CN110290128B - Network isolation and exchange control method and device based on service security label - Google Patents
- Publication number: CN110290128B (application CN201910536196.9A)
- Authority: CN (China)
- Prior art keywords: mark, data, service, control, security
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention provides a network isolation and exchange control method and a device based on a service security marker, belonging to the technical field of networks.
Description
Technical Field
The invention relates to a method and a device for carrying out network isolation switching control on data according to the service security attribute of the data, belonging to the technical field of networks.
Background Art
When network isolation and data exchange are performed across networks and security domains, traditional security isolation and information exchange systems such as unidirectional import devices and gatekeepers improve the security of inter-network exchange mainly by stripping protocols and by virus scanning, content filtering and checking of the exchanged data. They cannot perform fine-grained control of the data exchanged between networks based on the service security attributes of the data, and have difficulty preventing malicious code from performing unauthorized exchanges.
Disclosure of Invention
The invention aims to provide a network isolation and exchange control method and a network isolation and exchange control device based on service security marks aiming at the requirements of fine-grained isolation exchange and security control of data resources in cross-network and cross-domain environments.
In order to achieve the above object, the present invention adopts a network isolation and switching control method based on a service security label, which comprises the following steps:
step 1: respectively configuring a mark control strategy for a sending end and a receiving end, wherein the mark control strategy is a related matching rule defined based on a service security mark of data, and taking a corresponding control action on the data with a specific service security mark;
step 2: after receiving data to be imported, a sending end checks whether the data has a service security mark and carries out corresponding processing according to a mark control strategy configured by the sending end, and the method comprises the following steps: if the data does not carry a service safety mark and the mark control strategy configured at the sending end prohibits the introduction of the unmarked data, recording the log and carrying out corresponding processing; if the data does not carry the service safety mark and the mark control strategy configured at the sending end allows the unmarked data to be imported, automatically adding the appointed service safety mark to the formatted data block to be transmitted in one way and then executing the one-way transmission; if the data has the service safety mark, the service safety mark of the data is subjected to matching check, if the check is passed, the service safety mark of the data is added to a formatted data block to be transmitted in a one-way mode, and then the one-way transmission is executed, otherwise, a log is recorded and corresponding processing is carried out;
step 3: after receiving the formatted data block of unidirectional transmission, the receiving end checks whether the data block carries a service security mark and carries out corresponding processing according to a mark control strategy configured by the receiving end, including: if the data block does not have the service safety mark, recording the log and carrying out corresponding processing; and if the data block is provided with the safety mark, performing matching check on the service safety mark of the data block, if the check is passed, recovering the imported data based on the data block, otherwise, recording the log and performing corresponding processing.
Further, the service security label is a multi-element tuple M = <C, G, F> containing multiple service security attributes, where C is a security level, G is a service security attribute set and F is an operation control attribute set; the service security attribute set G includes service category, work group, role and environment requirements, and the operation control attribute set F includes read-write control, print control, recording control and copy control.
Further, the service security label includes a service security label M(r) = <C_r, G_r, F_r> of the information object and a service security label M(o) = <C_o, G_o> of the system object; the information object comprises data, and the system object comprises applications, services and processes.
Further, there are two relationships between M(o) and M(r): dominance and incomparability. When C_o ≥ C_r and the accompanying condition on G_o and G_r (given as an image in the original and not reproduced on this page) holds, M(o) ≥ M(r) and M(o) and M(r) have a dominance relation, which represents that the system object can dominate the information object; if no dominance relation exists between M(o) and M(r), the two are incomparable, and the system object has no right to dominate the information object.
Further, if [condition missing from the page], the subject should limit its corresponding operations on the resource according to the operation control attributes contained in F_r.
Further, the tag control policy may be denoted R = <C, G>, where R is the tag control policy and the expression represents the set of information objects that satisfy the specified attributes.
Further, a mark control strategy R_s = <C_s, G_s> is configured for a sending end s; the service security label of the information object designated by R_s is M(s) = <C_s, G_s>, and if M(s) ≥ M(r) the matching check at the sending end passes. A corresponding mark control strategy R_g = <C_g, G_g> is configured for a receiving end g; the service security label of the information object designated by R_g is M(g) = <C_g, G_g>, and if M(g) ≥ M(r') the matching check at the receiving end passes.
