CN110290147A - Safe penetration defence method, device and equipment - Google Patents
- Publication number: CN110290147A
- Application number: CN201910602330.0A
- Authority: CN (China)
- Prior art keywords: network flow, access, data, preset, protocol
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications (all under H04L63/00, network architectures or network communication protocols for network security)
- H04L63/101 — Access control lists [ACL]
- H04L63/1408 — Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1441 — Countermeasures against malicious traffic
- H04L63/16 — Implementing security features at a particular protocol layer
- H04L63/205 — Managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
This application relates to a security penetration defense method, device and equipment. The method includes: obtaining an access request sent by an application system; performing application-layer protocol analysis on the network flow corresponding to the access request, intercepting network flows that contain a preset protocol and allowing other network flows to pass, where the protocol analysis is implemented with regular expressions in JSON format; judging, according to preset whitelist data, whether a network flow that has passed the protocol analysis meets a preset security access control policy; and allowing network flows that meet the security access control policy to perform data access while intercepting the others. With the technical solution provided by the embodiments of this application, traditional security penetration defense based on layer 4 of the network stack is lifted to layer 7, which gives more flexible configuration of security access control rules; at the same time, because access control is based on a whitelist, complete detection is not needed, so the security penetration protection effect is greatly improved.
Description
Technical field
This application relates to the technical field of network security, and in particular to a security penetration defense method, device and equipment.
Background technique
With the development of network technology and the digital economy, Internet technology brings ever greater convenience to people's production and daily life, but the network security problems people face are also becoming increasingly prominent. Large-scale leaks of sensitive data occur frequently worldwide, and various security penetration attack techniques keep emerging and evolving. To avoid being affected by them, security penetration defense techniques must also keep pace, so that the ever-intensifying network security challenges can be met. There are many common security penetration defense techniques, such as firewalls, WAF, IPS, NIDS, HIDS, honeypots, bastion hosts, network traffic analysis and database auditing; multiple protective devices are usually deployed in an IDC (Internet Data Center) computer room and cooperate to protect the enterprise's network security.
The basic idea of the security penetration defense schemes in the related art is to configure access control rules of various complexity on firewalls and related security protection equipment, and to exhaustively apply various technical means to detect threats and then alert on and block them; the core points are the configuration of security access control rules and the detection of security threats. On the one hand, security access control rules are usually configured on firewalls and network devices and are mainly expressed in two forms: regular expressions and ACLs (Access Control Lists). Specifically, a traditional firewall supports only network-layer rule configuration, that is, five-tuple rules; network devices likewise support only network-layer (five-tuple) rules and, moreover, can only express them in ACL form, so the expressive power of security access control rules is limited. In addition, system performance constrains the number of security access control rules that can be configured on one device; if too many rules are configured, network communication performance is significantly affected. On the other hand, current security threat detection is generally based on blacklists, which means that the behavior of every request must be monitored in real time to decide whether it is abnormal. This is a task that is very hard to complete, so accuracy, real-time performance and coverage of security threat detection are inevitably sacrificed.
That is, the related security penetration defense techniques suffer from limited configuration quantity and expressive power of security access control rules, and from low accuracy, real-time performance and coverage of security threat detection.
Summary of the invention
The application provides a security penetration defense method, device and equipment, to solve at least to some extent the problems in related security penetration defense techniques of limited configuration quantity and expressive power of security access control rules and of low accuracy, real-time performance and coverage of security threat detection.
The above-mentioned purpose of the application is achieved through the following technical solutions:
In a first aspect, an embodiment of the present application provides a security penetration defense method, comprising:
obtaining an access request sent by an application system;
performing application-layer protocol analysis on the network flow corresponding to the access request, intercepting the network flow if it contains a preset protocol and allowing network flows that do not contain the preset protocol to pass; wherein the protocol analysis is implemented with regular expressions in JSON format;
judging, according to preset whitelist data, whether the network flow that has passed the protocol analysis meets a preset security access control policy; wherein the preset security access control policy is generated from the preset whitelist data, and the preset whitelist data contains the data of the preset application systems that are allowed to perform data access;
allowing the network flow that meets the security access control policy to perform data access, and intercepting network flows that do not meet the security access control policy.
Optionally, performing application-layer protocol analysis on the network flow corresponding to the access request comprises:
according to a pre-established mapping table between network ports and the seven-layer network protocol model, forwarding network flows that contain different network ports to the processing units that perform the corresponding protocol processing;
performing the application-layer protocol analysis on the network flow by the processing unit; wherein the application layer is the seventh layer of the seven-layer network protocol model.
Optionally, the data of the application systems allowed to perform data access comprises registered access requirement data and attribute data; the access requirement data comprises a protocol or a domain name; the attribute data comprises one or more of a process name, a file name, a publisher name or a digital signature;
judging, according to preset whitelist data, whether the network flow that has passed the protocol analysis meets the preset security access control policy comprises:
judging, according to the preset whitelist data, whether the network flow that has passed the protocol analysis contains the attribute data and whether it contains the access requirement data;
when the network flow that has passed the protocol analysis contains both the attribute data and the access requirement data, determining that the network flow meets the preset security access control policy.
Optionally, after judging according to the preset whitelist data whether the network flow that has passed the protocol analysis contains the attribute data and whether it contains the access requirement data, the method further comprises:
when the network flow that has passed the protocol analysis contains only the attribute data but not the access requirement data, submitting the network flow for review;
registering the unregistered access requirement data contained in the network flow once the review is completed, and adding the application system data corresponding to the reviewed network flow to the whitelist data, so that the reviewed network flow meets the security access control policy.
Optionally, the method further comprises:
when the number of application systems allowed to perform data access changes, updating the whitelist data in real time.
Optionally, the method further comprises:
while allowing the network flow that meets the security access control policy to perform data access, copying the content of that access and logging it;
while intercepting a network flow that does not meet the security access control policy, copying the content of that access request, logging it and pushing alert information.
Optionally, the method further comprises:
while intercepting a network flow that does not meet the security access control policy, returning preset error prompt information to the corresponding application system.
In a second aspect, an embodiment of the present application further provides a security penetration defense device, comprising:
an obtaining module, for obtaining the access request sent by an application system;
a protocol resolution module, for performing application-layer protocol analysis on the network flow corresponding to the access request, intercepting network flows that contain a preset protocol and allowing network flows that do not contain the preset protocol to pass; wherein the protocol analysis is implemented with regular expressions in JSON format;
a judgment module, for judging according to preset whitelist data whether the network flow that has passed the protocol analysis meets a preset security access control policy; wherein the preset security access control policy is generated from the preset whitelist data, and the preset whitelist data contains the data of the preset application systems allowed to perform data access;
a blocking module, for allowing the network flow that meets the security access control policy to perform data access and intercepting network flows that do not meet the security access control policy.
Optionally, the protocol resolution module comprises:
a forwarding unit, for forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol model, network flows containing different network ports to the processing units that perform the corresponding protocol processing;
a protocol analysis unit, for performing the application-layer protocol analysis on the network flow by the processing unit; wherein the application layer is the seventh layer of the seven-layer network protocol model.
In a third aspect, an embodiment of the present application further provides security penetration defense equipment, comprising:
a memory and a processor connected to the memory;
the memory, for storing a program, the program being used at least to execute the above security penetration defense method;
the processor, for calling and executing the program stored in the memory.
The technical solution provided by the embodiments of this application can include the following benefits:
When the technical solution provided by the embodiments of this application is used, once an access request from an application system wishing to access the Internet is obtained, the network flow corresponding to that access request is first subjected to protocol analysis at the application layer (layer 7 of the seven-layer network protocol model), so that network flows containing a specific protocol (a preset abnormal or illegal protocol) can be intercepted; that is, access behavior at the application layer is placed under security control. Further, because the protocol analysis is implemented with customizable regular expressions in JSON format, which are easy for machines to parse and generate and can effectively improve network transmission efficiency, the configuration quantity and expressive power of security access control rules are improved, and thus the security access control capability and the security penetration defense effect are ultimately improved. Secondly, the whitelist approach is applied throughout: the network flow that has passed protocol analysis is analyzed to judge whether it meets the security access control policy generated from the preset whitelist data, that is, application-layer access is linked in real time with the normal access needs of the internal systems, and only manually registered (whitelisted) outbound access requests are released. With this arrangement complete detection is not required and complex security threat detection models are avoided, so the accuracy, real-time performance and coverage of security threat detection are improved.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the application.
Detailed description of the invention
The drawings herein are incorporated into and form part of this specification; they show embodiments consistent with the application and, together with the specification, serve to explain the principles of the application.
Fig. 1 is a flow chart of a security penetration defense method provided by an embodiment of the present application;
Fig. 2 is a schematic diagram of a specific implementation of application-layer protocol parsing provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of judging whether a network flow meets the security access control policy, provided by an embodiment of the present application;
Fig. 4 is a structural schematic diagram of a security penetration defense device provided by an embodiment of the present application;
Fig. 5 is a structural schematic diagram of security penetration defense equipment provided by an embodiment of the present application.
Specific embodiment
Example embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings indicate the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; on the contrary, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
Embodiment one
Referring to Fig. 1, Fig. 1 is a flow chart of a security penetration defense method provided by an embodiment of the present application. As shown in Fig. 1, the method includes the following steps:
S101: obtaining the access request sent by an application system;
Specifically, the application system is an external system that requests Internet data access; when it needs to perform data access, it sends an access request to the internal system.
S102: performing application-layer protocol analysis on the network flow corresponding to the access request, intercepting the network flow if it contains a preset protocol and allowing network flows that do not contain the preset protocol to pass; wherein the protocol analysis is implemented with regular expressions in JSON format;
Specifically, the network flow is the Internet data access issued by the external application system; it carries information about the corresponding external application system, such as the protocol.
In addition, "protocol" here is short for network protocol. Protocols are usually defined in several layers, so that a change to the protocol of one layer does not affect the protocols of the other layers.
Further, performing application-layer protocol analysis on the network flow corresponding to the access request specifically includes:
according to a pre-established mapping table between network ports and the seven-layer network protocol model, forwarding network flows containing different network ports to the processing units that perform the corresponding protocol processing;
performing the application-layer protocol analysis on the network flow by the processing unit; wherein the application layer is the seventh layer of the seven-layer network protocol model.
Specifically, the network port above is a port in the logical sense, such as a port in the TCP/IP protocol suite; port numbers range from 0 to 65535, for example port 80 for web browsing services and port 21 for FTP services. This step first establishes the mapping between port numbers and protocols according to actual needs; later, when a network flow is received, it is handed to the corresponding processing service unit for protocol analysis according to the network port it contains.
In addition, the seven network protocol layers are, from top to bottom: 7 application layer, 6 presentation layer, 5 session layer, 4 transport layer, 3 network layer, 2 data link layer and 1 physical layer. Layers 7, 6, 5 and 4 are the upper layers and define the functions of applications; the remaining three layers are mainly concerned with the end-to-end flow of data through the network. A traditional firewall supports only access rule configuration at layer 3 (the network layer), so its configuration expressive power is restricted; the technical solution of the embodiments of the present application can be configured for layer 7 (the application layer), which effectively improves configuration expressive power. The configuration scheme is implemented with customizable regular expressions in JSON format; the elements participating in the regular expressions and the resource objects supported by the application layer are used to put application-layer access behavior under security control, improving the security access control capability and the security penetration protection effect.
As a specific implementation of step S102, refer to Fig. 2, which is a schematic diagram of a specific implementation of application-layer protocol parsing provided by an embodiment of the present application. As shown in Fig. 2, a transparent gateway is side-mounted on the core switch; network flows sent by application systems are forwarded through the core switch to the transparent gateway, which can be realized with existing techniques such as traffic hijacking. The transparent gateway performs application-layer protocol analysis on the received network flow (for example TCP/IP traffic) in order to intercept network flows whose content contains the specified protocols, while other kinds of network flow can pass on to the firewall for subsequent processing.
The transparent gateway is attached to the core switch in side-mounted mode so that, if the transparent gateway fails, the core switch can bypass it automatically. Bypass means that on a specific trigger state (power loss or crash) the two networks are connected directly and physically without passing through the network security device (such as the transparent gateway); thus, once bypass is in place, the networks connected to the device can still communicate with each other after the security device fails.
Further, the transparent gateway can form a cluster of several hosts with 10-gigabit network cards, using LVS (Linux Virtual Server) to provide a high-availability mechanism. The hosts run the (SuSE) Linux operating system, whose kernel parameters are modified to enable route forwarding and performance tuning; iptables is then used in the PREROUTING chain to redirect the traffic of the target ports to the corresponding proxy service.
Regarding the specific implementation of protocol analysis, parsing of common application-layer protocols such as http, ftp, dns and ssh has open-source implementations and belongs to the prior art, so it is not described in detail here. Handling encrypted protocols such as https and sftp is more complicated and requires CA certificate interception. The specific method is to install a root certificate on the hosts of all application systems, to issue certificates dynamically from that root certificate according to the application information of each application system, and to deploy them to the transparent gateway, so that encrypted traffic requests can be decrypted and proxied.
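The port-to-protocol dispatch and the JSON-format regex rules of step S102, as an added illustration that is not the applicant's code: the rule file layout, the port table, the sample payloads and all function and field names are assumptions, since the page only states that the parsing is expressed as JSON-format regular expressions and that a mapping table routes flows to processing units.

```python
# Added illustration (not the applicant's code) of step S102: a JSON-format
# rule set of regular expressions plus a port-to-protocol mapping table drive
# application-layer protocol identification, and flows of a "preset protocol"
# are intercepted. Rule layout, port table, payloads and names are assumptions.
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed pre-established mapping table: destination port -> protocol unit.
PORT_PROTOCOL_MAP: Dict[int, str] = {80: "http", 21: "ftp", 53: "dns", 22: "ssh"}

# Constructed JSON-format rule set. Each protocol lists regexes matched against
# the start of the application-layer payload, and the action to take when a
# flow is identified as that protocol ("intercept" marks a preset protocol).
RULES_JSON = r'''
{
  "http": {"match": ["^(GET|POST|HEAD|PUT|DELETE) \\S+ HTTP/1\\.[01]\\r\\n"],
           "action": "allow"},
  "ftp":  {"match": ["^(USER|PASS|RETR|STOR|LIST) "], "action": "intercept"},
  "ssh":  {"match": ["^SSH-2\\.0-"], "action": "intercept"},
  "dns":  {"match": [], "action": "allow"}
}
'''


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: bytes          # first bytes of the application-layer payload


@dataclass(frozen=True)
class Verdict:
    protocol: str           # identified protocol, or "unknown"
    action: str             # "allow" or "intercept"
    reason: str


def load_rules(text: str) -> Dict[str, dict]:
    """Parse the JSON rule file and compile its regular expressions."""
    compiled: Dict[str, dict] = {}
    for proto, spec in json.loads(text).items():
        compiled[proto] = {
            "match": [re.compile(p) for p in spec.get("match", [])],
            "action": spec.get("action", "allow"),
        }
    return compiled


def identify_protocol(flow: Flow, rules: Dict[str, dict]) -> Tuple[Optional[str], Optional[str]]:
    """Return (protocol from the port table, protocol from the payload regexes)."""
    by_port = PORT_PROTOCOL_MAP.get(flow.dst_port)
    text = flow.payload.decode("latin-1")   # byte-transparent decoding
    by_content = None
    for proto, spec in rules.items():
        if any(r.search(text) for r in spec["match"]):
            by_content = proto
            break
    return by_port, by_content


def parse_application_layer(flow: Flow, rules: Dict[str, dict]) -> Verdict:
    """Processing unit: trust the payload first, fall back to the port table."""
    by_port, by_content = identify_protocol(flow, rules)
    proto = by_content or by_port
    if proto is None:
        # Neither the port table nor any regex recognised it: let it pass on
        # to the firewall for the usual layer-3/4 handling.
        return Verdict("unknown", "allow", "no port mapping and no payload match")
    action = rules.get(proto, {"action": "allow"})["action"]
    reason = "identified by payload regex" if by_content else "identified by port table"
    if by_content and by_port and by_content != by_port:
        # A protocol carried on a port mapped to another one: record the
        # mismatch in the verdict so the audit log shows it.
        reason += "; port %d is mapped to %s" % (flow.dst_port, by_port)
    return Verdict(proto, action, reason)


RULES = load_rules(RULES_JSON)

# Constructed sample flows.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.0.0.6", 21, b"USER anonymous\r\n"),
    Flow("10.0.0.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.8", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.9", 9999, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        v = parse_application_layer(f, RULES)
        print(f.src, f.dst_port, v.protocol, v.action, v.reason)
```

Matching on payload before port lets the gateway catch a preset protocol carried on an unexpected port, which a pure port table would miss.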
S103: judging, according to preset whitelist data, whether the network flow that has passed the protocol analysis meets a preset security access control policy; wherein the preset security access control policy is generated from the preset whitelist data, and the preset whitelist data contains the data of the preset application systems allowed to perform data access;
Specifically, this step first generates whitelist data from the registered application systems that are allowed to perform data access, then generates the security access control policy from the whitelist data, and uses it to judge whether the network flow that passed the above protocol analysis meets the security access control policy.
Further, the data of the application systems allowed to perform data access comprises registered access requirement data and attribute data; the access requirement data comprises a protocol or a domain name; the attribute data comprises one or more of a process name, a file name, a publisher name or a digital signature;
judging, according to preset whitelist data, whether the network flow that has passed the protocol analysis meets the preset security access control policy comprises:
judging, according to the preset whitelist data, whether the network flow that has passed the protocol analysis contains the attribute data and whether it contains the access requirement data;
when the network flow that has passed the protocol analysis contains both the attribute data and the access requirement data, determining that the network flow meets the preset security access control policy.
That is, each application system recorded in the whitelist data has at least access requirement data and attribute data; when a new network flow requesting data access is received, it is checked whether the network flow contains the necessary access requirement data and attribute data, which determines whether it meets the security access control policy.
In addition, optionally, this step can also include:
when the network flow that has passed the protocol analysis contains only the attribute data but not the access requirement data, submitting the network flow for review;
registering the unregistered access requirement data contained in the network flow once the review is completed, and adding the application system data corresponding to the reviewed network flow to the whitelist data, so that the reviewed network flow meets the security access control policy.
That is, network flows that do not meet the preset security access control policy include two further cases: one is an application system that has been registered but whose access requirement data changed before or after going live; the other is an application system that has not been registered before but contains registered attribute data. In both cases the request must be audited when the external application system sends it; if the new access requirement meets the rules, it is approved to perform data access and the new access requirement data is registered, so that it supplements the initial whitelist data as incremental whitelist data and the corresponding security access control policy is generated.
As a specific implementation of step S103, refer to Fig. 3, which is a schematic diagram of judging whether a network flow meets the security access control policy, provided by an embodiment of the present application. As shown in Fig. 3, any application system that needs to access the Internet must send its access request from its management backend, and the transparent gateway judges whether the request meets the preset security access control policy. If it does not, the application system has to apply for the access it needs through a dedicated permission workflow; when the application is approved, the details (such as access requirement data and attribute data) are sent to the security management backend, which generates incremental whitelist data and the corresponding security access control policy from the details sent by the application system and synchronizes them to the transparent gateway in real time.
In addition, the method further includes: when the number of application systems allowed to perform data access changes, updating the whitelist data in real time.
Specifically, when the registered application systems are scaled down or scaled up, the whitelist data is updated in real time. In some embodiments, the latest node information of the application systems can be synchronized to the security management backend through the automated publishing system, and the latest whitelist data is generated in real time.
S104: allowing the network flow that meets the security access control policy to perform data access, and intercepting network flows that do not meet the security access control policy.
Specifically, if the network flow sent by the application system finally passes the protocol analysis and meets the security access control policy, it is allowed to perform data access; otherwise it is intercepted.
Further, while the network flow that meets the security access control policy is allowed to perform data access, the content of the access is copied and logged for later auditing and statistics;
while a network flow that does not meet the security access control policy is intercepted, the content of the access request is copied and logged, and alert information is pushed so that security operations personnel can intervene and handle it.
The above access log data is transmitted with message queue technology, and display and analysis use the ELK (Elasticsearch, Logstash, Kibana, three open-source software packages) technology components.
In addition, the method can also include: while intercepting a network flow that does not meet the security access control policy, returning preset error prompt information to the corresponding application system, to tell its users why the access was intercepted.
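The whitelist decision of step S103 together with the allow/log, intercept/alert and review outcomes of step S104, as an added illustration that is not the applicant's code: the data classes, field names, sample applications and the `decide`, `approve` and `sync_registered` functions are all assumptions about how the whitelist data and the incremental-update workflow could be represented.

```python
# Added illustration (not the applicant's code) of steps S103 and S104: the
# whitelist is keyed by attribute data (process name, file name, publisher,
# digital signature) and maps to registered access requirements (protocol,
# domain). A flow matching both is allowed and logged; an unregistered
# application is intercepted with an alert and an error message; a registered
# application with a new requirement is queued for review and allowed only
# after approval files it as incremental whitelist data.
# All data shapes, field names and sample values are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AttributeData:
    process_name: str
    file_name: str
    publisher: str
    signature: str          # placeholder for the digital signature value


@dataclass(frozen=True)
class AccessRequirement:
    protocol: str
    domain: str


@dataclass
class Whitelist:
    entries: Dict[AttributeData, Set[AccessRequirement]] = field(default_factory=dict)
    pending: List[Tuple[AttributeData, AccessRequirement]] = field(default_factory=list)


@dataclass(frozen=True)
class ParsedFlow:
    """What the protocol analysis of step S102 extracted from one request."""
    attributes: AttributeData
    requirement: AccessRequirement
    content: bytes


@dataclass(frozen=True)
class Decision:
    action: str                   # "allow", "review" (held back) or "intercept"
    log: dict                     # copied access content plus result, for audit
    alert: bool                   # push alert information to security operations
    error_message: Optional[str]  # returned to the application system when denied


def decide(wl: Whitelist, flow: ParsedFlow) -> Decision:
    log = {"process": flow.attributes.process_name, "publisher": flow.attributes.publisher,
           "protocol": flow.requirement.protocol, "domain": flow.requirement.domain,
           "content": flow.content}
    allowed = wl.entries.get(flow.attributes)
    if allowed is None:
        log["result"] = "intercepted"   # attribute data not in the whitelist
        return Decision("intercept", log, True,
                        "access denied: application is not registered in the whitelist")
    if flow.requirement in allowed:
        log["result"] = "allowed"
        return Decision("allow", log, False, None)
    # Registered application, unregistered requirement: queue for review and
    # intercept until the permission workflow approves it.
    if (flow.attributes, flow.requirement) not in wl.pending:
        wl.pending.append((flow.attributes, flow.requirement))
    log["result"] = "pending review"
    return Decision("review", log, True, "access denied: requirement pending approval")


def approve(wl: Whitelist, attrs: AttributeData, req: AccessRequirement) -> None:
    """Workflow approved: file the requirement as incremental whitelist data."""
    wl.entries.setdefault(attrs, set()).add(req)
    wl.pending = [p for p in wl.pending if p != (attrs, req)]


def sync_registered(wl: Whitelist,
                    registered: Dict[AttributeData, Set[AccessRequirement]]) -> None:
    """Real-time update when registered application systems scale up or down."""
    for attrs in list(wl.entries):
        if attrs not in registered:
            del wl.entries[attrs]
    for attrs, reqs in registered.items():
        wl.entries.setdefault(attrs, set()).update(reqs)


# Constructed sample data.
APP_A = AttributeData("reportsvc", "reportsvc.exe", "Example Corp", "sig-placeholder-a")
APP_B = AttributeData("unknown", "unknown.exe", "Nobody", "sig-placeholder-b")
REQ_API = AccessRequirement("https", "api.example.com")
REQ_NEW = AccessRequirement("https", "updates.example.com")


def new_sample_whitelist() -> Whitelist:
    """Initial whitelist: one registered application with one filed requirement."""
    return Whitelist(entries={APP_A: {REQ_API}})
```

A flow in the "review" state is denied exactly like an intercepted one until `approve` runs, which is what keeps the gateway fail-closed while the workflow is pending.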
The technical solution provided by the embodiments of this application can bring the following benefits:
When the technical solution provided by the embodiments of this application is used, an access request from an application system that wants to access the Internet is obtained, and the network flow corresponding to that access request is first subjected to protocol analysis at the application layer (layer 7 of the seven-layer network protocol model), so that network flow carrying a specific (preset abnormal or illegal) protocol can be intercepted; that is, security management and control is applied to access behaviour at the application layer. Further, because the protocol analysis is realized with customizable regular expressions in json format, which are easy for machines to parse and generate and can effectively improve network transmission efficiency, the number of access control rules that can be configured and their expressive power are increased, so that the access control capability and the security penetration defence effect are ultimately improved. Secondly, a whitelist approach is used throughout: the network flow that has passed protocol analysis is analysed to judge whether it meets the access control strategy generated from the preset whitelist data, i.e. the decision is linked in real time to the normal access requirements of the application layer and the internal systems, and only the manually recorded (whitelisted) outbound access requests are let through. With this arrangement, complete detection is not needed and a complex security threat detection model is avoided, so that the accuracy, real-time performance and coverage of security threat detection can be improved.
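The two-stage decision described above (application-layer protocol analysis driven by json-format regular expressions, then a whitelist check that admits a flow only when both recorded attribute data and a recorded access demand are present, with logging, alerts and a review queue for flows whose demand is not yet on record), modelled as an added Python example; it is not the patent's own code, and the port mapping, rules, whitelist entries and flows are constructed placeholders.

```python
import json
import re
from dataclasses import dataclass
# Constructed mapping table (hypothetical values): network port -> layer-7 protocol.
PORT_PROTOCOL_MAP = {80: "http", 443: "https", 53: "dns"}
# Constructed rules in json format: a protocol the rule applies to ("*" = any) and a
# regex run over the payload; a match marks a preset (disallowed) protocol -> intercept.
PRESET_PROTOCOL_RULES_JSON = json.dumps([
    {"name": "ssh-banner-on-web-port", "protocol": "http", "pattern": r"^SSH-\d\.\d-"},
    {"name": "ftp-login-on-any-port", "protocol": "*", "pattern": r"^(USER|PASS) "},
])
# Constructed whitelist: attribute data identifies a recorded application system and
# access demands list the protocols or domain names it has on record.
WHITELIST_JSON = json.dumps([
    {"attributes": {"process_name": "reporting.exe", "publisher": "Example Corp"},
     "access_demands": ["reports.example.com"]},
    {"attributes": {"process_name": "resolver", "file_name": "/usr/sbin/resolver"},
     "access_demands": ["dns"]},
])

@dataclass
class Flow:
    port: int
    payload: str
    attributes: dict   # process_name, file_name, publisher, digital_signature
    domain: str = ""

class Gateway:
    def __init__(self, rules_json, whitelist_json):
        self.rules = [(r["name"], r["protocol"], re.compile(r["pattern"]))
                      for r in json.loads(rules_json)]
        self.whitelist = json.loads(whitelist_json)
        self.log, self.alerts, self.pending = [], [], []

    def protocol_analysis(self, flow):
        """Step 1: map the port to a protocol, then run the json regex rules."""
        proto = PORT_PROTOCOL_MAP.get(flow.port, "unknown")
        for name, rule_proto, regex in self.rules:
            if rule_proto in ("*", proto) and regex.search(flow.payload):
                return name
        return None

    def whitelist_check(self, flow):
        """Step 2: a match needs BOTH recorded attribute data and a recorded demand."""
        proto = PORT_PROTOCOL_MAP.get(flow.port, "unknown")
        for entry in self.whitelist:
            if not all(flow.attributes.get(k) == v for k, v in entry["attributes"].items()):
                continue
            if proto in entry["access_demands"] or flow.domain in entry["access_demands"]:
                return "match"
            return "attributes_only"  # known system, unrecorded demand -> review queue
        return "no_match"

    def decide(self, flow):
        hit = self.protocol_analysis(flow)
        if hit:  # every flow is logged; every interception also raises an alert
            self.log.append(("intercept", "preset_protocol", hit, flow.payload))
            self.alerts.append(f"preset protocol {hit} on port {flow.port}")
            return "intercept"
        verdict = self.whitelist_check(flow)
        if verdict == "match":
            self.log.append(("allow", flow.domain, flow.payload))
            return "allow"
        if verdict == "attributes_only":
            self.pending.append(flow)  # awaits manual examination and approval
        self.log.append(("intercept", "policy", verdict, flow.payload))
        self.alerts.append(f"policy violation ({verdict}) from {flow.attributes.get('process_name')}")
        return "intercept"

    def approve(self, flow):  # approval path: record the demand so it matches next time
        demand = flow.domain or PORT_PROTOCOL_MAP.get(flow.port, "unknown")
        for entry in self.whitelist:
            if all(flow.attributes.get(k) == v for k, v in entry["attributes"].items()):
                entry["access_demands"].append(demand)
        self.pending.remove(flow)
```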
To introduce the technical solution of the present invention more fully, and corresponding to the above safe penetration defence method, the embodiments of this application also provide a safe penetration defence device.
Referring to Fig. 4, Fig. 4 is a structural schematic diagram of a safe penetration defence device provided by the embodiments of this application. As shown in Fig. 4, the device includes:
an obtaining module 41, for obtaining the access request sent by the application system;
a protocol resolution module 42, for carrying out protocol analysis at the application layer on the network flow corresponding to the access request, intercepting the network flow comprising a preset protocol, and allowing the network flow not comprising the preset protocol to pass through; wherein the protocol analysis is realized using a regular expression in json format;
a judgment module 43, for judging, according to preset whitelist data, whether the network flow that has passed the protocol analysis meets a preset access control strategy; wherein the preset access control strategy is generated according to the preset whitelist data, and the preset whitelist data comprises preset application system data that is allowed to carry out data access;
a blocking module 44, for allowing the network flow that meets the access control strategy to carry out data access, and intercepting the network flow that does not meet the access control strategy.
Optionally, the protocol resolution module 42 includes:
a forwarding unit, for forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol model, network flow comprising different network ports to the processing units that carry out the corresponding protocol processing;
a protocol analysis unit, for carrying out the protocol analysis at the application layer on the network flow by those processing units; wherein the application layer is layer 7 of the seven-layer network protocol model.
Specifically, for the specific implementation of each of the above functional modules, please refer to the content of the safe penetration defence method in the above embodiments; it will not be detailed here.
To introduce the technical solution of the present invention more fully, and corresponding to the above safe penetration defence method, the embodiments of this application also provide a safe penetration defence equipment.
Referring to Fig. 5, Fig. 5 is a structural schematic diagram of a safe penetration defence equipment provided by the embodiments of this application. As shown in Fig. 5, the equipment includes:
a memory 51 and a processor 52 connected with the memory 51;
the memory 51, for storing a program, the program being at least used to execute the above safe penetration defence method;
the processor 52, for calling and executing the program stored in the memory 51.
Specifically, for the specific implementation of the functions of the above program, please refer to the content of the safe penetration defence method in the above embodiments; it will not be detailed here.
It can be understood that the same or similar parts of the above embodiments may refer to one another, and content not described in detail in one embodiment may refer to the same or similar content in other embodiments.
It should be noted that the terms "first", "second", etc. in the description of this application are used for descriptive purposes only and cannot be understood as indicating or implying relative importance. In addition, in the description of this application, unless otherwise indicated, "multiple" means at least two.
Any process or method described in a flowchart or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of this application includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as should be understood by those of ordinary skill in the art to which the embodiments of this application belong.
It should be understood that each part of this application may be realized by hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be realized by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if realized by hardware, as in another embodiment, they may be realized by any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gate circuits for realizing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gate circuits, programmable gate arrays (PGA), field programmable gate arrays (FPGA), etc.
Those skilled in the art can understand that all or part of the steps carried by the methods of the above embodiments can be completed by instructing the relevant hardware through a program; the program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in each embodiment of this application may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The above integrated module can be realized in the form of hardware or in the form of a software functional module. If the integrated module is realized in the form of a software functional module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, etc.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" etc. means that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of this application. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of this application have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be understood as limiting this application; those skilled in the art can change, modify, replace and vary the above embodiments within the scope of this application.
Claims (10)
1. A safe penetration defence method, characterized by comprising:
obtaining an access request sent by an application system;
carrying out protocol analysis at the application layer on the network flow corresponding to the access request, intercepting the network flow comprising a preset protocol, and allowing the network flow not comprising the preset protocol to pass through; wherein the protocol analysis is realized using a regular expression in json format;
judging, according to preset whitelist data, whether the network flow that has passed the protocol analysis meets a preset access control strategy; wherein the preset access control strategy is generated according to the preset whitelist data, and the preset whitelist data comprises preset application system data that is allowed to carry out data access;
allowing the network flow that meets the access control strategy to carry out data access, and intercepting the network flow that does not meet the access control strategy.
2. The method according to claim 1, wherein carrying out the protocol analysis at the application layer on the network flow corresponding to the access request comprises:
according to a pre-established mapping table between network ports and the seven-layer network protocol model, forwarding network flow comprising different network ports to the processing units that carry out the corresponding protocol processing;
carrying out the protocol analysis at the application layer on the network flow by those processing units; wherein the application layer is layer 7 of the seven-layer network protocol model.
3. The method according to claim 1, wherein the application system data allowed to carry out data access comprises recorded access requirement data and attribute data; the access requirement data comprises a protocol or a domain name; the attribute data comprises one or more of a process name, a file name, a publisher name or a digital signature;
and judging, according to the preset whitelist data, whether the network flow that has passed the protocol analysis meets the preset access control strategy comprises:
judging, according to the preset whitelist data, whether the network flow that has passed the protocol analysis comprises the attribute data and the access requirement data;
when the network flow that has passed the protocol analysis comprises both the attribute data and the access requirement data, determining that the network flow that has passed the protocol analysis meets the preset access control strategy.
4. The method according to claim 3, wherein after judging, according to the preset whitelist data, whether the network flow that has passed the protocol analysis comprises the attribute data and the access requirement data, the method further comprises:
when the network flow that has passed the protocol analysis comprises only the attribute data but not the access requirement data, submitting the network flow for examination and approval;
recording the access requirement data that the approved network flow comprised but that had not yet been recorded, and adding the application system data corresponding to the approved network flow to the whitelist data, so that the approved network flow meets the access control strategy.
5. The method according to claim 1, further comprising:
when the number of application systems allowed to carry out data access changes, updating the whitelist data in real time.
6. The method according to claim 1, further comprising:
while allowing the network flow that meets the access control strategy to carry out data access, replicating the content of that access and recording it in a log;
while intercepting the network flow that does not meet the access control strategy, replicating the content of that access request, recording it in a log, and pushing warning information.
7. The method according to claim 6, further comprising:
while intercepting the network flow that does not meet the access control strategy, returning preset error prompt information to the corresponding application system.
8. A safe penetration defence device, characterized by comprising:
an obtaining module, for obtaining the access request sent by an application system;
a protocol resolution module, for carrying out protocol analysis at the application layer on the network flow corresponding to the access request, intercepting the network flow comprising a preset protocol, and allowing the network flow not comprising the preset protocol to pass through; wherein the protocol analysis is realized using a regular expression in json format;
a judgment module, for judging, according to preset whitelist data, whether the network flow that has passed the protocol analysis meets a preset access control strategy; wherein the preset access control strategy is generated according to the preset whitelist data, and the preset whitelist data comprises preset application system data that is allowed to carry out data access;
a blocking module, for allowing the network flow that meets the access control strategy to carry out data access, and intercepting the network flow that does not meet the access control strategy.
9. The device according to claim 8, wherein the protocol resolution module comprises:
a forwarding unit, for forwarding, according to a pre-established mapping table between network ports and the seven-layer network protocol model, network flow comprising different network ports to the processing units that carry out the corresponding protocol processing;
a protocol analysis unit, for carrying out the protocol analysis at the application layer on the network flow by those processing units; wherein the application layer is layer 7 of the seven-layer network protocol model.
10. A safe penetration defence equipment, characterized by comprising:
a memory and a processor connected with the memory;
the memory, for storing a program, the program being at least used to execute the safe penetration defence method according to any one of claims 1-7;
the processor, for calling and executing the program stored in the memory.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910602330.0A CN110290147A (en) | 2019-07-05 | 2019-07-05 | Safe penetration defence method, device and equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110290147A true CN110290147A (en) | 2019-09-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20190927