CN109104424A - Safety protection method and device for OPC communication - Google Patents
Safety protection method and device for OPC communication
- Publication number: CN109104424A (application CN201810916163.2A)
- Authority: CN (China)
- Prior art keywords: opc, data packet, data packets, communication data, dec
- Legal status: Granted
Classifications
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/101—Access control lists [ACL]
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Abstract
This application provides a safety protection method and device for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server. The method includes: when an OPC packet is received, checking the legality of its preset multi-tuple information; when the preset multi-tuple information is legal, checking the legality of the packet's DCE/RPC data format against the DCE/RPC protocol specification; and when the DCE/RPC data format is legal, forwarding the packet. OPC packets whose preset multi-tuple information or DCE/RPC data format is illegal are filtered out, reducing the security risk of the OPC communication protocol.
Description
Technical field
The present invention relates to the technical field of data security, and in particular to a safety protection method and device for OPC communication.
Background technique
With the rapid development of informatization and its deep integration with industrialization, industrial control systems use more and more standard, open communication protocols, and the security risks present in those protocols become increasingly prominent. Among them, the OPC Classic specification (hereinafter the OPC specification), an industrial standard that provides an open, unified interface between field devices, automatic control applications and business management application software, is widely used in the control field.
Many companies in the industrial control field have launched products that comply with the OPC specification, generally developed and designed on Microsoft's DCOM (Distributed Component Object Model) technology. However, because DCOM was designed before network security problems were widely recognized, it is easily exposed to network attacks.
Summary of the invention
In view of this, the invention discloses a safety protection method and device for OPC communication. By analysing the underlying communication protocols, DCE/RPC and the DCOM mechanism, it proposes a method of OPC communication security protection that reduces the security risk of the OPC communication protocol.
In order to achieve the above object of the invention, the specific technical solution provided by the invention is as follows:
A safety protection method for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server, the method comprising:
when an OPC packet is received, checking the legality of the preset multi-tuple information of the OPC packet;
when the preset multi-tuple information of the OPC packet is legal, checking the legality of the DCE/RPC data format of the OPC packet according to the DCE/RPC protocol specification;
when the DCE/RPC data format of the OPC packet is legal, forwarding the OPC packet.
Optionally, the preset multi-tuple information of the OPC packet includes: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol; and checking the legality of the preset multi-tuple information of the OPC packet comprises:
according to a pre-established IP-MAC address binding table, checking whether the correspondence between the destination IP address and the destination MAC address in the OPC packet is legal, and checking whether the correspondence between the source IP address and the source MAC address in the OPC packet is legal;
according to a pre-established security policy table, judging whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC packet meet an ACL access rule of the security policy table; if so, the preset multi-tuple information of the OPC packet is legal.
Optionally, checking the legality of the DCE/RPC data format of the OPC packet according to the DCE/RPC protocol specification comprises:
extracting the DCE/RPC protocol application layer data from the OPC packet;
checking whether the format of the DCE/RPC protocol application layer data is legal;
when the OPC packet is sent by the OPC client, judging whether the type of the OPC packet is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet;
when the OPC packet is sent by the OPC server, judging whether the type of the OPC packet is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet.
Optionally, when packet authentication information is present in the DCE/RPC protocol application layer data, checking the legality of the DCE/RPC data format of the OPC packet according to the DCE/RPC protocol specification further comprises:
checking the legality of the packet authentication information in the DCE/RPC protocol application layer data.
Optionally, before the OPC packet is forwarded, the method further comprises:
when the destination port of the OPC packet is an OPC dynamic port and the OPC packet is a Request packet, checking the validity of the Request packet;
when the Request packet is valid, checking the legality of the OPC instruction of the Request packet.
Optionally, checking the validity of the Request packet comprises:
judging whether the OPC interface corresponding to the OPC instruction in the Request packet has been registered;
if registered, the Request packet is valid;
if not registered, the Request packet is invalid.
Optionally, checking the legality of the OPC instruction of the Request packet comprises:
identifying the OPC interface identifier corresponding to the Request packet, and determining and recording the context identifier in the Request packet that corresponds to the OPC interface identifier;
determining the OPC instruction issued by the Request packet according to the context identifier and the operation number information in the Request packet;
checking the legality of the OPC instruction according to an OPC instruction access control list.
Optionally, the method further comprises:
when the source port of the OPC packet is port 135 and the OPC packet is a Response packet, judging whether the request corresponding to the Response packet has been registered;
if registered, judging whether the Response packet contains a dynamic port;
if it contains a dynamic port, generating an ACL access rule according to the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet, writing the ACL access rule into the security policy table, and opening the dynamic port.
Optionally, the method further comprises:
when the OPC client does not, within a preset time, send a SimplePing instruction through the IObjectExporter interface to keep the dynamic port of the OPC server alive, deleting the ACL access rule corresponding to the dynamic port and closing the dynamic port.
A safety protection device for OPC communication, comprising:
a tuple information detection unit, configured to check, when an OPC packet is received, the legality of the preset multi-tuple information of the OPC packet;
a DCE/RPC format detection unit, configured to check, when the preset multi-tuple information of the OPC packet is legal, the legality of the DCE/RPC data format of the OPC packet according to the DCE/RPC protocol specification;
a packet forwarding unit, configured to forward the OPC packet when the DCE/RPC data format of the OPC packet is legal.
Optionally, the preset multi-tuple information of the OPC packet includes: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol; and the tuple information detection unit is specifically configured to check, according to a pre-established IP-MAC address binding table, whether the correspondence between the destination IP address and the destination MAC address in the OPC packet is legal, and whether the correspondence between the source IP address and the source MAC address in the OPC packet is legal; and to judge, according to a pre-established security policy table, whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC packet meet an ACL access rule of the security policy table; if so, the preset multi-tuple information of the OPC packet is legal.
Optionally, the DCE/RPC format detection unit is specifically configured to extract the DCE/RPC protocol application layer data from the OPC packet; check whether the format of the DCE/RPC protocol application layer data is legal; when the OPC packet is sent by the OPC client, judge whether the type of the OPC packet is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet; and when the OPC packet is sent by the OPC server, judge whether the type of the OPC packet is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet.
Optionally, when packet authentication information is present in the DCE/RPC protocol application layer data, the DCE/RPC format detection unit is further configured to check the legality of the packet authentication information in the DCE/RPC protocol application layer data.
Optionally, the device further comprises:
a Request packet detection unit, configured to check the validity of the Request packet when the destination port of the OPC packet is an OPC dynamic port and the OPC packet is a Request packet;
an OPC instruction detection unit, configured to check the legality of the OPC instruction of the Request packet when the Request packet is valid.
Optionally, the Request packet detection unit is specifically configured to determine that the OPC client may access the OPC dynamic port, and that the Request packet is valid, when the OPC client has sent to the OPC server a Bind packet containing the OPC dynamic port and has received the Bind_ack packet returned by the OPC server; or when the OPC client has sent to the OPC server an Alter_context packet containing the OPC dynamic port and has received the Alter_context_response packet returned by the OPC server.
Optionally, the OPC instruction detection unit is specifically configured to identify the OPC interface identifier corresponding to the Request packet, and to determine and record the context identifier in the Request packet that corresponds to the OPC interface identifier; to determine the OPC instruction issued by the Request packet according to the context identifier and the operation number information in the Request packet; and to check the legality of the OPC instruction according to the OPC instruction access control list.
Optionally, the device further comprises:
a dynamic port recognition unit, configured to judge, when the source port of the OPC packet is port 135 and the OPC packet is a Response packet, whether the request corresponding to the Response packet has been registered; if registered, to judge whether the Response packet contains a dynamic port; and if it contains a dynamic port, to generate an ACL access rule according to the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet and write the ACL access rule into the security policy table.
Optionally, the device further comprises:
a dynamic port maintenance unit, configured to delete the ACL access rule corresponding to the dynamic port, thereby closing the dynamic port, when the OPC client does not, within a preset time, send a SimplePing instruction through the IObjectExporter interface to keep the dynamic port of the OPC server alive.
Compared with the prior art, the beneficial effects of the present invention are as follows:
The safety protection method and device for OPC communication disclosed by the invention analyse the underlying communication protocol of OPC communication, the DCE/RPC protocol, check the legality of the preset multi-tuple information of OPC packets, check the legality of the DCE/RPC data format of the OPC packets according to the DCE/RPC protocol specification, and discard illegal packets. This prevents illegal packets from attacking the underlying DCE/RPC protocol over the network and reduces the security risk of the OPC communication protocol.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a safety protection method for OPC communication disclosed by an embodiment of the invention;
Fig. 2 is a flow diagram of another safety protection method for OPC communication disclosed by an embodiment of the invention;
Fig. 3 is a flow diagram of yet another safety protection method for OPC communication disclosed by an embodiment of the invention;
Fig. 4 is a schematic diagram of a safety protection device for OPC communication disclosed by an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
Referring to Fig. 1, this embodiment discloses a safety protection method for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server. The method specifically includes the following steps:
S101: when an OPC packet is received, check the legality of the preset multi-tuple information of the OPC packet;
The OPC packet may be sent by the OPC client or by the OPC server.
The preset multi-tuple information of the OPC packet includes: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol. On this basis, checking the legality of the 7-tuple information of the OPC packet specifically includes the following steps:
according to a pre-established IP-MAC address binding table, check whether the correspondence between the destination IP address and the destination MAC address in the OPC packet is legal, and check whether the correspondence between the source IP address and the source MAC address in the OPC packet is legal;
according to a pre-established security policy table, judge whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC packet meet an ACL access rule of the security policy table; if so, the preset multi-tuple information of the OPC packet is legal.
It can be understood that when the correspondence between the destination IP address and the destination MAC address in the OPC packet is recorded in the IP-MAC address binding table, that correspondence is legal; when the correspondence between the source IP address and the source MAC address in the OPC packet is recorded in the IP-MAC address binding table, that correspondence is legal; otherwise it is illegal.
It should be noted that the security policy table records the correspondence between destination IP address, source IP address, destination port, source port and transport layer protocol type. If the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC packet meet an ACL access rule in the security policy table, and the IP-MAC correspondences in the OPC packet are legal, the preset multi-tuple information of the OPC packet is legal.
S102: when the preset multi-tuple information of the OPC packet is legal, check the legality of the DCE/RPC data format of the OPC packet according to the DCE/RPC protocol specification;
It should be noted that when the preset multi-tuple information of the OPC packet is illegal, or the DCE/RPC data format of the OPC packet is illegal, the OPC packet is discarded.
The DCE/RPC protocol is the underlying protocol of DCOM. When the DCE/RPC data format of an OPC packet is illegal, the OPC packet is illegal and unsafe, and discarding it ensures the safety of OPC communication.
Specifically, checking the legality of the DCE/RPC data format of the OPC packet according to the DCE/RPC protocol specification comprises:
extracting the DCE/RPC protocol application layer data from the OPC packet; specifically, extracting the header message (PDU header) and the data length of the DCE/RPC protocol application layer data;
checking whether the format of the DCE/RPC protocol application layer data is legal; the basis for the check includes the header message of the DCE/RPC protocol application layer data and the length specification of the DCE/RPC protocol application layer data;
when the OPC packet is sent by the OPC client, judging whether the type of the OPC packet is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet;
when the OPC packet is sent by the OPC server, judging whether the type of the OPC packet is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet.
It can be understood that when the OPC packet is sent by the OPC client and its type is any one of a Bind packet, an Alter_context packet, a Request packet, a Shutdown packet and a Cancel packet, the DCE/RPC data format of the OPC packet is legal. When the OPC packet is sent by the OPC server and its type is any one of a Response packet, a Fault packet, a Bind_ack packet, a Bind_nak packet and an Orphaned packet, the DCE/RPC data format of the OPC packet is legal.
It should be noted that when packet authentication information is present in the DCE/RPC protocol application layer data, checking the legality of the DCE/RPC data format of the OPC packet according to the DCE/RPC protocol specification further comprises: checking the legality of the packet authentication information in the DCE/RPC protocol application layer data.
S103: when the DCE/RPC data format of the OPC packet is legal, forward the OPC packet.
It can be understood that when the OPC packet is sent by the OPC client, it is forwarded to the corresponding OPC server; when the OPC packet is sent by the OPC server, it is forwarded to the corresponding OPC client.
The safety protection method for OPC communication disclosed in this embodiment analyses the underlying communication protocol of OPC communication, the DCE/RPC protocol, checks the legality of the preset multi-tuple information of OPC packets, checks the legality of their DCE/RPC data format according to the DCE/RPC protocol specification, and discards illegal packets. This prevents illegal packets from attacking the underlying DCE/RPC protocol over the network and reduces the security risk of the OPC communication protocol.
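The S101 to S103 pipeline above as a runnable filter, added here as an example and not code from the patent: a 7-tuple check against an IP-MAC binding table and a security policy table, then a parse of the 16-byte connection-oriented DCE/RPC PDU header (version, fragment length, authentication length) and the per-direction packet-type allowlist the text gives. The addresses, MACs and policy rules are constructed sample data; the PDU type numbers come from the DCE/RPC specification, not from the page.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Connection-oriented DCE/RPC PDU types (numbering from the DCE 1.1 RPC spec).
PTYPES = {0: "Request", 2: "Response", 3: "Fault", 11: "Bind", 12: "Bind_ack",
          13: "Bind_nak", 14: "Alter_context", 15: "Alter_context_resp",
          17: "Shutdown", 18: "Cancel", 19: "Orphaned"}
# Per-direction allowlists exactly as the patent text lists them.
CLIENT_TYPES = {"Bind", "Alter_context", "Request", "Shutdown", "Cancel"}
SERVER_TYPES = {"Response", "Fault", "Bind_ack", "Bind_nak", "Orphaned"}
# rpc_vers, vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id
HEADER_LEN = 16


@dataclass(frozen=True)
class Tuple7:
    """The preset 7-tuple the firewall checks in S101."""
    dst_mac: str
    src_mac: str
    dst_ip: str
    src_ip: str
    dst_port: int
    src_port: int
    proto: str


# Constructed sample tables (hypothetical addresses, not from the patent).
IP_MAC_BINDINGS = {"172.0.20.1": "00:11:22:33:44:01", "172.0.20.10": "00:11:22:33:44:10"}
# Security policy table: (src_ip, dst_ip, src_port, dst_port, proto); None matches any port.
ACL = [("172.0.20.1", "172.0.20.10", None, 135, "tcp"),
       ("172.0.20.10", "172.0.20.1", 135, None, "tcp")]


def acl_match(rule, t: Tuple7) -> bool:
    src_ip, dst_ip, src_port, dst_port, proto = rule
    return (src_ip == t.src_ip and dst_ip == t.dst_ip and proto == t.proto
            and src_port in (None, t.src_port) and dst_port in (None, t.dst_port))


def tuple_ok(t: Tuple7) -> bool:
    """S101: both IP-MAC bindings must be recorded, then a policy rule must match."""
    if IP_MAC_BINDINGS.get(t.dst_ip) != t.dst_mac:
        return False
    if IP_MAC_BINDINGS.get(t.src_ip) != t.src_mac:
        return False
    return any(acl_match(r, t) for r in ACL)


def parse_header(payload: bytes) -> Optional[dict]:
    """Parse the 16-byte CO PDU header; None means the format check (S102) fails."""
    if len(payload) < HEADER_LEN:
        return None
    vers, vers_minor, ptype, flags = payload[0], payload[1], payload[2], payload[3]
    drep = payload[4:8]
    endian = "<" if drep[0] & 0x10 else ">"  # drep byte-order flag
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", payload[8:16])
    if vers != 5 or vers_minor not in (0, 1) or ptype not in PTYPES:
        return None
    # frag_length must describe exactly the bytes received, and an auth trailer
    # (8-byte sec_trailer plus auth_length bytes) must fit inside the fragment.
    if frag_len != len(payload):
        return None
    if auth_len and HEADER_LEN + 8 + auth_len > frag_len:
        return None
    return {"ptype": PTYPES[ptype], "flags": flags, "frag_len": frag_len,
            "auth_len": auth_len, "call_id": call_id}


def filter_packet(t: Tuple7, payload: bytes, from_client: bool) -> str:
    """S101-S103: return "forward" or the reason the packet is dropped."""
    if not tuple_ok(t):
        return "drop:tuple"
    hdr = parse_header(payload)
    if hdr is None:
        return "drop:format"
    allowed = CLIENT_TYPES if from_client else SERVER_TYPES
    if hdr["ptype"] not in allowed:
        return "drop:format"
    return "forward"


def build_pdu(ptype_name: str, body: bytes = b"", call_id: int = 1) -> bytes:
    """Construct a minimal little-endian PDU of the given type (sample input only)."""
    code = {v: k for k, v in PTYPES.items()}[ptype_name]
    hdr = struct.pack("<BBBB4sHHI", 5, 0, code, 0x03, b"\x10\x00\x00\x00",
                      HEADER_LEN + len(body), 0, call_id)
    return hdr + body


if __name__ == "__main__":
    c2s = Tuple7("00:11:22:33:44:10", "00:11:22:33:44:01", "172.0.20.10", "172.0.20.1",
                 135, 49200, "tcp")
    print(filter_packet(c2s, build_pdu("Bind"), from_client=True))      # forward
    print(filter_packet(c2s, build_pdu("Response"), from_client=True))  # drop:format
```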
Referring to Fig. 2, this embodiment discloses another safety protection method for OPC communication, which specifically includes the following steps:
S201: receive an OPC packet;
S202: judge whether the preset multi-tuple information of the OPC packet is legal;
if not, S203: discard the OPC packet;
if so, S204: judge, according to the DCE/RPC protocol specification, whether the DCE/RPC data format of the OPC packet is legal;
if not, S203: discard the OPC packet;
if so, S205: judge whether the destination port of the OPC packet is an OPC dynamic port;
if not, S206: forward the OPC packet;
if so, S207: judge whether the OPC packet is a Request packet;
if not, S206: forward the OPC packet;
if so, S208: judge whether the Request packet is valid;
Specifically, one method of judging whether the Request packet is valid is as follows: when the OPC client has sent to the OPC server a Bind packet containing the OPC dynamic port and has received the Bind_ack packet returned by the OPC server, it is determined that the OPC client may access the OPC dynamic port and the Request packet is valid.
Another method of judging whether the Request packet is valid is as follows: when the OPC client has sent to the OPC server an Alter_context packet containing the OPC dynamic port and has received the Alter_context_response packet returned by the OPC server, it is determined that the OPC client may access the OPC dynamic port and the Request packet is valid.
It should be noted that the OPC client, by sending a Bind packet or an Alter_context packet to the OPC server, asks whether the OPC server supports access to the corresponding OPC dynamic port; if the OPC server returns a Bind_ack packet or an Alter_context_response packet, it is determined that the OPC client may access the OPC dynamic port and the Request packet is valid.
If not valid, S203: discard the OPC packet.
If valid, S209: judge whether the OPC instruction of the Request packet is legal;
Specifically, checking the legality of the OPC instruction of the Request packet comprises: identifying the OPC interface identifier corresponding to the Request packet, and determining and recording the context identifier in the Request packet that corresponds to the OPC interface identifier; determining the OPC instruction issued by the Request packet according to the context identifier and the operation number information in the Request packet; and checking the legality of the OPC instruction according to the OPC instruction access control list.
If legal, S206: forward the OPC packet.
If illegal, S203: discard the OPC packet.
It should be noted that, as shown in Table 1, the OPC instruction access control list includes the OPC instruction information, the client address and the server address.
Table 1: OPC instruction access control list
| OPC instruction | Client address | Server address |
| --- | --- | --- |
| IOPCServer::AddGroup() | 172.0.20.1 | 172.0.20.10 |
| IOPCItemIO::Read() | 172.0.20.2 | 172.0.20.11 |
| ... | ... | ... |
The safety protection method for OPC communication disclosed in this embodiment establishes an OPC access control list and implements access control over OPC instructions, filtering illegal OPC instructions to guarantee the safety of OPC communication.
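The S208 and S209 checks above as stateful filter code, added here as an example and not code from the patent: the client's Bind or Alter_context proposes a context id for an interface, the server's Bind_ack or Alter_context_response registers it, and a Request is then mapped from (context id, operation number) to an OPC instruction and checked against a Table 1 style ACL keyed by client and server address. The interface identifiers and opnum-to-method tables are constructed placeholders; the real OPC DA interface UUIDs and opnum layouts are not on the page.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

# Constructed interface table: interface id -> (name, {opnum: method}).
# Placeholder ids; real OPC DA interface UUIDs and opnums are not on the page.
INTERFACES = {
    "IID-IOPCSERVER-PLACEHOLDER": ("IOPCServer", {3: "AddGroup", 5: "GetGroupByName"}),
    "IID-IOPCITEMIO-PLACEHOLDER": ("IOPCItemIO", {3: "Read", 4: "WriteVQT"}),
}
# OPC instruction access control list in the shape of Table 1:
# (OPC instruction, client address, server address).
OPC_ACL = {
    ("IOPCServer::AddGroup()", "172.0.20.1", "172.0.20.10"),
    ("IOPCItemIO::Read()", "172.0.20.2", "172.0.20.11"),
}


@dataclass
class ConnState:
    """Presentation contexts of one client/server connection."""
    proposed: Dict[int, str] = field(default_factory=dict)  # ctx_id -> iid from Bind/Alter_context
    accepted: Dict[int, str] = field(default_factory=dict)  # ctx_id -> iid acknowledged by server


class RequestFilter:
    def __init__(self) -> None:
        self.conns: Dict[Tuple[str, str], ConnState] = {}

    def _state(self, client: str, server: str) -> ConnState:
        return self.conns.setdefault((client, server), ConnState())

    def on_context_proposal(self, client: str, server: str, contexts: Dict[int, str]) -> None:
        """Client Bind or Alter_context: record which interface each context id asks for."""
        self._state(client, server).proposed.update(contexts)

    def on_context_accepted(self, client: str, server: str, ctx_ids: Iterable[int]) -> None:
        """Server Bind_ack or Alter_context_response: the named contexts become registered."""
        st = self._state(client, server)
        for ctx in ctx_ids:
            if ctx in st.proposed:
                st.accepted[ctx] = st.proposed.pop(ctx)

    def check_request(self, client: str, server: str, ctx_id: int, opnum: int) -> str:
        """S208 then S209 for a Request packet; returns "forward" or a drop reason."""
        st = self.conns.get((client, server))
        if st is None or ctx_id not in st.accepted:
            return "drop:interface-not-registered"   # S208: the Request packet is invalid
        name, ops = INTERFACES.get(st.accepted[ctx_id], ("", {}))
        method = ops.get(opnum)
        if method is None:
            return "drop:unknown-instruction"
        instruction = f"{name}::{method}()"
        if (instruction, client, server) not in OPC_ACL:
            return "drop:instruction-not-allowed"    # S209: the OPC instruction is illegal
        return "forward"


if __name__ == "__main__":
    f = RequestFilter()
    f.on_context_proposal("172.0.20.1", "172.0.20.10", {0: "IID-IOPCSERVER-PLACEHOLDER"})
    f.on_context_accepted("172.0.20.1", "172.0.20.10", [0])
    print(f.check_request("172.0.20.1", "172.0.20.10", 0, 3))  # forward
    print(f.check_request("172.0.20.1", "172.0.20.10", 0, 5))  # drop:instruction-not-allowed
```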
Referring to Fig. 3, this embodiment discloses yet another safety protection method for OPC communication, which specifically includes the following steps:
S301: receive an OPC packet;
S302: judge whether the preset multi-tuple information of the OPC packet is legal;
if not, S303: discard the OPC packet;
if so, S304: judge, according to the DCE/RPC protocol specification, whether the DCE/RPC data format of the OPC packet is legal;
if not, S303: discard the OPC packet;
if so, S305: judge whether the source port of the OPC packet is port 135;
if not, S306: forward the OPC packet;
if so, S307: judge whether the OPC packet is a Response packet;
if not, S306: forward the OPC packet;
if so, S308: judge whether the request corresponding to the Response packet has been registered;
if not registered, S303: discard the OPC packet;
if registered, S309: judge whether the Response packet contains a dynamic port;
if not, S306: forward the OPC packet;
if so, S310: generate an ACL access rule according to the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet, write the ACL access rule into the security policy table, and execute S306.
It should be noted that writing the ACL access rule into the security policy table opens the dynamic port, allowing packets that meet the ACL access rule to pass through the OPC firewall.
It should also be noted that dynamic port identification further includes state maintenance of the dynamic port: when the OPC client does not, within a preset time, send a SimplePing instruction through the IObjectExporter interface to keep the dynamic port of the OPC server alive, the ACL access rule corresponding to the dynamic port is deleted, closing the dynamic port.
The safety protection method for OPC communication disclosed in this embodiment dynamically identifies the open or closed state of the OPC server's access ports and manages their life cycle, including opening and closing, so that the number of dynamic ports left open is minimized. This solves the problem that a traditional firewall cannot effectively protect OPC dynamic ports.
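The dynamic port life cycle of steps S305 to S310 plus the keep-alive state maintenance above, added here as an example and not code from the patent: a Response from the server's port 135 is only acted on if the firewall registered the matching request, a dynamic port it carries becomes a rule in the security policy table, a SimplePing refreshes that rule's timer, and the rule is deleted once no keep-alive arrives within the preset time. Extracting the port from the Response body is assumed done by the caller; addresses, ports and the timeout are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EPM_PORT = 135  # DCE/RPC endpoint mapper; the server source port checked in S305


@dataclass(frozen=True)
class AclRule:
    src_ip: str
    dst_ip: str
    src_port: Optional[int]  # None matches any port
    dst_port: Optional[int]
    proto: str


class DynamicPortTracker:
    """Opens and closes OPC dynamic ports on the firewall as Fig. 3 describes."""

    def __init__(self, keepalive_timeout: float) -> None:
        self.timeout = keepalive_timeout
        # Registered endpoint-mapper requests: (client, server, call_id) -> time seen
        self.pending: Dict[Tuple[str, str, int], float] = {}
        # Security policy table entries: (client, server, dyn_port) -> (rule, last keep-alive)
        self.policy: Dict[Tuple[str, str, int], Tuple[AclRule, float]] = {}

    def register_request(self, client: str, server: str, call_id: int, now: float) -> None:
        """A client Request to the server's port 135 is registered so its Response can be matched."""
        self.pending[(client, server, call_id)] = now

    def on_epm_response(self, client: str, server: str, src_port: int, call_id: int,
                        dyn_port: Optional[int], now: float) -> str:
        """S305-S310 for a Response packet. dyn_port is the port the caller extracted
        from the Response body (None if it carries none)."""
        if src_port != EPM_PORT:
            return "forward"                      # S305: not from port 135
        key = (client, server, call_id)
        if key not in self.pending:
            return "drop:request-not-registered"  # S308 -> S303
        del self.pending[key]
        if dyn_port is None:
            return "forward"                      # S309 -> S306
        rule = AclRule(src_ip=client, dst_ip=server, src_port=None, dst_port=dyn_port, proto="tcp")
        self.policy[(client, server, dyn_port)] = (rule, now)  # S310: open the port
        return "forward:opened"

    def on_keepalive(self, client: str, server: str, dyn_port: int, now: float) -> bool:
        """SimplePing on IObjectExporter refreshes the rule's timer; False if no such port is open."""
        key = (client, server, dyn_port)
        if key not in self.policy:
            return False
        self.policy[key] = (self.policy[key][0], now)
        return True

    def expire(self, now: float) -> List[int]:
        """Delete rules whose last keep-alive is older than the preset time; return closed ports."""
        stale = [key for key, (_, seen) in self.policy.items() if now - seen > self.timeout]
        for key in stale:
            del self.policy[key]
        return [key[2] for key in stale]

    def allows(self, client: str, server: str, dst_port: int) -> bool:
        """Would a client packet to this dynamic port currently pass the policy table?"""
        return (client, server, dst_port) in self.policy


if __name__ == "__main__":
    t = DynamicPortTracker(keepalive_timeout=120)
    t.register_request("172.0.20.1", "172.0.20.10", 7, now=0)
    print(t.on_epm_response("172.0.20.1", "172.0.20.10", 135, 7, 49200, now=1))  # forward:opened
    print(t.expire(now=200))  # [49200]
```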
Based on the safety protection method for OPC communication disclosed in the above embodiment, and referring to Fig. 4, this embodiment correspondingly discloses a safety protection device for OPC communication, applied to an OPC firewall deployed on the communication link between the OPC client and the OPC server. The device includes:
Tuple information detection unit 401, for detecting, when an OPC communication data packet is received, the legitimacy of the preset multiple tuple information of the OPC communication data packet;
DEC/RPC format detection unit 402, for detecting, when the preset multiple tuple information of the OPC communication data packet is legal, the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification;
Data packet forwarding unit 403, for forwarding the OPC communication data packet when its DEC/RPC data format is legal.
Optionally, the preset multiple tuple information of the OPC communication data packet includes: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol. The tuple information detection unit is specifically used for: detecting, according to a pre-established IP-MAC address binding list, whether the correspondence between the destination IP address and the destination MAC address in the OPC communication data packet is legal, and whether the correspondence between the source IP address and the source MAC address is legal; and judging, according to a pre-established security policy table, whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC communication data packet meet an ACL access rule of the security policy table. If so, the preset multiple tuple information of the OPC communication data packet is legal.
Optionally, the DEC/RPC format detection unit is specifically used for: extracting the DEC/RPC protocol application layer data from the OPC communication data packet; detecting whether the format of the DEC/RPC protocol application layer data is legal; when the OPC communication data packet is issued by the OPC client, judging whether its type is any one of a Bind data packet, an Alter_context data packet, a Request data packet, a Shutdown data packet and a Cancel data packet; and when the OPC communication data packet is issued by the OPC server, judging whether its type is any one of a Response data packet, a Fault data packet, a Bind_ack data packet, a Bind_nak data packet and an Orphaned data packet.
Optionally, when data packet authentication information is present in the DEC/RPC protocol application layer data, the DEC/RPC format detection unit is also used for detecting the legitimacy of the data packet authentication information in the DEC/RPC protocol application layer data.
Optionally, the device further includes:
Request data packet detection unit, for detecting the validity of the Request data packet when the destination port of the OPC communication data packet is an OPC dynamic port and the OPC communication data packet is a Request data packet;
OPC instruction detection unit, for detecting the legitimacy of the OPC instruction of the Request data packet when the OPC communication data packet has validity.
Optionally, the Request data packet detection unit is specifically used for: when the OPC client sends a Bind data packet containing the OPC dynamic port to the OPC server and receives a Bind_ack data packet fed back by the OPC server, determining that the OPC client may access the OPC dynamic port and that the Request data packet has validity; or, when the OPC client sends an Alter_context data packet containing the OPC dynamic port to the OPC server and receives an Alter_context_response data packet fed back by the OPC server, determining that the OPC client may access the OPC dynamic port and that the Request data packet has validity.
Optionally, the OPC instruction detection unit is specifically used for: identifying the OPC interface identifier corresponding to the Request data packet, and determining and recording the context environment identifier in the Request data packet that corresponds to the OPC interface identifier; determining, according to the context environment identifier and the operand information in the Request data packet, the OPC instruction issued by the Request data packet; and detecting the legitimacy of the OPC instruction according to an OPC instruction access control list.
Optionally, the device further includes:
Dynamic port recognition unit, for, when the source port of the OPC communication data packet is port 135 and the OPC communication data packet is a Response data packet, judging whether the request corresponding to the Response data packet is registered; if registered, judging whether the Response data packet contains a dynamic port; and if it contains a dynamic port, generating an ACL access rule from the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response data packet, and writing the ACL access rule into the security policy table.
Optionally, the device further includes:
Dynamic port maintenance unit, for deleting the ACL access rule corresponding to the dynamic port, thereby closing the dynamic port, when the OPC client does not send a SimplePing instruction through the IObjectExporter interface within a preset time to keep the dynamic port of the OPC server alive.
The safety protection device for OPC communication disclosed in this embodiment analyses the underlying communication protocol of OPC communication, the DEC/RPC protocol: it detects the legitimacy of the preset multiple tuple information of the OPC communication data packet, detects the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification, and discards illegal data packets. This prevents illegal data packets from mounting network attacks on the underlying DEC/RPC protocol and reduces the security risk of the OPC communication protocol.
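As an added example (not code from the patent or from its applicant), the following Python model ties together the checks the description above assigns to units 401 to 403 and to the dynamic port recognition and maintenance units: an IP-MAC binding check and ACL lookup over the tuple, a per-direction DEC/RPC PDU-type whitelist, registration of Requests sent to port 135, opening of a dynamic port announced in a registered Response, and closing it when no keep-alive arrives within the preset time. It assumes decoded packet fields rather than raw DEC/RPC bytes, the hypothetical `Pkt` and `OpcFirewall` names, a 120-second keep-alive window, and that the generated rule permits the client to reach the announced port on the server from any source port; the Request-validity and OPC-instruction checks of the description are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

CLIENT_PDUS = {"Bind", "Alter_context", "Request", "Shutdown", "Cancel"}  # client -> server
SERVER_PDUS = {"Response", "Alter_context_response", "Fault", "Bind_ack", "Bind_nak", "Orphaned"}
EPMAP = 135               # RPC endpoint mapper port named on the page
KEEPALIVE_WINDOW = 120.0  # preset keep-alive window in seconds (assumed value)
ANY = None                # wildcard field in an ACL rule


@dataclass(frozen=True)
class Pkt:  # decoded fields the firewall inspects (modelled, not parsed from bytes)
    dst_mac: str; src_mac: str; dst_ip: str; src_ip: str
    dst_port: int; src_port: int; proto: str
    pdu: Optional[str] = None           # DEC/RPC PDU type, None if undecodable
    from_client: bool = True            # direction on the client-server link
    call_id: Optional[int] = None       # ties a Response to its Request
    dynamic_port: Optional[int] = None  # port announced in a Response

class OpcFirewall:
    def __init__(self, ip_mac, static_acl):
        self.ip_mac = ip_mac        # IP -> MAC binding table
        self.acl = set(static_acl)  # rules: (src_ip, dst_ip, src_port, dst_port, proto)
        self.registered = set()     # call_ids of Requests forwarded to port 135
        self.last_ping = {}         # dynamic rule -> time of last keep-alive

    def _acl_match(self, p):
        for src_ip, dst_ip, sp, dp, proto in self.acl:
            if ((src_ip, dst_ip, proto) == (p.src_ip, p.dst_ip, p.proto)
                    and sp in (ANY, p.src_port) and dp in (ANY, p.dst_port)):
                return True
        return False

    def tuple_ok(self, p):
        # Both IP-MAC bindings must hold, then the security policy table applies.
        bound = (self.ip_mac.get(p.dst_ip) == p.dst_mac
                 and self.ip_mac.get(p.src_ip) == p.src_mac)
        return bound and self._acl_match(p)

    def format_ok(self, p):
        return p.pdu in (CLIENT_PDUS if p.from_client else SERVER_PDUS)

    def handle(self, p, now):
        """Return 'FORWARD' or 'DROP' for one packet and update dynamic state."""
        if not self.tuple_ok(p) or not self.format_ok(p):
            return "DROP"
        if p.dst_port == EPMAP and p.pdu == "Request" and p.call_id is not None:
            self.registered.add(p.call_id)        # register the outgoing request
        elif p.src_port == EPMAP and p.pdu == "Response":
            if p.call_id not in self.registered:
                return "DROP"                      # S308: unregistered Response
            if p.dynamic_port is not None:         # S309/S310: open the port
                # Assumed rule shape: client -> server:dynamic_port, any source port.
                rule = (p.dst_ip, p.src_ip, ANY, p.dynamic_port, p.proto)
                self.acl.add(rule)
                self.last_ping[rule] = now
        return "FORWARD"

    def keepalive(self, client_ip, server_ip, port, proto, now):
        """Record a SimplePing from the client for an open dynamic port."""
        rule = (client_ip, server_ip, ANY, port, proto)
        if rule in self.last_ping:
            self.last_ping[rule] = now

    def expire(self, now):
        """Close dynamic ports not kept alive within the preset window; return count."""
        stale = [r for r, t in self.last_ping.items() if now - t > KEEPALIVE_WINDOW]
        for r in stale:
            self.acl.discard(r)
            del self.last_ping[r]
        return len(stale)
```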
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A safety protection method for OPC communication, characterized in that it is applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server, the method comprising:
when an OPC communication data packet is received, detecting the legitimacy of preset multiple tuple information of the OPC communication data packet;
when the preset multiple tuple information of the OPC communication data packet is legal, detecting the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification;
when the DEC/RPC data format of the OPC communication data packet is legal, forwarding the OPC communication data packet.
2. The method according to claim 1, characterized in that the preset multiple tuple information of the OPC communication data packet includes: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol; and the detecting the legitimacy of the preset multiple tuple information of the OPC communication data packet comprises:
according to a pre-established IP-MAC address binding list, detecting whether the correspondence between the destination IP address and the destination MAC address in the OPC communication data packet is legal, and detecting whether the correspondence between the source IP address and the source MAC address in the OPC communication data packet is legal;
according to a pre-established security policy table, judging whether the destination IP address, source IP address, destination port, source port and transport layer protocol type in the OPC communication data packet meet an ACL access rule of the security policy table; if so, the preset multiple tuple information of the OPC communication data packet is legal.
3. The method according to claim 1, characterized in that the detecting the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification comprises:
extracting DEC/RPC protocol application layer data from the OPC communication data packet;
detecting whether the format of the DEC/RPC protocol application layer data is legal;
when the OPC communication data packet is issued by the OPC client, judging whether the type of the OPC communication data packet is any one of a Bind data packet, an Alter_context data packet, a Request data packet, a Shutdown data packet and a Cancel data packet;
when the OPC communication data packet is issued by the OPC server, judging whether the type of the OPC communication data packet is any one of a Response data packet, an Alter_context_response data packet, a Fault data packet, a Bind_ack data packet, a Bind_nak data packet and an Orphaned data packet.
4. The method according to claim 3, characterized in that, when data packet authentication information is present in the DEC/RPC protocol application layer data, the detecting the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification further comprises:
detecting the legitimacy of the data packet authentication information in the DEC/RPC protocol application layer data.
5. The method according to claim 1, characterized in that, before forwarding the OPC communication data packet, the method further comprises:
when the destination port of the OPC communication data packet is an OPC dynamic port and the OPC communication data packet is a Request data packet, detecting the validity of the Request data packet;
when the OPC communication data packet has validity, detecting the legitimacy of the OPC instruction of the Request data packet.
6. The method according to claim 5, characterized in that the detecting the validity of the Request data packet comprises:
when the OPC client sends a Bind data packet containing the OPC dynamic port to the OPC server and receives a Bind_ack data packet fed back by the OPC server, determining that the OPC client may access the OPC dynamic port and that the Request data packet has validity;
or, when the OPC client sends an Alter_context data packet containing the OPC dynamic port to the OPC server and receives an Alter_context_response data packet fed back by the OPC server, determining that the OPC client may access the OPC dynamic port and that the Request data packet has validity.
7. The method according to claim 5, characterized in that the detecting the legitimacy of the OPC instruction of the Request data packet comprises:
identifying the OPC interface identifier corresponding to the Request data packet, and determining and recording the context environment identifier in the Request data packet that corresponds to the OPC interface identifier;
determining, according to the context environment identifier and the operand information in the Request data packet, the OPC instruction issued by the Request data packet;
detecting the legitimacy of the OPC instruction according to an OPC instruction access control list.
8. The method according to claim 1, characterized in that the method further comprises:
when the source port of the OPC communication data packet is port 135 and the OPC communication data packet is a Response data packet, judging whether the request corresponding to the Response data packet is registered;
if registered, judging whether the Response data packet contains a dynamic port;
if it contains a dynamic port, generating an ACL access rule from the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response data packet, and writing the ACL access rule into the security policy table.
9. The method according to claim 8, characterized in that the method further comprises:
when the OPC client does not send a SimplePing instruction through the IObjectExporter interface within a preset time to keep the dynamic port of the OPC server alive, deleting the ACL access rule corresponding to the dynamic port, thereby closing the dynamic port.
10. A safety protection device for OPC communication, characterized by comprising:
a tuple information detection unit, for detecting, when an OPC communication data packet is received, the legitimacy of preset multiple tuple information of the OPC communication data packet;
a DEC/RPC format detection unit, for detecting, when the preset multiple tuple information of the OPC communication data packet is legal, the legitimacy of the DEC/RPC data format of the OPC communication data packet according to the DEC/RPC protocol specification;
a data packet forwarding unit, for forwarding the OPC communication data packet when the DEC/RPC data format of the OPC communication data packet is legal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810916163.2A CN109104424B (en) | 2018-08-13 | 2018-08-13 | Safety protection method and device for OPC communication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109104424A true CN109104424A (en) | 2018-12-28 |
CN109104424B CN109104424B (en) | 2021-03-23 |
Family
ID=64849609
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1995033261A1 (en) * | 1994-05-31 | 1995-12-07 | Sony Corporation | Data recorder |
CN103036870A (en) * | 2012-10-26 | 2013-04-10 | 青岛海天炜业自动化控制系统有限公司 | Industrial firewall without industrial protocol (IP) distributed type depth check arithmetic based on industrial protocol object linking and embedding for process control (OPC) classic |
CN104660593A (en) * | 2015-02-09 | 2015-05-27 | 西北工业大学 | Method for filtering OPC security gateway data packets |
CN106559382A (en) * | 2015-09-25 | 2017-04-05 | 北京计算机技术及应用研究所 | Protection system of security gateway access control method based on OPC agreements |
CN107294998A (en) * | 2017-07-10 | 2017-10-24 | 王红涛 | A kind of security protection system of intelligent electric power electrical secondary system |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112039916A (en) * | 2020-09-07 | 2020-12-04 | 北京天融信网络安全技术有限公司 | Communication method and device based on OPC protocol, electronic equipment and storage medium |
CN115174274A (en) * | 2022-09-06 | 2022-10-11 | 军工保密资格审查认证中心 | Data processing method, industrial control system, electronic device, and storage medium |
CN115174273A (en) * | 2022-09-06 | 2022-10-11 | 军工保密资格审查认证中心 | Data processing method, industrial control system, electronic device, and storage medium |
CN115174273B (en) * | 2022-09-06 | 2023-01-06 | 军工保密资格审查认证中心 | Data processing method, industrial control system, electronic device, and storage medium |
CN115174274B (en) * | 2022-09-06 | 2023-01-06 | 军工保密资格审查认证中心 | Data processing method, industrial control system, electronic device, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: No. 309 Liuhe Road, Binjiang District, Hangzhou City, Zhejiang Province (High tech Zone); Patentee after: Zhongkong Technology Co.,Ltd.; Country or region after: China. Address before: No. six, No. 309, Binjiang District Road, Hangzhou, Zhejiang; Patentee before: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd.; Country or region before: China |