Further, the corresponding processing includes alarming, discarding, forwarding or auditing.
In order to achieve the above object, the present invention further provides a network isolation and switching control device based on the service security label, which mainly comprises a sending end label control module and a receiving end label control module;
The sending end mark management and control module: used for configuring the sending end mark control strategy, identifying the service security mark of data imported to the sending end, performing a matching check against the mark control strategy configured at the sending end and, according to the check result, either adding the service security mark of the data to the formatted data block to be transmitted one-way and then executing the one-way transmission, or recording a log and performing corresponding processing on the data;
The receiving end mark management and control module: used for configuring the receiving end mark control strategy, identifying the service security mark of the formatted data block received at the receiving end, performing a matching check against the mark control strategy configured at the receiving end and, according to the check result, either recovering the imported data or recording a log of the data block and performing corresponding processing.
Further, in the receiving end mark management and control module, the corresponding processing includes alarming, discarding, forwarding or auditing.
Compared with the prior art, the invention has the following positive effects:
by correctly configuring a mark control strategy of a data transmission channel consisting of a sending end and a receiving end, the data transmitted in one direction can be subjected to fine-grained control based on the service security mark of the data, the security isolation and information exchange systems such as one-way import equipment and a gatekeeper are supported to perform fine-grained data control, and the network security is further improved. For example, by configuring the device, only data of specific service content can be allowed to be unidirectionally imported from the internet to the internal network; data of a low security level in the high-level security domain can also be supported to flow to the low-level security domain, but the data of the high security level is still forbidden to flow to the low-level security domain; the unmarked data or abnormal marked data sent by the malicious code can be found, and the disguised unauthorized service data can be prevented from flowing out in time.
Drawings
Fig. 1 is a flow chart of a network isolation and switching control method based on a service security label.
Fig. 2 is a relationship diagram (one-way import) of a network isolation and switching control device module based on a service security label.
Fig. 3 is a relationship diagram of a network isolation and switching control device module (bidirectional gatekeeper) based on a service security label.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, and it should be understood that the embodiments described herein are merely for the purpose of illustrating and explaining the present invention and are not intended to limit the present invention.
Fig. 1 is a flowchart of a method for controlling network isolation and switching based on a service security label, and steps of the method are specifically described as follows.
1. Configuring tag control policies
The service security mark M is a multi-tuple containing a plurality of service security attributes, M = <C, G, F>. Here C is a security level; G = {g_1, g_2, …, g_n} is a set of service security attributes g_i, which can be service types, work groups, roles, environmental requirements and the like; F = {f_1, f_2, …, f_m} is a set of operation control attributes f_j, which can be operation attributes such as read-write control, printing control, burning control and copying control.
Under this abstract definition, the service security label of an information object (resource) such as data is denoted M(r) = <C_r, G_r, F_r>, and the service security label of a system object (subject) such as an application, a service or a process is denoted M(o) = <C_o, G_o>. There are two relationships between the subject mark M(o) and the resource mark M(r): dominance and incomparability. Mark M(o) dominates mark M(r), written M(o) ≥ M(r), when C_o ≥ C_r and the accompanying condition on G_o and G_r (given as an image in the original and not reproduced on this page) holds, meaning that the subject can dominate the object (resource). If there is no dominance relationship between M(o) and M(r), they are incomparable and the subject has no right over the object (resource). If [condition missing from the page], the subject should limit the corresponding operation on the resource according to the particular operation control attributes f_j that the mark contains.
Since the service security labels of both the information object (resource) and the system object (subject) are defined by the attribute method, the related label control strategy is also defined by a similar attribute method. A marking control strategy R may be expressed as R = <C, G>, denoting the set of information objects that satisfy the specified attributes. Thus the service security label of the information object designated by rule R_s may also be denoted M(s) = <C_s, G_s>. When the strategy matching check is carried out, if M(s) ≥ M(r), the service security label of the information object r satisfies the label control strategy rule R_s.
According to this abstract definition, a mark control strategy R_s = <C_s, G_s> can be configured for a given sending end s, and a corresponding mark control strategy R_g = <C_g, G_g> for the corresponding receiving end g.
