CN105721457A - Network security defense system and network security defense method based on dynamic transformation - Google Patents

Network security defense system and network security defense method based on dynamic transformation


Publication number
CN105721457A
Authority
CN
China
Prior art keywords
communication
network
session information
data packet
vip
Prior art date
Legal status
Granted
Application number
CN201610062939.XA
Other languages
Chinese (zh)
Other versions
CN105721457B (en)
Inventor
耿童童
Current Assignee
Beijing Weida Information Technology Co., Ltd.
Original Assignee
耿童童
Priority date
Filing date
Publication date
Application filed by 耿童童
Priority to CN201610062939.XA
Publication of CN105721457A
Application granted
Publication of CN105721457B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
        • H04L61/45 Network directories; name-to-address mapping
            • H04L61/4505 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols
                • H04L61/4511 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
        • H04L61/50 Address allocation
            • H04L61/5007 Internet protocol [IP] addresses
                • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides a network security defense system and network security defense method based on dynamic transformation. The network security defense system comprises a communication processing unit, a terminal information unit and a dynamic transformation unit. The communication processing unit configures a terminal information table for each network terminal in the inner network; each terminal information table comprises the true IP address (rIP), the virtual IP address (vIP) and the outer network access IP address (wIP) allocated to that network terminal; the dynamic transformation unit dynamically transforms the virtual IP addresses; and the communication processing unit makes the network terminals in the inner network communicate with each other through the vIPs and with the outer network through the wIPs. The system and method break the static features of the conventional inner network: by transforming the IP address information of the network terminals in the inner network, an attacker cannot obtain the topological structure of the inner network and cannot accurately obtain the true information of the network terminals in it; inner network attacks are therefore effectively defended against, and the security of the inner network is improved.

Description

Network security protection system and network security defence method based on dynamic mapping
Technical field
The present invention relates to the field of network security, and in particular to a network security protection system and network security defence method based on dynamic mapping.
Background art
Intranet security is extremely important in real network environments, yet it is ignored by most network security devices. Existing methods generally detect attack behaviour by collecting traffic, but abnormal traffic usually appears only after the attack has taken place, so such methods cannot defend against attacks in real time. Another method is to deploy a network security protection system on the hosts that access the network; although this can defend against some attacks, it cannot defend against unknown intranet attacks. Static Internet Protocol address allocation allows an attacker to determine attack targets accurately and quickly by scanning the local or remote network. Determining the IP addresses of the active hosts in the target network is the first step of most attacks: scanning tools and worms generally send probes to a range of IP addresses in the network to find targets, and once a target responds it is identified and attacked.
Even where most networks deploy firewalls, many public and private hosts can still be reached from outside, and all networks lack effective defences against internal scanners; once an attacker slips into the intranet, the network topology can be probed and attacked accordingly. Using the Dynamic Host Configuration Protocol (DHCP) or Network Address Translation (NAT) can allocate IP addresses dynamically, but still does not defend proactively, because the IP address changes are infrequent and easily tracked.
The invention patent with application number 200510036269.6 discloses an active-probe virus protection system and protection method in the field of network virus protection. The system includes a probe module embedded in a layer-3 switch, a memory, a security policy module and an external access information management program installed on an information monitoring server. This invention solves the shortcoming that existing LAN virus protection systems cannot guard against virus attacks between LAN subnets, but the method it provides cannot detect attacks in the traffic between physical ports under a switch, so intranet attack detection remains a gap;
The invention patent with application number 200410017802.X discloses a distributed intrusion detection and intranet monitoring system and method for network security protection. The system has a three-layer distributed structure comprising network and host detectors, a central controller, a management and monitoring centre and a background database. The detectors perform intrusion detection and intranet monitoring by IP address and MAC address according to security rules; when an intrusion or violation is found it is blocked in time, an alarm is raised and the event is recorded in the background database; the recorded information is audited and destroyed data are restored. Its problem is that it cannot detect anomalies in the traffic between the ports of a single switch device, and so cannot reach down to the bottom layer of the network to detect attacks;
The invention patent with application number 02115957.2 discloses a distributed network security protection system in which a collection and decision module and a policy issuing module are configured. The network is divided into N subnets according to a tree structure; a collection and decision module and a policy issuing module are configured on each subnet management platform; each node in a subnet installs a micro intrusion detection module and a micro firewall module, and the policy issuing module adopts mobile agent technology. The system distributes the intrusion detection modules down to the individual node machines as the protected objects, thereby achieving dual fine-grained protection. Its problem is that intrusion detection and firewall systems must be installed on every monitored host, which greatly increases deployment cost; when the network is large, deployment is very difficult;
The invention patent with application number 200810122357.1 discloses an alarm and response system for intranet attack detection. The anomaly detection algorithm module of its detection machine performs anomaly detection on the intranet, obtains anomaly detection information and determines the credibility of that information, and raises an alarm when the credibility of the anomaly detection information reaches a preset value. Its problem is that it has many component modules and a complex structure, and that it analyses traffic passively, so it cannot fundamentally stop intranet attacks.
In general, existing intranet defence techniques include antivirus software, intrusion detection, data encryption and so on, and protect the security of the intranet to a certain extent. However, because the topology information of existing networks is static, an attacker often has sufficient time to analyse the network architecture and network address information, and so gradually penetrates the intranet and reaches the attack target.
Summary of the invention
The object of the present invention is to overcome the shortcomings of the above prior art and to break the static nature of the traditional intranet by proposing a network security protection system and network security defence method based on dynamic mapping. The basic idea is as follows: by dynamically mapping the IP address information of the network terminals in the intranet, the attacker cannot obtain the topology of the intranet and cannot accurately obtain the real information of the network terminals in the intranet, so intranet attack behaviour is effectively defended against and the security of the intranet is improved.
To achieve the above object, the technical solution provided by the present invention is:
A network security protection system based on dynamic mapping, comprising a communication processing unit 13, a terminal information unit 14 and a dynamic mapping unit 15. The communication processing unit 13 is connected to the terminal information unit 14, and the dynamic mapping unit 15 is connected to the terminal information unit 14. The communication processing unit 13 configures one terminal information table for each network terminal in the intranet of the network security protection system and stores it in the terminal information unit 14. The terminal information table includes the rIP, vIP and wIP allocated to the network terminal, where rIP is the real IP address allocated to the network terminal, vIP is the virtual IP address allocated to the network terminal, and wIP is the extranet access IP address allocated to the network terminal. The dynamic mapping unit 15 dynamically changes the vIPs stored in the terminal information unit 14. The communication processing unit 13 processes the communication data packets of the network terminals on the basis of the terminal information tables, so that network terminals in the intranet communicate with each other using vIPs, and network terminals in the intranet communicate with the extranet using wIPs.
Further, in the network security protection system of the present invention, the rIP, vIP and wIP stored in the terminal information unit 14 correspond one-to-one with each other, and the terminal information table of each network terminal includes one group of mutually corresponding rIP, vIP and wIP. A communication data packet includes a source IP, a destination IP, a source port, a destination port and a communication protocol. When two network terminals in the intranet communicate, the communication processing unit 13 replaces the source IP in the communication data packet with the vIP corresponding to that source IP in the terminal information table of the network terminal sending the packet, and replaces the destination IP in the packet with the rIP corresponding to that destination IP in the terminal information table of the network terminal receiving the packet. When a network terminal in the intranet accesses the extranet, the communication processing unit 13 replaces the source IP in the packet with the wIP corresponding to that source IP in the terminal information table of the sending network terminal. When the extranet accesses a network terminal in the intranet, the communication processing unit 13 replaces the destination IP in the packet from the extranet with the rIP corresponding to that destination IP in the terminal information table of the receiving network terminal.
Further, the network security protection system of the present invention also includes a data unit 12 connected to the communication processing unit 13. The communication processing unit 13 includes an IP address allocation module 31, a domain name resolution module 32, a session information storage module 33 and an IP address replacement module 34. The IP address allocation module 31 is connected to the data unit 12 and the terminal information unit 14; the domain name resolution module 32 is connected to the data unit 12 and the terminal information unit 14; the session information storage module 33 is connected to the IP address replacement module 34; and the IP address replacement module 34 is connected to the data unit 12 and the terminal information unit 14. The IP address allocation module 31 allocates one rIP to each network terminal that accesses the intranet, allocates a corresponding vIP and a corresponding wIP for each rIP, generates a corresponding vDomain for each vIP, generates a corresponding vIPtime for each vIP, generates a corresponding vDomaintime for each vDomain, and obtains the rMac of each network terminal, where vDomain is the virtual domain name corresponding to the vIP, vIPtime is the current time at which the vIP was generated, vDomaintime is the current time at which the vDomain was generated, and rMac is the physical network card address of the network terminal. The IP address allocation module 31 generates the terminal information table of each network terminal and stores it in the terminal information unit 14; the terminal information table of each network terminal includes one corresponding group of rIP, vIP, wIP, vDomain, vIPtime, vDomaintime and rMac. The domain name resolution module 32 resolves DNS packets on the basis of the terminal information tables stored in the terminal information unit 14. The IP address replacement module 34 performs the IP replacement operation on communication data packets. The data unit 12 serves as the packet transmitting and receiving unit of the communication processing unit 13: it forwards received DHCP packets to the IP address allocation module 31, received DNS packets to the domain name resolution module 32, and all packets other than DHCP and DNS packets to the IP address replacement module 34.
Further, in the network security protection system of the present invention, the IP address replacement module 34 performs the IP replacement operation on a communication data packet in the following manner:
(1) When two network terminals in the intranet communicate, the IP address replacement module 34 first establishes the session information of this communication, which includes the source IP, destination IP, source port, destination port and communication protocol of the communication data packet, the vIP corresponding to the source IP and the rIP corresponding to the destination IP, and stores the established session information in the session information storage module 33. On the basis of that session information it then replaces the source IP in the packet with the vIP corresponding to the source IP in the session information, and replaces the destination IP in the packet with the rIP corresponding to the destination IP in the session information. It then recalculates the packet checksum according to the session information and sends the packet to the data unit 12. Finally, it deletes the session information of this communication from the session information storage module 33;
(2) When a network terminal in the intranet accesses the extranet, the IP address replacement module 34 first establishes the session information of this communication, which includes the source IP, destination IP, source port, destination port and communication protocol of the communication data packet and the wIP corresponding to the source IP, and stores the established session information in the session information storage module 33. On the basis of that session information it then replaces the source IP in the packet with the wIP corresponding to the source IP in the session information. It then recalculates the packet checksum according to the session information and sends the packet to the data unit 12. Finally, it deletes the session information of this communication from the session information storage module 33;
(3) When the extranet accesses a network terminal in the intranet, the IP address replacement module 34 first establishes the session information of this communication, which includes the source IP, destination IP, source port, destination port and communication protocol of the communication data packet and the rIP corresponding to the destination IP, and stores the established session information in the session information storage module 33. On the basis of that session information it then replaces the destination IP in the packet from the extranet with the rIP corresponding to the destination IP in the session information. It then recalculates the packet checksum according to the session information and sends the packet to the data unit 12. Finally, it deletes the session information of this communication from the session information storage module 33.
Further, in the network security protection system of the present invention, when two network terminals in the intranet communicate, the IP address replacement module 34 first judges the type of the destination IP of the communication data packet before establishing the session information; if the destination IP of the packet is an rIP or a wIP, the packet is discarded and the communication is terminated directly.
Further, the network security protection system of the present invention also includes a management unit 11 connected to the data unit 12, the communication processing unit 13 and the dynamic mapping unit 15. The management unit 11 generates user configuration information and sends it to the data unit 12, the communication processing unit 13 and the dynamic mapping unit 15; the user configuration information includes the range of rIPs allocated to the network terminals in the intranet, the range of vIPs, the range of wIPs, the vIP dynamic mapping interval and the vDomain dynamic mapping interval.
Further, in the network security protection system of the present invention, the management unit 11 is also connected to the terminal information unit 14. Through the management unit 11, the wIP in the terminal information table of a particular network terminal stored in the terminal information unit 14 can be set as a static wIP. When network terminals in the intranet communicate, the IP address replacement module 34 first judges the type of the destination IP of the communication data packet before establishing the session information: if the destination IP of the packet is an rIP, the packet is discarded and the communication is terminated directly; if the destination IP of the packet is a wIP, it further judges whether that wIP is a static wIP, and if it is not a static wIP the packet is discarded and the communication is terminated directly; if the destination IP of the packet is a static wIP or a vIP, communication proceeds according to the communication mode between two network terminals in the intranet described above.
Further, in the network security protection system of the present invention, the dynamic mapping unit 15 includes a virtual IP modification module 41 and a virtual domain name modification module 42. The virtual IP modification module 41 traverses the terminal information unit 14, dynamically modifies the vIPs in the terminal information unit 14 and ensures that no vIP is repeated; the virtual domain name modification module 42 traverses the terminal information unit 14, dynamically modifies the vDomains in the terminal information unit 14 and ensures that no vDomain is repeated.
Further, in the network security protection system of the present invention, the virtual IP modification module 41 includes a virtual IP modification submodule 51 and a virtual IP duplicate query submodule 52. The virtual IP modification submodule 51 traverses the terminal information tables stored in the terminal information unit 14 and judges whether the interval between the vIPtime corresponding to the vIP in a terminal information table and the current time has reached or exceeded the pre-configured virtual IP dynamic mapping interval; if so, it randomly generates a new vIP from the pre-configured virtual IP range to replace the original vIP and updates the corresponding vIPtime to the current time. The virtual IP duplicate query submodule 52 performs a duplicate query on the modifications made by the virtual IP modification submodule 51 and notifies the virtual IP modification submodule 51 to modify any repeated vIP. The virtual domain name modification module 42 includes a virtual domain name modification submodule 61 and a virtual domain name duplicate query submodule 62. The virtual domain name modification submodule 61 traverses the terminal information tables stored in the terminal information unit 14 and judges whether the interval between the vDomaintime corresponding to the vDomain in a terminal information table and the current time has reached or exceeded the pre-configured virtual domain name dynamic mapping interval; if so, the virtual domain name modification submodule 61 randomly generates a new vDomain to replace the original vDomain and updates the corresponding vDomaintime to the current time. The virtual domain name duplicate query submodule 62 performs a duplicate query on the modifications made by the virtual domain name modification submodule 61 and notifies the virtual domain name modification submodule 61 to modify any repeated vDomain.
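The rotation logic of the dynamic mapping unit 15 (modules 41 and 42 with their duplicate query submodules 52 and 62) is easier to follow in code. The following is an added example, not the patent's or any product's code; the class and function names (DynamicMappingUnit, rotate, make_table), the vIP range 172.16.5.0/28, the rotation intervals, the ".intra" suffix for generated vDomains and the table contents are all assumptions. The duplicate check treats a terminal's current value as in use, so a replacement always differs from the value it replaces, and the range is checked up front so that a vIP range smaller than the number of terminals fails loudly instead of looping forever.

```python
"""Added example (not the patent's code): the dynamic mapping unit (15)."""
import ipaddress
import random
import string
from dataclasses import dataclass


@dataclass
class TerminalInfo:
    """Fields of the terminal information table that the dynamic mapping unit touches."""
    rIP: str
    vIP: str
    vIPtime: float
    vDomain: str
    vDomaintime: float


class DynamicMappingUnit:
    """Virtual IP modification module (41) and virtual domain name modification module (42)."""

    def __init__(self, vip_range, vip_interval, domain_interval, suffix="intra", rng=None):
        self.vip_pool = [str(h) for h in ipaddress.ip_network(vip_range).hosts()]
        self.vip_interval = vip_interval        # vIP dynamic mapping interval (configured via unit 11)
        self.domain_interval = domain_interval  # vDomain dynamic mapping interval
        self.suffix = suffix                    # assumed suffix for generated vDomains
        self.rng = rng or random.Random()

    def _fresh(self, generate, in_use, capacity):
        """Modification submodule plus duplicate query submodule: draw random values until
        one is in no terminal table (the current value counts as in use, so the
        replacement always differs from it)."""
        if len(in_use) >= capacity:
            raise RuntimeError("value range too small for the number of terminals")
        while True:
            candidate = generate()
            if candidate not in in_use:
                return candidate

    def _random_domain(self):
        label = "".join(self.rng.choice(string.ascii_lowercase + string.digits) for _ in range(8))
        return f"{label}.{self.suffix}"

    def rotate(self, table, now):
        """One traversal of the terminal information unit (14) at time `now`.
        Returns (number of vIPs replaced, number of vDomains replaced)."""
        vips_in_use = {t.vIP for t in table}
        domains_in_use = {t.vDomain for t in table}
        vip_changes = domain_changes = 0
        for t in table:
            if now - t.vIPtime >= self.vip_interval:
                new = self._fresh(lambda: self.rng.choice(self.vip_pool), vips_in_use, len(self.vip_pool))
                vips_in_use.discard(t.vIP)
                vips_in_use.add(new)
                t.vIP, t.vIPtime = new, now
                vip_changes += 1
            if now - t.vDomaintime >= self.domain_interval:
                new = self._fresh(self._random_domain, domains_in_use, 36 ** 8)
                domains_in_use.discard(t.vDomain)
                domains_in_use.add(new)
                t.vDomain, t.vDomaintime = new, now
                domain_changes += 1
        return vip_changes, domain_changes


def make_table():
    """Constructed terminal information tables; addresses and timestamps are assumptions."""
    return [TerminalInfo("10.0.0.11", "172.16.5.1", 0.0, "aaaaaaaa.intra", 0.0),
            TerminalInfo("10.0.0.12", "172.16.5.2", 0.0, "bbbbbbbb.intra", 0.0),
            TerminalInfo("10.0.0.13", "172.16.5.3", 250.0, "cccccccc.intra", 250.0)]


if __name__ == "__main__":
    unit = DynamicMappingUnit("172.16.5.0/28", vip_interval=300, domain_interval=600)
    table = make_table()
    print(unit.rotate(table, now=400.0), [(t.rIP, t.vIP, t.vDomain) for t in table])
```

With the constructed table, a traversal at time 400 replaces the two vIPs whose vIPtime is 0 and leaves the terminal refreshed at time 250 untouched; a later traversal at time 1000 replaces every vIP and every vDomain, and the three values remain distinct after each pass.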
A network security defence method based on dynamic mapping comprises the following steps:
Step (1): generate a corresponding terminal information table for each network terminal in the intranet. The terminal information table includes the rIP allocated to the network terminal, the vIP corresponding to the rIP, the wIP corresponding to the rIP, the vDomain corresponding to the vIP, the vIPtime corresponding to the vIP, the vDomaintime corresponding to the vDomain, and the rMac, where rIP is the real IP address allocated to the network terminal, vIP is the virtual IP address allocated to the network terminal, wIP is the extranet access IP address allocated to the network terminal, vDomain is the virtual domain name corresponding to the vIP, vIPtime is the current time at which the vIP was allocated, vDomaintime is the current time at which the vDomain was allocated, and rMac is the physical network card address of the network terminal;
Step (2): perform the IP replacement operation on communication data packets in the following manner, so that network terminals in the intranet communicate with each other using vIPs and network terminals in the intranet communicate with the extranet using wIPs:
(2-1) When two network terminals in the intranet communicate, first extract the source IP from the communication data packet sent by one network terminal and query the terminal information table to obtain the vIP corresponding to that source IP; at the same time extract the destination IP from the packet and query the terminal information table to obtain the rIP corresponding to that destination IP. Then establish the session information of this communication from the source IP, destination IP, source port, destination port and communication protocol of the packet together with the queried vIP corresponding to the source IP and rIP corresponding to the destination IP. Then replace the source IP in the packet with the vIP corresponding to the source IP in the session information of this communication, replace the destination IP in the packet with the rIP corresponding to the destination IP in the session information of this communication, recalculate the checksum of the packet according to the session information, and send the packet to the other network terminal. Finally, delete the session information of this communication;
(2-2) When a network terminal in the intranet accesses the extranet, first extract the source IP from the communication data packet sent by the intranet network terminal and query the terminal information table to obtain the wIP corresponding to that source IP. Then establish the session information of this communication from the source IP, destination IP, source port, destination port and communication protocol of the packet together with the queried wIP corresponding to the source IP. Then replace the source IP in the packet with the wIP corresponding to the source IP in the session information of this communication, recalculate the checksum of the packet according to the session information, and send the packet to the extranet. Finally, delete the session information of this communication;
(2-3) When the extranet accesses a network terminal in the intranet, first extract the destination IP from the communication data packet coming from the extranet and query the terminal information table to obtain the rIP corresponding to that destination IP. Then establish the session information of this communication from the source IP, destination IP, source port, destination port and communication protocol of the packet together with the queried rIP corresponding to the destination IP. Then replace the destination IP in the packet with the rIP corresponding to the destination IP in the session information of this communication, recalculate the checksum of the packet according to the session information, and send the packet to the network terminal in the intranet. Finally, delete the session information of this communication.
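The three replacement cases of the IP address replacement module 34 (cases (1) to (3) above and the matching steps (2-1) to (2-3)), the destination-type check that discards packets addressed to an rIP or to a non-static wIP, and the checksum recalculation can be exercised on constructed packets. The following is an added example, not the patent's or any product's code; the names (TerminalInfo, IPReplacementModule, process, classify, build_header, ipv4_checksum), the addresses, ports and the static-wIP flag on the third terminal are assumptions. Packets are modelled as dictionaries; the checksum is the standard RFC 791 IPv4 header checksum computed over a minimal 20-byte header built from the rewritten addresses, which is what a real rewrite has to redo after changing either address.

```python
"""Added example (not the patent's code): the IP address replacement module (34)."""
import socket
import struct
from dataclasses import dataclass


@dataclass
class TerminalInfo:
    """One row of the terminal information table (unit 14)."""
    rIP: str
    vIP: str
    wIP: str
    static_wIP: bool = False  # set through the management unit (11)


# Constructed terminal information tables; all addresses are assumptions.
TERMINALS = [
    TerminalInfo("10.0.0.11", "172.16.5.201", "203.0.113.11"),
    TerminalInfo("10.0.0.12", "172.16.5.202", "203.0.113.12"),
    TerminalInfo("10.0.0.13", "172.16.5.203", "203.0.113.13", static_wIP=True),  # e.g. a printer
]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of the header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(src: str, dst: str, proto: str, checksum: int = 0) -> bytes:
    """Minimal IPv4 header (no options, no payload) with the given checksum field."""
    proto_num = {"tcp": 6, "udp": 17}[proto]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto_num,
                       checksum, socket.inet_aton(src), socket.inet_aton(dst))


class IPReplacementModule:
    def __init__(self, terminals):
        self.by_rIP = {t.rIP: t for t in terminals}
        self.by_vIP = {t.vIP: t for t in terminals}
        self.by_wIP = {t.wIP: t for t in terminals}
        self.sessions = {}  # session information storage module (33)

    def classify(self, ip: str) -> str:
        if ip in self.by_rIP:
            return "rIP"
        if ip in self.by_vIP:
            return "vIP"
        if ip in self.by_wIP:
            return "wIP"
        return "extranet"

    def process(self, pkt: dict):
        """Rewrite one packet per cases (1)-(3); return None when it is dropped."""
        src_t, dst_t = self.classify(pkt["src"]), self.classify(pkt["dst"])
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        if src_t == "rIP" and dst_t != "extranet":
            # (1) intranet to intranet: the destination must be a vIP or a static wIP;
            # anything addressed to an rIP or to a dynamic wIP is discarded.
            if dst_t == "rIP" or (dst_t == "wIP" and not self.by_wIP[pkt["dst"]].static_wIP):
                return None
            dst_term = self.by_vIP[pkt["dst"]] if dst_t == "vIP" else self.by_wIP[pkt["dst"]]
            session = dict(pkt, src_vIP=self.by_rIP[pkt["src"]].vIP, dst_rIP=dst_term.rIP)
            new = dict(pkt, src=session["src_vIP"], dst=session["dst_rIP"])
        elif src_t == "rIP":
            # (2) intranet terminal accessing the extranet: the source becomes its wIP.
            session = dict(pkt, src_wIP=self.by_rIP[pkt["src"]].wIP)
            new = dict(pkt, src=session["src_wIP"])
        elif src_t == "extranet" and dst_t == "wIP":
            # (3) extranet reaching an intranet terminal: the wIP becomes the rIP.
            session = dict(pkt, dst_rIP=self.by_wIP[pkt["dst"]].rIP)
            new = dict(pkt, dst=session["dst_rIP"])
        else:
            return None  # packets fitting none of the three cases are not forwarded
        self.sessions[key] = session  # store the session information (33)
        new["checksum"] = ipv4_checksum(build_header(new["src"], new["dst"], new["proto"]))
        del self.sessions[key]        # deleted once the packet has been sent on
        return new


if __name__ == "__main__":
    module = IPReplacementModule(TERMINALS)
    for dst in ("172.16.5.202", "10.0.0.12", "203.0.113.12", "203.0.113.13", "198.51.100.7"):
        print(dst, module.process({"src": "10.0.0.11", "dst": dst, "sport": 40000,
                                   "dport": 80, "proto": "tcp"}))
```

Note that the reply from the receiving terminal (source rIP of B, destination vIP of A) is handled by case (1) again, so both directions of an intranet conversation carry only vIPs on the wire; the rIP is only ever visible in the last hop to its own terminal.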
Beneficial effects of the present invention:
1) The present invention creates a new network communication mode in which the network terminals in the intranet communicate with each other through dynamically changing vIPs, thereby effectively preventing probing of and penetration into the intranet. When a network terminal A in the intranet needs to communicate with another network terminal B in the intranet, it must know the vIP of B, or first obtain the vDomain of B and then send a DNS request packet to obtain the vIP corresponding to that vDomain; intranet communication then takes place on the basis of the dynamically changing vIP. A wIP is also configured for each network terminal in the intranet for extranet access, so the real IP of each terminal in the intranet is never revealed in data access between the intranet and the extranet.
2) The present invention breaks the static nature of the traditional intranet: by dynamically mapping the IP address information of the network terminals in the intranet, the attacker cannot obtain the topology of the intranet and cannot accurately obtain the real information of the network terminals in the intranet, so intranet attack behaviour is effectively defended against and the security of the intranet is improved.
3) The present invention can further set a wIP as a static wIP, so that two network terminals accessing the intranet can communicate not only through vIPs but also through the static wIP. After the network security protection system based on dynamic mapping of the present invention is deployed, users in the intranet can still access particular terminals such as network printers and servers in the original way using static IP addresses, which improves the efficiency of intranet access to those particular terminals while ensuring network security and greatly increases the practical value of the network security protection system.
4) Practical use of a prototype has proved that the present invention can effectively stop intranet attack behaviour; the solution of the present invention is easy to implement and deploy in all kinds of LANs, simple to operate, safe and reliable, and has significant economic and social benefits and broad prospects for market application.
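The DNS step in beneficial effect 1) above, and the domain name resolution module 32 that performs it, can be shown concretely: a terminal queries a vDomain and receives the vIP currently recorded in the terminal information table, while a name that is not a current vDomain gets a negative answer. The following is an added example, not the patent's or any product's code; the function names (build_query, resolve, answer_ip, rcode), the vDomain-to-vIP mapping, the transaction id and the 5-second TTL are assumptions, and only uncompressed single-question queries are handled. The TTL is the security-relevant knob: a cached answer that outlives the vIP rotation interval would leave clients holding a vIP that no longer belongs to the terminal they meant to reach.

```python
"""Added example (not the patent's code): a minimal domain name resolution module (32)."""
import socket
import struct

# Constructed current mapping vDomain -> vIP, as read from the terminal information tables.
VDOMAIN_TABLE = {"k3x9qv7a.intra": "172.16.5.201", "p0mz2r4t.intra": "172.16.5.202"}
ANSWER_TTL = 5  # seconds (assumption); must not exceed the vIP/vDomain rotation interval


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard-query packet with one A/IN question for name."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def parse_name(data: bytes, off: int):
    """Read an uncompressed label sequence; return (dotted name, offset after it)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(data[off:off + n].decode("ascii"))
        off += n


def resolve(query: bytes, table: dict) -> bytes:
    """Answer an A query for a vDomain with its current vIP, otherwise NXDOMAIN (rcode 3)."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = parse_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    vip = table.get(name.lower())
    if qtype != 1 or vip is None:
        # QR=1, RD=1, RA=1, RCODE=3: names that are not current vDomains do not resolve
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    # one A record, name given as a pointer (0xC00C) back to the question at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ANSWER_TTL, 4) + socket.inet_aton(vip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def rcode(response: bytes) -> int:
    """Response code from the low nibble of the flags word."""
    return response[3] & 0x0F


def answer_ip(response: bytes):
    """Address in the first A record of a response from resolve(), or None."""
    _flags, _qd, an = struct.unpack("!HHH", response[2:8])
    if an == 0:
        return None
    _name, off = parse_name(response, 12)
    off += 4   # QTYPE and QCLASS of the question
    off += 10  # name pointer (2) + type (2) + class (2) + TTL (4)
    rdlen = struct.unpack("!H", response[off:off + 2])[0]
    off += 2
    return socket.inet_ntoa(response[off:off + rdlen])


if __name__ == "__main__":
    for name in ("k3x9qv7a.intra", "fileserver.corp.example"):
        r = resolve(build_query(name), VDOMAIN_TABLE)
        print(name, rcode(r), answer_ip(r))
```

Resolution is case-insensitive, as DNS names are, and the response echoes the question and transaction id so an ordinary stub resolver accepts it; after the dynamic mapping unit rotates a vIP, the next query for the same vDomain simply returns the new address from the updated table.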
Brief description of the drawings
Fig. 1 is the overall structure block diagram of the first preferred embodiment of the network security protection system based on dynamic mapping of the present invention;
Fig. 2 is the structure block diagram of the data unit in the network security protection system of the present invention;
Fig. 3 is the structure block diagram of the communication processing unit in the network security protection system of the present invention;
Fig. 4 is the structure block diagram of the dynamic mapping unit in the network security protection system of the present invention;
Fig. 5 is the structure block diagram of the virtual IP modification module in the dynamic mapping unit of the present invention;
Fig. 6 is the structure block diagram of the virtual domain name modification module in the dynamic mapping unit of the present invention;
Fig. 7 is the overall structure block diagram of the second preferred embodiment of the network security protection system based on dynamic mapping of the present invention;
In the figures, the reference numerals have the following meanings:
11-management unit, 12-data unit, 13-communication processing unit, 14-terminal information unit, 15-dynamic mapping unit;
21-packet receiving module, 22-packet sending module;
31-IP address allocation module, 32-domain name resolution module, 33-session information storage module, 34-IP address replacement module;
41-virtual IP modification module, 42-virtual domain name modification module;
51-virtual IP modification submodule, 52-virtual IP duplicate query submodule;
61-virtual domain name modification submodule, 62-virtual domain name duplicate query submodule.
Detailed description of the invention
The technical scheme is described in detail below with reference to the accompanying drawings so that those skilled in the art can understand the solution of the present invention more clearly; this does not limit the scope of the invention.
As attack techniques develop, defending an intranet against each newly appearing attack one by one has become very difficult. Before launching an attack on an intranet, an attacker typically uses scanning and probing tools to gather information about it, in order to obtain the intranet topology and the real information of the network terminals connected to the intranet (the network terminals include hosts, servers, smart mobile terminals, network printers and routers). Because the current network architecture is inherently static, the attacker usually has ample time to analyze and probe the intranet. Defense against intranet attacks can therefore take the approach of dynamic transformation: the static network topology and host information are made dynamic, so that the attacker finds it difficult to collect the IP address information required to launch an attack on the intranet.
The core idea of the present invention is described first. The network security defense system based on dynamic transformation is deployed at the network exit of the intranet. It allocates three IP addresses to each network terminal connected to the intranet, and no IP address is allocated twice. One of them is allocated by the DHCP (Dynamic Host Configuration Protocol) protocol and can be seen by checking the network card connection information of the terminal; it is called the real IP (rIP). DHCP is a network protocol for intranets, used mainly to allocate IP addresses to the network terminals connected to the intranet. While allocating the rIP to each terminal, the system also generates for it a virtual IP (vIP) and an IP for accessing the extranet (wIP), and generates a corresponding virtual domain name (vDomain) for each vIP; a terminal obtains the vIP corresponding to a vDomain by sending a DNS (Domain Name System) request packet that resolves the vDomain. Network terminals in the intranet communicate with each other using vIP, and access the extranet using wIP. For each terminal connected to the intranet, its rIP, vIP, wIP, vDomain, the physical network card address rMac, the time vIPtime at which the vIP was generated and the time vDomaintime at which the vDomain was generated together form the terminal information table of that terminal; the terminal information tables of all terminals in the intranet are stored together in the terminal information unit 14 of the system.
In a LAN (the intranet referred to above) in which the network security defense system based on dynamic transformation is deployed, the network terminals communicate with each other using vIP and cannot communicate using rIP. When a network terminal A in the intranet needs to communicate with another network terminal B in the intranet, it must know the vIP of B, or first obtain the vDomain of B and then send a DNS request packet to obtain the vIP corresponding to that vDomain, and only then communicate. In addition, the present invention introduces the idea of dynamic transformation: at set intervals the vIP and vDomain allocated to each network terminal are modified. This effectively prevents an attacker from probing and penetrating the intranet, so that the attacker cannot accurately obtain the intranet topology or the real information of the terminals in it; attacks on the intranet are thus effectively defended against and the security of the intranet is improved. The structure, principle and operation of the network security defense system based on dynamic transformation are described in detail below with reference to the drawings, preferably by way of the following embodiments.
First preferred embodiment
As shown in Fig. 1, in the first preferred embodiment the network security defense system based on dynamic transformation comprises a management unit 11, a data unit 12, a communication processing unit 13, a terminal information unit 14 and a dynamic transformation unit 15. The management unit 11 is connected to the data unit 12, the communication processing unit 13 and the dynamic transformation unit 15; the data unit 12 is connected to the communication processing unit 13, the intranet and the extranet; the communication processing unit 13 is connected to the data unit 12 and the terminal information unit 14; the terminal information unit 14 is connected to the communication processing unit 13; and the dynamic transformation unit 15 is connected to the terminal information unit 14.
Through the management unit 11 the user generates user configuration information, which is sent to the data unit 12, the communication processing unit 13 and the dynamic transformation unit 15. The user configuration information includes the range of rIP allocated to the network terminals in the intranet, the range of vIP, the range of wIP, the interval of vIP dynamic transformation and the interval of vDomain dynamic transformation.
The data unit 12 receives packets from the intranet and the extranet and sends them to the communication processing unit 13 for processing; the communication processing unit 13 sends the processed packets back to the data unit 12, which forwards them according to their destination IP address: packets addressed to the intranet are sent to the intranet and packets addressed to the extranet are sent to the extranet. Specifically, as shown in Fig. 2, the data unit 12 comprises a packet receiving module 21 and a packet sending module 22. The packet receiving module 21 receives the packets sent by the intranet and the extranet and passes them to the communication processing unit 13; based on the basic information of each packet it classifies packets into DHCP packets, DNS packets and all other packets, and sends the three classes to the corresponding processing modules of the communication processing unit. The packet sending module 22 receives the packets processed by the communication processing unit 13 and judges the destination IP address of each packet against the rIP range, the vIP range and the wIP range set in the user configuration information provided by the management unit 11 (these three ranges are the IP addresses obtainable by network terminals in the intranet and all belong to the intranet): if the destination IP address lies in the intranet the packet is sent to the intranet, and if it lies in the extranet the packet is sent to the extranet.
The terminal information unit 14 maintains a terminal information table for each network terminal connected to the intranet. The terminal information table contains the following information: (1) the real IP address allocated to the terminal, denoted rIP; (2) the virtual IP address allocated to the terminal, denoted vIP; (3) the IP address allocated to the terminal for accessing the extranet, denoted wIP; (4) the virtual domain name allocated to the terminal for obtaining the vIP, denoted vDomain; (5) the physical address of the terminal's network card, denoted rMac; (6) the time at which the vIP was allocated, denoted vIPtime; (7) the time at which the vDomain was allocated, denoted vDomaintime. The terminal information table of each network terminal in the terminal information unit is created by the communication processing unit described below.
The communication processing unit 13 processes the packets sent to it by the data unit 12 and thereby implements normal communication between the intranet and the extranet and within the intranet. First, the communication processing unit 13 allocates an rIP, a vIP, a wIP and a vDomain to each network terminal connected to the intranet, generates the terminal information table at the same time, and stores it in the terminal information unit 14. The communication processing unit 13 makes communication within the intranet use vIP and communication between the intranet and the extranet use wIP. In addition, because DHCP is the protocol used to allocate IP addresses in the intranet and vDomain is used to obtain the vIP for communication within the intranet, the communication processing unit 13 has two independent modules for these two kinds of packets: its IP address assignment module processes DHCP packets, and its domain name resolution module processes DNS packets that request resolution of a vDomain. Specifically, as shown in Fig. 3, the communication processing unit 13, which is responsible for processing the packets sent by the data unit 12, comprises an IP address assignment module 31, a domain name resolution module 32, a session information storage module 33 and an IP address changing module 34.
The IP address assignment module 31 is responsible for processing DHCP packets and configuring the terminal information table of each network terminal in the intranet. When the IP address assignment module 31 receives the DHCP packet with which a network terminal in the intranet requests an IP address, it allocates a real IP, the rIP, to that terminal from the rIP range set in the user configuration information; the rIP allocated to a terminal can be seen by checking the terminal's network card connection information. While allocating the rIP to each terminal, the IP address assignment module 31 also allocates to it a vIP and a wIP corresponding to the rIP, from the vIP range and the wIP range set in the user configuration information, generates a corresponding virtual domain name vDomain for each vIP, records the allocation time vIPtime of each vIP and the allocation time vDomaintime of each vDomain, ensures that no IP address is repeated, and obtains the physical network card address rMac of each terminal. For each terminal connected to the intranet, its rIP, vIP, wIP, vDomain, rMac, vIPtime and vDomaintime correspond to one another and together form the terminal information table of that terminal, so that, given any one item of information about a terminal (for example its vIP), all the other items (rIP, wIP, vDomain, rMac, vIPtime and vDomaintime) can be obtained by querying its terminal information table. The IP address assignment module 31 generates the terminal information table of each network terminal and stores the generated tables in the terminal information unit 14.
The domain name resolution module 32 is responsible for processing DNS request packets that request resolution of a vDomain. It looks up the requested vDomain in the terminal information unit 14; if the vDomain is found, it generates a DNS response packet from the vIP that corresponds to that vDomain in the terminal information unit 14 and sends it to the data unit 12, and the requesting terminal then performs its network access using the resolved vIP. If the requested vDomain is not found, the DNS request packet is discarded directly. Through the domain name resolution module 32, a network terminal can therefore obtain the vIP corresponding to a vDomain by sending a DNS request packet that resolves the vDomain.
The essential improvement of the network security defense system of the present invention is that network terminals in the intranet communicate with each other using vIP and access the extranet using wIP, so that the real IP of no terminal in the intranet is revealed; the host information and topology of the intranet therefore cannot be discovered by scanning and probing, and consequently cannot be attacked. This function is implemented by the session information storage module 33 and the IP address changing module 34 in the communication processing unit. Every packet of a communication carries five-tuple information, namely source IP, destination IP, source port, destination port and communication protocol; this is well known in the art, and the following description builds on it directly. The session information storage module 33 stores the session information of the two IPs that are communicating; the stored session information includes the source IP, destination IP, source port, destination port and communication protocol, together with the rIP or wIP that corresponds in the terminal information unit 14 to the source IP or destination IP. Whether between two terminals in the intranet or between the extranet and the intranet, every communication between two IPs creates a corresponding session information entry. The IP address changing module creates the session information for each communication and stores it in the session information storage module 33, processes the packets of that communication according to the corresponding session information while the communication lasts, and deletes the session information when the communication is complete. The IP address changing module 34 processes all packets other than DHCP packets and DNS request packets that request resolution of a vDomain. Each type of communication process is described below.
For communication between the intranet and the extranet there are two cases, access from the intranet to the extranet and access from the extranet to the intranet, which can be distinguished by the IPs in the packet. When the intranet accesses the extranet, the intranet sends a packet to the extranet; after the data unit has analyzed and classified it, the packet is first sent to the IP address changing module 34. When the communication is being established, the IP address changing module 34 creates the session information corresponding to this connection between the intranet and the extranet. As described above, the packet contains a source IP, destination IP, source port, destination port and communication protocol. The IP address changing module 34 extracts the source IP from the packet and queries the terminal information unit 14 with it; if a corresponding wIP is obtained (if the packet really originates from a terminal in the intranet, its source IP must be that terminal's real IP in the intranet, i.e. the source IP is an rIP; as described above the terminal information unit stores the terminal information table of each intranet terminal, in which rIP, vIP, wIP, vDomain, rMac, vIPtime and vDomaintime correspond to one another, so the corresponding wIP can be looked up from the rIP; if no entry is found the packet is discarded directly, and likewise below), then the rIP, destination IP, source port, destination port and communication protocol together with the wIP that was looked up form the session information of this communication, which is stored in the session information storage module 33, and the packets of the subsequent communication are processed according to this session information. The IP transformation operation is then carried out: the IP address changing module 34 queries the session information storage module 33 using the source IP, destination IP, source port, destination port and communication protocol of the packet; if nothing is found the packet is discarded directly; if the session information whose source IP, destination IP, source port, destination port and communication protocol match those of the packet, i.e. the session information corresponding to this communication, is found, the IP address changing module 34 replaces the source IP in the packet with the wIP from that session information, recalculates the packet checksum according to the session information, and sends the packet to the packet sending module 22 of the data unit 12, which sends the packet to the extranet according to the destination IP, destination port and communication protocol in the packet. After the communication ends, the IP address changing module 34 again queries the session information storage module 33 with the source IP, destination IP, source port, destination port and communication protocol of the packet, obtains the session information corresponding to this communication, and deletes it. In this way, when the extranet receives a packet sent by the intranet, the source IP it extracts from the packet is the wIP of the terminal in the intranet, not the terminal's real IP; through this IP transformation the terminals in the intranet access the extranet using wIP, which ensures network security.
Similarly, when the extranet accesses the intranet, the extranet sends a packet to the intranet; after the data unit has analyzed and classified it, the packet is first sent to the IP address changing module 34. When the communication is being established, the IP address changing module 34 creates the session information corresponding to this connection between the extranet and the intranet. The packet contains a source IP, destination IP, source port, destination port and communication protocol, and it is directed at a terminal in the intranet (an access from the extranet generally cannot obtain the real IP of an intranet terminal; the extranet accesses that pose a security risk are typically made using an IP of the intranet obtained when the intranet previously accessed the extranet, and as described above the present invention uses the wIP when the intranet accesses the extranet, so the destination IP of an extranet access to the intranet is generally the wIP of a terminal in the intranet, as those skilled in the art will understand). The IP address changing module 34 extracts the destination IP from the packet and queries the terminal information unit 14 with it; if nothing is found the packet is discarded directly; if an entry is found, the rIP corresponding to this destination IP is extracted, and the source IP, destination IP, source port, destination port and communication protocol of the packet together with the rIP that was looked up form the session information of this communication, which is stored in the session information storage module 33, and the packets of the subsequent communication are processed according to this session information. The IP transformation operation is then carried out: the IP address changing module 34 queries the session information storage module 33 using the source IP, destination IP, source port, destination port and communication protocol of the packet; if nothing is found the packet is discarded directly; if the session information whose source IP, destination IP, source port, destination port and communication protocol match those of the packet, i.e. the session information corresponding to this communication, is found, the IP address changing module 34 replaces the destination IP in the packet with the rIP from that session information, recalculates the packet checksum according to the session information, and sends the packet to the packet sending module 22 of the data unit 12, which finds the corresponding intranet terminal according to the rIP, destination port and other information in the packet and completes the data communication. After the communication ends, the IP address changing module 34 again queries the session information storage module 33 with the source IP, destination IP, source port, destination port and communication protocol of the packet, obtains the session information corresponding to this communication, and deletes it. In this way, when the extranet sends a packet to the intranet, the real IP of the intranet terminal corresponding to the destination IP in the packet is found through the above transformation, which ensures that extranet data reaches the intranet terminal accurately.
For communication within the intranet, i.e. when one network terminal in the intranet sends an access packet to another, before the communication is established the IP address changing module 34 first extracts the destination IP from the packet and judges its type (because vIP, rIP and wIP belong to different IP sections, this type judgement is easy to implement). If the destination IP of the packet is an rIP or a wIP, the packet is discarded directly, because access within the intranet using rIP or wIP is not allowed; if the destination IP of the packet is a vIP, the following communication transformation process is performed. First, when the communication is being established, the IP address changing module 34 creates the session information corresponding to this connection within the intranet. The packet contains a source IP, destination IP, source port, destination port and communication protocol. The IP address changing module 34 extracts the source IP from the packet and queries the terminal information unit 14 with it to obtain the corresponding vIP (if the packet really originates from a terminal in the intranet, its source IP must be the real IP of the sending terminal in the intranet, i.e. the source IP is an rIP, and the vIP of that terminal can then be looked up from the rIP). At the same time, the IP address changing module 34 extracts the destination IP from the packet and queries the terminal information unit 14 with it to obtain the corresponding rIP (if nothing is found, the packet is discarded directly). The source IP, destination IP, source port, destination port and communication protocol together with the vIP corresponding to the source IP and the rIP corresponding to the destination IP that were looked up form the session information of this communication, which is stored in the session information storage module 33, and the packets of the subsequent communication are processed according to this session information. The IP transformation operation is then performed by the IP address changing module 34: it queries the session information storage module 33 using the source IP, destination IP, source port, destination port and communication protocol of the packet; if nothing is found the packet is discarded directly; if the session information whose source IP, destination IP, source port, destination port and communication protocol match those of the packet, i.e. the session information corresponding to this communication, is found, the IP address changing module 34 replaces the source IP in the packet with the vIP corresponding to the source IP in that session information and the destination IP in the packet with the rIP corresponding to the destination IP in that session information, recalculates the packet checksum according to the session information, and sends the packet to the packet sending module 22 of the data unit 12, which finds the corresponding intranet terminal according to the rIP, destination port and other information in the packet and completes the data communication. After the communication ends, the IP address changing module 34 again queries the session information storage module 33 with the source IP, destination IP, source port, destination port and communication protocol of the packet, obtains the session information corresponding to this communication, and deletes it. In this way, when a packet is sent within the intranet, the sender transmits data using vIP and the receiver receives data using rIP; the terminals in the intranet communicate with each other using vIP, which ensures both network security and the smooth arrival of the communication data.
The dynamic transformation unit 15 comprises a virtual IP modification module and a virtual domain name modification module and dynamically transforms the terminal information tables stored in the terminal information unit 14: the virtual IP modification module traverses the terminal information unit 14 and dynamically modifies the vIPs in it while ensuring that no vIP is repeated, and the virtual domain name modification module traverses the terminal information unit 14 and dynamically modifies the vDomains in it while ensuring that no vDomain is repeated. Specifically, as shown in Figs. 4 to 6, the dynamic transformation unit 15 comprises a virtual IP modification module 41 and a virtual domain name modification module 42 for dynamically modifying the terminal information tables stored in the terminal information unit 14. The virtual IP modification module 41 in turn comprises a virtual IP modification submodule 51 and a virtual IP duplicate query submodule 52. According to the interval of virtual IP dynamic transformation and the range of virtual IP set in the user configuration information, the virtual IP modification submodule 51 continuously traverses the terminal information tables stored in the terminal information unit 14; if, for some terminal information table, the time elapsed since the vIPtime of its vIP reaches or exceeds the interval of virtual IP dynamic transformation, the virtual IP modification submodule 51 randomly generates a new vIP from the set virtual IP range, replaces the vIP corresponding to that vIPtime in the table with it, and updates the vIPtime to the generation time of the new vIP. The virtual IP duplicate query submodule 52 performs a duplicate check on the virtual IPs in the terminal information unit 14, querying whether the terminal information unit already contains the newly generated vIP; if so, it notifies the virtual IP modification submodule 51 to modify the repeated vIP again and update the corresponding vIPtime, until the terminal information unit no longer contains a duplicate of the newly modified vIP, which completes the dynamic modification of the vIP. The virtual domain name modification module 42 comprises a virtual domain name modification submodule 61 and a virtual domain name duplicate query submodule 62. According to the interval of virtual domain name dynamic transformation set in the user configuration information, the virtual domain name modification submodule 61 traverses the terminal information tables stored in the terminal information unit 14; if, for some terminal information table, the time elapsed since its vDomaintime reaches or exceeds the interval of virtual domain name dynamic transformation, the virtual domain name modification submodule 61 randomly generates a new vDomain to replace the original vDomain and updates the vDomaintime to the generation time of the new vDomain. The virtual domain name duplicate query submodule 62 performs a duplicate check on the virtual domain names in the terminal information unit 14 and notifies the virtual domain name modification submodule 61 to modify any repeated vDomain.
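As an added illustration (not code from the patent), the following Python sketch models the terminal information unit 14, the vDomain lookup of the domain name resolution module 32 and the dynamic transformation unit 15 described above. The vIP range, the two intervals, the three terminal entries and the domain-name suffix are constructed values, and regenerating until the new value also differs from the terminal's own previous one is an assumption beyond the description.

```python
import random
import ipaddress

# Constructed user configuration (assumed values; the patent names these fields
# but does not prescribe values).
CONFIG = {
    "vip_range": ipaddress.ip_network("10.20.0.0/24"),
    "vip_interval": 300,          # seconds between vIP changes of one terminal
    "vdomain_interval": 600,      # seconds between vDomain changes of one terminal
    "vdomain_suffix": ".vintra",  # assumed suffix for generated virtual domain names
}


def make_terminal_table(rip, vip, wip, vdomain, rmac, now):
    """Terminal information table with the seven fields the description lists."""
    return {"rIP": rip, "vIP": vip, "wIP": wip, "vDomain": vdomain,
            "rMac": rmac, "vIPtime": now, "vDomaintime": now}


def build_sample_unit(now=0):
    """Constructed contents of the terminal information unit 14 (three terminals)."""
    return [
        make_terminal_table("192.168.1.10", "10.20.0.77", "172.16.5.10", "k3f9q2.vintra", "00:11:22:33:44:10", now),
        make_terminal_table("192.168.1.11", "10.20.0.42", "172.16.5.11", "p8d1xz.vintra", "00:11:22:33:44:11", now),
        make_terminal_table("192.168.1.12", "10.20.0.9", "172.16.5.12", "m0v7ta.vintra", "00:11:22:33:44:12", now),
    ]


def resolve_vdomain(unit, vdomain):
    """Domain name resolution module 32: the vIP for a vDomain, or None when the
    DNS request is to be discarded because the name is unknown."""
    for table in unit:
        if table["vDomain"] == vdomain:
            return table["vIP"]
    return None


class DynamicTransformationUnit:
    """Dynamic transformation unit 15: rewrites the vIP / vDomain of every terminal
    whose last change is at least the configured interval old, without duplicates."""

    def __init__(self, unit, config=CONFIG, seed=None):
        self.unit = unit
        self.config = config
        self.rng = random.Random(seed)
        self._hosts = [str(h) for h in config["vip_range"].hosts()]

    def _fresh_value(self, field, generate, current):
        # Duplicate query submodule (52 / 62): regenerate until no other terminal
        # holds the value. The terminal's current value is excluded as well so the
        # change is effective (assumption).
        in_use = {t[field] for t in self.unit} | {current}
        if field == "vIP" and len(in_use) >= len(self._hosts):
            raise RuntimeError("vIP range exhausted; enlarge the configured range")
        while True:
            candidate = generate()
            if candidate not in in_use:
                return candidate

    def _random_vip(self):
        return self.rng.choice(self._hosts)

    def _random_vdomain(self):
        label = "".join(self.rng.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=8))
        return label + self.config["vdomain_suffix"]

    def modify_vips(self, now):
        """Virtual IP modification submodule 51; returns the rIPs whose vIP changed."""
        changed = []
        for table in self.unit:
            if now - table["vIPtime"] >= self.config["vip_interval"]:
                table["vIP"] = self._fresh_value("vIP", self._random_vip, table["vIP"])
                table["vIPtime"] = now
                changed.append(table["rIP"])
        return changed

    def modify_vdomains(self, now):
        """Virtual domain name modification submodule 61; returns the rIPs whose vDomain changed."""
        changed = []
        for table in self.unit:
            if now - table["vDomaintime"] >= self.config["vdomain_interval"]:
                table["vDomain"] = self._fresh_value("vDomain", self._random_vdomain, table["vDomain"])
                table["vDomaintime"] = now
                changed.append(table["rIP"])
        return changed


if __name__ == "__main__":
    unit = build_sample_unit(now=0)
    dtu = DynamicTransformationUnit(unit, seed=7)
    print("before:", [(t["rIP"], t["vIP"], t["vDomain"]) for t in unit])
    print("vIP changed for:", dtu.modify_vips(now=300))
    print("vDomain changed for:", dtu.modify_vdomains(now=300))  # none: interval is 600
    print("after:", [(t["rIP"], t["vIP"], t["vDomain"]) for t in unit])
```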
Thus, in a LAN in which the network security defense system based on dynamic transformation of the present invention is deployed, data communication, whether within the intranet or between the extranet and the intranet, uses dynamically transformed virtual vIPs and dedicated wIPs rather than the real IPs of the network terminals. This effectively prevents an attacker from probing and penetrating the intranet, so that the attacker cannot accurately obtain the intranet topology or the real information of the terminals in it; attacks on the intranet are thus effectively defended against and the security of the intranet is achieved.
The present invention further proposes a dynamic transformation network security defense method based on the above network security defense system, comprising the following steps:
Step (1): a corresponding terminal information table is generated for each network terminal in the intranet. The terminal information table includes the rIP allocated to the terminal, the vIP corresponding to the rIP, the wIP corresponding to the rIP, the vDomain corresponding to the vIP, the vIPtime corresponding to the vIP, the vDomaintime corresponding to the vDomain, and the rMac, where the rIP is the real IP address allocated to the terminal, the vIP is the virtual IP address allocated to the terminal, the wIP is the extranet access IP address allocated to the terminal, the vDomain is the virtual domain name corresponding to the vIP, the vIPtime is the time at which the vIP was allocated, the vDomaintime is the time at which the vDomain was allocated, and the rMac is the physical network card address of the terminal;
Step (2): IP replacement is performed on communication packets in the following way, so that network terminals in the intranet communicate with each other using vIP and network terminals in the intranet communicate with the extranet using wIP:
(2-1): when two network terminals in the intranet communicate, first the source IP is extracted from the communication packet sent by one terminal and the vIP corresponding to that source IP is looked up in the terminal information tables; at the same time the destination IP is extracted from the communication packet and the rIP corresponding to that destination IP is looked up in the terminal information tables. Then the session information of this communication is created from the source IP, destination IP, source port, destination port and communication protocol of the communication packet together with the vIP corresponding to the source IP and the rIP corresponding to the destination IP that were looked up. Then the source IP in the communication packet is replaced with the vIP corresponding to the source IP in the session information of this communication, the destination IP in the communication packet is replaced with the rIP corresponding to the destination IP in the session information of this communication, the checksum of the communication packet is recalculated according to the session information of this communication, and the communication packet is sent to the other terminal. Finally the session information of this communication is deleted;
(2-2): when a network terminal in the intranet accesses the extranet, first the source IP is extracted from the communication packet sent by the intranet terminal and the wIP corresponding to that source IP is looked up in the terminal information tables. Then the session information of this communication is created from the source IP, destination IP, source port, destination port and communication protocol of the communication packet together with the wIP corresponding to the source IP that was looked up. Then the source IP in the communication packet is replaced with the wIP corresponding to the source IP in the session information of this communication, the checksum of the communication packet is recalculated according to the session information of this communication, and the communication packet is sent to the extranet. Finally the session information of this communication is deleted;
(2-3): when the extranet accesses a network terminal in the intranet, first the destination IP is extracted from the communication packet from the extranet and the rIP corresponding to that destination IP is looked up in the terminal information tables. Then the session information of this communication is created from the source IP, destination IP, source port, destination port and communication protocol of the communication packet together with the rIP corresponding to the destination IP that was looked up. Then the destination IP in the communication packet is replaced with the rIP corresponding to the destination IP in the session information of this communication, the checksum of the communication packet is recalculated according to the session information of this communication, and the communication packet is sent to the network terminal in the intranet. Finally the session information of this communication is deleted.
Second preferred embodiment
The network security protection system based on dynamic mapping of the second preferred embodiment of the present invention differs from the first preferred embodiment described above only in the following respect. As shown in Figure 7, through the management unit 11 the user can set the static attribute of a wIP in a terminal information table stored in the terminal information unit 14; that is, the wIP of a particular terminal in the intranet can be set as a static wIP. Preferably a flag bit is provided in that terminal's terminal information table, and the value set in the flag bit distinguishes whether the terminal's wIP is static. Two terminals in the intranet can then communicate not only with vIPs but also with a statically configured wIP. This modification is made because, in existing intranet architectures, network printers and certain servers are often given static IP addresses for convenient access; once the system based on dynamic mapping is deployed, the vIPs change dynamically, so, to allow intranet users to keep accessing the network printers and those servers by static IP address in the original manner, this embodiment adds the function described above, whereby two intranet terminals can communicate either with vIPs or with a configured static wIP. The communication process between the intranet and the extranet in this second embodiment is therefore identical to that of the first embodiment and is not repeated here; the only difference is that two intranet terminals can communicate with a static wIP in addition to the vIP-based communication described in the first embodiment, so only the intranet data communication process of the second embodiment is described below.
For communication within the intranet in this embodiment, before a communication is set up the IP address transformation module 34 first extracts the destination IP of the packet and determines its type (because vIPs, rIPs and wIPs belong to different IP ranges, this determination is straightforward). If the destination IP is an rIP, the packet is discarded directly, because access between intranet terminals by rIP is not permitted. If the destination IP is a wIP, the IP address transformation module 34 uses that wIP to look up in the terminal information unit whether a static flag bit is set for it, so as to decide whether it is a statically configured wIP; if it is not a wIP configured as static by the user, the packet is discarded directly and the communication terminates. If the destination IP extracted by the IP address transformation module 34 is a vIP or a statically configured wIP, the following communication transformation process is performed. When the communication starts, the IP address transformation module 34 establishes the corresponding session information. The packet contains a source IP, destination IP, source port, destination port and communication protocol; the source IP is the real IP of the sending terminal in the intranet, i.e. an rIP. The IP address transformation module 34 extracts the source IP and looks it up in the terminal information unit 14 to obtain the corresponding vIP; at the same time it extracts the destination IP and looks it up in the terminal information unit 14 to obtain the corresponding rIP (if no entry is found, the packet is discarded directly). It then forms the session information of this communication from the source IP, destination IP, source port, destination port, communication protocol, the vIP corresponding to the source IP and the rIP corresponding to the destination IP, and stores it in the session information storage module 33; subsequent packets of this communication are processed according to this session information. The IP address transformation module 34 then performs the IP transformation: it first uses the packet's source IP, destination IP, source port, destination port and communication protocol to look up the corresponding session information in the session information storage module 33; if none is found, the packet is discarded directly; if it is found, the module replaces the source IP in the packet with the vIP corresponding to the source IP in the session information (the source IP being an rIP, as noted above) and replaces the destination IP in the packet with the rIP corresponding to the destination IP in the session information. When the destination IP is a static wIP, that static wIP does not change in the destination terminal's terminal information table, so however the destination terminal's vIP changes, the packet's destination IP is always the static wIP, and because wIP and rIP also correspond one-to-one, the destination terminal's rIP is readily found from the static wIP and communication with the terminal at that static wIP can proceed quickly. The module then recalculates the packet checksum according to the session information and sends the packet to the packet sending module 22 of the data unit 12, which uses the rIP, destination port and other information in the packet to find the corresponding intranet terminal and complete the data communication. After the communication ends, the IP address transformation module 34 again looks up the session information of this communication in the session information storage module 33 using the packet's source IP, destination IP, source port, destination port and communication protocol, and deletes it.
In this way, by configuring static IP addresses for intranet terminals such as printers and servers and accessing their packets by those addresses, this embodiment lets intranet users continue to access network printers, servers and similar terminals by static IP address in the original manner after the network security protection system based on dynamic mapping is deployed, improving the efficiency of intranet access to such particular terminals while ensuring network security.
The present invention breaks with the inherently static nature of traditional intranets by proposing a network security protection system based on dynamic mapping. By dynamically changing the IP address information of the terminals in the intranet, an attacker cannot obtain the topology of the intranet or accurately obtain the real information of the intranet terminals, so attacks on the intranet are effectively defended against and the security of the intranet is improved.
The above describes only preferred embodiments of the present invention; the technical solution is not limited to them. Any known variation made by those skilled in the art on the basis of the main technical concept of the present invention falls within the scope of protection claimed by the present invention, and the specific scope of protection of the present invention is determined by the recitations of the claims.

Claims (10)

1. A network security protection system based on dynamic mapping, characterized in that it comprises a communication processing unit (13), a terminal information unit (14) and a dynamic mapping unit (15); the communication processing unit (13) is connected to the terminal information unit (14), and the dynamic mapping unit (15) is connected to the terminal information unit (14); the communication processing unit (13) configures one terminal information table for each network terminal in the intranet in which the network security protection system is deployed and stores it in the terminal information unit (14); the terminal information table comprises the rIP, vIP and wIP assigned to the network terminal, where the rIP is the real IP address assigned to the terminal, the vIP is the virtual IP address assigned to the terminal, and the wIP is the extranet-access IP address assigned to the terminal; the dynamic mapping unit (15) dynamically changes the vIPs stored in the terminal information unit (14); and the communication processing unit (13) processes the communication data packets of the network terminals on the basis of the terminal information tables so that terminals inside the intranet communicate with one another using vIPs, while communication between an intranet terminal and the extranet uses wIPs.
2. The network security protection system according to claim 1, characterized in that the rIP, vIP and wIP stored in the terminal information unit (14) correspond to one another one-to-one, the terminal information table of each network terminal containing one mutually corresponding group of rIP, vIP and wIP, and the communication data packet comprises a source IP, a destination IP, a source port, a destination port and a communication protocol; when two intranet terminals communicate, the communication processing unit (13) replaces the source IP in the packet with the vIP corresponding to that source IP in the terminal information table of the terminal sending the packet, and replaces the destination IP in the packet with the rIP corresponding to that destination IP in the terminal information table of the terminal receiving the packet; when an intranet terminal accesses the extranet, the communication processing unit (13) replaces the source IP in the packet with the wIP corresponding to that source IP in the terminal information table of the terminal sending the packet; and when the extranet accesses an intranet terminal, the communication processing unit (13) replaces the destination IP in the packet arriving from the extranet with the rIP corresponding to that destination IP in the terminal information table of the terminal receiving the packet.
3. The network security protection system according to claim 2, characterized in that it further comprises a data unit (12) connected to the communication processing unit (13); the communication processing unit (13) comprises an IP address assignment module (31), a domain name resolution module (32), a session information storage module (33) and an IP address transformation module (34); the IP address assignment module (31) is connected to the data unit (12) and the terminal information unit (14), the domain name resolution module (32) is connected to the data unit (12) and the terminal information unit (14), the session information storage module (33) is connected to the IP address transformation module (34), and the IP address transformation module (34) is connected to the data unit (12) and the terminal information unit (14); the IP address assignment module (31) assigns one rIP to each network terminal joining the intranet, assigns one corresponding vIP and one corresponding wIP to each rIP, generates one corresponding vDomain for each vIP, generates a corresponding vIPtime for each vIP and a corresponding vDomaintime for each vDomain, and obtains the rMac of each network terminal, where the vDomain is the virtual domain name corresponding to the vIP, the vIPtime is the time at which the vIP was generated, the vDomaintime is the time at which the vDomain was generated, and the rMac is the physical network card address of the terminal; the IP address assignment module (31) generates the terminal information table of each network terminal and stores it in the terminal information unit (14), the terminal information table of each terminal containing one corresponding group of rIP, vIP, wIP, vDomain, vIPtime, vDomaintime and rMac; the domain name resolution module (32) resolves DNS packets on the basis of the terminal information tables stored in the terminal information unit (14); the IP address transformation module (34) performs the IP replacement operation on communication data packets; and the data unit (12) serves as the packet transmitting and receiving unit of the communication processing unit (13), forwarding received DHCP packets to the IP address assignment module (31), received DNS packets to the domain name resolution module (32), and all packets other than DHCP and DNS packets to the IP address transformation module (34).
4. The network security protection system according to claim 3, characterized in that the IP address transformation module (34) performs the IP replacement operation on communication data packets as follows:
(1) when two intranet terminals communicate, the IP address transformation module (34) first establishes the session information of this communication, the session information comprising the packet's source IP, destination IP, source port, destination port and communication protocol together with the vIP corresponding to the source IP and the rIP corresponding to the destination IP, and stores the established session information in the session information storage module (33); on the basis of this session information, the IP address transformation module (34) then replaces the source IP in the packet with the vIP corresponding to the source IP in the session information and replaces the destination IP in the packet with the rIP corresponding to the destination IP in the session information; it then recalculates the packet checksum according to the session information and sends the packet to the data unit (12); finally, the IP address transformation module (34) deletes the session information of this communication from the session information storage module (33);
(2) when an intranet terminal accesses the extranet, the IP address transformation module (34) first establishes the session information of this communication, the session information comprising the packet's source IP, destination IP, source port, destination port and communication protocol together with the wIP corresponding to the source IP, and stores the established session information in the session information storage module (33); on the basis of this session information, the IP address transformation module (34) then replaces the source IP in the packet with the wIP corresponding to the source IP in the session information; it then recalculates the packet checksum according to the session information and sends the packet to the data unit (12); finally, the IP address transformation module (34) deletes the session information of this communication from the session information storage module (33);
(3) when the extranet accesses an intranet terminal, the IP address transformation module (34) first establishes the session information of this communication, the session information comprising the packet's source IP, destination IP, source port, destination port and communication protocol together with the rIP corresponding to the destination IP, and stores the established session information in the session information storage module (33); on the basis of this session information, the IP address transformation module (34) then replaces the destination IP in the packet arriving from the extranet with the rIP corresponding to the destination IP in the session information; it then recalculates the packet checksum according to the session information and sends the packet to the data unit (12); finally, the IP address transformation module (34) deletes the session information of this communication from the session information storage module (33).
5. The network security protection system according to claim 4, characterized in that, when two intranet terminals communicate, the IP address transformation module (34) first determines the type of the packet's destination IP before establishing the session information, and if the destination IP of the packet is an rIP or a wIP, the packet is discarded and the communication is terminated directly.
6. The network security protection system according to claim 4, characterized in that it further comprises a management unit (11) connected to the data unit (12), the communication processing unit (13) and the dynamic mapping unit (15); the management unit (11) generates user configuration information and sends it to the data unit (12), the communication processing unit (13) and the dynamic mapping unit (15), the user configuration information comprising the range of rIPs assigned to the intranet terminals, the range of vIPs, the range of wIPs, the interval of vIP dynamic mapping and the interval of vDomain dynamic mapping.
7. The network security protection system according to claim 6, characterized in that the management unit (11) is further connected to the terminal information unit (14), and through the management unit (11) the wIP in the terminal information table of a particular network terminal stored in the terminal information unit (14) can be set as a static wIP, such that, when terminals in the intranet communicate, the IP address transformation module (34) first determines the type of the packet's destination IP before establishing the session information: if the destination IP of the packet is an rIP, the packet is discarded and the communication is terminated directly; if the destination IP of the packet is a wIP, it is further determined whether that wIP is a static wIP, and if it is not, the packet is discarded and the communication is terminated directly; and if the destination IP of the packet is a static wIP or a vIP, the communication proceeds in the manner described above for two intranet terminals.
8. The network security protection system according to any one of claims 3 to 7, characterized in that the dynamic mapping unit (15) comprises a virtual IP modification module (41) and a virtual domain name modification module (42); the virtual IP modification module (41) traverses the terminal information unit (14), dynamically modifies the vIPs in the terminal information unit (14) and ensures that no vIP is repeated; and the virtual domain name modification module (42) traverses the terminal information unit (14), dynamically modifies the vDomains in the terminal information unit (14) and ensures that no vDomain is repeated.
9. The network security protection system according to claim 8, characterized in that the virtual IP modification module (41) comprises a virtual IP modification submodule (51) and a virtual IP duplicate-check submodule (52); the virtual IP modification submodule (51) traverses the terminal information tables stored in the terminal information unit (14) and determines whether the interval between the vIPtime corresponding to a vIP in a terminal information table and the current time has reached or exceeded the preconfigured virtual IP dynamic mapping interval, and if so randomly generates a new vIP from the preconfigured virtual IP range to replace the original vIP and updates the corresponding vIPtime to the current time; the virtual IP duplicate-check submodule (52) checks the modifications made by the virtual IP modification submodule (51) for duplicates and notifies the virtual IP modification submodule (51) to modify any repeated vIP; the virtual domain name modification module (42) comprises a virtual domain name modification submodule (61) and a virtual domain name duplicate-check submodule (62); the virtual domain name modification submodule (61) traverses the terminal information tables stored in the terminal information unit (14) and determines whether the interval between the vDomaintime corresponding to a vDomain in a terminal information table and the current time has reached or exceeded the preconfigured virtual domain name dynamic mapping interval, and if so randomly generates a new vDomain to replace the original vDomain and updates the corresponding vDomaintime to the current time; and the virtual domain name duplicate-check submodule (62) checks the modifications made by the virtual domain name modification submodule (61) for duplicates and notifies the virtual domain name modification submodule (61) to modify any repeated vDomain.
10. A network security defence method based on dynamic mapping, characterized in that it comprises the following steps:
Step (1): a terminal information table is generated for each network terminal in the intranet. The table contains the rIP assigned to the terminal, the vIP corresponding to the rIP, the wIP corresponding to the rIP, the vDomain corresponding to the vIP, the vIPtime corresponding to the vIP, the vDomaintime corresponding to the vDomain, and the rMac, where the rIP is the real IP address assigned to the terminal, the vIP is the virtual IP address assigned to the terminal, the wIP is the extranet-access IP address assigned to the terminal, the vDomain is the virtual domain name corresponding to the vIP, the vIPtime is the time at which the current vIP was assigned, the vDomaintime is the time at which the current vDomain was assigned, and the rMac is the physical network card address of the terminal;
Step (2): IP replacement is performed on communication data packets as follows, so that terminals inside the intranet communicate with one another using vIPs, while communication between an intranet terminal and the extranet uses wIPs:
(2-1): when two intranet terminals communicate, the source IP of the packet sent by one terminal is first extracted and the vIP corresponding to that source IP is looked up in the terminal information table; at the same time the destination IP of the packet is extracted and the rIP corresponding to that destination IP is looked up in the terminal information table. The session information of this communication is then built from the packet's source IP, destination IP, source port, destination port and communication protocol together with the looked-up vIP (for the source IP) and rIP (for the destination IP). Next, the source IP in the packet is replaced with the vIP recorded for it in the session information, the destination IP in the packet is replaced with the rIP recorded for it in the session information, the packet checksum is recalculated according to the session information, and the packet is sent to the other terminal. Finally, the session information of this communication is deleted;
(2-2): when an intranet terminal accesses the extranet, the source IP of the packet sent by the intranet terminal is first extracted and the wIP corresponding to that source IP is looked up in the terminal information table. The session information of this communication is then built from the packet's source IP, destination IP, source port, destination port and communication protocol together with the looked-up wIP. Next, the source IP in the packet is replaced with the wIP recorded for it in the session information, the packet checksum is recalculated according to the session information, and the packet is sent to the extranet. Finally, the session information of this communication is deleted;
(2-3): when the extranet accesses an intranet terminal, the destination IP of the packet arriving from the extranet is first extracted and the rIP corresponding to that destination IP is looked up in the terminal information table. The session information of this communication is then built from the packet's source IP, destination IP, source port, destination port and communication protocol together with the looked-up rIP. Next, the destination IP in the packet is replaced with the rIP recorded for it in the session information, the packet checksum is recalculated according to the session information, and the packet is sent to the intranet terminal. Finally, the session information of this communication is deleted.
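As an added illustration (not code from the patent or its applicant), the following Python model implements the terminal information table and the three replacement cases of Step (2) (claims 4 and 10), the destination-type check of the second embodiment (claim 7), and the vIP rotation with duplicate checking of claim 9. The address ranges, the sample terminals and the seeded random source are constructed assumptions, and the checksum recalculation is left out.

```python
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Optional

# Constructed ranges: rIP, vIP and wIP lie in disjoint subnets, so type follows from range.
RIP_NET = ipaddress.ip_network("10.0.0.0/24")
VIP_NET = ipaddress.ip_network("10.1.0.0/24")
WIP_NET = ipaddress.ip_network("203.0.113.0/24")

@dataclass
class TerminalEntry:
    rIP: str
    vIP: str
    wIP: str
    vIPtime: float            # time the current vIP was assigned
    static_wIP: bool = False  # second embodiment: flag bit marking a static wIP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str

def classify(ip: str) -> str:
    """Destination-type check done before any session is set up."""
    a = ipaddress.ip_address(ip)
    for kind, net in (("rIP", RIP_NET), ("vIP", VIP_NET), ("wIP", WIP_NET)):
        if a in net:
            return kind
    return "external"

class Translator:
    """IP address transformation module: session created, used for one rewrite, deleted."""

    def __init__(self, table: dict[str, TerminalEntry]):
        self.table = table                     # terminal information tables, keyed by rIP
        self.sessions: dict[tuple, dict] = {}  # session information storage

    def _lookup(self, attr: str, value: str) -> Optional[TerminalEntry]:
        return next((e for e in self.table.values() if getattr(e, attr) == value), None)

    def _rewrite(self, p: Packet, session: dict) -> Packet:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        self.sessions[key] = session           # establish the session information
        # Replace the addresses recorded in the session; checksum recalculation omitted here.
        out = replace(p, src=session.get("src", p.src), dst=session.get("dst", p.dst))
        del self.sessions[key]                 # delete the session once the packet is rewritten
        return out

    def intranet(self, p: Packet) -> Optional[Packet]:
        """(2-1) plus the second embodiment's rule: rIP destinations are dropped
        and wIP destinations are allowed only when that wIP is flagged static."""
        kind = classify(p.dst)
        if kind == "rIP":
            return None
        dst_entry = self._lookup("wIP" if kind == "wIP" else "vIP", p.dst)
        if kind == "wIP" and not (dst_entry and dst_entry.static_wIP):
            return None
        src_entry = self.table.get(p.src)      # the source IP is the sender's rIP
        if src_entry is None or dst_entry is None:
            return None
        return self._rewrite(p, {"src": src_entry.vIP, "dst": dst_entry.rIP})

    def outbound(self, p: Packet) -> Optional[Packet]:
        """(2-2) intranet terminal -> extranet: the source rIP becomes its wIP."""
        src_entry = self.table.get(p.src)
        return None if src_entry is None else self._rewrite(p, {"src": src_entry.wIP})

    def inbound(self, p: Packet) -> Optional[Packet]:
        """(2-3) extranet -> intranet terminal: the destination wIP becomes its rIP."""
        dst_entry = self._lookup("wIP", p.dst)
        return None if dst_entry is None else self._rewrite(p, {"dst": dst_entry.rIP})

def rotate_vips(table: dict[str, TerminalEntry], now: float, interval: float,
                seed: int = 0) -> dict[str, TerminalEntry]:
    """Claim 9: a vIP whose age has reached `interval` is replaced by a random vIP
    from the configured range, redrawn until it repeats no other terminal's vIP."""
    rng = random.Random(seed)                  # seeded only to keep the example repeatable
    in_use = {e.vIP for e in table.values()}
    for e in table.values():
        if now - e.vIPtime >= interval:
            in_use.discard(e.vIP)
            cand = str(VIP_NET[rng.randrange(1, VIP_NET.num_addresses - 1)])
            while cand in in_use:              # duplicate check (submodule 52): redraw
                cand = str(VIP_NET[rng.randrange(1, VIP_NET.num_addresses - 1)])
            e.vIP, e.vIPtime = cand, now
            in_use.add(cand)
    return table

def demo_table() -> dict[str, TerminalEntry]:
    # Constructed sample: a workstation and a printer whose wIP is flagged static.
    return {
        "10.0.0.10": TerminalEntry("10.0.0.10", "10.1.0.77", "203.0.113.10", 0.0),
        "10.0.0.20": TerminalEntry("10.0.0.20", "10.1.0.88", "203.0.113.20", 0.0, True),
    }
```

Running `Translator(demo_table()).intranet(...)` on a packet addressed to the printer's static wIP shows the source rewritten to the sender's vIP and the destination to the printer's rIP, while a packet addressed to an rIP is dropped.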
CN201610062939.XA 2016-01-30 2016-01-30 Network security protection system and network security defence method based on dynamic mapping Active CN105721457B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610062939.XA CN105721457B (en) 2016-01-30 2016-01-30 Network security protection system and network security defence method based on dynamic mapping

Publications (2)

Publication Number Publication Date
CN105721457A true CN105721457A (en) 2016-06-29
CN105721457B CN105721457B (en) 2019-04-30

CN117118746A (en) * 2023-10-20 2023-11-24 明阳时创(北京)科技有限公司 DNS attack defense method, system, medium and device based on dynamic DNAT
CN117118746B (en) * 2023-10-20 2024-01-09 明阳时创(北京)科技有限公司 DNS attack defense method, system, medium and device based on dynamic DNAT

Also Published As

Publication number Publication date
CN105721457B (en) 2019-04-30

Similar Documents

Publication Publication Date Title
CN105721457A (en) Network security defense system and network security defense method based on dynamic transformation
CN101572701B (en) Security gateway system for resisting DDoS attack for DNS service
US20150288604A1 (en) Sensor Network Gateway
EP1722535A2 (en) Method and apparatus for identifying and disabling worms in communication networks
KR20170020309A (en) Sensor network gateway
CN105262738A (en) Router and method for preventing ARP attacks thereof
CN103916490B (en) DNS tamper-proof method and device
CN104506511A (en) Moving target defense system and moving target defense method for SDN (self-defending network)
RU2006143768A (en) AROMATIC RESTRICTION OF THE NETWORK VIOLENT
JP6737610B2 (en) Communication device
CN112688900B (en) Local area network safety protection system and method for preventing ARP spoofing and network scanning
US7596808B1 (en) Zero hop algorithm for network threat identification and mitigation
US20220174072A1 (en) Data Processing Method and Device
CN102984031B (en) Method and device for allowing encoding equipment to be safely accessed to monitoring and control network
KR101064382B1 (en) Arp attack blocking system in communication network and method thereof
CN108574673A (en) ARP message aggression detection method and device applied to gateway
WO2014206152A1 (en) Network safety monitoring method and system
CN103327134A (en) Network data redirection method and device based on DHCP service
Al-Shareeda et al. Sadetection: Security mechanisms to detect slaac attack in ipv6 link-local network
Groat et al. IPv6: nowhere to run, nowhere to hide
Fayyaz et al. Using JPCAP to prevent man-in-the-middle attacks in a local area network environment
WO2015130752A1 (en) Sensor network gateway
US20120096548A1 (en) Network attack detection
US20180212982A1 (en) Network system, network controller, and network control method
CN113132327A (en) Data system configuration guarantee device and data system configuration defense method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170315

Address after: Room 98112, 5th floor, No. 14 Jiuxianqiao Road, Chaoyang District, Beijing 100016

Applicant after: Beijing Weida Information Technology Co., Ltd.

Address before: Room 1902, Building B, Green Waters, Jinye Road, Yanta District, Xi'an, Shaanxi Province 710065

Applicant before: Geng Tongtong

GR01 Patent grant