CN104519065B - A kind of industry control method of realizing fireproof wall for supporting filtering Modbus Transmission Control Protocol - Google Patents
Publication number: CN104519065B (application CN201410800901.9A)
Authority: CN (China)
Prior art keywords: data packet, modbus, filtering, transmission control, control protocol
Legal status: Active
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
  - H04L63/0227—Filtering policies
  - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  - H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
Abstract
The invention discloses an industrial control firewall implementation method that supports filtering of the Modbus TCP protocol. The method filters data packets through a Modbus TCP module placed in the kernel, which not only implements filtering and validity checking of the industrial control protocol Modbus TCP and improves filtering efficiency, but also implements the content filtering function that previously could only be achieved by a proxy; in addition, the method applies safety precautions to the administrator's configuration, so security is significantly improved.
Description
Technical field
The present invention relates to the field of industrial control firewalls, and in particular to a high-performance industrial control firewall implementation method that supports filtering of the Modbus TCP protocol.
Background technology
As information security requirements in the industrial control field keep increasing, firewalls are becoming more and more important. Given the special nature of the industrial control field, filtering common industrial control protocols such as Modbus TCP is an essential function of an industrial control firewall.
Modbus TCP is the implementation of MODBUS industrial fieldbus messaging over Ethernet. However, a traditional packet-filtering firewall works at the network layer and transport layer and decides whether to pass a data packet based on factors such as its IP source address, IP destination address, TCP source port number and TCP link state, or a combination of them; this approach does not apply to the Modbus TCP protocol, and packet-filtering firewalls are not aimed at common industrial control protocols. A proxy firewall, on the other hand, operates at the application layer and fully controls the session, establishing a dedicated proxy service program for every application service and specific application-layer protocol. Although it can monitor and control application-layer communication streams, it is slow and consumes excessive CPU resources, which has hampered the adoption of proxy firewalls.
Summary of the invention
In view of the deficiencies of the prior art, the object of the present invention is to provide an industrial control firewall implementation method that supports filtering of the Modbus TCP protocol. The method filters data packets through a Modbus TCP module placed in the kernel, which not only implements filtering and validity checking of the industrial control protocol Modbus TCP and improves filtering efficiency, but also implements the content filtering function that previously could only be achieved by a proxy.
To achieve the above object, the industrial control firewall implementation method that supports filtering of the Modbus TCP protocol includes the following steps:
1) The firewall is set to bridge mode, and the Modbus TCP master station and the Modbus TCP slave station are connected to different Ethernet interfaces of the firewall;
2) The firewall packet filtering module performs a system security check on all data packets entering the firewall;
3) The administrator defines custom packet filtering rules; a data packet is allowed to pass when it matches the custom packet filtering rules, otherwise it is discarded;
4) The firewall packet filtering module detects whether the data packet is Modbus TCP protocol; the packet is allowed to pass when it is Modbus TCP protocol, otherwise it is discarded;
5) The firewall filters the Modbus TCP protocol through the Modbus TCP module.
Further, the system security check in step 2) is specifically: the security policy adopts the principle that only the minimal set of data messages passes, and the packet filtering module provides a security check based on source IP address and destination IP address, on source port and destination port, and on protocol type.
Further, step 3) is specifically:
1. The administrator's set of administration commands is a special, closed, simplified set; the administrator sets the custom packet filtering rules through the specified configuration operations;
2. The system checks the administrator's operating commands and either rejects commands whose form does not conform to the rules or substitutes default values, avoiding the possibility of a buffer overflow.
Further, step 5) is specifically:
1. The Modbus TCP module checks the integrity of the data packet; when the packet is complete it proceeds to the next check, otherwise the packet is discarded;
2. The Modbus TCP module checks whether the function code of the message in the data packet matches the function codes set by the user; when it matches, it proceeds to the next check, otherwise the packet is discarded;
3. The Modbus TCP module checks the register values described by the data content of the data packet and whether they conform to the permissions set by the user; when they conform, the packet is allowed to pass, otherwise it is discarded.
Further, in step 1. the integrity check of the data packet covers the MBAP region and the data region of the packet.
The industrial control firewall implementation method of the present invention that supports filtering of the Modbus TCP protocol filters data packets through a Modbus TCP module placed in the kernel, which not only implements filtering and validity checking of the industrial control protocol Modbus TCP and improves filtering efficiency, but also implements the content filtering function that previously could only be achieved by a proxy; in addition, the method applies safety precautions to the administrator's configuration, so security is significantly improved. The Modbus TCP module in the present invention is a section of code written in a programming language inside the firewall, and the firewall user can set the Modbus TCP protocol filtering rules and the access permissions of the Modbus TCP slave station registers through the firewall's management interface.
Brief description of the drawings
Fig. 1 is a schematic diagram of the overall structure of the firewall system in the present invention;
Fig. 2 is a connection diagram of the firewall and the Modbus TCP module in the present invention;
Fig. 3 is the flow chart of the present invention filtering the Modbus TCP protocol.
Embodiment
The present invention is explained below with reference to the accompanying drawings.
