CN105656655B - A kind of network safety managing method, device and system - Google Patents
Publication number: CN105656655B (application number CN201410650194.XA)
Authority: CN (China)
Prior art keywords: data packet, configuration information, encryption, decryption, network equipment
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The embodiment of the invention discloses a network security management method, device and system. The method is implemented as follows: a configuration center determines encryption configuration information and corresponding decryption configuration information; it sends the encryption configuration information to the inlet module of a network device and the decryption configuration information to the outlet module of the network device. The encryption configuration information makes the inlet module encrypt the data packets entering the network device; the decryption configuration information makes the outlet module decrypt the data packets leaving the network device, and the packets decrypted by the outlet module are the packets encrypted by the inlet module. Because data packets are encrypted as they enter the network device, the content of the packets seen by the device has been changed by the encryption, which prevents a malicious user from sending a message containing special data to trigger a back door present in the network device. This not only resolves the problem of trust in the network device itself but also improves the security of the network device.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a network security management method, device and system.
Background technique
Network devices such as routers and switches face severe security problems. For example, a report published by the China National Internet Emergency Center states that a large number of routers contain vulnerabilities and back doors. Some of these vulnerabilities and back doors are obtained by external attackers through reverse analysis; others are left deliberately by the equipment vendor for debugging purposes. Common attack means include malicious circuits embedded in the equipment, default super-user names and passwords, reserved Transmission Control Protocol (TCP) / User Datagram Protocol (UDP) ports, special treatment of messages containing special data, covert carrying of users' sensitive data, and so on. The presence of these vulnerabilities and back doors causes operators and users to lose trust in network devices and strongly affects the security image of equipment vendors.
To address the above problems, the processing method currently in use is as follows: the circuit diagrams, software source code, related data and so on of the network device are disclosed to a third-party examination body, which issues an examination result to prove that the network device is secure.
The above method requires the equipment vendor to disclose the core secrets of the network device, which affects the vendor's commercial interests. In addition, the disclosed information may be obtained by malicious persons, who can modify the implementation of existing products and launch new network attacks. The above method therefore carries a huge security risk.
Summary of the invention
Embodiments of the present invention provide a network security management method, device and system for improving the security of network devices.
In a first aspect, an embodiment of the present invention provides a network security management method, comprising:
the configuration center determines encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
the configuration center sends the encryption configuration information to the inlet module of the network device and sends the decryption configuration information to the outlet module of the network device;
the encryption configuration information is used to make the inlet module encrypt the data packets entering the network device, the decryption configuration information is used to make the outlet module decrypt the data packets leaving the network device, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
With reference to the first aspect, in a first possible implementation, the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted;
the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the network device is a router, and the inlet module and the outlet module are optical modules;
the encrypted object comprises a scrambling object that specifies the part of the data packet to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object that specifies the part of the data packet to be descrambled; and the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key.
With reference to the second possible implementation of the first aspect, in a third possible implementation, if the scrambled part includes the protocol header of the data packet, the method further comprises:
the configuration center sends the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling that is applied to the data packets;
or, the configuration center sends a scrambled forwarding table to the network device, the scrambled forwarding table using the same scrambling mode as the data packets;
or, the configuration center sends the encryption configuration information to a software-defined network (SDN) controller, so that the SDN controller applies to the forwarding table the same scrambling that is applied to the data packets and sends the scrambled forwarding table to the network device.
With reference to the first aspect or its first, second or third possible implementation, in a fourth possible implementation, the method further comprises:
the configuration center determines first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need to be encrypted and the second filtering configuration information specifying the data packets that do not need to be decrypted;
the configuration center sends the first filtering configuration information to the inlet module and sends the second filtering configuration information to the outlet module.
In a second aspect, an embodiment of the present invention provides a configuration center, comprising:
a configuration information determination unit, for determining encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
an information sending unit, for sending the encryption configuration information to the inlet module of the network device and sending the decryption configuration information to the outlet module of the network device; the encryption configuration information is used to make the inlet module encrypt the data packets entering the network device, the decryption configuration information is used to make the outlet module decrypt the data packets leaving the network device, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
With reference to the second aspect, in a first possible implementation, the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted; the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
With reference to the first possible implementation of the second aspect, in a second possible implementation, the encrypted object comprises a scrambling object that specifies the part of the data packet to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object that specifies the part of the data packet to be descrambled; and the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key;
the information sending unit is specifically configured to send the encryption configuration information to the optical module at the inlet of the router and to send the decryption configuration information to the optical module at the outlet of the router.
With reference to the second possible implementation of the second aspect, in a third possible implementation, if the scrambled part includes the protocol header of the data packet:
the information sending unit is further configured to send the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling that is applied to the data packets;
or, the information sending unit is further configured to send a scrambled forwarding table to the network device, the scrambled forwarding table using the same scrambling mode as the data packets;
or, the information sending unit is further configured to send the encryption configuration information to a software-defined network (SDN) controller, so that the SDN controller applies to the forwarding table the same scrambling that is applied to the data packets and sends the scrambled forwarding table to the network device.
With reference to the second aspect or its first, second or third possible implementation, in a fourth possible implementation, the configuration center further comprises:
a filtering information determination unit, for determining first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need to be encrypted and the second filtering configuration information specifying the data packets that do not need to be decrypted;
the information sending unit is further configured to send the first filtering configuration information to the inlet module and to send the second filtering configuration information to the outlet module.
In a third aspect, an embodiment of the present invention further provides an inlet module, comprising:
a data packet receiving unit, for receiving data packets that need to pass through the network device;
a data packet encryption unit, for encrypting the data packets according to encryption configuration information;
a data packet sending unit, for sending the encrypted data packets to the network device, so that the network device forwards them to the outlet module having the packet decryption function.
With reference to the third aspect, in a first possible implementation, the inlet module further comprises:
a filtering information receiving unit, for receiving first filtering configuration information from the configuration center;
the data packet encryption unit is specifically configured to determine whether a data packet belongs to the data packets specified in the first filtering configuration information as not needing encryption and, if not, to encrypt the data packet according to the encryption configuration information.
With reference to the third aspect or its first possible implementation, in a second possible implementation, the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted;
the data packet encryption unit is specifically configured to encrypt, using the encryption rule, the part of the data packet that needs to be encrypted.
With reference to the third aspect or its first or second possible implementation, in a third possible implementation, the inlet module is an optical module and the network device is a router;
the data packet receiving unit is specifically configured to receive data packets that need to pass through the router.
In a fourth aspect, an embodiment of the present invention provides an outlet module, comprising:
a receiving unit, for receiving data packets that, having passed through the network device, need to be sent to a destination, the data packets having been encrypted by the inlet module of the network device;
a decryption unit, for decrypting the data packets according to decryption configuration information;
a sending unit, for sending the decrypted data packets to the destination.
With reference to the fourth aspect, in a first possible implementation, the outlet module is an optical module and the network device is a router;
the receiving unit is specifically configured to receive data packets that have passed through the router and need to be sent to a destination, the data packets having been encrypted by the optical module at the inlet of the router.
With reference to the fourth aspect, in a second possible implementation, the receiving unit is further configured to receive second filtering configuration information from the configuration center;
the decryption unit is specifically configured to determine whether a data packet received by the receiving unit belongs to the data packets specified in the second filtering configuration information as not needing decryption and, if not, to decrypt the data packet according to the decryption configuration information.
In a fifth aspect, an embodiment of the present invention further provides a network device, comprising any of the inlet modules provided by the embodiments of the present invention and any of the outlet modules provided by the embodiments of the present invention.
In a sixth aspect, an embodiment of the present invention further provides a network security management system, comprising: any of the configuration centers, any of the inlet modules and any of the outlet modules provided by the embodiments of the present invention; or comprising: any of the configuration centers and any of the network devices provided by the embodiments of the present invention.
With reference to the sixth aspect, in a first possible implementation, if the configuration center sends the encryption configuration information to an SDN controller, the system further comprises the SDN controller;
the SDN controller is used to apply to the forwarding table the same scrambling that is applied to the data packets and to send the scrambled forwarding table to the network device.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantage: data packets are encrypted as they enter the network device, so from the network device's point of view the content of the packets entering it has been changed by the encryption. This prevents a malicious user from sending a message containing special data to trigger a back door present in the network device, which not only resolves the problem of trust in the network device itself but also improves the security of the network device.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without any creative effort.
Fig. 1 is a flow diagram of a method according to an embodiment of the present invention;
Fig. 2 is a flow diagram of a method according to an embodiment of the present invention;
Fig. 3 is a flow diagram of a method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a system structure and message flow according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a system structure and message flow according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a system structure and message flow according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a configuration center according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a configuration center according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an inlet module according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an inlet module according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an outlet module according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of a network device according to an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a system according to an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of a system according to an embodiment of the present invention;
Fig. 15 is a schematic structural diagram of a system according to an embodiment of the present invention;
Fig. 16 is a schematic structural diagram of a configuration center according to an embodiment of the present invention;
Fig. 17 is a schematic structural diagram of an inlet module according to an embodiment of the present invention;
Fig. 18 is a schematic structural diagram of an outlet module according to an embodiment of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a network security management method, as shown in Fig. 1, with reference also to Fig. 2 and Fig. 3, comprising:
101: The configuration center determines encryption configuration information and decryption configuration information corresponding to the encryption configuration information.
The encryption configuration information specifies how encryption is to be performed, for example the encryption rule and the encrypted object. The encryption rule may comprise an encryption algorithm and a key, or an encryption algorithm, a public key and a private key. There are many encryption algorithms, for example the symmetric Data Encryption Standard (DES), the Digital Signature Algorithm (DSA), Message Digest Algorithm 5 (MD5) and so on; besides these encryption algorithms, scrambling algorithms also count as encryption algorithms, for example an algorithm that XORs the data so as to disorder the original data. The encrypted object specifies which parts of the data packet are encrypted, for example the entire data packet, only the protocol header, or only the payload; this is set according to the specific application requirements, and the embodiment of the present invention places no unique restriction on it. The process by which the configuration center determines the encryption configuration information and the corresponding decryption configuration information may be the reception of a user setting or a fixed configuration based on the current application scenario; exactly how the encryption configuration information and the corresponding decryption configuration information are determined does not affect the realization of the embodiment of the present invention, so the embodiment places no unique restriction on this either.
102: The configuration center sends the encryption configuration information to the inlet module of the network device and sends the decryption configuration information to the outlet module of the network device. The encryption configuration information is used to make the inlet module encrypt the data packets entering the network device, the decryption configuration information is used to make the outlet module decrypt the data packets leaving the network device, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
In this embodiment, after the configuration center has sent the encryption configuration information to the inlet module and the decryption configuration information to the outlet module, the flow is as shown in Fig. 2: a data packet enters through the inlet module and is encrypted by it; the inlet module sends the encrypted data packet to the network device; the network device forwards the encrypted data packet to the outlet module; and the outlet module decrypts the encrypted data packet, yielding the decrypted data packet.
In this embodiment, data packets are encrypted as they enter the network device, so from the network device's point of view the content of the packets entering it has been changed by the encryption. This prevents a malicious user from sending a message containing special data to trigger a back door present in the network device, which not only resolves the problem of trust in the network device itself but also improves the security of the network device.
The embodiment of the present invention provides the following optional scheme for the encryption configuration information and the corresponding decryption configuration information:
the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted;
the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
In this embodiment, the encryption configuration information carries, in addition to the encryption rule, information specifying the part that needs to be encrypted, so the encryption of a specific part of the data packet can be controlled flexibly. Encrypting a data packet affects network services; for example, if the protocol header is encrypted, the business services provided by the network device may be affected. Adding the encrypted object to the encryption configuration information therefore allows flexible control according to business needs or the security requirements of the data packet, without necessarily encrypting the entire data packet. The decryption configuration information corresponds to the encryption configuration information: since the outlet module cannot necessarily detect which part of the data packet was encrypted, a decryption object is also added to the decryption configuration information. Moreover, even if the outlet module could detect the encrypted part of the data packet, adding the decryption object to the decryption configuration information saves the computing resources that detecting the encrypted part would require.
In embodiments of the present invention the network device may be any network device; the embodiment of the present invention places no unique restriction on this. In addition, the embodiment of the present invention gives the following specific application scenario: the network device is a router, and the inlet module and the outlet module are optical modules;
the encrypted object comprises a scrambling object that specifies the part of the data packet to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object that specifies the part of the data packet to be descrambled; and the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key.
In this embodiment, encryption is performed by scrambling. In the specific application scenario of a router, where the sole purpose is to prevent data packets from triggering a back door, no complex encryption algorithm is needed; scrambling reduces the amount of computation and avoids any effect of encryption and decryption on the router's response speed. Scrambling is one kind of encryption whose computational cost is much smaller than that of other encryption such as MD5-type algorithms, so it can serve as the preferred implementation in the specific application scenario of a router.
The optical module may be an optical module implemented with a field programmable gate array (FPGA).
In the specific application scenario of a router, the scrambled part may be the entire data packet, only the payload, or any other configured part. However, scrambling the protocol header of a data packet affects the forwarding of the packet, so the embodiment of the present invention provides the following three solutions: if the scrambled part includes the protocol header of the data packet, the method further comprises:
the configuration center sends the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling that is applied to the data packets;
or, the configuration center sends a scrambled forwarding table to the network device, the scrambled forwarding table using the same scrambling mode as the data packets;
or, the configuration center sends the encryption configuration information to a software-defined network (SDN) controller, so that the SDN controller applies to the forwarding table the same scrambling that is applied to the data packets and sends the scrambled forwarding table to the network device.
In this embodiment the network device is a router, and a new device, the SDN controller, is introduced, so the processing flow is slightly modified; see Fig. 3. Compared with Fig. 2, the difference is that the configuration center may also send the encryption configuration information to the SDN controller; the SDN controller scrambles the forwarding table and sends the scrambled forwarding table to the network device, and the network device uses the scrambled forwarding table to perform forwarding.
All three schemes above scramble the forwarding table. Because the forwarding table is scrambled in the same way as the data packets, the router can use the scrambled forwarding table correctly. This is illustrated with the following routing-table example:
Assume the routing table has three entries:
10.10.10.10 port1
10.11.*.* port2
10.*.*.* port3
A message (data packet) whose destination Internet Protocol (IP) address is 10.11.1.1 is now received; according to the longest-match principle it should match the second entry.
In hexadecimal, the destination IP of the message is (0x0a, 0x0b, 0x01, 0x01). The scrambling algorithm XORs the destination IP of the message with 0x81, giving (0x8b, 0x8a, 0x80, 0x80) after the XOR.
The three routing-table entries are likewise each XORed with 0x81, giving:
0x8b,0x8b,0x8b,0x8b port1
0x8b,0x8a,*,* port2
0x8b,*,*,* port3
Matching the scrambled message against the scrambled routing table yields port2, which is consistent with the original matching result. Therefore, as long as the scrambling mode is the same, using the scrambled message together with the scrambled routing table does not interfere with the routing implementation.
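The routing-table example above, worked through in code. This is an added example and not code from the patent: it implements the XOR-0x81 scrambling of both the destination IP and the table entries, a longest-match lookup over the page's octet-wildcard notation (my interpretation of "longest matching principle"), and also checks the generalisation that any common key preserves the lookup result while mismatched keys break it.

```python
# Added example, not code from the patent: XOR scrambling of both the destination IP
# and the forwarding-table entries, showing that longest-match lookup gives the same
# port before and after scrambling, and fails when the two sides use different keys.
from typing import List, Optional, Tuple

Octets = List[Optional[int]]          # None stands for a '*' wildcard octet
Table = List[Tuple[Octets, str]]      # (pattern, outgoing port)


def parse_pattern(text: str) -> Octets:
    """'10.11.*.*' -> [10, 11, None, None]; a plain address has no wildcards."""
    return [None if o == "*" else int(o) for o in text.split(".")]


def scramble(octets: Octets, key: int) -> Octets:
    """The page's scrambling rule: XOR every concrete octet with a one-byte key.
    Wildcards stay wildcards, and applying the same XOR again descrambles."""
    return [None if o is None else o ^ (key & 0xFF) for o in octets]


def fixed_prefix_match(pattern: Octets, ip: Octets) -> int:
    """Length of the matched fixed prefix, or -1 if a concrete octet differs.
    Longest-match principle applied to the octet-wildcard notation of the page."""
    matched = 0
    for p, o in zip(pattern, ip):
        if p is None:
            break                      # wildcard: everything fixed so far matched
        if p != o:
            return -1
        matched += 1
    return matched


def longest_match(table: Table, ip: Octets) -> Optional[str]:
    best_port, best_len = None, -1
    for pattern, port in table:
        length = fixed_prefix_match(pattern, ip)
        if length > best_len:
            best_port, best_len = port, length
    return best_port


def scramble_table(table: Table, key: int) -> Table:
    """What the router, the configuration center or the SDN controller does to the
    forwarding table so that it matches scrambled packets."""
    return [(scramble(pattern, key), port) for pattern, port in table]


# The page's three-entry routing table.
ROUTING_TABLE: Table = [
    (parse_pattern("10.10.10.10"), "port1"),
    (parse_pattern("10.11.*.*"), "port2"),
    (parse_pattern("10.*.*.*"), "port3"),
]


def lookup_both_ways(dst: str, table_key: int, packet_key: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (plain lookup result, lookup of the scrambled packet against the
    scrambled table). The two agree exactly when the keys agree."""
    ip = parse_pattern(dst)
    plain = longest_match(ROUTING_TABLE, ip)
    scrambled = longest_match(scramble_table(ROUTING_TABLE, table_key),
                              scramble(ip, packet_key))
    return plain, scrambled


def scrambling_preserves_routing(key: int, addresses: List[str]) -> bool:
    """Generalises the page's single example to a list of destinations and any key."""
    return all(lookup_both_ways(a, key, key)[0] == lookup_both_ways(a, key, key)[1]
               for a in addresses)


if __name__ == "__main__":
    print(scramble(parse_pattern("10.11.1.1"), 0x81))  # [139, 138, 128, 128] = 0x8b 0x8a 0x80 0x80
    print(lookup_both_ways("10.11.1.1", 0x81, 0x81))   # ('port2', 'port2')
    print(lookup_both_ways("10.11.1.1", 0x81, 0x42))   # ('port2', None): keys must agree
```

The last call shows the failure mode the page's "as long as the scrambling mode is identical" condition guards against: a table and a packet scrambled with different keys share no fixed prefix, so the lookup returns nothing.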
Besides controlling which part of the data packet is encrypted, it is also possible to control whether a data packet needs to be encrypted at all. The specific scheme is as follows: the method further comprises:
the configuration center determines first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need to be encrypted and the second filtering configuration information specifying the data packets that do not need to be decrypted;
the configuration center sends the first filtering configuration information to the inlet module and sends the second filtering configuration information to the outlet module.
In this embodiment, filtering configuration information is used to specify which data packets do not need to be encrypted and which do not need to be decrypted. Since the inlet module and the outlet module may be two independent physical entities with the network device between them, the outlet module does not necessarily know which data packets were encrypted by the inlet module, and packets that were not encrypted do not need decryption. If, however, encryption is performed by scrambling, a data packet that was not scrambled but is descrambled on leaving the network device can no longer be recognized by the destination device. Hence, in this embodiment, second filtering configuration information corresponding to the first filtering configuration information is also required. Controlling whether a data packet needs encryption through the filtering configuration information differs considerably from controlling it through the encrypted object: configuring the encrypted object cannot exempt some data packets from encryption, it only determines which part of those packets is encrypted, whereas the filtering configuration information directly determines whether a data packet is encrypted at all. For example, some data packets are themselves destined for the network device to be processed there; if these packets were encrypted, the decryption configuration information would also have to be sent to the network device, which would create a security risk and cause unnecessary encryption and decryption computation. Using the scheme of this embodiment therefore improves security and saves computing resources.
The following embodiments give three concrete application scenarios, taking a router as the example of the network equipment. In the router application scenario the inlet module and the outlet module are optical modules; to distinguish the two they are called the entrance optical module and the exit optical module. An optical module can be plugged onto a Line Processing Unit (LPU) board. Since the signal path is reversible, the same optical module can serve as the entrance optical module and at the same time as the exit optical module; for convenience of illustration the following embodiments draw two independent optical modules representing the exit optical module and the entrance optical module respectively, but the two optical modules could be on one LPU board, and the depiction of two separate LPU boards connected through a switching network should not be construed as a limitation of the embodiments of the present invention. The router also includes a central processing unit (CPU) and a network processor (NP); a router in practical application may have other functional components, and the schematic diagram of this embodiment should not be construed as a limitation of the embodiments of the present invention.
Scenario one: the CPU in the router is assumed to be secure and the other functional components are insecure;
The system structure and the flow of messages are shown in Fig. 4: each LPU carries optical modules, a CPU and an NP, and the LPUs are connected by a switching network; the LPUs, CPU, NP and switching network are components of the router. The optical modules may be sold independently or sold together as components of the router. The configuration center is an independent piece of equipment.
In this example it is assumed that chips in the router such as the NP and the traffic management (TM) chip are insecure (or of uncertain security) and may contain back doors, while the CPU in the router is assumed to be secure. The security of the CPU can be established by making the operating system open source and submitting it, together with the software source code, to a third party for review. The specific implementation process is as follows:
First: before the router device starts normal operation, the configuration center issues the configuration information to the optical modules on each LPU board and to the CPU;
The configuration information is set according to the business; the algorithm issued by the configuration center may specify which fields of the message are processed and how they are processed.
The field that needs encryption may be the entire IP packet, the payload of the IP packet, the payload of TCP/UDP, etc. The encryption algorithm used may be, for example, the Data Encryption Standard (DES), the RSA algorithm, or scrambling, where the algorithm corresponding to scrambling is for example an XOR algorithm. The key length is variable and may be 8 bit, 56 bit, 128 bit or another length. The embodiments of the present invention impose no unique restriction on this.
Taking scrambling as an example, the configuration information issued by the configuration center includes the algorithm and the key.
Then: after a message enters the entrance optical module, the optical module scrambles the message according to the algorithm and key issued by the configuration center, and the scrambled message is processed by the NP. If the message processed by the NP is handed to the CPU, the CPU descrambles the message and then continues processing; if the message processed by the NP enters another line card of the router through the switching network and finally reaches the exit optical module, the exit optical module descrambles the message.
As an example of scrambling processing: assume the payload of the original message contains the 8 bytes 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08; each byte is XORed with 0x80, and the result is 0x81 0x82 0x83 0x84 0x85 0x86 0x87 0x88.
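The choice of encrypted object (entire IP packet, IP payload, or TCP/UDP payload) and of key length described above, as an added example that is not part of the patent: the code builds a constructed IPv4/UDP packet, scrambles only the region selected by the configured object with a repeating key of any length, and reports whether the IP header survived intact (which is what decides whether route lookup, ACL and NAT on the NP are affected). The packet addresses and ports are made up for the example; the payload bytes and the 0x80 key are the page's own values.

```python
# Added example: apply XOR scrambling to one configurable "encrypted object" of
# an IPv4 packet and check the effect on the header and the round trip.
import struct

def scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; self-inverse, so the same call descrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def object_span(pkt: bytes, obj: str):
    """Return the (start, end) byte range selected by the encrypted object."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length from the IHL nibble
    proto = pkt[9]
    if obj == "ip_packet":             # whole packet, header included
        return 0, len(pkt)
    if obj == "ip_payload":            # everything after the IP header
        return ihl, len(pkt)
    if obj == "l4_payload":            # everything after the TCP/UDP header
        if proto == 6:                 # TCP: data offset nibble, in 32-bit words
            l4len = (pkt[ihl + 12] >> 4) * 4
        elif proto == 17:              # UDP: fixed 8-byte header
            l4len = 8
        else:
            raise ValueError("no TCP/UDP payload in this packet")
        return ihl + l4len, len(pkt)
    raise ValueError("unknown encrypted object: " + obj)

def apply(pkt: bytes, obj: str, key: bytes) -> bytes:
    """Scramble (or descramble) only the selected region; the rest is untouched."""
    start, end = object_span(pkt, obj)
    return pkt[:start] + scramble(pkt[start:end], key) + pkt[end:]

def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4/UDP packet 10.11.1.1 -> 10.11.2.2, ports 1234 -> 53
    (checksums left zero; they are irrelevant to the example)."""
    udp = struct.pack("!HHHH", 1234, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 11, 1, 1]), bytes([10, 11, 2, 2]))
    return ip + udp

def demo(obj: str, key: bytes) -> dict:
    """Scramble then descramble the sample packet under one configuration."""
    pkt = build_packet(bytes(range(1, 9)))
    enc = apply(pkt, obj, key)
    dec = apply(enc, obj, key)
    return {
        "scrambled": enc,
        "changed": enc != pkt,
        "header_intact": enc[:20] == pkt[:20],   # False means NP lookups break
        "dst": enc[16:20],                       # destination IP as the NP sees it
        "roundtrip": dec == pkt,
    }

if __name__ == "__main__":
    for obj, key in (("l4_payload", bytes([0x80])),
                     ("ip_payload", bytes([1, 2, 3, 4, 5, 6, 7])),    # 56-bit key
                     ("ip_packet", bytes([0x81]))):
        r = demo(obj, key)
        print(obj, "header intact:", r["header_intact"], "dst:", r["dst"].hex())
```

With `l4_payload` the eight payload bytes become 0x81..0x88 exactly as on the page and the header is untouched; with `ip_packet` the destination 10.11.2.2 is seen by the NP as 0x8b 0x8a 0x83 0x83, which is why that configuration needs the forwarding table to be scrambled the same way.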
In this embodiment the algorithm issued by the configuration center may affect the business processing of the NP. For example, if the algorithm issued by the configuration center requires the entire IP packet to be scrambled, the destination IP address and the TCP ports all change, so route lookup, ACL (Access Control List) and NAT (Network Address Translation) business are all affected. The embodiments of the present invention provide at least two solutions:
One method is: before the configuration center issues the configuration information, the business that the router needs to support is assessed, and the algorithm is chosen according to the business (for example only processing the TCP/UDP payload) so that the IP and TCP headers are not processed and the normal business processing of the NP is not affected. This method can be realized by the configuration center issuing a filter table to the exit and entrance optical modules, whose entries specify the types of data packet that do not need encryption, for instance specifying that the IP and TCP headers of the business are not encrypted; alternatively, by not including the IP header and TCP header of the message in the encrypted object specified for the encryption algorithm.
The other method is: the table entries corresponding to the business are processed in the same way as the messages. For example, if the configured algorithm requires the entire IP message to be scrambled, then to guarantee normal message forwarding by the NP, the CPU scrambles the forwarding table when issuing it to the NP and also scrambles the ACL table entries, so that the business can still be processed normally. The scrambling mode applied to the forwarding table and the ACL entries is identical to the scrambling mode applied by the entrance optical module to the message.
Since all messages are encrypted in this embodiment, a message sent out by the CPU that is not encrypted would be wrongly decrypted at the exit optical module. The embodiments of the present invention provide the following solution: when the CPU sends a message out, the CPU scrambles the outgoing message, so that when the message from the CPU passes through the exit optical module, the exit optical module can still apply the corresponding descrambling or decryption processing and finally restore it to a normal message before sending it.
In this embodiment the optical modules and the router (excluding the optical modules) can be provided by different manufacturers. Since the optical module has encrypted the message, the messages processed inside the router (other than in the CPU) are always encrypted messages, so a message carrying the special data that would trigger a back door is no longer identical to the original message after encryption, which can greatly reduce the probability that the back door is triggered.
Scenario two: all components in the router are assumed to be insecure;
The system structure and the flow of messages are shown in Fig. 5: each LPU carries optical modules, a CPU and an NP, and the LPUs are connected by a switching network; the LPUs, CPU, NP and switching network are components of the router. The optical modules may be sold independently or sold together as components of the router. The configuration center is an independent piece of equipment.
In this example it is assumed that the NP and other components in the router are insecure and may contain back doors. As for the CPU, whether it is secure can be established by making the operating system open source and submitting it, together with the software source code, to a third party for review. It can therefore be assumed that messages sent to the router that need to be processed by the CPU are secure.
First: before the router device starts normal operation, the configuration center issues the configuration information to the optical modules on each LPU board. Unlike the previous embodiment, the configuration information does not have to be issued to the CPU; in addition, in this embodiment a filter table is also issued to the optical modules on each LPU board.
In this embodiment the filter table sets the message types that do not need scrambling. If the configuration information is not sent to the CPU, the filter table should cover the messages sent to the CPU, so the filter table can be used to pick out the messages that the NP needs to forward to the CPU for processing, such as routing protocol packets. For these messages the optical module skips scrambling according to the filter table, so the CPU does not need to descramble either and can process them by the original flow.
Then: after a message enters the entrance optical module, the optical module filters the message according to the filter table issued by the configuration center. If the message matches one or more entries of the filter table, the optical module does not scramble the message; if the message matches no entry of the filter table, the optical module scrambles the message with the algorithm and key issued by the configuration center. The specific processing method is the same as in the previous embodiment and is not repeated here.
If the message processed by the NP is handed to the CPU, this message should have met a filter table rule and not been scrambled by the optical module, so the CPU can process it normally. If the message processed by the NP is handed to another optical module acting as the exit, that exit optical module descrambles the message.
In this embodiment the entries of the filter table may consist of one or more header fields, for example the virtual local area network (VLAN) number, the protocol field of the IP packet, the source IP address, the destination IP address, the TCP ports (source port, destination port), the UDP ports (source port, destination port), etc. The filter table entries can be set as required; the embodiments of the present invention impose no unique restriction on their specific content.
In this embodiment, when the CPU sends a message out, the CPU does not scramble the outgoing message because it has not received the configuration information, and because the exit optical module holds the corresponding filter table entries it does not descramble such messages either.
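The entrance and exit behaviour of scenario two, together with the filter table keyed on the header fields listed above and the failure mode noted earlier for the filtering configuration (a packet that was never scrambled but gets descrambled on the way out), as an added example that is not part of the patent or of any vendor's optical module. The packets are constructed dicts; the control-plane entries (TCP port 179 and IP protocol 89) are assumptions chosen to stand for routing protocol traffic destined for the CPU.

```python
# Added example: entrance module (scramble unless filtered) and exit module
# (descramble unless filtered) sharing one key; shows why the two filter tables
# must correspond.
from dataclasses import dataclass
from typing import Dict, List, Optional

def scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

@dataclass(frozen=True)
class FilterEntry:
    """Header fields an entry matches on; None means 'any value'."""
    vlan: Optional[int] = None
    proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, hdr: Dict) -> bool:
        return all(v is None or hdr.get(k) == v for k, v in vars(self).items())

def filtered(hdr: Dict, table: List[FilterEntry]) -> bool:
    """True if any entry exempts this packet from scrambling/descrambling."""
    return any(e.matches(hdr) for e in table)

def entrance(hdr: Dict, payload: bytes, table: List[FilterEntry], key: bytes) -> bytes:
    """Entrance optical module: pass filtered packets, scramble the rest."""
    return payload if filtered(hdr, table) else scramble(payload, key)

def exit_module(hdr: Dict, payload: bytes, table: List[FilterEntry], key: bytes) -> bytes:
    """Exit optical module: pass filtered packets, descramble the rest."""
    return payload if filtered(hdr, table) else scramble(payload, key)

# Constructed control-plane filter: BGP (TCP/179) and OSPF (IP protocol 89)
# are handled by the CPU and therefore left unscrambled.
CONTROL_PLANE = [FilterEntry(proto=6, dst_port=179), FilterEntry(proto=89)]
KEY = bytes([0x81])

def forward(hdr: Dict, payload: bytes, ingress: List[FilterEntry],
            egress: List[FilterEntry], key: bytes = KEY) -> dict:
    """Carry one packet entrance -> NP -> exit and report what each side saw."""
    inside = entrance(hdr, payload, ingress, key)    # what the NP processes
    out = exit_module(hdr, inside, egress, key)      # what leaves the router
    return {"inside": inside,
            "inside_changed": inside != payload,
            "delivered_ok": out == payload}

if __name__ == "__main__":
    bgp = {"vlan": 10, "proto": 6, "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2",
           "src_port": 40000, "dst_port": 179}
    dns = dict(bgp, proto=17, src_port=5353, dst_port=53)
    print(forward(bgp, b"\x01\x02\x03", CONTROL_PLANE, CONTROL_PLANE))
    print(forward(dns, b"\x01\x02\x03", CONTROL_PLANE, CONTROL_PLANE))
    print(forward(bgp, b"\x01\x02\x03", CONTROL_PLANE, []))   # mismatched tables
```

With identical tables on both sides the CPU-bound packet crosses the router in clear and the data packet crosses it scrambled, both arriving intact; with the egress table missing, the exit module "descrambles" a packet that was never scrambled and delivers garbage, which is the reason the page pairs every first filtering configuration with a second one.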
In this embodiment the optical modules and the router (excluding the optical modules) can be provided by different manufacturers. Since the optical module has scrambled the message, the messages processed inside the router (other than in the CPU) are always scrambled messages, so a message carrying the special data that would trigger a back door is no longer identical to the original message after scrambling, which can greatly reduce the probability that the back door is triggered.
Scenario three: all components in the router are assumed to be insecure;
In this example it is assumed that the router uses a software-defined network (SDN) architecture and an SDN controller is deployed in the SDN network. In a routing network of this architecture the router no longer needs to process routing protocols; the forwarding table in the router is issued by the SDN controller. This scenario is basically similar to the previous embodiment, see Fig. 6; the difference is that if the entire IP packet needs to be scrambled, the configuration center issues the configuration information (scrambling/descrambling algorithm and key) to the SDN controller, and the forwarding table issued by the SDN controller must then be scrambled in the same way as the messages. If the configuration information specifies that only the payload of the message (such as the IP payload or the TCP/UDP payload) is processed, the configuration center does not need to issue configuration information to the SDN controller and the SDN controller does not need to scramble the forwarding table.
Since the routing protocol function is implemented via the SDN controller, the CPU on the line processing unit only needs to receive messages from the SDN controller, so the filter table on the optical module has fewer entries and simpler rules; correspondingly, fewer messages are left unscrambled by the optical module, which can greatly reduce the probability that a back door is triggered.
For the influence of message encryption on NP business and its solution in this embodiment, refer to the solution of the first application scenario; the difference is that in this embodiment the forwarding table is issued to the CPU by the SDN controller, and the SDN controller needs to scramble the forwarding table in the same way as the messages before issuing it.
In this embodiment the messages processed inside the router, except in the CPU, are always scrambled messages, so a message carrying the special data that would trigger a back door is no longer identical to the original message after scrambling, which greatly reduces the probability that the back door is triggered.
The embodiments of the present invention also provide a configuration center, as shown in Fig. 7, comprising:
a configuration information determination unit 701, for determining encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
an information transmitting unit 702, for sending the encryption configuration information to the inlet module of the network equipment and sending the decryption configuration information to the outlet module of the network equipment; the encryption configuration information is for making the inlet module encrypt data packets entering the network equipment, the decryption configuration information is for making the outlet module decrypt data packets leaving the network equipment, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
Encryption configuration information is configuration information that specifies how to encrypt, such as the encryption rule and the encrypted object. The encryption rule may include an encryption algorithm and a key, or an encryption algorithm, a public key and a private key. There are many encryption algorithms, such as DES, DSA, MD5, etc.; besides these, scrambling algorithms also count as encryption algorithms, for example an algorithm that XORs the data to disturb the original data. The encrypted object specifies which part of the data packet is encrypted.
In this embodiment, data packets are encrypted when entering the network equipment, so from the network equipment's point of view the content of the data packets entering it has been changed by the encryption. This prevents a malicious user from sending a message containing special data to trigger a back door present in the network equipment, which not only solves the trust problem of the network equipment itself but also improves the security of the network equipment.
The embodiments of the present invention give the following optional scheme for the encryption configuration information and the corresponding decryption configuration information:
Optionally, the encryption configuration information includes an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs encryption; the decryption configuration information includes a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs decryption, which is identical to the part that needs encryption.
In this embodiment, besides the encryption rule, the encryption configuration information also carries information specifying the part that needs encryption, so the specific part of the data packet to be encrypted can be controlled flexibly. Encrypting a data packet can affect network business; for example, if the protocol header is encrypted, the business service provided by the network equipment may be affected. Therefore, by adding the encrypted object to the encryption configuration information, encryption can be controlled flexibly according to the business demand or the security requirement of the data packet, without necessarily encrypting the entire data packet. The decryption configuration information corresponds to the encryption configuration information; since the outlet module is not necessarily able to detect which part of a data packet is encrypted, a decryption object is also included in the decryption configuration information. Moreover, even if the outlet module could detect the encrypted part of a data packet, adding the decryption object to the decryption configuration information saves the computing resources that detecting the encrypted part would require. This embodiment can therefore serve as a preferred implementation.
In the embodiments of the present invention the network equipment can be any network equipment, and the embodiments impose no unique restriction on this. In addition, the embodiments of the present invention give the following specific application scenario: optionally, the encrypted object includes a scrambling object, which specifies the part of the data packet that needs scrambling; the encryption rule includes a scrambling algorithm and a key; the decryption object includes a descrambling object, which specifies the part of the data packet that needs descrambling; and the decryption rule includes the descrambling algorithm corresponding to the scrambling algorithm and the same key;
the information transmitting unit 702 is for sending the encryption configuration information to the optical module at the router entrance and sending the decryption configuration information to the optical module at the router exit.
In this embodiment encryption is done by scrambling. In the specific application scenario of a router, if the only purpose is to prevent data packets from triggering a back door, a complex encryption algorithm is not needed; this reduces the amount of computation and avoids the effect of encryption and decryption on the router's response speed. Scrambling is one kind of encryption; compared with other encryption such as MD5-class algorithms its computation is much smaller, so it can serve as the preferred implementation in the specific application scenario of a router.
In the embodiments of the present invention, in the specific application scenario of a router, the scrambled part may be the entire data packet, only the payload part, or any other set part. However, scrambling the protocol header of the data packet affects forwarding of the data packet, and on this basis the embodiments of the present invention provide the following three solutions: optionally, if the scrambled part includes the protocol header part of the data packet,
the information transmitting unit 702 is further for sending the encryption configuration information to the network equipment, making the network equipment apply to the entries of the forwarding table the same scrambling as to the data packets;
or, the information transmitting unit 702 is further for sending a scrambled forwarding table to the network equipment, the scrambling mode used for the scrambled forwarding table being identical to the scrambling mode of the data packets;
or, the information transmitting unit 702 is further for sending the encryption configuration information to a software-defined network (SDN) controller, making the SDN controller apply to the forwarding table the same scrambling as to the data packets and send the scrambled forwarding table to the network equipment.
In this embodiment the network equipment is a router. This embodiment also introduces a new piece of equipment, the SDN controller: the configuration center also sends the encryption configuration information to the SDN controller, the SDN controller scrambles the forwarding table and sends the scrambled forwarding table to the network equipment, and the network equipment uses the scrambled forwarding table to perform forwarding. In the above scheme the forwarding table is scrambled; since the scrambling mode of the forwarding table is identical to that of the data packets, the scrambled forwarding table can be used correctly by the router.
Besides controlling which part of a data packet is encrypted, it is also possible to control whether a data packet needs to be encrypted at all. The specific scheme is as follows: further, as shown in Fig. 8, the configuration center further includes:
a filtering information determination unit 801, for determining first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need encryption and the second filtering configuration information specifying the data packets that do not need decryption;
the information transmitting unit 702 is further for sending the first filtering configuration information to the inlet module and sending the second filtering configuration information to the outlet module.
Configuring the encrypted object cannot exempt some data packets from encryption; it only decides which part of those data packets is encrypted. Filtering configuration information, on the other hand, directly decides whether a data packet is encrypted at all. For example, some data packets are inherently sent to the network equipment itself to be processed; if those data packets were encrypted, the decryption configuration information would also have to be sent to the network equipment, which carries a security risk and also results in unnecessary encryption and decryption computation. Therefore, using this embodiment scheme, security can be improved and computing resources can be saved.
The embodiments of the present invention also provide an inlet module, as shown in Fig. 9, comprising:
a data packet receiving unit 901, for receiving data packets that need to pass through the network equipment;
a data packet encryption unit 902, for encrypting the data packets according to encryption configuration information;
a data packet sending unit 903, for sending the encrypted data packets to the network equipment so that the network equipment forwards them to the outlet module having the packet decryption function.
In this embodiment, data packets are encrypted by the inlet module when entering the network equipment, so from the network equipment's point of view the content of the data packets entering it has been changed by the encryption. This prevents a malicious user from sending a message containing special data to trigger a back door present in the network equipment, which not only solves the trust problem of the network equipment itself but also improves the security of the network equipment.
Optionally, the encryption configuration information includes an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs encryption;
the data packet encryption unit 902 is specifically for encrypting, with the encryption rule, the part of the data packet that needs encryption.
In this embodiment, besides the encryption rule, the encryption configuration information also carries information specifying the part that needs encryption, so the specific part of the data packet to be encrypted can be controlled flexibly.
Further, as shown in Fig. 10, the inlet module further includes:
a filtering information receiving unit 1001, for receiving the first filtering configuration information from the configuration center;
the data packet encryption unit 902 is specifically for determining whether the data packet belongs to the data packets specified in the first filtering configuration information as not needing encryption, and if not, encrypting the data packet according to the encryption configuration information.
In this embodiment, configuring the encrypted object cannot exempt some data packets from encryption; it only decides which part of those data packets is encrypted. Filtering configuration information, on the other hand, directly decides whether a data packet is encrypted at all. For example, some data packets are inherently sent to the network equipment itself to be processed; if those data packets were encrypted, the decryption configuration information would also have to be sent to the network equipment, which carries a security risk and also results in unnecessary encryption and decryption computation. Therefore, using this embodiment scheme, security can be improved and computing resources can be saved.
Optionally, the inlet module is an optical module and the network equipment is a router;
the data packet receiving unit 901 is specifically for receiving data packets that need to pass through the router.
This gives a concrete application scenario of the inlet module, namely an optical module in the router application scenario. As one optional application scenario of the embodiments of the present invention it should not be construed as a unique limitation of the embodiments of the present invention.
The embodiments of the present invention also provide an outlet module, as shown in Fig. 11, comprising:
a receiving unit 1101, for receiving data packets that, after passing through the network equipment, need to be sent to a destination, the data packets having been encrypted by the inlet module of the network equipment;
a decryption unit 1102, for decrypting the data packets according to decryption configuration information;
a transmission unit 1103, for sending the decrypted data packets to the destination.
In this embodiment, data packets are encrypted by the inlet module when entering the network equipment and decrypted by the outlet module when leaving the network equipment through it; from the network equipment's point of view the content of the data packets entering it has been changed by the encryption, which prevents a malicious user from sending a message containing special data to trigger a back door present in the network equipment, not only solving the trust problem of the network equipment itself but also improving the security of the network equipment.
Optionally, the outlet module is an optical module and the network equipment is a router;
the receiving unit 1101 is specifically for receiving data packets that, after passing through the router, need to be sent to a destination, the data packets having been encrypted by the optical module at the router entrance.
This gives a concrete application scenario of the outlet module, namely an optical module in the router application scenario. As one optional application scenario of the embodiments of the present invention it should not be construed as a unique limitation of the embodiments of the present invention.
Further, the receiving unit 1101 is also for receiving the second filtering configuration information from the configuration center;
the decryption unit 1102 is specifically for determining whether the data packet received by the receiving unit belongs to the data packets specified in the second filtering configuration information as not needing decryption, and if not, decrypting the data packet according to the decryption configuration information.
In this embodiment, configuring the decryption object cannot exempt some data packets from decryption; it only decides which part of those data packets is decrypted. Filtering configuration information, on the other hand, directly decides whether a data packet is decrypted at all. For example, some data packets are inherently sent to the network equipment itself to be processed; if those data packets were encrypted, the decryption configuration information would also have to be sent to the network equipment, which carries a security risk and also results in unnecessary encryption and decryption computation. Therefore, using this embodiment scheme, security can be improved and computing resources can be saved.
The embodiments of the present invention also provide a network equipment, as shown in Fig. 12, comprising:
any one of the inlet modules 1201 provided by the embodiments of the present invention and any one of the outlet modules 1202 provided by the embodiments of the present invention.
In this embodiment, data packets are encrypted when entering the network equipment, so from the network equipment's point of view the content of the data packets entering it has been changed by the encryption. This prevents a malicious user from sending a message containing special data to trigger a back door present in the network equipment, which not only solves the trust problem of the network equipment itself but also improves the security of the network equipment.
The embodiment of the invention also provides a network security management system, as shown in figure 13, comprising: any configuration center 1301 provided in an embodiment of the present invention, any inlet module 1302 provided in an embodiment of the present invention, and any outlet module 1302 provided in an embodiment of the present invention; or, as shown in figure 14, comprising: any configuration center 1401 provided in an embodiment of the present invention and any network equipment 1402 provided in an embodiment of the present invention.
In this embodiment, a data packet is encrypted when it enters the network equipment, so that, from the viewpoint of the network equipment, the content of the data packet entering it has been changed by the encryption. This prevents a malicious user from triggering a back door present in the network equipment by sending a message containing special data; it not only solves the trust problem of the network equipment itself but also improves the security of the network equipment.
Further, as shown in figure 15, if the configuration center sends the encryption configuration information to an SDN controller, the system further comprises: an SDN controller 1501;
the SDN controller 1501 is configured to perform, on the forwarding table, scrambling processing identical to that applied to the data packets, and to send the scrambled forwarding table to the network equipment 1402.
In this embodiment the network equipment is a router. This embodiment also introduces a new device, the SDN controller: the configuration center can also send the encryption configuration information to the SDN controller, the SDN controller scrambles the forwarding table and sends the scrambled forwarding table to the network equipment, and the network equipment uses the scrambled forwarding table to perform its forwarding function. In the above scheme the forwarding table has been scrambled; since the scrambling mode applied to the forwarding table is identical to the scrambling mode applied to the data packets, the scrambled forwarding table can still be used correctly by the router.
An embodiment of the present invention further provides another configuration center, as shown in figure 16, comprising: a processor 1601, a transmitter 1602 and a memory 1603; the memory 1603 can be used for storage functions such as data buffering while the processor is processing;
wherein the processor 1601 is configured to determine encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
the transmitter 1602 is configured to send the encryption configuration information to the inlet module of the network equipment and to send the decryption configuration information to the outlet module of the network equipment; the encryption configuration information is used to make the inlet module encrypt the data packets entering the network equipment, the decryption configuration information is used to make the outlet module decrypt the data packets issued by the network equipment, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
In this embodiment, a data packet is encrypted when it enters the network equipment, so that, from the viewpoint of the network equipment, the content of the data packet entering it has been changed by the encryption. This prevents a malicious user from triggering a back door present in the network equipment by sending a message containing special data; it not only solves the trust problem of the network equipment itself but also improves the security of the network equipment.
The embodiment of the present invention gives the following optional scheme for the encryption configuration information and the corresponding decryption configuration information:
the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted;
the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
In the embodiments of the present invention the network equipment can be any network equipment; the embodiment of the present invention does not restrict it to a single kind. In addition, the embodiment of the present invention gives the following specific application scenario: the network equipment is a router, and the inlet module and the outlet module are optical modules;
the encrypted object comprises a scrambling object, which specifies the part of the data packet that needs to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object, which specifies the part of the data packet that needs to be descrambled; the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key.
In the embodiments of the present invention, even in this specific application scenario of a router, the scrambled part can be the entire data packet, only the payload part, or any other set part. However, scrambling the protocol header of a data packet affects the forwarding of that data packet; therefore, on this basis, the embodiment of the present invention provides the following three solutions: if the scrambled part includes the protocol header part of the data packet, the transmitter 1602 is further configured to send the encryption configuration information to the network equipment, so that the network equipment performs, on the entries of the forwarding table, scrambling processing identical to that applied to the data packets;
or, the transmitter 1602 is further configured to send a scrambled forwarding table to the network equipment, the scrambling mode used by the scrambled forwarding table being identical to the scrambling mode of the data packets;
or, the transmitter 1602 is further configured to send the encryption configuration information to an SDN controller, so that the SDN controller performs, on the forwarding table, scrambling processing identical to that applied to the data packets and sends the scrambled forwarding table to the network equipment.
Besides controlling which part of a data packet is encrypted, whether a data packet needs to be encrypted at all can also be controlled; the concrete scheme is as follows: the processor 1601 is further configured to determine first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need encryption and the second filtering configuration information specifying the data packets that do not need decryption;
the transmitter 1602 is further configured to send the first filtering configuration information to the inlet module and to send the second filtering configuration information to the outlet module.
The embodiment of the invention also provides another inlet module, as shown in figure 17, comprising: a receiver 1701, a transmitter 1702, a processor 1703 and a memory 1704; the memory 1704 can provide storage resources for the processor 1703 while it is running;
the receiver 1701 is configured to receive data packets that need to pass through the network equipment;
the processor 1703 is configured to encrypt the data packets according to encryption configuration information;
the transmitter 1702 is configured to send the encrypted data packets to the network equipment, so that the network equipment forwards them to the outlet module having the data packet decryption function.
In this embodiment, a data packet is encrypted by the inlet module when it enters the network equipment, so that, from the viewpoint of the network equipment, the content of the data packet entering it has been changed by the encryption. This prevents a malicious user from triggering a back door present in the network equipment by sending a message containing special data; it not only solves the trust problem of the network equipment itself but also improves the security of the network equipment.
Optionally, the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted;
the processor 1703 is specifically configured to encrypt, using the encryption rule, the part of the data packet that needs to be encrypted.
In this embodiment the encryption configuration information carries, in addition to the encryption rule, information specifying the part that needs to be encrypted, so the specific part of the data packet that is encrypted can be controlled flexibly.
Further, the receiver 1701 is further configured to receive first filtering configuration information from the configuration center;
the processor 1703 is specifically configured to determine whether the data packet belongs to the data packets that do not need encryption specified in the first filtering configuration information, and if not, to encrypt the data packet according to the encryption configuration information.
Optionally, the inlet module is an optical module and the network equipment is a router;
the receiver 1701 is specifically configured to receive data packets that need to pass through the router.
This gives a concrete application scenario of the inlet module, namely an optical module in a router application scenario. It is one optional application scenario of the embodiment of the present invention and should not be construed as limiting the embodiment of the present invention to this single scenario.
The embodiment of the invention also provides another outlet module, as shown in figure 18, comprising: a receiver 1801, a transmitter 1802, a processor 1803 and a memory 1804; the memory 1804 can provide storage resources for the processor 1803 while it is running;
the receiver 1801 is configured to receive data packets that need to be sent to a destination after passing through the network equipment, the data packets having been encrypted by the inlet module of the network equipment;
the processor 1803 is configured to decrypt the data packets according to decryption configuration information;
the transmitter 1802 is configured to send the decrypted data packets to the destination.
Optionally, the outlet module is an optical module and the network equipment is a router;
the receiver 1801 is specifically configured to receive data packets that need to be sent to a destination after passing through the router, the data packets having been encrypted by the optical module at the router inlet.
This gives a concrete application scenario of the outlet module, namely an optical module in a router application scenario. It is one optional application scenario of the embodiment of the present invention and should not be construed as limiting the embodiment of the present invention to this single scenario.
Further, the receiver 1801 is further configured to receive second filtering configuration information from the configuration center;
the processor 1803 is specifically configured to determine whether the received data packet belongs to the data packets that do not need decryption specified in the second filtering configuration information, and if not, to decrypt the data packet according to the decryption configuration information.
In this embodiment, configuring a decryption object cannot exempt a subset of the data packets from decryption; it only determines which part of each data packet is decrypted. The filtering configuration information, by contrast, directly determines whether a data packet is decrypted at all. For example, some data packets are inherently addressed to the network equipment itself for processing; if these data packets were encrypted, the decryption configuration information would also have to be sent to the network equipment, which would introduce a security risk and also cause unnecessary encryption and decryption computation. Therefore this embodiment improves security and saves computing resources.
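The scheme set out in the description above (a configuration center issuing a scrambling object, algorithm and key; an inlet module scrambling incoming packets, the router forwarding on an identically scrambled forwarding table, an outlet module descrambling; and first and second filtering configuration for packets addressed to or originated by the router itself), as an added Python model that is not part of the patent. The packet layout, the keyed-XOR scrambler, the key, the addresses, the route table and the "special data" stand-in are all constructed assumptions; the model also shows why the table must be scrambled exactly as the destination field is, and why the field the second filter keys on has to stay outside the scrambled part.

```python
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed layout (assumption, not from the patent): bytes 0-3 src IPv4, 4-7 dst IPv4, 8.. payload.
SRC_OFF, DST_OFF, PAYLOAD_OFF = 0, 4, 8
Route = Tuple[int, int, str]  # (prefix as int, prefix length, next hop)

@dataclass(frozen=True)
class ScramblingConfig:
    """Encryption configuration information: scrambling object (offset/length) plus encryption rule
    (algorithm + key). A keyed XOR is assumed; it is its own inverse, so the same object also serves
    as the corresponding decryption configuration (descrambling object, algorithm and key)."""
    offset: int            # scrambling object: first scrambled byte
    length: Optional[int]  # scrambling object: number of bytes, None = to end of packet
    key: bytes             # encryption rule: key of the keyed-XOR scrambler

    def covers(self, start: int, size: int) -> bool:
        end = float("inf") if self.length is None else self.offset + self.length
        return self.offset <= start and start + size <= end

def scramble(packet: bytes, cfg: ScramblingConfig) -> bytes:
    """Scramble the configured part of a packet; descrambling is the very same operation."""
    end = len(packet) if cfg.length is None else min(len(packet), cfg.offset + cfg.length)
    out = bytearray(packet)
    for i in range(cfg.offset, end):
        out[i] ^= cfg.key[i % len(cfg.key)]  # key byte tied to the absolute offset in the packet
    return bytes(out)

def make_packet(src: str, dst: str, payload: bytes) -> bytes:
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload

def field_addr(packet: bytes, off: int) -> int:
    return int.from_bytes(packet[off:off + 4], "big")

def longest_prefix_match(table: List[Route], dst: int) -> Optional[str]:
    best = None
    for prefix, plen, hop in table:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if (dst & mask) == (prefix & mask) and (best is None or plen > best[0]):
            best = (plen, hop)
    return None if best is None else best[1]

def scramble_forwarding_table(table: List[Route], cfg: ScramblingConfig) -> List[Route]:
    """Scramble the entries exactly as the destination field is (the description's three solutions
    differ only in who does it: router, configuration center or SDN controller). XOR is bitwise, so
    ((dst ^ k) & mask) == ((prefix ^ k) & mask) iff (dst & mask) == (prefix & mask): LPM still works."""
    if not cfg.covers(DST_OFF, 4):
        if any(cfg.covers(DST_OFF + i, 1) for i in range(4)):
            raise ValueError("scramble the whole destination field or none of it")
        return list(table)  # destination left in the clear: the table stays in the clear too
    k = int.from_bytes(bytes(cfg.key[(DST_OFF + i) % len(cfg.key)] for i in range(4)), "big")
    return [(prefix ^ k, plen, hop) for prefix, plen, hop in table]

@dataclass
class Router:
    """Network equipment: inlet module, forwarding plane on the scrambled table, outlet module."""
    own_address: str
    table: List[Route]
    cfg: ScramblingConfig
    no_encrypt: Set[str]  # first filtering configuration: destinations that are not encrypted
    no_decrypt: Set[str]  # second filtering configuration: sources that are not decrypted

    def __post_init__(self) -> None:
        # The outlet applies the second filter to the source field, so it must stay unscrambled.
        if self.cfg.covers(SRC_OFF, 4):
            raise ValueError("source field used by the second filter must not be scrambled")
        self.scrambled_table = scramble_forwarding_table(self.table, self.cfg)

    def inlet(self, packet: bytes) -> bytes:
        dst = str(ipaddress.IPv4Address(field_addr(packet, DST_OFF)))
        return packet if dst in self.no_encrypt else scramble(packet, self.cfg)

    def forwarding_plane(self, packet: bytes) -> Tuple[Optional[str], bytes]:
        dst = field_addr(packet, DST_OFF)  # returns (next hop or "local", payload as the device sees it)
        if dst == int(ipaddress.IPv4Address(self.own_address)):
            return "local", packet[PAYLOAD_OFF:]
        return longest_prefix_match(self.scrambled_table, dst), packet[PAYLOAD_OFF:]

    def outlet(self, packet: bytes) -> bytes:
        src = str(ipaddress.IPv4Address(field_addr(packet, SRC_OFF)))
        return packet if src in self.no_decrypt else scramble(packet, self.cfg)  # XOR undoes XOR

# Constructed demo values: key, addresses and the "special data" stand-in are all made up.
KEY = bytes.fromhex("a5c33c5a0f96")
TABLE = [(int(ipaddress.IPv4Address(p)), n, h) for p, n, h in
         [("10.0.0.0", 8, "hopA"), ("10.1.0.0", 16, "hopB"), ("0.0.0.0", 0, "dflt")]]
TRIGGER = b"TRIGGER-PLACEHOLDER"

def build_router() -> Router:
    cfg = ScramblingConfig(offset=DST_OFF, length=None, key=KEY)  # scramble destination + payload
    return Router("192.0.2.1", TABLE, cfg, no_encrypt={"192.0.2.1"}, no_decrypt={"192.0.2.1"})

def demo() -> dict:
    r = build_router()
    pkt = make_packet("198.51.100.7", "10.1.2.3", b"hello " + TRIGGER)
    inside = r.inlet(pkt)                   # what actually enters the router
    hop, seen = r.forwarding_plane(inside)  # what the router's own logic gets to look at
    return {"hop": hop, "device_sees_trigger": TRIGGER in seen, "restored": r.outlet(inside) == pkt}
```

The router picks the same next hop from the scrambled table as a plaintext lookup would, never sees the trigger bytes in transit, and the outlet restores the original packet.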
It is worth noting that the above apparatus is only divided according to functional logic; it is not limited to the above division, as long as the corresponding functions can be realized. In addition, the specific names of the functional units are only used to distinguish them from each other and are not intended to restrict the protection scope of the present invention.
In addition, those of ordinary skill in the art will appreciate that all or part of the steps in the above method embodiments can be completed by a program instructing the relevant hardware, and that the corresponding program can be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The above are only preferred specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that can readily occur to those familiar with the art within the technical scope disclosed by the embodiments of the present invention should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.
Claims (20)
1. A network security management method, characterized by comprising:
a configuration center determining encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
the configuration center sending the encryption configuration information to an inlet module of a network equipment and sending the decryption configuration information to an outlet module of the network equipment;
wherein the encryption configuration information is used to make the inlet module encrypt data packets entering the network equipment, the decryption configuration information is used to make the outlet module decrypt data packets issued by the network equipment, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
2. The method according to claim 1, characterized in that the encryption configuration information comprises: an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet that needs to be encrypted;
the decryption configuration information comprises: a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
3. The method according to claim 2, characterized in that the network equipment is a router, and the inlet module and the outlet module are optical modules;
the encrypted object comprises: a scrambling object, the scrambling object specifying the part of the data packet that needs to be scrambled; the encryption rule comprises: a scrambling algorithm and a key; the decryption object comprises: a descrambling object, the descrambling object specifying the part of the data packet that needs to be descrambled; the decryption rule comprises: a descrambling algorithm corresponding to the scrambling algorithm, and the key.
4. The method according to claim 3, characterized in that, if the scrambled part includes the protocol header part of the data packet, the method further comprises:
the configuration center sending the encryption configuration information to the network equipment, so that the network equipment performs, on the entries of a forwarding table, scrambling processing identical to that applied to the data packet;
or, the configuration center sending a scrambled forwarding table to the network equipment, the scrambling mode used by the scrambled forwarding table being identical to the scrambling mode of the data packet;
or, the configuration center sending the encryption configuration information to a software-defined network (SDN) controller, so that the SDN controller performs, on the forwarding table, scrambling processing identical to that applied to the data packet and sends the scrambled forwarding table to the network equipment.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
the configuration center determining first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need encryption, and the second filtering configuration information specifying the data packets that do not need decryption;
the configuration center sending the first filtering configuration information to the inlet module and sending the second filtering configuration information to the outlet module.
6. A configuration center, characterized by comprising:
a configuration information determination unit, configured to determine encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
an information transmitting unit, configured to send the encryption configuration information to an inlet module of a network equipment and to send the decryption configuration information to an outlet module of the network equipment; wherein the encryption configuration information is used to make the inlet module encrypt data packets entering the network equipment, the decryption configuration information is used to make the outlet module decrypt data packets issued by the network equipment, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
7. The configuration center according to claim 6, characterized in that
the encryption configuration information comprises: an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet that needs to be encrypted; the decryption configuration information comprises: a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
8. The configuration center according to claim 7, characterized in that the encrypted object comprises: a scrambling object, the scrambling object specifying the part of the data packet that needs to be scrambled; the encryption rule comprises: a scrambling algorithm and a key; the decryption object comprises: a descrambling object, the descrambling object specifying the part of the data packet that needs to be descrambled; the decryption rule comprises: a descrambling algorithm corresponding to the scrambling algorithm, and the key;
the information transmitting unit is specifically configured to send the encryption configuration information to an optical module at the inlet of a router and to send the decryption configuration information to an optical module at the outlet of the router.
9. The configuration center according to claim 8, characterized in that, if the scrambled part includes the protocol header part of the data packet:
the information transmitting unit is further configured to send the encryption configuration information to the network equipment, so that the network equipment performs, on the entries of a forwarding table, scrambling processing identical to that applied to the data packet;
or, the information transmitting unit is further configured to send a scrambled forwarding table to the network equipment, the scrambling mode used by the scrambled forwarding table being identical to the scrambling mode of the data packet;
or, the information transmitting unit is further configured to send the encryption configuration information to a software-defined network (SDN) controller, so that the SDN controller performs, on the forwarding table, scrambling processing identical to that applied to the data packet and sends the scrambled forwarding table to the network equipment.
10. The configuration center according to any one of claims 6 to 9, characterized in that the configuration center further comprises:
a filtering information determination unit, configured to determine first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need encryption, and the second filtering configuration information specifying the data packets that do not need decryption;
the information transmitting unit being further configured to send the first filtering configuration information to the inlet module and to send the second filtering configuration information to the outlet module.
11. An inlet module, characterized by comprising:
a data packet receiving unit, configured to receive data packets that need to pass through a network equipment;
a data packet encryption unit, configured to encrypt the data packets according to encryption configuration information;
a data packet sending unit, configured to send the encrypted data packets to the network equipment, so that the network equipment forwards them to an outlet module having a data packet decryption function;
wherein the encryption configuration information comprises: an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted.
12. The inlet module according to claim 11, characterized in that the inlet module further comprises:
a filtering information receiving unit, configured to receive first filtering configuration information from a configuration center;
the data packet encryption unit being specifically configured to determine whether the data packet belongs to the data packets that do not need encryption specified in the first filtering configuration information, and if not, to encrypt the data packet according to the encryption configuration information.
13. The inlet module according to claim 11 or 12, characterized in that the encryption configuration information comprises: an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet that needs to be encrypted;
the data packet encryption unit being specifically configured to encrypt, using the encryption rule, the part of the data packet that needs to be encrypted.
14. The inlet module according to claim 11 or 12, characterized in that the inlet module is an optical module and the network equipment is a router;
the data packet receiving unit being specifically configured to receive data packets that need to pass through the router.
15. An outlet module, characterized by comprising:
a receiving unit, configured to receive data packets that need to be sent to a destination after passing through a network equipment, the data packets having been encrypted by an inlet module of the network equipment;
a decryption unit, configured to decrypt the data packets according to decryption configuration information;
a transmission unit, configured to send the decrypted data packets to the destination;
wherein the decryption configuration information comprises: a decryption object and a decryption rule, the decryption object specifying the part of the data packet that needs to be decrypted.
16. The outlet module according to claim 15, characterized in that the outlet module is an optical module and the network equipment is a router;
the receiving unit being specifically configured to receive data packets that need to be sent to a destination after passing through the router, the data packets having been encrypted by an optical module at the inlet of the router.
17. The outlet module according to claim 15, characterized in that
the receiving unit is further configured to receive second filtering configuration information from a configuration center;
the decryption unit being specifically configured to determine whether the data packet received by the receiving unit belongs to the data packets that do not need decryption specified in the second filtering configuration information, and if not, to decrypt the data packet according to the decryption configuration information.
18. A network equipment, characterized by comprising:
the inlet module according to any one of claims 11 to 14 and the outlet module according to any one of claims 15 to 17.
19. A network security management system, characterized by comprising:
the configuration center according to any one of claims 6 to 10, the inlet module according to any one of claims 11 to 14 and the outlet module according to any one of claims 15 to 17; or, comprising: the configuration center according to any one of claims 6 to 10 and the network equipment according to claim 18.
20. The system according to claim 19, characterized in that, if the configuration center sends the encryption configuration information to an SDN controller, the system further comprises: the SDN controller;
the SDN controller being configured to perform, on the forwarding table, scrambling processing identical to that applied to the data packet, and to send the scrambled forwarding table to the network equipment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410650194.XA CN105656655B (en) | 2014-11-14 | 2014-11-14 | A kind of network safety managing method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105656655A CN105656655A (en) | 2016-06-08 |
CN105656655B true CN105656655B (en) | 2019-07-23 |
Family
ID=56478977
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410650194.XA Active CN105656655B (en) | 2014-11-14 | 2014-11-14 | A kind of network safety managing method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105656655B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106657121B (en) * | 2016-12-30 | 2019-10-08 | 盛科网络(苏州)有限公司 | The method and exchange chip of mirror image 802.1AE plaintext and ciphertext |
CN108632201A (en) * | 2017-03-16 | 2018-10-09 | 中兴通讯股份有限公司 | Encryption device, decryption device and judge message whether the method that encrypt or decrypt |
CN107800716B (en) * | 2017-11-14 | 2020-05-01 | 中国银行股份有限公司 | Data processing method and device |
CN110011939B (en) * | 2019-04-12 | 2021-06-01 | 无锡中金鼎讯信通科技股份有限公司 | Ethernet switch supporting quantum key to encrypt data |
CN111756767A (en) * | 2020-07-06 | 2020-10-09 | 成都卫士通信息产业股份有限公司 | Streaming media data transmission method and device, electronic equipment and computer storage medium |
CN111885070A (en) * | 2020-07-29 | 2020-11-03 | 解来斌 | Network and information security management system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1443318A (en) * | 2000-07-21 | 2003-09-17 | 惠普公司 | Dual level encrypted cache for secure document print on demand |
CN101179374A (en) * | 2006-11-09 | 2008-05-14 | 日电(中国)有限公司 | Communication equipment, communications system and method therefor |
CN101261666A (en) * | 2008-04-10 | 2008-09-10 | 北京深思洛克数据保护中心 | A method for realizing software copyright protection based on encrypted executable program file |
CN101741827A (en) * | 2008-11-11 | 2010-06-16 | 刘芳 | Network safety processing equipment and method |
CN103746815A (en) * | 2014-02-14 | 2014-04-23 | 浙江中控研究院有限公司 | Secure communication method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002093826A1 (en) * | 2001-05-14 | 2002-11-21 | Matsushita Electric Industrial Co., Ltd. | Electronic device control apparatus |
Timeline: 2014-11-14, CN, CN201410650194.XA, patent/CN105656655B/en, active (Active).
Also Published As
Publication number | Publication date |
---|---|
CN105656655A (en) | 2016-06-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |