CN109862042A - Heterogeneous network security reinforcement method and device


Info

Publication number: CN109862042A
Authority: CN (China)
Prior art keywords: network security, product, reinforcement method, heterogeneous, security
Legal status: Pending
Application number: CN201910239605.9A
Other languages: Chinese (zh)
Inventor: Inventor not disclosed
Current Assignee: Taiping Technology (hangzhou) Co Ltd
Original Assignee: Taiping Technology (hangzhou) Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a heterogeneous network security reinforcement method and device, which effectively reduce the security risks and hidden dangers faced when protection relies on a single security product. The invention comprises: Step 1: select a group of heterogeneous network security products that have a BYPASS function; Step 2: deploy the network security products in series in transparent mode, and at deployment activate each product's BYPASS function for its paired input/output ports; Step 3: according to application needs, redundantly deploy identical or similar security functions or policy configurations on the network security products at each stage, so that at least 2 products are configured to implement one or more identical or similar security functions or policies.

Description

A heterogeneous network security reinforcement method and device
Technical field
The present invention relates to the technical field of network security, and more particularly to a heterogeneous network security reinforcement method and device.
Background
Faced with an increasingly complex network security environment, network users usually select various network security products to protect the systems and equipment in a trusted domain. Common protective measures include, but are not limited to, firewalls (FW), intrusion detection (IDS), intrusion prevention (IPS), virus and Trojan filtering (AV), and network address filtering (URL).
With the rise of the network security industry, vendors have developed a variety of network security products on their own platforms or on general-purpose platforms, and each product includes one or more of the protective functions above. At the same time, each vendor, according to its own risk-sample collection channels and research directions, continuously supplements and improves its products' feature libraries (including but not limited to protocol analysis libraries, address libraries and virus signatures), detection and defense engines, and product vulnerability patches.
In the traditional deployment mode, the above network security products are usually deployed at the protection boundary according to application requirements. In practice, however, because of the limited protection characteristics of a single product and the limitations of the deployment architecture, a number of problems remain, mainly the following:
1. Network security products themselves have technical defects, and a certain amount of time passes between the discovery of a defect and the release of a patch. Even for the same class of defect, the time each vendor takes to provide a fix differs, and the longer it takes, the higher the security risk;
2. Vendors differ in their research directions and methods for network security products, and no single vendor's product can effectively detect and defend against all known or unknown security problems. The release quality and timing of feature libraries differ, so the probability of missed protection is higher when a single product is used;
3. Network security products themselves may also contain potential backdoors or vulnerabilities, or unreasonable configuration may leave protection gaps; once these backdoors or vulnerabilities are exploited, the consequences are hard to imagine;
4. The brand, model and version of a single product are easily identified by various network probing techniques, which makes it easier for an attacker to attack with existing means.
Summary of the invention
The purpose of the present invention is to overcome the above problems and to provide a more scientific and robust network security reinforcement method. The method is based on the principle of heterogeneity and is realized through effective product selection and deployment architecture design. It further improves the protective capability of the overall system and also effectively improves the reliability of the overall protection system.
The present invention provides a network security reinforcement method with the following steps:
Step 1: select a group of heterogeneous network security products that have a BYPASS function;
Step 2: deploy the network security products in series in transparent mode, and activate each product's BYPASS function for its paired input/output transmission ports;
Step 3: according to application needs, redundantly deploy identical or similar security functions or policy configurations on the network security products at each stage.
The group of network security products described in step 1 contains no fewer than 2 products. A product may be pure hardware, an integrated hardware-software device, or pure software, and at least 2 products in the selected group can implement one or more identical and/or similar functions.
Heterogeneous, as used in step 1, means that the products implementing one or more identical and/or similar network security protection functions must come from different vendors, or from product series of the same vendor that differ significantly. The significant difference mentioned here means that the hardware architecture, operating system, application system or feature library used by the different products is clearly different or takes a different form of implementation.
Further, a single product can define or configure one or more groups of input and output ports that have the BYPASS function.
Transparent mode, as used in step 2, means that under normal traffic the product is transparent and imperceptible to the applications at both ends of a group of input and output ports.
Further, the BYPASS function of a single product's paired input/output transmission ports is configured and activated at deployment. When the product becomes ineffective because of a fault and/or power loss and/or crash and/or restart, the BYPASS function takes effect and the paired transmission ports form a bypass channel, so the application is not interrupted.
Redundant deployment, as used in step 3, means that at least 2 different specific products are configured to implement one or more identical or similar security functions or policies.
Compared with existing deployment methods, the invention has the following advantages: it overcomes the single-sourced protective capability of a single vendor or product and increases the difficulty of network attacks; it effectively solves the problem that, when a single network security device is deployed, a device fault causes all protective functions to fail or the application to be interrupted; by using the differing capabilities and specializations of different vendors, the system can obtain protection against a specific security threat in the optimal time; by combining the specialization and capability differences of the selected network security products, it achieves the maximum set of protective capabilities within the selected product combination; by configuring the same functions in series on heterogeneous products, it reduces the risk of protection gaps caused by unreasonable configuration of a single device; with the multi-layer heterogeneous deployment architecture, an attacker can only discover information about the outermost protective device, information about the devices behind it is difficult to obtain by probing from outside, and the time needed for a successful attack is effectively prolonged.
Brief description of the drawings
Fig. 1 is a functional block diagram of a network security reinforcement method of the present invention;
Fig. 2 is a structural block diagram of a network security reinforcement device of the present invention.
Specific embodiments
The heterogeneous network security reinforcement method of the present invention is further described below with reference to the drawings and specific embodiments.
Embodiment 1, shown in Fig. 1: a heterogeneous network security reinforcement method, with the following steps:
1. For a given protective function m, select n heterogeneous network security products (n >= 2);
2. Deploy and connect the network security products in transparent mode, configuring and activating at deployment each product's BYPASS function for its paired transmission ports;
3. According to application needs, redundantly deploy identical or similar protection policy configurations on the network security products at each stage;
4. When network access traffic reaches the protection system, it passes through the inspection of the n stages of products in turn; if an attack matching a defined protection policy is found, it is blocked by the product that detected it, otherwise it is allowed through;
5. When the product at some stage fails, its BYPASS function takes effect and the traffic is passed straight through the bypass circuit.
Embodiment 2, shown in Fig. 2: a heterogeneous network security reinforcement device, with the following steps:
1. Select a group of heterogeneous network security products (n products, n >= 2), in which at least 2 products can implement one or more identical and/or similar functions;
2. Deploy and connect the network security products in transparent mode, configuring and activating at deployment each product's BYPASS function for its paired input/output ports;
3. According to application needs, redundantly deploy identical or similar security functions or policy configurations on the network security products at each stage;
4. When network access traffic reaches the protection system, it passes through the inspection of the n stages of products in turn; if an attack matching a defined protection policy is found, it is blocked by the product that detected it, otherwise it is allowed through;
5. When the product at some stage fails, its BYPASS function takes effect and the traffic is passed straight through the bypass circuit.
It should be noted that the embodiments described above are provided only to help those skilled in the art understand the invention and do not limit its scope. Any obvious replacement or improvement made to the present invention by those skilled in the art without departing from the inventive concept falls within the scope of protection of the present invention.
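The traversal in steps 4 and 5 of the embodiments can be simulated as below. This is an added illustration, not part of the patent: the vendor names, signature tokens, the "passed-uninspected" verdict and the `redundancy_lost` check are assumptions made for the example. It also shows the case the steps imply but do not spell out: when every stage is in BYPASS, traffic flows with no inspection at all.

```python
from dataclasses import dataclass


@dataclass
class Stage:
    """One product in the series chain. Vendors and signatures are constructed."""
    vendor: str
    signatures: frozenset   # stand-in for the product's feature library
    healthy: bool = True    # False models fault / power loss / crash / restart

    def inspect(self, payload: str) -> str:
        if not self.healthy:
            return "bypassed"   # BYPASS relays traffic without inspecting it
        hit = any(sig in payload for sig in self.signatures)
        return "blocked" if hit else "passed"


def traverse(chain, payload):
    """Send one payload through the stages in order (embodiment steps 4 and 5)."""
    trace = []
    for stage in chain:
        result = stage.inspect(payload)
        trace.append((stage.vendor, result))
        if result == "blocked":          # the detecting product blocks it
            return "blocked", trace
    if all(result == "bypassed" for _, result in trace):
        return "passed-uninspected", trace   # every stage failed open
    return "passed", trace


def redundancy_lost(chain, minimum=2):
    """True when fewer than `minimum` stages are still inspecting traffic."""
    return sum(stage.healthy for stage in chain) < minimum


def build_chain():
    # Two heterogeneous products with overlapping but different libraries.
    return [
        Stage("vendor-A", frozenset({"sig-alpha"})),
        Stage("vendor-B", frozenset({"sig-alpha", "sig-beta"})),
    ]


if __name__ == "__main__":
    chain = build_chain()
    print(traverse(chain, "GET /index sig-beta"))   # only vendor-B knows sig-beta
    chain[0].healthy = False                        # vendor-A goes into BYPASS
    print(traverse(chain, "GET /index sig-alpha"), redundancy_lost(chain))
    chain[1].healthy = False                        # both stages in BYPASS
    print(traverse(chain, "GET /index sig-alpha"), redundancy_lost(chain))
```

Because BYPASS fails open, the health of each stage is worth monitoring: the `redundancy_lost` condition marks the point where the chain has fallen back to single-product protection.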

Claims (6)

1. A heterogeneous network security reinforcement method and device, characterized by comprising the following steps:
Step 1: select a group of heterogeneous network security products;
Step 2: deploy and connect the network security products in transparent mode;
Step 3: according to application needs, redundantly deploy identical or similar security functions or policy configurations on the network security products at each stage, with at least 2 products configured to implement one or more identical or similar security functions or policies.
2. The heterogeneous network security reinforcement method and device according to claim 1, characterized in that a single product can define or configure 1 or more groups of input and output ports that have the BYPASS function.
3. The heterogeneous network security reinforcement method and device according to claim 1, characterized in that, because homogeneous (same-function) deployment is used and the deployed products have the BYPASS function, as long as at least one product can work normally the overall system still retains part or all of its protective functions, and the system will not suffer an application interruption because the security product at some stage has failed.
4. The heterogeneous network security reinforcement method and device according to claim 1, characterized in that, because the heterogeneous architecture design is used, the defense function against a particular security threat can take effect in the optimal time available within the product combination.
5. The heterogeneous network security reinforcement method and device according to claim 1, characterized in that, because the heterogeneous architecture design is used, the protective capability of the overall system attains the maximum set available within the product combination.
6. The heterogeneous network security reinforcement method and device according to claim 1, characterized in that, because multiple heterogeneous layers are used, after policies are reasonably configured an attacker can only discover information about the outermost protective device, information about the devices behind it is difficult to obtain by probing from outside, and the time needed for a successful attack is effectively prolonged.
Priority Applications (1)

Application Number: CN201910239605.9A
Publication: CN109862042A (en)
Priority Date: 2019-03-27
Filing Date: 2019-03-27
Title: Heterogeneous network security reinforcement method and device
Status: Pending

Publications (1)

Publication Number: CN109862042A
Publication Date: 2019-06-07

Family

ID=66902061

Country Status (1)

CN (1): CN109862042A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190607