As shown in Figs. 1-3, the present invention provides an industrial control firewall implementation method that supports filtering of the Modbus TCP protocol. It mainly implements filtering of the industrial control protocol Modbus TCP by placing a Modbus TCP module in the kernel of the firewall. Since the Modbus TCP module operates directly in the kernel, the filtering method of the present invention improves filtering efficiency; it also implements the content filtering function that previously could only be achieved by a proxy, avoiding the CPU resource consumption of the proxy approach.
The Modbus TCP module of the present invention is a section of code written in a programming language inside the industrial control firewall; the firewall user can set the Modbus TCP protocol filtering rules and the read permissions of the Modbus TCP slave station registers through the firewall's management interface. The detailed process of the filtering method of the present invention is as follows:
Step 1: The firewall is set to bridge mode, and the Modbus TCP master station and the Modbus TCP slave station are connected to different Ethernet interfaces of the firewall's bridging unit, so that the session is established in a single stream. Here, the integrity check of the data packet covers the MBAP region and the data region of the packet.
Step 2: The firewall packet filtering module performs a system security check on all data packets entering the firewall; packets that do not meet the standard are discarded. Here, the security policy adopts the principle that only the minimal set of data messages passes, and the packet filtering module provides a security check based on source IP address and destination IP address, on source port and destination port, and on protocol type.
Step 3: The administrator defines custom packet filtering rules; a data packet is allowed to pass when it matches the custom packet filtering rules, otherwise it is discarded. Here, the administrator's set of administration commands is a special, closed, simplified set: the administrator sets the custom packet filtering rules through the specified configuration operations and cannot perform other risky operations that might endanger the system itself, which prevents administrator misoperation from causing irreparable damage to the system. The system checks the administrator's operating commands, rejecting commands whose form does not conform to the rules or substituting default values, avoiding the possibility of a buffer overflow.
Step 4: The firewall packet filtering module detects whether the data packet is Modbus TCP protocol; the packet is allowed to pass when it is Modbus TCP protocol, otherwise it is discarded.
Step 5: The firewall filters the Modbus TCP protocol through the Modbus TCP module. The Modbus TCP module first checks the integrity of the data packet; when the packet is complete it proceeds to the next check, otherwise the packet is discarded. Secondly, the Modbus TCP module checks whether the function code of the message in the data packet matches the function codes set by the user; when it matches, it proceeds to the next check, otherwise the packet is discarded. Finally, the Modbus TCP module checks the register values described by the data content of the packet and whether they conform to the permissions set by the user; when they conform, the packet is allowed to pass, otherwise it is discarded.
The Modbus TCP module has the functions of identifying the protocol, checking the integrity of the protocol, and identifying the function code, device number, offset address and register values of the protocol message. For data packets that do not conform to the norm, the default action of the firewall of the present invention is to reject. Rules are executed in order; once a data packet is matched successfully, the corresponding operation is performed and the remaining rules are not executed. In this way, forwarding a data message incurs the minimum pass-through delay.
The filtering method of the present invention not only implements filtering and validity checking of the industrial control protocol Modbus TCP and improves filtering efficiency, but also implements the content filtering function that previously could only be achieved by a proxy; in addition, the method applies safety precautions to the administrator's configuration, so security is significantly improved.
The above is a preferred embodiment of the present invention. It should be noted that those skilled in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (1)
1. An industrial control firewall implementation method that supports filtering of the Modbus TCP protocol, characterised in that the method includes the following steps:
1) The firewall is set to bridge mode, and the Modbus TCP master station and the Modbus TCP slave station are connected to different Ethernet interfaces of the firewall;
2) The firewall packet filtering module performs a system security check on all data packets entering the firewall;
3) The administrator defines custom packet filtering rules; a data packet is allowed to pass when it matches the custom packet filtering rules, otherwise it is discarded;
4) The firewall packet filtering module detects whether the data packet is Modbus TCP protocol; the packet is allowed to pass when it is Modbus TCP protocol, otherwise it is discarded;
5) The firewall filters the Modbus TCP protocol through the Modbus TCP module;
The system security check in step 2) is specifically: the security policy adopts the principle that only the minimal set of data messages passes, and the packet filtering module provides a security check based on source IP address and destination IP address, on source port and destination port, and on protocol type;
Step 3) is specifically:
1. The administrator's set of administration commands is a special, closed, simplified set; the administrator sets the custom packet filtering rules through the specified configuration operations;
2. The system checks the administrator's operating commands and either rejects commands whose form does not conform to the rules or substitutes default values, avoiding the possibility of a buffer overflow;
Step 5) is specifically:
1. The Modbus TCP module checks the integrity of the data packet; when the packet is complete it proceeds to the next check, otherwise the packet is discarded;
2. The Modbus TCP module checks whether the function code of the message in the data packet matches the function codes set by the user; when it matches, it proceeds to the next check, otherwise the packet is discarded;
3. The Modbus TCP module checks the register values described by the data content of the data packet and whether they conform to the permissions set by the user; when they conform, the packet is allowed to pass, otherwise it is discarded;
In step 1. the integrity check of the data packet covers the MBAP region and the data region of the packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410800901.9A | 2014-12-22 | 2014-12-22 | Industrial control firewall implementation method that supports filtering of the Modbus TCP protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104519065A | 2015-04-15 |
CN104519065B | 2018-05-01 |
Family ID: 52793787
Country status: CN, CN104519065B, Active