it with the protocol analysis module. The analysis result is as follows:
Source IP: 172.18.16.121
Source port: 1032
Destination IP: 172.18.16.122
Destination port: 502
Device address: 1
Function code: 3
Start address: 100
Address length: 20
The analysis result is sent to the rule wizard module, which automatically forms two rules for the security device, a firewall rule and an industrial communication protocol rule, as follows:
Firewall rule:
172.18.16.121:1032->172.18.16.122:502
Industrial communication protocol rule:
Device address 1, function code 3, register address range 100-119.
The firewall rule and the industrial communication protocol rule are added to the communication security rules, completing the automatic establishment of the Ethernet communication security rules.
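The steps above carried out on a captured frame, as an added example that is not part of the patent or the assignee's code: it builds a constructed Modbus/TCP frame with the embodiment's values, walks the network, transport and application layers the way the protocol analysis module would, and has the rule wizard step emit the firewall and protocol rules only when every key field is present. The frame layout, field names and rule text are assumptions chosen to mirror the description.

```python
"""Added example (not from the patent): derives the embodiment's two rules from a constructed
Modbus/TCP frame. Frame layout, field names and rule text are assumptions, not the assignee's code."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_TCP_PORT = 502        # transport-layer hint that the payload is Modbus/TCP
READ_HOLDING_REGISTERS = 3   # function code used in the embodiment

@dataclass
class KeyInfo:
    """Key information of steps 4-5; protocol fields stay None when they could not be parsed."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    unit_id: Optional[int] = None        # device address
    function_code: Optional[int] = None
    start_addr: Optional[int] = None     # register start address
    quantity: Optional[int] = None       # number of registers

    def complete(self) -> bool:
        """Step 7: every element needed for both rules must be present."""
        return None not in (self.unit_id, self.function_code, self.start_addr, self.quantity)

def build_frame(src_ip, src_port, dst_ip, dst_port, unit, func, start, qty) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + TCP + MBAP + read-registers PDU (checksums zeroed)."""
    pdu = struct.pack("!BHH", func, start, qty)
    mbap = struct.pack("!HHHB", 1, 0, len(pdu) + 1, unit)   # txid, protocol id 0, length, unit id
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    segment = tcp + mbap + pdu
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + segment         # dummy MACs, EtherType IPv4

def parse_frame(frame: bytes) -> Optional[KeyInfo]:
    """Steps 4-5: walk the network, transport and application layers of one captured frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ip = frame[14:]
    if ip[9] != 6:
        return None                                   # not TCP
    tcp = ip[(ip[0] & 0x0F) * 4:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    info = KeyInfo(socket.inet_ntoa(ip[12:16]), src_port, socket.inet_ntoa(ip[16:20]), dst_port)
    if MODBUS_TCP_PORT not in (src_port, dst_port):
        return info                                   # not a recognised industrial protocol
    payload = tcp[(tcp[12] >> 4) * 4:]
    if len(payload) < 7:
        return info                                   # truncated MBAP header
    _txid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        return info                                   # MBAP protocol id is 0 for Modbus
    info.unit_id = unit
    pdu = payload[7:7 + length - 1]
    if pdu:
        info.function_code = pdu[0]
    if info.function_code == READ_HOLDING_REGISTERS and len(pdu) >= 5:
        info.start_addr, info.quantity = struct.unpack("!HH", pdu[1:5])
    return info

def generate_rules(info: Optional[KeyInfo]) -> Optional[tuple]:
    """Steps 7-8: the rule wizard forms both rules only when the key information is complete."""
    if info is None or not info.complete():
        return None                                   # step 8': incomplete, no rule formed
    firewall_rule = f"{info.src_ip}:{info.src_port}->{info.dst_ip}:{info.dst_port}"
    last = info.start_addr + info.quantity - 1        # 20 registers from 100 end at 119
    protocol_rule = (f"device address {info.unit_id}, function code {info.function_code}, "
                     f"register address range {info.start_addr}-{last}")
    return firewall_rule, protocol_rule

if __name__ == "__main__":
    frame = build_frame("172.18.16.121", 1032, "172.18.16.122", 502, 1, 3, 100, 20)
    print(generate_rules(parse_frame(frame)))
```

A frame on a non-industrial port, or one whose Modbus PDU is truncated, leaves the key information incomplete and yields no rule, which is the step 8' branch of the method.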
The above method for automatically establishing Ethernet communication security rules determines the communication protocol type of a packet and its key information, then automatically provides a recommended communication security rule configuration from this information and adds the rule to the network security device. This greatly improves the efficiency and accuracy of device configuration, so that configuring the network device no longer requires specialist networking knowledge, and mechanical engineers who are unfamiliar with networking can also complete the configuration easily. Because the security rules are formed from the data observed in actual communication, rule configuration is targeted, omits nothing and saves effort, while real-time transmission and data integrity in the industrial network are guaranteed.
The above embodiment expresses only one implementation of the present invention, and although it is described rather concretely and in detail, it should not be interpreted as limiting the scope of the claims of the present invention. It should be pointed out that a person of ordinary skill in the art can make further variations and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention shall be determined by the appended claims.

Claims (6)

1. A method for automatically establishing Ethernet communication security rules, characterized in that it comprises the following steps:
Step 1: a security device is connected to the network;
Step 2: the security device passively acquires packets from the Ethernet network;
Step 3: the security device sends the acquired packets to a protocol analysis module;
Step 4: the protocol analysis module parses the network-layer, transport-layer and application-layer content of the packet, obtains its communication protocol type, and determines whether it is an industrial communication protocol;
Step 5: if it is an industrial communication protocol, the key information in the packet is parsed and extracted;
Step 6: the extracted information is sent to a rule-assisted generation wizard module;
Step 7: after the rule-assisted generation wizard module receives the information, it judges whether the information is complete;
Step 8: if the information is complete, a security rule is formed.
2. The method for automatically establishing Ethernet communication security rules according to claim 1, characterized in that the key information in step 5 includes source IP, destination IP, source port, destination port, protocol type, device address, function code, register area, read/write attribute, register address range, register content range, etc.
3. The method for automatically establishing Ethernet communication security rules according to claim 1, characterized in that it further comprises step 8': if the information is incomplete, no security rule can be formed.
4. The method for automatically establishing Ethernet communication security rules according to claim 1, characterized in that the security rule in step 8 includes a firewall rule and an industrial communication protocol rule.
5. The method for automatically establishing Ethernet communication security rules according to claim 4, characterized in that the firewall rule is formed from some or all of the five elements source IP, destination IP, source port, destination port and protocol type.
6. The method for automatically establishing Ethernet communication security rules according to claim 4, characterized in that the industrial communication protocol rule is formed from some or all of the elements device address, function code, register area, read/write attribute, register address range and register content range.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310552467.2A CN103780601A (en) 2012-10-17 2013-10-16 Method for automatically establishing Ethernet communication safety rules

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201210394876.X 2012-10-17
CN201210394876 2012-10-17
CN201310552467.2A CN103780601A (en) 2012-10-17 2013-10-16 Method for automatically establishing Ethernet communication safety rules

Publications (1)

Publication Number Publication Date
CN103780601A true CN103780601A (en) 2014-05-07

Family

ID=50572431

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310552467.2A Pending CN103780601A (en) 2012-10-17 2013-10-16 Method for automatically establishing Ethernet communication safety rules

Country Status (1)

Country Link
CN (1) CN103780601A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020083331A1 (en) * 2000-12-21 2002-06-27 802 Systems, Inc. Methods and systems using PLD-based network communication protocols
US20020080784A1 (en) * 2000-12-21 2002-06-27 802 Systems, Inc. Methods and systems using PLD-based network communication protocols
US20020080771A1 (en) * 2000-12-21 2002-06-27 802 Systems, Inc. Methods and systems using PLD-based network communication protocols
US6480892B1 (en) * 1998-12-16 2002-11-12 Siemens Information And Communication Networks, Inc. Apparatus and method for inserting predetermined packet loss into a data flow
US6606744B1 (en) * 1999-11-22 2003-08-12 Accenture, Llp Providing collaborative installation management in a network-based supply chain environment
CN1564547A (en) * 2004-03-25 2005-01-12 上海复旦光华信息科技股份有限公司 High speed filtering and stream dividing method for keeping connection features
US20060123481A1 (en) * 2004-12-07 2006-06-08 Nortel Networks Limited Method and apparatus for network immunization
CN101364893A (en) * 2007-08-08 2009-02-11 华为技术有限公司 Control device, execution device, method and system for generating filtering rules
CN102238023A (en) * 2010-04-23 2011-11-09 中兴通讯股份有限公司 Method and device for generating warning data of network management system
CN102546217A (en) * 2010-12-31 2012-07-04 上海可鲁系统软件有限公司 Message filtering method
CN102594625A (en) * 2012-03-07 2012-07-18 北京启明星辰信息技术股份有限公司 White data filter method and system in APT (Advanced Persistent Threat) intelligent detection and analysis platform

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104519065A (en) * 2014-12-22 2015-04-15 北京卓越信通电子股份有限公司 Implementation method of industrial control firewall supporting Modbus TCP protocol filtering
CN104539600A (en) * 2014-12-22 2015-04-22 北京卓越信通电子股份有限公司 Industrial control firewall implementing method for supporting filtering IEC 104 protocol
CN104519065B (en) * 2014-12-22 2018-05-01 北京卓越信通电子股份有限公司 A kind of industry control method of realizing fireproof wall for supporting filtering Modbus Transmission Control Protocol
CN105491014A (en) * 2015-11-20 2016-04-13 成都科来软件有限公司 Data packet detection method based on national number
CN105791289A (en) * 2016-03-02 2016-07-20 夏杰 Network protection method and system based on big data computing
CN107046509A (en) * 2016-12-30 2017-08-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network data integration method parsed based on mirror port
CN112997466A (en) * 2018-09-18 2021-06-18 西门子股份公司 Method and apparatus for configuring an access protection system
CN112997466B (en) * 2018-09-18 2023-10-31 西门子股份公司 Method and apparatus for configuring an access protection system
CN110943873A (en) * 2018-09-21 2020-03-31 中移(杭州)信息技术有限公司 Message flow processing method and device and readable medium
CN109309687A (en) * 2018-11-27 2019-02-05 杭州迪普科技股份有限公司 Network security defence method, device and the network equipment
CN109194700A (en) * 2018-11-28 2019-01-11 深信服科技股份有限公司 A kind of traffic management and control method and relevant apparatus
CN109194700B (en) * 2018-11-28 2021-09-17 深信服科技股份有限公司 Flow control method and related device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140507