CN107070905A - A kind of security gateway system for parsing multi-protocols and its application - Google Patents


Info

Publication number: CN107070905A
Authority: CN (China)
Legal status: Pending
Application number: CN201710205413.7A
Other languages: Chinese (zh)
Inventors: 朱书杉, 张小亮, 李若寒, 刘强
Current assignee: Shandong Chaoyue Numerical Control Electronics Co Ltd
Original assignee: Shandong Chaoyue Numerical Control Electronics Co Ltd

Classifications (CPC)

    • H04L63/08 Network architectures or network communication protocols for network security; authentication of entities
    • H04L63/0815 Network security; authentication of entities providing single-sign-on or federations
    • H04L63/20 Network security; managing network security, network security policies in general
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L61/5007 Address allocation; Internet protocol [IP] addresses
    • H04L69/22 Parsing or analysis of headers


Abstract

The present invention relates to a security gateway system that parses multiple protocols, and to its application. The security gateway system of the present invention can parse common communication protocols such as DNP3 and Modbus. Compared with a traditional security gateway, it can be configured with a specific security policy for each device, blocks data tampering and other unauthorized access more effectively, and ensures the security of data exchange between different zones.

Description

A kind of security gateway system for parsing multi-protocols and its application
Technical field
The present invention relates to a security gateway system that parses multiple protocols and to its application, and belongs to the technical field of network security.
Background technology
In the past ten years, with the rapid development of information technology and Internet of Things technology, general-purpose intelligent field instruments and open TCP/IP technology have been widely adopted in industrial control networks. Information-based applications in industry have developed rapidly, and the security risks of industrial systems have become increasingly serious. As industrial dedicated security gateway technology matures, high-performance security gateway products that integrate firewall, VPN, intrusion prevention, anti-junk-data and anti-virus functions will reduce the complexity and cost of use for users and gradually replace the existing firewall, anti-virus and intrusion detection markets.
A shortcoming of conventional TCP/IP networks is that interconnection necessarily brings communication security problems. System complexity, man-made accidents, operational errors, equipment failures and natural disasters can also damage communication security. High-performance security gateway products will promote the development of China's industrial data security and related industries and raise the current level of network security protection. Given the diversity of communication protocols and the complexity of the many kinds of equipment, there are few security gateway devices on the market that can adapt to many industrial system scenarios, and solutions that fully adapt to various communication protocols are lacking.
Summary of the invention
In view of the shortcomings of the prior art, the present invention provides a security gateway system that parses multiple protocols.
The present invention also provides a method of communicating using the above multi-protocol security gateway system.
The technical scheme is as follows:
A security gateway system for parsing multiple protocols, comprising an upper-layer management module, a bottom-layer filtering and protection module and a database module;
The upper-layer management module uses a web interactive configuration server built with the open-source LAMP stack and designed with a B/S (browser/server) architecture; the upper-layer management module implements user settings, system parameter settings, communication policy settings and device log queries through the web interface; the user settings include adding and deleting users; the system parameter settings include setting gateway parameters, serial port information and network interface information; the protected devices are operated according to the configured communication policy; the device log query includes querying and deleting device logs. It provides a good human-machine experience and well embodies the characteristics of an interactive mode. The user settings are used to manage users.
The bottom-layer filtering and protection module implements filtering of source and destination IP addresses, parsing of communication protocols and interaction with the communication policy; it configures the protected devices and records device logs, which are stored in the database module;
The database module stores the device logs of the bottom-layer filtering and protection module and interacts with upper-layer applications for presentation; the upper-layer settings and the bottom-layer configuration are linked through the database module and presented through the upper-layer web interface, and the system parameters and communication policies set by the upper-layer management module are passed to the bottom layer through the database module for execution.
Preferably, the users include administrators and operators; the administrator's permissions include adding and deleting users, modifying user information and changing the login password.
Preferably, the upper-layer management module implements user settings, system parameter settings, policy and rule settings and log queries through its own application software.
Preferably, the device logs include operation logs and business logs; a device log is the log of the protected devices completing a communication process, from establishing a connection with each other onward.
Preferably, the bottom-layer filtering and protection module uses the Linux operating system; the database module is designed using an SQL Server database.
A method of communicating using the above multi-protocol security gateway system, comprising the following steps:
1) The user performs identity authentication; the administrator performs identity authentication through the web management interface and, if authentication passes, enters the system configuration interface to perform system parameter settings and communication policy settings; the operator logs in to the system through the web management interface and performs device operations;
2) When transmitting or receiving data, the bottom-layer filtering and protection module first checks the source IP and the data being transmitted or received against the communication policy; if the source IP is a configured trusted IP, the connection is established; if the data being transmitted or received is business data, the destination IP address is checked, and if the destination IP address is a configured trusted IP address, the transmitted message is encrypted with AES by the main control chip according to the communication policy; after the receiving end receives the message packet, it decrypts the encrypted message according to the communication policy, parses and filters the decrypted message according to the communication protocol, and obtains the message content;
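As an added illustration of the bottom-layer filtering step (this is not code from the patent or its assignee), the following Python model applies a per-device policy to Modbus/TCP traffic: trusted source and destination IPs are checked first, then the MBAP header and PDU are parsed and the function code and start address are filtered against the device's policy, and every verdict is written to a device log. The AES encryption that the patent performs in the main control chip is left out, and all IP addresses, policy fields and sample frames are constructed here.

```python
import struct
from dataclasses import dataclass, field

# Public Modbus function codes used below
READ_HOLDING, READ_INPUT, WRITE_REGISTER = 3, 4, 6
# PDUs of these functions begin with a 16-bit start address
ADDRESSED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}


@dataclass
class DevicePolicy:
    """Per-device policy: the patent configures one policy per protected device."""
    trusted_sources: frozenset      # source IPs allowed to talk to this device
    allowed_functions: frozenset    # Modbus function codes the device may receive
    allowed_units: frozenset        # Modbus unit identifiers behind this device
    max_address: int                # highest register/coil address exposed


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU of a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:    # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


@dataclass
class FilterModule:
    policies: dict                  # destination IP -> DevicePolicy
    device_log: list = field(default_factory=list)

    def _verdict(self, allow: bool, src: str, dst: str, reason: str) -> bool:
        # Every decision is recorded, as the patent stores device logs in the database
        self.device_log.append({"allow": allow, "src": src, "dst": dst, "reason": reason})
        return allow

    def check(self, src: str, dst: str, frame: bytes) -> bool:
        policy = self.policies.get(dst)
        if policy is None:
            return self._verdict(False, src, dst, "destination IP not trusted")
        if src not in policy.trusted_sources:
            return self._verdict(False, src, dst, "source IP not trusted")
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as err:
            return self._verdict(False, src, dst, f"malformed Modbus frame: {err}")
        if msg["unit"] not in policy.allowed_units:
            return self._verdict(False, src, dst, f"unit {msg['unit']} not behind device")
        if msg["function"] not in policy.allowed_functions:
            return self._verdict(False, src, dst, f"function {msg['function']} not permitted")
        if msg["function"] in ADDRESSED_FUNCTIONS:
            if len(msg["data"]) < 2:
                return self._verdict(False, src, dst, "PDU lacks start address")
            start = struct.unpack(">H", msg["data"][:2])[0]
            if start > policy.max_address:
                return self._verdict(False, src, dst, f"address {start} outside device range")
        return self._verdict(True, src, dst, f"function {msg['function']} accepted")


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame; used only to construct sample traffic here."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo_gateway() -> FilterModule:
    """Constructed sample policy: one read-only PLC reachable from one HMI (assumed addresses)."""
    plc_policy = DevicePolicy(
        trusted_sources=frozenset({"192.0.2.10"}),
        allowed_functions=frozenset({READ_HOLDING, READ_INPUT}),
        allowed_units=frozenset({1}),
        max_address=99,
    )
    return FilterModule(policies={"192.0.2.50": plc_policy})


if __name__ == "__main__":
    gw = demo_gateway()
    read = build_frame(1, 1, READ_HOLDING, b"\x00\x00\x00\x0a")   # read 10 registers from 0
    write = build_frame(2, 1, WRITE_REGISTER, b"\x00\x05\x00\x01")  # write register 5
    gw.check("192.0.2.10", "192.0.2.50", read)    # allowed by the read-only policy
    gw.check("192.0.2.10", "192.0.2.50", write)   # blocked: write not permitted
    for entry in gw.device_log:
        print(entry)
```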
Preferably, when the management network communicates data with the control network, based on a whitelist policy, the receiver performs multiple authentication of the sender's identity information and message packet contents by means of stateful inspection, intelligent protocol identification or CA digital authentication, achieving protection of the boundary network.
Preferably, the bottom-layer filtering and protection module also stores the audit logs of the communication process in the database module.
Preferably, in step 1), the means by which the administrator performs identity authentication include a multi-factor identity authentication mechanism of a user name and password plus a USB Key storing the user's private key and digital certificate.
Preferably, in step 1), the operator logs in by user name and password; after 3 consecutive authentication failures the device is locked and can only be used after a restart, and the authentication process is recorded in the operation log.
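The operator lockout of the preferred embodiment, as an added Python model that is not code from the patent: passwords are stored as salted PBKDF2 hashes, three consecutive failures lock the whole device until a restart, and every attempt is written to the operation log. User names, passwords and the hashing parameters are assumed for the illustration.

```python
import hashlib
import hmac
import os
import time

LOCK_AFTER_FAILURES = 3   # the patent locks the device after 3 consecutive failures


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 with an assumed iteration count; the patent does not specify storage
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginController:
    """Operator login with device lockout and operation log, modelled on step 1)."""

    def __init__(self):
        self.users = {}          # name -> {"role": ..., "salt": ..., "hash": ...}
        self.failures = {}       # name -> consecutive failed attempts
        self.locked = False      # device-wide lock, cleared only by restart()
        self.operation_log = []  # (timestamp, user, event)

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"role": role, "salt": salt, "hash": hash_password(password, salt)}

    def _log(self, name: str, event: str) -> None:
        self.operation_log.append((time.time(), name, event))

    def login(self, name: str, password: str):
        """Return the user's role on success, None on failure or while locked."""
        if self.locked:
            self._log(name, "rejected: device locked")
            return None
        user = self.users.get(name)
        # Hash even for unknown names so response time does not reveal valid users
        salt = user["salt"] if user else bytes(16)
        candidate = hash_password(password, salt)
        if user and hmac.compare_digest(candidate, user["hash"]):
            self.failures[name] = 0
            self._log(name, "login success")
            return user["role"]
        self.failures[name] = self.failures.get(name, 0) + 1
        self._log(name, f"login failure {self.failures[name]}")
        if self.failures[name] >= LOCK_AFTER_FAILURES:
            self.locked = True
            self._log(name, "device locked after consecutive failures")
        return None

    def restart(self) -> None:
        # The patent makes the device usable again only after a restart
        self.locked = False
        self.failures.clear()
        self._log("system", "restart; lock cleared")
```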
The beneficial effects of the present invention are:
1. The multi-protocol security gateway system of the present invention can be applied between the management network and the control network to form good isolation between the networks and ensure the security of data transmission; it can also be applied between different components inside the control network to filter, inspect and block control instructions, which enhances the security protection capability of the whole communication system and ensures the security and integrity of data communication;
2. The multi-protocol security gateway system of the present invention uses, as its encryption chip, an SoC integrating multiple high-speed security algorithms and communication interfaces, abandons the traditional data encryption/decryption processing mode, and greatly increases the data encryption/decryption speed;
3. The multi-protocol security gateway system of the present invention can parse common communication protocols such as DNP3 and Modbus; compared with a traditional security gateway it can be configured with a specific security policy for each device, blocks data tampering and other unauthorized access more effectively, and ensures the security of data exchange between different zones.
Brief description of the drawings
Fig. 1 is a block diagram of the multi-protocol security gateway system of the present invention.
Detailed description of the embodiments
The present invention is further described below with reference to the embodiments and the accompanying drawings, but is not limited thereto.
Embodiment 1
As shown in Fig. 1.
A security gateway system for parsing multiple protocols, comprising an upper-layer management module, a bottom-layer filtering and protection module and a database module;
The upper-layer management module uses a web interactive configuration server built with the open-source LAMP stack and designed with a B/S (browser/server) architecture; the upper-layer management module implements user settings, system parameter settings, communication policy settings and device log queries through the web interface; the user settings include adding and deleting users; the system parameter settings include setting gateway parameters, serial port information and network interface information; the protected devices are operated according to the configured communication policy; the device log query includes querying and deleting device logs. It provides a good human-machine experience and well embodies the characteristics of an interactive mode. The user settings are used to manage users.
The bottom-layer filtering and protection module implements filtering of source and destination IP addresses, parsing of communication protocols and interaction with the communication policy; it configures the protected devices and records device logs, which are stored in the database module;
The database module stores the device logs of the bottom-layer filtering and protection module and interacts with upper-layer applications for presentation; the upper-layer settings and the bottom-layer configuration are linked through the database module and presented through the upper-layer web interface, and the system parameters and communication policies set by the upper-layer management module are passed to the bottom layer through the database module for execution.
Embodiment 2
The multi-protocol security gateway system as described in Embodiment 1, except that the users include administrators and operators; the administrator's permissions include adding and deleting users, modifying user information and changing the login password.
Embodiment 3
The multi-protocol security gateway system as described in Embodiment 1, except that the upper-layer management module implements user settings, system parameter settings, policy and rule settings and log queries through its own application software.
Embodiment 4
The multi-protocol security gateway system as described in Embodiment 1, except that the device logs include operation logs and business logs; a device log is the log of the protected devices completing a communication process, from establishing a connection with each other onward.
Embodiment 5
The multi-protocol security gateway system as described in Embodiment 1, except that the bottom-layer filtering and protection module uses the Linux operating system; the database module is designed using an SQL Server database.
Embodiment 6
A method of communicating using the multi-protocol security gateway system described in Embodiments 1-5, comprising the following steps:
1) The user performs identity authentication; the administrator performs identity authentication through the web management interface and, if authentication passes, enters the system configuration interface to perform system parameter settings and communication policy settings; the operator logs in to the system through the web management interface and performs device operations;
2) When transmitting or receiving data, the bottom-layer filtering and protection module first checks the source IP and the data being transmitted or received against the communication policy; if the source IP is a configured trusted IP, the connection is established; if the data being transmitted or received is business data, the destination IP address is checked, and if the destination IP address is a configured trusted IP address, the transmitted message is encrypted with AES by the main control chip according to the communication policy; after the receiving end receives the message packet, it decrypts the encrypted message according to the communication policy, parses and filters the decrypted message according to the communication protocol, and obtains the message content;
Embodiment 7
The method of communicating using the multi-protocol security gateway system as described in Embodiment 6, except that when the management network communicates data with the control network, based on a whitelist policy, the receiver performs multiple authentication of the sender's identity information and message packet contents by means of stateful inspection, intelligent protocol identification or CA digital authentication, achieving protection of the boundary network.
Embodiment 8
The method of communicating using the multi-protocol security gateway system as described in Embodiment 6, except that the bottom-layer filtering and protection module also stores the audit logs of the communication process in the database module.
Embodiment 9
The method of communicating using the multi-protocol security gateway system as described in Embodiment 6, except that in step 1) the means by which the administrator performs identity authentication include a multi-factor identity authentication mechanism of a user name and password plus a USB Key storing the user's private key and digital certificate.
Embodiment 10
The method of communicating using the multi-protocol security gateway system as described in Embodiment 6, except that in step 1) the operator logs in by user name and password; after 3 consecutive authentication failures the device is locked and can only be used after a restart, and the authentication process is recorded in the operation log.

Claims (10)

1. A security gateway system for parsing multiple protocols, characterised in that it comprises an upper-layer management module, a bottom-layer filtering and protection module and a database module; the upper-layer management module uses a web interactive configuration server built with the open-source LAMP stack and designed with a B/S architecture; the upper-layer management module implements user settings, system parameter settings, communication policy settings and device log queries through the web interface; the user settings include adding and deleting users; the system parameter settings include setting gateway parameters, serial port information and network interface information; the protected devices are operated according to the configured communication policy; the device log query includes querying and deleting device logs; the bottom-layer filtering and protection module implements filtering of source and destination IP addresses, parsing of communication protocols and interaction with the communication policy; it configures the protected devices and records device logs, which are stored in the database module; the database module stores the device logs of the bottom-layer filtering and protection module and interacts with upper-layer applications for presentation; the upper-layer settings and the bottom-layer configuration are linked through the database module and presented through the upper-layer web interface, and the system parameters and communication policies set by the upper-layer management module are passed to the bottom layer through the database module for execution.
2. The security gateway system for parsing multiple protocols according to claim 1, characterised in that the users include administrators and operators; the administrator's permissions include adding and deleting users, modifying user information and changing the login password.
3. The security gateway system for parsing multiple protocols according to claim 1, characterised in that the upper-layer management module implements user settings, system parameter settings, policy and rule settings and log queries through its own application software.
4. The security gateway system for parsing multiple protocols according to claim 1, characterised in that the device logs include operation logs and business logs; a device log is the log of the protected devices completing a communication process, from establishing a connection with each other onward.
5. The security gateway system for parsing multiple protocols according to claim 1, characterised in that the bottom-layer filtering and protection module uses the Linux operating system; the database module is designed using an SQL Server database.
6. A method of communicating using the multi-protocol security gateway system according to any one of claims 1-5, characterised in that it comprises the following steps:
1) The user performs identity authentication; the administrator performs identity authentication through the web management interface and, if authentication passes, enters the system configuration interface to perform system parameter settings and communication policy settings; the operator logs in to the system through the web management interface and performs device operations;
2) When transmitting or receiving data, the bottom-layer filtering and protection module first checks the source IP and the data being transmitted or received against the communication policy; if the source IP is a configured trusted IP, the connection is established; if the data being transmitted or received is business data, the destination IP address is checked, and if the destination IP address is a configured trusted IP address, the transmitted message is encrypted with AES by the main control chip according to the communication policy; after the receiving end receives the message packet, it decrypts the encrypted message according to the communication policy, parses and filters the decrypted message according to the communication protocol, and obtains the message content.
7. The method of communicating using the multi-protocol security gateway system according to claim 6, characterised in that when the management network communicates data with the control network, based on a whitelist policy, the receiver performs multiple authentication of the sender's identity information and message packet contents by means of stateful inspection, intelligent protocol identification or CA digital authentication, achieving protection of the boundary network.
8. The method of communicating using the multi-protocol security gateway system according to claim 6, characterised in that the bottom-layer filtering and protection module also stores the audit logs of the communication process in the database module.
9. The method of communicating using the multi-protocol security gateway system according to claim 6, characterised in that in step 1) the means by which the administrator performs identity authentication include a multi-factor identity authentication mechanism of a user name and password plus a USB Key storing the user's private key and digital certificate.
10. The method of communicating using the multi-protocol security gateway system according to claim 6, characterised in that in step 1) the operator logs in by user name and password; after 3 consecutive authentication failures the device is locked and can only be used after a restart, and the authentication process is recorded in the operation log.
Dates and family

Priority date: 2017-03-31
Filing date: 2017-03-31
Publication date: 2017-08-18
Family ID: 59601478
Country status: CN, CN107070905A, pending


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170818