CN104519065A - Implementation method of industrial control firewall supporting Modbus TCP protocol filtering - Google Patents

Info

Publication number: CN104519065A
Authority: CN (China)
Prior art keywords: packet, modbus, modbus tcp, data packet, filtering
Legal status: Granted (active)
Application number: CN201410800901.9A
Other languages: Chinese (zh)
Other versions: CN104519065B (en)
Inventors: 原江平, 杨国文, 汪义舟
Current assignee: Beijing Hollysys Co Ltd; Transcend Communication Inc
Original assignee: Beijing Hollysys Co Ltd; Transcend Communication Inc
Priority date: 2014-12-22
Filing date: 2014-12-22
Publication date: 2015-04-15

Events
2014-12-22: Application CN201410800901.9A filed by Beijing Hollysys Co Ltd and Transcend Communication Inc (priority date)
2015-04-15: Publication of CN104519065A
2018-05-01: Publication of CN104519065B (granted patent)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227: Filtering policies
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16: Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Abstract

The invention discloses an implementation method of an industrial control firewall supporting Modbus TCP protocol filtering. A Modbus TCP module placed in the kernel filters the data packets, so that filtering and validity checking of the industrial control protocol Modbus TCP are achieved and filtering efficiency is increased; a content filtering function that originally could only be realized through a proxy is achieved; and the administrator configuration is protected, so security is evidently increased.

Description

Implementation method of an industrial control firewall supporting Modbus TCP protocol filtering
Technical field
The present invention relates to the field of industrial control firewalls, and in particular to a high-performance implementation method of an industrial control firewall supporting Modbus TCP protocol filtering.
Background technology
As the information security demands of the industrial control field keep growing, firewalls are becoming more and more important. Because of the particular nature of the industrial control field, filtering common industrial control protocols such as the Modbus TCP protocol is an indispensable function of an industrial control firewall.
Modbus TCP carries MODBUS industrial field bus messages over Ethernet. However, a traditional packet filtering firewall works at the network layer and the transport layer and decides whether a packet may pass according to factors such as its IP source address, IP destination address, TCP source port number, TCP link state, or a combination of these; this approach is not applicable to the Modbus TCP protocol, and packet filtering firewalls are not designed for common industrial control protocols. A proxy firewall, on the other hand, works at the application layer and fully controls the session: for a specific application layer protocol, a dedicated proxy service program is built for each kind of application service. Although this can monitor and control the application layer communication stream, it is slower and consumes too much CPU resource, which has hindered the adoption of proxy firewalls.
Summary of the invention
In view of the deficiencies of the prior art, the object of this invention is to provide an implementation method of an industrial control firewall supporting Modbus TCP protocol filtering. By means of a Modbus TCP module arranged in the kernel, the method filters the packets, so that it not only achieves filtering and validity checking of the industrial control protocol Modbus TCP and improves filtering efficiency, but also achieves the content filtering function that originally could only be realized by a proxy.
To achieve the above object, the implementation method of an industrial control firewall supporting Modbus TCP protocol filtering comprises the following steps:
1) the firewall is set to bridge mode, and the Modbus TCP master station and the Modbus TCP slave station are arranged on different Ethernet interfaces of the firewall;
2) the firewall packet filtering module performs a system security check on all packets entering the firewall;
3) the administrator defines custom packet filtering rules; a packet is allowed to pass when it meets the custom packet filtering rules, otherwise the packet is discarded;
4) the firewall packet filtering module detects whether a packet is Modbus TCP protocol; the packet is allowed to pass when it is Modbus TCP protocol, otherwise the packet is discarded;
5) the firewall filters the Modbus TCP protocol by means of the Modbus TCP module.
Further, the system security check in step 2) is specifically: the security policy adopts the principle of letting the minimum set of data messages pass, and the packet filtering module provides the security check based on source IP address and destination IP address, on source port and destination port, and on protocol type.
Further, step 3) is specifically:
1. the administrator's command set is a dedicated, closed and simplified set, and the administrator sets the custom packet filtering rules through the specified configuration operations;
2. the system checks the administrator's commands; commands whose format does not conform to the rules are either rejected or replaced with default values, which avoids the possibility of a buffer overflow.
Further, step 5) is specifically:
1. the Modbus TCP module checks the integrity of the packet; when the packet is complete the next check is performed, otherwise the packet is discarded;
2. the Modbus TCP module checks whether the function code of the message in the packet meets the function code set by the user; when it does, the next check is performed, otherwise the packet is discarded;
3. the Modbus TCP module checks the register values described by the data content in the packet and checks whether they meet the permissions set by the user; the packet is allowed to pass when it meets the user-set permissions, otherwise the packet is discarded.
Further, the integrity check of the packet in step 1. covers the MBAP area and the data area of the packet.
The implementation method of an industrial control firewall supporting Modbus TCP protocol filtering of the present invention, by means of a Modbus TCP module arranged in the kernel, filters the packets, so that it not only achieves filtering and validity checking of the industrial control protocol Modbus TCP and improves filtering efficiency, but also achieves the content filtering function that originally could only be realized by a proxy; in addition, the method protects the administrator configuration, so security is significantly improved. The Modbus TCP module in the present invention is a section of code written in a programming language inside the firewall, and the firewall user can set the filtering rules for the Modbus TCP protocol and the access permissions of the Modbus TCP slave station registers through the management interface of the firewall.
Description of the drawings
Fig. 1 is a schematic diagram of the overall structure of the firewall system in the present invention;
Fig. 2 is a connection diagram of the firewall and the Modbus TCP module in the present invention;
Fig. 3 is the flow chart of filtering the Modbus TCP protocol in the present invention.
Embodiments
The present invention is described below with reference to the accompanying drawings.
As shown in Figures 1 to 3, the invention provides an implementation method of an industrial control firewall supporting Modbus TCP protocol filtering. It mainly arranges a Modbus TCP module in the kernel of the firewall to filter the industrial control protocol Modbus TCP. Because the Modbus TCP module runs directly in the kernel, the filtering method of the present invention improves filtering efficiency; it also achieves the content filtering function that originally could only be realized by a proxy, while avoiding the CPU resource consumption of the proxy approach.
The Modbus TCP module of the present invention is a section of code written in a programming language inside the industrial control firewall, and the firewall user sets the filtering rules for the Modbus TCP protocol and the read permissions of the Modbus TCP slave station registers through the management interface of the firewall. The detailed process of the filtering method of the present invention is as follows:
Step 1: the firewall is set to bridge mode, and the Modbus TCP master station and the Modbus TCP slave station are arranged on different Ethernet interfaces of the firewall's bridging unit, so that a session is established within one flow. Here, the integrity check of a packet covers the MBAP area and the data area of the packet.
Step 2: the firewall packet filtering module performs a system security check on all packets entering the firewall; packets that fail the check are dropped. Here, the security policy adopts the principle of letting the minimum set of data messages pass, and the packet filtering module provides the security check based on source IP address and destination IP address, on source port and destination port, and on protocol type.
Step 3: the administrator defines custom packet filtering rules; a packet is allowed to pass when it meets the custom packet filtering rules, otherwise the packet is discarded. Here, the administrator's command set is a dedicated, closed and simplified set: the administrator sets the custom packet filtering rules through the specified configuration operations and cannot perform other risky operations that might endanger the system itself, which prevents administrator mistakes from causing irreparable damage to the system. The system checks the administrator's commands; commands whose format does not conform to the rules are either rejected or replaced with default values, which avoids the possibility of a buffer overflow.
Step 4: the firewall packet filtering module detects whether a packet is Modbus TCP protocol; the packet is allowed to pass when it is Modbus TCP protocol, otherwise the packet is discarded.
Step 5: the firewall filters the Modbus TCP protocol by means of the Modbus TCP module. First, the Modbus TCP module checks the integrity of the packet; when the packet is complete the next check is performed, otherwise the packet is discarded. Second, the Modbus TCP module checks whether the function code of the message in the packet meets the function code set by the user; when it does, the next check is performed, otherwise the packet is discarded. Finally, the Modbus TCP module checks the register values described by the data content in the packet and checks whether they meet the permissions set by the user; the packet is allowed to pass when it meets the user-set permissions, otherwise the packet is discarded.
The Modbus TCP module has the functions of identifying the protocol, checking the integrity of the protocol, and identifying the function code, device number, offset address and register value of the protocol message. For packets that do not match any rule, the default action of the firewall of the present invention is to refuse. Rules are executed in order: once a packet matches a rule, the corresponding action is taken and the subsequent rules are no longer evaluated. In this way, the minimum pass-through delay is introduced when forwarding data messages.
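The three checks of step 5 and the ordered, default-deny rule evaluation described above, written out as a plain C inspection routine. This is an added example, not code from the patent or from the assignees' firewall: the rule table layout (`struct reg_rule`), the permitted function codes, the register ranges, the sample frames and the decision to handle only function codes 0x03, 0x04, 0x06 and 0x10 are all assumptions made for this example. The MBAP field layout, the protocol identifier of 0 and the limit of 123 registers per write-multiple request come from the Modbus TCP specification.

```c
/* Added example, not the patent's code: the three checks of step 5 in plain C, with
 * rules tried in order (first match decides) and a default action of drop.
 * Rule layout, permitted codes, register ranges and frames are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#define MBAP_LEN           7    /* transaction id(2) protocol id(2) length(2) unit id(1) */
#define MODBUS_PROTOCOL_ID 0    /* the protocol id field is always 0 for Modbus */
#define MAX_PDU            253  /* largest PDU the Modbus specification allows */
enum verdict { DROP = 0, PASS = 1 };

/* Register permission rule as an administrator might configure it (assumed layout). */
struct reg_rule { uint8_t unit_id; uint16_t first_reg, last_reg; bool allow_read, allow_write; };

/* Constructed policy: permitted function codes and register ranges for unit 1. */
static const uint8_t allowed_fc[] = { 0x03, 0x04, 0x06, 0x10 };
static const struct reg_rule rules[] = {
    { 1, 0x0000, 0x00FF, true, false },  /* registers 0..255: read-only   */
    { 1, 0x0100, 0x010F, true, true  },  /* registers 256..271: read/write */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static bool fc_allowed(uint8_t fc)
{
    for (size_t i = 0; i < sizeof allowed_fc; i++)
        if (allowed_fc[i] == fc) return true;
    return false;
}

/* Check 1: the MBAP length field must account for exactly the bytes present. */
static bool mbap_valid(const uint8_t *f, size_t n, uint16_t *pdu_len)
{
    if (n < MBAP_LEN + 1) return false;                /* header plus function code */
    if (be16(f + 2) != MODBUS_PROTOCOL_ID) return false;
    uint16_t len = be16(f + 4);                        /* counts unit id + PDU */
    if (len < 2 || len > MAX_PDU + 1) return false;
    if ((size_t)len + 6 != n) return false;            /* truncated or trailing bytes */
    *pdu_len = (uint16_t)(len - 1);
    return true;
}

/* Check 3: rules are tried in order, the first match decides, and a request no rule covers is denied. */
static bool regs_permitted(uint8_t unit, uint16_t start, uint16_t qty, bool write)
{
    if (qty == 0) return false;
    uint32_t end = (uint32_t)start + qty - 1;
    if (end > 0xFFFF) return false;                    /* address range wraps */
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct reg_rule *r = &rules[i];
        if (r->unit_id == unit && start >= r->first_reg && end <= r->last_reg)
            return write ? r->allow_write : r->allow_read;
    }
    return false;
}

enum verdict inspect_modbus_tcp(const uint8_t *frame, size_t n)
{
    uint16_t pdu_len;
    if (!mbap_valid(frame, n, &pdu_len)) return DROP;
    uint8_t unit = frame[6];
    const uint8_t *pdu = frame + MBAP_LEN;
    uint8_t fc = pdu[0];
    if (!fc_allowed(fc)) return DROP;                  /* check 2 */
    switch (fc) {
    case 0x03: case 0x04:              /* read holding/input registers: addr(2) qty(2) */
        if (pdu_len != 5) return DROP;
        return regs_permitted(unit, be16(pdu + 1), be16(pdu + 3), false) ? PASS : DROP;
    case 0x06:                         /* write single register: addr(2) value(2) */
        if (pdu_len != 5) return DROP;
        return regs_permitted(unit, be16(pdu + 1), 1, true) ? PASS : DROP;
    case 0x10: {                       /* write multiple registers: addr(2) qty(2) count(1) data */
        if (pdu_len < 6) return DROP;
        uint16_t qty = be16(pdu + 3);
        uint8_t  cnt = pdu[5];
        if (qty == 0 || qty > 123 || cnt != qty * 2 || pdu_len != 6 + cnt) return DROP;
        return regs_permitted(unit, be16(pdu + 1), qty, true) ? PASS : DROP;
    }
    }
    return DROP;                                       /* permitted code with no handler */
}

/* Constructed sample frames for unit id 1: tid, pid, len, uid, fc, data. */
static const uint8_t frame_read_ok[]  = { 0,1, 0,0, 0,6,  1, 0x03, 0x00,0x10, 0x00,0x02 };
static const uint8_t frame_write_ro[] = { 0,2, 0,0, 0,6,  1, 0x06, 0x00,0x05, 0x12,0x34 };
static const uint8_t frame_write_rw[] = { 0,3, 0,0, 0,11, 1, 0x10, 0x01,0x00, 0x00,0x02, 4, 0,1, 0,2 };
static const uint8_t frame_bad_len[]  = { 0,4, 0,0, 0,6,  1, 0x03, 0x00,0x10, 0x00,0x02, 0xFF };
static const uint8_t frame_bad_fc[]   = { 0,5, 0,0, 0,6,  1, 0x05, 0x00,0x01, 0xFF,0x00 };

int main(void)
{
    printf("read, read-only range:   %d\n", inspect_modbus_tcp(frame_read_ok,  sizeof frame_read_ok));
    printf("write, read-only range:  %d\n", inspect_modbus_tcp(frame_write_ro, sizeof frame_write_ro));
    printf("write, read/write range: %d\n", inspect_modbus_tcp(frame_write_rw, sizeof frame_write_rw));
    printf("bad length / bad fc:     %d %d\n", inspect_modbus_tcp(frame_bad_len, sizeof frame_bad_len),
           inspect_modbus_tcp(frame_bad_fc, sizeof frame_bad_fc));
    return 0;
}
```

Passing `frame_read_ok` with a length of 7 instead of 12 shows why the integrity check comes first: the frame is dropped before a function code is ever read. A read that spans both configured ranges at once (for example 32 registers starting at 0x00F0) lies inside neither rule and is denied, which is the default-deny behaviour the text describes.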
The filtering method of the present invention not only achieves filtering and validity checking of the industrial control protocol Modbus TCP and improves filtering efficiency, but also achieves the content filtering function that originally could only be realized by a proxy; in addition, the method protects the administrator configuration, so security is significantly improved.
The above are the preferred embodiments of the present invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
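The administrator command handling of step 3, as an added example rather than the patent's code: a closed and simplified command set, a command line that is copied only after its length has been checked, and format checks that either reject a command or fill in a default value. The command names (`allow-fc`, `allow-reg`, `default-action`), the argument bounds, and the choice of which malformed inputs are defaulted rather than rejected are assumptions made for this example.

```c
/* Added example, not the patent's code: administrator command handling as described in
 * step 3. A closed command set, a bounded copy of the command line, and format checks that
 * either reject the command or fill in a default. Names, bounds and defaults are assumed. */
#include <stdbool.h>
#include <string.h>
#include <ctype.h>
#include <limits.h>
#define MAX_LINE   64   /* longest command line ever copied into a buffer */
#define MAX_TOKENS 5    /* command name plus at most four arguments */
enum cmd_id     { CMD_ALLOW_FC, CMD_ALLOW_REG, CMD_DEFAULT_ACTION };
enum cmd_status { CMD_REJECTED = 0, CMD_OK = 1, CMD_DEFAULTED = 2 };

/* The closed command set: name, id, minimum and maximum argument count. */
struct cmd_spec { const char *name; enum cmd_id id; int min_args, max_args; };
static const struct cmd_spec command_set[] = {
    { "allow-fc",       CMD_ALLOW_FC,       1, 1 },  /* allow-fc <code 0..255>               */
    { "allow-reg",      CMD_ALLOW_REG,      3, 4 },  /* allow-reg <unit> <first> <last> [rw] */
    { "default-action", CMD_DEFAULT_ACTION, 1, 1 },  /* default-action <0 = drop, 1 = pass>  */
};
struct parsed_cmd { enum cmd_id id; unsigned args[MAX_TOKENS - 1]; int nargs; };

/* Upper bound for argument i of a command. */
static unsigned arg_max(enum cmd_id id, int i)
{
    if (id == CMD_ALLOW_FC)  return 0xFF;
    if (id == CMD_ALLOW_REG) return i == 0 ? 0xFF : (i < 3 ? 0xFFFF : 1);
    return 1;                                          /* default-action: 0 or 1 */
}

/* Decimal digits only, at most five of them, and no larger than max. */
static bool parse_uint(const char *tok, unsigned max, unsigned *out)
{
    unsigned v = 0; int digits = 0;
    for (; *tok; tok++, digits++) {
        if (!isdigit((unsigned char)*tok) || digits >= 5) return false;
        v = v * 10 + (unsigned)(*tok - '0');
    }
    if (digits == 0 || v > max) return false;
    *out = v;
    return true;
}

enum cmd_status parse_admin_command(const char *line, struct parsed_cmd *out)
{
    char buf[MAX_LINE + 1];
    size_t n = 0;
    while (n <= MAX_LINE && line[n] != '\0') n++;
    if (n > MAX_LINE) return CMD_REJECTED;             /* over-long line is never copied */
    memcpy(buf, line, n);
    buf[n] = '\0';

    char *tok[MAX_TOKENS] = { 0 };                     /* split on spaces */
    int ntok = 0;
    for (char *p = buf; *p; ) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (ntok == MAX_TOKENS) return CMD_REJECTED;   /* more tokens than any command takes */
        tok[ntok++] = p;
        while (*p && *p != ' ') p++;
        if (*p) *p++ = '\0';
    }
    if (ntok == 0) return CMD_REJECTED;

    const struct cmd_spec *spec = NULL;
    for (size_t i = 0; i < sizeof command_set / sizeof command_set[0]; i++)
        if (strcmp(tok[0], command_set[i].name) == 0) spec = &command_set[i];
    if (!spec) return CMD_REJECTED;                    /* not in the closed set */
    int nargs = ntok - 1;
    if (nargs < spec->min_args || nargs > spec->max_args) return CMD_REJECTED;

    out->id = spec->id; out->nargs = 0;
    enum cmd_status status = CMD_OK;
    for (int i = 0; i < nargs; i++) {
        unsigned v;
        if (!parse_uint(tok[i + 1], arg_max(spec->id, i), &v)) {
            if (spec->id != CMD_DEFAULT_ACTION) return CMD_REJECTED;
            v = 0; status = CMD_DEFAULTED;             /* unreadable action defaults to drop */
        }
        out->args[out->nargs++] = v;
    }
    if (spec->id == CMD_ALLOW_REG) {
        if (out->args[1] > out->args[2]) return CMD_REJECTED;  /* first register after last */
        if (out->nargs == 3) { out->args[out->nargs++] = 0; status = CMD_DEFAULTED; } /* rw omitted: read-only */
    }
    return status;
}

/* Status-only and single-argument views of the result (UINT_MAX when rejected). */
enum cmd_status admin_command_status(const char *line)
{
    struct parsed_cmd pc;
    return parse_admin_command(line, &pc);
}
unsigned admin_command_arg(const char *line, int i)
{
    struct parsed_cmd pc;
    if (parse_admin_command(line, &pc) == CMD_REJECTED || i >= pc.nargs) return UINT_MAX;
    return pc.args[i];
}
```

`allow-reg 1 0 255` is accepted with the omitted read/write flag filled in as read-only and reported as CMD_DEFAULTED; `allow-reg 1 0 255 1 9` carries more tokens than any command takes and is rejected before an argument is parsed, as is any line longer than MAX_LINE, which is never copied into the buffer at all. Those two paths are what keeps the administrator interface from becoming the buffer overflow the text warns about.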

Claims (5)

1. An implementation method of an industrial control firewall supporting Modbus TCP protocol filtering, characterized in that the method comprises the following steps:
1) the firewall is set to bridge mode, and the Modbus TCP master station and the Modbus TCP slave station are arranged on different Ethernet interfaces of the firewall;
2) the firewall packet filtering module performs a system security check on all packets entering the firewall;
3) the administrator defines custom packet filtering rules; a packet is allowed to pass when it meets the custom packet filtering rules, otherwise the packet is discarded;
4) the firewall packet filtering module detects whether a packet is Modbus TCP protocol; the packet is allowed to pass when it is Modbus TCP protocol, otherwise the packet is discarded;
5) the firewall filters the Modbus TCP protocol by means of the Modbus TCP module.
2. The implementation method according to claim 1, characterized in that the system security check in step 2) is specifically: the security policy adopts the principle of letting the minimum set of data messages pass, and the packet filtering module provides the security check based on source IP address and destination IP address, on source port and destination port, and on protocol type.
3. The implementation method according to claim 1, characterized in that step 3) is specifically:
1. the administrator's command set is a dedicated, closed and simplified set, and the administrator sets the custom packet filtering rules through the specified configuration operations;
2. the system checks the administrator's commands; commands whose format does not conform to the rules are either rejected or replaced with default values, which avoids the possibility of a buffer overflow.
4. The implementation method according to claim 1, characterized in that step 5) is specifically:
1. the Modbus TCP module checks the integrity of the packet; when the packet is complete the next check is performed, otherwise the packet is discarded;
2. the Modbus TCP module checks whether the function code of the message in the packet meets the function code set by the user; when it does, the next check is performed, otherwise the packet is discarded;
3. the Modbus TCP module checks the register values described by the data content in the packet and checks whether they meet the permissions set by the user; the packet is allowed to pass when it meets the user-set permissions, otherwise the packet is discarded.
5. The implementation method according to claim 4, characterized in that the integrity check of the packet in step 1. covers the MBAP area and the data area of the packet.

Priority Applications (1)

Application number: CN201410800901.9A (granted as CN104519065B)
Priority date: 2014-12-22
Filing date: 2014-12-22
Title: Implementation method of an industrial control firewall supporting Modbus TCP protocol filtering

Publications (2)

CN104519065A (en), published 2015-04-15
CN104519065B (en), published 2018-05-01

Family

Family ID: 52793787

Country Status (1)

CN: CN104519065B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101052046A (en) * 2007-05-22 2007-10-10 网御神州科技(北京)有限公司 Anti-virus method and device for fire-proof wall
CN101316271A (en) * 2008-07-04 2008-12-03 华为技术有限公司 Method for implementing information backup, fire wall and network system
CN103780601A (en) * 2012-10-17 2014-05-07 北京力控华康科技有限公司 Method for automatically establishing Ethernet communication safety rules
CN103973700A (en) * 2014-05-21 2014-08-06 成都达信通通讯设备有限公司 Mobile terminal preset networking address firewall isolation application system

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105306463B (en) * 2015-10-13 2018-04-13 电子科技大学 Modbus TCP intrusion detection methods based on support vector machines
CN105306463A (en) * 2015-10-13 2016-02-03 电子科技大学 Modbus TCP intrusion detection method based on support vector machine
CN106888185A (en) * 2015-12-15 2017-06-23 北京网御星云信息技术有限公司 A kind of industrial network security means of defence based on serial link
CN105516162A (en) * 2015-12-18 2016-04-20 中国电子信息产业集团有限公司第六研究所 Method for dynamically configuring filtering rule based on rule description language
CN105516162B (en) * 2015-12-18 2019-02-19 中国电子信息产业集团有限公司第六研究所 A kind of method of the dynamic configuration filtering rule of rule-based description language
CN109873799A (en) * 2017-12-04 2019-06-11 和硕联合科技股份有限公司 Network safety system and its method
CN109639624A (en) * 2018-10-08 2019-04-16 上海大学 Lopsided data filtering method in a kind of Modbus Transmission Control Protocol fuzz testing
CN109617866B (en) * 2018-11-29 2021-10-12 英赛克科技(北京)有限公司 Industrial control system host session data filtering method and device
CN109617866A (en) * 2018-11-29 2019-04-12 英赛克科技(北京)有限公司 Industrial control system host session data filtering method and device
CN111262861A (en) * 2020-01-16 2020-06-09 四川效率源科技有限责任公司 Method for identifying and filtering MODBUS TCP/UDP protocol
CN114244609A (en) * 2021-12-17 2022-03-25 北京国泰网信科技有限公司 Modbus TCP protocol protection method for industrial firewall
CN114244609B (en) * 2021-12-17 2023-08-25 北京国泰网信科技有限公司 Modbus TCP Protocol Protection Method for Industrial Firewall
CN115174219A (en) * 2022-07-06 2022-10-11 哈尔滨工业大学(威海) Management system capable of adapting to multiple industrial firewalls
CN115174219B (en) * 2022-07-06 2024-04-19 哈尔滨工业大学(威海) Management system capable of adapting to various industrial firewalls
CN116939065A (en) * 2023-08-07 2023-10-24 山东九州信泰信息科技股份有限公司 Modbus protocol TCP segmentation rapid deep inspection method
CN116939065B (en) * 2023-08-07 2024-02-06 山东九州信泰信息科技股份有限公司 Modbus protocol TCP segmentation rapid deep inspection method

Also Published As

CN104519065B (en), published 2018-05-01

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant