CN105282157B - A kind of secure communication control method - Google Patents

Publication number: CN105282157B
Authority: CN (China)
Prior art keywords: data packet, terminal, trusted, security, gateway
Legal status: Expired - Fee Related
Application number: CN201510696503.1A
Other languages: Chinese (zh)
Other versions: CN105282157A
Inventors: 王宇, 王飞, 孙鸿鹏, 吴忠望, 韩伟杰, 李晋丽
Current assignee: Beijing Zhong'an Xinkong Technology Co Ltd; PLA Equipment College
Original assignee: Beijing Zhong'an Xinkong Technology Co Ltd; PLA Equipment College

Events: application filed by Beijing Zhong'an Xinkong Technology Co Ltd and PLA Equipment College; priority to CN201510696503.1A; publication of CN105282157A; application granted; publication of CN105282157B; legal status Expired - Fee Related.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract

The present invention provides a secure communication control method. A management center sends a terminal security policy file to a trusted terminal and a gateway security policy file to a trusted gateway. The trusted terminal applies security control, according to the terminal security policy file, to the data packets flowing into and out of the trusted terminal; the trusted gateway applies security control, according to the gateway security policy file, to the data packets flowing into and out of the trusted gateway. Because both the trusted terminal and the trusted gateway perform security verification and processing on the packets that flow through them, malicious tampering of packets and unauthorized access between network domains are prevented, and secure communication between different network domains is achieved.

Description

A kind of secure communication control method
Technical field
The present invention relates to the fields of trusted computing and network communication, and in particular to a secure communication control method.
Background art
With the development of information technology, network communication security has become a major issue constraining the development of information systems. How to ensure the security of network interconnection and achieve secure communication between the devices in a network has become an urgent problem.
At present, a terminal in a network mainly relies on technologies such as intrusion detection and anti-virus protection to inspect the information it receives and to screen out illegitimate information carrying malicious attacks, thereby securing network communication.
However, intrusion detection and anti-virus protection can only detect whether the information a terminal receives contains a virus or a Trojan; they cannot apply security control to communication between different network domains. A terminal may therefore send information to a network domain it has no access rights to, and may likewise receive information sent by a terminal in a network domain that has no access rights to it.
Summary of the invention
In view of this, embodiments of the present invention aim to provide a secure communication control method that achieves secure communication between different network domains.
In a first aspect, an embodiment of the present invention provides a secure communication control method, the method comprising:
a trusted terminal intercepts a data packet through a network filter driver and determines, according to the source address and destination address of the packet, the type of the packet, the type being either outflow or inflow;
when the packet is determined to be of the outflow type, the trusted terminal performs security processing on the packet according to the destination address and a terminal security policy file;
when the packet is determined to be of the inflow type, the trusted terminal performs security verification on the packet according to the source address and the terminal security policy file.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, in which the trusted terminal performing security processing on the packet according to the destination address and the terminal security policy file comprises:
the trusted terminal determines, according to the destination address, whether the receiving terminal is located within the range of the same trusted gateway as the trusted terminal;
if so, the packet is sent to the receiving terminal; if not, the trusted terminal determines, according to the destination address and an access control list contained in the terminal security policy file, whether the receiving terminal is an exception device;
if the receiving terminal is an exception device, the packet is sent to it; if it is not an exception device, a stream label is generated for the packet, the stream label is added to the packet, and the packet carrying the stream label is sent to the receiving terminal.
With reference to the first possible implementation of the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, in which generating the stream label for the packet and adding the stream label to the packet comprises:
the trusted terminal obtains the security level of the security domain it belongs to;
according to the port number of the packet, it obtains the priority level corresponding to that port number from a label allocation table contained in the terminal security policy file;
it obtains the identifier of the security domain it belongs to and the multicast key corresponding to that security domain from a multicast key table contained in the terminal security policy file;
using the multicast key, it performs a hash operation over the security domain identifier, the security level, the priority level, and the source address, destination address, virtual machine identifier, reserved field and data segment of the packet, obtaining a check value;
the security domain identifier, the priority level, the virtual machine identifier, the reserved field and the check value form the stream label of the packet, and the stream label is added to the packet header.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, in which the trusted terminal performing security verification on the packet according to the source address and the terminal security policy file comprises:
the trusted terminal determines whether the packet header contains a stream label;
if no stream label is present, it determines, according to the source address of the packet and the access control list contained in the terminal security policy file, whether the sending terminal is an external device; if so, it accepts the packet, otherwise it discards the packet;
if a stream label is present, it verifies the stream label; if verification succeeds it accepts the packet, and if verification fails it discards the packet.
With reference to the third possible implementation of the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, in which verifying the stream label comprises:
obtaining the security domain identifier, priority level, virtual machine identifier, reserved field and check value contained in the stream label, and obtaining the source address, destination address and data segment from the packet;
obtaining, according to the security domain identifier, the multicast key and security level of that security domain;
using the multicast key, performing a hash operation over the security domain identifier, the virtual machine identifier, the reserved field, the security level, the priority level, and the source address, destination address and data segment of the packet, and comparing the result with the check value; if the two are identical, verification succeeds, and if they differ, verification fails.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, in which the method further comprises:
the trusted terminal receives the terminal security policy file sent by a management center, the terminal security policy file comprising a label allocation table, a multicast key table, an access control list and a security domain correlation table;
the trusted terminal records access behaviour information, assembles the access behaviour information into a terminal security log, and sends the terminal security log to the management center every first preset time period.
In a second aspect, an embodiment of the present invention provides a secure communication control method, the method comprising:
a trusted gateway receives a data packet sent by a terminal and determines whether the packet contains a stream label;
if no stream label is present, it determines, according to the source address of the packet and an exception device list contained in a gateway security policy file, whether the terminal is an external device; if so, it forwards the packet, otherwise it discards the packet;
if a stream label is present, it verifies the stream label according to the gateway security policy file; if verification succeeds it forwards the packet, and if verification fails it discards the packet.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, in which, before the trusted gateway receives the data packet sent by the terminal, the method further comprises:
the trusted gateway receives the gateway security policy file sent by a management center, the gateway security policy file comprising an exception device list, a signature verification policy table and a security domain multicast key table.
With reference to the second aspect, an embodiment of the present invention provides a second possible implementation of the second aspect, in which the method further comprises:
the trusted gateway records data packet exception information, assembles the data packet exception information into a gateway security log, and sends the gateway security log to the management center every second preset time period.
In a third aspect, an embodiment of the present invention provides a secure communication control method, the method comprising:
a management center sends a terminal security policy file to a trusted terminal and a gateway security policy file to a trusted gateway, so that the trusted terminal performs secure communication control according to the terminal security policy file and the trusted gateway performs secure communication control according to the gateway security policy file;
the management center receives the terminal security log sent by the trusted terminal and the gateway security log sent by the trusted gateway, and performs security monitoring of the trusted terminal and the trusted gateway according to the terminal security log and the gateway security log respectively.
In the method provided by embodiments of the present invention, the management center configures a terminal security policy file for the trusted terminal and a gateway security policy file for the trusted gateway. The trusted terminal applies security control, according to the terminal security policy file, to the data packets flowing into or out of the trusted terminal; the trusted gateway applies security control, according to the gateway security policy file, to the data packets passing through the trusted gateway. Secure communication between different network domains is thereby achieved, and malicious access between network domains that have no access rights to each other is prevented.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings show only some embodiments of the present invention and should not be regarded as limiting its scope; those of ordinary skill in the art can derive other relevant drawings from these drawings without creative effort.
Fig. 1 shows a flow chart of a secure communication control method provided by Embodiment 1 of the present invention;
Fig. 2A shows a signaling interaction diagram of secure communication control provided by Embodiment 2 of the present invention;
Fig. 2B shows a schematic diagram of a trusted terminal processing a data packet, provided by Embodiment 2 of the present invention;
Fig. 2C shows a schematic diagram of a signature verification policy provided by Embodiment 2 of the present invention;
Fig. 2D shows a schematic diagram of a communication network provided by Embodiment 2 of the present invention;
Fig. 3 shows a schematic structural diagram of a secure communication control system provided by Embodiment 3 of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments described and illustrated in the drawings can generally be arranged and designed in many different configurations. Therefore, the detailed description below of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the present invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In view of the fact that the related art cannot apply security control to communication between different network domains, so that a terminal may send information to a network domain it has no access rights to and may receive information sent by a terminal in a network domain without access rights, embodiments of the present invention provide a secure communication control method, which is described below by way of embodiments.
Embodiment 1
Referring to Fig. 1, an embodiment of the present invention provides a secure communication control method, which specifically comprises the following steps:
Step 101: the management center sends a terminal security policy file to the trusted terminal and a gateway security policy file to the trusted gateway;
The terminal security policy file comprises a label allocation table, a multicast key table, an access control list and a security domain correlation table. The gateway security policy file comprises an exception device list, a signature verification policy table and a security domain multicast key table.
Step 102: the trusted terminal receives the terminal security policy file sent by the management center and applies security control, according to that file, to the data packets passing through the trusted terminal;
The trusted terminal intercepts data packets through a network filter driver and determines, from the source address and destination address of each packet, the type of the packet, which is either outflow or inflow. When a packet is of the outflow type, the terminal performs security processing on it according to the destination address and the terminal security policy file; when a packet is of the inflow type, the terminal performs security verification on it according to the source address and the terminal security policy file.
Step 103: the trusted gateway receives the gateway security policy file sent by the management center and applies security control, according to that file, to the data packets passing through the trusted gateway.
The trusted gateway receives a data packet sent by a terminal and determines whether the packet contains a stream label. If no stream label is present, it determines, from the source address of the packet and the exception device list contained in the gateway security policy file, whether the terminal is an external device; if so, it forwards the packet, otherwise it discards the packet. If a stream label is present, it verifies the stream label according to the gateway security policy file; if verification succeeds it forwards the packet, and if verification fails it discards the packet.
In this embodiment of the present invention, the management center configures a terminal security policy file for the trusted terminal and a gateway security policy file for the trusted gateway. The trusted terminal applies security control, according to the terminal security policy file, to the packets flowing into or out of it, and the trusted gateway applies security control, according to the gateway security policy file, to the packets passing through it. This achieves secure communication between different network domains, prevents malicious tampering of packets, and prevents malicious access between network domains that have no access rights to each other.
Embodiment 2
Referring to Fig. 2A, an embodiment of the present invention provides a secure communication control method. In this embodiment, a management center centrally manages the trusted terminals and trusted gateways in the network, and multiple trusted terminals and multiple trusted gateways can form different network domains. The secure communication control method provided by this embodiment achieves secure communication between different network domains. The method specifically comprises the following steps:
Before security control is applied to communication between the network domains, the initial configuration of the trusted terminals and trusted gateways is first completed through the operations of steps 201-204 below.
Step 201: the management center generates a terminal security policy file and sends it to the trusted terminal; the terminal security policy file comprises a label allocation table, a multicast key table, an access control list and a security domain correlation table;
In this embodiment, the trusted terminals and trusted gateways can be hardened with trusted enhancement technology to increase their trustworthiness. Multiple virtual machines can be installed on a trusted terminal according to user needs. Exception devices are devices that cannot be trust-enhanced. The communication network formed by the exception devices, trusted terminals and trusted gateways can contain multiple different network domains; each network domain covers one IP (Internet Protocol) address range and can contain multiple trusted terminals or exception devices, and different network domains are connected through trusted gateways.
For each network domain the management center sets a security domain ID (identifier), a security level and a multicast key. The security domain ID identifies the network domain. The security level of a network domain is assigned according to its IP address range and can be one of several grades such as top secret, secret, confidential and open; because network domains carry security levels, a network domain is also called a security domain in the present invention. Each network domain has its own multicast key, and secure communication between network domains is achieved using the multicast keys of the domains. For each network domain the management center also sets which network domains it may access and which network domains it is forbidden to access. All terminals within one security domain can communicate freely, security domains of the same security level can communicate with each other, and communication between particular network domains can be forbidden as needed.
When the management center configures a terminal security policy file for a trusted terminal, it first determines the network domain the trusted terminal belongs to from the terminal's IP address, and forms the multicast key table of the trusted terminal from the security domain ID and multicast key of that network domain.
From the network domain the trusted terminal belongs to, the management center determines the network domains the trusted terminal is allowed to access and the identifiers of the exception devices contained in those domains, and forms the access control list of the trusted terminal from the security domain IDs, IP address ranges and multicast keys of the allowed network domains together with the identifiers of the exception devices they contain. The identifier of an exception device can be the IP address of the external device.
From the network domain the trusted terminal belongs to, the management center determines the network domains the trusted terminal is forbidden to access, and forms the security domain mutual-exclusion table of the trusted terminal from the security domain IDs of those domains.
In addition, it is sometimes necessary to change the network domain a trusted terminal belongs to, and such changes need to be recorded. The management center keeps a security domain history table for each trusted terminal; it contains the identifiers of the virtual machines on the trusted terminal, the security domain IDs of the network domains each virtual machine has belonged to, and the start and end times of membership in each domain. After a trusted terminal has been moved out of the network domain it belonged to, it must not be reassigned to any network domain that its original domain is forbidden to communicate with. Therefore, each time the management center reassigns a trusted terminal, or a virtual machine on a trusted terminal, to a network domain, it must first check whether that domain is mutually exclusive with any network domain recorded in the security domain history table. The management center forms the security domain correlation table from the trusted terminal's security domain mutual-exclusion table and security domain history table.
A trusted terminal has multiple ports, and the management center can set a priority level for each port; the priority of a port can be one of several grades such as low, high or real-time. The management center forms the label allocation table of the trusted terminal from the port number and priority level of each of its ports.
The management center assembles the multicast key table, access control list, security domain correlation table and label allocation table into the terminal security policy file and sends it to the trusted terminal.
The management center configures a terminal security policy file in the same way for every other trusted terminal in the network.
In this embodiment, when the security domain of a trusted terminal is changed, the security domain to be assigned is selected from a list. It is checked whether the security level of the selected security domain is higher than the security level of the trusted terminal. The trusted terminal's security domain history table and security domain mutual-exclusion table are then checked to determine whether the currently selected security domain is mutually exclusive with any security domain recorded in its history; if it is, a different domain must be selected, and if not, the selection is reported as successful and the security domain of the trusted terminal is changed to the selected one. A new record containing the current trusted terminal ID and the current security domain ID is then added to the security domain history table.
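The reassignment check described above, as an added example that is not the patent's own code. It assumes the table shapes given in the comments and assumes that a domain whose security level is higher than the terminal's is rejected (the page states the comparison but not the outcome); all IDs and levels are constructed.

```python
from typing import List, Optional, Tuple

# Constructed security domain mutual-exclusion table: domain ID -> domains it may not
# communicate with. Constructed level table: domain ID -> security level (higher = more sensitive).
MUTEX_TABLE = {"SD-01": {"SD-03"}, "SD-02": set(), "SD-03": {"SD-01"}}
LEVELS = {"SD-01": 3, "SD-02": 2, "SD-03": 1}

# Security domain history record: (vm_id, domain_id, start_time, end_time); end_time is None
# for the membership that is still current.
HistoryRecord = Tuple[str, str, int, Optional[int]]


def is_mutex(a: str, b: str) -> bool:
    """Mutual exclusion is symmetric: an entry on either side forbids communication."""
    return b in MUTEX_TABLE.get(a, set()) or a in MUTEX_TABLE.get(b, set())


def reassign_domain(history: List[HistoryRecord], vm_id: str, new_domain: str,
                    terminal_level: int, now: int) -> Tuple[bool, str]:
    """Move vm_id into new_domain if (1) the domain's level does not exceed the terminal's
    (assumed direction) and (2) no domain in the VM's history is mutually exclusive with it.
    On success the current record is closed and a new one appended, as the page describes."""
    if LEVELS[new_domain] > terminal_level:
        return False, "security level of %s exceeds the terminal's level" % new_domain
    for rec_vm, rec_domain, _start, _end in history:
        if rec_vm == vm_id and is_mutex(rec_domain, new_domain):
            return False, "%s is mutually exclusive with historical domain %s" % (new_domain, rec_domain)
    for i, (rec_vm, rec_domain, start, end) in enumerate(history):
        if rec_vm == vm_id and end is None:
            history[i] = (rec_vm, rec_domain, start, now)  # close the current membership
    history.append((vm_id, new_domain, now, None))
    return True, "ok"
```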
When the terminal security policy file is updated, the management center must promptly send the updated terminal security policy file to the trusted terminal.
In addition, in this embodiment, before the management center sends the terminal security policy file to a trusted terminal, it may first authenticate the identity of the trusted terminal. Identity authentication can be initiated by the trusted terminal using a peer-to-peer identity authentication protocol based on a public key system. After authentication succeeds and the trusted terminal has obtained the terminal security policy file, the trusted terminal can store the multicast key table from the terminal security policy file in a UKey (a small storage device).
Step 202: the trusted terminal receives and stores the terminal security policy file sent by the management center;
While the management center completes the initial configuration of the trusted terminals in the network, it also needs to complete the initial configuration of the trusted gateways through the operations of steps 203 and 204 below.
Step 203: the management center generates a gateway security policy file and sends it to the trusted gateway; the gateway security policy file comprises an exception device list, a signature verification policy table and a security domain multicast key table;
The management center forms the security domain multicast key table from the security domain IDs and multicast keys of all network domains. The administrator forms the exception device list from the IDs of all exception devices and the IP address ranges of the security domains each exception device may access.
In this embodiment, the signature verification behaviour of the trusted gateway is controlled by two factors. The first is the priority of the port: packets of high priority are verified at a lower ratio, and packets of low priority at a higher ratio. The second is the security level of the trusted terminal or virtual machine: the higher the security level, the higher the verification ratio. Taking both factors into account, the management center specifies a signature verification policy table, which can be a two-dimensional table formulated by the management center on the basis of a risk metric, as shown in Table 1.
Table 1: signature verification ratio by security level (rows) and port priority (columns)

Security level   Low    High   Real-time
Top secret       100%   50%    20%
Secret           50%    30%    10%
Confidential     30%    20%    5%
Open             20%    10%    0%
The percentages in Table 1 are signature verification ratios: for example, when the security level is top secret and the priority level is low, the verification ratio is 100%, i.e. every packet whose security level is top secret and whose priority level is low is verified. The percentages can be pre-configured by the administrator. Before a trusted terminal sends a packet it first loads a stream label onto the packet, and the stream label contains the security domain ID and priority level fields. When the packet reaches a trusted gateway, the gateway verifies the stream label of the packet at the sampling ratio given by the two-dimensional table shown in Table 1.
The management center assembles the exception device list, signature verification policy table and security domain multicast key table into the gateway security policy file and sends it to the trusted gateway. The management center sends a gateway security policy file in this way to every trusted gateway in the network. When the gateway security policy file is updated, the management center must promptly send the updated gateway security policy file to the trusted gateway.
In this embodiment, before the management center sends the gateway security policy file to a trusted gateway, it may first authenticate the identity of the trusted gateway. When a trusted gateway starts for the first time it performs bidirectional identity authentication with the management center; the authentication is initiated by the trusted gateway towards the management center using a peer-to-peer authentication protocol based on a public key system, and only after authentication succeeds can the trusted gateway obtain the gateway security policy file.
The authentication process of the above peer-to-peer authentication protocol based on a public key system is as follows:
The trusted gateway initiates a session with the management center: it encrypts the trusted gateway's ID and the trusted gateway's public key digital certificate with the management center's public key and sends them to the management center; on receiving the trusted gateway's public key digital certificate, the management center obtains the trusted gateway's public key. The management center then encrypts, with the trusted gateway's public key, its own public key digital certificate, its identity ID and a first random number it generates, and sends them to the trusted gateway. On receiving this information, the trusted gateway obtains the management center's public key from the management center's public key digital certificate, then encrypts the trusted gateway's ID, a second random number it generates and the first random number with the management center's public key, and sends them to the management center. The management center decrypts with its own private key and confirms the identity of the trusted gateway; finally, the management center encrypts, with the trusted gateway's public key, the multicast keys and security domain IDs of the security domains administered by the trusted gateway and transfers them to the trusted gateway, whereupon the peer-to-peer authentication of both parties ends.
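An added example, not the patent's own code, that ties together the stream label construction and verification of the first aspect with the gateway's sampled verification from Table 1. HMAC-SHA256 stands in for the page's "hash operation with the multicast key", one fixed field order is used on both sides, and every table, key, address and port mapping is constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed multicast key table: security domain ID -> (security level, multicast key).
# The patent distributes these in the terminal and gateway security policy files.
DOMAIN_TABLE = {
    "SD-01": ("top_secret", b"constructed-multicast-key-sd01"),
    "SD-04": ("open", b"constructed-multicast-key-sd04"),
}
# Constructed label allocation table: destination port -> priority level.
PORT_PRIORITY = {22: "low", 443: "high", 5060: "realtime"}
# Signature verification policy table of Table 1: security level -> priority -> ratio in %.
SIGN_TEST_POLICY = {
    "top_secret":   {"low": 100, "high": 50, "realtime": 20},
    "secret":       {"low": 50,  "high": 30, "realtime": 10},
    "confidential": {"low": 30,  "high": 20, "realtime": 5},
    "open":         {"low": 20,  "high": 10, "realtime": 0},
}


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    vm_id: str
    payload: bytes
    label: Optional[dict] = None


def _check_value(key, domain_id, level, priority, src, dst, vm_id, reserved, payload):
    """Keyed hash over label and packet fields. HMAC-SHA256 is the assumed instantiation of
    the page's hash operation with the multicast key. Both sides must use one fixed field
    order; each field is length-prefixed so moving bytes between fields changes the input."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (domain_id, level, priority, src, dst, vm_id, reserved, payload):
        data = field if isinstance(field, bytes) else str(field).encode()
        mac.update(struct.pack(">I", len(data)) + data)
    return mac.digest()


def make_stream_label(pkt: Packet, own_domain: str) -> dict:
    """Trusted terminal, outflow: build the stream label (domain ID, priority, VM ID,
    reserved field, check value) from the terminal's own security domain."""
    level, key = DOMAIN_TABLE[own_domain]
    priority = PORT_PRIORITY.get(pkt.dst_port, "low")
    reserved = 0
    check = _check_value(key, own_domain, level, priority, pkt.src, pkt.dst,
                         pkt.vm_id, reserved, pkt.payload)
    return {"domain": own_domain, "priority": priority, "vm_id": pkt.vm_id,
            "reserved": reserved, "check": check}


def verify_stream_label(pkt: Packet) -> bool:
    """Receiver side: look up key and level by the label's domain ID, recompute the check
    value over the label fields plus the packet's own addresses and payload, and compare."""
    lbl = pkt.label
    if lbl is None or lbl["domain"] not in DOMAIN_TABLE:
        return False  # no label, or an unknown domain with no multicast key to check against
    level, key = DOMAIN_TABLE[lbl["domain"]]
    expected = _check_value(key, lbl["domain"], level, lbl["priority"], pkt.src, pkt.dst,
                            lbl["vm_id"], lbl["reserved"], pkt.payload)
    return hmac.compare_digest(expected, lbl["check"])


def terminal_inflow(pkt: Packet, acl_external: set) -> str:
    """Trusted terminal, inflow: an unlabelled packet is accepted only if its source is an
    external (exception) device listed in the ACL; a labelled packet must verify."""
    if pkt.label is None:
        return "accept" if pkt.src in acl_external else "drop"
    return "accept" if verify_stream_label(pkt) else "drop"


def gateway_forward(pkt: Packet, exception_devices: set) -> str:
    """Trusted gateway: same rule for unlabelled packets; a labelled packet is verified only
    at the ratio Table 1 assigns to (sender's security level, label priority)."""
    if pkt.label is None:
        return "forward" if pkt.src in exception_devices else "drop"
    entry = DOMAIN_TABLE.get(pkt.label["domain"])
    if entry is None:
        return "drop"
    ratio = SIGN_TEST_POLICY[entry[0]][pkt.label["priority"]]
    # Deterministic sampling on the check value keeps this example reproducible; a deployed
    # gateway would draw randomly so senders cannot predict which packets are checked.
    # A 0% cell (open / real-time) means a tampered label in that class passes unverified.
    sampled = int.from_bytes(pkt.label["check"][:2], "big") % 100 < ratio
    if sampled and not verify_stream_label(pkt):
        return "drop"
    return "forward"
```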
Step 204: The trusted gateway receives and stores the security policy file sent by the administrative center;
In an embodiment of the present invention, configuring the terminal security policy file for the trusted terminal and the gateway security policy file for the trusted gateway are collectively referred to as configuring the security policy file for the terminal. This configuration can take the following two forms:
1. The terminal actively initiates authentication.
The terminal sends a connection request. The administrative center pre-configures a server-side listening thread that receives connection requests from terminals in real time. After the TCP (Transmission Control Protocol) connection between the terminal and the administrative center has been established, the administrative center digitally signs the security policy file to be pushed with its private key and then sends it to the terminal. After receiving the security policy file, the terminal verifies the digital signature using the public-key certificate of the administrative center; the current timestamp of the administrative center is included to guarantee the security of the policy file. If verification fails, the terminal must ask the administrative center to resend the security policy file.
2. The administrative center actively initiates authentication.
When the security policy file at the administrative center is updated, the administrative center sends a request to the terminal to establish a TCP connection. The terminal must open a listening port in advance and check in real time whether there is a request from the administrative center; after the TCP connection is established, the updated security policy file is sent to the terminal using the same digital-signature verification method as in the first form.
After the initial configuration of the trusted terminals and trusted gateways in the network has been completed by steps 201-204 above, the trusted terminals and trusted gateways can perform security control of the data communication in the network through the operations of steps 205-212 as follows.
Step 205: The trusted terminal intercepts a data packet through the network filter driver and judges the type of the data packet according to its source address and destination address; step 206 is performed when the type is the outflow type, and step 207 when the type is the inflow type;
Because multiple virtual machines are installed on the trusted terminal, a virtual machine may be sending data packets outward at the same time as data packets sent by other devices are being received. Accordingly, in the embodiment of the present invention the type of a data packet is divided into two kinds, the inflow type and the outflow type. A data packet of the inflow type is one sent by another device, and a data packet of the outflow type is one sent outward by a virtual machine of the trusted terminal.
The trusted terminal intercepts the data packet passing through it by means of the network filter driver, obtains the source address and destination address from the packet, and compares each with the IP address of the trusted terminal. If the source address of the packet is identical to the IP address of the trusted terminal, the packet is judged to be of the outflow type; if the destination address is identical to the IP address of the trusted terminal, the packet is judged to be of the inflow type.
Step 206: The trusted terminal performs security processing on the data packet according to the destination address and the terminal security policy file;
When the data packet is judged to be of the outflow type, the trusted terminal judges from the destination address whether the receiving terminal of the packet lies within the range corresponding to the same trusted gateway as the trusted terminal. "The range corresponding to the same trusted gateway" means that the domain to which the receiving terminal belongs and the domain to which the trusted terminal belongs are connected to the same trusted gateway; trusted terminals within the range of the same trusted gateway can access one another. The destination address of the packet is the IP address of the receiving terminal. According to this IP address, the trusted terminal looks up the IP address ranges of the domains contained in the access control list of the terminal security policy file, determines the domain to which the receiving terminal belongs, and judges whether that domain and the domain of the trusted terminal lie within the range of the same trusted gateway. If so, the trusted terminal sends the packet to the receiving terminal. If not, it checks, according to the destination address, whether the exception device list in the terminal security policy file contains that destination address; if it does, the receiving terminal is judged to be an exception device and the packet is delivered to it. If it does not, the receiving terminal is judged not to be an exception device; the trusted terminal then generates a stream label for the packet, adds the stream label to the packet, and sends the labelled packet to the receiving terminal.
The process of generating a stream label for a data packet and adding it to the packet is as follows:
The trusted terminal obtains the security level of the security domain to which it belongs; obtains the priority level corresponding to the port number of the packet from the label allocation table in the terminal security policy file; obtains the identifier of the security domain to which it belongs and the corresponding multicast key from the multicast key table in the terminal security policy file; and obtains the source address, destination address, virtual machine identifier, reserved field and data segment from the packet. It then performs a hash operation, keyed with the multicast key, over the security domain identifier, security level, priority level, source address, destination address, virtual machine identifier, reserved field and data segment, obtaining a check value. The security domain identifier, priority level, virtual machine identifier, reserved field and check value together form the stream label of the packet, which is added to the packet header.
The virtual machine identifier above is an identifier configured by the administrative center for each virtual machine; once configured it can no longer be modified, and it is mainly used for auditing. The reserved field is mainly used for extending the content of the stream label. The check value guarantees the authenticity of the IP addresses in the packet and prevents them from being tampered with: it is calculated with the multicast key over the packet's source IP address, destination IP address, priority level, security domain identifier, virtual machine identifier, reserved field and data segment.
The stream label is mainly used for access control: it guarantees the authenticity of the data and prevents identities from being forged and IP addresses from being tampered with. In addition, the stream label can be used for flow control: data flows that carry no stream label and do not belong to an exception device are not allowed in the communication, i.e. no abnormal flows are allowed.
In an embodiment of the present invention, the trusted terminal first checks against the terminal security policy file whether it may communicate with the recipient of the data to be sent; after the check passes it adds a stream label to the packet and then sends the data normally. For packets of the outflow type, the trusted terminal judges the receiving terminal in the manner described above and performs security processing according to the result, so as to prevent virtual machines on the trusted terminal from making unauthorized access to domains they are forbidden to access.
Step 207: The trusted terminal performs security verification on the data packet according to the source address and the terminal security policy file;
When the trusted terminal judges that a data packet intercepted by the network filter driver is of the inflow type, it must judge the terminal that sent the packet and perform security control according to the result, so as to prevent unauthorized access to the trusted terminal by other terminals.
The process of the security verification is as follows:
The trusted terminal judges whether the packet header contains a stream label. If it does not, the trusted terminal checks, according to the source address of the packet, the exception device list in the terminal security policy file: if the list contains the source address, the sending terminal is judged to be an exception device and the packet is received; if the list does not contain the source address, the packet is discarded.
If the trusted terminal judges that the packet header contains a stream label, it verifies the stream label; if the verification passes the packet is received, and if it fails the packet is discarded.
In an embodiment of the present invention the stream label can be verified in the following way:
The trusted terminal obtains the security domain identifier, priority level, virtual machine identifier, reserved field and check value from the stream label, and the source address, destination address and data segment from the packet. From the security domain identifier it obtains the security level of the security domain and, from the multicast key table in the terminal security policy file, the corresponding multicast key. It then performs a hash operation, keyed with the multicast key, over the security domain identifier, virtual machine identifier, reserved field, security level, priority level, source address, destination address and data segment, and compares the result with the check value in the label: if the two are identical the verification passes, otherwise it fails.
To prevent the trusted terminal from receiving malicious or unauthorized data sent by an untrusted terminal administered by the same gateway, and to improve the verification efficiency of the terminal and even of the whole network, for packets carrying a stream label the trusted terminal may first judge from the source address whether the packet comes from its own security domain. If it does not, the terminal checks the security domain mutual-exclusion table: if that security domain is present in the table, the packet is not allowed to flow up to the upper layer; if it is absent, the packet is allowed in. If the packet does belong to the same security domain, the label is verified as described above.
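As an added illustration (not code from the patent) of the label generation of step 206 and the verification of step 207 including the mutual-exclusion shortcut, in Python; the wire layout of the label, HMAC-SHA256 as the keyed hash operation, and the sample policy file contents are assumptions:

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed on-wire label layout (the patent does not fix one): a 2-byte marker,
# security-domain id (2 bytes), priority (1), virtual-machine id (4),
# reserved (4) and a 32-byte check value. The keyed "hash operation" is
# taken to be HMAC-SHA256 under the domain's multicast key (assumption).
MAGIC = b"SL"
LABEL_FMT = "!2sHBII32s"
LABEL_LEN = struct.calcsize(LABEL_FMT)

# Constructed sample of a terminal security policy file.
POLICY = {
    # label allocation table: port number -> priority level (0 = real-time, assumed)
    "label_alloc": {5060: 0, 443: 1, 80: 2},
    # multicast key table: domain id -> (security level, multicast key)
    "multicast_keys": {1: (3, b"domain-1-key"), 2: (1, b"domain-2-key")},
    # access control list: domain id -> IP address ranges of that domain
    "acl": {1: ["10.1.0.0/16"], 2: ["10.2.0.0/16"], 3: ["10.3.0.0/16"]},
    # domains served by the same trusted gateway as this terminal
    "gateway_domains": {1, 3},
    "exception_devices": {"192.168.100.7"},
    # security-domain mutual-exclusion table: own domain -> domains not admitted
    "mutex_domains": {1: {2}},
}


def check_value(key, domain, level, priority, src, dst, vm_id, reserved, data):
    """Keyed hash over the label fields, both addresses and the data segment."""
    msg = struct.pack("!HBB", domain, level, priority)
    msg += ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!II", vm_id, reserved) + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def domain_of(policy, ip):
    """Domain whose ACL address range contains ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for domain, nets in policy["acl"].items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return domain
    return None


def build_label(policy, domain, src, dst, port, vm_id, data, reserved=0):
    """Stream label of step 206: domain id, priority, VM id, reserved field, check value."""
    level, key = policy["multicast_keys"][domain]
    priority = policy["label_alloc"].get(port, 255)  # 255: port not in the table (assumed)
    cv = check_value(key, domain, level, priority, src, dst, vm_id, reserved, data)
    return struct.pack(LABEL_FMT, MAGIC, domain, priority, vm_id, reserved, cv)


def handle_outbound(policy, my_domain, src, dst, port, vm_id, data):
    """Step 206 for an outflow packet: returns the bytes to put on the wire."""
    if domain_of(policy, dst) in policy["gateway_domains"]:
        return data                      # same trusted gateway: sent without a label
    if dst in policy["exception_devices"]:
        return data                      # exception device: delivered without a label
    return build_label(policy, my_domain, src, dst, port, vm_id, data) + data


def handle_inbound(policy, my_domain, src, dst, packet):
    """Step 207 plus the mutual-exclusion shortcut: returns 'accept' or 'drop'."""
    if len(packet) < LABEL_LEN or not packet.startswith(MAGIC):
        # unlabelled traffic is admitted only from listed exception devices
        return "accept" if src in policy["exception_devices"] else "drop"
    _, domain, priority, vm_id, reserved, cv = struct.unpack(LABEL_FMT, packet[:LABEL_LEN])
    data = packet[LABEL_LEN:]
    src_domain = domain_of(policy, src)
    if src_domain is None:
        return "drop"                    # address outside every known range (assumed policy)
    if src_domain != my_domain:
        # cross-domain packet: the mutual-exclusion table decides, no check value test
        return "drop" if src_domain in policy["mutex_domains"].get(my_domain, set()) else "accept"
    if domain not in policy["multicast_keys"]:
        return "drop"                    # label names a domain we hold no key for
    level, key = policy["multicast_keys"][domain]
    expected = check_value(key, domain, level, priority, src, dst, vm_id, reserved, data)
    # constant-time comparison so a forged check value cannot be probed byte by byte
    return "accept" if hmac.compare_digest(expected, cv) else "drop"
```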
In an embodiment of the present invention, when the trusted terminal receives data it verifies the stream label in the received packet according to the terminal security policy file, guaranteeing the integrity of the stream label.
As shown in Fig. 2B, the network filter driver of the trusted terminal intercepts a data packet and judges whether its type is inflow or outflow; if outflow, it adds a stream label to the packet, and if inflow, it verifies the stream label contained in the packet. By the operations of steps 205-207 above, all packets passing through the trusted terminal are subjected to security processing, packets of unauthorized access are discovered and discarded in time, and virtual machines on the trusted terminal are prevented from accessing forbidden domains, which improves the safety and credibility of network communication.
After the communication security control performed by the trusted terminal through the above operations, the trusted terminal can be further controlled through the operations of steps 208 and 209 as follows.
Step 208: The trusted terminal records access behaviour information, composes the access behaviour information into a terminal security log, and sends the terminal security log to the administrative center every first preset time period;
The first preset time period may be one day, one week, etc. The access behaviour information may include the virtual machine ID or trusted gateway ID, source IP, source port, destination IP, destination port, security level, event, date, and so on.
Step 209: The administrative center receives the terminal security log sent by the trusted terminal and performs security monitoring of the trusted terminal according to the terminal security log;
The administrative center sends the terminal security log to the terminal of the audit administrator, which receives and displays it, so that the audit administrator can perform a security audit of the terminal security log and check for users attempting unauthorized access.
In addition, the audit administrator can also log in to the trusted terminal with an authorized UKey and directly audit the terminal security log generated by the trusted terminal.
In an embodiment of the present invention, the trusted gateway can perform security processing on the data packets passing through it according to the gateway security policy file, through the operations of steps 210-212 as follows.
Step 210: The trusted gateway receives a data packet sent by a terminal and performs security verification on it; if the verification passes the packet is forwarded, and if it does not pass the packet is discarded;
The trusted gateway receives the packet sent by the terminal and judges whether it contains a stream label. If it does not, the gateway checks, according to the source address of the packet, whether the exception device list in the gateway security policy file contains that source address; if it does, the terminal is judged to be an exception device and the packet is forwarded. If the exception device list does not contain the source address, the terminal is judged not to be an exception device and the packet is discarded.
If the trusted gateway judges that the packet contains a stream label, it obtains the security domain identifier, priority level, virtual machine identifier, reserved field and check value from the stream label, and the source address, destination address and data segment from the packet. From the security domain identifier it obtains the security level of the security domain and, from the security domain multicast key table in the gateway security policy file, the corresponding multicast key. It then performs a hash operation, keyed with the multicast key, over the security domain identifier, virtual machine identifier, reserved field, security level, priority level, source address, destination address and data segment, and compares the result with the check value: if the two are identical the verification passes, otherwise it fails.
In an embodiment of the present invention, packets passing through the trusted gateway can also be divided into two types, those flowing into the gateway and those flowing out of it. The trusted gateway's processing flow for inflowing packets may be as follows: the gateway first checks whether the packet carries a stream label. If not, it checks the exception device list according to the packet's source address to judge whether the sender is an exception device; if so, the packet is allowed to flow in, otherwise the packet is refused. If the packet carries a stream label, the gateway verifies it, and packets that pass verification are allowed to flow into the trusted gateway. The processing of outflowing packets is as follows: the trusted gateway implements the processing of packets to be sent out through its network filter driver. When a packet is transferred from the network card to the network filter driver, the driver intercepts it and checks whether it carries a stream label; if it does, the packet is transferred out directly. If it does not, the driver checks whether the sender is an exception device; if so, the packet is transferred out, otherwise it is discarded.
The trusted gateway can also balance the load of label verification (sign test): verifying a large volume of packets lowers the gateway's own execution efficiency, so the load balancing of verification must be considered.
The verification modes of the trusted gateway can be divided into no verification, sampled verification and full verification. No verification means that the gateway only looks at whether the packet carries a trusted label and controls forwarding according to the trusted label and the gateway security policy file; the trusted gateway holds a table of the terminal IPs within its area of jurisdiction, and when its traffic is large it checks the IP of each packet against this table, and packets whose IP belongs to the table are not verified. Sampled verification selects packets for verification at random according to the sampling proportion set in Table 1 or according to a sampling proportion adjustment formula. Full verification means that all packets flowing through the trusted gateway are verified.
Furthermore, the sampling proportion of the trusted gateway can be adjusted automatically. The sampling proportion is matched to the secrecy level required by the trusted terminal or security domain: the higher the secrecy level, the higher the proportion verified. The sampling proportion is inversely related to the real-time requirement of the business: the higher the real-time requirement, the lower the proportion verified. The priority in the stream label can therefore be used to guarantee the real-time performance of certain specific processes; when the network traffic is large, the trusted gateway can forward packets directly according to the priority level in the stream label. Verification is sampled at random at the rate that the verification bivariate table set by the administrative center gives for the security level corresponding to the security domain ID in the stream label and the priority level. After the network filter driver intercepts a packet, it first looks up the verification strategy (formulated as shown in Fig. 2C) according to the priority level and security level in the stream label, then applies the corresponding verification mode to the packet. Verification is implemented mainly according to the bivariate table issued by the administrative center and proceeds by counting packets. As shown in Fig. 2C, when the security level of a packet is top secret and the priority level is "real-time", the verification strategy is "verify once every 5 packets": the currently intercepted packet is counted, the packet is let through while the count has not reached 5, and when the count reaches 5 the current packet is verified.
Step 211: The trusted gateway records data packet exception information, composes it into a gateway security log, and sends the gateway security log to the administrative center every second preset time period;
The second preset time period may be one day, one week, etc. The data packet exception information may be the packets discarded by the trusted gateway during security verification, as these packets present security risks.
Step 212: The administrative center receives the gateway security log sent by the trusted gateway and performs security monitoring of the trusted gateway according to the gateway security log.
The administrative center sends the gateway security log to the terminal of the audit administrator, which receives and displays it, so that the audit administrator can perform a security audit of the packets with security risks contained in the gateway security log and check for users attempting unauthorized access.
In an embodiment of the present invention there may be many communication situations between devices; for ease of understanding they are illustrated with reference to the drawings. The communication network shown in Fig. 2D can summarize the various communication situations in the embodiment of the present invention. All exception devices must communicate with other devices through a trusted gateway. The communication situations are illustrated below:
1. The two communicating parties are connected through several trusted gateways, and both are conventional trusted terminals, such as the communication between trusted terminal C1 and trusted terminal C5 shown in Fig. 2D;
2. There is a trusted gateway between the two communicating parties, but one of them is an exception device, such as the communication between trusted terminal C1 and exception device C6 shown in Fig. 2D;
3. The two communicating parties are connected through a switch without a trusted gateway, and both are conventional trusted terminals, such as the communication between trusted terminal C1 and trusted terminal C3 shown in Fig. 2D;
4. One of the two communicating parties is an exception device, such as the communication between trusted terminal C1 and exception device C2 shown in Fig. 2D;
5. The two communicating parties are connected through one trusted gateway, and both are trusted terminals, such as the communication between trusted terminal C1 and trusted terminal C7 shown in Fig. 2D;
6. Both communicating parties are exception devices and are connected through a trusted gateway, which processes the data they send, such as the communication between exception device C2 and exception device C6 shown in Fig. 2D.
Situations 1 and 2 above are both handled by a trusted gateway, which can perform security control of the packets passing through it by the operation of step 210. In situation 3 no trusted gateway controls the packets, and the trusted terminals at the sending and receiving ends can perform security control of the packets according to the operations of steps 205-207. Since all exception devices must pass through a trusted gateway, they communicate through the trusted gateway and are managed by it.
In an embodiment of the present invention, during secure communication the network filter driver of the sending terminal judges according to the terminal security policy file issued by the administrative center whether the packet may be sent, loads a stream label onto packets that are allowed out, and sends the labelled packet. When a packet flows out of the trusted gateway, the gateway does not verify it but only checks whether it carries a stream label and, if the sender is an exception device, performs the corresponding operation. When a packet flows into the trusted gateway, the gateway verifies it; the verification mode, which is broadly divided into full verification, sampled verification and no verification, is determined by the packet count and by the security level and priority level in the packet's stream label. The network filter driver of the receiving terminal verifies inflowing packets and allows those that pass verification into the terminal.
Besides trusted terminals, trusted gateways and exception devices, the communication network also contains devices such as servers and switches. Whatever the topology of the communication network, the data communication in the network can be security-controlled by the trusted terminals and trusted gateways according to the method provided by the embodiment of the present invention.
In the method provided by the embodiment of the present invention, the administrative center configures the terminal security policy file for the trusted terminal and the gateway security policy file for the trusted gateway. The trusted terminal performs security control of packets flowing into or out of it according to the terminal security policy file, and the trusted gateway performs security control of packets passing through it according to the gateway security policy file. In this way secure communication between different network domains is realized, and malicious access between domains without access rights is avoided.
Embodiment 3
Referring to Fig. 3, an embodiment of the present invention provides a secure communication control system which specifically includes an administrative center 301, a trusted terminal 302 and a trusted gateway 303. Because data communication also takes place between the trusted terminal 302 and the trusted gateway 303, the communication connection between them is shown in Fig. 3 with a broken line.
The administrative center 301 is configured to send the terminal security policy file to the trusted terminal 302 and the gateway security policy file to the trusted gateway 303; to receive the terminal security log sent by the trusted terminal 302 and the gateway security log sent by the trusted gateway 303; and to perform security monitoring of the trusted terminal 302 and the trusted gateway 303 according to the terminal security log and the gateway security log respectively.
The trusted terminal 302 is configured to receive the terminal security policy file sent by the administrative center 301, the file including a label allocation table, a multicast key table, an access control list and a security domain correlation table; to intercept data packets through the network filter driver and judge the type of each packet, outflow or inflow, according to its source address and destination address; to perform security processing on the packet according to the destination address and the terminal security policy file when the type is judged to be outflow; and to perform security verification on the packet according to the source address and the terminal security policy file when the type is judged to be inflow;
When the packet is of the outflow type, the trusted terminal 302 judges according to the destination address whether the receiving terminal lies within the range of the same trusted gateway as the trusted terminal 302. If so, it sends the packet to the receiving terminal. If not, it judges according to the destination address and the access control list in the terminal security policy file whether the receiving terminal is an exception device; if so, it delivers the packet to the receiving terminal; if not, it generates a stream label for the packet, adds the label to the packet, and sends the labelled packet to the receiving terminal.
The trusted terminal 302 obtains the security level of its own security domain; obtains the priority level corresponding to the packet's port number from the label allocation table in the terminal security policy file; obtains the identifier of its security domain and the corresponding multicast key from the multicast key table in the terminal security policy file; performs a hash operation, keyed with the multicast key, over the security domain identifier, security level, priority level, source address, destination address, virtual machine identifier, reserved field and data segment to obtain a check value; forms the stream label from the security domain identifier, priority level, virtual machine identifier, reserved field and check value; and adds the stream label to the packet header.
When the packet is of the inflow type, the trusted terminal 302 judges whether the packet header contains a stream label. If not, it judges according to the source address and the access control list in the terminal security policy file whether the sending terminal is an exception device; if so, it receives the packet, otherwise it discards the packet. If the header contains a stream label, it verifies the label; if the verification passes the packet is received, otherwise it is discarded.
The trusted terminal 302 obtains the security domain identifier, priority level, virtual machine identifier, reserved field and check value from the stream label, and the source address, destination address and data segment from the packet; obtains the multicast key and security level of the security domain from the security domain identifier; performs a hash operation keyed with the multicast key over the security domain identifier, virtual machine identifier, reserved field, security level, priority level, source address, destination address and data segment; and compares the result with the check value: if the two are identical the verification passes, otherwise it fails.
The trusted terminal 302 also records access behaviour information, composes it into a terminal security log, and sends the terminal security log to the administrative center 301 every first preset time period.
The trusted gateway 303 is configured to receive the gateway security policy file sent by the administrative center 301, the file including an exception device list, a verification policy table and a security domain multicast key table; to receive packets sent by terminals and judge whether each packet contains a stream label; if not, to judge according to the source address and the exception device list in the gateway security policy file whether the terminal is an exception device, forwarding the packet if so and discarding it otherwise; and if the packet contains a stream label, to verify the label according to the gateway security policy file, forwarding the packet if the verification passes and discarding it otherwise.
The trusted gateway 303 also records data packet exception information, composes it into a gateway security log, and sends the gateway security log to the administrative center 301 every second preset time period.
In the system provided by the embodiment of the present invention, the administrative center configures the terminal security policy file for the trusted terminal and the gateway security policy file for the trusted gateway. The trusted terminal performs security control of packets flowing into or out of it according to the terminal security policy file, and the trusted gateway performs security control of packets passing through it according to the gateway security policy file. In this way secure communication between different network domains is realized, and malicious access between domains without access rights is avoided.
The device provided by the embodiment of the present invention may be specific hardware in an apparatus, or software or firmware installed on the apparatus. It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system, device and units described above may refer to the corresponding process in the method embodiment above.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation. For instance, several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or some of the steps of the method according to the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a USB flash disk, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.
The above is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be that of the claims.

Claims (8)

1. A secure communication control method, characterized in that the method comprises:
a trusted terminal intercepts a data packet through a network filter driver and, according to the source address and destination address of the data packet, judges the type of the data packet, the type of the data packet being outflow type or inflow type;
when the data packet is judged to be of outflow type, the trusted terminal performs security processing on the data packet according to the destination address and a terminal security policy file;
when the data packet is judged to be of inflow type, the trusted terminal judges whether the header of the data packet contains a stream label; if no stream label is contained, it judges, according to the source address of the data packet and the access control list included in the terminal security policy file, whether the sending terminal is an external device, and if so receives the data packet, otherwise discards the data packet; if a stream label is contained, it checks the stream label, and if the check passes receives the data packet, and if the check fails discards the data packet.
2. The method according to claim 1, characterized in that the trusted terminal performing security processing on the data packet according to the destination address and the terminal security policy file comprises:
the trusted terminal judges, according to the destination address, whether the receiving terminal and the trusted terminal lie within the range corresponding to the same trusted gateway;
if so, the data packet is sent to the receiving terminal; if not, it judges, according to the destination address and the access control list included in the terminal security policy file, whether the receiving terminal is an exception device;
if it is an exception device, the data packet is sent to the receiving terminal; if it is not an exception device, a stream label is generated for the data packet, the stream label is added to the data packet, and the data packet carrying the stream label is sent to the receiving terminal.
3. The method according to claim 2, characterized in that generating the stream label for the data packet and adding the stream label to the data packet comprises:
the trusted terminal obtains the security class of the security domain to which it belongs;
according to the port number of the data packet, it obtains the priority level corresponding to that port number from the label allocation table included in the terminal security policy file;
it obtains, from the multicast key table included in the terminal security policy file, the identifier of the security domain to which the trusted terminal belongs and the multicast key corresponding to that security domain;
it performs a hash operation with the multicast key over the identifier of the security domain, the security class, the priority level, and the source address, destination address, virtual machine identifier, reserved field and data segment of the data packet, obtaining a check value;
the identifier of the security domain, the priority level, the virtual machine identifier, the reserved field and the check value form the stream label of the data packet, and the stream label is added to the header of the data packet.
4. The method according to claim 1, characterized in that checking the stream label comprises:
obtaining the security domain identifier, priority level, virtual machine identifier, reserved field and check value contained in the stream label, and obtaining the source address, destination address and data segment from the data packet;
according to the security domain identifier, obtaining the multicast key and security class of the security domain;
performing a hash operation with the multicast key over the security domain identifier, the virtual machine identifier, the reserved field, the security class, the priority level, and the source address, destination address and data segment of the data packet, and comparing the result of the hash operation with the check value; if the two are identical, the check passes, and if they differ, the check fails.
5. The method according to claim 1, characterized in that the method further comprises:
the trusted terminal receives the terminal security policy file sent by an administrative center, the terminal security policy file including a label allocation table, a multicast key table, an access control list and a security domain correlation table;
the trusted terminal records access behaviour information, assembles the access behaviour information into a terminal security log, and sends the terminal security log to the administrative center once every first preset time period.
6. A secure communication control method, characterized in that the method comprises:
a trusted gateway receives a data packet sent by a terminal and judges whether the data packet contains a stream label;
if no stream label is contained, it judges, according to the source address of the data packet and the exception device list included in a gateway security policy file, whether the terminal is an external device, and if so forwards the data packet, otherwise discards the data packet;
if a stream label is contained, it checks whether the data packet carries a trusted label; if so, it controls forwarding of the data packet according to the trusted label and the gateway security policy file; if not, it performs stream label inspection at a preset sampling proportion, or randomly selects data packets for stream label inspection according to a sampling proportion adjustment formula; when performing stream label inspection, it checks the stream label according to the gateway security policy file, and if the check passes forwards the data packet, and if the check fails discards the data packet.
7. The method according to claim 6, characterized in that, before the trusted gateway receives the data packet sent by the terminal, the method further comprises:
the trusted gateway receives the gateway security policy file sent by an administrative center, the gateway security policy file including an exception device list, a signature verification policy table and a security domain multicast key table.
8. The method according to claim 6, characterized in that the method further comprises:
the trusted gateway records data packet exception information, assembles the data packet exception information into a gateway security log, and sends the gateway security log to the administrative center once every second preset time period.
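The following is an added illustration of the terminal-side procedure of claims 1 to 4 (packet type dispatch, stream label generation and stream label checking); it is example code written for this page, not code from the patent or its assignees. The patent only specifies "a hash operation with the multicast key", so HMAC-SHA256 is this example's choice of keyed hash, the field encoding (struct packing of the integer fields followed by the packed addresses and data segment) is an assumption, and the policy tables, addresses and payloads are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed terminal security policy file (all values are sample data):
#   label_table       : port number -> priority level           (label allocation table)
#   multicast_keys    : security domain id -> multicast key     (multicast key table)
#   domain_class      : security domain id -> security class    (security domain table)
#   exception_devices : external devices exempt from labelling  (access control list)
#   gateway_range     : addresses behind the same trusted gateway as this terminal
POLICY = {
    "label_table": {22: 2, 443: 1, 502: 3},
    "multicast_keys": {1: b"constructed-domain-1-key", 2: b"constructed-domain-2-key"},
    "domain_class": {1: 2, 2: 3},
    "exception_devices": {"10.0.9.9"},
    "local_domain": 1,
    "default_priority": 0,
    "gateway_range": ipaddress.ip_network("10.0.1.0/24"),
}


@dataclass
class StreamLabel:
    domain_id: int
    priority: int
    vm_id: int
    reserved: int
    check: bytes


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    data: bytes
    vm_id: int = 0
    label: Optional[StreamLabel] = None


def _check_value(key, domain_id, sec_class, priority, vm_id, reserved, src, dst, data):
    # Keyed hash over the fields listed in claim 3. HMAC-SHA256 and this byte
    # layout are assumptions of the example, not taken from the patent.
    msg = struct.pack("!BBBII", domain_id, sec_class, priority, vm_id, reserved)
    msg += ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def generate_label(pkt, policy, reserved=0):
    """Claim 3: build the stream label for an outgoing packet."""
    domain_id = policy["local_domain"]
    sec_class = policy["domain_class"][domain_id]
    priority = policy["label_table"].get(pkt.dst_port, policy["default_priority"])
    key = policy["multicast_keys"][domain_id]
    check = _check_value(key, domain_id, sec_class, priority, pkt.vm_id, reserved,
                         pkt.src, pkt.dst, pkt.data)
    return StreamLabel(domain_id, priority, pkt.vm_id, reserved, check)


def verify_label(pkt, policy):
    """Claim 4: look up key and class by domain id, recompute, compare in constant time."""
    lbl = pkt.label
    if lbl is None or lbl.domain_id not in policy["multicast_keys"]:
        return False
    key = policy["multicast_keys"][lbl.domain_id]
    sec_class = policy["domain_class"][lbl.domain_id]
    expected = _check_value(key, lbl.domain_id, sec_class, lbl.priority, lbl.vm_id,
                            lbl.reserved, pkt.src, pkt.dst, pkt.data)
    return hmac.compare_digest(expected, lbl.check)


def handle_outflow(pkt, policy):
    """Claim 2: decide how an outgoing packet leaves the trusted terminal."""
    if ipaddress.ip_address(pkt.dst) in policy["gateway_range"]:
        return "send_plain"      # receiver sits behind the same trusted gateway
    if pkt.dst in policy["exception_devices"]:
        return "send_plain"      # receiver is an exception (external) device
    pkt.label = generate_label(pkt, policy)
    return "send_labelled"


def handle_inflow(pkt, policy):
    """Claim 1, inflow branch: accept or drop an incoming packet."""
    if pkt.label is None:
        return "accept" if pkt.src in policy["exception_devices"] else "drop"
    return "accept" if verify_label(pkt, policy) else "drop"


if __name__ == "__main__":
    p = Packet("10.0.1.5", "10.0.2.7", 502, b"constructed payload")
    print(handle_outflow(p, POLICY), p.label.priority, verify_label(p, POLICY))
```

Because the security class is not carried in the label but looked up from the domain identifier on the receiving side, a label whose domain field is altered fails the check even though the check value itself is untouched; the same holds for any change to the addresses or data segment, which is what makes the label bind the packet contents rather than just its header.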
CN201510696503.1A 2015-10-22 2015-10-22 A kind of secure communication control method Expired - Fee Related CN105282157B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510696503.1A CN105282157B (en) 2015-10-22 2015-10-22 A kind of secure communication control method


Publications (2)

Publication Number Publication Date
CN105282157A CN105282157A (en) 2016-01-27
CN105282157B true CN105282157B (en) 2018-07-06

Family

ID=55150483


Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107181619A (en) * 2017-06-08 2017-09-19 环球智达科技(北京)有限公司 The monitoring system of service condition
CN107040548A (en) * 2017-06-08 2017-08-11 环球智达科技(北京)有限公司 The monitoring method of terminal traffic state
CN109992974B (en) * 2017-12-29 2023-04-14 中兴通讯股份有限公司 Method and device for protecting byte code file of virtual machine and readable storage medium
CN108563492B (en) * 2018-05-07 2022-05-31 联想(北京)有限公司 Data acquisition method, virtual machine and electronic equipment
CN112015111B (en) * 2019-05-30 2022-02-11 中国科学院沈阳自动化研究所 Industrial control equipment safety protection system and method based on active immunity mechanism
CN112202857B (en) * 2020-09-21 2021-05-14 青岛国信会展酒店发展有限公司 Intelligent management system applied to exhibition center
CN113055397A (en) * 2021-03-29 2021-06-29 郑州中科集成电路与信息系统产业创新研究院 Configuration method and device of security access control policy
CN113973303B (en) * 2021-11-02 2024-04-02 上海格尔安全科技有限公司 Method for realizing mobile terminal equipment access control gateway based on data packet analysis
CN114125583B (en) * 2021-11-15 2023-08-18 浙江中控技术股份有限公司 Communication control method of distributed control network
CN114019933A (en) * 2021-11-27 2022-02-08 河南中烟工业有限责任公司 Network security control method and device of industrial control system
CN116527403B (en) * 2023-07-03 2023-09-08 国网四川省电力公司信息通信公司 Network security control method and system for local area network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101111053A (en) * 2006-07-18 2008-01-23 中兴通讯股份有限公司 System and method for defending network attack in mobile network
CN101330494A (en) * 2007-06-19 2008-12-24 瑞达信息安全产业股份有限公司 Method for implementing computer terminal safety admittance based on credible authentication gateway
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN104038478A (en) * 2014-05-19 2014-09-10 瑞达信息安全产业股份有限公司 Embedded platform identity authentication trusted network connection method and system



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180706

Termination date: 20191022