CN109104424B - Safety protection method and device for OPC communication - Google Patents


Info

Publication number: CN109104424B
Application number: CN201810916163.2A
Other versions: CN109104424A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Inventors: 马纳, 章维, 罗冰, 陆卫军
Assignee (original and current): Zhejiang Supcon Technology Co Ltd

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/101 Access control lists [ACL]
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic


Abstract

The application provides a security protection method and device for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server. The method comprises: when an OPC communication packet is received, checking the legality of the preset multi-tuple information of the packet; when that information is legal, checking the legality of the packet's DCE/RPC data format according to the DCE/RPC protocol specification; and when the DCE/RPC data format is legal, forwarding the packet. Packets whose preset multi-tuple information or DCE/RPC data format is illegal are filtered out, which reduces the security risk of the OPC communication protocol.

Description

Safety protection method and device for OPC communication
Technical Field
The invention relates to the technical field of data security, in particular to a safety protection method and device for OPC communication.
Background
With the rapid and deep integration of informatization and industrialization, industrial control systems increasingly adopt standard, open communication protocols, and the security hazards latent in those protocols become increasingly prominent. The OPC Classic specification (hereinafter the OPC specification) is an industrial standard that provides an open, unified interface between field devices, automation control applications and enterprise management software, and it has been widely used in the control field.
Many companies in the industrial control field have introduced products that conform to the OPC specification; these are typically developed on Microsoft's DCOM distributed component technology. DCOM, however, was designed before network security problems were widely recognized and is therefore highly vulnerable to network attacks.
Disclosure of Invention
In view of this, the invention discloses a method and device for the security protection of OPC communication: by analyzing the underlying communication protocol DCE/RPC and the DCOM mechanism, it provides security protection for OPC communication and thereby reduces the security risk of the OPC communication protocol.
In order to achieve the above purpose, the invention provides the following specific technical scheme:
A security protection method for OPC communication is applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server, and comprises the following steps:
when an OPC communication packet is received, checking the legality of the preset multi-tuple information of the packet;
when the preset multi-tuple information of the packet is legal, checking the legality of the packet's DCE/RPC data format according to the DCE/RPC protocol specification;
and when the DCE/RPC data format of the packet is legal, forwarding the packet.
Optionally, the preset multi-tuple information of the OPC communication packet comprises a destination MAC address, a source MAC address, a destination IP address, a source IP address, a destination port, a source port and a transport layer protocol, and checking its legality comprises the following steps:
checking, against a pre-established IP-MAC address binding list, whether the correspondence between the destination IP address and the destination MAC address in the packet is legal, and whether the correspondence between the source IP address and the source MAC address is legal;
and judging, against a pre-established security policy table, whether the destination IP address, source IP address, destination port, source port and transport layer protocol type of the packet match an ACL access rule in the security policy table; if so, the preset multi-tuple information of the packet is legal.
Optionally, checking the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification comprises:
extracting the DCE/RPC protocol application layer data from the OPC communication packet;
checking whether the format of the DCE/RPC protocol application layer data is legal;
when the OPC communication packet was sent by an OPC client, judging whether the packet type is any one of Bind, Alter_context, Request, Shutdown and Cancel;
and when the OPC communication packet was sent by an OPC server, judging whether the packet type is any one of Response, Fault, Bind_ack, Bind_nak and Orphaned.
Optionally, when the DCE/RPC protocol application layer data carries packet authentication information, checking the legality of the DCE/RPC data format according to the DCE/RPC protocol specification further comprises:
checking the legality of the packet authentication information in the DCE/RPC protocol application layer data.
Optionally, before forwarding the OPC communication packet, the method further comprises:
when the destination port of the OPC communication packet is an OPC dynamic port and the packet is a Request packet, checking the validity of the Request packet;
and when the Request packet is valid, checking the legality of the OPC instruction in the Request packet.
Optionally, checking the validity of the Request packet comprises:
judging whether the OPC interface corresponding to the OPC instruction in the Request packet is registered;
if it is registered, the Request packet is valid;
if not, the Request packet is invalid.
Optionally, checking the legality of the OPC instruction in the Request packet comprises:
identifying the OPC interface identifier corresponding to the Request packet, and determining and recording the context identifier corresponding to that OPC interface identifier in the Request packet;
determining the OPC instruction issued by the Request packet from the context identifier and the operand information in the Request packet;
and checking the legality of the OPC instruction against the OPC instruction access control table.
Optionally, the method further comprises:
when the source port of the OPC communication packet is port 135 and the packet is a Response packet, judging whether the request corresponding to the Response packet is registered;
if it is registered, judging whether the Response packet contains a dynamic port;
and if it contains a dynamic port, generating an ACL access rule from the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet, writing the ACL access rule into the security policy table, and opening the dynamic port.
Optionally, the method further comprises:
when the OPC client has not sent a SimplePing instruction through the IObjectExporter interface within a preset time to keep the dynamic port of the OPC server alive, deleting the ACL access rule corresponding to that dynamic port and closing the dynamic port.
An OPC communication security protection apparatus, comprising:
a tuple information detection unit, configured to check the legality of the preset multi-tuple information of an OPC communication packet when the packet is received;
a DCE/RPC format detection unit, configured to check the legality of the DCE/RPC data format of the OPC communication packet according to the DCE/RPC protocol specification when the preset multi-tuple information of the packet is legal;
and a packet forwarding unit, configured to forward the OPC communication packet when its DCE/RPC data format is legal.
Optionally, the preset multi-tuple information of the OPC communication packet comprises a destination MAC address, a source MAC address, a destination IP address, a source IP address, a destination port, a source port and a transport layer protocol, and the tuple information detection unit is specifically configured to check, against a pre-established IP-MAC address binding list, whether the correspondence between the destination IP address and the destination MAC address in the packet is legal and whether the correspondence between the source IP address and the source MAC address is legal; and to judge, against a pre-established security policy table, whether the destination IP address, source IP address, destination port, source port and transport layer protocol type of the packet match an ACL access rule in the security policy table, in which case the preset multi-tuple information of the packet is legal.
Optionally, the DCE/RPC format detection unit is specifically configured to extract the DCE/RPC protocol application layer data from the OPC communication packet; to check whether the format of that application layer data is legal; when the packet was sent by an OPC client, to judge whether the packet type is any one of Bind, Alter_context, Request, Shutdown and Cancel; and when the packet was sent by an OPC server, to judge whether the packet type is any one of Response, Fault, Bind_ack, Bind_nak and Orphaned.
Optionally, when the DCE/RPC protocol application layer data carries packet authentication information, the DCE/RPC format detection unit is further configured to check the legality of that packet authentication information.
Optionally, the apparatus further comprises:
a Request packet detection unit, configured to check the validity of a Request packet when the destination port of the OPC communication packet is an OPC dynamic port and the packet is a Request packet;
and an OPC instruction detection unit, configured to check the legality of the OPC instruction in the Request packet when the Request packet is valid.
Optionally, the Request packet detection unit is specifically configured to judge that the OPC client may access the OPC dynamic port, and hence that the Request packet is valid, when the OPC client has sent a Bind packet containing the OPC dynamic port to the OPC server and received a Bind_ack packet in reply; or when the OPC client has sent an Alter_context packet containing the OPC dynamic port to the OPC server and received an Alter_context_response packet in reply.
Optionally, the OPC instruction detection unit is specifically configured to identify the OPC interface identifier corresponding to the Request packet, and to determine and record the context identifier corresponding to that interface identifier in the Request packet; to determine the OPC instruction issued by the Request packet from the context identifier and the operand information in the Request packet; and to check the legality of the OPC instruction against the OPC instruction access control table.
Optionally, the apparatus further comprises:
a dynamic port identification unit, configured to judge whether the request corresponding to a Response packet is registered when the source port of the OPC communication packet is port 135 and the packet is a Response packet; if it is registered, to judge whether the Response packet contains a dynamic port; and if it does, to generate an ACL access rule from the destination IP address, source IP address, destination port, source port and transport layer protocol type in the Response packet and write it into the security policy table.
Optionally, the apparatus further comprises:
a dynamic port maintenance unit, configured to delete the ACL access rule corresponding to the dynamic port, thereby closing it, when the OPC client has not sent a SimplePing instruction through the IObjectExporter interface within the preset time to keep the dynamic port of the OPC server alive.
Compared with the prior art, the invention has the following beneficial effects:
the invention discloses a security protection method and device for OPC communication which, by analyzing DCE/RPC, the underlying communication protocol of OPC communication, check the legality of the preset multi-tuple information of an OPC communication packet, check the legality of the packet's DCE/RPC data format according to the DCE/RPC protocol specification, and discard illegal packets, so that network attacks by illegal packets on the DCE/RPC protocol are prevented and the security risk of the OPC communication protocol is reduced.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in their description are briefly introduced below. Obviously, the drawings described below show only embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow chart illustrating a method for security protection of OPC communication according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart illustrating another method for securing OPC communication according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart illustrating another method for security protection of OPC communication according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an OPC communication security protection device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, the present embodiment discloses a security protection method for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server. The method specifically comprises the following steps:
S101: when an OPC communication packet is received, checking the legality of the preset multi-tuple information of the packet.
The OPC communication packet may have been sent by the OPC client or by the OPC server.
The preset multi-tuple information of the OPC communication packet comprises: destination MAC address, source MAC address, destination IP address, source IP address, destination port, source port and transport layer protocol. Checking the legality of this 7-tuple information specifically comprises the following steps:
checking, against a pre-established IP-MAC address binding list, whether the correspondence between the destination IP address and the destination MAC address in the packet is legal, and whether the correspondence between the source IP address and the source MAC address is legal;
and judging, against a pre-established security policy table, whether the destination IP address, source IP address, destination port, source port and transport layer protocol type of the packet match an ACL access rule in the security policy table; if so, the preset multi-tuple information of the packet is legal.
It can be understood that the correspondence between the destination IP address and the destination MAC address is legal when it is recorded in the IP-MAC address binding list, and the correspondence between the source IP address and the source MAC address is legal when it is recorded in the IP-MAC address binding list; otherwise the correspondence is illegal.
It should be noted that the security policy table records the permitted combinations of destination IP address, source IP address, destination port, source port and transport layer protocol type. If these values in the OPC communication packet match an ACL access rule in the security policy table, and the IP-MAC correspondences in the packet are legal, then the preset multi-tuple information of the packet is legal.
S102: when the preset multi-tuple information of the OPC communication packet is legal, checking the legality of the packet's DCE/RPC data format according to the DCE/RPC protocol specification.
It should be noted that when the preset multi-tuple information of the packet is illegal, or the DCE/RPC data format of the packet is illegal, the packet is discarded.
The DCE/RPC protocol is the underlying protocol of DCOM. When the DCE/RPC data format of an OPC communication packet is illegal, the packet is illegal and unsafe, and it is discarded to keep OPC communication secure.
Specifically, checking the legality of the DCE/RPC data format of the packet according to the DCE/RPC protocol specification comprises the following steps:
extracting the DCE/RPC protocol application layer data from the OPC communication packet; specifically, extracting the header information (PDU header) and the data length of the DCE/RPC protocol application layer data.
Checking whether the format of the DCE/RPC protocol application layer data is legal; the check is based on the DCE/RPC protocol application layer data header information and the DCE/RPC protocol application layer data length.
When the OPC communication packet was sent by an OPC client, judging whether the packet type is any one of Bind, Alter_context, Request, Shutdown and Cancel;
and when the OPC communication packet was sent by an OPC server, judging whether the packet type is any one of Response, Fault, Bind_ack, Bind_nak and Orphaned.
It can be understood that when the packet was sent by the OPC client and its type is any one of Bind, Alter_context, Request, Shutdown and Cancel, the DCE/RPC data format of the packet is legal; and when the packet was sent by the OPC server and its type is any one of Response, Fault, Bind_ack, Bind_nak and Orphaned, the DCE/RPC data format of the packet is legal.
It should be noted that when the DCE/RPC protocol application layer data carries packet authentication information, checking the legality of the DCE/RPC data format according to the DCE/RPC protocol specification further comprises: checking the legality of the packet authentication information in the DCE/RPC protocol application layer data.
S103: when the DCE/RPC data format of the OPC communication packet is legal, forwarding the packet.
It can be understood that when the packet was sent by the OPC client it is forwarded to the corresponding OPC server, and when it was sent by the OPC server it is forwarded to the corresponding OPC client.
With the security protection method for OPC communication of this embodiment, DCE/RPC, the underlying communication protocol of OPC communication, is analyzed to check the legality of the preset multi-tuple information of an OPC communication packet and the legality of its DCE/RPC data format according to the DCE/RPC protocol specification; illegal packets are discarded, network attacks by illegal packets on the DCE/RPC protocol are prevented, and the security risk of the OPC communication protocol is reduced.
Referring to fig. 2, the present embodiment discloses another OPC communication security protection method, which specifically comprises the following steps:
S201: receiving an OPC communication packet;
S202: judging whether the preset multi-tuple information of the OPC communication packet is legal;
if not, S203: discarding the OPC communication packet;
if yes, S204: judging whether the DCE/RPC data format of the packet is legal according to the DCE/RPC protocol specification;
if not, S203: discarding the OPC communication packet;
if yes, S205: judging whether the destination port of the packet is an OPC dynamic port;
if not, S206: forwarding the OPC communication packet;
if yes, S207: judging whether the packet is a Request packet;
if not, S206: forwarding the OPC communication packet;
if yes, S208: judging whether the Request packet is valid.
Specifically, one way to judge whether a Request packet is valid is: when the OPC client has sent a Bind packet containing the OPC dynamic port to the OPC server and received a Bind_ack packet in reply, the OPC client is judged able to access the OPC dynamic port, and the Request packet is valid.
Another way to judge whether a Request packet is valid is: when the OPC client has sent an Alter_context packet containing the OPC dynamic port to the OPC server and received an Alter_context_response packet in reply, the OPC client is judged able to access the OPC dynamic port, and the Request packet is valid.
It should be noted that the OPC client sends a Bind packet or an Alter_context packet to the OPC server to ask whether the server supports access to the corresponding OPC dynamic port; if the OPC server replies with a Bind_ack packet or an Alter_context_response packet, the OPC client is judged able to access the OPC dynamic port, and the Request packet is valid.
If not valid, S203: discarding the OPC communication packet;
if valid, S209: judging whether the OPC instruction of the Request packet is legal.
Specifically, checking the legality of the OPC instruction of the Request packet comprises: identifying the OPC interface identifier corresponding to the Request packet, and determining and recording the context identifier corresponding to that interface identifier in the Request packet; determining the OPC instruction issued by the Request packet from the context identifier and the operand information in the Request packet; and checking the legality of the OPC instruction against the OPC instruction access control table.
If legal, S206: forwarding the OPC communication packet;
if not, S203: discarding the OPC communication packet.
Note that, as shown in Table 1, the OPC instruction access control table records an OPC instruction together with a client address and a server address.
TABLE 1 OPC instruction access control table
OPC instruction            Client address    Server address
IOPCServer::AddGroup()     172.0.20.1        172.0.20.10
IOPCItemIO::Read()         172.0.20.2        172.0.20.11
...                        ...               ...
The OPC communication security protection method disclosed in this embodiment establishes an OPC access control table, implements access control on OPC instructions, and filters illegal OPC instructions, thereby ensuring the security of OPC communication.
Referring to fig. 3, the present embodiment discloses another OPC communication security protection method, which specifically includes the following steps:
s301: receiving an OPC communication data packet;
s302: judging whether preset multiple tuple information of the OPC communication data packet is legal or not;
if not, S303: discarding the OPC communication data packet;
if yes, S304: judging whether the DEC/RPC data format of the OPC communication data packet is legal or not according to the DEC/RPC protocol specification;
if not, S303: discarding the OPC communication data packet;
if yes, S305: judging whether the source port of the OPC communication data packet is a 135 port;
if not, S306: and forwarding the OPC communication data packet.
If yes, S307: judging whether the OPC communication data packet is a Response data packet or not;
if not, S306: and forwarding the OPC communication data packet.
If so: s308: judging whether a request of a Response data packet is registered or not;
if not registered: s303: discarding the OPC communication data packet;
if registered, S309: judging whether the Response data packet contains a dynamic port or not;
if not, S306: and forwarding the OPC communication data packet.
If yes, S310: and generating an ACL access rule according to the types of the destination IP address, the source IP address, the destination port, the source port and the transport layer protocol in the Response data packet, writing the ACL access rule into a security policy table, and executing S306.
It should be noted that writing the ACL access rule into the security policy table is what opens the dynamic port: only data packets that match the ACL access rule are allowed through the OPC firewall on that port.
It should be further noted that dynamic port identification also includes state maintenance of the dynamic port: when the OPC client does not send a SimplePing call through the IObjectExporter interface within a preset time to keep the dynamic port of the OPC server alive, the ACL access rule corresponding to the dynamic port is deleted to close the dynamic port.
The OPC communication security protection method disclosed in this embodiment dynamically identifies the open or closed state of each access port of the OPC server, manages the full life cycle of the port (opening and closing), keeps the number of open dynamic ports to a minimum, and solves the problem that a conventional static firewall, which would have to leave the whole dynamic port range open, cannot effectively protect OPC dynamic ports.
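The S301-S310 flow as a runnable sketch, added here as an example; it is not code from the patent or from Zhejiang Supcon. It parses the 16-byte DCE/RPC connection-oriented PDU common header (version 5, packet type, data representation, frag_length, auth_length, call_id) to implement S304, enforces the per-direction PDU type sets of the embodiment, registers the client's endpoint-mapper Request by call_id, learns the server's dynamic TCP port from an endpoint-mapper Response whose call_id matches a registered Request (S305-S310), and expires the learned rule when the client sends nothing to that port within a configurable time. Assumptions: the rule written in S310 is taken to be "client IP to server IP on the learned TCP port", matched in both directions; the dynamic port is recovered by scanning the Response stub for a TCP protocol-tower floor (lhs_length 1, protocol id 0x07, rhs_length 2, port big-endian) instead of a full ept_map tower decoder; any forwarded client PDU on the learned port refreshes the timer, standing in for the patent's IObjectExporter SimplePing check; the IP-MAC binding part of the tuple check is omitted; packets are plain dicts and every PDU is constructed inline.

```python
import struct

# DCE/RPC connection-oriented PDU types (DCE 1.1 RPC specification)
REQUEST, RESPONSE, FAULT = 0, 2, 3
BIND, BIND_ACK, BIND_NAK, ALTER_CONTEXT, ALTER_CONTEXT_RESP = 11, 12, 13, 14, 15
SHUTDOWN, CO_CANCEL, ORPHANED = 17, 18, 19
# PDU types the embodiment accepts from each side of the link (claim 3)
CLIENT_TYPES = {BIND, ALTER_CONTEXT, REQUEST, SHUTDOWN, CO_CANCEL}
SERVER_TYPES = {RESPONSE, ALTER_CONTEXT_RESP, FAULT, BIND_ACK, BIND_NAK, ORPHANED}
EPM_PORT = 135   # DCE/RPC endpoint mapper
HDR_LEN = 16     # common header: vers, vers_minor, ptype, flags, drep[4], frag_len, auth_len, call_id

def parse_header(data):
    """S304: validate the common header; return (ptype, call_id), or None if malformed."""
    if len(data) < HDR_LEN:
        return None
    vers, vers_minor, ptype, _flags = struct.unpack_from("<BBBB", data, 0)
    if vers != 5 or vers_minor not in (0, 1):
        return None
    endian = "<" if data[4] & 0x10 else ">"   # drep byte 0, bit 4 set = little-endian integers
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", data, 8)
    if frag_len != len(data) or auth_len > frag_len - HDR_LEN:
        return None
    return ptype, call_id

def make_pdu(ptype, call_id, stub=b"", little_endian=True):
    """Build a single-fragment CO PDU (constructed test data, not captured traffic)."""
    drep, endian = (b"\x10\x00\x00\x00", "<") if little_endian else (b"\x00\x00\x00\x00", ">")
    return (struct.pack("<BBBB", 5, 0, ptype, 0x03) + drep
            + struct.pack(endian + "HHI", HDR_LEN + len(stub), 0, call_id) + stub)

def extract_dynamic_port(stub):
    """S309 (simplified): locate a TCP tower floor in an ept_map Response stub:
    lhs_length=1 (LE16), protocol id 0x07 (TCP), rhs_length=2 (LE16), port (BE16)."""
    i = stub.find(b"\x01\x00\x07\x02\x00")
    if i < 0 or i + 7 > len(stub):
        return None
    return struct.unpack_from(">H", stub, i + 5)[0]

class OpcFirewall:
    def __init__(self, server_ips, static_rules, ttl=120.0):
        self.server_ips = set(server_ips)
        # security policy table: (proto, client_ip, server_ip, server_port) -> expiry (None = static)
        self.rules = {rule: None for rule in static_rules}
        self.pending = set()   # (client_ip, call_id) of Requests the client sent to the endpoint mapper
        self.ttl = ttl

    def _rule_for(self, pkt):
        """S302: match the packet's 5-tuple against a rule in either direction."""
        for rule in self.rules:
            proto, client, server, port = rule
            if pkt["proto"] == proto and (
                    (pkt["sip"], pkt["dip"], pkt["dport"]) == (client, server, port)
                    or (pkt["sip"], pkt["sport"], pkt["dip"]) == (server, port, client)):
                return rule
        return None

    def handle(self, pkt, now):
        for rule, expiry in list(self.rules.items()):   # close dynamic ports whose timer ran out
            if expiry is not None and expiry <= now:
                del self.rules[rule]
        rule = self._rule_for(pkt)                        # S302
        hdr = parse_header(pkt["payload"])                # S304
        if rule is None or hdr is None:
            return "drop"                                 # S303
        ptype, call_id = hdr
        from_server = pkt["sip"] in self.server_ips
        if ptype not in (SERVER_TYPES if from_server else CLIENT_TYPES):
            return "drop"                                 # S303: type not allowed in this direction
        if not from_server:
            if pkt["dport"] == EPM_PORT and ptype == REQUEST:
                self.pending.add((pkt["sip"], call_id))   # register the client's endpoint-mapper call
            if self.rules[rule] is not None:
                self.rules[rule] = now + self.ttl         # client traffic keeps a learned port open
            return "forward"                              # S306
        if pkt["sport"] != EPM_PORT or ptype != RESPONSE:
            return "forward"                              # S305/S307 fall through to S306
        if (pkt["dip"], call_id) not in self.pending:
            return "drop"                                 # S308: Response to no registered Request
        self.pending.discard((pkt["dip"], call_id))
        port = extract_dynamic_port(pkt["payload"][HDR_LEN:])
        if port is not None:                              # S310: open client -> server:port
            self.rules[(pkt["proto"], pkt["dip"], pkt["sip"], port)] = now + self.ttl
        return "forward"

def demo():
    """Run constructed packets through the filter; returns the verdict per packet."""
    fw = OpcFirewall({"10.0.0.20"}, [("tcp", "10.0.0.10", "10.0.0.20", EPM_PORT)], ttl=60.0)
    c2s = dict(proto="tcp", sip="10.0.0.10", sport=49152, dip="10.0.0.20", dport=EPM_PORT)
    s2c = dict(proto="tcp", sip="10.0.0.20", sport=EPM_PORT, dip="10.0.0.10", dport=49152)
    dyn = dict(proto="tcp", sip="10.0.0.10", sport=49153, dip="10.0.0.20", dport=50000)
    tower = b"\x01\x00\x07\x02\x00" + struct.pack(">H", 50000)   # TCP floor announcing port 50000
    return [
        fw.handle({**c2s, "payload": b"\x05\x00\x00"}, 0.0),                # truncated header: drop
        fw.handle({**c2s, "payload": make_pdu(REQUEST, 7)}, 1.0),           # ept_map Request: forward
        fw.handle({**s2c, "payload": make_pdu(RESPONSE, 9, tower)}, 2.0),   # unsolicited Response: drop
        fw.handle({**s2c, "payload": make_pdu(RESPONSE, 7, tower)}, 3.0),   # answers call 7: learns 50000
        fw.handle({**dyn, "payload": make_pdu(BIND, 1)}, 4.0),              # Bind to learned port: forward
        fw.handle({**dyn, "payload": make_pdu(BIND_ACK, 1)}, 5.0),          # server-only type from client
        fw.handle({**dyn, "payload": make_pdu(REQUEST, 2)}, 100.0),         # no keep-alive: port closed
    ]
```

Two points worth carrying into a real implementation: the filter is deny-by-default, so a dynamic port is reachable only between the endpoint-mapper Response and the expiry of its rule, and the header check requires frag_length to equal the bytes on the wire, so a multi-fragment PDU must be reassembled per TCP segment before this check, which the example does not do.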
Referring to fig. 4, the present embodiment correspondingly discloses an OPC communication security protection apparatus applied to an OPC firewall, where the OPC firewall is deployed on a communication link between an OPC client and an OPC server, and the apparatus includes:
a tuple information detection unit 401, configured to detect the legality of the preset tuple information of an OPC communication data packet when the packet is received;
a DCE/RPC format detection unit 402, configured to detect, when the preset tuple information of the OPC communication data packet is legal, the legality of the DCE/RPC data format of the packet according to the DCE/RPC protocol specification;
and a data packet forwarding unit 403, configured to forward the OPC communication data packet when its DCE/RPC data format is legal.
Optionally, the preset tuple information of the OPC communication data packet includes: a destination MAC address, a source MAC address, a destination IP address, a source IP address, a destination port, a source port and a transport-layer protocol. The tuple information detection unit is specifically configured to detect, according to a pre-established IP-MAC address binding list, whether the correspondence between the destination IP address and the destination MAC address in the OPC communication data packet is legal and whether the correspondence between the source IP address and the source MAC address is legal; and to judge, according to a pre-established security policy table, whether the destination IP address, source IP address, destination port, source port and transport-layer protocol type of the packet conform to an ACL access rule of the security policy table. Only when both checks pass is the preset tuple information of the OPC communication data packet legal.
Optionally, the DCE/RPC format detection unit is specifically configured to extract the DCE/RPC application layer data from the OPC communication data packet; to detect whether the format of the DCE/RPC application layer data is legal; when the OPC communication data packet is sent by the OPC client, to judge whether its type is one of Bind, Alter_context, Request, Shutdown and Cancel; and when the OPC communication data packet is sent by the OPC server, to judge whether its type is one of Response, Fault, Bind_ack, Bind_nak and Orphaned (claim 3 additionally lists Alter_context_response on the server side, which the Alter_context path of the Request check below depends on).
Optionally, when packet authentication information is present in the DCE/RPC application layer data (the auth_length field of the header is non-zero and an authentication verifier trails the stub), the DCE/RPC format detection unit is further configured to detect the legality of that authentication information.
Optionally, the apparatus further comprises:
a Request data packet detection unit, configured to detect the validity of a Request data packet when the destination port of the OPC communication data packet is an OPC dynamic port and the packet is a Request data packet;
and an OPC instruction detection unit, configured to detect the legality of the OPC instruction carried by the Request data packet when the Request data packet is valid.
Optionally, the Request data packet detection unit is specifically configured to judge that the OPC client may access the OPC dynamic port, and hence that the Request data packet is valid, when the OPC client has sent a Bind data packet containing the OPC dynamic port to the OPC server and has received a Bind_ack data packet fed back by the OPC server; or when the OPC client has sent an Alter_context data packet containing the OPC dynamic port to the OPC server and has received an Alter_context_response data packet fed back by the OPC server. A Request on the dynamic port whose connection has completed neither negotiation does not pass this check.
Optionally, the OPC instruction detection unit is specifically configured to identify the OPC interface identifier (the interface UUID negotiated in the Bind) corresponding to the Request data packet, and to determine and record the presentation context identifier (context ID) corresponding to that interface identifier in the Request data packet; to determine the OPC instruction issued by the Request data packet from the context ID and the operation number (opnum) in the Request data packet; and to detect the legality of the OPC instruction according to the OPC instruction access control table.
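The Request validation and OPC instruction checks described above, as an added example that is not the patent's own code: it tracks the presentation contexts a client proposes in Bind and Alter_context and the ones the server accepts in Bind_ack and Alter_context_response, treats a Request on a connection with no accepted context as invalid, resolves the Request's context ID to an interface UUID and its opnum to an OPC operation, and looks the operation up in an instruction access control table that denies by default. It works on already-decoded PDU fields (plain dicts), so the tuple and header checks of the earlier units are assumed to have run first. The interface UUIDs and opnums are those of IOPCServer and IOPCSyncIO from the OPC DA opcda.idl as I recall them (opnums 0-2 are IUnknown); check them against your own copy before relying on them. Bind_ack results are modelled as a dict keyed by context ID, a simplification of the positional result list in the real PDU, and the read-only policy table is constructed for the example.

```python
from dataclasses import dataclass, field

# Interface UUIDs and opnums as in the OPC DA opcda.idl (opnums 0-2 are IUnknown's
# QueryInterface/AddRef/Release); verify them against your own copy of the IDL.
IOPCSERVER = "39c13a4d-011e-11d0-9675-0020afd8adb3"
IOPCSYNCIO = "39c13a52-011e-11d0-9675-0020afd8adb3"
OPNUMS = {
    (IOPCSERVER, 3): "IOPCServer::AddGroup",
    (IOPCSERVER, 6): "IOPCServer::GetStatus",
    (IOPCSERVER, 7): "IOPCServer::RemoveGroup",
    (IOPCSYNCIO, 3): "IOPCSyncIO::Read",
    (IOPCSYNCIO, 4): "IOPCSyncIO::Write",
}
# OPC instruction access control table (constructed): read-only policy for this client.
# Any operation absent from the table is denied.
READ_ONLY_ACL = {"IOPCServer::AddGroup": True, "IOPCServer::GetStatus": True,
                 "IOPCServer::RemoveGroup": True, "IOPCSyncIO::Read": True,
                 "IOPCSyncIO::Write": False}
ACCEPTANCE = 0   # p_cont_def_result value for an accepted presentation context


@dataclass
class Connection:
    proposed: dict = field(default_factory=dict)   # context id -> interface UUID offered by the client
    accepted: dict = field(default_factory=dict)   # context id -> interface UUID acknowledged by the server


class RequestInspector:
    def __init__(self, acl, opnums):
        self.acl, self.opnums = acl, opnums
        self.conns = {}   # (client ip, client port) -> Connection
        self.log = []     # one reason string per inspected PDU

    def inspect(self, pdu):
        """pdu is a decoded PDU: 'ptype', 'dir' ('c2s' or 's2c'), 'client', 'cport',
        plus 'contexts' (Bind/Alter_context), 'results' (acks) or 'ctx_id'/'opnum' (Request)."""
        key = (pdu["client"], pdu["cport"])
        conn = self.conns.setdefault(key, Connection())
        ptype, c2s = pdu["ptype"], pdu["dir"] == "c2s"
        if ptype in ("bind", "alter_context") and c2s:
            conn.proposed.update(pdu["contexts"])
            return self._verdict(True, "contexts proposed: %s" % sorted(pdu["contexts"]))
        if ptype in ("bind_ack", "alter_context_resp") and not c2s:
            for ctx_id, result in pdu["results"].items():
                if result == ACCEPTANCE and ctx_id in conn.proposed:
                    conn.accepted[ctx_id] = conn.proposed[ctx_id]
            return self._verdict(True, "contexts accepted: %s" % sorted(conn.accepted))
        if ptype == "bind_nak" and not c2s:
            self.conns.pop(key, None)               # nothing was negotiated on this connection
            return self._verdict(True, "bind rejected by server")
        if ptype == "request" and c2s:
            if not conn.accepted:                   # no Bind/Bind_ack seen: the Request has no validity
                return self._verdict(False, "Request before any accepted Bind")
            iface = conn.accepted.get(pdu["ctx_id"])
            if iface is None:
                return self._verdict(False, "context %d not accepted by server" % pdu["ctx_id"])
            op = self.opnums.get((iface, pdu["opnum"]))
            if op is None:
                return self._verdict(False, "unknown opnum %d on %s" % (pdu["opnum"], iface))
            return self._verdict(self.acl.get(op, False), op)
        return self._verdict(True, "not subject to instruction check")

    def _verdict(self, allowed, why):
        verdict = "forward" if allowed else "drop"
        self.log.append("%s: %s" % (verdict, why))
        return verdict


def demo():
    """Constructed exchange on one client connection to the OPC server's dynamic port."""
    insp = RequestInspector(READ_ONLY_ACL, OPNUMS)
    c = dict(client="10.0.0.10", cport=49153)

    def req(ctx_id, opnum):
        return {**c, "dir": "c2s", "ptype": "request", "ctx_id": ctx_id, "opnum": opnum}

    verdicts = [insp.inspect(req(0, 6))]                                  # Request before any Bind
    insp.inspect({**c, "dir": "c2s", "ptype": "bind", "contexts": {0: IOPCSERVER, 1: IOPCSYNCIO}})
    insp.inspect({**c, "dir": "s2c", "ptype": "bind_ack", "results": {0: 0, 1: 2}})   # 2 = provider rejection
    verdicts.append(insp.inspect(req(0, 6)))                              # IOPCServer::GetStatus
    verdicts.append(insp.inspect(req(1, 3)))                              # context 1 was rejected
    insp.inspect({**c, "dir": "c2s", "ptype": "alter_context", "contexts": {1: IOPCSYNCIO}})
    insp.inspect({**c, "dir": "s2c", "ptype": "alter_context_resp", "results": {1: 0}})
    verdicts.append(insp.inspect(req(1, 3)))                              # IOPCSyncIO::Read
    verdicts.append(insp.inspect(req(1, 4)))                              # IOPCSyncIO::Write, denied
    verdicts.append(insp.inspect(req(1, 9)))                              # opnum not in the table
    return verdicts
```

Because a context is only usable after the server's own acknowledgement, a client cannot pre-declare an interface and start issuing calls on it; and because unknown opnums are dropped rather than forwarded, the operation table has to cover every interface the OPC application legitimately uses, which is the price of a deny-by-default instruction check on a control network.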
Optionally, the apparatus further comprises:
a dynamic port identification unit, configured to judge, when the source port of the OPC communication data packet is port 135 and the packet is a Response data packet, whether the Request that this Response answers has been registered; if registered, to judge whether the Response data packet contains a dynamic port; and if it does, to generate an ACL access rule from the destination IP address, source IP address, destination port, source port and transport-layer protocol type in the Response data packet and write the ACL access rule into the security policy table.
Optionally, the apparatus further comprises:
a dynamic port maintenance unit, configured to delete the ACL access rule corresponding to the dynamic port, thereby closing the dynamic port, when the OPC client does not send a SimplePing call through the IObjectExporter interface within the preset time to keep the dynamic port of the OPC server alive.
The OPC communication security protection apparatus disclosed in this embodiment parses DCE/RPC, the underlying communication protocol of OPC communication, detects the legality of the preset tuple information of an OPC communication data packet, detects the legality of the DCE/RPC data format of the packet according to the DCE/RPC protocol specification, and discards illegal packets; this prevents network attacks that carry malformed or unexpected DCE/RPC PDUs and reduces the security risk of the OPC communication protocol.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A security protection method for OPC communication, applied to an OPC firewall deployed on the communication link between an OPC client and an OPC server, the method comprising:
when an OPC communication data packet is received, detecting the legality of the preset tuple information of the OPC communication data packet;
when the preset tuple information of the OPC communication data packet is legal, detecting the legality of the DCE/RPC data format of the OPC communication data packet according to the DCE/RPC protocol specification;
when the DCE/RPC data format of the OPC communication data packet is legal and the destination port of the OPC communication data packet is an OPC dynamic port, judging whether the OPC communication data packet is a Request data packet;
when the destination port of the OPC communication data packet is an OPC dynamic port and the OPC communication data packet is a Request data packet, detecting the validity of the Request data packet;
when the Request data packet is valid, detecting the legality of the OPC instruction of the Request data packet;
when the OPC instruction of the Request data packet is legal, forwarding the OPC communication data packet;
wherein detecting the validity of the Request data packet comprises:
when the OPC client sends a Bind data packet containing the OPC dynamic port to the OPC server and receives a Bind_ack data packet fed back by the OPC server, judging that the OPC client may access the OPC dynamic port and that the Request data packet is valid, the Bind data packet being used to ask whether the OPC server supports access through the corresponding OPC dynamic port;
or, when the OPC client sends an Alter_context data packet containing the OPC dynamic port to the OPC server and receives an Alter_context_response data packet fed back by the OPC server, judging that the OPC client may access the OPC dynamic port and that the Request data packet is valid, the Alter_context data packet being used to ask whether the OPC server supports access through the corresponding OPC dynamic port.
2. The method of claim 1, wherein the preset tuple information of the OPC communication data packet comprises: a destination MAC address, a source MAC address, a destination IP address, a source IP address, a destination port, a source port and a transport-layer protocol; and detecting the legality of the preset tuple information of the OPC communication data packet comprises:
detecting, according to a pre-established IP-MAC address binding list, whether the correspondence between the destination IP address and the destination MAC address in the OPC communication data packet is legal, and whether the correspondence between the source IP address and the source MAC address in the OPC communication data packet is legal;
and judging, according to a pre-established security policy table, whether the destination IP address, source IP address, destination port, source port and transport-layer protocol type in the OPC communication data packet conform to an ACL access rule of the security policy table; if both checks pass, the preset tuple information of the OPC communication data packet is legal.
3. The method of claim 1, wherein detecting the legality of the DCE/RPC data format of the OPC communication data packet according to the DCE/RPC protocol specification comprises:
extracting the DCE/RPC application layer data from the OPC communication data packet;
detecting whether the format of the DCE/RPC application layer data is legal;
when the OPC communication data packet is sent by the OPC client, judging whether the type of the OPC communication data packet is one of a Bind data packet, an Alter_context data packet, a Request data packet, a Shutdown data packet and a Cancel data packet;
when the OPC communication data packet is sent by the OPC server, judging whether the type of the OPC communication data packet is one of a Response data packet, an Alter_context_response data packet, a Fault data packet, a Bind_ack data packet, a Bind_nak data packet and an Orphaned data packet.
4. The method of claim 3, wherein, when packet authentication information is present in the DCE/RPC application layer data, detecting the legality of the DCE/RPC data format of the OPC communication data packet according to the DCE/RPC protocol specification further comprises:
detecting the legality of the packet authentication information in the DCE/RPC application layer data.
5. The method of claim 1, wherein detecting the legality of the OPC instruction of the Request data packet comprises:
identifying the OPC interface identifier corresponding to the Request data packet, and determining and recording the presentation context identifier (context ID) corresponding to the OPC interface identifier in the Request data packet;
determining the OPC instruction issued by the Request data packet according to the context ID and the operation number (opnum) in the Request data packet;
and detecting the legality of the OPC instruction according to the OPC instruction access control table.
6. The method of claim 1, further comprising:
when the source port of the OPC communication data packet is port 135 and the OPC communication data packet is a Response data packet, judging whether the Request that the Response data packet answers has been registered;
if registered, judging whether the Response data packet contains a dynamic port;
and if it contains a dynamic port, generating an ACL access rule from the destination IP address, source IP address, destination port, source port and transport-layer protocol type in the Response data packet, and writing the ACL access rule into the security policy table.
7. The method of claim 6, further comprising:
when the OPC client does not send a SimplePing call through the IObjectExporter interface within the preset time to keep the dynamic port of the OPC server alive, deleting the ACL access rule corresponding to the dynamic port so as to close the dynamic port.
8. An OPC communication security protection apparatus, comprising:
a tuple information detection unit, configured to detect the legality of the preset tuple information of an OPC communication data packet when the OPC communication data packet is received;
a DCE/RPC format detection unit, configured to detect the legality of the DCE/RPC data format of the OPC communication data packet according to the DCE/RPC protocol specification when the preset tuple information of the OPC communication data packet is legal, and to trigger a Request data packet detection unit when the DCE/RPC data format of the OPC communication data packet is legal;
the Request data packet detection unit, configured to detect the validity of a Request data packet when the destination port of the OPC communication data packet is an OPC dynamic port and the OPC communication data packet is a Request data packet, and to trigger an OPC instruction detection unit when the Request data packet is valid;
the OPC instruction detection unit, configured to detect the legality of the OPC instruction of the Request data packet when the Request data packet is valid, and to trigger a data packet forwarding unit when the OPC instruction of the Request data packet is legal;
the data packet forwarding unit, configured to forward the OPC communication data packet;
wherein the Request data packet detection unit is specifically configured to judge that the OPC client may access the OPC dynamic port and that the Request data packet is valid when the OPC client sends a Bind data packet containing the OPC dynamic port to the OPC server and receives a Bind_ack data packet fed back by the OPC server, the Bind data packet being used to ask whether the OPC server supports access through the corresponding OPC dynamic port; or when the OPC client sends an Alter_context data packet containing the OPC dynamic port to the OPC server and receives an Alter_context_response data packet fed back by the OPC server, the Alter_context data packet being used to ask whether the OPC server supports access through the corresponding OPC dynamic port.
CN201810916163.2A 2018-08-13 2018-08-13 Safety protection method and device for OPC communication Active CN109104424B (en)


Publications (2)

Publication Number Publication Date
CN109104424A CN109104424A (en) 2018-12-28
CN109104424B true CN109104424B (en) 2021-03-23



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant