CN105656655B - A kind of network safety managing method, device and system - Google Patents

Publication number: CN105656655B
Authority: CN (China)
Prior art keywords: data packet, configuration information, encryption, decryption, network equipment
Legal status: Active
Application number: CN201410650194.XA
Other languages: Chinese (zh)
Other versions: CN105656655A
Inventors: 黄志钢, 张波, 陈建
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201410650194.XA
Publication of CN105656655A
Application granted
Publication of CN105656655B

Abstract

Embodiments of the invention disclose a network security management method, device and system. The method is implemented as follows: a configuration center determines encryption configuration information and corresponding decryption configuration information; the encryption configuration information is sent to the ingress module of a network device and the decryption configuration information is sent to the egress module of the network device. The encryption configuration information is used to make the ingress module encrypt data packets entering the network device; the decryption configuration information is used to make the egress module decrypt data packets leaving the network device, where the data packets decrypted by the egress module are the data packets encrypted by the ingress module. Because a data packet is encrypted when it enters the network device, the content of the packet as seen by the network device has been changed by the encryption, so a malicious user cannot send a message containing special data to trigger a back door present in the network device. This not only resolves the trust problem of the network device itself but also improves the security of the network device.

Description

A kind of network safety managing method, device and system
Technical field
The present invention relates to the field of communication technology, and in particular to a network security management method, device and system.
Background technique
Network devices such as routers and switches face severe security problems. For example, a report published by the China National Internet Emergency Center states that a large number of routers contain vulnerabilities and back doors. Some of these vulnerabilities and back doors are discovered by external attackers through reverse analysis; others are deliberately left by the device vendor for debugging purposes. Common attack techniques include embedding malicious circuits in the device, default privileged user names and passwords, reserved Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) ports, special handling of messages containing special data, and covertly carrying users' sensitive data. The existence of these vulnerabilities and back doors causes operators and users to lose trust in network devices and severely damages the security image of the device vendor.
To solve the above problem, the processing method currently in use is as follows: the circuit diagrams, software source code and related materials of the network device are disclosed and submitted to a third party for examination, and the examining body issues an examination result to prove the security of the network device.
The above approach requires the device vendor to disclose the core secrets of the network device, which harms the vendor's commercial interests. In addition, the disclosed information may be obtained by malicious parties, who can modify existing products and launch new network attacks. The above approach therefore carries a huge security risk.
Summary of the invention
Embodiments of the invention provide a network security management method, device and system for improving the security of a network device.
In a first aspect, an embodiment of the invention provides a network security management method, comprising:
a configuration center determining encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
the configuration center sending the encryption configuration information to an ingress module of a network device and sending the decryption configuration information to an egress module of the network device;
wherein the encryption configuration information is used to make the ingress module encrypt data packets entering the network device, the decryption configuration information is used to make the egress module decrypt data packets leaving the network device, and the data packets decrypted by the egress module are the data packets encrypted by the ingress module.
With reference to the first aspect, in a first possible implementation, the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet that needs to be encrypted;
the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of a data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the network device is a router, and the ingress module and the egress module are optical modules;
the encrypted object comprises a scrambling object, the scrambling object specifying the part of a data packet that needs to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object, the descrambling object specifying the part of a data packet that needs to be descrambled; the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key.
With reference to the second possible implementation of the first aspect, in a third possible implementation, if the scrambled part includes the protocol header of the data packet, the method further comprises:
the configuration center sending the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling as is applied to data packets;
or, the configuration center sending a scrambled forwarding table to the network device, the scrambled forwarding table using the same scrambling mode as the data packets;
or, the configuration center sending the encryption configuration information to a software-defined network (SDN) controller, so that the SDN controller applies to the forwarding table the same scrambling as is applied to data packets and sends the scrambled forwarding table to the network device.
With reference to the first aspect or the first, second or third possible implementation of the first aspect, in a fourth possible implementation, the method further comprises:
the configuration center determining first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying data packets that do not need to be encrypted and the second filtering configuration information specifying data packets that do not need to be decrypted;
the configuration center sending the first filtering configuration information to the ingress module and the second filtering configuration information to the egress module.
In a second aspect, an embodiment of the invention provides a configuration center, comprising:
a configuration information determination unit, configured to determine encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
an information sending unit, configured to send the encryption configuration information to an ingress module of a network device and the decryption configuration information to an egress module of the network device; the encryption configuration information is used to make the ingress module encrypt data packets entering the network device, the decryption configuration information is used to make the egress module decrypt data packets leaving the network device, and the data packets decrypted by the egress module are the data packets encrypted by the ingress module.
With reference to the second aspect, in a first possible implementation, the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet that needs to be encrypted; the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of a data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
With reference to the first possible implementation of the second aspect, in a second possible implementation, the encrypted object comprises a scrambling object, the scrambling object specifying the part of a data packet that needs to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object, the descrambling object specifying the part of a data packet that needs to be descrambled; the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key;
the information sending unit is specifically configured to send the encryption configuration information to the optical module at the router ingress and the decryption configuration information to the optical module at the router egress.
With reference to the second possible implementation of the second aspect, in a third possible implementation, if the scrambled part includes the protocol header of the data packet:
the information sending unit is further configured to send the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling as is applied to data packets;
or, the information sending unit is further configured to send a scrambled forwarding table to the network device, the scrambled forwarding table using the same scrambling mode as the data packets;
or, the information sending unit is further configured to send the encryption configuration information to an SDN controller, so that the SDN controller applies to the forwarding table the same scrambling as is applied to data packets and sends the scrambled forwarding table to the network device.
With reference to the second aspect or the first, second or third possible implementation of the second aspect, in a fourth possible implementation, the configuration center further comprises:
a filtering information determination unit, configured to determine first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying data packets that do not need to be encrypted and the second filtering configuration information specifying data packets that do not need to be decrypted;
the information sending unit is further configured to send the first filtering configuration information to the ingress module and the second filtering configuration information to the egress module.
In a third aspect, an embodiment of the invention further provides an ingress module, comprising:
a data packet receiving unit, configured to receive data packets that need to pass through a network device;
a data packet encryption unit, configured to encrypt the data packets according to encryption configuration information;
a data packet sending unit, configured to send the encrypted data packets to the network device, so that the network device forwards them to an egress module having a data packet decryption function.
With reference to the third aspect, in a first possible implementation, the ingress module further comprises:
a filtering information receiving unit, configured to receive first filtering configuration information from a configuration center;
the data packet encryption unit is specifically configured to determine whether a data packet belongs to the data packets specified in the first filtering configuration information as not needing encryption and, if not, to encrypt the data packet according to the encryption configuration information.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet that needs to be encrypted;
the data packet encryption unit is specifically configured to use the encryption rule to encrypt the part of the data packet that needs to be encrypted.
With reference to the third aspect or the first or second possible implementation of the third aspect, in a third possible implementation, the ingress module is an optical module and the network device is a router;
the data packet receiving unit is specifically configured to receive data packets that need to pass through the router.
In a fourth aspect, an embodiment of the invention provides an egress module, comprising:
a receiving unit, configured to receive data packets that, after passing through a network device, need to be sent to a destination, the data packets having been encrypted by an ingress module of the network device;
a decryption unit, configured to decrypt the data packets according to decryption configuration information;
a sending unit, configured to send the decrypted data packets to the destination.
With reference to the fourth aspect, in a first possible implementation, the egress module is an optical module and the network device is a router;
the receiving unit is specifically configured to receive data packets that, after passing through the router, need to be sent to a destination, the data packets having been encrypted by the optical module at the router ingress.
With reference to the fourth aspect, in a second possible implementation, the receiving unit is further configured to receive second filtering configuration information from a configuration center;
the decryption unit is specifically configured to determine whether a data packet received by the receiving unit belongs to the data packets specified in the second filtering configuration information as not needing decryption and, if not, to decrypt the data packet according to the decryption configuration information.
In a fifth aspect, an embodiment of the invention further provides a network device, comprising:
any ingress module provided by an embodiment of the invention and any egress module provided by an embodiment of the invention.
In a sixth aspect, an embodiment of the invention further provides a network security management system, comprising:
any configuration center provided by an embodiment of the invention, any ingress module provided by an embodiment of the invention and any egress module provided by an embodiment of the invention; or comprising any configuration center provided by an embodiment of the invention and a network device provided by an embodiment of the invention.
With reference to the sixth aspect, in a first possible implementation, if the configuration center sends encryption configuration information to an SDN controller, the system further comprises the SDN controller;
the SDN controller is configured to apply to the forwarding table the same scrambling as is applied to data packets and to send the scrambled forwarding table to the network device.
As can be seen from the above technical solutions, embodiments of the invention have the following advantage: a data packet is encrypted when it enters the network device, so the content of the packet as seen by the network device has been changed by the encryption. This prevents a malicious user from sending a message containing special data to trigger a back door present in the network device, which not only resolves the trust problem of the network device itself but also improves the security of the network device.
Detailed description of the invention
To describe the technical solutions in the embodiments of the invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method according to an embodiment of the invention;
Fig. 2 is a flowchart of a method according to an embodiment of the invention;
Fig. 3 is a flowchart of a method according to an embodiment of the invention;
Fig. 4 is a schematic diagram of a system structure and message flow according to an embodiment of the invention;
Fig. 5 is a schematic diagram of a system structure and message flow according to an embodiment of the invention;
Fig. 6 is a schematic diagram of a system structure and message flow according to an embodiment of the invention;
Fig. 7 is a schematic structural diagram of a configuration center according to an embodiment of the invention;
Fig. 8 is a schematic structural diagram of a configuration center according to an embodiment of the invention;
Fig. 9 is a schematic structural diagram of an ingress module according to an embodiment of the invention;
Fig. 10 is a schematic structural diagram of an ingress module according to an embodiment of the invention;
Fig. 11 is a schematic structural diagram of an egress module according to an embodiment of the invention;
Fig. 12 is a schematic structural diagram of a network device according to an embodiment of the invention;
Fig. 13 is a schematic structural diagram of a system according to an embodiment of the invention;
Fig. 14 is a schematic structural diagram of a system according to an embodiment of the invention;
Fig. 15 is a schematic structural diagram of a system according to an embodiment of the invention;
Fig. 16 is a schematic structural diagram of a configuration center according to an embodiment of the invention;
Fig. 17 is a schematic structural diagram of an ingress module according to an embodiment of the invention;
Fig. 18 is a schematic structural diagram of an egress module according to an embodiment of the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
An embodiment of the invention provides a network security management method, shown in Fig. 1 and described with reference also to Fig. 2 and Fig. 3, comprising:
101: a configuration center determines encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
The encryption configuration information is configuration information that specifies how to encrypt, for example an encryption rule and an encrypted object. The encryption rule may comprise an encryption algorithm and a key, or an encryption algorithm, a public key and a private key. There are many encryption algorithms, for example the symmetric algorithm Data Encryption Standard (DES), the Digital Signature Algorithm (DSA), Message Digest Algorithm 5 (MD5) and so on; besides the above encryption algorithms, scrambling algorithms also count as encryption algorithms, for example an algorithm that XORs the data to disorder the original data. The encrypted object specifies which part of the data packet is to be encrypted, for example the entire data packet, the protocol header, or only the payload. This is set according to the specific application requirement, and the embodiment of the invention does not uniquely restrict it. The process by which the configuration center determines the encryption configuration information and the corresponding decryption configuration information may be receiving a user setting, or may be a fixed configuration based on the current application scenario; exactly how the encryption configuration information and the corresponding decryption configuration information are determined does not affect the implementation of the embodiment of the invention, so the embodiment of the invention does not uniquely restrict it either.
102: the configuration center sends the encryption configuration information to an ingress module of a network device and the decryption configuration information to an egress module of the network device; the encryption configuration information is used to make the ingress module encrypt data packets entering the network device, the decryption configuration information is used to make the egress module decrypt data packets leaving the network device, and the data packets decrypted by the egress module are the data packets encrypted by the ingress module.
In this embodiment, the configuration center sends the encryption configuration information to the ingress module and the decryption configuration information to the egress module. Referring to Fig. 2, a data packet enters through the ingress module; after the ingress module encrypts it, the encrypted data packet is sent by the ingress module to the network device, the network device then forwards the encrypted data packet to the egress module, and the egress module decrypts the encrypted data packet to obtain the decrypted data packet.
In this embodiment, a data packet is encrypted when it enters the network device, so the content of the data packet as seen by the network device has been changed by the encryption. This prevents a malicious user from sending a message containing special data to trigger a back door present in the network device, which not only resolves the trust problem of the network device itself but also improves the security of the network device.
The embodiment of the invention gives the following optional scheme for the encryption configuration information and the corresponding decryption configuration information: the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet that needs to be encrypted;
the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of a data packet that needs to be decrypted, which is identical to the part that needs to be encrypted.
In this embodiment, in addition to the encryption rule, the encryption configuration information also carries information specifying the part that needs to be encrypted, so encryption of a specific part of the data packet can be flexibly controlled. Encrypting a data packet affects network services; for example, if the protocol header is encrypted, the business services provided by the network device may be affected. Adding the encrypted object to the encryption configuration information therefore allows flexible control according to the business requirement or the security requirement of the data packet, without necessarily encrypting the entire data packet. The decryption configuration information corresponds to the encryption configuration information; since the egress module is not necessarily able to detect which part of a data packet has been encrypted, a decryption object is also added to the decryption configuration information. Moreover, even if the egress module can detect the encrypted part of a data packet, adding the decryption object to the decryption configuration information saves the computing resources needed to detect the encrypted part.
In embodiments of the invention, the network device may be any network device; the embodiment of the invention does not uniquely restrict it. In addition, the embodiment of the invention gives the following specific application scenario: the network device is a router, and the ingress module and the egress module are optical modules;
the encrypted object comprises a scrambling object, the scrambling object specifying the part of a data packet that needs to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object, the descrambling object specifying the part of a data packet that needs to be descrambled; the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key.
In this embodiment, encryption is completed by way of scrambling. In the specific application scenario of a router, if the purpose is merely to prevent data packets from triggering back doors, there is no need to perform a complex encryption algorithm; this reduces the amount of computation and avoids the effect of encryption and decryption on router response speed. Scrambling is one kind of encryption; compared with other encryption such as the MD5 class, its computation is much smaller, so it can serve as the preferred implementation in the specific application scenario of a router.
The optical module may be an optical module implemented using a field programmable gate array (FPGA).
In embodiments of the invention, even in the specific application scenario of a router, the scrambled part may be the entire data packet, only the payload, or any other set part; but scrambling the protocol header of a data packet affects packet forwarding, so on this basis the embodiment of the invention provides the following three solutions: if the scrambled part includes the protocol header of the data packet, the above method further comprises:
the configuration center sending the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling as is applied to data packets;
or, the configuration center sending a scrambled forwarding table to the network device, the scrambled forwarding table using the same scrambling mode as the data packets;
or, the configuration center sending the encryption configuration information to a software-defined network (Software Defined Network, SDN) controller, so that the SDN controller applies to the forwarding table the same scrambling as is applied to data packets and sends the scrambled forwarding table to the network device.
In this embodiment, the network device is a router. This embodiment also introduces a new device, the SDN controller, so the processing flow is slightly modified; referring to Fig. 3, the difference compared with Fig. 2 is that the configuration center may also send the encryption configuration information to the SDN controller, the SDN controller scrambles the forwarding table and then sends the scrambled forwarding table to the network device, and the network device performs its forwarding function using the scrambled forwarding table.
All three of the above solutions scramble the forwarding table. Because the scrambling mode applied to the forwarding table is identical to that applied to data packets, the scrambled forwarding table can be used correctly by the router. This is illustrated below with a routing table example:
Assume the routing table has 3 entries:
10.10.10.10 port1
10.11.*.* port2
10.*.*.* port3
A message (data packet) whose destination Internet Protocol (IP) address is 10.11.1.1 is now received; according to the longest match principle, it should match the 2nd entry.
The destination IP of the message is expressed in hexadecimal as (0x0a, 0x0b, 0x01, 0x01); the scrambling algorithm XORs the destination IP of the message with 0x81, giving (0x8b, 0x8a, 0x80, 0x80) after the XOR;
the 3 routing table entries are likewise each XORed with 0x81, giving:
0x8b,0x8b,0x8b,0x8b port1
0x8b,0x8a,*,* port2
0x8b,*,*,* port3
Matching the scrambled message against the scrambled routing table yields port2, consistent with the original matching result. Therefore, as long as the scrambling mode is identical, using the scrambled message together with the scrambled routing table does not affect the specific implementation of routing.
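The routing table example above can be checked mechanically. The following Python is an added example, not code from the patent or from Huawei: it scrambles a destination address and a wildcard routing table with the same per-octet XOR key, performs the longest-match lookup on both the plain and the scrambled data, and also shows the failure mode the three solutions above exist to avoid (a scrambled packet looked up in an unscrambled table matches nothing). It goes beyond the single key 0x81 by verifying that the result is preserved for every one-byte key, which holds because XOR with a fixed byte is a bijection on each octet and the wildcards are position-wise. The table entries, key and address are the patent's; the function names, the `None` wildcard encoding and the octet-count tie-break are my assumptions.

```python
# Added example (not from the patent): per-octet XOR scrambling of a destination IP
# and of a wildcard routing table, checking that longest-match routing is preserved.
from typing import List, Optional, Tuple

WILDCARD = None  # encodes the '*' octet of the patent's routing table (assumption)
Entry = Tuple[Tuple[Optional[int], ...], str]  # (octet pattern, output port)

# The patent's three entries: 10.10.10.10 port1, 10.11.*.* port2, 10.*.*.* port3
ROUTING_TABLE: List[Entry] = [
    ((10, 10, 10, 10), "port1"),
    ((10, 11, WILDCARD, WILDCARD), "port2"),
    ((10, WILDCARD, WILDCARD, WILDCARD), "port3"),
]

SCRAMBLE_KEY = 0x81  # the one-byte XOR key used in the patent's example


def parse_ip(text: str) -> Tuple[int, ...]:
    """'10.11.1.1' -> (10, 11, 1, 1)."""
    return tuple(int(part) for part in text.split("."))


def scramble_ip(ip: Tuple[int, ...], key: int = SCRAMBLE_KEY) -> Tuple[int, ...]:
    """XOR every octet with the key. XOR is its own inverse, so this also descrambles."""
    return tuple(octet ^ key for octet in ip)


def scramble_table(table: List[Entry], key: int = SCRAMBLE_KEY) -> List[Entry]:
    """Apply the same per-octet XOR to every concrete octet; wildcards stay wildcards."""
    return [
        (tuple(WILDCARD if o is WILDCARD else o ^ key for o in pattern), port)
        for pattern, port in table
    ]


def matches(pattern: Tuple[Optional[int], ...], ip: Tuple[int, ...]) -> bool:
    """An entry matches when every concrete octet equals the packet's octet."""
    return all(p is WILDCARD or p == o for p, o in zip(pattern, ip))


def longest_match(table: List[Entry], ip: Tuple[int, ...]) -> Optional[str]:
    """Longest-match lookup: among matching entries, the one with the most
    concrete (non-wildcard) octets wins. Returns the port or None."""
    best_port, best_len = None, -1
    for pattern, port in table:
        if matches(pattern, ip):
            concrete = sum(o is not WILDCARD for o in pattern)
            if concrete > best_len:
                best_port, best_len = port, concrete
    return best_port


def lookup_scrambled(table: List[Entry], ip: Tuple[int, ...],
                     key: int = SCRAMBLE_KEY) -> Optional[str]:
    """What the router does under the patent's scheme: both the forwarding table
    and the packet header have been scrambled with the same key."""
    return longest_match(scramble_table(table, key), scramble_ip(ip, key))


def scrambling_preserves_routing(table: List[Entry], ip: Tuple[int, ...]) -> bool:
    """Check the patent's claim for every possible one-byte key."""
    plain = longest_match(table, ip)
    return all(lookup_scrambled(table, ip, k) == plain for k in range(256))


if __name__ == "__main__":
    dst = parse_ip("10.11.1.1")
    print("scrambled header:", tuple(hex(o) for o in scramble_ip(dst)))
    print("plain lookup:    ", longest_match(ROUTING_TABLE, dst))
    print("scrambled lookup:", lookup_scrambled(ROUTING_TABLE, dst))
    # Mismatch: scrambled packet against the unscrambled table finds no route,
    # which is why the forwarding table must be scrambled the same way.
    print("mismatched lookup:", longest_match(ROUTING_TABLE, scramble_ip(dst)))
    print("preserved for all keys:", scrambling_preserves_routing(ROUTING_TABLE, dst))
```

The mismatch lookup is the practical caveat: the scheme only works if the table and the packets are scrambled with the same key at the same time, so a key change must be applied atomically to the ingress module, the forwarding table and the egress module, or traffic is dropped or misrouted during the switch-over.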
Besides controlling which part of a data packet is encrypted, it is also possible to control whether a data packet needs to be encrypted at all. The concrete scheme is as follows: the method above further includes:
the configuration center determines first filtering configuration information and corresponding second filtering configuration information; the first filtering configuration information specifies the data packets that do not need encryption, and the second filtering configuration information specifies the data packets that do not need decryption;
the configuration center sends the first filtering configuration information to the inlet module and the second filtering configuration information to the outlet module.
In this embodiment, filtering configuration information is used to specify which data packets need not be encrypted and which need not be decrypted. Because the inlet module and the outlet module may be two independent physical entities with the network device between them, the outlet module cannot necessarily know which packets were encrypted by the inlet module and which were not encrypted and therefore need no decryption. If encryption is done by scrambling, a packet that was never scrambled would be descrambled on leaving the network device, and the destination device would then be unable to recognize it. So in this embodiment, in addition to the first filtering configuration information, corresponding second filtering configuration information is also needed. Controlling whether a packet is encrypted by filtering configuration information differs considerably from controlling it through the encrypted object: configuring the encrypted object cannot leave some packets unencrypted, it only determines which part of those packets is encrypted, whereas filtering configuration information directly determines whether a packet is encrypted at all. For example, some packets are addressed to the network device itself for processing there; if those packets were encrypted, the decryption configuration information would also have to be sent to the network device, which creates a security risk and causes unnecessary encryption and decryption computation. This embodiment therefore improves security and saves computing resources.
The following embodiments give three concrete application scenarios, taking a router as the network device. In the router scenarios the inlet module and outlet module are optical modules; to distinguish the two they are called the entrance optical module and the exit optical module. An optical module can be plugged into a Line Processing Unit (LPU) board. Because the signal path is reversible, one optical module can serve as an entrance optical module and at the same time as an exit optical module. For convenience, the following embodiments show two independent optical modules in the figures, representing the exit optical module and the entrance optical module; the two optical modules may also be on one LPU board, and the two separate LPU boards connected through a switching network in the figures should not be construed as limiting the embodiments. The router also contains a central processing unit (CPU) and a network processor (NP); a practical router may contain other functional components, and the schematic of this embodiment should not be construed as limiting the embodiments.
One: assume the CPU in the router is safe and the other functional components are unsafe;
The system structure and packet flow are shown in Fig. 4. The LPU carries optical modules; the CPU, NP and LPU are connected through the switching network; the LPU, CPU, NP and switching network are components of the router. An optical module may be sold independently or sold together as a component of the router. The configuration center is an independent device.
In this example, assume that chips such as the NP and the traffic management (TM) chip in the router are unsafe (or of uncertain safety) and may contain back doors, and that the CPU in the router is safe. The safety of the CPU can be established by opening the operating system together with the software source code to third-party review. The concrete realization is as follows:
First: before the router starts normal operation, the configuration center issues configuration information to the optical modules on each LPU board and to the CPU;
The configuration information is set according to the service; the algorithm issued by the configuration center may include which fields of the packet are processed and how they are processed.
The fields to be encrypted may be the entire IP packet, the IP payload, the TCP/UDP payload, and so on. The encryption algorithm may be, for example, the Data Encryption Standard (DES), the RSA algorithm, or scrambling; an algorithm corresponding to scrambling is, for example, the XOR algorithm. The key length is variable and may be 8 bits, 56 bits, 128 bits, or another length. The embodiments impose no unique restriction on this.
Taking scrambling as an example, the configuration information issued by the configuration center includes the algorithm and the key.
Then: after a packet enters the entrance optical module, the optical module scrambles the packet according to the algorithm and key issued by the configuration center, and the scrambled packet is processed by the NP. If the packet processed by the NP is handed to the CPU, the CPU descrambles the packet and then continues processing; if the packet processed by the NP enters another router line card through the switching network and finally reaches the exit optical module, the exit optical module descrambles the packet.
As an example of scrambling: assume the payload of the original packet consists of the 8 bytes 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08; each byte is XORed with 0x80, and the result is 0x81 0x82 0x83 0x84 0x85 0x86 0x87 0x88.
In this embodiment the algorithm issued by the configuration center may affect the NP's service processing. For example, if the algorithm issued by the configuration center requires the entire IP packet to be scrambled, the destination IP address and the TCP ports all change, so route lookup, ACL (Access Control List) and NAT (Network Address Translation) services are all affected. The embodiments provide at least two solutions:
One method: before the configuration center issues the configuration information, assess the services the router must support and decide according to the service which algorithm to use (for example, processing only the TCP/UDP payload), so that the IP and TCP headers are not processed and the NP's normal service processing is not affected. This method can be realized by having the configuration center issue a filter table to the exit and entrance optical modules, whose entries specify the types of data packets that need no encryption, for example specifying that the IP and TCP headers of the service are not encrypted; or by not including the IP header and TCP header of the packet in the encrypted object specified for the encryption algorithm.
Another method: process the table entries corresponding to the service in the same way. For example, the configured algorithm requires the entire IP packet to be scrambled; to guarantee normal packet forwarding by the NP, when the CPU issues the forwarding table to the NP it scrambles the forwarding table, and the ACL entries are scrambled too, so that the service can still be processed normally. The forwarding table and the ACL entries are scrambled in the same way as the entrance optical module scrambles packets.
Because all packets are encrypted in this embodiment, a packet sent outward by the CPU that is not encrypted would be wrongly decrypted at the exit optical module. The embodiment provides the following solution: when the CPU sends a packet outward, the CPU scrambles the outgoing packet, so that when the packet passes through the exit optical module the exit optical module can still descramble or decrypt it and restore it to a normal packet before sending.
In this embodiment the optical modules and the router (without optical modules) can be supplied by different manufacturers. Because the optical modules encrypt packets, every packet processed inside the router (except in the CPU) is an encrypted packet; a packet carrying the special data that would trigger a back door becomes different from the original packet after encryption, so the probability that a back door is triggered is greatly reduced.
Two: assume all components in the router are unsafe;
The system structure and packet flow are shown in Fig. 5. The LPU carries optical modules; the CPU, NP and LPU are connected through the switching network; the LPU, CPU, NP and switching network are components of the router. An optical module may be sold independently or sold together as a component of the router. The configuration center is an independent device.
In this example, assume that the NP and similar components in the router are unsafe and may contain back doors. Whether the CPU is safe can be established by opening the operating system together with the software source code to third-party review. It can therefore be assumed that packets sent to the router that must be processed by the CPU are safe.
First: before the router starts normal operation, the configuration center issues configuration information to the optical modules on each LPU board. Unlike the previous embodiment, the configuration information need not be issued to the CPU; in addition, in this embodiment a filter table is also issued to the optical modules on each LPU board.
In this embodiment the filter table specifies the packet types that need no scrambling. If configuration information is not sent to the CPU, the filter table should cover the packets sent to the CPU, so the filter table can be used to filter the packets that the NP must forward to the CPU for processing, such as routing protocol packets. For these packets the optical module does not scramble, as directed by the filter table, so the CPU need not descramble and can process them by the original flow.
Then: after a packet enters the entrance optical module, the optical module filters the packet according to the filter table issued by the configuration center. If the packet matches one or more entries in the filter table, the optical module does not scramble it; if the packet matches no entry in the filter table, the optical module scrambles it with the algorithm and key issued by the configuration center. The specific processing is the same as in the previous embodiment and is not repeated here.
If the packet processed by the NP is handed to the CPU, the packet should have matched a filter-table rule and was not scrambled by the optical module, so the CPU can process it normally. If the packet processed by the NP is handed to another optical module acting as the exit, that exit optical module descrambles the packet.
In this embodiment a filter-table entry may consist of one or more header fields, such as the Virtual Local Area Network (VLAN) number, the protocol field of the IP packet, the source IP address, the destination IP address, the TCP ports (source port, destination port), the UDP ports (source port, destination port), and so on. The filter-table entries can be set as required; the embodiments impose no unique restriction on their specific content.
In this embodiment, when the CPU sends packets outward, the CPU does not scramble the outgoing packets because it has not received configuration information, and because the exit optical module has a corresponding filter-table entry it does not descramble such packets either.
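The second scenario above, as an added example that is not code from the patent: an entrance module that consults a filter table before scrambling only the configured part of the packet (here the payload, the encrypted object), and an exit module that consults the corresponding table before descrambling. It also reproduces the 8-byte payload scramble from the first scenario (each byte XORed with 0x80) and shows the failure the patent warns about earlier: when the exit module's filter table does not correspond to the entrance module's, a packet that was never scrambled is descrambled and arrives corrupted. The packet layout, the filter entries, the addresses and the key are all constructed for the example.

```python
"""Added example: filter-table controlled scrambling at an entrance module
and descrambling at the exit module. Not the patent's code; packet layout,
filter entries, addresses and key are constructed for illustration."""

from dataclasses import dataclass, replace
from typing import List, Optional

KEY = bytes([0x80])  # constructed one-byte XOR key (the patent's payload example)


@dataclass(frozen=True)
class Packet:
    """Only the header fields a filter entry may reference, plus the payload."""
    vlan: int
    proto: int            # IP protocol number: 6 TCP, 17 UDP, 89 OSPF
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


@dataclass(frozen=True)
class FilterEntry:
    """A header-field match; a field left as None is a wildcard."""
    vlan: Optional[int] = None
    proto: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        fields = (("vlan", self.vlan), ("proto", self.proto),
                  ("dst", self.dst), ("dport", self.dport))
        return all(v is None or v == getattr(p, f) for f, v in fields)


def scramble(data: bytes, key: bytes = KEY) -> bytes:
    """XOR with a repeating key; the same call descrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed filter table: traffic the router's CPU must see unscrambled.
FILTER_TABLE: List[FilterEntry] = [
    FilterEntry(proto=89),            # OSPF routing protocol packets
    FilterEntry(proto=6, dport=179),  # BGP sessions
    FilterEntry(dst="10.0.0.1"),      # packets addressed to the router itself
]


def bypasses(p: Packet, table: List[FilterEntry]) -> bool:
    """True when any filter entry matches, i.e. the packet is left alone."""
    return any(e.matches(p) for e in table)


def entrance(p: Packet, table: List[FilterEntry] = FILTER_TABLE,
             key: bytes = KEY) -> Packet:
    """Entrance optical module: scramble the payload unless filtered out."""
    if bypasses(p, table):
        return p
    return replace(p, payload=scramble(p.payload, key))


def exit_module(p: Packet, table: List[FilterEntry] = FILTER_TABLE,
                key: bytes = KEY) -> Packet:
    """Exit optical module: descramble the payload unless filtered out."""
    if bypasses(p, table):
        return p
    return replace(p, payload=scramble(p.payload, key))


def round_trip(p: Packet, entrance_table: List[FilterEntry],
               exit_table: List[FilterEntry]) -> Packet:
    """Packet as seen by the destination after both modules."""
    return exit_module(entrance(p, entrance_table), exit_table)


def tables_correspond(p: Packet, entrance_table: List[FilterEntry],
                      exit_table: List[FilterEntry]) -> bool:
    """True when the destination receives the original payload."""
    return round_trip(p, entrance_table, exit_table).payload == p.payload


# Constructed sample packets.
DNS = Packet(100, 17, "192.0.2.10", "198.51.100.7", 4000, 53, bytes(range(1, 9)))
OSPF = Packet(100, 89, "192.0.2.1", "224.0.0.5", None, None, b"\x02\x01\x00\x2c")

if __name__ == "__main__":
    print(entrance(DNS).payload.hex())                 # 8182838485868788
    print(entrance(OSPF).payload == OSPF.payload)      # True: left for the CPU
    print(tables_correspond(OSPF, FILTER_TABLE, FILTER_TABLE[1:]))  # False
```

The last line is the case the patent's second filtering configuration information exists to prevent: the entrance table exempts OSPF, the exit table does not, so the exit module XORs a payload that was never scrambled. The inverse mismatch (entrance scrambles, exit exempts) corrupts the packet just as badly, which is why the two tables are issued together by the configuration center.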
In this embodiment the optical modules and the router (without optical modules) can be supplied by different manufacturers. Because the optical modules scramble packets, every packet processed inside the router (except in the CPU) is a scrambled packet; a packet carrying the special data that would trigger a back door becomes different from the original packet after scrambling, so the probability that a back door is triggered is greatly reduced.
Three: assume all components in the router are unsafe;
In this example, assume the router uses a Software Defined Network (SDN) architecture, with an SDN controller deployed in the SDN network. In a routing network of this architecture the router no longer needs to process routing protocols; the forwarding table in the router is issued by the SDN controller. This scenario is basically similar to the previous embodiment; see Fig. 6. The difference is that if the entire IP packet is to be scrambled, the configuration center issues the configuration information (scrambling/descrambling algorithm and key) to the SDN controller, and the forwarding table issued by the SDN controller must then be scrambled in the same way as the packets. If the configuration processes only the payload of the packet (such as the IP payload or the TCP/UDP payload), the configuration center need not issue configuration information to the SDN controller, and the SDN controller need not scramble the forwarding table.
Because the routing protocol function is realized by the SDN controller, the CPU on the line processing unit only needs to receive packets from the SDN controller, so the filter table on the optical module has fewer entries and simpler rules. Correspondingly, fewer packets pass through the optical module without scrambling, which greatly reduces the probability that a back door is triggered.
For the effect of packet encryption on NP services and its solution, this embodiment can refer to the solution of the first application scenario, the difference being that here the forwarding table is issued to the CPU by the SDN controller, and the SDN controller must scramble the forwarding table in the same way as the packets before issuing it.
In this embodiment, every packet processed inside the router (except in the CPU) is a scrambled packet; a packet carrying the special data that would trigger a back door becomes different from the original packet after scrambling, which greatly reduces the probability that a back door is triggered.
The embodiments also provide a configuration center, as shown in Fig. 7, comprising:
a configuration information determination unit 701, for determining encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
an information transmitting unit 702, for sending the encryption configuration information to the inlet module of the network device and the decryption configuration information to the outlet module of the network device; the encryption configuration information is used to make the inlet module encrypt data packets entering the network device, the decryption configuration information is used to make the outlet module decrypt data packets leaving the network device, and the data packets decrypted by the outlet module are the data packets encrypted by the inlet module.
Encryption configuration information is configuration information specifying how to encrypt, such as the encryption rule and the encrypted object. The encryption rule may include an encryption algorithm and a key, or an encryption algorithm, a public key and a private key. There are many encryption algorithms, such as DES, DSA, MD5 and so on; besides these, scrambling algorithms also count as encryption algorithms, for example an algorithm that XORs the data to disorder the original data. The encrypted object specifies which part of the data packet is encrypted.
In this embodiment, data packets are encrypted when entering the network device. From the network device's perspective the content of the packets entering it has been changed by encryption, which prevents a malicious user from sending a packet containing special data to trigger a back door present in the network device. This not only solves the trust problem of the network device itself but also improves the security of the network device.
The embodiments give the following optional scheme for the encryption configuration information and the corresponding decryption configuration information: optionally, the encryption configuration information includes an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet to be encrypted; the decryption configuration information includes a decryption object and a decryption rule, the decryption object specifying the part of the data packet to be decrypted, which is the same as the part to be encrypted.
In this embodiment the encryption configuration information carries, in addition to the encryption rule, information specifying the part to be encrypted, so the specific part of the packet that is encrypted can be controlled flexibly. Encrypting a packet affects network services; for example, encrypting the protocol header may affect the services provided by the network device. By adding the encrypted object to the encryption configuration information, encryption can be controlled flexibly according to service demand or the security requirement of the packet, without necessarily encrypting the entire packet. The decryption configuration information corresponds to the encryption configuration information; since the outlet module cannot necessarily detect which part of a packet was encrypted, a decryption object is also included in the decryption configuration information. Even if the outlet module could detect the encrypted part, including the decryption object in the decryption configuration information saves the computing resources that detection would require. This embodiment can therefore serve as a preferred implementation.
In the embodiments the network device can be any network device; no unique restriction is imposed on this. A specific application scenario is also given: optionally, the encrypted object includes a scrambling object specifying the part of the packet to be scrambled; the encryption rule includes a scrambling algorithm and a key; the decryption object includes a descrambling object specifying the part of the packet to be descrambled; and the decryption rule includes the descrambling algorithm corresponding to the scrambling algorithm and the key;
the information transmitting unit 702 is used to send the encryption configuration information to the optical module at the router entrance and the decryption configuration information to the optical module at the router exit.
In this embodiment encryption is done by scrambling. In the specific scenario of a router, if the purpose is merely to prevent packets from triggering a back door, a complex encryption algorithm is not needed; this reduces the amount of computation and avoids the impact of encryption and decryption on the router's response speed. Scrambling is a kind of encryption whose computation is much smaller than that of algorithms such as MD5, so it can serve as the preferred scheme in the specific application scenario of a router.
In the specific scenario of a router, the scrambled part may be the entire packet, only the payload, or any other configured part. Since scrambling the packet's protocol header affects packet forwarding, the embodiments provide the following three solutions: optionally, if the scrambled part includes the protocol header of the data packet,
the information transmitting unit 702 is further used to send the encryption configuration information to the network device, so that the network device scrambles the entries of the forwarding table in the same way as the data packets;
or, the information transmitting unit 702 is further used to send a scrambled forwarding table to the network device, the scrambled forwarding table using the same scrambling method as the data packets;
or, the information transmitting unit 702 is further used to send the encryption configuration information to a software-defined network (SDN) controller, so that the SDN controller scrambles the forwarding table in the same way as the data packets and sends the scrambled forwarding table to the network device.
In this embodiment the network device is a router. A new device, the SDN controller, is also introduced: the configuration center can also send the encryption configuration information to the SDN controller, the SDN controller scrambles the forwarding table and sends the scrambled forwarding table to the network device, and the network device uses the scrambled forwarding table to perform forwarding. The schemes above scramble the forwarding table; because the forwarding table is scrambled in the same way as the data packets, the router can use the scrambled forwarding table correctly.
Besides controlling which part of a data packet is encrypted, it is also possible to control whether a data packet needs to be encrypted at all. Further, as shown in Fig. 8, the configuration center further includes:
a filtering information determination unit 801, for determining first filtering configuration information and corresponding second filtering configuration information; the first filtering configuration information specifies the data packets that do not need encryption, and the second filtering configuration information specifies the data packets that do not need decryption;
the information transmitting unit 702 is further used to send the first filtering configuration information to the inlet module and the second filtering configuration information to the outlet module.
Configuring the encrypted object cannot leave some packets unencrypted; it only determines which part of those packets is encrypted. Filtering configuration information, by contrast, directly determines whether a packet is encrypted at all. For example, some packets are addressed to the network device itself for processing there; if those packets were encrypted, the decryption configuration information would also have to be sent to the network device, which creates a security risk and causes unnecessary encryption and decryption computation. This embodiment therefore improves security and saves computing resources.
The embodiments also provide an inlet module, as shown in Fig. 9, comprising:
a data packet receiving unit 901, for receiving data packets that need to pass through the network device;
a data packet encryption unit 902, for encrypting the data packets according to encryption configuration information;
a data packet sending unit 903, for sending the encrypted data packets to the network device so that the network device forwards them to an outlet module with a packet decryption function.
In this embodiment, data packets are encrypted by the inlet module when entering the network device. From the network device's perspective the content of the packets entering it has been changed by encryption, which prevents a malicious user from sending a packet containing special data to trigger a back door present in the network device. This not only solves the trust problem of the network device itself but also improves the security of the network device.
Optionally, the encryption configuration information includes an encrypted object and an encryption rule; the encrypted object specifies the part of the data packet to be encrypted;
the data packet encryption unit 902 is specifically used to encrypt the part of the data packet to be encrypted using the encryption rule.
In this embodiment the encryption configuration information carries, in addition to the encryption rule, information specifying the part to be encrypted, so the specific part of the packet that is encrypted can be controlled flexibly.
Further, as shown in Fig. 10, the inlet module further includes:
a filtering information receiving unit 1001, for receiving first filtering configuration information from the configuration center;
the data packet encryption unit 902 is specifically used to determine whether the data packet belongs to the data packets specified in the first filtering configuration information as needing no encryption, and if not, to encrypt the data packet according to the encryption configuration information.
In this embodiment, configuring the encrypted object cannot leave some packets unencrypted; it only determines which part of those packets is encrypted. Filtering configuration information, by contrast, directly determines whether a packet is encrypted at all. For example, some packets are addressed to the network device itself for processing there; if those packets were encrypted, the decryption configuration information would also have to be sent to the network device, which creates a security risk and causes unnecessary encryption and decryption computation. This embodiment therefore improves security and saves computing resources.
Optionally, the inlet module is an optical module and the network device is a router;
the data packet receiving unit 901 is specifically used to receive data packets that need to pass through the router.
This gives a concrete application scenario of the inlet module: an optical module in the router scenario. As one optional application scenario of the embodiments, it should not be construed as a unique restriction on the embodiments.
The embodiments also provide an outlet module, as shown in Fig. 11, comprising:
a receiving unit 1101, for receiving data packets that, after passing through the network device, need to be sent to a destination, the data packets having been encrypted by the inlet module of the network device;
a decryption unit 1102, for decrypting the data packets according to decryption configuration information;
a transmission unit 1103, for sending the decrypted data packets to the destination.
In this embodiment, data packets are encrypted by the inlet module when entering the network device and decrypted by the outlet module when leaving the network device through it. From the network device's perspective the content of the packets entering it has been changed by encryption, which prevents a malicious user from sending a packet containing special data to trigger a back door present in the network device. This not only solves the trust problem of the network device itself but also improves the security of the network device.
Optionally, the outlet module is an optical module and the network device is a router;
the receiving unit 1101 is specifically used to receive data packets that, after passing through the router, need to be sent to a destination, the data packets having been encrypted by the optical module at the router entrance.
This gives a concrete application scenario of the outlet module: an optical module in the router scenario. As one optional application scenario of the embodiments, it should not be construed as a unique restriction on the embodiments.
Further, the receiving unit 1101 is further used to receive second filtering configuration information from the configuration center;
the decryption unit 1102 is specifically used to determine whether the data packet received by the receiving unit belongs to the data packets specified in the second filtering configuration information as needing no decryption, and if not, to decrypt the data packet according to the decryption configuration information.
In this embodiment, configuring the decryption object cannot leave some packets undecrypted; it only determines which part of those packets is decrypted. Filtering configuration information, by contrast, directly determines whether a packet is decrypted at all. For example, some packets are addressed to the network device itself for processing there; if those packets were encrypted, the decryption configuration information would also have to be sent to the network device, which creates a security risk and causes unnecessary encryption and decryption computation. This embodiment therefore improves security and saves computing resources.
The embodiment of the present invention further provides a network device, as shown in figure 12, comprising:
an ingress module 1201 according to any one of the embodiments of the present invention and an egress module 1202 according to any one of the embodiments of the present invention.
In this embodiment, a data packet is encrypted when it enters the network device. Because encryption changes the content of the data packet as seen by the network device, a malicious user is prevented from triggering a backdoor present in the network device by sending a message containing special data. This not only resolves the trust problem of the network device itself but also improves the security of the network device.
The embodiment of the present invention further provides a network security management system, as shown in figure 13, comprising: a configuration center 1301 according to any one of the embodiments of the present invention, an ingress module 1302 according to any one of the embodiments of the present invention, and an egress module 1302 according to any one of the embodiments of the present invention; or, as shown in figure 14, comprising: a configuration center 1401 according to any one of the embodiments of the present invention and a network device 1402 according to any one of the embodiments of the present invention.
In this embodiment, a data packet is encrypted when it enters the network device. Because encryption changes the content of the data packet as seen by the network device, a malicious user is prevented from triggering a backdoor present in the network device by sending a message containing special data. This not only resolves the trust problem of the network device itself but also improves the security of the network device.
Further, as shown in figure 15, if the configuration center sends the encryption configuration information to an SDN controller, the system further comprises: an SDN controller 1501;
The SDN controller 1501 is configured to apply to the forwarding table the same scrambling that is applied to the data packets, and to send the scrambled forwarding table to the network device 1402.
In this embodiment the network device is a router. A new device, the SDN controller, is introduced: the configuration center also sends the encryption configuration information to the SDN controller, the SDN controller scrambles the forwarding table and sends the scrambled table to the network device, and the network device then forwards using the scrambled table. Because the forwarding table is scrambled in the same manner as the data packets, the router can use the scrambled table directly on the scrambled packets. For this to hold, the scrambling applied to the header fields must preserve whatever structure the lookup relies on: an exact-match table tolerates any deterministic keyed transformation of the key field, whereas a longest-prefix-match table requires a prefix-preserving transformation.
The embodiment of the present invention further provides another configuration center, as shown in figure 16, comprising: a processor 1601, a transmitter 1602 and a memory 1603; the memory 1603 may provide storage functions such as data buffering while the processor is processing;
The processor 1601 is configured to determine encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
The transmitter 1602 is configured to send the encryption configuration information to the ingress module of the network device and the decryption configuration information to the egress module of the network device; the encryption configuration information is used to make the ingress module encrypt data packets entering the network device, the decryption configuration information is used to make the egress module decrypt data packets leaving the network device, and the data packets decrypted by the egress module are the data packets encrypted by the ingress module.
In this embodiment, a data packet is encrypted when it enters the network device. Because encryption changes the content of the data packet as seen by the network device, a malicious user is prevented from triggering a backdoor present in the network device by sending a message containing special data. This not only resolves the trust problem of the network device itself but also improves the security of the network device.
The embodiment of the present invention gives the following optional scheme for the encryption configuration information and the corresponding decryption configuration information: the encryption configuration information includes an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet to be encrypted;
The decryption configuration information includes a decryption object and a decryption rule, the decryption object specifying the part of the data packet to be decrypted, which is the same part as the one to be encrypted.
In the embodiment of the present invention the network device may be any network device; the embodiment of the present invention places no restriction on it. In addition, the embodiment of the present invention gives the following specific application scenario: the network device is a router, and the ingress module and the egress module are optical modules;
The encrypted object includes a scrambling object, which specifies the part of the data packet to be scrambled; the encryption rule includes a scrambling algorithm and a key; the decryption object includes a descrambling object, which specifies the part of the data packet to be descrambled; the decryption rule includes a descrambling algorithm corresponding to the scrambling algorithm, and the key.
In this specific router scenario, the scrambled part may be the entire data packet, only the payload, or any other configured part. Scrambling the protocol header of a data packet, however, affects forwarding, so for that case the embodiment of the present invention provides the following three solutions: if the scrambled part includes the protocol header of the data packet, the transmitter 1602 is also configured to send the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling that is applied to the data packets;
or, the transmitter 1602 is also configured to send a scrambled forwarding table to the network device, the scrambled forwarding table having been scrambled in the same manner as the data packets;
or, the transmitter 1602 is also configured to send the encryption configuration information to the SDN controller, so that the SDN controller applies to the forwarding table the same scrambling that is applied to the data packets and sends the scrambled forwarding table to the network device. Of the three, the first hands the encryption configuration information, including the key, to the network device itself, which the filtering embodiment in this description treats as a security risk; the second and third keep the key outside the device.
Besides controlling which part of a data packet is encrypted, it is also possible to control whether a data packet is encrypted at all. The specific scheme is as follows: the processor 1601 is also configured to determine first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need encryption and the second filtering configuration information specifying the data packets that do not need decryption;
The transmitter 1602 is also configured to send the first filtering configuration information to the ingress module and the second filtering configuration information to the egress module.
The embodiment of the present invention further provides another ingress module, as shown in figure 17, comprising: a receiver 1701, a transmitter 1702, a processor 1703 and a memory 1704; the memory 1704 may provide storage resources for the processor 1703 while it operates;
The receiver 1701 is configured to receive a data packet that is to pass through the network device;
The processor 1703 is configured to encrypt the data packet according to encryption configuration information;
The transmitter 1702 is configured to send the encrypted data packet to the network device, so that the network device forwards it to an egress module having a data packet decryption function.
In this embodiment, a data packet is encrypted by the ingress module when it enters the network device. Because encryption changes the content of the data packet as seen by the network device, a malicious user is prevented from triggering a backdoor present in the network device by sending a message containing special data. This not only resolves the trust problem of the network device itself but also improves the security of the network device.
Optionally, the encryption configuration information includes an encrypted object and an encryption rule; the encrypted object specifies the part of the data packet to be encrypted;
The processor 1703 is specifically configured to encrypt, using the encryption rule, the part of the data packet that is to be encrypted.
In this embodiment, the encryption configuration information carries, in addition to the encryption rule, information specifying the part to be encrypted, so the specific part of the data packet that is encrypted can be controlled flexibly.
Further, the receiver 1701 is also configured to receive first filtering configuration information from the configuration center;
The processor 1703 is specifically configured to determine whether the data packet belongs to the data packets that the first filtering configuration information specifies as not requiring encryption and, if it does not, to encrypt the data packet according to the encryption configuration information.
Optionally, the ingress module is an optical module and the network device is a router;
The receiver 1701 is specifically configured to receive a data packet that is to pass through the router.
This embodiment gives a concrete application scenario for the ingress module: an optical module in a router deployment. It is one optional scenario of the embodiment of the present invention and should not be construed as the only one.
The embodiment of the present invention further provides another egress module, as shown in figure 18, comprising: a receiver 1801, a transmitter 1802, a processor 1803 and a memory 1804; the memory 1804 may provide storage resources for the processor 1803 while it operates;
The receiver 1801 is configured to receive a data packet that has passed through the network device and is to be sent on to its destination, the data packet having been encrypted by the ingress module of the network device;
The processor 1803 is configured to decrypt the data packet according to decryption configuration information;
The transmitter 1802 is configured to send the decrypted data packet to the destination.
Optionally, the egress module is an optical module and the network device is a router;
The receiver 1801 is specifically configured to receive a data packet that has passed through the router and is to be sent on to its destination, the data packet having been encrypted by the optical module at the router's ingress.
This embodiment gives a concrete application scenario for the egress module: an optical module in a router deployment. It is one optional scenario of the embodiment of the present invention and should not be construed as the only one.
Further, the receiver 1801 is also configured to receive second filtering configuration information from the configuration center;
The processor 1803 is specifically configured to determine whether the data packet received by the receiver belongs to the data packets that the second filtering configuration information specifies as not requiring decryption and, if it does not, to decrypt the data packet according to the decryption configuration information.
In this embodiment, configuring a decryption object alone cannot exempt some data packets from decryption; it only determines which part of each packet is decrypted. Filtering configuration information, by contrast, directly determines whether a packet is decrypted at all. For example, some data packets are addressed to the network device itself for processing. If those packets were encrypted, the decryption configuration information would also have to be sent to the network device, which would introduce a security risk and also cause unnecessary encryption and decryption computation. This embodiment therefore improves security and saves computing resources.
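The pieces described in the embodiments above (the scrambling object and rule, the forwarding table scrambled by the network device or the SDN controller as in figure 15, and the first and second filtering configuration information) can be put together in a small runnable model. The following Python is an added example written for this page; it is not code from the patent or from its assignee. The patent names no scrambling algorithm, so a prefix-preserving keyed scramble (CryptoPAn-style, built on HMAC-SHA256) is assumed for the destination address and an HMAC-based keystream is assumed for the payload; the packet layout, forwarding table, filter sets, key and every function name are constructed for illustration. It shows the property the forwarding-table embodiment depends on: the router performs longest-prefix match on the scrambled packet against the scrambled table and selects the same next hop as it would on the clear packet, while never seeing the original destination or payload, and packets listed in the filtering configuration pass through in clear.

```python
"""Added example for this page, not code from the patent or its assignee.
Toy model of the scheme: the ingress scrambles each packet's destination
address and payload under a key, the forwarding table is scrambled under the
same key, the router does longest-prefix match (LPM) on the scrambled packet,
and the egress descrambles. Packet layout, filters, key and names are assumed."""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # the "key" half of the encryption rule (constructed)


def _prf_bit(key, seen):
    # One keyed pseudorandom bit derived from the plaintext bits already seen.
    return hmac.new(key, seen.encode(), hashlib.sha256).digest()[0] & 1


def scramble_addr(key, addr, nbits=32):
    """Prefix-preserving scramble (CryptoPAn-style, assumed here): output bit i
    = input bit i XOR PRF(input bits 0..i-1). Addresses sharing a k-bit
    plaintext prefix share a k-bit scrambled prefix, which keeps LPM correct."""
    out, seen = 0, ""
    for i in range(nbits):
        bit = (addr >> (nbits - 1 - i)) & 1
        out = (out << 1) | (bit ^ _prf_bit(key, seen))
        seen += str(bit)
    return out


def descramble_addr(key, saddr, nbits=32):
    """Inverse of scramble_addr: recovers the plaintext bits left to right."""
    out, seen = 0, ""
    for i in range(nbits):
        bit = ((saddr >> (nbits - 1 - i)) & 1) ^ _prf_bit(key, seen)
        out = (out << 1) | bit
        seen += str(bit)
    return out


def scramble_payload(key, data):
    """Keystream XOR (HMAC-SHA256 in counter mode); applying it twice restores."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def scramble_table(key, table):
    """Scramble each (prefix, plen, nexthop) entry exactly as the ingress
    scrambles addresses; only the leading plen bits of a prefix are defined."""
    return [(scramble_addr(key, p >> (32 - plen), plen) << (32 - plen), plen, nh)
            for p, plen, nh in table]


def lpm(table, dst):
    """Longest-prefix match; returns the nexthop or None."""
    best = None
    for p, plen, nh in table:
        if (dst >> (32 - plen)) == (p >> (32 - plen)) and (best is None or plen > best[0]):
            best = (plen, nh)
    return best[1] if best else None


def ingress(key, pkt, exempt):
    """Ingress module. 'exempt' is the first filtering configuration: packets to
    these destinations (here the router's own address) are left in clear. The
    encryption object is the destination address plus the payload."""
    if pkt["dst"] in exempt:
        return dict(pkt)
    return {"dst": scramble_addr(key, pkt["dst"]),
            "payload": scramble_payload(key, pkt["payload"])}


def egress(key, pkt, exempt):
    """Egress module. 'exempt' is the second filtering configuration, evaluated
    on the packet as the egress sees it (exempt packets arrive in clear)."""
    if pkt["dst"] in exempt:
        return dict(pkt)
    return {"dst": descramble_addr(key, pkt["dst"]),
            "payload": scramble_payload(key, pkt["payload"])}


def forward(table, pkt, self_addr):
    """The router: deliver locally if addressed to itself, otherwise LPM."""
    return "local" if pkt["dst"] == self_addr else lpm(table, pkt["dst"])


def demo():
    """Constructed table and packets; returns one record of checks per packet."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    table = [(ip("0.0.0.0"), 0, "default"), (ip("10.0.0.0"), 8, "nh-A"),
             (ip("10.1.0.0"), 16, "nh-B"), (ip("192.168.1.0"), 24, "nh-C")]
    stable = scramble_table(KEY, table)      # what the SDN controller would ship
    router_self = ip("10.0.0.1")
    exempt = {router_self}                   # first and second filtering config
    pkts = [(ip("10.1.2.3"), b"user traffic"), (ip("10.9.9.9"), b"more traffic"),
            (ip("8.8.8.8"), b"off to the default route"), (router_self, b"hello to router")]
    results = []
    for dst, payload in pkts:
        pkt = {"dst": dst, "payload": payload}
        on_device = ingress(KEY, pkt, exempt)   # the router only ever sees this
        results.append({"nh_scrambled": forward(stable, on_device, router_self),
                        "nh_plain": forward(table, pkt, router_self),
                        "hidden_from_device": on_device["dst"] != dst,
                        "roundtrip": egress(KEY, on_device, exempt) == pkt})
    return results
```

Calling `demo()` returns one record per constructed packet: the next hop chosen from the scrambled table equals the one chosen from the clear table, the destination the router saw differs from the real one, and the egress output equals the original packet. The address scrambling is prefix-preserving by construction, which is what a longest-prefix-match lookup needs; a generic block cipher over the whole header would destroy the prefix structure and with it the forwarding table. The one exempt destination, the router's own address, shows the cost of the filter: that packet reaches the device unchanged.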
It should be noted that the above apparatus is divided according to functional logic only and is not limited to that division; any division that realizes the corresponding functions is acceptable. In addition, the specific names of the functional units serve only to distinguish them from one another and are not intended to limit the protection scope of the present invention.
Those of ordinary skill in the art will understand that all or part of the steps in the above method embodiments can be completed by a program instructing the related hardware; the corresponding program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disk.
The above are only preferred specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the embodiments of the present invention shall be covered by the protection scope of the present invention. The protection scope of the present invention shall therefore be determined by the protection scope of the claims.

Claims (20)

1. A network security management method, characterized by comprising:
a configuration center determining encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
the configuration center sending the encryption configuration information to an ingress module of a network device and sending the decryption configuration information to an egress module of the network device;
wherein the encryption configuration information is used to make the ingress module encrypt data packets entering the network device, the decryption configuration information is used to make the egress module decrypt data packets leaving the network device, and the data packets decrypted by the egress module are the data packets encrypted by the ingress module.
2. The method according to claim 1, characterized in that the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet to be encrypted;
the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of the data packet to be decrypted, which is the same as the part to be encrypted.
3. The method according to claim 2, characterized in that the network device is a router, and the ingress module and the egress module are optical modules;
the encrypted object comprises a scrambling object, the scrambling object specifying the part of the data packet to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object, the descrambling object specifying the part of the data packet to be descrambled; the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key.
4. The method according to claim 3, characterized in that, if the scrambled part comprises the protocol header of the data packet, the method further comprises:
the configuration center sending the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling that is applied to the data packets;
or, the configuration center sending a scrambled forwarding table to the network device, the scrambled forwarding table having been scrambled in the same manner as the data packets;
or, the configuration center sending the encryption configuration information to a software-defined networking (SDN) controller, so that the SDN controller applies to the forwarding table the same scrambling that is applied to the data packets and sends the scrambled forwarding table to the network device.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
the configuration center determining first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need encryption and the second filtering configuration information specifying the data packets that do not need decryption;
the configuration center sending the first filtering configuration information to the ingress module and the second filtering configuration information to the egress module.
6. A configuration center, characterized by comprising:
a configuration information determination unit, configured to determine encryption configuration information and decryption configuration information corresponding to the encryption configuration information;
an information sending unit, configured to send the encryption configuration information to an ingress module of a network device and the decryption configuration information to an egress module of the network device; wherein the encryption configuration information is used to make the ingress module encrypt data packets entering the network device, the decryption configuration information is used to make the egress module decrypt data packets leaving the network device, and the data packets decrypted by the egress module are the data packets encrypted by the ingress module.
7. The configuration center according to claim 6, characterized in that
the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of a data packet to be encrypted; the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of the data packet to be decrypted, which is the same as the part to be encrypted.
8. The configuration center according to claim 7, characterized in that the encrypted object comprises a scrambling object, the scrambling object specifying the part of the data packet to be scrambled; the encryption rule comprises a scrambling algorithm and a key; the decryption object comprises a descrambling object, the descrambling object specifying the part of the data packet to be descrambled; the decryption rule comprises a descrambling algorithm corresponding to the scrambling algorithm, and the key;
the information sending unit is specifically configured to send the encryption configuration information to an optical module at the ingress of a router and the decryption configuration information to an optical module at the egress of the router.
9. The configuration center according to claim 8, characterized in that, if the scrambled part comprises the protocol header of the data packet:
the information sending unit is also configured to send the encryption configuration information to the network device, so that the network device applies to the entries of its forwarding table the same scrambling that is applied to the data packets;
or, the information sending unit is also configured to send a scrambled forwarding table to the network device, the scrambled forwarding table having been scrambled in the same manner as the data packets;
or, the information sending unit is also configured to send the encryption configuration information to a software-defined networking (SDN) controller, so that the SDN controller applies to the forwarding table the same scrambling that is applied to the data packets and sends the scrambled forwarding table to the network device.
10. The configuration center according to any one of claims 6 to 9, characterized in that the configuration center further comprises:
a filtering information determination unit, configured to determine first filtering configuration information and corresponding second filtering configuration information, the first filtering configuration information specifying the data packets that do not need encryption and the second filtering configuration information specifying the data packets that do not need decryption;
the information sending unit is also configured to send the first filtering configuration information to the ingress module and the second filtering configuration information to the egress module.
11. An ingress module, characterized by comprising:
a data packet receiving unit, configured to receive a data packet that is to pass through a network device;
a data packet encryption unit, configured to encrypt the data packet according to encryption configuration information;
a data packet sending unit, configured to send the encrypted data packet to the network device, so that the network device forwards it to an egress module having a data packet decryption function;
wherein the encryption configuration information comprises an encrypted object and an encryption rule, the encrypted object specifying the part of the data packet to be encrypted.
12. The ingress module according to claim 11, characterized in that the ingress module further comprises:
a filtering information receiving unit, configured to receive first filtering configuration information from a configuration center;
the data packet encryption unit is specifically configured to determine whether the data packet belongs to the data packets that the first filtering configuration information specifies as not requiring encryption and, if it does not, to encrypt the data packet according to the encryption configuration information.
13. The ingress module according to claim 11 or 12, characterized in that the encryption configuration information comprises an encrypted object and an encryption rule; the encrypted object specifies the part of the data packet to be encrypted;
the data packet encryption unit is specifically configured to encrypt, using the encryption rule, the part of the data packet that is to be encrypted.
14. The ingress module according to claim 11 or 12, characterized in that the ingress module is an optical module and the network device is a router;
the data packet receiving unit is specifically configured to receive a data packet that is to pass through the router.
15. An egress module, characterized by comprising:
a receiving unit, configured to receive a data packet that has passed through a network device and is to be sent on to its destination, the data packet having been encrypted by an ingress module of the network device;
a decryption unit, configured to decrypt the data packet according to decryption configuration information;
a sending unit, configured to send the decrypted data packet to the destination;
wherein the decryption configuration information comprises a decryption object and a decryption rule, the decryption object specifying the part of the data packet to be decrypted.
16. The egress module according to claim 15, characterized in that the egress module is an optical module and the network device is a router;
the receiving unit is specifically configured to receive a data packet that has passed through the router and is to be sent on to its destination, the data packet having been encrypted by the optical module at the ingress of the router.
17. The egress module according to claim 15, characterized in that
the receiving unit is also configured to receive second filtering configuration information from a configuration center;
the decryption unit is specifically configured to determine whether the data packet received by the receiving unit belongs to the data packets that the second filtering configuration information specifies as not requiring decryption and, if it does not, to decrypt the data packet according to the decryption configuration information.
18. A network device, characterized by comprising:
the ingress module according to any one of claims 11 to 14 and the egress module according to any one of claims 15 to 17.
19. A network security management system, characterized by comprising:
the configuration center according to any one of claims 6 to 10, the ingress module according to any one of claims 11 to 14 and the egress module according to any one of claims 15 to 17; or comprising: the configuration center according to any one of claims 6 to 10 and the network device according to claim 18.
20. The system according to claim 19, characterized in that, if the configuration center sends the encryption configuration information to an SDN controller, the system further comprises: the SDN controller;
the SDN controller is configured to apply to the forwarding table the same scrambling that is applied to the data packets, and to send the scrambled forwarding table to the network device.
Application CN201410650194.XA, priority date 2014-11-14, filing date 2014-11-14: A kind of network safety managing method, device and system. Status: Active. Granted publication: CN105656655B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410650194.XA CN105656655B (en) 2014-11-14 2014-11-14 A kind of network safety managing method, device and system

Publications (2)

Publication Number Publication Date
CN105656655A (en) 2016-06-08
CN105656655B (en) 2019-07-23

Family

ID=56478977

Country Status (1)

Country Link
CN (1) CN105656655B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657121B (en) * 2016-12-30 2019-10-08 盛科网络(苏州)有限公司 The method and exchange chip of mirror image 802.1AE plaintext and ciphertext
CN108632201A (en) * 2017-03-16 2018-10-09 中兴通讯股份有限公司 Encryption device, decryption device and judge message whether the method that encrypt or decrypt
CN107800716B (en) * 2017-11-14 2020-05-01 中国银行股份有限公司 Data processing method and device
CN110011939B (en) * 2019-04-12 2021-06-01 无锡中金鼎讯信通科技股份有限公司 Ethernet switch supporting quantum key to encrypt data
CN111756767A (en) * 2020-07-06 2020-10-09 成都卫士通信息产业股份有限公司 Streaming media data transmission method and device, electronic equipment and computer storage medium
CN111885070A (en) * 2020-07-29 2020-11-03 解来斌 Network and information security management system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1443318A (en) * 2000-07-21 2003-09-17 惠普公司 Dual level encrypted cache for secure document print on demand
CN101179374A (en) * 2006-11-09 2008-05-14 日电(中国)有限公司 Communication equipment, communications system and method therefor
CN101261666A (en) * 2008-04-10 2008-09-10 北京深思洛克数据保护中心 A method for realizing software copyright protection based on encrypted executable program file
CN101741827A (en) * 2008-11-11 2010-06-16 刘芳 Network safety processing equipment and method
CN103746815A (en) * 2014-02-14 2014-04-23 浙江中控研究院有限公司 Secure communication method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002093826A1 (en) * 2001-05-14 2002-11-21 Matsushita Electric Industrial Co., Ltd. Electronic device control apparatus

Also Published As

Publication number Publication date
CN105656655A (en) 2016-06-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant