CN109104424A - Security protection method and device for OPC communication - Google Patents


Info

Publication number: CN109104424A
Authority: CN (China)
Prior art keywords: opc, data packet, data packets, communication data, dec
Legal status: Granted
Application number: CN201810916163.2A
Other languages: Chinese (zh)
Other versions: CN109104424B (en)
Inventors: 马纳, 章维, 罗冰, 陆卫军
Current assignee: Zhongkong Technology Co Ltd
Original assignee: Zhejiang Supcon Technology Co Ltd
Events: application filed by Zhejiang Supcon Technology Co Ltd; priority to CN201810916163.2A; publication of CN109104424A; application granted; publication of CN109104424B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application provides a security protection method and device for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server. The method comprises: when an OPC communication packet is received, checking the legality of the preset multi-tuple information of the OPC communication packet; when the preset multi-tuple information of the OPC communication packet is legal, checking the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification; and when the DCE/RPC data format of the OPC communication packet is legal, forwarding the OPC communication packet. Filtering out OPC communication packets whose preset multi-tuple information or DCE/RPC data format is illegal reduces the security risk of the OPC communication protocol.

Description

Security protection method and device for OPC communication
Technical field
The present invention relates to the technical field of data security, and in particular to a security protection method and device for OPC communication.
Background technique
With the rapid development of informatization and its deep integration with industrialization, industrial control systems use more and more standard, open communication protocols, and the security risks present in those communication protocols have become increasingly prominent. Among them, the OPC Classic specification (hereinafter, the OPC specification), an industrial standard that provides open, unified standard interfaces between field devices, automatic control applications and enterprise management application software, is widely used in the control field.
Many companies in the industrial control field have released products that conform to the OPC technical specification; these are generally developed and designed on the basis of Microsoft's DCOM distributed automatic control technology. However, because DCOM was designed before network security problems were widely recognized, it is easily subjected to network attacks.
Summary of the invention
In view of this, the invention discloses a security protection method and device for OPC communication. By analysing the underlying communication protocol DCE/RPC and the DCOM mechanism, it proposes a method of OPC communication security protection that reduces the security risk of the OPC communication protocol.
To achieve the above object of the invention, the specific technical solution provided by the invention is as follows:
A security protection method for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server, the method comprising:
when an OPC communication packet is received, checking the legality of the preset multi-tuple information of the OPC communication packet;
when the preset multi-tuple information of the OPC communication packet is legal, checking the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification;
when the DCE/RPC data format of the OPC communication packet is legal, forwarding the OPC communication packet.
Optionally, the preset multi-tuple information of the OPC communication packet comprises: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol; and checking the legality of the preset multi-tuple information of the OPC communication packet comprises:
according to a pre-established IP-MAC address binding list, checking whether the correspondence between the destination IP address and the destination MAC address in the OPC communication packet is legal, and checking whether the correspondence between the source IP address and the source MAC address in the OPC communication packet is legal;
according to a pre-established security policy table, judging whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC communication packet satisfy an ACL access rule of the security policy table; if so, the preset multi-tuple information of the OPC communication packet is legal.
Optionally, checking the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification comprises:
extracting the DCE/RPC protocol application layer data from the OPC communication packet;
checking whether the format of the DCE/RPC protocol application layer data is legal;
when the OPC communication packet was sent by the OPC client, judging whether the type of the OPC communication packet is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet;
when the OPC communication packet was sent by the OPC server, judging whether the type of the OPC communication packet is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet.
Optionally, when packet authentication information is present in the DCE/RPC protocol application layer data, checking the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification further comprises:
checking the legality of the packet authentication information in the DCE/RPC protocol application layer data.
Optionally, before the OPC communication packet is forwarded, the method further comprises:
when the destination port of the OPC communication packet is an OPC dynamic port and the OPC communication packet is a Request packet, checking the validity of the Request packet;
when the Request packet is valid, checking the legality of the OPC command in the Request packet.
Optionally, checking the validity of the Request packet comprises:
judging whether the OPC interface corresponding to the OPC command in the Request packet has been registered;
if it has been registered, the Request packet is valid;
if it has not been registered, the Request packet is not valid.
Optionally, checking the legality of the OPC command in the Request packet comprises:
identifying the OPC interface identifier corresponding to the Request packet, and determining and recording the context identifier in the Request packet that corresponds to that OPC interface identifier;
determining, from the context identifier and the operation number information in the Request packet, the OPC command issued by the Request packet;
checking the legality of the OPC command against an OPC command access control list.
Optionally, the method further comprises:
when the source port of the OPC communication packet is port 135 and the OPC communication packet is a Response packet, judging whether the request answered by the Response packet has been registered;
if it has been registered, judging whether the Response packet contains a dynamic port;
if it contains a dynamic port, generating an ACL access rule from the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet, writing the ACL access rule into the security policy table, and opening the dynamic port.
Optionally, the method further comprises:
when the OPC client has not, within a preset time, sent a SimplePing command through the IObjectExporter interface to keep the dynamic port of the OPC server alive, deleting the ACL access rule corresponding to the dynamic port and closing the dynamic port.
A security protection device for OPC communication, comprising:
a tuple information detection unit, for checking, when an OPC communication packet is received, the legality of the preset multi-tuple information of the OPC communication packet;
a DCE/RPC format detection unit, for checking, when the preset multi-tuple information of the OPC communication packet is legal, the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification;
a packet forwarding unit, for forwarding the OPC communication packet when its DCE/RPC data format is legal.
Optionally, the preset multi-tuple information of the OPC communication packet comprises: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol. The tuple information detection unit is specifically used for: according to a pre-established IP-MAC address binding list, checking whether the correspondence between the destination IP address and the destination MAC address in the OPC communication packet is legal, and checking whether the correspondence between the source IP address and the source MAC address in the OPC communication packet is legal; and, according to a pre-established security policy table, judging whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC communication packet satisfy an ACL access rule of the security policy table; if so, the preset multi-tuple information of the OPC communication packet is legal.
Optionally, the DCE/RPC format detection unit is specifically used for extracting the DCE/RPC protocol application layer data from the OPC communication packet; checking whether the format of the DCE/RPC protocol application layer data is legal; when the OPC communication packet was sent by the OPC client, judging whether its type is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet; and when the OPC communication packet was sent by the OPC server, judging whether its type is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet.
Optionally, when packet authentication information is present in the DCE/RPC protocol application layer data, the DCE/RPC format detection unit is also used for checking the legality of the packet authentication information in the DCE/RPC protocol application layer data.
Optionally, the device further comprises:
a Request packet detection unit, for checking the validity of the Request packet when the destination port of the OPC communication packet is an OPC dynamic port and the OPC communication packet is a Request packet;
an OPC command detection unit, for checking the legality of the OPC command in the Request packet when the Request packet is valid.
Optionally, the Request packet detection unit is specifically used for determining that the OPC client may access the OPC dynamic port, and that the Request packet is valid, when the OPC client has sent to the OPC server a Bind packet containing the OPC dynamic port and has received a Bind_ack packet fed back by the OPC server; or when the OPC client has sent to the OPC server an Alter_context packet containing the OPC dynamic port and has received an Alter_context_response packet fed back by the OPC server.
Optionally, the OPC command detection unit is specifically used for identifying the OPC interface identifier corresponding to the Request packet, determining and recording the context identifier in the Request packet that corresponds to that OPC interface identifier; determining, from the context identifier and the operation number information in the Request packet, the OPC command issued by the Request packet; and checking the legality of the OPC command against an OPC command access control list.
Optionally, the device further comprises:
a dynamic port identification unit, for judging, when the source port of the OPC communication packet is port 135 and the OPC communication packet is a Response packet, whether the request answered by the Response packet has been registered; if it has been registered, judging whether the Response packet contains a dynamic port; and if it contains a dynamic port, generating an ACL access rule from the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet and writing the ACL access rule into the security policy table.
Optionally, the device further comprises:
a dynamic port maintenance unit, for deleting the ACL access rule corresponding to the dynamic port and closing the dynamic port when the OPC client has not, within a preset time, sent a SimplePing command through the IObjectExporter interface to keep the dynamic port of the OPC server alive.
Compared with the prior art, the beneficial effects of the invention are as follows:
The security protection method and device for OPC communication disclosed by the invention analyse the underlying communication protocol of OPC communication, the DCE/RPC protocol, check the legality of the preset multi-tuple information of OPC communication packets, check the legality of their DCE/RPC data format according to the DCE/RPC protocol specification, and discard illegal packets, thereby preventing illegal packets from carrying out network attacks against the underlying DCE/RPC protocol and reducing the security risk of the OPC communication protocol.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a security protection method for OPC communication disclosed by an embodiment of the invention;
Fig. 2 is a flow diagram of another security protection method for OPC communication disclosed by an embodiment of the invention;
Fig. 3 is a flow diagram of yet another security protection method for OPC communication disclosed by an embodiment of the invention;
Fig. 4 is a schematic diagram of a security protection device for OPC communication disclosed by an embodiment of the invention.
Specific embodiments
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
Referring to Fig. 1, this embodiment discloses a security protection method for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server. The method specifically comprises the following steps:
S101: when an OPC communication packet is received, check the legality of the preset multi-tuple information of the OPC communication packet;
The OPC communication packet may have been sent by the OPC client or by the OPC server.
The preset multi-tuple information of the OPC communication packet comprises: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol. On this basis, checking the legality of the 7-tuple information of the OPC communication packet specifically comprises the following steps:
according to a pre-established IP-MAC address binding list, checking whether the correspondence between the destination IP address and the destination MAC address in the OPC communication packet is legal, and checking whether the correspondence between the source IP address and the source MAC address in the OPC communication packet is legal;
according to a pre-established security policy table, judging whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC communication packet satisfy an ACL access rule of the security policy table; if so, the preset multi-tuple information of the OPC communication packet is legal.
It can be understood that when the correspondence between the destination IP address and the destination MAC address in the OPC communication packet is recorded in the IP-MAC address binding list, that correspondence is legal; when the correspondence between the source IP address and the source MAC address in the OPC communication packet is recorded in the IP-MAC address binding list, that correspondence is legal; otherwise it is illegal.
It should be noted that the security policy table records correspondences between destination IP address, source IP address, destination port, source port and transport layer protocol type. If the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC communication packet satisfy an ACL access rule in the security policy table, and the IP-MAC correspondences in the OPC communication packet are legal, the preset multi-tuple information of the OPC communication packet is legal.
S102: when the preset multi-tuple information of the OPC communication packet is legal, check the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification;
It should be noted that when the preset multi-tuple information of the OPC communication packet is illegal, or the DCE/RPC data format of the OPC communication packet is illegal, the OPC communication packet is discarded.
The DCE/RPC protocol is the underlying protocol of DCOM. When the DCE/RPC data format of an OPC communication packet is illegal, the OPC communication packet is illegal and unsafe, and discarding it ensures the security of OPC communication.
Specifically, checking the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification comprises:
extracting the DCE/RPC protocol application layer data from the OPC communication packet; specifically, extracting the header information (PDU Header) and the data length of the DCE/RPC protocol application layer data.
checking whether the format of the DCE/RPC protocol application layer data is legal; the basis for the check includes the header information of the DCE/RPC protocol application layer data and the length specification of the DCE/RPC protocol application layer data.
when the OPC communication packet was sent by the OPC client, judging whether the type of the OPC communication packet is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet;
when the OPC communication packet was sent by the OPC server, judging whether the type of the OPC communication packet is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet.
It can be understood that when the OPC communication packet was sent by the OPC client and its type is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet, the DCE/RPC data format of the OPC communication packet is legal. When the OPC communication packet was sent by the OPC server and its type is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet, the DCE/RPC data format of the OPC communication packet is legal.
It should be noted that when packet authentication information is present in the DCE/RPC protocol application layer data, checking the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification further comprises: checking the legality of the packet authentication information in the DCE/RPC protocol application layer data.
S103: when the DCE/RPC data format of the OPC communication packet is legal, forward the OPC communication packet.
It can be understood that when the OPC communication packet was sent by the OPC client, it is forwarded to the corresponding OPC server; when the OPC communication packet was sent by the OPC server, it is forwarded to the corresponding OPC client.
The security protection method for OPC communication disclosed in this embodiment analyses the underlying communication protocol of OPC communication, the DCE/RPC protocol, checks the legality of the preset multi-tuple information of OPC communication packets, checks the legality of their DCE/RPC data format according to the DCE/RPC protocol specification, and discards illegal packets, thereby preventing illegal packets from carrying out network attacks against the underlying DCE/RPC protocol and reducing the security risk of the OPC communication protocol.
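The S101 to S103 pipeline of Fig. 1 (and the corresponding checks in the summary), as an added Python example that is not code from the patent: a constructed IP-MAC binding list and security policy table, a parser for the 16-byte DCE/RPC common header, the per-sender PDU type allowlist, and the authentication-trailer check. The build_pdu helper, the MAC/IP addresses and the ACL rule are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Connection-oriented DCE/RPC PDU types (DCE 1.1 RPC specification, C706 section 12.6).
PTYPE = {
    0: "Request", 2: "Response", 3: "Fault", 11: "Bind", 12: "Bind_ack",
    13: "Bind_nak", 14: "Alter_context", 15: "Alter_context_response",
    17: "Shutdown", 18: "Cancel", 19: "Orphaned",
}
# PDU types the page allows per sender (its step S102). C706 itself sends Shutdown
# server-to-client and Orphaned client-to-server, so a deployment following the
# specification would swap those two entries; the allowlist is data, not code.
ALLOWED = {
    "client": {"Bind", "Alter_context", "Request", "Shutdown", "Cancel"},
    "server": {"Response", "Fault", "Bind_ack", "Bind_nak", "Orphaned"},
}
COMMON_HEADER_LEN = 16   # rpc_vers .. call_id
SEC_TRAILER_LEN = 8      # auth_type, auth_level, auth_pad_length, reserved, auth_context_id


@dataclass(frozen=True)
class Tuple7:
    """The page's preset 7-tuple of an OPC communication packet."""
    dst_mac: str
    src_mac: str
    dst_ip: str
    src_ip: str
    dst_port: int
    src_port: int
    proto: str


# Constructed sample tables (not from the page): the IP-MAC binding list and the
# security policy table, whose ACL rules are (dst_ip, src_ip, dst_port, src_port,
# proto) with None meaning "any port".
IP_MAC_BINDINGS = {"172.0.20.1": "00:11:22:33:44:01", "172.0.20.10": "00:11:22:33:44:10"}
ACL_RULES = {("172.0.20.10", "172.0.20.1", 135, None, "tcp")}


def tuple7_legal(t: Tuple7) -> bool:
    """S101: both IP-MAC correspondences must be in the binding list and the
    remaining five fields must satisfy an ACL rule of the security policy table."""
    if IP_MAC_BINDINGS.get(t.dst_ip) != t.dst_mac or IP_MAC_BINDINGS.get(t.src_ip) != t.src_mac:
        return False
    return any(r[0] == t.dst_ip and r[1] == t.src_ip and r[4] == t.proto
               and r[2] in (None, t.dst_port) and r[3] in (None, t.src_port)
               for r in ACL_RULES)


def parse_pdu_header(data: bytes) -> Optional[dict]:
    """Parse the 16-byte DCE/RPC common header; None if it is malformed."""
    if len(data) < COMMON_HEADER_LEN:
        return None
    vers, ptype = data[0], data[2]
    little = bool(data[4] & 0x10)      # packed_drep byte 0, bit 4: integer byte order
    frag_len, auth_len, call_id = struct.unpack("<HHI" if little else ">HHI", data[8:16])
    if vers != 5 or ptype not in PTYPE:
        return None
    return {"ptype": PTYPE[ptype], "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def dcerpc_format_legal(data: bytes, sender: str) -> bool:
    """S102: header and length sanity, sender-dependent PDU type allowlist and,
    when an authentication trailer is present, its basic legality."""
    hdr = parse_pdu_header(data)
    if hdr is None or hdr["frag_len"] != len(data):
        return False                    # declared fragment length must match the data
    if hdr["ptype"] not in ALLOWED[sender]:
        return False
    if hdr["auth_len"]:
        # The trailer (8-byte sec_trailer followed by auth_len credential bytes) sits at
        # the end of the fragment and must fit after the common header.
        if COMMON_HEADER_LEN + SEC_TRAILER_LEN + hdr["auth_len"] > hdr["frag_len"]:
            return False
        off = hdr["frag_len"] - hdr["auth_len"] - SEC_TRAILER_LEN
        auth_type, auth_level = data[off], data[off + 1]
        if auth_type == 0 or not 1 <= auth_level <= 6:   # C706 auth levels: none .. pkt_privacy
            return False
    return True


def filter_packet(t: Tuple7, data: bytes, sender: str) -> str:
    """S101 -> S102 -> S103 as one decision: which check rejected the packet, or 'forward'."""
    if not tuple7_legal(t):
        return "drop:tuple"
    if not dcerpc_format_legal(data, sender):
        return "drop:format"
    return "forward"


def build_pdu(ptype: int, body: bytes, auth: bytes = b"", auth_type: int = 0,
              auth_level: int = 0, call_id: int = 1) -> bytes:
    """Constructed helper: assemble a little-endian PDU, optionally with an auth trailer."""
    trailer = bytes([auth_type, auth_level, 0, 0]) + struct.pack("<I", 1) + auth if auth else b""
    frag_len = COMMON_HEADER_LEN + len(body) + len(trailer)
    header = bytes([5, 0, ptype, 0x03, 0x10, 0, 0, 0]) + struct.pack("<HHI", frag_len, len(auth), call_id)
    return header + body + trailer


# Constructed client-to-server 7-tuple that matches the sample tables above.
CLIENT_TO_SERVER = Tuple7("00:11:22:33:44:10", "00:11:22:33:44:01",
                          "172.0.20.10", "172.0.20.1", 135, 49200, "tcp")
```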
Referring to Fig. 2, this embodiment discloses another security protection method for OPC communication, which specifically comprises the following steps:
S201: receive an OPC communication packet;
S202: judge whether the preset multi-tuple information of the OPC communication packet is legal;
if not, S203: discard the OPC communication packet;
if so, S204: judge, according to the DCE/RPC protocol specification, whether the DCE/RPC data format of the OPC communication packet is legal;
if not, S203: discard the OPC communication packet;
if so, S205: judge whether the destination port of the OPC communication packet is an OPC dynamic port;
if not, S206: forward the OPC communication packet.
if so, S207: judge whether the OPC communication packet is a Request packet;
if not, S206: forward the OPC communication packet.
if so, S208: judge whether the Request packet is valid;
Specifically, one method of judging whether the Request packet is valid is: when the OPC client has sent to the OPC server a Bind packet containing the OPC dynamic port and has received a Bind_ack packet fed back by the OPC server, it is determined that the OPC client may access the OPC dynamic port and the Request packet is valid.
Another method of judging whether the Request packet is valid is: when the OPC client has sent to the OPC server an Alter_context packet containing the OPC dynamic port and has received an Alter_context_response packet fed back by the OPC server, it is determined that the OPC client may access the OPC dynamic port and the Request packet is valid.
It should be noted that, by sending a Bind packet or an Alter_context packet to the OPC server, the OPC client asks whether the OPC server supports access to the corresponding OPC dynamic port. If the OPC server feeds back a Bind_ack packet or an Alter_context_response packet, it is determined that the OPC client may access the OPC dynamic port and the Request packet is valid.
if not, S203: discard the OPC communication packet.
if so, S209: judge whether the OPC command in the Request packet is legal;
Specifically, checking the legality of the OPC command in the Request packet comprises: identifying the OPC interface identifier corresponding to the Request packet, and determining and recording the context identifier in the Request packet that corresponds to that OPC interface identifier; determining, from the context identifier and the operation number information in the Request packet, the OPC command issued by the Request packet; and checking the legality of the OPC command against an OPC command access control list.
if legal, S206: forward the OPC communication packet.
if illegal, S203: discard the OPC communication packet.
It should be noted that, as shown in Table 1, the OPC command access control list comprises OPC command information, a client address and a server address.
Table 1: OPC command access control list
OPC command            | Client address | Server address
IOPCServer::AddGroup() | 172.0.20.1     | 172.0.20.10
IOPCItemIO::Read()     | 172.0.20.2     | 172.0.20.11
...                    | ...            | ...
The security protection method for OPC communication disclosed in this embodiment establishes an OPC command access control list, implements access control over OPC commands and filters out illegal OPC commands, thereby guaranteeing the security of OPC communication.
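Steps S205 to S209 of Fig. 2 together with Table 1 (and the Request validity and OPC command checks of the summary), as an added Python example that is not the patent's code: the firewall records the context identifiers proposed in the client's Bind or Alter_context, treats an interface as registered only after the server's Bind_ack or Alter_context_response accepts that context, then resolves a Request's context identifier and operation number to an OPC command and checks it against Table 1. The interface identifiers, the operation-number table and the already-open dynamic port are constructed placeholders, and PDUs are passed in already parsed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Interface identifier -> {operation number: OPC command}. The identifiers are
# constructed placeholders, not the real OPC interface UUIDs; operation numbers
# 0-2 belong to IUnknown and therefore never name an OPC command.
OPNUM_TABLE = {
    "iid-IOPCServer-placeholder": {3: "IOPCServer::AddGroup()"},
    "iid-IOPCItemIO-placeholder": {3: "IOPCItemIO::Read()"},
}
# Table 1 of the page: (OPC command, client address, server address).
OPC_COMMAND_ACL = {
    ("IOPCServer::AddGroup()", "172.0.20.1", "172.0.20.10"),
    ("IOPCItemIO::Read()", "172.0.20.2", "172.0.20.11"),
}
# Constructed: server dynamic ports already opened by the Fig. 3 procedure.
DYNAMIC_PORTS = {49152}


@dataclass
class Pdu:
    """Already-parsed fields of one DCE/RPC PDU, normalised so that `client` and
    `server` name the two ends regardless of which one sent the PDU."""
    ptype: str
    client: str
    server: str
    port: int                                            # server-side TCP port
    ctx: Dict[int, str] = field(default_factory=dict)    # Bind/Alter_context: ctx_id -> interface
    accepted: Set[int] = field(default_factory=set)      # Bind_ack/Alter_context_response: accepted ctx_ids
    ctx_id: Optional[int] = None                         # Request: presentation context id
    opnum: Optional[int] = None                          # Request: operation number


class RequestFilter:
    """S205-S209 of the page: validity of a Request on a dynamic port, then the OPC
    command ACL. An interface counts as registered only once the server has
    acknowledged the client's Bind or Alter_context for that context id."""

    def __init__(self) -> None:
        self.pending: Dict[tuple, Dict[int, str]] = {}   # proposed, not yet acknowledged
        self.bound: Dict[tuple, Dict[int, str]] = {}     # acknowledged by the server

    def handle(self, pdu: Pdu) -> str:
        key = (pdu.client, pdu.server, pdu.port)
        if pdu.ptype in ("Bind", "Alter_context"):
            self.pending.setdefault(key, {}).update(pdu.ctx)
            return "forward"
        if pdu.ptype in ("Bind_ack", "Alter_context_response"):
            proposed = self.pending.pop(key, {})
            for cid in pdu.accepted:
                if cid in proposed:
                    self.bound.setdefault(key, {})[cid] = proposed[cid]
            return "forward"
        if pdu.port not in DYNAMIC_PORTS or pdu.ptype != "Request":
            return "forward"        # S205/S207: only Requests to a dynamic port are inspected
        iface = self.bound.get(key, {}).get(pdu.ctx_id)
        if iface is None:           # S208: interface never registered -> Request not valid
            return "drop:unregistered-interface"
        command = OPNUM_TABLE.get(iface, {}).get(pdu.opnum)   # S209: resolve the OPC command
        if command is None or (command, pdu.client, pdu.server) not in OPC_COMMAND_ACL:
            return "drop:command-acl"
        return "forward"


def run_scenario() -> List[str]:
    """Constructed exchange: Bind, premature Request, Bind_ack, then allowed and denied Requests."""
    f = RequestFilter()
    c, s, p, iid = "172.0.20.1", "172.0.20.10", 49152, "iid-IOPCServer-placeholder"
    return [
        f.handle(Pdu("Bind", c, s, p, ctx={0: iid})),
        f.handle(Pdu("Request", c, s, p, ctx_id=0, opnum=3)),           # before the Bind_ack
        f.handle(Pdu("Bind_ack", c, s, p, accepted={0})),
        f.handle(Pdu("Request", c, s, p, ctx_id=0, opnum=3)),           # AddGroup, listed in Table 1
        f.handle(Pdu("Request", c, s, p, ctx_id=0, opnum=7)),           # opnum not mapped to a command
        f.handle(Pdu("Request", "172.0.20.2", s, p, ctx_id=0, opnum=3)),  # other client, no binding
        f.handle(Pdu("Request", c, s, 135, ctx_id=0, opnum=3)),         # not a dynamic port: S205 -> forward
    ]
```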
Referring to Fig. 3, this embodiment discloses yet another security protection method for OPC communication, which specifically comprises the following steps:
S301: receive an OPC communication packet;
S302: judge whether the preset multi-tuple information of the OPC communication packet is legal;
if not, S303: discard the OPC communication packet;
if so, S304: judge, according to the DCE/RPC protocol specification, whether the DCE/RPC data format of the OPC communication packet is legal;
if not, S303: discard the OPC communication packet;
if so, S305: judge whether the source port of the OPC communication packet is port 135;
if not, S306: forward the OPC communication packet.
if so, S307: judge whether the OPC communication packet is a Response packet;
if not, S306: forward the OPC communication packet.
if so, S308: judge whether the request answered by the Response packet has been registered;
if not registered, S303: discard the OPC communication packet;
if registered, S309: judge whether the Response packet contains a dynamic port;
if not, S306: forward the OPC communication packet.
if so, S310: generate an ACL access rule from the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet, write the ACL access rule into the security policy table, and execute S306.
It should be noted that writing the ACL access rule into the security policy table opens the dynamic port, so as to allow packets that satisfy the ACL access rule to pass through the OPC firewall.
It should also be noted that dynamic port identification further includes maintaining the state of the dynamic port: when the OPC client has not, within a preset time, sent a SimplePing command through the IObjectExporter interface to keep the dynamic port of the OPC server alive, the ACL access rule corresponding to the dynamic port is deleted, thereby closing the dynamic port.
The security protection method for OPC communication disclosed in this embodiment dynamically identifies the open or closed state of the OPC server's access ports and manages their lifecycle, including opening and closing, so that the number of dynamic ports left open is minimized; this solves the problem that traditional firewalls cannot effectively protect OPC dynamic ports.
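The Fig. 3 dynamic port lifecycle (steps S305 to S310 plus the keep-alive note above), as an added Python example that is not the patent's code: a Response from port 135 is matched against a registered request, the learned port is opened by writing an ACL rule into the security policy table, a SimplePing refreshes the rule, and expire() deletes rules whose keep-alive is older than the preset time. The rule layout (client and server address plus the learned port), the injected clock and the 120-second timeout are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

EPMAP_PORT = 135   # DCE/RPC endpoint mapper: the source port tested in step S305


@dataclass(frozen=True)
class AclRule:
    """One ACL access rule of the security policy table (None = any port)."""
    dst_ip: str
    src_ip: str
    dst_port: Optional[int]
    src_port: Optional[int]
    proto: str


class DynamicPortManager:
    """Fig. 3 of the page: learn an OPC dynamic port from an endpoint-mapper Response,
    open it by writing an ACL rule, keep it alive on SimplePing and close it when no
    SimplePing arrives within the preset time."""

    def __init__(self, keepalive_timeout: float, clock: Callable[[], float]) -> None:
        self.timeout = keepalive_timeout
        self.clock = clock
        self.pending: Set[Tuple[str, str, int]] = set()   # registered (client, server, call_id)
        # (client, server, dynamic port) -> (rule written to the policy table, last keep-alive time)
        self.rules: Dict[Tuple[str, str, int], Tuple[AclRule, float]] = {}

    def register_request(self, client: str, server: str, call_id: int) -> None:
        """Record a forwarded client Request to port 135 so that its Response can be matched."""
        self.pending.add((client, server, call_id))

    def on_epmap_response(self, client: str, server: str, call_id: int,
                          dynamic_port: Optional[int], proto: str = "tcp") -> str:
        """S305-S310: a Response with source port 135 sent by `server` to `client`."""
        if (client, server, call_id) not in self.pending:
            return "drop"                 # S308: it answers no registered request
        self.pending.discard((client, server, call_id))
        if dynamic_port is None:
            return "forward"              # S309: no dynamic port in the reply
        # S310: the rule lets the client reach the learned server port (assumed layout).
        rule = AclRule(dst_ip=server, src_ip=client, dst_port=dynamic_port, src_port=None, proto=proto)
        self.rules[(client, server, dynamic_port)] = (rule, self.clock())
        return "forward"

    def on_simple_ping(self, client: str, server: str) -> None:
        """Keep-alive: a SimplePing via IObjectExporter refreshes the client's ports on that server."""
        now = self.clock()
        for key, (rule, _) in list(self.rules.items()):
            if key[0] == client and key[1] == server:
                self.rules[key] = (rule, now)

    def expire(self) -> List[int]:
        """Delete rules whose last keep-alive is older than the timeout; returns the closed ports."""
        now = self.clock()
        stale = [key for key, (_, seen) in self.rules.items() if now - seen > self.timeout]
        for key in stale:
            del self.rules[key]
        return [key[2] for key in stale]

    def is_open(self, client: str, server: str, port: int) -> bool:
        return (client, server, port) in self.rules

    def security_policy_table(self) -> Set[AclRule]:
        return {rule for rule, _ in self.rules.values()}


class FakeClock:
    """Constructed clock so that the timeout behaviour can be stepped deterministically."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_scenario() -> dict:
    """Constructed sequence: unregistered Response, learning, keep-alive, expiry."""
    clock = FakeClock()
    mgr = DynamicPortManager(keepalive_timeout=120.0, clock=clock)
    c, s = "172.0.20.1", "172.0.20.10"
    out = {}
    out["unregistered"] = mgr.on_epmap_response(c, s, 7, 49152)     # no registered request
    mgr.register_request(c, s, 7)
    out["learned"] = mgr.on_epmap_response(c, s, 7, 49152)
    out["open_after_learn"] = mgr.is_open(c, s, 49152)
    out["rule_count"] = len(mgr.security_policy_table())
    clock.advance(100)
    mgr.on_simple_ping(c, s)                                          # keep-alive inside the window
    clock.advance(100)
    out["closed_at_200"] = mgr.expire()                               # 100 s since the ping: still open
    clock.advance(100)
    out["closed_at_300"] = mgr.expire()                               # 200 s since the ping: expired
    out["open_at_end"] = mgr.is_open(c, s, 49152)
    return out
```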
Based on the OPC communication safety protection method disclosed in the above embodiment, and referring to Fig. 4, this embodiment correspondingly discloses an OPC communication safety protection device applied to an OPC firewall, the OPC firewall being deployed on the communication link between the OPC client and the OPC server. The device includes:
Tuple information detection unit 401, for detecting, when an OPC communication data packet is received, the legitimacy of the preset multiple tuple information of the OPC communication data packet;
DEC/RPC format detection unit 402, for detecting, when the preset multiple tuple information of the OPC communication data packet is legal, the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification;
Data packet forwarding unit 403, for forwarding the OPC communication data packet when its DEC/RPC data format is legal.
Optionally, the preset multiple tuple information of the OPC communication data packet includes: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport-layer protocol. The tuple information detection unit is specifically used for: according to a pre-established IP-MAC address binding list, detecting whether the correspondence between the destination IP address and the destination MAC address in the OPC communication data packet is legal, and detecting whether the correspondence between the source IP address and the source MAC address in the OPC communication data packet is legal; and, according to a pre-established security policy table, judging whether the destination IP address, source IP address, destination port, source port and transport-layer protocol type in the OPC communication data packet satisfy an ACL access rule of the security policy table. If so, the preset multiple tuple information of the OPC communication data packet is legal.
Optionally, the DEC/RPC format detection unit is specifically used for: extracting the DEC/RPC protocol application-layer data from the OPC communication data packet; detecting whether the format of the DEC/RPC protocol application-layer data is legal; when the OPC communication data packet is issued by the OPC client, judging whether the type of the OPC communication data packet is any one of a Bind data packet, an Alter_context data packet, a Request data packet, a Shutdown data packet and a Cancel data packet; and when the OPC communication data packet is issued by the OPC server, judging whether the type of the OPC communication data packet is any one of a Response data packet, a Fault data packet, a Bind_ack data packet, a Bind_nak data packet and an Orphaned data packet.
Optionally, when data packet authentication information is present in the DEC/RPC protocol application-layer data, the DEC/RPC format detection unit is also used for detecting the legitimacy of the data packet authentication information in the DEC/RPC protocol application-layer data.
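The tuple check against the IP-MAC binding list and the direction-aware DEC/RPC format check described in the three paragraphs above, as an added Python example that is not the patent's code. The common header layout and the PDU type codes are assumed from the DCE 1.1 RPC specification rather than taken from the page, the binding list and packet bytes are constructed, and the authentication check is reduced to a bounds check on the trailer.

```python
"""Tuple and DEC/RPC format checks of the OPC firewall (constructed example)."""
import struct
from typing import Dict, Tuple

# DEC/RPC connection-oriented PDU type codes (DCE 1.1 RPC specification, not from the page)
PTYPE_NAMES: Dict[int, str] = {0: "request", 2: "response", 3: "fault", 11: "bind",
                               12: "bind_ack", 13: "bind_nak", 14: "alter_context",
                               15: "alter_context_response", 17: "shutdown",
                               18: "cancel", 19: "orphaned"}
# PDU types the page permits in each direction
CLIENT_TYPES = {"bind", "alter_context", "request", "shutdown", "cancel"}
SERVER_TYPES = {"response", "alter_context_response", "fault", "bind_ack", "bind_nak", "orphaned"}

# Constructed IP-MAC address binding list (placeholder addresses)
IP_MAC_BINDINGS: Dict[str, str] = {"10.0.0.5": "aa:bb:cc:00:00:05",
                                   "10.0.0.9": "aa:bb:cc:00:00:09"}

HDR_LEN = 16  # size of the DEC/RPC common header assumed here


def check_tuple(src_ip: str, src_mac: str, dst_ip: str, dst_mac: str) -> bool:
    """IP-MAC binding check: both endpoints must match the pre-established list."""
    return (IP_MAC_BINDINGS.get(src_ip) == src_mac.lower()
            and IP_MAC_BINDINGS.get(dst_ip) == dst_mac.lower())


def check_format(payload: bytes, from_client: bool) -> Tuple[bool, str]:
    """Parse the common header and apply the page's format and direction rules.

    Assumed layout: vers(1) vers_minor(1) ptype(1) pfc_flags(1) drep(4)
    frag_length(2) auth_length(2) call_id(4); integer byte order comes from drep[0].
    """
    if len(payload) < HDR_LEN:
        return False, "short header"
    vers, ptype, drep0 = payload[0], payload[2], payload[4]
    if vers != 5:
        return False, "unsupported rpc version"
    order = "<" if drep0 & 0x10 else ">"
    frag_len, auth_len, _call_id = struct.unpack_from(order + "HHI", payload, 8)
    if frag_len != len(payload):
        return False, "frag_length does not match packet length"
    # an authentication trailer (8-byte sec_trailer + auth_length bytes) must fit the fragment
    if auth_len and HDR_LEN + 8 + auth_len > frag_len:
        return False, "auth_length exceeds fragment"
    name = PTYPE_NAMES.get(ptype)
    if name is None:
        return False, "unknown pdu type"
    allowed = CLIENT_TYPES if from_client else SERVER_TYPES
    if name not in allowed:
        return False, f"{name} not allowed from {'client' if from_client else 'server'}"
    return True, name
```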
Optionally, the device further includes:
Request data packet detection unit, for detecting the validity of the Request data packet when the destination port of the OPC communication data packet is an OPC dynamic port and the OPC communication data packet is a Request data packet;
OPC instruction detection unit, for detecting the legitimacy of the OPC instruction of the Request data packet when the OPC communication data packet has validity.
Optionally, the Request data packet detection unit is specifically used for determining that the OPC client can access the OPC dynamic port, and that the Request data packet has validity, when the OPC client sends a Bind data packet containing the OPC dynamic port to the OPC server and a Bind_ack data packet fed back by the OPC server is received; or when the OPC client sends an Alter_context data packet containing the OPC dynamic port to the OPC server and an Alter_context_response data packet fed back by the OPC server is received.
Optionally, the OPC instruction detection unit is specifically used for: identifying the OPC interface identifier corresponding to the Request data packet, and determining and recording the context identifier corresponding to the OPC interface identifier in the Request data packet; determining the OPC instruction issued by the Request data packet according to the context identifier and the operand information in the Request data packet; and detecting the legitimacy of the OPC instruction according to an OPC instruction access control list.
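The Request validity check (Bind followed by Bind_ack, or Alter_context followed by Alter_context_response) and the OPC instruction check of the two units above, as an added Python example that is not the patent's code. The interface identifier, the operand numbers, the instruction names and the instruction ACL are placeholders, and the example assumes that a Bind or Alter_context carries the presentation contexts (context id to interface id) that later Requests refer to.

```python
"""Request validity and OPC instruction check on a dynamic-port connection (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Connection key: (client IP, server IP, OPC dynamic port)
Conn = Tuple[str, str, int]

# Constructed OPC instruction table: (interface identifier, operand number) -> instruction.
# The identifier and numbers are placeholders, not values from the page or the OPC specification.
INSTRUCTIONS: Dict[Tuple[str, int], str] = {
    ("IFACE-SYNCIO-PLACEHOLDER", 3): "Read",
    ("IFACE-SYNCIO-PLACEHOLDER", 4): "Write",
}
# Constructed OPC instruction access control list: only reads are permitted
INSTRUCTION_ACL: Set[str] = {"Read"}


@dataclass
class RequestChecker:
    pending: Dict[Conn, Dict[int, str]] = field(default_factory=dict)  # Bind seen, no Bind_ack yet
    valid: Dict[Conn, Dict[int, str]] = field(default_factory=dict)    # context id -> interface id

    def on_bind(self, conn: Conn, contexts: Dict[int, str]) -> None:
        """Bind or Alter_context from the client: remember the contexts it asks for."""
        self.pending.setdefault(conn, {}).update(contexts)

    def on_bind_ack(self, conn: Conn) -> bool:
        """Bind_ack or Alter_context_response from the server validates the connection."""
        contexts = self.pending.pop(conn, None)
        if contexts is None:
            return False                     # acknowledgement for a bind the firewall never saw
        self.valid.setdefault(conn, {}).update(contexts)
        return True

    def on_request(self, conn: Conn, ctx_id: int, opnum: int) -> str:
        """Request towards a dynamic port: validity first, then the instruction ACL."""
        contexts = self.valid.get(conn)
        if contexts is None:
            return "drop: request without validated bind"
        iface = contexts.get(ctx_id)
        if iface is None:
            return "drop: unknown context id"
        instruction = INSTRUCTIONS.get((iface, opnum))
        if instruction is None:
            return "drop: unknown instruction"
        if instruction not in INSTRUCTION_ACL:
            return f"drop: {instruction} not permitted by instruction ACL"
        return f"forward: {instruction}"
```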
Optionally, the device further includes:
Dynamic port identification unit, for judging, when the source port of the OPC communication data packet is port 135 and the OPC communication data packet is a Response data packet, whether the request corresponding to the Response data packet has been registered; if registered, judging whether the Response data packet contains a dynamic port; and if it contains a dynamic port, generating an ACL access rule according to the destination IP address, source IP address, destination port, source port and transport-layer protocol type in the Response data packet, and writing the ACL access rule into the security policy table.
Optionally, the device further includes:
Dynamic port maintenance unit, for deleting the ACL access rule corresponding to the dynamic port, thereby closing the dynamic port, when the OPC client does not send a SimplePing instruction through the IObjectExporter interface within a preset time to keep the dynamic port of the OPC server alive.
The OPC communication safety protection device disclosed in this embodiment analyzes DEC/RPC, the underlying communication protocol of OPC communication, detects the legitimacy of the preset multiple tuple information of OPC communication data packets, detects the legitimacy of the DEC/RPC data format of the OPC communication data packets according to the DEC/RPC protocol specification, and discards illegal data packets. This prevents illegal data packets from attacking the underlying DEC/RPC protocol over the network and reduces the security risk of the OPC communication protocol.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A safety protection method for OPC communication, characterized in that it is applied to an OPC firewall, the OPC firewall being deployed on the communication link between an OPC client and an OPC server, the method comprising:
when an OPC communication data packet is received, detecting the legitimacy of preset multiple tuple information of the OPC communication data packet;
when the preset multiple tuple information of the OPC communication data packet is legal, detecting the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification;
when the DEC/RPC data format of the OPC communication data packet is legal, forwarding the OPC communication data packet.
2. The method according to claim 1, characterized in that the preset multiple tuple information of the OPC communication data packet includes: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport-layer protocol; and detecting the legitimacy of the preset multiple tuple information of the OPC communication data packet comprises:
according to a pre-established IP-MAC address binding list, detecting whether the correspondence between the destination IP address and the destination MAC address in the OPC communication data packet is legal, and detecting whether the correspondence between the source IP address and the source MAC address in the OPC communication data packet is legal;
according to a pre-established security policy table, judging whether the destination IP address, source IP address, destination port, source port and transport-layer protocol type in the OPC communication data packet satisfy an ACL access rule of the security policy table, and if so, the preset multiple tuple information of the OPC communication data packet is legal.
3. The method according to claim 1, characterized in that detecting the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification comprises:
extracting the DEC/RPC protocol application-layer data from the OPC communication data packet;
detecting whether the format of the DEC/RPC protocol application-layer data is legal;
when the OPC communication data packet is issued by the OPC client, judging whether the type of the OPC communication data packet is any one of a Bind data packet, an Alter_context data packet, a Request data packet, a Shutdown data packet and a Cancel data packet;
when the OPC communication data packet is issued by the OPC server, judging whether the type of the OPC communication data packet is any one of a Response data packet, an Alter_context_response data packet, a Fault data packet, a Bind_ack data packet, a Bind_nak data packet and an Orphaned data packet.
4. The method according to claim 3, characterized in that, when data packet authentication information is present in the DEC/RPC protocol application-layer data, detecting the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification further comprises:
detecting the legitimacy of the data packet authentication information in the DEC/RPC protocol application-layer data.
5. The method according to claim 1, characterized in that, before forwarding the OPC communication data packet, the method further comprises:
when the destination port of the OPC communication data packet is an OPC dynamic port and the OPC communication data packet is a Request data packet, detecting the validity of the Request data packet;
when the OPC communication data packet has validity, detecting the legitimacy of the OPC instruction of the Request data packet.
6. The method according to claim 5, characterized in that detecting the validity of the Request data packet comprises:
when the OPC client sends a Bind data packet containing the OPC dynamic port to the OPC server and a Bind_ack data packet fed back by the OPC server is received, determining that the OPC client can access the OPC dynamic port and that the Request data packet has validity;
or, when the OPC client sends an Alter_context data packet containing the OPC dynamic port to the OPC server and an Alter_context_response data packet fed back by the OPC server is received, determining that the OPC client can access the OPC dynamic port and that the Request data packet has validity.
7. The method according to claim 5, characterized in that detecting the legitimacy of the OPC instruction of the Request data packet comprises:
identifying the OPC interface identifier corresponding to the Request data packet, and determining and recording the context identifier corresponding to the OPC interface identifier in the Request data packet;
determining the OPC instruction issued by the Request data packet according to the context identifier and the operand information in the Request data packet;
detecting the legitimacy of the OPC instruction according to an OPC instruction access control list.
8. The method according to claim 1, characterized in that the method further comprises:
when the source port of the OPC communication data packet is port 135 and the OPC communication data packet is a Response data packet, judging whether the request corresponding to the Response data packet has been registered;
if registered, judging whether the Response data packet contains a dynamic port;
if it contains a dynamic port, generating an ACL access rule according to the destination IP address, source IP address, destination port, source port and transport-layer protocol type in the Response data packet, and writing the ACL access rule into the security policy table.
9. The method according to claim 8, characterized in that the method further comprises:
when the OPC client does not send a SimplePing instruction through the IObjectExporter interface within a preset time to keep the dynamic port of the OPC server alive, deleting the ACL access rule corresponding to the dynamic port, thereby closing the dynamic port.
10. A safety protection device for OPC communication, characterized by comprising:
a tuple information detection unit, for detecting, when an OPC communication data packet is received, the legitimacy of preset multiple tuple information of the OPC communication data packet;
a DEC/RPC format detection unit, for detecting, when the preset multiple tuple information of the OPC communication data packet is legal, the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification;
a data packet forwarding unit, for forwarding the OPC communication data packet when its DEC/RPC data format is legal.
CN201810916163.2A 2018-08-13 2018-08-13 Safety protection method and device for OPC communication Active CN109104424B (en)

Publications (2)

Publication Number Publication Date
CN109104424A true CN109104424A (en) 2018-12-28
CN109104424B CN109104424B (en) 2021-03-23

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112039916A (en) * 2020-09-07 2020-12-04 北京天融信网络安全技术有限公司 Communication method and device based on OPC protocol, electronic equipment and storage medium
CN115174274A (en) * 2022-09-06 2022-10-11 军工保密资格审查认证中心 Data processing method, industrial control system, electronic device, and storage medium
CN115174273A (en) * 2022-09-06 2022-10-11 军工保密资格审查认证中心 Data processing method, industrial control system, electronic device, and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1995033261A1 (en) * 1994-05-31 1995-12-07 Sony Corporation Data recorder
CN103036870A (en) * 2012-10-26 2013-04-10 青岛海天炜业自动化控制系统有限公司 Industrial firewall without industrial protocol (IP) distributed type depth check arithmetic based on industrial protocol object linking and embedding for process control (OPC) classic
CN104660593A (en) * 2015-02-09 2015-05-27 西北工业大学 Method for filtering OPC security gateway data packets
CN106559382A (en) * 2015-09-25 2017-04-05 北京计算机技术及应用研究所 Protection system of security gateway access control method based on OPC agreements
CN107294998A (en) * 2017-07-10 2017-10-24 王红涛 A kind of security protection system of intelligent electric power electrical secondary system

Also Published As

Publication number Publication date
CN109104424B (en) 2021-03-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 309 Liuhe Road, Binjiang District, Hangzhou City, Zhejiang Province (High tech Zone)

Patentee after: Zhongkong Technology Co.,Ltd.

Country or region after: China

Address before: No. six, No. 309, Binjiang District Road, Hangzhou, Zhejiang

Patentee before: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd.

Country or region before: China