2. Label-free data unidirectional transmission control
(step 1): when the sending end identifies that the imported data does not have the service safety mark, if the sending end forbids the import of the unmarked data, the sending end records the log and records the log to the data and executes corresponding processing actions such as alarming, discarding, forwarding or auditing and the like; if the transmitting end allows the unmarked data to be imported, and a specified service safety mark M is preset for the unmarked dataxAnd (4) switching to step2, otherwise, logging and executing corresponding processing actions such as alarming, discarding, forwarding or auditing on the data, and ending the process.
(step 2): the sending end adds the appointed business safety mark M for the formatted data block to be transmitted in one wayxAnd then transmits the data block to the receiving end in a single direction.
(step 3): the receiving end checks whether the data block carries a service safety mark, and if the data block carries the service safety mark, the step4 is carried in; if the service safety mark is not carried, the receiving end executes corresponding processing actions such as alarming, discarding, forwarding or auditing and the like on the data block, and records a log.
(step 4): the receiving end identifies and extracts the data block service security mark M (R') and controls the strategy R with the mark configured by the receiving endgMatching check is carried out, and if matching is successful, switching to step 5; if the matching is not successful, the receiving end pair data blockAnd executing corresponding processing actions such as alarming, discarding, forwarding or auditing and recording logs.
The matching rule is as follows: if M (g) is more than or equal to M (r'), matching is successful, otherwise, matching is unsuccessful.
(step 5): and the receiving end recovers the data and sends the data to a related system.
3. Control of unidirectional transmission of marked data
(step 1): the sending end identifies and extracts the service safety mark M (R) of the data and the mark control strategy R configured with the sending endsMatching check is carried out, and if matching is successful, step2 is carried out; and if the matching is unsuccessful, performing corresponding processing actions such as alarming, discarding, forwarding or auditing on the data, and recording a log.
The matching rule is as follows: if M(s) is more than or equal to M (r), the matching is successful, otherwise, the matching is unsuccessful.
(step 2): the sending end adds the service security mark M (r) of the data into the formatted data block to be transmitted in one way, and then transmits the data block in one way to the receiving end.
(step 3): the receiving end checks whether the data block carries a service safety mark, and if the data block carries the service safety mark, the step4 is carried in; if the service safety mark is not carried, corresponding processing actions such as alarming, discarding, forwarding or auditing are carried out on the data, and a log is recorded.
(step 4): the receiving end identifies and extracts the service security mark M (r') of the data block and controls the strategy g with the mark configured by the receiving endjAnd matching, if the matching is successful, transferring to step5, and if the matching is unsuccessful, performing corresponding processing actions such as alarming, discarding, forwarding or auditing on the data block, and recording a log.
The matching rule is as follows: if M (g) is more than or equal to M (r'), matching is successful, otherwise, matching is unsuccessful.
(step 5): and the receiving end recovers the data and sends the data to a related system.
The embodiment also provides a network isolation and exchange control device based on the service security label, which is used for implementing the method and comprises a sending end label control module and a receiving end label control module. The sending end label control module is used for configuring the sending end mark control strategy, identifying the service security mark of data imported to the sending end, performing a matching check against the mark control strategy configured at the sending end and, according to the check result, either adding the service security mark of the data to the formatted data block to be transmitted one-way and then executing the one-way transmission, or discarding, auditing or forwarding the data. The receiving end label control module is used for configuring the receiving end mark control strategy, identifying the service security mark of the formatted data block received at the receiving end, performing a matching check against the mark control strategy configured at the receiving end and, according to the check result, either recovering the imported data or discarding, auditing or forwarding the data block.
The device can realize data exchange control: the sending end and the receiving end of the device form a unidirectional data transmission channel in pairs, and the unidirectional data transmission channel can be used for unidirectional leading-in equipment to realize fine-grained control of unidirectional transmission data, as shown in fig. 2. The method can also be used for security isolation and information exchange equipment such as a network gate and the like, and fine-grained control is respectively performed on two unidirectional transmission channels in opposite directions, so that the security of network exchange is further improved, as shown in fig. 3.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.
Claims (8)
1. A network isolation and exchange control method based on service security marks is used for controlling data at a sending end and a receiving end respectively according to service security attribute information including security level and service category in the marks by identifying service security marks carried by the data aiming at the requirements of fine-grained isolation exchange and security control of data resources under cross-network and cross-domain environments, and comprises the following steps:
configuring a mark control strategy for the sending end and the receiving end respectively, wherein the mark control strategy is a related matching rule defined based on the service security mark of the data and is used for taking a corresponding control action on data with a specific service security mark; the service security label is a multi-element tuple M = <C, G, F> containing multiple service security attributes, wherein C is a security level, G is a service security attribute set and F is an operation control attribute set, the service security attribute set G includes service category, work group, role and environment requirements, and the operation control attribute set F includes read-write control, printing control, burning control and copy control; the service security label comprises a service security label M(r) = <C_r, G_r, F_r> of the information object and a service security label M(o) = <C_o, G_o> of the system object, the information object comprising data and the system object comprising applications, services and processes; after receiving data to be imported, the sending end checks whether the data has a service security mark and carries out corresponding processing according to the mark control strategy configured at the sending end, including: if the data does not carry a service security mark and the mark control strategy configured at the sending end prohibits the import of unmarked data, recording a log and carrying out corresponding processing; if the data does not carry a service security mark and the mark control strategy configured at the sending end allows unmarked data to be imported, automatically adding the designated service security mark to the formatted data block to be transmitted one-way and then executing the one-way transmission; if the data has a service security mark, performing a matching check on the service security mark of the data and, if the check passes, adding the service security mark of the data to the formatted data block to be transmitted one-way and then executing the one-way transmission, otherwise recording a log and carrying out corresponding processing;
after receiving the formatted data block of unidirectional transmission, the receiving end checks whether the data block carries a service security mark and carries out corresponding processing according to a mark control strategy configured by the receiving end, including: if the data block does not have the service safety mark, recording the log and carrying out corresponding processing; and if the data block is provided with the safety mark, performing matching check on the service safety mark of the data block, if the check is passed, recovering the imported data based on the data block, otherwise, recording the log and performing corresponding processing.
2. The method of claim 1, wherein there are two relationships between M(o) and M(r): dominance and incomparability; when C_o ≥ C_r and the accompanying condition on G_o and G_r (given as an image in the original and not reproduced on this page) holds, M(o) ≥ M(r) and M(o) and M(r) have a dominance relation, which represents that the system object can dominate the information object; if no dominance relation exists between M(o) and M(r), the two are incomparable, and the system object has no right to dominate the information object.
4. The method of claim 1, wherein the tag control policy is denoted R = <C, G>, where R is the tag control policy, the expression representing the set of information objects that satisfy the specified attributes.
5. The method of claim 4, wherein a tag control policy R_s = <C_s, G_s> is configured for a sender s, the service security label of the information object designated by R_s is M(s) = <C_s, G_s>, and if M(s) ≥ M(r) the matching check at the sending end passes; a corresponding mark control strategy R_g = <C_g, G_g> is configured for a receiving end g, the service security label of the information object designated by R_g is M(g) = <C_g, G_g>, and if M(g) ≥ M(r') the matching check at the receiving end passes.
6. The method of claim 1, wherein the respective processing comprises alerting, discarding, forwarding, or auditing.
7. A network isolation and switching control device based on service security label, based on the method of claim 1, the device comprising:
the sending end mark control module is used for configuring a sending end mark control strategy, identifying a service safety mark of data led into a sending end, matching and checking the service safety mark with the mark control strategy configured by the sending end, adding the service safety mark of the data into a formatted data block to be transmitted in one direction according to a checking result, and then executing one-way transmission, or recording a log on the data and performing corresponding processing;
and the receiving end mark control module is used for configuring a receiving end mark control strategy, identifying the service safety mark of the receiving end formatted data block, performing matching check with the mark control strategy configured by the receiving end, recovering imported data according to a check result or recording a log of the data block and performing corresponding processing.
8. The apparatus of claim 7, in which the respective processing comprises alerting, discarding, forwarding, or auditing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910536196.9A CN110290128B (en) | 2019-06-20 | 2019-06-20 | Network isolation and exchange control method and device based on service security label |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110290128A CN110290128A (en) | 2019-09-27 |
CN110290128B true CN110290128B (en) | 2021-02-19 |
Family ID: 68004356